new file mode 100644
@@ -0,0 +1,108 @@
+From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 16 May 2023 12:05:07 -0700
+Subject: [PATCH] candump: check for a too-long frame length.
+
+If the frame length is longer than the maximum, report an error in the
+file.
+
+Fixes #19062, preventing the overflow on a buffer on the stack (assuming
+your compiler doesn't call a bounds-checknig version of memcpy() if the
+size of the target space is known).
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
+CVE: CVE-2023-2855
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/candump.c | 39 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 31 insertions(+), 8 deletions(-)
+
+diff --git a/wiretap/candump.c b/wiretap/candump.c
+index 0def7bc..3f7c2b2 100644
+--- a/wiretap/candump.c
++++ b/wiretap/candump.c
+@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
+ wtap_rec *rec, Buffer *buf,
+ int *err, gchar **err_info);
+
+-static void
+-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
++static gboolean
++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
++ gchar **err_info)
+ {
+ static const char *can_proto_name = "can-hostendian";
+ static const char *canfd_proto_name = "canfd";
+@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+ {
+ canfd_frame_t canfd_frame = {0};
+
++ /*
++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
++ */
++ if (msg->data.length > CANFD_MAX_DLEN) {
++ *err = WTAP_ERR_BAD_FILE;
++ if (err_info != NULL) {
++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
++ msg->data.length, CANFD_MAX_DLEN);
++ }
++ return FALSE;
++ }
++
+ canfd_frame.can_id = msg->id;
+ canfd_frame.flags = msg->flags;
+ canfd_frame.len = msg->data.length;
+@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+ {
+ can_frame_t can_frame = {0};
+
++ /*
++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
++ */
++ if (msg->data.length > CAN_MAX_DLEN) {
++ *err = WTAP_ERR_BAD_FILE;
++ if (err_info != NULL) {
++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
++ msg->data.length, CAN_MAX_DLEN);
++ }
++ return FALSE;
++ }
++
+ can_frame.can_id = msg->id;
+ can_frame.can_dlc = msg->data.length;
+ memcpy(can_frame.data, msg->data.data, msg->data.length);
+@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+
+ rec->rec_header.packet_header.caplen = packet_length;
+ rec->rec_header.packet_header.len = packet_length;
++
++ return TRUE;
+ }
+
+ static gboolean
+@@ -190,9 +217,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
+ ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
+ #endif
+
+- candump_write_packet(rec, buf, &msg);
+-
+- return TRUE;
++ return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+
+ static gboolean
+@@ -216,9 +241,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
+ if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
+ return FALSE;
+
+- candump_write_packet(rec, buf, &msg);
+-
+- return TRUE;
++ return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+
+ /*
+--
+2.25.1
+
new file mode 100644
@@ -0,0 +1,69 @@
+From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 18 May 2023 15:03:23 -0700
+Subject: [PATCH] vms: fix the search for the packet length field.
+
+The packet length field is of the form
+
+ Total Length = DDD = ^xXXX
+
+where "DDD" is the length in decimal and "XXX" is the length in
+hexadecimal.
+
+Search for "length ". not just "Length", as we skip past "Length ", not
+just "Length", so if we assume we found "Length " but only found
+"Length", we'd skip past the end of the string.
+
+While we're at it, fail if we don't find a length field, rather than
+just blithely acting as if the packet length were zero.
+
+Fixes #19083.
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca]
+CVE: CVE-2023-2856
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/vms.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/wiretap/vms.c b/wiretap/vms.c
+index 0aa83ea..5f5fdbb 100644
+--- a/wiretap/vms.c
++++ b/wiretap/vms.c
+@@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+ {
+ char line[VMS_LINE_LENGTH + 1];
+ int num_items_scanned;
++ gboolean have_pkt_len = FALSE;
+ guint32 pkt_len = 0;
+ int pktnum;
+ int csec = 101;
+@@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+ return FALSE;
+ }
+ }
+- if ( (! pkt_len) && (p = strstr(line, "Length"))) {
++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
+ p += sizeof("Length ");
+ while (*p && ! g_ascii_isdigit(*p))
+ p++;
+@@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+ *err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
+ return FALSE;
+ }
++ have_pkt_len = TRUE;
+ break;
+ }
+ } while (! isdumpline(line));
++ if (! have_pkt_len) {
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup_printf("vms: Length field not found");
++ return FALSE;
++ }
+ if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
+ /*
+ * Probably a corrupt capture file; return an error,
+--
+2.25.1
+
@@ -16,6 +16,8 @@ SRC_URI += " \
file://0003-bison-Remove-line-directives.patch \
file://0004-lemon-Remove-line-directives.patch \
file://CVE-2022-3190.patch \
+ file://CVE-2023-2855.patch \
+ file://CVE-2023-2856.patch \
"
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
Backport fixes for: * CVE-2023-2855 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb * CVE-2023-2856 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../wireshark/files/CVE-2023-2855.patch | 108 ++++++++++++++++++ .../wireshark/files/CVE-2023-2856.patch | 69 +++++++++++ .../wireshark/wireshark_3.4.12.bb | 2 + 3 files changed, 179 insertions(+) create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch