wireshark: CVE-2023-2952 XRA dissector infinite loop

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-06-16 17:13:34 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-06-17 13:15:57 -0400
commit: 5a01ab461c9bcabcbb2298236602373948f8f073 (patch)
tree: 5cf49d706226cf54eec3b7407ee9215b7816ba9f
parent: 6e9118383c62a38f313e9bc3d19fa79b70c12cf2 (diff)
download: meta-openembedded-5a01ab461c9bcabcbb2298236602373948f8f073.tar.gz
2 files changed, 99 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
new file mode 100644
index 0000000000..41b02bb3fa
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
@@ -0,0 +1,98 @@
+From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 23 May 2023 13:52:03 -0700
+Subject: [PATCH] XRA: Fix an infinite loop
+C compilers don't care what size a value was on the wire. Use
+naturally-sized ints, including in dissect_message_channel_mb where we
+would otherwise overflow and loop infinitely.
+Fixes #19100
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
+CVE: CVE-2023-2952
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-xra.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
+index 68a8e72..6c7ab74 100644
+--- a/epan/dissectors/packet-xra.c
+++ b/epan/dissectors/packet-xra.c
+@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+   it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
+ 
+-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+   it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
+ 
+-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
+   it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
+ 
+-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
+   it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
+ 
+-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
+   tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
+ 
+   while (tlv_index < tlv_length) {
+@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+   if(packet_start_pointer_field_present) {
+     proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
+ 
+-    guint16 docsis_start = 3 + packet_start_pointer;
+    unsigned docsis_start = 3 + packet_start_pointer;
+     while (docsis_start + 6 < remaining_length) {
+       /*DOCSIS header in packet*/
+       guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
+@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+         docsis_start += 1;
+         continue;
+       }
+-      guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+      unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+       if (docsis_start + 6 + docsis_length <= remaining_length) {
+         /*DOCSIS packet included in packet*/
+         tvbuff_t *docsis_tvb;
+@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
+ static int
+ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
+ 
+-  guint16 offset = 0;
+  int offset = 0;
+   proto_tree *plc_tree;
+   proto_item *plc_item;
+   tvbuff_t *mb_tvb;
+@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
+ 
+ static int
+ dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
+-  guint16 offset = 0;
+  int offset = 0;
+   proto_tree *ncp_tree;
+   proto_item *ncp_item;
+   tvbuff_t *ncp_mb_tvb;
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 758c5e57dc..96603710f4 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -20,6 +20,7 @@ SRC_URI += " \
    file://CVE-2023-2856.patch \
    file://CVE-2023-2858.patch \
    file://CVE-2023-2879.patch \
+    file://CVE-2023-2952.patch \
 "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-06-16 17:13:34 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-06-17 13:15:57 -0400
commit	5a01ab461c9bcabcbb2298236602373948f8f073 (patch)
tree	5cf49d706226cf54eec3b7407ee9215b7816ba9f
parent	6e9118383c62a38f313e9bc3d19fa79b70c12cf2 (diff)
download	meta-openembedded-5a01ab461c9bcabcbb2298236602373948f8f073.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch new file mode 100644 index 0000000000..41b02bb3fa --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
@@ -0,0 +1,98 @@
		1	From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
		2	From: Gerald Combs <gerald@wireshark.org>
		3	Date: Tue, 23 May 2023 13:52:03 -0700
		4	Subject: [PATCH] XRA: Fix an infinite loop
		5
		6	C compilers don't care what size a value was on the wire. Use
		7	naturally-sized ints, including in dissect_message_channel_mb where we
		8	would otherwise overflow and loop infinitely.
		9
		10	Fixes #19100
		11
		12	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
		13	CVE: CVE-2023-2952
		14
		15	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		16	---
		17	epan/dissectors/packet-xra.c \| 16 ++++++++--------
		18	1 file changed, 8 insertions(+), 8 deletions(-)
		19
		20	diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
		21	index 68a8e72..6c7ab74 100644
		22	--- a/epan/dissectors/packet-xra.c
		23	+++ b/epan/dissectors/packet-xra.c
		24	@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
		25	it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
		26	xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
		27
		28	- guint32 tlv_index =0;
		29	+ unsigned tlv_index = 0;
		30	while (tlv_index < tlv_length) {
		31	guint8 type = tvb_get_guint8 (tvb, tlv_index);
		32	++tlv_index;
		33	@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
		34	it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
		35	xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
		36
		37	- guint32 tlv_index =0;
		38	+ unsigned tlv_index = 0;
		39	while (tlv_index < tlv_length) {
		40	guint8 type = tvb_get_guint8 (tvb, tlv_index);
		41	++tlv_index;
		42	@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
		43	it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
		44	xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
		45
		46	- guint32 tlv_index =0;
		47	+ unsigned tlv_index = 0;
		48	while (tlv_index < tlv_length) {
		49	guint8 type = tvb_get_guint8 (tvb, tlv_index);
		50	++tlv_index;
		51	@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
		52	it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
		53	xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
		54
		55	- guint32 tlv_index =0;
		56	+ unsigned tlv_index = 0;
		57	tvbuff_t xra_tlv_cw_info_tvb, xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
		58
		59	while (tlv_index < tlv_length) {
		60	@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
		61	if(packet_start_pointer_field_present) {
		62	proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
		63
		64	- guint16 docsis_start = 3 + packet_start_pointer;
		65	+ unsigned docsis_start = 3 + packet_start_pointer;
		66	while (docsis_start + 6 < remaining_length) {
		67	/DOCSIS header in packet/
		68	guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
		69	@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
		70	docsis_start += 1;
		71	continue;
		72	}
		73	- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
		74	+ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
		75	if (docsis_start + 6 + docsis_length <= remaining_length) {
		76	/DOCSIS packet included in packet/
		77	tvbuff_t *docsis_tvb;
		78	@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
		79	static int
		80	dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
		81
		82	- guint16 offset = 0;
		83	+ int offset = 0;
		84	proto_tree *plc_tree;
		85	proto_item *plc_item;
		86	tvbuff_t *mb_tvb;
		87	@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
		88
		89	static int
		90	dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
		91	- guint16 offset = 0;
		92	+ int offset = 0;
		93	proto_tree *ncp_tree;
		94	proto_item *ncp_item;
		95	tvbuff_t *ncp_mb_tvb;
		96	--
		97	2.25.1
		98


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index 758c5e57dc..96603710f4 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -20,6 +20,7 @@ SRC_URI += " \
20	file://CVE-2023-2856.patch \	20	file://CVE-2023-2856.patch \
21	file://CVE-2023-2858.patch \	21	file://CVE-2023-2858.patch \
22	file://CVE-2023-2879.patch \	22	file://CVE-2023-2879.patch \
		23	file://CVE-2023-2952.patch \
23	"	24	"
24		25
25	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	26	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"