rpms/wireshark
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-69442 - Rebase wireshark to 4.4.2

Browse Source 
Resolves: RHEL-68453 - Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark
Resolves: RHEL-68452 - Buffer Over-read in Wireshark
This commit is contained in:
Michal Ruprich 2024-11-28 15:59:29 +01:00
parent 5362bf2241
commit bb5dee6296
8 changed files with 44 additions and 868 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (wireshark-4.2.6.tar.xz) = 265bbc50787ba15646a8a4602e2598bb58494aee496b14a2392293862725320674f7084c7c00de5f9db41dbfc2eb23d88fd8e6b72f3c4036067192b44da22516
SHA512 (SIGNATURES-4.2.6.txt) = 287342d1ccb36326a9bab5e50c48442a41b599e258611e9046eedb078a84f2840d16f29f91b1259b3b4d37486e48d85596192ea5c6b9d1fa7ad3e78543193e0b
SHA512 (wireshark-4.4.2.tar.xz) = df80c98a2d00ba46a853acfe3aec9dfc0d4484f490a276b8b8390b6d108634b7e0fa38e8f02f8d93afe5c2394c463a0d89611027032898d7d0390d2111b70ca6
SHA512 (SIGNATURES-4.4.2.txt) = c809085b69c909702b3390b93891a19b8a8c0812d448ac9399eb59991618737b3bfeb737bd569267dcffc46290d59b34664f967e88c1a38b1678faaecd76d445

12
wireshark-0003-fix-string-overrun-in-plugins-profinet.patch
View File

@ -8,11 +8,11 @@ index 52c5017e1f..fb980269db 100644
--- a/plugins/epan/profinet/packet-dcom-cba.c
+++ b/plugins/epan/profinet/packet-dcom-cba.c
@@ -543,7 +543,7 @@ dissect_ICBAPhysicalDevice_get_LogicalDevice_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
guint32 u32Pointer;
- gchar szStr[1000];
+ gchar szStr[1000] = "";
guint32 u32MaxStr = sizeof(szStr);
gchar *call;
uint32_t u32Pointer;
- char szStr[1000];
+ char szStr[1000] = "";
uint32_t u32MaxStr = sizeof(szStr);
char *call;

42
wireshark-0006-Move-tmp-to-var-tmp.patch
View File

@ -18,27 +18,6 @@ to use different directory on different filesystem.
create mode 100644 wsutil/wstmpdir.c
create mode 100644 wsutil/wstmpdir.h
diff --git a/ui/qt/about_dialog.cpp b/ui/qt/about_dialog.cpp
index 752b669ac4..42c2be0fca 100644
--- a/ui/qt/about_dialog.cpp
+++ b/ui/qt/about_dialog.cpp
@@ -14,6 +14,7 @@
#include "main_application.h"
#include <wsutil/filesystem.h>
+#include <wsutil/wstmpdir.h> /* for get_tmp_dir() */
#include <QDesktopServices>
#include <QUrl>
@@ -185,7 +186,7 @@ FolderListModel::FolderListModel(QObject * parent):
appendRow(QStringList() << tr("\"File\" dialogs") << get_open_dialog_initial_dir() << tr("capture files"));
/* temp */
- appendRow(QStringList() << tr("Temp") << (global_capture_opts.temp_dir && global_capture_opts.temp_dir[0] ? global_capture_opts.temp_dir : g_get_tmp_dir()) << tr("untitled capture files"));
+ appendRow(QStringList() << tr("Temp") << (global_capture_opts.temp_dir && global_capture_opts.temp_dir[0] ? global_capture_opts.temp_dir : get_tmp_dir()) << tr("untitled capture files"));
/* pers conf */
appendRow(QStringList() << tr("Personal configuration")
diff --git a/ui/qt/iax2_analysis_dialog.cpp b/ui/qt/iax2_analysis_dialog.cpp
index 07b9b42e01..fb09de989b 100644
--- a/ui/qt/iax2_analysis_dialog.cpp
@ -272,3 +251,24 @@ index 0000000000..07ac5837ac
--
2.37.3
diff --git a/ui/qt/about_dialog.cpp b/ui/qt/about_dialog.cpp
index ea11122..982ba1a 100644
--- a/ui/qt/about_dialog.cpp
+++ b/ui/qt/about_dialog.cpp
@@ -14,6 +14,7 @@
#include "main_application.h"
#include <wsutil/filesystem.h>
+#include <wsutil/wstmpdir.h> /* for get_tmp_dir() */
#include <QDesktopServices>
#include <QUrl>
@@ -204,7 +205,7 @@ FolderListModel::FolderListModel(QObject * parent):
appendRow(QStringList() << tr("\"File\" dialog location") << get_open_dialog_initial_dir() << tr("Capture files"));
/* temp */
- appendRow(QStringList() << tr("Temp") << (global_capture_opts.temp_dir && global_capture_opts.temp_dir[0] ? global_capture_opts.temp_dir : g_get_tmp_dir())
+ appendRow(QStringList() << tr("Temp") << (global_capture_opts.temp_dir && global_capture_opts.temp_dir[0] ? global_capture_opts.temp_dir : get_tmp_dir())
<< tr("Untitled capture files"));
/* pers conf */

13
wireshark-0008-pkgconfig.patch
View File

@ -1,13 +1,12 @@
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 27fa752..7bdc036 100644
index 17fa031..6876018 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -4037,9 +4037,6 @@ install(
"${CMAKE_BINARY_DIR}/wireshark.pc"
DESTINATION
${CMAKE_INSTALL_LIBDIR}/pkgconfig
- COMPONENT
- "Development"
@@ -4175,8 +4175,6 @@ endif()
install(FILES "${CMAKE_BINARY_DIR}/resources/wireshark.pc"
DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
- COMPONENT "Development"
- EXCLUDE_FROM_ALL
)

612
wireshark-0009-sync-pipe-stderr-messages.patch
View File

@ -1,612 +0,0 @@
From 4a454d8d626ade8804d2d492c796939d82b484b6 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Thu, 28 Dec 2023 20:18:38 -0500
Subject: [PATCH] dumpcap: Don't use fd 2 (stderr) for the sync pipe
Don't use stderr for the sync pipe, because third party libraries
and functions sometimes pollute stderr with other information.
Instead, pass the information necessary to dumpcap as a parameter
to the special capture child option -Z.
On UN*X, that means passing the sync pipe write file descriptor, as
the child is created by fork + exec and shares the file descriptor table.
On Windows, the child process does not share the file descriptor table,
but it does share the HANDLE value for inherited handles, so pass that
instead. (The HANDLE is a void* and technically 64 bit, but only the
lower 32 bits are used for inherited handles that can be shared
and it is permissible to truncate:
https://learn.microsoft.com/en-us/windows/win32/procthread/inheritance
https://learn.microsoft.com/en-us/windows/win32/winprog64/interprocess-communication
https://learn.microsoft.com/en-us/windows/win32/WinProg64/rules-for-using-pointers
though perhaps in the future casting to an intptr_t makes more sense.)
Move the special Windows named signal pipe to its own long option
instead of using the parameter from the capture child option.
This means that we alter argv inside sync_pipe_open_command so change
the static functions and free argv there. Once glib 2.68 and later is
required a GStrvBuilder could be used instead.
Fix #12222
---
capture/capture_sync.c | 105 ++++++++++++++++++++---------------------
dumpcap.c | 85 +++++++++++++++++++++++----------
2 files changed, 112 insertions(+), 78 deletions(-)
diff --git a/capture/capture_sync.c b/capture/capture_sync.c
index 5c70baa6dfb..aa29a0b7ff7 100644
--- a/capture/capture_sync.c
+++ b/capture/capture_sync.c
@@ -115,14 +115,6 @@ static ssize_t pipe_read_block(GIOChannel *pipe_io, char *indicator, int len, ch
static void (*fetch_dumpcap_pid)(ws_process_id) = NULL;
-static void free_argv(char** argv, int argc)
-{
- int i;
- for (i = 0; i < argc; i++)
- g_free(argv[i]);
- g_free(argv);
-}
-
void
capture_session_init(capture_session *cap_session, capture_file *cf,
new_file_fn new_file, new_packets_fn new_packets,
@@ -202,6 +194,8 @@ void capture_process_finished(capture_session *cap_session)
/* Append an arg (realloc) to an argc/argv array */
/* (add a string pointer to a NULL-terminated array of string pointers) */
+/* XXX: For glib >= 2.68 we could use a GStrvBuilder.
+ */
static char **
sync_pipe_add_arg(char **args, int *argc, const char *arg)
{
@@ -277,12 +271,12 @@ pipe_io_cb(GIOChannel *pipe_io, GIOCondition condition _U_, void * user_data)
#define PIPE_BUF_SIZE 5120
static int
#ifdef _WIN32
-sync_pipe_open_command(char* const argv[], int *data_read_fd,
+sync_pipe_open_command(char **argv, int *data_read_fd,
GIOChannel **message_read_io, int *signal_write_fd,
ws_process_id *fork_child, GArray *ifaces,
char **msg, void(*update_cb)(void))
#else
-sync_pipe_open_command(char* const argv[], int *data_read_fd,
+sync_pipe_open_command(char **argv, int *data_read_fd,
GIOChannel **message_read_io, int *signal_write_fd _U_,
ws_process_id *fork_child, GArray *ifaces _U_,
char **msg, void(*update_cb)(void))
@@ -290,6 +284,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
{
enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
int message_read_fd = -1;
+ char sync_id[ARGV_NUMBER_LEN];
#ifdef _WIN32
HANDLE sync_pipe[2]; /* pipe used to send messages from child to parent */
HANDLE data_pipe[2]; /* pipe used to send data from child to parent */
@@ -320,6 +315,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
if (!msg) {
/* We can't return anything */
+ g_strfreev(argv);
#ifdef _WIN32
g_string_free(args, true);
#endif
@@ -338,6 +334,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
/* Couldn't create the message pipe between parent and child. */
*msg = ws_strdup_printf("Couldn't create sync pipe: %s",
win32strerror(GetLastError()));
+ g_strfreev(argv);
return -1;
}
@@ -351,6 +348,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
message_read_fd = _open_osfhandle( (intptr_t) sync_pipe[PIPE_READ], _O_BINARY);
if (message_read_fd == -1) {
*msg = ws_strdup_printf("Couldn't get C file handle for message read pipe: %s", g_strerror(errno));
+ g_strfreev(argv);
CloseHandle(sync_pipe[PIPE_READ]);
CloseHandle(sync_pipe[PIPE_WRITE]);
return -1;
@@ -363,6 +361,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
/* Couldn't create the message pipe between parent and child. */
*msg = ws_strdup_printf("Couldn't create data pipe: %s",
win32strerror(GetLastError()));
+ g_strfreev(argv);
ws_close(message_read_fd); /* Should close sync_pipe[PIPE_READ] */
CloseHandle(sync_pipe[PIPE_WRITE]);
return -1;
@@ -378,6 +377,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
*data_read_fd = _open_osfhandle( (intptr_t) data_pipe[PIPE_READ], _O_BINARY);
if (*data_read_fd == -1) {
*msg = ws_strdup_printf("Couldn't get C file handle for data read pipe: %s", g_strerror(errno));
+ g_strfreev(argv);
CloseHandle(data_pipe[PIPE_READ]);
CloseHandle(data_pipe[PIPE_WRITE]);
ws_close(message_read_fd); /* Should close sync_pipe[PIPE_READ] */
@@ -398,6 +398,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
/* Couldn't create the signal pipe between parent and child. */
*msg = ws_strdup_printf("Couldn't create signal pipe: %s",
win32strerror(GetLastError()));
+ g_strfreev(argv);
ws_close(message_read_fd); /* Should close sync_pipe[PIPE_READ] */
CloseHandle(sync_pipe[PIPE_WRITE]);
return -1;
@@ -414,6 +415,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
if (signal_pipe_write_fd == -1) {
/* Couldn't create the pipe between parent and child. */
*msg = ws_strdup_printf("Couldn't get C file handle for sync pipe: %s", g_strerror(errno));
+ g_strfreev(argv);
ws_close(message_read_fd); /* Should close sync_pipe[PIPE_READ] */
CloseHandle(sync_pipe[PIPE_WRITE]);
CloseHandle(signal_pipe);
@@ -439,7 +441,25 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
si.hStdInput = NULL; /* handle for named pipe*/
si.hStdOutput = data_pipe[PIPE_WRITE];
}
- si.hStdError = sync_pipe[PIPE_WRITE];
+ si.hStdError = GetStdHandle(STD_ERROR_HANDLE);
+
+ /* On Windows, "[a]n inherited handle refers to the same object in the child
+ * process as it does in the parent process. It also has the same value."
+ * https://learn.microsoft.com/en-us/windows/win32/procthread/inheritance
+ * When converted to a file descriptor (via _open_osfhandle), the fd
+ * value is not necessarily the same in the two processes, but the handle
+ * value can be shared.
+ * A HANDLE is a void* though "64-bit versions of Windows use 32-bit handles
+ * for interoperability... only the lower 32 bits are significant, so it is
+ * safe to truncate the handle... or sign-extend the handle"
+ * https://learn.microsoft.com/en-us/windows/win32/winprog64/interprocess-communication
+ * So it should be fine to call PtrToLong instead of casting to intptr_t.
+ * https://learn.microsoft.com/en-us/windows/win32/WinProg64/rules-for-using-pointers
+ */
+ int argc = g_strv_length(argv);
+ argv = sync_pipe_add_arg(argv, &argc, "-Z");
+ snprintf(sync_id, ARGV_NUMBER_LEN, "%ld", PtrToLong(sync_pipe[PIPE_WRITE]));
+ argv = sync_pipe_add_arg(argv, &argc, sync_id);
#endif
if (ifaces) {
@@ -458,7 +478,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
if (si.hStdOutput && (si.hStdOutput != si.hStdInput)) {
handles[i_handles++] = si.hStdOutput;
}
- handles[i_handles++] = si.hStdError;
+ handles[i_handles++] = sync_pipe[PIPE_WRITE];
if (ifaces) {
for (j = 0; j < ifaces->len; j++) {
interface_opts = &g_array_index(ifaces, interface_options, j);
@@ -491,6 +511,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
}
ws_close(message_read_fd); /* Should close sync_pipe[PIPE_READ] */
CloseHandle(sync_pipe[PIPE_WRITE]);
+ g_strfreev(argv);
g_string_free(args, true);
g_free(handles);
return -1;
@@ -498,6 +519,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
*fork_child = pi.hProcess;
/* We may need to store this and close it later */
CloseHandle(pi.hThread);
+ g_strfreev(argv);
g_string_free(args, true);
g_free(handles);
@@ -509,6 +531,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
if (pipe(sync_pipe) < 0) {
/* Couldn't create the message pipe between parent and child. */
*msg = ws_strdup_printf("Couldn't create sync pipe: %s", g_strerror(errno));
+ g_strfreev(argv);
return -1;
}
@@ -517,6 +540,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
if (pipe(data_pipe) < 0) {
/* Couldn't create the data pipe between parent and child. */
*msg = ws_strdup_printf("Couldn't create data pipe: %s", g_strerror(errno));
+ g_strfreev(argv);
ws_close(sync_pipe[PIPE_READ]);
ws_close(sync_pipe[PIPE_WRITE]);
return -1;
@@ -533,11 +557,16 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
ws_close(data_pipe[PIPE_READ]);
ws_close(data_pipe[PIPE_WRITE]);
}
- dup2(sync_pipe[PIPE_WRITE], 2);
ws_close(sync_pipe[PIPE_READ]);
- ws_close(sync_pipe[PIPE_WRITE]);
+ /* dumpcap should be running in capture child mode (hidden feature) */
+#ifndef DEBUG_CHILD
+ int argc = g_strv_length(argv);
+ argv = sync_pipe_add_arg(argv, &argc, "-Z");
+ snprintf(sync_id, ARGV_NUMBER_LEN, "%d", sync_pipe[PIPE_WRITE]);
+ argv = sync_pipe_add_arg(argv, &argc, sync_id);
+#endif
execv(argv[0], argv);
- sync_pipe_write_int_msg(2, SP_EXEC_FAILED, errno);
+ sync_pipe_write_int_msg(sync_pipe[PIPE_WRITE], SP_EXEC_FAILED, errno);
/* Exit with "_exit()", so that we don't close the connection
to the X server (and cause stuff buffered up by our parent but
@@ -549,6 +578,8 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
_exit(1);
}
+ g_strfreev(argv);
+
if (fetch_dumpcap_pid && *fork_child > 0)
fetch_dumpcap_pid(*fork_child);
@@ -556,6 +587,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd,
*data_read_fd = data_pipe[PIPE_READ];
}
message_read_fd = sync_pipe[PIPE_READ];
+
#endif
/* Parent process - read messages from the child process over the
@@ -863,14 +895,12 @@ sync_pipe_start(capture_options *capture_opts, GPtrArray *capture_comments,
}
}
- /* dumpcap should be running in capture child mode (hidden feature) */
#ifndef DEBUG_CHILD
- argv = sync_pipe_add_arg(argv, &argc, "-Z");
#ifdef _WIN32
+ /* pass process id to dumpcap for named signal pipe */
+ argv = sync_pipe_add_arg(argv, &argc, "--signal-pipe");
snprintf(control_id, ARGV_NUMBER_LEN, "%ld", GetCurrentProcessId());
argv = sync_pipe_add_arg(argv, &argc, control_id);
-#else
- argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
#endif
#endif
@@ -899,13 +929,11 @@ sync_pipe_start(capture_options *capture_opts, GPtrArray *capture_comments,
if (ret == -1) {
report_failure("%s", msg);
g_free(msg);
- free_argv(argv, argc);
return false;
}
/* Parent process - read messages from the child process over the
sync pipe. */
- free_argv(argv, argc);
cap_session->fork_child_status = 0;
cap_session->cap_data_info = cap_data;
@@ -964,7 +992,7 @@ sync_pipe_close_command(int *data_read_fd, GIOChannel *message_read_io,
/* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
#define PIPE_BUF_SIZE 5120
static int
-sync_pipe_run_command_actual(char* const argv[], char **data, char **primary_msg,
+sync_pipe_run_command_actual(char **argv, char **data, char **primary_msg,
char **secondary_msg, void(*update_cb)(void))
{
char *msg;
@@ -1176,7 +1204,7 @@ sync_pipe_run_command_actual(char* const argv[], char **data, char **primary_msg
* redirects to sync_pipe_run_command_actual()
*/
static int
-sync_pipe_run_command(char* const argv[], char **data, char **primary_msg,
+sync_pipe_run_command(char **argv, char **data, char **primary_msg,
char **secondary_msg, void (*update_cb)(void))
{
int ret, i;
@@ -1241,22 +1269,14 @@ sync_interface_set_80211_chan(const char *iface, const char *freq, const char *t
*primary_msg = g_strdup("Out of mem.");
*secondary_msg = NULL;
*data = NULL;
- free_argv(argv, argc);
return -1;
}
argv = sync_pipe_add_arg(argv, &argc, "-k");
argv = sync_pipe_add_arg(argv, &argc, opt);
-#ifndef DEBUG_CHILD
- /* Run dumpcap in capture child mode */
- argv = sync_pipe_add_arg(argv, &argc, "-Z");
- argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
-#endif
-
ret = sync_pipe_run_command(argv, data, primary_msg, secondary_msg, update_cb);
g_free(opt);
- free_argv(argv, argc);
return ret;
}
@@ -1294,13 +1314,7 @@ sync_interface_list_open(char **data, char **primary_msg,
/* Ask for the interface list */
argv = sync_pipe_add_arg(argv, &argc, "-D");
-#ifndef DEBUG_CHILD
- /* Run dumpcap in capture child mode */
- argv = sync_pipe_add_arg(argv, &argc, "-Z");
- argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
-#endif
ret = sync_pipe_run_command(argv, data, primary_msg, secondary_msg, update_cb);
- free_argv(argv, argc);
return ret;
}
@@ -1348,13 +1362,7 @@ sync_if_capabilities_open(const char *ifname, bool monitor_mode, const char* aut
argv = sync_pipe_add_arg(argv, &argc, auth);
}
-#ifndef DEBUG_CHILD
- /* Run dumpcap in capture child mode */
- argv = sync_pipe_add_arg(argv, &argc, "-Z");
- argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
-#endif
ret = sync_pipe_run_command(argv, data, primary_msg, secondary_msg, update_cb);
- free_argv(argv, argc);
return ret;
}
@@ -1449,20 +1451,17 @@ sync_interface_stats_open(int *data_read_fd, ws_process_id *fork_child, char **d
argv = sync_pipe_add_arg(argv, &argc, "-S");
#ifndef DEBUG_CHILD
- argv = sync_pipe_add_arg(argv, &argc, "-Z");
#ifdef _WIN32
+ argv = sync_pipe_add_arg(argv, &argc, "--signal-pipe");
ret = create_dummy_signal_pipe(msg);
if (ret == -1) {
return -1;
}
argv = sync_pipe_add_arg(argv, &argc, dummy_control_id);
-#else
- argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
#endif
#endif
ret = sync_pipe_open_command(argv, data_read_fd, &message_read_io, NULL,
fork_child, NULL, msg, update_cb);
- free_argv(argv, argc);
if (ret == -1) {
return -1;
}
diff --git a/dumpcap.c b/dumpcap.c
index b5a5423..533aa96 100644
--- a/dumpcap.c
+++ b/dumpcap.c
@@ -130,6 +130,7 @@ static gchar *sig_pipe_name = NULL;
static HANDLE sig_pipe_handle = NULL;
static gboolean signal_pipe_check_running(void);
#endif
+static int sync_pipe_fd = 2;
#ifdef ENABLE_ASAN
/* This has public visibility so that if compiled with shared libasan (the
@@ -562,7 +563,7 @@ dumpcap_cmdarg_err(const char *fmt, va_list ap)
gchar *msg;
/* Generate a 'special format' message back to parent */
msg = ws_strdup_vprintf(fmt, ap);
- sync_pipe_write_errmsgs_to_parent(2, msg, "");
+ sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, msg, "");
g_free(msg);
} else {
fprintf(stderr, "dumpcap: ");
@@ -582,7 +583,7 @@ dumpcap_cmdarg_err_cont(const char *fmt, va_list ap)
if (capture_child) {
gchar *msg;
msg = ws_strdup_vprintf(fmt, ap);
- sync_pipe_write_errmsgs_to_parent(2, msg, "");
+ sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, msg, "");
g_free(msg);
} else {
vfprintf(stderr, fmt, ap);
@@ -1007,7 +1008,7 @@ show_filter_code(capture_options *capture_opts)
#endif
if (capture_child) {
/* Let our parent know we succeeded. */
- sync_pipe_write_string_msg(2, SP_SUCCESS, NULL);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
}
return TRUE;
}
@@ -1029,7 +1030,7 @@ print_machine_readable_interfaces(GList *if_list)
if (capture_child) {
/* Let our parent know we succeeded. */
- sync_pipe_write_string_msg(2, SP_SUCCESS, NULL);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
}
i = 1; /* Interface id number */
@@ -1096,7 +1097,7 @@ print_machine_readable_if_capabilities(if_capabilities_t *caps, int queries)
if (capture_child) {
/* Let our parent know we succeeded. */
- sync_pipe_write_string_msg(2, SP_SUCCESS, NULL);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
}
if (queries & CAPS_QUERY_LINK_TYPES) {
@@ -1197,7 +1198,7 @@ print_statistics_loop(gboolean machine_readable)
if (capture_child) {
/* Let our parent know we succeeded. */
- sync_pipe_write_string_msg(2, SP_SUCCESS, NULL);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
}
if (!machine_readable) {
@@ -4985,7 +4986,7 @@ capture_loop_write_pcapng_cb(capture_src *pcap_src, const pcapng_block_header_t
ws_info("Sending SP_FILE on first SHB");
#endif
/* SHB is now ready for capture parent to read on SP_FILE message */
- sync_pipe_write_string_msg(2, SP_FILE, report_capture_filename);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_FILE, report_capture_filename);
report_capture_filename = NULL;
}
}
@@ -5214,7 +5215,7 @@ set_80211_channel(const char *iface, const char *opt)
}
if (capture_child)
- sync_pipe_write_string_msg(2, SP_SUCCESS, NULL);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
out:
g_strfreev(options);
@@ -5238,6 +5239,9 @@ gather_dumpcap_runtime_info(feature_list l)
#define LONGOPT_IFNAME LONGOPT_BASE_APPLICATION+1
#define LONGOPT_IFDESCR LONGOPT_BASE_APPLICATION+2
#define LONGOPT_CAPTURE_COMMENT LONGOPT_BASE_APPLICATION+3
+#ifdef _WIN32
+#define LONGOPT_SIGNAL_PIPE LONGOPT_BASE_APPLICATION+4
+#endif
/* And now our feature presentation... [ fade to music ] */
int
@@ -5252,6 +5256,9 @@ main(int argc, char *argv[])
{"ifname", ws_required_argument, NULL, LONGOPT_IFNAME},
{"ifdescr", ws_required_argument, NULL, LONGOPT_IFDESCR},
{"capture-comment", ws_required_argument, NULL, LONGOPT_CAPTURE_COMMENT},
+#ifdef _WIN32
+ {"signal-pipe", ws_required_argument, NULL, LONGOPT_SIGNAL_PIPE},
+#endif
{0, 0, 0, 0 }
};
@@ -5308,10 +5315,31 @@ main(int argc, char *argv[])
if (strcmp("-Z", argv[i]) == 0) {
capture_child = TRUE;
machine_readable = TRUE; /* request machine-readable output */
+ i++;
+ if (i >= argc) {
+ exit_main(1);
+ }
+
+ if (strcmp(argv[i], SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
+ // get_positive_int calls cmdarg_err
+ if (!ws_strtoi(argv[i], NULL, &sync_pipe_fd) || sync_pipe_fd <= 0) {
+ exit_main(1);
+ }
#ifdef _WIN32
- /* set output pipe to binary mode, to avoid ugly text conversions */
- _setmode(2, O_BINARY);
+ /* On UN*X the fd is the same when we fork + exec.
+ * On Windows the HANDLE value is the same for inherited
+ * handles in the child process and the parent, although
+ * not necessarily the fd value from _open_osfhandle.
+ * https://learn.microsoft.com/en-us/windows/win32/procthread/inheritance
+ * Also, "64-bit versions of Windows use 32-bit handles for
+ * interoperability... only the lower 32 bits are significant,
+ * so it is safe to truncate... or sign-extend the handle."
+ * https://learn.microsoft.com/en-us/windows/win32/winprog64/interprocess-communication
+ */
+ /* set output pipe to binary mode, avoid ugly text conversions */
+ sync_pipe_fd = _open_osfhandle( (intptr_t) sync_pipe_fd, _O_BINARY);
#endif
+ }
}
}
@@ -5628,9 +5656,17 @@ main(int argc, char *argv[])
break;
case 'Z':
capture_child = TRUE;
+ /*
+ * Handled above
+ */
+ break;
#ifdef _WIN32
- /* set output pipe to binary mode, to avoid ugly text conversions */
- _setmode(2, O_BINARY);
+ case LONGOPT_SIGNAL_PIPE:
+ if (!capture_child) {
+ /* We have already checked for -Z at the very beginning. */
+ cmdarg_err("--signal-pipe may only be specified with -Z");
+ exit_main(1);
+ }
/*
* ws_optarg = the control ID, aka the PPID, currently used for the
* signal pipe name.
@@ -5646,9 +5682,8 @@ main(int argc, char *argv[])
exit_main(1);
}
}
-#endif
break;
-
+#endif
case 'q': /* Quiet */
quiet = TRUE;
break;
@@ -5885,7 +5920,7 @@ main(int argc, char *argv[])
char *error_msg = ws_strdup_printf("The capabilities of the capture device "
"\"%s\" could not be obtained (%s)",
interface_opts->name, open_status_str);
- sync_pipe_write_errmsgs_to_parent(2, error_msg,
+ sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, error_msg,
get_pcap_failure_secondary_error_message(open_status, open_status_str));
g_free(error_msg);
}
@@ -6032,7 +6067,7 @@ dumpcap_log_writer(const char *domain, enum ws_log_level level,
#endif
if (capture_child) {
gchar *msg = ws_strdup_vprintf(user_format, user_ap);
- sync_pipe_write_errmsgs_to_parent(2, msg, "");
+ sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, msg, "");
g_free(msg);
} else {
ws_log_console_writer(domain, level, file, line, func, mft, user_format, user_ap);
@@ -6052,7 +6087,7 @@ dumpcap_log_writer(const char *domain, enum ws_log_level level,
/* to parent especially formatted if dumpcap running as child. */
if (capture_child) {
gchar *msg = ws_strdup_vprintf(user_format, user_ap);
- sync_pipe_write_errmsgs_to_parent(2, msg, "");
+ sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, msg, "");
g_free(msg);
} else if(ws_log_msg_is_active(domain, level)) {
ws_log_console_writer(domain, level, file, line, func, mft, user_format, user_ap);
@@ -6071,7 +6106,7 @@ report_packet_count(unsigned int packet_count)
if (capture_child) {
ws_debug("Packets: %u", packet_count);
- sync_pipe_write_uint_msg(2, SP_PACKET_COUNT, packet_count);
+ sync_pipe_write_uint_msg(sync_pipe_fd, SP_PACKET_COUNT, packet_count);
} else {
count += packet_count;
fprintf(stderr, "\rPackets: %u ", count);
@@ -6092,7 +6127,7 @@ report_new_capture_file(const char *filename)
#endif
report_capture_filename = filename;
} else {
- sync_pipe_write_string_msg(2, SP_FILE, filename);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_FILE, filename);
}
} else {
#ifdef SIGINFO
@@ -6132,7 +6167,7 @@ report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
if (capture_child) {
snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
ws_debug("Capture filter error: %s", errmsg);
- sync_pipe_write_string_msg(2, SP_BAD_FILTER, tmp);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_BAD_FILTER, tmp);
} else {
/*
* clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
@@ -6155,7 +6190,7 @@ report_capture_error(const char *error_msg, const char *secondary_error_msg)
if (capture_child) {
ws_debug("Primary Error: %s", error_msg);
ws_debug("Secondary Error: %s", secondary_error_msg);
- sync_pipe_write_errmsgs_to_parent(2, error_msg, secondary_error_msg);
+ sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, error_msg, secondary_error_msg);
} else {
cmdarg_err("%s", error_msg);
if (secondary_error_msg[0] != '\0')
@@ -6173,7 +6208,7 @@ report_packet_drops(guint32 received, guint32 pcap_drops, guint32 drops, guint32
ws_debug("Packets received/dropped on interface '%s': %u/%u (pcap:%u/dumpcap:%u/flushed:%u/ps_ifdrop:%u)",
name, received, total_drops, pcap_drops, drops, flushed, ps_ifdrop);
- sync_pipe_write_string_msg(2, SP_DROPS, tmp);
+ sync_pipe_write_string_msg(sync_pipe_fd, SP_DROPS, tmp);
g_free(tmp);
} else {
fprintf(stderr,

49
wireshark-0010-CVE-2024-8250.patch
View File

@ -1,49 +0,0 @@
From 66dcd56f1eae615697b6588ac4778a61a5576391 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sun, 28 Jul 2024 08:24:20 -0400
Subject: [PATCH] ntlmssp: Don't insert a key created on the stack into a hash
table
We could change this table to an autoreset wmem_map as well.
Fix #19943
---
epan/dissectors/packet-ntlmssp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index 7e1d754ee35..ff825ddee55 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -2438,7 +2438,9 @@ decrypt_data_payload(tvbuff_t *tvb, int offset, uint32_t encrypted_block_length,
decrypted_payloads = g_slist_prepend(decrypted_payloads,
packet_ntlmssp_info->decrypted_payload);
if (key != NULL) {
- g_hash_table_insert(hash_packet, key, packet_ntlmssp_info);
+ uint8_t *perm_key = g_new(uint8_t, NTLMSSP_KEY_LEN);
+ memcpy(perm_key, key, NTLMSSP_KEY_LEN);
+ g_hash_table_insert(hash_packet, perm_key, packet_ntlmssp_info);
}
/* Do the decryption of the payload */
@@ -2888,7 +2890,7 @@ header_hash(const void *pointer)
static gboolean
header_equal(gconstpointer pointer1, gconstpointer pointer2)
{
- if (!memcmp(pointer1, pointer2, 16)) {
+ if (!memcmp(pointer1, pointer2, NTLMSSP_KEY_LEN)) {
return TRUE;
}
else {
@@ -2899,7 +2901,7 @@ header_equal(const void *pointer1, const void *pointer2)
static void
ntlmssp_init_protocol(void)
{
- hash_packet = g_hash_table_new(header_hash, header_equal);
+ hash_packet = g_hash_table_new_full(header_hash, header_equal, g_free, NULL);
}
static void
--
GitLab

164
wireshark-0011-CVE-2024-9781.patch
View File

@ -1,164 +0,0 @@
From cad248ce3bf53026cc837fedeaca65d0f20ea3b5 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Tue, 8 Oct 2024 11:56:28 -0700
Subject: [PATCH] AppleTalk: Make sure we have valid addresses
Make sure ATP, ZIP, and ASP have valid addresses. Use sizeof instead of
a hard-coded value in a few places.
Fixes #20114
(cherry picked from commit 3de741321f85c205c0a8266c40f33cb0013bd1d2)
Conflicts:
epan/dissectors/packet-atalk.c
epan/dissectors/packet-reload-framing.c
---
epan/dissectors/packet-atalk.c | 44 ++++++++++++++++++++++++----------
1 file changed, 32 insertions(+), 12 deletions(-)
epan/dissectors/packet-reload-framing.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-atalk.c b/epan/dissectors/packet-atalk.c
index 396e7af5194..065d6aedb68 100644
--- a/epan/dissectors/packet-atalk.c
+++ b/epan/dissectors/packet-atalk.c
@@ -232,9 +232,18 @@ static int hf_asp_attn_code = -1;
static int hf_asp_seq = -1;
static int hf_asp_size = -1;
+/*
+ * Structure used to represent a DDP address; gives the layout of the
+ * data pointed to by an Appletalk "address" structure.
+ */
+struct atalk_ddp_addr {
+ guint16 net;
+ guint8 node;
+};
+
typedef struct {
guint32 conversation;
- guint8 src[4];
+ guint8 src[sizeof(struct atalk_ddp_addr)];
guint16 tid;
} asp_request_key;
@@ -502,6 +511,10 @@ static const value_string asp_error_vals[] = {
{0, NULL } };
value_string_ext asp_error_vals_ext = VALUE_STRING_EXT_INIT(asp_error_vals);
+static bool is_ddp_address(address *addr) {
+ return addr->type == atalk_address_type && addr->len == sizeof(struct atalk_ddp_addr);
+}
+
/*
* hf_index must be a FT_UINT_STRING type
* Are these always in a Mac extended character set? Should we have a
@@ -744,6 +757,12 @@ dissect_atp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
conversation_t *conversation;
asp_request_val *request_val = NULL;
+ // ATP is carried over DDP
+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+ return 0;
+ }
+
+
col_set_str(pinfo->cinfo, COL_PROTOCOL, "ATP");
ctrlinfo = tvb_get_guint8(tvb, offset);
@@ -770,7 +789,7 @@ dissect_atp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
asp_request_key request_key;
request_key.conversation = conversation->conv_index;
- memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, 4);
+ memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr));
request_key.tid = atp_asp_dsi_info.tid;
request_val = (asp_request_val *) wmem_map_lookup(atp_request_hash, &request_key);
@@ -1018,7 +1037,7 @@ get_transaction(tvbuff_t *tvb, packet_info *pinfo, struct atp_asp_dsi_info *atp_
conversation = find_or_create_conversation(pinfo);
request_key.conversation = conversation->conv_index;
- memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, 4);
+ memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr));
request_key.tid = atp_asp_dsi_info->tid;
request_val = (asp_request_val *) wmem_map_lookup(asp_request_hash, &request_key);
@@ -1051,6 +1070,11 @@ dissect_asp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
if (data == NULL)
return 0;
+ // ASP is carried over ATP/DDP
+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+ return 0;
+ }
+
col_set_str(pinfo->cinfo, COL_PROTOCOL, "ASP");
col_clear(pinfo->cinfo, COL_INFO);
@@ -1183,15 +1207,6 @@ dissect_asp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
/* -----------------------------
ZIP protocol cf. inside appletalk chap. 8
*/
-/*
- * Structure used to represent a DDP address; gives the layout of the
- * data pointed to by an Appletalk "address" structure.
- */
-struct atalk_ddp_addr {
- guint16 net;
- guint8 node;
-};
-
static int atalk_str_len(const address* addr _U_)
{
@@ -1241,6 +1256,11 @@ dissect_atp_zip(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
if (data == NULL)
return 0;
+ // ATP ZIP is carried over DDP
+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+ return 0;
+ }
+
col_set_str(pinfo->cinfo, COL_PROTOCOL, "ZIP");
col_clear(pinfo->cinfo, COL_INFO);
diff --git a/epan/dissectors/packet-reload-framing.c b/epan/dissectors/packet-reload-framing.c
index eac1744c315..688068bbe61 100644
--- a/epan/dissectors/packet-reload-framing.c
+++ b/epan/dissectors/packet-reload-framing.c
@@ -124,8 +124,14 @@ dissect_reload_framing_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tr
effective_length = tvb_captured_length(tvb);
/* First, make sure we have enough data to do the check. */
- if (effective_length < MIN_HDR_LENGTH)
+ if (effective_length < MIN_HDR_LENGTH) {
return 0;
+ }
+
+ /* Next, make sure we can create transaction ID keys. */
+ if (!(pinfo->src.data && pinfo->dst.data)) {
+ return 0;
+ }
conversation = find_conversation_pinfo(pinfo, 0);
if (conversation)
@@ -194,14 +200,14 @@ dissect_reload_framing_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tr
transaction_id_key[1].length = 1;
transaction_id_key[1].key = &pinfo->srcport;
transaction_id_key[2].length = (pinfo->src.len) / (guint)sizeof(guint32);
- transaction_id_key[2].key = (guint32 *)g_malloc(pinfo->src.len);
+ transaction_id_key[2].key = (guint32 *)wmem_alloc(wmem_file_scope(), pinfo->src.len);
memcpy(transaction_id_key[2].key, pinfo->src.data, pinfo->src.len);
}
else {
transaction_id_key[1].length = 1;
transaction_id_key[1].key = &pinfo->destport;
transaction_id_key[2].length = (pinfo->dst.len) / (guint)sizeof(guint32);
- transaction_id_key[2].key = (guint32 *)g_malloc(pinfo->dst.len);
+ transaction_id_key[2].key = (guint32 *)wmem_alloc(wmem_file_scope(), pinfo->dst.len);
memcpy(transaction_id_key[2].key, pinfo->dst.data, pinfo->dst.len);
}
transaction_id_key[3].length=0;

16
wireshark.spec
View File

@ -1,12 +1,12 @@
%undefine __cmake_in_source_build
%global with_lua 1
%global with_maxminddb 1
%global plugins_version 4.2
%global plugins_version 4.4
Summary: Network traffic analyzer
Name: wireshark
Version: 4.2.6
Release: 4%{?dist}
Version: 4.4.2
Release: 1%{?dist}
Epoch: 1
License: BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause AND MIT AND GPL-2.0-or-later AND LGPL-2.0-or-later AND Zlib AND ISC AND (BSD-3-Clause OR GPL-2.0-only) AND (GPL-2.0-or-later AND Zlib)
Url: http://www.wireshark.org/
@ -28,9 +28,6 @@ Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch
Patch7: wireshark-0007-cmakelists.patch
Patch8: wireshark-0008-pkgconfig.patch
Patch9: wireshark-0009-sync-pipe-stderr-messages.patch
Patch10: wireshark-0010-CVE-2024-8250.patch
Patch11: wireshark-0011-CVE-2024-9781.patch
#install tshark together with wireshark GUI
Requires: %{name}-cli = %{epoch}:%{version}-%{release}
@ -210,7 +207,7 @@ fi
%files cli
%license COPYING
%doc AUTHORS INSTALL NEWS README*
%doc AUTHORS INSTALL README*
%{_bindir}/capinfos
%{_bindir}/captype
%{_bindir}/editcap
@ -283,6 +280,11 @@ fi
%{_libdir}/pkgconfig/%{name}.pc
%changelog
* Thu Nov 28 2024 Michal Ruprich <mruprich@redhat.com> - 1:4.4.2-1
- Resolves: RHEL-69442 - Rebase wireshark to 4.4.2
- Resolves: RHEL-68453 - Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark
- Resolves: RHEL-68452 - Buffer Over-read in Wireshark
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:4.2.6-4
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018