From: Markus Koschany
Date: Thu, 24 Mar 2022 15:10:57 +0100
Subject: CVE-2021-4185
Origin: https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
---
 epan/dissectors/packet-rtmpt.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-rtmpt.c b/epan/dissectors/packet-rtmpt.c
index f043cc7..555daad 100644
--- a/epan/dissectors/packet-rtmpt.c
+++ b/epan/dissectors/packet-rtmpt.c
@@ -1893,6 +1893,11 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
 if (pinfo->fd->flags.visited) {
 /* Already done the work, so just dump the existing state */
+ /* XXX: If there's bogus sequence numbers and the
+ * tcp.analyze_sequence_numbers pref is TRUE, we can't actually
+ * assume that we processed this frame the first time around,
+ * since the TCP dissector might not have given it to us.
+ */
 wmem_stack_t *packets;
 /* List all RTMP packets terminating in this TCP segment, from end to beginning */
@@ -1901,10 +1906,18 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
 wmem_stack_push(packets, 0);
 tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], seq+remain-1);
- while (tp && tp->lastseq >= seq) {
+ while (tp && GE_SEQ(tp->lastseq, seq)) {
+ /* Sequence numbers can wrap around (especially with
+ * tcp.relative_sequence_numbers FALSE), so use the
+ * wrap around aware comparison from packet-tcp.h
+ */
 wmem_stack_push(packets, tp);
 if (tp->seq == 0) { // reached first segment.
+ /* XXX: Assuming tcp.relative_sequence_numbers
+ * is TRUE, that is, since on TCP we just
+ * reuse the sequence numbers from tcpinfo.
+ */
 break;
 }
 tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1);
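Review bot: The XXX comment added before `wmem_stack_t *packets;` names the hazard (a visited frame whose per-conversation state was never built because the TCP dissector did not hand it over on the first pass) but stops short of saying what the second pass does in that case, so the next maintainer has to re-derive whether the missing state is a crash or a harmless empty result. From the second hunk it appears the lookup then yields no packet satisfying the `while (tp && GE_SEQ(...))` condition and the loop is skipped, leaving only the 0 sentinel pushed by `wmem_stack_push(packets, 0)` on the stack; if that reading is right, state it in the comment, e.g. `* In that case nothing is found for this segment below and the dump loop is skipped.`, so the empty result is understood as the intended degradation rather than a bug. Whatever consumes `packets` afterwards is outside this hunk and should be checked for the sentinel-only case. The enclosing `if (pinfo->fd->flags.visited)` block and dissect_rtmpt_common itself both continue past the hunk.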