From: akuster808 <akuster808@gmail.com>
To: Hitendra Prajapati <hprajapati@mvista.com>,
openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [meta-networking][mickledore][PATCH] wireshark: CVE-2023-2952 XRA dissector infinite loop
Date: Thu, 15 Jun 2023 08:13:22 -0400
Message-ID: <612fc55c-d63b-9d09-665f-e14dee470bf8@gmail.com>
In-Reply-To: <20230612112806.10324-1-hprajapati@mvista.com>

On 6/12/23 7:28 AM, Hitendra Prajapati wrote:
> Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>

This does not apply, there are other wireshark patches stacked up in
stable/mickledore-nut that you can rebase on.

- armin

> ---
> .../wireshark/files/CVE-2023-2952.patch | 98 +++++++++++++++++++
> .../wireshark/wireshark_3.4.12.bb | 1 +
> 2 files changed, 99 insertions(+)
> create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
>
> diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
> new file mode 100644
> index 000000000..41b02bb3f
> --- /dev/null
> +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
> @@ -0,0 +1,98 @@
> +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
> +From: Gerald Combs <gerald@wireshark.org>
> +Date: Tue, 23 May 2023 13:52:03 -0700
> +Subject: [PATCH] XRA: Fix an infinite loop
> +
> +C compilers don't care what size a value was on the wire. Use
> +naturally-sized ints, including in dissect_message_channel_mb where we
> +would otherwise overflow and loop infinitely.
> +
> +Fixes #19100
> +
> +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
> +CVE: CVE-2023-2952
> +
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + epan/dissectors/packet-xra.c | 16 ++++++++--------
> + 1 file changed, 8 insertions(+), 8 deletions(-)
> +
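
Review bot: the `From ce87eac0325581b600b3093fcd75080df14ccfda` line at the top of the embedded patch does not match the commit cited in `Upstream-Status: Backport [...e18d0e369729b0fff5f76f41cbae67e97c2e52e5]`. If the change was exported from a different upstream branch than the cited commit, say so in the header or cite the commit that was actually exported, so whoever rebases this next can diff against the right upstream source.
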
> +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
> +index 68a8e72..6c7ab74 100644
> +--- a/epan/dissectors/packet-xra.c
> ++++ b/epan/dissectors/packet-xra.c
> +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
> + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
> + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
> +
> +- guint32 tlv_index =0;
> ++ unsigned tlv_index = 0;
> + while (tlv_index < tlv_length) {
> + guint8 type = tvb_get_guint8 (tvb, tlv_index);
> + ++tlv_index;
> +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
> + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
> + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
> +
> +- guint32 tlv_index =0;
> ++ unsigned tlv_index = 0;
> + while (tlv_index < tlv_length) {
> + guint8 type = tvb_get_guint8 (tvb, tlv_index);
> + ++tlv_index;
> +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
> + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
> + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
> +
> +- guint32 tlv_index =0;
> ++ unsigned tlv_index = 0;
> + while (tlv_index < tlv_length) {
> + guint8 type = tvb_get_guint8 (tvb, tlv_index);
> + ++tlv_index;
> +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
> + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
> + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
> +
> +- guint32 tlv_index =0;
> ++ unsigned tlv_index = 0;
> + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
> +
> + while (tlv_index < tlv_length) {
> +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
> + if(packet_start_pointer_field_present) {
> + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
> +
> +- guint16 docsis_start = 3 + packet_start_pointer;
> ++ unsigned docsis_start = 3 + packet_start_pointer;
> + while (docsis_start + 6 < remaining_length) {
> + /*DOCSIS header in packet*/
> + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
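
Review bot: in `while (docsis_start + 6 < remaining_length)`, the widened `unsigned docsis_start` is compared against `remaining_length`, whose declaration is outside this hunk. When rebasing, confirm the type of `remaining_length` in the 3.4.12 source; if it is signed, the comparison still relies on an implicit conversion in exactly the loop the commit message names as the infinite one.
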
> +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
> + docsis_start += 1;
> + continue;
> + }
> +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
> ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
> + if (docsis_start + 6 + docsis_length <= remaining_length) {
> + /*DOCSIS packet included in packet*/
> + tvbuff_t *docsis_tvb;
> +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
> + static int
> + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
> +
> +- guint16 offset = 0;
> ++ int offset = 0;
> + proto_tree *plc_tree;
> + proto_item *plc_item;
> + tvbuff_t *mb_tvb;
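
Review bot: `offset` becomes a signed `int` here and in `dissect_ncp`, while every index in the earlier hunks becomes `unsigned`. The uses of `offset` are outside the visible context, so confirm on rebase that it is not compared against an unsigned length, which would bring back an implicit signed/unsigned conversion (and a `-Wsign-compare` warning).
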
> +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
> +
> + static int
> + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
> +- guint16 offset = 0;
> ++ int offset = 0;
> + proto_tree *ncp_tree;
> + proto_item *ncp_item;
> + tvbuff_t *ncp_mb_tvb;
> +--
> +2.25.1
> +
> diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> index 693a16793..7d49c3c27 100644
> --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> @@ -16,6 +16,7 @@ SRC_URI += " \
> file://0003-bison-Remove-line-directives.patch \
> file://0004-lemon-Remove-line-directives.patch \
> file://CVE-2022-3190.patch \
> + file://CVE-2023-2952.patch \
> "
>
> UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
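
Review bot: this SRC_URI hunk expects `file://CVE-2022-3190.patch \` to be the last entry before the closing quote. With other wireshark patches already queued in stable/mickledore-nut, as the reply above says, that context will differ, so regenerate the hunk against that branch and append `file://CVE-2023-2952.patch \` after the entries already there.
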
>