new file mode 100644
@@ -0,0 +1,99 @@
+From 4c79e54f4294b49a6549ae52b7b0a56b27540a40 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Mon, 22 Sep 2025 21:41:00 -0400
+Subject: [PATCH] Mongo: Avoid infinite loop in dissect_op_msg_section
+
+If the size of a a OP_MSG data section is indicated as -1, that
+leads to advancing the offset by section_len + 1, or zero, which
+causes an infinite loop.
+
+The total message and section lengths in Mongo are signed int32s;
+it is impossible for them to be negative, and impossible for the
+section length to be INT_MAX (since the message length includes
+the length of the four byte headers and flag bits.)
+
+Throw an error to avoid the offset moving backwards, an infinite loop,
+or signed integer overflow.
+
+Also update some URLs to their new locations.
+
+Fix #20724.
+
+(backported from commit 1ec4709cab382f7077ba66d2e382c2e75ce335c1)
+
+CVE: CVE-2025-11626
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/513e5d49724f4a0695c5d2a08ce422c09cb999c8]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-mongo.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
+index 44cfde8..8290275 100644
+--- a/epan/dissectors/packet-mongo.c
++++ b/epan/dissectors/packet-mongo.c
+@@ -12,17 +12,19 @@
+
+ /*
+ * See Mongo Wire Protocol Specification
+- * http://www.mongodb.org/display/DOCS/Mongo+Wire+Protocol
++ * https://www.mongodb.com/docs/manual/reference/mongodb-wire-protocol/
+ * See also BSON Specification
+- * http://bsonspec.org/#/specification
++ * http://bsonspec.org/spec.html
+ */
+
+ #include "config.h"
+
++#include <stdint.h>
+ #include <epan/packet.h>
+ #include <epan/exceptions.h>
+ #include <epan/expert.h>
+ #include <epan/proto_data.h>
++#include <epan/exceptions.h>
+ #include "packet-tcp.h"
+ #include "packet-tls.h"
+ #ifdef HAVE_SNAPPY
+@@ -278,6 +280,7 @@ static gint ett_mongo_doc_sequence= -1;
+
+ static expert_field ei_mongo_document_recursion_exceeded = EI_INIT;
+ static expert_field ei_mongo_document_length_bad = EI_INIT;
++static expert_field ei_mongo_section_size_bad = EI_INIT;
+ static expert_field ei_mongo_unknown = EI_INIT;
+ static expert_field ei_mongo_unsupported_compression = EI_INIT;
+ static expert_field ei_mongo_too_large_compressed = EI_INIT;
+@@ -784,13 +787,21 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
+ gint section_len = -1; /* Section length */
+
+ e_type = tvb_get_guint8(tvb, offset);
+- section_len = tvb_get_letohl(tvb, offset+1);
+
+- ti = proto_tree_add_item(tree, hf_mongo_msg_sections_section, tvb, offset, 1 + section_len, ENC_NA);
++ ti = proto_tree_add_item(tree, hf_mongo_msg_sections_section, tvb, offset, 1, ENC_NA);
+ section_tree = proto_item_add_subtree(ti, ett_mongo_section);
+ proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_kind, tvb, offset, 1, ENC_LITTLE_ENDIAN);
+ offset += 1;
+
++ section_len = tvb_get_letohil(tvb, offset);
++ /* The section length must be strictly smaller than the total message size,
++ * both signed int32s. This prevents signed integer overflow. */
++ if (section_len < 0 || section_len == INT32_MAX) {
++ proto_tree_add_expert_format(section_tree, pinfo, &ei_mongo_section_size_bad, tvb, offset, 4, "Bogus Mongo message section size: %i", section_len);
++ THROW(ReportedBoundsError);
++ }
++ proto_item_set_len(ti, 1 + section_len);
++
+ switch (e_type) {
+ case KIND_BODY:
+ dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+@@ -1445,6 +1456,7 @@ proto_register_mongo(void)
+ static ei_register_info ei[] = {
+ { &ei_mongo_document_recursion_exceeded, { "mongo.document.recursion_exceeded", PI_MALFORMED, PI_ERROR, "BSON document recursion exceeds", EXPFILL }},
+ { &ei_mongo_document_length_bad, { "mongo.document.length.bad", PI_MALFORMED, PI_ERROR, "BSON document length bad", EXPFILL }},
++ { &ei_mongo_section_size_bad, { "mongo.msg.sections.section.size.bad", PI_MALFORMED, PI_ERROR, "Bogus Mongo message section size", EXPFILL }},
+ { &ei_mongo_unknown, { "mongo.unknown.expert", PI_UNDECODED, PI_WARN, "Unknown Data (not interpreted)", EXPFILL }},
+ { &ei_mongo_unsupported_compression, { "mongo.unsupported_compression.expert", PI_UNDECODED, PI_WARN, "This packet was compressed with an unsupported compressor", EXPFILL }},
+ { &ei_mongo_too_large_compressed, { "mongo.too_large_compressed.expert", PI_UNDECODED, PI_WARN, "The size of the uncompressed packet exceeded the maximum allowed value", EXPFILL }},
+--
+2.50.1
+
@@ -32,6 +32,7 @@ SRC_URI += " \
file://CVE-2023-6175.patch \
file://CVE-2024-2955.patch \
file://CVE-2025-13499.patch \
+ file://CVE-2025-11626.patch \
"
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/513e5d49724f4a0695c5d2a08ce422c09cb999c8 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../wireshark/files/CVE-2025-11626.patch | 99 +++++++++++++++++++ .../wireshark/wireshark_3.4.12.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2025-11626.patch