From 7d9b9143ad013051c8e2339ef74a2abe12c89811 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Tue, 21 Jul 2020 20:20:17 +0800
Subject: [PATCH] fix CVE-2020-13164
---
CVE-2020-13164.patch | 115 +++++++++++++++++++++++++++++++++++++++++++
wireshark.spec | 9 +++-
2 files changed, 123 insertions(+), 1 deletion(-)
create mode 100644 CVE-2020-13164.patch
diff --git a/CVE-2020-13164.patch b/CVE-2020-13164.patch
new file mode 100644
index 0000000..6fa9d59
--- /dev/null
+++ b/CVE-2020-13164.patch
@@ -0,0 +1,115 @@
+From e6e98eab8e5e0bbc982cfdc808f2469d7cab6c5a Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Tue, 14 Apr 2020 17:10:44 -0700
+Subject: [PATCH] NFS: Add filesystem cycle detection.
+
+Detect cycles and large depths when snooping full names.
+
+Bug: 16476
+Change-Id: I4cddf3d6e6c58d1d382a3ea3b3ed09644562c352
+Reviewed-on: https://code.wireshark.org/review/36847
+Reviewed-by: Gerald Combs
+Petri-Dish: Gerald Combs
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman
+(cherry picked from commit fc6763989c7a7c4e4b0522b12b955e5a285d388a)
+Reviewed-on: https://code.wireshark.org/review/36855
+---
+ epan/dissectors/packet-nfs.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
+index 715ee82..60aff65 100644
+--- a/epan/dissectors/packet-nfs.c
++++ b/epan/dissectors/packet-nfs.c
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -899,6 +900,7 @@ static expert_field ei_nfs_not_vnx_file = EI_INIT;
+ static expert_field ei_protocol_violation = EI_INIT;
+ static expert_field ei_nfs_too_many_bitmaps = EI_INIT;
+ static expert_field ei_nfs4_stateid_deprecated = EI_INIT;
++static expert_field ei_nfs_file_system_cycle = EI_INIT;
+
+ static const true_false_string tfs_read_write = { "Read", "Write" };
+
+@@ -936,6 +938,7 @@ typedef struct nfs_name_snoop {
+ unsigned char *parent;
+ int full_name_len;
+ char *full_name;
++ gboolean fs_cycle;
+ } nfs_name_snoop_t;
+
+ typedef struct nfs_name_snoop_key {
+@@ -1199,9 +1202,10 @@ nfs_name_snoop_add_fh(int xid, tvbuff_t *tvb, int fh_offset, int fh_length)
+ g_hash_table_replace(nfs_name_snoop_matched, key, nns);
+ }
+
+#define NFS_MAX_FS_DEPTH 100
+
+ static void
+-nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos)
++nfs_full_name_snoop(packet_info *pinfo, nfs_name_snoop_t *nns, int *len, char **name, char **pos)
+ {
+  nfs_name_snoop_t *parent_nns = NULL;
+ nfs_name_snoop_key_t key;
+@@ -1230,13 +1234,22 @@ nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos)
+ parent_nns = (nfs_name_snoop_t *)g_hash_table_lookup(nfs_name_snoop_matched, &key);
+
+ if (parent_nns) {
+- nfs_full_name_snoop(parent_nns, len, name, pos);
++ unsigned fs_depth = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_nfs, 0));
++ if (++fs_depth >= NFS_MAX_FS_DEPTH) {
++ nns->fs_cycle = TRUE;
++ return;
++ }
++ p_add_proto_data(pinfo->pool, pinfo, proto_nfs, 0, GUINT_TO_POINTER(fs_depth));
++
++ nfs_full_name_snoop(pinfo, parent_nns, len, name, pos);
+ if (*name) {
+ /* make sure components are '/' separated */
+ *pos += g_snprintf(*pos, (*len+1) - (gulong)(*pos-*name), "%s%s",
+ ((*pos)[-1] != '/')?"/":"", nns->name);
+ DISSECTOR_ASSERT((*pos-*name) <= *len);
+ }
++ fs_depth--;
++ p_add_proto_data(pinfo->pool, pinfo, proto_nfs, 0, GUINT_TO_POINTER(fs_depth));
+ return;
+ }
+
+@@ -1278,7 +1291,7 @@ nfs_name_snoop_fh(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int fh_of
+ char *name = NULL, *pos = NULL;
+ int len = 0;
+
+- nfs_full_name_snoop(nns, &len, &name, &pos);
++ nfs_full_name_snoop(pinfo, nns, &len, &name, &pos);
+ if (name) {
+ nns->full_name = name;
+ nns->full_name_len = len;
+@@ -1330,6 +1343,10 @@ nfs_name_snoop_fh(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int fh_of
+ }
+ PROTO_ITEM_SET_GENERATED(fh_item);
+ }
++
++ if (nns->fs_cycle) {
++ proto_tree_add_expert(tree, pinfo, &ei_nfs_file_system_cycle, tvb, 0, 0);
++ }
+ }
+ }
+
+@@ -14236,6 +14253,7 @@ proto_register_nfs(void)
+ "Per RFCs 3530 and 5661 an attribute mask is required but was not provided.", EXPFILL }},
+ { &ei_nfs_too_many_bitmaps, { "nfs.too_many_bitmaps", PI_PROTOCOL, PI_NOTE, "Too many bitmap array items", EXPFILL }},
+ { &ei_nfs4_stateid_deprecated, { "nfs.stateid.deprecated", PI_PROTOCOL, PI_WARN, "State ID deprecated in CLOSE responses [RFC7530 16.2.5]", EXPFILL }},
++ {
&ei_nfs_file_system_cycle, { "nfs.file_system_cycle", PI_PROTOCOL, PI_WARN, "Possible file system cycle detected", EXPFILL }}, + }; + + module_t *nfs_module; +-- +2.7.4 + diff --git a/wireshark.spec b/wireshark.spec index 6c4a714..22d1f6b 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -1,6 +1,6 @@ Name: wireshark Version: 2.6.2 -Release: 7 +Release: 8 Epoch: 1 Summary: Network traffic analyzer License: GPL+ @@ -37,6 +37,7 @@ Patch6022: CVE-2019-5716.patch Patch6023: CVE-2019-5717.patch Patch6024: CVE-2019-5719.patch Patch6025: CVE-2020-11647.patch +Patch6026: CVE-2020-13164.patch Requires(pre): shadow-utils Requires(post): systemd-udev @@ -143,6 +144,12 @@ getent group usbmon >/dev/null || groupadd -r usbmon %{_mandir}/man?/* %changelog +* Tue Jul 21 2020 wangyue - 2.6.2-8 +- Type:cves +- ID: CVE-2020-13164 +- SUG:restart +- DESC: fix CVE-2020-13164 + * Wed May 13 2020 huanghaitao - 2.6.2-7 - Type:cves - ID: CVE-2020-11647 -- Gitee
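Review bot: In the recursion hunk of the embedded packet-nfs.c patch, `nns->fs_cycle = TRUE;` marks whichever entry is being walked when the depth limit trips, while the later hunk in nfs_name_snoop_fh tests `nns->fs_cycle` on the entry that started the walk, so the `nfs.file_system_cycle` expert item is not guaranteed to appear on the packet that triggered the deep or cyclic lookup. Copying the flag upward as the recursion unwinds, with `if (parent_nns->fs_cycle) nns->fs_cycle = TRUE;` directly after the recursive `nfs_full_name_snoop(pinfo, parent_nns, len, name, pos);` call, would put the warning where an analyst triaging a capture will see it. `NFS_MAX_FS_DEPTH` would also benefit from a short comment, for example `/* cap on parent-chain recursion when rebuilding a full name; reaching it is reported as a possible cycle */`. Both function bodies start and end outside the hunks, so this reading should be confirmed against the full file.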