Wireshark-bugs: [Wireshark-bugs] [Bug 6391] New: packet-rlc buffer overflow
Date: Sun, 25 Sep 2011 02:00:39 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6391

           Summary: packet-rlc buffer overflow
           Product: Wireshark
           Version: 1.6.1
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Low
         Component: Wireshark
        AssignedTo: [email protected]
        ReportedBy: [email protected]


Build Information:
Wireshark 1.6.1
linux 2.6.38-11-generic.
gcc 4.5.2
--
[Remote bufferoverflow in Wireshark]

Program: Wireshark.
Version: Latest version (1.6.1)
OS: All platforms

Description:

Wireshark is the world's foremost network protocol analyzer. It has many
modules called dissectors for analyzing specific protocols. When it analyze rlc
packets, there is a bug that allows a remote attacker to get control of victim.

The bug is in ~/epan/dissectors/packet-rlc.c

static void reassemble_message(struct rlc_channel *ch, struct rlc_sdu *sdu,
struct rlc_frag *frag)
{
        ....
        ....

        temp = sdu->frags;
        while (temp) {
                memcpy(sdu->data + offs, temp->data, temp->len);
                /* mark this fragment in reassembled table */
                g_hash_table_insert(reassembled_table, temp, sdu);

                offs += temp->len;
                temp = temp->next;
        }
        ....
        ....
}

It loops to merge fragmented packets. But, as they don't check buffer size,
total fragmented packets can be over a sdu packet size. We can see that size of
len of rlc_sdu and size of len of rlc_frag are the same. 

/* fragment representation */
struct rlc_frag {
        guint32 frame_num;
        struct rlc_channel ch;
        guint16 seq; /* RLC sequence number */
        guint16 li; /* LI within current RLC frame */
        guint16 len; /* length of fragment data */
        guint8 *data; /* store fragment data here */

        struct rlc_frag *next; /* next fragment */
};

struct rlc_sdu {
        tvbuff_t *tvb; /* contains reassembled tvb */
        guint16 len; /* total length of reassembled SDU */
        guint16 fragcnt; /* number of fragments within this SDU */
        guint8 *data; /* reassembled data buffer */

        struct rlc_frag *reassembled_in;
        struct rlc_frag *frags; /* pointer to list of fragments */
        struct rlc_frag *last; /* pointer to last fragment */
};

This can be triggered if fragmented packets's size is bigger than a sdu size.
There is no sanity for checking total fragmented size.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.