Hi, I have prepared an update for wireshark in Wheezy.
Please see the attached diff against the previous version. I have submitted a practically identical changeset to the Security Team for acceptance as an update to Jessie's version. Changes:
wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u2) wheezy-security; urgency=high
.
* security fixes from Wireshark 1.12.12:
- The SPOOLS dissector could go into an infinite loop Discovered by the CESG (CVE-2016-5350)
- The IEEE 802.11 dissector could crash (CVE-2016-5351)
- The UMTS FP dissector could crash (CVE-2016-5353)
- Some USB dissectors could crash. Discovered by Mateusz Jurczyk (CVE-2016-5354)
- The Toshiba file parser could crash. Discovered by iDefense Labs (CVE-2016-5355)
- The CoSine file parser could crash. Discovered by iDefense Labs (CVE-2016-5356)
- The NetScreen file parser could crash. Discovered by iDefense Labs (CVE-2016-5357)
- The WBXML dissector could go into an infinite loop. Discovered by Chris Benedict, Aurelien Delaitre, NIST SAMATE Project (CVE-2016-5359)
* Fix patch for CVE-2015-8724 released in 1.12.1+g01b65bf-4+deb8u4 to not return error code from a function returning void
The binary packages for amd64 are also available for testing here: https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/
Cheers, Balint
diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog 2016-05-29 00:19:41.000000000 +0200
+++ wireshark-1.12.1+g01b65bf/debian/changelog 2016-06-26 20:37:15.000000000 +0200
@@ -1,3 +1,26 @@
+wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u2) wheezy-security; urgency=high
+
+ * security fixes from Wireshark 1.12.12:
+ - The SPOOLS dissector could go into an infinite loop
+ Discovered by the CESG (CVE-2016-5350)
+ - The IEEE 802.11 dissector could crash (CVE-2016-5351)
+ - The UMTS FP dissector could crash (CVE-2016-5353)
+ - Some USB dissectors could crash. Discovered by Mateusz Jurczyk
+ (CVE-2016-5354)
+ - The Toshiba file parser could crash. Discovered by iDefense Labs
+ (CVE-2016-5355)
+ - The CoSine file parser could crash. Discovered by iDefense Labs
+ (CVE-2016-5356)
+ - The NetScreen file parser could crash. Discovered by iDefense Labs
+ (CVE-2016-5357)
+ - The WBXML dissector could go into an infinite loop.
+ Discovered by Chris Benedict, Aurelien Delaitre,
+ NIST SAMATE Project (CVE-2016-5359)
+ * Fix patch for CVE-2015-8724 released in 1.12.1+g01b65bf-4+deb8u4
+ to not return error code from a function returning void
+
+ -- Balint Reczey <bal...@balintreczey.hu> Sun, 26 Jun 2016 20:35:36 +0200
+
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u1) wheezy-security; urgency=high
 * Backport to wheezy-security
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/105_1.12.12_Toshiba_Fix-packet-length-handling.patch wireshark-1.12.1+g01b65bf/debian/patches/105_1.12.12_Toshiba_Fix-packet-length-handling.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/105_1.12.12_Toshiba_Fix-packet-length-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/105_1.12.12_Toshiba_Fix-packet-length-handling.patch 2016-06-26 20:34:08.000000000 +0200
@@ -0,0 +1,89 @@
+From 1a8ed46c02e2aad04b30ccaf916b4ad553e28467 Mon Sep 17 00:00:00 2001
+From: Guy Harris <g...@alum.mit.edu>
+Date: Fri, 29 Apr 2016 15:19:49 -0700
+Subject: [PATCH 105/117] Fix packet length handling.
+
+Treat the packet length as unsigned - it shouldn't be negative in the
+file. If it is, that'll probably cause the sscanf to fail, so we'll
+report the file as bad.
+
+Check it against WTAP_MAX_PACKET_SIZE to make sure we don't try to
+allocate a huge amount of memory, just as we do in other file readers.
+
+Use the now-validated packet size as the length in
+ws_buffer_assure_space(), so we are certain to have enough space, and
+don't allocate too much space.
+
+Bug: 12394
+Change-Id: If0b79376fc6fe2f49c7b7d7796dee7b7683485cb
+Reviewed-on: https://code.wireshark.org/review/15171
+Reviewed-by: Guy Harris <g...@alum.mit.edu>
+(cherry picked from commit 303680c3eae0263854c80845a660a1784d731533)
+Reviewed-on: https://code.wireshark.org/review/16111
+Reviewed-by: Balint Reczey <bal...@balintreczey.hu>
+---
+ wiretap/toshiba.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/wiretap/toshiba.c b/wiretap/toshiba.c
+index 0492514..892a31e 100644
+--- a/wiretap/toshiba.c
++++ b/wiretap/toshiba.c
+@@ -100,11 +100,6 @@ static const char toshiba_hdr_magic[] =
+ static const char toshiba_rec_magic[] = { '[', 'N', 'o', '.' };
+ #define TOSHIBA_REC_MAGIC_SIZE (sizeof toshiba_rec_magic / sizeof toshiba_rec_magic[0])
+
+-/*
+- * XXX - is this the biggest packet we can get?
+- */
+-#define TOSHIBA_MAX_PACKET_LEN 16384
+-
+ static gboolean toshiba_read(wtap *wth, int *err, gchar **err_info,
+ gint64 *data_offset);
+ static gboolean toshiba_seek_read(wtap *wth, gint64 seek_off,
+@@ -255,7 +250,8 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+ union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
+ char line[TOSHIBA_LINE_LENGTH];
+ int num_items_scanned;
+- int pkt_len, pktnum, hr, min, sec, csec;
++ guint pkt_len;
++ int pktnum, hr, min, sec, csec;
+ char channel[10], direction[10];
+ int i, hex_lines;
+ guint8 *pd;
+@@ -307,12 +303,22 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+
+ } while (strcmp(line, "OFFSET 0001-0203") != 0);
+
+- num_items_scanned = sscanf(line+64, "LEN=%9d", &pkt_len);
++ num_items_scanned = sscanf(line+64, "LEN=%9u", &pkt_len);
+ if (num_items_scanned != 1) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("toshiba: OFFSET line doesn't have valid LEN item");
+ return FALSE;
+ }
++ if (pkt_len > WTAP_MAX_PACKET_SIZE) {
++ /*
++ * Probably a corrupt capture file; don't blow up trying
++ * to allocate space for an immensely-large packet.
++ */
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup_printf("toshiba: File has %u-byte packet, bigger than maximum of %u",
++ pkt_len, WTAP_MAX_PACKET_SIZE);
++ return FALSE;
++ }
+
+ phdr->rec_type = REC_TYPE_PACKET;
+ phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
+@@ -343,7 +349,7 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+ }
+
+ /* Make sure we have enough room for the packet */
+- buffer_assure_space(buf, TOSHIBA_MAX_PACKET_LEN);
++ buffer_assure_space(buf, pkt_len);
+ pd = buffer_start_ptr(buf);
+
+ /* Calculate the number of hex dump lines, each
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/106_1.12.12_Toshiba-2_Don-t-treat-the-packet-length-as-unsigned.patch wireshark-1.12.1+g01b65bf/debian/patches/106_1.12.12_Toshiba-2_Don-t-treat-the-packet-length-as-unsigned.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/106_1.12.12_Toshiba-2_Don-t-treat-the-packet-length-as-unsigned.patch 1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/106_1.12.12_Toshiba-2_Don-t-treat-the-packet-length-as-unsigned.patch 2016-06-26 20:34:08.000000000 +0200
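Review bot: `buffer_assure_space(buf, pkt_len)` now sizes the buffer to exactly the announced length, where the old TOSHIBA_MAX_PACKET_LEN left slack, and the hunk's last context line shows the hex dump being consumed line by line (`/* Calculate the number of hex dump lines, each`); the loop itself is outside the hunk, so it is worth confirming that the per-line parser stops at pkt_len rather than writing a full line when pkt_len is not a multiple of the line width, or else assuring space for the rounded-up line count. The WTAP_MAX_PACKET_SIZE check is the right place to pin that bound, since it is the only validation between the sscanf and the allocation. parse_toshiba_packet starts and ends outside the hunk.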
@@ -0,0 +1,64 @@
+From 5788a9fc9b9a43c2815f2d72f0a04830a92d496f Mon Sep 17 00:00:00 2001
+From: Guy Harris <g...@alum.mit.edu>
+Date: Sun, 1 May 2016 16:29:41 -0700
+Subject: [PATCH 106/117] Don't treat the packet length as unsigned.
+
+The scanf family of functions are as annoyingly bad at handling unsigned
+numbers as strtoul() is - both of them are perfectly willing to accept a
+value beginning with a negative sign as an unsigned value. When using
+strtoul(), you can compensate for this by explicitly checking for a '-'
+as the first character of the string, but you can't do that with
+sscanf().
+
+So revert to having pkt_len be signed, and scanning it with %d, but
+check for a negative value and fail if we see a negative value.
+
+Bug: 12394
+Change-Id: I4b19b95f2e1ffc96dac5c91bff6698c246f52007
+Reviewed-on: https://code.wireshark.org/review/15230
+Reviewed-by: Guy Harris <g...@alum.mit.edu>
+(cherry picked from commit 3270dfac43da861c714df76513456b46765ff47f)
+Reviewed-on: https://code.wireshark.org/review/15232
+(cherry picked from commit edbed5a120e878725ed3ba31484045ee7e817e58)
+Reviewed-on: https://code.wireshark.org/review/16112
+Reviewed-by: Balint Reczey <bal...@balintreczey.hu>
+---
+ wiretap/toshiba.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/wiretap/toshiba.c b/wiretap/toshiba.c
+index 892a31e..0e7f0a1 100644
+--- a/wiretap/toshiba.c
++++ b/wiretap/toshiba.c
+@@ -250,8 +250,7 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+ union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
+ char line[TOSHIBA_LINE_LENGTH];
+ int num_items_scanned;
+- guint pkt_len;
+- int pktnum, hr, min, sec, csec;
++ int pkt_len, pktnum, hr, min, sec, csec;
+ char channel[10], direction[10];
+ int i, hex_lines;
+ guint8 *pd;
+@@ -303,12 +302,17 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+
+ } while (strcmp(line, "OFFSET 0001-0203") != 0);
+
+- num_items_scanned = 
sscanf(line+64, "LEN=%9u", &pkt_len);
++ num_items_scanned = sscanf(line+64, "LEN=%9d", &pkt_len);
+ if (num_items_scanned != 1) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("toshiba: OFFSET line doesn't have valid LEN item");
+ return FALSE;
+ }
++ if (pkt_len < 0) {
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup("toshiba: packet header has a negative packet length");
++ return FALSE;
++ }
+ if (pkt_len > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/107_1.12.12_CoSine_Fix-packet-length-handling.patch wireshark-1.12.1+g01b65bf/debian/patches/107_1.12.12_CoSine_Fix-packet-length-handling.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/107_1.12.12_CoSine_Fix-packet-length-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/107_1.12.12_CoSine_Fix-packet-length-handling.patch 2016-06-26 20:34:08.000000000 +0200
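Review bot: With `pkt_len` back to `int`, the `g_strdup_printf("toshiba: File has %u-byte packet, bigger than maximum of %u", pkt_len, WTAP_MAX_PACKET_SIZE)` that follows the hunk's last context line (visible in patch 105 above) now formats a signed value with `%u`; the printed value is the same once the new `pkt_len < 0` check has run, but the specifier should follow the type, `%d` for `pkt_len`, which is also what `-Wformat-signedness` would flag. Patches 108 (cosine.c) and 110 (netscreen.c) make the same type change and leave the same `%u` in place. parse_toshiba_packet starts and ends outside the hunk.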
@@ -0,0 +1,208 @@
+From fb514c22fd797bd63042093b8cca8118b66dca3e Mon Sep 17 00:00:00 2001
+From: Guy Harris <g...@alum.mit.edu>
+Date: Fri, 29 Apr 2016 15:46:58 -0700
+Subject: [PATCH 107/117] Fix packet length handling.
+
+Treat the packet length as unsigned - it shouldn't be negative in the
+file. If it is, that'll probably cause the sscanf to fail, so we'll
+report the file as bad.
+
+Check it against WTAP_MAX_PACKET_SIZE to make sure we don't try to
+allocate a huge amount of memory, just as we do in other file readers.
+
+Use the now-validated packet size as the length in
+ws_buffer_assure_space(), so we are certain to have enough space, and
+don't allocate too much space.
+
+Merge the header and packet data parsing routines while we're at it.
+
+Bug: 12395
+Change-Id: I4bf4f62882cf046e3e4ceffe7ab2ff3b178cd612
+Reviewed-on: https://code.wireshark.org/review/15174
+Reviewed-by: Guy Harris <g...@alum.mit.edu>
+(cherry picked from commit f95b7960774e8d6e052edcb768cd030640c8e969)
+Reviewed-on: https://code.wireshark.org/review/16113
+Reviewed-by: Balint Reczey <bal...@balintreczey.hu>
+---
+ wiretap/cosine.c | 75 ++++++++++++++++++++++----------------------------------
+ 1 file changed, 29 insertions(+), 46 deletions(-)
+
+diff --git a/wiretap/cosine.c b/wiretap/cosine.c
+index 4b87d53..30517d5 100644
+--- a/wiretap/cosine.c
++++ b/wiretap/cosine.c
+@@ -160,8 +160,6 @@
+ #define COSINE_HEADER_LINES_TO_CHECK 200
+ #define COSINE_LINE_LENGTH 240
+
+-#define COSINE_MAX_PACKET_LEN 65536
+-
+ static gboolean empty_line(const gchar *line);
+ static gint64 cosine_seek_next_packet(wtap *wth, int *err, gchar **err_info,
+ char *hdr);
+@@ -170,10 +168,8 @@ static gboolean cosine_read(wtap *wth, int *err, gchar **err_info,
+ gint64 *data_offset);
+ static gboolean cosine_seek_read(wtap *wth, gint64 seek_off,
+ struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
+-static int parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
+- int *err, gchar 
**err_info);
+-static gboolean parse_cosine_hex_dump(FILE_T fh, struct wtap_pkthdr *phdr,
+- int pkt_len, Buffer* buf, int *err, gchar **err_info);
++static int parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer* buf,
++ char *line, int *err, gchar **err_info);
+ static int parse_single_hex_dump_line(char* rec, guint8 *buf,
+ guint byte_offset);
+
+@@ -290,7 +286,6 @@ static gboolean cosine_read(wtap *wth, int *err, gchar **err_info,
+ gint64 *data_offset)
+ {
+ gint64 offset;
+- int pkt_len;
+ char line[COSINE_LINE_LENGTH];
+
+ /* Find the next packet */
+@@ -299,14 +294,9 @@ static gboolean cosine_read(wtap *wth, int *err, gchar **err_info,
+ return FALSE;
+ *data_offset = offset;
+
+- /* Parse the header */
+- pkt_len = parse_cosine_rec_hdr(&wth->phdr, line, err, err_info);
+- if (pkt_len == -1)
+- return FALSE;
+-
+- /* Convert the ASCII hex dump to binary data */
+- return parse_cosine_hex_dump(wth->fh, &wth->phdr, pkt_len,
+- wth->frame_buffer, err, err_info);
++ /* Parse the header and convert the ASCII hex dump to binary data */
++ return parse_cosine_packet(wth->fh, &wth->phdr, wth->frame_buffer,
++ line, err, err_info);
+ }
+
+ /* Used to read packets in random-access fashion */
+@@ -314,7 +304,6 @@ static gboolean
+ cosine_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
+ Buffer *buf, int *err, gchar **err_info)
+ {
+- int pkt_len;
+ char line[COSINE_LINE_LENGTH];
+
+ if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
+@@ -328,13 +317,8 @@ cosine_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
+ return FALSE;
+ }
+
+- /* Parse the header */
+- pkt_len = parse_cosine_rec_hdr(phdr, line, err, err_info);
+- if (pkt_len == -1)
+- return FALSE;
+-
+- /* Convert the ASCII hex dump to binary data */
+- return parse_cosine_hex_dump(wth->random_fh, phdr, pkt_len, buf, err,
++ /* Parse the header and convert the ASCII hex dump to binary data */
++ return parse_cosine_packet(wth->random_fh, phdr, buf, line, 
err,
+ err_info);
+ }
+
+@@ -343,23 +327,26 @@ cosine_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
+ 2002-5-10,20:1:31.4: l2-tx (FR:3/7/1:1), Length:18, Pro:0, Off:0, Pri:0, RM:0, Err:0 [0x4000, 0x0]
+ 2) output to PE without date and time
+ l2-tx (FR:3/7/1:1), Length:18, Pro:0, Off:0, Pri:0, RM:0, Err:0 [0x4000, 0x0] */
+-static int
+-parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
+- int *err, gchar **err_info)
++static gboolean
++parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
++ char *line, int *err, gchar **err_info)
+ {
+ union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
+ int num_items_scanned;
+- int yy, mm, dd, hr, min, sec, csec, pkt_len;
++ int yy, mm, dd, hr, min, sec, csec;
++ guint pkt_len;
+ int pro, off, pri, rm, error;
+ guint code1, code2;
+ char if_name[COSINE_MAX_IF_NAME_LEN] = "", direction[6] = "";
+ struct tm tm;
++ guint8 *pd;
++ int i, hex_lines, n, caplen = 0;
+
+ if (sscanf(line, "%4d-%2d-%2d,%2d:%2d:%2d.%9d:",
+ &yy, &mm, &dd, &hr, &min, &sec, &csec) == 7) {
+ /* appears to be output to a control blade */
+ num_items_scanned = sscanf(line,
+- "%4d-%2d-%2d,%2d:%2d:%2d.%9d: %5s (%127[A-Za-z0-9/:]), Length:%9d, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
++ "%4d-%2d-%2d,%2d:%2d:%2d.%9d: %5s (%127[A-Za-z0-9/:]), Length:%9u, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
+ &yy, &mm, &dd, &hr, &min, &sec, &csec,
+ direction, if_name, &pkt_len,
+ &pro, &off, &pri, &rm, &error,
+@@ -368,12 +355,12 @@ parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
+ if (num_items_scanned != 17) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("cosine: purported control blade line doesn't have code values");
+- return -1;
++ return FALSE;
+ }
+ } else {
+ /* appears to be output to PE */
+ num_items_scanned = sscanf(line,
+- "%5s (%127[A-Za-z0-9/:]), Length:%9d, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
++ "%5s (%127[A-Za-z0-9/:]), 
Length:%9u, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
+ direction, if_name, &pkt_len,
+ &pro, &off, &pri, &rm, &error,
+ &code1, &code2);
+@@ -381,10 +368,20 @@ parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
+ if (num_items_scanned != 10) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("cosine: header line is neither control blade nor PE output");
+- return -1;
++ return FALSE;
+ }
+ yy = mm = dd = hr = min = sec = csec = 0;
+ }
++ if (pkt_len > WTAP_MAX_PACKET_SIZE) {
++ /*
++ * Probably a corrupt capture file; don't blow up trying
++ * to allocate space for an immensely-large packet.
++ */
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup_printf("cosine: File has %u-byte packet, bigger than maximum of %u",
++ pkt_len, WTAP_MAX_PACKET_SIZE);
++ return FALSE;
++ }
+
+ phdr->rec_type = REC_TYPE_PACKET;
+ phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
+@@ -433,21 +430,8 @@ parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
+ pseudo_header->cosine.rm = rm;
+ pseudo_header->cosine.err = error;
+
+- return pkt_len;
+-}
+-
+-/* Converts ASCII hex dump to binary data. Returns TRUE on success,
+- FALSE if any error is encountered. */
+-static gboolean
+-parse_cosine_hex_dump(FILE_T fh, struct wtap_pkthdr *phdr, int pkt_len,
+- Buffer* buf, int *err, gchar **err_info)
+-{
+- guint8 *pd;
+- gchar line[COSINE_LINE_LENGTH];
+- int i, hex_lines, n, caplen = 0;
+-
+ /* Make sure we have enough room for the packet */
+- buffer_assure_space(buf, COSINE_MAX_PACKET_LEN);
++ buffer_assure_space(buf, pkt_len);
+ pd = buffer_start_ptr(buf);
+
+ /* Calculate the number of hex dump lines, each
+@@ -476,7 +460,6 @@ parse_cosine_hex_dump(FILE_T fh, struct wtap_pkthdr *phdr, int pkt_len,
+ return TRUE;
+ }
+
+-
+ /* Take a string representing one line from a hex dump and converts
+ * the text to binary data. We place the bytes in the buffer at the
+ * specified offset.
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/108_1.12.12_CoSine-2_Don-t-treat-the-packet-length-as-unsigned.patch wireshark-1.12.1+g01b65bf/debian/patches/108_1.12.12_CoSine-2_Don-t-treat-the-packet-length-as-unsigned.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/108_1.12.12_CoSine-2_Don-t-treat-the-packet-length-as-unsigned.patch 1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/108_1.12.12_CoSine-2_Don-t-treat-the-packet-length-as-unsigned.patch 2016-06-26 20:34:08.000000000 +0200
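Review bot: The new forward declaration `static int parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer* buf, char *line, int *err, gchar **err_info);` gives a different return type from the definition, `static gboolean parse_cosine_packet(...)`; this compiles only because gboolean is an integer typedef, and the prototype should read `static gboolean` so the TRUE/FALSE contract is visible where callers look. The comment kept above the merged function still describes only the two header-line formats; a closing sentence such as `then reads the ASCII hex dump that follows into buf; returns FALSE with *err and *err_info set on any error.` would cover what parse_cosine_packet does now that parse_cosine_hex_dump is folded into it. The hex-dump loop itself lies between this patch's hunks and is not shown.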
@@ -0,0 +1,75 @@
+From ed57db580b07a2a2c9589dc08041660cc74da87a Mon Sep 17 00:00:00 2001
+From: Guy Harris <g...@alum.mit.edu>
+Date: Sun, 1 May 2016 16:22:40 -0700
+Subject: [PATCH 108/117] Don't treat the packet length as unsigned.
+
+The scanf family of functions are as annoyingly bad at handling unsigned
+numbers as strtoul() is - both of them are perfectly willing to accept a
+value beginning with a negative sign as an unsigned value. When using
+strtoul(), you can compensate for this by explicitly checking for a '-'
+as the first character of the string, but you can't do that with
+sscanf().
+
+So revert to having pkt_len be signed, and scanning it with %d, but
+check for a negative value and fail if we see a negative value.
+
+Bug: 12395
+Change-Id: I43b458a73b0934e9a5c2c89d34eac5a8f21a7455
+Reviewed-on: https://code.wireshark.org/review/15223
+Reviewed-by: Guy Harris <g...@alum.mit.edu>
+(cherry picked from commit a66628e425db725df1ac52a3c573a03357060ddd)
+Reviewed-on: https://code.wireshark.org/review/15225
+(cherry picked from commit 1635420a4a024ac500f650bee338e389279d0704)
+Reviewed-on: https://code.wireshark.org/review/16114
+Reviewed-by: Balint Reczey <bal...@balintreczey.hu>
+---
+ wiretap/cosine.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/wiretap/cosine.c b/wiretap/cosine.c
+index 30517d5..f722700 100644
+--- a/wiretap/cosine.c
++++ b/wiretap/cosine.c
+@@ -333,8 +333,7 @@ parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+ {
+ union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
+ int num_items_scanned;
+- int yy, mm, dd, hr, min, sec, csec;
+- guint pkt_len;
++ int yy, mm, dd, hr, min, sec, csec, pkt_len;
+ int pro, off, pri, rm, error;
+ guint code1, code2;
+ char if_name[COSINE_MAX_IF_NAME_LEN] = "", direction[6] = "";
+@@ -346,7 +345,7 @@ parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+ &yy, &mm, &dd, &hr, &min, &sec, &csec) == 7) {
+ /* appears to be 
output to a control blade */
+ num_items_scanned = sscanf(line,
+- "%4d-%2d-%2d,%2d:%2d:%2d.%9d: %5s (%127[A-Za-z0-9/:]), Length:%9u, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
++ "%4d-%2d-%2d,%2d:%2d:%2d.%9d: %5s (%127[A-Za-z0-9/:]), Length:%9d, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
+ &yy, &mm, &dd, &hr, &min, &sec, &csec,
+ direction, if_name, &pkt_len,
+ &pro, &off, &pri, &rm, &error,
+@@ -360,7 +359,7 @@ parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+ } else {
+ /* appears to be output to PE */
+ num_items_scanned = sscanf(line,
+- "%5s (%127[A-Za-z0-9/:]), Length:%9u, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
++ "%5s (%127[A-Za-z0-9/:]), Length:%9d, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
+ direction, if_name, &pkt_len,
+ &pro, &off, &pri, &rm, &error,
+ &code1, &code2);
+@@ -372,6 +371,11 @@ parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+ }
+ yy = mm = dd = hr = min = sec = csec = 0;
+ }
++ if (pkt_len < 0) {
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup("cosine: packet header has a negative packet length");
++ return FALSE;
++ }
+ if (pkt_len > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/109_1.12.12_NetScreen_Fix-packet-length-handling.patch wireshark-1.12.1+g01b65bf/debian/patches/109_1.12.12_NetScreen_Fix-packet-length-handling.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/109_1.12.12_NetScreen_Fix-packet-length-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/109_1.12.12_NetScreen_Fix-packet-length-handling.patch 2016-06-26 20:34:08.000000000 +0200
@@ -0,0 +1,226 @@
+From 5386607e78c9b190ca02a5038c8dccb269ca3ce4 Mon Sep 17 00:00:00 2001
+From: Guy Harris <g...@alum.mit.edu>
+Date: Fri, 29 Apr 2016 17:08:11 -0700
+Subject: [PATCH 109/117] Fix packet length handling.
+
+Treat the packet length as unsigned - it shouldn't be negative in the
+file. If it is, that'll probably cause the sscanf to fail, so we'll
+report the file as bad.
+
+Check it against WTAP_MAX_PACKET_SIZE to make sure we don't try to
+allocate a huge amount of memory, just as we do in other file readers.
+
+Use the now-validated packet size as the length in
+ws_buffer_assure_space(), so we are certain to have enough space, and
+don't allocate too much space.
+
+Merge the header and packet data parsing routines while we're at it.
+
+Bug: 12396
+Change-Id: I78ff4e5a429db5d1cf678abd9ac4db4210c92d6b
+Reviewed-on: https://code.wireshark.org/review/15178
+Reviewed-by: Guy Harris <g...@alum.mit.edu>
+(cherry picked from commit 7ffa6593529551cd38297a60bc9bc58bdd1d5837)
+Reviewed-on: https://code.wireshark.org/review/16115
+Reviewed-by: Balint Reczey <bal...@balintreczey.hu>
+---
+ wiretap/netscreen.c | 101 +++++++++++++++++++++-------------------------------
+ wiretap/netscreen.h | 3 --
+ 2 files changed, 40 insertions(+), 64 deletions(-)
+
+diff --git a/wiretap/netscreen.c b/wiretap/netscreen.c
+index 42918b1..d1f168e 100644
+--- a/wiretap/netscreen.c
++++ b/wiretap/netscreen.c
+@@ -72,12 +72,8 @@ static gboolean netscreen_read(wtap *wth, int *err, gchar **err_info,
+ static gboolean netscreen_seek_read(wtap *wth, gint64 seek_off,
+ struct wtap_pkthdr *phdr, Buffer *buf,
+ int *err, gchar **err_info);
+-static int parse_netscreen_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
+- char *cap_int, gboolean *cap_dir, char *cap_dst,
+- int *err, gchar **err_info);
+-static gboolean parse_netscreen_hex_dump(FILE_T fh, int pkt_len,
+- const char *cap_int, const char *cap_dst, struct wtap_pkthdr *phdr,
+- Buffer* buf, int *err, gchar **err_info);
++static 
gboolean parse_netscreen_packet(FILE_T fh, struct wtap_pkthdr *phdr,
++ Buffer* buf, char *line, int *err, gchar **err_info);
+ static int parse_single_hex_dump_line(char* rec, guint8 *buf,
+ guint byte_offset);
+
+@@ -194,27 +190,16 @@ static gboolean netscreen_read(wtap *wth, int *err, gchar **err_info,
+ gint64 *data_offset)
+ {
+ gint64 offset;
+- int pkt_len;
+ char line[NETSCREEN_LINE_LENGTH];
+- char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH];
+- gboolean cap_dir;
+- char cap_dst[13];
+
+ /* Find the next packet */
+ offset = netscreen_seek_next_packet(wth, err, err_info, line);
+ if (offset < 0)
+ return FALSE;
+
+- /* Parse the header */
+- pkt_len = parse_netscreen_rec_hdr(&wth->phdr, line, cap_int, &cap_dir,
+- cap_dst, err, err_info);
+- if (pkt_len == -1)
+- return FALSE;
+-
+- /* Convert the ASCII hex dump to binary data, and fill in some
+- struct wtap_pkthdr fields */
+- if (!parse_netscreen_hex_dump(wth->fh, pkt_len, cap_int,
+- cap_dst, &wth->phdr, wth->frame_buffer, err, err_info))
++ /* Parse the header and convert the ASCII hex dump to binary data */
++ if (!parse_netscreen_packet(wth->fh, &wth->phdr,
++ wth->frame_buffer, line, err, err_info))
+ return FALSE;
+
+ /*
+@@ -242,11 +227,7 @@ netscreen_seek_read(wtap *wth, gint64 seek_off,
+ struct wtap_pkthdr *phdr, Buffer *buf,
+ int *err, gchar **err_info)
+ {
+- int pkt_len;
+ char line[NETSCREEN_LINE_LENGTH];
+- char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH];
+- gboolean cap_dir;
+- char cap_dst[13];
+
+ if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) {
+ return FALSE;
+@@ -260,15 +241,8 @@ netscreen_seek_read(wtap *wth, gint64 seek_off,
+ return FALSE;
+ }
+
+- pkt_len = parse_netscreen_rec_hdr(phdr, line, cap_int, &cap_dir,
+- cap_dst, err, err_info);
+- if (pkt_len == -1)
+- return FALSE;
+-
+- if (!parse_netscreen_hex_dump(wth->random_fh, pkt_len, cap_int,
+- cap_dst, phdr, buf, err, err_info))
+- return FALSE;
+- return TRUE;
++ return parse_netscreen_packet(wth->random_fh, phdr, 
buf, line,
++ err, err_info);
+ }
+
+ /* Parses a packet record header. There are a few possible formats:
+@@ -288,49 +262,54 @@ netscreen_seek_read(wtap *wth, gint64 seek_off,
+
+
+ */
+-static int
+-parse_netscreen_rec_hdr(struct wtap_pkthdr *phdr, const char *line, char *cap_int,
+- gboolean *cap_dir, char *cap_dst, int *err, gchar **err_info)
++static gboolean
++parse_netscreen_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer* buf,
++ char *line, int *err, gchar **err_info)
+ {
+- int sec;
+- int dsec, pkt_len;
+- char direction[2];
+- char cap_src[13];
++ int sec;
++ int dsec;
++ char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH];
++ char direction[2];
++ guint pkt_len;
++ char cap_src[13];
++ char cap_dst[13];
++ guint8 *pd;
++ gchar *p;
++ int n, i = 0;
++ guint offset = 0;
++ gchar dststr[13];
+
+ phdr->rec_type = REC_TYPE_PACKET;
+ phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
+
+- if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9d:%12s->%12s/",
++ if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9u:%12s->%12s/",
+ &sec, &dsec, cap_int, direction, &pkt_len, cap_src, cap_dst) < 5) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("netscreen: Can't parse packet-header");
+ return -1;
+ }
++ if (pkt_len > WTAP_MAX_PACKET_SIZE) {
++ /*
++ * Probably a corrupt capture file; don't blow up trying
++ * to allocate space for an immensely-large packet.
++ */
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup_printf("netscreen: File has %u-byte packet, bigger than maximum of %u",
++ pkt_len, WTAP_MAX_PACKET_SIZE);
++ return FALSE;
++ }
+
+- *cap_dir = (direction[0] == 'o' ? NETSCREEN_EGRESS : NETSCREEN_INGRESS);
++ /*
++ * If direction[0] is 'o', the direction is NETSCREEN_EGRESS,
++ * otherwise it's NETSCREEN_INGRESS.
++ */
+
+ phdr->ts.secs = sec;
+ phdr->ts.nsecs = dsec * 100000000;
+ phdr->len = pkt_len;
+
+- return pkt_len;
+-}
+-
+-/* Converts ASCII hex dump to binary data, and fills in some struct
+- wtap_pkthdr fields. 
Returns TRUE on success and FALSE on any error. */
+-static gboolean
+-parse_netscreen_hex_dump(FILE_T fh, int pkt_len, const char *cap_int,
+- const char *cap_dst, struct wtap_pkthdr *phdr, Buffer* buf,
+- int *err, gchar **err_info)
+-{
+- guint8 *pd;
+- gchar line[NETSCREEN_LINE_LENGTH];
+- gchar *p;
+- int n, i = 0, offset = 0;
+- gchar dststr[13];
+-
+ /* Make sure we have enough room for the packet */
+- buffer_assure_space(buf, NETSCREEN_MAX_PACKET_LEN);
++ buffer_assure_space(buf, pkt_len);
+ pd = buffer_start_ptr(buf);
+
+ while(1) {
+@@ -376,7 +355,7 @@ parse_netscreen_hex_dump(FILE_T fh, int pkt_len, const char *cap_int,
+ /* If there is no more data and the line was not empty,
+ * then there must be an error in the file
+ */
+- if(n == -1) {
++ if (n == -1) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("netscreen: cannot parse hex-data");
+ return FALSE;
+@@ -388,7 +367,7 @@ parse_netscreen_hex_dump(FILE_T fh, int pkt_len, const char *cap_int,
+ /* If there was more hex-data than was announced in the len=x
+ * header, then then there must be an error in the file
+ */
+- if(offset > pkt_len) {
++ if (offset > pkt_len) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("netscreen: too much hex-data");
+ return FALSE;
+diff --git a/wiretap/netscreen.h b/wiretap/netscreen.h
+index 78dbc24..4f70f0c 100644
+--- a/wiretap/netscreen.h
++++ b/wiretap/netscreen.h
+@@ -46,9 +46,6 @@
+ #define NETSCREEN_INGRESS FALSE
+ #define NETSCREEN_EGRESS TRUE
+
+-
+-#define NETSCREEN_MAX_PACKET_LEN 65536
+-
+ int netscreen_open(wtap *wth, int *err, gchar **err_info);
+
+ #endif
+-- 
+2.1.4
+
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/110_1.12.12_NetScree_Don-t-treat-the-packet-length-as-unsigned.patch wireshark-1.12.1+g01b65bf/debian/patches/110_1.12.12_NetScree_Don-t-treat-the-packet-length-as-unsigned.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/110_1.12.12_NetScree_Don-t-treat-the-packet-length-as-unsigned.patch 1970-01-01 01:00:00.000000000 +0100
+++ 
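Review bot: The header-parse failure path in parse_netscreen_packet still ends in `return -1;` (the context line right after the new `%9u` sscanf), but the function now returns gboolean; since gboolean is an integer typedef, -1 is non-zero, so netscreen_read's `if (!parse_netscreen_packet(...)) return FALSE;` and netscreen_seek_read's `return parse_netscreen_packet(...)` both treat an unparsable header as a successful read, with `*err` set to WTAP_ERR_BAD_FILE and `*err_info` allocated but the record only partly filled in. That line should be `return FALSE;`, matching the new `pkt_len > WTAP_MAX_PACKET_SIZE` branch directly below it. Patch 110 edits the same lines and leaves the `return -1;` in place as context. The hex-dump loop between the `while(1) {` context line and the `if (n == -1)` hunk is not shown.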
wireshark-1.12.1+g01b65bf/debian/patches/110_1.12.12_NetScree_Don-t-treat-the-packet-length-as-unsigned.patch 2016-06-26 20:34:08.000000000 +0200 
@@ -0,0 +1,72 @@ +From db941b25c44cad1738a405f4c5f7fc6ddef49545 Mon Sep 17 00:00:00 2001 +From: Guy Harris <g...@alum.mit.edu> +Date: Sun, 1 May 2016 16:13:31 -0700 +Subject: [PATCH 110/117] Don't treat the packet length as unsigned. + +The scanf family of functions are as annoyingly bad at handling unsigned +numbers as strtoul() is - both of them are perfectly willing to accept a +value beginning with a negative sign as an unsigned value. When using +strtoul(), you can compensate for this by explicitly checking for a '-' +as the first character of the string, but you can't do that with +sscanf(). + +So revert to having pkt_len be signed, and scanning it with %d, but +check for a negative value and fail if we see a negative value. + +Bug: 12396 +Change-Id: I54fe8f61f42c32b5ef33da633ece51bbcda8c95f +Reviewed-on: https://code.wireshark.org/review/15220 +Reviewed-by: Guy Harris <g...@alum.mit.edu> +(cherry picked from commit 11edc83b98a61e890d7bb01855389d40e984ea82) +Reviewed-on: https://code.wireshark.org/review/15222 +(cherry picked from commit 4f4e1cb1b4ffb0c2a7c5ba84a13b412643ea0252) +Reviewed-on: https://code.wireshark.org/review/16116 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + wiretap/netscreen.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/wiretap/netscreen.c b/wiretap/netscreen.c +index d1f168e..f0e392a 100644 +--- a/wiretap/netscreen.c ++++ b/wiretap/netscreen.c +@@ -266,28 +266,33 @@ static gboolean + parse_netscreen_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer* buf, + char *line, int *err, gchar **err_info) + { ++ int pkt_len; + int sec; + int dsec; + char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH]; + char direction[2]; +- guint pkt_len; + char cap_src[13]; + char cap_dst[13]; + guint8 *pd; + gchar *p; + int n, i = 0; +- guint offset = 0; ++ int offset = 0; + gchar dststr[13]; + + phdr->rec_type = REC_TYPE_PACKET; + phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN; + +- if (sscanf(line, "%9d.%9d: 
%15[a-z0-9/:.-](%1[io]) len=%9u:%12s->%12s/", ++ if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9d:%12s->%12s/", + &sec, &dsec, cap_int, direction, &pkt_len, cap_src, cap_dst) < 5) { + *err = WTAP_ERR_BAD_FILE; + *err_info = g_strdup("netscreen: Can't parse packet-header"); + return -1; + } ++ if (pkt_len < 0) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: packet header has a negative packet length"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE) { + /* + * Probably a corrupt capture file; don't blow up trying +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/111_1.12.12_WBXML-add-a-basic-sanity-check-for-offset-overflow.patch wireshark-1.12.1+g01b65bf/debian/patches/111_1.12.12_WBXML-add-a-basic-sanity-check-for-offset-overflow.patch --- wireshark-1.12.1+g01b65bf/debian/patches/111_1.12.12_WBXML-add-a-basic-sanity-check-for-offset-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/111_1.12.12_WBXML-add-a-basic-sanity-check-for-offset-overflow.patch 2016-06-26 20:34:08.000000000 +0200 
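Review bot: The sscanf failure path just above the new negative-length check still ends in `return -1;`, although the hunk header shows the enclosing function is declared `static gboolean`; -1 is non-zero and reads as TRUE to a caller testing the result as a boolean, while the new check correctly returns FALSE. That line should become `return FALSE;` so both header-parse failures are reported the same way. Separately, the `< 5` threshold accepts a line on which only the first five conversions succeeded, leaving `cap_src` and `cap_dst` unassigned; if they are consumed later in the function (its body continues past the hunk) a `< 7` threshold or explicit initialization would be safer, so confirm against the rest of the function.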
@@ -0,0 +1,140 @@ +From 434fe44cdec8755204d7462f5293cdf1b9493a0b Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Mon, 9 May 2016 18:03:05 +0200 +Subject: [PATCH 111/117] WBXML: add a basic sanity check for offset overflow + +This is a naive approach allowing to detact that something went wrong, +without the need to replace all proto_tree_add_text() calls as what was +done in master-2.0 branch. + +Bug: 12408 +Change-Id: Ia14905005e17ae322c2fc639ad5e491fa08b0108 +Reviewed-on: https://code.wireshark.org/review/15310 +Reviewed-by: Michael Mann <mman...@netscape.net> +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +(cherry picked from commit b8e0d416898bb975a02c1b55883342edc5b4c9c0) +Reviewed-on: https://code.wireshark.org/review/16117 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-wbxml.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/epan/dissectors/packet-wbxml.c b/epan/dissectors/packet-wbxml.c +index 0956777..ae5425a 100644 +--- a/epan/dissectors/packet-wbxml.c ++++ b/epan/dissectors/packet-wbxml.c +@@ -7304,7 +7304,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, + const wbxml_decoding *map) + { + guint32 tvb_len = tvb_reported_length (tvb); +- guint32 off = offset; ++ guint32 off = offset, last_off; + guint32 len; + guint str_len; + guint32 ent; +@@ -7323,6 +7323,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, + tag_save_literal = NULL; /* Prevents compiler warning */ + + DebugLog(("parse_wbxml_tag_defined (level = %u, offset = %u)\n", *level, offset)); ++ last_off = off; + while (off < tvb_len) { + peek = tvb_get_guint8 (tvb, off); + DebugLog(("STAG: (top of while) level = %3u, peek = 0x%02X, off = %u, tvb_len = %u\n", *level, peek, off, tvb_len)); +@@ -7694,6 +7695,10 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, + /* TODO: Do I have to reset 
code page here? */ + } + } /* if (tag & 0x3F) >= 5 */ ++ if (off < last_off) { ++ THROW(ReportedBoundsError); ++ } ++ last_off = off; + } /* while */ + DebugLog(("STAG: level = %u, Return: len = %u (end of function body)\n", *level, off - offset)); + return (off - offset); +@@ -7711,7 +7716,7 @@ parse_wbxml_tag (proto_tree *tree, tvbuff_t *tvb, guint32 offset, + guint8 *codepage_stag, guint8 *codepage_attr) + { + guint32 tvb_len = tvb_reported_length (tvb); +- guint32 off = offset; ++ guint32 off = offset, last_off; + guint32 len; + guint str_len; + guint32 ent; +@@ -7732,6 +7737,7 @@ parse_wbxml_tag (proto_tree *tree, tvbuff_t *tvb, guint32 offset, + tag_save_literal = NULL; /* Prevents compiler warning */ + + DebugLog(("parse_wbxml_tag (level = %u, offset = %u)\n", *level, offset)); ++ last_off = off; + while (off < tvb_len) { + peek = tvb_get_guint8 (tvb, off); + DebugLog(("STAG: (top of while) level = %3u, peek = 0x%02X, off = %u, tvb_len = %u\n", *level, peek, off, tvb_len)); +@@ -8091,6 +8097,10 @@ parse_wbxml_tag (proto_tree *tree, tvbuff_t *tvb, guint32 offset, + /* TODO: Do I have to reset code page here? 
*/ + } + } /* if (tag & 0x3F) >= 5 */ ++ if (off < last_off) { ++ THROW(ReportedBoundsError); ++ } ++ last_off = off; + } /* while */ + DebugLog(("STAG: level = %u, Return: len = %u (end of function body)\n", + *level, off - offset)); +@@ -8126,7 +8136,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, + const wbxml_decoding *map) + { + guint32 tvb_len = tvb_reported_length (tvb); +- guint32 off = offset; ++ guint32 off = offset, last_off; + guint32 len; + guint str_len; + guint32 ent; +@@ -8138,6 +8148,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, + DebugLog(("parse_wbxml_attr_defined (level = %u, offset = %u)\n", + level, offset)); + /* Parse attributes */ ++ last_off = off; + while (off < tvb_len) { + peek = tvb_get_guint8 (tvb, off); + DebugLog(("ATTR: (top of while) level = %3u, peek = 0x%02X, " +@@ -8330,6 +8341,10 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, + off++; + } + } ++ if (off < last_off) { ++ THROW(ReportedBoundsError); ++ } ++ last_off = off; + } /* End WHILE */ + DebugLog(("ATTR: level = %u, Return: len = %u (end of function body)\n", + level, off - offset)); +@@ -8350,7 +8365,7 @@ parse_wbxml_attribute_list (proto_tree *tree, tvbuff_t *tvb, + guint32 offset, guint32 str_tbl, guint8 level, guint8 *codepage_attr) + { + guint32 tvb_len = tvb_reported_length (tvb); +- guint32 off = offset; ++ guint32 off = offset, last_off; + guint32 len; + guint str_len; + guint32 ent; +@@ -8359,6 +8374,7 @@ parse_wbxml_attribute_list (proto_tree *tree, tvbuff_t *tvb, + + DebugLog(("parse_wbxml_attr (level = %u, offset = %u)\n", level, offset)); + /* Parse attributes */ ++ last_off = off; + while (off < tvb_len) { + peek = tvb_get_guint8 (tvb, off); + DebugLog(("ATTR: (top of while) level = %3u, peek = 0x%02X, " +@@ -8516,6 +8532,10 @@ parse_wbxml_attribute_list (proto_tree *tree, tvbuff_t *tvb, + off++; + } + } ++ if (off < last_off) { ++ THROW(ReportedBoundsError); ++ } ++ last_off = 
off; + } /* End WHILE */ + DebugLog(("ATTR: level = %u, Return: len = %u (end of function body)\n", + level, off - offset)); +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/112_1.12.12_UMTS_FP-fix-handling-reserved-C-T-value.patch wireshark-1.12.1+g01b65bf/debian/patches/112_1.12.12_UMTS_FP-fix-handling-reserved-C-T-value.patch --- wireshark-1.12.1+g01b65bf/debian/patches/112_1.12.12_UMTS_FP-fix-handling-reserved-C-T-value.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/112_1.12.12_UMTS_FP-fix-handling-reserved-C-T-value.patch 2016-06-26 20:34:08.000000000 +0200 
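Review bot: The new guard `if (off < last_off)` in parse_wbxml_tag_defined fires only when the guint32 offset wraps below its previous value; an iteration that leaves `off` unchanged still loops forever, which the commit message's "naive approach" wording seems to acknowledge. If every loop iteration is required to consume at least one byte, `if (off <= last_off)` would also terminate a stalled parse; if zero-progress iterations are legitimate somewhere in the body (most of which lies outside the hunk), a comment saying so would help the next reader. Either way a one-line comment on the check, e.g. `/* off is guint32: a bogus length can wrap it backwards; stop rather than spin */`, would document why an offset comparison guards against an infinite loop. The same pattern is added in parse_wbxml_tag, parse_wbxml_attribute_list_defined and parse_wbxml_attribute_list in the later hunks of this patch and this note applies to each of them.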
@@ -0,0 +1,51 @@ +From 024bf5dfd68da67dd00475a5fea7cfabf03da8fa Mon Sep 17 00:00:00 2001 +From: Evan Huus <eapa...@gmail.com> +Date: Sat, 4 Jun 2016 13:56:57 -0400 +Subject: [PATCH 112/117] UMTS_FP: fix handling reserved C/T value + +The spec puts the reserved value at 0xf but our internal table has 'unknown' at +0; since all the other values seem to be offset-by-one, just take the modulus +0xf to avoid running off the end of the table. + +# Conflicts: +# epan/dissectors/packet-umts_fp.c + +Bug: 12191 +Change-Id: I83c8fb66797bbdee52a2246fb1eea6e37cbc7eb0 +Reviewed-on: https://code.wireshark.org/review/15722 +Reviewed-by: Evan Huus <eapa...@gmail.com> +Petri-Dish: Evan Huus <eapa...@gmail.com> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Michael Mann <mman...@netscape.net> +(cherry picked from commit 7d7190695ce2ff269fdffb04e87139995cde21f4) +Reviewed-on: https://code.wireshark.org/review/15726 +(cherry picked from commit fb9dcfa8e5df3ea3207335491b86be8cbb21eeaf) +Reviewed-on: https://code.wireshark.org/review/16118 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-umts_fp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/epan/dissectors/packet-umts_fp.c b/epan/dissectors/packet-umts_fp.c +index 7d21b83..ca9a346 100644 +--- a/epan/dissectors/packet-umts_fp.c ++++ b/epan/dissectors/packet-umts_fp.c +@@ -4048,11 +4048,11 @@ fp_set_per_packet_inf_from_conv(umts_fp_conversation_info_t *p_conv_data, + + /* Peek at C/T, different RLC params for different logical channels */ + /*C/T is 4 bits according to 3GPP TS 25.321, paragraph 9.2.1, from MAC header (not FP)*/ +- c_t = tvb_get_bits8(tvb, tb_bit_off/*(2+p_conv_data->num_dch_in_flow)*8*/, 4); /* c_t = tvb_get_guint8(tvb,offset);*/ +- macinf->lchid[j+chan] = c_t+1; ++ c_t = (tvb_get_bits8(tvb, tb_bit_off/*(2+p_conv_data->num_dch_in_flow)*8*/, 4) + 1) % 0xf; /* c_t = tvb_get_guint8(tvb, offset);*/ ++ macinf->lchid[j+chan] = 
c_t; + +- macinf->content[j+chan] = lchId_type_table[c_t+1]; /*Base MAC content on logical channel id (Table is in packet-nbap.h)*/ +- rlcinf->mode[j+chan] = lchId_rlc_map[c_t+1]; /*Based RLC mode on logical channel id*/ ++ macinf->content[j+chan] = lchId_type_table[c_t]; /*Base MAC content on logical channel id (Table is in packet-nbap.h)*/ ++ rlcinf->mode[j+chan] = lchId_rlc_map[c_t]; /*Based RLC mode on logical channel id*/ + } + }else{ + fake_lchid = make_fake_lchid(pinfo,p_conv_data->dchs_in_flow_list[chan]); +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/113_1.12.12_SPOOLSS-Try-to-avoid-an-infinite-loop.patch wireshark-1.12.1+g01b65bf/debian/patches/113_1.12.12_SPOOLSS-Try-to-avoid-an-infinite-loop.patch --- wireshark-1.12.1+g01b65bf/debian/patches/113_1.12.12_SPOOLSS-Try-to-avoid-an-infinite-loop.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/113_1.12.12_SPOOLSS-Try-to-avoid-an-infinite-loop.patch 2016-06-26 20:34:08.000000000 +0200 
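Review bot: The new expression `(tvb_get_bits8(...) + 1) % 0xf` does not send the reserved C/T value 0xf to table index 0 as the commit message says: 0xf + 1 = 16 and 16 % 15 = 1, the same index as C/T 0, while C/T 14 (14 + 1 = 15, 15 % 15 = 0) is the value that now lands on 'unknown'. The index is at least bounded to 0..14, so the out-of-bounds read is gone provided lchId_type_table and lchId_rlc_map have 15 or more entries, which is not visible here. If the intent is the one described, `c_t = tvb_get_bits8(tvb, tb_bit_off, 4); c_t = (c_t == 0xf) ? 0 : c_t + 1;` expresses it directly and keeps the range explicit.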
@@ -0,0 +1,56 @@ +From dd47a5217abcaf6d9085a44e9c1dd8821baf565f Mon Sep 17 00:00:00 2001 +From: Gerald Combs <ger...@wireshark.org> +Date: Mon, 28 Mar 2016 15:46:33 -0700 +Subject: [PATCH 113/117] SPOOLSS: Try to avoid an infinite loop. + +Use tvb_reported_length_remaining in dissect_spoolss_uint16uni. Make +sure our offset always increments in dissect_spoolss_keybuffer. + +Conflicts: + epan/dissectors/packet-dcerpc-spoolss.c + +Change-Id: I7017c9685bb2fa27161d80a03b8fca4ef630e793 +Reviewed-on: https://code.wireshark.org/review/14687 +Reviewed-by: Gerald Combs <ger...@wireshark.org> +Petri-Dish: Gerald Combs <ger...@wireshark.org> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Michael Mann <mman...@netscape.net> +(cherry picked from commit b4d16b4495b732888e12baf5b8a7e9bf2665e22b) +Reviewed-on: https://code.wireshark.org/review/15248 +(cherry picked from commit 9753ea8db4ea2caeb3365e842e904cbe5681b79e) +Reviewed-on: https://code.wireshark.org/review/15249 +(cherry picked from commit 80006b0eb062a45479d109796df14c13ca7c5785) +Reviewed-on: https://code.wireshark.org/review/16119 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-dcerpc-spoolss.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/packet-dcerpc-spoolss.c b/epan/dissectors/packet-dcerpc-spoolss.c +index 8cd5419..f6bbea8 100644 +--- a/epan/dissectors/packet-dcerpc-spoolss.c ++++ b/epan/dissectors/packet-dcerpc-spoolss.c +@@ -1077,7 +1077,7 @@ dissect_spoolss_uint16uni(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, + + /* Get remaining data in buffer as a string */ + +- remaining = tvb_length_remaining(tvb, offset); ++ remaining = tvb_reported_length_remaining(tvb, offset); + if (remaining <= 0) { + if (data) + *data = g_strdup(""); +@@ -6556,9 +6556,10 @@ dissect_spoolss_keybuffer(tvbuff_t *tvb, int offset, packet_info *pinfo, + end_offset = tvb_reported_length_remaining(tvb, offset) + 1; + } + 
+- while (offset < end_offset) ++ while (offset > 0 && offset < end_offset) { + offset = dissect_spoolss_uint16uni( + tvb, offset, pinfo, tree, drep, NULL, "Key"); ++ } + + return offset; + } +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/114_1.12.12_Make-class-type-for-USB-conversations.patch wireshark-1.12.1+g01b65bf/debian/patches/114_1.12.12_Make-class-type-for-USB-conversations.patch --- wireshark-1.12.1+g01b65bf/debian/patches/114_1.12.12_Make-class-type-for-USB-conversations.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/114_1.12.12_Make-class-type-for-USB-conversations.patch 2016-06-26 20:34:08.000000000 +0200 
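Review bot: The new loop condition `offset > 0 && offset < end_offset` only exits when dissect_spoolss_uint16uni returns a non-positive offset; if it returns its input offset unchanged (for instance a zero-length string at a valid offset, which the first hunk's `remaining <= 0` path does not cover), the loop still never advances, so the "offset always increments" claim in the commit message is not enforced by the visible code. A progress check inside the body, `int prev = offset;` before the call and `if (offset <= prev) break;` after it, would guarantee termination regardless of what the callee does. The visible context line `end_offset = tvb_reported_length_remaining(tvb, offset) + 1;` also assigns a remaining length rather than an absolute offset to the bound compared against `offset`; that predates the change but is worth confirming, since it decides when this loop stops.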
@@ -0,0 +1,86 @@ +From 5d18307cac7be1e6cc143d216545e0319f539774 Mon Sep 17 00:00:00 2001 +From: Michael Mann <mman...@netscape.net> +Date: Sun, 1 May 2016 12:55:23 -0400 +Subject: [PATCH 114/117] Make class "type" for USB conversations. + +USB dissectors can't assume that only their class type has been passed around in the conversation. Make explicit check that class type expected matches the dissector and stop/prevent dissection if there isn't a match. + +Conflicts: + epan/dissectors/packet-usb.h + +Bug: 12356 +Change-Id: Ib23973a4ebd0fbb51952ffc118daf95e3389a209 +Reviewed-on: https://code.wireshark.org/review/15212 +Petri-Dish: Michael Mann <mman...@netscape.net> +Reviewed-by: Martin Kaiser <wiresh...@kaiser.cx> +Petri-Dish: Martin Kaiser <wiresh...@kaiser.cx> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Michael Mann <mman...@netscape.net> +Reviewed-on: https://code.wireshark.org/review/15214 +Reviewed-on: https://code.wireshark.org/review/16120 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-usb-masstorage.c | 5 ++++- + epan/dissectors/packet-usb-video.c | 4 ++++ + epan/dissectors/packet-usb.h | 5 ++++- + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/packet-usb-masstorage.c b/epan/dissectors/packet-usb-masstorage.c +index 8ac950c..7f84a3b 100644 +--- a/epan/dissectors/packet-usb-masstorage.c ++++ b/epan/dissectors/packet-usb-masstorage.c +@@ -200,9 +200,12 @@ dissect_usb_ms_bulk(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, + usb_ms_conv_info->itl=wmem_tree_new(wmem_file_scope()); + usb_ms_conv_info->itlq=wmem_tree_new(wmem_file_scope()); + usb_conv_info->class_data=usb_ms_conv_info; ++ usb_conv_info->class_data_type = USB_CONV_MASS_STORAGE; ++ } else if (usb_conv_info->class_data_type != USB_CONV_MASS_STORAGE) { ++ /* Don't dissect if another USB type is in the conversation */ ++ return 0; + } + +- + is_request=(pinfo->srcport==NO_ENDPOINT); + 
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "USBMS"); +diff --git a/epan/dissectors/packet-usb-video.c b/epan/dissectors/packet-usb-video.c +index 1a82e20..4ff85cf 100644 +--- a/epan/dissectors/packet-usb-video.c ++++ b/epan/dissectors/packet-usb-video.c +@@ -1032,6 +1032,10 @@ dissect_usb_video_control_interface_descriptor(proto_tree *parent_tree, tvbuff_t + video_conv_info = wmem_new(wmem_file_scope(), video_conv_info_t); + video_conv_info->entities = wmem_tree_new(wmem_file_scope()); + usb_conv_info->class_data = video_conv_info; ++ usb_conv_info->class_data_type = USB_CONV_VIDEO; ++ } else if (usb_conv_info->class_data_type != USB_CONV_VIDEO) { ++ /* Stop dissection if another USB type is in the conversation */ ++ return descriptor_len; + } + + entity = (video_entity_t*) wmem_tree_lookup32(video_conv_info->entities, entity_id); +diff --git a/epan/dissectors/packet-usb.h b/epan/dissectors/packet-usb.h +index f008b1c..68d5b26 100644 +--- a/epan/dissectors/packet-usb.h ++++ b/epan/dissectors/packet-usb.h +@@ -79,6 +79,8 @@ typedef struct _usb_trans_info_t { + usb_conv_info_t *interface_info; + } usb_trans_info_t; + ++enum usb_conv_class_data_type {USB_CONV_UNKNOWN = 0, USB_CONV_AUDIO, USB_CONV_VIDEO, USB_CONV_MASS_STORAGE}; ++ + /* Conversation Structure + * there is one such structure for each device/endpoint conversation */ + struct _usb_conv_info_t { +@@ -102,7 +104,8 @@ struct _usb_conv_info_t { + wmem_tree_t *transactions; + usb_trans_info_t *usb_trans_info; /* pointer to the current transaction */ + +- void *class_data; /* private class/id decode data */ ++ void *class_data; /* private class/id decode data */ ++ enum usb_conv_class_data_type class_data_type; + }; + + /* This is what a tap will tap */ +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/115_1.12.12_802.11_Make-sure-EAPOL-body-is-big-enough-for-a-EAPOL_RSN_K.patch wireshark-1.12.1+g01b65bf/debian/patches/115_1.12.12_802.11_Make-sure-EAPOL-body-is-big-enough-for-a-EAPOL_RSN_K.patch --- 
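Review bot: The new `class_data_type != USB_CONV_MASS_STORAGE` check in dissect_usb_ms_bulk, and its counterpart in dissect_usb_video_control_interface_descriptor, are only correct if `class_data_type` starts as USB_CONV_UNKNOWN (0) for every conversation; the hunk adds the field to `struct _usb_conv_info_t` but no initialization is visible, so whether the allocation site zeroes the struct must be confirmed (a non-zeroed field would make the else-if branch reject the conversation from its second packet on). A comment next to the enum naming that invariant, e.g. `/* set by the class dissector that owns class_data; must read USB_CONV_UNKNOWN until then */`, would make the contract explicit. Appending a field to `struct _usb_conv_info_t` in packet-usb.h also changes its layout, so any out-of-tree plugin built against the previous header of this stable branch would need a rebuild.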
wireshark-1.12.1+g01b65bf/debian/patches/115_1.12.12_802.11_Make-sure-EAPOL-body-is-big-enough-for-a-EAPOL_RSN_K.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/115_1.12.12_802.11_Make-sure-EAPOL-body-is-big-enough-for-a-EAPOL_RSN_K.patch 2016-06-26 20:34:08.000000000 +0200 
@@ -0,0 +1,50 @@ +From 9ab8209542d911de8e39cf7d1bdbec821d1060c3 Mon Sep 17 00:00:00 2001 +From: Michael Mann <mman...@netscape.net> +Date: Sun, 22 May 2016 20:21:17 -0400 +Subject: [PATCH 115/117] Make sure EAPOL body is big enough for a + EAPOL_RSN_KEY. + +A pointer to a EAPOL_RSN_KEY is set on the packet presuming the +whole EAPOL_RSN_KEY is there. That's not always the case for +fuzzed/malicious captures. + +Conflicts: + epan/crypt/airpdcap.c + +Cherry picking also changes the comparison according to +commit f42616a6216454656b7b958955d336d7b304714f. + +Bug: 11585 +Change-Id: Ib94b8aceef444c7820e43b969596efdb8dbecccd +Reviewed-on: https://code.wireshark.org/review/15540 +Reviewed-by: Michael Mann <mman...@netscape.net> +Petri-Dish: Michael Mann <mman...@netscape.net> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Anders Broman <a.broma...@gmail.com> +(cherry picked from commit 9b0b20b8d5f8c9f7839d58ff6c5900f7e19283b4) +Reviewed-on: https://code.wireshark.org/review/15544 +(cherry picked from commit f2c0a286479b208b2c4f68afc218dacfc4ac709e) +Reviewed-on: https://code.wireshark.org/review/16139 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/crypt/airpdcap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c +index be6e059..1152eed 100644 +--- a/epan/crypt/airpdcap.c ++++ b/epan/crypt/airpdcap.c +@@ -547,8 +547,8 @@ static INT AirPDcapScanForGroupKey( + + /* get and check the body length (IEEE 802.1X-2004, pg. 
25) */ + bodyLength=pntoh16(data+offset+2); +- if ((tot_len-offset-4) > bodyLength) { +- AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3); ++ if (((tot_len-offset-4) < bodyLength) || (bodyLength < sizeof(EAPOL_RSN_KEY))) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */ ++ AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForKeys", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3); + return AIRPDCAP_RET_NO_VALID_HANDSHAKE; + } + +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/116_1.12.12_802.11_Fix-previous-change.patch wireshark-1.12.1+g01b65bf/debian/patches/116_1.12.12_802.11_Fix-previous-change.patch --- wireshark-1.12.1+g01b65bf/debian/patches/116_1.12.12_802.11_Fix-previous-change.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/116_1.12.12_802.11_Fix-previous-change.patch 2016-06-26 20:34:08.000000000 +0200 
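Review bot: The rewritten debug line labels the message `"AirPDcapScanForKeys"` although the hunk header shows the enclosing function is still `AirPDcapScanForGroupKey` in this branch; the label was carried over from the newer source and should stay `"AirPDcapScanForGroupKey"` so log output points at the right function (the same line survives unchanged in patch 116). The first half of the condition, `(tot_len-offset-4) < bodyLength`, relies on `bodyLength` having been read via `pntoh16(data+offset+2)` on the line above, so the caller must already guarantee `offset + 4 <= tot_len`; if that is not established before this point (not visible in the hunk), an unsigned `tot_len-offset-4` underflow would turn the check into a pass. A short comment noting where that precondition is enforced would make this easier to audit.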
@@ -0,0 +1,40 @@ +From 9a76c295c93f8697791bdd4d09c735c9eb412f7b Mon Sep 17 00:00:00 2001 +From: Guy Harris <g...@alum.mit.edu> +Date: Mon, 23 May 2016 18:20:50 -0700 +Subject: [PATCH 116/117] Fix previous change. + +In 1.12, an EAPOL_RSN_KEY structure has an extra +TKIP_GROUP_KEYBYTES_LEN_MAX-byte array at the end; that's not there in +2.0 and later. + +So comparing against sizeof(EAPOL_RSN_KEY) does different things in 1.12 +and 2.x. + +Instead, we should compare against RSN_KEY_WITHOUT_KEYBYTES_LEN, as that +has the same value in 1.12 as sizeof(EAPOL_RSN_KEY) has in 2.x. + +Change-Id: I5464c592cf42ae1bab6b878b049c40ef63a5fd51 +Reviewed-on: https://code.wireshark.org/review/15548 +Reviewed-by: Guy Harris <g...@alum.mit.edu> +Reviewed-on: https://code.wireshark.org/review/16140 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/crypt/airpdcap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c +index 1152eed..1a8119c 100644 +--- a/epan/crypt/airpdcap.c ++++ b/epan/crypt/airpdcap.c +@@ -547,7 +547,7 @@ static INT AirPDcapScanForGroupKey( + + /* get and check the body length (IEEE 802.1X-2004, pg. 
25) */ + bodyLength=pntoh16(data+offset+2); +- if (((tot_len-offset-4) < bodyLength) || (bodyLength < sizeof(EAPOL_RSN_KEY))) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */ ++ if (((tot_len-offset-4) < bodyLength) || (bodyLength < RSN_KEY_WITHOUT_KEYBYTES_LEN)) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */ + AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForKeys", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3); + return AIRPDCAP_RET_NO_VALID_HANDSHAKE; + } +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/117_1.12.9_802.11_airpdcap-Don-t-return-error-from-function-returning-.patch wireshark-1.12.1+g01b65bf/debian/patches/117_1.12.9_802.11_airpdcap-Don-t-return-error-from-function-returning-.patch --- wireshark-1.12.1+g01b65bf/debian/patches/117_1.12.9_802.11_airpdcap-Don-t-return-error-from-function-returning-.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/117_1.12.9_802.11_airpdcap-Don-t-return-error-from-function-returning-.patch 2016-06-26 20:34:08.000000000 +0200 
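Review bot: The trailing comment `/* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */` now describes only the first half of the condition; the second half, which rejects bodies shorter than RSN_KEY_WITHOUT_KEYBYTES_LEN, is the part that actually prevents the EAPOL_RSN_KEY pointer from overrunning the body. A comment such as `/* body must fit in the frame (trailing garbage tolerated, bug 9065) and hold at least a key without keybytes, since an EAPOL_RSN_KEY pointer is taken into it */` would state both reasons. The commit message explains that RSN_KEY_WITHOUT_KEYBYTES_LEN equals sizeof(EAPOL_RSN_KEY) in 2.x; putting that sentence next to the constant would save the next backporter the same detour.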
@@ -0,0 +1,33 @@ +From dd6b2d833612b16a72e3ff8b4c3b14ba03e7a3b7 Mon Sep 17 00:00:00 2001 +From: Balint Reczey <bal...@balintreczey.hu> +Date: Sat, 25 Jun 2016 23:43:23 +0200 +Subject: [PATCH 117/117] [airpdcap] Don't return error from function returning + void + +Cherry-picking 8110a703cc1f17222b3010b3993bbf8be21436d4 to lts-1.12.1 +made AirPDcapDecryptWPABroadcastKey() return error code +while it should return void. + +Change-Id: Iee6bc0b7dd61eb80fe27e848db11dfba570d4759 +Reviewed-on: https://code.wireshark.org/review/16141 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/crypt/airpdcap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c +index 1a8119c..37914c3 100644 +--- a/epan/crypt/airpdcap.c ++++ b/epan/crypt/airpdcap.c +@@ -458,7 +458,7 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption + key_len = (sa->wpa.key_ver==AIRPDCAP_WPA_KEY_VER_NOT_CCMP)?TKIP_GROUP_KEY_LEN:CCMP_GROUP_KEY_LEN; + if (key_len > key_bytes_len) { + /* the key required for this protocol is longer than the key that we just calculated */ +- return AIRPDCAP_RET_NO_VALID_HANDSHAKE; ++ return; + } + + /* Decrypted key is now in szEncryptedKey with len of key_len */ +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/series wireshark-1.12.1+g01b65bf/debian/patches/series --- wireshark-1.12.1+g01b65bf/debian/patches/series 2016-05-23 12:42:08.000000000 +0200 +++ wireshark-1.12.1+g01b65bf/debian/patches/series 2016-06-26 20:34:08.000000000 +0200 
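Review bot: Replacing `return AIRPDCAP_RET_NO_VALID_HANDSHAKE;` with a bare `return;` is the right fix for a void function, but it leaves the key-length failure completely silent, whereas the rejection path in AirPDcapScanForGroupKey touched by patches 115 and 116 emits a debug line before returning. Adding `AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapDecryptWPABroadcastKey", "required key longer than decrypted key bytes", AIRPDCAP_DEBUG_LEVEL_3);` before the return would keep that consistent and make a rejected group key diagnosable. The rest of the function, including whatever the caller uses to learn the key was not decrypted, is outside the hunk.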
@@ -95,3 +95,16 @@ 102_1.12.11_IAX2-fix-an-infinite-loop.patch 103_1.12.11_GSM-CBCH-fix-an-out-of-bounds-access.patch 104_1.12.11_NCP_Dynamically-allocate-info-string-to-prevent-stack-ov.patch +105_1.12.12_Toshiba_Fix-packet-length-handling.patch +106_1.12.12_Toshiba-2_Don-t-treat-the-packet-length-as-unsigned.patch +107_1.12.12_CoSine_Fix-packet-length-handling.patch +108_1.12.12_CoSine-2_Don-t-treat-the-packet-length-as-unsigned.patch +109_1.12.12_NetScreen_Fix-packet-length-handling.patch +110_1.12.12_NetScree_Don-t-treat-the-packet-length-as-unsigned.patch +111_1.12.12_WBXML-add-a-basic-sanity-check-for-offset-overflow.patch +112_1.12.12_UMTS_FP-fix-handling-reserved-C-T-value.patch +113_1.12.12_SPOOLSS-Try-to-avoid-an-infinite-loop.patch +114_1.12.12_Make-class-type-for-USB-conversations.patch +115_1.12.12_802.11_Make-sure-EAPOL-body-is-big-enough-for-a-EAPOL_RSN_K.patch +116_1.12.12_802.11_Fix-previous-change.patch +117_1.12.9_802.11_airpdcap-Don-t-return-error-from-function-returning-.patch