diff --git a/CVE-2024-11596.patch b/CVE-2024-11596.patch
new file mode 100644
index 0000000000000000000000000000000000000000..552f7fb738301060122585be5454309aa494afff
--- /dev/null
+++ b/CVE-2024-11596.patch
@@ -0,0 +1,166 @@
+From 06e0b0bb0925fe4b99cfb7243cce473031b09dee Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Thu, 14 Nov 2024 10:56:37 -0800
+Subject: [PATCH] ECMP: Exorcise a string buffer arithmetic gremlin
+
+Use a wmem_strbuf instead of manually allocating a string and managing
+its offsets.
+
+Avoid appending a dangling space to our string.
+
+Fixes #20214
+
+(cherry picked from commit c8e58870733f88f275ca9a6fa115ed085f987d94)
+
+Conflicts:
+ epan/dissectors/packet-ecmp.c
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/06e0b0bb0925fe4b99cfb7243cce473031b09dee
+---
+ epan/dissectors/packet-ecmp.c | 77 ++++++++---------------------------
+ 1 file changed, 16 insertions(+), 61 deletions(-)
+
+diff --git a/epan/dissectors/packet-ecmp.c b/epan/dissectors/packet-ecmp.c
+index 578e5ec..7327f06 100644
+--- a/epan/dissectors/packet-ecmp.c
++++ b/epan/dissectors/packet-ecmp.c
+@@ -1122,72 +1122,54 @@ static int display_raw_cyclic_data(guint8 display, int offset, guint16 buffer_si
+ proto_tree_add_bytes_format_value(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset-1, 0, NULL, "No data");
+ } else {
+ /* define some variables */
+- gchar* pdata = NULL; /* pointer to array that stores the formatted data string */
+- guint16 idx = 0; /* counts through formatted string array */
+- guint8 value8 = 0; /* placeholder for extracted 8-bit data */
+- guint16 value16 = 0; /* placeholder for extracted 16-bit data */
+- guint32 value32 = 0; /* placeholder for extracted 32-bit data */
++ wmem_strbuf_t* pdata = wmem_strbuf_create(wmem_packet_scope()); /* formatted data string */
+ guint16 num_elements_total = 0; /* contains total number of elements (byte/word/long) to be processed */
+ const guint16 num_byte_elements_per_line = 16; /* number of byte (8-bit) elements per line e.g. "1B " (3 chars per element) */
+ const guint16 num_word_elements_per_line = 16; /* number of word (16-bit) elements per line e.g. "A81B " (5 chars per element) */
+ const guint16 num_long_elements_per_line = 8; /* number of long (32-bit) elements per line e.g. "01F4A81B " (9 chars per element) */
+ guint16 num_elements_per_line = 8; /* counts the current number of elements per line */
+ guint16 num_elements = 0; /* counts the number of elements in the format string */
+- guint16 format_string_size = 0; /* size of dynamic array to hold the formatted string */
+ guint16 a = 0; /* value used for looping */
+ int start_offset, line_offset;
+
+- /* calculate format string array size and other stuff */
+- /* */
+- /* Note: format string does require a nul-terminator (the + 1 in the equations) */
+- /* */
+- /* display = 0: (byte format "1D 24 3F ... A3 " */
+- /* format_string_size = (num_byte_elements_per_line * 3) + 1 */
+- /* */
+- /* display = 1: (word format "1D24 3F84 120B ... 1FA3 " */
+- /* format_string_size = (num_word_elements_per_line * 5) + 1 */
+- /* */
+- /* display = 2: (byte format "1D243F84 9BC08F20 ... 28BB1FA3 " */
+- /* format_string_size = (num_long_elements_per_line * 9) + 1 */
++ /* calculate number of elements */
+ /* */
+ if (display == cyclic_display_byte_format) {
+- format_string_size = (num_byte_elements_per_line * 3) + 1; /* format_string_size = 49 */
+ num_elements_per_line = num_byte_elements_per_line; /* num_elements_per_line = 16 */
+ num_elements_total = buffer_size;
+ } else if (display == cyclic_display_word_format) {
+- format_string_size = (num_word_elements_per_line * 5) + 1; /* format_string_size = 81 */
+ num_elements_per_line = num_word_elements_per_line; /* num_elements_per_line = 16 */
+ num_elements_total = buffer_size >> 1;
+ } else if (display == cyclic_display_long_format) {
+- format_string_size = (num_long_elements_per_line * 9) + 1; /* format_string_size = 73 */
+ num_elements_per_line = num_long_elements_per_line; /* num_elements_per_line = 8 */
+ num_elements_total = buffer_size >> 2;
+ } else {
+- format_string_size = (num_byte_elements_per_line * 3) + 1; /* format_string_size = 49 */
+ num_elements_per_line = num_byte_elements_per_line; /* num_elements_per_line = 16 */
+ num_elements_total = buffer_size;
+ }
+
+- /* allocate dynamic memory for one line */
+- pdata = (gchar *)wmem_alloc(wmem_packet_scope(), format_string_size);
+-
+ /* OK, let's get started */
+- idx = 0;
+ num_elements = 0;
+
+ line_offset = start_offset = offset;
+ /* work through the display elements, 1 byte\word\long at a time */
+- for (a = 0; a < num_elements_total; a++ )
+- {
++ for (a = 0; a < num_elements_total; a++ ) {
++ if (wmem_strbuf_get_len(pdata) > 0) {
++ wmem_strbuf_append_c(pdata, ' ');
++ }
++
+ /* use Wireshark accessor function to get the next byte, word, or long data */
+ if (display == cyclic_display_byte_format) {
+- value8 = tvb_get_guint8(tvb, offset);
++ guint8 value8 = tvb_get_guint8(tvb, offset);
++ wmem_strbuf_append_printf(pdata, "%02x", value8);
+ offset++;
+ } else if (display == cyclic_display_word_format) {
+- value16 = tvb_get_ntohs(tvb, offset);
++ guint16 value16 = tvb_get_ntohs(tvb, offset);
++ wmem_strbuf_append_printf(pdata, "%04x", value16);
+ offset += 2;
+ } else if (display == cyclic_display_long_format) {
+- value32 = tvb_get_ntohl(tvb, offset);
++ guint32 value32 = tvb_get_ntohl(tvb, offset);
++ wmem_strbuf_append_printf(pdata, "%08x", value32);
+ offset += 4;
+ }
+
+@@ -1196,47 +1178,20 @@ static int display_raw_cyclic_data(guint8 display, int offset, guint16 buffer_si
+
+ /* check if we hit the max number of byte elements per line */
+ if (num_elements >= num_elements_per_line) {
+- /* we hit end of the current line */
+- /* add final value to string */
+- if (display == cyclic_display_byte_format) {
+- g_snprintf(&pdata[idx], 32, "%02x",value8);
+- } else if (display == cyclic_display_word_format) {
+- g_snprintf(&pdata[idx], 32, "%04x",value16);
+- } else if (display == cyclic_display_long_format) {
+- g_snprintf(&pdata[idx], 32, "%08x",value32);
+- }
+-
+ /* display the completed line in the sub-tree */
+- proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, NULL, "%s", pdata);
++ proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, NULL, "%s", wmem_strbuf_get_str(pdata));
+
+ /* start the line over */
+- idx = 0;
++ wmem_strbuf_truncate(pdata, 0);
+ num_elements = 0;
+ line_offset = offset;
+-
+- } else {
+- /* we're still adding to the current line */
+- /* add current value to string */
+- if (display == cyclic_display_byte_format) {
+- g_snprintf(&pdata[idx], 32, "%02x ",value8);
+- idx += 3;
+- } else if (display == cyclic_display_word_format) {
+- g_snprintf(&pdata[idx], 32, "%04x ",value16);
+- idx += 5;
+- } else if (display == cyclic_display_long_format) {
+- g_snprintf(&pdata[idx], 32, "%08x ",value32);
+- idx += 9;
+- }
+- }
+ }
+ }
+
+ /* if we exited the loop, see if there's a partial line to display */
+ if (num_elements > 0) {
+- /* add null-terminator to partial line */
+- pdata[idx] = 0x00;
+-
+ /* display the partial line in the sub-tree */
+- proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, start_offset, offset-start_offset, NULL, "%s", pdata);
++ proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, start_offset, offset-start_offset, NULL, "%s", wmem_strbuf_get_str(pdata));
+ }
+ }
+ return offset;
+--
+2.47.0
+
diff --git a/wireshark.spec b/wireshark.spec
index 1ad9fd1096a9ca176de630e4d0e5402d94b4a1e8..075f08958aea476f09e78af408873b44beb0bfbb 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -5,7 +5,7 @@ Summary: Network traffic analyzer
 
 Name: wireshark
 Version: 3.6.14
-Release: 12
+Release: 13
 Epoch: 1
 License: GPL+
 Url: http://www.wireshark.org/
@@ -41,6 +41,7 @@ Patch22: CVE-2024-4855.patch
 Patch23: CVE-2024-8250.patch
 Patch24: CVE-2024-24476.patch
 Patch25: CVE-2024-8645.patch
+Patch26: CVE-2024-11596.patch
 
 Requires: xdg-utils
 Requires: hicolor-icon-theme
@@ -215,6 +216,9 @@ exit 0
 %{_mandir}/man?/*
 
 %changelog
+* Tue Nov 26 2024 yaoxin - 1:3.6.14-13
+- Fix CVE-2024-11596
+
 * Wed Oct 09 2024 yaoxin - 1:3.6.14-12
 - Fix CVE-2024-8645
 
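Review bot: The completed-line call in the second inner hunk, `proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, ...)`, still passes `offset` as the tvb start even though `offset` has already been advanced past the line's last element, so the highlighted range appears to begin at the end of the line just formatted rather than at its start; the partial-line call a few lines below uses `start_offset` for the same purpose, which suggests `line_offset` was intended here. The backport keeps this argument unchanged while replacing only the string argument, and on the last full line of a buffer the range would reach `offset-line_offset` bytes past the data that was actually read, so it is worth confirming against the upstream commit whether the proto API tolerates that. Proposed change: `proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, line_offset, offset-line_offset, NULL, "%s", wmem_strbuf_get_str(pdata));`. The enclosing function display_raw_cyclic_data starts before the first inner hunk and the `num_elements` increment that the `>= num_elements_per_line` check relies on lies between the two hunks, outside what is shown.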