path: root/meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch
blob: 0b987700f5d2aa46a81bd45f03d8e3ee39048238 (plain)
From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Mon, 26 Sep 2022 12:47:00 +0530
Subject: [PATCH] CVE-2022-3190

Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
CVE : CVE-2022-3190
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
 1 file changed, 56 insertions(+), 52 deletions(-)

diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
index ed77dfd..b15b0d4 100644
--- a/epan/dissectors/packet-f5ethtrailer.c
+++ b/epan/dissectors/packet-f5ethtrailer.c
@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
 static gint
 dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
 {
-    proto_tree *type_tree   = NULL;
-    proto_item *ti          = NULL;
     guint offset            = 0;
-    guint processed         = 0;
-    f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
-    guint8 type;
-    guint8 len;
-    guint8 ver;
 
     /* While we still have data in the trailer.  For old format trailers, this needs
      * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
      * All old format trailers are at least 4 bytes long, so just check for length of magic.
      */
-    while (tvb_reported_length_remaining(tvb, offset)) {
-        type = tvb_get_guint8(tvb, offset);
-        len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
-        ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
-
-        if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
-            && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
-            && ver <= F5TRAILER_VER_MAX) {
-            /* Parse out the specified trailer. */
-            switch (type) {
-            case F5TYPE_LOW:
-                ti        = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
-
-                processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
-                if (processed > 0) {
-                    tdata->trailer_len += processed;
-                    tdata->noise_low = 1;
-                }
-                break;
-            case F5TYPE_MED:
-                ti        = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
-
-                processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
-                if (processed > 0) {
-                    tdata->trailer_len += processed;
-                    tdata->noise_med = 1;
-                }
-                break;
-            case F5TYPE_HIGH:
-                ti        = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
-                type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
-
-                processed =
-                    dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
-                if (processed > 0) {
-                    tdata->trailer_len += processed;
-                    tdata->noise_high = 1;
-                }
-                break;
+    while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
+        /* length field does not include the type and length bytes.  Add them back in */
+        guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
+        if (len > tvb_reported_length_remaining(tvb, offset)
+            || len < F5_MIN_SANE || len > F5_MAX_SANE) {
+            /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
+            return offset;
+        }
+        guint8 type = tvb_get_guint8(tvb, offset);
+        guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
+
+        /* Parse out the specified trailer. */
+        proto_tree *type_tree   = NULL;
+        proto_item *ti          = NULL;
+        f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
+        guint processed = 0;
+
+        switch (type) {
+        case F5TYPE_LOW:
+            ti        = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
+            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
+
+            processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+            if (processed > 0) {
+                tdata->trailer_len += processed;
+                tdata->noise_low = 1;
             }
-            if (processed == 0) {
-                proto_item_set_len(ti, 1);
-                return offset;
+            break;
+        case F5TYPE_MED:
+            ti        = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
+            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
+
+            processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+            if (processed > 0) {
+                tdata->trailer_len += processed;
+                tdata->noise_med = 1;
+            }
+            break;
+        case F5TYPE_HIGH:
+            ti        = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
+            type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
+
+            processed =
+                dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
+            if (processed > 0) {
+                tdata->trailer_len += processed;
+                tdata->noise_high = 1;
             }
+            break;
+        default:
+            /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
+            return offset;
+        }
+        if (processed == 0) {
+            /* couldn't process trailer - bali out */
+            proto_item_set_len(ti, 1);
+            return offset;
         }
         offset += processed;
     }
-return offset;
+    return offset;
 } /* dissect_old_trailer() */
 
 /*---------------------------------------------------------------------------*/
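Review bot: The old guard's `ver <= F5TRAILER_VER_MAX` test has no counterpart on the new side of dissect_old_trailer(): `ver` is read right after the length check and passed unvalidated to dissect_low_trailer(), dissect_med_trailer() and dissect_high_trailer(). Whether those helpers reject unknown versions is not visible in this hunk; if they do not, adding `if (ver > F5TRAILER_VER_MAX) return offset;` after the `ver` read would keep the earlier bound. Separately, `len` is a `guint8` built from the length byte plus `F5_OFF_VERSION`, so a length byte near 255 wraps before the range test. The `len < F5_MIN_SANE` check appears to reject the wrapped value, but that depends on the constants' values, which are defined outside the hunk, so a comment such as `/* guint8 sum may wrap; a wrapped value fails the F5_MIN_SANE test below */` would make the dependency explicit. The two new comments also misspell "bail out" as "bali out".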
-- 
2.25.1