wireshark 4.2.7: Fix CVE-2024-9781

Upstream Repository: https://gitlab.com/wireshark/wireshark.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-9781 Type: Security Fix CVE: CVE-2024-9781 Score: 7.8 Patch: https://gitlab.com/wireshark/wireshark/-/commit/cad248ce3bf5 Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Shubham Pushpkar <spushpka@cisco.com> 2025-01-07 06:17:39 -0800
committer: Armin Kuster <akuster808@gmail.com> 2025-01-20 19:26:03 -0500
commit: 19bb449400be8043836258fe54d961d32d712197 (patch)
tree: 4822a6016da256a5b791effbff540b1a4de47529
parent: 05ad9e725f85bd0b0dc7e851324a16e55446c994 (diff)
download: meta-openembedded-19bb449400be8043836258fe54d961d32d712197.tar.gz
2 files changed, 134 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch
new file mode 100644
index 0000000000..eb8c733da7
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch
@@ -0,0 +1,133 @@
+From f32965be7c80ca6eb330d0e9b34f0c563db7d869 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 8 Oct 2024 11:56:28 -0700
+Subject: [PATCH] AppleTalk: Make sure we have valid addresses
+Make sure ATP, ZIP, and ASP have valid addresses. Use sizeof instead of
+a hard-coded value in a few places.
+Fixes #20114
+(cherry picked from commit 3de741321f85c205c0a8266c40f33cb0013bd1d2)
+Conflicts:
+        epan/dissectors/packet-atalk.c
+CVE: CVE-2024-9781
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cad248ce3bf5]
+(cherry picked from commit cad248ce3bf53026cc837fedeaca65d0f20ea3b5)
+Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
+---
+ epan/dissectors/packet-atalk.c | 44 ++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+diff --git a/epan/dissectors/packet-atalk.c b/epan/dissectors/packet-atalk.c
+index 396e7af519..065d6aedb6 100644
+--- a/epan/dissectors/packet-atalk.c
+++ b/epan/dissectors/packet-atalk.c
+@@ -232,9 +232,18 @@ static int hf_asp_attn_code     = -1;
+ static int hf_asp_seq           = -1;
+ static int hf_asp_size          = -1;
+ 
+/*
+ * Structure used to represent a DDP address; gives the layout of the
+ * data pointed to by an Appletalk "address" structure.
+ */
+struct atalk_ddp_addr {
+  guint16 net;
+  guint8 node;
+};
+
+ typedef struct {
+   guint32 conversation;
+-  guint8  src[4];
+  guint8  src[sizeof(struct atalk_ddp_addr)];
+   guint16 tid;
+ } asp_request_key;
+ 
+@@ -502,6 +511,10 @@ static const value_string asp_error_vals[] = {
+   {0,                   NULL } };
+ value_string_ext asp_error_vals_ext = VALUE_STRING_EXT_INIT(asp_error_vals);
+ 
+static bool is_ddp_address(address *addr) {
+  return addr->type == atalk_address_type && addr->len == sizeof(struct atalk_ddp_addr);
+}
+
+ /*
+  * hf_index must be a FT_UINT_STRING type
+  * Are these always in a Mac extended character set?  Should we have a
+@@ -744,6 +757,12 @@ dissect_atp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+   conversation_t  *conversation;
+   asp_request_val *request_val   = NULL;
+ 
+  // ATP is carried over DDP
+  if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+    return 0;
+  }
+
+
+   col_set_str(pinfo->cinfo, COL_PROTOCOL, "ATP");
+ 
+   ctrlinfo = tvb_get_guint8(tvb, offset);
+@@ -770,7 +789,7 @@ dissect_atp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+     asp_request_key request_key;
+ 
+     request_key.conversation = conversation->conv_index;
+-    memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, 4);
+    memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr));
+     request_key.tid = atp_asp_dsi_info.tid;
+ 
+     request_val = (asp_request_val *) wmem_map_lookup(atp_request_hash, &request_key);
+@@ -1018,7 +1037,7 @@ get_transaction(tvbuff_t *tvb, packet_info *pinfo, struct atp_asp_dsi_info *atp_
+   conversation = find_or_create_conversation(pinfo);
+ 
+   request_key.conversation = conversation->conv_index;
+-  memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, 4);
+  memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr));
+   request_key.tid = atp_asp_dsi_info->tid;
+ 
+   request_val = (asp_request_val *) wmem_map_lookup(asp_request_hash, &request_key);
+@@ -1051,6 +1070,11 @@ dissect_asp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+   if (data == NULL)
+     return 0;
+ 
+  // ASP is carried over ATP/DDP
+  if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+    return 0;
+  }
+
+   col_set_str(pinfo->cinfo, COL_PROTOCOL, "ASP");
+   col_clear(pinfo->cinfo, COL_INFO);
+ 
+@@ -1183,15 +1207,6 @@ dissect_asp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+ /* -----------------------------
+    ZIP protocol cf. inside appletalk chap. 8
+ */
+-/*
+- * Structure used to represent a DDP address; gives the layout of the
+- * data pointed to by an Appletalk "address" structure.
+- */
+-struct atalk_ddp_addr {
+-    guint16 net;
+-    guint8  node;
+-};
+-
+ 
+ static int atalk_str_len(const address* addr _U_)
+ {
+@@ -1241,6 +1256,11 @@ dissect_atp_zip(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
+   if (data == NULL)
+     return 0;
+ 
+  // ATP ZIP is carried over DDP
+  if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
+    return 0;
+  }
+
+   col_set_str(pinfo->cinfo, COL_PROTOCOL, "ZIP");
+   col_clear(pinfo->cinfo, COL_INFO);
+ 
+-- 
+2.44.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb
index b80710683c..d68b082bb3 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/wireshark-${PV}.tar.xz \
           file://0002-flex-Remove-line-directives.patch \
           file://0004-lemon-Remove-line-directives.patch \
           file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \
+           file://CVE-2024-9781.patch \
           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
author	Shubham Pushpkar <spushpka@cisco.com>	2025-01-07 06:17:39 -0800
committer	Armin Kuster <akuster808@gmail.com>	2025-01-20 19:26:03 -0500
commit	19bb449400be8043836258fe54d961d32d712197 (patch)
tree	4822a6016da256a5b791effbff540b1a4de47529
parent	05ad9e725f85bd0b0dc7e851324a16e55446c994 (diff)
download	meta-openembedded-19bb449400be8043836258fe54d961d32d712197.tar.gz

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch new file mode 100644 index 0000000000..eb8c733da7 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-9781.patch
@@ -0,0 +1,133 @@
		1	From f32965be7c80ca6eb330d0e9b34f0c563db7d869 Mon Sep 17 00:00:00 2001
		2	From: Gerald Combs <gerald@wireshark.org>
		3	Date: Tue, 8 Oct 2024 11:56:28 -0700
		4	Subject: [PATCH] AppleTalk: Make sure we have valid addresses
		5
		6	Make sure ATP, ZIP, and ASP have valid addresses. Use sizeof instead of
		7	a hard-coded value in a few places.
		8
		9	Fixes #20114
		10
		11	(cherry picked from commit 3de741321f85c205c0a8266c40f33cb0013bd1d2)
		12
		13	Conflicts:
		14	epan/dissectors/packet-atalk.c
		15
		16	CVE: CVE-2024-9781
		17	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cad248ce3bf5]
		18
		19	(cherry picked from commit cad248ce3bf53026cc837fedeaca65d0f20ea3b5)
		20	Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
		21	---
		22	epan/dissectors/packet-atalk.c \| 44 ++++++++++++++++++++++++----------
		23	1 file changed, 32 insertions(+), 12 deletions(-)
		24
		25	diff --git a/epan/dissectors/packet-atalk.c b/epan/dissectors/packet-atalk.c
		26	index 396e7af519..065d6aedb6 100644
		27	--- a/epan/dissectors/packet-atalk.c
		28	+++ b/epan/dissectors/packet-atalk.c
		29	@@ -232,9 +232,18 @@ static int hf_asp_attn_code = -1;
		30	static int hf_asp_seq = -1;
		31	static int hf_asp_size = -1;
		32
		33	+/*
		34	+ * Structure used to represent a DDP address; gives the layout of the
		35	+ * data pointed to by an Appletalk "address" structure.
		36	+ */
		37	+struct atalk_ddp_addr {
		38	+ guint16 net;
		39	+ guint8 node;
		40	+};
		41	+
		42	typedef struct {
		43	guint32 conversation;
		44	- guint8 src[4];
		45	+ guint8 src[sizeof(struct atalk_ddp_addr)];
		46	guint16 tid;
		47	} asp_request_key;
		48
		49	@@ -502,6 +511,10 @@ static const value_string asp_error_vals[] = {
		50	{0, NULL } };
		51	value_string_ext asp_error_vals_ext = VALUE_STRING_EXT_INIT(asp_error_vals);
		52
		53	+static bool is_ddp_address(address *addr) {
		54	+ return addr->type == atalk_address_type && addr->len == sizeof(struct atalk_ddp_addr);
		55	+}
		56	+
		57	/*
		58	* hf_index must be a FT_UINT_STRING type
		59	* Are these always in a Mac extended character set? Should we have a
		60	@@ -744,6 +757,12 @@ dissect_atp(tvbuff_t tvb, packet_info pinfo, proto_tree tree, void data _U_)
		61	conversation_t *conversation;
		62	asp_request_val *request_val = NULL;
		63
		64	+ // ATP is carried over DDP
		65	+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
		66	+ return 0;
		67	+ }
		68	+
		69	+
		70	col_set_str(pinfo->cinfo, COL_PROTOCOL, "ATP");
		71
		72	ctrlinfo = tvb_get_guint8(tvb, offset);
		73	@@ -770,7 +789,7 @@ dissect_atp(tvbuff_t tvb, packet_info pinfo, proto_tree tree, void data _U_)
		74	asp_request_key request_key;
		75
		76	request_key.conversation = conversation->conv_index;
		77	- memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, 4);
		78	+ memcpy(request_key.src, (!atp_asp_dsi_info.reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr));
		79	request_key.tid = atp_asp_dsi_info.tid;
		80
		81	request_val = (asp_request_val *) wmem_map_lookup(atp_request_hash, &request_key);
		82	@@ -1018,7 +1037,7 @@ get_transaction(tvbuff_t tvb, packet_info pinfo, struct atp_asp_dsi_info *atp_
		83	conversation = find_or_create_conversation(pinfo);
		84
		85	request_key.conversation = conversation->conv_index;
		86	- memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, 4);
		87	+ memcpy(request_key.src, (!atp_asp_dsi_info->reply)?pinfo->src.data:pinfo->dst.data, sizeof(struct atalk_ddp_addr));
		88	request_key.tid = atp_asp_dsi_info->tid;
		89
		90	request_val = (asp_request_val *) wmem_map_lookup(asp_request_hash, &request_key);
		91	@@ -1051,6 +1070,11 @@ dissect_asp(tvbuff_t tvb, packet_info pinfo, proto_tree tree, void data)
		92	if (data == NULL)
		93	return 0;
		94
		95	+ // ASP is carried over ATP/DDP
		96	+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
		97	+ return 0;
		98	+ }
		99	+
		100	col_set_str(pinfo->cinfo, COL_PROTOCOL, "ASP");
		101	col_clear(pinfo->cinfo, COL_INFO);
		102
		103	@@ -1183,15 +1207,6 @@ dissect_asp(tvbuff_t tvb, packet_info pinfo, proto_tree tree, void data)
		104	/* -----------------------------
		105	ZIP protocol cf. inside appletalk chap. 8
		106	*/
		107	-/*
		108	- * Structure used to represent a DDP address; gives the layout of the
		109	- * data pointed to by an Appletalk "address" structure.
		110	- */
		111	-struct atalk_ddp_addr {
		112	- guint16 net;
		113	- guint8 node;
		114	-};
		115	-
		116
		117	static int atalk_str_len(const address* addr _U_)
		118	{
		119	@@ -1241,6 +1256,11 @@ dissect_atp_zip(tvbuff_t tvb, packet_info pinfo, proto_tree tree, void data)
		120	if (data == NULL)
		121	return 0;
		122
		123	+ // ATP ZIP is carried over DDP
		124	+ if (!(is_ddp_address(&pinfo->src) && is_ddp_address(&pinfo->dst))) {
		125	+ return 0;
		126	+ }
		127	+
		128	col_set_str(pinfo->cinfo, COL_PROTOCOL, "ZIP");
		129	col_clear(pinfo->cinfo, COL_INFO);
		130
		131	--
		132	2.44.1
		133


diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb index b80710683c..d68b082bb3 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/wireshark-${PV}.tar.xz \
13	file://0002-flex-Remove-line-directives.patch \	13	file://0002-flex-Remove-line-directives.patch \
14	file://0004-lemon-Remove-line-directives.patch \	14	file://0004-lemon-Remove-line-directives.patch \
15	file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \	15	file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \
		16	file://CVE-2024-9781.patch \
16	"	17	"
17		18
18	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	19	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"