wireshark: fix CVE-2022-4345 multiple (BPv6, OpenFlow, and Kafka protocol) dissector infinite loops

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: vkumbhar <vkumbhar@mvista.com> 2023-12-13 12:07:01 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-01-12 07:14:16 -0500
commit: 52e23d3fcd48a64af71f5423233f261af6c59f60 (patch)
tree: 2abde802d3c5e29d9ea4e78c6aeac4ec218904f7
parent: e80ffdd368644ae5646f3a8206a3aef1f872fad0 (diff)
download: meta-openembedded-52e23d3fcd48a64af71f5423233f261af6c59f60.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch
new file mode 100644
index 0000000000..ccf04459e8
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch
@@ -0,0 +1,52 @@
+From 39db474f80af87449ce0f034522dccc80ed4153f Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 1 Dec 2022 20:46:15 -0500
+Subject: [PATCH] openflow_v6: Prevent infinite loops in too short ofp_stats
+The ofp_stats struct length field includes the fixed 4 bytes.
+If the length is smaller than that, report the length error
+and break out. In particular, a value of zero can cause
+infinite loops if this isn't done.
+(cherry picked from commit 13823bb1059cf70f401892ba1b1eaa2400cdf3db)
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f]
+CVE: CVE-2022-4345
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ epan/dissectors/packet-openflow_v6.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/epan/dissectors/packet-openflow_v6.c b/epan/dissectors/packet-openflow_v6.c
+index 16016af..3e24d76 100644
+--- a/epan/dissectors/packet-openflow_v6.c
+++ b/epan/dissectors/packet-openflow_v6.c
+@@ -1118,17 +1118,23 @@ dissect_openflow_v6_oxs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+ static int
+ dissect_openflow_stats_v6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 length _U_)
+ {
+    proto_item *ti;
+     guint32 stats_length;
+     int oxs_end;
+     guint32 padding;
+ 
+     proto_tree_add_item(tree, hf_openflow_v6_stats_reserved, tvb, offset, 2, ENC_NA);
+ 
+-    proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
+    ti = proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
+ 
+     oxs_end = offset + stats_length;
+     offset+=4;
+ 
+    if (stats_length < 4) {
+        expert_add_info(pinfo, ti, &ei_openflow_v6_length_too_short);
+        return offset;
+    }
+
+     while (offset < oxs_end) {
+         offset = dissect_openflow_v6_oxs(tvb, pinfo, tree, offset, oxs_end - offset);
+     }
+-- 
+2.40.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index f233b42532..365ec5e90a 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -26,6 +26,7 @@ SRC_URI += " \
    file://CVE-2023-0668.patch \
    file://CVE-2023-2906.patch \
    file://CVE-2023-1992.patch \
+    file://CVE-2022-4345.patch \
 "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	vkumbhar <vkumbhar@mvista.com>	2023-12-13 12:07:01 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-01-12 07:14:16 -0500
commit	52e23d3fcd48a64af71f5423233f261af6c59f60 (patch)
tree	2abde802d3c5e29d9ea4e78c6aeac4ec218904f7
parent	e80ffdd368644ae5646f3a8206a3aef1f872fad0 (diff)
download	meta-openembedded-52e23d3fcd48a64af71f5423233f261af6c59f60.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch new file mode 100644 index 0000000000..ccf04459e8 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch
@@ -0,0 +1,52 @@
		1	From 39db474f80af87449ce0f034522dccc80ed4153f Mon Sep 17 00:00:00 2001
		2	From: John Thacker <johnthacker@gmail.com>
		3	Date: Thu, 1 Dec 2022 20:46:15 -0500
		4	Subject: [PATCH] openflow_v6: Prevent infinite loops in too short ofp_stats
		5
		6	The ofp_stats struct length field includes the fixed 4 bytes.
		7	If the length is smaller than that, report the length error
		8	and break out. In particular, a value of zero can cause
		9	infinite loops if this isn't done.
		10
		11
		12	(cherry picked from commit 13823bb1059cf70f401892ba1b1eaa2400cdf3db)
		13
		14	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f]
		15	CVE: CVE-2022-4345
		16	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		17	---
		18	epan/dissectors/packet-openflow_v6.c \| 8 +++++++-
		19	1 file changed, 7 insertions(+), 1 deletion(-)
		20
		21	diff --git a/epan/dissectors/packet-openflow_v6.c b/epan/dissectors/packet-openflow_v6.c
		22	index 16016af..3e24d76 100644
		23	--- a/epan/dissectors/packet-openflow_v6.c
		24	+++ b/epan/dissectors/packet-openflow_v6.c
		25	@@ -1118,17 +1118,23 @@ dissect_openflow_v6_oxs(tvbuff_t tvb, packet_info pinfo _U_, proto_tree *tree,
		26	static int
		27	dissect_openflow_stats_v6(tvbuff_t tvb, packet_info pinfo _U_, proto_tree *tree, int offset, guint16 length _U_)
		28	{
		29	+ proto_item *ti;
		30	guint32 stats_length;
		31	int oxs_end;
		32	guint32 padding;
		33
		34	proto_tree_add_item(tree, hf_openflow_v6_stats_reserved, tvb, offset, 2, ENC_NA);
		35
		36	- proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
		37	+ ti = proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length);
		38
		39	oxs_end = offset + stats_length;
		40	offset+=4;
		41
		42	+ if (stats_length < 4) {
		43	+ expert_add_info(pinfo, ti, &ei_openflow_v6_length_too_short);
		44	+ return offset;
		45	+ }
		46	+
		47	while (offset < oxs_end) {
		48	offset = dissect_openflow_v6_oxs(tvb, pinfo, tree, offset, oxs_end - offset);
		49	}
		50	--
		51	2.40.1
		52


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index f233b42532..365ec5e90a 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -26,6 +26,7 @@ SRC_URI += " \
26	file://CVE-2023-0668.patch \	26	file://CVE-2023-0668.patch \
27	file://CVE-2023-2906.patch \	27	file://CVE-2023-2906.patch \
28	file://CVE-2023-1992.patch \	28	file://CVE-2023-1992.patch \
		29	file://CVE-2022-4345.patch \
29	"	30	"
30		31
31	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	32	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"