wireshark: Fix CVE-2023-2855 & CVE-2023-2856

Backport fixes for: * CVE-2023-2855 - Upstream-Status: Backport from 0181fafb21 * CVE-2023-2856 - Upstream-Status: Backport from db5135826d Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-01 13:58:06 +00:00 · 2023-06-07 14:06:53 +05:30 · 2023-06-07 14:06:53 +05:30 · 147b663d83
commit 147b663d83
parent df5a73dfe3
3 changed files with 179 additions and 0 deletions
--- a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
@ -0,0 +1,108 @@
+From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 16 May 2023 12:05:07 -0700
+Subject: [PATCH] candump: check for a too-long frame length.
+
+If the frame length is longer than the maximum, report an error in the
+file.
+
+Fixes #19062, preventing the overflow on a buffer on the stack (assuming
+your compiler doesn't call a bounds-checknig version of memcpy() if the
+size of the target space is known).
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
+CVE: CVE-2023-2855
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/candump.c | 39 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 31 insertions(+), 8 deletions(-)
+
+diff --git a/wiretap/candump.c b/wiretap/candump.c
+index 0def7bc..3f7c2b2 100644
+--- a/wiretap/candump.c
+++ b/wiretap/candump.c
+@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
+                                   wtap_rec *rec, Buffer *buf,
+                                   int *err, gchar **err_info);
+ 
+-static void
+-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+static gboolean
+candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
+                     gchar **err_info)
+ {
+     static const char *can_proto_name    = "can-hostendian";
+     static const char *canfd_proto_name  = "canfd";
+@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+     {
+         canfd_frame_t canfd_frame = {0};
+ 
+        /*
+         * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
+         */
+        if (msg->data.length > CANFD_MAX_DLEN) {
+            *err = WTAP_ERR_BAD_FILE;
+            if (err_info != NULL) {
+	        *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
+                                             msg->data.length, CANFD_MAX_DLEN);
+            }
+            return FALSE;
+        }
+
+         canfd_frame.can_id = msg->id;
+         canfd_frame.flags  = msg->flags;
+         canfd_frame.len    = msg->data.length;
+@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+     {
+         can_frame_t can_frame = {0};
+ 
+        /*
+         * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
+         */
+        if (msg->data.length > CAN_MAX_DLEN) {
+            *err = WTAP_ERR_BAD_FILE;
+            if (err_info != NULL) {
+	        *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
+                                             msg->data.length, CAN_MAX_DLEN);
+            }
+            return FALSE;
+        }
+
+         can_frame.can_id  = msg->id;
+         can_frame.can_dlc = msg->data.length;
+         memcpy(can_frame.data, msg->data.data, msg->data.length);
+@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+ 
+     rec->rec_header.packet_header.caplen = packet_length;
+     rec->rec_header.packet_header.len    = packet_length;
+
+    return TRUE;
+ }
+ 
+ static gboolean
+@@ -190,9 +217,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
+     ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
+ #endif
+ 
+-    candump_write_packet(rec, buf, &msg);
+-
+-    return TRUE;
+    return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+ 
+ static gboolean
+@@ -216,9 +241,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
+     if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
+         return FALSE;
+ 
+-    candump_write_packet(rec, buf, &msg);
+-
+-    return TRUE;
+    return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+ 
+ /*
+-- 
+2.25.1
+
--- a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch
@ -0,0 +1,69 @@
+From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 18 May 2023 15:03:23 -0700
+Subject: [PATCH] vms: fix the search for the packet length field.
+
+The packet length field is of the form
+
+    Total Length = DDD = ^xXXX
+
+where "DDD" is the length in decimal and "XXX" is the length in
+hexadecimal.
+
+Search for "length ". not just "Length", as we skip past "Length ", not
+just "Length", so if we assume we found "Length " but only found
+"Length", we'd skip past the end of the string.
+
+While we're at it, fail if we don't find a length field, rather than
+just blithely acting as if the packet length were zero.
+
+Fixes #19083.
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca]
+CVE: CVE-2023-2856
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/vms.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/wiretap/vms.c b/wiretap/vms.c
+index 0aa83ea..5f5fdbb 100644
+--- a/wiretap/vms.c
+++ b/wiretap/vms.c
+@@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+ {
+     char    line[VMS_LINE_LENGTH + 1];
+     int     num_items_scanned;
+    gboolean have_pkt_len = FALSE;
+     guint32 pkt_len = 0;
+     int     pktnum;
+     int     csec = 101;
+@@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 return FALSE;
+             }
+         }
+-        if ( (! pkt_len) && (p = strstr(line, "Length"))) {
+        if ( (! have_pkt_len) && (p = strstr(line, "Length "))) {
+             p += sizeof("Length ");
+             while (*p && ! g_ascii_isdigit(*p))
+                 p++;
+@@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in
+                 *err_info = g_strdup_printf("vms: Length field '%s' not valid", p);
+                 return FALSE;
+             }
+            have_pkt_len = TRUE;
+             break;
+         }
+     } while (! isdumpline(line));
+    if (! have_pkt_len) {
+        *err = WTAP_ERR_BAD_FILE;
+        *err_info = g_strdup_printf("vms: Length field not found");
+        return FALSE;
+    }
+     if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
+         /*
+          * Probably a corrupt capture file; return an error,
+-- 
+2.25.1
+
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@ -16,6 +16,8 @@ SRC_URI += " \
    file://0003-bison-Remove-line-directives.patch \
    file://0004-lemon-Remove-line-directives.patch \
    file://CVE-2022-3190.patch \
+    file://CVE-2023-2855.patch \
+    file://CVE-2023-2856.patch \
 "

 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"