rpms / wireshark

Clone
Source Code
GIT

Blame SOURCES/wireshark-1.10.14-CVE-2015-3810.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta
  1.   a65ffbd4662fa47a63754ccabbab5287fb9d14a7
  2.   SOURCES
  3.   wireshark-1.10.14-CVE-2015-3810.patch
Blob History Raw
dbc6ab 
diff --git a/epan/dissectors/packet-http.c b/epan/dissectors/packet-http.c
dbc6ab 
index 225a7eb..e3e81f7 100644
dbc6ab 
--- a/epan/dissectors/packet-http.c
dbc6ab 
+++ b/epan/dissectors/packet-http.c
dbc6ab 
@@ -2625,6 +2625,10 @@ dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
dbc6ab 
 	} else {
dbc6ab 
 		while (tvb_reported_length_remaining(tvb, offset) != 0) {
dbc6ab 
 			if (conv_data->upgrade == UPGRADE_WEBSOCKET && pinfo->fd->num >= conv_data->startframe) {
dbc6ab 
+				/* Websockets is a stream of data, preserve
dbc6ab 
+				 * desegmentation functionality. */
dbc6ab 
+				if (pinfo->can_desegment > 0)
dbc6ab 
+					pinfo->can_desegment++;
dbc6ab 
 				call_dissector_only(websocket_handle, tvb_new_subset_remaining(tvb, offset), pinfo, tree, NULL);
dbc6ab 
 				break;
dbc6ab 
 			}
dbc6ab 
diff --git a/epan/dissectors/packet-websocket.c b/epan/dissectors/packet-websocket.c
dbc6ab 
index e02825d..561e206 100644
dbc6ab 
--- a/epan/dissectors/packet-websocket.c
dbc6ab 
+++ b/epan/dissectors/packet-websocket.c
dbc6ab 
@@ -31,6 +31,7 @@
dbc6ab 
 #include <epan/expert.h>
dbc6ab 
 #include <epan/prefs.h>
dbc6ab
dbc6ab 
+#include "packet-tcp.h"
dbc6ab
dbc6ab 
 /*
dbc6ab 
  * The information used comes from:
dbc6ab 
@@ -152,7 +153,7 @@ tvb_unmasked(tvbuff_t *tvb, const guint offset, guint payload_length, const guin
dbc6ab 
 }
dbc6ab
dbc6ab 
 static int
dbc6ab 
-dissect_websocket_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *ws_tree, guint8 opcode, guint payload_length, guint8 mask, const guint8* masking_key)
dbc6ab 
+dissect_websocket_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *ws_tree, guint8 opcode, guint payload_length, gboolean mask, const guint8* masking_key)
dbc6ab 
 {
dbc6ab 
   guint offset = 0;
dbc6ab 
   proto_item *ti_unmask, *ti;
dbc6ab 
@@ -301,65 +302,35 @@ dissect_websocket_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, p
dbc6ab 
 }
dbc6ab
dbc6ab
dbc6ab 
-static int
dbc6ab 
-dissect_websocket(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
dbc6ab 
+static void
dbc6ab 
+dissect_websocket_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
dbc6ab 
 {
dbc6ab 
   proto_item *ti, *ti_len;
dbc6ab 
-  guint8 fin, opcode, mask;
dbc6ab 
-  guint length, short_length, payload_length, recurse_length;
dbc6ab 
-  guint payload_offset, mask_offset, recurse_offset;
dbc6ab 
+  guint8 fin, opcode;
dbc6ab 
+  gboolean mask;
dbc6ab 
+  guint short_length, payload_length;
dbc6ab 
+  guint payload_offset, mask_offset;
dbc6ab 
   proto_tree *ws_tree = NULL;
dbc6ab 
   const guint8 *masking_key = NULL;
dbc6ab 
   tvbuff_t *tvb_payload = NULL;
dbc6ab
dbc6ab 
-  length = tvb_length(tvb);
dbc6ab 
-  if(length<2){
dbc6ab 
-    pinfo->desegment_len = 2;
dbc6ab 
-    return 0;
dbc6ab 
-  }
dbc6ab 
-
dbc6ab 
   short_length = tvb_get_guint8(tvb, 1) & MASK_WS_PAYLOAD_LEN;
dbc6ab 
+  mask_offset = 2;
dbc6ab 
   if(short_length==126){
dbc6ab 
-    if(length < 2+2){
dbc6ab 
-      pinfo->desegment_len = 2+2;
dbc6ab 
-      return 0;
dbc6ab 
-    }
dbc6ab 
     payload_length = tvb_get_ntohs(tvb, 2);
dbc6ab 
-    mask_offset = 2+2;
dbc6ab 
-  }
dbc6ab 
-  else if(short_length==127){
dbc6ab 
-    if(length < 2+8){
dbc6ab 
-      pinfo->desegment_len = 2+8;
dbc6ab 
-      return 0;
dbc6ab 
-    }
dbc6ab 
-	/* warning C4244: '=' : conversion from 'guint64' to 'guint ', possible loss of data */
dbc6ab 
+    mask_offset += 2;
dbc6ab 
+  } else if (short_length==127) {
dbc6ab 
+    /* warning C4244: '=' : conversion from 'guint64' to 'guint ', possible loss of data */
dbc6ab 
     payload_length = (guint)tvb_get_ntoh64(tvb, 2);
dbc6ab 
-    mask_offset = 2+8;
dbc6ab 
-  }
dbc6ab 
-  else{
dbc6ab 
+    mask_offset += 8;
dbc6ab 
+  } else {
dbc6ab 
     payload_length = short_length;
dbc6ab 
-    mask_offset = 2;
dbc6ab 
   }
dbc6ab
dbc6ab 
   /* Mask */
dbc6ab 
-  mask = (tvb_get_guint8(tvb, 1) & MASK_WS_MASK) >> 4;
dbc6ab 
+  mask = (tvb_get_guint8(tvb, 1) & MASK_WS_MASK) != 0;
dbc6ab 
   payload_offset = mask_offset + (mask ? 4 : 0);
dbc6ab
dbc6ab 
-  if (payload_offset + payload_length < payload_length) {
dbc6ab 
-    /* Integer overflow, which means the packet contains a ridiculous
dbc6ab 
-     * payload length. Just take what we've got available.
dbc6ab 
-     * See bug https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8448 */
dbc6ab 
-    payload_length = tvb_reported_length_remaining(tvb, payload_offset);
dbc6ab 
-  }
dbc6ab 
-
dbc6ab 
-  if(length < payload_offset + payload_length){
dbc6ab 
-    /* XXXX Warning desegment_len is 32 bits */
dbc6ab 
-    pinfo->desegment_len = payload_offset + payload_length - length;
dbc6ab 
-    return 0;
dbc6ab 
-  }
dbc6ab 
-
dbc6ab 
-  /* We've got the entire message! */
dbc6ab 
-
dbc6ab 
   col_set_str(pinfo->cinfo, COL_PROTOCOL, "WebSocket");
dbc6ab 
   col_set_str(pinfo->cinfo, COL_INFO, "WebSocket");
dbc6ab
dbc6ab 
@@ -402,18 +373,49 @@ dissect_websocket(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *dat
dbc6ab
dbc6ab 
   tvb_payload = tvb_new_subset_remaining(tvb, payload_offset);
dbc6ab 
   dissect_websocket_payload(tvb_payload, pinfo, tree, ws_tree, opcode, payload_length, mask, masking_key);
dbc6ab 
+}
dbc6ab 
+
dbc6ab 
+static guint
dbc6ab 
+get_websocket_frame_length(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
dbc6ab 
+{
dbc6ab 
+  guint frame_length, payload_length;
dbc6ab 
+  gboolean mask;
dbc6ab 
+
dbc6ab 
+  frame_length = 2;                 /* flags, opcode and Payload length */
dbc6ab 
+  mask = tvb_get_guint8(tvb, offset + 1) & MASK_WS_MASK;
dbc6ab 
+
dbc6ab 
+  payload_length = tvb_get_guint8(tvb, offset + 1) & MASK_WS_PAYLOAD_LEN;
dbc6ab 
+  offset += 2; /* Skip flags, opcode and Payload length */
dbc6ab
dbc6ab 
-  /* Call this function recursively, to see if we have enough data to parse another websocket message */
dbc6ab 
+  /* Check for Extended Payload Length. */
dbc6ab 
+  if (payload_length == 126) {
dbc6ab 
+    if (tvb_reported_length_remaining(tvb, offset) < 2)
dbc6ab 
+      return 0; /* Need more data. */
dbc6ab
dbc6ab 
-  recurse_offset = payload_offset + payload_length;
dbc6ab 
-  if(length > recurse_offset){
dbc6ab 
-    recurse_length = dissect_websocket(tvb_new_subset_remaining(tvb, payload_offset+payload_length), pinfo, tree, data);
dbc6ab 
-    if(pinfo->desegment_len) pinfo->desegment_offset += recurse_offset;
dbc6ab 
-    return recurse_offset + recurse_length;
dbc6ab 
+    payload_length = tvb_get_ntohs(tvb, offset);
dbc6ab 
+    frame_length += 2;              /* Extended payload length */
dbc6ab 
+  } else if (payload_length == 127) {
dbc6ab 
+    if (tvb_reported_length_remaining(tvb, offset) < 8)
dbc6ab 
+      return 0; /* Need more data. */
dbc6ab 
+
dbc6ab 
+    payload_length = (guint)tvb_get_ntoh64(tvb, offset);
dbc6ab 
+    frame_length += 8;              /* Extended payload length */
dbc6ab 
   }
dbc6ab 
-  return recurse_offset;
dbc6ab 
+
dbc6ab 
+  if (mask)
dbc6ab 
+    frame_length += 4;              /* Masking-key */
dbc6ab 
+  frame_length += payload_length;   /* Payload data */
dbc6ab 
+  return frame_length;
dbc6ab 
 }
dbc6ab
dbc6ab 
+static int
dbc6ab 
+dissect_websocket(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
dbc6ab 
+{
dbc6ab 
+  /* Need at least two bytes for flags, opcode and Payload length. */
dbc6ab 
+  tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 2,
dbc6ab 
+                   get_websocket_frame_length, dissect_websocket_frame);
dbc6ab 
+  return tvb_length(tvb);
dbc6ab 
+}
dbc6ab
dbc6ab 
 void
dbc6ab 
 proto_register_websocket(void)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation