From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati
Date: Mon, 26 Sep 2022 12:47:00 +0530
Subject: [PATCH] CVE-2022-3190

Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
CVE : CVE-2022-3190
Signed-off-by: Hitendra Prajapati
---
 epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
 1 file changed, 56 insertions(+), 52 deletions(-)

diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
index ed77dfd..b15b0d4 100644
--- a/epan/dissectors/packet-f5ethtrailer.c
+++ b/epan/dissectors/packet-f5ethtrailer.c
@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d static gint dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { - proto_tree *type_tree = NULL; - proto_item *ti = NULL; guint offset = 0; - guint processed = 0; - f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data; - guint8 type; - guint8 len; - guint8 ver; /* While we still have data in the trailer. For old format trailers, this needs * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes). * All old format trailers are at least 4 bytes long, so just check for length of magic. */ - while (tvb_reported_length_remaining(tvb, offset)) { - type = tvb_get_guint8(tvb, offset); - len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION; - ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION); - - if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW - && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE - && ver <= F5TRAILER_VER_MAX) { - /* Parse out the specified trailer. 
*/ - switch (type) { - case F5TYPE_LOW: - ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA); - type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low); - - processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata); - if (processed > 0) { - tdata->trailer_len += processed; - tdata->noise_low = 1; - } - break; - case F5TYPE_MED: - ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA); - type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med); - - processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata); - if (processed > 0) { - tdata->trailer_len += processed; - tdata->noise_med = 1; - } - break; - case F5TYPE_HIGH: - ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA); - type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high); - - processed = - dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata); - if (processed > 0) { - tdata->trailer_len += processed; - tdata->noise_high = 1; - } - break; + while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) { + /* length field does not include the type and length bytes. Add them back in */ + guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION; + if (len > tvb_reported_length_remaining(tvb, offset) + || len < F5_MIN_SANE || len > F5_MAX_SANE) { + /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */ + return offset; + } + guint8 type = tvb_get_guint8(tvb, offset); + guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION); + + /* Parse out the specified trailer. 
*/ + proto_tree *type_tree = NULL; + proto_item *ti = NULL; + f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data; + guint processed = 0; + + switch (type) { + case F5TYPE_LOW: + ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA); + type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low); + + processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata); + if (processed > 0) { + tdata->trailer_len += processed; + tdata->noise_low = 1; } - if (processed == 0) { - proto_item_set_len(ti, 1); - return offset; + break; + case F5TYPE_MED: + ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA); + type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med); + + processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata); + if (processed > 0) { + tdata->trailer_len += processed; + tdata->noise_med = 1; + } + break; + case F5TYPE_HIGH: + ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA); + type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high); + + processed = + dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata); + if (processed > 0) { + tdata->trailer_len += processed; + tdata->noise_high = 1; } + break; + default: + /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/ + return offset; + } + if (processed == 0) { + /* couldn't process trailer - bali out */ + proto_item_set_len(ti, 1); + return offset; } offset += processed; } -return offset; + return offset; } /* dissect_old_trailer() */ /*---------------------------------------------------------------------------*/ -- 2.25.1
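Review bot: The rewritten loop in dissect_old_trailer still reads `ver` but no longer compares it with F5TRAILER_VER_MAX, so an out-of-range version byte taken from the capture now reaches dissect_low_trailer, dissect_med_trailer and dissect_high_trailer, where the removed condition used to exclude it. Those callees are outside this hunk; unless each of them returns 0 for an unsupported version, I would keep the bound next to the length check, `if (ver > F5TRAILER_VER_MAX) return offset;`, right after `ver` is read. Separately, `len` is a guint8 sum of the length byte and F5_OFF_VERSION, so a length byte near 255 wraps to a small value and is rejected only by `len < F5_MIN_SANE`; a comment such as `/* guint8 sum may wrap; the F5_MIN_SANE check rejects the wrapped value */` would record that dependency, assuming F5_MIN_SANE is at least F5_OFF_VERSION. The two new comments also spell "bail out" as "bali out".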