Resolves: #2210866 - VMS TCPIPtrace file parser crash

Resolves: #2210867 - NetScaler file parser crash
Resolves: #2210869 - RTPS dissector crash
This commit is contained in:
Michal Ruprich 2023-06-14 10:28:37 +02:00
parent da5c780ce3
commit cffa7e37ec
5 changed files with 263 additions and 1 deletions

View File

@ -0,0 +1,18 @@
From: =?UTF-8?q?Radek=20Vok=C3=A1l?= <rvokal@fedoraproject.org>
Date: Tue, 15 Dec 2009 08:36:27 +0000
Subject: [PATCH] enable Lua support
diff --git a/epan/wslua/template-init.lua b/epan/wslua/template-init.lua
index 3fe2aca..2b48f9b 100644
--- a/epan/wslua/template-init.lua
+++ b/epan/wslua/template-init.lua
@@ -41,7 +41,7 @@ if running_superuser then
local disabled_lib = {}
setmetatable(disabled_lib,{ __index = function() error("this package ".. hint) end } );
- dofile = function() error("dofile " .. hint) end
+-- dofile = function() error("dofile " .. hint) end
loadfile = function() error("loadfile " .. hint) end
loadlib = function() error("loadlib " .. hint) end
require = function() error("require " .. hint) end

View File

@ -0,0 +1,105 @@
From 74017383c8c73f25d12ef847c96854641f88fae4 Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Fri, 19 May 2023 16:29:45 -0700
Subject: [PATCH] netscaler: add more checks to make sure the record is within
the page.
Whie we're at it, restructure some other checks to test-before-casting -
it's OK to test afterwards, but testing before makes it follow the
pattern used elsewhere.
Fixes #19081.
(cherry picked from commit cb190d6839ddcd4596b0205844f45553f1e77105)
---
wiretap/netscaler.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
index 8dcbd42a089..b94caca0869 100644
--- a/wiretap/netscaler.c
+++ b/wiretap/netscaler.c
@@ -641,6 +641,20 @@ static gboolean nstrace_dump(wtap_dumper *wdh, const wtap_rec *rec,
#define GET_READ_PAGE_SIZE(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE)?NSPR_PAGESIZE:remaining_file_size))
#define GET_READ_PAGE_SIZEV3(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE_TRACE)?NSPR_PAGESIZE_TRACE:remaining_file_size))
+/*
+ * Check whether we have enough room to retrieve the data in the caller.
+ * If not, we have a malformed file.
+ */
+static gboolean nstrace_ensure_buflen(nstrace_t* nstrace, guint offset, guint len, int *err, gchar** err_info)
+{
+ if (offset > nstrace->nstrace_buflen || nstrace->nstrace_buflen - offset < len) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("nstrace: malformed file");
+ return FALSE;
+ }
+ return TRUE;
+}
+
static guint64 ns_hrtime2nsec(guint32 tm)
{
guint32 val = tm & NSPR_HRTIME_MASKTM;
@@ -1114,13 +1114,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int file_version, int *err,
#define PACKET_DESCRIBE(rec,FULLPART,fullpart,ver,type,HEADERVER) \
do {\
- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Make sure the record header is entirely contained in the page */\
- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
*err = WTAP_ERR_BAD_FILE;\
*err_info = g_strdup("nstrace: record header crosses page boundary");\
return FALSE;\
}\
+ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Check sanity of record size */\
if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
*err = WTAP_ERR_BAD_FILE;\
@@ -1186,6 +1186,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
case NSPR_ABSTIME_V10:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1199,6 +1201,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
case NSPR_RELTIME_V10:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1216,6 +1220,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
default:
{
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
if (pletoh16(&fp->nsprRecordSize) == 0) {
*err = WTAP_ERR_BAD_FILE;
@@ -1500,14 +1506,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
#define PACKET_DESCRIBE(rec,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
do {\
- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
/* Make sure the record header is entirely contained in the page */\
- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
*err = WTAP_ERR_BAD_FILE;\
*err_info = g_strdup("nstrace: record header crosses page boundary");\
g_free(nstrace_tmpbuff);\
return FALSE;\
}\
+ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
(rec)->rec_type = REC_TYPE_PACKET;\
TIMEDEFV##ver((rec),fp,type);\
FULLPART##SIZEDEFV##ver((rec),fp,ver);\
--
GitLab

View File

@ -0,0 +1,67 @@
From da017472e69453011ea28571f192cbc79cba7f5c Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Thu, 18 May 2023 15:03:23 -0700
Subject: [PATCH] vms: fix the search for the packet length field.
The packet length field is of the form
Total Length = DDD = ^xXXX
where "DDD" is the length in decimal and "XXX" is the length in
hexadecimal.
Search for "length ". not just "Length", as we skip past "Length ", not
just "Length", so if we assume we found "Length " but only found
"Length", we'd skip past the end of the string.
While we're at it, fail if we don't find a length field, rather than
just blithely acting as if the packet length were zero.
Fixes #19083.
(cherry picked from commit db5135826de3a5fdb3618225c2ff02f4207012ca)
---
wiretap/vms.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/wiretap/vms.c b/wiretap/vms.c
index 00da6ff359e..c21b26e6be0 100644
--- a/wiretap/vms.c
+++ b/wiretap/vms.c
@@ -322,6 +322,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
{
char line[VMS_LINE_LENGTH + 1];
int num_items_scanned;
+ gboolean have_pkt_len = FALSE;
guint32 pkt_len = 0;
int pktnum;
int csec = 101;
@@ -378,7 +379,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
return FALSE;
}
}
- if ( (! pkt_len) && (p = strstr(line, "Length"))) {
+ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
p += sizeof("Length ");
while (*p && ! g_ascii_isdigit(*p))
p++;
@@ -394,9 +395,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
*err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
return FALSE;
}
+ have_pkt_len = TRUE;
break;
}
} while (! isdumpline(line));
+ if (! have_pkt_len) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup_printf("vms: Length field not found");
+ return FALSE;
+ }
if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
/*
* Probably a corrupt capture file; return an error,
--
GitLab

View File

@ -0,0 +1,64 @@
From 28fdce547c417b868c521f87fb58f71ca6b1e3f7 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Thu, 18 May 2023 13:52:48 -0700
Subject: [PATCH] RTPS: Fixup our g_strlcpy dest_sizes
Use the proper dest_size in various g_strlcpy calls.
Fixes #19085
---
epan/dissectors/packet-rtps.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
index 2884e86faa1..a39202952f6 100644
--- a/epan/dissectors/packet-rtps.c
+++ b/epan/dissectors/packet-rtps.c
@@ -4944,7 +4944,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
++tk_id;
}
- g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), 40);
+ g_strlcpy(type_name, rtps_util_typecode_id_to_string(tk_id), sizeof(type_name));
/* Structure of the typecode data:
*
@@ -5115,7 +5115,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
member_name, -1, NULL, ndds_40_hack);
}
/* Finally prints the name of the struct (if provided) */
- g_strlcpy(type_name, "}", 40);
+ g_strlcpy(type_name, "}", sizeof(type_name));
break;
} /* end of case UNION */
@@ -5286,7 +5286,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
}
}
/* Finally prints the name of the struct (if provided) */
- g_strlcpy(type_name, "}", 40);
+ g_strlcpy(type_name, "}", sizeof(type_name));
break;
}
@@ -5378,7 +5378,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
offset += 4;
alias_name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, alias_name_length, ENC_ASCII);
offset += alias_name_length;
- g_strlcpy(type_name, alias_name, 40);
+ g_strlcpy(type_name, alias_name, sizeof(type_name));
break;
}
@@ -5413,7 +5413,7 @@ static gint rtps_util_add_typecode(proto_tree *tree, tvbuff_t *tvb, gint offset,
if (tk_id == RTI_CDR_TK_VALUE_PARAM) {
type_id_name = "valueparam";
}
- g_snprintf(type_name, 40, "%s '%s'", type_id_name, value_name);
+ g_snprintf(type_name, sizeof(type_name), "%s '%s'", type_id_name, value_name);
break;
}
} /* switch(tk_id) */
--
GitLab

View File

@ -6,7 +6,7 @@
Summary: Network traffic analyzer Summary: Network traffic analyzer
Name: wireshark Name: wireshark
Version: 2.6.2 Version: 2.6.2
Release: 15%{?dist} Release: 16%{?dist}
Epoch: 1 Epoch: 1
License: GPL+ License: GPL+
Url: http://www.wireshark.org/ Url: http://www.wireshark.org/
@ -63,6 +63,9 @@ Patch27: wireshark-0027-ibm-smc.patch
#Change in libssh header files forces a different technique on finding definitons #Change in libssh header files forces a different technique on finding definitons
Patch28: wireshark-0028-find-libssh.patch Patch28: wireshark-0028-find-libssh.patch
Patch29: wireshark-0029-cve-2023-2858.patch
Patch30: wireshark-0030-cve-2023-2856.patch
Patch31: wireshark-0031-cve-2023-0666.patch
#install tshark together with wireshark GUI #install tshark together with wireshark GUI
Requires: %{name}-cli = %{epoch}:%{version}-%{release} Requires: %{name}-cli = %{epoch}:%{version}-%{release}
@ -311,6 +314,11 @@ getent group usbmon >/dev/null || groupadd -r usbmon
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
%changelog %changelog
* Wed Jun 14 2023 Michal Ruprich <mruprich@redhat.com> - 1:2.6.2-16
- Resolves: #2210866 - VMS TCPIPtrace file parser crash
- Resolves: #2210867 - NetScaler file parser crash
- Resolves: #2210869 - RTPS dissector crash
* Wed Aug 24 2022 Michal Ruprich <mruprich@redhat.com> - 1:2.6.2-15 * Wed Aug 24 2022 Michal Ruprich <mruprich@redhat.com> - 1:2.6.2-15
- Resolves: #2119126 - Wireshark source rpm fails to build due to looking for incorrect libssh header files - Resolves: #2119126 - Wireshark source rpm fails to build due to looking for incorrect libssh header files