Andrew Geissler87f5cff2022-09-30 13:13:31 -05001From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Mon, 26 Sep 2022 12:47:00 +0530
4Subject: [PATCH] CVE-2022-3190
5
6Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
7CVE : CVE-2022-3190
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
11 1 file changed, 56 insertions(+), 52 deletions(-)
12
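--- a/epan/dissectors/packet-f5ethtrailer.c
+++ b/epan/dissectors/packet-f5ethtrailer.c
@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
 static gint
 dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
 {
- proto_tree *type_tree = NULL;
- proto_item *ti = NULL;
 guint offset = 0;
- guint processed = 0;
- f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
- guint8 type;
- guint8 len;
- guint8 ver;
 
 /* While we still have data in the trailer. For old format trailers, this needs
 * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
 * All old format trailers are at least 4 bytes long, so just check for length of magic.
 */
- while (tvb_reported_length_remaining(tvb, offset)) {
- type = tvb_get_guint8(tvb, offset);
- len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
- ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
-
- if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
- && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
- && ver <= F5TRAILER_VER_MAX) {
- /* Parse out the specified trailer. */
- switch (type) {
- case F5TYPE_LOW:
- ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
-
- processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
- if (processed > 0) {
- tdata->trailer_len += processed;
- tdata->noise_low = 1;
- }
- break;
- case F5TYPE_MED:
- ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
-
- processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
- if (processed > 0) {
- tdata->trailer_len += processed;
- tdata->noise_med = 1;
- }
- break;
- case F5TYPE_HIGH:
- ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
-
- processed =
- dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
- if (processed > 0) {
- tdata->trailer_len += processed;
- tdata->noise_high = 1;
- }
- break;
+ while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
+ /* length field does not include the type and length bytes. Add them back in */
+ guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
+ if (len > tvb_reported_length_remaining(tvb, offset)
+ || len < F5_MIN_SANE || len > F5_MAX_SANE) {
+ /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
+ return offset;
+ }
+ guint8 type = tvb_get_guint8(tvb, offset);
+ guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
+
+ /* Parse out the specified trailer. */
+ proto_tree *type_tree = NULL;
+ proto_item *ti = NULL;
+ f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
+ guint processed = 0;
+
+ switch (type) {
+ case F5TYPE_LOW:
+ ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
+
+ processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+ if (processed > 0) {
+ tdata->trailer_len += processed;
+ tdata->noise_low = 1;
 }
- if (processed == 0) {
- proto_item_set_len(ti, 1);
- return offset;
+ break;
+ case F5TYPE_MED:
+ ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
+
+ processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+ if (processed > 0) {
+ tdata->trailer_len += processed;
+ tdata->noise_med = 1;
+ }
+ break;
+ case F5TYPE_HIGH:
+ ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
+
+ processed =
+ dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+ if (processed > 0) {
+ tdata->trailer_len += processed;
+ tdata->noise_high = 1;
 }
+ break;
+ default:
+ /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
+ return offset;
+ }
+ if (processed == 0) {
+ /* couldn't process trailer - bali out */
+ proto_item_set_len(ti, 1);
+ return offset;
 }
 offset += processed;
 }
-return offset;
+ return offset;
 } /* dissect_old_trailer() */
 
 /*---------------------------------------------------------------------------*/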
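Review bot: The version bound from the removed condition (`ver <= F5TRAILER_VER_MAX`) has no counterpart in the new loop of dissect_old_trailer; `ver` is read after the length check and handed straight to dissect_low_trailer, dissect_med_trailer and dissect_high_trailer. Those helpers are outside this hunk, so unless each of them rejects an out-of-range version itself, I would restore the check next to the length test with `if (ver > F5TRAILER_VER_MAX) return offset;`. Separately, `len` is a guint8, so `tvb_get_guint8(...) + F5_OFF_VERSION` can wrap for a length byte near 255. The `len < F5_MIN_SANE` test appears to catch the wrapped value, provided F5_MIN_SANE is larger than F5_OFF_VERSION (neither value is visible here). A comment such as `/* guint8 sum may wrap; a wrapped value fails the F5_MIN_SANE test below */` would keep a later cleanup from dropping that guard.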
143--
1442.25.1
145