Project

General

Profile

Actions

Security #4484

closed

Security #4483: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti

Infinite loops in when using InspectionBufferMultipleForList

Added by Jeff Lucovsky over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
CVE:
Git IDs:

234cafdcfe84f2d83c4e08244e78fe656af525d1
07669cd70a1cd699919eeb4c8097898ffe40f5d3
2f3524f7e23d437cbc1424382f3aa6fdbacc79ae
e49b5358f9e075dd85365d8451180684f79e5825

Severity:
MODERATE
Disclosure Date:

Description

From https://github.com/OISF/suricata/pull/5622#discussion_r626686822

POC is in #4476 once the buffer overflow gets fixed

Root cause is integer loss of precision casting local_id to uint16_t when there can more than 65536 buffers in a transaction

This may be not the case for dns.query as the maximum PDU length is 65536
But this is definitely the case for MQTT (subscribe topics) where Suricata default maximum PDU is 1Mbyte


Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #4477: Infinite loops in when using InspectionBufferMultipleForListClosedPhilippe AntoineActions
Actions #1

Updated by Jeff Lucovsky over 3 years ago

  • Copied from Bug #4477: Infinite loops in when using InspectionBufferMultipleForList added
Actions #2

Updated by Philippe Antoine over 3 years ago

  • Assignee changed from Philippe Antoine to Shivani Bhardwaj
  • Target version changed from 7.0.0-beta1 to 6.0.3
Actions #3

Updated by Shivani Bhardwaj over 3 years ago

  • Status changed from New to In Progress
Actions #4

Updated by Victor Julien over 3 years ago

  • Status changed from In Progress to Closed
Actions #5

Updated by Victor Julien over 3 years ago

  • Tracker changed from Bug to Security
  • Git IDs updated (diff)
  • Severity set to MODERATE
Actions #6

Updated by Victor Julien over 3 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF