!156 Fix CVE-2023-5371

From: @wk333 Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-10-07 07:23:38 +00:00 · 2023-10-07 07:23:38 +00:00 · 940fadae02
commit 940fadae02
parent 6f3894badd 48ab59482a
2 changed files with 53 additions and 1 deletions
--- a/CVE-2023-5371.patch
+++ b/CVE-2023-5371.patch
@ -0,0 +1,48 @@
+From 1921740b0bf561941e0906884757831bde989add Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Wed, 6 Sep 2023 06:13:23 -0400
+Subject: [PATCH] RTPS: Check for signed overflow
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/1921740b0bf561941e0906884757831bde989add
+
+The offset is a signed integer, and we use negative offsets
+to mean "offset counting from the end of the tvb." That means
+that we can still have an excessive loop without unsigned overflow
+or running off the end of the tvb, if the result of adding a large
+unsigned integer to the offset results in a small negative number.
+
+Just check if the result of the addition makes the offset move
+backwards.
+
+Fix #19322
+
+(backported from commit 0de07f8fe4f8e06da9084485e64a24c8f85a20f4)
+---
+ epan/dissectors/packet-rtps.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
+index 82ac8f9436b..c152d50dfc6 100644
+--- a/epan/dissectors/packet-rtps.c
+++ b/epan/dissectors/packet-rtps.c
+@@ -2474,13 +2474,14 @@ static const fragment_items rtps_frag_items = {
+     "RTPS fragments"
+ };
+ 
+-static guint32 check_offset_addition(guint32 offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
+static gint check_offset_addition(gint offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
+ {
+-    if (offset > G_MAXUINT32 - value) {
+    gint new_offset = offset + (gint)value;
+    if (new_offset < offset) {
+         proto_tree_add_expert_format(tree, pinfo, &ei_rtps_value_too_large, tvb, 0, 0, "Offset value too large: %u", value);
+         THROW(ReportedBoundsError);
+     }
+-    return offset + value;
+    return new_offset;
+ }
+ 
+ static void rtps_util_dissect_parameter_header(tvbuff_t * tvb, gint * offset,
+-- 
+GitLab
+
--- a/wireshark.spec
+++ b/wireshark.spec
@ -5,7 +5,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	3.6.14
-Release:	3
+Release:	4
 Epoch:		1
 License:	GPL+
 Url:		http://www.wireshark.org/
@ -27,6 +27,7 @@ Patch10:	CVE-2023-2906.patch
 Patch11:	CVE-2023-4513-1.patch
 Patch12:	CVE-2023-4513-2.patch
 Patch13:	CVE-2023-4511.patch
+Patch14:	CVE-2023-5371.patch

 Requires:	xdg-utils
 Requires:	hicolor-icon-theme
@ -201,6 +202,9 @@ exit 0
 %{_mandir}/man?/*

 %changelog
+* Sat Oct 07 2023 wangkai <13474090681@163.com> - 1:3.6.14-4
+- Fix CVE-2023-5371
+
 * Wed Sep 06 2023 wangkai <13474090681@163.com> - 1:3.6.14-3
 - Fix CVE-2023-3649,CVE-2023-2906,CVE-2023-4511,CVE-2023-4513