mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
wireshark: Fix CVE-2026-3201
Pick patch from [1] also mentioned in [2] [1] https://gitlab.com/wireshark/wireshark/-/issues/20972 [2] https://security-tracker.debian.org/tracker/CVE-2026-3201 More details : https://nvd.nist.gov/vuln/detail/CVE-2026-3201 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
b48d119e50
commit
e7a359838c
@@ -0,0 +1,55 @@
|
|||||||
|
From 5e80615ebc95c3f57235ab2699b03e45d8071a1c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Mann <mmann78@netscape.net>
|
||||||
|
Date: Mon, 26 Jan 2026 16:44:58 +0000
|
||||||
|
Subject: [PATCH] USB-HID: Bugfix resource exhaustion in
|
||||||
|
parse_report_descriptor()
|
||||||
|
|
||||||
|
Sanity range check was removed in 739666a7f5acc270204980e01b4069caf5060f30, restore it
|
||||||
|
|
||||||
|
AI-Assisted: no
|
||||||
|
Fixes #20972
|
||||||
|
|
||||||
|
(cherry picked from commit 6f753c79b7c8ac382e6383dfabd7d5be6e2b722c)
|
||||||
|
|
||||||
|
CVE: CVE-2026-3201
|
||||||
|
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/5e80615ebc95c3f57235ab2699b03e45d8071a1c]
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
epan/dissectors/packet-usb-hid.c | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/epan/dissectors/packet-usb-hid.c b/epan/dissectors/packet-usb-hid.c
|
||||||
|
index 9a402ee..a27606a 100644
|
||||||
|
--- a/epan/dissectors/packet-usb-hid.c
|
||||||
|
+++ b/epan/dissectors/packet-usb-hid.c
|
||||||
|
@@ -3675,6 +3675,7 @@ hid_unpack_signed(guint8 *data, unsigned int idx, unsigned int size, gint32 *val
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#define MAX_REPORT_DESCRIPTOR_COUNT 100000 // Arbitrary
|
||||||
|
static gboolean
|
||||||
|
parse_report_descriptor(report_descriptor_t *rdesc)
|
||||||
|
{
|
||||||
|
@@ -3856,7 +3857,7 @@ parse_report_descriptor(report_descriptor_t *rdesc)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Usage min and max must be on the same page */
|
||||||
|
- if (USAGE_PAGE(usage_min) != USAGE_PAGE(usage_max)) {
|
||||||
|
+ if (USAGE_PAGE(usage_min) != USAGE_PAGE(usage_max)) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -3864,6 +3865,10 @@ parse_report_descriptor(report_descriptor_t *rdesc)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (wmem_array_get_count(field.usages) + usage_max - usage_min >= MAX_REPORT_DESCRIPTOR_COUNT) {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* min and max are inclusive */
|
||||||
|
wmem_array_grow(field.usages, usage_max - usage_min + 1);
|
||||||
|
for (guint32 j = usage_min; j <= usage_max; j++) {
|
||||||
|
--
|
||||||
|
2.50.1
|
||||||
|
|
||||||
@@ -17,6 +17,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
|
|||||||
file://CVE-2025-13499.patch \
|
file://CVE-2025-13499.patch \
|
||||||
file://CVE-2026-0959.patch \
|
file://CVE-2026-0959.patch \
|
||||||
file://CVE-2026-0962.patch \
|
file://CVE-2026-0962.patch \
|
||||||
|
file://CVE-2026-3201.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"
|
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"
|
||||||
|
|||||||
Reference in New Issue
Block a user