
[meta-networking,dunfell] wireshark: Fix CVE-2022-0585-CVE-2023-2879

Message ID 20231114054416.7376-1-hprajapati@mvista.com
State New
Series [meta-networking,dunfell] wireshark: Fix CVE-2022-0585-CVE-2023-2879 | expand

Commit Message

Hitendra Prajapati Nov. 14, 2023, 5:44 a.m. UTC
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../files/CVE-2022-0585-CVE-2023-2879.patch   | 93 +++++++++++++++++++
 .../wireshark/wireshark_3.2.18.bb             |  1 +
 2 files changed, 94 insertions(+)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch

Patch

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
new file mode 100644
index 000000000..1fc4a5fe3
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
@@ -0,0 +1,93 @@ 
+From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 13 May 2023 21:45:16 -0400
+Subject: GDSDB: Make sure our offset advances.
+
+add_uint_string() returns the next offset to use, not the number
+of bytes consumed. So to consume all the bytes and make sure the
+offset advances, return the entire reported tvb length, not the
+number of bytes remaining.
+
+Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
+
+Fixes #19068
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
+CVE: CVE-2022-0585 & CVE-2023-2879
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
+index 95fed7e..950d68f 100644
+--- a/epan/dissectors/packet-gdsdb.c
++++ b/epan/dissectors/packet-gdsdb.c
+@@ -15,6 +15,7 @@
+ #include "config.h"
+ 
+ #include <epan/packet.h>
++#include <epan/expert.h>
+ 
+ void proto_register_gdsdb(void);
+ void proto_reg_handoff_gdsdb(void);
+@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1;
+ static int hf_gdsdb_sqlresponse_messages = -1;
+ #endif
+ 
++static expert_field ei_gdsdb_invalid_length = EI_INIT;
++
+ enum
+ {
+ 	op_void                   = 0,
+@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
+ 						offset, 4, ENC_ASCII|ENC_BIG_ENDIAN);
+ 	length = dword_align(tvb_get_ntohl(tvb, offset))+4;
+ 	proto_item_set_len(ti, length);
+-	return offset + length;
++	int ret_offset = offset + length;
++	if (length < 4 || ret_offset < offset) {
++		expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
++		return tvb_reported_length(tvb);
++	}
++	return ret_offset;
+ }
+ 
+ static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset)
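Review bot: The wraparound test `ret_offset < offset` in `add_uint_string` runs only after `offset + length` has already been evaluated as a signed addition, and signed overflow is undefined in C, so an optimizing compiler may drop the comparison unless the build forces wrapping semantics (for example `-fwrapv`). Testing before the addition avoids depending on that: `if (length < 4 || length > G_MAXINT - offset) { ... }` followed by `return offset + length;`, assuming `offset` is non-negative at this point. The context line `proto_item_set_len(ti, length);` also still runs on the unvalidated value, so moving it below the new check would keep a bogus length out of the tree item. The function starts outside the hunk, so the type of `length` is inferred as `int` from the `%d` format and should be confirmed.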
+@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U
+ 								offset, 4, ENC_BIG_ENDIAN);
+ 
+ 		/* opcode < op_max */
++		int old_offset = offset;
+ 		offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4);
++		if (offset <= old_offset) {
++			expert_add_info(NULL, ti, &ei_gdsdb_invalid_length);
++			return tvb_reported_length_remaining(tvb, old_offset);
++		}
+ 		if (offset < 0)
+ 		{
+ 			/* But at this moment we don't know how much we will need */
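Review bot: The added `if (offset <= old_offset)` test sits ahead of the existing `if (offset < 0)` branch, so any negative return from the opcode handler is caught by the new guard first (assuming `old_offset` is never negative) and the desegmentation branch below it appears unreachable. If the handlers still return a negative value to ask for more data, that request is now reported as a malformed length instead of triggering reassembly; narrowing the guard to `if (offset >= 0 && offset <= old_offset)`, or testing the sign first, keeps both behaviours. `pinfo` is a parameter of `dissect_gdsdb`, so `expert_add_info(pinfo, ti, &ei_gdsdb_invalid_length);` would be the clearer call than passing `NULL`. The body of the `offset < 0` branch continues past the end of the hunk, so the reachability point should be confirmed against the full function.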
+@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void)
+ 		&ett_gdsdb_connect_pref
+ 	};
+ 
++/* Expert info */
++	static ei_register_info ei[] = {
++		{ &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR,
++			"Invalid length", EXPFILL }},
++	};
++
+ 	proto_gdsdb = proto_register_protocol(
+ 		"Firebird SQL Database Remote Protocol",
+ 		"FB/IB GDS DB", "gdsdb");
+ 
+ 	proto_register_field_array(proto_gdsdb, hf, array_length(hf));
+ 	proto_register_subtree_array(ett, array_length(ett));
++	expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb);
++	expert_register_field_array(expert_gdsdb, ei, array_length(ei));
+ }
+ 
+ void
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index b4425cb66..b35c24328 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -19,6 +19,7 @@  SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
            file://CVE-2023-0668.patch \
            file://CVE-2023-2906.patch \
            file://CVE-2023-3649.patch \
+           file://CVE-2022-0585-CVE-2023-2879.patch \
            "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"