wireshark: patch CVE-2026-0962

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0962

Backport the commit that is referenced in the related gitlab issue[1].

[1]: https://gitlab.com/wireshark/wireshark/-/issues/20945

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-networking/recipes-support/wireshark/files/CVE-2026-0962.patch

@@ -0,0 +1,131 @@
+From 4b1c045a4639b54a0aea717667a30c01c683001c Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Mon, 12 Jan 2026 17:01:48 -0800
+Subject: [PATCH] SOME/IP-SD: Fix a buffer overflow
+
+Make sure we don't write past the end of our option port array. Make our
+option count unsigned.
+
+Fixes #20945
+
+(cherry picked from commit 55ec8b3db4968c97115f014fb5974206cdf57454)
+
+Conflicts:
+	epan/dissectors/packet-someip-sd.c
+
+CVE: CVE-2026-0962
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/825b83e1ed146f6c8fa8f1d7ad2794061b82c895]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ epan/dissectors/packet-someip-sd.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/epan/dissectors/packet-someip-sd.c b/epan/dissectors/packet-someip-sd.c
+index 85144d5..79935bb 100644
+--- a/epan/dissectors/packet-someip-sd.c
++++ b/epan/dissectors/packet-someip-sd.c
+@@ -242,6 +242,7 @@ static expert_field ef_someipsd_option_unknown = EI_INIT;
+ static expert_field ef_someipsd_option_wrong_length = EI_INIT;
+ static expert_field ef_someipsd_L4_protocol_unsupported = EI_INIT;
+ static expert_field ef_someipsd_config_string_malformed = EI_INIT;
++static expert_field ef_someipsd_too_many_options = EI_INIT;
+ 
+ /*** prototypes ***/
+ void proto_register_someip_sd(void);
+@@ -274,7 +275,7 @@ someip_sd_register_ports(guint32 opt_index, guint32 opt_num, guint32 option_coun
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
++dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
+     guint32         offset_orig = offset;
+     const guint8   *config_string;
+     proto_item     *ti;
+@@ -317,7 +318,7 @@ dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, pr
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
++dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
+     tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, NULL, "%d: Load Balancing Option", optionnum);
+ 
+     /* Add common fields */
+@@ -337,7 +338,7 @@ dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo _U_
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum, guint32 option_ports[]) {
++dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum, guint32 option_ports[]) {
+     guint8              type = 255;
+     const gchar        *description = NULL;
+     guint32             l4port = 0;
+@@ -350,7 +351,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree
+ 
+     type = tvb_get_guint8(tvb, offset + 2);
+     description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
+ 
+     if (length != SD_OPTION_IPV4_LENGTH) {
+         expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length);
+@@ -391,7 +392,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, proto_tree
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum, guint32 option_ports[]) {
++dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum, guint32 option_ports[]) {
+     guint8              type = 255;
+     const gchar        *description = NULL;
+     guint32             l4port = 0;
+@@ -404,7 +405,7 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree
+     type = tvb_get_guint8(tvb, offset + 2);
+     description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
+ 
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
+ 
+     if (length != SD_OPTION_IPV6_LENGTH) {
+         expert_add_info(pinfo, ti_top, &ef_someipsd_option_wrong_length);
+@@ -444,11 +445,11 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, int optionnum) {
++dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint32 offset, guint32 length, unsigned optionnum) {
+     guint32             len = 0;
+     proto_item         *ti;
+ 
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%d: %s Option", optionnum,
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, ett_someip_sd_option, &ti, "%u: %s Option", optionnum,
+         val_to_str_const(tvb_get_guint8(tvb, offset + 2), sd_option_type, "Unknown"));
+ 
+     expert_add_info(pinfo, ti, &ef_someipsd_option_unknown);
+@@ -473,7 +474,7 @@ static int
+ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_item *ti, guint32 offset_orig, guint32 length, guint32 option_ports[], guint *option_count) {
+     guint16             real_length = 0;
+     guint8              option_type = 0;
+-    int                 optionnum = 0;
++    unsigned            optionnum = 0;
+     tvbuff_t           *subtvb = NULL;
+ 
+     guint32             offset = offset_orig;
+@@ -484,7 +485,10 @@ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tre
+     }
+ 
+     while (tvb_bytes_exist(tvb, offset, SD_OPTION_MINLENGTH)) {
+-        ws_assert(optionnum >= 0 && optionnum < SD_MAX_NUM_OPTIONS);
++        if (optionnum >= SD_MAX_NUM_OPTIONS) {
++            expert_add_info(pinfo, ti, &ef_someipsd_too_many_options);
++            return offset;
++        }
+         option_ports[optionnum] = 0;
+ 
+         real_length = tvb_get_ntohs(tvb, offset) + 3;
+@@ -1195,6 +1199,7 @@ proto_register_someip_sd(void) {
+         { &ef_someipsd_option_wrong_length,{ "someipsd.option_wrong_length", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Option length is incorrect!", EXPFILL } },
+         { &ef_someipsd_L4_protocol_unsupported,{ "someipsd.L4_protocol_unsupported", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Unsupported Layer 4 Protocol!", EXPFILL } },
+         { &ef_someipsd_config_string_malformed,{ "someipsd.config_string_malformed", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Configuration String malformed!", EXPFILL } },
++        { &ef_someipsd_too_many_options,{ "someipsd.too_many_options", PI_MALFORMED, PI_ERROR, "SOME/IP-SD Too many options!", EXPFILL } },
+     };
+ 
+     /* Register Protocol, Fields, ETTs, Expert Info, Taps, Dissector */

meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb

@@ -14,6 +14,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
            file://0004-lemon-Remove-line-directives.patch \
            file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \
            file://CVE-2025-9817.patch \
+           file://CVE-2026-0962.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"