Wireshark-bugs: [Wireshark-bugs] [Bug 9672] New: Memory corruption in packet-nfs.c
Date: Mon, 20 Jan 2014 20:33:22 +0000
Bug ID: 9672
Summary: Memory corruption in packet-nfs.c
Classification: Unclassified
Product: Wireshark
Version: SVN
Hardware: x86
OS: Windows 7
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-admin@wireshark.org
Reporter: me@moshekaplan.com

Build Information:
wireshark 1.11.3 (SVNRev 54856 from /trunk)
--
A remote attacker can create a specially crafted packet that, when processed,
causes Wireshark to crash due to an out-of-bounds memcpy.

Steps to replicate:
0) Open Wireshark
1) Under "Protocol Preferences" check the box to allow NFS to "Snoop FH to
filename mappings".
2) Open the attached pcap

Tested on Wireshark svnr54856

This packet causes Wireshark to allocate 0 bytes, and then attempt to copy
~2^32 bytes into the allocated memory, which causes Wireshark to crash.

Relevant Code:

nfs_name_snoop_add_name(civ->xid, tvb,
    offset+36, tvb_get_ntohl(tvb, offset+32),
    offset, 32, NULL);

nfs_name_snoop_add_name(int xid, tvbuff_t *tvb, int name_offset, int name_len,
                        int parent_offset, int parent_len, const char *name)
{
    // ... <SNIP> ...
    if (name) {
        // ... <SNIP> ...
    } else {
        nns->name_len = name_len;
        nns->name = (char *)g_malloc(name_len+1);
        memcpy(nns->name, ptr, name_len);
    }
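
The length arithmetic described in the report, next to a checked copy, as an added example (not Wireshark code and not from the reporter). The function names, the constructed sample buffers and the 255-byte cap are assumptions made for illustration; a plain byte buffer stands in for the tvbuff.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_NAME_LEN 255u /* assumed cap for this example */
/* Constructed inputs: 4-byte big-endian length, then the name bytes. */
static const uint8_t SAMPLE_OK[]  = {0, 0, 0, 3, 'a', 'b', 'c'};
static const uint8_t SAMPLE_BAD[] = {0xFF, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c'};

/* Big-endian 32-bit read, the role tvb_get_ntohl() plays in the report. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Sizes the reported code computes where size_t is 32 bits (x86). */
void sizes_in_report(uint32_t wire_len, uint32_t *alloc, uint32_t *copy)
{
    *alloc = wire_len + 1u; /* g_malloc(name_len+1): 0xFFFFFFFF wraps to 0 */
    *copy = wire_len;       /* memcpy(..., name_len): int -1 becomes 2^32-1 */
}

/* Checked copy: unsigned length, validated before allocation. */
char *copy_name_checked(const uint8_t *buf, size_t buf_len, size_t len_off)
{
    if (buf_len < 4 || len_off > buf_len - 4)
        return NULL; /* length field itself is truncated */
    uint32_t name_len = get_be32(buf + len_off);
    size_t avail = buf_len - len_off - 4; /* bytes after the length field */
    if (name_len > MAX_NAME_LEN || name_len > avail)
        return NULL; /* oversized, or claims more than was captured */
    char *name = malloc((size_t)name_len + 1);
    if (!name) return NULL;
    memcpy(name, buf + len_off + 4, name_len);
    name[name_len] = '\0';
    return name;
}

int main(void)
{
    uint32_t a, c;
    sizes_in_report(get_be32(SAMPLE_BAD), &a, &c);
    printf("reported code: alloc=%u copy=%u\n", (unsigned)a, (unsigned)c);
    char *ok = copy_name_checked(SAMPLE_OK, sizeof SAMPLE_OK, 0);
    char *bad = copy_name_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, 0);
    printf("checked: ok=%s bad=%s\n", ok ? ok : "rejected", bad ? bad : "rejected");
    free(ok);
    return 0;
}
```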

