packages/wireshark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!57 fix CVE-2019-13619 CVE-2019-19553 CVE-2020-9428 CVE-2020-9431

Browse Source 
From: @wangxiao65
Reviewed-by: @zhanghua1831,@disnight,@small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-02-25 17:10:20 +08:00 committed by Gitee
commit 6563f7e52a
6 changed files with 463 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
CVE-2019-13619.patch Normal file
View File

@ -0,0 +1,33 @@
From 7e90aed666e809c0db5de9d1816802a7dcea28d9 Mon Sep 17 00:00:00 2001
From: Dario Lombardo <lomato@gmail.com>
Date: Mon, 24 Jun 2019 23:36:15 +0200
Subject: [PATCH] asn1: don't increment a buffer beyond its end.
Bug: 15870
Change-Id: I04cbb822f0e77c8e0ac8513e3a5c13116920ca6e
Reviewed-on: https://code.wireshark.org/review/33731
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(cherry picked from commit 45a3d0787f3c9f6f5fb5b53a8c29771b3f28e406)
Reviewed-on: https://code.wireshark.org/review/33736
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
---
epan/asn1.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/epan/asn1.c b/epan/asn1.c
index bf30529cc6..1faef845ee 100644
--- a/epan/asn1.c
+++ b/epan/asn1.c
@@ -234,6 +234,9 @@ double asn1_get_real(const guint8 *real_ptr, gint len) {
DISSECTOR_ASSERT_NOT_REACHED();
}
+ /* Ensure the buffer len and its content are coherent */
+ DISSECTOR_ASSERT(lenE < len - 1);
+
Eneg = (*p) & 0x80 ? TRUE : FALSE;
for (i = 0; i < lenE; i++) {
if(Eneg) {

197
CVE-2019-19553.patch Normal file
View File

@ -0,0 +1,197 @@
From 34d2e0d5318d0a7e9889498c721639e5cbf4ce45 Mon Sep 17 00:00:00 2001
From: Pascal Quantin <pascal@wireshark.org>
Date: Mon, 4 Nov 2019 15:08:22 +0100
Subject: [PATCH] CMS: reset object_identifier_id after dissecting ContentInfo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: 15961
Change-Id: I3d6b3e96103b69f88fcb512da81fa20ff6a1c40e
Reviewed-on: https://code.wireshark.org/review/34960
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Reviewed-by: Roland Knall <rknall@gmail.com>
(cherry picked from commit 23850a3342d64b9c9808f14c20bfea6d22b7dc08)
Conflicts:
epan/dissectors/packet-cms.c
Reviewed-on: https://code.wireshark.org/review/34975
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
---
epan/dissectors/asn1/cms/cms.cnf | 1 +
.../dissectors/asn1/cms/packet-cms-template.c | 2 +-
epan/dissectors/packet-cms.c | 31 ++++++++++---------
3 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/epan/dissectors/asn1/cms/cms.cnf b/epan/dissectors/asn1/cms/cms.cnf
index 06ff8d239f..4384fd0ae7 100644
--- a/epan/dissectors/asn1/cms/cms.cnf
+++ b/epan/dissectors/asn1/cms/cms.cnf
@@ -97,6 +97,7 @@ FirmwarePackageLoadError/version fwErrorVersion
top_tree = tree;
%(DEFAULT_BODY)s
content_tvb = NULL;
+ object_identifier_id = NULL;
top_tree = NULL;
#.FN_PARS ContentType
diff --git a/epan/dissectors/asn1/cms/packet-cms-template.c b/epan/dissectors/asn1/cms/packet-cms-template.c
index b03c96421b..199353cd85 100644
--- a/epan/dissectors/asn1/cms/packet-cms-template.c
+++ b/epan/dissectors/asn1/cms/packet-cms-template.c
@@ -43,7 +43,7 @@ static int hf_cms_ci_contentType = -1;
static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2wrs stops generating these silly wrappers */
-static const char *object_identifier_id;
+static const char *object_identifier_id = NULL;
static tvbuff_t *content_tvb = NULL;
static proto_tree *top_tree=NULL;
diff --git a/epan/dissectors/packet-cms.c b/epan/dissectors/packet-cms.c
index c62c92be44..592af2dad0 100644
--- a/epan/dissectors/packet-cms.c
+++ b/epan/dissectors/packet-cms.c
@@ -309,7 +309,7 @@ static gint ett_cms_FirmwarePackageMessageDigest = -1;
static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2wrs stops generating these silly wrappers */
-static const char *object_identifier_id;
+static const char *object_identifier_id = NULL;
static tvbuff_t *content_tvb = NULL;
static proto_tree *top_tree=NULL;
@@ -371,7 +371,7 @@ cms_verify_msg_digest(proto_item *pi, tvbuff_t *content, const char *alg, tvbuff
int
dissect_cms_ContentType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 106 "./asn1/cms/cms.cnf"
+#line 107 "./asn1/cms/cms.cnf"
const char *name = NULL;
offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &object_identifier_id);
@@ -391,7 +391,7 @@ dissect_cms_ContentType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_cms_T_content(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 116 "./asn1/cms/cms.cnf"
+#line 117 "./asn1/cms/cms.cnf"
offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -415,6 +415,7 @@ dissect_cms_ContentInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
ContentInfo_sequence, hf_index, ett_cms_ContentInfo);
content_tvb = NULL;
+ object_identifier_id = NULL;
top_tree = NULL;
@@ -468,7 +469,7 @@ dissect_cms_DigestAlgorithmIdentifiers(gboolean implicit_tag _U_, tvbuff_t *tvb
static int
dissect_cms_T_eContent(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 120 "./asn1/cms/cms.cnf"
+#line 121 "./asn1/cms/cms.cnf"
offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &content_tvb);
@@ -502,7 +503,7 @@ dissect_cms_EncapsulatedContentInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
static int
dissect_cms_T_attrType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 150 "./asn1/cms/cms.cnf"
+#line 151 "./asn1/cms/cms.cnf"
const char *name = NULL;
offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &object_identifier_id);
@@ -522,7 +523,7 @@ dissect_cms_T_attrType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_cms_AttributeValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 160 "./asn1/cms/cms.cnf"
+#line 161 "./asn1/cms/cms.cnf"
offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -784,7 +785,7 @@ dissect_cms_T_otherRevInfoFormat(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, i
static int
dissect_cms_T_otherRevInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 144 "./asn1/cms/cms.cnf"
+#line 145 "./asn1/cms/cms.cnf"
offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -1121,7 +1122,7 @@ dissect_cms_T_keyAttrId(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_cms_T_keyAttr(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 139 "./asn1/cms/cms.cnf"
+#line 140 "./asn1/cms/cms.cnf"
offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -1309,7 +1310,7 @@ dissect_cms_T_oriType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _
static int
dissect_cms_T_oriValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 133 "./asn1/cms/cms.cnf"
+#line 134 "./asn1/cms/cms.cnf"
offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -1386,14 +1387,14 @@ dissect_cms_ContentEncryptionAlgorithmIdentifier(gboolean implicit_tag _U_, tvbu
static int
dissect_cms_EncryptedContent(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 210 "./asn1/cms/cms.cnf"
+#line 211 "./asn1/cms/cms.cnf"
tvbuff_t *encrypted_tvb;
proto_item *item;
offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
&encrypted_tvb);
-#line 215 "./asn1/cms/cms.cnf"
+#line 216 "./asn1/cms/cms.cnf"
item = actx->created_item;
@@ -1551,7 +1552,7 @@ dissect_cms_AuthenticatedData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
static int
dissect_cms_MessageDigest(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 164 "./asn1/cms/cms.cnf"
+#line 165 "./asn1/cms/cms.cnf"
proto_item *pi;
int old_offset = offset;
@@ -1626,7 +1627,7 @@ dissect_cms_Countersignature(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o
static int
dissect_cms_RC2ParameterVersion(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 200 "./asn1/cms/cms.cnf"
+#line 201 "./asn1/cms/cms.cnf"
guint32 length = 0;
offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
@@ -1694,7 +1695,7 @@ dissect_cms_DigestInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_cms_T_capability(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 182 "./asn1/cms/cms.cnf"
+#line 183 "./asn1/cms/cms.cnf"
const char *name = NULL;
offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &object_identifier_id);
@@ -1715,7 +1716,7 @@ dissect_cms_T_capability(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse
static int
dissect_cms_T_parameters(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 193 "./asn1/cms/cms.cnf"
+#line 194 "./asn1/cms/cms.cnf"
offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);

108
CVE-2020-9428-pre.patch Normal file
View File

@ -0,0 +1,108 @@
From 71cf784bfc5435cd7e1531d9ef7dce462274e9ad Mon Sep 17 00:00:00 2001
From: Dario Lombardo <lomato@gmail.com>
Date: Thu, 11 Oct 2018 14:20:22 +0200
Subject: [PATCH] eap: don't dissect the identity as IMSI unless that's the
case.
The identity in SIM/AKA/AKA' is IMSI (permanent identity) in some cases only.
Others contain a pseudonym or a fast reauthentication username. Dissect the
formers as flat usernames.
Bug: 15196
Change-Id: Ia4491431b6ff557a248271b743c1e37c4e6c0b24
Reviewed-on: https://code.wireshark.org/review/30129
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-on: https://code.wireshark.org/review/30130
Reviewed-by: Dario Lombardo <lomato@gmail.com>
---
epan/dissectors/packet-eap.c | 37 ++++++++++++++++++++++++++++++++++--
1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/epan/dissectors/packet-eap.c b/epan/dissectors/packet-eap.c
index b1f10b8150..a4b1527957 100644
--- a/epan/dissectors/packet-eap.c
+++ b/epan/dissectors/packet-eap.c
@@ -36,6 +36,8 @@ static int hf_eap_type = -1;
static int hf_eap_type_nak = -1;
static int hf_eap_identity = -1;
+static int hf_eap_identity_pseudo = -1;
+static int hf_eap_identity_reauth = -1;
static int hf_eap_identity_actual_len = -1;
static int hf_eap_identity_wlan_prefix = -1;
static int hf_eap_identity_wlan_mcc = -1;
@@ -94,6 +96,7 @@ static expert_field ei_eap_ms_chap_v2_length = EI_INIT;
static expert_field ei_eap_mitm_attacks = EI_INIT;
static expert_field ei_eap_md5_value_size_overflow = EI_INIT;
static expert_field ei_eap_dictionary_attacks = EI_INIT;
+static expert_field ei_eap_identity_invalid = EI_INIT;
static dissector_handle_t eap_handle;
@@ -543,6 +546,7 @@ dissect_eap_identity_wlan(tvbuff_t *tvb, packet_info* pinfo, proto_tree* tree, i
guint ntokens = 0;
gboolean ret = TRUE;
int hf_eap_identity_wlan_mcc_mnc;
+ proto_item* item;
identity = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, size, ENC_ASCII);
@@ -566,10 +570,28 @@ dissect_eap_identity_wlan(tvbuff_t *tvb, packet_info* pinfo, proto_tree* tree, i
/* Go on with the dissection */
eap_identity_tree = proto_item_add_subtree(tree, ett_identity);
eap_identity_prefix = tokens[0][0];
- proto_tree_add_uint(eap_identity_tree, hf_eap_identity_wlan_prefix,
+ item = proto_tree_add_uint(eap_identity_tree, hf_eap_identity_wlan_prefix,
tvb, offset, 1, eap_identity_prefix);
- dissect_e212_utf8_imsi(tvb, pinfo, eap_identity_tree, offset + 1, (guint)strlen(tokens[0]) - 1);
+ switch(eap_identity_prefix) {
+ case '0':
+ case '1':
+ case '6':
+ dissect_e212_utf8_imsi(tvb, pinfo, eap_identity_tree, offset + 1, (guint)strlen(tokens[0]) - 1);
+ break;
+ case '2':
+ case '3':
+ case '7':
+ proto_tree_add_item(eap_identity_tree, hf_eap_identity_pseudo, tvb, offset + 1, (guint)strlen(tokens[0]) - 1, ENC_ASCII|ENC_NA);
+ break;
+ case '4':
+ case '5':
+ case '8':
+ proto_tree_add_item(eap_identity_tree, hf_eap_identity_reauth, tvb, offset + 1, (guint)strlen(tokens[0]) - 1, ENC_ASCII|ENC_NA);
+ break;
+ default:
+ expert_add_info(pinfo, item, &ei_eap_identity_invalid);
+ }
/* guess if we have a 3 bytes mnc by comparing the first bytes with the imsi */
if (!sscanf(tokens[2] + 3, "%u", &mnc) || !sscanf(tokens[3] + 3, "%u", &mcc)) {
@@ -1339,6 +1361,16 @@ proto_register_eap(void)
FT_STRING, BASE_NONE, NULL, 0x0,
NULL, HFILL }},
+ { &hf_eap_identity_pseudo, {
+ "Identity (Pseudonym)", "eap.identity",
+ FT_STRING, BASE_NONE, NULL, 0x0,
+ NULL, HFILL }},
+
+ { &hf_eap_identity_reauth, {
+ "Identity (Reauth)", "eap.identity",
+ FT_STRING, BASE_NONE, NULL, 0x0,
+ NULL, HFILL }},
+
{ &hf_eap_identity_wlan_prefix, {
"WLAN Identity Prefix", "eap.identity.wlan.prefix",
FT_CHAR, BASE_HEX, VALS(eap_identity_wlan_prefix_vals), 0x0,
@@ -1664,6 +1696,7 @@ proto_register_eap(void)
{ &ei_eap_dictionary_attacks, { "eap.dictionary_attacks", PI_SECURITY, PI_WARN,
"Vulnerable to dictionary attacks. If possible, change EAP type."
" See http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/2331_pp.pdf", EXPFILL }},
+ { &ei_eap_identity_invalid, { "eap.identity.invalid", PI_PROTOCOL, PI_WARN, "Invalid identity code", EXPFILL }}
};
expert_module_t* expert_eap;

34
CVE-2020-9428.patch Normal file
View File

@ -0,0 +1,34 @@
From 9fe2de783dbcbe74144678d60a4e3923367044b2 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Fri, 21 Feb 2020 10:19:35 -0800
Subject: [PATCH] EAP: Remove a couple of string length assumptions.
Don't assume our MNC and MCC string lengths are > 3.
Bug: 16397
Change-Id: I0759dcb9d0c5f078cf3a98e9323d9cb741e15dd4
Reviewed-on: https://code.wireshark.org/review/36146
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(cherry picked from commit 8bda8642dfc8c9a870c6a48771566012353cc898)
Reviewed-on: https://code.wireshark.org/review/36173
---
epan/dissectors/packet-eap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-eap.c b/epan/dissectors/packet-eap.c
index a4b1527957..c3fc33fb07 100644
--- a/epan/dissectors/packet-eap.c
+++ b/epan/dissectors/packet-eap.c
@@ -594,7 +594,8 @@ dissect_eap_identity_wlan(tvbuff_t *tvb, packet_info* pinfo, proto_tree* tree, i
}
/* guess if we have a 3 bytes mnc by comparing the first bytes with the imsi */
- if (!sscanf(tokens[2] + 3, "%u", &mnc) || !sscanf(tokens[3] + 3, "%u", &mcc)) {
+ /* XXX Should we force matches on "mnc" and "mmc"? */
+ if (!sscanf(tokens[2], "%*3c%u", &mnc) || !sscanf(tokens[3], "%*3c%u", &mcc)) {
ret = FALSE;
goto end;
}

82
CVE-2020-9431.patch Normal file
View File

@ -0,0 +1,82 @@
From 086003c9d616906e08bbeeab9c17b3aa4c6ff850 Mon Sep 17 00:00:00 2001
From: Pascal Quantin <pascal@wireshark.org>
Date: Wed, 22 Jan 2020 11:38:02 +0100
Subject: [PATCH] LTE RRC: fix a memory leak in composite TVB handling
Bug: 16341
Change-Id: Ib6c020ea3df8b39a02f742f0684fca7db96f1fc3
Reviewed-on: https://code.wireshark.org/review/35899
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
(cherry picked from commit adeeb7f2da801303768ce96e2cacf6a703a69c6f)
Conflicts:
epan/dissectors/packet-lte-rrc.c
Reviewed-on: https://code.wireshark.org/review/35903
---
epan/dissectors/asn1/lte-rrc/lte-rrc.cnf | 6 +++---
epan/dissectors/packet-lte-rrc.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/epan/dissectors/asn1/lte-rrc/lte-rrc.cnf b/epan/dissectors/asn1/lte-rrc/lte-rrc.cnf
index 2a00468a0f..eb2b9d20dd 100644
--- a/epan/dissectors/asn1/lte-rrc/lte-rrc.cnf
+++ b/epan/dissectors/asn1/lte-rrc/lte-rrc.cnf
@@ -438,7 +438,7 @@ MasterInformationBlock/schedulingInfoSIB1-BR-r13 TYPE=FT_UINT32 DISPLAY=BASE_DEC
tvbuff_t *gsm_rlcmac_dl_tvb = tvb_new_composite();
guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
pd[0] = 0x40;
- tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_real_data(pd, 1, 1));
+ tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
tvb_composite_append(gsm_rlcmac_dl_tvb, target_rat_msg_cont_tvb);
tvb_composite_finalize(gsm_rlcmac_dl_tvb);
add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");
@@ -506,7 +506,7 @@ MasterInformationBlock/schedulingInfoSIB1-BR-r13 TYPE=FT_UINT32 DISPLAY=BASE_DEC
tvbuff_t *si_tvb = tvb_new_composite();
guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
pd[0] = 0x06;
- tvb_composite_append(si_tvb, tvb_new_real_data(pd, 1, 1));
+ tvb_composite_append(si_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
tvb_composite_append(si_tvb, sys_info_list_tvb);
tvb_composite_finalize(si_tvb);
add_new_data_source(actx->pinfo, si_tvb, "System Information");
@@ -519,7 +519,7 @@ MasterInformationBlock/schedulingInfoSIB1-BR-r13 TYPE=FT_UINT32 DISPLAY=BASE_DEC
tvbuff_t *gsm_rlcmac_dl_tvb = tvb_new_composite();
guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
pd[0] = 0x40;
- tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_real_data(pd, 1, 1));
+ tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
tvb_composite_append(gsm_rlcmac_dl_tvb, sys_info_list_tvb);
tvb_composite_finalize(gsm_rlcmac_dl_tvb);
add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");
diff --git a/epan/dissectors/packet-lte-rrc.c b/epan/dissectors/packet-lte-rrc.c
index 71ad21350d..6cef81e81f 100644
--- a/epan/dissectors/packet-lte-rrc.c
+++ b/epan/dissectors/packet-lte-rrc.c
@@ -52217,7 +52217,7 @@ dissect_lte_rrc_T_targetRAT_MessageContainer(tvbuff_t *tvb _U_, int offset _U_,
tvbuff_t *gsm_rlcmac_dl_tvb = tvb_new_composite();
guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
pd[0] = 0x40;
- tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_real_data(pd, 1, 1));
+ tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
tvb_composite_append(gsm_rlcmac_dl_tvb, target_rat_msg_cont_tvb);
tvb_composite_finalize(gsm_rlcmac_dl_tvb);
add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");
@@ -52279,7 +52279,7 @@ dissect_lte_rrc_SystemInfoListGERAN_item(tvbuff_t *tvb _U_, int offset _U_, asn1
tvbuff_t *si_tvb = tvb_new_composite();
guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
pd[0] = 0x06;
- tvb_composite_append(si_tvb, tvb_new_real_data(pd, 1, 1));
+ tvb_composite_append(si_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
tvb_composite_append(si_tvb, sys_info_list_tvb);
tvb_composite_finalize(si_tvb);
add_new_data_source(actx->pinfo, si_tvb, "System Information");
@@ -52292,7 +52292,7 @@ dissect_lte_rrc_SystemInfoListGERAN_item(tvbuff_t *tvb _U_, int offset _U_, asn1
tvbuff_t *gsm_rlcmac_dl_tvb = tvb_new_composite();
guint8 *pd = (guint8 *) wmem_alloc(actx->pinfo->pool, 1);
pd[0] = 0x40;
- tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_real_data(pd, 1, 1));
+ tvb_composite_append(gsm_rlcmac_dl_tvb, tvb_new_child_real_data(tvb, pd, 1, 1));
tvb_composite_append(gsm_rlcmac_dl_tvb, sys_info_list_tvb);
tvb_composite_finalize(gsm_rlcmac_dl_tvb);
add_new_data_source(actx->pinfo, gsm_rlcmac_dl_tvb, "GPRS DL control block");

10
wireshark.spec
View File

@ -1,6 +1,6 @@
Name: wireshark
Version: 2.6.2
Release: 17
Release: 18
Epoch: 1
Summary: Network traffic analyzer
License: GPL+ and GPL-2.0+ and GPL-3.0 and GPL-3.0+ and BSD and ISC
@ -49,6 +49,11 @@ Patch6034: CVE-2020-9430-1.patch
Patch6035: CVE-2020-9430-2.patch
Patch6036: CVE-2019-16319.patch
Patch6037: CVE-2020-26575.patch
Patch6038: CVE-2019-13619.patch
Patch6039: CVE-2019-19553.patch
Patch6040: CVE-2020-9428-pre.patch
Patch6041: CVE-2020-9428.patch
Patch6042: CVE-2020-9431.patch
Requires(pre): shadow-utils
Requires(post): systemd-udev
@ -155,6 +160,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
%{_mandir}/man?/*
%changelog
* Thu Feb 25 2021 wangxiao <wangxiao65@huawei.com> - 2.6.2-18
- Fix CVE-2019-13619 CVE-2019-19553 CVE-2020-9428 CVE-2020-9431
* Mon Feb 08 2021 wangyue <wangyue92@huawei.com> - 2.6.2-17
- fix CVE-2020-26575