Security #2945

closed

mpls: heapbuffer overflow in file decode-mpls.c (master)

Added by Victor Julien over 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs: b8ce7f2885cea0ea31c45e9c3dbad4785ae69397
Severity:
Disclosure Date:

Description

From reporter:

## Input
If input of the function int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq) only consists of a package of source address and dest plus the correct type field and the right number for “shim = *(uint32_t *)pkt”.
## Reason
With this network package (source, dest, type, offset of 4 byte), I can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop the network package has a length of 2 byte.
After that you don’t proof the length of the package. Later on you try to read at a position, which is empty.
At this point the program will crash.

I have verified this. If the decoder has to step into the next layer to determine if it's IPv4 or IPv6, it does so without checking the packet length.
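
The missing check described in this report, as an added example (not Suricata's code and not from the reporter): a stand-alone label-stack walker that validates the remaining length before each shim read and again before peeking at the IP version nibble. The function name, result codes and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MPLS_HEADER_LEN 4

/* Hypothetical result codes for this example. */
enum mpls_result { MPLS_IPV4, MPLS_IPV6, MPLS_UNKNOWN, MPLS_TRUNCATED };

/* Constructed samples: a label stack only (S bit set, no payload), and a
 * two-label stack followed by the first byte of an IPv4 header. */
static const uint8_t SHIM_ONLY[] = { 0x00, 0x01, 0x01, 0x40 };
static const uint8_t TWO_LABELS_V4[] = { 0x00, 0x01, 0x00, 0x40,
                                         0x00, 0x02, 0x01, 0x40, 0x45 };

/* Walk the label stack in pkt[0..len) and classify the payload. Every read,
 * including the one-byte peek at the IP version, follows a length check. */
enum mpls_result mpls_classify(const uint8_t *pkt, size_t len, size_t *payload_off)
{
    size_t off = 0;
    uint32_t shim;

    do {
        if (len - off < MPLS_HEADER_LEN)
            return MPLS_TRUNCATED;          /* no room for another shim */
        shim = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
               ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
        off += MPLS_HEADER_LEN;
    } while (((shim >> 8) & 0x1) == 0);     /* loop until bottom-of-stack bit */

    if (off >= len)
        return MPLS_TRUNCATED;              /* stack consumed the whole buffer */

    if (payload_off != NULL)
        *payload_off = off;
    switch (pkt[off] >> 4) {                /* IP version nibble */
    case 4:  return MPLS_IPV4;
    case 6:  return MPLS_IPV6;
    default: return MPLS_UNKNOWN;
    }
}

int main(void)
{
    printf("shim only: %d\n", (int)mpls_classify(SHIM_ONLY, sizeof SHIM_ONLY, NULL));
    printf("two labels + v4: %d\n",
           (int)mpls_classify(TWO_LABELS_V4, sizeof TWO_LABELS_V4, NULL));
    return 0;
}
```

The `off >= len` test after the loop is the check the report says was absent; the next-layer decoder still has to validate its own header length.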


Related issues 1 (0 open, 1 closed)

Copied from Suricata - Security #2884: mpls: heapbuffer overflow in file decode-mpls.c (Closed, Jason Ish)