Fix CVE-2023-1992,CVE-2023-1993 and CVE-2023-1994

CVE-2023-1992.patch

@@ -0,0 +1,61 @@
+From c224405c31688d351ed79a304fa491517f541191 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sun, 19 Mar 2023 15:16:39 -0400
+Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets
+
+Add a frame end routine for a global which is assigned to packet
+scoped memory. It really should be made proto data, but is used
+in a function in the header (that doesn't take the packet info
+struct as an argument) and this fix needs to be made in stable
+branches.
+
+Fix #18852
+
+
+(cherry picked from commit 3c8be14c827f1587da3c2b3bb0d9c04faff57413)
+---
+ epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
+index 177e772c44b..815f6a3fc76 100644
+--- a/epan/dissectors/packet-rpcrdma.c
++++ b/epan/dissectors/packet-rpcrdma.c
+@@ -24,6 +24,7 @@
+ #include <epan/addr_resolv.h>
+ 
+ #include "packet-rpcrdma.h"
++#include "packet-frame.h"
+ #include "packet-infiniband.h"
+ #include "packet-iwarp-ddp-rdmap.h"
+ 
+@@ -271,6 +272,18 @@ void rpcrdma_insert_offset(gint offset)
+     wmem_array_append_one(gp_rdma_write_offsets, offset);
+ }
+ 
++/*
++ * Reset the array of write offsets at the end of the frame. These
++ * are packet scoped, so they don't need to be freed, but we want
++ * to ensure that the global doesn't point to no longer allocated
++ * memory in a later packet.
++ */
++static void
++reset_write_offsets(void)
++{
++    gp_rdma_write_offsets = NULL;
++}
++
+ /* Get conversation state, it is created if it does not exist */
+ static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo)
+ {
+@@ -1409,6 +1422,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data
+             if (write_size > 0 && !pinfo->fd->visited) {
+                 /* Initialize array of write chunk offsets */
+                 gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint));
++                register_frame_end_routine(pinfo, reset_write_offsets);
+                 TRY {
+                     /*
+                      * Call the upper layer dissector to get a list of offsets
+-- 
+GitLab
+

CVE-2023-1993.patch

@@ -0,0 +1,96 @@
+From 646b1313038487f7c04bf0ada7960ad906a01408 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Fri, 10 Mar 2023 22:55:54 -0500
+Subject: [PATCH] LISP: Don't go past a LCAF payload length
+
+The LISP Canonical Address Format has a payload length indicator.
+Use that to create a payload tvb and don't dissect outside the
+payload length. With fuzzed and malformed packets, this was causing
+the same bytes to be dissected many times, particularly in the
+recursive address types.
+
+A LCAF would be dissected outside the payload region, but then
+elsewhere the offset was only advanced by the payload length.
+
+Fix #18900
+
+(cherry picked from commit b911cf286f495ba068c77b8b2b3445d1a325a819)
+---
+ epan/dissectors/packet-lisp.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/epan/dissectors/packet-lisp.c b/epan/dissectors/packet-lisp.c
+index fe93d360c71..e8468c1d8bb 100644
+--- a/epan/dissectors/packet-lisp.c
++++ b/epan/dissectors/packet-lisp.c
+@@ -1825,6 +1825,7 @@ dissect_lcaf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, p
+     guint16      len;
+     proto_item  *tir, *ti_header, *ti_flags, *ti;
+     proto_tree  *lcaf_tree, *lcaf_header_tree, *flags_tree;
++    tvbuff_t    *payload_tvb;
+ 
+     len = tvb_get_ntohs(tvb, offset + 4);
+ 
+@@ -1869,46 +1870,47 @@ dissect_lcaf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, p
+     proto_tree_add_item(lcaf_header_tree, hf_lisp_lcaf_length, tvb, offset, 2, ENC_BIG_ENDIAN);
+     offset += 2;
+ 
++    payload_tvb = tvb_new_subset_length(tvb, 0, offset + len);
+     ti = (tip) ? tip : tir;
+ 
+     switch (lcaf_type) {
+         case LCAF_NULL:
+             break;
+         case LCAF_AFI_LIST:
+-            offset = dissect_lcaf_afi_list(tvb, pinfo, lcaf_tree, offset, len);
++            offset = dissect_lcaf_afi_list(payload_tvb, pinfo, lcaf_tree, offset, len);
+             break;
+         case LCAF_IID:
+-            offset = dissect_lcaf_iid(tvb, pinfo, lcaf_tree, offset, ti);
++            offset = dissect_lcaf_iid(payload_tvb, pinfo, lcaf_tree, offset, ti);
+             break;
+         case LCAF_ASN:
+-            offset = dissect_lcaf_asn(tvb, pinfo, lcaf_tree, offset, ti);
++            offset = dissect_lcaf_asn(payload_tvb, pinfo, lcaf_tree, offset, ti);
+             break;
+         case LCAF_GEO:
+-            offset = dissect_lcaf_geo(tvb, pinfo, lcaf_tree, offset, ti);
++            offset = dissect_lcaf_geo(payload_tvb, pinfo, lcaf_tree, offset, ti);
+             break;
+         case LCAF_NATT:
+-            offset = dissect_lcaf_natt(tvb, pinfo, lcaf_tree, offset, len);
++            offset = dissect_lcaf_natt(payload_tvb, pinfo, lcaf_tree, offset, len);
+             break;
+         case LCAF_NONCE_LOC:
+-            offset = dissect_lcaf_nonce_loc(tvb, pinfo, lcaf_tree, offset, ti);
++            offset = dissect_lcaf_nonce_loc(payload_tvb, pinfo, lcaf_tree, offset, ti);
+             break;
+         case LCAF_MCAST_INFO:
+-            offset = dissect_lcaf_mcast_info(tvb, pinfo, lcaf_tree, offset, ti);
++            offset = dissect_lcaf_mcast_info(payload_tvb, pinfo, lcaf_tree, offset, ti);
+             break;
+         case LCAF_ELP:
+-            offset = dissect_lcaf_elp(tvb, pinfo, lcaf_tree, offset, len, ti);
++            offset = dissect_lcaf_elp(payload_tvb, pinfo, lcaf_tree, offset, len, ti);
+             break;
+         case LCAF_SRC_DST_KEY:
+-            offset = dissect_lcaf_src_dst_key(tvb, pinfo, lcaf_tree, offset, ti);
++            offset = dissect_lcaf_src_dst_key(payload_tvb, pinfo, lcaf_tree, offset, ti);
+             break;
+         case LCAF_RLE:
+-            offset = dissect_lcaf_rle(tvb, pinfo, lcaf_tree, offset, len, ti);
++            offset = dissect_lcaf_rle(payload_tvb, pinfo, lcaf_tree, offset, len, ti);
+             break;
+         case LCAF_KV_ADDR_PAIR:
+-            offset = dissect_lcaf_kv_addr_pair(tvb, pinfo, lcaf_tree, offset);
++            offset = dissect_lcaf_kv_addr_pair(payload_tvb, pinfo, lcaf_tree, offset);
+             break;
+         case LCAF_VENDOR:
+-            offset = dissect_lcaf_vendor(tvb, pinfo, lcaf_tree, offset, len);
++            offset = dissect_lcaf_vendor(payload_tvb, pinfo, lcaf_tree, offset, len);
+             break;
+         default:
+             proto_tree_add_expert(tree, pinfo, &ei_lisp_undecoded, tvb, offset, len);
+-- 
+GitLab
+

CVE-2023-1994.patch

@@ -0,0 +1,51 @@
+From 8970fc17e8a9d48bc746855a7f2a7a3b1bd6a00e Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Sun, 2 Apr 2023 15:29:12 -0700
+Subject: [PATCH] GQUIC: Fix a null pointer exception
+
+Ensure that dissect_gquic_frame_type has a valid info pointer.
+
+Fixes #18947.
+
+(cherry picked from commit ee314ace8ae2d2fa8c6f7280231010252054fd7b)
+---
+ epan/dissectors/packet-gquic.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-gquic.c b/epan/dissectors/packet-gquic.c
+index c9e1be63069..66115ce14e0 100644
+--- a/epan/dissectors/packet-gquic.c
++++ b/epan/dissectors/packet-gquic.c
+@@ -204,6 +204,7 @@ static expert_field ei_gquic_tag_unknown = EI_INIT;
+ static expert_field ei_gquic_version_invalid = EI_INIT;
+ static expert_field ei_gquic_invalid_parameter = EI_INIT;
+ static expert_field ei_gquic_length_invalid = EI_INIT;
++static expert_field ei_gquic_data_invalid = EI_INIT;
+ 
+ static const value_string gquic_short_long_header_vals[] = {
+     { 0, "Short Header" },
+@@ -1743,6 +1744,11 @@ dissect_gquic_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ft_tree, guint
+ 
+ int
+ dissect_gquic_frame_type(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gquic_tree, guint offset, guint8 len_pkn, gquic_info_data_t *gquic_info){
++    if (!gquic_info) {
++        expert_add_info(pinfo, gquic_tree, &ei_gquic_data_invalid);
++        return offset + tvb_reported_length_remaining(tvb, offset);
++    }
++
+     proto_item *ti, *ti_ft, *ti_ftflags /*, *expert_ti*/;
+     proto_tree *ft_tree, *ftflags_tree;
+     guint8 frame_type;
+@@ -3244,7 +3250,8 @@ proto_register_gquic(void)
+         { &ei_gquic_tag_unknown, { "gquic.tag.unknown.data", PI_UNDECODED, PI_NOTE, "Unknown Data", EXPFILL }},
+         { &ei_gquic_version_invalid, { "gquic.version.invalid", PI_MALFORMED, PI_ERROR, "Invalid Version", EXPFILL }},
+         { &ei_gquic_invalid_parameter, { "gquic.invalid.parameter", PI_MALFORMED, PI_ERROR, "Invalid Parameter", EXPFILL }},
+-        { &ei_gquic_length_invalid, { "gquic.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid Length", EXPFILL }}
++        { &ei_gquic_length_invalid, { "gquic.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid Length", EXPFILL }},
++        { &ei_gquic_data_invalid, { "gquic.data.invalid", PI_PROTOCOL, PI_WARN, "Invalid Data", EXPFILL }},
+     };
+ 
+     expert_module_t *expert_gquic;
+-- 
+GitLab
+

wireshark.spec

@@ -5,7 +5,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	3.6.11
-Release:	2
+Release:	3
 Epoch:		1
 License:	GPL+
 Url:		http://www.wireshark.org/
@@ -22,6 +22,9 @@ Patch5:		wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
 Patch6:		wireshark-0006-Move-tmp-to-var-tmp.patch
 Patch7:		wireshark-0007-cmakelists.patch
 Patch8:         CVE-2023-1161.patch
+Patch9:         CVE-2023-1992.patch
+Patch10:        CVE-2023-1993.patch
+Patch11:        CVE-2023-1994.patch
 
 Requires:	xdg-utils
 Requires:	hicolor-icon-theme
@@ -196,6 +199,9 @@ exit 0
 %{_mandir}/man?/*
 
 %changelog
+* Mon Apr 24 2023 yaoxin <yao_xin001@hoperun.com> - 1:3.6.11-3
+- Fix CVE-2023-1992,CVE-2023-1993 and CVE-2023-1994
+
 * Mon Mar 27 2023 yaoxin <yaoxin30@h-partners.com> - 1:3.6.11-2
 - Fix CVE-2023-1161