Actions
Security #2946
closeddecode-ethernet: heapbuffer overflow in file decode-ethernet.c (master)
Git IDs:
8d7d6a96a52273dfae17c55aef7098d0d9670aba
Severity:
Disclosure Date:
Description
From reporter:
## Input Nearly the same as bug 2 but the type is an other, such that the DecodeEthernet(..) is executed e second time. ... case ETHERNET_TYPE_DCE: if (unlikely(len < ETHERNET_DCE_HEADER_LEN)) { ENGINE_SET_INVALID_EVENT(p, DCE_PKT_TOO_SMALL); } else { DecodeEthernet(tv, dtv, p, pkt + ETHERNET_DCE_HEADER_LEN, len - ETHERNET_DCE_HEADER_LEN, pq); } break ; ... ## Reason If the package is exactly 28 long, in the first iteration you subtract 14 bytes. Than we have a packet length of 14. At this point the case distinction says it is a valid packet. After that you cast the packet, but This packet has not a type and the program will crash at the type case distinction.
If you proof the ethernet packets of a valid minimal max length, it would counter this types of bugs
Updated by Victor Julien over 5 years ago
- Copied from Security #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c added
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
- Private changed from Yes to No
Updated by Victor Julien over 4 years ago
- Tracker changed from Bug to Security
- CVE set to 2019-10056
- Git IDs updated (diff)
Actions