rpms/wireshark
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #2211413 - XRA dissector infinite loop

Browse Source
This commit is contained in:
Michal Ruprich 2023-06-19 11:01:04 +02:00
parent 0ad1647cc3
commit 5f037f52f2
2 changed files with 103 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
wireshark-0017-cve-2023-2952.patch Normal file
View File

@ -0,0 +1,98 @@
From e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Tue, 23 May 2023 13:52:03 -0700
Subject: [PATCH] XRA: Fix an infinite loop
C compilers don't care what size a value was on the wire. Use
naturally-sized ints, including in dissect_message_channel_mb where we
would otherwise overflow and loop infinitely.
Fixes #19100
(cherry picked from commit ce87eac0325581b600b3093fcd75080df14ccfda)
Conflicts:
epan/dissectors/packet-xra.c
---
epan/dissectors/packet-xra.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
index ef8437e9382..4c3713db94b 100644
--- a/epan/dissectors/packet-xra.c
+++ b/epan/dissectors/packet-xra.c
@@ -445,7 +445,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
while (tlv_index < tlv_length) {
guint8 type = tvb_get_guint8 (tvb, tlv_index);
++tlv_index;
@@ -500,7 +500,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
while (tlv_index < tlv_length) {
guint8 type = tvb_get_guint8 (tvb, tlv_index);
++tlv_index;
@@ -534,7 +534,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
while (tlv_index < tlv_length) {
guint8 type = tvb_get_guint8 (tvb, tlv_index);
++tlv_index;
@@ -574,7 +574,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
while (tlv_index < tlv_length) {
@@ -718,7 +718,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
if(packet_start_pointer_field_present) {
proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
- guint16 docsis_start = 3 + packet_start_pointer;
+ unsigned docsis_start = 3 + packet_start_pointer;
while (docsis_start + 6 < remaining_length) {
/*DOCSIS header in packet*/
guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
@@ -727,7 +727,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
docsis_start += 1;
continue;
}
- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
if (docsis_start + 6 + docsis_length <= remaining_length) {
/*DOCSIS packet included in packet*/
tvbuff_t *docsis_tvb;
@@ -797,7 +797,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
static int
dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
- guint16 offset = 0;
+ int offset = 0;
proto_tree *plc_tree;
proto_item *plc_item;
tvbuff_t *mb_tvb;
@@ -857,7 +857,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
static int
dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
- guint16 offset = 0;
+ int offset = 0;
proto_tree *ncp_tree;
proto_item *ncp_item;
tvbuff_t *ncp_mb_tvb;
--
GitLab

6
wireshark.spec
View File

@ -6,7 +6,7 @@
Summary: Network traffic analyzer Summary: Network traffic analyzer
Name: wireshark Name: wireshark
Version: 3.4.10 Version: 3.4.10
Release: 5%{?dist} Release: 6%{?dist}
Epoch: 1 Epoch: 1
License: GPL+ License: GPL+
Url: http://www.wireshark.org/ Url: http://www.wireshark.org/
@ -35,6 +35,7 @@ Patch0013: wireshark-0013-cve-2023-0666.patch
Patch0014: wireshark-0014-cve-2023-2858.patch Patch0014: wireshark-0014-cve-2023-2858.patch
Patch0015: wireshark-0015-cve-2023-2856.patch Patch0015: wireshark-0015-cve-2023-2856.patch
Patch0016: wireshark-0016-cve-2023-2855.patch Patch0016: wireshark-0016-cve-2023-2855.patch
Patch0017: wireshark-0017-cve-2023-2952.patch
#install tshark together with wireshark GUI #install tshark together with wireshark GUI
Requires: %{name}-cli = %{epoch}:%{version}-%{release} Requires: %{name}-cli = %{epoch}:%{version}-%{release}
@ -282,6 +283,9 @@ fi
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
%changelog %changelog
* Mon Jun 19 2023 Michal Ruprich <mruprich@redhat.com> - 1:3.4.10-6
- Resolves: #2211413 - XRA dissector infinite loop
* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 1:3.4.10-5 * Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 1:3.4.10-5
- Resolves: #2210864 - Candump log file parser crash - Resolves: #2210864 - Candump log file parser crash
Resolves: #2210865 - VMS TCPIPtrace file parser crash Resolves: #2210865 - VMS TCPIPtrace file parser crash