Bug ID | 9672
Summary | Memory corruption in packet-nfs.c
Classification | Unclassified
Product | Wireshark
Version | SVN
Hardware | x86
OS | Windows 7
Status | UNCONFIRMED
Severity | Major
Priority | Low
Component | Dissection engine (libwireshark)
Assignee | [email protected]
Reporter | [email protected]

Build Information:
wireshark 1.11.3 (SVNRev 54856 from /trunk)
--
A remote attacker can create a specially-crafted packet that, when processed,
causes Wireshark to crash due to an out-of-bounds memcpy.

Steps to replicate:
0) Open Wireshark
1) Under "Protocol Preferences" check the box to allow NFS to "Snoop FH to
filename mappings".
2) Open the attached pcap

Tested on Wireshark svnr54856

This packet causes Wireshark to allocate 0 bytes, and then attempt to copy
~2^32 bytes into the allocated memory, which causes Wireshark to crash.

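Relevant Code:

    // Call site: name_len is read from the packet by tvb_get_ntohl()
    // and passed on without a range check.
    nfs_name_snoop_add_name(civ->xid, tvb,
                            offset+36, tvb_get_ntohl(tvb, offset+32),
                            offset, 32, NULL);

    nfs_name_snoop_add_name(int xid, tvbuff_t *tvb, int name_offset, int name_len,
                            int parent_offset,
                            int parent_len, const char *name)
    {
        // ... <SNIP> ...
        if (name) {
            // ... <SNIP> ...
        } else {
            nns->name_len = name_len;
            // name_len is a signed int: 0xFFFFFFFF on the wire is -1 here,
            // so name_len+1 requests 0 bytes ...
            nns->name = (char *)g_malloc(name_len+1);
            // ... and memcpy converts -1 to a huge unsigned size.
            memcpy(nns->name, ptr, name_len);
        }
    }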
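
The length arithmetic described in the report, next to a bounds-checked copy, as an added example that is not code from the report or from Wireshark. `struct pkt`, `snoop_name_checked` and the sample packets are hypothetical stand-ins; on a 32-bit build the copy size shown is just under 2^32, as the report states.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical packet view; stands in for Wireshark's tvbuff, not its API. */
struct pkt { const uint8_t *data; size_t len; };

/* Constructed samples: 4-byte big-endian length followed by the name bytes. */
static const uint8_t GOOD_PKT[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t BAD_PKT[]  = { 0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c' };

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Size requested by "name_len + 1" when the wire value is held in an int.
 * Done in unsigned arithmetic so the demo itself has no signed overflow. */
static size_t alloc_size_as_int(uint32_t wire_len) {
    return (size_t)(int)(wire_len + 1u);
}

/* Byte count memcpy receives when that int is converted to size_t. */
static size_t copy_size_as_int(uint32_t wire_len) {
    return (size_t)(int)wire_len;
}

/* Checked variant: returns a NUL-terminated copy of the name, or NULL when
 * the length field is not backed by bytes actually present in the packet. */
static char *snoop_name_checked(const struct pkt *p, size_t len_off, size_t *out_len) {
    if (len_off > p->len || p->len - len_off < 4) return NULL;
    uint32_t name_len = rd_be32(p->data + len_off);
    size_t name_off = len_off + 4;
    if (name_len > p->len - name_off) return NULL;   /* claimed > available */
    char *name = malloc((size_t)name_len + 1);
    if (name == NULL) return NULL;
    memcpy(name, p->data + name_off, name_len);
    name[name_len] = '\0';
    *out_len = name_len;
    return name;
}

int main(void) {
    struct pkt good = { GOOD_PKT, sizeof GOOD_PKT }, bad = { BAD_PKT, sizeof BAD_PKT };
    size_t n = 0;
    char *s = snoop_name_checked(&good, 0, &n);
    printf("alloc=%zu copy=%zu good=%s\n", alloc_size_as_int(0xFFFFFFFFu),
           copy_size_as_int(0xFFFFFFFFu), s ? s : "rejected");
    free(s);
    printf("bad: %s\n", snoop_name_checked(&bad, 0, &n) ? "accepted" : "rejected");
    return 0;
}
```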