path: root/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch
blob: 41b02bb3fa8595675fb060b50da167b91130173e (plain)
From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Tue, 23 May 2023 13:52:03 -0700
Subject: [PATCH] XRA: Fix an infinite loop

C compilers don't care what size a value was on the wire. Use
naturally-sized ints, including in dissect_message_channel_mb where we
would otherwise overflow and loop infinitely.

Fixes #19100

Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
CVE: CVE-2023-2952

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 epan/dissectors/packet-xra.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
index 68a8e72..6c7ab74 100644
--- a/epan/dissectors/packet-xra.c
+++ b/epan/dissectors/packet-xra.c
@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
   it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
   xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
 
-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
   while (tlv_index < tlv_length) {
     guint8 type = tvb_get_guint8 (tvb, tlv_index);
     ++tlv_index;
@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
   it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
   xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
 
-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
   while (tlv_index < tlv_length) {
     guint8 type = tvb_get_guint8 (tvb, tlv_index);
     ++tlv_index;
@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
   it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
   xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
 
-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
   while (tlv_index < tlv_length) {
     guint8 type = tvb_get_guint8 (tvb, tlv_index);
     ++tlv_index;
@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
   it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
   xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
 
-  guint32 tlv_index =0;
+  unsigned tlv_index = 0;
   tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
 
   while (tlv_index < tlv_length) {
@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
   if(packet_start_pointer_field_present) {
     proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
 
-    guint16 docsis_start = 3 + packet_start_pointer;
+    unsigned docsis_start = 3 + packet_start_pointer;
     while (docsis_start + 6 < remaining_length) {
       /*DOCSIS header in packet*/
       guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
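Review bot: The widened `docsis_start` declaration has no comment saying why it must not be a 16-bit type, so a later cleanup that "matches the wire size" could reintroduce the wrap-around this commit fixes. `packet_start_pointer` is read from a 2-byte field on the line above, and the loop adds to `docsis_start` on every pass, so the sum has to live in something wider than the field it came from. I would add `/* wider than the 16-bit wire fields: docsis_start + 6 + docsis_length must not wrap, or the loop never terminates */` above the declaration; the same reasoning covers `docsis_length` in the next hunk. The loop body continues outside this hunk, including the statement that advances `docsis_start`.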
@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
         docsis_start += 1;
         continue;
       }
-      guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+      unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
       if (docsis_start + 6 + docsis_length <= remaining_length) {
         /*DOCSIS packet included in packet*/
         tvbuff_t *docsis_tvb;
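Review bot: The `docsis_length` line still builds the big-endian 16-bit length by hand from two `tvb_get_guint8` calls. `unsigned docsis_length = tvb_get_ntohs(tvb, docsis_start + 2);` reads the same two bytes in one bounds-checked access and makes the byte order explicit. The statement that advances `docsis_start` after this `if` is outside the hunk, so whether every path moves the index forward cannot be confirmed from here. A brief comment at that increment stating the minimum step would make the loop bound easy to audit.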
@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
 static int
 dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) {
 
-  guint16 offset = 0;
+  int offset = 0;
   proto_tree *plc_tree;
   proto_item *plc_item;
   tvbuff_t *mb_tvb;
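Review bot: `offset` becomes a signed `int` here and in `dissect_ncp` in the next hunk, while every other index touched by this commit became `unsigned`, and nothing in the code records why. The bodies of both functions are outside the hunks, so how `offset` is advanced and what it is compared with cannot be seen. If it is compared against an unsigned length, it is converted to unsigned for the comparison, which is worth confirming with `-Wsign-compare`. A one-line comment such as `/* int to match the dissector's return value; must stay non-negative */` would document the choice.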
@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
 
 static int
 dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) {
-  guint16 offset = 0;
+  int offset = 0;
   proto_tree *ncp_tree;
   proto_item *ncp_item;
   tvbuff_t *ncp_mb_tvb;
-- 
2.25.1