Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 4217] New: Integer overflow in ZBEE zdp discovery dissector

Wireshark-bugs: [Wireshark-bugs] [Bug 4217] New: Integer overflow in ZBEE zdp discovery dissecto

Date: Sun, 8 Nov 2009 17:35:25 -0800 (PST)

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4217

           Summary: Integer overflow in ZBEE zdp discovery dissector
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: roe.anthony@xxxxxxxxx


Build Information:
>From SVN source.
--
Hi, during a cursory audit of the ZBEE zdp discovery dissector, I came across
the following vulnerability. It appears to be an integer overflow which could
be leveraged to corrupt process heap memory. 

Since the data copy is 0xFF bytes and the allocated chunk would be (0 + 8 bytes
padding), the resulting memory copy operation will corrupt heap management
structures and could result in execution of code. However, the most likely
result of this corruption would be denial of service. Thanks for all of the
excellent hard work on Wireshark, great work folks.

Details:
-----------------------
File:packet-zbee-zdp-discovery.c

Function:
dissect_zbee_zdp_req_set_user_desc(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree)
-----------------------

Get the user length from the packet, this value is a guint8 (unsigned char):

    if (pinfo->zbee_stack_vers >= ZBEE_VERSION_2007) { 
        //get byte value from packet into byte sized var (0x100) 
        user_length = zbee_parse_uint(tree, hf_zbee_zdp_user_length, tvb,
&offset, sizeof(guint8), NULL); 
    } 
    else { 
        /* No Length field in ZigBee 2003 & earlier, uses a fixed length of 16.
*/ 
        user_length = 16; 
    } 

//Set user_length to 0xff here
...
    user        = ep_alloc(user_length+1); //0 size allocated?

//0xff bytes copied
    user        = tvb_memcpy(tvb, user, offset, user_length);

//Null appended.
    user[user_length] = '\0';


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Follow-Ups:
- [Wireshark-bugs] [Bug 4217] Integer overflow in ZBEE zdp discovery dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 4217] Integer overflow in ZBEE zdp discovery dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 4217] Integer overflow in ZBEE zdp discovery dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 4217] Integer overflow in ZBEE zdp discovery dissector
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 4190] Enhanced the BACnet Info column and context tag numbers
Next by Date: [Wireshark-bugs] [Bug 4217] Integer overflow in ZBEE zdp discovery dissector
Previous by thread: [Wireshark-bugs] [Bug 4037] Automatically scrolling up
Next by thread: [Wireshark-bugs] [Bug 4217] Integer overflow in ZBEE zdp discovery dissector
Index(es):
- Date
- Thread