Actions
Security #2884
closedmpls: heapbuffer overflow in file decode-mpls.c
Git IDs:
4609d5c80acda9adf02f8fb9a6aa8238495bfa13
Severity:
Disclosure Date:
Description
From reporter:
## Input If input of the function int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,uint32_t len, PacketQueue *pq) only consists of a package of source address and dest plus the correct type field and the right number for “shim = *(uint32_t *)pkt”. ## Reason With this network package (source,dest,type,offset of 4 byte), i can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop the network package has a length of 2 byte. After the you don’t proof the length of the package. Later on you try to read at a position, which is empty. At this point the program will crash
I have verified this. If the decoder has to step into the next layer to determine if its IPv4, or IPv6, it does so without checking the packet length.
Updated by Victor Julien over 5 years ago
- Copied to Security #2945: mpls: heapbuffer overflow in file decode-mpls.c (master) added
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
Updated by Victor Julien over 4 years ago
- Tracker changed from Bug to Security
- CVE set to 2019-10050
- Git IDs updated (diff)
Actions