Wireshark-bugs: [Wireshark-bugs] [Bug 12624] New: Infinite loop in dissect_mmse()

Date: Sat, 16 Jul 2016 00:05:48 +0000
Bug ID 12624
Summary Infinite loop in dissect_mmse()
Product Wireshark
Version 1.12.8
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]
CC [email protected]

Created attachment 14736
Sample generated by AFL

Build Information:
TShark 1.12.8 (v1.12.8-7-ga5131f2 from unknown)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.48.1, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, without SMI, with c-ares 1.11.0, without
Lua, without Python, with GnuTLS 3.4.14, with Gcrypt 1.7.1, with MIT Kerberos,
with GeoIP.

Running on Linux 4.6.3-1-ARCH, with locale en_US.utf8, with libpcap version
1.7.4, with libz 1.2.8.
       Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz

Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).

--
This issue was uncovered with AFL (http://lcamtuf.coredump.cx/afl/)

This infinite loop is caused by an overly large length being returned by
tvb_get_guintvar at packet-mmse.c line 1254. This causes the offset variable to
overflow and triggers an infinite loop.

This has been observed in tshark 1.12.x but does not occur in 2.0.x.

Credit goes to Chris Benedict, Aurelien Delaitre, NIST SAMATE Project,
https://samate.nist.gov
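The following C program is an added illustration of the bug class the report describes and is not code from the page or from Wireshark's packet-mmse.c. It uses a hypothetical WAP-style uintvar decoder (`decode_uintvar`, 7 data bits per byte, high bit set means "continue") standing in for `tvb_get_guintvar`, and two hypothetical item-walking loops: `count_items_unchecked` advances the offset by an attacker-controlled length with no bounds check, so a length close to 2^32 wraps the 32-bit offset back onto itself and the loop never makes progress (the loop is capped by `max_iters` here only so the demonstration terminates); `count_items_checked` compares the decoded length against the bytes remaining in the buffer before advancing, which is the check that prevents both the wrap and the over-read. The byte arrays are constructed sample inputs, not the attached AFL sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical uintvar decoder (stand-in for a tvb_get_guintvar-style helper).
 * Returns 0 on success with *value and *consumed set, -1 on malformed input. */
static int decode_uintvar(const uint8_t *buf, size_t buflen, size_t off,
                          uint32_t *value, size_t *consumed)
{
    uint32_t v = 0;
    size_t n = 0;
    while (off + n < buflen) {
        uint8_t b = buf[off + n++];
        if (v > (UINT32_MAX >> 7))
            return -1;                  /* next shift would overflow 32 bits */
        v = (v << 7) | (b & 0x7f);
        if (!(b & 0x80)) {              /* clear high bit: last byte */
            *value = v;
            *consumed = n;
            return 0;
        }
    }
    return -1;                          /* buffer ended in the middle of a varint */
}

/* Unsafe pattern: offset += header + length with no check against buflen.
 * A length near 2^32 wraps the 32-bit offset back to where it started, so the
 * loop condition stays true forever. max_iters exists only so this demo stops. */
static int count_items_unchecked(const uint8_t *buf, uint32_t buflen, unsigned max_iters)
{
    uint32_t offset = 0;
    unsigned items = 0;
    while (offset < buflen && items < max_iters) {
        uint32_t len;
        size_t used;
        if (decode_uintvar(buf, buflen, offset, &len, &used) != 0)
            return -1;
        offset += (uint32_t)used + len; /* unsigned wraparound possible here */
        items++;
    }
    return (int)items;
}

/* Hardened pattern: reject any length larger than the bytes actually left.
 * Because len <= remaining, the new offset can never exceed buflen, so it can
 * neither wrap nor point past the end of the captured data. */
static int count_items_checked(const uint8_t *buf, uint32_t buflen)
{
    uint32_t offset = 0;
    int items = 0;
    while (offset < buflen) {
        uint32_t len;
        size_t used;
        if (decode_uintvar(buf, buflen, offset, &len, &used) != 0)
            return -1;
        uint32_t remaining = buflen - offset - (uint32_t)used; /* decode guarantees offset+used <= buflen */
        if (len > remaining)
            return -1;                  /* declared length exceeds captured data */
        offset += (uint32_t)used + len;
        items++;
    }
    return items;
}

/* Constructed sample input: two well-formed items (len 2, then len 1). */
static const uint8_t GOOD[] = { 0x02, 0xAA, 0xBB, 0x01, 0xCC };
/* Constructed sample input: a single 5-byte uintvar encoding 0xFFFFFFFB, i.e.
 * 2^32 - 5; 5 header bytes + that length wraps the offset back to exactly 0. */
static const uint8_t WRAP[] = { 0x8F, 0xFF, 0xFF, 0xFF, 0x7B };

int main(void)
{
    printf("unchecked/GOOD: %d items\n", count_items_unchecked(GOOD, sizeof GOOD, 100));
    printf("unchecked/WRAP: %d items (hit cap: no progress)\n", count_items_unchecked(WRAP, sizeof WRAP, 100));
    printf("checked/GOOD:   %d items\n", count_items_checked(GOOD, sizeof GOOD));
    printf("checked/WRAP:   %d (rejected)\n", count_items_checked(WRAP, sizeof WRAP));
    return 0;
}
```

The only difference between the two loops is the `len > remaining` comparison; doing that comparison on the remaining length rather than on the computed new offset is what keeps the arithmetic from ever reaching the wrap in the first place.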
