Message ID | 20240328061902.188059-1-vanusuri@mvista.com |
---|---|
State | New |
Headers | show |
Series | [meta-networking,dunfell] wireshark: Fix for CVE-2023-4511 | expand |
Hi Armin, Any Update on this ? Thanks & Regards, Vijay On Thu, Mar 28, 2024 at 11:49 AM <vanusuri@mvista.com> wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Upstream-Status: Backport from > https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../wireshark/files/CVE-2023-4511.patch | 81 +++++++++++++++++++ > .../wireshark/wireshark_3.2.18.bb | 1 + > 2 files changed, 82 insertions(+) > create mode 100644 > meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch > > diff --git > a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch > b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch > new file mode 100644 > index 000000000..fbbdf0cfc > --- /dev/null > +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch > @@ -0,0 +1,81 @@ > +From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001 > +From: John Thacker <johnthacker@gmail.com> > +Date: Thu, 10 Aug 2023 05:29:09 -0400 > +Subject: [PATCH] btsdp: Keep offset advancing > + > +hf_data_element_value is a FT_NONE, so we can add the item with > +the expected length and get_hfi_length() will adjust the length > +without throwing an exception. There's no need to add it with > +zero length and call proto_item_set_len. Also, don't increment > +the offset by 0 instead of the real length when there isn't > +enough data in the packet, as that can lead to failing to advance > +the offset. > + > +When dissecting a sequence type (sequence or alternative) and > +recursing into the sequence member, instead of using the main > +packet tvb directly, create a subset using the indicated length > +of the sequence. That will properly throw an exception if a > +contained item is larger than the containing sequence, instead of > +dissecting the same bytes as several different items (inside > +the sequence recursively, as well in the outer loop.) > + > +Fix #19258 > + > +Upstream-Status: Backport [ > https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9 > ] > +CVE: CVE-2023-4511 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + epan/dissectors/packet-btsdp.c | 15 ++++++++------- > + 1 file changed, 8 insertions(+), 7 deletions(-) > + > +diff --git a/epan/dissectors/packet-btsdp.c > b/epan/dissectors/packet-btsdp.c > +index 529bb71..f18d531 100644 > +--- a/epan/dissectors/packet-btsdp.c > ++++ b/epan/dissectors/packet-btsdp.c > +@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree > **next_tree, > + offset += len - length; > + } > + > +- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, > offset, 0, ENC_NA); > ++ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, > offset, length, ENC_NA); > + if (length > tvb_reported_length_remaining(tvb, offset)) { > + expert_add_info(pinfo, pitem, &ei_data_element_value_large); > +- length = 0; > +- } > +- proto_item_set_len(pitem, length); > +- if (length == 0) > ++ proto_item_append_text(pitem, ": MISSING"); > ++ } else if (length == 0) > + proto_item_append_text(pitem, ": MISSING"); > + > + if (next_tree) *next_tree = proto_item_add_subtree(pitem, > ett_btsdp_data_element_value); > +@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info > *pinfo, tvbuff_t *tvb, > + gint bytes_to_go = size; > + gint first = 1; > + wmem_strbuf_t *substr; > ++ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, > size); > ++ gint next_offset = 0; > + > + ti = proto_tree_add_item(next_tree, (type == 6) ? > hf_data_element_value_sequence : hf_data_element_value_alternative, > + tvb, offset, size, ENC_NA); > +@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info > *pinfo, tvbuff_t *tvb, > + first = 0; > + } > + > +- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, > service_uuid, > ++ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset, > ++ attribute, service_uuid, > + service_did_vendor_id, service_did_vendor_id_source, > + service_hdp_data_exchange_specification, > service_info, &substr); > + if (size < 1) { > + break; > + } > + wmem_strbuf_append_printf(info_buf, "%s ", > wmem_strbuf_get_str(substr)); > +- offset += size ; > ++ next_offset += size; > + bytes_to_go -= size; > + } > + > +-- > +2.25.1 > + > diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb > b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb > index 8054cbb5a..8af0e6aa5 100644 > --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb > +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb > @@ -23,6 +23,7 @@ SRC_URI = " > https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz > file://CVE-2022-4345.patch \ > file://CVE-2024-0208.patch \ > file://CVE-2023-1992.patch \ > + file://CVE-2023-4511.patch \ > " > UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" > > -- > 2.25.1 > >
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch new file mode 100644 index 000000000..fbbdf0cfc --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch @@ -0,0 +1,81 @@ +From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 10 Aug 2023 05:29:09 -0400 +Subject: [PATCH] btsdp: Keep offset advancing + +hf_data_element_value is a FT_NONE, so we can add the item with +the expected length and get_hfi_length() will adjust the length +without throwing an exception. There's no need to add it with +zero length and call proto_item_set_len. Also, don't increment +the offset by 0 instead of the real length when there isn't +enough data in the packet, as that can lead to failing to advance +the offset. + +When dissecting a sequence type (sequence or alternative) and +recursing into the sequence member, instead of using the main +packet tvb directly, create a subset using the indicated length +of the sequence. That will properly throw an exception if a +contained item is larger than the containing sequence, instead of +dissecting the same bytes as several different items (inside +the sequence recursively, as well in the outer loop.) + +Fix #19258 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9] +CVE: CVE-2023-4511 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + epan/dissectors/packet-btsdp.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c +index 529bb71..f18d531 100644 +--- a/epan/dissectors/packet-btsdp.c ++++ b/epan/dissectors/packet-btsdp.c +@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree, + offset += len - length; + } + +- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA); ++ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA); + if (length > tvb_reported_length_remaining(tvb, offset)) { + expert_add_info(pinfo, pitem, &ei_data_element_value_large); +- length = 0; +- } +- proto_item_set_len(pitem, length); +- if (length == 0) ++ proto_item_append_text(pitem, ": MISSING"); ++ } else if (length == 0) + proto_item_append_text(pitem, ": MISSING"); + + if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value); +@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, + gint bytes_to_go = size; + gint first = 1; + wmem_strbuf_t *substr; ++ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size); ++ gint next_offset = 0; + + ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative, + tvb, offset, size, ENC_NA); +@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, + first = 0; + } + +- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid, ++ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset, ++ attribute, service_uuid, + service_did_vendor_id, service_did_vendor_id_source, + service_hdp_data_exchange_specification, service_info, &substr); + if (size < 1) { + break; + } + wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr)); +- offset += size ; ++ next_offset += size; + bytes_to_go -= size; + } + +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index 8054cbb5a..8af0e6aa5 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb @@ -23,6 +23,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz file://CVE-2022-4345.patch \ file://CVE-2024-0208.patch \ file://CVE-2023-1992.patch \ + file://CVE-2023-4511.patch \ " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"