Security #2945
Closed
mpls: heapbuffer overflow in file decode-mpls.c (master)
Git IDs:
b8ce7f2885cea0ea31c45e9c3dbad4785ae69397
Severity:
Disclosure Date:
Description
From reporter:
## Input

If input of the function `int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)` only consists of a package of source address and dest plus the correct type field and the right number for `shim = *(uint32_t *)pkt`.

## Reason

With this network package (source, dest, type, offset of 4 byte), I can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop the network package has a length of 2 byte. After that you don't proof the length of the package. Later on you try to read at a position, which is empty. At this point the program will crash.
I have verified this. If the decoder has to step into the next layer to determine if it's IPv4, or IPv6, it does so without checking the packet length.
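The missing check described above, shown in a simplified label-stack walker. This is an added example, not Suricata's code or its fix: the function name, result codes and sample packets are hypothetical, and classifying the payload by its first nibble is an assumption about how the next layer is detected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this sketch; not Suricata's own. */
enum { MPLS_TRUNCATED = -1, MPLS_UNKNOWN = 0, MPLS_IPV4 = 4, MPLS_IPV6 = 6 };
#define SHIM_LEN 4u

/* Constructed samples, starting at the first MPLS label entry. */
static const uint8_t shim_only[]  = { 0x00, 0x01, 0x01, 0x40 };        /* S=1, no payload */
static const uint8_t shim_ipv4[]  = { 0x00, 0x01, 0x01, 0x40, 0x45 };  /* S=1, IPv4 nibble */
static const uint8_t two_labels[] = { 0x00, 0x01, 0x00, 0x40,          /* S=0 */
                                      0x00, 0x02, 0x01, 0x40, 0x60 };  /* S=1, IPv6 nibble */

/* Walk the label stack, then classify the payload by its first nibble.
 * No byte is read before the remaining length has been checked. */
int mpls_next_layer(const uint8_t *pkt, size_t len, size_t *payload_off)
{
    size_t off = 0;
    uint32_t shim;

    do {
        if (len - off < SHIM_LEN)          /* guard each label entry */
            return MPLS_TRUNCATED;
        /* Byte-wise big-endian load: no unaligned uint32_t cast. */
        shim = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
               ((uint32_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += SHIM_LEN;
    } while ((shim & 0x100u) == 0);        /* loop until bottom-of-stack bit */

    /* The loop can exit with nothing left; check again before peeking. */
    if (len - off < 1)
        return MPLS_TRUNCATED;

    *payload_off = off;
    switch (pkt[off] >> 4) {
    case 4:  return MPLS_IPV4;
    case 6:  return MPLS_IPV6;
    default: return MPLS_UNKNOWN;
    }
}

int main(void)
{
    size_t off = 0;
    printf("shim only:  %d\n", mpls_next_layer(shim_only, sizeof shim_only, &off));
    printf("shim+ipv4:  %d\n", mpls_next_layer(shim_ipv4, sizeof shim_ipv4, &off));
    printf("two labels: %d\n", mpls_next_layer(two_labels, sizeof two_labels, &off));
    return 0;
}
```

A decoder that then hands the payload to an IPv4 or IPv6 parser still needs that parser to validate its own minimum header length; the check here only covers the single byte peeked at.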
Updated by Victor Julien over 5 years ago
- Copied from Security #2884: mpls: heapbuffer overflow in file decode-mpls.c added
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
- Private changed from Yes to No
Updated by Victor Julien about 4 years ago
- Tracker changed from Bug to Security
- CVE set to 2019-10050
- Git IDs updated (diff)