From 4ca76cbccd2c9380ebd794a19ab1bbb55c98972e Mon Sep 17 00:00:00 2001
From: Sebastian Kemper
Date: Tue, 7 Dec 2021 00:02:25 +0100
Subject: [PATCH] restund: fix CVE-2021-21382

Patches taken from [1].

[1] https://github.com/wireapp/restund/pull/7

Signed-off-by: Sebastian Kemper
(cherry picked from commit dec6316f2f9204f3c34fadc7616435ddecf19e6c)
---
 net/restund/Makefile | 2 +-
 ...urn-block-forwarding-to-loopback-any.patch | 69 +++++++++++++++++++
 ...so-don-t-forward-linklocal-addresses.patch | 29 ++++++++
 ...-loopback-range-also-block-broadcast.patch | 52 ++++++++++++++
 4 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 net/restund/patches/200-turn-block-forwarding-to-loopback-any.patch
 create mode 100644 net/restund/patches/201-turn-also-don-t-forward-linklocal-addresses.patch
 create mode 100644 net/restund/patches/202-turn-block-whole-loopback-range-also-block-broadcast.patch

diff --git a/net/restund/Makefile b/net/restund/Makefile
index 64cf420..88b8bd7 100644
--- a/net/restund/Makefile
+++ b/net/restund/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=restund
 PKG_VERSION:=0.4.12
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.creytiv.com/pub
diff --git a/net/restund/patches/200-turn-block-forwarding-to-loopback-any.patch b/net/restund/patches/200-turn-block-forwarding-to-loopback-any.patch
new file mode 100644
index 0000000..dba6023
--- /dev/null
+++ b/net/restund/patches/200-turn-block-forwarding-to-loopback-any.patch
@@ -0,0 +1,69 @@
+From ffa2d56cac3d37715fe1381df81802774240da92 Mon Sep 17 00:00:00 2001
+From: Dusan Stevanovic
+Date: Thu, 11 Mar 2021 10:58:32 +0100
+Subject: [PATCH] turn: block forwarding to loopback/any
+
+---
+ modules/turn/turn.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/modules/turn/turn.c
++++ b/modules/turn/turn.c
+@@ -153,6 +153,7 @@ static bool indication_handler(struct re
+ struct stun_attr *data, *peer;
+ struct allocation *al;
+ struct perm *perm;
++ const struct sa *psa;
+ int err;
+ (void)sock;
+ (void)ctx;
+@@ -173,13 +174,17 @@ static bool indication_handler(struct re
+ if (!peer || !data)
+ return true;
+
+- perm = perm_find(al->perms, &peer->v.xor_peer_addr);
++ psa = &peer->v.xor_peer_addr;
++ perm = perm_find(al->perms, psa);
+ if (!perm) {
+ ++al->dropc_tx;
+ return true;
+ }
+
+- err = udp_send(al->rel_us, &peer->v.xor_peer_addr, &data->v.data);
++ if (sa_is_loopback(psa) || sa_is_any(psa))
++ err = EPERM;
++ else
++ err = udp_send(al->rel_us, psa, &data->v.data);
+ if (err)
+ turnd.errc_tx++;
+ else {
+@@ -200,6 +205,7 @@ static bool raw_handler(int proto, const
+ uint16_t numb, len;
+ struct perm *perm;
+ struct chan *chan;
++ const struct sa *psa;
+ int err;
+
+ al = allocation_find(proto, src, dst);
+@@ -219,7 +225,8 @@ static bool raw_handler(int proto, const
+ if (!chan)
+ return false;
+
+- perm = perm_find(al->perms, chan_peer(chan));
++ psa = chan_peer(chan);
++ perm = perm_find(al->perms, psa);
+ if (!perm) {
+ ++al->dropc_tx;
+ return false;
+@@ -227,7 +234,10 @@ static bool raw_handler(int proto, const
+
+ mb->end = mb->pos + len;
+
+- err = udp_send(al->rel_us, chan_peer(chan), mb);
++ if (sa_is_loopback(psa) || sa_is_any(psa))
++ err = EPERM;
++ else
++ err = udp_send(al->rel_us, psa, mb);
+ if (err)
+ turnd.errc_tx++;
+ else {
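Review bot: A peer address rejected by the new loopback/any check is accounted as `turnd.errc_tx++`, the same counter as a genuine send failure, while a missing permission is counted separately in `al->dropc_tx`; an operator looking for attempts to relay into the host or the local network (the CVE-2021-21382 pattern) cannot tell blocked forwards from transport errors. In indication_handler I would treat the rejection like the permission miss, `if (sa_is_loopback(psa) || sa_is_any(psa)) { ++al->dropc_tx; return true; }`, and the same with `return false;` in raw_handler, ideally alongside a log line naming the rejected peer so the event is visible in detection. The 201 and 202 patches in this commit only widen the condition and keep the `err = EPERM` path, so the same accounting point applies to them. Both indication_handler and raw_handler start and end outside the inner hunks shown here.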
diff --git a/net/restund/patches/201-turn-also-don-t-forward-linklocal-addresses.patch b/net/restund/patches/201-turn-also-don-t-forward-linklocal-addresses.patch
new file mode 100644
index 0000000..d8db456
--- /dev/null
+++ b/net/restund/patches/201-turn-also-don-t-forward-linklocal-addresses.patch
@@ -0,0 +1,29 @@
+From e2f4094e23c73d4563a55f0de72244f34bb5b702 Mon Sep 17 00:00:00 2001
+From: Dusan Stevanovic
+Date: Thu, 11 Mar 2021 11:53:50 +0100
+Subject: [PATCH] turn: also don't forward linklocal addresses
+
+---
+ modules/turn/turn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/modules/turn/turn.c
++++ b/modules/turn/turn.c
+@@ -181,7 +181,7 @@ static bool indication_handler(struct re
+ return true;
+ }
+
+- if (sa_is_loopback(psa) || sa_is_any(psa))
++ if (sa_is_loopback(psa) || sa_is_any(psa) || sa_is_linklocal(psa))
+ err = EPERM;
+ else
+ err = udp_send(al->rel_us, psa, &data->v.data);
+@@ -234,7 +234,7 @@ static bool raw_handler(int proto, const
+
+ mb->end = mb->pos + len;
+
+- if (sa_is_loopback(psa) || sa_is_any(psa))
++ if (sa_is_loopback(psa) || sa_is_any(psa) || sa_is_linklocal(psa))
+ err = EPERM;
+ else
+ err = udp_send(al->rel_us, psa, mb);
diff --git a/net/restund/patches/202-turn-block-whole-loopback-range-also-block-broadcast.patch b/net/restund/patches/202-turn-block-whole-loopback-range-also-block-broadcast.patch
new file mode 100644
index 0000000..772ff9a
--- /dev/null
+++ b/net/restund/patches/202-turn-block-whole-loopback-range-also-block-broadcast.patch
@@ -0,0 +1,52 @@
+From 955064fc220b5739010a2e207a8561ea44f974d3 Mon Sep 17 00:00:00 2001
+From: Dusan Stevanovic
+Date: Thu, 11 Mar 2021 13:15:27 +0100
+Subject: [PATCH] turn: block whole loopback range, also block broadcast
+
+---
+ modules/turn/turn.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/modules/turn/turn.c
++++ b/modules/turn/turn.c
+@@ -144,6 +144,22 @@ static bool request_handler(struct restu
+ return true;
+ }
+
++static inline bool is_loopback(const struct sa *sa)
++{
++ return (ntohl(sa->u.in.sin_addr.s_addr) & 0xffffff00) == 0x7f000000;
++}
++
++static inline bool is_broadcast(const struct sa *sa)
++{
++ return ntohl(sa->u.in.sin_addr.s_addr) == 0xffffffff;
++}
++
++static inline bool is_blocked(const struct sa *sa)
++{
++ return is_loopback(sa) || is_broadcast(sa)
++ || sa_is_any(sa) || sa_is_linklocal(sa);
++
++}
+
+ static bool indication_handler(struct restund_msgctx *ctx, int proto,
+ void *sock, const struct sa *src,
+@@ -181,7 +197,7 @@ static bool indication_handler(struct re
+ return true;
+ }
+
+- if (sa_is_loopback(psa) || sa_is_any(psa) || sa_is_linklocal(psa))
++ if (is_blocked(psa))
+ err = EPERM;
+ else
+ err = udp_send(al->rel_us, psa, &data->v.data);
+@@ -234,7 +250,7 @@ static bool raw_handler(int proto, const
+
+ mb->end = mb->pos + len;
+
+- if (sa_is_loopback(psa) || sa_is_any(psa) || sa_is_linklocal(psa))
++ if (is_blocked(psa))
+ err = EPERM;
+ else
+ err = udp_send(al->rel_us, psa, mb);
-- 
2.30.2
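Review bot: `is_loopback` and `is_broadcast` read `sa->u.in.sin_addr.s_addr` without checking the address family, and by swapping `sa_is_loopback(psa)` for `is_blocked(psa)` the hunk removes the library check that presumably also covered the IPv6 loopback; if an IPv6 XOR-PEER-ADDRESS or channel peer can reach these `udp_send` calls, the new helpers examine bytes that are not the address (the `in` member of the union) and `::1` is no longer blocked. I would keep the IPv4-only helpers behind a family check and retain the library test, `return (sa_af(sa) == AF_INET && (is_loopback(sa) || is_broadcast(sa))) || sa_is_loopback(sa) || sa_is_any(sa) || sa_is_linklocal(sa);`. Multicast (224.0.0.0/4) and RFC 1918 ranges are still forwarded by this list; whether they belong on it is a deployment decision, but a one-line comment above `is_blocked` stating that it exists to stop the relay from being pointed at the host or its local network would make that choice reviewable. The blank line before the closing brace of `is_blocked` is stray. The three helpers are complete in the hunk; indication_handler and raw_handler continue outside it.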