Wireshark-bugs: [Wireshark-bugs] [Bug 1582] New: SSL dissector can go into infinite loop

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 30 Apr 2007 04:11:44 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1582

           Summary: SSL dissector can go into infinite loop
           Product: Wireshark
           Version: 0.99.5
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: Shaun.Voigt@xxxxxxxxxxxxxxxxxxx


Build Information:
Version 0.99.5 (SVN Rev 20677)

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.7, with GLib 2.12.7, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.4, with ADNS, with Lua 5.1,
with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio
PortAudio V19-devel, with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0
(packet.dll version 4.0.0.755), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 6.0 build 8804

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The SSL dissector can go into an infinite loop in epan/dissectors/packet-ssl.c
in the function static void dissect_ssl3_hnd_cli_hello(xxx).

In dissect_ssl3_hnd_cli_hello(xxx) an guint16 variable cipher_suite_length is
set from the packet data. If the value read is odd, then an infinite loop
results in the while loop starting with 

  while(cipher_suite_length > 0)
  {
    ...
    cipher_suite_length -= 2;
  }

This can be avoided by either adding a line after

  cipher_suite_length = tvb_get_ntohs(tvb,offset);

to avoid odd values e.g.
  cipher_suite_length = cipher_suite_length & 0xFFFE;

OR modify the while loop thus:

  while (cipher_suite_length > 1) 
  {
    ...

OR if cipher_suite_length is invalid for odd lengths then do something else.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.