Security #2945

closed

mpls: heapbuffer overflow in file decode-mpls.c (master)

Added by Victor Julien over 5 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs: b8ce7f2885cea0ea31c45e9c3dbad4785ae69397
Severity:
Disclosure Date:

Description

From reporter:

## Input
If input of the function int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq) only consists of a package of source address and dest plus the correct type field and the right number for “shim = *(uint32_t *)pkt”.
## Reason
With this network package (source, dest, type, offset of 4 byte), I can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop the network package has a length of 2 byte.
After that you don’t proof the length of the package. Later on you try to read at a position, which is empty.
At this point the program will crash.

I have verified this. If the decoder has to step into the next layer to determine if it's IPv4 or IPv6, it does so without checking the packet length.
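
The missing length check described above, as an added example that is not part of the issue or of Suricata's code: a simplified label-stack walk in which every read is preceded by a bounds check. The function and enum names are hypothetical, the sample packets are constructed, and classifying the payload by its first nibble is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of walking an MPLS label stack (hypothetical names). */
enum mpls_next { MPLS_NEXT_IPV4, MPLS_NEXT_IPV6, MPLS_NEXT_UNKNOWN, MPLS_TRUNCATED };

#define MPLS_SHIM_LEN 4u

/* Walk 4-byte label stack entries until the bottom-of-stack (S) bit is set,
 * then classify the payload by its first nibble. Every read is preceded by
 * a check against the bytes that remain in the buffer. */
enum mpls_next mpls_classify(const uint8_t *pkt, size_t len)
{
    int bottom = 0;

    while (!bottom) {
        if (len < MPLS_SHIM_LEN)
            return MPLS_TRUNCATED;   /* not enough bytes for a shim */
        bottom = pkt[2] & 0x01;      /* S bit: lowest bit of the third byte */
        pkt += MPLS_SHIM_LEN;
        len -= MPLS_SHIM_LEN;
    }

    /* The check the issue describes as missing: the stack can end exactly
     * at the end of the buffer, leaving no next-layer byte to peek at. */
    if (len < 1)
        return MPLS_TRUNCATED;

    switch (pkt[0] >> 4) {
    case 4:  return MPLS_NEXT_IPV4;
    case 6:  return MPLS_NEXT_IPV6;
    default: return MPLS_NEXT_UNKNOWN;
    }
}

/* Constructed inputs (label 16, S=1, TTL 0x40 unless noted). */
const uint8_t only_shim[]  = { 0x00, 0x01, 0x01, 0x40 };        /* no payload */
const uint8_t shim_ipv4[]  = { 0x00, 0x01, 0x01, 0x40, 0x45 };  /* IPv4 byte  */
const uint8_t two_labels[] = { 0x00, 0x01, 0x00, 0x40,          /* S=0        */
                               0x00, 0x02, 0x01, 0x40, 0x60 };  /* S=1, IPv6  */

int main(void)
{
    printf("%d %d %d\n", mpls_classify(only_shim, sizeof only_shim),
           mpls_classify(shim_ipv4, sizeof shim_ipv4),
           mpls_classify(two_labels, sizeof two_labels));
    return 0;
}
```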


Related issues 1 (0 open, 1 closed)

Copied from Suricata - Security #2884: mpls: heapbuffer overflow in file decode-mpls.c (Closed, Jason Ish)
#1

Updated by Victor Julien over 5 years ago

  • Copied from Security #2884: mpls: heapbuffer overflow in file decode-mpls.c added
#2

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Private changed from Yes to No
#3

Updated by Victor Julien about 4 years ago

  • Tracker changed from Bug to Security
  • CVE set to 2019-10050
  • Git IDs updated (diff)