Wireshark-bugs: [Wireshark-bugs] [Bug 12624] New: Infinite loop in dissect_mmse()
| Bug ID |
12624
|
| Summary |
Infinite loop in dissect_mmse()
|
| Product |
Wireshark
|
| Version |
1.12.8
|
| Hardware |
x86-64
|
| OS |
All
|
| Status |
UNCONFIRMED
|
| Severity |
Major
|
| Priority |
Low
|
| Component |
Dissection engine (libwireshark)
|
| Assignee |
bugzilla-admin@wireshark.org
|
| Reporter |
c.benedict@prometheuscomputing.com
|
| CC |
c.benedict@prometheuscomputing.com
|
Created attachment 14736 [details]
Sample generated by AFL
Build Information:
TShark 1.12.8 (v1.12.8-7-ga5131f2 from unknown)
Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.48.1, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, without SMI, with c-ares 1.11.0, without
Lua, without Python, with GnuTLS 3.4.14, with Gcrypt 1.7.1, with MIT Kerberos,
with GeoIP.
Running on Linux 4.6.3-1-ARCH, with locale en_US.utf8, with libpcap version
1.7.4, with libz 1.2.8.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).
--
This issue was uncovered with AFL (http://lcamtuf.coredump.cx/afl/)
This infinite loop is caused by an overly large length being returned by
tvb_get_guintvar at packet-mmse.c line 1254. This causes the offset variable to
overflow and triggers an infinite loop.
This has been observed in tshark 1.12.x but does not occur in 2.0.x.
Credit goes to Chris Benedict, Aurelien Delaitre, NIST SAMATE Project,
https://samate.nist.gov
You are receiving this mail because:
- You are watching all bug changes.
