Update to 3.6.14 for fix CVE-2023-0667,CVE-2023-2952

(cherry picked from commit cf4b1cba7c9dc256247c76c61eadf98c5ff38eb1)
wk333 2023-06-15 10:12:49 +08:00 committed by openeuler-sync-bot
parent 0b30e80d82
commit 6821a3e615
14 changed files with 5 additions and 832 deletions


@ -1,32 +0,0 @@
From c23343d2213c04b26a4810c0894ea2bb2cefec82 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 20 May 2023 23:08:08 -0400
Subject: [PATCH] synphasor: Use val_to_str_const
Don't use a value from packet data to directly index a value_string,
particularly when the value string doesn't cover all possible values.
Fix #19087
(cherry picked from commit c4f37d77b29ec6a9754795d0efb6f68d633728d9)
---
epan/dissectors/packet-synphasor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c
index 12b388b3667..fbde8756ef3 100644
--- a/epan/dissectors/packet-synphasor.c
+++ b/epan/dissectors/packet-synphasor.c
@@ -1212,7 +1212,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c
data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4,
ett_conf_phflags, NULL, "Phasor Data flags: %s",
- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr);
+ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown"));
/* first and second bytes - phasor modification flags*/
phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags,
--
GitLab


@ -1,61 +0,0 @@
From 51e23ea7fd49cb04ba33db3bfbeba690a2f7c5b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dr=2E=20Lars=20V=C3=B6lker?=
<lars.voelker@technica-engineering.de>
Date: Fri, 3 Feb 2023 19:42:03 +0100
Subject: [PATCH] ISO15765/ISO10681 memory corruption bugfix
Fixes a situation in which the code wrote behind the frag_id_high array
and corrupted memory.
Closes #18839
---
epan/dissectors/packet-iso10681.c | 7 ++++++-
epan/dissectors/packet-iso15765.c | 8 ++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-iso10681.c b/epan/dissectors/packet-iso10681.c
index 9e749eea8cf..6772e936e06 100644
--- a/epan/dissectors/packet-iso10681.c
+++ b/epan/dissectors/packet-iso10681.c
@@ -340,7 +340,12 @@ dissect_iso10681(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 fr
}
if (!(pinfo->fd->visited)) {
- frag_id += ((iso10681_frame->frag_id_high[frag_id]++) * 16);
+ DISSECTOR_ASSERT(frag_id < 16);
+ guint16 tmp = iso10681_frame->frag_id_high[frag_id]++;
+ /* Make sure that we assert on using more than 4096 (16*255) segments.*/
+ DISSECTOR_ASSERT(iso10681_frame->frag_id_high[frag_id] != 0);
+ frag_id += tmp * 16;
+
/* Save the frag_id for subsequent dissection */
iso10681_info->frag_id = frag_id;
}
diff --git a/epan/dissectors/packet-iso15765.c b/epan/dissectors/packet-iso15765.c
index 3157397bf21..4c73927c807 100644
--- a/epan/dissectors/packet-iso15765.c
+++ b/epan/dissectors/packet-iso15765.c
@@ -573,14 +573,18 @@ dissect_iso15765(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 bu
tvbuff_t *new_tvb = NULL;
iso15765_frame_t *iso15765_frame;
guint16 frag_id = frag_id_low;
-
/* Get frame information */
iso15765_frame = (iso15765_frame_t *)wmem_map_lookup(iso15765_frame_table,
GUINT_TO_POINTER(iso15765_info->seq));
if (iso15765_frame != NULL) {
if (!(pinfo->fd->visited)) {
- frag_id += ((iso15765_frame->frag_id_high[frag_id]++) * 16);
+ DISSECTOR_ASSERT(frag_id < 16);
+ guint16 tmp = iso15765_frame->frag_id_high[frag_id]++;
+ /* Make sure that we assert on using more than 4096 (16*255) segments.*/
+ DISSECTOR_ASSERT(iso15765_frame->frag_id_high[frag_id] != 0);
+ frag_id += tmp * 16;
+
/* Save the frag_id for subsequent dissection */
iso15765_info->frag_id = frag_id;
--
GitLab


@ -1,61 +0,0 @@
From c224405c31688d351ed79a304fa491517f541191 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sun, 19 Mar 2023 15:16:39 -0400
Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets
Add a frame end routine for a global which is assigned to packet
scoped memory. It really should be made proto data, but is used
in a function in the header (that doesn't take the packet info
struct as an argument) and this fix needs to be made in stable
branches.
Fix #18852
(cherry picked from commit 3c8be14c827f1587da3c2b3bb0d9c04faff57413)
---
epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
index 177e772c44b..815f6a3fc76 100644
--- a/epan/dissectors/packet-rpcrdma.c
+++ b/epan/dissectors/packet-rpcrdma.c
@@ -24,6 +24,7 @@
#include <epan/addr_resolv.h>
#include "packet-rpcrdma.h"
+#include "packet-frame.h"
#include "packet-infiniband.h"
#include "packet-iwarp-ddp-rdmap.h"
@@ -271,6 +272,18 @@ void rpcrdma_insert_offset(gint offset)
wmem_array_append_one(gp_rdma_write_offsets, offset);
}
+/*
+ * Reset the array of write offsets at the end of the frame. These
+ * are packet scoped, so they don't need to be freed, but we want
+ * to ensure that the global doesn't point to no longer allocated
+ * memory in a later packet.
+ */
+static void
+reset_write_offsets(void)
+{
+ gp_rdma_write_offsets = NULL;
+}
+
/* Get conversation state, it is created if it does not exist */
static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo)
{
@@ -1409,6 +1422,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data
if (write_size > 0 && !pinfo->fd->visited) {
/* Initialize array of write chunk offsets */
gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint));
+ register_frame_end_routine(pinfo, reset_write_offsets);
TRY {
/*
* Call the upper layer dissector to get a list of offsets
--
GitLab


@ -1,96 +0,0 @@
From 646b1313038487f7c04bf0ada7960ad906a01408 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Fri, 10 Mar 2023 22:55:54 -0500
Subject: [PATCH] LISP: Don't go past a LCAF payload length
The LISP Canonical Address Format has a payload length indicator.
Use that to create a payload tvb and don't dissect outside the
payload length. With fuzzed and malformed packets, this was causing
the same bytes to be dissected many times, particularly in the
recursive address types.
A LCAF would be dissected outside the payload region, but then
elsewhere the offset was only advanced by the payload length.
Fix #18900
(cherry picked from commit b911cf286f495ba068c77b8b2b3445d1a325a819)
---
epan/dissectors/packet-lisp.c | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/epan/dissectors/packet-lisp.c b/epan/dissectors/packet-lisp.c
index fe93d360c71..e8468c1d8bb 100644
--- a/epan/dissectors/packet-lisp.c
+++ b/epan/dissectors/packet-lisp.c
@@ -1825,6 +1825,7 @@ dissect_lcaf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, p
guint16 len;
proto_item *tir, *ti_header, *ti_flags, *ti;
proto_tree *lcaf_tree, *lcaf_header_tree, *flags_tree;
+ tvbuff_t *payload_tvb;
len = tvb_get_ntohs(tvb, offset + 4);
@@ -1869,46 +1870,47 @@ dissect_lcaf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, p
proto_tree_add_item(lcaf_header_tree, hf_lisp_lcaf_length, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
+ payload_tvb = tvb_new_subset_length(tvb, 0, offset + len);
ti = (tip) ? tip : tir;
switch (lcaf_type) {
case LCAF_NULL:
break;
case LCAF_AFI_LIST:
- offset = dissect_lcaf_afi_list(tvb, pinfo, lcaf_tree, offset, len);
+ offset = dissect_lcaf_afi_list(payload_tvb, pinfo, lcaf_tree, offset, len);
break;
case LCAF_IID:
- offset = dissect_lcaf_iid(tvb, pinfo, lcaf_tree, offset, ti);
+ offset = dissect_lcaf_iid(payload_tvb, pinfo, lcaf_tree, offset, ti);
break;
case LCAF_ASN:
- offset = dissect_lcaf_asn(tvb, pinfo, lcaf_tree, offset, ti);
+ offset = dissect_lcaf_asn(payload_tvb, pinfo, lcaf_tree, offset, ti);
break;
case LCAF_GEO:
- offset = dissect_lcaf_geo(tvb, pinfo, lcaf_tree, offset, ti);
+ offset = dissect_lcaf_geo(payload_tvb, pinfo, lcaf_tree, offset, ti);
break;
case LCAF_NATT:
- offset = dissect_lcaf_natt(tvb, pinfo, lcaf_tree, offset, len);
+ offset = dissect_lcaf_natt(payload_tvb, pinfo, lcaf_tree, offset, len);
break;
case LCAF_NONCE_LOC:
- offset = dissect_lcaf_nonce_loc(tvb, pinfo, lcaf_tree, offset, ti);
+ offset = dissect_lcaf_nonce_loc(payload_tvb, pinfo, lcaf_tree, offset, ti);
break;
case LCAF_MCAST_INFO:
- offset = dissect_lcaf_mcast_info(tvb, pinfo, lcaf_tree, offset, ti);
+ offset = dissect_lcaf_mcast_info(payload_tvb, pinfo, lcaf_tree, offset, ti);
break;
case LCAF_ELP:
- offset = dissect_lcaf_elp(tvb, pinfo, lcaf_tree, offset, len, ti);
+ offset = dissect_lcaf_elp(payload_tvb, pinfo, lcaf_tree, offset, len, ti);
break;
case LCAF_SRC_DST_KEY:
- offset = dissect_lcaf_src_dst_key(tvb, pinfo, lcaf_tree, offset, ti);
+ offset = dissect_lcaf_src_dst_key(payload_tvb, pinfo, lcaf_tree, offset, ti);
break;
case LCAF_RLE:
- offset = dissect_lcaf_rle(tvb, pinfo, lcaf_tree, offset, len, ti);
+ offset = dissect_lcaf_rle(payload_tvb, pinfo, lcaf_tree, offset, len, ti);
break;
case LCAF_KV_ADDR_PAIR:
- offset = dissect_lcaf_kv_addr_pair(tvb, pinfo, lcaf_tree, offset);
+ offset = dissect_lcaf_kv_addr_pair(payload_tvb, pinfo, lcaf_tree, offset);
break;
case LCAF_VENDOR:
- offset = dissect_lcaf_vendor(tvb, pinfo, lcaf_tree, offset, len);
+ offset = dissect_lcaf_vendor(payload_tvb, pinfo, lcaf_tree, offset, len);
break;
default:
proto_tree_add_expert(tree, pinfo, &ei_lisp_undecoded, tvb, offset, len);
--
GitLab


@ -1,51 +0,0 @@
From 8970fc17e8a9d48bc746855a7f2a7a3b1bd6a00e Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Sun, 2 Apr 2023 15:29:12 -0700
Subject: [PATCH] GQUIC: Fix a null pointer exception
Ensure that dissect_gquic_frame_type has a valid info pointer.
Fixes #18947.
(cherry picked from commit ee314ace8ae2d2fa8c6f7280231010252054fd7b)
---
epan/dissectors/packet-gquic.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-gquic.c b/epan/dissectors/packet-gquic.c
index c9e1be63069..66115ce14e0 100644
--- a/epan/dissectors/packet-gquic.c
+++ b/epan/dissectors/packet-gquic.c
@@ -204,6 +204,7 @@ static expert_field ei_gquic_tag_unknown = EI_INIT;
static expert_field ei_gquic_version_invalid = EI_INIT;
static expert_field ei_gquic_invalid_parameter = EI_INIT;
static expert_field ei_gquic_length_invalid = EI_INIT;
+static expert_field ei_gquic_data_invalid = EI_INIT;
static const value_string gquic_short_long_header_vals[] = {
{ 0, "Short Header" },
@@ -1743,6 +1744,11 @@ dissect_gquic_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ft_tree, guint
int
dissect_gquic_frame_type(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, guint offset, guint8 len_pkn, gquic_info_data_t *gquic_info){
+ if (!gquic_info) {
+ expert_add_info(pinfo, gquic_tree, &ei_gquic_data_invalid);
+ return offset + tvb_reported_length_remaining(tvb, offset);
+ }
+
proto_item *ti, *ti_ft, *ti_ftflags /*, *expert_ti*/;
proto_tree *ft_tree, *ftflags_tree;
guint8 frame_type;
@@ -3244,7 +3250,8 @@ proto_register_gquic(void)
{ &ei_gquic_tag_unknown, { "gquic.tag.unknown.data", PI_UNDECODED, PI_NOTE, "Unknown Data", EXPFILL }},
{ &ei_gquic_version_invalid, { "gquic.version.invalid", PI_MALFORMED, PI_ERROR, "Invalid Version", EXPFILL }},
{ &ei_gquic_invalid_parameter, { "gquic.invalid.parameter", PI_MALFORMED, PI_ERROR, "Invalid Parameter", EXPFILL }},
- { &ei_gquic_length_invalid, { "gquic.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid Length", EXPFILL }}
+ { &ei_gquic_length_invalid, { "gquic.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid Length", EXPFILL }},
+ { &ei_gquic_data_invalid, { "gquic.data.invalid", PI_PROTOCOL, PI_WARN, "Invalid Data", EXPFILL }},
};
expert_module_t *expert_gquic;
--
GitLab


@ -1,105 +0,0 @@
From 9ce7445be0b38c4df824671ffe196177c2bd107e Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Tue, 16 May 2023 12:05:07 -0700
Subject: [PATCH] candump: check for a too-long frame length.
If the frame length is longer than the maximum, report an error in the
file.
Fixes #19062, preventing the overflow on a buffer on the stack (assuming
your compiler doesn't call a bounds-checknig version of memcpy() if the
size of the target space is known).
(backported from commit 0181fafb2134a177328443a60b5e29c4ee1041cb)
---
wiretap/candump.c | 39 +++++++++++++++++++++++++++++++--------
1 file changed, 31 insertions(+), 8 deletions(-)
diff --git a/wiretap/candump.c b/wiretap/candump.c
index 28fda911072..f548cb0b6e6 100644
--- a/wiretap/candump.c
+++ b/wiretap/candump.c
@@ -34,8 +34,9 @@ void register_candump(void);
* This is written by the candump utility on Linux.
*/
-static void
-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+static gboolean
+candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
+ gchar **err_info)
{
static const char *can_proto_name = "can-hostendian";
static const char *canfd_proto_name = "canfd";
@@ -67,6 +68,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
{
canfd_frame_t canfd_frame = {0};
+ /*
+ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
+ */
+ if (msg->data.length > CANFD_MAX_DLEN) {
+ *err = WTAP_ERR_BAD_FILE;
+ if (err_info != NULL) {
+ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
+ msg->data.length, CANFD_MAX_DLEN);
+ }
+ return FALSE;
+ }
+
canfd_frame.can_id = msg->id;
canfd_frame.flags = msg->flags;
canfd_frame.len = msg->data.length;
@@ -78,6 +91,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
{
can_frame_t can_frame = {0};
+ /*
+ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
+ */
+ if (msg->data.length > CAN_MAX_DLEN) {
+ *err = WTAP_ERR_BAD_FILE;
+ if (err_info != NULL) {
+ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
+ msg->data.length, CAN_MAX_DLEN);
+ }
+ return FALSE;
+ }
+
can_frame.can_id = msg->id;
can_frame.can_dlc = msg->data.length;
memcpy(can_frame.data, msg->data.data, msg->data.length);
@@ -93,6 +118,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
rec->rec_header.packet_header.caplen = packet_length;
rec->rec_header.packet_header.len = packet_length;
+
+ return TRUE;
}
static gboolean
@@ -199,9 +226,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
candump_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
#endif
- candump_write_packet(rec, buf, &msg);
-
- return TRUE;
+ return candump_write_packet(rec, buf, &msg, err, err_info);
}
static gboolean
@@ -225,9 +250,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
return FALSE;
- candump_write_packet(rec, buf, &msg);
-
- return TRUE;
+ return candump_write_packet(rec, buf, &msg, err, err_info);
}
static const struct supported_block_type candump_blocks_supported[] = {
--
GitLab


@ -1,66 +0,0 @@
From 1c264ced5701dd7ec22f425ee82c9e7abc45fe94 Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Thu, 18 May 2023 15:03:23 -0700
Subject: [PATCH] vms: fix the search for the packet length field.
The packet length field is of the form
Total Length = DDD = ^xXXX
where "DDD" is the length in decimal and "XXX" is the length in
hexadecimal.
Search for "length ". not just "Length", as we skip past "Length ", not
just "Length", so if we assume we found "Length " but only found
"Length", we'd skip past the end of the string.
While we're at it, fail if we don't find a length field, rather than
just blithely acting as if the packet length were zero.
Fixes #19083.
(backported from commit db5135826de3a5fdb3618225c2ff02f4207012ca)
---
wiretap/vms.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/wiretap/vms.c b/wiretap/vms.c
index 600282e506c..7f82461570c 100644
--- a/wiretap/vms.c
+++ b/wiretap/vms.c
@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
{
char line[VMS_LINE_LENGTH + 1];
int num_items_scanned;
+ gboolean have_pkt_len = FALSE;
guint32 pkt_len = 0;
int pktnum;
int csec = 101;
@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
return FALSE;
}
}
- if ( (! pkt_len) && (p = strstr(line, "Length"))) {
+ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
p += sizeof("Length ");
while (*p && ! g_ascii_isdigit(*p))
p++;
@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
*err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
return FALSE;
}
+ have_pkt_len = TRUE;
break;
}
} while (! isdumpline(line));
+ if (! have_pkt_len) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup_printf("vms: Length field not found");
+ return FALSE;
+ }
if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
/*
* Probably a corrupt capture file; return an error,
--
GitLab


@ -1,219 +0,0 @@
From 6c7199da0c84a966ac9b06cd7fbb6aa0ccff9acb Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Tue, 16 May 2023 18:09:41 -0700
Subject: [PATCH] blf: add some sanity checks.
Have blf_pull_logcontainer_into_memory() return a libwiretap error code
and additional information string, including various values being
inconsistent.
(If any of those correspond to identifiable file problems, they should
be reported with WTAP_ERR_BAD_FILE and with a description more relevant
to somebody writing code to write those files.)
Fixes #19063.
(backported from commit c899be35a94440b6c46cf5715c5f24eda597f4c1)
---
wiretap/blf.c | 134 +++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 115 insertions(+), 19 deletions(-)
diff --git a/wiretap/blf.c b/wiretap/blf.c
index 92b7f55ed56..ed2ee5f7135 100644
--- a/wiretap/blf.c
+++ b/wiretap/blf.c
@@ -433,12 +433,18 @@ blf_find_logcontainer_for_address(blf_t *blf_data, gint64 pos, blf_log_container
}
static gboolean
-blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_container) {
+blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_container, int *err, gchar **err_info) {
blf_t *blf_data = params->blf_data;
blf_log_container_t tmp;
if (index_log_container >= blf_data->log_containers->len) {
- ws_debug("cannot pull an unknown log container into memory");
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: index_log_container (%u) >= blf_data->log_containers->len (%u)",
+ index_log_container, blf_data->log_containers->len);
return FALSE;
}
@@ -450,20 +456,56 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
if (tmp.compression_method == BLF_COMPRESSION_ZLIB) {
#ifdef HAVE_ZLIB
- int err = 0;
- gchar *err_info;
-
- file_seek(params->fh, tmp.infile_data_start, SEEK_SET, &err);
- if (err < 0) {
- ws_debug("cannot seek to start of log_container");
+ if (file_seek(params->fh, tmp.infile_data_start, SEEK_SET, err) == -1) {
return FALSE;
}
/* pull compressed data into buffer */
unsigned char *compressed_data = g_try_malloc0((gsize)tmp.infile_length);
- guint64 data_length = (unsigned int)tmp.infile_length - (tmp.infile_data_start - tmp.infile_start_pos);
- if (!wtap_read_bytes_or_eof(params->fh, compressed_data, (unsigned int)data_length, &err, &err_info)) {
- ws_debug("cannot read compressed data");
+ if (tmp.infile_start_pos < 0) {
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_start_pos (%" G_GINT64_FORMAT ") < 0",
+ tmp.infile_start_pos);
+ return FALSE;
+ }
+ if (tmp.infile_data_start < (guint64)tmp.infile_start_pos) {
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_data_start (%" G_GUINT64_FORMAT ") < tmp.infile_start_pos (%" G_GINT64_FORMAT ")",
+ tmp.infile_data_start, tmp.infile_start_pos);
+ return FALSE;
+ }
+ if (tmp.infile_length < tmp.infile_data_start - (guint64)tmp.infile_start_pos) {
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: tmp.infile_length (%" G_GUINT64_FORMAT ") < (tmp.infile_data_start (%" G_GUINT64_FORMAT ") - tmp.infile_start_pos (%" G_GINT64_FORMAT ")) = %" G_GUINT64_FORMAT,
+ tmp.infile_length,
+ tmp.infile_data_start, tmp.infile_start_pos,
+ tmp.infile_data_start - (guint64)tmp.infile_start_pos);
+ return FALSE;
+ }
+ guint64 data_length = tmp.infile_length - (tmp.infile_data_start - (guint64)tmp.infile_start_pos);
+ if (data_length > UINT_MAX) {
+ /*
+ * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
+ * malformed file (WTAP_ERR_BAD_FILE)?
+ */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: data_length (%" G_GUINT64_FORMAT ") > UINT_MAX",
+ data_length);
+ return FALSE;
+ }
+ if (!wtap_read_bytes_or_eof(params->fh, compressed_data, (unsigned int)data_length, err, err_info)) {
return FALSE;
}
@@ -477,6 +519,18 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
/* the actual DE-compression work. */
if (Z_OK != inflateInit(&infstream)) {
+ /*
+ * XXX - check the error code and handle this appropriately.
+ */
+ *err = WTAP_ERR_INTERNAL;
+ if (infstream.msg != NULL) {
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: inflateInit failed for LogContainer %d, message\"%s\"",
+ index_log_container,
+ infstream.msg);
+ } else {
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: inflateInit failed for LogContainer %d",
+ index_log_container);
+ }
ws_debug("inflateInit failed for LogContainer %d", index_log_container);
if (infstream.msg != NULL) {
ws_debug("inflateInit returned: \"%s\"", infstream.msg);
@@ -487,6 +541,50 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
int ret = inflate(&infstream, Z_NO_FLUSH);
/* Z_OK should not happen here since we know how big the buffer should be */
if (Z_STREAM_END != ret) {
+ switch (ret) {
+
+ case Z_NEED_DICT:
+ *err = WTAP_ERR_DECOMPRESS;
+ *err_info = g_strdup("preset dictionary needed");
+ break;
+
+ case Z_STREAM_ERROR:
+ *err = WTAP_ERR_DECOMPRESS;
+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL;
+ break;
+
+ case Z_MEM_ERROR:
+ /* This means "not enough memory". */
+ *err = ENOMEM;
+ *err_info = NULL;
+ break;
+
+ case Z_DATA_ERROR:
+ /* This means "deflate stream invalid" */
+ *err = WTAP_ERR_DECOMPRESS;
+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL;
+ break;
+
+ case Z_BUF_ERROR:
+ /* XXX - this is recoverable; what should we do here? */
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: Z_BUF_ERROR from inflate(), message \"%s\"",
+ (infstream.msg != NULL) ? infstream.msg : "(none)");
+ break;
+
+ case Z_VERSION_ERROR:
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: Z_VERSION_ERROR from inflate(), message \"%s\"",
+ (infstream.msg != NULL) ? infstream.msg : "(none)");
+ break;
+
+ default:
+ *err = WTAP_ERR_INTERNAL;
+ *err_info = g_strdup_printf("blf_pull_logcontainer_into_memory: unexpected error %d from inflate(), message \"%s\"",
+ ret,
+ (infstream.msg != NULL) ? infstream.msg : "(none)");
+ break;
+ }
ws_debug("inflate failed (return code %d) for LogContainer %d", ret, index_log_container);
if (infstream.msg != NULL) {
ws_debug("inflate returned: \"%s\"", infstream.msg);
@@ -495,6 +593,9 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
}
if (Z_OK != inflateEnd(&infstream)) {
+ /* Returns either Z_OK or Z_STREAM_ERROR. */
+ *err = WTAP_ERR_DECOMPRESS;
+ *err_info = (infstream.msg != NULL) ? g_strdup(infstream.msg) : NULL;
ws_debug("inflateEnd failed for LogContainer %d", index_log_container);
if (infstream.msg != NULL) {
ws_debug("inflateEnd returned: \"%s\"", infstream.msg);
@@ -506,6 +607,8 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, guint index_log_containe
g_array_index(blf_data->log_containers, blf_log_container_t, index_log_container) = tmp;
return TRUE;
#else
+ *err = WTAP_ERR_DECOMPRESSION_NOT_SUPPORTED;
+ *err_info = NULL;
return FALSE;
#endif
}
@@ -593,14 +696,7 @@ blf_read_bytes_or_eof(blf_params_t *params, guint64 real_pos, void *target_buffe
case BLF_COMPRESSION_ZLIB:
while (current_container_index <= end_container_index) {
- if (!blf_pull_logcontainer_into_memory(params, current_container_index)) {
- /*
- * XXX - does this represent a bug (WTAP_ERR_INTERNAL) or a
- * malformed file (WTAP_ERR_BAD_FILE)?
- */
- *err = WTAP_ERR_INTERNAL;
- *err_info = g_strdup_printf("blf_read_bytes_or_eof: cannot pull in container");
- ws_debug("cannot pull in container");
+ if (!blf_pull_logcontainer_into_memory(params, current_container_index, err, err_info)) {
return FALSE;
}
--
GitLab


@ -1,93 +0,0 @@
From a0403c4b396adacd666d8ebd3b97506e355e646c Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Fri, 19 May 2023 16:29:45 -0700
Subject: [PATCH] netscaler: add more checks to make sure the record is within
the page.
Whie we're at it, restructure some other checks to test-before-casting -
it's OK to test afterwards, but testing before makes it follow the
pattern used elsewhere.
Fixes #19081.
(cherry picked from commit cb190d6839ddcd4596b0205844f45553f1e77105)
---
wiretap/netscaler.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
index 8dcbd42a089..b94caca0869 100644
--- a/wiretap/netscaler.c
+++ b/wiretap/netscaler.c
@@ -1114,13 +1114,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int file_version, int *err,
#define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
do {\
- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Make sure the record header is entirely contained in the page */\
- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
*err = WTAP_ERR_BAD_FILE;\
*err_info = g_strdup("nstrace: record header crosses page boundary");\
return FALSE;\
}\
+ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Check sanity of record size */\
if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
*err = WTAP_ERR_BAD_FILE;\
@@ -1186,6 +1186,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
case NSPR_ABSTIME_V10:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1199,6 +1201,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
case NSPR_RELTIME_V10:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1216,6 +1220,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
default:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1500,14 +1506,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
#define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
do {\
- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Make sure the record header is entirely contained in the page */\
- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
*err = WTAP_ERR_BAD_FILE;\
*err_info = g_strdup("nstrace: record header crosses page boundary");\
g_free(nstrace_tmpbuff);\
return FALSE;\
}\
+ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
(rec)->rec_type = REC_TYPE_PACKET;\
(rec)->block = wtap_block_create(WTAP_BLOCK_PACKET);\
TIMEDEFV##ver((rec),fp,type);\
@@ -1615,7 +1621,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf,
g_free(nstrace_tmpbuff);
return FALSE;
}
-
hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
if (nspr_getv20recordsize(hdp) == 0) {
*err = WTAP_ERR_BAD_FILE;
--
GitLab


@ -1,36 +0,0 @@
From 3412780abd6f44ff1613cd1472c867b8372de24c Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 13 May 2023 21:45:16 -0400
Subject: [PATCH] GDSDB: Make sure our offset advances.
add_uint_string() returns the next offset to use, not the number
of bytes consumed. So to consume all the bytes and make sure the
offset advances, return the entire reported tvb length, not the
number of bytes remaining.
Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
Fixes #19068
(cherry picked from commit 118815ca7c9f82c1f83f8f64d9e0e54673f31677)
---
epan/dissectors/packet-gdsdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
index 13ba8b37628..e2dd332ca85 100644
--- a/epan/dissectors/packet-gdsdb.c
+++ b/epan/dissectors/packet-gdsdb.c
@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
int ret_offset = offset + length;
if (length < 4 || ret_offset < offset) {
expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
- return tvb_reported_length_remaining(tvb, offset);
+ return tvb_reported_length(tvb);
}
return ret_offset;
}
--
GitLab

SIGNATURES-3.6.14.txt Normal file



@ -4,8 +4,8 @@
Summary: Network traffic analyzer
Name: wireshark
Version: 3.6.11
Release: 4
Version: 3.6.14
Release: 1
Epoch: 1
License: GPL+
Url: http://www.wireshark.org/
@ -21,16 +21,6 @@ Patch4: wireshark-0004-Restore-Fedora-specific-groups.patch
Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch
Patch7: wireshark-0007-cmakelists.patch
Patch8: CVE-2023-1161.patch
Patch9: CVE-2023-1992.patch
Patch10: CVE-2023-1993.patch
Patch11: CVE-2023-1994.patch
Patch12: CVE-2023-0668.patch
Patch13: CVE-2023-2855.patch
Patch14: CVE-2023-2856.patch
Patch15: CVE-2023-2857.patch
Patch16: CVE-2023-2858.patch
Patch17: CVE-2023-2879.patch
Requires: xdg-utils
Requires: hicolor-icon-theme
@ -205,6 +195,9 @@ exit 0
%{_mandir}/man?/*
%changelog
* Thu Jun 15 2023 wangkai <13474090681@163.com> - 1:3.6.14-1
- Update to 3.6.14 for fix CVE-2023-0667,CVE-2023-2952
* Tue May 30 2023 yaoxin <yao_xin001@hoperun.com> - 1:3.6.11-4
- Fix CVE-2023-0668,CVE-2023-2855,CVE-2023-2856,CVE-2023-2857,CVE-2023-2858 and CVE-2023-2879