Skip to content

Commit 5f46d71

Browse files
anusurivijayakuster
authored andcommitted
wireshark: Fix for CVE-2023-4511
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
1 parent 182c474 commit 5f46d71

2 files changed

Lines changed: 82 additions & 0 deletions

File tree

Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001
2+
From: John Thacker <johnthacker@gmail.com>
3+
Date: Thu, 10 Aug 2023 05:29:09 -0400
4+
Subject: [PATCH] btsdp: Keep offset advancing
5+
6+
hf_data_element_value is a FT_NONE, so we can add the item with
7+
the expected length and get_hfi_length() will adjust the length
8+
without throwing an exception. There's no need to add it with
9+
zero length and call proto_item_set_len. Also, don't increment
10+
the offset by 0 instead of the real length when there isn't
11+
enough data in the packet, as that can lead to failing to advance
12+
the offset.
13+
14+
When dissecting a sequence type (sequence or alternative) and
15+
recursing into the sequence member, instead of using the main
16+
packet tvb directly, create a subset using the indicated length
17+
of the sequence. That will properly throw an exception if a
18+
contained item is larger than the containing sequence, instead of
19+
dissecting the same bytes as several different items (inside
20+
the sequence recursively, as well in the outer loop.)
21+
22+
Fix #19258
23+
24+
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9]
25+
CVE: CVE-2023-4511
26+
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
27+
---
28+
epan/dissectors/packet-btsdp.c | 15 ++++++++-------
29+
1 file changed, 8 insertions(+), 7 deletions(-)
30+
31+
diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
32+
index 397ece7..eb7f5fa 100644
33+
--- a/epan/dissectors/packet-btsdp.c
34+
+++ b/epan/dissectors/packet-btsdp.c
35+
@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree,
36+
offset += len - length;
37+
}
38+
39+
- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA);
40+
+ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA);
41+
if (length > tvb_reported_length_remaining(tvb, offset)) {
42+
expert_add_info(pinfo, pitem, &ei_data_element_value_large);
43+
- length = 0;
44+
- }
45+
- proto_item_set_len(pitem, length);
46+
- if (length == 0)
47+
+ proto_item_append_text(pitem, ": MISSING");
48+
+ } else if (length == 0)
49+
proto_item_append_text(pitem, ": MISSING");
50+
51+
if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value);
52+
@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
53+
gint bytes_to_go = size;
54+
gint first = 1;
55+
wmem_strbuf_t *substr;
56+
+ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size);
57+
+ gint next_offset = 0;
58+
59+
ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative,
60+
tvb, offset, size, ENC_NA);
61+
@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
62+
first = 0;
63+
}
64+
65+
- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid,
66+
+ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset,
67+
+ attribute, service_uuid,
68+
service_did_vendor_id, service_did_vendor_id_source,
69+
service_hdp_data_exchange_specification, service_info, &substr);
70+
if (size < 1) {
71+
break;
72+
}
73+
wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
74+
- offset += size ;
75+
+ next_offset += size;
76+
bytes_to_go -= size;
77+
}
78+
79+
--
80+
2.25.1
81+

meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ SRC_URI += " \
2828
file://CVE-2023-1992.patch \
2929
file://CVE-2022-4345.patch \
3030
file://CVE-2024-0208.patch \
31+
file://CVE-2023-4511.patch \
3132
"
3233

3334
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"

0 commit comments

Comments
 (0)