wireshark/CVE-2024-8250.patch
2024-08-30 10:33:38 +08:00


From be0e7c955d7efa628baa97447127c3434b575765 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sun, 28 Jul 2024 13:06:50 +0000
Subject: [PATCH] ntlmssp: Don't insert a key created on the stack into a hash
table
Origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/16640
We could change this table to an autoreset wmem_map as well.
Fix #19943
(cherry picked from commit 66dcd56f1eae615697b6588ac4778a61a5576391)
Co-authored-by: John Thacker <johnthacker@gmail.com>
---
epan/dissectors/packet-ntlmssp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index a538c204e61..d279d74eb53 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -2353,7 +2353,9 @@ decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length,
decrypted_payloads = g_slist_prepend(decrypted_payloads,
packet_ntlmssp_info->decrypted_payload);
if (key != NULL) {
- g_hash_table_insert(hash_packet, key, packet_ntlmssp_info);
+ uint8_t *perm_key = g_new(uint8_t, NTLMSSP_KEY_LEN);
+ memcpy(perm_key, key, NTLMSSP_KEY_LEN);
+ g_hash_table_insert(hash_packet, perm_key, packet_ntlmssp_info);
}
/* Do the decryption of the payload */
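Review bot: The new `perm_key` allocation inside `if (key != NULL)` has no comment saying why the copy is needed or who frees it, and the fix is easy to undo without one. I would add `/* hash_packet stores the key pointer, not its bytes: insert a heap copy owned by the table (freed by its key destroy function), never the caller's stack buffer */` above the `g_new` line. The `memcpy` also assumes `key` refers to at least `NTLMSSP_KEY_LEN` readable bytes; the declaration of `key` is outside this hunk, so that should be confirmed against it. decrypt_data_payload starts and ends outside the hunk.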
@@ -2803,7 +2805,7 @@ header_hash(gconstpointer pointer)
static gboolean
header_equal(gconstpointer pointer1, gconstpointer pointer2)
{
- if (!memcmp(pointer1, pointer2, 16)) {
+ if (!memcmp(pointer1, pointer2, NTLMSSP_KEY_LEN)) {
return TRUE;
}
else {
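Review bot: `header_equal` now compares `NTLMSSP_KEY_LEN` bytes, but `header_hash`, named in the hunk header, is not shown, and it must read the same number of bytes. Stored keys are now heap blocks of exactly `NTLMSSP_KEY_LEN` bytes, so a hash function that still hard-codes a length would over-read the allocation if the constant ever differs from it. Please check that `header_hash` uses `NTLMSSP_KEY_LEN` as well. As a style point, the if/else could be reduced to `return memcmp(pointer1, pointer2, NTLMSSP_KEY_LEN) == 0;`, though the rest of the body lies outside the hunk.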
@@ -2814,7 +2816,7 @@ header_equal(gconstpointer pointer1, gconstpointer pointer2)
static void
ntlmssp_init_protocol(void)
{
- hash_packet = g_hash_table_new(header_hash, header_equal);
+ hash_packet = g_hash_table_new_full(header_hash, header_equal, g_free, NULL);
}
static void
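Review bot: The `g_free` key destructor passed to `g_hash_table_new_full` in `ntlmssp_init_protocol` only runs when an entry is removed, when an insert hits an existing key, or when the table is destroyed. The matching cleanup routine is not visible here, so it should be confirmed that it destroys `hash_packet`; otherwise every copied key leaks each time the protocol state is re-initialised. A short comment would record the ownership split, for example `/* keys are heap copies owned by the table; values are owned elsewhere and not freed here */`.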
--
GitLab