Hi,

I have prepared an update for wireshark in Wheezy.
Please see the diff to the previous version attached. A practically identical changeset has already been accepted to jessie-security.

Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
 .
   * security fixes from Wireshark 2.0.6:
     - The H.225 dissector could crash (CVE-2016-7176)
     - The Catapult DCT2000 dissector could crash (CVE-2016-7177)
     - The UMTS FP dissector could crash (CVE-2016-7178)
     - The Catapult DCT2000 dissector could crash (CVE-2016-7179)
     - The IPMI trace dissector could crash (CVE-2016-7180)

I plan to upload the package tomorrow around noon UTC.

Cheers,
Balint

diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog --- wireshark-1.12.1+g01b65bf/debian/changelog 2016-08-14 16:20:37.000000000 +0200 +++ wireshark-1.12.1+g01b65bf/debian/changelog 2016-09-20 18:05:25.000000000 +0200 @@ -1,3 +1,14 @@ +wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium + + * security fixes from Wireshark 2.0.6: + - The H.225 dissector could crash (CVE-2016-7176) + - The Catapult DCT2000 dissector could crash (CVE-2016-7177) + - The UMTS FP dissector could crash (CVE-2016-7178) + - The Catapult DCT2000 dissector could crash (CVE-2016-7179) + - The IPMI trace dissector could crash (CVE-2016-7180) + + -- Balint Reczey <bal...@balintreczey.hu> Tue, 20 Sep 2016 18:05:16 +0200 + wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium * security fixes from Wireshark 1.12.13: diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch --- wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch 2016-09-20 18:04:38.000000000 +0200 
@@ -0,0 +1,695 @@ +From 8b20fac0cdcbeb0266caf5307600e1e1f4912b99 Mon Sep 17 00:00:00 2001 +From: Guy Harris <g...@alum.mit.edu> +Date: Tue, 2 Aug 2016 20:39:34 -0700 +Subject: [PATCH 127/131] Don't snprintf() into a string with one of the + arguments being the same string. + +That doesn't work - you could be writing into the string from which +you're reading. + +Conflicts: + asn1/h225/h225.cnf + epan/dissectors/packet-h225.c + +Bug: 12700 + +Change-Id: I2fc6416e0613791dcd37ef70dbf00aae159008de +Reviewed-on: https://code.wireshark.org/review/16852 +Reviewed-by: Guy Harris <g...@alum.mit.edu> +Reviewed-on: https://code.wireshark.org/review/17800 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + asn1/h225/h225.cnf | 58 +++++++++------ + epan/dissectors/packet-h225.c | 168 +++++++++++++++++++++++------------------- + 2 files changed, 127 insertions(+), 99 deletions(-) + +diff --git a/asn1/h225/h225.cnf b/asn1/h225/h225.cnf +index 2bece14..a6ad36b 100644 +--- a/asn1/h225/h225.cnf ++++ b/asn1/h225/h225.cnf +@@ -274,8 +274,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + dissect_h245_FastStart_OLC(value_tvb, %(ACTX)s->pinfo, tree, codec_str); + } + +- /* Add to packet info */ +- g_snprintf(h225_pi->frame_label, 50, "%%s %%s", h225_pi->frame_label, codec_str); ++ /* Add to packet info */ ++ { ++ char temp[50]; ++ g_snprintf(temp, 50, "%%s %%s", h225_pi->frame_label, codec_str); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } + + contains_faststart = TRUE; + h225_pi->is_faststart = TRUE; +@@ -362,10 +366,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + #.FN_FTR Progress-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_PROGRESS; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, 
T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + #.END + #---------------------------------------------------------------------------------------- + #.FN_FTR SetupAcknowledge-UUIE +@@ -389,28 +395,34 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + #.FN_FTR Setup-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_SETUP; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + #.END + #---------------------------------------------------------------------------------------- + #.FN_FTR CallProceeding-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_CALL_PROCEDING; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, 
T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + #.END + #---------------------------------------------------------------------------------------- + #.FN_FTR Alerting-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_ALERTING; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + #.END + #---------------------------------------------------------------------------------------- + #.FN_FTR ReleaseComplete-UUIE +@@ -422,10 +434,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + #.FN_FTR Connect-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_CONNECT; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", 
val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + #.END + #---------------------------------------------------------------------------------------- + #.FN_HDR H245TransportAddress +diff --git a/epan/dissectors/packet-h225.c b/epan/dissectors/packet-h225.c +index ae708fd..07bbace 100644 +--- a/epan/dissectors/packet-h225.c ++++ b/epan/dissectors/packet-h225.c +@@ -1182,7 +1182,7 @@ dissect_h225_ProtocolIdentifier(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *a + + static int + dissect_h225_T_h245Ip(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 322 "../../asn1/h225/h225.cnf" ++#line 326 "../../asn1/h225/h225.cnf" + tvbuff_t *value_tvb; + + ipv4_address = 0; +@@ -1422,7 +1422,7 @@ static const per_sequence_t H221NonStandard_sequence[] = { + + static int + dissect_h225_H221NonStandard(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 610 "../../asn1/h225/h225.cnf" ++#line 624 "../../asn1/h225/h225.cnf" + t35CountryCode = 0; + t35Extension = 0; + manufacturerCode = 0; +@@ -1430,7 +1430,7 @@ dissect_h225_H221NonStandard(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_H221NonStandard, H221NonStandard_sequence); + +-#line 614 "../../asn1/h225/h225.cnf" ++#line 628 "../../asn1/h225/h225.cnf" + h221NonStandard = ((t35CountryCode * 256) + t35Extension) * 65536 + manufacturerCode; + proto_tree_add_uint(tree, hf_h221Manufacturer, tvb, (offset>>3)-4, 4, h221NonStandard); + +@@ -1452,7 +1452,7 @@ static const per_choice_t NonStandardIdentifier_choice[] = { + + static int + dissect_h225_NonStandardIdentifier(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 591 "../../asn1/h225/h225.cnf" ++#line 605 "../../asn1/h225/h225.cnf" + gint32 value; + + nsiOID = ""; +@@ -1481,7 +1481,7 @@ 
dissect_h225_NonStandardIdentifier(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t + + static int + dissect_h225_T_nsp_data(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 625 "../../asn1/h225/h225.cnf" ++#line 639 "../../asn1/h225/h225.cnf" + tvbuff_t *next_tvb = NULL; + + offset = dissect_per_octet_string(tvb, offset, actx, tree, hf_index, +@@ -1504,7 +1504,7 @@ static const per_sequence_t NonStandardParameter_sequence[] = { + + int + dissect_h225_NonStandardParameter(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 623 "../../asn1/h225/h225.cnf" ++#line 637 "../../asn1/h225/h225.cnf" + nsp_handle = NULL; + + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, +@@ -1538,7 +1538,7 @@ static const per_choice_t H245TransportAddress_choice[] = { + + static int + dissect_h225_H245TransportAddress(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 432 "../../asn1/h225/h225.cnf" ++#line 446 "../../asn1/h225/h225.cnf" + ipv4_address=0; + ipv4_port=0; + +@@ -1547,7 +1547,7 @@ dissect_h225_H245TransportAddress(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t + ett_h225_H245TransportAddress, H245TransportAddress_choice, + NULL); + +-#line 438 "../../asn1/h225/h225.cnf" ++#line 452 "../../asn1/h225/h225.cnf" + /* we need this info for TAPing */ + h225_pi->is_h245 = TRUE; + h225_pi->h245_address = ipv4_address; +@@ -1574,7 +1574,7 @@ dissect_h225_H245TransportAddress(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t + + static int + dissect_h225_DialedDigits(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 304 "../../asn1/h225/h225.cnf" ++#line 308 "../../asn1/h225/h225.cnf" + tvbuff_t *value_tvb = NULL; + guint len = 0; + +@@ -1891,7 +1891,7 @@ dissect_h225_PartyNumber(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + + static int + 
dissect_h225_TBCD_STRING(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 717 "../../asn1/h225/h225.cnf" ++#line 731 "../../asn1/h225/h225.cnf" + int min_len, max_len; + gboolean has_extension; + +@@ -2690,13 +2690,13 @@ static const per_sequence_t TunnelledProtocol_sequence[] = { + + int + dissect_h225_TunnelledProtocol(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 568 "../../asn1/h225/h225.cnf" ++#line 582 "../../asn1/h225/h225.cnf" + tpOID = ""; + + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_TunnelledProtocol, TunnelledProtocol_sequence); + +-#line 570 "../../asn1/h225/h225.cnf" ++#line 584 "../../asn1/h225/h225.cnf" + tp_handle = dissector_get_string_handle(tp_dissector_table, tpOID); + + return offset; +@@ -2874,7 +2874,7 @@ dissect_h225_CallType(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, p + + static int + dissect_h225_T_guid(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 542 "../../asn1/h225/h225.cnf" ++#line 556 "../../asn1/h225/h225.cnf" + tvbuff_t *guid_tvb = NULL; + + actx->value_ptr = &guid_tvb; +@@ -3100,8 +3100,12 @@ dissect_h225_FastStart_item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx + dissect_h245_FastStart_OLC(value_tvb, actx->pinfo, tree, codec_str); + } + +- /* Add to packet info */ +- g_snprintf(h225_pi->frame_label, 50, "%s %s", h225_pi->frame_label, codec_str); ++ /* Add to packet info */ ++ { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s %s", h225_pi->frame_label, codec_str); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } + + contains_faststart = TRUE; + h225_pi->is_faststart = TRUE; +@@ -3677,7 +3681,7 @@ dissect_h225_CircuitIdentifier(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac + + static int + dissect_h225_T_standard(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, 
int hf_index _U_) { +-#line 681 "../../asn1/h225/h225.cnf" ++#line 695 "../../asn1/h225/h225.cnf" + guint32 value_int = (guint32)-1; + gef_ctx_t *gefx; + +@@ -3695,7 +3699,7 @@ dissect_h225_T_standard(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + + static int + dissect_h225_T_oid(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 690 "../../asn1/h225/h225.cnf" ++#line 704 "../../asn1/h225/h225.cnf" + const gchar *oid_str = NULL; + gef_ctx_t *gefx; + +@@ -3725,14 +3729,14 @@ static const per_choice_t GenericIdentifier_choice[] = { + + int + dissect_h225_GenericIdentifier(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 668 "../../asn1/h225/h225.cnf" ++#line 682 "../../asn1/h225/h225.cnf" + gef_ctx_t *gefx; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, + ett_h225_GenericIdentifier, GenericIdentifier_choice, + NULL); + +-#line 670 "../../asn1/h225/h225.cnf" ++#line 684 "../../asn1/h225/h225.cnf" + gef_ctx_update_key(gef_ctx_get(actx->private_data)); + /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG GenericIdentifier: %s", gef_ctx_get(actx->private_data)->key);*/ + gefx = gef_ctx_get(actx->private_data); +@@ -3749,7 +3753,7 @@ dissect_h225_GenericIdentifier(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac + + static int + dissect_h225_T_raw(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 700 "../../asn1/h225/h225.cnf" ++#line 714 "../../asn1/h225/h225.cnf" + tvbuff_t *value_tvb; + gef_ctx_t *gefx; + +@@ -3865,7 +3869,7 @@ static const per_sequence_t EnumeratedParameter_sequence[] = { + + static int + dissect_h225_EnumeratedParameter(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 650 "../../asn1/h225/h225.cnf" ++#line 664 "../../asn1/h225/h225.cnf" + gef_ctx_t *parent_gefx; + + 
parent_gefx = gef_ctx_get(actx->private_data); +@@ -3874,7 +3878,7 @@ dissect_h225_EnumeratedParameter(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t * + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_EnumeratedParameter, EnumeratedParameter_sequence); + +-#line 655 "../../asn1/h225/h225.cnf" ++#line 669 "../../asn1/h225/h225.cnf" + actx->private_data = parent_gefx; + + return offset; +@@ -3889,7 +3893,7 @@ static const per_sequence_t GenericData_sequence[] = { + + int + dissect_h225_GenericData(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 636 "../../asn1/h225/h225.cnf" ++#line 650 "../../asn1/h225/h225.cnf" + void *priv_data = actx->private_data; + gef_ctx_t *gefx; + +@@ -3903,7 +3907,7 @@ dissect_h225_GenericData(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_GenericData, GenericData_sequence); + +-#line 646 "../../asn1/h225/h225.cnf" ++#line 660 "../../asn1/h225/h225.cnf" + actx->private_data = priv_data; + + return offset; +@@ -3942,13 +3946,13 @@ dissect_h225_CircuitInfo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + + static int + dissect_h225_FeatureDescriptor(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 660 "../../asn1/h225/h225.cnf" ++#line 674 "../../asn1/h225/h225.cnf" + void *priv_data = actx->private_data; + actx->private_data = gef_ctx_alloc(NULL, "FeatureDescriptor"); + + offset = dissect_h225_GenericData(tvb, offset, actx, tree, hf_index); + +-#line 663 "../../asn1/h225/h225.cnf" ++#line 677 "../../asn1/h225/h225.cnf" + actx->private_data = priv_data; + + return offset; +@@ -3971,7 +3975,7 @@ dissect_h225_SEQUENCE_OF_FeatureDescriptor(tvbuff_t *tvb _U_, int offset _U_, as + + static int + dissect_h225_ParallelH245Control_item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, 
int hf_index _U_) { +-#line 333 "../../asn1/h225/h225.cnf" ++#line 337 "../../asn1/h225/h225.cnf" + tvbuff_t *h245_tvb = NULL; + + offset = dissect_per_octet_string(tvb, offset, actx, tree, hf_index, +@@ -4121,19 +4125,21 @@ static const per_sequence_t Setup_UUIE_sequence[] = { + + static int + dissect_h225_Setup_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 386 "../../asn1/h225/h225.cnf" ++#line 392 "../../asn1/h225/h225.cnf" + contains_faststart = FALSE; + + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_Setup_UUIE, Setup_UUIE_sequence); + +-#line 390 "../../asn1/h225/h225.cnf" ++#line 396 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_SETUP; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + + return offset; + } +@@ -4177,13 +4183,15 @@ dissect_h225_CallProceeding_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t * + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_CallProceeding_UUIE, CallProceeding_UUIE_sequence); + +-#line 399 "../../asn1/h225/h225.cnf" ++#line 407 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_CALL_PROCEDING; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, 
"<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + + return offset; + } +@@ -4218,13 +4226,15 @@ dissect_h225_Connect_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_Connect_UUIE, Connect_UUIE_sequence); + +-#line 423 "../../asn1/h225/h225.cnf" ++#line 435 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_CONNECT; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + + return offset; + } +@@ -4257,13 +4267,15 @@ dissect_h225_Alerting_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _ + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_Alerting_UUIE, Alerting_UUIE_sequence); + +-#line 408 "../../asn1/h225/h225.cnf" ++#line 418 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_ALERTING; +- if (contains_faststart == TRUE ) +- 
g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + + return offset; + } +@@ -4285,7 +4297,7 @@ dissect_h225_Information_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *act + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_Information_UUIE, Information_UUIE_sequence); + +-#line 357 "../../asn1/h225/h225.cnf" ++#line 361 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_INFORMATION; + g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); +@@ -4404,7 +4416,7 @@ static const per_choice_t ReleaseCompleteReason_choice[] = { + + int + dissect_h225_ReleaseCompleteReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 535 "../../asn1/h225/h225.cnf" ++#line 549 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -4440,7 +4452,7 @@ dissect_h225_ReleaseComplete_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_ReleaseComplete_UUIE, ReleaseComplete_UUIE_sequence); + +-#line 417 "../../asn1/h225/h225.cnf" ++#line 429 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_RELEASE_COMPLET; + g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, 
T_h323_message_body_vals, "<unknown>")); +@@ -4481,7 +4493,7 @@ static const per_choice_t FacilityReason_choice[] = { + + static int + dissect_h225_FacilityReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 459 "../../asn1/h225/h225.cnf" ++#line 473 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -4554,7 +4566,7 @@ dissect_h225_Facility_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _ + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_Facility_UUIE, Facility_UUIE_sequence); + +-#line 378 "../../asn1/h225/h225.cnf" ++#line 384 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_FACILITY; + g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); +@@ -4583,13 +4595,15 @@ dissect_h225_Progress_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _ + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_Progress_UUIE, Progress_UUIE_sequence); + +-#line 363 "../../asn1/h225/h225.cnf" ++#line 367 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_PROGRESS; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); +- else +- g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); ++ if (contains_faststart) { ++ char temp[50]; ++ g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>"), h225_pi->frame_label); ++ g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++ g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); + + return offset; + } +@@ -4600,7 +4614,7 @@ static int + 
dissect_h225_T_empty_flg(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { + offset = dissect_per_null(tvb, offset, actx, tree, hf_index); + +-#line 347 "../../asn1/h225/h225.cnf" ++#line 351 "../../asn1/h225/h225.cnf" + h225_pi->cs_type = H225_EMPTY; + + return offset; +@@ -4620,7 +4634,7 @@ dissect_h225_Status_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_Status_UUIE, Status_UUIE_sequence); + +-#line 351 "../../asn1/h225/h225.cnf" ++#line 355 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_STATUS; + g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); +@@ -4659,7 +4673,7 @@ dissect_h225_SetupAcknowledge_UUIE(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, + ett_h225_SetupAcknowledge_UUIE, SetupAcknowledge_UUIE_sequence); + +-#line 372 "../../asn1/h225/h225.cnf" ++#line 378 "../../asn1/h225/h225.cnf" + /* Add to packet info */ + h225_pi->cs_type = H225_SETUP_ACK; + g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "<unknown>")); +@@ -4763,7 +4777,7 @@ dissect_h225_T_h323_message_body(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t * + + static int + dissect_h225_T_h4501SupplementaryService_item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 556 "../../asn1/h225/h225.cnf" ++#line 570 "../../asn1/h225/h225.cnf" + tvbuff_t *h4501_tvb = NULL; + + offset = dissect_per_octet_string(tvb, offset, actx, tree, hf_index, +@@ -4803,7 +4817,7 @@ dissect_h225_T_h245Tunnelling(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *act + + static int + dissect_h225_H245Control_item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 340 
"../../asn1/h225/h225.cnf" ++#line 344 "../../asn1/h225/h225.cnf" + tvbuff_t *h245_tvb = NULL; + + offset = dissect_per_octet_string(tvb, offset, actx, tree, hf_index, +@@ -4860,7 +4874,7 @@ dissect_h225_CallLinkage(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_ + + static int + dissect_h225_T_messageContent_item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 578 "../../asn1/h225/h225.cnf" ++#line 592 "../../asn1/h225/h225.cnf" + tvbuff_t *next_tvb = NULL; + + offset = dissect_per_octet_string(tvb, offset, actx, tree, hf_index, +@@ -4896,7 +4910,7 @@ static const per_sequence_t T_tunnelledSignallingMessage_sequence[] = { + + static int + dissect_h225_T_tunnelledSignallingMessage(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 576 "../../asn1/h225/h225.cnf" ++#line 590 "../../asn1/h225/h225.cnf" + tp_handle = NULL; + + offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, +@@ -5744,7 +5758,7 @@ static const per_choice_t GatekeeperRejectReason_choice[] = { + + static int + dissect_h225_GatekeeperRejectReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 466 "../../asn1/h225/h225.cnf" ++#line 480 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -6046,7 +6060,7 @@ static const per_choice_t RegistrationRejectReason_choice[] = { + + static int + dissect_h225_RegistrationRejectReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 521 "../../asn1/h225/h225.cnf" ++#line 535 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -6109,7 +6123,7 @@ static const per_choice_t UnregRequestReason_choice[] = { + + static int + dissect_h225_UnregRequestReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t 
*actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 473 "../../asn1/h225/h225.cnf" ++#line 487 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -6194,7 +6208,7 @@ static const per_choice_t UnregRejectReason_choice[] = { + + static int + dissect_h225_UnregRejectReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 480 "../../asn1/h225/h225.cnf" ++#line 494 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -6254,7 +6268,7 @@ dissect_h225_CallModel(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, + + static int + dissect_h225_DestinationInfo_item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 299 "../../asn1/h225/h225.cnf" ++#line 303 "../../asn1/h225/h225.cnf" + + h225_pi->is_destinationInfo = TRUE; + +@@ -6462,7 +6476,7 @@ static const per_choice_t AdmissionRejectReason_choice[] = { + + static int + dissect_h225_AdmissionRejectReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 507 "../../asn1/h225/h225.cnf" ++#line 521 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -6594,7 +6608,7 @@ static const per_choice_t BandRejectReason_choice[] = { + + static int + dissect_h225_BandRejectReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 487 "../../asn1/h225/h225.cnf" ++#line 501 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -6646,7 +6660,7 @@ static const per_choice_t DisengageReason_choice[] = { + + static int + dissect_h225_DisengageReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 494 
"../../asn1/h225/h225.cnf" ++#line 508 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -6733,7 +6747,7 @@ static const per_choice_t DisengageRejectReason_choice[] = { + + static int + dissect_h225_DisengageRejectReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 500 "../../asn1/h225/h225.cnf" ++#line 514 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -6879,7 +6893,7 @@ static const per_choice_t LocationRejectReason_choice[] = { + + static int + dissect_h225_LocationRejectReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 514 "../../asn1/h225/h225.cnf" ++#line 528 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -7250,7 +7264,7 @@ static const per_choice_t InfoRequestNakReason_choice[] = { + + static int + dissect_h225_InfoRequestNakReason(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 528 "../../asn1/h225/h225.cnf" ++#line 542 "../../asn1/h225/h225.cnf" + gint32 value; + + offset = dissect_per_choice(tvb, offset, actx, tree, hf_index, +@@ -7461,7 +7475,7 @@ static const per_choice_t RasMessage_choice[] = { + + int + dissect_h225_RasMessage(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) { +-#line 285 "../../asn1/h225/h225.cnf" ++#line 289 "../../asn1/h225/h225.cnf" + gint32 rasmessage_value; + + call_id_guid = NULL; +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/128_2.0.6_DCT2000-fix-a-buffer-overflow-in-case-of-malformed-p.patch wireshark-1.12.1+g01b65bf/debian/patches/128_2.0.6_DCT2000-fix-a-buffer-overflow-in-case-of-malformed-p.patch --- 
wireshark-1.12.1+g01b65bf/debian/patches/128_2.0.6_DCT2000-fix-a-buffer-overflow-in-case-of-malformed-p.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/128_2.0.6_DCT2000-fix-a-buffer-overflow-in-case-of-malformed-p.patch 2016-09-20 18:04:38.000000000 +0200 
@@ -0,0 +1,39 @@ +From f6cd7ea19c4e29f34d15f9650db07a02f7b13f2c Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Tue, 16 Aug 2016 23:52:03 +0200 +Subject: [PATCH 128/131] DCT2000: fix a buffer overflow in case of malformed + packet + +Bug: 12750 +Change-Id: Iff20efa46e000ab4ae77b2edbcb0b9af4634508c +Reviewed-on: https://code.wireshark.org/review/17096 +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +Petri-Dish: Pascal Quantin <pascal.quan...@gmail.com> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Anders Broman <a.broma...@gmail.com> +(cherry picked from commit 2e37b271c473e1cbd01d62ebe1f3b011fc9fe638) +Reviewed-on: https://code.wireshark.org/review/17106 +(cherry picked from commit 2024fd0427a372e6e1d05f980d05430ef9c8c187) +Reviewed-on: https://code.wireshark.org/review/17798 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-catapult-dct2000.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/epan/dissectors/packet-catapult-dct2000.c b/epan/dissectors/packet-catapult-dct2000.c +index 2fa25b7..4cef69c 100644 +--- a/epan/dissectors/packet-catapult-dct2000.c ++++ b/epan/dissectors/packet-catapult-dct2000.c +@@ -1587,6 +1587,9 @@ static void attach_fp_info(packet_info *pinfo, gboolean received, const char *pr + + /* Number of channels (for coordinated channels) */ + p_fp_info->num_chans = outhdr_values[i++]; ++ if (p_fp_info->num_chans > MAX_FP_CHANS) { ++ p_fp_info->num_chans = MAX_FP_CHANS; ++ } + + /* EDCH-Common is always T2 */ + if (p_fp_info->channel == CHANNEL_EDCH_COMMON) { +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/129_2.0.6_FP-ensure-that-mac-and-rlc-structures-are-always-all.patch wireshark-1.12.1+g01b65bf/debian/patches/129_2.0.6_FP-ensure-that-mac-and-rlc-structures-are-always-all.patch --- wireshark-1.12.1+g01b65bf/debian/patches/129_2.0.6_FP-ensure-that-mac-and-rlc-structures-are-always-all.patch 1970-01-01 
01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/129_2.0.6_FP-ensure-that-mac-and-rlc-structures-are-always-all.patch 2016-09-20 18:04:38.000000000 +0200 
@@ -0,0 +1,108 @@ +From 8e3411505ad2a420d7ef96eb52f2b1c02b0c4380 Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Tue, 16 Aug 2016 23:11:12 +0200 +Subject: [PATCH 129/131] FP: ensure that mac and rlc structures are always + allocated + +Rather han checking everywhere that the RLC and MAC info are present in pinfo, +allocate a temporary structure that will be dropped once packet dissection is +over. + +Conflicts: + epan/dissectors/packet-umts_fp.c + +Bug: 12751 +Change-Id: I890430dd0c0b56d641777c15eedbf07fef082904 +Reviewed-on: https://code.wireshark.org/review/17094 +Petri-Dish: Pascal Quantin <pascal.quan...@gmail.com> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +(cherry picked from commit 315bba7c645b75af24215c6303d187b188610bba) +Reviewed-on: https://code.wireshark.org/review/17102 +Reviewed-on: https://code.wireshark.org/review/17801 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-umts_fp.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +diff --git a/epan/dissectors/packet-umts_fp.c b/epan/dissectors/packet-umts_fp.c +index ca9a346..b9461be 100644 +--- a/epan/dissectors/packet-umts_fp.c ++++ b/epan/dissectors/packet-umts_fp.c +@@ -2675,9 +2675,7 @@ dissect_e_dch_channel_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + ddi_ti = proto_tree_add_bits_ret_val(subframe_header_tree, hf_fp_edch_ddi, tvb, + offset*8 + bit_offset, 6, &ddi, ENC_BIG_ENDIAN); + +- if(rlcinf){ +- rlcinf->rbid[i] = (guint8)ddi; +- } ++ rlcinf->rbid[i] = (guint8)ddi; + /********************************/ + /* Look up data in higher layers*/ + /* Look up the size from this DDI value */ +@@ -2726,6 +2724,9 @@ dissect_e_dch_channel_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + bit_offset = 0; + + macinf = (umts_mac_info *)p_get_proto_data(wmem_file_scope(), pinfo, proto_umts_mac, 0); ++ if 
(!macinf) { ++ macinf = wmem_new0(wmem_packet_scope(), umts_mac_info); ++ } + /* Add subframe subtree */ + subframe_ti = proto_tree_add_string_format(tree, hf_fp_edch_subframe, tvb, offset, 0, + "", "Subframe %u data", subframes[n].subframe_number); +@@ -3115,7 +3116,13 @@ dissect_hsdsch_channel_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + rlc_info *rlcinf; + + rlcinf = (rlc_info *)p_get_proto_data(wmem_file_scope(), pinfo, proto_rlc, 0); ++ if (!rlcinf) { ++ rlcinf = wmem_new0(wmem_packet_scope(), rlc_info); ++ } + macinf = (umts_mac_info *)p_get_proto_data(wmem_file_scope(), pinfo, proto_umts_mac, 0); ++ if (!macinf) { ++ macinf = wmem_new0(wmem_packet_scope(), umts_mac_info); ++ } + + /**************************************/ + /* HS-DCH data here (type 1 in R7) */ +@@ -3317,7 +3324,14 @@ dissect_hsdsch_type_2_channel_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree + rlc_info *rlcinf; + + rlcinf = (rlc_info *)p_get_proto_data(wmem_file_scope(), pinfo, proto_rlc, 0); ++ if (!rlcinf) { ++ rlcinf = wmem_new0(wmem_packet_scope(), rlc_info); ++ } + macinf = (umts_mac_info *)p_get_proto_data(wmem_file_scope(), pinfo, proto_umts_mac, 0); ++ if (!macinf) { ++ macinf = wmem_new0(wmem_packet_scope(), umts_mac_info); ++ } ++ + /********************************/ + /* HS-DCH type 2 data here */ + +@@ -3555,7 +3569,13 @@ void dissect_hsdsch_common_channel_info(tvbuff_t *tvb, packet_info *pinfo, proto + rlc_info *rlcinf; + + rlcinf = (rlc_info *)p_get_proto_data(wmem_file_scope(), pinfo, proto_rlc, 0); ++ if (!rlcinf) { ++ rlcinf = wmem_new0(wmem_packet_scope(), rlc_info); ++ } + macinf = (umts_mac_info *)p_get_proto_data(wmem_file_scope(), pinfo, proto_umts_mac, 0); ++ if (!macinf) { ++ macinf = wmem_new0(wmem_packet_scope(), umts_mac_info); ++ } + /********************************/ + /* HS-DCH type 2 data here */ + +@@ -4267,6 +4287,9 @@ dissect_fp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + } + + rlcinf = (rlc_info 
*)p_get_proto_data(wmem_file_scope(), pinfo, proto_rlc, 0); ++ if (!rlcinf) { ++ rlcinf = wmem_new0(wmem_packet_scope(), rlc_info); ++ } + + /* Show release information */ + if (preferences_show_release_info) { +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/130_2.0.6_DCT2000-prevent-a-stack-buffer-overflow.patch wireshark-1.12.1+g01b65bf/debian/patches/130_2.0.6_DCT2000-prevent-a-stack-buffer-overflow.patch --- wireshark-1.12.1+g01b65bf/debian/patches/130_2.0.6_DCT2000-prevent-a-stack-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/130_2.0.6_DCT2000-prevent-a-stack-buffer-overflow.patch 2016-09-20 18:04:38.000000000 +0200 
@@ -0,0 +1,40 @@ +From 0d1a93def0350cf0f16f9a28cdc2e854b814eb25 Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Tue, 16 Aug 2016 23:40:25 +0200 +Subject: [PATCH 130/131] DCT2000: prevent a stack buffer overflow + +Conflicts: + epan/dissectors/packet-catapult-dct2000.c + +Bug: 12752 +Change-Id: I2007082909cea07314ac40d6db32ee9c2804ecdf +Reviewed-on: https://code.wireshark.org/review/17095 +Petri-Dish: Pascal Quantin <pascal.quan...@gmail.com> +Tested-by: Petri Dish Buildbot <buildbot-no-re...@wireshark.org> +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +(cherry picked from commit 3b97fbddc23c065727b0147aab52a27c4aadffe7) +Reviewed-on: https://code.wireshark.org/review/17104 +Reviewed-on: https://code.wireshark.org/review/17802 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-catapult-dct2000.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/packet-catapult-dct2000.c b/epan/dissectors/packet-catapult-dct2000.c +index 4cef69c..43149c6 100644 +--- a/epan/dissectors/packet-catapult-dct2000.c ++++ b/epan/dissectors/packet-catapult-dct2000.c +@@ -1406,8 +1406,8 @@ static void parse_outhdr_string(const guchar *outhdr_string, gint outhdr_string_ + guint d; + + /* Find digits */ +- for ( ; n < outhdr_string_len; n++) { +- if (!isdigit(outhdr_string[n])) { ++ for ( ; (n < outhdr_string_len) && (number_digits < MAX_OUTHDR_VALUES); n++) { ++ if (!g_ascii_isdigit(outhdr_string[n])) { + break; + } + else { +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/131_2.0.6_IPMI-do-not-use-col_set_str-with-non-const-strings.patch wireshark-1.12.1+g01b65bf/debian/patches/131_2.0.6_IPMI-do-not-use-col_set_str-with-non-const-strings.patch --- wireshark-1.12.1+g01b65bf/debian/patches/131_2.0.6_IPMI-do-not-use-col_set_str-with-non-const-strings.patch 1970-01-01 01:00:00.000000000 +0100 +++ 
wireshark-1.12.1+g01b65bf/debian/patches/131_2.0.6_IPMI-do-not-use-col_set_str-with-non-const-strings.patch 2016-09-20 18:04:38.000000000 +0200 @@ -0,0 +1,34 @@ +From d3df7f15f5562a73c312f9dce6099f4a44811cc0 Mon Sep 17 00:00:00 2001 +From: Pascal Quantin <pascal.quan...@gmail.com> +Date: Wed, 24 Aug 2016 08:10:27 +0200 +Subject: [PATCH 131/131] IPMI: do not use col_set_str with non const strings + +Bug: 12782 +Change-Id: Ia082ccf5355d7f8dd6073861c59c804fecc96266 +Reviewed-on: https://code.wireshark.org/review/17289 +Reviewed-by: Pascal Quantin <pascal.quan...@gmail.com> +(cherry picked from commit 5213496250aceff086404c568e3718ebc0060934) +Reviewed-on: https://code.wireshark.org/review/17291 +(cherry picked from commit 26daf4ae99b0dfb1e544c8250f36d7a00fd58dac) +Reviewed-on: https://code.wireshark.org/review/17799 +Reviewed-by: Balint Reczey <bal...@balintreczey.hu> +--- + epan/dissectors/packet-ipmi-trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-ipmi-trace.c b/epan/dissectors/packet-ipmi-trace.c +index fa5dc03..4139579 100755 +--- a/epan/dissectors/packet-ipmi-trace.c ++++ b/epan/dissectors/packet-ipmi-trace.c +@@ -303,7 +303,7 @@ dissect_ipmi_trace(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) + + + col_add_fstr(pinfo->cinfo, COL_DEF_SRC, "Channel %d", chn_num); +- col_set_str(pinfo->cinfo, COL_PROTOCOL, ++ col_add_str(pinfo->cinfo, COL_PROTOCOL, + val_to_str(data_type, str_protocol_types, + "Reserved (0x%02x)")); + +-- +2.1.4 + diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/series wireshark-1.12.1+g01b65bf/debian/patches/series --- wireshark-1.12.1+g01b65bf/debian/patches/series 2016-08-12 20:29:06.000000000 +0200 +++ wireshark-1.12.1+g01b65bf/debian/patches/series 2016-09-20 18:04:38.000000000 +0200 
@@ -117,3 +117,8 @@ 124_1.12.13_LDSS-check-if-a-conversation-already-exists-before-r.patch 125_1.12.13_proto.c-add-bounds-check-to-proto_tree_add_text-_val.patch 126_proto.c-do-not-perform-bound-checks-in-proto_tree_ad.patch +127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch +128_2.0.6_DCT2000-fix-a-buffer-overflow-in-case-of-malformed-p.patch +129_2.0.6_FP-ensure-that-mac-and-rlc-structures-are-always-all.patch +130_2.0.6_DCT2000-prevent-a-stack-buffer-overflow.patch +131_2.0.6_IPMI-do-not-use-col_set_str-with-non-const-strings.patch
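Review bot: In patch 128 (attach_fp_info), only the upper bound of `p_fp_info->num_chans` is checked, and the clamp to MAX_FP_CHANS is silent. The hunk does not show the type of `num_chans` or of `outhdr_values[]`; if either is signed, a negative value from a malformed outhdr passes `num_chans > MAX_FP_CHANS` unchanged, so confirm the types or add a lower bound. Because the value only exceeds the limit on a malformed packet, consider flagging it to the user (for example with an expert info item) instead of continuing with a quietly truncated channel count.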
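Review bot: In patch 129, the first hunk in dissect_e_dch_channel_info() removes the `if(rlcinf)` guard and writes `rlcinf->rbid[i] = (guint8)ddi;` unconditionally, but none of the visible hunks in that function adds a fallback allocation for `rlcinf`; only `macinf` gets one, in the hunk at -2726. The write is safe only if `rlcinf` is already non-NULL when this function runs, which the visible lines do not show. Since the commit message lists a conflict in packet-umts_fp.c, please confirm on the 1.12 code that every path into this function passes through the allocation added in dissect_fp() in the last hunk, or keep the guard here.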
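Review bot: The fallback `if (!rlcinf) { rlcinf = wmem_new0(wmem_packet_scope(), rlc_info); }` and its `macinf` twin are pasted into five hunks of patch 129 with no comment at any of the call sites. The reason (a zero-filled, packet-scoped stand-in that is not stored back into pinfo and is dropped after dissection) is explained only in the commit message. A small helper per structure carrying that explanation as a comment would keep the copies from drifting apart and would make it clear that anything written to the stand-in, such as `rbid[i]`, does not persist beyond the current packet.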
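Review bot: In patch 130 (parse_outhdr_string), the new loop condition bounds `number_digits` by MAX_OUTHDR_VALUES, a constant whose name refers to the number of values rather than the number of digits in one value. The declaration of the digit buffer is outside the hunk, so please confirm it is sized with the same constant; otherwise the bound does not match the buffer it protects. A dedicated constant for the digit limit would make the check self-evident. Also check what happens when the cap is reached mid-number: the loop exits with `n` still pointing at a digit, and the hunk does not show whether the remaining digits are then parsed as a separate value.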
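Review bot: In patch 131 (dissect_ipmi_trace), the switch from `col_set_str` to `col_add_str` has no comment at the call site saying why the copying variant is required. The string comes from `val_to_str(data_type, str_protocol_types, "Reserved (0x%02x)")`, which formats a fresh string for values missing from the table, so the column must hold a copy instead of the pointer. A one-line comment to that effect would stop a later cleanup from reverting this to `col_set_str` as an optimisation.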