Fix CVE-2023-3649,CVE-2023-2906,CVE-2023-4511,CVE-2023-4513

This commit is contained in:
wk333 2023-09-06 19:52:28 +08:00
parent 636df0673b
commit 5b19e6cbe8
6 changed files with 423 additions and 1 deletions

CVE-2023-2906.patch Normal file

@ -0,0 +1,36 @@
From 0b874ad0f50f71a5b780cb915ea62f8625112402 Mon Sep 17 00:00:00 2001
From: Jaap Keuter <jaap.keuter@xs4all.nl>
Date: Thu, 27 Jul 2023 20:21:19 +0200
Subject: [PATCH] CP2179: Handle timetag info response without records
Fixes #19229
(cherry picked from commit 44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d)
---
epan/dissectors/packet-cp2179.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/epan/dissectors/packet-cp2179.c b/epan/dissectors/packet-cp2179.c
index 30f53f84946..70fe0332843 100644
--- a/epan/dissectors/packet-cp2179.c
+++ b/epan/dissectors/packet-cp2179.c
@@ -721,11 +721,14 @@ dissect_response_frame(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, int
proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_numsets, tvb, offset, 1, ENC_LITTLE_ENDIAN);
num_records = tvb_get_guint8(tvb, offset) & 0x7F;
+ offset += 1;
+
+ if (num_records == 0 || numberofcharacters <= 1)
+ break;
+
recordsize = (numberofcharacters-1) / num_records;
num_values = (recordsize-6) / 2; /* Determine how many 16-bit analog values are present in each event record */
- offset += 1;
-
for (x = 0; x < num_records; x++)
{
cp2179_event_tree = proto_tree_add_subtree_format(cp2179_proto_tree, tvb, offset, recordsize, ett_cp2179_event, NULL, "Event Record # %d", x+1);
--
GitLab
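Review bot: The new guard `if (num_records == 0 || numberofcharacters <= 1)` removes the division by zero, but `num_values = (recordsize-6) / 2` on the following line is still unguarded when `recordsize` comes out below 6 (any response where `numberofcharacters-1` is smaller than `6*num_records`); if `recordsize` is an unsigned type (its declaration is outside the hunk) the subtraction wraps and `num_values` becomes huge, and if signed it goes negative and the value loop presumably does nothing while the record is still shown with the short size. Extending the guard covers it: `if (num_records == 0 || numberofcharacters <= 1 || (numberofcharacters-1) / num_records < 6) break;`. `dissect_response_frame` starts and ends outside the hunk, so how the per-record loop bounds `num_values` against the tvb is not visible here.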

CVE-2023-3649.patch Normal file

@ -0,0 +1,227 @@
From 75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 24 Jun 2023 00:34:50 -0400
Subject: [PATCH] iscsi: Check bounds when extracting TargetAddress
Use tvb_ functions that do bounds checking when parsing the
TargetAddress string, instead of incrementing a pointer to an
extracted char* and sometimes accidentally overrunning the
string.
While we're there, go ahead and add support for IPv6 addresses.
Fix #19164
(backported from commit 94349bbdaeb384b12d554dd65e7be7ceb0e93d21)
---
epan/dissectors/packet-iscsi.c | 146 +++++++++++++++++----------------
1 file changed, 75 insertions(+), 71 deletions(-)
diff --git a/epan/dissectors/packet-iscsi.c b/epan/dissectors/packet-iscsi.c
index 031f07e5aa6..3b5d64de9fd 100644
--- a/epan/dissectors/packet-iscsi.c
+++ b/epan/dissectors/packet-iscsi.c
@@ -20,8 +20,6 @@
#include "config.h"
-#include <stdio.h>
-
#include <epan/packet.h>
#include <epan/prefs.h>
#include <epan/conversation.h>
@@ -29,6 +27,7 @@
#include "packet-scsi.h"
#include <epan/crc32-tvb.h>
#include <wsutil/crc32.h>
+#include <wsutil/inet_addr.h>
#include <wsutil/strtoi.h>
#include <wsutil/ws_roundup.h>
@@ -514,70 +513,81 @@ typedef struct _iscsi_conv_data {
dissector for the address/port that TargetAddress points to.
(it starts to be common to use redirectors to point to non-3260 ports)
*/
+static address null_address = ADDRESS_INIT_NONE;
+
static void
-iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, char *val, guint offset)
+iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, guint offset)
{
- address *addr = NULL;
+ address addr = ADDRESS_INIT_NONE;
guint16 port;
- char *value = wmem_strdup(pinfo->pool, val);
- char *p = NULL, *pgt = NULL;
-
- if (value[0] == '[') {
- /* this looks like an ipv6 address */
- p = strchr(value, ']');
- if (p != NULL) {
- *p = 0;
- p += 2; /* skip past "]:" */
-
- pgt = strchr(p, ',');
- if (pgt != NULL) {
- *pgt++ = 0;
- }
+ int colon_offset;
+ int end_offset;
+ char *ip_str, *port_str;
+
+ colon_offset = tvb_find_guint8(tvb, offset, -1, ':');
+ if (colon_offset == -1) {
+ /* RFC 7143 13.8 TargetAddress "If the TCP port is not specified,
+ * it is assumed to be the IANA-assigned default port for iSCSI",
+ * so nothing to do here.
+ */
+ return;
+ }
- /* can't handle ipv6 yet */
+ /* We found a colon, so there's at least one byte and this won't fail. */
+ if (tvb_get_guint8(tvb, offset) == '[') {
+ offset++;
+ /* could be an ipv6 address */
+ end_offset = tvb_find_guint8(tvb, offset, -1, ']');
+ if (end_offset == -1) {
+ return;
}
- } else {
- /* This is either a ipv4 address or a dns name */
- int i0,i1,i2,i3;
- if (sscanf(value, "%d.%d.%d.%d", &i0,&i1,&i2,&i3) == 4) {
- /* looks like a ipv4 address */
- p = strchr(value, ':');
- if (p != NULL) {
- char *addr_data;
-
- *p++ = 0;
-
- pgt = strchr(p, ',');
- if (pgt != NULL) {
- *pgt++ = 0;
- }
- addr_data = (char *) wmem_alloc(pinfo->pool, 4);
- addr_data[0] = i0;
- addr_data[1] = i1;
- addr_data[2] = i2;
- addr_data[3] = i3;
-
- addr = wmem_new(pinfo->pool, address);
- addr->type = AT_IPv4;
- addr->len = 4;
- addr->data = addr_data;
+ /* look for the colon before the port, if any */
+ colon_offset = tvb_find_guint8(tvb, end_offset, -1, ':');
+ if (colon_offset == -1) {
+ return;
+ }
- if (!ws_strtou16(p, NULL, &port)) {
- proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid,
- tvb, offset + (guint)strlen(value), (guint)strlen(p), "Invalid port: %s", p);
- }
- }
+ ws_in6_addr *ip6_addr = wmem_new(pinfo->pool, ws_in6_addr);
+ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, end_offset - offset, ENC_ASCII);
+ if (ws_inet_pton6(ip_str, ip6_addr)) {
+ /* looks like a ipv6 address */
+ set_address(&addr, AT_IPv6, sizeof(ws_in6_addr), ip6_addr);
+ }
+ } else {
+ /* This is either a ipv4 address or a dns name */
+ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, colon_offset - offset, ENC_ASCII);
+ ws_in4_addr *ip4_addr = wmem_new(pinfo->pool, ws_in4_addr);
+ if (ws_inet_pton4(ip_str, ip4_addr)) {
+ /* looks like a ipv4 address */
+ set_address(&addr, AT_IPv4, 4, ip4_addr);
}
+ /* else a DNS host name; we could, theoretically, try to use
+ * name resolution information in the capture to lookup the address.
+ */
}
+ /* Extract the port */
+ end_offset = tvb_find_guint8(tvb, colon_offset, -1, ',');
+ int port_len;
+ if (end_offset == -1) {
+ port_len = tvb_reported_length_remaining(tvb, colon_offset + 1);
+ } else {
+ port_len = end_offset - (colon_offset + 1);
+ }
+ port_str = tvb_get_string_enc(pinfo->pool, tvb, colon_offset + 1, port_len, ENC_ASCII);
+ if (!ws_strtou16(port_str, NULL, &port)) {
+ proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid,
+ tvb, colon_offset + 1, port_len, "Invalid port: %s", port_str);
+ return;
+ }
/* attach a conversation dissector to this address/port tuple */
- if (addr && !pinfo->fd->visited) {
+ if (!addresses_equal(&addr, &null_address) && !pinfo->fd->visited) {
conversation_t *conv;
- conv = conversation_new(pinfo->num, addr, addr, ENDPOINT_TCP, port, port, NO_ADDR2|NO_PORT2);
+ conv = conversation_new(pinfo->num, &addr, &null_address, ENDPOINT_TCP, port, 0, NO_ADDR2|NO_PORT2);
if (conv == NULL) {
return;
}
@@ -589,30 +599,24 @@ iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree,
static gint
addTextKeys(packet_info *pinfo, proto_tree *tt, tvbuff_t *tvb, gint offset, guint32 text_len) {
const gint limit = offset + text_len;
+ tvbuff_t *keyvalue_tvb;
+ int len, value_offset;
while(offset < limit) {
- char *key = NULL, *value = NULL;
- gint len = tvb_strnlen(tvb, offset, limit - offset);
-
- if(len == -1) {
- len = limit - offset;
- } else {
- len = len + 1;
- }
-
- key = tvb_get_string_enc(pinfo->pool, tvb, offset, len, ENC_ASCII);
- if (key == NULL) {
- break;
- }
- value = strchr(key, '=');
- if (value == NULL) {
+ /* RFC 7143 6.1 Text Format: "Every key=value pair, including the
+ * last or only pair in a LTDS, MUST be followed by one null (0x00)
+ * delimiter.
+ */
+ proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len);
+ keyvalue_tvb = tvb_new_subset_length(tvb, offset, len);
+ value_offset = tvb_find_guint8(keyvalue_tvb, 0, len, '=');
+ if (value_offset == -1) {
break;
}
- *value++ = 0;
+ value_offset++;
- proto_tree_add_item(tt, hf_iscsi_KeyValue, tvb, offset, len, ENC_ASCII|ENC_NA);
- if (!strcmp(key, "TargetAddress")) {
- iscsi_dissect_TargetAddress(pinfo, tvb, tt, value, offset + (guint)strlen("TargetAddress") + 2);
+ if (tvb_strneql(keyvalue_tvb, 0, "TargetAddress=", strlen("TargetAddress=")) == 0) {
+ iscsi_dissect_TargetAddress(pinfo, keyvalue_tvb, tt, value_offset);
}
offset += len;
@@ -2943,7 +2947,7 @@ proto_register_iscsi(void)
},
{ &hf_iscsi_KeyValue,
{ "KeyValue", "iscsi.keyvalue",
- FT_STRING, BASE_NONE, NULL, 0,
+ FT_STRINGZ, BASE_NONE, NULL, 0,
"Key/value pair", HFILL }
},
{ &hf_iscsi_Text_F,
--
GitLab
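Review bot: In `addTextKeys`, the new `proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len)` scans for the NUL across the whole remaining tvb, so `len` is no longer bounded by `limit` the way the removed `tvb_strnlen(tvb, offset, limit - offset)` path was; a key=value lacking its NUL inside `text_len` now consumes bytes past the text segment (and, if I read the FT_STRINGZ handling correctly, throws when no NUL exists before the end of the tvb instead of being clamped). A check right after the add keeps the old bound explicit: `if (offset + len > limit) { proto_tree_add_expert(tt, pinfo, &ei_iscsi_keyvalue_invalid, tvb, offset, limit - offset); break; }`. The TargetAddress rewrite itself looks sound: every string is cut with tvb_ offsets and the stack `addr` is only handed to `conversation_new`, which copies it. `addTextKeys` continues past the end of the hunk.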

CVE-2023-4511.patch Normal file

@ -0,0 +1,80 @@
From d3068e8d2e80908ab284c2bcc96d3ff7f8a5c1ae Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Thu, 10 Aug 2023 05:29:09 -0400
Subject: [PATCH] btsdp: Keep offset advancing
hf_data_element_value is a FT_NONE, so we can add the item with
the expected length and get_hfi_length() will adjust the length
without throwing an exception. There's no need to add it with
zero length and call proto_item_set_len. Also, don't increment
the offset by 0 instead of the real length when there isn't
enough data in the packet, as that can lead to failing to advance
the offset.
When dissecting a sequence type (sequence or alternative) and
recursing into the sequence member, instead of using the main
packet tvb directly, create a subset using the indicated length
of the sequence. That will properly throw an exception if a
contained item is larger than the containing sequence, instead of
dissecting the same bytes as several different items (inside
the sequence recursively, as well in the outer loop.)
Fix #19258
(cherry picked from commit ef9c79ae81b00a63aa8638076ec81dc9482972e9)
---
epan/dissectors/packet-btsdp.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
index 66265d6ef92..34d8ee80b89 100644
--- a/epan/dissectors/packet-btsdp.c
+++ b/epan/dissectors/packet-btsdp.c
@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree,
offset += len - length;
}
- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA);
+ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA);
if (length > tvb_reported_length_remaining(tvb, offset)) {
expert_add_info(pinfo, pitem, &ei_data_element_value_large);
- length = 0;
- }
- proto_item_set_len(pitem, length);
- if (length == 0)
+ proto_item_append_text(pitem, ": MISSING");
+ } else if (length == 0)
proto_item_append_text(pitem, ": MISSING");
if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value);
@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
gint bytes_to_go = size;
gint first = 1;
wmem_strbuf_t *substr;
+ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size);
+ gint next_offset = 0;
ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative,
tvb, offset, size, ENC_NA);
@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
first = 0;
}
- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid,
+ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset,
+ attribute, service_uuid,
service_did_vendor_id, service_did_vendor_id_source,
service_hdp_data_exchange_specification, service_info, &substr);
if (size < 1) {
break;
}
wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_finalize(substr));
- offset += size ;
+ next_offset += size;
bytes_to_go -= size;
}
--
GitLab
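Review bot: The `} else if (length == 0)` at the end of the first hunk has an unbraced body right after a braced block, and both branches append the same `": MISSING"` text, so the two conditions will drift apart in a later edit. Only the over-long case needs the expert info, so I would keep `expert_add_info` in its own `if` and append the text once: `if (length == 0 || length > tvb_reported_length_remaining(tvb, offset)) proto_item_append_text(pitem, ": MISSING");`. In the later hunks `next_tvb` is created with `tvb_new_subset_length` before the sequence item is added to the tree, so an over-long `size` throws before that item exists; that is what the commit message intends, but if `hf_data_element_value_sequence` is FT_NONE like `hf_data_element_value`, adding the item first would leave a node for the malformed entry, which I cannot confirm from here. `dissect_data_element` and `dissect_sdp_type` both start and end outside the hunks.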

CVE-2023-4513-1.patch Normal file

@ -0,0 +1,39 @@
From 863f6c3dc760ab770a7b31b33e9c769868e4289b Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Thu, 10 Aug 2023 01:19:21 -0400
Subject: [PATCH] wmem: Fix leak in block_fast when realloc'ing jumbo blocks
In block fast wmem_allocator is used, keep the double linked
list of jumbo blocks accurate by pointing the prev pointer of
the old head (if it exists) to the newly allocated jumbo block.
This prevents a leak if a jumbo block which is not the most
recently added jumbo block is realloc'ed. If the prev pointer
isn't set properly, then all the jumbo blocks added afterwards
will be lost from the list and leaked.
Fix #19259
(cherry picked from commit d086f2733bc611eb310aafec51bd28d44166fa42)
---
wsutil/wmem/wmem_allocator_block_fast.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/wsutil/wmem/wmem_allocator_block_fast.c b/wsutil/wmem/wmem_allocator_block_fast.c
index bdb8c2f75dc..117e9df6193 100644
--- a/wsutil/wmem/wmem_allocator_block_fast.c
+++ b/wsutil/wmem/wmem_allocator_block_fast.c
@@ -97,6 +97,9 @@ wmem_block_fast_alloc(void *private_data, const size_t size)
size + WMEM_JUMBO_HEADER_SIZE + WMEM_CHUNK_HEADER_SIZE);
block->next = allocator->jumbo_list;
+ if (block->next) {
+ block->next->prev = block;
+ }
block->prev = NULL;
allocator->jumbo_list = block;
--
GitLab
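Review bot: The back-link added at `block->next->prev = block;` is correct but nothing in the code says why it matters, and the commit message is the only place recording that realloc of a non-head jumbo block unlinks it through `prev` and orphans every later block when that pointer is NULL. A one-line comment above the new `if` keeps the next refactor from dropping it: `/* Back-link the old head: unlinking a non-head jumbo block (realloc/free) walks prev, a NULL here leaks the rest of the list. */`. If the realloc path re-inserts the resized jumbo block at the head through its own code rather than this function, it needs the same back-link; that path and the rest of `wmem_block_fast_alloc` are outside the hunk.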

CVE-2023-4513-2.patch Normal file

@ -0,0 +1,32 @@
From 016af38af0a27b14c8e2fb4fb3e2c4811bb0211b Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Thu, 10 Aug 2023 02:47:58 -0400
Subject: [PATCH] btsdp: Finalize wmem_strbuf
The allocated wmem_strbuf isn't used after this, so it can
be finalized to save a bit of memory.
Related to #19259
(cherry picked from commit 7fecc31427e0ec5e55ac2611df94678940c1df7d)
---
epan/dissectors/packet-btsdp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
index a60b3051b4d..66265d6ef92 100644
--- a/epan/dissectors/packet-btsdp.c
+++ b/epan/dissectors/packet-btsdp.c
@@ -3543,7 +3543,7 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
if (size < 1) {
break;
}
- wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
+ wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_finalize(substr));
offset += size ;
bytes_to_go -= size;
}
--
GitLab
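Review bot: After `wmem_strbuf_finalize(substr)` the `substr` variable points at a strbuf container that finalize has released, and the loop reuses the same variable for the next `dissect_sdp_type(..., &substr)` call; that is only safe if every return path of `dissect_sdp_type` with `size >= 1` stores a fresh strbuf into `*substr`, which the hunk does not show. Either `substr = NULL;` after the append, or a comment on the append line such as `/* finalize frees substr; dissect_sdp_type must set it again on the next pass */`, makes the dependency visible. `dissect_sdp_type` starts and ends outside the hunk.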


@ -5,7 +5,7 @@
Summary: Network traffic analyzer Summary: Network traffic analyzer
Name: wireshark Name: wireshark
Version: 3.6.14 Version: 3.6.14
Release: 2 Release: 3
Epoch: 1 Epoch: 1
License: GPL+ License: GPL+
Url: http://www.wireshark.org/ Url: http://www.wireshark.org/
@ -22,6 +22,11 @@ Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch
Patch7: wireshark-0007-cmakelists.patch Patch7: wireshark-0007-cmakelists.patch
Patch8: CVE-2023-3648.patch Patch8: CVE-2023-3648.patch
Patch9: CVE-2023-3649.patch
Patch10: CVE-2023-2906.patch
Patch11: CVE-2023-4513-1.patch
Patch12: CVE-2023-4513-2.patch
Patch13: CVE-2023-4511.patch
Requires: xdg-utils Requires: xdg-utils
Requires: hicolor-icon-theme Requires: hicolor-icon-theme
@ -196,6 +201,9 @@ exit 0
%{_mandir}/man?/* %{_mandir}/man?/*
%changelog %changelog
* Wed Sep 06 2023 wangkai <13474090681@163.com> - 1:3.6.14-3
- Fix CVE-2023-3649,CVE-2023-2906,CVE-2023-4511,CVE-2023-4513
* Thu Jul 27 2023 liningjie <liningjie@xfusion.com> - 1:3.6.14-2 * Thu Jul 27 2023 liningjie <liningjie@xfusion.com> - 1:3.6.14-2
- Fix CVE-2023-3648 - Fix CVE-2023-3648
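Review bot: The order of the new Patch lines is load-bearing and undocumented: CVE-2023-4511.patch's packet-btsdp.c hunk starts from blob `66265d6ef92`, which is exactly what CVE-2023-4513-2.patch produces (`a60b3051b4d..66265d6ef92`), and its context already contains `wmem_strbuf_finalize(substr)`, so Patch13 only applies after Patch12. The current numbering gets this right; a comment beside the entries, `# CVE-2023-4511.patch must apply after CVE-2023-4513-2.patch (both touch packet-btsdp.c)`, protects it from a later renumbering. If %prep applies patches with explicit %patchN lines rather than %autosetup, the five new patches also need entries there; %prep is outside this diff.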