!19 fix CVE-2018-16056

From: @wangxiao65 Reviewed-by: @yanzh_h Signed-off-by: @yanzh_h
2020-09-17 11:38:58 +08:00 · 2020-09-17 11:38:58 +08:00 · ea48230712
commit ea48230712
parent bfbd275549 6daa668982
2 changed files with 111 additions and 1 deletions
--- a/CVE-2018-16056.patch
+++ b/CVE-2018-16056.patch
@ -0,0 +1,103 @@
+From 10db757c350b5427eb668ad8a20607a9ea28c099 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Sun, 22 Jul 2018 10:18:19 -0700
+Subject: [PATCH] Don't assume a given btgatt.uuid0xXXXX dissector exists.
+
+They're not guaranteed to have been registered.
+
+Bug: 14994
+Change-Id: I11c2b2d4d8a7dd020a0ef3d700b29b0859bc68ca
+Reviewed-on: https://code.wireshark.org/review/28805
+Reviewed-by: Guy Harris <guy@alum.mit.edu>
+(cherry picked from commit f98fbce64cb230e94a2cafc410a3cedad657b485)
+Reviewed-on: https://code.wireshark.org/review/28806
+---
+ epan/dissectors/packet-btatt.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/epan/dissectors/packet-btatt.c b/epan/dissectors/packet-btatt.c
+index 803ed14f92..10375c0046 100644
+--- a/epan/dissectors/packet-btatt.c
+++ b/epan/dissectors/packet-btatt.c
+@@ -4205,6 +4205,19 @@ dissect_handle(proto_tree *tree, packet_info *pinfo, gint hf,
+ static gint
+ btatt_dissect_attribute_handle(guint16 handle, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, btatt_data_t *att_data);
+ 
+static int
+btatt_call_dissector_by_dissector_name_with_data(const char *dissector_name,
+        tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+{
+	dissector_handle_t handle;
+
+	handle = find_dissector(dissector_name);
+	if (handle != NULL)
+		return call_dissector_with_data(handle, tvb, pinfo, tree, data);
+	else
+		return call_data_dissector(tvb, pinfo, tree);
+}
+
+ static gint
+ dissect_attribute_value(proto_tree *tree, proto_item *patron_item, packet_info *pinfo, tvbuff_t *old_tvb,
+         gint old_offset, gint length, guint16 handle, bluetooth_uuid_t uuid, btatt_data_t *att_data)
+@@ -4728,7 +4741,7 @@ dissect_attribute_value(proto_tree *tree, proto_item *patron_item, packet_info *
+             proto_tree_add_item(tree, hf_btatt_value_trigger_setting_analog, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+             offset += 2;
+         } else if (value == 4) {
+-            call_dissector_with_data(find_dissector("btgatt.uuid0x2a56"), tvb_new_subset_length_caplen(tvb, offset, 1, 1), pinfo, tree, att_data);
+            btatt_call_dissector_by_dissector_name_with_data("btgatt.uuid0x2a56", tvb_new_subset_length_caplen(tvb, offset, 1, 1), pinfo, tree, att_data);
+             offset += 1;
+         } else if (value == 5 || value == 6) {
+             proto_tree_add_item(tree, hf_btatt_value_trigger_setting_analog_one, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+@@ -6443,10 +6456,10 @@ dissect_attribute_value(proto_tree *tree, proto_item *patron_item, packet_info *
+         if (bluetooth_gatt_has_no_parameter(att_data->opcode))
+             break;
+ 
+-        call_dissector_with_data(find_dissector("btgatt.uuid0x2a56"), tvb_new_subset_length_caplen(tvb, offset, 1, 1), pinfo, tree, att_data);
+        btatt_call_dissector_by_dissector_name_with_data("btgatt.uuid0x2a56", tvb_new_subset_length_caplen(tvb, offset, 1, 1), pinfo, tree, att_data);
+         offset += 1;
+ 
+-        call_dissector_with_data(find_dissector("btgatt.uuid0x2a58"), tvb_new_subset_length_caplen(tvb, offset, 2, 2), pinfo, tree, att_data);
+        btatt_call_dissector_by_dissector_name_with_data("btgatt.uuid0x2a58", tvb_new_subset_length_caplen(tvb, offset, 2, 2), pinfo, tree, att_data);
+         offset += 2;
+ 
+         break;
+@@ -6543,7 +6556,7 @@ dissect_attribute_value(proto_tree *tree, proto_item *patron_item, packet_info *
+             sub_item = proto_tree_add_item(tree, hf_btatt_plx_spot_check_measurement_timestamp, tvb, offset, 7, ENC_NA);
+             sub_tree = proto_item_add_subtree(sub_item, ett_btatt_value);
+ 
+-            call_dissector_with_data(find_dissector("btgatt.uuid0x2a08"), tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, sub_tree, att_data);
+            btatt_call_dissector_by_dissector_name_with_data("btgatt.uuid0x2a08", tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, sub_tree, att_data);
+             offset += 7;
+         }
+ 
+@@ -9116,7 +9129,7 @@ dissect_attribute_value(proto_tree *tree, proto_item *patron_item, packet_info *
+         sub_item = proto_tree_add_item(tree, hf_btatt_ots_object_first_created, tvb, offset, 7, ENC_NA);
+         sub_tree = proto_item_add_subtree(sub_item, ett_btatt_value);
+ 
+-        call_dissector_with_data(find_dissector("btgatt.uuid0x2a08"), tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, sub_tree, att_data);
+        btatt_call_dissector_by_dissector_name_with_data("btgatt.uuid0x2a08", tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, sub_tree, att_data);
+         offset += 7;
+ 
+         break;
+@@ -9135,7 +9148,7 @@ dissect_attribute_value(proto_tree *tree, proto_item *patron_item, packet_info *
+         sub_item = proto_tree_add_item(tree, hf_btatt_ots_object_last_modified, tvb, offset, 7, ENC_NA);
+         sub_tree = proto_item_add_subtree(sub_item, ett_btatt_value);
+ 
+-        call_dissector_with_data(find_dissector("btgatt.uuid0x2a08"), tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, sub_tree, att_data);
+        btatt_call_dissector_by_dissector_name_with_data("btgatt.uuid0x2a08", tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, sub_tree, att_data);
+         offset += 7;
+ 
+         break;
+@@ -9342,10 +9355,10 @@ dissect_attribute_value(proto_tree *tree, proto_item *patron_item, packet_info *
+             break;
+         case 0x06: /* Created Between */
+         case 0x07: /* Modified Between */
+-            call_dissector_with_data(find_dissector("btgatt.uuid0x2a08"), tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, tree, att_data);
+            btatt_call_dissector_by_dissector_name_with_data("btgatt.uuid0x2a08", tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, tree, att_data);
+             offset += 7;
+ 
+-            call_dissector_with_data(find_dissector("btgatt.uuid0x2a08"), tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, tree, att_data);
+            btatt_call_dissector_by_dissector_name_with_data("btgatt.uuid0x2a08", tvb_new_subset_length_caplen(tvb, offset, 7, 7), pinfo, tree, att_data);
+             offset += 7;
+ 
+             break;
--- a/wireshark.spec
+++ b/wireshark.spec
@ -1,6 +1,6 @@
 Name:           wireshark
 Version:        2.6.2
-Release:        10
+Release:        11
 Epoch:          1
 Summary:        Network traffic analyzer
 License:        GPL+
@ -40,6 +40,7 @@ Patch6025:      CVE-2020-11647.patch
 Patch6026:      fix-hash-table-key-memory-corruption.patch
 Patch6027:      CVE-2020-13164.patch
 Patch6028:      CVE-2020-15466.patch
+Patch6029:      CVE-2018-16056.patch

 Requires(pre):  shadow-utils
 Requires(post): systemd-udev
@ -146,6 +147,12 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*

 %changelog
+* Wed Sep 15 2020 wangxiao <wangxiao65@huawei.com> - 2.6.2-11
+- Type:cves
+- ID: CVE-2018-16056
+- SUG:restart
+- DESC: fix CVE-2018-16056
+
 * Thu Sep 10 2020 baizhonggui <baizhonggui@huawei.com> - 2.6.2-10
 - Modify source0