
[meta-networking,kirkstone] wireshark: CVE-2023-2952 XRA dissector infinite loop

Message ID 20230612113110.10593-1-hprajapati@mvista.com
State New

Commit Message

Hitendra Prajapati June 12, 2023, 11:31 a.m. UTC
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../wireshark/files/CVE-2023-2952.patch       | 98 +++++++++++++++++++
 .../wireshark/wireshark_3.4.12.bb             |  1 +
 2 files changed, 99 insertions(+)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch

Comments

akuster808 June 15, 2023, 11:56 a.m. UTC | #1
On 6/12/23 7:31 AM, Hitendra Prajapati wrote:
> Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>

This patch does not apply and should be rebased from kirkstone once the
merge is complete. There are several wireshark patches stacked in there.

- armin
> ---
>   .../wireshark/files/CVE-2023-2952.patch       | 98 +++++++++++++++++++
>   .../wireshark/wireshark_3.4.12.bb             |  1 +
>   2 files changed, 99 insertions(+)
>   create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
>
> diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
> new file mode 100644
> index 000000000..41b02bb3f
> --- /dev/null
> +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
> @@ -0,0 +1,98 @@
> +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
> +From: Gerald Combs <gerald@wireshark.org>
> +Date: Tue, 23 May 2023 13:52:03 -0700
> +Subject: [PATCH] XRA: Fix an infinite loop
> +
> +C compilers don't care what size a value was on the wire. Use
> +naturally-sized ints, including in dissect_message_channel_mb where we
> +would otherwise overflow and loop infinitely.
> +
> +Fixes #19100
> +
> +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
> +CVE: CVE-2023-2952
> +
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + epan/dissectors/packet-xra.c | 16 ++++++++--------
> + 1 file changed, 8 insertions(+), 8 deletions(-)
> +
> +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
> +index 68a8e72..6c7ab74 100644
> +--- a/epan/dissectors/packet-xra.c
> ++++ b/epan/dissectors/packet-xra.c
> +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
> +   it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
> +   xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
> +
> +-  guint32 tlv_index =0;
> ++  unsigned tlv_index = 0;
> +   while (tlv_index < tlv_length) {
> +     guint8 type = tvb_get_guint8 (tvb, tlv_index);
> +     ++tlv_index;
> +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
> +   it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
> +   xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
> +
> +-  guint32 tlv_index =0;
> ++  unsigned tlv_index = 0;
> +   while (tlv_index < tlv_length) {
> +     guint8 type = tvb_get_guint8 (tvb, tlv_index);
> +     ++tlv_index;
> +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
> +   it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
> +   xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
> +
> +-  guint32 tlv_index =0;
> ++  unsigned tlv_index = 0;
> +   while (tlv_index < tlv_length) {
> +     guint8 type = tvb_get_guint8 (tvb, tlv_index);
> +     ++tlv_index;
> +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
> +   it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
> +   xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
> +
> +-  guint32 tlv_index =0;
> ++  unsigned tlv_index = 0;
> +   tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
> +
> +   while (tlv_index < tlv_length) {
> +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
> +   if(packet_start_pointer_field_present) {
> +     proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
> +
> +-    guint16 docsis_start = 3 + packet_start_pointer;
> ++    unsigned docsis_start = 3 + packet_start_pointer;
> +     while (docsis_start + 6 < remaining_length) {
> +       /*DOCSIS header in packet*/
> +       guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
> +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
> +         docsis_start += 1;
> +         continue;
> +       }
> +-      guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
> ++      unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
> +       if (docsis_start + 6 + docsis_length <= remaining_length) {
> +         /*DOCSIS packet included in packet*/
> +         tvbuff_t *docsis_tvb;
> +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
> + static int
> + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
> +
> +-  guint16 offset = 0;
> ++  int offset = 0;
> +   proto_tree *plc_tree;
> +   proto_item *plc_item;
> +   tvbuff_t *mb_tvb;
> +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
> +
> + static int
> + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
> +-  guint16 offset = 0;
> ++  int offset = 0;
> +   proto_tree *ncp_tree;
> +   proto_item *ncp_item;
> +   tvbuff_t *ncp_mb_tvb;
> +--
> +2.25.1
> +
> diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> index 1a4aedc13..c48da9561 100644
> --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> @@ -16,6 +16,7 @@ SRC_URI += " \
>       file://0003-bison-Remove-line-directives.patch \
>       file://0004-lemon-Remove-line-directives.patch \
>       file://CVE-2022-3190.patch \
> +    file://CVE-2023-2952.patch \
>   "
>   
>   UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
>

Patch

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
new file mode 100644
index 000000000..41b02bb3f
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
@@ -0,0 +1,98 @@ 
+From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 23 May 2023 13:52:03 -0700
+Subject: [PATCH] XRA: Fix an infinite loop
+
+C compilers don't care what size a value was on the wire. Use
+naturally-sized ints, including in dissect_message_channel_mb where we
+would otherwise overflow and loop infinitely.
+
+Fixes #19100
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
+CVE: CVE-2023-2952
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-xra.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
+index 68a8e72..6c7ab74 100644
+--- a/epan/dissectors/packet-xra.c
++++ b/epan/dissectors/packet-xra.c
+@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+   it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
+ 
+-  guint32 tlv_index =0;
++  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+   it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
+ 
+-  guint32 tlv_index =0;
++  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
+   it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
+ 
+-  guint32 tlv_index =0;
++  unsigned tlv_index = 0;
+   while (tlv_index < tlv_length) {
+     guint8 type = tvb_get_guint8 (tvb, tlv_index);
+     ++tlv_index;
+@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
+   it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
+   xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
+ 
+-  guint32 tlv_index =0;
++  unsigned tlv_index = 0;
+   tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
+ 
+   while (tlv_index < tlv_length) {
+@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+   if(packet_start_pointer_field_present) {
+     proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
+ 
+-    guint16 docsis_start = 3 + packet_start_pointer;
++    unsigned docsis_start = 3 + packet_start_pointer;
+     while (docsis_start + 6 < remaining_length) {
+       /*DOCSIS header in packet*/
+       guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
+@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+         docsis_start += 1;
+         continue;
+       }
+-      guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
++      unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+       if (docsis_start + 6 + docsis_length <= remaining_length) {
+         /*DOCSIS packet included in packet*/
+         tvbuff_t *docsis_tvb;
+@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
+ static int
+ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
+ 
+-  guint16 offset = 0;
++  int offset = 0;
+   proto_tree *plc_tree;
+   proto_item *plc_item;
+   tvbuff_t *mb_tvb;
+@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
+ 
+ static int
+ dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
+-  guint16 offset = 0;
++  int offset = 0;
+   proto_tree *ncp_tree;
+   proto_item *ncp_item;
+   tvbuff_t *ncp_mb_tvb;
+-- 
+2.25.1
+
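Review bot: The two declarations in dissect_message_channel_mb that carry the fix, `unsigned docsis_start = 3 + packet_start_pointer;` and `unsigned docsis_length = ...`, have no comment saying why they must stay wider than 16 bits. Per the patch description the old `guint16` values overflowed and the `while (docsis_start + 6 < remaining_length)` loop never terminated, so a later cleanup that narrows them back to the on-the-wire size would reintroduce the hang on malformed input. I would add above `docsis_start`: `/* Wider than 16 bits on purpose: a wrapped index never reaches remaining_length (CVE-2023-2952). */`. The `guint32` to `unsigned` changes to `tlv_index` look like style only, presumably the same width on the supported targets. All of these function bodies start and end outside the embedded hunks, so how `docsis_start` advances after a complete DOCSIS frame is not visible here.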
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 1a4aedc13..c48da9561 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -16,6 +16,7 @@  SRC_URI += " \
     file://0003-bison-Remove-line-directives.patch \
     file://0004-lemon-Remove-line-directives.patch \
     file://CVE-2022-3190.patch \
+    file://CVE-2023-2952.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"