wireshark/CVE-2023-5371.patch


2023-10-07 14:52:45 +08:00
From 1921740b0bf561941e0906884757831bde989add Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Wed, 6 Sep 2023 06:13:23 -0400
Subject: [PATCH] RTPS: Check for signed overflow
Origin: https://gitlab.com/wireshark/wireshark/-/commit/1921740b0bf561941e0906884757831bde989add
The offset is a signed integer, and we use negative offsets
to mean "offset counting from the end of the tvb." That means
that we can still have an excessive loop without unsigned overflow
or running off the end of the tvb, if the result of adding a large
unsigned integer to the offset results in a small negative number.
Just check if the result of the addition makes the offset move
backwards.
Fix #19322
(backported from commit 0de07f8fe4f8e06da9084485e64a24c8f85a20f4)
---
epan/dissectors/packet-rtps.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
index 82ac8f9436b..c152d50dfc6 100644
--- a/epan/dissectors/packet-rtps.c
+++ b/epan/dissectors/packet-rtps.c
@@ -2474,13 +2474,14 @@ static const fragment_items rtps_frag_items = {
"RTPS fragments"
};
-static guint32 check_offset_addition(guint32 offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
+static gint check_offset_addition(gint offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
{
- if (offset > G_MAXUINT32 - value) {
+ gint new_offset = offset + (gint)value;
+ if (new_offset < offset) {
proto_tree_add_expert_format(tree, pinfo, &ei_rtps_value_too_large, tvb, 0, 0, "Offset value too large: %u", value);
THROW(ReportedBoundsError);
}
- return offset + value;
+ return new_offset;
}
static void rtps_util_dissect_parameter_header(tvbuff_t * tvb, gint * offset,
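Review bot: The guard in check_offset_addition runs only after `offset + (gint)value` has been computed, and overflow of a signed `gint` addition is undefined behaviour in C. An optimising compiler may therefore reduce `new_offset < offset` to a sign test on `(gint)value` and drop the wrap-to-negative case the commit targets, unless the build enables something like `-fwrapv` (not visible here). Testing before the addition avoids relying on wraparound: `if (value > (guint32)G_MAXINT || offset > G_MAXINT - (gint)value) {` followed by `return offset + (gint)value;`. That keeps the intended rejections (values that do not fit in a gint, and sums past G_MAXINT) and still accepts negative from-the-end offsets. The callers that receive the new `gint` return type are outside the hunk, so how they handle the signedness change cannot be checked from here.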
--
GitLab