wireshark: Fix for CVE-2023-4511

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-03-28 11:49:02 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-04-25 08:27:27 -0400
commit: 850da18f9cf3aeb8416e4bb22917053b8709d69f (patch)
tree: a90b401f4f388e20be396048c663c06aa1d01469
parent: bf0da59a92e9b9b10ec5e9de4f21daab7499dbd8 (diff)
download: meta-openembedded-850da18f9cf3aeb8416e4bb22917053b8709d69f.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch
new file mode 100644
index 000000000..fbbdf0cfc
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch
@@ -0,0 +1,81 @@
+From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 10 Aug 2023 05:29:09 -0400
+Subject: [PATCH] btsdp: Keep offset advancing
+hf_data_element_value is a FT_NONE, so we can add the item with
+the expected length and get_hfi_length() will adjust the length
+without throwing an exception. There's no need to add it with
+zero length and call proto_item_set_len. Also, don't increment
+the offset by 0 instead of the real length when there isn't
+enough data in the packet, as that can lead to failing to advance
+the offset.
+When dissecting a sequence type (sequence or alternative) and
+recursing into the sequence member, instead of using the main
+packet tvb directly, create a subset using the indicated length
+of the sequence. That will properly throw an exception if a
+contained item is larger than the containing sequence, instead of
+dissecting the same bytes as several different items (inside
+the sequence recursively, as well in the outer loop.)
+Fix #19258
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9]
+CVE: CVE-2023-4511
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ epan/dissectors/packet-btsdp.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
+index 529bb71..f18d531 100644
+--- a/epan/dissectors/packet-btsdp.c
+++ b/epan/dissectors/packet-btsdp.c
+@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree,
+         offset += len - length;
+     }
+ 
+-    pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset,  0, ENC_NA);
+    pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset,  length, ENC_NA);
+     if (length > tvb_reported_length_remaining(tvb, offset)) {
+         expert_add_info(pinfo, pitem, &ei_data_element_value_large);
+-        length = 0;
+-    }
+-    proto_item_set_len(pitem, length);
+-    if (length == 0)
+       proto_item_append_text(pitem, ": MISSING");
+    } else if (length == 0)
+         proto_item_append_text(pitem, ": MISSING");
+ 
+     if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value);
+@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
+         gint           bytes_to_go = size;
+         gint           first       = 1;
+         wmem_strbuf_t *substr;
+        tvbuff_t      *next_tvb = tvb_new_subset_length(tvb, offset, size);
+       gint           next_offset = 0;
+ 
+         ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative,
+                 tvb, offset, size, ENC_NA);
+@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
+                 first = 0;
+             }
+ 
+-            size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid,
+            size = dissect_sdp_type(st, pinfo, next_tvb, next_offset,
+                   attribute, service_uuid,
+                     service_did_vendor_id, service_did_vendor_id_source,
+                     service_hdp_data_exchange_specification, service_info, &substr);
+             if (size < 1) {
+                 break;
+             }
+             wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
+-            offset += size ;
+            next_offset += size;
+             bytes_to_go -= size;
+         }
+ 
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index 8054cbb5a..8af0e6aa5 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
           file://CVE-2022-4345.patch \
           file://CVE-2024-0208.patch \
           file://CVE-2023-1992.patch \
+           file://CVE-2023-4511.patch \
           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-03-28 11:49:02 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-04-25 08:27:27 -0400
commit	850da18f9cf3aeb8416e4bb22917053b8709d69f (patch)
tree	a90b401f4f388e20be396048c663c06aa1d01469
parent	bf0da59a92e9b9b10ec5e9de4f21daab7499dbd8 (diff)
download	meta-openembedded-850da18f9cf3aeb8416e4bb22917053b8709d69f.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch new file mode 100644 index 000000000..fbbdf0cfc --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch
@@ -0,0 +1,81 @@
		1	From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001
		2	From: John Thacker <johnthacker@gmail.com>
		3	Date: Thu, 10 Aug 2023 05:29:09 -0400
		4	Subject: [PATCH] btsdp: Keep offset advancing
		5
		6	hf_data_element_value is a FT_NONE, so we can add the item with
		7	the expected length and get_hfi_length() will adjust the length
		8	without throwing an exception. There's no need to add it with
		9	zero length and call proto_item_set_len. Also, don't increment
		10	the offset by 0 instead of the real length when there isn't
		11	enough data in the packet, as that can lead to failing to advance
		12	the offset.
		13
		14	When dissecting a sequence type (sequence or alternative) and
		15	recursing into the sequence member, instead of using the main
		16	packet tvb directly, create a subset using the indicated length
		17	of the sequence. That will properly throw an exception if a
		18	contained item is larger than the containing sequence, instead of
		19	dissecting the same bytes as several different items (inside
		20	the sequence recursively, as well in the outer loop.)
		21
		22	Fix #19258
		23
		24	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9]
		25	CVE: CVE-2023-4511
		26	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		27	---
		28	epan/dissectors/packet-btsdp.c \| 15 ++++++++-------
		29	1 file changed, 8 insertions(+), 7 deletions(-)
		30
		31	diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
		32	index 529bb71..f18d531 100644
		33	--- a/epan/dissectors/packet-btsdp.c
		34	+++ b/epan/dissectors/packet-btsdp.c
		35	@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree tree, proto_tree *next_tree,
		36	offset += len - length;
		37	}
		38
		39	- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA);
		40	+ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA);
		41	if (length > tvb_reported_length_remaining(tvb, offset)) {
		42	expert_add_info(pinfo, pitem, &ei_data_element_value_large);
		43	- length = 0;
		44	- }
		45	- proto_item_set_len(pitem, length);
		46	- if (length == 0)
		47	+ proto_item_append_text(pitem, ": MISSING");
		48	+ } else if (length == 0)
		49	proto_item_append_text(pitem, ": MISSING");
		50
		51	if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value);
		52	@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree tree, packet_info pinfo, tvbuff_t *tvb,
		53	gint bytes_to_go = size;
		54	gint first = 1;
		55	wmem_strbuf_t *substr;
		56	+ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size);
		57	+ gint next_offset = 0;
		58
		59	ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative,
		60	tvb, offset, size, ENC_NA);
		61	@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree tree, packet_info pinfo, tvbuff_t *tvb,
		62	first = 0;
		63	}
		64
		65	- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid,
		66	+ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset,
		67	+ attribute, service_uuid,
		68	service_did_vendor_id, service_did_vendor_id_source,
		69	service_hdp_data_exchange_specification, service_info, &substr);
		70	if (size < 1) {
		71	break;
		72	}
		73	wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
		74	- offset += size ;
		75	+ next_offset += size;
		76	bytes_to_go -= size;
		77	}
		78
		79	--
		80	2.25.1
		81


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index 8054cbb5a..8af0e6aa5 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
23	file://CVE-2022-4345.patch \	23	file://CVE-2022-4345.patch \
24	file://CVE-2024-0208.patch \	24	file://CVE-2024-0208.patch \
25	file://CVE-2023-1992.patch \	25	file://CVE-2023-1992.patch \
		26	file://CVE-2023-4511.patch \
26	"	27	"
27	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	28	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
28		29