* [meta-networking][kirkstone][PATCH] wireshark: CVE-2022-3190 Infinite loop in legacy style dissector
@ 2022-09-26 11:40 Hitendra Prajapati
From: Hitendra Prajapati @ 2022-09-26 11:40 UTC
To: openembedded-devel; +Cc: Hitendra Prajapati
Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
MR: 122044
Type: Security Fix
Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5
Description:
CVE-2022-3190 wireshark: Infinite loop in legacy style dissector.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../wireshark/files/CVE-2022-3190.patch | 145 ++++++++++++++++++
.../wireshark/wireshark_3.4.12.bb | 1 +
2 files changed, 146 insertions(+)
create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
new file mode 100644
index 0000000000..0b987700f5
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
@@ -0,0 +1,145 @@
+From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 26 Sep 2022 12:47:00 +0530
+Subject: [PATCH] CVE-2022-3190
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
+CVE : CVE-2022-3190
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
+ 1 file changed, 56 insertions(+), 52 deletions(-)
+
+diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
+index ed77dfd..b15b0d4 100644
+--- a/epan/dissectors/packet-f5ethtrailer.c
++++ b/epan/dissectors/packet-f5ethtrailer.c
+@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
+ static gint
+ dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+ {
+- proto_tree *type_tree = NULL;
+- proto_item *ti = NULL;
+ guint offset = 0;
+- guint processed = 0;
+- f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
+- guint8 type;
+- guint8 len;
+- guint8 ver;
+
+ /* While we still have data in the trailer. For old format trailers, this needs
+ * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
+ * All old format trailers are at least 4 bytes long, so just check for length of magic.
+ */
+- while (tvb_reported_length_remaining(tvb, offset)) {
+- type = tvb_get_guint8(tvb, offset);
+- len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
+- ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
+-
+- if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
+- && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
+- && ver <= F5TRAILER_VER_MAX) {
+- /* Parse out the specified trailer. */
+- switch (type) {
+- case F5TYPE_LOW:
+- ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
+- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
+-
+- processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+- if (processed > 0) {
+- tdata->trailer_len += processed;
+- tdata->noise_low = 1;
+- }
+- break;
+- case F5TYPE_MED:
+- ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
+- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
+-
+- processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+- if (processed > 0) {
+- tdata->trailer_len += processed;
+- tdata->noise_med = 1;
+- }
+- break;
+- case F5TYPE_HIGH:
+- ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
+- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
+-
+- processed =
+- dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+- if (processed > 0) {
+- tdata->trailer_len += processed;
+- tdata->noise_high = 1;
+- }
+- break;
++ while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
++ /* length field does not include the type and length bytes. Add them back in */
++ guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
++ if (len > tvb_reported_length_remaining(tvb, offset)
++ || len < F5_MIN_SANE || len > F5_MAX_SANE) {
++ /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
++ return offset;
++ }
++ guint8 type = tvb_get_guint8(tvb, offset);
++ guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
++
++ /* Parse out the specified trailer. */
++ proto_tree *type_tree = NULL;
++ proto_item *ti = NULL;
++ f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
++ guint processed = 0;
++
++ switch (type) {
++ case F5TYPE_LOW:
++ ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
++
++ processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++ if (processed > 0) {
++ tdata->trailer_len += processed;
++ tdata->noise_low = 1;
+ }
+- if (processed == 0) {
+- proto_item_set_len(ti, 1);
+- return offset;
++ break;
++ case F5TYPE_MED:
++ ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
++
++ processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++ if (processed > 0) {
++ tdata->trailer_len += processed;
++ tdata->noise_med = 1;
++ }
++ break;
++ case F5TYPE_HIGH:
++ ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
++
++ processed =
++ dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++ if (processed > 0) {
++ tdata->trailer_len += processed;
++ tdata->noise_high = 1;
+ }
++ break;
++ default:
++ /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
++ return offset;
++ }
++ if (processed == 0) {
++ /* couldn't process trailer - bali out */
++ proto_item_set_len(ti, 1);
++ return offset;
+ }
+ offset += processed;
+ }
+-return offset;
++ return offset;
+ } /* dissect_old_trailer() */
+
+ /*---------------------------------------------------------------------------*/
+--
+2.25.1
+
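Review bot: in the rewritten loop of dissect_old_trailer(), the `ver <= F5TRAILER_VER_MAX` bound carried by the removed `if` is no longer applied. `ver` is read and passed straight to dissect_low_trailer(), dissect_med_trailer() and dissect_high_trailer(), while the length and type checks were kept (the early `return offset` and the new `default:` case). Please confirm this matches the upstream commit and that those three helpers return 0 for a version they do not handle, so the `processed == 0` bail-out still ends the loop; otherwise add `ver > F5TRAILER_VER_MAX` to the early-return condition. Separately, `guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;` truncates the sum to 8 bits, so rejecting a wrapped value rests entirely on the `len < F5_MIN_SANE` test; holding the sum in a `guint` would make the bound explicit. In the patch header, the tag is normally written `CVE: CVE-2022-3190`, with no space before the colon.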
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 38fdbce892..1a4aedc139 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -15,6 +15,7 @@ SRC_URI += " \
file://0002-flex-Remove-line-directives.patch \
file://0003-bison-Remove-line-directives.patch \
file://0004-lemon-Remove-line-directives.patch \
+ file://CVE-2022-3190.patch \
"
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
--
2.25.1
* Re: [oe] [meta-networking][kirkstone][PATCH] wireshark: CVE-2022-3190 Infinite loop in legacy style dissector
From: akuster808 @ 2022-09-26 17:47 UTC
To: Hitendra Prajapati, openembedded-devel
Any reason why updating to the latest stable 3.14.16 version is not
appropriate?
- armin
On 9/26/22 07:40, Hitendra Prajapati wrote:
> Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
> MR: 122044
> Type: Security Fix
> Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
> ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5
> Description:
> CVE-2022-3190 wireshark: Infinite loop in legacy style dissector.
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../wireshark/files/CVE-2022-3190.patch | 145 ++++++++++++++++++
> .../wireshark/wireshark_3.4.12.bb | 1 +
> 2 files changed, 146 insertions(+)
> create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
>
> diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
> new file mode 100644
> index 0000000000..0b987700f5
> --- /dev/null
> +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
> @@ -0,0 +1,145 @@
> +From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
> +From: Hitendra Prajapati <hprajapati@mvista.com>
> +Date: Mon, 26 Sep 2022 12:47:00 +0530
> +Subject: [PATCH] CVE-2022-3190
> +
> +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
> +CVE : CVE-2022-3190
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
> + 1 file changed, 56 insertions(+), 52 deletions(-)
> +
> +diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
> +index ed77dfd..b15b0d4 100644
> +--- a/epan/dissectors/packet-f5ethtrailer.c
> ++++ b/epan/dissectors/packet-f5ethtrailer.c
> +@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
> + static gint
> + dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
> + {
> +- proto_tree *type_tree = NULL;
> +- proto_item *ti = NULL;
> + guint offset = 0;
> +- guint processed = 0;
> +- f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
> +- guint8 type;
> +- guint8 len;
> +- guint8 ver;
> +
> + /* While we still have data in the trailer. For old format trailers, this needs
> + * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
> + * All old format trailers are at least 4 bytes long, so just check for length of magic.
> + */
> +- while (tvb_reported_length_remaining(tvb, offset)) {
> +- type = tvb_get_guint8(tvb, offset);
> +- len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
> +- ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
> +-
> +- if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
> +- && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
> +- && ver <= F5TRAILER_VER_MAX) {
> +- /* Parse out the specified trailer. */
> +- switch (type) {
> +- case F5TYPE_LOW:
> +- ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
> +- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
> +-
> +- processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> +- if (processed > 0) {
> +- tdata->trailer_len += processed;
> +- tdata->noise_low = 1;
> +- }
> +- break;
> +- case F5TYPE_MED:
> +- ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
> +- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
> +-
> +- processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> +- if (processed > 0) {
> +- tdata->trailer_len += processed;
> +- tdata->noise_med = 1;
> +- }
> +- break;
> +- case F5TYPE_HIGH:
> +- ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
> +- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
> +-
> +- processed =
> +- dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> +- if (processed > 0) {
> +- tdata->trailer_len += processed;
> +- tdata->noise_high = 1;
> +- }
> +- break;
> ++ while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
> ++ /* length field does not include the type and length bytes. Add them back in */
> ++ guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
> ++ if (len > tvb_reported_length_remaining(tvb, offset)
> ++ || len < F5_MIN_SANE || len > F5_MAX_SANE) {
> ++ /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
> ++ return offset;
> ++ }
> ++ guint8 type = tvb_get_guint8(tvb, offset);
> ++ guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
> ++
> ++ /* Parse out the specified trailer. */
> ++ proto_tree *type_tree = NULL;
> ++ proto_item *ti = NULL;
> ++ f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
> ++ guint processed = 0;
> ++
> ++ switch (type) {
> ++ case F5TYPE_LOW:
> ++ ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
> ++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
> ++
> ++ processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> ++ if (processed > 0) {
> ++ tdata->trailer_len += processed;
> ++ tdata->noise_low = 1;
> + }
> +- if (processed == 0) {
> +- proto_item_set_len(ti, 1);
> +- return offset;
> ++ break;
> ++ case F5TYPE_MED:
> ++ ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
> ++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
> ++
> ++ processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> ++ if (processed > 0) {
> ++ tdata->trailer_len += processed;
> ++ tdata->noise_med = 1;
> ++ }
> ++ break;
> ++ case F5TYPE_HIGH:
> ++ ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
> ++ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
> ++
> ++ processed =
> ++ dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> ++ if (processed > 0) {
> ++ tdata->trailer_len += processed;
> ++ tdata->noise_high = 1;
> + }
> ++ break;
> ++ default:
> ++ /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
> ++ return offset;
> ++ }
> ++ if (processed == 0) {
> ++ /* couldn't process trailer - bali out */
> ++ proto_item_set_len(ti, 1);
> ++ return offset;
> + }
> + offset += processed;
> + }
> +-return offset;
> ++ return offset;
> + } /* dissect_old_trailer() */
> +
> + /*---------------------------------------------------------------------------*/
> +--
> +2.25.1
> +
> diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> index 38fdbce892..1a4aedc139 100644
> --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> @@ -15,6 +15,7 @@ SRC_URI += " \
> file://0002-flex-Remove-line-directives.patch \
> file://0003-bison-Remove-line-directives.patch \
> file://0004-lemon-Remove-line-directives.patch \
> + file://CVE-2022-3190.patch \
> "
>
> UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
>