Security #2902
closed
rust/dhcp: panic in dhcp parser
Git IDs:
41aab88ddc7bb593cf1be58e137af85b8bf553f5
Severity:
Disclosure Date:
Description
From reporter:
==14370== ERROR: libFuzzer: deadly signal
    ... /home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/src/dhcp/parser.rs:126:23
    #17 0x56083d83ff5b in suricata::dhcp::parser::parse_option::hab72aeff1560bad1 /home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/<::nom::macros::named macros>:38:46
    #18 0x56083d80582b in suricata::dhcp::parser::dhcp_parse::h5f41b0fc5736d132 /home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/src/dhcp/parser.rs:205:22
    #19 0x56083d7e4e8f in suricata::dhcp::dhcp::DHCPState::parse::h7ace958910b14aac /home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/src/dhcp/dhcp.rs:146:14
    #20 0x56083d72dfbc in rust_fuzzer_test_input /home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/fuzz/fuzz_targets/fuzz_dhcp.rs:7:4
    #21 0x56083d9b2744 in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::h29c9181044b7489b /home/sirko/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/src/lib.rs:11:8
    #22 0x56083d9f984d in std::panicking::try::do_call::hd66afc279650fe66 /rustc/0f88167f89fffe321590c5148f21b7d51d44388d/src/libstd/panicking.rs:293:39
    #23 0x56083da0afe8 in __rust_maybe_catch_panic /rustc/0f88167f89fffe321590c5148f21b7d51d44388d/src/libpanic_abort/lib.rs:29:4

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
The error is from an attempt to parse len - 1 bytes without first checking that len is > 0.
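
The pattern described above, as an added example in plain Rust (not Suricata's parser code): an unchecked `len - 1` beside a form that rejects `len == 0` first. The option layout (code byte, length byte, one type byte, then `len - 1` data bytes), all names, and the error type are assumptions for illustration.

```rust
// Added example. Hypothetical layout: code(1) | len(1) | kind(1) | data(len - 1).
#[derive(Debug, PartialEq)]
pub struct TypedOption<'a> {
    pub code: u8,
    pub kind: u8,
    pub data: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum OptError {
    Truncated,
    ZeroLength,
}

// Unchecked form: `len - 1` on a u8 panics with "attempt to subtract with
// overflow" when len == 0 and overflow checks are enabled (debug and fuzzing
// builds); with checks disabled it wraps to 255 instead.
#[allow(dead_code)]
pub fn parse_typed_unchecked(i: &[u8]) -> Result<(TypedOption<'_>, &[u8]), OptError> {
    let (&code, rest) = i.split_first().ok_or(OptError::Truncated)?;
    let (&len, rest) = rest.split_first().ok_or(OptError::Truncated)?;
    let (&kind, rest) = rest.split_first().ok_or(OptError::Truncated)?;
    let n = (len - 1) as usize; // BUG: no check that len > 0
    if rest.len() < n {
        return Err(OptError::Truncated);
    }
    let (data, rest) = rest.split_at(n);
    Ok((TypedOption { code, kind, data }, rest))
}

// Checked form: validate the length byte before doing arithmetic on it.
pub fn parse_typed_checked(i: &[u8]) -> Result<(TypedOption<'_>, &[u8]), OptError> {
    let (&code, rest) = i.split_first().ok_or(OptError::Truncated)?;
    let (&len, rest) = rest.split_first().ok_or(OptError::Truncated)?;
    let n = len.checked_sub(1).ok_or(OptError::ZeroLength)? as usize;
    let (&kind, rest) = rest.split_first().ok_or(OptError::Truncated)?;
    if rest.len() < n {
        return Err(OptError::Truncated);
    }
    let (data, rest) = rest.split_at(n);
    Ok((TypedOption { code, kind, data }, rest))
}

fn main() {
    // Constructed inputs: a well-formed option, then one with a zero length byte.
    println!("{:?}", parse_typed_checked(&[61, 3, 1, 0xaa, 0xbb, 255]));
    println!("{:?}", parse_typed_checked(&[61, 0, 1]));
}
```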