Actions
Bug #3170
closeddefrag: out of bounds read
Affected Versions:
Effort:
Difficulty:
Label:
Description
A missing check for a minimum size of the reassembled packet leads to an out of bounds read:
================================================================= ==594964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000bda532 at pc 0x563a8ee7c3f3 bp 0x7ffc6087f630 sp 0x7ffc6087f628 READ of size 2 at 0x619000bda532 thread T0 #0 0x563a8ee7c3f2 in Defrag4Reassemble /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:343:25 #1 0x563a8ee729f8 in DefragInsertFrag /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:864:17 #2 0x563a8ee6c035 in Defrag /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:1038:18 #3 0x563a8ee24db2 in DecodeIPV4 /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/decode-ipv4.c:549:22 #4 0x563a8ed44caa in LLVMFuzzerTestOneInput /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/fuzzing/fuzz_decoder_ipv4.c:102:5 #5 0x563a8fce6da2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/fuzzing/playground/decoder_ipv4/fuzz_decoder_ipv4+0x178cda2) ...
Updated by Victor Julien over 5 years ago
- Copied to Bug #3171: defrag: out of bounds read (5.x) added
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed
- Assignee changed from Victor Julien to Jason Ish
- Private changed from Yes to No
Actions