
[meta-networking,kirkstone] wireshark: CVE-2022-3190 Infinite loop in legacy style dissector

Message ID 20220926114055.4607-1-hprajapati@mvista.com
State Under Review

Commit Message

Hitendra Prajapati Sept. 26, 2022, 11:40 a.m. UTC
Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
MR: 122044
Type: Security Fix
Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5
Description:
          CVE-2022-3190 wireshark: Infinite loop in legacy style dissector.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../wireshark/files/CVE-2022-3190.patch       | 145 ++++++++++++++++++
 .../wireshark/wireshark_3.4.12.bb             |   1 +
 2 files changed, 146 insertions(+)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch

Comments

akuster808 Sept. 26, 2022, 5:47 p.m. UTC | #1
Any reason why updating to the latest stable 3.14.16 version is not 
appropriate?
- armin

On 9/26/22 07:40, Hitendra Prajapati wrote:
> Source: https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
> MR: 122044
> Type: Security Fix
> Disposition: Backport from https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67
> ChangeID: 13f833dfbd8f76db1ea01984441b212f08e6e4f5
> Description:
>            CVE-2022-3190 wireshark: Infinite loop in legacy style dissector.
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>   .../wireshark/files/CVE-2022-3190.patch       | 145 ++++++++++++++++++
>   .../wireshark/wireshark_3.4.12.bb             |   1 +
>   2 files changed, 146 insertions(+)
>   create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
>
> diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
> new file mode 100644
> index 0000000000..0b987700f5
> --- /dev/null
> +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
> @@ -0,0 +1,145 @@
> +From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
> +From: Hitendra Prajapati <hprajapati@mvista.com>
> +Date: Mon, 26 Sep 2022 12:47:00 +0530
> +Subject: [PATCH] CVE-2022-3190
> +
> +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
> +CVE : CVE-2022-3190
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
> + 1 file changed, 56 insertions(+), 52 deletions(-)
> +
> +diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
> +index ed77dfd..b15b0d4 100644
> +--- a/epan/dissectors/packet-f5ethtrailer.c
> ++++ b/epan/dissectors/packet-f5ethtrailer.c
> +@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
> + static gint
> + dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
> + {
> +-    proto_tree *type_tree   = NULL;
> +-    proto_item *ti          = NULL;
> +     guint offset            = 0;
> +-    guint processed         = 0;
> +-    f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
> +-    guint8 type;
> +-    guint8 len;
> +-    guint8 ver;
> +
> +     /* While we still have data in the trailer.  For old format trailers, this needs
> +      * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
> +      * All old format trailers are at least 4 bytes long, so just check for length of magic.
> +      */
> +-    while (tvb_reported_length_remaining(tvb, offset)) {
> +-        type = tvb_get_guint8(tvb, offset);
> +-        len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
> +-        ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
> +-
> +-        if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
> +-            && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
> +-            && ver <= F5TRAILER_VER_MAX) {
> +-            /* Parse out the specified trailer. */
> +-            switch (type) {
> +-            case F5TYPE_LOW:
> +-                ti        = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
> +-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
> +-
> +-                processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> +-                if (processed > 0) {
> +-                    tdata->trailer_len += processed;
> +-                    tdata->noise_low = 1;
> +-                }
> +-                break;
> +-            case F5TYPE_MED:
> +-                ti        = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
> +-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
> +-
> +-                processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> +-                if (processed > 0) {
> +-                    tdata->trailer_len += processed;
> +-                    tdata->noise_med = 1;
> +-                }
> +-                break;
> +-            case F5TYPE_HIGH:
> +-                ti        = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
> +-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
> +-
> +-                processed =
> +-                    dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> +-                if (processed > 0) {
> +-                    tdata->trailer_len += processed;
> +-                    tdata->noise_high = 1;
> +-                }
> +-                break;
> ++    while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
> ++        /* length field does not include the type and length bytes.  Add them back in */
> ++        guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
> ++        if (len > tvb_reported_length_remaining(tvb, offset)
> ++            || len < F5_MIN_SANE || len > F5_MAX_SANE) {
> ++            /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
> ++            return offset;
> ++        }
> ++        guint8 type = tvb_get_guint8(tvb, offset);
> ++        guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
> ++
> ++        /* Parse out the specified trailer. */
> ++        proto_tree *type_tree   = NULL;
> ++        proto_item *ti          = NULL;
> ++        f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
> ++        guint processed = 0;
> ++
> ++        switch (type) {
> ++        case F5TYPE_LOW:
> ++            ti        = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
> ++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
> ++
> ++            processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> ++            if (processed > 0) {
> ++                tdata->trailer_len += processed;
> ++                tdata->noise_low = 1;
> +             }
> +-            if (processed == 0) {
> +-                proto_item_set_len(ti, 1);
> +-                return offset;
> ++            break;
> ++        case F5TYPE_MED:
> ++            ti        = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
> ++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
> ++
> ++            processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> ++            if (processed > 0) {
> ++                tdata->trailer_len += processed;
> ++                tdata->noise_med = 1;
> ++            }
> ++            break;
> ++        case F5TYPE_HIGH:
> ++            ti        = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
> ++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
> ++
> ++            processed =
> ++                dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
> ++            if (processed > 0) {
> ++                tdata->trailer_len += processed;
> ++                tdata->noise_high = 1;
> +             }
> ++            break;
> ++        default:
> ++            /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
> ++            return offset;
> ++        }
> ++        if (processed == 0) {
> ++            /* couldn't process trailer - bali out */
> ++            proto_item_set_len(ti, 1);
> ++            return offset;
> +         }
> +         offset += processed;
> +     }
> +-return offset;
> ++    return offset;
> + } /* dissect_old_trailer() */
> +
> + /*---------------------------------------------------------------------------*/
> +--
> +2.25.1
> +
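Review bot: the header of the embedded CVE-2022-3190.patch drops the upstream commit's identity. Its `From:` and `Date:` are those of the backport and `Subject: [PATCH] CVE-2022-3190` carries no description, so the Upstream-Status URL is the only record of what the change does or who wrote it. Keep the upstream author, date and subject line in the patch header and put the backporter's Signed-off-by beneath them. The tag `CVE : CVE-2022-3190` should also be written `CVE: CVE-2022-3190`, without the space before the colon, matching the `Upstream-Status:` and `Signed-off-by:` lines next to it.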
> diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> index 38fdbce892..1a4aedc139 100644
> --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
> @@ -15,6 +15,7 @@ SRC_URI += " \
>       file://0002-flex-Remove-line-directives.patch \
>       file://0003-bison-Remove-line-directives.patch \
>       file://0004-lemon-Remove-line-directives.patch \
> +    file://CVE-2022-3190.patch \
>   "
>   
>   UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"

Patch

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
new file mode 100644
index 0000000000..0b987700f5
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
@@ -0,0 +1,145 @@ 
+From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 26 Sep 2022 12:47:00 +0530
+Subject: [PATCH] CVE-2022-3190
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
+CVE : CVE-2022-3190
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
+ 1 file changed, 56 insertions(+), 52 deletions(-)
+
+diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
+index ed77dfd..b15b0d4 100644
+--- a/epan/dissectors/packet-f5ethtrailer.c
++++ b/epan/dissectors/packet-f5ethtrailer.c
+@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
+ static gint
+ dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+ {
+-    proto_tree *type_tree   = NULL;
+-    proto_item *ti          = NULL;
+     guint offset            = 0;
+-    guint processed         = 0;
+-    f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
+-    guint8 type;
+-    guint8 len;
+-    guint8 ver;
+ 
+     /* While we still have data in the trailer.  For old format trailers, this needs
+      * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
+      * All old format trailers are at least 4 bytes long, so just check for length of magic.
+      */
+-    while (tvb_reported_length_remaining(tvb, offset)) {
+-        type = tvb_get_guint8(tvb, offset);
+-        len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
+-        ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
+-
+-        if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
+-            && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
+-            && ver <= F5TRAILER_VER_MAX) {
+-            /* Parse out the specified trailer. */
+-            switch (type) {
+-            case F5TYPE_LOW:
+-                ti        = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
+-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
+-
+-                processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+-                if (processed > 0) {
+-                    tdata->trailer_len += processed;
+-                    tdata->noise_low = 1;
+-                }
+-                break;
+-            case F5TYPE_MED:
+-                ti        = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
+-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
+-
+-                processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+-                if (processed > 0) {
+-                    tdata->trailer_len += processed;
+-                    tdata->noise_med = 1;
+-                }
+-                break;
+-            case F5TYPE_HIGH:
+-                ti        = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
+-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
+-
+-                processed =
+-                    dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+-                if (processed > 0) {
+-                    tdata->trailer_len += processed;
+-                    tdata->noise_high = 1;
+-                }
+-                break;
++    while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
++        /* length field does not include the type and length bytes.  Add them back in */
++        guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
++        if (len > tvb_reported_length_remaining(tvb, offset)
++            || len < F5_MIN_SANE || len > F5_MAX_SANE) {
++            /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
++            return offset;
++        }
++        guint8 type = tvb_get_guint8(tvb, offset);
++        guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
++
++        /* Parse out the specified trailer. */
++        proto_tree *type_tree   = NULL;
++        proto_item *ti          = NULL;
++        f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
++        guint processed = 0;
++
++        switch (type) {
++        case F5TYPE_LOW:
++            ti        = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
++
++            processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++            if (processed > 0) {
++                tdata->trailer_len += processed;
++                tdata->noise_low = 1;
+             }
+-            if (processed == 0) {
+-                proto_item_set_len(ti, 1);
+-                return offset;
++            break;
++        case F5TYPE_MED:
++            ti        = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
++
++            processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++            if (processed > 0) {
++                tdata->trailer_len += processed;
++                tdata->noise_med = 1;
++            }
++            break;
++        case F5TYPE_HIGH:
++            ti        = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
++            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
++
++            processed =
++                dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
++            if (processed > 0) {
++                tdata->trailer_len += processed;
++                tdata->noise_high = 1;
+             }
++            break;
++        default:
++            /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
++            return offset;
++        }
++        if (processed == 0) {
++            /* couldn't process trailer - bali out */
++            proto_item_set_len(ti, 1);
++            return offset;
+         }
+         offset += processed;
+     }
+-return offset;
++    return offset;
+ } /* dissect_old_trailer() */
+ 
+ /*---------------------------------------------------------------------------*/
+-- 
+2.25.1
+
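Review bot: the rewritten loop in dissect_old_trailer() still reads `ver` but no longer validates it. The removed condition ended with `&& ver <= F5TRAILER_VER_MAX`, while the new early return tests only `len` and the new `default:` case tests only `type`. Unless dissect_low_trailer(), dissect_med_trailer() and dissect_high_trailer() each reject an unsupported version themselves (their bodies are not visible in this hunk), a trailer with an out-of-range version byte now reaches them. Please confirm that this matches the upstream commit line for line and was not lost in the backport, and say in the commit message why the version check is safe to drop. The message would also benefit from one sentence on the cause of the loop, which the removed lines show: when the combined `if` failed, `processed` kept its old value and `offset += processed` could add 0 on every pass.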
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 38fdbce892..1a4aedc139 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -15,6 +15,7 @@  SRC_URI += " \
     file://0002-flex-Remove-line-directives.patch \
     file://0003-bison-Remove-line-directives.patch \
     file://0004-lemon-Remove-line-directives.patch \
+    file://CVE-2022-3190.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"