packages/wireshark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!14 Fix the CVE-2020-15466

Browse Source 
Merge pull request !14 from yaokai13/master
This commit is contained in:
openeuler-ci-bot 2020-08-05 18:43:45 +08:00 committed by Gitee
commit 30025f87e7
2 changed files with 152 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
CVE-2020-15466.patch Normal file
View File

@ -0,0 +1,144 @@
From d70bd4489feed4035c3a35cd2e76cdf877b3f485 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Mon, 29 Jun 2020 15:19:19 -0700
Subject: [PATCH] GVCP: Fix an infinite loop.
Remove an "if(tree)" test in order to ensure that our offset always
advances.
Bug: 16029
Change-Id: I5bb38f2eccfbf3c44a06682a17aafcba9d8fa0c6
Reviewed-on: https://code.wireshark.org/review/37611
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
epan/dissectors/packet-gvcp.c | 101 +++++++++++++++++-----------------
1 file changed, 51 insertions(+), 50 deletions(-)
diff --git a/epan/dissectors/packet-gvcp.c b/epan/dissectors/packet-gvcp.c
index 4b5d950..3a58cfa 100644
--- a/epan/dissectors/packet-gvcp.c
+++ b/epan/dissectors/packet-gvcp.c
@@ -1803,66 +1803,67 @@ static void dissect_eventdata_cmd(proto_tree *gvcp_telegram_tree, tvbuff_t *tvb,
/* fill in Info column in Wireshark GUI */
col_append_fstr(pinfo->cinfo, COL_INFO, "[ID: 0x%04X]", eventid);
- if (gvcp_telegram_tree != NULL)
+ /* If extended ID, then we have event_size here (2.1) */
+ if (extendedblockids)
{
- /* If extended ID, then we have event_size here (2.1) */
- if (extendedblockids)
- {
- proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_extid_length, tvb, offset, 2, ENC_BIG_ENDIAN);
- data_length = tvb_get_ntohs(tvb, offset); // We get the data length here
- }
-
- /* skip reserved field */
- offset += 2;
-
- /* Use range to determine type of event */
- if ((eventid >= 0x0000) && (eventid <= 0x8000))
- {
- /* Standard ID */
- proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_id, tvb, offset, 2, ENC_BIG_ENDIAN);
- }
- else if ((eventid >= 0x8001) && (eventid <= 0x8FFF))
- {
- /* Error */
- proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_error_id, tvb, offset, 2, ENC_BIG_ENDIAN);
- }
- else if ((eventid >= 0x9000) && (eventid <= 0xFFFF))
- {
- /* Device specific */
- proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_device_specific_id, tvb, offset, 2, ENC_BIG_ENDIAN);
- }
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_extid_length, tvb, offset, 2, ENC_BIG_ENDIAN);
+ data_length = tvb_get_ntohs(tvb, offset); // We get the data length here
+ }
+ /* skip reserved field */
+ offset += 2;
+ /* Use range to determine type of event */
+ if ((eventid >= 0x0000) && (eventid <= 0x8000))
+ {
+ /* Standard ID */
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_id, tvb, offset, 2, ENC_BIG_ENDIAN);
+ }
+ else if ((eventid >= 0x8001) && (eventid <= 0x8FFF))
+ {
+ /* Error */
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_error_id, tvb, offset, 2, ENC_BIG_ENDIAN);
+ }
+ else if ((eventid >= 0x9000) && (eventid <= 0xFFFF))
+ {
+ /* Device specific */
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_device_specific_id, tvb, offset, 2, ENC_BIG_ENDIAN);
+ }
+ offset += 2;
+
+ /* Stream channel (possibly) associated with event */
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_stream_channel_index, tvb, offset, 2, ENC_BIG_ENDIAN);
+ if (extendedblockids == 0)
+ {
+ /* Block id (16 bit) associated with event */
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_block_id, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
-
- /* Stream channel (possibly) associated with event */
- proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_stream_channel_index, tvb, offset, 2, ENC_BIG_ENDIAN);
+ }
+ else
+ {
offset += 2;
-
- if (extendedblockids == 0)
- {
- /* Block id (16 bit) associated with event */
- proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_block_id, tvb, offset, 2, ENC_BIG_ENDIAN);
- offset += 2;
- }
- else
- {
- offset += 2;
- /* Block id (64 bit) only if reported by gvcp flag */
- proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_block_id_64bit_v2_0, tvb, offset, 8, ENC_BIG_ENDIAN);
- offset += 8;
- }
-
- /* Timestamp (64 bit) associated with event */
- proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_timestamp, tvb, offset, 8, ENC_BIG_ENDIAN);
+ /* Block id (64 bit) only if reportedby gvcp flag */
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_block_id_64bit_v2_0, tvb, offset, 8, ENC_BIG_ENDIAN);
offset += 8;
+ }
- if ((data_length == 24) && (extendedblockids))
+ /* Timestamp (64 bit) associated with event */
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_timestamp, tvb, offset, 8, ENC_BIG_ENDIAN);
+ offset += 8;
+
+ if (extendedblockids)
+ {
+ if (data_length > 24)
{
- /* "no data" this is an ok case for extended id, eventcmd to be deprecated */
- return;
+ /* Data */
+ proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_data, tvb, offset, data_length - 24, ENC_NA);
+ offset += data_length - 24;
}
+ }
+ else
+ {
/* Data */
proto_tree_add_item(gvcp_telegram_tree, hf_gvcp_eventcmd_data, tvb, offset, -1, ENC_NA);
+ return;
}
}
--
2.23.0

9
wireshark.spec
View File

@ -1,6 +1,6 @@
Name: wireshark
Version: 2.6.2
Release: 8
Release: 9
Epoch: 1
Summary: Network traffic analyzer
License: GPL+
@ -39,6 +39,7 @@ Patch6024: CVE-2019-5719.patch
Patch6025: CVE-2020-11647.patch
Patch6026: fix-hash-table-key-memory-corruption.patch
Patch6027: CVE-2020-13164.patch
Patch6028: CVE-2020-15466.patch
Requires(pre): shadow-utils
Requires(post): systemd-udev
@ -145,6 +146,12 @@ getent group usbmon >/dev/null || groupadd -r usbmon
%{_mandir}/man?/*
%changelog
* Wed Aug 05 2020 yaokai <yaokai13@huawei.com> - 2.6.2-9
- Type:cves
- ID: CVE-2020-15466
- SUG:restart
- DESC: fix CVE-2020-15466
* Tue Jul 21 2020 wangyue <wangyue92@huawei.com> - 2.6.2-8
- Type:cves
- ID: CVE-2020-13164