wireshark: fix CVE-2025-11626

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/513e5d49724f4a0695c5d2a08ce422c09cb999c8

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

meta-networking/recipes-support/wireshark/files/CVE-2025-11626.patch

@@ -0,0 +1,99 @@
+From 4c79e54f4294b49a6549ae52b7b0a56b27540a40 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Mon, 22 Sep 2025 21:41:00 -0400
+Subject: [PATCH] Mongo: Avoid infinite loop in dissect_op_msg_section
+
+If the size of a a OP_MSG data section is indicated as -1, that
+leads to advancing the offset by section_len + 1, or zero, which
+causes an infinite loop.
+
+The total message and section lengths in Mongo are signed int32s;
+it is impossible for them to be negative, and impossible for the
+section length to be INT_MAX (since the message length includes
+the length of the four byte headers and flag bits.)
+
+Throw an error to avoid the offset moving backwards, an infinite loop,
+or signed integer overflow.
+
+Also update some URLs to their new locations.
+
+Fix #20724.
+
+(backported from commit 1ec4709cab382f7077ba66d2e382c2e75ce335c1)
+
+CVE: CVE-2025-11626
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/513e5d49724f4a0695c5d2a08ce422c09cb999c8]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-mongo.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
+index 44cfde8..8290275 100644
+--- a/epan/dissectors/packet-mongo.c
++++ b/epan/dissectors/packet-mongo.c
+@@ -12,17 +12,19 @@
+ 
+ /*
+  * See Mongo Wire Protocol Specification
+- * http://www.mongodb.org/display/DOCS/Mongo+Wire+Protocol
++ * https://www.mongodb.com/docs/manual/reference/mongodb-wire-protocol/
+  * See also BSON Specification
+- * http://bsonspec.org/#/specification
++ * http://bsonspec.org/spec.html
+  */
+ 
+ #include "config.h"
+ 
++#include <stdint.h>
+ #include <epan/packet.h>
+ #include <epan/exceptions.h>
+ #include <epan/expert.h>
+ #include <epan/proto_data.h>
++#include <epan/exceptions.h>
+ #include "packet-tcp.h"
+ #include "packet-tls.h"
+ #ifdef HAVE_SNAPPY
+@@ -278,6 +280,7 @@ static gint ett_mongo_doc_sequence= -1;
+ 
+ static expert_field ei_mongo_document_recursion_exceeded = EI_INIT;
+ static expert_field ei_mongo_document_length_bad = EI_INIT;
++static expert_field ei_mongo_section_size_bad = EI_INIT;
+ static expert_field ei_mongo_unknown = EI_INIT;
+ static expert_field ei_mongo_unsupported_compression = EI_INIT;
+ static expert_field ei_mongo_too_large_compressed = EI_INIT;
+@@ -784,13 +787,21 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
+   gint section_len = -1;   /* Section length */
+ 
+   e_type = tvb_get_guint8(tvb, offset);
+-  section_len = tvb_get_letohl(tvb, offset+1);
+ 
+-  ti = proto_tree_add_item(tree, hf_mongo_msg_sections_section, tvb, offset, 1 + section_len, ENC_NA);
++  ti = proto_tree_add_item(tree, hf_mongo_msg_sections_section, tvb, offset, 1, ENC_NA);
+   section_tree = proto_item_add_subtree(ti, ett_mongo_section);
+   proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_kind, tvb, offset, 1, ENC_LITTLE_ENDIAN);
+   offset += 1;
+ 
++  section_len = tvb_get_letohil(tvb, offset);
++  /* The section length must be strictly smaller than the total message size,
++   * both signed int32s. This prevents signed integer overflow. */
++  if (section_len < 0 || section_len == INT32_MAX) {
++    proto_tree_add_expert_format(section_tree, pinfo, &ei_mongo_section_size_bad, tvb, offset, 4, "Bogus Mongo message section size: %i", section_len);
++    THROW(ReportedBoundsError);
++  }
++  proto_item_set_len(ti, 1 + section_len);
++
+   switch (e_type) {
+     case KIND_BODY:
+       dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+@@ -1445,6 +1456,7 @@ proto_register_mongo(void)
+   static ei_register_info ei[] = {
+      { &ei_mongo_document_recursion_exceeded, { "mongo.document.recursion_exceeded", PI_MALFORMED, PI_ERROR, "BSON document recursion exceeds", EXPFILL }},
+      { &ei_mongo_document_length_bad, { "mongo.document.length.bad",  PI_MALFORMED, PI_ERROR, "BSON document length bad", EXPFILL }},
++     { &ei_mongo_section_size_bad, { "mongo.msg.sections.section.size.bad",  PI_MALFORMED, PI_ERROR, "Bogus Mongo message section size", EXPFILL }},
+      { &ei_mongo_unknown, { "mongo.unknown.expert", PI_UNDECODED, PI_WARN, "Unknown Data (not interpreted)", EXPFILL }},
+      { &ei_mongo_unsupported_compression, { "mongo.unsupported_compression.expert", PI_UNDECODED, PI_WARN, "This packet was compressed with an unsupported compressor", EXPFILL }},
+      { &ei_mongo_too_large_compressed, { "mongo.too_large_compressed.expert", PI_UNDECODED, PI_WARN, "The size of the uncompressed packet exceeded the maximum allowed value", EXPFILL }},
+-- 
+2.50.1
+

meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb

@@ -32,6 +32,7 @@ SRC_URI += " \
     file://CVE-2023-6175.patch \
     file://CVE-2024-2955.patch \
     file://CVE-2025-13499.patch \
+    file://CVE-2025-11626.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"