mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
wireshark: Fix CVE-2023-2858 & CVE-2023-2879
Backport fixes for: * CVE-2023-2858 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105 * CVE-2023-2879 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
c7a5562f77
commit
c7f4255d0e
@@ -0,0 +1,95 @@
|
|||||||
|
From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Guy Harris <gharris@sonic.net>
|
||||||
|
Date: Fri, 19 May 2023 16:29:45 -0700
|
||||||
|
Subject: [PATCH] netscaler: add more checks to make sure the record is within
|
||||||
|
the page.
|
||||||
|
|
||||||
|
Whie we're at it, restructure some other checks to test-before-casting -
|
||||||
|
it's OK to test afterwards, but testing before makes it follow the
|
||||||
|
pattern used elsewhere.
|
||||||
|
|
||||||
|
Fixes #19081.
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105]
|
||||||
|
CVE: CVE-2023-2858
|
||||||
|
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
wiretap/netscaler.c | 15 ++++++++++-----
|
||||||
|
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
|
||||||
|
index 01a7f6d..4fa020b 100644
|
||||||
|
--- a/wiretap/netscaler.c
|
||||||
|
+++ b/wiretap/netscaler.c
|
||||||
|
@@ -1091,13 +1091,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info)
|
||||||
|
|
||||||
|
#define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
|
||||||
|
do {\
|
||||||
|
- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
|
||||||
|
/* Make sure the record header is entirely contained in the page */\
|
||||||
|
- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
|
||||||
|
+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
|
||||||
|
*err = WTAP_ERR_BAD_FILE;\
|
||||||
|
*err_info = g_strdup("nstrace: record header crosses page boundary");\
|
||||||
|
return FALSE;\
|
||||||
|
}\
|
||||||
|
+ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
|
||||||
|
/* Check sanity of record size */\
|
||||||
|
if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
|
||||||
|
*err = WTAP_ERR_BAD_FILE;\
|
||||||
|
@@ -1162,6 +1162,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
|
||||||
|
|
||||||
|
case NSPR_ABSTIME_V10:
|
||||||
|
{
|
||||||
|
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
|
||||||
|
+ return FALSE;
|
||||||
|
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
|
||||||
|
if (pletoh16(&fp->nsprRecordSize) == 0) {
|
||||||
|
*err = WTAP_ERR_BAD_FILE;
|
||||||
|
@@ -1175,6 +1177,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
|
||||||
|
|
||||||
|
case NSPR_RELTIME_V10:
|
||||||
|
{
|
||||||
|
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
|
||||||
|
+ return FALSE;
|
||||||
|
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
|
||||||
|
if (pletoh16(&fp->nsprRecordSize) == 0) {
|
||||||
|
*err = WTAP_ERR_BAD_FILE;
|
||||||
|
@@ -1192,6 +1196,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
|
||||||
|
|
||||||
|
default:
|
||||||
|
{
|
||||||
|
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
|
||||||
|
+ return FALSE;
|
||||||
|
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
|
||||||
|
if (pletoh16(&fp->nsprRecordSize) == 0) {
|
||||||
|
*err = WTAP_ERR_BAD_FILE;
|
||||||
|
@@ -1475,14 +1481,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
|
||||||
|
|
||||||
|
#define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
|
||||||
|
do {\
|
||||||
|
- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
|
||||||
|
/* Make sure the record header is entirely contained in the page */\
|
||||||
|
- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
|
||||||
|
+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
|
||||||
|
*err = WTAP_ERR_BAD_FILE;\
|
||||||
|
*err_info = g_strdup("nstrace: record header crosses page boundary");\
|
||||||
|
g_free(nstrace_tmpbuff);\
|
||||||
|
return FALSE;\
|
||||||
|
}\
|
||||||
|
+ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
|
||||||
|
(rec)->rec_type = REC_TYPE_PACKET;\
|
||||||
|
TIMEDEFV##ver((rec),fp,type);\
|
||||||
|
FULLPART##SIZEDEFV##ver((rec),fp,ver);\
|
||||||
|
@@ -1589,7 +1595,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf,
|
||||||
|
g_free(nstrace_tmpbuff);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
|
||||||
|
if (nspr_getv20recordsize(hdp) == 0) {
|
||||||
|
*err = WTAP_ERR_BAD_FILE;
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
@@ -0,0 +1,37 @@
|
|||||||
|
From 118815ca7c9f82c1f83f8f64d9e0e54673f31677 Mon Sep 17 00:00:00 2001
|
||||||
|
From: John Thacker <johnthacker@gmail.com>
|
||||||
|
Date: Sat, 13 May 2023 21:45:16 -0400
|
||||||
|
Subject: [PATCH] GDSDB: Make sure our offset advances.
|
||||||
|
|
||||||
|
add_uint_string() returns the next offset to use, not the number
|
||||||
|
of bytes consumed. So to consume all the bytes and make sure the
|
||||||
|
offset advances, return the entire reported tvb length, not the
|
||||||
|
number of bytes remaining.
|
||||||
|
|
||||||
|
Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
|
||||||
|
Fixes #19068
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
|
||||||
|
CVE: CVE-2023-2879
|
||||||
|
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
epan/dissectors/packet-gdsdb.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
|
||||||
|
index 75bcfb9..950d68f 100644
|
||||||
|
--- a/epan/dissectors/packet-gdsdb.c
|
||||||
|
+++ b/epan/dissectors/packet-gdsdb.c
|
||||||
|
@@ -480,7 +480,7 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
|
||||||
|
int ret_offset = offset + length;
|
||||||
|
if (length < 4 || ret_offset < offset) {
|
||||||
|
expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
|
||||||
|
- return tvb_reported_length_remaining(tvb, offset);
|
||||||
|
+ return tvb_reported_length(tvb);
|
||||||
|
}
|
||||||
|
return ret_offset;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
@@ -18,6 +18,8 @@ SRC_URI += " \
|
|||||||
file://CVE-2022-3190.patch \
|
file://CVE-2022-3190.patch \
|
||||||
file://CVE-2023-2855.patch \
|
file://CVE-2023-2855.patch \
|
||||||
file://CVE-2023-2856.patch \
|
file://CVE-2023-2856.patch \
|
||||||
|
file://CVE-2023-2858.patch \
|
||||||
|
file://CVE-2023-2879.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
||||||
|
|||||||
Reference in New Issue
Block a user