Fix CVE-2024-8645
This commit is contained in:
starlet-dx
parent
efc71edeb1
commit
e5f170ccb7
87
CVE-2024-8645.patch
Normal file
87
CVE-2024-8645.patch
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
From cc67f836c01b6f55f2ff70aa4df44a1b934d7404 Mon Sep 17 00:00:00 2001
|
||||||
|
From: John Thacker <johnthacker@gmail.com>
|
||||||
|
Date: Wed, 29 May 2024 14:23:04 +0000
|
||||||
|
Subject: [PATCH] SPRT: Fix crash
|
||||||
|
|
||||||
|
SDP can setup a RTP conversation with a setup frame before the current
|
||||||
|
frame, which changes the dissection on the second pass. If in the period
|
||||||
|
in the middle there is a SPRT packet, it can be dissected differently on
|
||||||
|
the second pass, and the SPRT conversation data won't be found on the
|
||||||
|
second pass.
|
||||||
|
|
||||||
|
Fix #19559 (at least prevent the crash. There's some more cleanup that
|
||||||
|
should happen.)
|
||||||
|
|
||||||
|
|
||||||
|
(cherry picked from commit 05f6364cbd766e8758f98c5ee2070aef27c1ffef)
|
||||||
|
|
||||||
|
Co-authored-by: John Thacker <johnthacker@gmail.com>
|
||||||
|
---
|
||||||
|
epan/dissectors/packet-rtp.c | 3 +++
|
||||||
|
epan/dissectors/packet-sprt.c | 29 +++++++++++++++++------------
|
||||||
|
2 files changed, 20 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/epan/dissectors/packet-rtp.c b/epan/dissectors/packet-rtp.c
|
||||||
|
index 9731e03..6ec8f6f 100644
|
||||||
|
--- a/epan/dissectors/packet-rtp.c
|
||||||
|
+++ b/epan/dissectors/packet-rtp.c
|
||||||
|
@@ -1097,6 +1097,9 @@ srtp_add_address(packet_info *pinfo, const port_type ptype, address *addr, int p
|
||||||
|
* If not, create a new conversation.
|
||||||
|
*/
|
||||||
|
if (!p_conv || p_conv->setup_frame != setup_frame_number) {
|
||||||
|
+ /* XXX - If setup_frame_number < pinfo->num, creating this conversation
|
||||||
|
+ * can mean that the dissection is different on later passes.
|
||||||
|
+ */
|
||||||
|
p_conv = conversation_new(setup_frame_number, addr, &null_addr, conversation_pt_to_endpoint_type(ptype),
|
||||||
|
(guint32)port, (guint32)other_port,
|
||||||
|
NO_ADDR2 | (!other_port ? NO_PORT2 : 0));
|
||||||
|
diff --git a/epan/dissectors/packet-sprt.c b/epan/dissectors/packet-sprt.c
|
||||||
|
index 87e543c..568d242 100644
|
||||||
|
--- a/epan/dissectors/packet-sprt.c
|
||||||
|
+++ b/epan/dissectors/packet-sprt.c
|
||||||
|
@@ -1341,6 +1341,23 @@ dissect_sprt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_
|
||||||
|
/*guint16 tcn;*/
|
||||||
|
/*guint16 sqn;*/
|
||||||
|
|
||||||
|
+ /* Get conversation data, or create it if not found */
|
||||||
|
+ p_conv_data = find_sprt_conversation_data(pinfo);
|
||||||
|
+ if (!p_conv_data)
|
||||||
|
+ {
|
||||||
|
+ sprt_add_address(pinfo,
|
||||||
|
+ &pinfo->src, pinfo->srcport,
|
||||||
|
+ 0,
|
||||||
|
+ "SPRT stream",
|
||||||
|
+ pinfo->num);
|
||||||
|
+ p_conv_data = find_sprt_conversation_data(pinfo);
|
||||||
|
+ if (!p_conv_data) {
|
||||||
|
+ // This shouldn't happen; likely a new RTP conversation was set up
|
||||||
|
+ // after this frame but with a setup frame before this one.
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Make entries in Protocol column and Info column on summary display */
|
||||||
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "SPRT");
|
||||||
|
col_clear(pinfo->cinfo, COL_INFO);
|
||||||
|
@@ -1395,18 +1412,6 @@ dissect_sprt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_
|
||||||
|
|
||||||
|
noa = (tvb_get_ntohs(tvb, offset + 4) & 0xC000) >> 14;
|
||||||
|
|
||||||
|
- /* Get conversation data, or create it if not found */
|
||||||
|
- p_conv_data = find_sprt_conversation_data(pinfo);
|
||||||
|
- if (!p_conv_data)
|
||||||
|
- {
|
||||||
|
- sprt_add_address(pinfo,
|
||||||
|
- &pinfo->src, pinfo->srcport,
|
||||||
|
- 0,
|
||||||
|
- "SPRT stream",
|
||||||
|
- pinfo->num);
|
||||||
|
- p_conv_data = find_sprt_conversation_data(pinfo);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
proto_tree_add_item(sprt_tree, hf_sprt_header_extension_bit, tvb, offset, 1, ENC_BIG_ENDIAN);
|
||||||
|
proto_tree_add_item(sprt_tree, hf_sprt_subsession_id, tvb, offset, 1, ENC_BIG_ENDIAN);
|
||||||
|
offset++;
|
||||||
|
--
|
||||||
|
2.46.2
|
||||||
|
|
||||||
@ -5,7 +5,7 @@
|
|||||||
Summary: Network traffic analyzer
|
Summary: Network traffic analyzer
|
||||||
Name: wireshark
|
Name: wireshark
|
||||||
Version: 3.6.14
|
Version: 3.6.14
|
||||||
Release: 11
|
Release: 12
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
License: GPL+
|
License: GPL+
|
||||||
Url: http://www.wireshark.org/
|
Url: http://www.wireshark.org/
|
||||||
@ -40,6 +40,7 @@ Patch21: CVE-2024-4854.patch
|
|||||||
Patch22: CVE-2024-4855.patch
|
Patch22: CVE-2024-4855.patch
|
||||||
Patch23: CVE-2024-8250.patch
|
Patch23: CVE-2024-8250.patch
|
||||||
Patch24: CVE-2024-24476.patch
|
Patch24: CVE-2024-24476.patch
|
||||||
|
Patch25: CVE-2024-8645.patch
|
||||||
|
|
||||||
Requires: xdg-utils
|
Requires: xdg-utils
|
||||||
Requires: hicolor-icon-theme
|
Requires: hicolor-icon-theme
|
||||||
@ -214,6 +215,9 @@ exit 0
|
|||||||
%{_mandir}/man?/*
|
%{_mandir}/man?/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 09 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-12
|
||||||
|
- Fix CVE-2024-8645
|
||||||
|
|
||||||
* Mon Oct 07 2024 liningjie <liningjie@xfusion.com> - 1:3.6.14-11
|
* Mon Oct 07 2024 liningjie <liningjie@xfusion.com> - 1:3.6.14-11
|
||||||
- Fix CVE-2024-24476
|
- Fix CVE-2024-24476
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user