| Bug ID |
11024
|
| Summary |
Infinite loop DoS in SCSI OSD dissector
|
| Product |
Wireshark
|
| Version |
1.99.x (Experimental)
|
| Hardware |
x86
|
| OS |
Mac OS X 10.9
|
| Status |
UNCONFIRMED
|
| Severity |
Normal
|
| Priority |
Low
|
| Component |
Dissection engine (libwireshark)
|
| Assignee |
[email protected]
|
| Reporter |
[email protected]
|
Build Information:
Version 1.99.2 (v1.99.2-0-gb2db3bf from master)
Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with Qt 4.8.6, with libpcap, without POSIX capabilities, with
libz 1.2.3, with GLib 2.16.3, with SMI 0.4.8, without c-ares, without ADNS,
with
Lua 5.2, with GnuTLS 2.12.19, with Gcrypt 1.4.3, with MIT Kerberos, with GeoIP,
without PortAudio, with AirPcap.
Running on Mac OS X 10.9.5, build 13F34 (Darwin 13.4.0), with locale C, with
libpcap version 1.3.0 - Apple version 41, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.4.3, without AirPcap.
Built using gcc 4.2.1 (Apple Inc. build 5666) (dot 3).
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
Hello, there is a possible infinite loop condition in
epan/dissectors/packet-scsi-osd.c:dissect_osd2_cdb_continuation().
Specifically, on 32-bit platforms the 'length' variable is user-controlled and
added to the offset without bounds check, allowing an attacker to specify a
large value causing the offset to overflow to the start of the last element
causing an infinite loop. Unfortunately, due to lack of example data exercising
the OSD2 dissectors I was unable to synthesize a packet capture exercising this
condition.
You are receiving this mail because:
- You are watching all bug changes.