2 files changed, 109 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
new file mode 100644
index 0000000000..b4718f4607
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
@@ -0,0 +1,108 @@
+From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 16 May 2023 12:05:07 -0700
+Subject: [PATCH] candump: check for a too-long frame length.
+If the frame length is longer than the maximum, report an error in the
+file.
+Fixes #19062, preventing the overflow on a buffer on the stack (assuming
+your compiler doesn't call a bounds-checknig version of memcpy() if the
+size of the target space is known).
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
+CVE: CVE-2023-2855
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ wiretap/candump.c | 39 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 31 insertions(+), 8 deletions(-)
+diff --git a/wiretap/candump.c b/wiretap/candump.c
+index 0def7bc..3f7c2b2 100644
+--- a/wiretap/candump.c
+++ b/wiretap/candump.c
+@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
+                                   wtap_rec *rec, Buffer *buf,
+                                   int *err, gchar **err_info);
+ 
+-static void
+-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+static gboolean
+candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err,
+                     gchar **err_info)
+ {
+     static const char *can_proto_name    = "can-hostendian";
+     static const char *canfd_proto_name  = "canfd";
+@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+     {
+         canfd_frame_t canfd_frame = {0};
+ 
+        /*
+         * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
+         */
+        if (msg->data.length > CANFD_MAX_DLEN) {
+            *err = WTAP_ERR_BAD_FILE;
+            if (err_info != NULL) {
+               *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
+                                             msg->data.length, CANFD_MAX_DLEN);
+            }
+            return FALSE;
+        }
+
+         canfd_frame.can_id = msg->id;
+         canfd_frame.flags  = msg->flags;
+         canfd_frame.len    = msg->data.length;
+@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+     {
+         can_frame_t can_frame = {0};
+ 
+        /*
+         * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
+         */
+        if (msg->data.length > CAN_MAX_DLEN) {
+            *err = WTAP_ERR_BAD_FILE;
+            if (err_info != NULL) {
+               *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
+                                             msg->data.length, CAN_MAX_DLEN);
+            }
+            return FALSE;
+        }
+
+         can_frame.can_id  = msg->id;
+         can_frame.can_dlc = msg->data.length;
+         memcpy(can_frame.data, msg->data.data, msg->data.length);
+@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg)
+ 
+     rec->rec_header.packet_header.caplen = packet_length;
+     rec->rec_header.packet_header.len    = packet_length;
+
+    return TRUE;
+ }
+ 
+ static gboolean
+@@ -190,9 +217,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info,
+     ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
+ #endif
+ 
+-    candump_write_packet(rec, buf, &msg);
+-
+-    return TRUE;
+    return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+ 
+ static gboolean
+@@ -216,9 +241,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec,
+     if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
+         return FALSE;
+ 
+-    candump_write_packet(rec, buf, &msg);
+-
+-    return TRUE;
+    return candump_write_packet(rec, buf, &msg, err, err_info);
+ }
+ 
+ /*
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index 1a4aedc139..b1f484803e 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -16,6 +16,7 @@ SRC_URI += " \
    file://0003-bison-Remove-line-directives.patch \
    file://0004-lemon-Remove-line-directives.patch \
    file://CVE-2022-3190.patch \
+    file://CVE-2023-2855.patch \
 "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 0000000000..b4718f4607 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch
@@ -0,0 +1,108 @@
		1	From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Tue, 16 May 2023 12:05:07 -0700
		4	Subject: [PATCH] candump: check for a too-long frame length.
		5
		6	If the frame length is longer than the maximum, report an error in the
		7	file.
		8
		9	Fixes #19062, preventing the overflow on a buffer on the stack (assuming
		10	your compiler doesn't call a bounds-checknig version of memcpy() if the
		11	size of the target space is known).
		12
		13	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb]
		14	CVE: CVE-2023-2855
		15
		16	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		17	---
		18	wiretap/candump.c \| 39 +++++++++++++++++++++++++++++++--------
		19	1 file changed, 31 insertions(+), 8 deletions(-)
		20
		21	diff --git a/wiretap/candump.c b/wiretap/candump.c
		22	index 0def7bc..3f7c2b2 100644
		23	--- a/wiretap/candump.c
		24	+++ b/wiretap/candump.c
		25	@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off,
		26	wtap_rec rec, Buffer buf,
		27	int err, gchar *err_info);
		28
		29	-static void
		30	-candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		31	+static gboolean
		32	+candump_write_packet(wtap_rec rec, Buffer buf, const msg_t msg, int err,
		33	+ gchar **err_info)
		34	{
		35	static const char *can_proto_name = "can-hostendian";
		36	static const char *canfd_proto_name = "canfd";
		37	@@ -59,6 +60,18 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		38	{
		39	canfd_frame_t canfd_frame = {0};
		40
		41	+ /*
		42	+ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame.
		43	+ */
		44	+ if (msg->data.length > CANFD_MAX_DLEN) {
		45	+ *err = WTAP_ERR_BAD_FILE;
		46	+ if (err_info != NULL) {
		47	+ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u",
		48	+ msg->data.length, CANFD_MAX_DLEN);
		49	+ }
		50	+ return FALSE;
		51	+ }
		52	+
		53	canfd_frame.can_id = msg->id;
		54	canfd_frame.flags = msg->flags;
		55	canfd_frame.len = msg->data.length;
		56	@@ -70,6 +83,18 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		57	{
		58	can_frame_t can_frame = {0};
		59
		60	+ /*
		61	+ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame.
		62	+ */
		63	+ if (msg->data.length > CAN_MAX_DLEN) {
		64	+ *err = WTAP_ERR_BAD_FILE;
		65	+ if (err_info != NULL) {
		66	+ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u",
		67	+ msg->data.length, CAN_MAX_DLEN);
		68	+ }
		69	+ return FALSE;
		70	+ }
		71	+
		72	can_frame.can_id = msg->id;
		73	can_frame.can_dlc = msg->data.length;
		74	memcpy(can_frame.data, msg->data.data, msg->data.length);
		75	@@ -84,6 +109,8 @@ candump_write_packet(wtap_rec rec, Buffer buf, const msg_t *msg)
		76
		77	rec->rec_header.packet_header.caplen = packet_length;
		78	rec->rec_header.packet_header.len = packet_length;
		79	+
		80	+ return TRUE;
		81	}
		82
		83	static gboolean
		84	@@ -190,9 +217,7 @@ candump_read(wtap wth, wtap_rec rec, Buffer buf, int err, gchar **err_info,
		85	ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh));
		86	#endif
		87
		88	- candump_write_packet(rec, buf, &msg);
		89	-
		90	- return TRUE;
		91	+ return candump_write_packet(rec, buf, &msg, err, err_info);
		92	}
		93
		94	static gboolean
		95	@@ -216,9 +241,7 @@ candump_seek_read(wtap wth , gint64 seek_off, wtap_rec rec,
		96	if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info))
		97	return FALSE;
		98
		99	- candump_write_packet(rec, buf, &msg);
		100	-
		101	- return TRUE;
		102	+ return candump_write_packet(rec, buf, &msg, err, err_info);
		103	}
		104
		105	/*
		106	--
		107	2.25.1
		108


diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb index 1a4aedc139..b1f484803e 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -16,6 +16,7 @@ SRC_URI += " \
16	file://0003-bison-Remove-line-directives.patch \	16	file://0003-bison-Remove-line-directives.patch \
17	file://0004-lemon-Remove-line-directives.patch \	17	file://0004-lemon-Remove-line-directives.patch \
18	file://CVE-2022-3190.patch \	18	file://CVE-2022-3190.patch \
		19	file://CVE-2023-2855.patch \
19	"	20	"
20		21
21	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"	22	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"