Overview

File wireshark-0014-CVE-2026-0959.patch of Package wireshark.42256

commit 5bfd4035f52f3dbc499a1963c42cedbb194b7eec
Author: John Thacker <johnthacker@gmail.com>
Date:   Sun Jan 11 03:11:02 2026 +0000

    ieee80211: Avoid using a fixed array for multi-link per-STA subelements
    
    Since this processes to the end of the TVB, there might be more than 16.
    Simplify the logic and only test for a set link_id in one place. This
    also gets rid of a possible use of an uninitialized value on error.
    
    Fix #20939, OSS-Fuzz 474458885
    
    
    (cherry picked from commit 4b48ee36f1829d6d3d009bf9871af523ce8e3ace)
    
    Co-authored-by: John Thacker <johnthacker@gmail.com>

diff --git a/epan/dissectors/packet-ieee80211.c b/epan/dissectors/packet-ieee80211.c
index e3bde319b5..c76c4b2759 100644
--- a/epan/dissectors/packet-ieee80211.c
+++ b/epan/dissectors/packet-ieee80211.c
@@ -28301,7 +28301,7 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
   guint8 multi_link_type = multi_link_control & 0x0007;
   guint16 present = multi_link_control >> 4;
   int elt = 0, hf_index;
-  int local_link_ids[16];
+  wmem_strbuf_t *link_id_list = wmem_strbuf_create(pinfo->pool);
 
   control = proto_tree_add_item(tree, hf_ieee80211_eht_multi_link_control, tvb,
                                 offset, 2, ENC_LITTLE_ENDIAN);
@@ -28590,9 +28590,6 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
                                            multi_link_type, &link_id);
 
       offset += overhead; /* Account for the overhead in the subelt */
-      if (link_id != -1) {
-        local_link_ids[elt] = link_id;
-      }
       break;
     case 221:
       /* Add an expert info saying there are none so far? */
@@ -28603,18 +28600,13 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
       break;
     }
     if (link_id != -1) {
+      wmem_strbuf_append_printf(link_id_list, (elt == 0) ? "%d" : "_%d", link_id);
       elt++;
     }
   }
   proto_tree_add_uint(tree, hf_index, tvb, 0, 0, elt);
 
   if (elt) {
-    wmem_strbuf_t *link_id_list = wmem_strbuf_new_sized(pinfo->pool, elt * 2);
-    for (int i = 0; i < elt; i++) {
-      if (local_link_ids[i] != -1) {
-        wmem_strbuf_append_printf(link_id_list, (i == 0) ? "%d" : "_%d", local_link_ids[i]);
-      }
-    }
     proto_tree_add_string(tree, hf_ieee80211_eht_multi_link_link_id_list, tvb,
                           0, 0, link_id_list->str);
   }
openSUSE Build Service is sponsored by
Places