mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-13 17:39:57 +00:00
wireshark: fix CVE-2023-1992 RPCoRDMA dissector crash
Upstream-Status: Backport from https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff5741 Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
vkumbhar
Armin Kuster
@@ -0,0 +1,61 @@
|
||||
From 3c8be14c827f1587da3c2b3bb0d9c04faff57413 Mon Sep 17 00:00:00 2001
|
||||
From: John Thacker <johnthacker@gmail.com>
|
||||
Date: Sun, 19 Mar 2023 15:16:39 -0400
|
||||
Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets
|
||||
|
||||
Add a frame end routine for a global which is assigned to packet
|
||||
scoped memory. It really should be made proto data, but is used
|
||||
in a function in the header (that doesn't take the packet info
|
||||
struct as an argument) and this fix needs to be made in stable
|
||||
branches.
|
||||
|
||||
Fix #18852
|
||||
|
||||
Upstream-Status: Backport [https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff5741]
|
||||
CVE: CVE-2023-1992
|
||||
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
|
||||
---
|
||||
epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
|
||||
index 76085c7..9d57bae 100644
|
||||
--- a/epan/dissectors/packet-rpcrdma.c
|
||||
+++ b/epan/dissectors/packet-rpcrdma.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <epan/addr_resolv.h>
|
||||
|
||||
#include "packet-rpcrdma.h"
|
||||
+#include "packet-frame.h"
|
||||
#include "packet-infiniband.h"
|
||||
#include "packet-iwarp-ddp-rdmap.h"
|
||||
|
||||
@@ -270,6 +271,18 @@ void rpcrdma_insert_offset(gint offset)
|
||||
wmem_array_append_one(gp_rdma_write_offsets, offset);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Reset the array of write offsets at the end of the frame. These
|
||||
+ * are packet scoped, so they don't need to be freed, but we want
|
||||
+ * to ensure that the global doesn't point to no longer allocated
|
||||
+ * memory in a later packet.
|
||||
+ */
|
||||
+static void
|
||||
+reset_write_offsets(void)
|
||||
+{
|
||||
+ gp_rdma_write_offsets = NULL;
|
||||
+}
|
||||
+
|
||||
/* Get conversation state, it is created if it does not exist */
|
||||
static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo)
|
||||
{
|
||||
@@ -1392,6 +1405,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data
|
||||
if (write_size > 0 && !pinfo->fd->visited) {
|
||||
/* Initialize array of write chunk offsets */
|
||||
gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint));
|
||||
+ register_frame_end_routine(pinfo, reset_write_offsets);
|
||||
TRY {
|
||||
/*
|
||||
* Call the upper layer dissector to get a list of offsets
|
||||
--
|
||||
2.40.1
|
||||
@@ -25,6 +25,7 @@ SRC_URI += " \
|
||||
file://CVE-2023-0667.patch \
|
||||
file://CVE-2023-0668.patch \
|
||||
file://CVE-2023-2906.patch \
|
||||
file://CVE-2023-1992.patch \
|
||||
"
|
||||
|
||||
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
|
||||
|
||||
Reference in New Issue
Block a user