Hi, I have prepared an update for wireshark in Wheezy.
Please see the diff to the previous version attached. A practically identical changeset has already been accepted to jessie-security.

Changes:

wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium
  .
  * security fixes from Wireshark 1.12.13:
    - The NDS dissector could crash (CVE-2016-6504)
    - The PacketBB dissector could crash (CVE-2016-6505)
    - The WSP dissector could go into an infinite loop (CVE-2016-6506)
    - The MMSE dissector could go into an infinite loop (CVE-2016-6507)
    - The RLC dissector could go into a long loop (CVE-2016-6508)
    - The LDSS dissector could crash (CVE-2016-6509)
    - The RLC dissector could crash (CVE-2016-6510)
    - The OpenFlow dissector could go into a long loop (CVE-2016-6511)
  * Cherry-pick fix for regressions caused by CVE-2016-6511's fix

I plan to upload the package tomorrow around noon UTC.

Cheers,
Balint
diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog --- wireshark-1.12.1+g01b65bf/debian/changelog 2016-06-26 20:37:15.000000000 +0200 +++ wireshark-1.12.1+g01b65bf/debian/changelog 2016-08-14 16:20:37.000000000 +0200 @@ -1,3 +1,18 @@ +wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium + + * security fixes from Wireshark 1.12.13: + - The NDS dissector could crash (CVE-2016-6504) + - The PacketBB dissector could crash (CVE-2016-6505) + - The WSP dissector could go into an infinite loop (CVE-2016-6506) + - The MMSE dissector could go into an infinite loop (CVE-2016-6507) + - The RLC dissector could go into a long loop (CVE-2016-6508) + - The LDSS dissector could crash (CVE-2016-6509) + - The RLC dissector could crash (CVE-2016-6510) + - The OpenFlow dissector could go into a long loop (CVE-2016-6511) + * Cherry-pick fix for regressions caused by CVE-2016-6511's fix + + -- Balint Reczey <bal...@balintreczey.hu> Sun, 14 Aug 2016 16:20:12 +0200 + wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u2) wheezy-security; urgency=high * security fixes from Wireshark 1.12.12: diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch --- wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/118_1.12.13_dissect_nds_request-Add-NULL-check.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,33 @@ +From 471830020143111ca694a1153d9ea477343edde7 Mon Sep 17 00:00:00 2001 +From: Michael Mann <mman...@netscape.net> +Date: Sat, 2 Jul 2016 10:37:20 -0400 +Subject: [PATCH 118/125] dissect_nds_request: Add NULL check + +Bug: 12576 +Change-Id: If25d65b58ccc3860a48a48d5dbc4a076a79ad459 +Reviewed-on: https://code.wireshark.org/review/16245 +Reviewed-by: Michael Mann <mman...@netscape.net> +(cherry picked from commit 9eacbb4d48df647648127b9258f9e5aeeb0c7d99) +Reviewed-on: https://code.wireshark.org/review/17015 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-ncp2222.inc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-ncp2222.inc b/epan/dissectors/packet-ncp2222.inc +index 35f0fa6..6c7c4c6 100644 +--- a/epan/dissectors/packet-ncp2222.inc ++++ b/epan/dissectors/packet-ncp2222.inc +@@ -11803,7 +11803,8 @@ dissect_nds_request(tvbuff_t *tvb, packet_info *pinfo, + ; /* nothing */ + break; + } +- ptvcursor_free(ptvc); ++ if (ptvc != NULL) ++ ptvcursor_free(ptvc); + + /* Free the temporary proto_tree */ + CLEANUP_CALL_AND_POP; +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch --- wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/119_1.12.13_packetbb-Prevent-divide-by-0.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,48 @@ +From 5576ce24c69cf38c890f70696285e84d6e4c2932 Mon Sep 17 00:00:00 2001 +From: Michael Mann <mman...@netscape.net> +Date: Sat, 2 Jul 2016 08:23:34 -0400 +Subject: [PATCH 119/125] packetbb: Prevent divide by 0. + +Bug: 12577 +Change-Id: Ibfa605597b786d8dbf1e256ef2ca6dc691498974 +Reviewed-on: https://code.wireshark.org/review/16241 +Petri-Dish: Michael Mann <mman...@netscape.net> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Michael Mann <mman...@netscape.net> +(cherry picked from commit 94e97e45cf614c7bb8fe90c23df52910246b2c95) +Reviewed-on: https://code.wireshark.org/review/16244 +(cherry picked from commit 3ce7de0ce8d32ded8e4c0ebf747886b9b5b1b26f) +Reviewed-on: https://code.wireshark.org/review/17016 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-packetbb.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/epan/dissectors/packet-packetbb.c b/epan/dissectors/packet-packetbb.c +index 28355d4..ac2c3b0 100644 +--- a/epan/dissectors/packet-packetbb.c ++++ b/epan/dissectors/packet-packetbb.c +@@ -282,12 +282,14 @@ static int dissect_pbb_tlvblock(tvbuff_t *tvb, proto_tree *tree, guint offset, + } + else { + int i; +- guint8 c = indexEnd - indexStart + 1; +- tlvValue_tree = proto_item_add_subtree(tlvValue_item, ett_packetbb_tlv_value); +- +- for (i=indexStart; i<=indexEnd; i++) { +- proto_tree_add_item(tlvValue_tree, hf_packetbb_tlv_multivalue, tvb, offset, length/c, ENC_NA); +- offset += (length/c); ++ guint c = indexEnd - indexStart + 1; ++ if (c > 0) { ++ tlvValue_tree = proto_item_add_subtree(tlvValue_item, ett_packetbb_tlv_value); ++ ++ for (i=indexStart; i<=indexEnd; i++) { ++ proto_tree_add_item(tlvValue_tree, hf_packetbb_tlv_multivalue, tvb, offset, length/c, ENC_NA); ++ offset += (length/c); ++ } + } + } + } +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/120_1.12.13_packet-wsp.c-Fix-infinite-loop-in-add_headers.patch 
wireshark-1.12.1+g01b65bf/debian/patches/120_1.12.13_packet-wsp.c-Fix-infinite-loop-in-add_headers.patch --- wireshark-1.12.1+g01b65bf/debian/patches/120_1.12.13_packet-wsp.c-Fix-infinite-loop-in-add_headers.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/120_1.12.13_packet-wsp.c-Fix-infinite-loop-in-add_headers.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,66 @@ +From e8148eaee8b2e8c3ed495a49f147bd6433844ee5 Mon Sep 17 00:00:00 2001 +From: Michael Mann <mman...@netscape.net> +Date: Sat, 9 Jul 2016 09:05:12 -0400 +Subject: [PATCH 120/125] packet-wsp.c: Fix infinite loop in add_headers + +# Conflicts: +# epan/dissectors/packet-wsp.c + +Bug: 12594 +Change-Id: Id86d1e5f2db12871bc1b345721e79e57192f01e1 +Reviewed-on: https://code.wireshark.org/review/16355 +Petri-Dish: Michael Mann <mman...@netscape.net> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Michael Mann <mman...@netscape.net> +(cherry picked from commit a9d5256890c9189c7461bfce6ed6edce5d861499) +Reviewed-on: https://code.wireshark.org/review/16358 +Reviewed-by: Alexis La Goutte <alexis.lagou...@gmail.com> +Reviewed-on: https://code.wireshark.org/review/16360 +(cherry picked from commit ee37b7dcdbf86e674a0222f35b1ef1db95fd5c9d) +Reviewed-on: https://code.wireshark.org/review/17017 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-wsp.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/epan/dissectors/packet-wsp.c b/epan/dissectors/packet-wsp.c +index 7ed42ae..f0e356a 100644 +--- a/epan/dissectors/packet-wsp.c ++++ b/epan/dissectors/packet-wsp.c +@@ -1743,6 +1743,7 @@ add_headers (proto_tree *tree, tvbuff_t *tvb, int hf, packet_info *pinfo) + guint8 hdr_id, val_id, codepage = 1; + gint32 tvb_len = tvb_length(tvb); + gint32 offset = 0; ++ gint32 save_offset; + gint32 hdr_len, hdr_start; + gint32 val_len, val_start; + gchar *hdr_str, *val_str; +@@ -1770,15 +1771,25 @@ add_headers (proto_tree *tree, tvbuff_t *tvb, int hf, packet_info *pinfo) + if (codepage == 1) { /* Default header code page */ + DebugLog(("add_headers(code page 0): %s\n", + val_to_str_ext_const (hdr_id & 0x7f, &vals_field_names_ext, "Undefined"))); ++ save_offset = offset; + offset = WellKnownHeader[hdr_id & 0x7F](wsp_headers, tvb, + hdr_start, pinfo); ++ /* Make sure we're progressing forward */ ++ if 
(save_offset <= offset) { ++ break; ++ } + } else { /* Openwave header code page */ + /* Here I'm delibarately assuming that Openwave is the only + * company that defines a WSP header code page. */ + DebugLog(("add_headers(code page 0x%02x - assumed to be x-up-1): %s\n", + codepage, val_to_str_ext_const (hdr_id & 0x7f, &vals_openwave_field_names_ext, "Undefined"))); ++ save_offset = offset; + offset = WellKnownOpenwaveHeader[hdr_id & 0x7F](wsp_headers, + tvb, hdr_start, pinfo); ++ /* Make sure we're progressing forward */ ++ if (save_offset <= offset) { ++ break; ++ } + } + } else if (hdr_id == 0x7F) { /* HCP shift sequence */ + codepage = tvb_get_guint8(tvb, offset+1); +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/121_1.12.13_MMSE-remove-proto_tree_add_text-calls.patch wireshark-1.12.1+g01b65bf/debian/patches/121_1.12.13_MMSE-remove-proto_tree_add_text-calls.patch --- wireshark-1.12.1+g01b65bf/debian/patches/121_1.12.13_MMSE-remove-proto_tree_add_text-calls.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/121_1.12.13_MMSE-remove-proto_tree_add_text-calls.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,101 @@ +From 4d84db5786b79ca1de61491857c46f03c92c0aaf Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Sat, 16 Jul 2016 23:24:00 +0200 +Subject: [PATCH 121/125] MMSE: remove proto_tree_add_text calls + +Backport changes done previously in master-2.0 branch + +Bug: 12624 +Change-Id: Ife4c700a29f5e728743c38ee37541ea496091f89 +Reviewed-on: https://code.wireshark.org/review/16504 +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +(cherry picked from commit b5a10743258bd016c07ebf6479137fda3d172a0f) +Reviewed-on: https://code.wireshark.org/review/17018 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-mmse.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +diff --git a/epan/dissectors/packet-mmse.c b/epan/dissectors/packet-mmse.c +index 670bfe6..aebcd51 100644 +--- a/epan/dissectors/packet-mmse.c ++++ b/epan/dissectors/packet-mmse.c +@@ -242,6 +242,9 @@ static int hf_mmse_prev_sent_by_address = -1; + static int hf_mmse_prev_sent_date = -1; + static int hf_mmse_prev_sent_date_fwd_count = -1; + static int hf_mmse_prev_sent_date_date = -1; ++static int hf_mmse_header_uint = -1; ++static int hf_mmse_header_string = -1; ++static int hf_mmse_header_bytes = -1; + + /* + * Initialize the subtree pointers +@@ -1228,14 +1231,15 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, + guint8 peek = tvb_get_guint8(tvb, offset); + const char *hdr_name = val_to_str(field, vals_mm_header_names, + "Unknown field (0x%02x)"); ++ const char *str; + DebugLog(("\t\tUndecoded well-known header: %s\n", + hdr_name)); + + if (peek & 0x80) { /* Well-known value */ + length = 1; + if (tree) { +- proto_tree_add_text(mmse_tree, tvb, offset - 1, +- length + 1, ++ proto_tree_add_uint_format(mmse_tree, hf_mmse_header_uint, tvb, offset - 1, ++ length + 1, peek, + "%s: <Well-known value 0x%02x>" + " (not decoded)", + hdr_name, peek); +@@ -1243,10 
+1247,9 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, + } else if ((peek == 0) || (peek >= 0x20)) { /* Text */ + length = get_text_string(tvb, offset, &strval); + if (tree) { +- proto_tree_add_text(mmse_tree, tvb, offset - 1, +- length + 1, "%s: %s (Not decoded)", +- hdr_name, +- format_text(strval, strlen(strval))); ++ str = format_text(strval, strlen(strval)); ++ proto_tree_add_string_format(mmse_tree, hf_mmse_header_string, tvb, offset - 1, ++ length + 1, str, "%s: %s (Not decoded)", hdr_name, str); + } + } else { /* General form with length */ + if (peek == 0x1F) { /* Value length in guintvar */ +@@ -1258,8 +1261,8 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, + length = 1 + tvb_get_guint8(tvb, offset); + } + if (tree) { +- proto_tree_add_text(mmse_tree, tvb, offset - 1, +- length + 1, "%s: " ++ proto_tree_add_bytes_format(mmse_tree, hf_mmse_header_bytes, tvb, offset - 1, ++ length + 1, NULL, "%s: " + "<Value in general form> (not decoded)", + hdr_name); + } +@@ -1633,7 +1636,21 @@ proto_register_mmse(void) + HFILL + } + }, +- ++ { &hf_mmse_header_uint, ++ { "Header Uint Value", "mmse.header.uint", ++ FT_UINT8, BASE_DEC, NULL, 0x00, NULL, HFILL ++ } ++ }, ++ { &hf_mmse_header_string, ++ { "Header String Value", "mmse.header.string", ++ FT_STRING, BASE_NONE, NULL, 0x00, NULL, HFILL ++ } ++ }, ++ { &hf_mmse_header_bytes, ++ { "Header Byte array", "mmse.header.bytes", ++ FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL ++ } ++ } + + + }; +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/122_1.12.13_RLC-fix-a-stack-overflow-in-rlc_decode_li-function.patch wireshark-1.12.1+g01b65bf/debian/patches/122_1.12.13_RLC-fix-a-stack-overflow-in-rlc_decode_li-function.patch --- wireshark-1.12.1+g01b65bf/debian/patches/122_1.12.13_RLC-fix-a-stack-overflow-in-rlc_decode_li-function.patch 1970-01-01 01:00:00.000000000 +0100 +++ 
wireshark-1.12.1+g01b65bf/debian/patches/122_1.12.13_RLC-fix-a-stack-overflow-in-rlc_decode_li-function.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,36 @@ +From 4efb64c856fbaaa6e078a5efdce4f4fa45891b6c Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Mon, 25 Jul 2016 09:54:06 +0200 +Subject: [PATCH 122/125] RLC: fix a stack overflow in rlc_decode_li function + +The test to check whether the array was full or not was off by 1 + +Bug: 12664 +Change-Id: If2057b71d92c7f03e05b0f4676abc62d5a03ae73 +Reviewed-on: https://code.wireshark.org/review/16640 +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +(cherry picked from commit 47a5fa850b388fcf4ea762073806f01b459820fe) +Reviewed-on: https://code.wireshark.org/review/16643 +(cherry picked from commit 604b8929f3ca540862de4f539fae848abb78dfb6) +Reviewed-on: https://code.wireshark.org/review/17019 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-rlc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-rlc.c b/epan/dissectors/packet-rlc.c +index 993210b..bc0d914 100644 +--- a/epan/dissectors/packet-rlc.c ++++ b/epan/dissectors/packet-rlc.c +@@ -1828,7 +1828,7 @@ rlc_decode_li(enum rlc_mode mode, tvbuff_t *tvb, packet_info *pinfo, proto_tree + li[num_li].tree = tree_add_li(mode, &li[num_li], num_li, li_offs, li_on_2_bytes, tvb, tree); + num_li++; + +- if (num_li > max_li) { ++ if (num_li >= max_li) { + /* OK, so this is not really a malformed packet, but for now, + * we will treat it as such, so that it is marked in some way */ + expert_add_info(pinfo, li[num_li-1].tree, &ei_rlc_li_too_many); +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/123_1.12.13_RLC-fix-a-variable-overflow-in-rlc_decode_li-functio.patch wireshark-1.12.1+g01b65bf/debian/patches/123_1.12.13_RLC-fix-a-variable-overflow-in-rlc_decode_li-functio.patch --- wireshark-1.12.1+g01b65bf/debian/patches/123_1.12.13_RLC-fix-a-variable-overflow-in-rlc_decode_li-functio.patch 1970-01-01 01:00:00.000000000 +0100 +++ 
wireshark-1.12.1+g01b65bf/debian/patches/123_1.12.13_RLC-fix-a-variable-overflow-in-rlc_decode_li-functio.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,53 @@ +From 810a141bafdf81fc817617d092da77ebbf8ca6d1 Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Mon, 25 Jul 2016 09:37:25 +0200 +Subject: [PATCH 123/125] RLC: fix a variable overflow in rlc_decode_li + function + +Bug: 12660 +Change-Id: I20a423eb9aa72383ac28d176bc60751ed36be9bd +Reviewed-on: https://code.wireshark.org/review/16639 +Petri-Dish: Pascal Quantin <pascal.quan...@gmail.com> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +(cherry picked from commit 6cf9616df68a4db7e436bb77392586ff9ad84feb) +Reviewed-on: https://code.wireshark.org/review/16647 +(cherry picked from commit 8f1600761647583dc24a72fde6d614283ec779ab) +Reviewed-on: https://code.wireshark.org/review/17020 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-rlc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/epan/dissectors/packet-rlc.c b/epan/dissectors/packet-rlc.c +index bc0d914..a448184 100644 +--- a/epan/dissectors/packet-rlc.c ++++ b/epan/dissectors/packet-rlc.c +@@ -674,12 +674,12 @@ add_description(proto_item *li_ti, proto_item *length_ti, + + /* add information for an LI to 'tree' */ + static proto_tree * +-tree_add_li(enum rlc_mode mode, struct rlc_li *li, guint8 li_idx, guint8 hdr_offs, ++tree_add_li(enum rlc_mode mode, struct rlc_li *li, guint8 li_idx, guint32 hdr_offs, + gboolean li_is_on_2_bytes, tvbuff_t *tvb, proto_tree *tree) + { + proto_item *root_ti, *ti; + proto_tree *li_tree; +- guint8 li_offs; ++ guint32 li_offs; + guint64 length; + + if (!tree) return NULL; +@@ -1712,7 +1712,8 @@ static gint16 + rlc_decode_li(enum rlc_mode mode, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + struct rlc_li *li, guint8 max_li, gboolean li_on_2_bytes) + { +- guint8 ext, hdr_len, offs = 0, num_li = 0, li_offs; ++ guint32 hdr_len, offs = 0, li_offs; ++ guint8 ext, num_li = 0; + guint16 next_bytes, prev_li 
= 0; + proto_item *malformed; + guint16 total_len; +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/124_1.12.13_LDSS-check-if-a-conversation-already-exists-before-r.patch wireshark-1.12.1+g01b65bf/debian/patches/124_1.12.13_LDSS-check-if-a-conversation-already-exists-before-r.patch --- wireshark-1.12.1+g01b65bf/debian/patches/124_1.12.13_LDSS-check-if-a-conversation-already-exists-before-r.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/124_1.12.13_LDSS-check-if-a-conversation-already-exists-before-r.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,61 @@ +From b49c8d37528d3cb6fee8e8576406b5cbaf039a39 Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Mon, 25 Jul 2016 13:32:45 +0200 +Subject: [PATCH 124/125] LDSS: check if a conversation already exists before + recreating it + +Bug: 12662 +Change-Id: I81d91d54544e5865336dc08ffda9fe109fc643ed +Reviewed-on: https://code.wireshark.org/review/16660 +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +Petri-Dish: Pascal Quantin <pascal.quan...@gmail.com> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Anders Broman <a.broma...@gmail.com> +(cherry picked from commit 5a469ddc893f7c1912d0e15cc73bd3011e6cc2fb) +Reviewed-on: https://code.wireshark.org/review/16663 +(cherry picked from commit e347b39b46e9a90c6d6d55d86768883fb6672589) +Reviewed-on: https://code.wireshark.org/review/17021 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-ldss.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/epan/dissectors/packet-ldss.c b/epan/dissectors/packet-ldss.c +index 8fd83c1..3e6adc4 100644 +--- a/epan/dissectors/packet-ldss.c ++++ b/epan/dissectors/packet-ldss.c +@@ -219,17 +219,20 @@ static unsigned int highest_num_seen = 0; + static void + prepare_ldss_transfer_conv(ldss_broadcast_t *broadcast) + { +- conversation_t *transfer_conv; +- ldss_transfer_info_t *transfer_info; +- +- transfer_info = wmem_new0(wmem_file_scope(), ldss_transfer_info_t); +- transfer_info->broadcast = broadcast; +- +- /* Preparation for later push/pull dissection */ +- transfer_conv = conversation_new (broadcast->num, &broadcast->broadcaster->addr, &broadcast->broadcaster->addr, +- PT_TCP, broadcast->broadcaster->port, broadcast->broadcaster->port, NO_ADDR2|NO_PORT2); +- conversation_add_proto_data(transfer_conv, proto_ldss, transfer_info); +- conversation_set_dissector(transfer_conv, ldss_tcp_handle); ++ if (!find_conversation(broadcast->num, 
&broadcast->broadcaster->addr, &broadcast->broadcaster->addr, ++ PT_TCP, broadcast->broadcaster->port, broadcast->broadcaster->port, NO_ADDR2|NO_PORT2)) { ++ conversation_t *transfer_conv; ++ ldss_transfer_info_t *transfer_info; ++ ++ transfer_info = wmem_new0(wmem_file_scope(), ldss_transfer_info_t); ++ transfer_info->broadcast = broadcast; ++ ++ /* Preparation for later push/pull dissection */ ++ transfer_conv = conversation_new (broadcast->num, &broadcast->broadcaster->addr, &broadcast->broadcaster->addr, ++ PT_TCP, broadcast->broadcaster->port, broadcast->broadcaster->port, NO_ADDR2|NO_PORT2); ++ conversation_add_proto_data(transfer_conv, proto_ldss, transfer_info); ++ conversation_set_dissector(transfer_conv, ldss_tcp_handle); ++ } + } + + /* Broadcasts are searches, offers or promises. +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/125_1.12.13_proto.c-add-bounds-check-to-proto_tree_add_text-_val.patch wireshark-1.12.1+g01b65bf/debian/patches/125_1.12.13_proto.c-add-bounds-check-to-proto_tree_add_text-_val.patch --- wireshark-1.12.1+g01b65bf/debian/patches/125_1.12.13_proto.c-add-bounds-check-to-proto_tree_add_text-_val.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/125_1.12.13_proto.c-add-bounds-check-to-proto_tree_add_text-_val.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,62 @@ +From 787933902b7063428ee8b425afe6bfb30f247470 Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Mon, 25 Jul 2016 11:19:05 +0200 +Subject: [PATCH 125/125] proto.c: add bounds check to + proto_tree_add_text(_valist) + +Bug: 12659 +Change-Id: I44cb3ce8e647ae2816d5ffa95435068c435a1e5c +Reviewed-on: https://code.wireshark.org/review/16648 +Petri-Dish: Pascal Quantin <pascal.quan...@gmail.com> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +Reviewed-by: Anders Broman <a.broma...@gmail.com> +(cherry picked from commit 56706427f53cc64793870bf072c2c06248ae88f3) +Conflicts: + epan/proto.c +Reviewed-on: https://code.wireshark.org/review/16697 +Reviewed-by: Michael Mann <mman...@netscape.net> +(cherry picked from commit 32abb637139699bb329719ae68fdb65a7258f1bf) +Reviewed-on: https://code.wireshark.org/review/17022 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/proto.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/epan/proto.c b/epan/proto.c +index 2f8d387..a8038c0 100644 +--- a/epan/proto.c ++++ b/epan/proto.c +@@ -1119,6 +1119,14 @@ proto_tree_add_text(proto_tree *tree, tvbuff_t *tvb, gint start, gint length, + va_list ap; + header_field_info *hfinfo; + ++ if (length == -1) { ++ /* If we're fetching until the end of the TVB, only validate ++ * that the offset is within range. ++ */ ++ length = 0; ++ } ++ tvb_ensure_bytes_exist(tvb, start, length); ++ + TRY_TO_FAKE_THIS_ITEM(tree, hf_text_only, hfinfo); + + pi = proto_tree_add_text_node(tree, tvb, start, length); +@@ -1140,6 +1148,14 @@ proto_tree_add_text_valist(proto_tree *tree, tvbuff_t *tvb, gint start, + proto_item *pi; + header_field_info *hfinfo; + ++ if (length == -1) { ++ /* If we're fetching until the end of the TVB, only validate ++ * that the offset is within range. 
++ */ ++ length = 0; ++ } ++ tvb_ensure_bytes_exist(tvb, start, length); ++ + TRY_TO_FAKE_THIS_ITEM(tree, hf_text_only, hfinfo); + + pi = proto_tree_add_text_node(tree, tvb, start, length); +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch wireshark-1.12.1+g01b65bf/debian/patches/126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch --- wireshark-1.12.1+g01b65bf/debian/patches/126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch 2016-08-12 20:29:06.000000000 +0200 
@@ -0,0 +1,73 @@ +From 301713bf64c12dea1239471e8df4577f9335f27a Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Thu, 28 Jul 2016 19:56:56 +0200 +Subject: [PATCH] proto.c: do not perform bound checks in + proto_tree_add_text(_valist)_internal if tvb is NULL + +As seen in bug 12676, some buggy dissectors do not systematically provide a tvb when calling proto_tree_add_XXX functions. +On stable branch, let's deactivate the bound checks in that case. + +Bug: 12676 +Change-Id: Ia3cf0b0972c127f34feca2e097e0ec1fd1753b23 +Reviewed-on: https://code.wireshark.org/review/16752 +Petri-Dish: Pascal Quantin <pascal.quan...@gmail.com> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +(cherry picked from commit 8c7ab5f2b2c18f23c1baa856e30ff8dcb0b7151c) +Reviewed-on: https://code.wireshark.org/review/17024 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/proto.c | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/epan/proto.c b/epan/proto.c +index a8038c0..d4346b5 100644 +--- a/epan/proto.c ++++ b/epan/proto.c +@@ -1119,13 +1119,15 @@ proto_tree_add_text(proto_tree *tree, tvbuff_t *tvb, gint start, gint length, + va_list ap; + header_field_info *hfinfo; + +- if (length == -1) { +- /* If we're fetching until the end of the TVB, only validate +- * that the offset is within range. +- */ +- length = 0; ++ if (tvb) { ++ if (length == -1) { ++ /* If we're fetching until the end of the TVB, only validate ++ * that the offset is within range. 
++ */ ++ length = 0; ++ } ++ tvb_ensure_bytes_exist(tvb, start, length); + } +- tvb_ensure_bytes_exist(tvb, start, length); + + TRY_TO_FAKE_THIS_ITEM(tree, hf_text_only, hfinfo); + +@@ -1148,13 +1150,15 @@ proto_tree_add_text_valist(proto_tree *tree, tvbuff_t *tvb, gint start, + proto_item *pi; + header_field_info *hfinfo; + +- if (length == -1) { +- /* If we're fetching until the end of the TVB, only validate +- * that the offset is within range. +- */ +- length = 0; ++ if (tvb) { ++ if (length == -1) { ++ /* If we're fetching until the end of the TVB, only validate ++ * that the offset is within range. ++ */ ++ length = 0; ++ } ++ tvb_ensure_bytes_exist(tvb, start, length); + } +- tvb_ensure_bytes_exist(tvb, start, length); + + TRY_TO_FAKE_THIS_ITEM(tree, hf_text_only, hfinfo); + +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/series wireshark-1.12.1+g01b65bf/debian/patches/series --- wireshark-1.12.1+g01b65bf/debian/patches/series 2016-06-26 20:34:08.000000000 +0200 +++ wireshark-1.12.1+g01b65bf/debian/patches/series 2016-08-12 20:29:06.000000000 +0200 @@ -108,3 +108,12 @@ 115_1.12.12_802.11_Make-sure-EAPOL-body-is-big-enough-for-a-EAPOL_RSN_K.patch 116_1.12.12_802.11_Fix-previous-change.patch 117_1.12.9_802.11_airpdcap-Don-t-return-error-from-function-returning-.patch +118_1.12.13_dissect_nds_request-Add-NULL-check.patch +119_1.12.13_packetbb-Prevent-divide-by-0.patch +120_1.12.13_packet-wsp.c-Fix-infinite-loop-in-add_headers.patch +121_1.12.13_MMSE-remove-proto_tree_add_text-calls.patch +122_1.12.13_RLC-fix-a-stack-overflow-in-rlc_decode_li-function.patch +123_1.12.13_RLC-fix-a-variable-overflow-in-rlc_decode_li-functio.patch +124_1.12.13_LDSS-check-if-a-conversation-already-exists-before-r.patch +125_1.12.13_proto.c-add-bounds-check-to-proto_tree_add_text-_val.patch +126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch
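Review bot: in the debian/changelog hunk the new deb7u3 entry is urgency=medium while the previous wheezy-security entry (deb7u2, visible as trailing context) is urgency=high; this upload closes eight CVEs, all reachable by feeding a crafted capture or live traffic to a dissector, so it should carry urgency=high like its predecessor, or the entry should say why the lower urgency is deliberate.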
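Review bot: in 118_1.12.13_dissect_nds_request-Add-NULL-check.patch the guard `if (ptvc != NULL)` is added only around the final `ptvcursor_free(ptvc)`; nothing in the hunk shows which path leaves `ptvc` NULL at that point, so please confirm that no earlier use of `ptvc` in dissect_nds_request on the same path (before the `switch` whose `break` opens this hunk) dereferences it, otherwise the crash only moves. A sentence in the patch header naming that path would make the Wheezy backport verifiable without re-reading packet-ncp2222.inc; an alternative that protects every caller would be to make ptvcursor_free itself tolerate NULL, which is a larger change than a stable branch wants.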
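Review bot: in 119_1.12.13_packetbb-Prevent-divide-by-0.patch the new `if (c > 0)` test only catches the exact case indexEnd == indexStart - 1: because `c` is now `guint`, any indexEnd further below indexStart wraps `indexEnd - indexStart + 1` to a large value, so `length/c` is 0 and the guard passes (the `for` loop then does not run because `i` starts above indexEnd, so this is harmless but obscure). Testing the inputs directly, `if (indexEnd >= indexStart) {`, states the intent and covers both cases. The change of `c` from `guint8` to `guint` is the part that actually removes the division by zero when the index range spans 256 values, since the old 8-bit `c` truncated that to 0 (assuming indexStart/indexEnd are 8-bit fields, which the hunk does not show); the commit message should say so rather than only "Prevent divide by 0".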
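Review bot: in 120_1.12.13_packet-wsp.c-Fix-infinite-loop-in-add_headers.patch the two new tests `if (save_offset <= offset) { break; }` contradict the comment above them ("Make sure we're progressing forward"): `save_offset` holds the offset before the handler call, so the condition is true exactly when the handler advanced `offset` or left it unchanged, and the loop is left after the first well-known header on every normal packet; only a handler that moved `offset` backwards would keep the loop running. The no-progress case (offset == save_offset) is caught, so the infinite loop is closed, but at the cost of decoding at most one well-known header per add_headers call unless the surrounding loop re-derives `offset` elsewhere. The test should read `if (save_offset >= offset)` in both the default and the Openwave code-page branch. The header also records `# Conflicts: epan/dissectors/packet-wsp.c`, so this backport deserves a side-by-side check against the upstream commit before upload.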
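Review bot: in 121_1.12.13_MMSE-remove-proto_tree_add_text-calls.patch the header says only that it backports the master-2.0 change, not how swapping `proto_tree_add_text` for the typed `proto_tree_add_uint_format`/`_string_format`/`_bytes_format` calls ends the infinite loop of bug 12624; the three branches still compute `length` exactly as before (`length = 1`, `get_text_string(...)`, `1 + tvb_get_guint8(tvb, offset)`), so the fix must rely on the typed functions raising a bounds exception where `proto_tree_add_text` silently accepted an out-of-range item. Please state that in the header, because it is the property a reviewer has to confirm against this branch's proto.c. Also, the `NULL` passed as the value to `proto_tree_add_bytes_format` relies on that function fetching the bytes from the tvb itself when the pointer is NULL; a short comment at the call would spare the next reader the trip into proto.c.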
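Review bot: in 122_1.12.13_RLC-fix-a-stack-overflow-in-rlc_decode_li-function.patch changing `num_li > max_li` to `num_li >= max_li` does stop the store into `li[max_li]` on the next pass, but the test still runs after `li[num_li].tree = tree_add_li(...)` and `num_li++`, so a PDU with exactly `max_li` length indicators, which fits the array, is now flagged with `ei_rlc_li_too_many` (the existing comment already concedes it is "not really a malformed packet"). If exactly max_li entries should stay valid, move the test ahead of the store and raise the expert info only when a further LI would not fit; if the array is deliberately sized with one spare slot, say so in the header.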
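Review bot: in 123_1.12.13_RLC-fix-a-variable-overflow-in-rlc_decode_li-functio.patch the header says "variable overflow" without naming the variable or the effect; from the hunk it is `offs`, `hdr_len` and `li_offs` (formerly `guint8`) that could wrap once enough 2-byte LIs pushed the header offset past 255, and the header should say that a wrapped offset makes later tvb reads land earlier in the PDU instead of failing. Keeping `num_li` and the `li_idx` parameter of tree_add_li at `guint8` is consistent with `max_li`, but rlc_decode_li returns `gint16` and the neighbouring `total_len`/`next_bytes` are `guint16`, so please confirm the now 32-bit `hdr_len` is not narrowed again on the way out.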
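Review bot: in 124_1.12.13_LDSS-check-if-a-conversation-already-exists-before-r.patch, when `find_conversation` returns an existing conversation the function now returns without touching it, so the `ldss_transfer_info_t` attached by the first broadcast stays in place and later broadcasts with the same address/port are ignored for the push/pull dissection; `find_conversation` is called with `broadcast->num`, so any earlier-frame conversation with matching address and port qualifies. If keeping the first broadcast's data is intended, say so in the header; if the newest broadcast should win, the existing conversation's proto data needs updating rather than skipping the whole block. Re-creating the conversation per broadcast was the crash, so either way the hunk fixes the CVE.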
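Review bot: in 125_1.12.13_proto.c-add-bounds-check-to-proto_tree_add_text-_val.patch the `length = 0` written for the `length == -1` case is not a temporary: the same `length` is then passed to `proto_tree_add_text_node(tree, tvb, start, length)` in both functions, so every text item added with length -1 ("to the end of the tvb") now highlights zero bytes instead of the remainder of the buffer. Validate with a separate value and keep the caller's length for the node, for example `tvb_ensure_bytes_exist(tvb, start, length == -1 ? 0 : length);`. Independently, `tvb_ensure_bytes_exist` is now reached with whatever `tvb` the caller supplied, and the later 126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch in this series shows that some dissectors pass NULL; the two patches should be reviewed as one change.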
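Review bot: in 126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch the `if (tvb)` wrapper is repeated verbatim in proto_tree_add_text and proto_tree_add_text_valist; a small static helper (check, then return the length to use) would keep the two in step, which matters because the `length = 0` assignment inside the wrapper still overwrites a -1 "to end of tvb" length before it reaches `proto_tree_add_text_node`. Skipping the check for a NULL tvb is the right stable-branch compromise the header describes, but the header should list the dissector from bug 12676 that triggered it so the regression can be covered by a capture in the test suite.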
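Review bot: in the debian/patches/series hunk the last entry, 126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch, is the only new file without the `1.12.13_` release tag the others carry; that is consistent with the changelog calling it a cherry-picked regression fix, but a comment in the changelog entry saying which upstream branch it comes from would keep the naming convention self-explanatory for the next uploader.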