summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnil Dongare <adongare@cisco.com>2026-02-13 05:28:46 -0800
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-02-25 13:45:44 +0530
commit2160609b5bc27ccd9039c0a8c2c9c1162bf1d200 (patch)
tree2b76d5c136572ebb0b42034fb405c516bbee9940
parent4e4ad54c9ae346abaaa1d05eddb6c45d36c30aac (diff)
downloadmeta-openembedded-2160609b5bc27ccd9039c0a8c2c9c1162bf1d200.tar.gz
wireshark 4.2.14: Fix CVE-2026-0962
Upstream Repository: https://gitlab.com/wireshark/wireshark.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0962 Type: Security Fix CVE: CVE-2026-0962 Score: 6.5 Patch: https://gitlab.com/wireshark/wireshark/-/commit/825b83e1ed14 Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch152
-rw-r--r--meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb1
2 files changed, 153 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch b/meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch
new file mode 100644
index 0000000000..c9a3723ba9
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch
@@ -0,0 +1,152 @@
1From 912286bc877a2914f089a063dbf5fa8037efd709 Mon Sep 17 00:00:00 2001
2From: Gerald Combs <gerald@wireshark.org>
3Date: Mon, 12 Jan 2026 17:01:48 -0800
4Subject: [PATCH] SOME/IP-SD: Fix a buffer overflow
5
6Make sure we don't write past the end of our option port array. Make our
7option count unsigned.
8
9Fixes #20945
10
11(cherry picked from commit 55ec8b3db4968c97115f014fb5974206cdf57454)
12
13Conflicts:
14 epan/dissectors/packet-someip-sd.c
15(cherry picked from commit 825b83e1ed146f6c8fa8f1d7ad2794061b82c895)
16
17CVE: CVE-2026-0962
18Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/825b83e1ed14]
19
20Backport Changes:
21- In the epan/dissectors/packet-someip-sd.c file, the variable
22 ef_someipsd_too_many_options was added in place of ei_someipsd_too_many_options
23 to maintain consistency with the existing expert_field naming conventions.
24- This update is already included in Wireshark version 4.4 with the following
25 commit: https://gitlab.com/wireshark/wireshark/-/commit/9e59a18db82f
26
27Signed-off-by: Anil Dongare <adongare@cisco.com>
28---
29 epan/dissectors/packet-someip-sd.c | 30 ++++++++++++++++++------------
30 1 file changed, 18 insertions(+), 12 deletions(-)
31
32diff --git a/epan/dissectors/packet-someip-sd.c b/epan/dissectors/packet-someip-sd.c
33index 85144d5925..7088ee5210 100644
34--- a/epan/dissectors/packet-someip-sd.c
35+++ b/epan/dissectors/packet-someip-sd.c
36@@ -242,6 +242,7 @@ static expert_field ef_someipsd_option_unknown = EI_INIT;
37 static expert_field ef_someipsd_option_wrong_length = EI_INIT;
38 static expert_field ef_someipsd_L4_protocol_unsupported = EI_INIT;
39 static expert_field ef_someipsd_config_string_malformed = EI_INIT;
40+static expert_field ef_someipsd_too_many_options = EI_INIT;
41
42 /*** prototypes ***/
43 void proto_register_someip_sd(void);
44@@ -274,13 +275,13 @@ someip_sd_register_ports(guint32 opt_index, guint32 opt_num, guint32 option_coun
45 }
46
47 static void
48-dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
49+dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
50 guint32 offset_orig = offset;
51 const guint8 *config_string;
52 proto_item *ti;
53 proto_tree *subtree;
54
55- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Configuration Option", optionnum);
56+ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%u: Configuration Option", optionnum);
57
58 /* Add common fields */
59 proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, ENC_BIG_ENDIAN);
60@@ -317,8 +318,8 @@ dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, pr
61 }
62
63 static void
64-dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
65- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Load Balancing Option", optionnum);
66+dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
67+ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%u Load Balancing Option", optionnum);
68
69 /* Add common fields */
70 proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, ENC_BIG_ENDIAN);
71@@ -337,7 +338,7 @@ dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_
72 }
73
74 static void
75-dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum, guint32 option_ports[]) {
76+dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum, guint32 option_ports[]) {
77 guint8 type = 255;
78 const gchar *description = NULL;
79 guint32 l4port = 0;
80@@ -350,7 +351,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree
81
82 type = tvb_get_guint8(tvb, offset + 2);
83 description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
84- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
85+ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
86
87 if (length != SD_OPTION_IPV4_LENGTH) {
88 expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length);
89@@ -391,7 +392,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree
90 }
91
92 static void
93-dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum, guint32 option_ports[]) {
94+dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum, guint32 option_ports[]) {
95 guint8 type = 255;
96 const gchar *description = NULL;
97 guint32 l4port = 0;
98@@ -404,7 +405,7 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree
99 type = tvb_get_guint8(tvb, offset + 2);
100 description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
101
102- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
103+ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
104
105 if (length != SD_OPTION_IPV6_LENGTH) {
106 expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length);
107@@ -444,11 +445,11 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree
108 }
109
110 static void
111-dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
112+dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
113 guint32 len = 0;
114 proto_item *ti;
115
116- tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%d: %s Option", optionnum,
117+ tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%u: %s Option", optionnum,
118 val_to_str_const(tvb_get_guint8(tvb, offset + 2), sd_option_type, "Unknown"));
119
120 expert_add_info(pinfo, ti, &ef_someipsd_option_unknown);
121@@ -473,7 +474,7 @@ static int
122 dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_item *ti, guint32 offset_orig, guint32 length, guint32 option_ports[], guint *option_count) {
123 guint16 real_length = 0;
124 guint8 option_type = 0;
125- int optionnum = 0;
126+ unsigned optionnum = 0;
127 tvbuff_t *subtvb = NULL;
128
129 guint32 offset = offset_orig;
130@@ -484,7 +485,11 @@ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tre
131 }
132
133 while (tvb_bytes_exist(tvb, offset, SD_OPTION_MINLENGTH)) {
134- ws_assert(optionnum >= 0 && optionnum < SD_MAX_NUM_OPTIONS);
135+ if (optionnum >= SD_MAX_NUM_OPTIONS) {
136+ expert_add_info(pinfo, ti, &ef_someipsd_too_many_options);
137+ return offset;
138+ }
139+
140 option_ports[optionnum] = 0;
141
142 real_length = tvb_get_ntohs(tvb, offset) + 3;
143@@ -1195,6 +1200,7 @@ proto_register_someip_sd(void) {
144 { &ef_someipsd_option_wrong_length,{ "someipsd.option_wrong_length", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Option length is incorrect!", EXPFILL } },
145 { &ef_someipsd_L4_protocol_unsupported,{ "someipsd.L4_protocol_unsupported", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Unsupported Layer 4 Protocol!", EXPFILL } },
146 { &ef_someipsd_config_string_malformed,{ "someipsd.config_string_malformed", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Configuration String malformed!", EXPFILL } },
147+ { &ef_someipsd_too_many_options,{ "someipsd.too_many_options", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Too many options!", EXPFILL } },
148 };
149
150 /* Register Protocol, Fields, ETTs, Expert Info, Taps, Dissector */
151--
1522.43.7
diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
index d03b86775e..81c300fcb5 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
16 file://CVE-2025-9817.patch \ 16 file://CVE-2025-9817.patch \
17 file://CVE-2025-13499.patch \ 17 file://CVE-2025-13499.patch \
18 file://CVE-2026-0959.patch \ 18 file://CVE-2026-0959.patch \
19 file://CVE-2026-0962.patch \
19 " 20 "
20 21
21UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions" 22UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"