Bug ID |
11023
|
Summary |
Infinite loop DoS in TNEF dissector
|
Product |
Wireshark
|
Version |
1.99.x (Experimental)
|
Hardware |
x86
|
OS |
Mac OS X 10.9
|
Status |
UNCONFIRMED
|
Severity |
Normal
|
Priority |
Low
|
Component |
Dissection engine (libwireshark)
|
Assignee |
[email protected]
|
Reporter |
[email protected]
|
Created attachment 13484 [details]
TNEF DoS
Build Information:
Version 1.99.2 (v1.99.2-0-gb2db3bf from master)
Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with Qt 4.8.6, with libpcap, without POSIX capabilities, with
libz 1.2.3, with GLib 2.16.3, with SMI 0.4.8, without c-ares, without ADNS,
with
Lua 5.2, with GnuTLS 2.12.19, with Gcrypt 1.4.3, with MIT Kerberos, with GeoIP,
without PortAudio, with AirPcap.
Running on Mac OS X 10.9.5, build 13F34 (Darwin 13.4.0), with locale C, with
libpcap version 1.3.0 - Apple version 41, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.4.3, without AirPcap.
Built using gcc 4.2.1 (Apple Inc. build 5666) (dot 3).
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
Hello, there is an infinite loop condition in the TNEF dissector in
epan/dissectors/packet-tnef.c:dissect_tnef() on 32-bit platforms. Specifically,
the length variable is user-controlled and added to the offset variable if the
tag is set to ATT_OWNER or ATT_SENT_FOR (other paths exercise bound checks)
allowing an attacker to cause an infinite loop. I've attached a packet capture
exercising this bug.
You are receiving this mail because:
- You are watching all bug changes.