From: Hitendra Prajapati <hprajapati@mvista.com>
To: openembedded-devel@lists.openembedded.org
Cc: Hitendra Prajapati <hprajapati@mvista.com>
Subject: [meta-networking][kirkstone][PATCH] wireshark: CVE-2022-3190 Infinite loop in legacy style dissector
Date: Mon, 26 Sep 2022 17:10:55 +0530
Message-ID: <20220926114055.4607-1-hprajapati@mvista.com>

Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
MR: 122044
Type: Security Fix
Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5
Description:
          CVE-2022-3190 wireshark: Infinite loop in legacy style dissector.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../wireshark/files/CVE-2022-3190.patch       | 145 ++++++++++++++++++
 .../wireshark/wireshark_3.4.12.bb             |   1 +
 2 files changed, 146 insertions(+)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
new file mode 100644
index 0000000000..0b987700f5
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
@@ -0,0 +1,145 @@
+From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 26 Sep 2022 12:47:00 +0530
+Subject: [PATCH] CVE-2022-3190
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
+CVE : CVE-2022-3190
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
+ 1 file changed, 56 insertions(+), 52 deletions(-)
+
+diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
+index ed77dfd..b15b0d4 100644
+--- a/epan/dissectors/packet-f5ethtrailer.c
++++ b/epan/dissectors/packet-f5ethtrailer.c
+@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
+ static gint
+ dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+ {
+-    proto_tree *type_tree   = NULL;
+-    proto_item *ti          = NULL;
+     guint offset            = 0;
+-    guint processed         = 0;
+-    f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
+-    guint8 type;
+-    guint8 len;
+-    guint8 ver;
+ 
+     /* While we still have data in the trailer.  For old format trailers, this needs
+      * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
+      * All old format trailers are at least 4 bytes long, so just check for length of magic.
+      */
+-    while (tvb_reported_length_remaining(tvb, offset)) {
+-        type = tvb_get_guint8(tvb, offset);
+-        len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
+-        ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
+-
+-        if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
+-            && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
+-            && ver <= F5TRAILER_VER_MAX) {
+-            /* Parse out the specified trailer. */
+-            switch (type) {
+-            case F5TYPE_LOW:
+-                ti        = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
+-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
+-
+-                processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+-                if (processed > 0) {
+-                    tdata->trailer_len += processed;
+-                    tdata->noise_low = 1;
+-                }
+-                break;
+-            case F5TYPE_MED:
+-                ti        = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
+-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
+-
+-                processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+-                if (processed > 0) {
+-                    tdata->trailer_len += processed;
+-                    tdata->noise_med = 1;
+-                }
+-                break;
+-            case F5TYPE_HIGH:
+-                ti        = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
+-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
+-
+-                processed =
+-                    dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+-                if (processed > 0) {
+-                    tdata->trailer_len += processed;
+-                    tdata->noise_high = 1;
+-                }
+-                break;
++    while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
++        /* length field does not include the type and length bytes.  Add them back in */
++        guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
++        if (len > tvb_reported_length_remaining(tvb, offset)
++            || len < F5_MIN_SANE || len > F5_MAX_SANE) {
++            /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
++            return offset;
++        }
++        guint8 type = tvb_get_guint8(tvb, offset);
++        guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
++
++        /* Parse out the specified trailer. */
++        proto_tree *type_tree   = NULL;
++        proto_item *ti          = NULL;
++        f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
++        guint processed = 0;
++
++        switch (type) {
++        case F5TYPE_LOW:
++            ti        = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
++
++            processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++            if (processed > 0) {
++                tdata->trailer_len += processed;
++                tdata->noise_low = 1;
+             }
+-            if (processed == 0) {
+-                proto_item_set_len(ti, 1);
+-                return offset;
++            break;
++        case F5TYPE_MED:
++            ti        = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
++
++            processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++            if (processed > 0) {
++                tdata->trailer_len += processed;
++                tdata->noise_med = 1;
++            }
++            break;
++        case F5TYPE_HIGH:
++            ti        = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
++
++            processed =
++                dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++            if (processed > 0) {
++                tdata->trailer_len += processed;
++                tdata->noise_high = 1;
+             }
++            break;
++        default:
++            /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
++            return offset;
++        }
++        if (processed == 0) {
++            /* couldn't process trailer - bali out */
++            proto_item_set_len(ti, 1);
++            return offset;
+         }
+         offset += processed;
+     }
+-return offset;
++    return offset;
+ } /* dissect_old_trailer() */
+ 
+ /*---------------------------------------------------------------------------*/
+-- 
+2.25.1
+
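Review bot: In the rewritten loop of dissect_old_trailer(), `ver` is read but never validated, whereas the removed condition required `ver <= F5TRAILER_VER_MAX` before dispatching on `type`. Please confirm this matches the upstream commit and that dissect_low_trailer(), dissect_med_trailer() and dissect_high_trailer() return 0 for a version they do not handle, so that such a trailer ends dissection through the `processed == 0` return instead of being parsed as a known version. Two smaller points: the comment above the loop still describes checking for the length of the magic header although the condition now compares against F5_MIN_SANE, and the header tag `CVE : CVE-2022-3190` is normally written `CVE: CVE-2022-3190` in OE patch headers, with no space before the colon.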
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 38fdbce892..1a4aedc139 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -15,6 +15,7 @@ SRC_URI += " \
     file://0002-flex-Remove-line-directives.patch \
     file://0003-bison-Remove-line-directives.patch \
     file://0004-lemon-Remove-line-directives.patch \
+    file://CVE-2022-3190.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-- 
2.25.1


