wireshark: Fix for CVE-2023-4511

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-01-30 10:45:51 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-02-07 18:41:41 -0500
commit: 5f46d71fca49dc6347dbf022e4f7ca1b262a082f (patch)
tree: 4e930cf068ff7520d2109316391909cd774113cd
parent: 182c4742c6f4f91ce51e66978f961ef2c2923bd5 (diff)
download: meta-openembedded-5f46d71fca49dc6347dbf022e4f7ca1b262a082f.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch
new file mode 100644
index 0000000000..6a2f20163c
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch
@@ -0,0 +1,81 @@
+From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Thu, 10 Aug 2023 05:29:09 -0400
+Subject: [PATCH] btsdp: Keep offset advancing
+hf_data_element_value is a FT_NONE, so we can add the item with
+the expected length and get_hfi_length() will adjust the length
+without throwing an exception. There's no need to add it with
+zero length and call proto_item_set_len. Also, don't increment
+the offset by 0 instead of the real length when there isn't
+enough data in the packet, as that can lead to failing to advance
+the offset.
+When dissecting a sequence type (sequence or alternative) and
+recursing into the sequence member, instead of using the main
+packet tvb directly, create a subset using the indicated length
+of the sequence. That will properly throw an exception if a
+contained item is larger than the containing sequence, instead of
+dissecting the same bytes as several different items (inside
+the sequence recursively, as well in the outer loop.)
+Fix #19258
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9]
+CVE: CVE-2023-4511
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ epan/dissectors/packet-btsdp.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
+index 397ece7..eb7f5fa 100644
+--- a/epan/dissectors/packet-btsdp.c
+++ b/epan/dissectors/packet-btsdp.c
+@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree,
+         offset += len - length;
+     }
+ 
+-    pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset,  0, ENC_NA);
+    pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA);
+     if (length > tvb_reported_length_remaining(tvb, offset)) {
+         expert_add_info(pinfo, pitem, &ei_data_element_value_large);
+-        length = 0;
+-    }
+-    proto_item_set_len(pitem, length);
+-    if (length == 0)
+       proto_item_append_text(pitem, ": MISSING");
+    } else if (length == 0)
+         proto_item_append_text(pitem, ": MISSING");
+ 
+     if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value);
+@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
+         gint           bytes_to_go = size;
+         gint           first       = 1;
+         wmem_strbuf_t *substr;
+       tvbuff_t      *next_tvb = tvb_new_subset_length(tvb, offset, size);
+       gint           next_offset = 0;
+ 
+         ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative,
+                 tvb, offset, size, ENC_NA);
+@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
+                 first = 0;
+             }
+ 
+-            size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid,
+            size = dissect_sdp_type(st, pinfo, next_tvb, next_offset,
+                   attribute, service_uuid,
+                     service_did_vendor_id, service_did_vendor_id_source,
+                     service_hdp_data_exchange_specification, service_info, &substr);
+             if (size < 1) {
+                 break;
+             }
+             wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
+-            offset += size ;
+            next_offset += size;
+             bytes_to_go -= size;
+         }
+ 
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index f5e316d9dc..41c363ad30 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -28,6 +28,7 @@ SRC_URI += " \
    file://CVE-2023-1992.patch \
    file://CVE-2022-4345.patch \
    file://CVE-2024-0208.patch \
+    file://CVE-2023-4511.patch \
 "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-01-30 10:45:51 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-02-07 18:41:41 -0500
commit	5f46d71fca49dc6347dbf022e4f7ca1b262a082f (patch)
tree	4e930cf068ff7520d2109316391909cd774113cd
parent	182c4742c6f4f91ce51e66978f961ef2c2923bd5 (diff)
download	meta-openembedded-5f46d71fca49dc6347dbf022e4f7ca1b262a082f.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch new file mode 100644 index 0000000000..6a2f20163c --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch
@@ -0,0 +1,81 @@
		1	From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001
		2	From: John Thacker <johnthacker@gmail.com>
		3	Date: Thu, 10 Aug 2023 05:29:09 -0400
		4	Subject: [PATCH] btsdp: Keep offset advancing
		5
		6	hf_data_element_value is a FT_NONE, so we can add the item with
		7	the expected length and get_hfi_length() will adjust the length
		8	without throwing an exception. There's no need to add it with
		9	zero length and call proto_item_set_len. Also, don't increment
		10	the offset by 0 instead of the real length when there isn't
		11	enough data in the packet, as that can lead to failing to advance
		12	the offset.
		13
		14	When dissecting a sequence type (sequence or alternative) and
		15	recursing into the sequence member, instead of using the main
		16	packet tvb directly, create a subset using the indicated length
		17	of the sequence. That will properly throw an exception if a
		18	contained item is larger than the containing sequence, instead of
		19	dissecting the same bytes as several different items (inside
		20	the sequence recursively, as well in the outer loop.)
		21
		22	Fix #19258
		23
		24	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9]
		25	CVE: CVE-2023-4511
		26	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		27	---
		28	epan/dissectors/packet-btsdp.c \| 15 ++++++++-------
		29	1 file changed, 8 insertions(+), 7 deletions(-)
		30
		31	diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
		32	index 397ece7..eb7f5fa 100644
		33	--- a/epan/dissectors/packet-btsdp.c
		34	+++ b/epan/dissectors/packet-btsdp.c
		35	@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree tree, proto_tree *next_tree,
		36	offset += len - length;
		37	}
		38
		39	- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA);
		40	+ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA);
		41	if (length > tvb_reported_length_remaining(tvb, offset)) {
		42	expert_add_info(pinfo, pitem, &ei_data_element_value_large);
		43	- length = 0;
		44	- }
		45	- proto_item_set_len(pitem, length);
		46	- if (length == 0)
		47	+ proto_item_append_text(pitem, ": MISSING");
		48	+ } else if (length == 0)
		49	proto_item_append_text(pitem, ": MISSING");
		50
		51	if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value);
		52	@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree tree, packet_info pinfo, tvbuff_t *tvb,
		53	gint bytes_to_go = size;
		54	gint first = 1;
		55	wmem_strbuf_t *substr;
		56	+ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size);
		57	+ gint next_offset = 0;
		58
		59	ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative,
		60	tvb, offset, size, ENC_NA);
		61	@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree tree, packet_info pinfo, tvbuff_t *tvb,
		62	first = 0;
		63	}
		64
		65	- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid,
		66	+ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset,
		67	+ attribute, service_uuid,
		68	service_did_vendor_id, service_did_vendor_id_source,
		69	service_hdp_data_exchange_specification, service_info, &substr);
		70	if (size < 1) {
		71	break;
		72	}
		73	wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
		74	- offset += size ;
		75	+ next_offset += size;
		76	bytes_to_go -= size;
		77	}
		78
		79	--
		80	2.25.1
		81


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index f5e316d9dc..41c363ad30 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -28,6 +28,7 @@ SRC_URI += " \
28	file://CVE-2023-1992.patch \	28	file://CVE-2023-1992.patch \
29	file://CVE-2022-4345.patch \	29	file://CVE-2022-4345.patch \
30	file://CVE-2024-0208.patch \	30	file://CVE-2024-0208.patch \
		31	file://CVE-2023-4511.patch \
31	"	32	"
32		33
33	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	34	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"