diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog 2015-02-05 10:05:54.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/changelog 2015-04-03 17:18:23.000000000 -0400
@@ -1,3 +1,23 @@
+wireshark (1.12.1+g01b65bf-2~ubuntu14.10.3) utopic-security; urgency=medium
+
+ * Security Update to Address Multiple CVEs (LP: #1440202)
+ * Additional new patches (from 1.12.4) in debian/patches/ (from vivid
+ package, renamed for numerical sequence differences in Utopic):
+ * 29_1.12.4_fix_ATN_CPDLC_crash.patch: Fix ATN-CPDLC dissector crash
+ (CVE-2015-2187)
+ * 30_1.12.4_fix_pcapng_crash.patch: Fix pcapng file parser crash
+ (CVE-2015-2189)
+ * 31_1.12.4_fix_TNEF_crash.patch: Fix TNEF dissector crash
+ (CVE-2015-2191)
+ * 32_1.12.4_fix_SCSI_OSD_crash.patch: Fix SCSI OSD dissector crash
+ (CVE-2015-2192)
+ * 33_1.12.4_fix_LLDP_crash.patch: Fix LLDP dissector crash
+ (CVE-2015-2190)
+ * 34_1.12.4_fix_WCP_crash.patch: Fix WCP dissector crash
+ (CVE-2015-2188)
+
+ -- Thomas Ward Fri, 03 Apr 2015 17:12:34 -0400
+
 wireshark (1.12.1+g01b65bf-2~ubuntu14.10.2) utopic-security; urgency=medium
 
 * Security Update to Address Multiple CVEs (LP: #1418211)
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/29_1.12.4_fix_ATN_CPDLC_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/29_1.12.4_fix_ATN_CPDLC_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/29_1.12.4_fix_ATN_CPDLC_crash.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/29_1.12.4_fix_ATN_CPDLC_crash.patch 2015-04-03 17:09:25.000000000 -0400
@@ -0,0 +1,147 @@ +From 13bdc0f9721164b49cb0bf755c151c97cf430d70 Mon Sep 17 00:00:00 2001 +From: Pascal Quantin +Date: Wed, 25 Feb 2015 17:49:31 +0100 +Subject: [PATCH 1/6] ATN-CPDLC: never put a break in a TRY block + +It will skip the execution of ENDTRY block + +Bug: 9952 +Change-Id: I55af248b7d31cf1b75aae695ef8c149367791820 +Reviewed-on: https://code.wireshark.org/review/7391 +Petri-Dish: Pascal Quantin +Tested-by: Petri Dish Buildbot +Reviewed-by: Pascal Quantin +(cherry picked from commit 1a3dd349233a4ee3e69295c8e79f9a216027037e) +Conflicts: + epan/dissectors/packet-atn-cpdlc.c +Reviewed-on: https://code.wireshark.org/review/7392 +Reviewed-on: https://code.wireshark.org/review/7702 +Reviewed-by: Peter Wu +Reviewed-by: Balint Reczey +Tested-by: Balint Reczey +--- + asn1/atn-cpdlc/packet-atn-cpdlc-template.c | 18 ++++++++++-------- + epan/dissectors/packet-atn-cpdlc.c | 22 ++++++++++++---------- + 2 files changed, 22 insertions(+), 18 deletions(-) + +diff --git a/asn1/atn-cpdlc/packet-atn-cpdlc-template.c b/asn1/atn-cpdlc/packet-atn-cpdlc-template.c +index b0ba23c..1050754 100644 +--- a/asn1/atn-cpdlc/packet-atn-cpdlc-template.c ++++ b/asn1/atn-cpdlc/packet-atn-cpdlc-template.c +@@ -227,17 +227,18 @@ dissect_atn_cpdlc_heur( + TRY { + dissect_ProtectedGroundPDUs_PDU(tvb, pinfo, NULL); + is_atn_cpdlc = TRUE; +- is_pm = TRUE; +- break;} ++ is_pm = TRUE;} + CATCH_ALL{ + is_atn_cpdlc = FALSE; + is_pm = FALSE;} + ENDTRY; ++ if (is_atn_cpdlc) { ++ break; ++ } + TRY { + dissect_GroundPDUs_PDU(tvb, pinfo, NULL); + is_pm = FALSE; +- is_atn_cpdlc = TRUE; +- break;} ++ is_atn_cpdlc = TRUE;} + CATCH_ALL{ + is_atn_cpdlc = FALSE; + is_pm = FALSE;} +@@ -247,17 +248,18 @@ dissect_atn_cpdlc_heur( + TRY { + dissect_ProtectedAircraftPDUs_PDU(tvb, pinfo, NULL); + is_atn_cpdlc = TRUE; +- is_pm = TRUE; +- break;} ++ is_pm = TRUE;} + CATCH_ALL { + is_atn_cpdlc = FALSE; + is_pm = FALSE; } + ENDTRY; ++ if (is_atn_cpdlc) { ++ break; ++ } + TRY{ + dissect_AircraftPDUs_PDU(tvb, pinfo, 
NULL); + is_atn_cpdlc = TRUE; +- is_pm = FALSE; +- break;} ++ is_pm = FALSE;} + CATCH_ALL{ + is_atn_cpdlc = FALSE; + is_pm = FALSE;} +diff --git a/epan/dissectors/packet-atn-cpdlc.c b/epan/dissectors/packet-atn-cpdlc.c +index e21ffa7..526f130 100644 +--- a/epan/dissectors/packet-atn-cpdlc.c ++++ b/epan/dissectors/packet-atn-cpdlc.c +@@ -5424,17 +5424,18 @@ dissect_atn_cpdlc_heur( + TRY { + dissect_ProtectedGroundPDUs_PDU(tvb, pinfo, NULL); + is_atn_cpdlc = TRUE; +- is_pm = TRUE; +- break;} ++ is_pm = TRUE;} + CATCH_ALL{ + is_atn_cpdlc = FALSE; + is_pm = FALSE;} + ENDTRY; ++ if (is_atn_cpdlc) { ++ break; ++ } + TRY { + dissect_GroundPDUs_PDU(tvb, pinfo, NULL); + is_pm = FALSE; +- is_atn_cpdlc = TRUE; +- break;} ++ is_atn_cpdlc = TRUE;} + CATCH_ALL{ + is_atn_cpdlc = FALSE; + is_pm = FALSE;} +@@ -5444,17 +5445,18 @@ dissect_atn_cpdlc_heur( + TRY { + dissect_ProtectedAircraftPDUs_PDU(tvb, pinfo, NULL); + is_atn_cpdlc = TRUE; +- is_pm = TRUE; +- break;} ++ is_pm = TRUE;} + CATCH_ALL { + is_atn_cpdlc = FALSE; + is_pm = FALSE; } + ENDTRY; ++ if (is_atn_cpdlc) { ++ break; ++ } + TRY{ + dissect_AircraftPDUs_PDU(tvb, pinfo, NULL); + is_atn_cpdlc = TRUE; +- is_pm = FALSE; +- break;} ++ is_pm = FALSE;} + CATCH_ALL{ + is_atn_cpdlc = FALSE; + is_pm = FALSE;} +@@ -7918,7 +7920,7 @@ void proto_register_atn_cpdlc (void) + NULL, HFILL }}, + + /*--- End of included file: packet-atn-cpdlc-hfarr.c ---*/ +-#line 316 "../../asn1/atn-cpdlc/packet-atn-cpdlc-template.c" ++#line 318 "../../asn1/atn-cpdlc/packet-atn-cpdlc-template.c" + }; + + static gint *ett[] = { +@@ -8069,7 +8071,7 @@ void proto_register_atn_cpdlc (void) + &ett_atn_cpdlc_WindSpeed, + + /*--- End of included file: packet-atn-cpdlc-ettarr.c ---*/ +-#line 320 "../../asn1/atn-cpdlc/packet-atn-cpdlc-template.c" ++#line 322 "../../asn1/atn-cpdlc/packet-atn-cpdlc-template.c" + &ett_atn_cpdlc + }; + +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/30_1.12.4_fix_pcapng_crash.patch 
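Review bot: The new `if (is_atn_cpdlc) { break; }` after each ENDTRY carries no explanation of why the break was hoisted out of the TRY body, and the next maintainer may well move it back into the TRY for brevity. A comment such as `/* Never break inside TRY: it skips ENDTRY (bug 9952); test the flag after ENDTRY instead. */` above the first such check, in both the template and the generated packet-atn-cpdlc.c, would pin the reason down where the code is read. The second TRY/ENDTRY of each pair has no flag test after it; the surrounding switch or loop of dissect_atn_cpdlc_heur lies outside the hunk, so presumably the existing break before the next case label covers it, but that is worth confirming.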
wireshark-1.12.1+g01b65bf/debian/patches/30_1.12.4_fix_pcapng_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/30_1.12.4_fix_pcapng_crash.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/30_1.12.4_fix_pcapng_crash.patch 2015-04-03 17:09:36.000000000 -0400
@@ -0,0 +1,40 @@
+From bf4ed6e1ed9f3b29c9a7208e37a332aebe6b5ca5 Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Mon, 26 Jan 2015 11:38:33 -0800
+Subject: [PATCH 2/6] Pcapng: Don't fetch past the end of a GArray.
+
+Due to an off-by-one error an invalid ISB interface ID could make us
+fetch past the end of a GArray. Found using American Fuzzy Lop.
+
+Bug: 10895
+Change-Id: I7d4049ad7a386ae7e8013b8e741d54a31f353f1f
+Reviewed-on: https://code.wireshark.org/review/6798
+Petri-Dish: Gerald Combs
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Gerald Combs
+(cherry picked from commit a835c85e3d662343d7283f1dcdacb8a11d1d0727)
+Conflicts: wiretap/pcapng.c
+Reviewed-on: https://code.wireshark.org/review/6801
+Reviewed-on: https://code.wireshark.org/review/7704
+Reviewed-by: Balint Reczey
+Tested-by: Balint Reczey
+---
+ wiretap/pcapng.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/wiretap/pcapng.c b/wiretap/pcapng.c
+index 45f1ad3..bb40dca 100644
+--- a/wiretap/pcapng.c
++++ b/wiretap/pcapng.c
+@@ -2385,7 +2385,7 @@ pcapng_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
+ pcapng_debug0("pcapng_read: block type BLOCK_TYPE_ISB");
+ *data_offset += bytes_read;
+ pcapng_debug1("pcapng_read: *data_offset is updated to %" G_GINT64_MODIFIER "d", *data_offset);
+- if (wth->interface_data->len < wblock.data.if_stats.interface_id) {
++ if (wth->interface_data->len <= wblock.data.if_stats.interface_id) {
+ pcapng_debug1("pcapng_read: BLOCK_TYPE_ISB wblock.if_stats.interface_id %u > number_of_interfaces", wblock.data.if_stats.interface_id);
+ } else {
+ /* Get the interface description */
+--
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/31_1.12.4_fix_TNEF_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/31_1.12.4_fix_TNEF_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/31_1.12.4_fix_TNEF_crash.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/31_1.12.4_fix_TNEF_crash.patch
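Review bot: The debug message on the line after the corrected test still says `interface_id %u > number_of_interfaces`, but with `<=` the branch is now also taken when the two are equal, so the message misdescribes exactly the case this fix adds; change it to `"... interface_id %u >= number_of_interfaces"`. Separately, an out-of-range ISB interface ID is only debug-logged and the block is silently skipped; whether it should instead be reported through `*err`/`*err_info` as a malformed file depends on how the other block readers in pcapng_read treat an invalid interface_id, which is outside this hunk. The rest of the ISB branch and the enclosing switch are not shown here.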
2015-04-03 17:09:46.000000000 -0400
@@ -0,0 +1,42 @@
+From e0752c27a7a67db2fdca6da41e770a5ab41a967b Mon Sep 17 00:00:00 2001
+From: Evan Huus
+Date: Sun, 1 Mar 2015 18:33:10 -0500
+Subject: [PATCH 3/6] tnef: fix overflow leading to infinite loop
+
+Thanks to Vlad Tsyrklevich for the report, and Fabian Yamaguchi for the "joern"
+tool which found the bug.
+
+Bug: 11023
+Change-Id: I53bc998c9934736698e7db5eba09a14e79a7c633
+Reviewed-on: https://code.wireshark.org/review/7461
+Petri-Dish: Evan Huus
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Evan Huus
+(cherry picked from commit 608cf324b3962877e9699f3e81e8f82ac9f1ea14)
+Reviewed-on: https://code.wireshark.org/review/7486
+Reviewed-by: Gerald Combs
+Reviewed-on: https://code.wireshark.org/review/7706
+Reviewed-by: Balint Reczey
+---
+ epan/dissectors/packet-tnef.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-tnef.c b/epan/dissectors/packet-tnef.c
+index e88a83f..3fdeb7f 100644
+--- a/epan/dissectors/packet-tnef.c
++++ b/epan/dissectors/packet-tnef.c
+@@ -607,7 +607,10 @@ static void dissect_tnef(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+ }
+ }
+
+- offset += length;
++ /* check for overflow */
++ if (offset + length > (guint32)offset) {
++ offset += length;
++ }
+
+ proto_tree_add_item(attr_tree, hf_tnef_attribute_checksum, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset += 2;
+--
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/32_1.12.4_fix_SCSI_OSD_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/32_1.12.4_fix_SCSI_OSD_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/32_1.12.4_fix_SCSI_OSD_crash.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/32_1.12.4_fix_SCSI_OSD_crash.patch 2015-04-03 17:09:56.000000000 -0400
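Review bot: When `offset + length` wraps, the new check leaves offset where it was and execution falls through to the checksum read two lines below, so a malformed attribute is silently parsed out of sync instead of being rejected. A wrapping length can only come from bad input, so make it an error rather than a skipped increment: `if (offset + length < (guint32)offset) THROW(ReportedBoundsError);` followed by the unconditional `offset += length;`. The `(guint32)` cast suggests offset is a signed int; if so the comparison is done in unsigned arithmetic as intended, but a non-wrapping sum above INT_MAX would still be stored back as a negative offset, so bounding length against `tvb_reported_length_remaining(tvb, offset)` before the add would be the stronger check. The loop in dissect_tnef that contains this code starts and ends outside the hunk.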
@@ -0,0 +1,41 @@
+From 06a6d4306a09d7d69d9aed1a793aff172a2aa0b3 Mon Sep 17 00:00:00 2001
+From: Evan Huus
+Date: Sun, 1 Mar 2015 18:45:24 -0500
+Subject: [PATCH 4/6] scsi-osd: fix overflow leading to infinite loop
+
+Thanks to Vlad Tsyrklevich for the report.
+
+Bug: 11024
+Change-Id: I9defc6fc72339b2f6ba12b46172b776d798647cd
+Reviewed-on: https://code.wireshark.org/review/7463
+Petri-Dish: Evan Huus
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Evan Huus
+(cherry picked from commit c35ca6c051adb28c321db54cc138f18637977c9a)
+Reviewed-on: https://code.wireshark.org/review/7485
+Reviewed-on: https://code.wireshark.org/review/7707
+Reviewed-by: Balint Reczey
+Tested-by: Balint Reczey
+---
+ epan/dissectors/packet-scsi-osd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-scsi-osd.c b/epan/dissectors/packet-scsi-osd.c
+index 4aad143..deb00f0 100644
+--- a/epan/dissectors/packet-scsi-osd.c
++++ b/epan/dissectors/packet-scsi-osd.c
+@@ -1021,7 +1021,10 @@ dissect_osd2_cdb_continuation(packet_info *pinfo, tvbuff_t *tvb, guint32 offset,
+ expert_add_info(pinfo, item_length, &ei_osd2_cdb_continuation_descriptor_length_invalid);
+ return;
+ }
+- offset += length+padlen;
++ /* check for overflow */
++ if (offset + length + padlen > offset) {
++ offset += length+padlen;
++ }
+ }
+
+ }
+--
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/33_1.12.4_fix_LLDP_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/33_1.12.4_fix_LLDP_crash.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/33_1.12.4_fix_LLDP_crash.patch 1969-12-31 19:00:00.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/33_1.12.4_fix_LLDP_crash.patch 2015-04-03 17:10:07.000000000 -0400
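Review bot: If `offset + length + padlen` wraps, the new code leaves offset unchanged and the loop goes round again at the same descriptor, so unless the loop condition (outside the hunk) depends on something other than offset, a backwards-jumping infinite loop has been replaced by a stationary one rather than removed. Treat the wrap as a malformed descriptor and leave the loop, reusing the expert info the hunk already raises for a bad length a few lines above: `if (offset + length + padlen < offset) { expert_add_info(pinfo, item_length, &ei_osd2_cdb_continuation_descriptor_length_invalid); return; }` followed by the unconditional `offset += length+padlen;`. The head of dissect_osd2_cdb_continuation, including the loop header and the type of `length`, is not in the hunk, so the exact condition under which no progress is made should be checked there.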
@@ -0,0 +1,188 @@ +From 5b715e72143792faf43782f9df01dbdc8ae3676a Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Sat, 21 Feb 2015 18:48:21 -0800 +Subject: [PATCH 5/6] FT_{U}INT64 doesn't work with BASE_CUSTOM. + +This is the 1.12 branch, so we do a quick fix: + +Get rid of the one place we're using it. + +Reject it in tmp_fld_check_assert(), so using it will blow up early in +the initialization process rather than blowing up when dissecting. + +In cases that, with the tmp_fld_check_assert() change, "should not +happen", and where we might *not* be executing in the context of a +dissector (filling in the field label can be done lazily, being deferred +to "print" time, and that doesn't happen in the context of a dissector), +use g_assert_not_reached() rather than DISSECTOR_ASSERT_NOT_REACHED() - +the latter throws an assertion that's not caught if we're not doing +dissection, so we crash anyway. + +Bug: 10983 +Change-Id: Id4cb1b8ed17cab976b8151e41ec6b6b79478214d +Reviewed-on: https://code.wireshark.org/review/7304 +Reviewed-by: Guy Harris +Reviewed-on: https://code.wireshark.org/review/7705 +Reviewed-by: Balint Reczey +Tested-by: Balint Reczey +--- + epan/dissectors/packet-lldp.c | 42 +++++++++++++++++++++--------------------- + epan/proto.c | 18 ++++++++++++------ + 2 files changed, 33 insertions(+), 27 deletions(-) + +diff --git a/epan/dissectors/packet-lldp.c b/epan/dissectors/packet-lldp.c +index b0c6efc..0d1bbbf 100644 +--- a/epan/dissectors/packet-lldp.c ++++ b/epan/dissectors/packet-lldp.c +@@ -876,10 +876,9 @@ media_power_base(gchar *buf, guint32 value) { + option = 0 -> Latitude + option = 1 -> Longitude + */ +-static void +-get_latitude_or_longitude(gchar *buf, int option, guint64 unmasked_value) ++static gchar * ++get_latitude_or_longitude(int option, guint64 value) + { +- guint64 value = (unmasked_value & G_GINT64_CONSTANT(0x03FFFFFFFF000000)) >> 24; + guint64 tempValue = value; + gboolean negativeNum = FALSE; + guint32 integerPortion = 0; +@@ -925,18 
+924,8 @@ get_latitude_or_longitude(gchar *buf, int option, guint64 unmasked_value) + direction = "East"; + } + +- g_snprintf(buf, ITEM_LABEL_LENGTH, "%u.%04" G_GINT64_MODIFIER "u degrees %s (0x%16" G_GINT64_MODIFIER "X))", +- integerPortion, tempValue, direction, value); +-} +- +-static void +-latitude_base(gchar *buf, guint64 value) { +- get_latitude_or_longitude(buf, 0, value); +-} +- +-static void +-longitude_base(gchar *buf, guint64 value) { +- get_latitude_or_longitude(buf, 1, value); ++ return wmem_strdup_printf(wmem_packet_scope(), "%u.%04" G_GINT64_MODIFIER "u degrees %s", ++ integerPortion, tempValue, direction); + } + + /* Dissect Chassis Id TLV (Mandatory) */ +@@ -2363,6 +2352,7 @@ dissect_media_tlv(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 o + guint8 subType; + guint8 tempByte; + guint32 LCI_Length; ++ guint64 temp64bit = 0; + + proto_tree *media_flags = NULL; + proto_item *tf = NULL; +@@ -2492,7 +2482,12 @@ dissect_media_tlv(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 o + proto_tree_add_item(tree, hf_media_loc_lat_resolution, tvb, offset, 1, ENC_BIG_ENDIAN); + + /* Get latitude */ +- proto_tree_add_item(tree, hf_media_loc_lat, tvb, offset, 5, ENC_BIG_ENDIAN); ++ temp64bit = tvb_get_ntoh40(tvb, offset); ++ temp64bit = temp64bit & G_GINT64_CONSTANT(0x03FFFFFFFF); ++ if (tree) ++ proto_tree_add_string_format_value(tree, hf_media_loc_lat, tvb, offset, 5, "", "%s (0x%" G_GINT64_MODIFIER "X)", ++ get_latitude_or_longitude(0, temp64bit), ++ temp64bit); + + offset += 5; + +@@ -2500,7 +2495,12 @@ dissect_media_tlv(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 o + proto_tree_add_item(tree, hf_media_loc_long_resolution, tvb, offset, 1, ENC_BIG_ENDIAN); + + /* Get longitude */ +- proto_tree_add_item(tree, hf_media_loc_long, tvb, offset, 5, ENC_BIG_ENDIAN); ++ temp64bit = tvb_get_ntoh40(tvb, offset); ++ temp64bit = temp64bit & G_GINT64_CONSTANT(0x03FFFFFFFF); ++ if (tree) ++ 
proto_tree_add_string_format_value(tree, hf_media_loc_long, tvb, offset, 5, "", "%s (0x%" G_GINT64_MODIFIER "X)", ++ get_latitude_or_longitude(1, temp64bit), ++ temp64bit); + + offset += 5; + +@@ -4143,16 +4143,16 @@ proto_register_lldp(void) + NULL, 0xFC, NULL, HFILL } + }, + { &hf_media_loc_lat, +- { "Latitude", "lldp.media.loc.latitude", FT_UINT64, BASE_CUSTOM, +- latitude_base, 0x0, NULL, HFILL } ++ { "Latitude", "lldp.media.loc.latitude", FT_STRING, BASE_NONE, ++ NULL, 0x0, NULL, HFILL } + }, + { &hf_media_loc_long_resolution, + { "Longitude Resolution", "lldp.media.loc.long_resolution", FT_UINT8, BASE_DEC, + NULL, 0xFC, NULL, HFILL } + }, + { &hf_media_loc_long, +- { "Longitude", "lldp.media.loc.longitude", FT_UINT64, BASE_CUSTOM, +- longitude_base, 0x0, NULL, HFILL } ++ { "Longitude", "lldp.media.loc.longitude", FT_STRING, BASE_NONE, ++ NULL, 0x0, NULL, HFILL } + }, + { &hf_media_loc_alt_type, + { "Altitude Type", "lldp.media.loc.alt_type", FT_UINT8, BASE_DEC, +diff --git a/epan/proto.c b/epan/proto.c +index ac5ecf9..fc7c5a1 100644 +--- a/epan/proto.c ++++ b/epan/proto.c +@@ -5401,7 +5401,15 @@ tmp_fld_check_assert(header_field_info *hfinfo) + case BASE_OCT: + case BASE_DEC_HEX: + case BASE_HEX_DEC: ++ break; + case BASE_CUSTOM: /* hfinfo_numeric_value_format() treats this as decimal */ ++ if (hfinfo->type == FT_INT64 || ++ hfinfo->type == FT_UINT64) { ++ /* BASE_CUSTOM not supported yet */ ++ g_error("Field '%s' (%s) is a 64-bit field (%s) but is being displayed with BASE_CUSTOM\n", ++ hfinfo->name, hfinfo->abbrev, ++ ftype_name(hfinfo->type)); ++ } + break; + default: + g_error("Field '%s' (%s) is an integral value (%s)" +@@ -6133,6 +6141,7 @@ fill_label_number64(field_info *fi, gchar *label_str, gboolean is_signed) + guint64 value; + char tmp[ITEM_LABEL_LENGTH+1]; + ++ /* DOES NOT HANDLE BASE_CUSTOM */ + /* Pick the proper format string */ + if (is_signed) + format = hfinfo_int64_format(hfinfo); +@@ -6266,8 +6275,7 @@ 
hfinfo_number_value_format_display(const header_field_info *hfinfo, int display, + return ptr; + + default: +- DISSECTOR_ASSERT_NOT_REACHED(); +- ; ++ g_assert_not_reached(); + } + return ptr; + } +@@ -6358,8 +6366,7 @@ hfinfo_uint64_format(const header_field_info *hfinfo) + format = "0x%016" G_GINT64_MODIFIER "x (%" G_GINT64_MODIFIER "u)"; + break; + default: +- DISSECTOR_ASSERT_NOT_REACHED(); +- ; ++ g_assert_not_reached(); + } + return format; + } +@@ -6387,8 +6394,7 @@ hfinfo_int64_format(const header_field_info *hfinfo) + format = "0x%016" G_GINT64_MODIFIER "x (%" G_GINT64_MODIFIER "d)"; + break; + default: +- DISSECTOR_ASSERT_NOT_REACHED(); +- ; ++ g_assert_not_reached(); + } + return format; + } +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/34_1.12.4_fix_WCP_crash.patch wireshark-1.12.1+g01b65bf/debian/patches/34_1.12.4_fix_WCP_crash.patch --- wireshark-1.12.1+g01b65bf/debian/patches/34_1.12.4_fix_WCP_crash.patch 1969-12-31 19:00:00.000000000 -0500 +++ wireshark-1.12.1+g01b65bf/debian/patches/34_1.12.4_fix_WCP_crash.patch 2015-04-03 17:10:15.000000000 -0400 
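Review bot: Both new `proto_tree_add_string_format_value` calls pass `""` as the field value and put the decoded coordinate only in the display text, so `lldp.media.loc.latitude` and `lldp.media.loc.longitude` now hold an empty string as far as display filters, `-T fields` and the column API are concerned, whereas the FT_UINT64 field they replace held a number. Store the decoded string in a local and hand it in as the value: `const gchar *coord = get_latitude_or_longitude(0, temp64bit);` then `proto_tree_add_string_format_value(tree, hf_media_loc_lat, tvb, offset, 5, coord, "%s (0x%" G_GINT64_MODIFIER "X)", coord, temp64bit);`, and the same for longitude with option 1. Calling get_latitude_or_longitude only under `if (tree)` is fine since it allocates in wmem_packet_scope(), but note the raw 34-bit value is no longer available as a numeric field at all; if anyone filters on it, a separate FT_UINT64/BASE_HEX item would preserve that. The body of get_latitude_or_longitude between the declarations and the `direction = "East"` branch is outside the hunk.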
@@ -0,0 +1,230 @@ +From 2c9b3f3e3f753723ecfd0927b668ae2af6ee5830 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Mon, 12 Jan 2015 20:07:09 -0800 +Subject: [PATCH 6/6] Do bounds checking when decompressing WCP packets. + +Extract the data offset and count only once, and make sure we don't run +past the end of the data we've copied from the packet; have +decompressed_entry() just do the decompression, rather than also +fetching the data offset and count. + +Add some comments while we're at it. + +Bug: 10844 +Change-Id: I2dc2f9594422ffa8f15fd5c57c9dac2e30e363f4 +Reviewed-on: https://code.wireshark.org/review/6514 +Reviewed-by: Guy Harris +(cherry picked from commit b204ff4846fe84b7789893c6b1d9afbdecac5b5d) +Reviewed-on: https://code.wireshark.org/review/6515 +Reviewed-on: https://code.wireshark.org/review/7703 +Reviewed-by: Balint Reczey +Tested-by: Balint Reczey +--- + epan/dissectors/packet-wcp.c | 116 ++++++++++++++++++++++++++++++------------- + 1 file changed, 82 insertions(+), 34 deletions(-) + +diff --git a/epan/dissectors/packet-wcp.c b/epan/dissectors/packet-wcp.c +index bc6b598..f496e3c 100644 +--- a/epan/dissectors/packet-wcp.c ++++ b/epan/dissectors/packet-wcp.c +@@ -108,9 +108,10 @@ + #include + #include + #include ++#include + + #define MAX_WIN_BUF_LEN 0x7fff /* storage size for decompressed data */ +-#define MAX_WCP_BUF_LEN 2048 /* storage size for decompressed data */ ++#define MAX_WCP_BUF_LEN 2048 /* storage size for compressed data */ + #define FROM_DCE 0x80 /* for direction setting */ + + void proto_register_wcp(void); +@@ -397,26 +398,14 @@ static void dissect_wcp( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { + } + + +-static guint8 *decompressed_entry( guint8 *src, guint8 *dst, int *len, guint8 * buf_start, guint8 *buf_end){ ++static guint8 * ++decompressed_entry(guint8 *dst, guint16 data_offset, ++ guint16 data_cnt, int *len, guint8 * buf_start, guint8 *buf_end) ++{ ++ const guint8 *src; + + /* do the decompression for one field */ + 
+- guint16 data_offset, data_cnt; +- guint8 tmp = *src; +- +- data_offset = (*(src++) & 0xf) << 8; /* get high byte */ +- data_offset += *(src++); /* add next byte */ +- +- if (( tmp & 0xf0) == 0x10){ /* 2 byte count */ +- data_cnt = *src; +- data_cnt++; +- +- }else { /* one byte count */ +- data_cnt = tmp >> 4; +- data_cnt++; +- } +- +- + src = (dst - 1 - data_offset); + if ( src < buf_start) + src += MAX_WIN_BUF_LEN; +@@ -480,6 +469,7 @@ static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pin + int cnt = tvb_reported_length( src_tvb)-1; /* don't include check byte */ + + guint8 *dst, *src, *buf_start, *buf_end, comp_flag_bits = 0; ++ guint16 data_offset, data_cnt; + guint8 src_buf[ MAX_WCP_BUF_LEN]; + tvbuff_t *tvb; + wcp_window_t *buf_ptr = 0; +@@ -500,32 +490,56 @@ static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pin + return NULL; + } + ++ /* ++ * XXX - this will thow an exception if a snapshot length cut short ++ * the data. We may want to try to dissect the data in that case, ++ * and we may even want to try to decompress it, *but* we will ++ * want to mark the buffer of decompressed data as incomplete, so ++ * that we don't try to use it for decompressing later packets. 
++ */ + src = (guint8 *)tvb_memcpy(src_tvb, src_buf, offset, cnt - offset); + dst = buf_ptr->buf_cur; + len = 0; + i = -1; + + while( offset < cnt){ +- ++ /* There are i bytes left for this byte of flag bits */ + if ( --i >= 0){ +- if ( comp_flag_bits & 0x80){ /* if this is a compressed entry */ +- +- if ( !pinfo->fd->flags.visited){ /* if first pass */ +- dst = decompressed_entry( src, dst, &len, buf_start, buf_end); +- if (dst == NULL){ +- expert_add_info_format(pinfo, cd_item, &ei_wcp_uncompressed_data_exceeds, +- "Uncompressed data exceeds maximum buffer length (%d > %d)", +- len, MAX_WCP_BUF_LEN); +- return NULL; +- } ++ /* ++ * There's still at least one more byte left for ++ * the current set of compression flag bits; is ++ * it compressed data or uncompressed data? ++ */ ++ if ( comp_flag_bits & 0x80){ ++ /* This byte is compressed data */ ++ if (!(offset + 1 < cnt)) { ++ /* ++ * The data offset runs past the ++ * end of the data. ++ */ ++ THROW(ReportedBoundsError); + } ++ data_offset = pntoh16(src) & WCP_OFFSET_MASK; + if ((*src & 0xf0) == 0x10){ ++ /* ++ * The count of bytes to copy from ++ * the dictionary window is in the ++ * byte following the data offset. ++ */ ++ if (!(offset + 2 < cnt)) { ++ /* ++ * The data count runs past the ++ * end of the data. ++ */ ++ THROW(ReportedBoundsError); ++ } ++ data_cnt = *(src + 2) + 1; + if ( tree) { + ti = proto_tree_add_item( cd_tree, hf_wcp_long_run, src_tvb, + offset, 3, ENC_NA); + sub_tree = proto_item_add_subtree(ti, ett_wcp_field); + proto_tree_add_uint(sub_tree, hf_wcp_offset, src_tvb, +- offset, 2, pntoh16(src)); ++ offset, 2, data_offset); + + proto_tree_add_item( sub_tree, hf_wcp_long_len, src_tvb, + offset+2, 1, ENC_BIG_ENDIAN); +@@ -533,6 +547,13 @@ static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pin + src += 3; + offset += 3; + }else{ ++ /* ++ * The count of bytes to copy from ++ * the dictionary window is in ++ * the upper 4 bits of the next ++ * byte. 
++ */ ++ data_cnt = (*src >> 4) + 1; + if ( tree) { + ti = proto_tree_add_item( cd_tree, hf_wcp_short_run, src_tvb, + offset, 2, ENC_NA); +@@ -540,20 +561,42 @@ static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pin + proto_tree_add_uint( sub_tree, hf_wcp_short_len, src_tvb, + offset, 1, *src); + proto_tree_add_uint(sub_tree, hf_wcp_offset, src_tvb, +- offset, 2, pntoh16(src)); ++ offset, 2, data_offset); + } + src += 2; + offset += 2; + } ++ if ( !pinfo->fd->flags.visited){ /* if first pass */ ++ dst = decompressed_entry(dst, ++ data_offset, data_cnt, &len, ++ buf_start, buf_end); ++ if (dst == NULL){ ++ expert_add_info_format(pinfo, cd_item, &ei_wcp_uncompressed_data_exceeds, ++ "Uncompressed data exceeds maximum buffer length (%d > %d)", ++ len, MAX_WCP_BUF_LEN); ++ return NULL; ++ } ++ } + }else { ++ /* ++ * This byte is uncompressed data; is there ++ * room for it in the buffer of uncompressed ++ * data? ++ */ + if ( ++len >MAX_WCP_BUF_LEN){ ++ /* No - report an error. */ + expert_add_info_format(pinfo, cd_item, &ei_wcp_uncompressed_data_exceeds, + "Uncompressed data exceeds maximum buffer length (%d > %d)", + len, MAX_WCP_BUF_LEN); + return NULL; + } + +- if ( !pinfo->fd->flags.visited){ /* if first pass */ ++ if ( !pinfo->fd->flags.visited){ ++ /* ++ * This is the first pass through ++ * the packets, so copy it to the ++ * buffer of unco,pressed data. ++ */ + *dst = *src; + if ( dst++ == buf_end) + dst = buf_start; +@@ -562,10 +605,15 @@ static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pin + ++offset; + } + ++ /* Skip to the next compression flag bit */ + comp_flag_bits <<= 1; + +- }else { /* compressed data flag */ +- ++ }else { ++ /* ++ * There are no more bytes left for the current ++ * set of compression flag bits, so this byte ++ * is another byte of compression flag bits. 
++ */
+ comp_flag_bits = *src++;
+ if (cd_tree)
+ proto_tree_add_uint(cd_tree, hf_wcp_comp_bits, src_tvb, offset, 1,
+--
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/series wireshark-1.12.1+g01b65bf/debian/patches/series
--- wireshark-1.12.1+g01b65bf/debian/patches/series 2015-02-05 10:05:54.000000000 -0500
+++ wireshark-1.12.1+g01b65bf/debian/patches/series 2015-04-03 17:11:38.000000000 -0400
@@ -18,3 +18,9 @@
 26_1.12.3_fix_SMTP_crash_1.patch
 27_1.12.3_fix_SMTP_crash_2.patch
 28_1.12.3_fix_TLS_crash.patch
+29_1.12.4_fix_ATN_CPDLC_crash.patch
+30_1.12.4_fix_pcapng_crash.patch
+31_1.12.4_fix_TNEF_crash.patch
+32_1.12.4_fix_SCSI_OSD_crash.patch
+33_1.12.4_fix_LLDP_crash.patch
+34_1.12.4_fix_WCP_crash.patch
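Review bot: Two of the comments added in wcp_uncompress have typos: `this will thow an exception` in the XXX note above the tvb_memcpy should read `throw`, and `buffer of unco,pressed data` in the uncompressed-byte branch should read `uncompressed`. As a point of style, the two new bounds guards are written as `if (!(offset + 1 < cnt))` and `if (!(offset + 2 < cnt))`; the plain forms `if (offset + 1 >= cnt)` and `if (offset + 2 >= cnt)` say the same thing as the "runs past the end of the data" comments that follow them without the double negative. The inner hunks show only parts of wcp_uncompress, so the check on `cnt - offset` against MAX_WCP_BUF_LEN that the tvb_memcpy into src_buf relies on is not visible here and should be confirmed to precede it.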