From 6e702707c320a12a91c85a4627f99db607d42f55 Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Thu, 28 Mar 2024 16:05:02 +0530 Subject: wireshark: Backport fix for CVE-2024-2955 Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341] Signed-off-by: Ashish Sharma Signed-off-by: Armin Kuster --- .../wireshark/files/CVE-2024-2955.patch | 52 ++++++++++++++++++++++ .../recipes-support/wireshark/wireshark_3.2.18.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch (limited to 'meta-networking') diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch new file mode 100644 index 0000000000..347943d422 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch @@ -0,0 +1,52 @@ +From 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341 Mon Sep 17 00:00:00 2001 +From: John Thacker +Date: Wed, 6 Mar 2024 20:40:42 -0500 +Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope + +Fragment data can't be allocated in pinfo->pool scope, as it +outlives the frame. Set it to be freed when the associated tvb +is freed, as done in the main reassemble.c code. + +Fix #19695 + +CVE: CVE-2024-2955 +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341] +Signed-off-by: Ashish Sharma + + epan/dissectors/asn1/t38/packet-t38-template.c | 3 ++- + epan/dissectors/packet-t38.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c +index 7b856626865..526b313d054 100644 +--- a/epan/dissectors/asn1/t38/packet-t38-template.c ++++ b/epan/dissectors/asn1/t38/packet-t38-template.c +@@ -325,8 +325,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id) + last_fd=fd_i; + } + +- data = (guint8 *) wmem_alloc(pinfo->pool, size); ++ data = (guint8 *) g_malloc(size); + fd_head->tvb_data = tvb_new_real_data(data, size, size); ++ tvb_set_free_cb(fd_head->tvb_data, g_free); + fd_head->len = size; /* record size for caller */ + + /* add all data fragments */ +diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c +index ca95ae8b64e..5083c936c5a 100644 +--- a/epan/dissectors/packet-t38.c ++++ b/epan/dissectors/packet-t38.c +@@ -355,8 +355,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id) + last_fd=fd_i; + } + +- data = (guint8 *) wmem_alloc(pinfo->pool, size); ++ data = (guint8 *) g_malloc(size); + fd_head->tvb_data = tvb_new_real_data(data, size, size); ++ tvb_set_free_cb(fd_head->tvb_data, g_free); + fd_head->len = size; /* record size for caller */ + + /* add all data fragments */ +-- +GitLab + diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index 8af0e6aa52..534b1a2f36 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb @@ -24,6 +24,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz file://CVE-2024-0208.patch \ file://CVE-2023-1992.patch \ file://CVE-2023-4511.patch \ + file://CVE-2024-2955.patch \ " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -- cgit v1.2.3-54-g00ecf