diff options
| author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-06-06 16:43:51 +0530 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-06-11 11:29:02 -0400 |
| commit | c7a5562f7760ffed6d5fa18e019790f720a13ba7 (patch) | |
| tree | 2aa50c577d3820961588b3961c69029a1c19cdf4 | |
| parent | a506fa6eacbbcef37111135a4835c9578ddd8a2e (diff) | |
| download | meta-openembedded-c7a5562f7760ffed6d5fa18e019790f720a13ba7.tar.gz | |
wireshark: CVE-2023-2856 VMS TCPIPtrace file parser crash
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch | 69 | ||||
| -rw-r--r-- | meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb | 1 |
2 files changed, 70 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch new file mode 100644 index 0000000000..863421f986 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch | |||
| @@ -0,0 +1,69 @@ | |||
| 1 | From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Guy Harris <gharris@sonic.net> | ||
| 3 | Date: Thu, 18 May 2023 15:03:23 -0700 | ||
| 4 | Subject: [PATCH] vms: fix the search for the packet length field. | ||
| 5 | |||
| 6 | The packet length field is of the form | ||
| 7 | |||
| 8 | Total Length = DDD = ^xXXX | ||
| 9 | |||
| 10 | where "DDD" is the length in decimal and "XXX" is the length in | ||
| 11 | hexadecimal. | ||
| 12 | |||
| 13 | Search for "length ". not just "Length", as we skip past "Length ", not | ||
| 14 | just "Length", so if we assume we found "Length " but only found | ||
| 15 | "Length", we'd skip past the end of the string. | ||
| 16 | |||
| 17 | While we're at it, fail if we don't find a length field, rather than | ||
| 18 | just blithely acting as if the packet length were zero. | ||
| 19 | |||
| 20 | Fixes #19083. | ||
| 21 | |||
| 22 | Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca] | ||
| 23 | CVE: CVE-2023-2856 | ||
| 24 | |||
| 25 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 26 | --- | ||
| 27 | wiretap/vms.c | 9 ++++++++- | ||
| 28 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
| 29 | |||
| 30 | diff --git a/wiretap/vms.c b/wiretap/vms.c | ||
| 31 | index 0aa83ea..5f5fdbb 100644 | ||
| 32 | --- a/wiretap/vms.c | ||
| 33 | +++ b/wiretap/vms.c | ||
| 34 | @@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in | ||
| 35 | { | ||
| 36 | char line[VMS_LINE_LENGTH + 1]; | ||
| 37 | int num_items_scanned; | ||
| 38 | + gboolean have_pkt_len = FALSE; | ||
| 39 | guint32 pkt_len = 0; | ||
| 40 | int pktnum; | ||
| 41 | int csec = 101; | ||
| 42 | @@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in | ||
| 43 | return FALSE; | ||
| 44 | } | ||
| 45 | } | ||
| 46 | - if ( (! pkt_len) && (p = strstr(line, "Length"))) { | ||
| 47 | + if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { | ||
| 48 | p += sizeof("Length "); | ||
| 49 | while (*p && ! g_ascii_isdigit(*p)) | ||
| 50 | p++; | ||
| 51 | @@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in | ||
| 52 | *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); | ||
| 53 | return FALSE; | ||
| 54 | } | ||
| 55 | + have_pkt_len = TRUE; | ||
| 56 | break; | ||
| 57 | } | ||
| 58 | } while (! isdumpline(line)); | ||
| 59 | + if (! have_pkt_len) { | ||
| 60 | + *err = WTAP_ERR_BAD_FILE; | ||
| 61 | + *err_info = g_strdup_printf("vms: Length field not found"); | ||
| 62 | + return FALSE; | ||
| 63 | + } | ||
| 64 | if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { | ||
| 65 | /* | ||
| 66 | * Probably a corrupt capture file; return an error, | ||
| 67 | -- | ||
| 68 | 2.25.1 | ||
| 69 | |||
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index b1f484803e..f99669a624 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb | |||
| @@ -17,6 +17,7 @@ SRC_URI += " \ | |||
| 17 | file://0004-lemon-Remove-line-directives.patch \ | 17 | file://0004-lemon-Remove-line-directives.patch \ |
| 18 | file://CVE-2022-3190.patch \ | 18 | file://CVE-2022-3190.patch \ |
| 19 | file://CVE-2023-2855.patch \ | 19 | file://CVE-2023-2855.patch \ |
| 20 | file://CVE-2023-2856.patch \ | ||
| 20 | " | 21 | " |
| 21 | 22 | ||
| 22 | UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" | 23 | UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" |
