mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
wireshark: fix CVE-2025-11626
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/513e5d49724f4a0695c5d2a08ce422c09cb999c8 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
committed by
Gyorgy Sarvari
parent
2236de2bd3
commit
634719db25
@@ -0,0 +1,99 @@
|
|||||||
|
From 4c79e54f4294b49a6549ae52b7b0a56b27540a40 Mon Sep 17 00:00:00 2001
|
||||||
|
From: John Thacker <johnthacker@gmail.com>
|
||||||
|
Date: Mon, 22 Sep 2025 21:41:00 -0400
|
||||||
|
Subject: [PATCH] Mongo: Avoid infinite loop in dissect_op_msg_section
|
||||||
|
|
||||||
|
If the size of a a OP_MSG data section is indicated as -1, that
|
||||||
|
leads to advancing the offset by section_len + 1, or zero, which
|
||||||
|
causes an infinite loop.
|
||||||
|
|
||||||
|
The total message and section lengths in Mongo are signed int32s;
|
||||||
|
it is impossible for them to be negative, and impossible for the
|
||||||
|
section length to be INT_MAX (since the message length includes
|
||||||
|
the length of the four byte headers and flag bits.)
|
||||||
|
|
||||||
|
Throw an error to avoid the offset moving backwards, an infinite loop,
|
||||||
|
or signed integer overflow.
|
||||||
|
|
||||||
|
Also update some URLs to their new locations.
|
||||||
|
|
||||||
|
Fix #20724.
|
||||||
|
|
||||||
|
(backported from commit 1ec4709cab382f7077ba66d2e382c2e75ce335c1)
|
||||||
|
|
||||||
|
CVE: CVE-2025-11626
|
||||||
|
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/513e5d49724f4a0695c5d2a08ce422c09cb999c8]
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
epan/dissectors/packet-mongo.c | 20 ++++++++++++++++----
|
||||||
|
1 file changed, 16 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
|
||||||
|
index 44cfde8..8290275 100644
|
||||||
|
--- a/epan/dissectors/packet-mongo.c
|
||||||
|
+++ b/epan/dissectors/packet-mongo.c
|
||||||
|
@@ -12,17 +12,19 @@
|
||||||
|
|
||||||
|
/*
|
||||||
|
* See Mongo Wire Protocol Specification
|
||||||
|
- * http://www.mongodb.org/display/DOCS/Mongo+Wire+Protocol
|
||||||
|
+ * https://www.mongodb.com/docs/manual/reference/mongodb-wire-protocol/
|
||||||
|
* See also BSON Specification
|
||||||
|
- * http://bsonspec.org/#/specification
|
||||||
|
+ * http://bsonspec.org/spec.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "config.h"
|
||||||
|
|
||||||
|
+#include <stdint.h>
|
||||||
|
#include <epan/packet.h>
|
||||||
|
#include <epan/exceptions.h>
|
||||||
|
#include <epan/expert.h>
|
||||||
|
#include <epan/proto_data.h>
|
||||||
|
+#include <epan/exceptions.h>
|
||||||
|
#include "packet-tcp.h"
|
||||||
|
#include "packet-tls.h"
|
||||||
|
#ifdef HAVE_SNAPPY
|
||||||
|
@@ -278,6 +280,7 @@ static gint ett_mongo_doc_sequence= -1;
|
||||||
|
|
||||||
|
static expert_field ei_mongo_document_recursion_exceeded = EI_INIT;
|
||||||
|
static expert_field ei_mongo_document_length_bad = EI_INIT;
|
||||||
|
+static expert_field ei_mongo_section_size_bad = EI_INIT;
|
||||||
|
static expert_field ei_mongo_unknown = EI_INIT;
|
||||||
|
static expert_field ei_mongo_unsupported_compression = EI_INIT;
|
||||||
|
static expert_field ei_mongo_too_large_compressed = EI_INIT;
|
||||||
|
@@ -784,13 +787,21 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
|
||||||
|
gint section_len = -1; /* Section length */
|
||||||
|
|
||||||
|
e_type = tvb_get_guint8(tvb, offset);
|
||||||
|
- section_len = tvb_get_letohl(tvb, offset+1);
|
||||||
|
|
||||||
|
- ti = proto_tree_add_item(tree, hf_mongo_msg_sections_section, tvb, offset, 1 + section_len, ENC_NA);
|
||||||
|
+ ti = proto_tree_add_item(tree, hf_mongo_msg_sections_section, tvb, offset, 1, ENC_NA);
|
||||||
|
section_tree = proto_item_add_subtree(ti, ett_mongo_section);
|
||||||
|
proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_kind, tvb, offset, 1, ENC_LITTLE_ENDIAN);
|
||||||
|
offset += 1;
|
||||||
|
|
||||||
|
+ section_len = tvb_get_letohil(tvb, offset);
|
||||||
|
+ /* The section length must be strictly smaller than the total message size,
|
||||||
|
+ * both signed int32s. This prevents signed integer overflow. */
|
||||||
|
+ if (section_len < 0 || section_len == INT32_MAX) {
|
||||||
|
+ proto_tree_add_expert_format(section_tree, pinfo, &ei_mongo_section_size_bad, tvb, offset, 4, "Bogus Mongo message section size: %i", section_len);
|
||||||
|
+ THROW(ReportedBoundsError);
|
||||||
|
+ }
|
||||||
|
+ proto_item_set_len(ti, 1 + section_len);
|
||||||
|
+
|
||||||
|
switch (e_type) {
|
||||||
|
case KIND_BODY:
|
||||||
|
dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
|
||||||
|
@@ -1445,6 +1456,7 @@ proto_register_mongo(void)
|
||||||
|
static ei_register_info ei[] = {
|
||||||
|
{ &ei_mongo_document_recursion_exceeded, { "mongo.document.recursion_exceeded", PI_MALFORMED, PI_ERROR, "BSON document recursion exceeds", EXPFILL }},
|
||||||
|
{ &ei_mongo_document_length_bad, { "mongo.document.length.bad", PI_MALFORMED, PI_ERROR, "BSON document length bad", EXPFILL }},
|
||||||
|
+ { &ei_mongo_section_size_bad, { "mongo.msg.sections.section.size.bad", PI_MALFORMED, PI_ERROR, "Bogus Mongo message section size", EXPFILL }},
|
||||||
|
{ &ei_mongo_unknown, { "mongo.unknown.expert", PI_UNDECODED, PI_WARN, "Unknown Data (not interpreted)", EXPFILL }},
|
||||||
|
{ &ei_mongo_unsupported_compression, { "mongo.unsupported_compression.expert", PI_UNDECODED, PI_WARN, "This packet was compressed with an unsupported compressor", EXPFILL }},
|
||||||
|
{ &ei_mongo_too_large_compressed, { "mongo.too_large_compressed.expert", PI_UNDECODED, PI_WARN, "The size of the uncompressed packet exceeded the maximum allowed value", EXPFILL }},
|
||||||
|
--
|
||||||
|
2.50.1
|
||||||
|
|
||||||
@@ -32,6 +32,7 @@ SRC_URI += " \
|
|||||||
file://CVE-2023-6175.patch \
|
file://CVE-2023-6175.patch \
|
||||||
file://CVE-2024-2955.patch \
|
file://CVE-2024-2955.patch \
|
||||||
file://CVE-2025-13499.patch \
|
file://CVE-2025-13499.patch \
|
||||||
|
file://CVE-2025-11626.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
||||||
|
|||||||
Reference in New Issue
Block a user