* [meta-networking][mickledore][PATCH] wireshark: CVE-2023-2952 XRA dissector infinite loop
From: Hitendra Prajapati @ 2023-06-12 11:28 UTC (permalink / raw)
To: openembedded-devel; +Cc: Hitendra Prajapati
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../wireshark/files/CVE-2023-2952.patch | 98 +++++++++++++++++++
.../wireshark/wireshark_3.4.12.bb | 1 +
2 files changed, 99 insertions(+)
create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
new file mode 100644
index 000000000..41b02bb3f
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
@@ -0,0 +1,98 @@
+From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 23 May 2023 13:52:03 -0700
+Subject: [PATCH] XRA: Fix an infinite loop
+
+C compilers don't care what size a value was on the wire. Use
+naturally-sized ints, including in dissect_message_channel_mb where we
+would otherwise overflow and loop infinitely.
+
+Fixes #19100
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
+CVE: CVE-2023-2952
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-xra.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
+index 68a8e72..6c7ab74 100644
+--- a/epan/dissectors/packet-xra.c
++++ b/epan/dissectors/packet-xra.c
+@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+ it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
+ xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
+
+- guint32 tlv_index =0;
++ unsigned tlv_index = 0;
+ while (tlv_index < tlv_length) {
+ guint8 type = tvb_get_guint8 (tvb, tlv_index);
+ ++tlv_index;
+@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
+ it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
+ xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
+
+- guint32 tlv_index =0;
++ unsigned tlv_index = 0;
+ while (tlv_index < tlv_length) {
+ guint8 type = tvb_get_guint8 (tvb, tlv_index);
+ ++tlv_index;
+@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
+ it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
+ xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
+
+- guint32 tlv_index =0;
++ unsigned tlv_index = 0;
+ while (tlv_index < tlv_length) {
+ guint8 type = tvb_get_guint8 (tvb, tlv_index);
+ ++tlv_index;
+@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
+ it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
+ xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
+
+- guint32 tlv_index =0;
++ unsigned tlv_index = 0;
+ tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
+
+ while (tlv_index < tlv_length) {
+@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+ if(packet_start_pointer_field_present) {
+ proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
+
+- guint16 docsis_start = 3 + packet_start_pointer;
++ unsigned docsis_start = 3 + packet_start_pointer;
+ while (docsis_start + 6 < remaining_length) {
+ /*DOCSIS header in packet*/
+ guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
+@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
+ docsis_start += 1;
+ continue;
+ }
+- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+ if (docsis_start + 6 + docsis_length <= remaining_length) {
+ /*DOCSIS packet included in packet*/
+ tvbuff_t *docsis_tvb;
+@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
+ static int
+ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
+
+- guint16 offset = 0;
++ int offset = 0;
+ proto_tree *plc_tree;
+ proto_item *plc_item;
+ tvbuff_t *mb_tvb;
+@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
+
+ static int
+ dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
+- guint16 offset = 0;
++ int offset = 0;
+ proto_tree *ncp_tree;
+ proto_item *ncp_item;
+ tvbuff_t *ncp_mb_tvb;
+--
+2.25.1
+
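Review bot: The `docsis_start` and `docsis_length` declarations in `dissect_message_channel_mb` are the lines that actually close CVE-2023-2952, yet nothing at the declaration says their width matters. A comment such as `/* must be wider than the 16-bit wire fields: with guint16 the offset arithmetic overflowed and the loop never terminated (CVE-2023-2952) */` would keep a later cleanup from narrowing them again. The length would also read more clearly as `unsigned docsis_length = tvb_get_ntohs(tvb, docsis_start + 2);` than as the manual `256*... + ...` sum. `dissect_plc` and `dissect_ncp` switch `offset` to a signed `int` while the other hunks use `unsigned`; their bodies lie outside the hunks, so it is worth confirming that `offset` is never compared against an unsigned length there. The `guint32` to `unsigned` changes to `tlv_index` look type-equivalent on common platforms and appear to carry no behavioural fix.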
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 693a16793..7d49c3c27 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -16,6 +16,7 @@ SRC_URI += " \
file://0003-bison-Remove-line-directives.patch \
file://0004-lemon-Remove-line-directives.patch \
file://CVE-2022-3190.patch \
+ file://CVE-2023-2952.patch \
"
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
--
2.25.1
* Re: [oe] [meta-networking][mickledore][PATCH] wireshark: CVE-2023-2952 XRA dissector infinite loop
From: akuster808 @ 2023-06-15 12:13 UTC (permalink / raw)
To: Hitendra Prajapati, openembedded-devel
On 6/12/23 7:28 AM, Hitendra Prajapati wrote:
> Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
This does not apply; there are other wireshark patches stacked up in
stable/mickledore-nut that you can rebase on.
- armin
> ---
> .../wireshark/files/CVE-2023-2952.patch | 98 +++++++++++++++++++
> .../wireshark/wireshark_3.4.12.bb | 1 +
> 2 files changed, 99 insertions(+)
> create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
>
> diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
> new file mode 100644
> index 000000000..41b02bb3f
> --- /dev/null
> +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
> @@ -0,0 +1,98 @@
> +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
> +From: Gerald Combs <gerald@wireshark.org>
> +Date: Tue, 23 May 2023 13:52:03 -0700
> +Subject: [PATCH] XRA: Fix an infinite loop
> +
> +C compilers don't care what size a value was on the wire. Use
> +naturally-sized ints, including in dissect_message_channel_mb where we
> +would otherwise overflow and loop infinitely.
> +
> +Fixes #19100
> +
> +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
> +CVE: CVE-2023-2952
> +
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + epan/dissectors/packet-xra.c | 16 ++++++++--------
> + 1 file changed, 8 insertions(+), 8 deletions(-)
> +
> +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
> +index 68a8e72..6c7ab74 100644
> +--- a/epan/dissectors/packet-xra.c
> ++++ b/epan/dissectors/packet-xra.c
> +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
> + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
> + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
> +
> +- guint32 tlv_index =0;
> ++ unsigned tlv_index = 0;
> + while (tlv_index < tlv_length) {
> + guint8 type = tvb_get_guint8 (tvb, tlv_index);
> + ++tlv_index;
> +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
> + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
> + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
> +
> +- guint32 tlv_index =0;
> ++ unsigned tlv_index = 0;
> + while (tlv_index < tlv_length) {
> + guint8 type = tvb_get_guint8 (tvb, tlv_index);
> + ++tlv_index;
> +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
> + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
> + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
> +
> +- guint32 tlv_index =0;
> ++ unsigned tlv_index = 0;
> + while (tlv_index < tlv_length) {
> + guint8 type = tvb_get_guint8 (tvb, tlv_index);
> + ++tlv_index;
> +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
> + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
> + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
> +
> +- guint32 tlv_index =0;
> ++ unsigned tlv_index = 0;
> + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
> +
> + while (tlv_index < tlv_length) {
> +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
> + if(packet_start_pointer_field_present) {
> + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
> +
> +- guint16 docsis_start = 3 + packet_start_pointer;
> ++ unsigned docsis_start = 3 + packet_start_pointer;
> + while (docsis_start + 6 < remaining_length) {
> + /*DOCSIS header in packet*/
> + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
> +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
> + docsis_start += 1;
> + continue;
> + }
> +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
> ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
> + if (docsis_start + 6 + docsis_length <= remaining_length) {
> + /*DOCSIS packet included in packet*/
> + tvbuff_t *docsis_tvb;
> +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
> + static int
> + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
> +
> +- guint16 offset = 0;
> ++ int offset = 0;
> + proto_tree *plc_tree;
> + proto_item *plc_item;
> + tvbuff_t *mb_tvb;
> +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
> +
> + static int
> + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
> +- guint16 offset = 0;
> ++ int offset = 0;
> + proto_tree *ncp_tree;
> + proto_item *ncp_item;
> + tvbuff_t *ncp_mb_tvb;
> +--
> +2.25.1
> +
> diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> index 693a16793..7d49c3c27 100644
> --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> @@ -16,6 +16,7 @@ SRC_URI += " \
> file://0003-bison-Remove-line-directives.patch \
> file://0004-lemon-Remove-line-directives.patch \
> file://CVE-2022-3190.patch \
> + file://CVE-2023-2952.patch \
> "
>
> UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
>