Project

General

Profile

Bug #2902

rust/dhcp: panic in dhcp parser

Added by Jason Ish about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:

Description

From reporter:

==14370== ERROR: libFuzzer: deadly signal
...
/home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/src/dhcp/parser.rs:126:23
#17 0x56083d83ff5b in suricata::dhcp::parser::parse_option::hab72aeff1560bad1 /home/sirko/Projects/CI/fuzzing/suricata-
fuzzing.2/rust/<::nom::macros::named macros>:38:46
#18 0x56083d80582b in suricata::dhcp::parser::dhcp_parse::h5f41b0fc5736d132 /home/sirko/Projects/CI/fuzzing/suricata-
fuzzing.2/rust/src/dhcp/parser.rs:205:22
#19 0x56083d7e4e8f in suricata::dhcp::dhcp::DHCPState::parse::h7ace958910b14aac /home/sirko/Projects/CI/fuzzing/suricata-
fuzzing.2/rust/src/dhcp/dhcp.rs:146:14
#20 0x56083d72dfbc in rust_fuzzer_test_input /home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/fuzz/fuzz_targets/
fuzz_dhcp.rs:7:4
#21 0x56083d9b2744 in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::h29c9181044b7489b
/home/sirko/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/src/lib.rs:11:8
#22 0x56083d9f984d in std::panicking::try::do_call::hd66afc279650fe66
/rustc/0f88167f89fffe321590c5148f21b7d51d44388d/src/libstd/panicking.rs:293:39
#23 0x56083da0afe8 in __rust_maybe_catch_panic /rustc/0f88167f89fffe321590c5148f21b7d51d44388d/src/libpanic_abort/
lib.rs:29:4
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

The error is from an attempt to parse len - 1 bytes without first checking that len is > 0.


Related issues

Copied to Bug #2947: rust/dhcp: panic in dhcp parser (master)ClosedJason IshActions
#1

Updated by Victor Julien about 1 year ago

  • Copied to Bug #2947: rust/dhcp: panic in dhcp parser (master) added
#2

Updated by Victor Julien about 1 year ago

  • Status changed from Assigned to Closed
#3

Updated by Victor Julien about 1 year ago

  • Private changed from Yes to No

Also available in: Atom PDF