
Bug#1003827: buster-pu: package wireshark/2.6.20-0+deb10u3



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

  * CVE-2021-22207: Excessive memory consumption in the MS-WSP dissector.
    (Closes: #987853)
  * CVE-2021-22235: Crash in the DNP dissector.
  * CVE-2021-39921: NULL pointer exception in the Modbus dissector.
  * CVE-2021-39922: Buffer overflow in the C12.22 dissector.
  * CVE-2021-39923: Large loop in the PNRP dissector.
  * CVE-2021-39924: Large loop in the Bluetooth DHT dissector.
  * CVE-2021-39928: NULL pointer exception in the IEEE 802.11 dissector.
  * CVE-2021-39929: Uncontrolled Recursion in the Bluetooth DHT dissector.
diff -Nru wireshark-2.6.20/debian/changelog wireshark-2.6.20/debian/changelog
--- wireshark-2.6.20/debian/changelog	2021-12-09 15:35:23.000000000 +0200
+++ wireshark-2.6.20/debian/changelog	2022-01-16 14:46:43.000000000 +0200
@@ -1,3 +1,18 @@
+wireshark (2.6.20-0+deb10u3) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2021-22207: Excessive memory consumption in the MS-WSP dissector.
+    (Closes: #987853)
+  * CVE-2021-22235: Crash in the DNP dissector.
+  * CVE-2021-39921: NULL pointer exception in the Modbus dissector.
+  * CVE-2021-39922: Buffer overflow in the C12.22 dissector.
+  * CVE-2021-39923: Large loop in the PNRP dissector.
+  * CVE-2021-39924: Large loop in the Bluetooth DHT dissector.
+  * CVE-2021-39928: NULL pointer exception in the IEEE 802.11 dissector.
+  * CVE-2021-39929: Uncontrolled Recursion in the Bluetooth DHT dissector.
+
+ -- Adrian Bunk <bunk@debian.org>  Sun, 16 Jan 2022 14:46:43 +0200
+
 wireshark (2.6.20-0+deb10u2) buster-security; urgency=medium
 
   * debian/watch: Get upstream releases from gitlab
diff -Nru wireshark-2.6.20/debian/patches/0001-MS-WSP-Don-t-allocate-huge-amounts-of-memory.patch wireshark-2.6.20/debian/patches/0001-MS-WSP-Don-t-allocate-huge-amounts-of-memory.patch
--- wireshark-2.6.20/debian/patches/0001-MS-WSP-Don-t-allocate-huge-amounts-of-memory.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0001-MS-WSP-Don-t-allocate-huge-amounts-of-memory.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,70 @@
+From 8747a91cccb52f916a20e1d772dd58751a87ad0e Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Mon, 19 Apr 2021 10:39:01 -0700
+Subject: MS-WSP: Don't allocate huge amounts of memory.
+
+Add a couple of memory allocation sanity checks, one of which
+fixes #17331.
+---
+ epan/dissectors/packet-mswsp.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/epan/dissectors/packet-mswsp.c b/epan/dissectors/packet-mswsp.c
+index 295192a0ab..e6600e06b4 100644
+--- a/epan/dissectors/packet-mswsp.c
++++ b/epan/dissectors/packet-mswsp.c
+@@ -313,8 +313,10 @@ struct CTableColumn {
+ 	guint16 lengthoffset;
+ 	char name[PROP_LENGTH];
+ };
+-/* minimum size in bytes on the wire CTableColumn can be */
++/* Minimum size in bytes on the wire CTableColumn can be */
+ #define MIN_CTABLECOL_SIZE 32
++/* Maximum sane size in bytes on the wire CTableColumn can be. Arbitrary. */
++#define MAX_CTABLECOL_SIZE 5000
+ 
+ /* 2.2.3.10 */
+ 
+@@ -3970,6 +3972,8 @@ static int vvalue_tvb_lpwstr(tvbuff_t *tvb, int offset, void *val)
+ 	return 4 + vvalue_tvb_lpwstr_len(tvb, offset + 4, 0, val);
+ }
+ 
++/* Maximum sane vector size. Arbitrary. */
++#define MAX_VT_VECTOR_SIZE 5000
+ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vector *val, struct vtype_data *type, guint num)
+ {
+ 	const int offset_in = offset;
+@@ -3984,18 +3988,14 @@ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vecto
+ 	 * here, before making a possibly-doomed attempt to allocate
+ 	 * memory for it.
+ 	 *
+-	 * First, check for an overflow.
++	 * First, check for sane values.
+ 	 */
+-	if ((guint64)elsize * (guint64)num > G_MAXUINT) {
+-		/*
+-		 * We never have more than G_MAXUINT bytes in a tvbuff,
+-		 * so this will *definitely* fail.
+-		 */
++	if (num > MAX_VT_VECTOR_SIZE) {
+ 		THROW(ReportedBoundsError);
+ 	}
+ 
+ 	/*
+-	 * No overflow; now make sure we at least have that data.
++	 * No huge numbers from the wire; now make sure we at least have that data.
+ 	 */
+ 	tvb_ensure_bytes_exist(tvb, offset, elsize * num);
+ 
+@@ -5851,7 +5851,7 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
+ 
+ 		/* Sanity check size value */
+ 		column_size = num*MIN_CTABLECOL_SIZE;
+-		if (column_size > tvb_reported_length_remaining(tvb, offset))
++		if (num > MAX_CTABLECOL_SIZE || column_size > tvb_reported_length_remaining(tvb, offset))
+ 		{
+ 			expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns);
+ 			return tvb_reported_length(tvb);
+-- 
+2.20.1
+
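Review bot: The new bound `if (num > MAX_VT_VECTOR_SIZE)` replaces, rather than supplements, the removed `(guint64)elsize * (guint64)num > G_MAXUINT` check, and elsize is not bounded anywhere in the hunk, so whether `elsize * num` in the tvb_ensure_bytes_exist call can still wrap depends on elsize's range in code outside the hunk. Keeping both tests is cheap: `if (num > MAX_VT_VECTOR_SIZE || (guint64)elsize * (guint64)num > G_MAXUINT) {`. In dissect_CPMSetBindings, `column_size = num*MIN_CTABLECOL_SIZE;` is still computed before the new `num > MAX_CTABLECOL_SIZE` test; the `||` short-circuit means a wrapped value is never used, but moving the multiplication below the check would make that independent of evaluation order. A blank line after the new `#define MAX_VT_VECTOR_SIZE 5000` would separate it from the function definition it now abuts.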
diff -Nru wireshark-2.6.20/debian/patches/0002-dnp-plug-a-memory-leak.patch wireshark-2.6.20/debian/patches/0002-dnp-plug-a-memory-leak.patch
--- wireshark-2.6.20/debian/patches/0002-dnp-plug-a-memory-leak.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0002-dnp-plug-a-memory-leak.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,26 @@
+From ab0c151cfea07dfd3944802b013eee8a33c12798 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Sun, 23 May 2021 13:55:48 -0700
+Subject: dnp: plug a memory leak.
+
+If we're throwing away the data, *throw away the data* - free it, as
+we're not using it as the backing data for a tvbuff.
+---
+ epan/dissectors/packet-dnp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/epan/dissectors/packet-dnp.c b/epan/dissectors/packet-dnp.c
+index d3c418168b..b517fb376c 100644
+--- a/epan/dissectors/packet-dnp.c
++++ b/epan/dissectors/packet-dnp.c
+@@ -3428,6 +3428,7 @@ dissect_dnp3_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void*
+     else
+     {
+       /* CRC error - throw away the data. */
++      g_free(al_buffer);
+       next_tvb = NULL;
+     }
+   }
+-- 
+2.20.1
+
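Review bot: `g_free(al_buffer);` releases memory that, according to the description of patch 0003 in this same upload, came from `pinfo->pool`, so with only 0002 applied the series hands a wmem allocation to the GLib free function. Since 0003 replaces this exact line, squashing the two into one patch (or folding 0003's line into 0002 and keeping 0003's rationale in the header) avoids shipping an intermediate state with a mismatched allocator and makes any later bisect of the series safer.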
diff -Nru wireshark-2.6.20/debian/patches/0003-DNP-use-the-proper-free-function.patch wireshark-2.6.20/debian/patches/0003-DNP-use-the-proper-free-function.patch
--- wireshark-2.6.20/debian/patches/0003-DNP-use-the-proper-free-function.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0003-DNP-use-the-proper-free-function.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,30 @@
+From b47a073499d51942364f1be853c9be9526916599 Mon Sep 17 00:00:00 2001
+From: Pascal Quantin <pascal@wireshark.org>
+Date: Sat, 26 Jun 2021 10:31:59 +0200
+Subject: DNP: use the proper free function
+
+g618661b22e introduced a free for a so called memory leak (which wasn't
+a real leak due to the pinfo->pool garbage collector) but used the wrong
+free function. Let's keep the explicit free but use the right function.
+
+Closes #17462
+---
+ epan/dissectors/packet-dnp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-dnp.c b/epan/dissectors/packet-dnp.c
+index b517fb376c..f2112f39d8 100644
+--- a/epan/dissectors/packet-dnp.c
++++ b/epan/dissectors/packet-dnp.c
+@@ -3428,7 +3428,7 @@ dissect_dnp3_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void*
+     else
+     {
+       /* CRC error - throw away the data. */
+-      g_free(al_buffer);
++      wmem_free(pinfo->pool, al_buffer);
+       next_tvb = NULL;
+     }
+   }
+-- 
+2.20.1
+
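Review bot: After `wmem_free(pinfo->pool, al_buffer);` the variable still holds the freed address; the remainder of dissect_dnp3_message is outside the hunk, so I cannot tell whether al_buffer is read again, but if it is, that read would be a use-after-free. Assigning `al_buffer = NULL;` next to the existing `next_tvb = NULL;` makes any later reference fail visibly instead of silently reusing freed pool memory.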
diff -Nru wireshark-2.6.20/debian/patches/0004-Modbus-Add-null-pointer-checks.patch wireshark-2.6.20/debian/patches/0004-Modbus-Add-null-pointer-checks.patch
--- wireshark-2.6.20/debian/patches/0004-Modbus-Add-null-pointer-checks.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0004-Modbus-Add-null-pointer-checks.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,39 @@
+From 6ed9d2068d054304d8f88851a7c906412f33a217 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Mon, 1 Nov 2021 11:12:56 -0700
+Subject: Modbus: Add null pointer checks.
+
+Fixes #17703.
+---
+ epan/dissectors/packet-mbtcp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/epan/dissectors/packet-mbtcp.c b/epan/dissectors/packet-mbtcp.c
+index c142fecb3b..eca5243b3f 100644
+--- a/epan/dissectors/packet-mbtcp.c
++++ b/epan/dissectors/packet-mbtcp.c
+@@ -1026,6 +1026,10 @@ dissect_modbus_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *modbus_tre
+     guint16       reg_base=0, diagnostic_code;
+     guint32       group_byte_cnt, group_word_cnt;
+ 
++    if (!pkt_info) {
++        return 0;
++    }
++
+     switch (function_code) {
+ 
+         case READ_COILS:
+@@ -1209,6 +1213,10 @@ dissect_modbus_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *modbus_tr
+ 
+     proto_item            *request_frame_item;
+ 
++    if (!pkt_info) {
++        return 0;
++    }
++
+     if (pkt_info->request_found == TRUE) {
+         request_frame_item = proto_tree_add_uint(modbus_tree, hf_modbus_request_frame, tvb, 0, 0, pkt_info->req_frame_num);
+         PROTO_ITEM_SET_GENERATED(request_frame_item);
+-- 
+2.20.1
+
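Review bot: The new guard `if (!pkt_info) { return 0; }` in dissect_modbus_request, and its twin in dissect_modbus_response, carries no comment, so a reader cannot tell under which conditions pkt_info is NULL or why returning 0 — which for a Wireshark dissector normally means nothing was dissected — is preferred over adding an expert-info item to the tree. A one-line comment above each check would close that gap, e.g. `/* pkt_info can be NULL (see #17703); return rather than dereference it. */`. Both enclosing functions start and end outside the hunk.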
diff -Nru wireshark-2.6.20/debian/patches/0005-C12.22-Track-our-allocation-sizes.patch wireshark-2.6.20/debian/patches/0005-C12.22-Track-our-allocation-sizes.patch
--- wireshark-2.6.20/debian/patches/0005-C12.22-Track-our-allocation-sizes.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0005-C12.22-Track-our-allocation-sizes.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,288 @@
+From 992469ecbf1b8b4e86431fa77cc56813b60522d3 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 26 Oct 2021 18:15:50 -0700
+Subject: C12.22: Track our allocation sizes.
+
+Add an allocated size element to the TOP_ELEMENT_CONTROL struct and use
+it to make sure we're not trying to read past the end of a buffer in
+canonify_unencrypted_header. Fixes #17636.
+---
+ .../asn1/c1222/packet-c1222-template.c        | 55 +++++++++++-----
+ epan/dissectors/packet-c1222.c                | 63 +++++++++++++------
+ 2 files changed, 84 insertions(+), 34 deletions(-)
+
+diff --git a/epan/dissectors/asn1/c1222/packet-c1222-template.c b/epan/dissectors/asn1/c1222/packet-c1222-template.c
+index 795ab84ea6..81001b1d1d 100644
+--- a/epan/dissectors/asn1/c1222/packet-c1222-template.c
++++ b/epan/dissectors/asn1/c1222/packet-c1222-template.c
+@@ -160,6 +160,19 @@ static guint32 calling_AP_title_len = 0;
+ static guint32 key_id_element_len = 0;
+ static guint32 iv_element_len = 0;
+ 
++/* these are the related allocation sizes (which might be different from the lengths) */
++static guint32 aSO_context_allocated = 0;
++static guint32 called_AP_title_allocated = 0;
++static guint32 called_AP_invocation_id_allocated = 0;
++static guint32 calling_AE_qualifier_allocated = 0;
++static guint32 calling_AP_invocation_id_allocated = 0;
++static guint32 mechanism_name_allocated = 0;
++static guint32 calling_authentication_value_allocated = 0;
++static guint32 user_information_allocated = 0;
++static guint32 calling_AP_title_allocated = 0;
++static guint32 key_id_element_allocated = 0;
++static guint32 iv_element_allocated = 0;
++
+ #include "packet-c1222-ett.c"
+ 
+ static expert_field ei_c1222_command_truncated = EI_INIT;
+@@ -282,11 +295,13 @@ static uat_t *c1222_uat;
+ #define FILL_TABLE(fieldname)  \
+   length = offset - start_offset; \
+   fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
+-  fieldname##_len = length;
++  fieldname##_len = length; \
++  fieldname##_allocated = length;
+ #define FILL_TABLE_TRUNCATE(fieldname, len)  \
+   length = 1 + 2*(offset - start_offset); \
+   fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
+-  fieldname##_len = len;
++  fieldname##_len = len; \
++  fieldname##_allocated = length;
+ #define FILL_TABLE_APTITLE(fieldname) \
+   length = offset - start_offset; \
+   switch (tvb_get_guint8(tvb, start_offset)) { \
+@@ -294,6 +309,7 @@ static uat_t *c1222_uat;
+       tvb_ensure_bytes_exist(tvb, start_offset, length); \
+       fieldname##_len = length + c1222_baseoid_len; \
+       fieldname = (guint8 *)wmem_alloc(wmem_packet_scope(), fieldname##_len); \
++      fieldname##_allocated = fieldname##_len; \
+       fieldname[0] = 0x06;  /* create absolute OID tag */ \
+       fieldname[1] = (fieldname##_len - 2) & 0xff;  \
+       memcpy(&(fieldname[2]), c1222_baseoid, c1222_baseoid_len); \
+@@ -303,6 +319,7 @@ static uat_t *c1222_uat;
+     default: \
+       fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
+       fieldname##_len = length; \
++      fieldname##_allocated = length; \
+       break; \
+   }
+ 
+@@ -616,21 +633,23 @@ typedef struct tagTOP_ELEMENT_CONTROL
+   guint8 **element;
+   /* pointer to element length */
+   guint32 *length;
++  /* pointer to element allocated size */
++  guint32 *allocated;
+ } TOP_ELEMENT_CONTROL;
+ 
+ static const TOP_ELEMENT_CONTROL canonifyTable[] = {
+-  { FALSE, FALSE, 0xA1, TRUE, &aSO_context, &aSO_context_len },
+-  { TRUE , FALSE, 0xA2, TRUE, &called_AP_title, &called_AP_title_len },
+-  { FALSE, FALSE, 0xA4, TRUE, &called_AP_invocation_id, &called_AP_invocation_id_len },
+-  { FALSE, FALSE, 0xA7, TRUE, &calling_AE_qualifier, &calling_AE_qualifier_len },
+-  { TRUE,  FALSE, 0xA8, TRUE, &calling_AP_invocation_id, &calling_AP_invocation_id_len },
+-  { FALSE, FALSE, 0x8B, TRUE, &mechanism_name, &mechanism_name_len },
+-  { FALSE, FALSE, 0xAC, TRUE, &calling_authentication_value, &calling_authentication_value_len },
+-  { TRUE , TRUE , 0xBE, TRUE, &user_information, &user_information_len },
+-  { FALSE, FALSE, 0xA6, TRUE, &calling_AP_title, &calling_AP_title_len },
+-  { FALSE, FALSE, 0xAC, FALSE, &key_id_element, &key_id_element_len },
+-  { FALSE, FALSE, 0xAC, FALSE, &iv_element, &iv_element_len },
+-  { FALSE, FALSE, 0x0,  TRUE, NULL, NULL }
++  { FALSE, FALSE, 0xA1, TRUE, &aSO_context, &aSO_context_len, &aSO_context_allocated },
++  { TRUE , FALSE, 0xA2, TRUE, &called_AP_title, &called_AP_title_len, &called_AP_title_allocated },
++  { FALSE, FALSE, 0xA4, TRUE, &called_AP_invocation_id, &called_AP_invocation_id_len, &called_AP_invocation_id_allocated },
++  { FALSE, FALSE, 0xA7, TRUE, &calling_AE_qualifier, &calling_AE_qualifier_len, &calling_AE_qualifier_allocated },
++  { TRUE,  FALSE, 0xA8, TRUE, &calling_AP_invocation_id, &calling_AP_invocation_id_len, &calling_AP_invocation_id_allocated },
++  { FALSE, FALSE, 0x8B, TRUE, &mechanism_name, &mechanism_name_len, &mechanism_name_allocated },
++  { FALSE, FALSE, 0xAC, TRUE, &calling_authentication_value, &calling_authentication_value_len, &calling_authentication_value_allocated },
++  { TRUE , TRUE , 0xBE, TRUE, &user_information, &user_information_len, &user_information_allocated },
++  { FALSE, FALSE, 0xA6, TRUE, &calling_AP_title, &calling_AP_title_len, &calling_AP_title_allocated },
++  { FALSE, FALSE, 0xAC, FALSE, &key_id_element, &key_id_element_len, &key_id_element_allocated },
++  { FALSE, FALSE, 0xAC, FALSE, &iv_element, &iv_element_len, &iv_element_allocated },
++  { FALSE, FALSE, 0x0,  TRUE, NULL, NULL, NULL }
+ };
+ 
+ static void
+@@ -720,11 +739,12 @@ static gboolean
+ canonify_unencrypted_header(guchar *buff, guint32 *offset, guint32 buffsize)
+ {
+   const TOP_ELEMENT_CONTROL *t = canonifyTable;
+-  guint32 len;
++  guint32 len, allocated;
+ 
+   for (t = canonifyTable; t->element != NULL; t++)
+   {
+     len = *(t->length);
++    allocated = *(t->allocated);
+     if (t->required && *(t->element) == NULL)
+       return FALSE;
+     if (*(t->element) != NULL) {
+@@ -741,6 +761,11 @@ canonify_unencrypted_header(guchar *buff, guint32 *offset, guint32 buffsize)
+       if (buffsize < *offset + len) {
+         return FALSE;
+       }
++      /* bail out if our we're trying to read past the end of our element */
++      /* the network is always hostile */
++      if (allocated < len) {
++        return FALSE;
++      }
+       memcpy(&buff[*offset], *(t->element), len);
+       (*offset) += len;
+       if (t->addtag) {
+diff --git a/epan/dissectors/packet-c1222.c b/epan/dissectors/packet-c1222.c
+index b7213dfdcd..d7f3953da7 100644
+--- a/epan/dissectors/packet-c1222.c
++++ b/epan/dissectors/packet-c1222.c
+@@ -198,6 +198,19 @@ static guint32 calling_AP_title_len = 0;
+ static guint32 key_id_element_len = 0;
+ static guint32 iv_element_len = 0;
+ 
++/* these are the related allocation sizes (which might be different from the lengths) */
++static guint32 aSO_context_allocated = 0;
++static guint32 called_AP_title_allocated = 0;
++static guint32 called_AP_invocation_id_allocated = 0;
++static guint32 calling_AE_qualifier_allocated = 0;
++static guint32 calling_AP_invocation_id_allocated = 0;
++static guint32 mechanism_name_allocated = 0;
++static guint32 calling_authentication_value_allocated = 0;
++static guint32 user_information_allocated = 0;
++static guint32 calling_AP_title_allocated = 0;
++static guint32 key_id_element_allocated = 0;
++static guint32 iv_element_allocated = 0;
++
+ 
+ /*--- Included file: packet-c1222-ett.c ---*/
+ #line 1 "./asn1/c1222/packet-c1222-ett.c"
+@@ -211,7 +224,7 @@ static gint ett_c1222_Calling_authentication_value_c1222_U = -1;
+ static gint ett_c1222_Calling_authentication_value_c1221_U = -1;
+ 
+ /*--- End of included file: packet-c1222-ett.c ---*/
+-#line 164 "./asn1/c1222/packet-c1222-template.c"
++#line 177 "./asn1/c1222/packet-c1222-template.c"
+ 
+ static expert_field ei_c1222_command_truncated = EI_INIT;
+ static expert_field ei_c1222_bad_checksum = EI_INIT;
+@@ -333,11 +346,13 @@ static uat_t *c1222_uat;
+ #define FILL_TABLE(fieldname)  \
+   length = offset - start_offset; \
+   fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
+-  fieldname##_len = length;
++  fieldname##_len = length; \
++  fieldname##_allocated = length;
+ #define FILL_TABLE_TRUNCATE(fieldname, len)  \
+   length = 1 + 2*(offset - start_offset); \
+   fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
+-  fieldname##_len = len;
++  fieldname##_len = len; \
++  fieldname##_allocated = length;
+ #define FILL_TABLE_APTITLE(fieldname) \
+   length = offset - start_offset; \
+   switch (tvb_get_guint8(tvb, start_offset)) { \
+@@ -345,6 +360,7 @@ static uat_t *c1222_uat;
+       tvb_ensure_bytes_exist(tvb, start_offset, length); \
+       fieldname##_len = length + c1222_baseoid_len; \
+       fieldname = (guint8 *)wmem_alloc(wmem_packet_scope(), fieldname##_len); \
++      fieldname##_allocated = fieldname##_len; \
+       fieldname[0] = 0x06;  /* create absolute OID tag */ \
+       fieldname[1] = (fieldname##_len - 2) & 0xff;  \
+       memcpy(&(fieldname[2]), c1222_baseoid, c1222_baseoid_len); \
+@@ -354,6 +370,7 @@ static uat_t *c1222_uat;
+     default: \
+       fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
+       fieldname##_len = length; \
++      fieldname##_allocated = length; \
+       break; \
+   }
+ 
+@@ -667,21 +684,23 @@ typedef struct tagTOP_ELEMENT_CONTROL
+   guint8 **element;
+   /* pointer to element length */
+   guint32 *length;
++  /* pointer to element allocated size */
++  guint32 *allocated;
+ } TOP_ELEMENT_CONTROL;
+ 
+ static const TOP_ELEMENT_CONTROL canonifyTable[] = {
+-  { FALSE, FALSE, 0xA1, TRUE, &aSO_context, &aSO_context_len },
+-  { TRUE , FALSE, 0xA2, TRUE, &called_AP_title, &called_AP_title_len },
+-  { FALSE, FALSE, 0xA4, TRUE, &called_AP_invocation_id, &called_AP_invocation_id_len },
+-  { FALSE, FALSE, 0xA7, TRUE, &calling_AE_qualifier, &calling_AE_qualifier_len },
+-  { TRUE,  FALSE, 0xA8, TRUE, &calling_AP_invocation_id, &calling_AP_invocation_id_len },
+-  { FALSE, FALSE, 0x8B, TRUE, &mechanism_name, &mechanism_name_len },
+-  { FALSE, FALSE, 0xAC, TRUE, &calling_authentication_value, &calling_authentication_value_len },
+-  { TRUE , TRUE , 0xBE, TRUE, &user_information, &user_information_len },
+-  { FALSE, FALSE, 0xA6, TRUE, &calling_AP_title, &calling_AP_title_len },
+-  { FALSE, FALSE, 0xAC, FALSE, &key_id_element, &key_id_element_len },
+-  { FALSE, FALSE, 0xAC, FALSE, &iv_element, &iv_element_len },
+-  { FALSE, FALSE, 0x0,  TRUE, NULL, NULL }
++  { FALSE, FALSE, 0xA1, TRUE, &aSO_context, &aSO_context_len, &aSO_context_allocated },
++  { TRUE , FALSE, 0xA2, TRUE, &called_AP_title, &called_AP_title_len, &called_AP_title_allocated },
++  { FALSE, FALSE, 0xA4, TRUE, &called_AP_invocation_id, &called_AP_invocation_id_len, &called_AP_invocation_id_allocated },
++  { FALSE, FALSE, 0xA7, TRUE, &calling_AE_qualifier, &calling_AE_qualifier_len, &calling_AE_qualifier_allocated },
++  { TRUE,  FALSE, 0xA8, TRUE, &calling_AP_invocation_id, &calling_AP_invocation_id_len, &calling_AP_invocation_id_allocated },
++  { FALSE, FALSE, 0x8B, TRUE, &mechanism_name, &mechanism_name_len, &mechanism_name_allocated },
++  { FALSE, FALSE, 0xAC, TRUE, &calling_authentication_value, &calling_authentication_value_len, &calling_authentication_value_allocated },
++  { TRUE , TRUE , 0xBE, TRUE, &user_information, &user_information_len, &user_information_allocated },
++  { FALSE, FALSE, 0xA6, TRUE, &calling_AP_title, &calling_AP_title_len, &calling_AP_title_allocated },
++  { FALSE, FALSE, 0xAC, FALSE, &key_id_element, &key_id_element_len, &key_id_element_allocated },
++  { FALSE, FALSE, 0xAC, FALSE, &iv_element, &iv_element_len, &iv_element_allocated },
++  { FALSE, FALSE, 0x0,  TRUE, NULL, NULL, NULL }
+ };
+ 
+ static void
+@@ -771,11 +790,12 @@ static gboolean
+ canonify_unencrypted_header(guchar *buff, guint32 *offset, guint32 buffsize)
+ {
+   const TOP_ELEMENT_CONTROL *t = canonifyTable;
+-  guint32 len;
++  guint32 len, allocated;
+ 
+   for (t = canonifyTable; t->element != NULL; t++)
+   {
+     len = *(t->length);
++    allocated = *(t->allocated);
+     if (t->required && *(t->element) == NULL)
+       return FALSE;
+     if (*(t->element) != NULL) {
+@@ -792,6 +812,11 @@ canonify_unencrypted_header(guchar *buff, guint32 *offset, guint32 buffsize)
+       if (buffsize < *offset + len) {
+         return FALSE;
+       }
++      /* bail out if our we're trying to read past the end of our element */
++      /* the network is always hostile */
++      if (allocated < len) {
++        return FALSE;
++      }
+       memcpy(&buff[*offset], *(t->element), len);
+       (*offset) += len;
+       if (t->addtag) {
+@@ -1520,7 +1545,7 @@ static int dissect_MESSAGE_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_
+ 
+ 
+ /*--- End of included file: packet-c1222-fn.c ---*/
+-#line 1004 "./asn1/c1222/packet-c1222-template.c"
++#line 1029 "./asn1/c1222/packet-c1222-template.c"
+ 
+ /**
+  * Dissects a a full (reassembled) C12.22 message.
+@@ -1912,7 +1937,7 @@ void proto_register_c1222(void) {
+         "OCTET_STRING_SIZE_CONSTR002", HFILL }},
+ 
+ /*--- End of included file: packet-c1222-hfarr.c ---*/
+-#line 1291 "./asn1/c1222/packet-c1222-template.c"
++#line 1316 "./asn1/c1222/packet-c1222-template.c"
+   };
+ 
+   /* List of subtrees */
+@@ -1935,7 +1960,7 @@ void proto_register_c1222(void) {
+     &ett_c1222_Calling_authentication_value_c1221_U,
+ 
+ /*--- End of included file: packet-c1222-ettarr.c ---*/
+-#line 1301 "./asn1/c1222/packet-c1222-template.c"
++#line 1326 "./asn1/c1222/packet-c1222-template.c"
+   };
+ 
+   static ei_register_info ei[] = {
+-- 
+2.20.1
+
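Review bot: The comment introduced above the new check in canonify_unencrypted_header, `/* bail out if our we're trying to read past the end of our element */`, has a stray word; it should read `/* bail out if we're trying to read past the end of our element */`, in both the template and the generated packet-c1222.c copy. It would also help to state the intended fail-closed behaviour there: an element whose `*_allocated` counter was never set by one of the FILL_TABLE macros keeps its initial 0 and is rejected by `if (allocated < len)`, which is the desired outcome for hostile input but is not obvious from the code. The rest of the function, including the pre-existing `buffsize < *offset + len` arithmetic, is outside the hunk.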
diff -Nru wireshark-2.6.20/debian/patches/0006-PNRP-Exit-our-main-loop.patch wireshark-2.6.20/debian/patches/0006-PNRP-Exit-our-main-loop.patch
--- wireshark-2.6.20/debian/patches/0006-PNRP-Exit-our-main-loop.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0006-PNRP-Exit-our-main-loop.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,66 @@
+From f61c6c711fcaf7af5c1d843ec4bba1749e857d89 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 26 Oct 2021 09:57:23 -0700
+Subject: PNRP: Exit our main loop.
+
+Make sure our main loop offset advances. Fixes #17684.
+---
+ epan/dissectors/packet-pnrp.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-pnrp.c b/epan/dissectors/packet-pnrp.c
+index 56a274eedb..c9da1e02f1 100644
+--- a/epan/dissectors/packet-pnrp.c
++++ b/epan/dissectors/packet-pnrp.c
+@@ -21,6 +21,7 @@
+ #include "config.h"
+ 
+ #include <epan/packet.h>
++#include <epan/exceptions.h>
+ #include <epan/reassemble.h>
+ 
+ #define PROTONAME "Peer Name Resolution Protocol"
+@@ -388,11 +389,11 @@ static const fragment_items pnrp_frag_items = {
+ static int dissect_pnrp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
+ {
+     /* Variable declaration */
+-    gint offset;
++    int offset, start_offset;
+     gint padding_bytes;
+     guint8 message_type;
+     guint16 field_type;
+-    guint16 data_length;
++    unsigned data_length;
+     proto_item *ti;
+     proto_tree *pnrp_tree;
+     proto_item *pnrp_header_item;
+@@ -484,6 +485,7 @@ static int dissect_pnrp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
+      *------------------------------*/
+ 
+     /* The following part has dynamic length depending on message type */
++    start_offset = offset;
+     while (tvb_reported_length_remaining(tvb, offset) > 0) {
+         /* Determine the Field Type */
+         field_type = tvb_get_ntohs(tvb,offset );
+@@ -568,7 +570,6 @@ static int dissect_pnrp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
+                         }
+                         break;
+ 
+-
+                     default:
+                         proto_tree_add_item(pnrp_message_tree, hf_pnrp_message_flags, tvb, offset + 4, data_length -4, ENC_BIG_ENDIAN);
+                         offset += data_length;
+@@ -869,6 +870,10 @@ static int dissect_pnrp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
+                 offset += data_length;
+                 break;
+         }
++        // SPLIT_CONTROLS might reset our offset.
++        if (start_offset <= offset) {
++            THROW(ReportedBoundsError);
++        }
+     }
+     return offset;
+ 
+-- 
+2.20.1
+
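Review bot: As the visible lines stand, the loop-exit check looks inverted: `start_offset = offset;` is taken once before the `while`, and after the first field is processed via e.g. `offset += data_length;` the condition `start_offset <= offset` holds, so `THROW(ReportedBoundsError)` fires on the first iteration of every packet with at least one field, unless the SPLIT_CONTROLS branch (outside the hunk) is meant to rewind offset below the loop entry point, which the comment alone does not establish. To guarantee forward progress per iteration, as the subject line intends, record the offset at the top of the loop body and throw only when it did not grow: `start_offset = offset;` as the first statement inside the `while`, and `if (offset <= start_offset) { THROW(ReportedBoundsError); }` at the end. The loop body between the two hunks is not visible here, so the SPLIT_CONTROLS handling should be re-read before applying this.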
diff -Nru wireshark-2.6.20/debian/patches/0007-BT-DHT-Fix-another-loop-and-add-NULL-checks.patch wireshark-2.6.20/debian/patches/0007-BT-DHT-Fix-another-loop-and-add-NULL-checks.patch
--- wireshark-2.6.20/debian/patches/0007-BT-DHT-Fix-another-loop-and-add-NULL-checks.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0007-BT-DHT-Fix-another-loop-and-add-NULL-checks.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,63 @@
+From 3f4d95b877f67cfc9ae29d992d4d817a0b2b131b Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Mon, 25 Oct 2021 18:29:08 -0700
+Subject: BT-DHT: Fix another loop and add NULL checks.
+
+Make sure dissect_bt_dht_values even when we have a zero-length string.
+Add a couple of NULL checks. Fixes #17677.
+---
+ epan/dissectors/packet-bt-dht.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-bt-dht.c b/epan/dissectors/packet-bt-dht.c
+index 78ee7261e8..5c308f91f0 100644
+--- a/epan/dissectors/packet-bt-dht.c
++++ b/epan/dissectors/packet-bt-dht.c
+@@ -55,6 +55,7 @@ static int hf_port = -1;
+ static int hf_truncated_data = -1;
+ 
+ static expert_field ei_int_string = EI_INIT;
++static expert_field ei_invalid_len = EI_INIT;
+ 
+ /* tree types */
+ static gint ett_bt_dht = -1;
+@@ -264,6 +265,13 @@ dissect_bt_dht_values(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint
+   {
+     string_len = bencoded_string_length(tvb, &offset);
+ 
++    if (string_len == 0)
++    {
++      expert_add_info(pinfo, ti, &ei_invalid_len);
++      // Fail hard here rather than potentially looping excessively.
++      return tvb_reported_length_remaining(tvb, offset);
++    }
++
+     /* 4 bytes ip, 2 bytes port */
+     for( ; string_len>=6; string_len-=6, offset+=6 )
+     {
+@@ -460,9 +468,9 @@ dissect_bencoded_dict_entry(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+     return 0;
+   }
+ 
+-  if( strlen(key)==1 )
++  if(key && strlen(key)==1 )
+     key = val_to_str_const( key[0], short_key_name_value_string, key );
+-  if( strlen(val)==1 )
++  if(val && strlen(val)==1 )
+     val = val_to_str_const( val[0], short_val_name_value_string, val );
+ 
+   proto_item_set_text( ti, "%s: %s", key, val );
+@@ -622,7 +630,9 @@ proto_register_bt_dht(void)
+ 
+   static ei_register_info ei[] = {
+     { &ei_int_string, { "bt-dht.invalid_string", PI_MALFORMED, PI_ERROR,
+-    "String must contain an integer", EXPFILL }}
++    "String must contain an integer", EXPFILL }},
++    { &ei_invalid_len, { "bt-dht.invalid_length", PI_MALFORMED, PI_ERROR,
++    "Invalid length", EXPFILL }},
+   };
+ 
+   /* Setup protocol subtree array */
+-- 
+2.20.1
+
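Review bot: The added `key &&` / `val &&` guards in dissect_bencoded_dict_entry protect only the strlen calls; two lines later `proto_item_set_text( ti, "%s: %s", key, val );` still formats whichever pointer was NULL with `%s`, which is undefined behaviour in C even if GLib's printf may print "(null)" on some platforms. Substituting a visible placeholder keeps the output defined: `proto_item_set_text( ti, "%s: %s", key ? key : "<NULL>", val ? val : "<NULL>" );`. In dissect_bt_dht_values, the new `string_len == 0` early return stops one stall; whether lengths 1–5, which skip the `string_len>=6` loop without consuming bytes, can stall the enclosing loop depends on code outside the hunk and is worth a look.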
diff -Nru wireshark-2.6.20/debian/patches/0008-802.11-Radio-Add-null-pointer-checks.patch wireshark-2.6.20/debian/patches/0008-802.11-Radio-Add-null-pointer-checks.patch
--- wireshark-2.6.20/debian/patches/0008-802.11-Radio-Add-null-pointer-checks.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0008-802.11-Radio-Add-null-pointer-checks.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,75 @@
+From ef25de9f6575b43ba34eaac68073471fe446beab Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Mon, 1 Nov 2021 10:57:16 -0700
+Subject: 802.11 Radio: Add null pointer checks.
+
+Fixes #17704.
+---
+ epan/dissectors/packet-ieee80211-radio.c | 30 +++++++++++++-----------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/epan/dissectors/packet-ieee80211-radio.c b/epan/dissectors/packet-ieee80211-radio.c
+index 8b80c5b920..ad81f79a6e 100644
+--- a/epan/dissectors/packet-ieee80211-radio.c
++++ b/epan/dissectors/packet-ieee80211-radio.c
+@@ -576,7 +576,7 @@ dissect_wlan_radio_phdr (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
+     /* this frame has already been seen, so get its info structure */
+     wlan_radio_info = (struct wlan_radio *) p_get_proto_data(wmem_file_scope(), pinfo, proto_wlan_radio, 0);
+ 
+-    if (wlan_radio_info->aggregate) {
++    if (wlan_radio_info && wlan_radio_info->aggregate) {
+       phy = wlan_radio_info->aggregate->phy;
+       phy_info = &wlan_radio_info->aggregate->phy_info;
+     }
+@@ -1042,7 +1042,7 @@ dissect_wlan_radio_phdr (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
+       }
+ 
+       /* data field calculation */
+-      if (wlan_radio_info->aggregate) {
++      if (wlan_radio_info && wlan_radio_info->aggregate) {
+         agg_preamble = preamble;
+         if (wlan_radio_info->prior_aggregate_data != 0) {
+           preamble = 0;
+@@ -1068,7 +1068,7 @@ dissect_wlan_radio_phdr (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
+       }
+       preamble = 32 + 4 * info_ac->nss[0] * (info_ac->has_stbc ? info_ac->stbc+1 : 1);
+ 
+-      if (wlan_radio_info->aggregate) {
++      if (wlan_radio_info && wlan_radio_info->aggregate) {
+         agg_preamble = preamble;
+         if (wlan_radio_info->prior_aggregate_data != 0) {
+           preamble = 0;
+@@ -1154,17 +1154,19 @@ dissect_wlan_radio_phdr (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
+         p_item = proto_tree_add_uint(d_tree, hf_wlan_radio_preamble, tvb, 0, 0, preamble);
+         PROTO_ITEM_SET_GENERATED(p_item);
+       }
+-      if (wlan_radio_info->aggregate) {
+-        proto_tree *agg_tree;
+-
+-        p_item = proto_tree_add_none_format(d_tree, hf_wlan_radio_aggregate, tvb, 0, 0,
+-          "This MPDU is part of an A-MPDU");
+-        agg_tree = proto_item_add_subtree(item, ett_wlan_radio_aggregate);
+-        PROTO_ITEM_SET_GENERATED(p_item);
+-        if (wlan_radio_info->aggregate->duration) {
+-          proto_item *aitem = proto_tree_add_uint(agg_tree, hf_wlan_radio_aggregate_duration, tvb, 0, 0,
+-                  wlan_radio_info->aggregate->duration);
+-          PROTO_ITEM_SET_GENERATED(aitem);
++      if (wlan_radio_info) {
++        if (wlan_radio_info->aggregate) {
++          proto_tree *agg_tree;
++
++          p_item = proto_tree_add_none_format(d_tree, hf_wlan_radio_aggregate, tvb, 0, 0,
++            "This MPDU is part of an A-MPDU");
++          agg_tree = proto_item_add_subtree(item, ett_wlan_radio_aggregate);
++          PROTO_ITEM_SET_GENERATED(p_item);
++          if (wlan_radio_info->aggregate->duration) {
++            proto_item *aitem = proto_tree_add_uint(agg_tree, hf_wlan_radio_aggregate_duration, tvb, 0, 0,
++                    wlan_radio_info->aggregate->duration);
++            PROTO_ITEM_SET_GENERATED(aitem);
++          }
+         }
+       }
+       if (wlan_radio_info->ifs) {
+-- 
+2.20.1
+
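Review bot: The new `if (wlan_radio_info)` wrapper ends one line too early: the context line right after it, `if (wlan_radio_info->ifs) {`, still dereferences the pointer unconditionally, so the NULL case this patch guards against in the aggregate blocks is reached a few lines later anyway. Either extend that guard to `if (wlan_radio_info && wlan_radio_info->ifs) {` or move the ifs block inside the new `if (wlan_radio_info)` braces. The rest of dissect_wlan_radio_phdr is outside the hunk, so any further unguarded uses of wlan_radio_info after that line should be checked the same way.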
diff -Nru wireshark-2.6.20/debian/patches/0009-BT-DHT-Exit-a-loop.patch wireshark-2.6.20/debian/patches/0009-BT-DHT-Exit-a-loop.patch
--- wireshark-2.6.20/debian/patches/0009-BT-DHT-Exit-a-loop.patch	1970-01-01 02:00:00.000000000 +0200
+++ wireshark-2.6.20/debian/patches/0009-BT-DHT-Exit-a-loop.patch	2022-01-16 14:46:43.000000000 +0200
@@ -0,0 +1,47 @@
+From 1b41369210bb53a0645bf4c4612fac3e3f3e3b0f Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Mon, 11 Oct 2021 13:00:50 -0700
+Subject: BT-DHT: Exit a loop.
+
+Always make sure our offset advances in dissect_bencoded_list.
+Fixes #17651.
+---
+ epan/dissectors/packet-bt-dht.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/epan/dissectors/packet-bt-dht.c b/epan/dissectors/packet-bt-dht.c
+index 5c308f91f0..69c38532b2 100644
+--- a/epan/dissectors/packet-bt-dht.c
++++ b/epan/dissectors/packet-bt-dht.c
+@@ -182,6 +182,7 @@ dissect_bencoded_list(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint
+   offset += 1;
+   while( (one_byte=tvb_get_guint8(tvb,offset)) != 'e' )
+   {
++    guint start_offset = offset;
+     switch( one_byte )
+     {
+     /* a integer */
+@@ -199,14 +200,14 @@ dissect_bencoded_list(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint
+     /* a string */
+     default:
+       offset = dissect_bencoded_string( tvb, pinfo, sub_tree, offset, &result, FALSE, "String" );
+-      if (offset == 0)
+-      {
+-        proto_tree_add_expert(sub_tree, pinfo, &ei_int_string, tvb, offset, -1);
+-        /* if offset is not going on, there is no chance to exit the loop, then return*/
+-        return 0;
+-      }
+       break;
+     }
++    if (offset <= start_offset)
++    {
++      proto_tree_add_expert(sub_tree, pinfo, &ei_int_string, tvb, offset, -1);
++      /* if offset is not going on, there is no chance to exit the loop, then return*/
++      return 0;
++    }
+   }
+   proto_tree_add_item(sub_tree, hf_bencoded_list_terminator, tvb, offset, 1, ENC_ASCII|ENC_NA);
+   offset += 1;
+-- 
+2.20.1
+
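Review bot: The relocated error path `proto_tree_add_expert(sub_tree, pinfo, &ei_int_string, tvb, offset, -1);` anchors the expert item at `offset`, but the condition `offset <= start_offset` just above is also satisfied when a sub-dissector returned 0 (the previous code handled `offset == 0` explicitly), in which case the item lands at the start of the tvb instead of at the element that failed to advance; `start_offset` is the offset actually known to lie inside the list, so `tvb, start_offset, -1` is the better anchor. The check now also covers the integer and other cases of the switch, so the `ei_int_string` text "String must contain an integer" no longer describes every path that reaches it; a dedicated expert entry, or at least a comment noting the reuse, would avoid misleading whoever reads the expert info.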
diff -Nru wireshark-2.6.20/debian/patches/series wireshark-2.6.20/debian/patches/series
--- wireshark-2.6.20/debian/patches/series	2021-12-09 15:35:23.000000000 +0200
+++ wireshark-2.6.20/debian/patches/series	2022-01-16 14:46:43.000000000 +0200
@@ -10,3 +10,12 @@
 0002-Kafka-Limit-our-decompression-size.patch
 0003-Kafka-Decrease-our-maximum-decompression-buffer-size.patch
 0004-BT-SDP-Don-t-overrun-our-continuation-state-buffer.patch
+0001-MS-WSP-Don-t-allocate-huge-amounts-of-memory.patch
+0002-dnp-plug-a-memory-leak.patch
+0003-DNP-use-the-proper-free-function.patch
+0004-Modbus-Add-null-pointer-checks.patch
+0005-C12.22-Track-our-allocation-sizes.patch
+0006-PNRP-Exit-our-main-loop.patch
+0007-BT-DHT-Fix-another-loop-and-add-NULL-checks.patch
+0008-802.11-Radio-Add-null-pointer-checks.patch
+0009-BT-DHT-Exit-a-loop.patch
