From: Markus Koschany <apo@debian.org>
Date: Thu, 24 Mar 2022 15:10:57 +0100
Subject: CVE-2021-4185
Origin: https://gitlab.com/wireshark/wireshark/-/commit/a0084bd76f45f9566bd94c49d7fb7571e0d4bdaa
---
epan/dissectors/packet-rtmpt.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-rtmpt.c b/epan/dissectors/packet-rtmpt.c
index f043cc7..555daad 100644
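--- a/epan/dissectors/packet-rtmpt.c
+++ b/epan/dissectors/packet-rtmpt.c
@@ -1893,6 +1893,11 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
 
 if (pinfo->fd->flags.visited) {
 /* Already done the work, so just dump the existing state */
+ /* XXX: If there's bogus sequence numbers and the
+ * tcp.analyze_sequence_numbers pref is TRUE, we can't actually
+ * assume that we processed this frame the first time around,
+ * since the TCP dissector might not have given it to us.
+ */
 wmem_stack_t *packets;
 
 /* List all RTMP packets terminating in this TCP segment, from end to beginning */
@@ -1901,10 +1906,18 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
 wmem_stack_push(packets, 0);
 
 tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], seq+remain-1);
- while (tp && tp->lastseq >= seq) {
+ while (tp && GE_SEQ(tp->lastseq, seq)) {
+ /* Sequence numbers can wrap around (especially with
+ * tcp.relative_sequence_numbers FALSE), so use the
+ * wrap around aware comparison from packet-tcp.h
+ */
 wmem_stack_push(packets, tp);
 if (tp->seq == 0) {
 // reached first segment.
+ /* XXX: Assuming tcp.relative_sequence_numbers
+ * is TRUE, that is, since on TCP we just
+ * reuse the sequence numbers from tcpinfo.
+ */
 break;
 }
 tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1);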
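Review bot: The loop at `while (tp && GE_SEQ(tp->lastseq, seq))` in the second hunk still has no explicit progress check. It exits only on `tp->seq == 0`, which the added XXX comment says holds only when tcp.relative_sequence_numbers is TRUE, or when `wmem_tree_lookup32_le(..., tp->seq-1)` returns an entry that fails the comparison. The tree lookup orders keys as plain 32-bit values while `GE_SEQ` is wrap-aware, so if the insert key (not visible in this hunk) can sit at or below `tp->seq-1` for the same packet after a wrap, the lookup could presumably return the same `tp` and the loop would keep pushing it. A cheap guard is to take the lookup into a temporary and stop when it makes no progress, e.g. `next = wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1); if (next == tp) break; tp = next;`. The loop body and the rest of dissect_rtmpt_common continue past the end of the hunk, so confirm nothing later already covers this.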