Overview

File wireshark-0016-CVE-2026-0962.patch of Package wireshark.42256

commit 825b83e1ed146f6c8fa8f1d7ad2794061b82c895
Author: Gerald Combs <gerald@wireshark.org>
Date:   Mon Jan 12 17:01:48 2026 -0800

    SOME/IP-SD: Fix a buffer overflow
    
    Make sure we don't write past the end of our option port array. Make our
    option count unsigned.
    
    Fixes #20945
    
    (cherry picked from commit 55ec8b3db4968c97115f014fb5974206cdf57454)
    
    Conflicts:
            epan/dissectors/packet-someip-sd.c

diff --git a/epan/dissectors/packet-someip-sd.c b/epan/dissectors/packet-someip-sd.c
index 1a348d3886..b36a2fcd08 100644
--- a/epan/dissectors/packet-someip-sd.c
+++ b/epan/dissectors/packet-someip-sd.c
@@ -269,6 +269,7 @@ static expert_field ei_someipsd_option_unknown;
 static expert_field ef_someipsd_option_wrong_length = EI_INIT;
 static expert_field ef_someipsd_L4_protocol_unsupported = EI_INIT;
 static expert_field ef_someipsd_config_string_malformed = EI_INIT;
+static expert_field ef_someipsd_too_many_options = EI_INIT;
 
 /*** prototypes ***/
 void proto_register_someip_sd(void);
@@ -301,13 +302,13 @@ someip_sd_register_ports(guint32 opt_index, guint32 opt_num, guint32 option_c
 }
 
 static void
-dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
+dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
     guint32         offset_orig = offset;
     const guint8   *config_string;
     proto_item     *ti;
     proto_tree     *subtree;
 
-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Configuration Option", optionnum);
+    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%u: Configuration Option", optionnum);
 
     /* Add common fields */
     proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, ENC_BIG_ENDIAN);
@@ -344,8 +345,8 @@ dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, pr
 }
 
 static void
-dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Load Balancing Option", optionnum);
+dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
+    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%u: Load Balancing Option", optionnum);
 
     /* Add common fields */
     proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, ENC_BIG_ENDIAN);
@@ -364,7 +365,7 @@ dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_
 }
 
 static void
-dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum, guint32 option_ports[]) {
+dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum, guint32 option_ports[]) {
     guint8              type = 255;
     const gchar        *description = NULL;
     guint32             l4port = 0;
@@ -377,7 +378,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree
 
     type = tvb_get_guint8(tvb, offset + 2);
     description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
+    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
 
     if (length != SD_OPTION_IPV4_LENGTH) {
         expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length);
@@ -418,7 +419,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree
 }
 
 static void
-dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum, guint32 option_ports[]) {
+dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum, guint32 option_ports[]) {
     guint8              type = 255;
     const gchar        *description = NULL;
     guint32             l4port = 0;
@@ -431,7 +432,7 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree
     type = tvb_get_guint8(tvb, offset + 2);
     description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
 
-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
+    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
 
     if (length != SD_OPTION_IPV6_LENGTH) {
         expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length);
@@ -471,11 +472,11 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree
 }
 
 static void
-dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
+dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
     guint32             len = 0;
     proto_item         *ti;
 
-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%d: %s Option", optionnum,
+    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%u: %s Option", optionnum,
         val_to_str_const(tvb_get_guint8(tvb, offset + 2), sd_option_type, "Unknown"));
 
     expert_add_info(pinfo, ti, &ef_someipsd_option_unknown);
@@ -500,7 +501,7 @@ static int
 dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_item *ti, guint32 offset_orig, guint32 length, guint32 option_ports[], guint *option_count) {
     guint16             real_length = 0;
     guint8              option_type = 0;
-    int                 optionnum = 0;
+    unsigned            optionnum = 0;
     tvbuff_t           *subtvb = NULL;
 
     guint32             offset = offset_orig;
@@ -511,7 +512,11 @@ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tre
     }
 
     while (tvb_bytes_exist(tvb, offset, SD_OPTION_MINLENGTH)) {
-        ws_assert(optionnum >= 0 && optionnum < SD_MAX_NUM_OPTIONS);
+        if (optionnum >= SD_MAX_NUM_OPTIONS) {
+            expert_add_info(pinfo, ti, &ef_someipsd_too_many_options);
+            return offset;
+        }
+
         option_ports[optionnum] = 0;
 
         real_length = tvb_get_ntohs(tvb, offset) + 3;
@@ -1290,6 +1295,7 @@ proto_register_someip_sd(void) {
         { &ef_someipsd_option_wrong_length,{ "someipsd.option_wrong_length", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Option length is incorrect!", EXPFILL } },
         { &ef_someipsd_L4_protocol_unsupported,{ "someipsd.L4_protocol_unsupported", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Unsupported Layer 4 Protocol!", EXPFILL } },
         { &ef_someipsd_config_string_malformed,{ "someipsd.config_string_malformed", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Configuration String malformed!", EXPFILL } },
+        { &ef_someipsd_too_many_options,{ "someipsd.too_many_options", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Too many options!", EXPFILL } },
     };
 
     /* Register Protocol, Fields, ETTs, Expert Info, Taps, Dissector */
openSUSE Build Service is sponsored by
Places