Resolves: RHEL-62013 - Improper Handling of Missing Values in Wireshark

2024-10-15 15:39:01 +02:00 · 2024-10-15 15:39:01 +02:00 · a26d30dee6
commit a26d30dee6
parent b6d59e63b8
2 changed files with 169 additions and 1 deletions
--- a/wireshark-0011-CVE-2024-9781.patch
+++ b/wireshark-0011-CVE-2024-9781.patch
@ -0,0 +1,164 @@
+From cad248ce3bf53026cc837fedeaca65d0f20ea3b5 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 8 Oct 2024 11:56:28 -0700
+Subject: [PATCH] AppleTalk: Make sure we have valid addresses
+
+Make sure ATP, ZIP, and ASP have valid addresses. Use sizeof instead of
+a hard-coded value in a few places.
+
+Fixes #20114
+
+(cherry picked from commit 3de741321f85c205c0a8266c40f33cb0013bd1d2)
+
+Conflicts:
+	epan/dissectors/packet-atalk.c
+  epan/dissectors/packet-reload-framing.c
+---
+ epan/dissectors/packet-atalk.c | 44 ++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+ epan/dissectors/packet-reload-framing.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-atalk.c b/epan/dissectors/packet-atalk.c
+index 396e7af5194..065d6aedb68 100644
+--- a/epan/dissectors/packet-atalk.c
+++ b/epan/dissectors/packet-atalk.c
+@@ -232,9 +232,18 @@ static int hf_asp_attn_code     = -1;
+ static int hf_asp_seq           = -1;
+ static int hf_asp_size          = -1;
+ 
+/*
+ * Structure used to represent a DDP address; gives the layout of the
+ * data pointed to by an Appletalk "address" structure.
+ */
+struct atalk_ddp_addr {
+  guint16 net;
+  guint8 node;
+};
+
+ typedef struct {
+   guint32 conversation;
+-  guint8  src[4];
+  guint8  src[sizeof(struct atalk_ddp_addr)];
+   guint16 tid;
+ } asp_request_key;
+ 
+@@ -502,6 +511,10 @@ static const value_string asp_error_vals[] = {
+   {0,                   NULL } };
+ value_string_ext asp_error_vals_ext = VALUE_STRING_EXT_INIT(asp_error_vals);
+ 
+static bool is_ddp_address(address *addr) {
+  return addr->type == atalk_address_type && addr->len == sizeof(struct atalk_ddp_addr);
+}
+
+ /*
+  * hf_index must be a FT_UINT_STRING type
+  * Are these always in a Mac extended character set?  Should we have a
+@@ -744,6 +757,12 @@ dissect_atp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+   conversation_t  *conversation;
+   asp_request_val *request_val   = NULL;
+ 
+  // ATP is carried over DDP
+  if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+    return 0;
+  }
+
+
+   col_set_str(pinfo->cinfo, COL_PROTOCOL, "ATP");
+ 
+   ctrlinfo = tvb_get_guint8(tvb, offset);
+@@ -770,7 +789,7 @@ dissect_atp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+     asp_request_key request_key;
+ 
+     request_key.conversation = conversation->conv_index;
+-    memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, 4);
+    memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr));
+     request_key.tid = atp_asp_dsi_info.tid;
+ 
+     request_val = (asp_request_val *) wmem_map_lookup(atp_request_hash, &request_key);
+@@ -1018,7 +1037,7 @@ get_transaction(tvbuff_t *tvb, packet_info *pinfo, struct atp_asp_dsi_info *atp_
+   conversation = find_or_create_conversation(pinfo);
+ 
+   request_key.conversation = conversation->conv_index;
+-  memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, 4);
+  memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr));
+   request_key.tid = atp_asp_dsi_info->tid;
+ 
+   request_val = (asp_request_val *) wmem_map_lookup(asp_request_hash, &request_key);
+@@ -1051,6 +1070,11 @@ dissect_asp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+   if (data == NULL)
+     return 0;
+ 
+  // ASP is carried over ATP/DDP
+  if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+    return 0;
+  }
+
+   col_set_str(pinfo->cinfo, COL_PROTOCOL, "ASP");
+   col_clear(pinfo->cinfo, COL_INFO);
+ 
+@@ -1183,15 +1207,6 @@ dissect_asp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+ /* -----------------------------
+    ZIP protocol cf. inside appletalk chap. 8
+ */
+-/*
+- * Structure used to represent a DDP address; gives the layout of the
+- * data pointed to by an Appletalk "address" structure.
+- */
+-struct atalk_ddp_addr {
+-    guint16 net;
+-    guint8  node;
+-};
+-
+ 
+ static int atalk_str_len(const address* addr _U_)
+ {
+@@ -1241,6 +1256,11 @@ dissect_atp_zip(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
+   if (data == NULL)
+     return 0;
+ 
+  // ATP ZIP is carried over DDP
+  if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+    return 0;
+  }
+
+   col_set_str(pinfo->cinfo, COL_PROTOCOL, "ZIP");
+   col_clear(pinfo->cinfo, COL_INFO);
+ 
+diff --git a/epan/dissectors/packet-reload-framing.c b/epan/dissectors/packet-reload-framing.c
+index eac1744c315..688068bbe61 100644
+--- a/epan/dissectors/packet-reload-framing.c
+++ b/epan/dissectors/packet-reload-framing.c
+@@ -124,8 +124,14 @@ dissect_reload_framing_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tr
+   effective_length = tvb_captured_length(tvb);
+ 
+   /* First, make sure we have enough data to do the check. */
+-  if (effective_length < MIN_HDR_LENGTH)
+  if (effective_length < MIN_HDR_LENGTH) {
+     return 0;
+  }
+
+  /* Next, make sure we can create transaction ID keys. */
+  if (!(pinfo->src.data && pinfo->dst.data)) {
+    return 0;
+  }
+ 
+   conversation = find_conversation_pinfo(pinfo, 0);
+   if (conversation)
+@@ -194,14 +200,14 @@ dissect_reload_framing_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tr
+     transaction_id_key[1].length = 1;
+     transaction_id_key[1].key    = &pinfo->srcport;
+     transaction_id_key[2].length = (pinfo->src.len) / (guint)sizeof(guint32);
+-    transaction_id_key[2].key    = (guint32 *)g_malloc(pinfo->src.len);
+    transaction_id_key[2].key    = (guint32 *)wmem_alloc(wmem_file_scope(), pinfo->src.len);
+     memcpy(transaction_id_key[2].key, pinfo->src.data, pinfo->src.len);
+   }
+   else {
+     transaction_id_key[1].length = 1;
+     transaction_id_key[1].key    = &pinfo->destport;
+     transaction_id_key[2].length = (pinfo->dst.len) / (guint)sizeof(guint32);
+-    transaction_id_key[2].key    = (guint32 *)g_malloc(pinfo->dst.len);
+    transaction_id_key[2].key    = (guint32 *)wmem_alloc(wmem_file_scope(), pinfo->dst.len);
+     memcpy(transaction_id_key[2].key, pinfo->dst.data, pinfo->dst.len);
+   }
+   transaction_id_key[3].length=0;
--- a/wireshark.spec
+++ b/wireshark.spec
@ -6,7 +6,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	4.2.6
-Release:	2%{?dist}
+Release:	3%{?dist}
 Epoch:		1
 License:	BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause AND MIT AND GPL-2.0-or-later AND LGPL-2.0-or-later AND Zlib AND ISC AND (BSD-3-Clause OR GPL-2.0-only) AND (GPL-2.0-or-later AND Zlib)
 Url:		http://www.wireshark.org/
@ -30,6 +30,7 @@ Patch7:   wireshark-0007-cmakelists.patch
 Patch8:   wireshark-0008-pkgconfig.patch
 Patch9:   wireshark-0009-sync-pipe-stderr-messages.patch
 Patch10:  wireshark-0010-CVE-2024-8250.patch
+Patch11:  wireshark-0011-CVE-2024-9781.patch

 #install tshark together with wireshark GUI
 Requires:	%{name}-cli = %{epoch}:%{version}-%{release}
@ -282,6 +283,9 @@ fi
 %{_libdir}/pkgconfig/%{name}.pc

 %changelog
+* Tue Oct 15 2024 Michal Ruprich <mruprich@redhat.com> - 1:4.2.6-3
+- Resolves: RHEL-62013 - Improper Handling of Missing Values in Wireshark
+
 * Fri Sep 27 2024 Michal Ruprich <mruprich@redhat.com> - 1:4.2.6-2
 - Resolves: RHEL-56505 - NTLMSSP dissector crash