packages/wireshark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-3648

Browse Source
This commit is contained in:
liningjie 2023-07-27 21:46:58 +08:00
parent b4f3eafde9
commit 79abe0a7fb
2 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
CVE-2023-3648.patch Normal file
View File

@ -0,0 +1,104 @@
From 146721324b8eab1a480dda86b5addae6c1820818 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sun, 28 May 2023 07:14:52 -0400
Subject: [PATCH] kafka: Don't use after free
Neither tvb_new_child_real_data() nor tvb_composite_append() copy
the real data buffer that they're given. So we can't free a
decompressed buffer after making it a tvb.
We can realloc if the output size is smaller.
Fix #19105
(cherry picked from commit b673bc022aa28c2c381cb96cae09357bd27eb0df)
---
epan/dissectors/packet-kafka.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/epan/dissectors/packet-kafka.c b/epan/dissectors/packet-kafka.c
index b530d2cf787..eabcc5d264d 100644
--- a/epan/dissectors/packet-kafka.c
+++ b/epan/dissectors/packet-kafka.c
@@ -1677,7 +1677,6 @@ decompress_lz4(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length, tv
dst_size = (size_t)lz4_info.contentSize;
}
- decompressed_buffer = wmem_alloc(pinfo->pool, dst_size);
size_t out_size;
int count = 0;
@@ -1687,12 +1686,16 @@ decompress_lz4(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length, tv
goto end;
}
+ decompressed_buffer = wmem_alloc(pinfo->pool, dst_size);
out_size = dst_size;
rc = LZ4F_decompress(lz4_ctxt, decompressed_buffer, &out_size,
&data[src_offset], &src_size, NULL);
if (LZ4F_isError(rc)) {
goto end;
}
+ if (out_size != dst_size) {
+ decompressed_buffer = (guint8 *)wmem_realloc(pinfo->pool, decompressed_buffer, out_size);
+ }
if (out_size == 0) {
goto end;
}
@@ -1734,7 +1737,7 @@ static gboolean
decompress_snappy(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length, tvbuff_t **decompressed_tvb, int *decompressed_offset)
{
guint8 *data = (guint8*)tvb_memdup(pinfo->pool, tvb, offset, length);
- size_t uncompressed_size;
+ size_t uncompressed_size, out_size;
snappy_status rc = SNAPPY_OK;
tvbuff_t *composite_tvb = NULL;
gboolean ret = FALSE;
@@ -1771,18 +1774,21 @@ decompress_snappy(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length,
goto end;
}
guint8 *decompressed_buffer = (guint8*)wmem_alloc(pinfo->pool, uncompressed_size);
- rc = snappy_uncompress(&data[pos], chunk_size, decompressed_buffer, &uncompressed_size);
+ out_size = uncompressed_size;
+ rc = snappy_uncompress(&data[pos], chunk_size, decompressed_buffer, &out_size);
if (rc != SNAPPY_OK) {
goto end;
}
+ if (out_size != uncompressed_size) {
+ decompressed_buffer = (guint8 *)wmem_realloc(pinfo->pool, decompressed_buffer, out_size);
+ }
if (!composite_tvb) {
composite_tvb = tvb_new_composite();
}
tvb_composite_append(composite_tvb,
- tvb_new_child_real_data(tvb, decompressed_buffer, (guint)uncompressed_size, (gint)uncompressed_size));
+ tvb_new_child_real_data(tvb, decompressed_buffer, (guint)out_size, (gint)out_size));
pos += chunk_size;
- wmem_free(pinfo->pool, decompressed_buffer);
count++;
DISSECTOR_ASSERT_HINT(count < MAX_LOOP_ITERATIONS, "MAX_LOOP_ITERATIONS exceeded");
}
@@ -1797,12 +1803,16 @@ decompress_snappy(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length,
guint8 *decompressed_buffer = (guint8*)wmem_alloc(pinfo->pool, uncompressed_size);
- rc = snappy_uncompress(data, length, decompressed_buffer, &uncompressed_size);
+ out_size = uncompressed_size;
+ rc = snappy_uncompress(data, length, decompressed_buffer, &out_size);
if (rc != SNAPPY_OK) {
goto end;
}
+ if (out_size != uncompressed_size) {
+ decompressed_buffer = (guint8 *)wmem_realloc(pinfo->pool, decompressed_buffer, out_size);
+ }
- *decompressed_tvb = tvb_new_child_real_data(tvb, decompressed_buffer, (guint)uncompressed_size, (gint)uncompressed_size);
+ *decompressed_tvb = tvb_new_child_real_data(tvb, decompressed_buffer, (guint)out_size, (gint)out_size);
*decompressed_offset = 0;
}
--
GitLab

6
wireshark.spec
View File

@ -5,7 +5,7 @@
Summary: Network traffic analyzer Summary: Network traffic analyzer
Name: wireshark Name: wireshark
Version: 3.6.14 Version: 3.6.14
Release: 1 Release: 2
Epoch: 1 Epoch: 1
License: GPL+ License: GPL+
Url: http://www.wireshark.org/ Url: http://www.wireshark.org/
@ -21,6 +21,7 @@ Patch4: wireshark-0004-Restore-Fedora-specific-groups.patch
Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch
Patch7: wireshark-0007-cmakelists.patch Patch7: wireshark-0007-cmakelists.patch
Patch8: CVE-2023-3648.patch
Requires: xdg-utils Requires: xdg-utils
Requires: hicolor-icon-theme Requires: hicolor-icon-theme
@ -195,6 +196,9 @@ exit 0
%{_mandir}/man?/* %{_mandir}/man?/*
%changelog %changelog
* Thu Jul 27 2023 liningjie <liningjie@xfusion.com> - 1:3.6.14-2
- Fix CVE-2023-3648
* Thu Jun 15 2023 wangkai <13474090681@163.com> - 1:3.6.14-1 * Thu Jun 15 2023 wangkai <13474090681@163.com> - 1:3.6.14-1
- Update to 3.6.14 for fix CVE-2023-0667,CVE-2023-2952 - Update to 3.6.14 for fix CVE-2023-0667,CVE-2023-2952