Project

General

Profile

Actions

Security #4486

closed

Security #4485: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti

Infinite loops in when using InspectionBufferMultipleForList

Added by Jeff Lucovsky about 1 year ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
CVE:
Git IDs:

fdc93130aaf9f4b97ad4ffa305f20d7b0b8be589

Severity:
MODERATE

Description

From https://github.com/OISF/suricata/pull/5622#discussion_r626686822

POC is in #4476 once the buffer overflow gets fixed

Root cause is integer loss of precision casting local_id to uint16_t when there can more than 65536 buffers in a transaction

This may be not the case for dns.query as the maximum PDU length is 65536
But this is definitely the case for MQTT (subscribe topics) where Suricata default maximum PDU is 1Mbyte


Related issues

Copied from Bug #4477: Infinite loops in when using InspectionBufferMultipleForListClosedPhilippe AntoineActions
Actions #1

Updated by Jeff Lucovsky about 1 year ago

  • Copied from Bug #4477: Infinite loops in when using InspectionBufferMultipleForList added
Actions #2

Updated by Philippe Antoine about 1 year ago

  • Assignee changed from Philippe Antoine to Jeff Lucovsky
  • Target version changed from 7.0rc1 to 5.0.6
Actions #3

Updated by Jeff Lucovsky about 1 year ago

  • Target version changed from 5.0.6 to 5.0.7
Actions #4

Updated by Jeff Lucovsky about 1 year ago

  • Status changed from New to In Progress

Cherry-pick(s):
- 31312a918acba597042bdc76701373bc7957b403

Actions #5

Updated by Jeff Lucovsky about 1 year ago

  • Status changed from In Progress to In Review
Actions #6

Updated by Victor Julien about 1 year ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
Actions #7

Updated by Victor Julien 12 months ago

  • Status changed from In Review to Closed
  • Affected Versions 5.0.6 added
  • Affected Versions deleted (6.0.2)
Actions #8

Updated by Victor Julien 12 months ago

  • Git IDs updated (diff)
Actions #9

Updated by Victor Julien 11 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF