wireshark/CVE-2024-4854.patch


From 40ed7e814bce9d27cc7a43a3c9612d25692be716 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 30 Mar 2024 08:07:26 -0400
Subject: [PATCH] Mongo: Ensure the offset advances

The MongoDB Wire Protocol uses _signed_ 32-bit integers for lengths.
dissect_bson_document checks for bogus values and ensures that a
non-negative (and at least 5) size is returned, but we need to make
sure to use that return value instead of trusting the value read
from the packet in dissect_op_msg_section.

Fix #19726

(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f)
---
epan/dissectors/packet-mongo.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
index b5a8bbffc2a..8e5f6370fbf 100644
--- a/epan/dissectors/packet-mongo.c
+++ b/epan/dissectors/packet-mongo.c
@@ -799,7 +799,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
switch (e_type) {
case KIND_BODY:
- dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+ section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+ /* If section_len is bogus (e.g., negative), dissect_bson_document sets
+ * an expert info and can return a different value than read above.
+ */
break;
case KIND_DOCUMENT_SEQUENCE: {
gint32 dsi_length;
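Review bot: the new comment in the KIND_BODY case sits after the assignment it explains and refers to a value "read above" that this hunk does not show; move it above `section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);` and state the contract the commit message relies on (the return value is non-negative and at least 5), e.g. `/* Use the validated length; the packet's own section_len may be negative. */`. The hunk also ends before the code that actually advances `offset` and `to_read` by `section_len` after the switch, which is where the fix takes effect: that site should be checked in the same change, because `offset` is declared `guint` in the function signature shown in the hunk header, so adding an unchecked negative `gint32` from the packet wraps to a huge value rather than stepping backwards.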
@@ -808,6 +811,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
proto_tree *documents_tree;
proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ /* This is redundant with the lengths in the documents, we don't use this
+ * size at all. We could still report an expert info if it's bogus.
+ */
offset += 4;
to_read -= 4;
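Review bot: the comment added at the start of the KIND_DOCUMENT_SEQUENCE case says the section size "could" be reported with an expert info if bogus, but no check is added, so the comment describes behaviour that does not exist; either add the check (the `gint32 dsi_length` declared just above this hunk is the natural place to hold the value read here, compared against `to_read` before `offset += 4; to_read -= 4;`) or word it as a TODO. Since the size is stated to be redundant with the per-document lengths and is not used, confirm that the document loop which follows this hunk advances by each document's validated return value, as the KIND_BODY case now does, and not by this field.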
--
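To make the failure mode described in the commit message concrete, the following is an added example and not Wireshark's code: a hypothetical `sanitize_bson_doc_len` stands in for `dissect_bson_document`, the walker stands in for the section loop in `dissect_op_msg_section`, and the input bytes are constructed. It contrasts advancing by the raw signed length read from the packet with advancing by the validated return value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimum legal BSON document size: 4-byte length field plus the 0x00 terminator. */
#define BSON_MIN_DOC_LEN 5

/* The wire protocol encodes lengths as little-endian signed 32-bit integers.
 * The cast of a value above INT32_MAX to int32_t wraps on the usual two's
 * complement compilers, which is exactly how 0xFFFFFFFF becomes -1. */
static int32_t read_le_int32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Hypothetical stand-in for dissect_bson_document (not the Wireshark routine).
 * Reads the length at off, sets *bogus when it is negative, below the BSON
 * minimum, or runs past the buffer, and returns a length that is always >= 1
 * and never past the end of the buffer. A caller that advances by this return
 * value therefore always makes forward progress. Requires off < len. */
static int32_t sanitize_bson_doc_len(const uint8_t *buf, size_t len, size_t off, int *bogus)
{
    size_t remaining = len - off;
    int32_t doc_len;

    *bogus = 0;
    if (remaining < 4) {                 /* not even a length field left */
        *bogus = 1;
        return (int32_t)remaining;       /* >= 1 because off < len */
    }
    doc_len = read_le_int32(buf + off);
    if (doc_len < BSON_MIN_DOC_LEN) {    /* also catches every negative value */
        *bogus = 1;
        doc_len = BSON_MIN_DOC_LEN;
    }
    if ((size_t)doc_len > remaining) {   /* would run past the packet */
        *bogus = 1;
        doc_len = (int32_t)remaining;
    }
    return doc_len;
}

/* Walks a sequence of BSON documents (an OP_MSG body-section stream).
 * trust_packet != 0 reproduces the pre-fix pattern of advancing by the raw
 * length from the packet; 0 advances by the sanitized return value.
 * Returns the number of documents walked, -1 if the walk would stall or move
 * backwards (the "offset does not advance" condition the patch removes), or
 * -2 if it would read past the buffer. bogus_seen may be NULL. */
static int walk_bson_documents(const uint8_t *buf, size_t len, int trust_packet, int *bogus_seen)
{
    size_t off = 0;
    int count = 0;

    if (bogus_seen)
        *bogus_seen = 0;
    while (off < len) {
        int bogus;
        int32_t checked = sanitize_bson_doc_len(buf, len, off, &bogus);
        int32_t step;

        if (bogus && bogus_seen)
            *bogus_seen = 1;
        if (trust_packet)
            step = (len - off >= 4) ? read_le_int32(buf + off) : 0;  /* raw, unchecked */
        else
            step = checked;                                           /* validated */
        if (step <= 0)
            return -1;
        if ((size_t)step > len - off)
            return -2;
        off += (size_t)step;
        count++;
    }
    return count;
}

/* Constructed sample input: two minimal documents (length 5, i.e. {} in BSON),
 * and a variant whose second length field is 0xFFFFFFFF, read as -1. */
static const uint8_t sample_good[] = { 5, 0, 0, 0, 0, 5, 0, 0, 0, 0 };
static const uint8_t sample_bad[]  = { 5, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 0 };

/* Helper returning only the bogus flag for a fixed-mode walk over buf. */
static int bogus_length_seen(const uint8_t *buf, size_t len)
{
    int bogus = 0;
    (void)walk_bson_documents(buf, len, 0, &bogus);
    return bogus;
}

int main(void)
{
    printf("good, trusting packet:  %d\n", walk_bson_documents(sample_good, sizeof sample_good, 1, NULL));
    printf("good, validated length: %d\n", walk_bson_documents(sample_good, sizeof sample_good, 0, NULL));
    printf("bad,  trusting packet:  %d\n", walk_bson_documents(sample_bad, sizeof sample_bad, 1, NULL));
    printf("bad,  validated length: %d (bogus seen: %d)\n",
           walk_bson_documents(sample_bad, sizeof sample_bad, 0, NULL),
           bogus_length_seen(sample_bad, sizeof sample_bad));
    return 0;
}
```

The point of the two modes is the one the commit message makes: the validator already refuses the negative length, but that does nothing unless the loop advances by what the validator returned rather than by what it read. With the raw value, a -1 length either stalls the loop or, with an unsigned offset as in the dissector, wraps it far past the end of the packet.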