Bug ID | 8722
Summary | ASN.1 aligned PER dissector fails to check return value of g_malloc()
Classification | Unclassified
Product | Wireshark
Version | 1.11.x (Experimental)
Hardware | x86
OS | All
Status | UNCONFIRMED
Severity | Major
Priority | Low
Component | Dissection engine (libwireshark)
Assignee | [email protected]
Reporter | [email protected]
Build Information:
--
The "dissect_per_restricted_character_string_sorted()" function in
packet-per.c fails to check the return value of g_malloc() in line 638:

    buf = (guint8 *)g_malloc(length+1);
    old_offset=offset;

If a large value for the length variable is set, e.g. 0xffffffff, the malloc
fails and the application crashes with a segmentation fault (invalid write,
tested on Linux).
This may result in a write to the address 0x00000000 later in the same function
at multiple locations (assignments to buf):

            if((bits_per_char==8) || (alphabet==NULL)){
    here ->     buf[char_pos]=val;
            } else {
                if (val < alphabet_length){
    here ->         buf[char_pos]=alphabet[val];
                } else {
    here ->         buf[char_pos] = '?'; /* XXX - how to mark this? */
                }
            }
This bug was found by fuzzing the ULP protocol against the latest git version
of Wireshark.
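
Added example, not part of the original report and not Wireshark's code: the allocate-then-write pattern above with the length bounded and the allocation result checked before anything is written to buf. It assumes a 32-bit unsigned length (so length+1 wraps to 0 for 0xffffffff) and uses plain malloc() in place of g_malloc(); the helper names and the 64 KiB cap are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a decoded string; illustrative, not a Wireshark value. */
#define MAX_STRING_LEN (64u * 1024u)

/* Size the unchecked pattern requests: length+1 in 32-bit arithmetic.
 * For length == 0xffffffff the result wraps to 0. */
uint32_t unchecked_alloc_size(uint32_t length)
{
    return length + 1u;
}

/* Hypothetical hardened allocator: refuse lengths above the cap (which also
 * rules out the wrap) and hand allocation failure back to the caller. */
uint8_t *alloc_string_buf(uint32_t length)
{
    if (length > MAX_STRING_LEN)
        return NULL;
    uint8_t *buf = malloc((size_t)length + 1u);
    if (buf != NULL)
        buf[length] = '\0';
    return buf;
}

/* Copy `length` 8-bit characters from src into a fresh NUL-terminated buffer.
 * Returns NULL instead of writing through an invalid pointer. */
uint8_t *decode_chars(const uint8_t *src, size_t src_len, uint32_t length)
{
    if (src == NULL || length > src_len)   /* claimed length exceeds the data */
        return NULL;
    uint8_t *buf = alloc_string_buf(length);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, length);
    return buf;
}

int main(void)
{
    const uint8_t sample[] = { 'U', 'L', 'P' };   /* constructed input */
    uint8_t *ok = decode_chars(sample, sizeof sample, 3);
    uint8_t *bad = decode_chars(sample, sizeof sample, 0xffffffffu);
    printf("unchecked size for 0xffffffff: %u\n",
           (unsigned)unchecked_alloc_size(0xffffffffu));
    printf("valid: %s, oversized: %s\n",
           ok ? (char *)ok : "(null)", bad ? "allocated" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```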