Wireshark-dev: Re: [Wireshark-dev] [PATCH] ieee80211 integer overflow

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Mon, 11 Dec 2006 16:43:55 -0800
Thanks for finding this!  Looking at the code, is there any reason
dissect_vendor_ie_wpawme(), dissect_vendor_ie_rsn(),
dissect_vendor_ie_aironet(), and dissect_rsn_ie() need to access the
packet data directly via tvb_get_ptr()?  Would it be better to convert
them to use other tvb_get_* routines?

Neil Kettle wrote:
> Hi all - the following is caused by an integer overflow in buggy pointer arithmetic
> in the calculation of the length parameter for the g_snprintf call...
> This is likely unexploitable due to a combination of the restrictions of the bytes
> we may write ('0'->'9', 'A'->'F') and stack layout (that is, because the
> function is static and called from only one stack frame, who itself is
> called from only one stack frame, the compiler inlines both functions with a
> larger stack frame)... Thus, if test-packet does not crash wireshark then
> you have been saved by your compiler...
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1239308624 (LWP 12869)]
> 0xb71c6c07 in dissect_vendor_ie_rsn (ietree=0x87208e8, tree=0x87208e8, tvb=0x870d530, offset=14,
> tag_len=255,
>     tag_val=0x8724b2e "") at packet-ieee80211.c:1418
> 1418                            pos += g_snprintf(pos, out_buff + SHORT_STR - pos, "%02X",
> (gdb) x/x tag_val_off
> 0x31340000:     Cannot access memory at address 0x31340000
> 
> (on another note, my mail address has changed from njk4@xxxxxxxxxx (AUTHORS))
> 
> Thanks
> ------------------------------------------------------------------------------
> Neil Kettle
> (mu-b@xxxxxxxxx)
> (njk@xxxxxxxxxxxxxxxxxxxxxxx)
> 
>     "Computer Science is no more about computers
>         than astronomy is about telescopes."
> 

------------------------------------------------------------------------

Index: epan/dissectors/packet-ieee80211.c
===================================================================
--- epan/dissectors/packet-ieee80211.c	(revision 20082)
+++ epan/dissectors/packet-ieee80211.c	(working copy)
@@ -1401,11 +1401,10 @@
 dissect_vendor_ie_rsn(proto_tree * ietree, proto_tree * tree, tvbuff_t
* tvb,
 	int offset, guint32 tag_len, const guint8 *tag_val)
 {
-	guint32 tag_val_off = 0;
 	char out_buff[SHORT_STR], *pos;
 	guint i;

-	if (tag_val_off + 4 <= tag_len && !memcmp(tag_val, RSN_OUI"\x04", 4)) {
+	if (tag_len >= 4 && !memcmp(tag_val, RSN_OUI"\x04", 4)) {
 		/* IEEE 802.11i / Key Data Encapsulation / Data Type=4 - PMKID.
 		 * This is only used within EAPOL-Key frame Key Data. */
 		pos = out_buff;
@@ -1416,7 +1415,9 @@
 		}
 		for (i = 0; i < tag_len - 4; i++) {
 			pos += g_snprintf(pos, out_buff + SHORT_STR - pos, "%02X",
-				tag_val[tag_val_off + 4 + i]);
+				tag_val[i + 4]);
+      if ( pos >= out_buff + SHORT_STR )
+        break;
 		}
 		proto_tree_add_string(tree, tag_interpretation, tvb, offset,
 			tag_len, out_buff);


------------------------------------------------------------------------

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev