Bug ID: 8169
Summary: Possible infinite loop in nwmtp dissector
Classification: Unclassified
Product: Wireshark
Version: 1.8.4
Hardware: x86
OS: All
Status: UNCONFIRMED
Severity: Minor
Priority: Low
Component: Wireshark
Assignee: [email protected]
Reporter: [email protected]
Build Information:
wireshark 1.8.4 (SVN Rev Unknown from unknown)
Compiled (64-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.30.0, with
GLib 2.32.3, with libpcap, with libz 1.2.3.4, without POSIX capabilities,
without SMI, without c-ares, without ADNS, without Lua, without Python, without
GnuTLS, without Gcrypt, without Kerberos, without GeoIP, without PortAudio, with
AirPcap.
Running on Linux 3.2.0-29-generic, with locale en_US.UTF-8, with libpcap version
1.1.1, with libz 1.2.3.4, without AirPcap.
Built using gcc 4.6.3.
--
File: packet-nwmtp.c
Bug: An attacker can cause a DoS via an infinite loop.
Summary: len (a guint32) can make the offset computation wrap around, so the
loop re-examines data it has already processed.
Relevant Code:
    int offset;
    guint32 len;
    offset = 0;
    ...
    while (tvb_reported_length_remaining(tvb, offset) > 0) {
        ...
        len = tvb_get_ntohl(tvb, offset + 8);   /* length read from the packet */
        ...
        next_tvb = tvb_new_subset(tvb, offset + 12, len, len);
        ...
        offset += len + 12;   /* int + guint32: can wrap and move offset backwards */
    }
Notes:
This would require a 2GB+ capture file, as the call to tvb_new_subset() takes a
signed integer, and immediately raises an error if it's < -1. Therefore, len
cannot be larger than 2**31-1.
That means that crafting input for this infinite loop requires:
1) crafting 2-3 'mtp' entries inside the packet.
2) a 2GB+ capture file
This is in addition to requiring a manual selection of 'Decode as'.
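To make the wrap-around concrete, here is an added stand-alone C model of the offset arithmetic in the excerpt above (not Wireshark's code; guint32 is aliased to uint32_t and the tvb is reduced to a reported length), with an assumed bounds-checked form beside it:

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t guint32;   /* stand-in for GLib's guint32 */

/* Next-offset computation as the excerpt performs it: offset is a signed int,
 * len an unsigned 32-bit length read from the packet. The sum is done in
 * unsigned arithmetic and then converted back to int, which wraps on the
 * usual two's-complement compilers. */
static int unchecked_advance(int offset, guint32 len)
{
    return (int)((guint32)offset + len + 12u);
}

/* Hardened form (assumed fix, not Wireshark's): the 12-byte entry header plus
 * len must fit inside the bytes that remain, and the new offset must still be
 * a non-negative int. Returns the next offset, or -1 to reject the entry. */
static int checked_advance(int offset, guint32 len, guint32 reported_len)
{
    if (offset < 0 || (guint32)offset > reported_len)
        return -1;
    guint32 remaining = reported_len - (guint32)offset;
    if (remaining < 12u || len > remaining - 12u)
        return -1;                      /* also rules out len + 12 wrapping */
    guint32 next = (guint32)offset + 12u + len;
    if (next > (guint32)INT_MAX)
        return -1;                      /* would not fit in a signed offset */
    return (int)next;
}

int main(void)
{
    /* Largest len that tvb_new_subset() accepts, per the report: 2**31-1 */
    guint32 len = 0x7FFFFFFFu;
    int wrapped = unchecked_advance(0, len);
    printf("unchecked: 0 + 0x%x + 12 -> %d (negative: loop revisits data)\n",
           len, wrapped);
    printf("checked:   -> %d (rejected)\n", checked_advance(0, len, 0xFFFFFFFFu));
    printf("checked, well-formed entry: 40 + 12 + 100 -> %d\n",
           checked_advance(40, 100u, 200u));
    return 0;
}
```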