diff -u wireshark-0.99.6rel/debian/changelog wireshark-0.99.6rel/debian/changelog --- wireshark-0.99.6rel/debian/changelog +++ wireshark-0.99.6rel/debian/changelog @@ -1,3 +1,85 @@ +wireshark (0.99.6rel-3ubuntu0.2) gutsy-security; urgency=low + + * SECURITY UPDATE: (LP: #172283) + + CVE-2007-6438 + - Vulnerability in the SMB dissector in Wireshark 0.99.6 allows remote + attackers to cause a denial of service via unknown vectors. + + CVE-2007-6539 + - Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause + a denial of service (infinite or large loop) via the (1) IPv6 or (2) + USB dissector, which can trigger resource consumption or a crash. + + CVE-2007-6441 + - The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6 allows + remote attackers to cause a denial of service (crash) via unknown + vectors related to "unaligned access on some platforms." + + CVE-2007-6450 + - The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to 0.99.6 + allows remote attackers to cause a denial of service (infinite loop) + via unknown vectors. + + CVE-2007-6451 + - vulnerability in the CIP dissector in Wireshark (formerly Ethereal) + 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service + (crash) via unknown vectors that trigger allocation of large amounts + of memory. + + CVE-2008-1070 + - The SCTP dissector in Wireshark (formerly Ethereal) 0.99.5 through + 0.99.7 allows remote attackers to cause a denial of service (crash) + via a malformed packet. + + CVE-2008-1071 + - The SNMP dissector in Wireshark (formerly Ethereal) 0.99.6 through + 0.99.7 allows remote attackers to cause a denial of service (crash) + via a malformed packet. (not vulnerable in Gutsy) + + CVE-2008-1072 + - The TFTP dissector in Wireshark (formerly Ethereal) 0.6.0 through + 0.99.7, when running on Ubuntu 7.10, allows remote attackers to caus + e a denial of service (crash or memory consumption) via a malformed + packet, possibly related to a Cairo library bug. + + + debian/patches/13_CVE-2007-6438.dpatch + - Applied patch by upstream + - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/ + dissectors/packet-smb.c?r1=23412&r2=23593&pathrev=23593 + + debian/patches/13_CVE-2007-6439.dpatch + - Applied patch by upstream + - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/ + dissectors/packet-ipv6.c?r1=23412&r2=23593&pathrev=23593 + - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/ + dissectors/packet-usb.c?r1=23412&r2=23593&pathrev=23593 + + debian/patches/13_CVE-2007-6441.dpatch + - Applied patch by upstream + - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/plugins/ + wimax/wimax_bits.h?r1=23412&r2=23787&pathrev=23555 + + debian/patches/13_CVE-2007-6450.dpatch + - Applied patch by upstream + - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/ + dissectors/packet-rpl.c?r1=23412&r2=23687&pathrev=23687 + + debian/patches/13_CVE-2007-6451.dpatch + - Applied patch by upstream + - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/ + dissectors/packet-cip.c?r1=23412&r2=12070&pathrev=12070 + + debian/patches/14_CVE-2008-1070.dpatch + - Applied patch by upastream + - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/ + dissectors/packet-sctp.c?r1=24295&r2=24471&pathrev=24563 + + debian/patches/14_CVE-2008-1072.dpatch + - Applied patch by upstream + - http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/ + dissectors/packet-tftp.c?r1=23412&r2=23962&pathrev=23962 + + * References + + http://www.wireshark.org/security/wnpa-sec-2007-03.html + - CVE-2007-6438 + - CVE-2007-6439 + - CVE-2007-6441 + - CVE-2007-6450 + - CVE-2007-6451 + + http://www.wireshark.org/security/wnpa-sec-2008-01.html + - CVE-2008-1070 + - CVE-2008-1071 (not vulnerable in gutsy and dont patched.) + - CVE-2008-1072 + + -- Emanuele Gentili Mon, 24 Mar 2008 03:21:13 +0100 + wireshark (0.99.6rel-3ubuntu0.1) gutsy-security; urgency=low * SECURITY UPDATE: (LP: #164501) diff -u wireshark-0.99.6rel/debian/patches/00list wireshark-0.99.6rel/debian/patches/00list --- wireshark-0.99.6rel/debian/patches/00list +++ wireshark-0.99.6rel/debian/patches/00list @@ -23,0 +24,7 @@ +13_CVE-2007-6438 +13_CVE-2007-6439 +13_CVE-2007-6441 +13_CVE-2007-6450 +13_CVE-2007-6451 +14_CVE-2008-1072 +14_CVE-2008-1070 only in patch2: unchanged: --- wireshark-0.99.6rel.orig/debian/patches/14_CVE-2008-1070.dpatch +++ wireshark-0.99.6rel/debian/patches/14_CVE-2008-1070.dpatch @@ -0,0 +1,27 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 14_CVE-2008-1070.dpatch by Emanuele Gentili +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-sctp.c wireshark-0.99.6rel/epan/dissectors/packet-sctp.c +--- wireshark-0.99.6rel~/epan/dissectors/packet-sctp.c 2007-07-05 21:24:57.000000000 +0200 ++++ wireshark-0.99.6rel/epan/dissectors/packet-sctp.c 2008-03-25 15:18:35.000000000 +0100 +@@ -2088,6 +2088,8 @@ + g_free(fragment); + } + ++/* msg->messages is se_ allocated, no need to free it */ ++ + g_free(msg); + } + +@@ -2481,6 +2483,7 @@ + message->reassembled_in = fragment; + message->len = len; + message->data = se_alloc(len); ++ message->next = NULL; + + /* now copy all fragments */ + if (begin->fragment->tsn > end->fragment->tsn) { only in patch2: unchanged: --- wireshark-0.99.6rel.orig/debian/patches/14_CVE-2008-1072.dpatch +++ wireshark-0.99.6rel/debian/patches/14_CVE-2008-1072.dpatch @@ -0,0 +1,30 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 14_CVE-2008-1072.dpatch by Emanuele Gentili +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-tftp.c wireshark-0.99.6rel/epan/dissectors/packet-tftp.c +--- wireshark-0.99.6rel~/epan/dissectors/packet-tftp.c 2007-07-05 21:25:02.000000000 +0200 ++++ wireshark-0.99.6rel/epan/dissectors/packet-tftp.c 2008-03-24 03:18:02.000000000 +0100 +@@ -51,6 +51,10 @@ + #include + #include + ++#ifdef NEED_G_ASCII_STRCASECMP_H ++#include "g_ascii_strcasecmp.h" ++#endif ++ + /* Things we may want to remember for a whole conversation */ + typedef struct _tftp_conv_info_t { + guint16 blocksize; +@@ -139,7 +143,7 @@ + } + + /* Special code to handle individual options */ +- if (!strcasecmp((const char *)optionname, "blksize") && ++ if (!g_ascii_strcasecmp((const char *)optionname, "blksize") && + opcode == TFTP_OACK) { + gint blocksize = strtol((const char *)optionvalue, NULL, 10); + if (blocksize < 8 || blocksize > 65464) { only in patch2: unchanged: --- wireshark-0.99.6rel.orig/debian/patches/13_CVE-2007-6451.dpatch +++ wireshark-0.99.6rel/debian/patches/13_CVE-2007-6451.dpatch @@ -0,0 +1,64 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 13_CVE-2007-6451.dpatch by Emanuele Gentili +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-cip.c wireshark-0.99.6rel/epan/dissectors/packet-cip.c +--- wireshark-0.99.6rel~/epan/dissectors/packet-cip.c 2007-07-05 21:24:56.000000000 +0200 ++++ wireshark-0.99.6rel/epan/dissectors/packet-cip.c 2008-03-24 02:34:34.000000000 +0100 +@@ -1053,7 +1053,7 @@ + /* Add reply status to info column */ + if(check_col(pinfo->cinfo, COL_INFO)) + { +- col_append_fstr( pinfo->cinfo, COL_INFO, "%s", ++ col_append_str( pinfo->cinfo, COL_INFO, + val_to_str( ( tvb_get_guint8( tvb, offset+2 ) ), + cip_gs_vals , "Unknown Response (%x)") ); + } +@@ -1086,7 +1086,7 @@ + pi = proto_tree_add_text( item_tree, tvb, offset+4+add_stat_size, item_length-4-add_stat_size, "Command Specific data" ); + cmd_data_tree = proto_item_add_subtree( pi, ett_cmd_data ); + +- if( gen_status == CI_GRC_SUCCESS ) ++ if( gen_status == CI_GRC_SUCCESS || gen_status == CI_GRC_SERVICE_ERROR ) + { + /* Success responses */ + +@@ -1224,7 +1224,7 @@ + */ + + if(check_col(pinfo->cinfo, COL_INFO)) +- col_append_fstr( pinfo->cinfo, COL_INFO, ", "); ++ col_append_str( pinfo->cinfo, COL_INFO, ", "); + + dissect_cip_data( temp_tree, tvb, offset+serv_offset+4, serv_length, pinfo ); + } +@@ -1304,7 +1304,7 @@ + /* Add service to info column */ + if(check_col(pinfo->cinfo, COL_INFO)) + { +- col_append_fstr( pinfo->cinfo, COL_INFO, "%s", ++ col_append_str( pinfo->cinfo, COL_INFO, + val_to_str( ( tvb_get_guint8( tvb, offset ) & 0x7F ), + cip_sc_vals , "Unknown Service (%x)") ); + } +@@ -1520,7 +1520,7 @@ + */ + + if(check_col(pinfo->cinfo, COL_INFO)) +- col_append_fstr( pinfo->cinfo, COL_INFO, ": "); ++ col_append_str( pinfo->cinfo, COL_INFO, ": "); + + dissect_cip_data( temp_tree, tvb, offset+2+req_path_size+4, msg_req_siz, pinfo ); + +@@ -1583,7 +1583,7 @@ + */ + + if(check_col(pinfo->cinfo, COL_INFO)) +- col_append_fstr( pinfo->cinfo, COL_INFO, ", "); ++ col_append_str( pinfo->cinfo, COL_INFO, ", "); + + dissect_cip_data( temp_tree, tvb, offset+serv_offset+6, serv_length, pinfo ); + } only in patch2: unchanged: --- wireshark-0.99.6rel.orig/debian/patches/13_CVE-2007-6438.dpatch +++ wireshark-0.99.6rel/debian/patches/13_CVE-2007-6438.dpatch @@ -0,0 +1,37 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 13_CVE-2007-6438.dpatch by Emanuele Gentili +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-smb.c wireshark-0.99.6rel/epan/dissectors/packet-smb.c +--- wireshark-0.99.6rel~/epan/dissectors/packet-smb.c 2007-07-05 21:24:59.000000000 +0200 ++++ wireshark-0.99.6rel/epan/dissectors/packet-smb.c 2008-03-24 01:26:45.000000000 +0100 +@@ -10271,7 +10271,7 @@ + /* search pattern */ + fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, FALSE, &bc); + CHECK_STRING_TRANS(fn); +- if(!t2i->name){ ++ if(t2i && !t2i->name){ + t2i->name = se_strdup(fn); + } + proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len, +@@ -10368,7 +10368,7 @@ + proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len, + fn); + COUNT_BYTES_TRANS(fn_len); +- if(!t2i->name){ ++ if(t2i && !t2i->name){ + t2i->name = se_strdup(fn); + } + +@@ -14587,7 +14587,7 @@ + PROTO_ITEM_SET_GENERATED(item); + } + +- if (check_col(pinfo->cinfo, COL_INFO)) { ++ if (t2i && check_col(pinfo->cinfo, COL_INFO)) { + col_append_fstr(pinfo->cinfo, COL_INFO, ", %s", + val_to_str(t2i->subcmd, + trans2_cmd_vals, only in patch2: unchanged: --- wireshark-0.99.6rel.orig/debian/patches/13_CVE-2007-6441.dpatch +++ wireshark-0.99.6rel/debian/patches/13_CVE-2007-6441.dpatch @@ -0,0 +1,94 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 13_CVE-2007-6441.dpatch by Emanuele Gentili +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad wireshark-0.99.6rel~/plugins/wimax/wimax_bits.h wireshark-0.99.6rel/plugins/wimax/wimax_bits.h +--- wireshark-0.99.6rel~/plugins/wimax/wimax_bits.h 2007-07-05 21:22:32.000000000 +0200 ++++ wireshark-0.99.6rel/plugins/wimax/wimax_bits.h 2008-03-24 02:06:55.000000000 +0100 +@@ -33,8 +33,6 @@ + * Functions for working with nibbles and bits + */ + +-#define AS16(x) g_htons(*((guint16*)(x))) +-#define AS32(x) g_htonl(*((guint32*)(x))) + + /* SWAR functions */ + #define _BITS(n,hi,lo) (((n)>>(lo))&((1<<(((hi)-(lo))+1))-1)) +@@ -60,37 +58,35 @@ + /* extract the byte at the given nibble address 'n' of buffer 'b' */ + #define NIB_BYTE(n,b) \ + (n) & 1 \ +- ? (g_ntohs( *(guint16 *)((b)+(n)/2) ) >> 4) & BYTE_MASK \ ++ ? (pntohs( (b)+(n)/2 ) >> 4) & BYTE_MASK \ + : (b)[(n)/2] + /* +- ? (AS16((b)+(n)/2) >> 4) & BYTE_MASK \ ++ ? (pletohs((b)+(n)/2) >> 4) & BYTE_MASK \ + */ + + /* extract 12 bits at the given nibble address */ + #define NIB_BITS12(n,b) \ + (NIB_NIBBLE(n,b+1) | (NIB_BYTE(n,b) << 4)) + +-#define AS16(x) g_htons(*((guint16*)(x))) +-#define AS32(x) g_htonl(*((guint32*)(x))) + + /* extract the word at the given nibble address 'n' of buffer 'b' */ + #define NIB_WORD(n,b) \ + (n) & 1 \ +- ? (gint)((g_ntohl(*(guint32 *)((b) + (n)/2)) >> 12) & 0x0000FFFF) \ +- : g_ntohs(*(guint16 *)((b) + (n)/2)) ++ ? (gint)((pntohl(((b) + (n)/2)) >> 12) & 0x0000FFFF) \ ++ : pntohs((b) + (n)/2) + /* +- : AS16((b) + (n)/2) +- ? (AS32((b)+(n)/2) >> 12) & 0x0000FFFF \ ++ : pletohs((b) + (n)/2) ++ ? (pletohl((b)+(n)/2) >> 12) & 0x0000FFFF \ + */ + + /* extract the word at the given nibble address 'n' of buffer 'b' */ + #define NIB_LONG(n,b) \ + (n) & 1 \ +- ? (g_ntohl(*(guint32 *)((b) + (n)/2)) << 4) | (((b)[(n)/2 + 4] >> 4) & NIBBLE_MASK) \ +- : g_ntohl(*(guint32 *)((b) + (n)/2)) ++ ? (pntohl(((b) + (n)/2)) << 4) | (((b)[(n)/2 + 4] >> 4) & NIBBLE_MASK) \ ++ : pntohl((b) + (n)/2) + /* +- ? (AS32((b) + (n)/2) << 4) | (((b)[(n)/2 + 4] >> 4) & NIBBLE_MASK) \ +- : AS32((b) + (n)/2) ++ ? (pletohl((b) + (n)/2) << 4) | (((b)[(n)/2 + 4] >> 4) & NIBBLE_MASK) \ ++ : pletohl((b) + (n)/2) + */ + + /* Only currently used with nib == 1 or 2 */ +@@ -160,7 +156,7 @@ + * num ... length of bitfield + */ + #define BIT_BITS16(bit, buf, num) \ +- (( AS16(buf+ADDR16(bit)) >> SHIFT16(bit,num) ) & MASK16(num)) ++ (( pletohs(buf+ADDR16(bit)) >> SHIFT16(bit,num) ) & MASK16(num)) + + /* extract bitfield up to 24 bits + * bit ... bit address +@@ -169,14 +165,14 @@ + */ + + #define BIT_BITS32(bit, buf, num) \ +- ((AS32(buf+ADDR32(bit)) >> SHIFT32(bit,num) ) & MASK32(num)) ++ ((pletohl(buf+ADDR32(bit)) >> SHIFT32(bit,num) ) & MASK32(num)) + + /* bitfield up to 32 bits */ + #define BIT_BITS64a(bit, buf, num) \ +- ((AS32(buf+ADDR32(bit)) & MASK64a(bit)) << SHIFT64a(bit,num)) ++ ((pletohl(buf+ADDR32(bit)) & MASK64a(bit)) << SHIFT64a(bit,num)) + + #define BIT_BITS64b(bit, buf, num) \ +- ((AS32(buf+ADDR32(bit)+4) >> SHIFT64b(bit,num) ) & MASK64b(bit,num)) ++ ((pletohl(buf+ADDR32(bit)+4) >> SHIFT64b(bit,num) ) & MASK64b(bit,num)) + + #define BIT_BITS64(bit, buf, num) \ + ( (OFFSET32(bit)+(num)) <= 32 \ only in patch2: unchanged: --- wireshark-0.99.6rel.orig/debian/patches/13_CVE-2007-6450.dpatch +++ wireshark-0.99.6rel/debian/patches/13_CVE-2007-6450.dpatch @@ -0,0 +1,29 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 13_CVE-2007-6450.dpatch by Emanuele Gentili +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-rpl.c wireshark-0.99.6rel/epan/dissectors/packet-rpl.c +--- wireshark-0.99.6rel~/epan/dissectors/packet-rpl.c 2007-07-05 21:24:58.000000000 +0200 ++++ wireshark-0.99.6rel/epan/dissectors/packet-rpl.c 2008-03-24 02:14:16.000000000 +0100 +@@ -148,11 +148,16 @@ + reported_length = tvb_reported_length_remaining(tvb, offset); + if (reported_length > sublen) + reported_length = sublen; ++ if ( length > 0) { + dissect_rpl_container(tvb_new_subset(tvb, + offset, length, reported_length), + pinfo, rpl_container_tree); +- +- offset += sublen; ++ offset += reported_length; ++ } else { ++ /* no more data, exit the loop */ ++ offset += reported_length; ++ break; ++ } + } + break; + only in patch2: unchanged: --- wireshark-0.99.6rel.orig/debian/patches/13_CVE-2007-6439.dpatch +++ wireshark-0.99.6rel/debian/patches/13_CVE-2007-6439.dpatch @@ -0,0 +1,152 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 13_CVE-2007-6439.dpatch by Emanuele Gentili +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-ipv6.c wireshark-0.99.6rel/epan/dissectors/packet-ipv6.c +--- wireshark-0.99.6rel~/epan/dissectors/packet-ipv6.c 2007-07-05 21:25:02.000000000 +0200 ++++ wireshark-0.99.6rel/epan/dissectors/packet-ipv6.c 2008-03-24 01:48:31.000000000 +0100 +@@ -61,6 +61,7 @@ + + static int proto_ipv6 = -1; + static int hf_ipv6_version = -1; ++static int hf_ip_version = -1; + static int hf_ipv6_class = -1; + static int hf_ipv6_flow = -1; + static int hf_ipv6_plen = -1; +@@ -136,6 +137,7 @@ + static int hf_ipv6_shim6_opt_fii = -1; + + static gint ett_ipv6 = -1; ++static gint ett_ipv6_version = -1; + static gint ett_ipv6_shim6 = -1; + static gint ett_ipv6_shim6_option = -1; + static gint ett_ipv6_shim6_locators = -1; +@@ -775,7 +777,7 @@ + } + + static void +-dissect_shim6_opt_loc_pref(proto_tree * opt_tree, tvbuff_t * tvb, gint *offset, gint len) ++dissect_shim6_opt_loc_pref(proto_tree * opt_tree, tvbuff_t * tvb, gint *offset, gint len, packet_info *pinfo) + { + proto_tree * subtree; + proto_item * it; +@@ -791,6 +793,15 @@ + + optlen = tvb_get_guint8(tvb, p); + proto_tree_add_item(opt_tree, hf_ipv6_shim6_opt_elemlen, tvb, p, 1, FALSE); ++ ++ if (optlen < 1 || optlen > 3) { ++ it = proto_tree_add_text(opt_tree, tvb, p, 1, ++ "Invalid element length: %u", optlen); ++ expert_add_info_format(pinfo, it, PI_MALFORMED, PI_ERROR, ++ "Invalid element length: %u", optlen); ++ return; ++ } ++ + p++; + + /* Locator Preferences */ +@@ -823,7 +834,7 @@ + + + static int +-dissect_shimopts(tvbuff_t *tvb, int offset, proto_tree *tree) ++dissect_shimopts(tvbuff_t *tvb, int offset, proto_tree *tree, packet_info *pinfo) + { + int len, total_len; + gint p; +@@ -874,7 +885,7 @@ + dissect_shim6_opt_loclist(opt_tree, tvb, &p); + break; + case SHIM6_OPT_LOCPREF: +- dissect_shim6_opt_loc_pref(opt_tree, tvb, &p, offset+len+4); ++ dissect_shim6_opt_loc_pref(opt_tree, tvb, &p, offset+len+4, pinfo); + if (total_len-(len+4) > 0) + proto_tree_add_text(opt_tree, tvb, p, total_len-(len+4), "Padding"); + break; +@@ -1206,7 +1217,7 @@ + + /* Options */ + while (p < offset+len) { +- p += dissect_shimopts(tvb, p, shim_tree); ++ p += dissect_shimopts(tvb, p, shim_tree, pinfo); + } + } + } +@@ -1257,13 +1268,20 @@ + SET_ADDRESS(&pinfo->dst, AT_IPv6, 16, tvb_get_ptr(tvb, offset + IP6H_DST, 16)); + + if (tree) { ++ proto_tree* pt; ++ proto_item* pi; ++ + /* !!! specify length */ + ti = proto_tree_add_item(tree, proto_ipv6, tvb, offset, 40, FALSE); + ipv6_tree = proto_item_add_subtree(ti, ett_ipv6); + + /* !!! warning: version also contains 4 Bit priority */ +- proto_tree_add_item(ipv6_tree, hf_ipv6_version, tvb, ++ pi = proto_tree_add_item(ipv6_tree, hf_ipv6_version, tvb, ++ offset + offsetof(struct ip6_hdr, ip6_vfc), 1, FALSE); ++ pt = proto_item_add_subtree(pi,ett_ipv6_version); ++ pi = proto_tree_add_item(pt, hf_ip_version, tvb, + offset + offsetof(struct ip6_hdr, ip6_vfc), 1, FALSE); ++ PROTO_ITEM_SET_GENERATED(pi); + + proto_tree_add_item(ipv6_tree, hf_ipv6_class, tvb, + offset + offsetof(struct ip6_hdr, ip6_flow), 4, FALSE); +@@ -1504,6 +1522,10 @@ + { &hf_ipv6_version, + { "Version", "ipv6.version", + FT_UINT8, BASE_DEC, NULL, 0xF0, "", HFILL }}, ++ { &hf_ip_version, ++ { "This field makes the filter \"ip.version == 6\" possible", ++"ip.version", ++ FT_UINT8, BASE_DEC, NULL, 0xF0, "", HFILL }}, + { &hf_ipv6_class, + { "Traffic class", "ipv6.class", + FT_UINT32, BASE_HEX, NULL, 0x0FF00000, "", HFILL }}, +@@ -1827,6 +1849,7 @@ + }; + static gint *ett[] = { + &ett_ipv6, ++ &ett_ipv6_version, + &ett_ipv6_shim6, + &ett_ipv6_shim6_option, + &ett_ipv6_shim6_locators, +diff -urNad wireshark-0.99.6rel~/epan/dissectors/packet-usb.c wireshark-0.99.6rel/epan/dissectors/packet-usb.c +--- wireshark-0.99.6rel~/epan/dissectors/packet-usb.c 2007-07-05 21:24:58.000000000 +0200 ++++ wireshark-0.99.6rel/epan/dissectors/packet-usb.c 2008-03-24 01:53:52.000000000 +0100 +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include "packet-usb.h" + +@@ -506,6 +507,7 @@ + usb_trans_info->interface_info=se_alloc(sizeof(usb_conv_info_t)); + usb_trans_info->interface_info->interfaceClass=tvb_get_guint8(tvb, offset); + usb_trans_info->interface_info->transactions=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "usb transactions"); ++ usb_trans_info->interface_info->class_data=NULL; + } + offset++; + +@@ -652,6 +654,13 @@ + proto_tree_add_item(tree, hf_usb_bLength, tvb, offset, 1, TRUE); + bLength = tvb_get_guint8(tvb, offset); + offset++; ++ if (bLength < 3) { ++ item = proto_tree_add_text(parent_tree, tvb, offset - 1, 1, ++ "Invalid bLength: %u", bLength); ++ expert_add_info_format(pinfo, item, PI_MALFORMED, PI_ERROR, ++ "Invalid bLength: %u", bLength); ++ return offset; ++ } + + /* bDescriptorType */ + proto_tree_add_item(tree, hf_usb_bDescriptorType, tvb, offset, 1, TRUE);