diff mbox series

[meta-networkin,scarthgap] wireshark: Fix CVE-2026-3201

Message ID 20260310090524.271469-1-hprajapati@mvista.com
State New
Headers show
Series [meta-networkin,scarthgap] wireshark: Fix CVE-2026-3201 | expand

Commit Message

Hitendra Prajapati March 10, 2026, 9:05 a.m. UTC 
Pick patch from [1] also mentioned in [2]

[1] https://gitlab.com/wireshark/wireshark/-/issues/20972
[2] https://security-tracker.debian.org/tracker/CVE-2026-3201

More details : https://nvd.nist.gov/vuln/detail/CVE-2026-3201

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../wireshark/files/CVE-2026-3201.patch       | 55 +++++++++++++++++++
 .../wireshark/wireshark_4.2.14.bb             |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2026-3201.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2026-3201.patch b/meta-networking/recipes-support/wireshark/files/CVE-2026-3201.patch
new file mode 100644
index 0000000000..178125fed9
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2026-3201.patch
@@ -0,0 +1,55 @@ 
+From 5e80615ebc95c3f57235ab2699b03e45d8071a1c Mon Sep 17 00:00:00 2001
+From: Michael Mann <mmann78@netscape.net>
+Date: Mon, 26 Jan 2026 16:44:58 +0000
+Subject: [PATCH] USB-HID: Bugfix resource exhaustion in
+ parse_report_descriptor()
+
+Sanity range check was removed in 739666a7f5acc270204980e01b4069caf5060f30, restore it
+
+AI-Assisted: no
+Fixes #20972
+
+(cherry picked from commit 6f753c79b7c8ac382e6383dfabd7d5be6e2b722c)
+
+CVE: CVE-2026-3201
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/5e80615ebc95c3f57235ab2699b03e45d8071a1c]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-usb-hid.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-usb-hid.c b/epan/dissectors/packet-usb-hid.c
+index 9a402ee..a27606a 100644
+--- a/epan/dissectors/packet-usb-hid.c
++++ b/epan/dissectors/packet-usb-hid.c
+@@ -3675,6 +3675,7 @@ hid_unpack_signed(guint8 *data, unsigned int idx, unsigned int size, gint32 *val
+     return FALSE;
+ }
+ 
++#define MAX_REPORT_DESCRIPTOR_COUNT 100000 // Arbitrary
+ static gboolean
+ parse_report_descriptor(report_descriptor_t *rdesc)
+ {
+@@ -3856,7 +3857,7 @@ parse_report_descriptor(report_descriptor_t *rdesc)
+                         }
+ 
+                         /* Usage min and max must be on the same page */
+-                        if (USAGE_PAGE(usage_min) != USAGE_PAGE(usage_max)) {
++                        if (USAGE_PAGE(usage_min) != USAGE_PAGE(usage_max))  {
+                             goto err;
+                         }
+ 
+@@ -3864,6 +3865,10 @@ parse_report_descriptor(report_descriptor_t *rdesc)
+                             goto err;
+                         }
+ 
++                        if (wmem_array_get_count(field.usages) + usage_max - usage_min >= MAX_REPORT_DESCRIPTOR_COUNT) {
++                            goto err;
++                        }
++
+                         /* min and max are inclusive */
+                         wmem_array_grow(field.usages, usage_max - usage_min + 1);
+                         for (guint32 j = usage_min; j <= usage_max; j++) {
+-- 
+2.50.1
+
diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
index 81c300fcb5..dbf7017514 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
@@ -17,6 +17,7 @@  SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
            file://CVE-2025-13499.patch \
            file://CVE-2026-0959.patch \
            file://CVE-2026-0962.patch \
+           file://CVE-2026-3201.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"