Resolves: #2211412 - XRA dissector infinite loop

Michal Ruprich 2023-06-30 15:06:51 +02:00
parent e9fc1aa3ed
commit d9a4e30892
2 changed files with 102 additions and 1 deletions


@ -0,0 +1,97 @@
From e18d0e369729b0fff5f76f41cbae67e97c2e52e5 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Tue, 23 May 2023 13:52:03 -0700
Subject: [PATCH] XRA: Fix an infinite loop
C compilers don't care what size a value was on the wire. Use
naturally-sized ints, including in dissect_message_channel_mb where we
would otherwise overflow and loop infinitely.
Fixes #19100
(cherry picked from commit ce87eac0325581b600b3093fcd75080df14ccfda)
Conflicts:
epan/dissectors/packet-xra.c
---
epan/dissectors/packet-xra.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
index ef8437e9382..4c3713db94b 100644
--- a/epan/dissectors/packet-xra.c
+++ b/epan/dissectors/packet-xra.c
@@ -445,7 +445,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
while (tlv_index < tlv_length) {
guint8 type = tvb_get_guint8 (tvb, tlv_index);
++tlv_index;
@@ -500,7 +500,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
while (tlv_index < tlv_length) {
guint8 type = tvb_get_guint8 (tvb, tlv_index);
++tlv_index;
@@ -534,7 +534,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
while (tlv_index < tlv_length) {
guint8 type = tvb_get_guint8 (tvb, tlv_index);
++tlv_index;
@@ -574,7 +574,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
while (tlv_index < tlv_length) {
@@ -620,14 +620,14 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
/*If not present, this contains stuff from other packet. We can't do much in this case*/
if(packet_start_pointer_field_present) {
- guint16 docsis_start = 3 + packet_start_pointer;
+ unsigned docsis_start = 3 + packet_start_pointer;
if(docsis_start +6 < remaining_length) {
/*DOCSIS header in packet*/
guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
if (fc == 0xFF) {
return;
}
- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
if (docsis_start + 6 + docsis_length <= remaining_length) {
/*DOCSIS packet included in packet*/
tvbuff_t *docsis_tvb;
@@ -797,7 +797,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
static int
dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
- guint16 offset = 0;
+ int offset = 0;
proto_tree *plc_tree;
proto_item *plc_item;
tvbuff_t *mb_tvb;
@@ -857,7 +857,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
static int
dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
- guint16 offset = 0;
+ int offset = 0;
proto_tree *ncp_tree;
proto_item *ncp_item;
tvbuff_t *ncp_mb_tvb;
--
GitLab
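Review bot: In the `dissect_message_channel_mb` hunk only the declarations of `docsis_start` and `docsis_length` are widened; the loop the commit message refers to, and the declarations of `remaining_length` and `packet_start_pointer`, lie outside the hunk, so this page does not show whether a 16-bit intermediate survives on that path. Because the patch header records conflicts in packet-xra.c, the resolved result should be checked against the 2.6.2 source to confirm that every value added to `docsis_start` is held in an `unsigned` or wider variable before the comparison with `remaining_length`. The four `tlv_index` hunks replace `guint32` with `unsigned`, which is normally the same width, so they are presumably cosmetic and do not change loop termination. A comment on the declaration, for example `/* unsigned, not guint16: start + 6 + length can exceed 65535 and must not wrap */`, would keep a later cleanup from narrowing it again.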


@ -6,7 +6,7 @@
Summary: Network traffic analyzer Summary: Network traffic analyzer
Name: wireshark Name: wireshark
Version: 2.6.2 Version: 2.6.2
Release: 16%{?dist} Release: 17%{?dist}
Epoch: 1 Epoch: 1
License: GPL+ License: GPL+
Url: http://www.wireshark.org/ Url: http://www.wireshark.org/
@ -66,6 +66,7 @@ Patch28: wireshark-0028-find-libssh.patch
Patch29: wireshark-0029-cve-2023-2858.patch Patch29: wireshark-0029-cve-2023-2858.patch
Patch30: wireshark-0030-cve-2023-2856.patch Patch30: wireshark-0030-cve-2023-2856.patch
Patch31: wireshark-0031-cve-2023-0666.patch Patch31: wireshark-0031-cve-2023-0666.patch
Patch32: wireshark-0032-cve-2023-2952.patch
#install tshark together with wireshark GUI #install tshark together with wireshark GUI
Requires: %{name}-cli = %{epoch}:%{version}-%{release} Requires: %{name}-cli = %{epoch}:%{version}-%{release}
@ -314,6 +315,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
%changelog %changelog
* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 1:2.6.2-17
- Resolves: #2211412 - XRA dissector infinite loop
* Wed Jun 14 2023 Michal Ruprich <mruprich@redhat.com> - 1:2.6.2-16 * Wed Jun 14 2023 Michal Ruprich <mruprich@redhat.com> - 1:2.6.2-16
- Resolves: #2210866 - VMS TCPIPtrace file parser crash - Resolves: #2210866 - VMS TCPIPtrace file parser crash
- Resolves: #2210867 - NetScaler file parser crash - Resolves: #2210867 - NetScaler file parser crash