mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
wireshark: CVE-2023-2856 VMS TCPIPtrace file parser crash
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
a506fa6eac
commit
c7a5562f77
@@ -0,0 +1,69 @@
|
|||||||
|
From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001
|
||||||
|
From: Guy Harris <gharris@sonic.net>
|
||||||
|
Date: Thu, 18 May 2023 15:03:23 -0700
|
||||||
|
Subject: [PATCH] vms: fix the search for the packet length field.
|
||||||
|
|
||||||
|
The packet length field is of the form
|
||||||
|
|
||||||
|
Total Length = DDD = ^xXXX
|
||||||
|
|
||||||
|
where "DDD" is the length in decimal and "XXX" is the length in
|
||||||
|
hexadecimal.
|
||||||
|
|
||||||
|
Search for "length ". not just "Length", as we skip past "Length ", not
|
||||||
|
just "Length", so if we assume we found "Length " but only found
|
||||||
|
"Length", we'd skip past the end of the string.
|
||||||
|
|
||||||
|
While we're at it, fail if we don't find a length field, rather than
|
||||||
|
just blithely acting as if the packet length were zero.
|
||||||
|
|
||||||
|
Fixes #19083.
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca]
|
||||||
|
CVE: CVE-2023-2856
|
||||||
|
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
wiretap/vms.c | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/wiretap/vms.c b/wiretap/vms.c
|
||||||
|
index 0aa83ea..5f5fdbb 100644
|
||||||
|
--- a/wiretap/vms.c
|
||||||
|
+++ b/wiretap/vms.c
|
||||||
|
@@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
|
||||||
|
{
|
||||||
|
char line[VMS_LINE_LENGTH + 1];
|
||||||
|
int num_items_scanned;
|
||||||
|
+ gboolean have_pkt_len = FALSE;
|
||||||
|
guint32 pkt_len = 0;
|
||||||
|
int pktnum;
|
||||||
|
int csec = 101;
|
||||||
|
@@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if ( (! pkt_len) && (p = strstr(line, "Length"))) {
|
||||||
|
+ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
|
||||||
|
p += sizeof("Length ");
|
||||||
|
while (*p && ! g_ascii_isdigit(*p))
|
||||||
|
p++;
|
||||||
|
@@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
|
||||||
|
*err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
+ have_pkt_len = TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} while (! isdumpline(line));
|
||||||
|
+ if (! have_pkt_len) {
|
||||||
|
+ *err = WTAP_ERR_BAD_FILE;
|
||||||
|
+ *err_info = g_strdup_printf("vms: Length field not found");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
|
||||||
|
/*
|
||||||
|
* Probably a corrupt capture file; return an error,
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
@@ -17,6 +17,7 @@ SRC_URI += " \
|
|||||||
file://0004-lemon-Remove-line-directives.patch \
|
file://0004-lemon-Remove-line-directives.patch \
|
||||||
file://CVE-2022-3190.patch \
|
file://CVE-2022-3190.patch \
|
||||||
file://CVE-2023-2855.patch \
|
file://CVE-2023-2855.patch \
|
||||||
|
file://CVE-2023-2856.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
||||||
|
|||||||
Reference in New Issue
Block a user