[AUTO-CHERRYPICK] iperf3: address CVE-2024-53580 - branch 3.0-dev (#11869)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 22d5fc19c895 · 2025-01-13T10:52:40.000-05:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/iperf3/CVE-2024-53580.patch b/SPECS/iperf3/CVE-2024-53580.patch
@@ -0,0 +1,287 @@
+From 837c1f9389fc64938a6081517c34a749a11692b0 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Tue, 31 Dec 2024 09:23:23 +0000
+Subject: [PATCH] Fix CVE-2024-53580
+
+---
+ src/iperf_api.c   | 98 +++++++++++++++++++++++------------------------
+ src/iperf_error.c |  6 +--
+ src/iperf_util.c  | 36 +++++++++++++++++
+ src/iperf_util.h  |  1 +
+ 4 files changed, 89 insertions(+), 52 deletions(-)
+
+diff --git a/src/iperf_api.c b/src/iperf_api.c
+index 7fb741e..bb3be92 100644
+--- a/src/iperf_api.c
++++ b/src/iperf_api.c
+@@ -2308,72 +2308,72 @@ get_parameters(struct iperf_test *test)
+             cJSON_free(str);
+ 	}
+ 
+-	if ((j_p = cJSON_GetObjectItem(j, "tcp")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "tcp", cJSON_True)) != NULL)
+ 	    set_protocol(test, Ptcp);
+-	if ((j_p = cJSON_GetObjectItem(j, "udp")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "udp", cJSON_True)) != NULL)
+ 	    set_protocol(test, Pudp);
+-        if ((j_p = cJSON_GetObjectItem(j, "sctp")) != NULL)
++        if ((j_p = iperf_cJSON_GetObjectItemType(j, "sctp", cJSON_True)) != NULL)
+             set_protocol(test, Psctp);
+-	if ((j_p = cJSON_GetObjectItem(j, "omit")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "omit", cJSON_Number)) != NULL)
+ 	    test->omit = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "server_affinity")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "server_affinity", cJSON_Number)) != NULL)
+ 	    test->server_affinity = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "time")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "time", cJSON_Number)) != NULL)
+ 	    test->duration = j_p->valueint;
+         test->settings->bytes = 0;
+-	if ((j_p = cJSON_GetObjectItem(j, "num")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "num", cJSON_Number)) != NULL)
+ 	    test->settings->bytes = j_p->valueint;
+         test->settings->blocks = 0;
+-	if ((j_p = cJSON_GetObjectItem(j, "blockcount")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "blockcount", cJSON_Number)) != NULL)
+ 	    test->settings->blocks = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "MSS")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "MSS", cJSON_Number)) != NULL)
+ 	    test->settings->mss = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "nodelay")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "nodelay", cJSON_True)) != NULL)
+ 	    test->no_delay = 1;
+-	if ((j_p = cJSON_GetObjectItem(j, "parallel")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "parallel", cJSON_Number)) != NULL)
+ 	    test->num_streams = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "reverse")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "reverse", cJSON_True)) != NULL)
+ 	    iperf_set_test_reverse(test, 1);
+-        if ((j_p = cJSON_GetObjectItem(j, "bidirectional")) != NULL)
++        if ((j_p = iperf_cJSON_GetObjectItemType(j, "bidirectional", cJSON_True)) != NULL)
+             iperf_set_test_bidirectional(test, 1);
+-	if ((j_p = cJSON_GetObjectItem(j, "window")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "window", cJSON_Number)) != NULL)
+ 	    test->settings->socket_bufsize = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "len")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "len", cJSON_Number)) != NULL)
+ 	    test->settings->blksize = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "bandwidth")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "bandwidth", cJSON_Number)) != NULL)
+ 	    test->settings->rate = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "fqrate")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "fqrate", cJSON_Number)) != NULL)
+ 	    test->settings->fqrate = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "pacing_timer")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "pacing_timer", cJSON_Number)) != NULL)
+ 	    test->settings->pacing_timer = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "burst")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "burst", cJSON_Number)) != NULL)
+ 	    test->settings->burst = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "TOS")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "TOS", cJSON_Number)) != NULL)
+ 	    test->settings->tos = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "flowlabel")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "flowlabel", cJSON_Number)) != NULL)
+ 	    test->settings->flowlabel = j_p->valueint;
+-	if ((j_p = cJSON_GetObjectItem(j, "title")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "title", cJSON_String)) != NULL)
+ 	    test->title = strdup(j_p->valuestring);
+-	if ((j_p = cJSON_GetObjectItem(j, "extra_data")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "extra_data", cJSON_String)) != NULL)
+ 	    test->extra_data = strdup(j_p->valuestring);
+-	if ((j_p = cJSON_GetObjectItem(j, "congestion")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "congestion", cJSON_String)) != NULL)
+ 	    test->congestion = strdup(j_p->valuestring);
+-	if ((j_p = cJSON_GetObjectItem(j, "congestion_used")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "congestion_used", cJSON_String)) != NULL)
+ 	    test->congestion_used = strdup(j_p->valuestring);
+-	if ((j_p = cJSON_GetObjectItem(j, "get_server_output")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "get_server_output", cJSON_Number)) != NULL)
+ 	    iperf_set_test_get_server_output(test, 1);
+-	if ((j_p = cJSON_GetObjectItem(j, "udp_counters_64bit")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "udp_counters_64bit", cJSON_Number)) != NULL)
+ 	    iperf_set_test_udp_counters_64bit(test, 1);
+-	if ((j_p = cJSON_GetObjectItem(j, "repeating_payload")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "repeating_payload", cJSON_Number)) != NULL)
+ 	    test->repeating_payload = 1;
+-	if ((j_p = cJSON_GetObjectItem(j, "zerocopy")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "zerocopy", cJSON_Number)) != NULL)
+ 	    test->zerocopy = j_p->valueint;
+ #if defined(HAVE_DONT_FRAGMENT)
+-	if ((j_p = cJSON_GetObjectItem(j, "dont_fragment")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "dont_fragment", cJSON_Number)) != NULL)
+ 	    test->settings->dont_fragment = j_p->valueint;
+ #endif /* HAVE_DONT_FRAGMENT */
+ #if defined(HAVE_SSL)
+-	if ((j_p = cJSON_GetObjectItem(j, "authtoken")) != NULL)
++	if ((j_p = iperf_cJSON_GetObjectItemType(j, "authtoken", cJSON_String)) != NULL)
+         test->settings->authtoken = strdup(j_p->valuestring);
+ #endif //HAVE_SSL
+ 	if (test->mode && test->protocol->id == Ptcp && has_tcpinfo_retransmits())
+@@ -2532,10 +2532,10 @@ get_results(struct iperf_test *test)
+ 	i_errno = IERECVRESULTS;
+         r = -1;
+     } else {
+-	j_cpu_util_total = cJSON_GetObjectItem(j, "cpu_util_total");
+-	j_cpu_util_user = cJSON_GetObjectItem(j, "cpu_util_user");
+-	j_cpu_util_system = cJSON_GetObjectItem(j, "cpu_util_system");
+-	j_sender_has_retransmits = cJSON_GetObjectItem(j, "sender_has_retransmits");
++	j_cpu_util_total = iperf_cJSON_GetObjectItemType(j, "cpu_util_total", cJSON_Number);
++	j_cpu_util_user = iperf_cJSON_GetObjectItemType(j, "cpu_util_user", cJSON_Number);
++	j_cpu_util_system = iperf_cJSON_GetObjectItemType(j, "cpu_util_system", cJSON_Number);
++	j_sender_has_retransmits = iperf_cJSON_GetObjectItemType(j, "sender_has_retransmits", cJSON_Number);
+ 	if (j_cpu_util_total == NULL || j_cpu_util_user == NULL || j_cpu_util_system == NULL || j_sender_has_retransmits == NULL) {
+ 	    i_errno = IERECVRESULTS;
+ 	    r = -1;
+@@ -2557,7 +2557,7 @@ get_results(struct iperf_test *test)
+ 	    else if ( test->mode == BIDIRECTIONAL )
+ 	        test->other_side_has_retransmits = result_has_retransmits;
+ 
+-	    j_streams = cJSON_GetObjectItem(j, "streams");
++	    j_streams = iperf_cJSON_GetObjectItemType(j, "streams", cJSON_Array);
+ 	    if (j_streams == NULL) {
+ 		i_errno = IERECVRESULTS;
+ 		r = -1;
+@@ -2569,16 +2569,16 @@ get_results(struct iperf_test *test)
+ 			i_errno = IERECVRESULTS;
+ 			r = -1;
+ 		    } else {
+-			j_id = cJSON_GetObjectItem(j_stream, "id");
+-			j_bytes = cJSON_GetObjectItem(j_stream, "bytes");
+-			j_retransmits = cJSON_GetObjectItem(j_stream, "retransmits");
+-			j_jitter = cJSON_GetObjectItem(j_stream, "jitter");
+-			j_errors = cJSON_GetObjectItem(j_stream, "errors");
+-                        j_omitted_errors = cJSON_GetObjectItem(j_stream, "omitted_errors");
+-			j_packets = cJSON_GetObjectItem(j_stream, "packets");
+-                        j_omitted_packets = cJSON_GetObjectItem(j_stream, "omitted_packets");
+-			j_start_time = cJSON_GetObjectItem(j_stream, "start_time");
+-			j_end_time = cJSON_GetObjectItem(j_stream, "end_time");
++			j_id = iperf_cJSON_GetObjectItemType(j_stream, "id", cJSON_Number);
++			j_bytes = iperf_cJSON_GetObjectItemType(j_stream, "bytes", cJSON_Number);
++			j_retransmits = iperf_cJSON_GetObjectItemType(j_stream, "retransmits", cJSON_Number);
++			j_jitter = iperf_cJSON_GetObjectItemType(j_stream, "jitter", cJSON_Number);
++			j_errors = iperf_cJSON_GetObjectItemType(j_stream, "errors", cJSON_Number);
++                        j_omitted_errors = iperf_cJSON_GetObjectItemType(j_stream, "omitted_errors", cJSON_Number);
++			j_packets = iperf_cJSON_GetObjectItemType(j_stream, "packets", cJSON_Number);
++                        j_omitted_packets = iperf_cJSON_GetObjectItemType(j_stream, "omitted_packets", cJSON_Number);
++			j_start_time = iperf_cJSON_GetObjectItemType(j_stream, "start_time", cJSON_Number);
++			j_end_time = iperf_cJSON_GetObjectItemType(j_stream, "end_time", cJSON_Number);
+ 			if (j_id == NULL || j_bytes == NULL || j_retransmits == NULL || j_jitter == NULL || j_errors == NULL || j_packets == NULL) {
+ 			    i_errno = IERECVRESULTS;
+ 			    r = -1;
+@@ -2667,7 +2667,7 @@ get_results(struct iperf_test *test)
+ 		    }
+ 		    else {
+ 			/* No JSON, look for textual output.  Make a copy of the text for later. */
+-			j_server_output = cJSON_GetObjectItem(j, "server_output_text");
++			j_server_output = iperf_cJSON_GetObjectItemType(j, "server_output_text", cJSON_String);
+ 			if (j_server_output != NULL) {
+ 			    test->server_output_text = strdup(j_server_output->valuestring);
+ 			}
+@@ -2676,7 +2676,7 @@ get_results(struct iperf_test *test)
+ 	    }
+ 	}
+ 
+-	j_remote_congestion_used = cJSON_GetObjectItem(j, "congestion_used");
++	j_remote_congestion_used = iperf_cJSON_GetObjectItemType(j, "congestion_used", cJSON_String);
+ 	if (j_remote_congestion_used != NULL) {
+ 	    test->remote_congestion_used = strdup(j_remote_congestion_used->valuestring);
+ 	}
+@@ -4878,7 +4878,7 @@ iperf_json_finish(struct iperf_test *test)
+ 
+         /* --json-stream, so we print various individual objects */
+         if (test->json_stream) {
+-            cJSON *error = cJSON_GetObjectItem(test->json_top, "error");
++            cJSON *error = iperf_cJSON_GetObjectItemType(test->json_top, "error", cJSON_String);
+             if (error) {
+                 JSONStream_Output(test, "error", error);
+             }
+diff --git a/src/iperf_error.c b/src/iperf_error.c
+index 0fedf31..3cb9b45 100644
+--- a/src/iperf_error.c
++++ b/src/iperf_error.c
+@@ -60,11 +60,11 @@ iperf_err(struct iperf_test *test, const char *format, ...)
+     if (test != NULL && test->json_output && test->json_top != NULL)
+ 	cJSON_AddStringToObject(test->json_top, "error", str);
+     else {
+-        if (pthread_mutex_lock(&(test->print_mutex)) != 0) {
++        if (test != NULL && pthread_mutex_lock(&(test->print_mutex)) != 0) {
+             perror("iperf_err: pthread_mutex_lock");
+         }
+ 
+-	if (test && test->outfile && test->outfile != stdout) {
++	if (test != NULL && test->outfile != NULL && test->outfile != stdout) {
+ 	    if (ct) {
+ 		fprintf(test->outfile, "%s", ct);
+ 	    }
+@@ -77,7 +77,7 @@ iperf_err(struct iperf_test *test, const char *format, ...)
+ 	    fprintf(stderr, "iperf3: %s\n", str);
+ 	}
+ 
+-        if (pthread_mutex_unlock(&(test->print_mutex)) != 0) {
++        if (test != NULL && pthread_mutex_unlock(&(test->print_mutex)) != 0) {
+             perror("iperf_err: pthread_mutex_unlock");
+         }
+ 
+diff --git a/src/iperf_util.c b/src/iperf_util.c
+index 81e8da1..a8a32e1 100644
+--- a/src/iperf_util.c
++++ b/src/iperf_util.c
+@@ -430,6 +430,42 @@ iperf_json_printf(const char *format, ...)
+     return o;
+ }
+ 
++/********************** cJSON GetObjectItem w/ Type Helper ********************/
++cJSON * iperf_cJSON_GetObjectItemType(cJSON * j, char * item_string, int expected_type){
++    cJSON *j_p;
++    if((j_p = cJSON_GetObjectItem(j, item_string)) != NULL)
++        switch(expected_type){
++        case cJSON_True:
++            if(cJSON_IsBool(j_p))
++                return j_p;
++            else
++                iperf_err(NULL, "iperf_cJSON_GetObjectItemType mismatch %s", item_string);
++            break;
++        case cJSON_String:
++            if(cJSON_IsString(j_p))
++                return j_p;
++            else
++                iperf_err(NULL, "iperf_cJSON_GetObjectItemType mismatch %s", item_string);
++            break;
++        case cJSON_Number:
++            if(cJSON_IsNumber(j_p))
++                return j_p;
++            else
++                iperf_err(NULL, "iperf_cJSON_GetObjectItemType mismatch %s", item_string);
++            break;
++        case cJSON_Array:
++            if(cJSON_IsArray(j_p))
++                return j_p;
++            else
++                iperf_err(NULL, "iperf_cJSON_GetObjectItemType mismatch %s", item_string);
++            break;
++        default:
++            iperf_err(NULL, "unsupported type");
++	}
++
++    return NULL;
++}
++
+ /* Debugging routine to dump out an fd_set. */
+ void
+ iperf_dump_fdset(FILE *fp, const char *str, int nfds, fd_set *fds)
+diff --git a/src/iperf_util.h b/src/iperf_util.h
+index b109af2..c39a1f7 100644
+--- a/src/iperf_util.h
++++ b/src/iperf_util.h
+@@ -53,6 +53,7 @@ const char* get_system_info(void);
+ const char* get_optional_features(void);
+ 
+ cJSON* iperf_json_printf(const char *format, ...);
++cJSON * iperf_cJSON_GetObjectItemType(cJSON * j_p, char * item_string, int expected_type);
+ 
+ void iperf_dump_fdset(FILE *fp, const char *str, int nfds, fd_set *fds);
+ 
+-- 
+2.45.2
+
diff --git a/SPECS/iperf3/iperf3.spec b/SPECS/iperf3/iperf3.spec
@@ -1,14 +1,15 @@
 Summary:        A network performance benchmark tool.
 Name:           iperf3
 Version:        3.17.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD and MIT and Public Domain
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Applications/System
 URL:            https://github.com/esnet/iperf
 Source0:        https://github.com/esnet/iperf/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch1:         disablepg.patch
+Patch2:         CVE-2024-53580.patch
 BuildRequires:  autoconf >= 2.71
 BuildRequires:  automake
 
@@ -66,6 +67,9 @@ make %{?_smp_mflags} check
 %{_mandir}/man3/libiperf.3.gz
 
 %changelog
+* Tue Dec 31 2024 Kanishk Bansal <kanbansal@microsoft.com> - 3.17.1-2
+- Address CVE-2024-53580 using an upstream patch.
+
 * Fri Aug 09 2024 Muhammad Falak <mwani@microsoft.com> - 3.17.1-1
 - Update version to 3.17.1 to address CVE-2024-26306
 
