From 7521cc6f7d96c5540f4de9296b3c3980791ff437 Mon Sep 17 00:00:00 2001 From: liningjie Date: Fri, 28 Jul 2023 15:37:19 +0800 Subject: [PATCH] Fix CVE-2023-3648 --- CVE-2023-3648.patch | 110 ++++++++++++++++++++++++++++++++++++++++++++ wireshark.spec | 6 ++- 2 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-3648.patch diff --git a/CVE-2023-3648.patch b/CVE-2023-3648.patch new file mode 100644 index 0000000..eb2e9bc --- /dev/null +++ b/CVE-2023-3648.patch 
@@ -0,0 +1,110 @@ +From 9339b02956215b6a42e7fe4d16f10767c1f1819d Mon Sep 17 00:00:00 2001 +From: liningjie +Date: Fri, 28 Jul 2023 15:30:13 +0800 +Subject: [PATCH] kafka: Don't use after free + +Neither tvb_new_child_real_data() nor tvb_composite_append() copy +the real data buffer that they're given. So we can't free a +decompressed buffer after making it a tvb. + +We can realloc if the output size is smaller. + +Fix #19105 +--- + epan/dissectors/packet-kafka.c | 32 +++++++++++++++++++++++--------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/epan/dissectors/packet-kafka.c b/epan/dissectors/packet-kafka.c +index c36bcfd..1895406 100644 +--- a/epan/dissectors/packet-kafka.c ++++ b/epan/dissectors/packet-kafka.c +@@ -1674,25 +1674,31 @@ decompress_lz4(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length, tv + dst_size = (size_t)lz4_info.contentSize; + } + ++ size_t out_size; + do { + src_size = length - src_offset; // set the number of available octets + if (src_size == 0) { + goto end; + } +- decompressed_buffer = (guchar*)wmem_alloc(pinfo->pool, dst_size); +- rc = LZ4F_decompress(lz4_ctxt, decompressed_buffer, &dst_size, ++ ++ decompressed_buffer = wmem_alloc(pinfo->pool, dst_size); ++ out_size = dst_size; ++ rc = LZ4F_decompress(lz4_ctxt, decompressed_buffer, &out_size, + &data[src_offset], &src_size, NULL); + if (LZ4F_isError(rc)) { + goto end; + } +- if (dst_size == 0) { ++ if (out_size != dst_size) { ++ decompressed_buffer = (guint8 *)wmem_realloc(pinfo->pool, decompressed_buffer, out_size); ++ } ++ if (out_size == 0) { + goto end; + } + if (!composite_tvb) { + composite_tvb = tvb_new_composite(); + } + tvb_composite_append(composite_tvb, +- tvb_new_child_real_data(tvb, (guint8*)decompressed_buffer, (guint)dst_size, (gint)dst_size)); ++ tvb_new_child_real_data(tvb, (guint8*)decompressed_buffer, (guint)out_size, (gint)out_size)); + src_offset += src_size; // bump up the offset for the next iteration + } while (rc > 0); + +@@ 
-1725,7 +1731,7 @@ static gboolean + decompress_snappy(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length, tvbuff_t **decompressed_tvb, int *decompressed_offset) + { + guint8 *data = (guint8*)tvb_memdup(pinfo->pool, tvb, offset, length); +- size_t uncompressed_size; ++ size_t uncompressed_size, out_size; + snappy_status rc = SNAPPY_OK; + tvbuff_t *composite_tvb = NULL; + gboolean ret = FALSE; +@@ -1761,16 +1767,20 @@ decompress_snappy(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length, + goto end; + } + guint8 *decompressed_buffer = (guint8*)wmem_alloc(pinfo->pool, uncompressed_size); +- rc = snappy_uncompress(&data[pos], chunk_size, decompressed_buffer, &uncompressed_size); ++ out_size = uncompressed_size; ++ rc = snappy_uncompress(&data[pos], chunk_size, decompressed_buffer, &out_size); + if (rc != SNAPPY_OK) { + goto end; + } ++ if (out_size != uncompressed_size) { ++ decompressed_buffer = (guint8 *)wmem_realloc(pinfo->pool, decompressed_buffer, out_size); ++ } + + if (!composite_tvb) { + composite_tvb = tvb_new_composite(); + } + tvb_composite_append(composite_tvb, +- tvb_new_child_real_data(tvb, decompressed_buffer, (guint)uncompressed_size, (gint)uncompressed_size)); ++ tvb_new_child_real_data(tvb, decompressed_buffer, (guint)out_size, (gint)out_size)); + pos += chunk_size; + } + +@@ -1784,12 +1794,16 @@ decompress_snappy(tvbuff_t *tvb, packet_info *pinfo, int offset, guint32 length, + + guint8 *decompressed_buffer = (guint8*)wmem_alloc(pinfo->pool, uncompressed_size); + +- rc = snappy_uncompress(data, length, decompressed_buffer, &uncompressed_size); ++ out_size = uncompressed_size; ++ rc = snappy_uncompress(data, length, decompressed_buffer, &out_size); + if (rc != SNAPPY_OK) { + goto end; + } ++ if (out_size != uncompressed_size) { ++ decompressed_buffer = (guint8 *)wmem_realloc(pinfo->pool, decompressed_buffer, out_size); ++ } + +- *decompressed_tvb = tvb_new_child_real_data(tvb, decompressed_buffer, (guint)uncompressed_size, 
(gint)uncompressed_size); ++ *decompressed_tvb = tvb_new_child_real_data(tvb, decompressed_buffer, (guint)out_size, (gint)out_size); + *decompressed_offset = 0; + + } +-- +2.41.0.windows.3 + diff --git a/wireshark.spec b/wireshark.spec index d6e05dc..23c8c78 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -5,7 +5,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 3.6.3 -Release: 2 +Release: 3 Epoch: 1 License: GPL+ Url: http://www.wireshark.org/ @@ -22,6 +22,7 @@ Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch Patch7: wireshark-0007-cmakelists.patch Patch8: CVE-2022-3190.patch +Patch9: CVE-2023-3648.patch Requires: xdg-utils Requires: hicolor-icon-theme @@ -196,6 +197,9 @@ exit 0 %{_mandir}/man?/* %changelog +* Fri Jul 28 2023 liningjie - 1:3.6.3-3 +- Fix CVE-2023-3648 + * Tue Sep 27 2022 liyuxiang - 1:3.6.3-2 - fix CVE-2022-3190 -- Gitee
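Review bot: In the decompress_lz4 loop carried by the added patch file, the new `if (out_size != dst_size)` shrink runs before the `if (out_size == 0)` exit, so a zero-byte decompression result reaches `wmem_realloc(pinfo->pool, decompressed_buffer, 0)`; if wmem_realloc follows realloc semantics for a zero size, that frees the block and leaves decompressed_buffer NULL, which is harmless here only because the very next statement jumps to `end`. Swapping the two checks so that `if (out_size == 0) { goto end; }` comes first avoids the zero-size realloc and makes the intent plain; the same order applies to the two decompress_snappy sites, which shrink without any zero-size exit. A one-line comment above each `tvb_new_child_real_data` call, e.g. `/* the tvb aliases this pool-owned buffer (no copy), so shrink it rather than free it */`, would record the invariant the fix depends on, since nothing in the code states it. decompress_lz4 and decompress_snappy both begin before and continue after their hunks.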