packages/wireshark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:0452b133a6ab523e71651cf4ce3dd71f43933fe8
Branches Tags
packages:main
..
compare: packages:7a4926f4658739cf9519c759f2f16ea3b8c7db63
Branches Tags
packages:main

No commits in common. "0452b133a6ab523e71651cf4ce3dd71f43933fe8" and "7a4926f4658739cf9519c759f2f16ea3b8c7db63" have entirely different histories.
0452b133a6 ... 7a4926f465

8 changed files with 1 additions and 679 deletions
Show Stats Expand all files Collapse all files

116
CVE-2023-0666.patch
View File

@ -1,116 +0,0 @@
From 28fdce547c417b868c521f87fb58f71ca6b1e3f7 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Thu, 18 May 2023 13:52:48 -0700
Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes
Use the proper dest_size in various g_strlcpy calls.
Fixes #19085
---
epan/dissectors/packet-rtps.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
index c152d50..f4da449 100644
--- a/epan/dissectors/packet-rtps.c
+++ b/epan/dissectors/packet-rtps.c
@@ -4487,7 +4487,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
++tk_id;
}
- (void) g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40);
+ (void) g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name));
/* Structure of the typecode data:
*
@@ -4658,7 +4658,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
member_name, -1, NULL, ndds_40_hack);
}
/* Finally prints the name of the struct (if provided) */
- (void) g_strlcpy(type_name, "}", 40);
+ (void) g_strlcpy(type_name, "}", sizeof(type_name));
break;
} /* end of case UNION */
@@ -4829,7 +4829,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
}
}
/* Finally prints the name of the struct (if provided) */
- (void) g_strlcpy(type_name, "}", 40);
+ (void) g_strlcpy(type_name, "}", sizeof(type_name));
break;
}
@@ -4921,7 +4921,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
offset += 4;
alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII);
offset = check_offset_addition(offset, alias_name_length, tree, NULL, tvb);
- (void) g_strlcpy(type_name, alias_name, 40);
+ (void) g_strlcpy(type_name, alias_name, sizeof(type_name));
break;
}
@@ -4956,7 +4956,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
if (tk_id == RTI_CDR_TK_VALUE_PARAM) {
type_id_name = "valueparam";
}
- g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name);
+ g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name);
break;
}
} /* switch(tk_id) */
@@ -5120,7 +5120,7 @@ static gint rtps_util_add_type_library_type(proto_tree *tree,
long_number = tvb_get_guint32(tvb, offset_tmp, encoding);
name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset_tmp+4, long_number, ENC_ASCII);
if (info)
- (void) g_strlcpy(info->member_name, name, long_number);
+ (void) g_strlcpy(info->member_name, name, sizeof(info->member_name));
proto_item_append_text(tree, " %s", name);
offset = check_offset_addition(offset, member_length, tree, NULL, tvb);
@@ -5296,13 +5296,13 @@ static gint rtps_util_add_type_member(proto_tree *tree,
proto_item_append_text(tree, " %s (ID: %d)", name, member_id);
if (member_object) {
member_object->member_id = member_id;
- (void) g_strlcpy(member_object->member_name, name, long_number < 256 ? long_number : 256);
+ (void) g_strlcpy(member_object->member_name, name, sizeof(member_object->member_name));
member_object->type_id = member_type_id;
}
if (info && info->extensibility == EXTENSIBILITY_MUTABLE) {
mutable_member_mapping * mutable_mapping = NULL;
mutable_mapping = wmem_new(wmem_file_scope(), mutable_member_mapping);
- (void) g_strlcpy(mutable_mapping->member_name, name, long_number < 256 ? long_number : 256);
+ (void) g_strlcpy(mutable_mapping->member_name, name, sizeof(mutable_mapping->member_name));
mutable_mapping->struct_type_id = info->type_id;
mutable_mapping->member_type_id = member_type_id;
mutable_mapping->member_id = member_id;
@@ -5357,7 +5357,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree,
union_member_mapping * mapping = NULL;
mapping = wmem_new(wmem_file_scope(), union_member_mapping);
- (void) g_strlcpy(mapping->member_name, object.member_name, 256);
+ (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name));
mapping->member_type_id = object.type_id;
mapping->discriminator = HASHMAP_DISCRIMINATOR_CONSTANT;
mapping->union_type_id = union_type_id + mapping->discriminator;
@@ -5370,7 +5370,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree,
union_member_mapping * mapping = NULL;
mapping = wmem_new(wmem_file_scope(), union_member_mapping);
- (void) g_strlcpy(mapping->member_name, object.member_name, 256);
+ (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name));
mapping->member_type_id = object.type_id;
mapping->discriminator = -1;
mapping->union_type_id = union_type_id + mapping->discriminator;
@@ -5390,7 +5390,7 @@ static gint rtps_util_add_type_union_member(proto_tree *tree,
ti = proto_tree_add_item(labels, hf_rtps_type_object_union_label, tvb, offset_tmp, 4, encoding);
offset_tmp += 4;
- (void) g_strlcpy(mapping->member_name, object.member_name, 256);
+ (void) g_strlcpy(mapping->member_name, object.member_name, sizeof(mapping->member_name));
mapping->member_type_id = object.type_id;
mapping->discriminator = discriminator_case;
mapping->union_type_id = union_type_id + discriminator_case;
--
2.33.0

157
CVE-2024-24476.patch
View File

@ -1,157 +0,0 @@
From 108217f4bb1afb8b25fc705c2722b3e328b1ad78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Valverde?= <j@v6e.pt>
Date: Sat, 16 Sep 2023 06:59:12 +0100
Subject: [PATCH] addr_resolv: Fix a heap buffer overflow
Make sure we always pass at least 6 bytes to ws_manuf_lookup_str().
Fixes #19344.
---
epan/addr_resolv.c | 29 +++++++++++++++++++++--------
epan/addr_resolv.h | 4 ++--
epan/address_types.c | 4 ++--
3 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/epan/addr_resolv.c b/epan/addr_resolv.c
index 3e0cc6d..4a6be03 100644
--- a/epan/addr_resolv.c
+++ b/epan/addr_resolv.c
@@ -1607,12 +1607,16 @@ add_manuf_name(const guint8 *addr, unsigned int mask, gchar *name, gchar *longna
} /* add_manuf_name */
static hashmanuf_t *
-manuf_name_lookup(const guint8 *addr)
+manuf_name_lookup(const guint8 *addr, size_t size)
{
guint32 manuf_key;
guint8 oct;
hashmanuf_t *manuf_value;
+ if (size < 6) {
+ return NULL;
+ }
+
/* manuf needs only the 3 most significant octets of the ethernet address */
manuf_key = addr[0];
manuf_key = manuf_key<<8;
@@ -1773,6 +1777,7 @@ eth_addr_resolve(hashether_t *tp) {
ether_t *eth;
hashmanuf_t *manuf_value;
const guint8 *addr = tp->addr;
+ size_t addr_size = sizeof(tp->addr);
if ( (eth = get_ethbyaddr(addr)) != NULL) {
(void) g_strlcpy(tp->resolved_name, eth->name, MAXNAMELEN);
@@ -1819,7 +1824,7 @@ eth_addr_resolve(hashether_t *tp) {
} while (mask--);
/* Now try looking in the manufacturer table. */
- manuf_value = manuf_name_lookup(addr);
+ manuf_value = manuf_name_lookup(addr, addr_size);
if ((manuf_value != NULL) && (manuf_value->status != HASHETHER_STATUS_UNRESOLVED)) {
g_snprintf(tp->resolved_name, MAXNAMELEN, "%s_%02x:%02x:%02x",
manuf_value->resolved_name, addr[3], addr[4], addr[5]);
@@ -3378,11 +3383,11 @@ get_vlan_name(wmem_allocator_t *allocator, const guint16 id)
} /* get_vlan_name */
const gchar *
-get_manuf_name(const guint8 *addr)
+get_manuf_name(const guint8 *addr, size_t size)
{
hashmanuf_t *manuf_value;
- manuf_value = manuf_name_lookup(addr);
+ manuf_value = manuf_name_lookup(addr, size);
if (gbl_resolv_flags.mac_name && manuf_value->status != HASHETHER_STATUS_UNRESOLVED)
return manuf_value->resolved_name;
@@ -3393,16 +3398,22 @@ get_manuf_name(const guint8 *addr)
const gchar *
tvb_get_manuf_name(tvbuff_t *tvb, gint offset)
{
- return get_manuf_name(tvb_get_ptr(tvb, offset, 3));
+ guint8 buf[6] = { 0 };
+ tvb_memcpy(tvb, buf, offset, 3);
+ return get_manuf_name(buf, sizeof(buf));
}
const gchar *
-get_manuf_name_if_known(const guint8 *addr)
+get_manuf_name_if_known(const guint8 *addr, size_t size)
{
hashmanuf_t *manuf_value;
guint manuf_key;
guint8 oct;
+ if (size != 6) {
+ return NULL;
+ }
+
/* manuf needs only the 3 most significant octets of the ethernet address */
manuf_key = addr[0];
manuf_key = manuf_key<<8;
@@ -3437,7 +3448,9 @@ uint_get_manuf_name_if_known(const guint manuf_key)
const gchar *
tvb_get_manuf_name_if_known(tvbuff_t *tvb, gint offset)
{
- return get_manuf_name_if_known(tvb_get_ptr(tvb, offset, 3));
+ guint8 buf[6] = { 0 };
+ tvb_memcpy(tvb, buf, offset, 3);
+ return get_manuf_name_if_known(buf, sizeof(buf));
}
char* get_hash_manuf_resolved_name(hashmanuf_t* manuf)
@@ -3455,7 +3468,7 @@ eui64_to_display(wmem_allocator_t *allocator, const guint64 addr_eui64)
/* Copy and convert the address to network byte order. */
*(guint64 *)(void *)(addr) = pntoh64(&(addr_eui64));
- manuf_value = manuf_name_lookup(addr);
+ manuf_value = manuf_name_lookup(addr, 8);
if (!gbl_resolv_flags.mac_name || (manuf_value->status == HASHETHER_STATUS_UNRESOLVED)) {
ret = wmem_strdup_printf(allocator, "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x", addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7]);
} else {
diff --git a/epan/addr_resolv.h b/epan/addr_resolv.h
index 313e8f9..362682c 100644
--- a/epan/addr_resolv.h
+++ b/epan/addr_resolv.h
@@ -223,13 +223,13 @@ const gchar *get_ether_name_if_known(const guint8 *addr);
* Given a sequence of 3 octets containing an OID, get_manuf_name()
* returns the vendor name, or "%02x:%02x:%02x" if not known.
*/
-extern const gchar *get_manuf_name(const guint8 *addr);
+extern const gchar *get_manuf_name(const guint8 *addr, size_t size);
/*
* Given a sequence of 3 octets containing an OID, get_manuf_name_if_known()
* returns the vendor name, or NULL if not known.
*/
-WS_DLL_PUBLIC const gchar *get_manuf_name_if_known(const guint8 *addr);
+WS_DLL_PUBLIC const gchar *get_manuf_name_if_known(const guint8 *addr, size_t size);
/*
* Given an integer containing a 24-bit OID, uint_get_manuf_name_if_known()
diff --git a/epan/address_types.c b/epan/address_types.c
index 86812af..776a02d 100644
--- a/epan/address_types.c
+++ b/epan/address_types.c
@@ -382,7 +382,7 @@ static const gchar* fcwwn_name_res_str(const address* addr)
case FC_NH_NAA_IEEE_E:
memcpy (oui, &addrp[2], 6);
- return get_manuf_name(oui);
+ return get_manuf_name(oui, sizeof(oui));
case FC_NH_NAA_IEEE_R:
oui[0] = ((addrp[0] & 0x0F) << 4) | ((addrp[1] & 0xF0) >> 4);
@@ -392,7 +392,7 @@ static const gchar* fcwwn_name_res_str(const address* addr)
oui[4] = ((addrp[4] & 0x0F) << 4) | ((addrp[5] & 0xF0) >> 4);
oui[5] = ((addrp[5] & 0x0F) << 4) | ((addrp[6] & 0xF0) >> 4);
- return get_manuf_name(oui);
+ return get_manuf_name(oui, sizeof(oui));
}
return "";
--
2.33.0

33
CVE-2024-4853.patch
View File

@ -1,33 +0,0 @@
From 683166c81bc1f8a6268f4955654bfd64ca98c07a Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Fri, 29 Mar 2024 09:42:44 -0400
Subject: [PATCH] editcap: Don't memmove more than allocated in the buffer
When moving from the begining with a beginning offset specified,
don't run off the end. Subtract the source memory area's full offset
from the beginning of the buffer from the capture length.
Fix #19724
(cherry picked from commit 7c744e7933794b09e7af4d9703194ad0b01be282)
---
editcap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/editcap.c b/editcap.c
index 3b5a70127ee..f64a8155576 100644
--- a/editcap.c
+++ b/editcap.c
@@ -2462,7 +2462,7 @@ handle_chopping(chop_t chop, wtap_packet_header *out_phdr,
if (chop.off_begin_pos > 0) {
memmove(*buf + chop.off_begin_pos,
*buf + chop.off_begin_pos + chop.len_begin,
- out_phdr->caplen - chop.len_begin);
+ out_phdr->caplen - (chop.off_begin_pos + chop.len_begin));
} else {
*buf += chop.len_begin;
}
--
GitLab

48
CVE-2024-4854.patch
View File

@ -1,48 +0,0 @@
From 40ed7e814bce9d27cc7a43a3c9612d25692be716 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 30 Mar 2024 08:07:26 -0400
Subject: [PATCH] Mongo: Ensure the offset advances
The MongoDB Wire Protocol uses _signed_ 32 bit integers for lengths.
dissect_bson_document checks for bogus values and ensures that a
non-negative (and at least 5) size is returned, but we need to make
sure to use that return value instead of trusting the value read
from the packet in dissect_op_msg_section.
Fix #19726
(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f)
---
epan/dissectors/packet-mongo.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
index b5a8bbffc2a..8e5f6370fbf 100644
--- a/epan/dissectors/packet-mongo.c
+++ b/epan/dissectors/packet-mongo.c
@@ -799,7 +799,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
switch (e_type) {
case KIND_BODY:
- dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+ section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+ /* If section_len is bogus (e.g., negative), dissect_bson_document sets
+ * an expert info and can return a different value than read above.
+ */
break;
case KIND_DOCUMENT_SEQUENCE: {
gint32 dsi_length;
@@ -808,6 +811,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
proto_tree *documents_tree;
proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ /* This is redundant with the lengths in the documents, we don't use this
+ * size at all. We could still report an expert info if it's bogus.
+ */
offset += 4;
to_read -= 4;
--
GitLab

158
CVE-2024-4855.patch
View File

@ -1,158 +0,0 @@
From f6cb547426d1ee5df2038809b5a6f23380edc932 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 20 Apr 2024 13:15:16 +0000
Subject: [PATCH] editcap, libwiretap: Don't use array of initial DSBs after
freeing
wtap_dump_close frees the passed in GArray of initial DSBs, used
by editcap for injecting DSBs from a file or list of files.
Add functions to increment and decrement the reference count of
an array of wtap blocks. Dereference the block of initial DSBs
in wtap_dump_close() instead of freeing it. In editcap, before
closing the dump file in cases where we intend to open a new
file (e.g., with a maximum time value or a maximum packet count),
reference the block.
Fix #19782, #19783, #19784.
(cherry picked from commit be3550b3b138f39bebb87ac0b8490e75fc8cc847)
Co-authored-by: John Thacker <johnthacker@gmail.com>
---
editcap.c | 9 +++++++++
wiretap/file_access.c | 2 +-
wiretap/wtap.h | 3 ++-
wiretap/wtap_opttypes.c | 26 ++++++++++++++++++++++++++
wiretap/wtap_opttypes.h | 23 +++++++++++++++++++++++
5 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/editcap.c b/editcap.c
index 45091e5..50597c5 100644
--- a/editcap.c
+++ b/editcap.c
@@ -1858,6 +1858,10 @@ main(int argc, char *argv[])
}
while (nstime_cmp(&rec->ts, &block_next) > 0) { /* time for the next file */
+ /* We presumably want to write the DSBs from files given
+ * on the command line to every file.
+ */
+ wtap_block_array_ref(params.dsbs_initial);
if (!wtap_dump_close(pdh, &write_err, &write_err_info)) {
cfile_close_failure_message(filename, write_err,
write_err_info);
@@ -1890,6 +1894,11 @@ main(int argc, char *argv[])
if (split_packet_count != 0) {
/* time for the next file? */
if (written_count > 0 && (written_count % split_packet_count) == 0) {
+
+ /* We presumably want to write the DSBs from files given
+ * on the command line to every file.
+ */
+ wtap_block_array_ref(params.dsbs_initial);
if (!wtap_dump_close(pdh, &write_err, &write_err_info)) {
cfile_close_failure_message(filename, write_err,
write_err_info);
diff --git a/wiretap/file_access.c b/wiretap/file_access.c
index ff7a640..50d1fb1 100644
--- a/wiretap/file_access.c
+++ b/wiretap/file_access.c
@@ -2655,7 +2655,7 @@ wtap_dump_close_new_temp(wtap_dumper *wdh, gboolean *needs_reload,
*needs_reload = wdh->needs_reload;
g_free(wdh->priv);
wtap_block_array_free(wdh->interface_data);
- wtap_block_array_free(wdh->dsbs_initial);
+ wtap_block_array_unref(wdh->dsbs_initial);
g_free(wdh);
return ret;
}
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index d592884..75e4fc6 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -1419,7 +1419,8 @@ typedef struct addrinfo_lists {
* @note The shb_hdr, idb_inf, and nrb_hdr arguments will be used until
* wtap_dump_close() is called, but will not be free'd by the dumper. If
* you created them, you must free them yourself after wtap_dump_close().
- * dsbs_initial will be freed by wtap_dump_close(),
+ * dsbs_initial will be unreferenced by wtap_dump_close(), so to reuse
+ * them for another dump file, call wtap_block_array_ref() before closing.
* dsbs_growing typically refers to another wth->dsbs.
*
* @see wtap_dump_params_init, wtap_dump_params_cleanup.
diff --git a/wiretap/wtap_opttypes.c b/wiretap/wtap_opttypes.c
index 2068743..d4a9602 100644
--- a/wiretap/wtap_opttypes.c
+++ b/wiretap/wtap_opttypes.c
@@ -436,6 +436,32 @@ void wtap_block_array_free(GArray* block_array)
g_array_free(block_array, TRUE);
}
+void wtap_block_array_ref(GArray* block_array)
+{
+ unsigned block;
+
+ if (block_array == NULL)
+ return;
+
+ for (block = 0; block < block_array->len; block++) {
+ wtap_block_ref(g_array_index(block_array, wtap_block_t, block));
+ }
+ g_array_ref(block_array);
+}
+
+void wtap_block_array_unref(GArray* block_array)
+{
+ unsigned block;
+
+ if (block_array == NULL)
+ return;
+
+ for (block = 0; block < block_array->len; block++) {
+ wtap_block_unref(g_array_index(block_array, wtap_block_t, block));
+ }
+ g_array_unref(block_array);
+}
+
/*
* Make a copy of a block.
*/
diff --git a/wiretap/wtap_opttypes.h b/wiretap/wtap_opttypes.h
index 58d3103..5d130c5 100644
--- a/wiretap/wtap_opttypes.h
+++ b/wiretap/wtap_opttypes.h
@@ -572,6 +572,29 @@ wtap_block_unref(wtap_block_t block);
WS_DLL_PUBLIC void
wtap_block_array_free(GArray* block_array);
+/** Decrement the reference count of an array of blocks
+ *
+ * Decrement the reference count of each block in the array
+ * and the GArray itself. Any element whose reference count
+ * drops to 0 will be freed. If the GArray and every block
+ * has a reference count of 1, this is the same as
+ * wtap_block_array_free().
+ *
+ * @param[in] block_array Array of blocks to be dereferenced
+ */
+WS_DLL_PUBLIC void
+wtap_block_array_unref(GArray* block_array);
+
+/** Increment the reference count of an array of blocks
+ *
+ * Increment the reference count of each block in the array
+ * and the GArray itself.
+ *
+ * @param[in] block_array Array of blocks to be referenced
+ */
+WS_DLL_PUBLIC void
+wtap_block_array_ref(GArray* block_array);
+
/** Provide type of a block
*
* @param[in] block Block from which to retrieve mandatory data
--
2.33.0

56
CVE-2024-8250.patch
View File

@ -1,56 +0,0 @@
From be0e7c955d7efa628baa97447127c3434b575765 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sun, 28 Jul 2024 13:06:50 +0000
Subject: [PATCH] ntlmssp: Don't insert a key created on the stack into a hash
table
Origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/16640
We could change this table to an autoreset wmem_map as well.
Fix #19943
(cherry picked from commit 66dcd56f1eae615697b6588ac4778a61a5576391)
Co-authored-by: John Thacker <johnthacker@gmail.com>
---
epan/dissectors/packet-ntlmssp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index a538c204e61..d279d74eb53 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -2353,7 +2353,9 @@ decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length,
decrypted_payloads = g_slist_prepend(decrypted_payloads,
packet_ntlmssp_info->decrypted_payload);
if (key != NULL) {
- g_hash_table_insert(hash_packet, key, packet_ntlmssp_info);
+ uint8_t *perm_key = g_new(uint8_t, NTLMSSP_KEY_LEN);
+ memcpy(perm_key, key, NTLMSSP_KEY_LEN);
+ g_hash_table_insert(hash_packet, perm_key, packet_ntlmssp_info);
}
/* Do the decryption of the payload */
@@ -2803,7 +2805,7 @@ header_hash(gconstpointer pointer)
static gboolean
header_equal(gconstpointer pointer1, gconstpointer pointer2)
{
- if (!memcmp(pointer1, pointer2, 16)) {
+ if (!memcmp(pointer1, pointer2, NTLMSSP_KEY_LEN)) {
return TRUE;
}
else {
@@ -2814,7 +2816,7 @@ header_equal(gconstpointer pointer1, gconstpointer pointer2)
static void
ntlmssp_init_protocol(void)
{
- hash_packet = g_hash_table_new(header_hash, header_equal);
+ hash_packet = g_hash_table_new_full(header_hash, header_equal, g_free, NULL);
}
static void
--
GitLab

87
CVE-2024-8645.patch
View File

@ -1,87 +0,0 @@
From cc67f836c01b6f55f2ff70aa4df44a1b934d7404 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Wed, 29 May 2024 14:23:04 +0000
Subject: [PATCH] SPRT: Fix crash
SDP can setup a RTP conversation with a setup frame before the current
frame, which changes the dissection on the second pass. If in the period
in the middle there is a SPRT packet, it can be dissected differently on
the second pass, and the SPRT conversation data won't be found on the
second pass.
Fix #19559 (at least prevent the crash. There's some more cleanup that
should happen.)
(cherry picked from commit 05f6364cbd766e8758f98c5ee2070aef27c1ffef)
Co-authored-by: John Thacker <johnthacker@gmail.com>
---
epan/dissectors/packet-rtp.c | 3 +++
epan/dissectors/packet-sprt.c | 29 +++++++++++++++++------------
2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/epan/dissectors/packet-rtp.c b/epan/dissectors/packet-rtp.c
index 9731e03..6ec8f6f 100644
--- a/epan/dissectors/packet-rtp.c
+++ b/epan/dissectors/packet-rtp.c
@@ -1097,6 +1097,9 @@ srtp_add_address(packet_info *pinfo, const port_type ptype, address *addr, int p
* If not, create a new conversation.
*/
if (!p_conv || p_conv->setup_frame != setup_frame_number) {
+ /* XXX - If setup_frame_number < pinfo->num, creating this conversation
+ * can mean that the dissection is different on later passes.
+ */
p_conv = conversation_new(setup_frame_number, addr, &null_addr, conversation_pt_to_endpoint_type(ptype),
(guint32)port, (guint32)other_port,
NO_ADDR2 | (!other_port ? NO_PORT2 : 0));
diff --git a/epan/dissectors/packet-sprt.c b/epan/dissectors/packet-sprt.c
index 87e543c..568d242 100644
--- a/epan/dissectors/packet-sprt.c
+++ b/epan/dissectors/packet-sprt.c
@@ -1341,6 +1341,23 @@ dissect_sprt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_
/*guint16 tcn;*/
/*guint16 sqn;*/
+ /* Get conversation data, or create it if not found */
+ p_conv_data = find_sprt_conversation_data(pinfo);
+ if (!p_conv_data)
+ {
+ sprt_add_address(pinfo,
+ &pinfo->src, pinfo->srcport,
+ 0,
+ "SPRT stream",
+ pinfo->num);
+ p_conv_data = find_sprt_conversation_data(pinfo);
+ if (!p_conv_data) {
+ // This shouldn't happen; likely a new RTP conversation was set up
+ // after this frame but with a setup frame before this one.
+ return 0;
+ }
+ }
+
/* Make entries in Protocol column and Info column on summary display */
col_set_str(pinfo->cinfo, COL_PROTOCOL, "SPRT");
col_clear(pinfo->cinfo, COL_INFO);
@@ -1395,18 +1412,6 @@ dissect_sprt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_
noa = (tvb_get_ntohs(tvb, offset + 4) & 0xC000) >> 14;
- /* Get conversation data, or create it if not found */
- p_conv_data = find_sprt_conversation_data(pinfo);
- if (!p_conv_data)
- {
- sprt_add_address(pinfo,
- &pinfo->src, pinfo->srcport,
- 0,
- "SPRT stream",
- pinfo->num);
- p_conv_data = find_sprt_conversation_data(pinfo);
- }
-
proto_tree_add_item(sprt_tree, hf_sprt_header_extension_bit, tvb, offset, 1, ENC_BIG_ENDIAN);
proto_tree_add_item(sprt_tree, hf_sprt_subsession_id, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
--
2.46.2

25
wireshark.spec
View File

@ -5,7 +5,7 @@
Summary: Network traffic analyzer Summary: Network traffic analyzer
Name: wireshark Name: wireshark
Version: 3.6.14 Version: 3.6.14
Release: 12 Release: 7
Epoch: 1 Epoch: 1
License: GPL+ License: GPL+
Url: http://www.wireshark.org/ Url: http://www.wireshark.org/
@ -33,14 +33,6 @@ Patch15: CVE-2023-6175.patch
Patch16: Fix-libvirt-build-fail.patch Patch16: Fix-libvirt-build-fail.patch
Patch17: CVE-2024-0208.patch Patch17: CVE-2024-0208.patch
Patch18: CVE-2024-0209.patch Patch18: CVE-2024-0209.patch
# https://gitlab.com/wireshark/wireshark/-/commit/28fdce547c417b868c521f87fb58f71ca6b1e3f7
Patch19: CVE-2023-0666.patch
Patch20: CVE-2024-4853.patch
Patch21: CVE-2024-4854.patch
Patch22: CVE-2024-4855.patch
Patch23: CVE-2024-8250.patch
Patch24: CVE-2024-24476.patch
Patch25: CVE-2024-8645.patch
Requires: xdg-utils Requires: xdg-utils
Requires: hicolor-icon-theme Requires: hicolor-icon-theme
@ -215,21 +207,6 @@ exit 0
%{_mandir}/man?/* %{_mandir}/man?/*
%changelog %changelog
* Wed Oct 09 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-12
- Fix CVE-2024-8645
* Mon Oct 07 2024 liningjie <liningjie@xfusion.com> - 1:3.6.14-11
- Fix CVE-2024-24476
* Fri Aug 30 2024 wangkai <13474090681@163.com> - 1:3.6.14-10
- Fix CVE-2024-8250
* Wed May 15 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-9
- Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855
* Mon Mar 25 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-8
- Fix CVE-2023-0666
* Thu Jan 04 2024 wangkai <13474090681@163.com> - 1:3.6.14-7 * Thu Jan 04 2024 wangkai <13474090681@163.com> - 1:3.6.14-7
- Fix CVE-2024-0208,CVE-2024-0209 - Fix CVE-2024-0208,CVE-2024-0209