| Message ID | 20230606083524.123709-1-hprajapati@mvista.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-networking,kirkstone] wireshark: CVE-2023-2855 Candump log file parser crash | expand |
On 6/6/23 4:35 AM, Hitendra Prajapati wrote: > Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> These need to go into master first. -armin > --- > .../wireshark/files/CVE-2023-2855.patch | 108 ++++++++++++++++++ > .../wireshark/wireshark_3.4.12.bb | 1 + > 2 files changed, 109 insertions(+) > create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch > > diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch > new file mode 100644 > index 000000000..b4718f460 > --- /dev/null > +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch > @@ -0,0 +1,108 @@ > +From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001 > +From: Guy Harris <gharris@sonic.net> > +Date: Tue, 16 May 2023 12:05:07 -0700 > +Subject: [PATCH] candump: check for a too-long frame length. > + > +If the frame length is longer than the maximum, report an error in the > +file. > + > +Fixes #19062, preventing the overflow on a buffer on the stack (assuming > +your compiler doesn't call a bounds-checknig version of memcpy() if the > +size of the target space is known). > + > +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb] > +CVE: CVE-2023-2855 > + > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + wiretap/candump.c | 39 +++++++++++++++++++++++++++++++-------- > + 1 file changed, 31 insertions(+), 8 deletions(-) > + > +diff --git a/wiretap/candump.c b/wiretap/candump.c > +index 0def7bc..3f7c2b2 100644 > +--- a/wiretap/candump.c > ++++ b/wiretap/candump.c > +@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off, > + wtap_rec *rec, Buffer *buf, > + int *err, gchar **err_info); > + > +-static void > +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) > ++static gboolean > ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, > ++ gchar **err_info) > + { > + static const char *can_proto_name = "can-hostendian"; > + static const char *canfd_proto_name = "canfd"; > +@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) > + { > + canfd_frame_t canfd_frame = {0}; > + > ++ /* > ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. > ++ */ > ++ if (msg->data.length > CANFD_MAX_DLEN) { > ++ *err = WTAP_ERR_BAD_FILE; > ++ if (err_info != NULL) { > ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", > ++ msg->data.length, CANFD_MAX_DLEN); > ++ } > ++ return FALSE; > ++ } > ++ > + canfd_frame.can_id = msg->id; > + canfd_frame.flags = msg->flags; > + canfd_frame.len = msg->data.length; > +@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) > + { > + can_frame_t can_frame = {0}; > + > ++ /* > ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. > ++ */ > ++ if (msg->data.length > CAN_MAX_DLEN) { > ++ *err = WTAP_ERR_BAD_FILE; > ++ if (err_info != NULL) { > ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", > ++ msg->data.length, CAN_MAX_DLEN); > ++ } > ++ return FALSE; > ++ } > ++ > + can_frame.can_id = msg->id; > + can_frame.can_dlc = msg->data.length; > + memcpy(can_frame.data, msg->data.data, msg->data.length); > +@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) > + > + rec->rec_header.packet_header.caplen = packet_length; > + rec->rec_header.packet_header.len = packet_length; > ++ > ++ return TRUE; > + } > + > + static gboolean > +@@ -190,9 +217,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, > + ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); > + #endif > + > +- candump_write_packet(rec, buf, &msg); > +- > +- return TRUE; > ++ return candump_write_packet(rec, buf, &msg, err, err_info); > + } > + > + static gboolean > +@@ -216,9 +241,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, > + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) > + return FALSE; > + > +- candump_write_packet(rec, buf, &msg); > +- > +- return TRUE; > ++ return candump_write_packet(rec, buf, &msg, err, err_info); > + } > + > + /* > +-- > +2.25.1 > + > diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb > index 1a4aedc13..b1f484803 100644 > --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb > +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb > @@ -16,6 +16,7 @@ SRC_URI += " \ > file://0003-bison-Remove-line-directives.patch \ > file://0004-lemon-Remove-line-directives.patch \ > file://CVE-2022-3190.patch \ > + file://CVE-2023-2855.patch \ > " > > UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#103134): https://lists.openembedded.org/g/openembedded-devel/message/103134 > Mute This Topic: https://lists.openembedded.org/mt/99359292/3616698 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 000000000..b4718f460 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch @@ -0,0 +1,108 @@ +From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Tue, 16 May 2023 12:05:07 -0700 +Subject: [PATCH] candump: check for a too-long frame length. + +If the frame length is longer than the maximum, report an error in the +file. + +Fixes #19062, preventing the overflow on a buffer on the stack (assuming +your compiler doesn't call a bounds-checknig version of memcpy() if the +size of the target space is known). + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb] +CVE: CVE-2023-2855 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/candump.c | 39 +++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/wiretap/candump.c b/wiretap/candump.c +index 0def7bc..3f7c2b2 100644 +--- a/wiretap/candump.c ++++ b/wiretap/candump.c +@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off, + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info); + +-static void +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) ++static gboolean ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, ++ gchar **err_info) + { + static const char *can_proto_name = "can-hostendian"; + static const char *canfd_proto_name = "canfd"; +@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + canfd_frame_t canfd_frame = {0}; + ++ /* ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. ++ */ ++ if (msg->data.length > CANFD_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", ++ msg->data.length, CANFD_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + canfd_frame.can_id = msg->id; + canfd_frame.flags = msg->flags; + canfd_frame.len = msg->data.length; +@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + { + can_frame_t can_frame = {0}; + ++ /* ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. ++ */ ++ if (msg->data.length > CAN_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", ++ msg->data.length, CAN_MAX_DLEN); ++ } ++ return FALSE; ++ } ++ + can_frame.can_id = msg->id; + can_frame.can_dlc = msg->data.length; + memcpy(can_frame.data, msg->data.data, msg->data.length); +@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + rec->rec_header.packet_header.caplen = packet_length; + rec->rec_header.packet_header.len = packet_length; ++ ++ return TRUE; + } + + static gboolean +@@ -190,9 +217,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, + ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); + #endif + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static gboolean +@@ -216,9 +241,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) + return FALSE; + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + /* +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index 1a4aedc13..b1f484803 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb @@ -16,6 +16,7 @@ SRC_URI += " \ file://0003-bison-Remove-line-directives.patch \ file://0004-lemon-Remove-line-directives.patch \ file://CVE-2022-3190.patch \ + file://CVE-2023-2855.patch \ " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../wireshark/files/CVE-2023-2855.patch | 108 ++++++++++++++++++ .../wireshark/wireshark_3.4.12.bb | 1 + 2 files changed, 109 insertions(+) create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch