1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Tue, 16 May 2023 12:05:07 -0700
Subject: [PATCH] candump: check for a too-long frame length.
If the frame length is longer than the maximum, report an error in the
file.
Fixes #19062, preventing the overflow on a buffer on the stack (assuming
your compiler doesn't call a bounds-checknig version of memcpy() if the
size of the target space is known).
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
CVE: CVE-2023-2855
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
wiretap/candump.c | 47 ++++++++++++++++++++++++++++++++++-------------
1 file changed, 34 insertions(+), 13 deletions(-)
diff --git a/wiretap/candump.c b/wiretap/candump.c
index 3eb17dd..954b509 100644
--- a/wiretap/candump.c
+++ b/wiretap/candump.c
@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
wtap_rec *rec, Buffer *buf,
int *err, gchar **err_info);
-static void
-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+static gboolean
+candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
+ gchar **err_info)
{
static const char *can_proto_name = "can-hostendian";
static const char *canfd_proto_name = "canfd";
@@ -57,9 +58,20 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
if (msg->is_fd)
{
- canfd_frame_t canfd_frame;
+ canfd_frame_t canfd_frame = {0};
+
+ /*
+ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
+ */
+ if (msg->data.length > CANFD_MAX_DLEN) {
+ *err = WTAP_ERR_BAD_FILE;
+ if (err_info != NULL) {
+ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
+ msg->data.length, CANFD_MAX_DLEN);
+ }
+ return FALSE;
+ }
- memset(&canfd_frame, 0, sizeof(canfd_frame));
canfd_frame.can_id = msg->id;
canfd_frame.flags = msg->flags;
canfd_frame.len = msg->data.length;
@@ -69,10 +81,21 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
}
else
{
- can_frame_t can_frame;
+ can_frame_t can_frame = {0};
+
+ /*
+ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
+ */
+ if (msg->data.length > CAN_MAX_DLEN) {
+ *err = WTAP_ERR_BAD_FILE;
+ if (err_info != NULL) {
+ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
+ msg->data.length, CAN_MAX_DLEN);
+ }
+ return FALSE;
+ }
- memset(&can_frame, 0, sizeof(can_frame));
- can_frame.can_id = msg->id;
+ can_frame.can_id = msg->id;
can_frame.can_dlc = msg->data.length;
memcpy(can_frame.data, msg->data.data, msg->data.length);
@@ -86,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
rec->rec_header.packet_header.caplen = packet_length;
rec->rec_header.packet_header.len = packet_length;
+
+ return TRUE;
}
static gboolean
@@ -193,9 +218,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
#endif
- candump_write_packet(rec, buf, &msg);
-
- return TRUE;
+ return candump_write_packet(rec, buf, &msg, err, err_info);
}
static gboolean
@@ -219,9 +242,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
return FALSE;
- candump_write_packet(rec, buf, &msg);
-
- return TRUE;
+ return candump_write_packet(rec, buf, &msg, err, err_info);
}
/*
--
2.25.1
|