Actions
Security #2945
closedmpls: heapbuffer overflow in file decode-mpls.c (master)
Git IDs:
b8ce7f2885cea0ea31c45e9c3dbad4785ae69397
Severity:
Disclosure Date:
Description
From reporter:
## Input If input of the function int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,uint32_t len, PacketQueue *pq) only consists of a package of source address and dest plus the correct type field and the right number for “shim = *(uint32_t *)pkt”. ## Reason With this network package (source,dest,type,offset of 4 byte), i can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop the network package has a length of 2 byte. After the you don’t proof the length of the package. Later on you try to read at a position, which is empty. At this point the program will crash
I have verified this. If the decoder has to step into the next layer to determine if its IPv4, or IPv6, it does so without checking the packet length.
Actions