Project

General

Profile

Actions
Copy link

Security #2884

closed

mpls: heapbuffer overflow in file decode-mpls.c

Added by Jason Ish about 5 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
4.1.4
Affected Versions:
Label:
CVE:
2019-10050
Git IDs:

4609d5c80acda9adf02f8fb9a6aa8238495bfa13

Severity:
Disclosure Date:

Description

From reporter:

## Input
If input of the function int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t
*pkt,uint32_t len, PacketQueue *pq) only consists of a package of source address and dest plus the correct type
field and the right number for “shim = *(uint32_t *)pkt”.
## Reason
With this network package (source,dest,type,offset of 4 byte), i can manipulate the control flow, such that the
condition to leave the loop is true. After leaving the loop the network package has a length of 2 byte.
After the you don’t proof the length of the package. Later on you try to read at a position, which is empty.
At this point the program will crash

I have verified this. If the decoder has to step into the next layer to determine if its IPv4, or IPv6, it does so without checking the packet length.

Related issues 1 (0 open1 closed)

Copied to Suricata - Security #2945: mpls: heapbuffer overflow in file decode-mpls.c (master)ClosedJason IshActions
Actions
Copy link
 #1

Updated by Victor Julien almost 5 years ago

  • Copied to Security #2945: mpls: heapbuffer overflow in file decode-mpls.c (master) added
Actions
Copy link
 #2

Updated by Victor Julien almost 5 years ago

  • Status changed from Assigned to Closed
Actions
Copy link
 #3

Updated by Victor Julien almost 5 years ago

  • Private changed from Yes to No
Actions
Copy link
 #4

Updated by Victor Julien over 3 years ago

  • Tracker changed from Bug to Security
  • CVE set to 2019-10050
  • Git IDs updated (diff)
Actions
Copy link

Also available in: Atom PDF