diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog 2014-12-12 11:25:07.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/changelog 2015-02-04 15:55:29.000000000 -0500
@@ -1,3 +1,20 @@
+wireshark (1.12.1+g01b65bf-2~ubuntu14.10.2) utopic-security; urgency=medium
+
+ * Security Update to Address Multiple CVEs (LP: #1418211)
+ * Additional new patches (from 1.12.3) in debian/patches/:
+ * 22_1.12.3_fix_LPP_crash.patch: Fix LPP dissector crash.
+ (CVE-2015-0561)
+ * 23_1.12.3_fix_WCCP_crash_1.patch, 24_1.12.3_fix_WCCP_crash_2.patch:
+ Fix WCCP dissector crash. (CVE-2015-0559, CVE-2015-0560)
+ * 25_1.12.3_fix_DEC_DNA_crash.patch: Fix DEC DNA Routing Protocol
+ dissector crash (CVE-2015-0562)
+ * 26_1.12.3_fix_SMTP_crash_1.patch, 27_1.12.3_fix_SMTP_crash_2.patch:
+ Fix SMTP dissector crash. (CVE-2015-0563)
+ * 28_1.12.3_fix_TLS_crash.patch: Fix TLS/SSL decryption crash.
+ (CVE-2015-0564)
+
+ -- Thomas Ward Wed, 04 Feb 2015 15:49:13 -0500
+
 wireshark (1.12.1+g01b65bf-2~ubuntu14.10.1) utopic-security; urgency=medium
 
 * Security Update to Address Multiple CVEs (LP: #1397091)
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/22_1.12.3_fix_LPP_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/22_1.12.3_fix_LPP_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/22_1.12.3_fix_LPP_crash.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/22_1.12.3_fix_LPP_crash.patch 2015-02-04 15:43:56.000000000 -0500
@@ -0,0 +1,683 @@ +From 1c14dd927d4db6d65522e190ca88e2580f59c0fb Mon Sep 17 00:00:00 2001 +From: Pascal Quantin +Date: Fri, 12 Dec 2014 15:19:58 +0100 +Subject: [PATCH 3/8] LPP: avoid doing an out of bound access in case the PER + decoding gives an invalid value + +Bug: 10773 +Change-Id: I4fcde84d7be1e42729b6ec0763064e9885951468 +Reviewed-on: https://code.wireshark.org/review/5729 +Reviewed-by: Pascal Quantin +(cherry picked from commit 8e96830156bea314207b97315ccebd605317f142) +Reviewed-on: https://code.wireshark.org/review/5730 +(cherry picked from commit edc1a29b9efe9e4298a80550ac71a78abc8f0511) +Reviewed-on: https://code.wireshark.org/review/6426 +Reviewed-by: Balint Reczey +--- + asn1/lpp/lpp.cnf | 4 +- + epan/dissectors/packet-lpp.c | 144 ++++++++++++++++++++++--------------------- + 2 files changed, 76 insertions(+), 72 deletions(-) + +diff --git a/asn1/lpp/lpp.cnf b/asn1/lpp/lpp.cnf +index e2622cc..68d5602 100644 +--- a/asn1/lpp/lpp.cnf ++++ b/asn1/lpp/lpp.cnf +@@ -268,7 +268,9 @@ PolygonPoints/degreesLongitude DISPLAY=BASE_CUSTOM STRINGS=&lpp_degreesLongitude + %(DEFAULT_BODY)s + + #.FN_FTR PeriodicalReportingCriteria/reportingInterval +- proto_item_append_text(actx->created_item, "%s", interval[idx]); ++ if (idx < 10) { ++ proto_item_append_text(actx->created_item, "%s", interval[idx]); ++ } + + #.FN_BODY ReportingDuration VAL_PTR = &duration + guint32 duration; +diff --git a/epan/dissectors/packet-lpp.c b/epan/dissectors/packet-lpp.c +index 189a82f..336de9e 100644 +--- a/epan/dissectors/packet-lpp.c ++++ b/epan/dissectors/packet-lpp.c +@@ -2900,7 +2900,7 @@ dissect_lpp_GNSS_ID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro + + static int + dissect_lpp_T_sbas_IDs(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1325 "../../asn1/lpp/lpp.cnf" ++#line 1327 "../../asn1/lpp/lpp.cnf" + tvbuff_t *sbas_IDs_tvb = NULL; + int len; + +@@ -3111,7 +3111,7 @@ dissect_lpp_GNSS_SupportList(tvbuff_t 
*tvb _U_, int offset _U_, asn1_ctx_t *actx + + static int + dissect_lpp_T_gnss_ids(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1299 "../../asn1/lpp/lpp.cnf" ++#line 1301 "../../asn1/lpp/lpp.cnf" + tvbuff_t *gnss_ids_tvb = NULL; + int len; + +@@ -3190,7 +3190,7 @@ dissect_lpp_GNSS_ReferenceLocationSupport(tvbuff_t *tvb _U_, int offset _U_, asn + + static int + dissect_lpp_T_ionoModel(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1178 "../../asn1/lpp/lpp.cnf" ++#line 1180 "../../asn1/lpp/lpp.cnf" + tvbuff_t *ionoModel_tvb = NULL; + int len; + +@@ -3322,7 +3322,7 @@ dissect_lpp_GNSS_DifferentialCorrectionsSupport(tvbuff_t *tvb _U_, int offset _U + + static int + dissect_lpp_T_clockModel(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1195 "../../asn1/lpp/lpp.cnf" ++#line 1197 "../../asn1/lpp/lpp.cnf" + tvbuff_t *clockModel_tvb = NULL; + int len; + +@@ -3359,7 +3359,7 @@ dissect_lpp_T_clockModel(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + + static int + dissect_lpp_T_orbitModel(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1221 "../../asn1/lpp/lpp.cnf" ++#line 1223 "../../asn1/lpp/lpp.cnf" + tvbuff_t *orbitModel_tvb = NULL; + int len; + +@@ -3482,7 +3482,7 @@ dissect_lpp_GNSS_AcquisitionAssistanceSupport(tvbuff_t *tvb _U_, int offset _U_, + + static int + dissect_lpp_T_almanacModel(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1247 "../../asn1/lpp/lpp.cnf" ++#line 1249 "../../asn1/lpp/lpp.cnf" + tvbuff_t *almanacModel_tvb = NULL; + int len; + +@@ -3536,7 +3536,7 @@ dissect_lpp_GNSS_AlmanacSupport(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *a + + static int + dissect_lpp_T_utc_Model(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree 
*tree _U_, int hf_index _U_) { +-#line 1276 "../../asn1/lpp/lpp.cnf" ++#line 1278 "../../asn1/lpp/lpp.cnf" + tvbuff_t *utc_Model_tvb = NULL; + int len; + +@@ -3704,7 +3704,7 @@ dissect_lpp_A_GNSS_ProvideCapabilities(tvbuff_t *tvb _U_, int offset _U_, asn1_c + + static int + dissect_lpp_T_otdoa_Mode(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 343 "../../asn1/lpp/lpp.cnf" ++#line 345 "../../asn1/lpp/lpp.cnf" + tvbuff_t *otdoa_Mode_tvb = NULL; + int len; + +@@ -3837,7 +3837,7 @@ dissect_lpp_OTDOA_ProvideCapabilities(tvbuff_t *tvb _U_, int offset _U_, asn1_ct + + static int + dissect_lpp_T_ecid_MeasSupported(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1377 "../../asn1/lpp/lpp.cnf" ++#line 1379 "../../asn1/lpp/lpp.cnf" + tvbuff_t *ecid_MeasSupported_tvb = NULL; + int len; + +@@ -4211,7 +4211,7 @@ dissect_lpp_T_gnss_WeekOrDay(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 4095U, NULL, FALSE); + +-#line 1124 "../../asn1/lpp/lpp.cnf" ++#line 1126 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " (days for glonass, weeks otherwise)"); + + +@@ -4225,7 +4225,7 @@ dissect_lpp_T_gnss_Toe(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 255U, NULL, FALSE); + +-#line 1127 "../../asn1/lpp/lpp.cnf" ++#line 1129 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " (units of 15 mns for glonass, hours otherwise)"); + + +@@ -4239,7 +4239,7 @@ dissect_lpp_T_t_toeLimit(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 15U, NULL, FALSE); + +-#line 1130 "../../asn1/lpp/lpp.cnf" ++#line 1132 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, 
" (units of 30 mns for glonass, hours otherwise)"); + + +@@ -4435,7 +4435,7 @@ dissect_lpp_T_gnss_TOD_Req(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _ + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 3599U, NULL, FALSE); + +-#line 1133 "../../asn1/lpp/lpp.cnf" ++#line 1135 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -4449,7 +4449,7 @@ dissect_lpp_T_gnss_TOD_FracReq(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 999U, NULL, FALSE); + +-#line 1136 "../../asn1/lpp/lpp.cnf" ++#line 1138 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " ms"); + + +@@ -4811,7 +4811,7 @@ dissect_lpp_INTEGER_0_999(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U + + static int + dissect_lpp_T_notificationOfLeapSecond(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 363 "../../asn1/lpp/lpp.cnf" ++#line 365 "../../asn1/lpp/lpp.cnf" + tvbuff_t *notificationOfLeapSecond_tvb = NULL; + offset = dissect_per_bit_string(tvb, offset, actx, tree, -1, + 2, 2, FALSE, ¬ificationOfLeapSecond_tvb, NULL); +@@ -4819,7 +4819,7 @@ dissect_lpp_T_notificationOfLeapSecond(tvbuff_t *tvb _U_, int offset _U_, asn1_c + + + +-#line 367 "../../asn1/lpp/lpp.cnf" ++#line 369 "../../asn1/lpp/lpp.cnf" + if (notificationOfLeapSecond_tvb) { + actx->created_item = proto_tree_add_uint(tree, hf_index, notificationOfLeapSecond_tvb, 0, 1, tvb_get_bits8(notificationOfLeapSecond_tvb, 0, 2)); + } +@@ -5495,7 +5495,7 @@ dissect_lpp_GNSS_ReferenceLocation(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t + + static int + dissect_lpp_T_dataID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 381 "../../asn1/lpp/lpp.cnf" ++#line 383 "../../asn1/lpp/lpp.cnf" + tvbuff_t *dataID_tvb = NULL; + offset = dissect_per_bit_string(tvb, 
offset, actx, tree, -1, + 2, 2, FALSE, &dataID_tvb, NULL); +@@ -5503,7 +5503,7 @@ dissect_lpp_T_dataID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pr + + + +-#line 385 "../../asn1/lpp/lpp.cnf" ++#line 387 "../../asn1/lpp/lpp.cnf" + if (dataID_tvb) { + actx->created_item = proto_tree_add_uint(tree, hf_index, dataID_tvb, 0, 1, tvb_get_bits8(dataID_tvb, 0, 2)); + } +@@ -5714,7 +5714,7 @@ dissect_lpp_T_deltaT(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pr + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 462 "../../asn1/lpp/lpp.cnf" ++#line 464 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -5762,7 +5762,7 @@ dissect_lpp_T_dgnss_RefTime(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 3599U, NULL, FALSE); + +-#line 465 "../../asn1/lpp/lpp.cnf" ++#line 467 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -6316,7 +6316,7 @@ dissect_lpp_INTEGER_M4194304_4194303(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx + + static int + dissect_lpp_T_cnavMo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 684 "../../asn1/lpp/lpp.cnf" ++#line 686 "../../asn1/lpp/lpp.cnf" + gint64 cnavMo; + int curr_offset = offset; + offset = dissect_per_constrained_integer_64b(tvb, offset, actx, tree, hf_index, +@@ -6325,7 +6325,7 @@ dissect_lpp_T_cnavMo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pr + + + +-#line 689 "../../asn1/lpp/lpp.cnf" ++#line 691 "../../asn1/lpp/lpp.cnf" + PROTO_ITEM_SET_HIDDEN(actx->created_item); + actx->created_item = proto_tree_add_int64_format_value(tree, hf_index, tvb, curr_offset>>3, (offset+7-curr_offset)>>3, + cnavMo, "%e semi-circles (%"G_GINT64_MODIFIER"d)", +@@ -6339,7 +6339,7 @@ dissect_lpp_T_cnavMo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t 
*actx _U_, pr + + static int + dissect_lpp_T_cnavE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 698 "../../asn1/lpp/lpp.cnf" ++#line 700 "../../asn1/lpp/lpp.cnf" + guint64 cnavE; + int curr_offset = offset; + offset = dissect_per_constrained_integer_64b(tvb, offset, actx, tree, hf_index, +@@ -6348,7 +6348,7 @@ dissect_lpp_T_cnavE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro + + + +-#line 703 "../../asn1/lpp/lpp.cnf" ++#line 705 "../../asn1/lpp/lpp.cnf" + PROTO_ITEM_SET_HIDDEN(actx->created_item); + actx->created_item = proto_tree_add_uint64_format_value(tree, hf_index, tvb, curr_offset>>3, (offset+7-curr_offset)>>3, + cnavE, "%e (%"G_GINT64_MODIFIER"u)", +@@ -6362,7 +6362,7 @@ dissect_lpp_T_cnavE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro + + static int + dissect_lpp_T_cnavOmega(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 712 "../../asn1/lpp/lpp.cnf" ++#line 714 "../../asn1/lpp/lpp.cnf" + gint64 cnavOmega; + int curr_offset = offset; + offset = dissect_per_constrained_integer_64b(tvb, offset, actx, tree, hf_index, +@@ -6371,7 +6371,7 @@ dissect_lpp_T_cnavOmega(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + + + +-#line 717 "../../asn1/lpp/lpp.cnf" ++#line 719 "../../asn1/lpp/lpp.cnf" + PROTO_ITEM_SET_HIDDEN(actx->created_item); + actx->created_item = proto_tree_add_int64_format_value(tree, hf_index, tvb, curr_offset>>3, (offset+7-curr_offset)>>3, + cnavOmega, "%e semi-circles (%"G_GINT64_MODIFIER"d)", +@@ -6385,7 +6385,7 @@ dissect_lpp_T_cnavOmega(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + + static int + dissect_lpp_T_cnavOMEGA0(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 726 "../../asn1/lpp/lpp.cnf" ++#line 728 "../../asn1/lpp/lpp.cnf" + gint64 cnavOMEGA0; + int curr_offset = offset; + offset = 
dissect_per_constrained_integer_64b(tvb, offset, actx, tree, hf_index, +@@ -6394,7 +6394,7 @@ dissect_lpp_T_cnavOMEGA0(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + + + +-#line 731 "../../asn1/lpp/lpp.cnf" ++#line 733 "../../asn1/lpp/lpp.cnf" + PROTO_ITEM_SET_HIDDEN(actx->created_item); + actx->created_item = proto_tree_add_int64_format_value(tree, hf_index, tvb, curr_offset>>3, (offset+7-curr_offset)>>3, + cnavOMEGA0, "%e semi-circles (%"G_GINT64_MODIFIER"d)", +@@ -6408,7 +6408,7 @@ dissect_lpp_T_cnavOMEGA0(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + + static int + dissect_lpp_T_cnavIo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 743 "../../asn1/lpp/lpp.cnf" ++#line 745 "../../asn1/lpp/lpp.cnf" + gint64 cnavIo; + int curr_offset = offset; + offset = dissect_per_constrained_integer_64b(tvb, offset, actx, tree, hf_index, +@@ -6417,7 +6417,7 @@ dissect_lpp_T_cnavIo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pr + + + +-#line 748 "../../asn1/lpp/lpp.cnf" ++#line 750 "../../asn1/lpp/lpp.cnf" + PROTO_ITEM_SET_HIDDEN(actx->created_item); + actx->created_item = proto_tree_add_int64_format_value(tree, hf_index, tvb, curr_offset>>3, (offset+7-curr_offset)>>3, + cnavIo, "%e semi-circles (%"G_GINT64_MODIFIER"d)", +@@ -6466,7 +6466,7 @@ dissect_lpp_T_gloEn(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 31U, NULL, FALSE); + +-#line 778 "../../asn1/lpp/lpp.cnf" ++#line 780 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " days"); + + +@@ -6477,7 +6477,7 @@ dissect_lpp_T_gloEn(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro + + static int + dissect_lpp_T_gloP1(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 781 "../../asn1/lpp/lpp.cnf" ++#line 783 "../../asn1/lpp/lpp.cnf" + tvbuff_t 
*gloP1_tvb = NULL; + offset = dissect_per_bit_string(tvb, offset, actx, tree, -1, + 2, 2, FALSE, &gloP1_tvb, NULL); +@@ -6485,7 +6485,7 @@ dissect_lpp_T_gloP1(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro + + + +-#line 785 "../../asn1/lpp/lpp.cnf" ++#line 787 "../../asn1/lpp/lpp.cnf" + if (gloP1_tvb) { + actx->created_item = proto_tree_add_uint(tree, hf_index, gloP1_tvb, 0, 1, tvb_get_bits8(gloP1_tvb, 0, 2)); + proto_item_append_text(actx->created_item, " mn"); +@@ -6690,7 +6690,7 @@ dissect_lpp_T_gnss_TOD(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 3599U, NULL, FALSE); + +-#line 851 "../../asn1/lpp/lpp.cnf" ++#line 853 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -6704,7 +6704,7 @@ dissect_lpp_T_gnss_TODfrac(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _ + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 999U, NULL, FALSE); + +-#line 854 "../../asn1/lpp/lpp.cnf" ++#line 856 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " ms"); + + +@@ -6822,7 +6822,7 @@ dissect_lpp_T_intCodePhase(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _ + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 127U, NULL, FALSE); + +-#line 872 "../../asn1/lpp/lpp.cnf" ++#line 874 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " ms"); + + +@@ -6893,7 +6893,7 @@ dissect_lpp_T_confidence_r10(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 100U, NULL, FALSE); + +-#line 857 "../../asn1/lpp/lpp.cnf" ++#line 859 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " %%"); + + +@@ -7047,7 +7047,7 @@ dissect_lpp_T_gloAlm_NA(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + offset = dissect_per_constrained_integer(tvb, 
offset, actx, tree, hf_index, + 1U, 1461U, NULL, FALSE); + +-#line 974 "../../asn1/lpp/lpp.cnf" ++#line 976 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " days"); + + +@@ -7222,7 +7222,7 @@ dissect_lpp_T_gnss_Utc_WNt(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _ + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 255U, NULL, FALSE); + +-#line 1031 "../../asn1/lpp/lpp.cnf" ++#line 1033 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " weeks"); + + +@@ -7236,7 +7236,7 @@ dissect_lpp_T_gnss_Utc_DeltaTls(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *a + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 1034 "../../asn1/lpp/lpp.cnf" ++#line 1036 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -7250,7 +7250,7 @@ dissect_lpp_T_gnss_Utc_WNlsf(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 255U, NULL, FALSE); + +-#line 1037 "../../asn1/lpp/lpp.cnf" ++#line 1039 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " weeks"); + + +@@ -7264,7 +7264,7 @@ dissect_lpp_T_gnss_Utc_DN(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 1040 "../../asn1/lpp/lpp.cnf" ++#line 1042 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " days"); + + +@@ -7278,7 +7278,7 @@ dissect_lpp_T_gnss_Utc_DeltaTlsf(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t * + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 1043 "../../asn1/lpp/lpp.cnf" ++#line 1045 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -7313,7 +7313,7 @@ dissect_lpp_T_utcDeltaTls(tvbuff_t *tvb _U_, int offset 
_U_, asn1_ctx_t *actx _U + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 1055 "../../asn1/lpp/lpp.cnf" ++#line 1057 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -7327,7 +7327,7 @@ dissect_lpp_T_utcWNot(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, p + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 8191U, NULL, FALSE); + +-#line 1061 "../../asn1/lpp/lpp.cnf" ++#line 1063 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " weeks"); + + +@@ -7341,7 +7341,7 @@ dissect_lpp_T_utcWNlsf(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 255U, NULL, FALSE); + +-#line 1064 "../../asn1/lpp/lpp.cnf" ++#line 1066 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " weeks"); + + +@@ -7355,7 +7355,7 @@ dissect_lpp_T_utcDN(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro + offset = dissect_per_bit_string(tvb, offset, actx, tree, hf_index, + 4, 4, FALSE, NULL, NULL); + +-#line 1067 "../../asn1/lpp/lpp.cnf" ++#line 1069 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " days"); + + +@@ -7369,7 +7369,7 @@ dissect_lpp_T_utcDeltaTlsf(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _ + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 1070 "../../asn1/lpp/lpp.cnf" ++#line 1072 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -7405,7 +7405,7 @@ dissect_lpp_T_nA(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_ + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 1U, 1461U, NULL, FALSE); + +-#line 1073 "../../asn1/lpp/lpp.cnf" ++#line 1075 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " days"); + + +@@ -7416,7 
+7416,7 @@ dissect_lpp_T_nA(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_ + + static int + dissect_lpp_T_kp(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1085 "../../asn1/lpp/lpp.cnf" ++#line 1087 "../../asn1/lpp/lpp.cnf" + tvbuff_t *kp_tvb = NULL; + offset = dissect_per_bit_string(tvb, offset, actx, tree, -1, + 2, 2, FALSE, &kp_tvb, NULL); +@@ -7424,7 +7424,7 @@ dissect_lpp_T_kp(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_ + + + +-#line 1089 "../../asn1/lpp/lpp.cnf" ++#line 1091 "../../asn1/lpp/lpp.cnf" + if (kp_tvb) { + actx->created_item = proto_tree_add_uint(tree, hf_index, kp_tvb, 0, 1, tvb_get_bits8(kp_tvb, 0, 2)); + } +@@ -7458,7 +7458,7 @@ dissect_lpp_T_utcWNt(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pr + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 255U, NULL, FALSE); + +-#line 1106 "../../asn1/lpp/lpp.cnf" ++#line 1108 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " weeks"); + + +@@ -7472,7 +7472,7 @@ dissect_lpp_T_utcDeltaTls_01(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 1109 "../../asn1/lpp/lpp.cnf" ++#line 1111 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -7486,7 +7486,7 @@ dissect_lpp_T_utcWNlsf_01(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 255U, NULL, FALSE); + +-#line 1112 "../../asn1/lpp/lpp.cnf" ++#line 1114 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " weeks"); + + +@@ -7500,7 +7500,7 @@ dissect_lpp_T_utcDN_01(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 1115 
"../../asn1/lpp/lpp.cnf" ++#line 1117 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " days"); + + +@@ -7514,7 +7514,7 @@ dissect_lpp_T_utcDeltaTlsf_01(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *act + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + -128, 127U, NULL, FALSE); + +-#line 1118 "../../asn1/lpp/lpp.cnf" ++#line 1120 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -8286,7 +8286,7 @@ dissect_lpp_LocationInformationType(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_ + + static int + dissect_lpp_ReportingDuration(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 274 "../../asn1/lpp/lpp.cnf" ++#line 276 "../../asn1/lpp/lpp.cnf" + guint32 duration; + + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, +@@ -8369,7 +8369,9 @@ dissect_lpp_T_reportingInterval(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *a + + + #line 271 "../../asn1/lpp/lpp.cnf" +- proto_item_append_text(actx->created_item, "%s", interval[idx]); ++ if (idx < 10) { ++ proto_item_append_text(actx->created_item, "%s", interval[idx]); ++ } + + + return offset; +@@ -8443,7 +8445,7 @@ dissect_lpp_T_time(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, prot + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 1U, 128U, NULL, FALSE); + +-#line 295 "../../asn1/lpp/lpp.cnf" ++#line 297 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " s"); + + +@@ -8570,7 +8572,7 @@ dissect_lpp_OTDOA_RequestLocationInformation(tvbuff_t *tvb _U_, int offset _U_, + + static int + dissect_lpp_T_requestedMeasurements(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 1357 "../../asn1/lpp/lpp.cnf" ++#line 1359 "../../asn1/lpp/lpp.cnf" + tvbuff_t *requestedMeasurements_tvb = NULL; + int len; + +@@ -9304,7 +9306,7 @@ 
dissect_lpp_T_gnss_TOD_msec(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 3599999U, NULL, FALSE); + +-#line 1142 "../../asn1/lpp/lpp.cnf" ++#line 1144 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " ms"); + + +@@ -9435,7 +9437,7 @@ dissect_lpp_T_deltaGNSS_TOD(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 127U, NULL, FALSE); + +-#line 1151 "../../asn1/lpp/lpp.cnf" ++#line 1153 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " ms"); + + +@@ -9509,7 +9511,7 @@ dissect_lpp_T_gnss_CodePhaseAmbiguity(tvbuff_t *tvb _U_, int offset _U_, asn1_ct + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 127U, NULL, FALSE); + +-#line 1154 "../../asn1/lpp/lpp.cnf" ++#line 1156 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " ms"); + + +@@ -9523,7 +9525,7 @@ dissect_lpp_T_cNo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 63U, NULL, FALSE); + +-#line 1157 "../../asn1/lpp/lpp.cnf" ++#line 1159 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " dB-Hz"); + + +@@ -9555,7 +9557,7 @@ dissect_lpp_T_integerCodePhase(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac + offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, + 0U, 127U, NULL, FALSE); + +-#line 1166 "../../asn1/lpp/lpp.cnf" ++#line 1168 "../../asn1/lpp/lpp.cnf" + proto_item_append_text(actx->created_item, " ms"); + + +@@ -9717,7 +9719,7 @@ dissect_lpp_A_GNSS_ProvideLocationInformation(tvbuff_t *tvb _U_, int offset _U_, + + static int + dissect_lpp_T_error_Resolution(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 307 "../../asn1/lpp/lpp.cnf" ++#line 309 
"../../asn1/lpp/lpp.cnf" + tvbuff_t *error_Resolution_tvb = NULL; + offset = dissect_per_bit_string(tvb, offset, actx, tree, -1, + 2, 2, FALSE, &error_Resolution_tvb, NULL); +@@ -9725,7 +9727,7 @@ dissect_lpp_T_error_Resolution(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac + + + +-#line 311 "../../asn1/lpp/lpp.cnf" ++#line 313 "../../asn1/lpp/lpp.cnf" + if (error_Resolution_tvb) { + actx->created_item = proto_tree_add_uint(tree, hf_index, error_Resolution_tvb, 0, 1, tvb_get_bits8(error_Resolution_tvb, 0, 2)); + } +@@ -9738,7 +9740,7 @@ dissect_lpp_T_error_Resolution(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac + + static int + dissect_lpp_T_error_Value(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 319 "../../asn1/lpp/lpp.cnf" ++#line 321 "../../asn1/lpp/lpp.cnf" + tvbuff_t *error_Value_tvb = NULL; + offset = dissect_per_bit_string(tvb, offset, actx, tree, -1, + 5, 5, FALSE, &error_Value_tvb, NULL); +@@ -9746,7 +9748,7 @@ dissect_lpp_T_error_Value(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U + + + +-#line 323 "../../asn1/lpp/lpp.cnf" ++#line 325 "../../asn1/lpp/lpp.cnf" + if (error_Value_tvb) { + actx->created_item = proto_tree_add_uint(tree, hf_index, error_Value_tvb, 0, 1, tvb_get_bits8(error_Value_tvb, 0, 5)); + } +@@ -9759,7 +9761,7 @@ dissect_lpp_T_error_Value(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U + + static int + dissect_lpp_T_error_NumSamples(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 331 "../../asn1/lpp/lpp.cnf" ++#line 333 "../../asn1/lpp/lpp.cnf" + tvbuff_t *error_NumSamples_tvb = NULL; + offset = dissect_per_bit_string(tvb, offset, actx, tree, -1, + 3, 3, FALSE, &error_NumSamples_tvb, NULL); +@@ -9767,7 +9769,7 @@ dissect_lpp_T_error_NumSamples(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac + + + +-#line 335 "../../asn1/lpp/lpp.cnf" ++#line 337 "../../asn1/lpp/lpp.cnf" + if 
(error_NumSamples_tvb) { + actx->created_item = proto_tree_add_uint(tree, hf_index, error_NumSamples_tvb, 0, 1, tvb_get_bits8(error_NumSamples_tvb, 0, 3)); + } +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/23_1.12.3_fix_WCCP_crash_1.patch wireshark-1.12.1+g01b65bf/debian/patches/23_1.12.3_fix_WCCP_crash_1.patch --- wireshark-1.12.1+g01b65bf/debian/patches/23_1.12.3_fix_WCCP_crash_1.patch 1969-12-31 19:00:00.000000000 -0500 +++ wireshark-1.12.1+g01b65bf/debian/patches/23_1.12.3_fix_WCCP_crash_1.patch 2015-02-04 15:44:07.000000000 -0500 
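Review bot: The new guard `if (idx < 10)` in the `PeriodicalReportingCriteria/reportingInterval` footer of asn1/lpp/lpp.cnf, and its generated copy in dissect_lpp_T_reportingInterval in packet-lpp.c, hard-codes the table size instead of deriving it from `interval`. The declarations of `interval` and `idx` are outside the hunk, so the literal cannot be checked here, and it will go stale silently if the table is ever resized, letting a PER-decoded value from a malformed packet index past the array again. Assuming `interval` is declared as an array in that function, tie the bound to it with `if (idx < G_N_ELEMENTS(interval)) {`, and if `idx` turns out to be a signed type also reject negative values. The remaining packet-lpp.c hunks only renumber `#line` directives in generated code.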
@@ -0,0 +1,67 @@
+From 6812cfb6d64c34293500782e8573ead43233d7b9 Mon Sep 17 00:00:00 2001
+From: Evan Huus
+Date: Tue, 25 Nov 2014 20:16:05 -0500
+Subject: [PATCH 1/8] wccp: use pinfo-scope memory for addresses
+
+They may be accessed during the print phase, at which point packet-scope memory
+has already been freed.
+
+Bug: 10720
+Change-Id: Ia2b160fd9de4ccaa3a4b8d9cb70fb9b32d4e08a0
+Reviewed-on: https://code.wireshark.org/review/5496
+Reviewed-by: Evan Huus
+(cherry picked from commit e843c6797db98bfceab382d5d7e76727e1014f5e)
+Conflicts:
+ epan/dissectors/packet-wccp.c
+Reviewed-on: https://code.wireshark.org/review/6057
+Reviewed-by: Pascal Quantin
+(cherry picked from commit dea8d025f19481a31e70b810458a009981c13078)
+Reviewed-on: https://code.wireshark.org/review/6425
+Reviewed-by: Michael Mann
+---
+ epan/dissectors/packet-wccp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/epan/dissectors/packet-wccp.c b/epan/dissectors/packet-wccp.c
+index 07e8fed..26f003e 100644
+--- a/epan/dissectors/packet-wccp.c
++++ b/epan/dissectors/packet-wccp.c
+@@ -506,7 +506,7 @@ static void dissect_timer_scale_capability(tvbuff_t *tvb, int curr_offset,
+
+ static void
+ find_wccp_address_table(tvbuff_t *tvb, int offset, guint16 length,
+- packet_info *pinfo _U_, proto_tree *wccp_tree _U_)
++ packet_info *pinfo, proto_tree *wccp_tree _U_)
+ {
+ guint16 type;
+ guint16 item_length;
+@@ -528,7 +528,7 @@ find_wccp_address_table(tvbuff_t *tvb, int offset, guint16 length,
+
+ if (type == WCCP2r1_ADDRESS_TABLE)
+ {
+- dissect_wccp2r1_address_table_info(tvb, offset+4, item_length, NULL, NULL);
++ dissect_wccp2r1_address_table_info(tvb, offset+4, item_length, pinfo, NULL);
+ /* no need to decode the rest */
+ return;
+ }
+@@ -1916,7 +1916,7 @@ dissect_wccp2r1_address_table_info(tvbuff_t *tvb, int offset,
+ case 1:
+ if (wccp_wccp_address_table.table_ipv4 == NULL)
+ wccp_wccp_address_table.table_ipv4 = (guint32 *)
+- wmem_alloc(wmem_packet_scope(), wccp_wccp_address_table.table_length * 4);
++ wmem_alloc(pinfo->pool, wccp_wccp_address_table.table_length * 4);
+ if ((address_length != 4) && (pinfo && info_tree)) {
+ expert_add_info_format(pinfo, tf, &ei_wccp_length_bad,
+ "The Address length must be 4, but I found %d for IPv4 addresses. Correcting this.",
+@@ -1927,7 +1927,7 @@ dissect_wccp2r1_address_table_info(tvbuff_t *tvb, int offset,
+ case 2:
+ if (wccp_wccp_address_table.table_ipv6 == NULL)
+ wccp_wccp_address_table.table_ipv6 = (struct e_in6_addr *)
+- wmem_alloc(wmem_packet_scope(), wccp_wccp_address_table.table_length * sizeof(struct e_in6_addr));
++ wmem_alloc(pinfo->pool, wccp_wccp_address_table.table_length * sizeof(struct e_in6_addr));
+ if ((address_length != 16) && (pinfo && info_tree)) {
+ expert_add_info_format(pinfo, tf, &ei_wccp_length_bad,
+ "The Address length must be 16, but I found %d for IPv6 addresses. Correcting this",
+--
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/24_1.12.3_fix_WCCP_crash_2.patch wireshark-1.12.1+g01b65bf/debian/patches/24_1.12.3_fix_WCCP_crash_2.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/24_1.12.3_fix_WCCP_crash_2.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/24_1.12.3_fix_WCCP_crash_2.patch 2015-02-04 15:44:19.000000000 -0500
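Review bot: `wmem_alloc(pinfo->pool, ...)` in the `case 1:` and `case 2:` hunks of dissect_wccp2r1_address_table_info now dereferences `pinfo` unconditionally, while the very next statement in each case still tests `(pinfo && info_tree)`, which suggests the function was written to tolerate a NULL `pinfo`. The one caller visible here, find_wccp_address_table, is updated to pass `pinfo` instead of NULL, but any caller outside these hunks that still passes NULL would become a NULL dereference while dissecting untrusted traffic. Either state the new contract at the top of the function with `DISSECTOR_ASSERT(pinfo != NULL);` and reduce the later tests to `info_tree`, or keep a fallback allocator for the NULL case. The function body starts and ends outside the hunks, so the other call sites need to be checked in the full file.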
@@ -0,0 +1,47 @@
+From 7f8e46c6f41194c55909e052664e6f40040fe6ff Mon Sep 17 00:00:00 2001
+From: Pascal Quantin
+Date: Fri, 26 Dec 2014 19:52:38 +0100
+Subject: [PATCH 4/8] WCCP: initialize address table to 0
+
+It prevents an uninitialized access later on if an exception is triggered before filling the table
+
+Bug: 10806
+Change-Id: I8f75fb18cd8d033013c34093f9d6c8762f23452b
+Reviewed-on: https://code.wireshark.org/review/6056
+Reviewed-by: Pascal Quantin
+(cherry picked from commit a442a1c0e815fd61416cf408bd74d85a042ccc6a)
+Conflicts:
+ epan/dissectors/packet-wccp.c
+Reviewed-on: https://code.wireshark.org/review/6058
+(cherry picked from commit adce5fa31f01e7894465b42de98b9a7ee69c152a)
+Reviewed-on: https://code.wireshark.org/review/6464
+Reviewed-by: Michael Mann
+---
+ epan/dissectors/packet-wccp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-wccp.c b/epan/dissectors/packet-wccp.c
+index 26f003e..875d0d5 100644
+--- a/epan/dissectors/packet-wccp.c
++++ b/epan/dissectors/packet-wccp.c
+@@ -1916,7 +1916,7 @@ dissect_wccp2r1_address_table_info(tvbuff_t *tvb, int offset,
+ case 1:
+ if (wccp_wccp_address_table.table_ipv4 == NULL)
+ wccp_wccp_address_table.table_ipv4 = (guint32 *)
+- wmem_alloc(pinfo->pool, wccp_wccp_address_table.table_length * 4);
++ wmem_alloc0(pinfo->pool, wccp_wccp_address_table.table_length * 4);
+ if ((address_length != 4) && (pinfo && info_tree)) {
+ expert_add_info_format(pinfo, tf, &ei_wccp_length_bad,
+ "The Address length must be 4, but I found %d for IPv4 addresses. Correcting this.",
+@@ -1927,7 +1927,7 @@ dissect_wccp2r1_address_table_info(tvbuff_t *tvb, int offset,
+ case 2:
+ if (wccp_wccp_address_table.table_ipv6 == NULL)
+ wccp_wccp_address_table.table_ipv6 = (struct e_in6_addr *)
+- wmem_alloc(pinfo->pool, wccp_wccp_address_table.table_length * sizeof(struct e_in6_addr));
++ wmem_alloc0(pinfo->pool, wccp_wccp_address_table.table_length * sizeof(struct e_in6_addr));
+ if ((address_length != 16) && (pinfo && info_tree)) {
+ expert_add_info_format(pinfo, tf, &ei_wccp_length_bad,
+ "The Address length must be 16, but I found %d for IPv6 addresses. Correcting this",
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/25_1.12.3_fix_DEC_DNA_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/25_1.12.3_fix_DEC_DNA_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/25_1.12.3_fix_DEC_DNA_crash.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/25_1.12.3_fix_DEC_DNA_crash.patch 2015-02-04 15:44:31.000000000 -0500
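Review bot: The IPv4 table is still sized with a literal `4` while the IPv6 case in the second hunk uses `sizeof(struct e_in6_addr)`; writing `wmem_alloc0(pinfo->pool, wccp_wccp_address_table.table_length * sizeof(guint32));` ties the size to the `guint32 *` the result is cast to. Zero-filling removes the uninitialised read, but `table_length` looks like it is taken from the packet and no bound on it, or on the product, is visible in these hunks. That check should be confirmed in the part of dissect_wccp2r1_address_table_info that lies outside the hunks.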
@@ -0,0 +1,56 @@
+From 1bc3b8adb2ef850a0b90542bfac5f4b90f051e92 Mon Sep 17 00:00:00 2001
+From: Evan Huus
+Date: Tue, 25 Nov 2014 20:27:07 -0500
+Subject: [PATCH 6/8] dec-dnart: use pinfo-scoped memory for addresses
+
+They may be accessed during the print phase, at which point packet-scope memory
+has already been freed.
+
+Bug: 10724
+Change-Id: Ifcf5fc0c0857614edf85349b12dfe605abf6fef7
+Reviewed-on: https://code.wireshark.org/review/5498
+Reviewed-by: Michael Mann
+(cherry picked from commit 8ae9b5363ef210813767bb0cf3af2603092f914c)
+Reviewed-on: https://code.wireshark.org/review/6427
+---
+ epan/dissectors/packet-dec-dnart.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/epan/dissectors/packet-dec-dnart.c b/epan/dissectors/packet-dec-dnart.c
+index bd8761e..a4f644e 100644
+--- a/epan/dissectors/packet-dec-dnart.c
++++ b/epan/dissectors/packet-dec-dnart.c
+@@ -350,12 +350,13 @@ dnet_ntoa(const guint8 *data)
+ }
+
+ static void
+-set_dnet_address(address *paddr_src, address *paddr_tgt)
++set_dnet_address(packet_info *pinfo, address *paddr_src, address *paddr_tgt)
+ {
+ if (paddr_tgt->type != AT_STRINGZ && paddr_src->type == AT_ETHER) {
+ char *addr = dnet_ntoa((const guint8 *)paddr_src->data);
+ if (addr != NULL)
+- SET_ADDRESS(paddr_tgt, AT_STRINGZ, 1, addr);
++ SET_ADDRESS(paddr_tgt, AT_STRINGZ, 1,
++ wmem_strdup(pinfo->pool, addr));
+ }
+ }
+
+@@ -376,10 +377,10 @@ dissect_dec_rt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "DEC DNA");
+ col_clear(pinfo->cinfo, COL_INFO);
+
+- set_dnet_address(&pinfo->dl_src, &pinfo->net_src);
+- set_dnet_address(&pinfo->dl_src, &pinfo->src);
+- set_dnet_address(&pinfo->dl_dst, &pinfo->net_dst);
+- set_dnet_address(&pinfo->dl_dst, &pinfo->dst);
++ set_dnet_address(pinfo, &pinfo->dl_src, &pinfo->net_src);
++ set_dnet_address(pinfo, &pinfo->dl_src, &pinfo->src);
++ set_dnet_address(pinfo, &pinfo->dl_dst, &pinfo->net_dst);
++ set_dnet_address(pinfo, &pinfo->dl_dst, &pinfo->dst);
+
+ offset += 2;
+ msg_flags = tvb_get_guint8(tvb, offset);
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/26_1.12.3_fix_SMTP_crash_1.patch wireshark-1.12.1+g01b65bf/debian/patches/26_1.12.3_fix_SMTP_crash_1.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/26_1.12.3_fix_SMTP_crash_1.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/26_1.12.3_fix_SMTP_crash_1.patch 2015-02-04 15:44:44.000000000 -0500
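Review bot: `SET_ADDRESS(paddr_tgt, AT_STRINGZ, 1, ...)` in set_dnet_address still passes a length of 1 for a NUL-terminated string address, which the patch carries over unchanged. Copying the string into `pinfo->pool` fixes the lifetime, but any consumer that copies or compares the address by its length field would see only the first byte. `SET_ADDRESS(paddr_tgt, AT_STRINGZ, (int)strlen(addr) + 1, wmem_strdup(pinfo->pool, addr));` keeps the length and the data consistent. This assumes `strlen` is already available in packet-dec-dnart.c, which the hunk does not show.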
@@ -0,0 +1,235 @@ +From 2fbc60f12763f35226430885f448587b117fb87c Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Thu, 1 Jan 2015 17:53:24 -0800 +Subject: [PATCH 7/8] When deccoding base-64, the result is the length of the + *decoded* result. + +That way, for example, format_text() calls on the decoded result don't +go past the end of the decoded result. + +Fix some more indentation while we're at it. + +Conflicts: + epan/dissectors/packet-smtp.c + +Bug: 10823 +Change-Id: Iff40c89a2e5734b7f6a21ea8b654cb0869aac774 +Reviewed-on: https://code.wireshark.org/review/6225 +Reviewed-by: Guy Harris +Reviewed-on: https://code.wireshark.org/review/6465 +Reviewed-by: Balint Reczey +--- + epan/dissectors/packet-smtp.c | 87 ++++++++++++++++++++++++++++--------------- + 1 file changed, 57 insertions(+), 30 deletions(-) + +diff --git a/epan/dissectors/packet-smtp.c b/epan/dissectors/packet-smtp.c +index e3b9a00..988a4ba 100644 +--- a/epan/dissectors/packet-smtp.c ++++ b/epan/dissectors/packet-smtp.c +@@ -369,6 +369,7 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + fragment_head *frag_msg = NULL; + tvbuff_t *next_tvb; + guint8 *decrypt = NULL; ++ size_t decrypt_len; + guint8 *base64_string = NULL; + guint8 line_code[3]; + +@@ -577,10 +578,13 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + (pinfo->fd->num >= session_state->first_auth_frame) && + ((session_state->last_auth_frame == 0) || (pinfo->fd->num <= session_state->last_auth_frame))) { + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen); +- if ((stmp_decryption_enabled) && (ws_base64_decode_inplace(decrypt) > 0)) { ++ if ((stmp_decryption_enabled) && ++ ((decrypt_len = ws_base64_decode_inplace(decrypt)) > 0)) { + line = decrypt; ++ linelen = (int)decrypt_len; + } else { + line = tvb_get_ptr(tvb, loffset, linelen); ++ decrypt_len = linelen; + } + } else { + line = tvb_get_ptr(tvb, loffset, linelen); +@@ -834,37 +838,41 @@ dissect_smtp(tvbuff_t *tvb, packet_info 
*pinfo, proto_tree *tree) + if (decrypt == NULL) { + /* This line wasn't already decrypted through the state machine */ + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen); ++ decrypt_len = linelen; + if (stmp_decryption_enabled) { +- if (ws_base64_decode_inplace(decrypt) == 0) { ++ if ((decrypt_len = ws_base64_decode_inplace(decrypt)) == 0) { + /* Go back to the original string */ + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen); ++ decrypt_len = linelen; + } + } + } + proto_tree_add_string(smtp_tree, hf_smtp_username, tvb, + loffset, linelen, decrypt); +- col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", decrypt); ++ col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", format_text(decrypt, decrypt_len)); + } else if (session_state->password_frame == pinfo->fd->num) { + if (decrypt == NULL) { + /* This line wasn't already decrypted through the state machine */ + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen); ++ decrypt_len = linelen; + if (stmp_decryption_enabled) { +- if (ws_base64_decode_inplace(decrypt) == 0) { ++ if ((decrypt_len = ws_base64_decode_inplace(decrypt)) == 0) { + /* Go back to the original string */ + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen); ++ decrypt_len = linelen; + } + } + } + proto_tree_add_string(smtp_tree, hf_smtp_password, tvb, + loffset, linelen, decrypt); +- col_append_fstr(pinfo->cinfo, COL_INFO, "Pass: %s", decrypt); ++ col_append_fstr(pinfo->cinfo, COL_INFO, "Pass: %s", format_text(decrypt, decrypt_len)); + } else if (session_state->ntlm_rsp_frame == pinfo->fd->num) { + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen); + if (stmp_decryption_enabled) { + if (ws_base64_decode_inplace(decrypt) == 0) { + /* Go back to the original string */ + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen); +- col_append_str(pinfo->cinfo, COL_INFO, decrypt); ++ col_append_str(pinfo->cinfo, COL_INFO, format_text(decrypt, 
linelen)); + proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb, + loffset, linelen, ENC_ASCII|ENC_NA); + } +@@ -874,7 +882,7 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + } + } + else { +- col_append_str(pinfo->cinfo, COL_INFO, decrypt); ++ col_append_str(pinfo->cinfo, COL_INFO, format_text(decrypt, linelen)); + proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb, + loffset, linelen, ENC_ASCII|ENC_NA); + } +@@ -901,55 +909,72 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, + loffset + 5, linelen - 5, ENC_ASCII|ENC_NA); + +- if (decrypt == NULL) { ++ if (linelen >= 11) { ++ if (decrypt == NULL) { + /* This line wasn't already decrypted through the state machine */ + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 11, linelen - 11); ++ decrypt_len = linelen - 11; + if (stmp_decryption_enabled) { +- if (ws_base64_decode_inplace(decrypt) == 0) { ++ if ((decrypt_len = ws_base64_decode_inplace(decrypt)) == 0) { + /* Go back to the original string */ + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 11, linelen - 11); ++ decrypt_len = linelen - 11; + } + } ++ } ++ proto_tree_add_string(cmdresp_tree, hf_smtp_username, tvb, loffset + 11, linelen - 11, decrypt); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, 11), 11)); ++ col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", format_text(decrypt, decrypt_len)); + } + proto_tree_add_string(cmdresp_tree, hf_smtp_username, tvb, loffset + 11, linelen - 11, decrypt); +- col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 11)); +- col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", decrypt); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, 11), 11)); ++ col_append_fstr(pinfo->cinfo, COL_INFO, "User: %s", format_text(decrypt, linelen - 
11)); + } + else if ((linelen > 5) && (session_state->ntlm_req_frame == pinfo->fd->num) ) { + proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, + loffset + 5, linelen - 5, ENC_ASCII|ENC_NA); +- decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10); +- if (stmp_decryption_enabled) { +- if (ws_base64_decode_inplace(decrypt) == 0) { ++ if (linelen >= 10) { ++ decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10); ++ if (stmp_decryption_enabled) { ++ if ((decrypt_len = ws_base64_decode_inplace(decrypt)) == 0) { + /* Go back to the original string */ + decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10); +- col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 10)); +- col_append_str(pinfo->cinfo, COL_INFO, decrypt); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, 10), 10)); ++ col_append_str(pinfo->cinfo, COL_INFO, format_text(decrypt, linelen - 10)); ++ } ++ else { ++ base64_string = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, 10), 10)); ++ dissect_ntlm_auth(tvb, pinfo, cmdresp_tree, base64_string); ++ } + } + else { +- base64_string = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10); +- col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 10)); +- dissect_ntlm_auth(tvb, pinfo, cmdresp_tree, base64_string); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, 10), 10)); ++ col_append_str(pinfo->cinfo, COL_INFO, format_text(decrypt, linelen - 10)); + } + } +- else { +- col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 10)); +- col_append_str(pinfo->cinfo, COL_INFO, decrypt); +- } + } + else if ((linelen > 5) && 
(session_state->user_pass_cmd_frame == pinfo->fd->num) ) { + proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, + loffset + 5, linelen - 5, ENC_ASCII|ENC_NA); +- col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, 11)); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, 11), 11)); + decode_plain_auth(tvb, pinfo, cmdresp_tree, loffset + 11, linelen - 11); + } + else if (linelen > 5) { + proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, + loffset + 5, linelen - 5, ENC_ASCII|ENC_NA); +- col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen)); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen), linelen)); + } + else { +- col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen)); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen), linelen)); + } + + if (smtp_data_desegment && !spd_frame_data->more_frags) { +@@ -1095,7 +1120,8 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + if (linelen >= 4) { + if ((stmp_decryption_enabled) && (code == 334)) { + decrypt = tvb_get_string(wmem_packet_scope(), tvb, offset + 4, linelen - 4); +- if (ws_base64_decode_inplace(decrypt) > 0) { ++ decrypt_len = linelen - 4; ++ if ((decrypt_len = ws_base64_decode_inplace(decrypt)) > 0) { + if (g_ascii_strncasecmp(decrypt, "NTLMSSP", 7) == 0) { + base64_string = tvb_get_string(wmem_packet_scope(), tvb, loffset + 4, linelen - 4); + col_append_fstr(pinfo->cinfo, COL_INFO, "%d ", code); +@@ -1107,7 +1133,7 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + proto_tree_add_string(cmdresp_tree, hf_smtp_rsp_parameter, tvb, + offset + 4, linelen - 4, (const char*)decrypt); + +- col_append_fstr(pinfo->cinfo, COL_INFO, "%d %s", code, 
decrypt); ++ col_append_fstr(pinfo->cinfo, COL_INFO, "%d %s", code, format_text(decrypt, decrypt_len)); + } + } else { + decrypt = NULL; +@@ -1119,10 +1145,11 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + offset + 4, linelen - 4, ENC_ASCII|ENC_NA); + + col_append_fstr(pinfo->cinfo, COL_INFO, "%d %s", code, +- tvb_get_string(wmem_packet_scope(), tvb, offset + 4, linelen - 4)); ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, offset + 4, linelen - 4), linelen - 4)); + } + } else { +- col_append_str(pinfo->cinfo, COL_INFO, tvb_get_string(wmem_packet_scope(), tvb, offset, linelen)); ++ col_append_str(pinfo->cinfo, COL_INFO, ++ format_text(tvb_get_string(wmem_packet_scope(), tvb, offset, linelen), linelen)); + } + } + } +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/27_1.12.3_fix_SMTP_crash_2.patch wireshark-1.12.1+g01b65bf/debian/patches/27_1.12.3_fix_SMTP_crash_2.patch --- wireshark-1.12.1+g01b65bf/debian/patches/27_1.12.3_fix_SMTP_crash_2.patch 1969-12-31 19:00:00.000000000 -0500 +++ wireshark-1.12.1+g01b65bf/debian/patches/27_1.12.3_fix_SMTP_crash_2.patch 2015-02-04 15:48:43.000000000 -0500 
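Review bot: In the username-command branch (nested hunk `@@ -901,55 +909,72 @@`) the `proto_tree_add_string` / `col_append_str` / `col_append_fstr` trio is added inside the new `if (linelen >= 11)` block but is also still present right after its closing brace, so it runs a second time without the guard. That second copy calls `format_text(decrypt, linelen - 11)`: for a line shorter than 11 bytes the length goes negative and `decrypt` may still be NULL, and for a successfully decoded line it is the encoded length rather than `decrypt_len`, which is the over-read this patch sets out to remove. The three statements after the guard should be dropped so that only the guarded copy ending in `format_text(decrypt, decrypt_len)` remains; the duplication looks like a leftover from resolving the conflict the commit message mentions. dissect_smtp starts and ends outside the hunks.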
@@ -0,0 +1,70 @@
+From 0abe88bb797529f340377ad2d42f102a6b55151a Mon Sep 17 00:00:00 2001
+From: Guy Harris
+Date: Thu, 1 Jan 2015 21:49:40 -0800
+Subject: [PATCH 8/8] Always set decrypt_len when setting decrypt.
+
+This may not always be necessary, but....
+
+Conflicts:
+ epan/dissectors/packet-smtp.c
+
+Change-Id: I9741d606c8c15b945335cf24b182cbd6b75fb310
+Reviewed-on: https://code.wireshark.org/review/6233
+Reviewed-by: Guy Harris
+Reviewed-on: https://code.wireshark.org/review/6466
+Reviewed-by: Balint Reczey
+---
+ epan/dissectors/packet-smtp.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-smtp.c b/epan/dissectors/packet-smtp.c
+index 988a4ba..053cddb 100644
+--- a/epan/dissectors/packet-smtp.c
++++ b/epan/dissectors/packet-smtp.c
+@@ -369,7 +369,7 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+ fragment_head *frag_msg = NULL;
+ tvbuff_t *next_tvb;
+ guint8 *decrypt = NULL;
+- size_t decrypt_len;
++ size_t decrypt_len = 0;
+ guint8 *base64_string = NULL;
+ guint8 line_code[3];
+
+@@ -868,10 +868,12 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+ col_append_fstr(pinfo->cinfo, COL_INFO, "Pass: %s", format_text(decrypt, decrypt_len));
+ } else if (session_state->ntlm_rsp_frame == pinfo->fd->num) {
+ decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
++ decrypt_len = linelen;
+ if (stmp_decryption_enabled) {
+- if (ws_base64_decode_inplace(decrypt) == 0) {
++ if ((decrypt_len = ws_base64_decode_inplace(decrypt)) == 0) {
+ /* Go back to the original string */
+ decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset, linelen);
++ decrypt_len = linelen;
+ col_append_str(pinfo->cinfo, COL_INFO, format_text(decrypt, linelen));
+ proto_tree_add_item(smtp_tree, hf_smtp_command_line, tvb,
+ loffset, linelen, ENC_ASCII|ENC_NA);
+@@ -937,10 +939,12 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+ loffset + 5, linelen - 5, ENC_ASCII|ENC_NA);
+ if (linelen >= 10) {
+ decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10);
++ decrypt_len = linelen - 10;
+ if (stmp_decryption_enabled) {
+ if ((decrypt_len = ws_base64_decode_inplace(decrypt)) == 0) {
+ /* Go back to the original string */
+ decrypt = tvb_get_string(wmem_packet_scope(), tvb, loffset + 10, linelen - 10);
++ decrypt_len = linelen - 10;
+ col_append_str(pinfo->cinfo, COL_INFO,
+ format_text(tvb_get_string(wmem_packet_scope(), tvb, loffset, 10), 10));
+ col_append_str(pinfo->cinfo, COL_INFO, format_text(decrypt, linelen - 10));
+@@ -1117,6 +1121,7 @@ dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+ code);
+
+ decrypt = NULL;
++ decrypt_len = 0;
+ if (linelen >= 4) {
+ if ((stmp_decryption_enabled) && (code == 334)) {
+ decrypt = tvb_get_string(wmem_packet_scope(), tvb, offset + 4, linelen - 4);
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/28_1.12.3_fix_TLS_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/28_1.12.3_fix_TLS_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/28_1.12.3_fix_TLS_crash.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/28_1.12.3_fix_TLS_crash.patch 2015-02-04 15:48:54.000000000 -0500
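Review bot: After this patch `decrypt_len` holds `linelen - 10` on the fallback path of the `linelen >= 10` block, but the column append a few lines later still passes `linelen - 10` by hand, and the NTLM-response branch does the same with `linelen`. Passing the variable instead, `col_append_str(pinfo->cinfo, COL_INFO, format_text(decrypt, decrypt_len));`, leaves a single place that defines how many bytes of `decrypt` are valid. A comment at the declaration, `size_t decrypt_len = 0; /* valid bytes in decrypt; update whenever decrypt is reassigned */`, would record the invariant that the commit message only hints at. dissect_smtp starts and ends outside the hunks.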
@@ -0,0 +1,40 @@
+From f4f119946a4070f5aa9826c8c41e435760cd81f7 Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Fri, 2 Jan 2015 14:06:42 -0800
+Subject: [PATCH 4/8] Make sure we don't underrun a buffer when decrypting SSL.
+
+Discovered by Noam Rathaus.
+
+Change-Id: Ia0275601b2a825ba616656064d9a6eca109e34fa
+Reviewed-on: https://code.wireshark.org/review/6256
+Petri-Dish: Gerald Combs
+Reviewed-by: Gerald Combs
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Evan Huus
+(cherry picked from commit d3581aecda62d2a51ea7088fd46975415b03ec57)
+Reviewed-on: https://code.wireshark.org/review/6324
+(cherry picked from commit f5e435ab8bccaf64ca93dc6e2330090b2e99e532)
+Reviewed-on: https://code.wireshark.org/review/6428
+Reviewed-by: Michael Mann
+---
+ epan/dissectors/packet-ssl-utils.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
+index 194efea..eb9cb1a 100644
+--- a/epan/dissectors/packet-ssl-utils.c
++++ b/epan/dissectors/packet-ssl-utils.c
+@@ -3193,6 +3193,10 @@ ssl_decrypt_record(SslDecryptSession*ssl,SslDecoder* decoder, gint ct,
+
+ /* strip padding for GenericBlockCipher */
+ if (decoder->cipher_suite->mode == MODE_CBC) {
++ if (inl < 1) { /* Should this check happen earlier? */
++ ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
++ return -1;
++ }
+ pad=out_str->data[inl-1];
+ if (worklen <= pad) {
+ ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/series wireshark-1.12.1+g01b65bf/debian/patches/series
--- wireshark-1.12.1+g01b65bf/debian/patches/series 2014-12-12 10:38:27.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/series 2015-02-04 15:48:54.000000000 -0500
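Review bot: The new `inl < 1` guard protects the `out_str->data[inl-1]` read, but the very next test compares `pad` against `worklen`, a second length whose relation to `inl` is established outside the hunk. If `worklen` can end up smaller than `inl` after decryption, the pad byte is read from beyond the bytes actually produced; indexing by the decrypted length, `pad=out_str->data[worklen-1];` behind a matching `worklen < 1` check, would tie the read to valid data. The open question left in the code, `/* Should this check happen earlier? */`, also deserves an answer, since any use of `inl` earlier in ssl_decrypt_record (not visible here) runs before this guard. The function starts and ends outside the hunk.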
@@ -11,3 +11,10 @@
 19_1.12.2_fix_NCP_crash_2.patch
 20_1.12.2_fix_SigComp_crash.patch
 21_1.12.2_fix_AMQP_crash.patch
+22_1.12.3_fix_LPP_crash.patch
+23_1.12.3_fix_WCCP_crash_1.patch
+24_1.12.3_fix_WCCP_crash_2.patch
+25_1.12.3_fix_DEC_DNA_crash.patch
+26_1.12.3_fix_SMTP_crash_1.patch
+27_1.12.3_fix_SMTP_crash_2.patch
+28_1.12.3_fix_TLS_crash.patch