File wireshark-0105-CVE-2025-11626.patch of Package wireshark.41124
From 513e5d49724f4a0695c5d2a08ce422c09cb999c8 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Mon, 22 Sep 2025 21:41:00 -0400
Subject: [PATCH] Mongo: Avoid infinite loop in dissect_op_msg_section
If the size of an OP_MSG data section is indicated as -1, that
leads to advancing the offset by section_len + 1, or zero, which
causes an infinite loop.
The total message and section lengths in Mongo are signed int32s;
it is impossible for them to be negative, and impossible for the
section length to be INT_MAX (since the message length includes
the length of the four byte headers and flag bits.)
Throw an error to avoid the offset moving backwards, an infinite loop,
or signed integer overflow.
Also update some URLs to their new locations.
Fix #20724.
(backported from commit 1ec4709cab382f7077ba66d2e382c2e75ce335c1)
---
epan/dissectors/packet-mongo.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
index 346b1324e1..ad89c547d9 100644
--- a/epan/dissectors/packet-mongo.c
+++ b/epan/dissectors/packet-mongo.c
@@ -12,9 +12,9 @@
/*
* See Mongo Wire Protocol Specification
- * http://www.mongodb.org/display/DOCS/Mongo+Wire+Protocol
+ * https://www.mongodb.com/docs/manual/reference/mongodb-wire-protocol/
* See also BSON Specification
- * http://bsonspec.org/#/specification
+ * http://bsonspec.org/spec.html
*/
#include "config.h"
@@ -23,6 +23,7 @@
#include <epan/exceptions.h>
#include <epan/expert.h>
#include <epan/proto_data.h>
+#include <epan/exceptions.h>
#include "packet-tcp.h"
#include "packet-tls.h"
#ifdef HAVE_SNAPPY
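Review bot: The added `#include <epan/exceptions.h>` duplicates the identical include that is already visible as the first context line of this hunk, so the line is redundant and should be dropped. The header is include-guarded, so this is harmless at compile time, but it suggests the backport was applied without checking the existing include list. `THROW()` and `ReportedBoundsError`, used later in this patch, were already in scope through the existing include.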
@@ -287,6 +288,7 @@ static gint ett_mongo_doc_sequence= -1;
static expert_field ei_mongo_document_recursion_exceeded = EI_INIT;
static expert_field ei_mongo_document_length_bad = EI_INIT;
+static expert_field ei_mongo_section_size_bad = EI_INIT;
static expert_field ei_mongo_unknown = EI_INIT;
static expert_field ei_mongo_unsupported_compression = EI_INIT;
static expert_field ei_mongo_too_large_compressed = EI_INIT;
@@ -822,13 +824,21 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
gint section_len = -1; /* Section length */
e_type = tvb_get_guint8(tvb, offset);
- section_len = tvb_get_letohl(tvb, offset+1);
- ti = proto_tree_add_item(tree, hf_mongo_msg_sections_section, tvb, offset, 1 + section_len, ENC_NA);
+ ti = proto_tree_add_item(tree, hf_mongo_msg_sections_section, tvb, offset, 1, ENC_NA);
section_tree = proto_item_add_subtree(ti, ett_mongo_section);
proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_kind, tvb, offset, 1, ENC_LITTLE_ENDIAN);
offset += 1;
+ section_len = tvb_get_letohil(tvb, offset);
+ /* The section length must be strictly smaller than the total message size,
+ * both signed int32s. This prevents signed integer overflow. */
+ if (section_len < 0 || section_len == INT_MAX) {
+ proto_tree_add_expert_format(section_tree, pinfo, &ei_mongo_section_size_bad, tvb, offset, 4, "Bogus Mongo message section size: %i", section_len);
+ THROW(ReportedBoundsError);
+ }
+ proto_item_set_len(ti, 1 + section_len);
+
switch (e_type) {
case KIND_BODY:
section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
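Review bot: The new comment above the guard says the section length "must be strictly smaller than the total message size", but the condition on the next line only rejects negative values and INT_MAX, so a reader will look for a message-size comparison that is not there; either the comment should describe what the code checks, e.g. `/* Reject negative lengths (offset would move backwards and loop forever) and INT_MAX (1 + section_len would overflow); tvb bounds checks catch any remaining oversize value. */`, or, if the caller has the message length available, it should be passed down and compared here. INT_MAX requires <limits.h>, which this patch does not add; if it is not already reached transitively, G_MAXINT would match the gint typing this file uses. dissect_op_msg_section begins and ends outside this hunk, so the later offset advance and the use of the reassigned section_len from dissect_bson_document could not be reviewed here.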
@@ -1523,6 +1533,7 @@ proto_register_mongo(void)
static ei_register_info ei[] = {
{ &ei_mongo_document_recursion_exceeded, { "mongo.document.recursion_exceeded", PI_MALFORMED, PI_ERROR, "BSON document recursion exceeds", EXPFILL }},
{ &ei_mongo_document_length_bad, { "mongo.document.length.bad", PI_MALFORMED, PI_ERROR, "BSON document length bad", EXPFILL }},
+ { &ei_mongo_section_size_bad, { "mongo.msg.sections.section.size.bad", PI_MALFORMED, PI_ERROR, "Bogus Mongo message section size", EXPFILL }},
{ &ei_mongo_unknown, { "mongo.unknown.expert", PI_UNDECODED, PI_WARN, "Unknown Data (not interpreted)", EXPFILL }},
{ &ei_mongo_unsupported_compression, { "mongo.unsupported_compression.expert", PI_UNDECODED, PI_WARN, "This packet was compressed with an unsupported compressor", EXPFILL }},
{ &ei_mongo_too_large_compressed, { "mongo.too_large_compressed.expert", PI_UNDECODED, PI_WARN, "The size of the uncompressed packet exceeded the maximum allowed value", EXPFILL }},
--
2.51.0