wireshark: fix CVE-2022-4345 multiple (BPv6, OpenFlow, and Kafka protocol) dissector infinite loops

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: vkumbhar <vkumbhar@mvista.com> 2023-12-13 17:25:03 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-12-17 15:36:42 -0500
commit: fc632d5bb0936e91e4e0191547b9aa8ca47b4ffe (patch)
tree: 3ae4d47234add8bb2d91540c9a084245e4b321f2
parent: 3bcc5bb4deee32f04b4c6ba0a3b342c864f1c03d (diff)
download: meta-openembedded-fc632d5bb0936e91e4e0191547b9aa8ca47b4ffe.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch
new file mode 100644
index 000000000..938b7cf77
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch
@@ -0,0 +1,52 @@
+From 39db474f80af87449ce0f034522dccc80ed4153f Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 1 Dec 2022 20:46:15 -0500
+Subject: [PATCH] openflow_v6: Prevent infinite loops in too short ofp_stats
+The ofp_stats struct length field includes the fixed 4 bytes.
+If the length is smaller than that, report the length error
+and break out. In particular, a value of zero can cause
+infinite loops if this isn't done.
+(cherry picked from commit 13823bb1059cf70f401892ba1b1eaa2400cdf3db)
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f]
+CVE: CVE-2022-4345
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ epan/dissectors/packet-openflow_v6.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/epan/dissectors/packet-openflow_v6.c b/epan/dissectors/packet-openflow_v6.c
+index f3bd0ef..96a3233 100644
+--- a/epan/dissectors/packet-openflow_v6.c
+++ b/epan/dissectors/packet-openflow_v6.c
+@@ -1118,17 +1118,23 @@ dissect_openflow_v6_oxs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ static int
+ dissect_openflow_stats_v6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 length _U_)
+ {
+    proto_item *ti;
+     guint32 stats_length;
+     int oxs_end;
+     guint32 padding;
+ 
+     proto_tree_add_item(tree, hf_openflow_v6_stats_reserved, tvb, offset, 2, ENC_NA);
+ 
+-    proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
+    ti = proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
+ 
+     oxs_end = offset + stats_length;
+     offset+=4;
+ 
+    if (stats_length < 4) {
+        expert_add_info(pinfo, ti, &ei_openflow_v6_length_too_short);
+        return offset;
+    }
+
+     while (offset < oxs_end) {
+         offset = dissect_openflow_v6_oxs(tvb, pinfo, tree, offset, oxs_end - offset);
+     }
+-- 
+2.40.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index b35c24328..7d99a1438 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
           file://CVE-2023-2906.patch \
           file://CVE-2023-3649.patch \
           file://CVE-2022-0585-CVE-2023-2879.patch \
+           file://CVE-2022-4345.patch \
           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	vkumbhar <vkumbhar@mvista.com>	2023-12-13 17:25:03 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-12-17 15:36:42 -0500
commit	fc632d5bb0936e91e4e0191547b9aa8ca47b4ffe (patch)
tree	3ae4d47234add8bb2d91540c9a084245e4b321f2
parent	3bcc5bb4deee32f04b4c6ba0a3b342c864f1c03d (diff)
download	meta-openembedded-fc632d5bb0936e91e4e0191547b9aa8ca47b4ffe.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch new file mode 100644 index 000000000..938b7cf77 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch
@@ -0,0 +1,52 @@
		1	From 39db474f80af87449ce0f034522dccc80ed4153f Mon Sep 17 00:00:00 2001
		2	From: John Thacker <johnthacker@gmail.com>
		3	Date: Thu, 1 Dec 2022 20:46:15 -0500
		4	Subject: [PATCH] openflow_v6: Prevent infinite loops in too short ofp_stats
		5
		6	The ofp_stats struct length field includes the fixed 4 bytes.
		7	If the length is smaller than that, report the length error
		8	and break out. In particular, a value of zero can cause
		9	infinite loops if this isn't done.
		10
		11
		12	(cherry picked from commit 13823bb1059cf70f401892ba1b1eaa2400cdf3db)
		13
		14	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f]
		15	CVE: CVE-2022-4345
		16	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		17	---
		18	epan/dissectors/packet-openflow_v6.c \| 8 +++++++-
		19	1 file changed, 7 insertions(+), 1 deletion(-)
		20
		21	diff --git a/epan/dissectors/packet-openflow_v6.c b/epan/dissectors/packet-openflow_v6.c
		22	index f3bd0ef..96a3233 100644
		23	--- a/epan/dissectors/packet-openflow_v6.c
		24	+++ b/epan/dissectors/packet-openflow_v6.c
		25	@@ -1118,17 +1118,23 @@ dissect_openflow_v6_oxs(tvbuff_t tvb, packet_info pinfo _U_, proto_tree *tree,
		26	static int
		27	dissect_openflow_stats_v6(tvbuff_t tvb, packet_info pinfo _U_, proto_tree *tree, int offset, guint16 length _U_)
		28	{
		29	+ proto_item *ti;
		30	guint32 stats_length;
		31	int oxs_end;
		32	guint32 padding;
		33
		34	proto_tree_add_item(tree, hf_openflow_v6_stats_reserved, tvb, offset, 2, ENC_NA);
		35
		36	- proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
		37	+ ti = proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
		38
		39	oxs_end = offset + stats_length;
		40	offset+=4;
		41
		42	+ if (stats_length < 4) {
		43	+ expert_add_info(pinfo, ti, &ei_openflow_v6_length_too_short);
		44	+ return offset;
		45	+ }
		46	+
		47	while (offset < oxs_end) {
		48	offset = dissect_openflow_v6_oxs(tvb, pinfo, tree, offset, oxs_end - offset);
		49	}
		50	--
		51	2.40.1
		52


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index b35c24328..7d99a1438 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
20	file://CVE-2023-2906.patch \	20	file://CVE-2023-2906.patch \
21	file://CVE-2023-3649.patch \	21	file://CVE-2023-3649.patch \
22	file://CVE-2022-0585-CVE-2023-2879.patch \	22	file://CVE-2022-0585-CVE-2023-2879.patch \
		23	file://CVE-2022-4345.patch \
23	"	24	"
24	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	25	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
25		26