author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-11-03 11:19:31 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-11-12 10:41:59 -0500 |
commit | 026fcadc2e2a270e0942554dea785f4ecf1c5959 (patch) | |
tree | 903af7568de4275351b03fed42b84852244b24fb | |
parent | 7c74ee839d65e71ffd2e8aaf8fb34cfa7ab9529d (diff) | |
wireshark: Fix CVE-2023-3649
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch | 231 | ||||
-rw-r--r-- | meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb | 1 |
2 files changed, 232 insertions, 0 deletions
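--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch
@@ -0,0 +1,231 @@
+From 75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 24 Jun 2023 00:34:50 -0400
+Subject: [PATCH] iscsi: Check bounds when extracting TargetAddress
+
+Use tvb_ functions that do bounds checking when parsing the
+TargetAddress string, instead of incrementing a pointer to an
+extracted char* and sometimes accidentally overrunning the
+string.
+
+While we're there, go ahead and add support for IPv6 addresses.
+
+Fix #19164
+
+(backported from commit 94349bbdaeb384b12d554dd65e7be7ceb0e93d21)
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c]
+CVE: CVE-2023-3649
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+epan/dissectors/packet-iscsi.c | 146 +++++++++++++++++----------------
+1 file changed, 75 insertions(+), 71 deletions(-)
+
+diff --git a/epan/dissectors/packet-iscsi.c b/epan/dissectors/packet-iscsi.c
+index 8a80f49..08f44a8 100644
+--- a/epan/dissectors/packet-iscsi.c
++++ b/epan/dissectors/packet-iscsi.c
+@@ -20,8 +20,6 @@
+
+#include "config.h"
+
+-#include <stdio.h>
+-
+#include <epan/packet.h>
+#include <epan/prefs.h>
+#include <epan/conversation.h>
+@@ -29,6 +27,7 @@
+#include "packet-scsi.h"
+#include <epan/crc32-tvb.h>
+#include <wsutil/crc32.h>
++#include <wsutil/inet_addr.h>
+#include <wsutil/strtoi.h>
+
+void proto_register_iscsi(void);
+@@ -512,70 +511,81 @@ typedef struct _iscsi_conv_data {
+dissector for the address/port that TargetAddress points to.
+(it starts to be common to use redirectors to point to non-3260 ports)
+*/
++static address null_address = ADDRESS_INIT_NONE;
++
+static void
+-iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, char *val, guint offset)
++iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, guint offset)
+{
+- address *addr = NULL;
++ address addr = ADDRESS_INIT_NONE;
+guint16 port;
+- char *value = wmem_strdup(wmem_packet_scope(), val);
+- char *p = NULL, *pgt = NULL;
+-
+- if (value[0] == '[') {
+- /* this looks like an ipv6 address */
+- p = strchr(value, ']');
+- if (p != NULL) {
+- *p = 0;
+- p += 2; /* skip past "]:" */
+-
+- pgt = strchr(p, ',');
+- if (pgt != NULL) {
+- *pgt++ = 0;
+- }
++ int colon_offset;
++ int end_offset;
++ char *ip_str, *port_str;
++
++ colon_offset = tvb_find_guint8(tvb, offset, -1, ':');
++ if (colon_offset == -1) {
++ /* RFC 7143 13.8 TargetAddress "If the TCP port is not specified,
++ * it is assumed to be the IANA-assigned default port for iSCSI",
++ * so nothing to do here.
++ */
++ return;
++ }
+
+- /* can't handle ipv6 yet */
++ /* We found a colon, so there's at least one byte and this won't fail. */
++ if (tvb_get_guint8(tvb, offset) == '[') {
++ offset++;
++ /* could be an ipv6 address */
++ end_offset = tvb_find_guint8(tvb, offset, -1, ']');
++ if (end_offset == -1) {
++ return;
+}
+- } else {
+- /* This is either a ipv4 address or a dns name */
+- int i0,i1,i2,i3;
+- if (sscanf(value, "%d.%d.%d.%d", &i0,&i1,&i2,&i3) == 4) {
+- /* looks like a ipv4 address */
+- p = strchr(value, ':');
+- if (p != NULL) {
+- char *addr_data;
+-
+- *p++ = 0;
+-
+- pgt = strchr(p, ',');
+- if (pgt != NULL) {
+- *pgt++ = 0;
+- }
+
+- addr_data = (char *) wmem_alloc(wmem_packet_scope(), 4);
+- addr_data[0] = i0;
+- addr_data[1] = i1;
+- addr_data[2] = i2;
+- addr_data[3] = i3;
+-
+- addr = wmem_new(wmem_packet_scope(), address);
+- addr->type = AT_IPv4;
+- addr->len = 4;
+- addr->data = addr_data;
++ /* look for the colon before the port, if any */
++ colon_offset = tvb_find_guint8(tvb, end_offset, -1, ':');
++ if (colon_offset == -1) {
++ return;
++ }
+
+- if (!ws_strtou16(p, NULL, &port)) {
+- proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid,
+- tvb, offset + (guint)strlen(value), (guint)strlen(p), "Invalid port: %s", p);
+- }
+- }
++ ws_in6_addr *ip6_addr = wmem_new(pinfo->pool, ws_in6_addr);
++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, end_offset - offset, ENC_ASCII);
++ if (ws_inet_pton6(ip_str, ip6_addr)) {
++ /* looks like a ipv6 address */
++ set_address(&addr, AT_IPv6, sizeof(ws_in6_addr), ip6_addr);
++ }
+
++ } else {
++ /* This is either a ipv4 address or a dns name */
++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, colon_offset - offset, ENC_ASCII);
++ ws_in4_addr *ip4_addr = wmem_new(pinfo->pool, ws_in4_addr);
++ if (ws_inet_pton4(ip_str, ip4_addr)) {
++ /* looks like a ipv4 address */
++ set_address(&addr, AT_IPv4, 4, ip4_addr);
+}
++ /* else a DNS host name; we could, theoretically, try to use
++ * name resolution information in the capture to lookup the address.
++ */
+}
+
++ /* Extract the port */
++ end_offset = tvb_find_guint8(tvb, colon_offset, -1, ',');
++ int port_len;
++ if (end_offset == -1) {
++ port_len = tvb_reported_length_remaining(tvb, colon_offset + 1);
++ } else {
++ port_len = end_offset - (colon_offset + 1);
++ }
++ port_str = tvb_get_string_enc(pinfo->pool, tvb, colon_offset + 1, port_len, ENC_ASCII);
++ if (!ws_strtou16(port_str, NULL, &port)) {
++ proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid,
++ tvb, colon_offset + 1, port_len, "Invalid port: %s", port_str);
++ return;
++ }
+
+/* attach a conversation dissector to this address/port tuple */
+- if (addr && !pinfo->fd->visited) {
++ if (!addresses_equal(&addr, &null_address) && !pinfo->fd->visited) {
+conversation_t *conv;
+
+- conv = conversation_new(pinfo->num, addr, addr, ENDPOINT_TCP, port, port, NO_ADDR2|NO_PORT2);
++ conv = conversation_new(pinfo->num, &addr, &null_address, ENDPOINT_TCP, port, 0, NO_ADDR2|NO_PORT2);
+if (conv == NULL) {
+return;
+}
+@@ -587,30 +597,24 @@ iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree,
+static gint
+addTextKeys(packet_info *pinfo, proto_tree *tt, tvbuff_t *tvb, gint offset, guint32 text_len) {
+const gint limit = offset + text_len;
++ tvbuff_t *keyvalue_tvb;
++ int len, value_offset;
+
+while(offset < limit) {
+- char *key = NULL, *value = NULL;
+- gint len = tvb_strnlen(tvb, offset, limit - offset);
+-
+- if(len == -1) {
+- len = limit - offset;
+- } else {
+- len = len + 1;
+- }
+-
+- key = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_ASCII);
+- if (key == NULL) {
+- break;
+- }
+- value = strchr(key, '=');
+- if (value == NULL) {
++ /* RFC 7143 6.1 Text Format: "Every key=value pair, including the
++ * last or only pair in a LTDS, MUST be followed by one null (0x00)
++ * delimiter.
++ */
++ proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len);
++ keyvalue_tvb = tvb_new_subset_length(tvb, offset, len);
++ value_offset = tvb_find_guint8(keyvalue_tvb, 0, len, '=');
++ if (value_offset == -1) {
+break;
+}
+- *value++ = 0;
++ value_offset++;
+
+- proto_tree_add_item(tt, hf_iscsi_KeyValue, tvb, offset, len, ENC_ASCII|ENC_NA);
+- if (!strcmp(key, "TargetAddress")) {
+- iscsi_dissect_TargetAddress(pinfo, tvb, tt, value, offset + (guint)strlen("TargetAddress") + 2);
++ if (tvb_strneql(keyvalue_tvb, 0, "TargetAddress=", strlen("TargetAddress=")) == 0) {
++ iscsi_dissect_TargetAddress(pinfo, keyvalue_tvb, tt, value_offset);
+}
+
+offset += len;
+@@ -2941,7 +2945,7 @@ proto_register_iscsi(void)
+},
+{ &hf_iscsi_KeyValue,
+{ "KeyValue", "iscsi.keyvalue",
+- FT_STRING, BASE_NONE, NULL, 0,
++ FT_STRINGZ, BASE_NONE, NULL, 0,
+"Key/value pair", HFILL }
+},
+{ &hf_iscsi_Text_F,
+--
+2.25.1
+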
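Review bot: In `addTextKeys` the new `proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len)` call searches for the terminating NUL across the whole tvb, whereas the removed `tvb_strnlen(tvb, offset, limit - offset)` stopped at `limit`. The tvb accessors keep this memory-safe, but if the tvb handed in by the caller (outside this hunk) extends past `text_len`, a pair with no NUL inside the text segment would be dissected into whatever follows it, and a pair with no NUL at all would presumably raise a bounds exception instead of being shown as before. A check such as `if (len > limit - offset) break;` right after the call, ideally paired with an expert item, would keep the declared text length as the bound. Because this file is a verbatim upstream backport, that change belongs upstream rather than in the recipe's copy. The body of `addTextKeys` continues past the end of the hunk.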
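--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
 file://CVE-2023-0667.patch \
 file://CVE-2023-0668.patch \
 file://CVE-2023-2906.patch \
+file://CVE-2023-3649.patch \
 "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
 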