path: root/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch
blob: 1fc4a5fe387221d2acc3421f80316a09fbabb07b (plain)
From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Sat, 13 May 2023 21:45:16 -0400
Subject: GDSDB: Make sure our offset advances.

add_uint_string() returns the next offset to use, not the number
of bytes consumed. So to consume all the bytes and make sure the
offset advances, return the entire reported tvb length, not the
number of bytes remaining.

Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f

Fixes #19068

Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677]
CVE: CVE-2022-0585 & CVE-2023-2879
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c
index 95fed7e..950d68f 100644
--- a/epan/dissectors/packet-gdsdb.c
+++ b/epan/dissectors/packet-gdsdb.c
@@ -15,6 +15,7 @@
 #include "config.h"
 
 #include <epan/packet.h>
+#include <epan/expert.h>
 
 void proto_register_gdsdb(void);
 void proto_reg_handoff_gdsdb(void);
@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1;
 static int hf_gdsdb_sqlresponse_messages = -1;
 #endif
 
+static expert_field ei_gdsdb_invalid_length = EI_INIT;
+
 enum
 {
 	op_void                   = 0,
@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o
 						offset, 4, ENC_ASCII|ENC_BIG_ENDIAN);
 	length = dword_align(tvb_get_ntohl(tvb, offset))+4;
 	proto_item_set_len(ti, length);
-	return offset + length;
+	int ret_offset = offset + length;
+	if (length < 4 || ret_offset < offset) {
+		expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length);
+		return tvb_reported_length(tvb);
+	}
+	return ret_offset;
 }
 
 static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset)
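Review bot: The wrap-around test `ret_offset < offset` runs only after `offset + length` has been computed, and if both operands are signed `int` (as `int ret_offset` and the `%d` format suggest) that overflow is undefined behaviour, so a compiler may drop the test. Checking the bound before the addition avoids this: `if (length < 4 || length > G_MAXINT - offset)`. The same concern applies to the `+4` added to `dword_align(...)` of a 32-bit value read from the packet. `proto_item_set_len(ti, length)` is also still called before the check, so moving it below the validation would keep an unvalidated length out of the tree item. The declaration of `length` and the start of add_uint_string are outside the hunk.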
@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U
 								offset, 4, ENC_BIG_ENDIAN);
 
 		/* opcode < op_max */
+		int old_offset = offset;
 		offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4);
+		if (offset <= old_offset) {
+			expert_add_info(NULL, ti, &ei_gdsdb_invalid_length);
+			return tvb_reported_length_remaining(tvb, old_offset);
+		}
 		if (offset < 0)
 		{
 			/* But at this moment we don't know how much we will need */
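Review bot: The new `offset <= old_offset` test sits ahead of the existing `if (offset < 0)` branch, so any negative return from a handler is now reported as an invalid length and that branch can no longer be reached (assuming `old_offset` is never negative here). If handlers use a negative value to ask for more data, as the comment inside the branch suggests, that path is silently disabled; testing `offset < 0` first, or narrowing the new condition to `offset >= 0 && offset <= old_offset`, would keep both behaviours. `pinfo` is in scope at this point, so `expert_add_info(pinfo, ti, &ei_gdsdb_invalid_length);` is preferable to passing `NULL`. The rest of dissect_gdsdb lies outside the hunk.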
@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void)
 		&ett_gdsdb_connect_pref
 	};
 
+/* Expert info */
+	static ei_register_info ei[] = {
+		{ &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR,
+			"Invalid length", EXPFILL }},
+	};
+
 	proto_gdsdb = proto_register_protocol(
 		"Firebird SQL Database Remote Protocol",
 		"FB/IB GDS DB", "gdsdb");
 
 	proto_register_field_array(proto_gdsdb, hf, array_length(hf));
 	proto_register_subtree_array(ett, array_length(ett));
+	expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb);
+	expert_register_field_array(expert_gdsdb, ei, array_length(ei));
 }
 
 void
-- 
2.25.1