Security #3176

closed

ipv4: ts field decoding oob read (5.x)

Added by Victor Julien about 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs: 4ca83ca4896bbb07fff0ff8225f37a93b08c3374
Severity:
Disclosure Date:

Description

Due to a mistake in the offset at which the flags field is read, a one-byte OOB read happens:

 READ of size 1 at 0x6070000006f6 thread T0
 #0 0x59f002 in IPV4OptValidateTimestamp /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/decode-ipv4.c:162:12
 #1 0x59b2a9 in DecodeIPV4Options /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/decode-ipv4.c:378:32
 #2 0x596c2c in DecodeIPV4Packet /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/decode-ipv4.c:527:9
 #3 0x593032 in DecodeIPV4 /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/decode-ipv4.c:540:9
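
For comparison with the out-of-bounds read reported above, here is an added example (not Suricata's code and not the fix from the referenced commit) of a bounds-checked validator for the RFC 791 Internet Timestamp option, in which the flag nibble sits in the fourth octet and is read only after the declared length is checked against the remaining buffer. The function name, constants and result codes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define IPV4_OPT_TS     0x44 /* RFC 791 Internet Timestamp option type (68) */
#define IPV4_OPT_TS_HDR 4    /* type, length, pointer, overflow/flag octets */
#define IPV4_OPT_MAX    40   /* largest option area in an IPv4 header */

/* Result codes; names are hypothetical, chosen for this example. */
enum ts_result { TS_OK, TS_TRUNCATED, TS_WRONG_TYPE, TS_BAD_LEN, TS_BAD_FLAG, TS_BAD_PTR };

/* Validate one timestamp option. `opt` points at the type octet and `avail`
 * is the number of option bytes remaining in the header buffer. */
enum ts_result ts_opt_validate(const uint8_t *opt, size_t avail)
{
    /* Type and length octets must be present before they are read. */
    if (avail < 2)
        return TS_TRUNCATED;
    if (opt[0] != IPV4_OPT_TS)
        return TS_WRONG_TYPE;

    uint8_t len = opt[1];
    if (len < IPV4_OPT_TS_HDR || len > IPV4_OPT_MAX)
        return TS_BAD_LEN;
    /* The declared length must fit in what is actually left; this is the
     * check that makes the reads of opt[2] and opt[3] below safe. */
    if (len > avail)
        return TS_TRUNCATED;

    uint8_t ptr  = opt[2];        /* 1-based offset of the next free slot */
    uint8_t flag = opt[3] & 0x0f; /* low nibble; high nibble is overflow */

    /* Record size by flag: 0 = timestamp only, 1 and 3 = address + timestamp.
     * Rejecting other flag values is a choice made in this example. */
    size_t rec;
    if (flag == 0)
        rec = 4;
    else if (flag == 1 || flag == 3)
        rec = 8;
    else
        return TS_BAD_FLAG;

    /* Smallest legal pointer is 5; len + 1 means the area is full. Requiring
     * record alignment is an extra sanity check assumed here. */
    if (ptr < 5 || ptr > (size_t)len + 1 || (size_t)(ptr - 5) % rec != 0)
        return TS_BAD_PTR;
    return TS_OK;
}
```

Running the validator under AddressSanitizer with a buffer that ends right after the pointer octet exercises the same class of input as the trace above: it returns `TS_TRUNCATED` without touching the flag octet.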


Related issues: 1 (0 open, 1 closed)

Copied from Suricata - Security #3173: ipv4: ts field decoding oob read - Closed - Victor Julien
