mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-05-09 17:59:26 +00:00
wireshark: Fix CVE-2022-0585-CVE-2023-2879
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Hitendra Prajapati
committed by
Armin Kuster
Armin Kuster
parent
9135c7ea73
commit
d9ba954b6a
@@ -0,0 +1,93 @@
|
|||||||
|
From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: John Thacker <johnthacker@gmail.com>
|
||||||
|
Date: Sat, 13 May 2023 21:45:16 -0400
|
||||||
|
Subject: GDSDB: Make sure our offset advances.
|
||||||
|
|
||||||
|
add_uint_string() returns the next offset to use, not the number
|
||||||
|
of bytes consumed. So to consume all the bytes and make sure the
|
||||||
|
offset advances, return the entire reported tvb length, not the
|
||||||
|
number of bytes remaining.
|
||||||
|
|
||||||
|
Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f
|
||||||
|
|
||||||
|
Fixes #19068
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
|
||||||
|
CVE: CVE-2022-0585 & CVE-2023-2879
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++-
|
||||||
|
1 file changed, 22 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
|
||||||
|
index 95fed7e..950d68f 100644
|
||||||
|
--- a/epan/dissectors/packet-gdsdb.c
|
||||||
|
+++ b/epan/dissectors/packet-gdsdb.c
|
||||||
|
@@ -15,6 +15,7 @@
|
||||||
|
#include "config.h"
|
||||||
|
|
||||||
|
#include <epan/packet.h>
|
||||||
|
+#include <epan/expert.h>
|
||||||
|
|
||||||
|
void proto_register_gdsdb(void);
|
||||||
|
void proto_reg_handoff_gdsdb(void);
|
||||||
|
@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1;
|
||||||
|
static int hf_gdsdb_sqlresponse_messages = -1;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+static expert_field ei_gdsdb_invalid_length = EI_INIT;
|
||||||
|
+
|
||||||
|
enum
|
||||||
|
{
|
||||||
|
op_void = 0,
|
||||||
|
@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
|
||||||
|
offset, 4, ENC_ASCII|ENC_BIG_ENDIAN);
|
||||||
|
length = dword_align(tvb_get_ntohl(tvb, offset))+4;
|
||||||
|
proto_item_set_len(ti, length);
|
||||||
|
- return offset + length;
|
||||||
|
+ int ret_offset = offset + length;
|
||||||
|
+ if (length < 4 || ret_offset < offset) {
|
||||||
|
+ expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
|
||||||
|
+ return tvb_reported_length(tvb);
|
||||||
|
+ }
|
||||||
|
+ return ret_offset;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset)
|
||||||
|
@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U
|
||||||
|
offset, 4, ENC_BIG_ENDIAN);
|
||||||
|
|
||||||
|
/* opcode < op_max */
|
||||||
|
+ int old_offset = offset;
|
||||||
|
offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4);
|
||||||
|
+ if (offset <= old_offset) {
|
||||||
|
+ expert_add_info(NULL, ti, &ei_gdsdb_invalid_length);
|
||||||
|
+ return tvb_reported_length_remaining(tvb, old_offset);
|
||||||
|
+ }
|
||||||
|
if (offset < 0)
|
||||||
|
{
|
||||||
|
/* But at this moment we don't know how much we will need */
|
||||||
|
@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void)
|
||||||
|
&ett_gdsdb_connect_pref
|
||||||
|
};
|
||||||
|
|
||||||
|
+/* Expert info */
|
||||||
|
+ static ei_register_info ei[] = {
|
||||||
|
+ { &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR,
|
||||||
|
+ "Invalid length", EXPFILL }},
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
proto_gdsdb = proto_register_protocol(
|
||||||
|
"Firebird SQL Database Remote Protocol",
|
||||||
|
"FB/IB GDS DB", "gdsdb");
|
||||||
|
|
||||||
|
proto_register_field_array(proto_gdsdb, hf, array_length(hf));
|
||||||
|
proto_register_subtree_array(ett, array_length(ett));
|
||||||
|
+ expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb);
|
||||||
|
+ expert_register_field_array(expert_gdsdb, ei, array_length(ei));
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
@@ -19,6 +19,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
|
|||||||
file://CVE-2023-0668.patch \
|
file://CVE-2023-0668.patch \
|
||||||
file://CVE-2023-2906.patch \
|
file://CVE-2023-2906.patch \
|
||||||
file://CVE-2023-3649.patch \
|
file://CVE-2023-3649.patch \
|
||||||
|
file://CVE-2022-0585-CVE-2023-2879.patch \
|
||||||
"
|
"
|
||||||
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user