Wireshark-bugs: [Wireshark-bugs] [Bug 8169] New: Possible infinite loop in nwmtp dissector
Date: Mon, 07 Jan 2013 14:19:55 +0000
Bug ID 8169
Summary Possible infinite loop in nwmtp dissector
Classification Unclassified
Product Wireshark
Version 1.8.4
Hardware x86
OS All
Status UNCONFIRMED
Severity Minor
Priority Low
Component Wireshark
Assignee bugzilla-admin@wireshark.org
Reporter me@moshekaplan.com

Build Information:
wireshark 1.8.4 (SVN Rev Unknown from unknown)

Compiled (64-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.30.0, with
GLib 2.32.3, with libpcap, with libz 1.2.3.4, without POSIX capabilities,
without SMI, without c-ares, without ADNS, without Lua, without Python, without
GnuTLS, without Gcrypt, without Kerberos, without GeoIP, without PortAudio, with
AirPcap.

Running on Linux 3.2.0-29-generic, with locale en_US.UTF-8, with libpcap version
1.1.1, with libz 1.2.3.4, without AirPcap.

Built using gcc 4.6.3.
--
File: packet-nwmtp.c

Bug: An attacker can cause a DoS via an infinite loop.

Summary: len (a guint32) can wrap around, causing the loop to re-examine
previous values.

Relevant Code:

int offset;
guint32 len;

offset = 0;

...

while (tvb_reported_length_remaining(tvb, offset) > 0) {
    ...
    len = tvb_get_ntohl(tvb, offset + 8);   /* attacker-controlled 32-bit length */
    ...
    next_tvb = tvb_new_subset(tvb, offset + 12, len, len);
    ...
    offset += len + 12;   /* int += guint32: done as unsigned arithmetic, so the
                             sum can wrap and land back on an earlier offset */
}

Notes:

This would require a 2GB+ capture file, as the call to tvb_new_subset() takes a
signed integer, and immediately raises an error if it's < -1. Therefore, len
cannot be larger than 2**31-1.

That means that crafting input for this infinite loop requires:

1) crafting 2-3 'mtp' entries inside the packet.

2) a 2GB+ capture file

This is in addition to requiring a manual selection of 'Decode as'.
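The following is an added example, not code from packet-nwmtp.c or from the Wireshark project: it reproduces the loop's offset arithmetic on plain integers (no 2GB buffer needed) so the wrap can be observed, and places a checked replacement next to it. It assumes the two's-complement behaviour of the out-of-range unsigned-to-int conversion that gcc on x86 exhibits (which the report relies on); the names nwmtp_next_offset_unchecked, nwmtp_next_offset_checked, nwmtp_offset_after and wrap_to_int are hypothetical, as is the 0x90000000-byte buffer size used to drive the checked version.

```c
/* Added example (not Wireshark code): simulate `offset += len + 12` from the
 * nwmtp dissector loop and show a checked replacement. Names are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NWMTP_HDR_LEN 12u   /* header bytes before the length-delimited payload */

/* Reinterpret a 32-bit pattern as a two's-complement int without relying on
 * the implementation-defined out-of-range conversion. This is what gcc/clang
 * produce for (int)v on x86, i.e. what the real dissector ends up doing. */
static int wrap_to_int(uint32_t v)
{
    return v <= (uint32_t)INT_MAX ? (int)v : -(int)(UINT32_MAX - v) - 1;
}

/* The dissector's step as written: int offset plus guint32 len. The usual
 * arithmetic conversions make the addition unsigned 32-bit, so the sum wraps
 * modulo 2^32 and is then stored back into a signed int. */
static int nwmtp_next_offset_unchecked(int offset, uint32_t len)
{
    uint32_t sum = (uint32_t)offset + len + NWMTP_HDR_LEN;
    return wrap_to_int(sum);
}

/* Apply the unchecked step `steps` times starting from offset 0, as if every
 * 'mtp' entry carried the length field `len`. Returns the resulting offset. */
static int nwmtp_offset_after(int steps, uint32_t len)
{
    int offset = 0;
    for (int i = 0; i < steps; i++)
        offset = nwmtp_next_offset_unchecked(offset, len);
    return offset;
}

/* Hardened step: do the arithmetic in 64 bits and refuse any step that would
 * leave the buffer or stop being representable as a non-negative int. A caller
 * should treat `false` as a malformed packet and stop the loop. */
static bool nwmtp_next_offset_checked(int offset, uint32_t len,
                                      uint32_t reported_len, int *next)
{
    int64_t n = (int64_t)offset + (int64_t)len + NWMTP_HDR_LEN;
    if (offset < 0 || n > INT_MAX || n > (int64_t)reported_len)
        return false;
    *next = (int)n;
    return true;
}

int main(void)
{
    /* 2**31-1: the largest len tvb_new_subset() accepts once cast to a gint. */
    uint32_t len = 0x7fffffffu;
    int next = 0;

    printf("after 1 entry:   offset = %d\n", nwmtp_offset_after(1, len));
    printf("after 2 entries: offset = %d (back near the start of the buffer)\n",
           nwmtp_offset_after(2, len));
    printf("checked step accepted: %s\n",
           nwmtp_next_offset_checked(0, len, 0x90000000u, &next) ? "yes" : "no");
    return 0;
}
```

Two maximal entries are enough: the first step turns the offset negative, the second wraps it back to 22, so the loop re-reads data it has already dissected. The checked variant rejects the first step outright because the next offset is not representable as an int, regardless of how large the capture is.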
