From cd39759a0e3767cea7d3a35f12247c69409160ed Mon Sep 17 00:00:00 2001
From: Wenhua Huang
Date: Wed, 12 Nov 2025 14:30:11 +0800
Subject: [PATCH] SUA: Fix trivial signed overflow
---
 ...ark-0009-Fix-trivial-signed-overflow.patch | 44 +++++++++++++++++++
 wireshark.spec | 6 ++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 wireshark-0009-Fix-trivial-signed-overflow.patch
diff --git a/wireshark-0009-Fix-trivial-signed-overflow.patch b/wireshark-0009-Fix-trivial-signed-overflow.patch
new file mode 100644
index 0000000..c1481ef
--- /dev/null
+++ b/wireshark-0009-Fix-trivial-signed-overflow.patch
@@ -0,0 +1,44 @@
+Origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/22199
+
+From be847a28c5e4c0a30096d9e6d037f31a47ee19ee Mon Sep 17 00:00:00 2001
+From: John Thacker
+Date: Wed, 5 Nov 2025 19:39:27 -0500
+Subject: [PATCH] SUA: Fix trivial signed overflow
+
+The literal 256 is an int. When multiplying it by a uint16_t, the
+unsigned short is promoted to an int by the integer promotions as
+part of the usual arithmetic conversions (because all values of
+a uint16_t can be represented by an int.) This eventually can
+overflow, because what is wanted here is to combine two uint16_t
+into a uint32_t.
+
+Just make them uint32_t to start with to prevent signed overflow.
+Also go ahead and use proto_tree_add_item_ret_uint.
+
+OSS-Fuzz 458100286
+---
+ epan/dissectors/packet-sua.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-sua.c b/epan/dissectors/packet-sua.c
+index 4e8aa419cc..c348ff10ac 100644
+--- a/epan/dissectors/packet-sua.c
++++ b/epan/dissectors/packet-sua.c
+@@ -753,12 +753,11 @@ static const value_string status_type_info_values[] = {
+ static void
+ dissect_status_type_parameter(tvbuff_t *parameter_tvb, proto_tree *parameter_tree, proto_item *parameter_item)
+ {
+- uint16_t status_type, status_info;
++ uint32_t status_type, status_info;
+
+- status_type = tvb_get_ntohs(parameter_tvb, STATUS_TYPE_OFFSET);
+ status_info = tvb_get_ntohs(parameter_tvb, STATUS_INFO_OFFSET);
+
+- proto_tree_add_item(parameter_tree, hf_sua_status_type, parameter_tvb, STATUS_TYPE_OFFSET, STATUS_TYPE_LENGTH, ENC_BIG_ENDIAN);
++ proto_tree_add_item_ret_uint(parameter_tree, hf_sua_status_type, parameter_tvb, STATUS_TYPE_OFFSET, STATUS_TYPE_LENGTH, ENC_BIG_ENDIAN, &status_type);
+ proto_tree_add_uint_format_value(parameter_tree, hf_sua_status_info, parameter_tvb, STATUS_INFO_OFFSET, STATUS_INFO_LENGTH,
+ status_info, "%s (%u)", val_to_str_const(status_type * 256 * 256 + status_info, status_type_info_values, "unknown"), 
status_info);
+
+--
+Gitee
+
diff --git a/wireshark.spec b/wireshark.spec
index a055f9a..9fb1619 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -4,7 +4,7 @@ Summary: Network traffic analyzer Name: wireshark Version: 4.4.10 -Release: 1 +Release: 2 Epoch: 1 License: BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause AND MIT AND GPL-2.0-or-later AND LGPL-2.0-or-later AND Zlib AND ISC AND (BSD-3-Clause OR GPL-2.0-only) AND (GPL-2.0-or-later AND Zlib) Url: https://www.wireshark.org/
@@ -20,6 +20,7 @@ Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch Patch7: wireshark-0007-cmakelists.patch Patch8: wireshark-0008-pkgconfig.patch +Patch9: wireshark-0009-Fix-trivial-signed-overflow.patch Requires: xdg-utils Requires: hicolor-icon-theme
@@ -197,6 +198,9 @@ fi %{_mandir}/man?/* %changelog +* Wed Nov 12 2025 huangwenhua - 1:4.4.10-2 +- SUA: Fix trivial signed overflow + * Sat Oct 11 2025 yaoxin <1024769339@qq.com> - 1:4.4.10-1 - Update to 4.4.10 for fix CVE-2025-11626 -- Gitee
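Review bot: Nothing in dissect_status_type_parameter records that `status_type` and `status_info` must stay 32 bits wide, yet that width is the whole fix: with uint16_t operands and a 32-bit int, `status_type * 256 * 256` is computed in int and overflows once the type field reaches 0x8000. I would add `/* uint32_t on purpose: a uint16_t operand is promoted to int and the multiply can overflow */` above the declaration and write the lookup key as `(status_type << 16) | status_info`, which gives the same value as long as both fields are 16 bits wide and makes the packing explicit. `proto_tree_add_item_ret_uint` presumably needs hf_sua_status_type to be an unsigned integer field of at most four bytes; its registration and STATUS_TYPE_LENGTH are outside this hunk, so that is worth confirming. The function body continues past the end of the hunk.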
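Review bot: `Patch9:` is declared in the hunk at -20,6, but no hunk of wireshark.spec touches %prep, so whether the fix reaches the built package depends on how that section applies patches. If %prep uses `%autosetup` or `%autopatch` the new patch is picked up automatically; if it lists patches one by one, a line such as `%patch -P9 -p1` is needed, otherwise the release is bumped and the changelog claims the fix while the dissector is built unpatched. The %prep section is not visible in this diff, so confirm in the build log that wireshark-0009 is applied.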