From: Anil Dongare <[email protected]>

Upstream Repository: https://gitlab.com/wireshark/wireshark.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0962
Type: Security Fix
CVE: CVE-2026-0962
Score: 6.5
Patch: https://gitlab.com/wireshark/wireshark/-/commit/825b83e1ed14

Signed-off-by: Anil Dongare <[email protected]>
---
 .../wireshark/files/CVE-2026-0962.patch       | 152 ++++++++++++++++++
 .../wireshark/wireshark_4.2.14.bb             |   1 +
 2 files changed, 153 insertions(+)
 create mode 100644 
meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch

diff --git 
a/meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch 
b/meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch
new file mode 100644
index 0000000000..c9a3723ba9
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch
@@ -0,0 +1,152 @@
+From 912286bc877a2914f089a063dbf5fa8037efd709 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <[email protected]>
+Date: Mon, 12 Jan 2026 17:01:48 -0800
+Subject: [PATCH] SOME/IP-SD: Fix a buffer overflow
+
+Make sure we don't write past the end of our option port array. Make our
+option count unsigned.
+
+Fixes #20945
+
+(cherry picked from commit 55ec8b3db4968c97115f014fb5974206cdf57454)
+
+Conflicts:
+       epan/dissectors/packet-someip-sd.c
+(cherry picked from commit 825b83e1ed146f6c8fa8f1d7ad2794061b82c895)
+
+CVE: CVE-2026-0962
+Upstream-Status: Backport 
[https://gitlab.com/wireshark/wireshark/-/commit/825b83e1ed14]
+
+Backport Changes:
+- In the epan/dissectors/packet-someip-sd.c file, the variable
+  ef_someipsd_too_many_options was added in place of 
ei_someipsd_too_many_options
+  to maintain consistency with the existing expert_field naming conventions.
+- This update is already included in Wireshark version 4.4 with the following
+  commit: https://gitlab.com/wireshark/wireshark/-/commit/9e59a18db82f
+
+Signed-off-by: Anil Dongare <[email protected]>
+---
+ epan/dissectors/packet-someip-sd.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/epan/dissectors/packet-someip-sd.c 
b/epan/dissectors/packet-someip-sd.c
+index 85144d5925..7088ee5210 100644
+--- a/epan/dissectors/packet-someip-sd.c
++++ b/epan/dissectors/packet-someip-sd.c
+@@ -242,6 +242,7 @@ static expert_field ef_someipsd_option_unknown = EI_INIT;
+ static expert_field ef_someipsd_option_wrong_length = EI_INIT;
+ static expert_field ef_someipsd_L4_protocol_unsupported = EI_INIT;
+ static expert_field ef_someipsd_config_string_malformed = EI_INIT;
++static expert_field ef_someipsd_too_many_options = EI_INIT;
+
+ /*** prototypes ***/
+ void proto_register_someip_sd(void);
+@@ -274,13 +275,13 @@ someip_sd_register_ports(guint32 opt_index, guint32 
opt_num, guint32 option_coun
+ }
+
+ static void
+-dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
++dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
+     guint32         offset_orig = offset;
+     const guint8   *config_string;
+     proto_item     *ti;
+     proto_tree     *subtree;
+
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, NULL, "%d: Configuration Option", optionnum);
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, NULL, "%u: Configuration Option", optionnum);
+
+     /* Add common fields */
+     proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, 
ENC_BIG_ENDIAN);
+@@ -317,8 +318,8 @@ dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, 
packet_info *pinfo, pr
+ }
+
+ static void
+-dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo 
_U_, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, NULL, "%d: Load Balancing Option", optionnum);
++dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo 
_U_, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, NULL, "%u Load Balancing Option", optionnum);
+
+     /* Add common fields */
+     proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, 
ENC_BIG_ENDIAN);
+@@ -337,7 +338,7 @@ dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, 
packet_info *pinfo _U_
+ }
+
+ static void
+-dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, guint32 offset, guint32 length, int optionnum, guint32 
option_ports[]) {
++dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum, guint32 
option_ports[]) {
+     guint8              type = 255;
+     const gchar        *description = NULL;
+     guint32             l4port = 0;
+@@ -350,7 +351,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, 
packet_info *pinfo, proto_tree
+
+     type = tvb_get_guint8(tvb, offset + 2);
+     description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
+
+     if (length != SD_OPTION_IPV4_LENGTH) {
+         expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length);
+@@ -391,7 +392,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, 
packet_info *pinfo, proto_tree
+ }
+
+ static void
+-dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, guint32 offset, guint32 length, int optionnum, guint32 
option_ports[]) {
++dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum, guint32 
option_ports[]) {
+     guint8              type = 255;
+     const gchar        *description = NULL;
+     guint32             l4port = 0;
+@@ -404,7 +405,7 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, 
packet_info *pinfo, proto_tree
+     type = tvb_get_guint8(tvb, offset + 2);
+     description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
+
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
+
+     if (length != SD_OPTION_IPV6_LENGTH) {
+         expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length);
+@@ -444,11 +445,11 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, 
packet_info *pinfo, proto_tree
+ }
+
+ static void
+-dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
++dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
+     guint32             len = 0;
+     proto_item         *ti;
+
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti, "%d: %s Option", optionnum,
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti, "%u: %s Option", optionnum,
+         val_to_str_const(tvb_get_guint8(tvb, offset + 2), sd_option_type, 
"Unknown"));
+
+     expert_add_info(pinfo, ti, &ef_someipsd_option_unknown);
+@@ -473,7 +474,7 @@ static int
+ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree 
*tree, proto_item *ti, guint32 offset_orig, guint32 length, guint32 
option_ports[], guint *option_count) {
+     guint16             real_length = 0;
+     guint8              option_type = 0;
+-    int                 optionnum = 0;
++    unsigned            optionnum = 0;
+     tvbuff_t           *subtvb = NULL;
+
+     guint32             offset = offset_orig;
+@@ -484,7 +485,11 @@ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info 
*pinfo, proto_tree *tre
+     }
+
+     while (tvb_bytes_exist(tvb, offset, SD_OPTION_MINLENGTH)) {
+-        ws_assert(optionnum >= 0 && optionnum < SD_MAX_NUM_OPTIONS);
++        if (optionnum >= SD_MAX_NUM_OPTIONS) {
++            expert_add_info(pinfo, ti, &ef_someipsd_too_many_options);
++            return offset;
++        }
++
+         option_ports[optionnum] = 0;
+
+         real_length = tvb_get_ntohs(tvb, offset) + 3;
+@@ -1195,6 +1200,7 @@ proto_register_someip_sd(void) {
+         { &ef_someipsd_option_wrong_length,{ "someipsd.option_wrong_length", 
PI_MALFORMED, PI_ERROR, "SOME/IP-SD Option length is incorrect!", EXPFILL } },
+         { &ef_someipsd_L4_protocol_unsupported,{ 
"someipsd.L4_protocol_unsupported", PI_MALFORMED, PI_ERROR, "SOME/IP-SD 
Unsupported Layer 4 Protocol!", EXPFILL } },
+         { &ef_someipsd_config_string_malformed,{ 
"someipsd.config_string_malformed", PI_MALFORMED, PI_ERROR, "SOME/IP-SD 
Configuration String malformed!", EXPFILL } },
++        { &ef_someipsd_too_many_options,{ "someipsd.too_many_options", 
PI_MALFORMED, PI_ERROR, "SOME/IP-SD Too many options!", EXPFILL } },
+     };
+
+     /* Register Protocol, Fields, ETTs, Expert Info, Taps, Dissector */
+--
+2.43.7
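Review bot: The new `optionnum >= SD_MAX_NUM_OPTIONS` guard in dissect_someip_sd_pdu_options returns from inside the loop, so whatever the function does after the loop is skipped on that path. The rest of the body is outside this hunk, but if `*option_count` is only assigned after the loop, the caller would see a stale or unset count for a packet carrying too many options; adding `*option_count = optionnum;` just before `return offset;` would close that gap. The guard also presumes the caller's `option_ports[]` holds exactly SD_MAX_NUM_OPTIONS entries, which the `guint32 option_ports[]` parameter cannot express, so a one-line comment at the check stating that would help the next backport. Separately, the load-balancing label went from `"%d: Load Balancing Option"` to `"%u Load Balancing Option"`, dropping the colon that every other option label in the patch keeps; `"%u: Load Balancing Option"` would keep the tree text consistent.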
diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb 
b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
index c313075ea4..d3fbbc8f3a 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
@@ -15,6 +15,7 @@ SRC_URI = 
"https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
            
file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \
            file://CVE-2025-9817.patch \
            file://CVE-2025-13499.patch \
+           file://CVE-2026-0962.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions";
-- 
2.44.1
