diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-03-28 11:49:02 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2024-04-25 08:27:27 -0400 |
commit | 850da18f9cf3aeb8416e4bb22917053b8709d69f (patch) | |
tree | a90b401f4f388e20be396048c663c06aa1d01469 | |
parent | bf0da59a92e9b9b10ec5e9de4f21daab7499dbd8 (diff) | |
download | meta-openembedded-850da18f9cf3aeb8416e4bb22917053b8709d69f.tar.gz |
wireshark: Fix for CVE-2023-4511
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch | 81 | ||||
-rw-r--r-- | meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb | 1 |
2 files changed, 82 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch new file mode 100644 index 000000000..fbbdf0cfc --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch | |||
@@ -0,0 +1,81 @@ | |||
1 | From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001 | ||
2 | From: John Thacker <johnthacker@gmail.com> | ||
3 | Date: Thu, 10 Aug 2023 05:29:09 -0400 | ||
4 | Subject: [PATCH] btsdp: Keep offset advancing | ||
5 | |||
6 | hf_data_element_value is a FT_NONE, so we can add the item with | ||
7 | the expected length and get_hfi_length() will adjust the length | ||
8 | without throwing an exception. There's no need to add it with | ||
9 | zero length and call proto_item_set_len. Also, don't increment | ||
10 | the offset by 0 instead of the real length when there isn't | ||
11 | enough data in the packet, as that can lead to failing to advance | ||
12 | the offset. | ||
13 | |||
14 | When dissecting a sequence type (sequence or alternative) and | ||
15 | recursing into the sequence member, instead of using the main | ||
16 | packet tvb directly, create a subset using the indicated length | ||
17 | of the sequence. That will properly throw an exception if a | ||
18 | contained item is larger than the containing sequence, instead of | ||
19 | dissecting the same bytes as several different items (inside | ||
20 | the sequence recursively, as well in the outer loop.) | ||
21 | |||
22 | Fix #19258 | ||
23 | |||
24 | Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9] | ||
25 | CVE: CVE-2023-4511 | ||
26 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
27 | --- | ||
28 | epan/dissectors/packet-btsdp.c | 15 ++++++++------- | ||
29 | 1 file changed, 8 insertions(+), 7 deletions(-) | ||
30 | |||
31 | diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c | ||
32 | index 529bb71..f18d531 100644 | ||
33 | --- a/epan/dissectors/packet-btsdp.c | ||
34 | +++ b/epan/dissectors/packet-btsdp.c | ||
35 | @@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree, | ||
36 | offset += len - length; | ||
37 | } | ||
38 | |||
39 | - pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA); | ||
40 | + pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA); | ||
41 | if (length > tvb_reported_length_remaining(tvb, offset)) { | ||
42 | expert_add_info(pinfo, pitem, &ei_data_element_value_large); | ||
43 | - length = 0; | ||
44 | - } | ||
45 | - proto_item_set_len(pitem, length); | ||
46 | - if (length == 0) | ||
47 | + proto_item_append_text(pitem, ": MISSING"); | ||
48 | + } else if (length == 0) | ||
49 | proto_item_append_text(pitem, ": MISSING"); | ||
50 | |||
51 | if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value); | ||
52 | @@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, | ||
53 | gint bytes_to_go = size; | ||
54 | gint first = 1; | ||
55 | wmem_strbuf_t *substr; | ||
56 | + tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size); | ||
57 | + gint next_offset = 0; | ||
58 | |||
59 | ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative, | ||
60 | tvb, offset, size, ENC_NA); | ||
61 | @@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, | ||
62 | first = 0; | ||
63 | } | ||
64 | |||
65 | - size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid, | ||
66 | + size = dissect_sdp_type(st, pinfo, next_tvb, next_offset, | ||
67 | + attribute, service_uuid, | ||
68 | service_did_vendor_id, service_did_vendor_id_source, | ||
69 | service_hdp_data_exchange_specification, service_info, &substr); | ||
70 | if (size < 1) { | ||
71 | break; | ||
72 | } | ||
73 | wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr)); | ||
74 | - offset += size ; | ||
75 | + next_offset += size; | ||
76 | bytes_to_go -= size; | ||
77 | } | ||
78 | |||
79 | -- | ||
80 | 2.25.1 | ||
81 | |||
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index 8054cbb5a..8af0e6aa5 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb | |||
@@ -23,6 +23,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz | |||
23 | file://CVE-2022-4345.patch \ | 23 | file://CVE-2022-4345.patch \ |
24 | file://CVE-2024-0208.patch \ | 24 | file://CVE-2024-0208.patch \ |
25 | file://CVE-2023-1992.patch \ | 25 | file://CVE-2023-1992.patch \ |
26 | file://CVE-2023-4511.patch \ | ||
26 | " | 27 | " |
27 | UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" | 28 | UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" |
28 | 29 | ||