authorHitendra Prajapati <hprajapati@mvista.com>2022-09-26 17:10:55 +0530
committerKhem Raj <raj.khem@gmail.com>2022-09-26 18:14:53 -0700
commitde66eb0c0dae0930f9e1ba7a358db1ae6b3f2849 (patch)
tree80ae582e7103066a4d88d01ea8c5c23f8926d317
parentc350665f61ab3e6f36b131852d7e388f90476ef7 (diff)
downloadmeta-openembedded-de66eb0c0dae0930f9e1ba7a358db1ae6b3f2849.tar.gz
wireshark: CVE-2022-3190 Infinite loop in legacy style dissector
Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67 MR: 122044 Type: Security Fix Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67 ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5 Description: CVE-2022-3190 wireshark: Infinite loop in legacy style dissector. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r--meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch145
-rw-r--r--meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb1
2 files changed, 146 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
new file mode 100644
index 0000000000..0b987700f5
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
@@ -0,0 +1,145 @@
+From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 26 Sep 2022 12:47:00 +0530
+Subject: [PATCH] CVE-2022-3190
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
+CVE : CVE-2022-3190
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
+ 1 file changed, 56 insertions(+), 52 deletions(-)
+
+diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
+index ed77dfd..b15b0d4 100644
+--- a/epan/dissectors/packet-f5ethtrailer.c
++++ b/epan/dissectors/packet-f5ethtrailer.c
+@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
+ static gint
+ dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+ {
+- proto_tree *type_tree = NULL;
+- proto_item *ti = NULL;
+ guint offset = 0;
+- guint processed = 0;
+- f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
+- guint8 type;
+- guint8 len;
+- guint8 ver;
+
+ /* While we still have data in the trailer. For old format trailers, this needs
+ * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
+ * All old format trailers are at least 4 bytes long, so just check for length of magic.
+ */
+- while (tvb_reported_length_remaining(tvb, offset)) {
+- type = tvb_get_guint8(tvb, offset);
+- len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
+- ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
+-
+- if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
+- && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
+- && ver <= F5TRAILER_VER_MAX) {
+- /* Parse out the specified trailer. */
+- switch (type) {
+- case F5TYPE_LOW:
+- ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
+- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
+-
+- processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+- if (processed > 0) {
+- tdata->trailer_len += processed;
+- tdata->noise_low = 1;
+- }
+- break;
+- case F5TYPE_MED:
+- ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
+- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
+-
+- processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+- if (processed > 0) {
+- tdata->trailer_len += processed;
+- tdata->noise_med = 1;
+- }
+- break;
+- case F5TYPE_HIGH:
+- ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
+- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
+-
+- processed =
+- dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+- if (processed > 0) {
+- tdata->trailer_len += processed;
+- tdata->noise_high = 1;
+- }
+- break;
++ while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
++ /* length field does not include the type and length bytes. Add them back in */
++ guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
++ if (len > tvb_reported_length_remaining(tvb, offset)
++ || len < F5_MIN_SANE || len > F5_MAX_SANE) {
++ /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
++ return offset;
++ }
++ guint8 type = tvb_get_guint8(tvb, offset);
++ guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
++
++ /* Parse out the specified trailer. */
++ proto_tree *type_tree = NULL;
++ proto_item *ti = NULL;
++ f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
++ guint processed = 0;
++
++ switch (type) {
++ case F5TYPE_LOW:
++ ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
++
++ processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++ if (processed > 0) {
++ tdata->trailer_len += processed;
++ tdata->noise_low = 1;
+ }
+- if (processed == 0) {
+- proto_item_set_len(ti, 1);
+- return offset;
++ break;
++ case F5TYPE_MED:
++ ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
++
++ processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++ if (processed > 0) {
++ tdata->trailer_len += processed;
++ tdata->noise_med = 1;
++ }
++ break;
++ case F5TYPE_HIGH:
++ ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
++
++ processed =
++ dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++ if (processed > 0) {
++ tdata->trailer_len += processed;
++ tdata->noise_high = 1;
+ }
++ break;
++ default:
++ /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
++ return offset;
++ }
++ if (processed == 0) {
++ /* couldn't process trailer - bali out */
++ proto_item_set_len(ti, 1);
++ return offset;
+ }
+ offset += processed;
+ }
+-return offset;
++ return offset;
+ } /* dissect_old_trailer() */
+
+ /*---------------------------------------------------------------------------*/
+--
+2.25.1
+
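Review bot: The rewritten loop in `dissect_old_trailer` no longer bounds the version byte: the removed condition included `ver <= F5TRAILER_VER_MAX`, but the new guard validates only `len`, and `type` is covered by the `default:` case. An out-of-range `ver` therefore reaches `proto_tree_add_item` and the `dissect_low_trailer`/`dissect_med_trailer`/`dissect_high_trailer` helpers, and a clean exit then depends on those helpers returning 0 for a version they do not handle, which this hunk does not show. If that is not guaranteed, the bound can be restored right after `ver` is read with `if (ver > F5TRAILER_VER_MAX) return offset;`. Separately, `guint8 len` stores the length byte plus `F5_OFF_VERSION`, so the sum can wrap for length bytes near 255 and is rejected only if the wrapped value falls below `F5_MIN_SANE`; declaring it `guint len` would make the range check independent of that. Since this is a verbatim backport, either change is probably best confirmed against upstream rather than carried as a local deviation.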
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 38fdbce892..1a4aedc139 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -15,6 +15,7 @@ SRC_URI += " \
file://0002-flex-Remove-line-directives.patch \
file://0003-bison-Remove-line-directives.patch \
file://0004-lemon-Remove-line-directives.patch \
+ file://CVE-2022-3190.patch \
"
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"