pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/net/wireshark Add fix for infinite loop in SMTP dissec...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/bda48bc8627e
branches:  trunk
changeset: 550663:bda48bc8627e
user:      tron <tron%pkgsrc.org@localhost>
date:      Tue Nov 25 22:53:54 2008 +0000

description:
Add fix for infinite loop in SMTP dissector from Wireshark SVN repository.
This addresses the security vulnerability reported in SA32840.

diffstat:

 net/wireshark/Makefile         |    3 +-
 net/wireshark/distinfo         |    3 +-
 net/wireshark/patches/patch-ad |  341 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 345 insertions(+), 2 deletions(-)

diffs (truncated from 371 to 300 lines):

diff -r f7a71ab95685 -r bda48bc8627e net/wireshark/Makefile
--- a/net/wireshark/Makefile    Tue Nov 25 19:11:39 2008 +0000
+++ b/net/wireshark/Makefile    Tue Nov 25 22:53:54 2008 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.27 2008/10/22 06:50:23 tron Exp $
+# $NetBSD: Makefile,v 1.28 2008/11/25 22:53:54 tron Exp $
 
 DISTNAME=              wireshark-1.0.4
+PKGREVISION=           1
 CATEGORIES=            net
 MASTER_SITES=          http://www.wireshark.org/download/src/ \
                        ${MASTER_SITE_SOURCEFORGE:=wireshark/}
diff -r f7a71ab95685 -r bda48bc8627e net/wireshark/distinfo
--- a/net/wireshark/distinfo    Tue Nov 25 19:11:39 2008 +0000
+++ b/net/wireshark/distinfo    Tue Nov 25 22:53:54 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17 2008/10/26 14:06:52 tron Exp $
+$NetBSD: distinfo,v 1.18 2008/11/25 22:53:54 tron Exp $
 
 SHA1 (wireshark-1.0.4.tar.bz2) = 8e75a6d909a1da803db77f6f86fdd5096e5bbac8
 RMD160 (wireshark-1.0.4.tar.bz2) = 741b6618ba34b55079f15d5725a1e9a22a4fc351
@@ -6,3 +6,4 @@
 SHA1 (patch-aa) = c155f38e66a553b14778dc73344b46f8614eb9b0
 SHA1 (patch-ab) = 5ae79916603f04c2d362c764d39f0c99728e716c
 SHA1 (patch-ac) = 4e985520ea4b118aea6fc001f256b5de96de7840
+SHA1 (patch-ad) = e19775622ed6facc4ab05ebd09059f78444f6c43
diff -r f7a71ab95685 -r bda48bc8627e net/wireshark/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/wireshark/patches/patch-ad    Tue Nov 25 22:53:54 2008 +0000
@@ -0,0 +1,341 @@
+$NetBSD: patch-ad,v 1.1 2008/11/25 22:53:55 tron Exp $
+
+--- epan/dissectors/packet-smtp.c.orig 2008-10-20 20:19:31.000000000 +0100
++++ epan/dissectors/packet-smtp.c      2008-11-25 22:30:30.000000000 +0000
+@@ -101,10 +101,6 @@
+       "DATA fragments"
+ };
+ 
+-/* Define media_type/Content type table */
+-static dissector_table_t media_type_dissector_table;
+-
+-
+ static  dissector_handle_t imf_handle = NULL;
+ 
+ /*
+@@ -179,6 +175,7 @@
+     gint                    length_remaining;
+     gboolean                eom_seen = FALSE;
+     gint                    next_offset;
++    gint                    loffset;
+     gboolean                is_continuation_line;
+     int                     cmdlen;
+     fragment_data           *frag_msg = NULL;
+@@ -221,21 +218,6 @@
+      * longer than what's in the buffer, so the "tvb_get_ptr()" call
+      * won't throw an exception.
+      */
+-    linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
+-      smtp_desegment && pinfo->can_desegment);
+-    if (linelen == -1) {
+-      /*
+-       * We didn't find a line ending, and we're doing desegmentation;
+-       * tell the TCP dissector where the data for this message starts
+-       * in the data it handed us, and tell it we need one more byte
+-       * (we may need more, but we'll try again if what we get next
+-       * isn't enough), and return.
+-       */
+-      pinfo->desegment_offset = offset;
+-      pinfo->desegment_len = 1;
+-      return;
+-    }
+-    line = tvb_get_ptr(tvb, offset, linelen);
+ 
+     frame_data = p_get_proto_data(pinfo->fd, proto_smtp);
+ 
+@@ -271,6 +253,42 @@
+ 
+       }
+ 
++      if(request) {
++      frame_data = se_alloc(sizeof(struct smtp_proto_data));
++
++      frame_data->conversation_id = conversation->index;
++      frame_data->more_frags = TRUE;
++
++      p_add_proto_data(pinfo->fd, proto_smtp, frame_data);    
++
++      }
++
++    loffset = offset;
++    while (tvb_offset_exists(tvb, loffset)) {
++
++    linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset,
++      smtp_desegment && pinfo->can_desegment);
++    if (linelen == -1) {
++
++      if(offset == loffset) {
++      /*
++       * We didn't find a line ending, and we're doing desegmentation;
++       * tell the TCP dissector where the data for this message starts
++       * in the data it handed us, and tell it we need one more byte
++       * (we may need more, but we'll try again if what we get next
++       * isn't enough), and return.
++       */
++      pinfo->desegment_offset = loffset;
++      pinfo->desegment_len = 1;
++      return;
++      }
++      else {
++      linelen = tvb_length_remaining(tvb, loffset);
++      next_offset = loffset + linelen;
++      }
++    }
++    line = tvb_get_ptr(tvb, loffset, linelen);
++
+       /*
+        * Check whether or not this packet is an end of message packet
+        * We should look for CRLF.CRLF and they may be split.
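Review bot: The new `if(request)` block allocates `frame_data` with `se_alloc()` (which does not zero memory) and registers it with `p_add_proto_data()` before the line loop, so the need-more-data `return` inside the loop now leaves a registered record whose `pdu_type` was never assigned. In the old code that return came before the allocation. The same holds when `tvb_offset_exists(tvb, loffset)` is false on entry and the loop body never runs. `pdu_type` appears to be read later when the column and tree text are built, so I would either give it a defined value at allocation or move the `p_add_proto_data()` call to after the loop. The enclosing function begins and ends outside the hunk, so whether a later pass can actually reach the half-initialised record needs checking against the full file.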
+@@ -286,16 +304,16 @@
+        * .CRLF at the begining of the same packet.
+        */
+ 
+-      if ((request_val->crlf_seen && tvb_strneql(tvb, offset, ".\r\n", 3) == 0) ||
+-          tvb_strneql(tvb, offset, "\r\n.\r\n", 5) == 0) {
++      if ((request_val->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) ||
++          tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0) {
+ 
+         eom_seen = TRUE;
+ 
+-      }
++      } 
+ 
+-      length_remaining = tvb_length_remaining(tvb, offset);
+-      if (length_remaining == tvb_reported_length_remaining(tvb, offset) &&
+-          tvb_strneql(tvb, offset + length_remaining - 2, "\r\n", 2) == 0) {
++      length_remaining = tvb_length_remaining(tvb, loffset);
++      if (length_remaining == tvb_reported_length_remaining(tvb, loffset) &&
++          tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0) {
+ 
+         request_val->crlf_seen = TRUE;
+ 
+@@ -314,11 +332,6 @@
+ 
+       if (request) {
+ 
+-      frame_data = se_alloc(sizeof(struct smtp_proto_data));
+-
+-      frame_data->conversation_id = conversation->index;
+-      frame_data->more_frags = TRUE;
+-
+       if (request_val->reading_data) {
+         /*
+          * This is message data.
+@@ -333,6 +346,9 @@
+            */
+           frame_data->pdu_type = SMTP_PDU_EOM;
+           request_val->reading_data = FALSE;
++          
++          break;
++          
+         } else {
+           /*
+            * Message data with no EOM.
+@@ -344,7 +360,7 @@
+              * We are handling a BDAT message.
+              * Check if we have reached end of the data chunk.
+              */
+-            request_val->msg_read_len += tvb_length_remaining(tvb, offset);
++            request_val->msg_read_len += tvb_length_remaining(tvb, loffset);
+ 
+               if (request_val->msg_read_len == request_val->msg_tot_len) {
+               /* 
+@@ -360,6 +376,8 @@
+                  */
+                 frame_data->more_frags = FALSE;
+               }
++              
++              break; /* no need to go through the remaining lines */
+             }
+           }
+         }
+@@ -450,12 +468,15 @@
+           frame_data->pdu_type = request_val->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD;
+ 
+         }
+-
+       }
++      }
+ 
+-      p_add_proto_data(pinfo->fd, proto_smtp, frame_data);
++      /*
++       * Step past this line.
++       */
++      loffset = next_offset;
+ 
+-      }
++    }
+     }
+ 
+     /*
+@@ -467,6 +488,7 @@
+       col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
+ 
+     if (check_col(pinfo->cinfo, COL_INFO)) {  /* Add the appropriate type here */
++      col_clear(pinfo->cinfo, COL_INFO);
+ 
+       /*
+        * If it is a request, we have to look things up, otherwise, just
+@@ -481,21 +503,38 @@
+       case SMTP_PDU_MESSAGE:
+ 
+         length_remaining = tvb_length_remaining(tvb, offset);
+-        col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "DATA fragment" : "Message Body");
++        col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body");
+         col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining,
+                         plurality (length_remaining, "", "s"));
+         break;
+ 
+       case SMTP_PDU_EOM:
+ 
+-        col_add_fstr(pinfo->cinfo, COL_INFO, "EOM: %s",
+-            format_text(line, linelen));
++        col_set_str(pinfo->cinfo, COL_INFO, "C: .");
++
+         break;
+ 
+       case SMTP_PDU_CMD:
+ 
+-        col_add_fstr(pinfo->cinfo, COL_INFO, "Command: %s",
+-            format_text(line, linelen));
++        loffset = offset;
++        while (tvb_offset_exists(tvb, loffset)) {
++          /*
++           * Find the end of the line.
++           */
++          linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
++          line = tvb_get_ptr(tvb, loffset, linelen);
++
++          if(loffset == offset) 
++            col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s",
++                         format_text(line, linelen));
++          else {
++            col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
++                         format_text(line, linelen));
++          }
++
++          loffset = next_offset;
++
++        }
+         break;
+ 
+       }
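Review bot: The two `col_append_fstr()` branches in the new `SMTP_PDU_CMD` loop differ only in the prefix, and the `if` is unbraced while its `else` is braced; a single call reads more clearly: `col_append_fstr(pinfo->cinfo, COL_INFO, "%s%s", loffset == offset ? "C: " : " | ", format_text(line, linelen));`. The response branch in the `@@ -503,9 +542,24 @@` hunk repeats the same loop with `"S: "` and would take the same change. A short comment above the loop would also help, stating that `tvb_find_line_end()` is called with desegmentation off, so it returns the remaining length instead of -1 and always moves `next_offset` forward, which is why the loop terminates.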
+@@ -503,9 +542,24 @@
+       }
+       else {
+ 
+-      col_add_fstr(pinfo->cinfo, COL_INFO, "Response: %s",
+-          format_text(line, linelen));
++        loffset = offset;
++        while (tvb_offset_exists(tvb, loffset)) {
++          /*
++           * Find the end of the line.
++           */
++          linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
++          line = tvb_get_ptr(tvb, loffset, linelen);
++
++          if(loffset == offset) 
++            col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s",
++                         format_text(line, linelen));
++          else {
++            col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
++                         format_text(line, linelen));
++          }
+ 
++          loffset = next_offset;
++        }
+       }
+     }
+ 
+@@ -560,8 +614,7 @@
+          * DATA command this terminates before sending another
+          * request, but we should probably handle it.
+          */
+-        proto_tree_add_text(smtp_tree, tvb, offset, linelen,
+-            "EOM: %s", format_text(line, linelen));
++        proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .");
+ 
+         if(smtp_data_desegment) {
+ 
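Review bot: `proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .")` still pairs `offset` with `linelen`, but in the visible hunks `linelen` is now assigned only inside the `loffset` loops, so it describes whichever line was scanned last rather than the line at `offset`. For an EOM frame the column code no longer assigns it at all. If the first-pass block is skipped because `frame_data` already exists (the guard is outside the visible hunks, so this is inferred), the value could be unset when this call runs. I would recompute it just before the call, `linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);`, so the highlighted range always matches the packet being displayed. The enclosing switch starts and ends outside the hunk.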
+@@ -582,6 +635,15 @@
+          * previous command before sending another request, but we
+          * should probably handle it.
+          */
++
++        loffset = offset;
++      while (tvb_offset_exists(tvb, loffset)) {
++
++        /*
++         * Find the end of the line.
++         */


