1From 4585d515b962f3b3a5e81caa64e13e8d9ed2e431 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Mon, 26 Sep 2022 12:47:00 +0530
4Subject: [PATCH] CVE-2022-3190
5
6Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/67326401a595fffbc67eeed48eb6c55d66a55f67]
7CVE : CVE-2022-3190
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 epan/dissectors/packet-f5ethtrailer.c | 108 +++++++++++++-------------
11 1 file changed, 56 insertions(+), 52 deletions(-)
12
13diff --git a/epan/dissectors/packet-f5ethtrailer.c b/epan/dissectors/packet-f5ethtrailer.c
14index ed77dfd..b15b0d4 100644
15--- a/epan/dissectors/packet-f5ethtrailer.c
16+++ b/epan/dissectors/packet-f5ethtrailer.c
17@@ -2741,69 +2741,73 @@ dissect_dpt_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
18 static gint
19 dissect_old_trailer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
20 {
21- proto_tree *type_tree = NULL;
22- proto_item *ti = NULL;
23 guint offset = 0;
24- guint processed = 0;
25- f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
26- guint8 type;
27- guint8 len;
28- guint8 ver;
29
30 /* While we still have data in the trailer. For old format trailers, this needs
31 * type, length, version (3 bytes) and for new format trailers, the magic header (4 bytes).
32 * All old format trailers are at least 4 bytes long, so just check for length of magic.
33 */
34- while (tvb_reported_length_remaining(tvb, offset)) {
35- type = tvb_get_guint8(tvb, offset);
36- len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
37- ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
38-
39- if (len <= tvb_reported_length_remaining(tvb, offset) && type >= F5TYPE_LOW
40- && type <= F5TYPE_HIGH && len >= F5_MIN_SANE && len <= F5_MAX_SANE
41- && ver <= F5TRAILER_VER_MAX) {
42- /* Parse out the specified trailer. 
 */
43- switch (type) {
44- case F5TYPE_LOW:
45- ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
46- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
47-
48- processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
49- if (processed > 0) {
50- tdata->trailer_len += processed;
51- tdata->noise_low = 1;
52- }
53- break;
54- case F5TYPE_MED:
55- ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
56- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
57-
58- processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
59- if (processed > 0) {
60- tdata->trailer_len += processed;
61- tdata->noise_med = 1;
62- }
63- break;
64- case F5TYPE_HIGH:
65- ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
66- type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
67-
68- processed =
69- dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
70- if (processed > 0) {
71- tdata->trailer_len += processed;
72- tdata->noise_high = 1;
73- }
74- break;
75+ while (tvb_reported_length_remaining(tvb, offset) >= F5_MIN_SANE) {
76+ /* length field does not include the type and length bytes. Add them back in */
77+ guint8 len = tvb_get_guint8(tvb, offset + F5_OFF_LENGTH) + F5_OFF_VERSION;
78+ if (len > tvb_reported_length_remaining(tvb, offset)
79+ || len < F5_MIN_SANE || len > F5_MAX_SANE) {
80+ /* Invalid length - either a malformed trailer, corrupt packet, or not f5ethtrailer */
81+ return offset;
82+ }
83+ guint8 type = tvb_get_guint8(tvb, offset);
84+ guint8 ver = tvb_get_guint8(tvb, offset + F5_OFF_VERSION);
85+
86+ /* Parse out the specified trailer. 
 */
87+ proto_tree *type_tree = NULL;
88+ proto_item *ti = NULL;
89+ f5eth_tap_data_t *tdata = (f5eth_tap_data_t *)data;
90+ guint processed = 0;
91+
92+ switch (type) {
93+ case F5TYPE_LOW:
94+ ti = proto_tree_add_item(tree, hf_low_id, tvb, offset, len, ENC_NA);
95+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_low);
96+
97+ processed = dissect_low_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
98+ if (processed > 0) {
99+ tdata->trailer_len += processed;
100+ tdata->noise_low = 1;
101 }
102- if (processed == 0) {
103- proto_item_set_len(ti, 1);
104- return offset;
105+ break;
106+ case F5TYPE_MED:
107+ ti = proto_tree_add_item(tree, hf_med_id, tvb, offset, len, ENC_NA);
108+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_med);
109+
110+ processed = dissect_med_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
111+ if (processed > 0) {
112+ tdata->trailer_len += processed;
113+ tdata->noise_med = 1;
114+ }
115+ break;
116+ case F5TYPE_HIGH:
117+ ti = proto_tree_add_item(tree, hf_high_id, tvb, offset, len, ENC_NA);
118+ type_tree = proto_item_add_subtree(ti, ett_f5ethtrailer_high);
119+
120+ processed =
121+ dissect_high_trailer(tvb, pinfo, type_tree, offset, len, ver, tdata);
122+ if (processed > 0) {
123+ tdata->trailer_len += processed;
124+ tdata->noise_high = 1;
125 }
126+ break;
127+ default:
128+ /* Unknown type - malformed trailer, corrupt packet, or not f5ethtrailer - bali out*/
129+ return offset;
130+ }
131+ if (processed == 0) {
132+ /* couldn't process trailer - bali out */
133+ proto_item_set_len(ti, 1);
134+ return offset;
135 }
136 offset += processed;
137 }
138-return offset;
139+ return offset;
140 } /* dissect_old_trailer() */
141
142 /*---------------------------------------------------------------------------*/
143--
1442.25.1
145
146
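Review bot: The rewritten loop in dissect_old_trailer no longer bounds `ver`: the removed condition required `ver <= F5TRAILER_VER_MAX`, while the new code reads `ver` and hands it unchecked to dissect_low_trailer, dissect_med_trailer and dissect_high_trailer. Those helpers are outside this hunk, so unless each of them is known to return 0 for an unknown version, restoring the guard right after the read keeps the earlier behaviour: `if (ver > F5TRAILER_VER_MAX) return offset;`. Separately, `len` is a `guint8` formed by adding F5_OFF_VERSION to a byte taken from the packet, so a length byte near 255 wraps before the range check; it is then rejected only because the wrapped value falls below F5_MIN_SANE (presumably, the constants are not visible here), and a comment such as `/* guint8 wrap is caught by the F5_MIN_SANE test below */` or computing the sum in a `guint` would make that dependency explicit. The block comment above the loop still says the loop checks "for length of magic" although the condition now compares against F5_MIN_SANE, and the two new comments spell "bail out" as "bali out".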