diff mbox series

[meta-networking,kirkstone] wireshark: Backport fix for CVE-2024-2955

Message ID 20240328101931.31732-1-asharma@mvista.com
State New
Headers show
Series [meta-networking,kirkstone] wireshark: Backport fix for CVE-2024-2955 | expand

Commit Message

Ashish Sharma March 28, 2024, 10:19 a.m. UTC 
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341]

Signed-off-by: Ashish Sharma <asharma@mvista.com>
---
 .../wireshark/files/CVE-2024-2955.patch       | 52 +++++++++++++++++++
 .../wireshark/wireshark_3.4.12.bb             |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch
new file mode 100644
index 000000000..347943d42
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch
@@ -0,0 +1,52 @@ 
+From 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Wed, 6 Mar 2024 20:40:42 -0500
+Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope
+
+Fragment data can't be allocated in pinfo->pool scope, as it
+outlives the frame. Set it to be freed when the associated tvb
+is freed, as done in the main reassemble.c code.
+
+Fix #19695
+
+CVE: CVE-2024-2955
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ epan/dissectors/asn1/t38/packet-t38-template.c | 3 ++-
+ epan/dissectors/packet-t38.c                   | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c
+index 7b856626865..526b313d054 100644
+--- a/epan/dissectors/asn1/t38/packet-t38-template.c
++++ b/epan/dissectors/asn1/t38/packet-t38-template.c
+@@ -325,8 +325,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
+ 	  last_fd=fd_i;
+ 	}
+ 
+-	data = (guint8 *) wmem_alloc(pinfo->pool, size);
++	data = (guint8 *) g_malloc(size);
+ 	fd_head->tvb_data = tvb_new_real_data(data, size, size);
++        tvb_set_free_cb(fd_head->tvb_data, g_free);
+ 	fd_head->len = size;		/* record size for caller	*/
+ 
+ 	/* add all data fragments */
+diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c
+index ca95ae8b64e..5083c936c5a 100644
+--- a/epan/dissectors/packet-t38.c
++++ b/epan/dissectors/packet-t38.c
+@@ -355,8 +355,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
+ 	  last_fd=fd_i;
+ 	}
+ 
+-	data = (guint8 *) wmem_alloc(pinfo->pool, size);
++	data = (guint8 *) g_malloc(size);
+ 	fd_head->tvb_data = tvb_new_real_data(data, size, size);
++        tvb_set_free_cb(fd_head->tvb_data, g_free);
+ 	fd_head->len = size;		/* record size for caller	*/
+ 
+ 	/* add all data fragments */
+-- 
+GitLab
+
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 41c363ad3..75c353283 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -29,6 +29,7 @@  SRC_URI += " \
     file://CVE-2022-4345.patch \
     file://CVE-2024-0208.patch \
     file://CVE-2023-4511.patch \
+    file://CVE-2024-2955.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"