Project

General

Profile

Actions
Copy link

Security #2946

closed

decode-ethernet: heapbuffer overflow in file decode-ethernet.c (master)

Added by Victor Julien over 5 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
High
Assignee:
Jason Ish
Target version:
5.0beta1
Affected Versions:
Label:
CVE:
2019-10056
Git IDs:

8d7d6a96a52273dfae17c55aef7098d0d9670aba

Severity:
Disclosure Date:

Description

From reporter:

## Input
Nearly the same as bug 2 but the type is an other, such that the DecodeEthernet(..) is executed e second time.
...
case ETHERNET_TYPE_DCE:
if (unlikely(len < ETHERNET_DCE_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, DCE_PKT_TOO_SMALL);
} else {
DecodeEthernet(tv, dtv, p, pkt + ETHERNET_DCE_HEADER_LEN,
len - ETHERNET_DCE_HEADER_LEN, pq);
}
break ;
...
## Reason
If the package is exactly 28 long, in the first iteration you subtract 14 bytes. Than we have a packet length
of 14. At this point the case distinction says it is a valid packet. After that you cast the packet, but
This packet has not a type and the program will crash at the type case distinction.

If you proof the ethernet packets of a valid minimal max length, it would counter this types of bugs

Related issues 1 (0 open1 closed)

Copied from Suricata - Security #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.cClosedJason IshActions
Actions
Copy link
 #1

Updated by Victor Julien over 5 years ago

  • Copied from Security #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c added
Actions
Copy link
 #2

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Private changed from Yes to No
Actions
Copy link
 #3

Updated by Victor Julien about 4 years ago

  • Tracker changed from Bug to Security
  • CVE set to 2019-10056
  • Git IDs updated (diff)
Actions
Copy link

Also available in: Atom PDF