From b995814ef8e573d392b6480fbf4acec3589ebbf9 Mon Sep 17 00:00:00 2001
From: zhanghua1831
Date: Thu, 17 Dec 2020 14:27:48 +0800
Subject: [PATCH] CVE-2020-9430
---
 CVE-2020-9430-1.patch | 71 +++++++++++++++++++++++++++++++++++++++++++
 CVE-2020-9430-2.patch | 34 +++++++++++++++++++++
 wireshark.spec | 7 ++++-
 3 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-9430-1.patch
 create mode 100644 CVE-2020-9430-2.patch
diff --git a/CVE-2020-9430-1.patch b/CVE-2020-9430-1.patch
new file mode 100644
index 0000000..8383aa6
--- /dev/null
+++ b/CVE-2020-9430-1.patch
@@ -0,0 +1,71 @@
+From 93d6b03a67953b82880cdbdcf0d30e2a3246d790 Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Fri, 7 Feb 2020 11:17:35 -0800
+Subject: [PATCH] WiMax DLMAP: Add a length check.
+
+Make sure we have enough data for a CRC.
+
+Bug: 16368
+Change-Id: I03a2532061a5cf5e28cb65c83dd4ab90654d1679
+Reviewed-on: https://code.wireshark.org/review/36051
+Reviewed-by: Gerald Combs
+---
+ plugins/epan/wimax/.editorconfig | 10 ++++++++++
+ plugins/epan/wimax/msg_dlmap.c | 9 ++++++++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 plugins/epan/wimax/.editorconfig
+
+diff --git a/plugins/epan/wimax/.editorconfig b/plugins/epan/wimax/.editorconfig
+new file mode 100644
+index 0000000..541cd9d
+--- /dev/null
++++ b/plugins/epan/wimax/.editorconfig
+@@ -0,0 +1,10 @@
++#
++# Editor configuration
++#
++# https://editorconfig.org/
++#
++
++[msg_dlmap.[ch]]
++indent_style = tab
++indent_size = tab
++
+diff --git a/plugins/epan/wimax/msg_dlmap.c b/plugins/epan/wimax/msg_dlmap.c
+index 05f8714..c2cdf54 100644
+--- a/plugins/epan/wimax/msg_dlmap.c
++++ b/plugins/epan/wimax/msg_dlmap.c
+@@ -593,6 +593,7 @@ static int hf_dlmap_reduced_aas_spid = -1;
+ static expert_field ei_dlmap_not_implemented = EI_INIT;
+ static expert_field ei_crc16 = EI_INIT;
+ static expert_field ei_mac_header_compress_dlmap_crc = EI_INIT;
++static expert_field ei_mac_header_invalid_length = EI_INIT;
+
+ /* Copied and renamed from proto.c because global value_strings don't work for plugins */
+ static const value_string plugin_proto_checksum_vals[] = {
+@@ -2383,7 +2384,12 @@ gint wimax_decode_dlmapc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *base_tre
+
+ /* CRC is always appended */
+ /* check the length */
+- if (MIN(tvb_len, tvb_reported_length(tvb)) >= mac_len)
++ if (mac_len <= sizeof(mac_crc))
++ {
++ expert_add_info_format(pinfo, ti, &ei_mac_header_invalid_length,
++ "Invalid length: %d.", mac_len);
++ }
++ else if (MIN(tvb_len, tvb_reported_length(tvb)) >= mac_len)
+ {
+ /* calculate the CRC */
+ calculated_crc = wimax_mac_calc_crc32(tvb_get_ptr(tvb, 0, mac_len - (int)sizeof(mac_crc)), mac_len - (int)sizeof(mac_crc));
+@@ -3436,6 +3442,7 @@ void proto_register_mac_mgmt_msg_dlmap(void)
+ { &ei_dlmap_not_implemented, { "wmx.dlmap.not_implemented", PI_UNDECODED, PI_WARN, "Not implemented", EXPFILL }},
+ { &ei_crc16, { "wmx.dlmap.bad_checksum", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
+ { &ei_mac_header_compress_dlmap_crc, { "wmx.compress_dlmap.bad_checksum", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
++ { &ei_mac_header_invalid_length, { "wmx.compress_dlmap.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }},
+ };
+
+ expert_module_t* expert_mac_mgmt_msg_dlmap;
+--
+2.7.4
+
+
diff --git a/CVE-2020-9430-2.patch b/CVE-2020-9430-2.patch
new file mode 100644
index 0000000..a320b59
--- /dev/null
+++ b/CVE-2020-9430-2.patch
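Review bot: The new guard `if (mac_len <= sizeof(mac_crc))` in the `wimax_decode_dlmapc` hunk of CVE-2020-9430-1.patch compares against a `size_t`, so its result depends on the type of `mac_len`, which is declared outside the hunk; if that type is signed, a negative value is converted to a large unsigned one and is not caught by the guard. The value is then printed with `%d`, which only matches a signed `int`; for an unsigned `mac_len` the specifier should be `%u`. Taken alone, this patch records the expert info and continues past the if/else chain; the early `return sizeof(mac_crc);` only arrives with CVE-2020-9430-2.patch, so the two files need to stay together and be applied in this order.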
@@ -0,0 +1,34 @@
+From 6b98dc63701b1da1cc7681cb383dabb0b7007d73 Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Wed, 12 Feb 2020 12:07:52 -0800
+Subject: [PATCH] WiMax DLMAP: Fix a large loop.
+
+Make sure we advance our offset.
+
+Bug: 16383
+Ping-Bug: 16368
+Change-Id: I4949cb0988601dbe545d0bc22de4d654b4e61204
+Reviewed-on: https://code.wireshark.org/review/36085
+Reviewed-by: Gerald Combs
+Petri-Dish: Gerald Combs
+Reviewed-by: Anders Broman
+(cherry picked from commit 6dad599a8a1bda8b8e999cc4a7e460140e4ecc0a)
+Reviewed-on: https://code.wireshark.org/review/36094
+---
+ plugins/epan/wimax/msg_dlmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/epan/wimax/msg_dlmap.c b/plugins/epan/wimax/msg_dlmap.c
+index c2cdf54..6961d55 100644
+--- a/plugins/epan/wimax/msg_dlmap.c
++++ b/plugins/epan/wimax/msg_dlmap.c
+@@ -2388,6 +2388,7 @@ gint wimax_decode_dlmapc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *base_tre
+ {
+ expert_add_info_format(pinfo, ti, &ei_mac_header_invalid_length,
+ "Invalid length: %d.", mac_len);
++ return sizeof(mac_crc);
+ }
+ else if (MIN(tvb_len, tvb_reported_length(tvb)) >= mac_len)
+ {
+--
+2.7.4
diff --git a/wireshark.spec b/wireshark.spec
index f961169..c2a13ec 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -1,6 +1,6 @@
 Name: wireshark
 Version: 2.6.2
-Release: 15
+Release: 16
 Epoch: 1
 Summary: Network traffic analyzer
 License: GPL+
@@ -45,6 +45,8 @@ Patch6030: CVE-2020-25862.patch Patch6031: CVE-2020-25863.patch Patch6032: wireshark-initialize-point-in-end_string.patch Patch6033: CVE-2020-28030.patch +Patch6034: CVE-2020-9430-1.patch +Patch6035: CVE-2020-9430-2.patch Requires: %{name}-help = %{epoch}:%{version}-%{release} Requires(pre): shadow-utils
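Review bot: The `Patch6034:` and `Patch6035:` tags added in the second wireshark.spec hunk only declare the two files; nothing in this diff shows them being applied. The `%prep` section is outside the hunks, so it is worth confirming that it uses `%autosetup` or `%autopatch`, which pick up every declared patch, rather than an explicit list of `%patch` lines that would also need two new entries. Otherwise 2.6.2-16 would be built without the CVE-2020-9430 change while the changelog states it is fixed. The build log should show `CVE-2020-9430-1.patch` applied before `CVE-2020-9430-2.patch`, since the second patch's context lines exist only after the first.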
@@ -152,6 +154,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon %{_mandir}/man?/* %changelog +* Wed Dec 16 2020 zhanghua - 2.6.2-16 +- fix CVE-2020-9430 + * Mon Nov 07 2020 wangxiao - 2.6.2-15 - fix CVE-2020-28030 malformed packet on wire could make GQUIC protocol dissector loop -- Gitee