wireshark: Fix CVE-2022-0585-CVE-2023-2879

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-05-07 17:19:23 +00:00 · 2023-11-14 11:14:16 +05:30
parent 9135c7ea73
commit d9ba954b6a
2 changed files with 94 additions and 0 deletions
@@ -0,0 +1,93 @@
+From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 13 May 2023 21:45:16 -0400
+Subject: GDSDB: Make sure our offset advances.
+
+add_uint_string() returns the next offset to use, not the number
+of bytes consumed. So to consume all the bytes and make sure the
+offset advances, return the entire reported tvb length, not the
+number of bytes remaining.
+
+Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
+
+Fixes #19068
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
+CVE: CVE-2022-0585 & CVE-2023-2879
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
+index 95fed7e..950d68f 100644
+--- a/epan/dissectors/packet-gdsdb.c
+++ b/epan/dissectors/packet-gdsdb.c
+@@ -15,6 +15,7 @@
+ #include "config.h"
+ 
+ #include <epan/packet.h>
+#include <epan/expert.h>
+ 
+ void proto_register_gdsdb(void);
+ void proto_reg_handoff_gdsdb(void);
+@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1;
+ static int hf_gdsdb_sqlresponse_messages = -1;
+ #endif
+ 
+static expert_field ei_gdsdb_invalid_length = EI_INIT;
+
+ enum
+ {
+ 	op_void                   = 0,
+@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
+ 						offset, 4, ENC_ASCII|ENC_BIG_ENDIAN);
+ 	length = dword_align(tvb_get_ntohl(tvb, offset))+4;
+ 	proto_item_set_len(ti, length);
+-	return offset + length;
+	int ret_offset = offset + length;
+	if (length < 4 || ret_offset < offset) {
+		expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
+		return tvb_reported_length(tvb);
+	}
+	return ret_offset;
+ }
+ 
+ static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset)
+@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U
+ 								offset, 4, ENC_BIG_ENDIAN);
+ 
+ 		/* opcode < op_max */
+		int old_offset = offset;
+ 		offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4);
+		if (offset <= old_offset) {
+			expert_add_info(NULL, ti, &ei_gdsdb_invalid_length);
+			return tvb_reported_length_remaining(tvb, old_offset);
+		}
+ 		if (offset < 0)
+ 		{
+ 			/* But at this moment we don't know how much we will need */
+@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void)
+ 		&ett_gdsdb_connect_pref
+ 	};
+ 
+/* Expert info */
+	static ei_register_info ei[] = {
+		{ &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR,
+			"Invalid length", EXPFILL }},
+	};
+
+ 	proto_gdsdb = proto_register_protocol(
+ 		"Firebird SQL Database Remote Protocol",
+ 		"FB/IB GDS DB", "gdsdb");
+ 
+ 	proto_register_field_array(proto_gdsdb, hf, array_length(hf));
+ 	proto_register_subtree_array(ett, array_length(ett));
+	expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb);
+	expert_register_field_array(expert_gdsdb, ei, array_length(ei));
+ }
+ 
+ void
+-- 
+2.25.1
+
@@ -19,6 +19,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
           file://CVE-2023-0668.patch \
           file://CVE-2023-2906.patch \
           file://CVE-2023-3649.patch \
+           file://CVE-2022-0585-CVE-2023-2879.patch \
           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"