summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorrtr <rtr>2008-11-26 07:47:06 +0000
committerrtr <rtr>2008-11-26 07:47:06 +0000
commit9a30d6b59882bf3d89048995205252ff8fbe3cdf (patch)
tree6859f6aa8e8225220d35fe1d2c8b13cf94ace617
parent9865111bb9b779840f6d4511c89216765e5f2ed3 (diff)
downloadpkgsrc-9a30d6b59882bf3d89048995205252ff8fbe3cdf.tar.gz
pullup ticket #2598 - requested by tron
wireshark: patch for security fixes revisions pulled up: pkgsrc/net/wireshark/Makefile 1.28 pkgsrc/net/wireshark/distinfo 1.18 pkgsrc/net/wireshark/patches/patch-ad 1.1 Module Name: pkgsrc Committed By: tron Date: Tue Nov 25 22:53:55 UTC 2008 Modified Files: pkgsrc/net/wireshark: Makefile distinfo Added Files: pkgsrc/net/wireshark/patches: patch-ad Log Message: Add fix for infinite loop in SMTP dissector from Wireshark SVN repository. This addresses the security vulnerability reported in SA32840.
-rw-r--r--net/wireshark/Makefile3
-rw-r--r--net/wireshark/distinfo4
-rw-r--r--net/wireshark/patches/patch-ad341
3 files changed, 346 insertions, 2 deletions
diff --git a/net/wireshark/Makefile b/net/wireshark/Makefile
index 646d0e1dfb7..fc67cf085a4 100644
--- a/net/wireshark/Makefile
+++ b/net/wireshark/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.26.4.1 2008/10/22 11:31:17 rtr Exp $
+# $NetBSD: Makefile,v 1.26.4.2 2008/11/26 07:47:06 rtr Exp $
DISTNAME= wireshark-1.0.4
+PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= http://www.wireshark.org/download/src/ \
${MASTER_SITE_SOURCEFORGE:=wireshark/}
diff --git a/net/wireshark/distinfo b/net/wireshark/distinfo
index 06ce4619237..b6a9431d37e 100644
--- a/net/wireshark/distinfo
+++ b/net/wireshark/distinfo
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.15.4.1 2008/10/22 11:31:17 rtr Exp $
+$NetBSD: distinfo,v 1.15.4.2 2008/11/26 07:47:06 rtr Exp $
SHA1 (wireshark-1.0.4.tar.bz2) = 8e75a6d909a1da803db77f6f86fdd5096e5bbac8
RMD160 (wireshark-1.0.4.tar.bz2) = 741b6618ba34b55079f15d5725a1e9a22a4fc351
Size (wireshark-1.0.4.tar.bz2) = 13126757 bytes
SHA1 (patch-aa) = c155f38e66a553b14778dc73344b46f8614eb9b0
SHA1 (patch-ab) = 5ae79916603f04c2d362c764d39f0c99728e716c
+SHA1 (patch-ac) = 4e985520ea4b118aea6fc001f256b5de96de7840
+SHA1 (patch-ad) = e19775622ed6facc4ab05ebd09059f78444f6c43
diff --git a/net/wireshark/patches/patch-ad b/net/wireshark/patches/patch-ad
new file mode 100644
index 00000000000..8aa16ed2428
--- /dev/null
+++ b/net/wireshark/patches/patch-ad
@@ -0,0 +1,341 @@
+$NetBSD: patch-ad,v 1.1.2.2 2008/11/26 07:47:06 rtr Exp $
+
+--- epan/dissectors/packet-smtp.c.orig 2008-10-20 20:19:31.000000000 +0100
++++ epan/dissectors/packet-smtp.c 2008-11-25 22:30:30.000000000 +0000
+@@ -101,10 +101,6 @@
+ "DATA fragments"
+ };
+
+-/* Define media_type/Content type table */
+-static dissector_table_t media_type_dissector_table;
+-
+-
+ static dissector_handle_t imf_handle = NULL;
+
+ /*
+@@ -179,6 +175,7 @@
+ gint length_remaining;
+ gboolean eom_seen = FALSE;
+ gint next_offset;
++ gint loffset;
+ gboolean is_continuation_line;
+ int cmdlen;
+ fragment_data *frag_msg = NULL;
+@@ -221,21 +218,6 @@
+ * longer than what's in the buffer, so the "tvb_get_ptr()" call
+ * won't throw an exception.
+ */
+- linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
+- smtp_desegment && pinfo->can_desegment);
+- if (linelen == -1) {
+- /*
+- * We didn't find a line ending, and we're doing desegmentation;
+- * tell the TCP dissector where the data for this message starts
+- * in the data it handed us, and tell it we need one more byte
+- * (we may need more, but we'll try again if what we get next
+- * isn't enough), and return.
+- */
+- pinfo->desegment_offset = offset;
+- pinfo->desegment_len = 1;
+- return;
+- }
+- line = tvb_get_ptr(tvb, offset, linelen);
+
+ frame_data = p_get_proto_data(pinfo->fd, proto_smtp);
+
+@@ -271,6 +253,42 @@
+
+ }
+
++ if(request) {
++ frame_data = se_alloc(sizeof(struct smtp_proto_data));
++
++ frame_data->conversation_id = conversation->index;
++ frame_data->more_frags = TRUE;
++
++ p_add_proto_data(pinfo->fd, proto_smtp, frame_data);
++
++ }
++
++ loffset = offset;
++ while (tvb_offset_exists(tvb, loffset)) {
++
++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset,
++ smtp_desegment && pinfo->can_desegment);
++ if (linelen == -1) {
++
++ if(offset == loffset) {
++ /*
++ * We didn't find a line ending, and we're doing desegmentation;
++ * tell the TCP dissector where the data for this message starts
++ * in the data it handed us, and tell it we need one more byte
++ * (we may need more, but we'll try again if what we get next
++ * isn't enough), and return.
++ */
++ pinfo->desegment_offset = loffset;
++ pinfo->desegment_len = 1;
++ return;
++ }
++ else {
++ linelen = tvb_length_remaining(tvb, loffset);
++ next_offset = loffset + linelen;
++ }
++ }
++ line = tvb_get_ptr(tvb, loffset, linelen);
++
+ /*
+ * Check whether or not this packet is an end of message packet
+ * We should look for CRLF.CRLF and they may be split.
+@@ -286,16 +304,16 @@
+ * .CRLF at the begining of the same packet.
+ */
+
+- if ((request_val->crlf_seen && tvb_strneql(tvb, offset, ".\r\n", 3) == 0) ||
+- tvb_strneql(tvb, offset, "\r\n.\r\n", 5) == 0) {
++ if ((request_val->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) ||
++ tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0) {
+
+ eom_seen = TRUE;
+
+- }
++ }
+
+- length_remaining = tvb_length_remaining(tvb, offset);
+- if (length_remaining == tvb_reported_length_remaining(tvb, offset) &&
+- tvb_strneql(tvb, offset + length_remaining - 2, "\r\n", 2) == 0) {
++ length_remaining = tvb_length_remaining(tvb, loffset);
++ if (length_remaining == tvb_reported_length_remaining(tvb, loffset) &&
++ tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0) {
+
+ request_val->crlf_seen = TRUE;
+
+@@ -314,11 +332,6 @@
+
+ if (request) {
+
+- frame_data = se_alloc(sizeof(struct smtp_proto_data));
+-
+- frame_data->conversation_id = conversation->index;
+- frame_data->more_frags = TRUE;
+-
+ if (request_val->reading_data) {
+ /*
+ * This is message data.
+@@ -333,6 +346,9 @@
+ */
+ frame_data->pdu_type = SMTP_PDU_EOM;
+ request_val->reading_data = FALSE;
++
++ break;
++
+ } else {
+ /*
+ * Message data with no EOM.
+@@ -344,7 +360,7 @@
+ * We are handling a BDAT message.
+ * Check if we have reached end of the data chunk.
+ */
+- request_val->msg_read_len += tvb_length_remaining(tvb, offset);
++ request_val->msg_read_len += tvb_length_remaining(tvb, loffset);
+
+ if (request_val->msg_read_len == request_val->msg_tot_len) {
+ /*
+@@ -360,6 +376,8 @@
+ */
+ frame_data->more_frags = FALSE;
+ }
++
++ break; /* no need to go through the remaining lines */
+ }
+ }
+ }
+@@ -450,12 +468,15 @@
+ frame_data->pdu_type = request_val->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD;
+
+ }
+-
+ }
++ }
+
+- p_add_proto_data(pinfo->fd, proto_smtp, frame_data);
++ /*
++ * Step past this line.
++ */
++ loffset = next_offset;
+
+- }
++ }
+ }
+
+ /*
+@@ -467,6 +488,7 @@
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
+
+ if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */
++ col_clear(pinfo->cinfo, COL_INFO);
+
+ /*
+ * If it is a request, we have to look things up, otherwise, just
+@@ -481,21 +503,38 @@
+ case SMTP_PDU_MESSAGE:
+
+ length_remaining = tvb_length_remaining(tvb, offset);
+- col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "DATA fragment" : "Message Body");
++ col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body");
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining,
+ plurality (length_remaining, "", "s"));
+ break;
+
+ case SMTP_PDU_EOM:
+
+- col_add_fstr(pinfo->cinfo, COL_INFO, "EOM: %s",
+- format_text(line, linelen));
++ col_set_str(pinfo->cinfo, COL_INFO, "C: .");
++
+ break;
+
+ case SMTP_PDU_CMD:
+
+- col_add_fstr(pinfo->cinfo, COL_INFO, "Command: %s",
+- format_text(line, linelen));
++ loffset = offset;
++ while (tvb_offset_exists(tvb, loffset)) {
++ /*
++ * Find the end of the line.
++ */
++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
++ line = tvb_get_ptr(tvb, loffset, linelen);
++
++ if(loffset == offset)
++ col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s",
++ format_text(line, linelen));
++ else {
++ col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
++ format_text(line, linelen));
++ }
++
++ loffset = next_offset;
++
++ }
+ break;
+
+ }
+@@ -503,9 +542,24 @@
+ }
+ else {
+
+- col_add_fstr(pinfo->cinfo, COL_INFO, "Response: %s",
+- format_text(line, linelen));
++ loffset = offset;
++ while (tvb_offset_exists(tvb, loffset)) {
++ /*
++ * Find the end of the line.
++ */
++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
++ line = tvb_get_ptr(tvb, loffset, linelen);
++
++ if(loffset == offset)
++ col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s",
++ format_text(line, linelen));
++ else {
++ col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
++ format_text(line, linelen));
++ }
+
++ loffset = next_offset;
++ }
+ }
+ }
+
+@@ -560,8 +614,7 @@
+ * DATA command this terminates before sending another
+ * request, but we should probably handle it.
+ */
+- proto_tree_add_text(smtp_tree, tvb, offset, linelen,
+- "EOM: %s", format_text(line, linelen));
++ proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .");
+
+ if(smtp_data_desegment) {
+
+@@ -582,6 +635,15 @@
+ * previous command before sending another request, but we
+ * should probably handle it.
+ */
++
++ loffset = offset;
++ while (tvb_offset_exists(tvb, loffset)) {
++
++ /*
++ * Find the end of the line.
++ */
++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
++
+ if (linelen >= 4)
+ cmdlen = 4;
+ else
+@@ -591,16 +653,16 @@
+ /*
+ * Put the command line into the protocol tree.
+ */
+- ti = proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset,
++ ti = proto_tree_add_text(smtp_tree, tvb, loffset, next_offset - loffset,
+ "Command: %s",
+- tvb_format_text(tvb, offset, next_offset - offset));
++ tvb_format_text(tvb, loffset, next_offset - loffset));
+ cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
+
+ proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb,
+- offset, cmdlen, FALSE);
++ loffset, cmdlen, FALSE);
+ if (linelen > 5) {
+ proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
+- offset + 5, linelen - 5, FALSE);
++ loffset + 5, linelen - 5, FALSE);
+ }
+
+ if (smtp_data_desegment && !frame_data->more_frags) {
+@@ -609,6 +671,13 @@
+ frag_msg = fragment_end_seq_next (pinfo, frame_data->conversation_id, smtp_data_segment_table,
+ smtp_data_reassembled_table);
+ }
++
++ /*
++ * Step past this line.
++ */
++ loffset = next_offset;
++
++ }
+ }
+
+ if (smtp_data_desegment) {
+@@ -693,8 +762,8 @@
+ /*
+ * If it's not a continuation line, quit.
+ */
+- if (!is_continuation_line)
+- break;
++ /* if (!is_continuation_line)
++ break; */
+
+ }
+
+@@ -775,7 +844,6 @@
+ };
+ module_t *smtp_module;
+
+-
+ proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol",
+ "SMTP", "smtp");
+
+@@ -812,11 +880,6 @@
+ dissector_add("tcp.port", TCP_PORT_SMTP, smtp_handle);
+ dissector_add("tcp.port", TCP_PORT_SUBMISSION, smtp_handle);
+
+- /*
+- * Get the content type and Internet media type table
+- */
+- media_type_dissector_table = find_dissector_table("media_type");
+-
+ /* find the IMF dissector */
+ imf_handle = find_dissector("imf");
+