Wireshark-bugs: [Wireshark-bugs] [Bug 4217] New: Integer overflow in ZBEE zdp discovery dissecto

Date: Sun, 8 Nov 2009 17:35:25 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4217

           Summary: Integer overflow in ZBEE zdp discovery dissector
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: roe.anthony@xxxxxxxxx


Build Information:
From SVN source.
--
Hi, during a cursory audit of the ZBEE zdp discovery dissector, I came across
the following vulnerability. It appears to be an integer overflow which could
be leveraged to corrupt process heap memory. 

Since the data copy is 0xFF bytes and the allocated chunk would be (0 + 8 bytes
padding), the resulting memory copy operation will corrupt heap management
structures and could result in execution of code. However, the most likely
result of this corruption would be denial of service. Thanks for all of the
excellent hard work on Wireshark, great work folks.

Details:
-----------------------
File:packet-zbee-zdp-discovery.c

Function:
dissect_zbee_zdp_req_set_user_desc(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree)
-----------------------

Get the user length from the packet, this value is a guint8 (unsigned char):

    if (pinfo->zbee_stack_vers >= ZBEE_VERSION_2007) {
        //get byte value from packet into byte sized var (0x100)
        user_length = zbee_parse_uint(tree, hf_zbee_zdp_user_length, tvb, &offset, sizeof(guint8), NULL);
    }
    else {
        /* No Length field in ZigBee 2003 & earlier, uses a fixed length of 16. */
        user_length = 16;
    }

//Set user_length to 0xff here
...
    user        = ep_alloc(user_length+1); //0 size allocated?

//0xff bytes copied
    user        = tvb_memcpy(tvb, user, offset, user_length);

//Null appended.
    user[user_length] = '\0';


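The length arithmetic the report hinges on, written out as an added example (this is not code from the report or from Wireshark; `guint8` is stood in by `uint8_t`, and `copy_user_desc` is a hypothetical bounds-checked version of the copy, not the dissector's own):

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef uint8_t guint8; /* stand-in for GLib's guint8 (assumed here) */

/* Size that ep_alloc(user_length + 1) receives: guint8 is promoted to
   int before the addition, so 0xff + 1 yields 0x100, not 0. */
size_t alloc_size_promoted(guint8 user_length) {
    return (size_t)(user_length + 1);
}

/* Same expression when the sum is stored back in a guint8: the value
   is reduced modulo 256, so 0xff + 1 wraps to 0. */
guint8 alloc_size_truncated(guint8 user_length) {
    guint8 n = (guint8)(user_length + 1);
    return n;
}

/* Defensive copy of a length-prefixed field: the declared length must
   fit the bytes left in the buffer, and the allocation size is computed
   in size_t. Returns NULL for a malformed length or allocation failure. */
char *copy_user_desc(const guint8 *pkt, size_t pkt_len, size_t offset,
                     guint8 user_length) {
    if (offset > pkt_len || user_length > pkt_len - offset) return NULL;
    char *user = malloc((size_t)user_length + 1);
    if (user == NULL) return NULL;
    memcpy(user, pkt + offset, user_length);
    user[user_length] = '\0';
    return user;
}

/* Constructed 3-byte packet whose length byte claims 0xff: must be rejected. */
int demo_overlong_length_rejected(void) {
    static const guint8 pkt[] = { 0xff, 'h', 'i' };
    char *user = copy_user_desc(pkt, sizeof pkt, 1, pkt[0]);
    int rejected = (user == NULL);
    free(user);
    return rejected;
}
/* Constructed packet with a consistent length byte: copies "hi". */
int demo_valid_copy(void) {
    static const guint8 pkt[] = { 0x02, 'h', 'i' };
    char *user = copy_user_desc(pkt, sizeof pkt, 1, pkt[0]);
    int ok = (user != NULL && strcmp(user, "hi") == 0);
    free(user);
    return ok;
}
```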