diff options
| author | tron <tron@pkgsrc.org> | 2008-11-25 22:53:54 +0000 |
|---|---|---|
| committer | tron <tron@pkgsrc.org> | 2008-11-25 22:53:54 +0000 |
| commit | 764ea9d6a13894298e6eb7b7380c573fc8bbe53c (patch) | |
| tree | a697a341edec72fc17f8ee76f7c1bdeff7cf361b /net | |
| parent | f85556e344f87d31f09dd3ef26e237622e6b3f16 (diff) | |
| download | pkgsrc-764ea9d6a13894298e6eb7b7380c573fc8bbe53c.tar.gz | |
Add fix for infinite loop in SMTP dissector from Wireshark SVN repository.
This addresses the security vulnerability reported in SA32840.
Diffstat (limited to 'net')
| -rw-r--r-- | net/wireshark/Makefile | 3 | ||||
| -rw-r--r-- | net/wireshark/distinfo | 3 | ||||
| -rw-r--r-- | net/wireshark/patches/patch-ad | 341 |
3 files changed, 345 insertions, 2 deletions
diff --git a/net/wireshark/Makefile b/net/wireshark/Makefile index a71283f89a2..fec56e6da51 100644 --- a/net/wireshark/Makefile +++ b/net/wireshark/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.27 2008/10/22 06:50:23 tron Exp $ +# $NetBSD: Makefile,v 1.28 2008/11/25 22:53:54 tron Exp $ DISTNAME= wireshark-1.0.4 +PKGREVISION= 1 CATEGORIES= net MASTER_SITES= http://www.wireshark.org/download/src/ \ ${MASTER_SITE_SOURCEFORGE:=wireshark/} diff --git a/net/wireshark/distinfo b/net/wireshark/distinfo index b89f2410204..03b92ca619e 100644 --- a/net/wireshark/distinfo +++ b/net/wireshark/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.17 2008/10/26 14:06:52 tron Exp $ +$NetBSD: distinfo,v 1.18 2008/11/25 22:53:54 tron Exp $ SHA1 (wireshark-1.0.4.tar.bz2) = 8e75a6d909a1da803db77f6f86fdd5096e5bbac8 RMD160 (wireshark-1.0.4.tar.bz2) = 741b6618ba34b55079f15d5725a1e9a22a4fc351 @@ -6,3 +6,4 @@ Size (wireshark-1.0.4.tar.bz2) = 13126757 bytes SHA1 (patch-aa) = c155f38e66a553b14778dc73344b46f8614eb9b0 SHA1 (patch-ab) = 5ae79916603f04c2d362c764d39f0c99728e716c SHA1 (patch-ac) = 4e985520ea4b118aea6fc001f256b5de96de7840 +SHA1 (patch-ad) = e19775622ed6facc4ab05ebd09059f78444f6c43 diff --git a/net/wireshark/patches/patch-ad b/net/wireshark/patches/patch-ad new file mode 100644 index 00000000000..06c4150bbda --- /dev/null +++ b/net/wireshark/patches/patch-ad @@ -0,0 +1,341 @@ +$NetBSD: patch-ad,v 1.1 2008/11/25 22:53:55 tron Exp $ + +--- epan/dissectors/packet-smtp.c.orig 2008-10-20 20:19:31.000000000 +0100 ++++ epan/dissectors/packet-smtp.c 2008-11-25 22:30:30.000000000 +0000 +@@ -101,10 +101,6 @@ + "DATA fragments" + }; + +-/* Define media_type/Content type table */ +-static dissector_table_t media_type_dissector_table; +- +- + static dissector_handle_t imf_handle = NULL; + + /* +@@ -179,6 +175,7 @@ + gint length_remaining; + gboolean eom_seen = FALSE; + gint next_offset; ++ gint loffset; + gboolean is_continuation_line; + int cmdlen; + fragment_data *frag_msg = NULL; +@@ -221,21 +218,6 @@ + * longer than what's in the buffer, so the "tvb_get_ptr()" call + * won't throw an exception. + */ +- linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, +- smtp_desegment && pinfo->can_desegment); +- if (linelen == -1) { +- /* +- * We didn't find a line ending, and we're doing desegmentation; +- * tell the TCP dissector where the data for this message starts +- * in the data it handed us, and tell it we need one more byte +- * (we may need more, but we'll try again if what we get next +- * isn't enough), and return. +- */ +- pinfo->desegment_offset = offset; +- pinfo->desegment_len = 1; +- return; +- } +- line = tvb_get_ptr(tvb, offset, linelen); + + frame_data = p_get_proto_data(pinfo->fd, proto_smtp); + +@@ -271,6 +253,42 @@ + + } + ++ if(request) { ++ frame_data = se_alloc(sizeof(struct smtp_proto_data)); ++ ++ frame_data->conversation_id = conversation->index; ++ frame_data->more_frags = TRUE; ++ ++ p_add_proto_data(pinfo->fd, proto_smtp, frame_data); ++ ++ } ++ ++ loffset = offset; ++ while (tvb_offset_exists(tvb, loffset)) { ++ ++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, ++ smtp_desegment && pinfo->can_desegment); ++ if (linelen == -1) { ++ ++ if(offset == loffset) { ++ /* ++ * We didn't find a line ending, and we're doing desegmentation; ++ * tell the TCP dissector where the data for this message starts ++ * in the data it handed us, and tell it we need one more byte ++ * (we may need more, but we'll try again if what we get next ++ * isn't enough), and return. ++ */ ++ pinfo->desegment_offset = loffset; ++ pinfo->desegment_len = 1; ++ return; ++ } ++ else { ++ linelen = tvb_length_remaining(tvb, loffset); ++ next_offset = loffset + linelen; ++ } ++ } ++ line = tvb_get_ptr(tvb, loffset, linelen); ++ + /* + * Check whether or not this packet is an end of message packet + * We should look for CRLF.CRLF and they may be split. +@@ -286,16 +304,16 @@ + * .CRLF at the begining of the same packet. + */ + +- if ((request_val->crlf_seen && tvb_strneql(tvb, offset, ".\r\n", 3) == 0) || +- tvb_strneql(tvb, offset, "\r\n.\r\n", 5) == 0) { ++ if ((request_val->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) || ++ tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0) { + + eom_seen = TRUE; + +- } ++ } + +- length_remaining = tvb_length_remaining(tvb, offset); +- if (length_remaining == tvb_reported_length_remaining(tvb, offset) && +- tvb_strneql(tvb, offset + length_remaining - 2, "\r\n", 2) == 0) { ++ length_remaining = tvb_length_remaining(tvb, loffset); ++ if (length_remaining == tvb_reported_length_remaining(tvb, loffset) && ++ tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0) { + + request_val->crlf_seen = TRUE; + +@@ -314,11 +332,6 @@ + + if (request) { + +- frame_data = se_alloc(sizeof(struct smtp_proto_data)); +- +- frame_data->conversation_id = conversation->index; +- frame_data->more_frags = TRUE; +- + if (request_val->reading_data) { + /* + * This is message data. +@@ -333,6 +346,9 @@ + */ + frame_data->pdu_type = SMTP_PDU_EOM; + request_val->reading_data = FALSE; ++ ++ break; ++ + } else { + /* + * Message data with no EOM. +@@ -344,7 +360,7 @@ + * We are handling a BDAT message. + * Check if we have reached end of the data chunk. + */ +- request_val->msg_read_len += tvb_length_remaining(tvb, offset); ++ request_val->msg_read_len += tvb_length_remaining(tvb, loffset); + + if (request_val->msg_read_len == request_val->msg_tot_len) { + /* +@@ -360,6 +376,8 @@ + */ + frame_data->more_frags = FALSE; + } ++ ++ break; /* no need to go through the remaining lines */ + } + } + } +@@ -450,12 +468,15 @@ + frame_data->pdu_type = request_val->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD; + + } +- + } ++ } + +- p_add_proto_data(pinfo->fd, proto_smtp, frame_data); ++ /* ++ * Step past this line. ++ */ ++ loffset = next_offset; + +- } ++ } + } + + /* +@@ -467,6 +488,7 @@ + col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP"); + + if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */ ++ col_clear(pinfo->cinfo, COL_INFO); + + /* + * If it is a request, we have to look things up, otherwise, just +@@ -481,21 +503,38 @@ + case SMTP_PDU_MESSAGE: + + length_remaining = tvb_length_remaining(tvb, offset); +- col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "DATA fragment" : "Message Body"); ++ col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body"); + col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining, + plurality (length_remaining, "", "s")); + break; + + case SMTP_PDU_EOM: + +- col_add_fstr(pinfo->cinfo, COL_INFO, "EOM: %s", +- format_text(line, linelen)); ++ col_set_str(pinfo->cinfo, COL_INFO, "C: ."); ++ + break; + + case SMTP_PDU_CMD: + +- col_add_fstr(pinfo->cinfo, COL_INFO, "Command: %s", +- format_text(line, linelen)); ++ loffset = offset; ++ while (tvb_offset_exists(tvb, loffset)) { ++ /* ++ * Find the end of the line. ++ */ ++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); ++ line = tvb_get_ptr(tvb, loffset, linelen); ++ ++ if(loffset == offset) ++ col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s", ++ format_text(line, linelen)); ++ else { ++ col_append_fstr(pinfo->cinfo, COL_INFO, " | %s", ++ format_text(line, linelen)); ++ } ++ ++ loffset = next_offset; ++ ++ } + break; + + } +@@ -503,9 +542,24 @@ + } + else { + +- col_add_fstr(pinfo->cinfo, COL_INFO, "Response: %s", +- format_text(line, linelen)); ++ loffset = offset; ++ while (tvb_offset_exists(tvb, loffset)) { ++ /* ++ * Find the end of the line. ++ */ ++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); ++ line = tvb_get_ptr(tvb, loffset, linelen); ++ ++ if(loffset == offset) ++ col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s", ++ format_text(line, linelen)); ++ else { ++ col_append_fstr(pinfo->cinfo, COL_INFO, " | %s", ++ format_text(line, linelen)); ++ } + ++ loffset = next_offset; ++ } + } + } + +@@ -560,8 +614,7 @@ + * DATA command this terminates before sending another + * request, but we should probably handle it. + */ +- proto_tree_add_text(smtp_tree, tvb, offset, linelen, +- "EOM: %s", format_text(line, linelen)); ++ proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: ."); + + if(smtp_data_desegment) { + +@@ -582,6 +635,15 @@ + * previous command before sending another request, but we + * should probably handle it. + */ ++ ++ loffset = offset; ++ while (tvb_offset_exists(tvb, loffset)) { ++ ++ /* ++ * Find the end of the line. ++ */ ++ linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); ++ + if (linelen >= 4) + cmdlen = 4; + else +@@ -591,16 +653,16 @@ + /* + * Put the command line into the protocol tree. + */ +- ti = proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset, ++ ti = proto_tree_add_text(smtp_tree, tvb, loffset, next_offset - loffset, + "Command: %s", +- tvb_format_text(tvb, offset, next_offset - offset)); ++ tvb_format_text(tvb, loffset, next_offset - loffset)); + cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp); + + proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb, +- offset, cmdlen, FALSE); ++ loffset, cmdlen, FALSE); + if (linelen > 5) { + proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, +- offset + 5, linelen - 5, FALSE); ++ loffset + 5, linelen - 5, FALSE); + } + + if (smtp_data_desegment && !frame_data->more_frags) { +@@ -609,6 +671,13 @@ + frag_msg = fragment_end_seq_next (pinfo, frame_data->conversation_id, smtp_data_segment_table, + smtp_data_reassembled_table); + } ++ ++ /* ++ * Step past this line. ++ */ ++ loffset = next_offset; ++ ++ } + } + + if (smtp_data_desegment) { +@@ -693,8 +762,8 @@ + /* + * If it's not a continuation line, quit. + */ +- if (!is_continuation_line) +- break; ++ /* if (!is_continuation_line) ++ break; */ + + } + +@@ -775,7 +844,6 @@ + }; + module_t *smtp_module; + +- + proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol", + "SMTP", "smtp"); + +@@ -812,11 +880,6 @@ + dissector_add("tcp.port", TCP_PORT_SMTP, smtp_handle); + dissector_add("tcp.port", TCP_PORT_SUBMISSION, smtp_handle); + +- /* +- * Get the content type and Internet media type table +- */ +- media_type_dissector_table = find_dissector_table("media_type"); +- + /* find the IMF dissector */ + imf_handle = find_dissector("imf"); + |