Project

General

Profile

Actions
Copy link

Security #7067

closed
PA PA

defrag: off by one leads to possible evasion

Security #7067: defrag: off by one leads to possible evasion

Added by Philippe Antoine almost 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
Label:
CVE:
2024-45796
Git IDs:
Severity:
HIGH
Disclosure Date:
09/04/2024

Description

Files

Download all files
lolc.pcap (129 KB) lolc.pcap Philippe Antoine, 06/11/2024 08:15 AM
lole.pcap (300 Bytes) lole.pcap Philippe Antoine, 06/11/2024 08:55 AM

Subtasks 1 (0 open1 closed)

Security #7215: defrag: off by one leads to possible evasion (7.0.x backport)ClosedPhilippe AntoineActions

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #1

Ouch `tracker->ip_hdr_offset` 4 is greater than GET_PKT_LEN(r) 0

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #2

Do you have pcap?

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #3

  • File lol.pcap added

The pcap does trigger only on fuzz_decodepcapfile, not on suricata

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #4

Here is a pcap reproducer

I had to do mergecap -a -w lolc.pcap lolb.pcap lolb.pcap because fuzzing runs the input twice (to check for leaks)

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #5

  • File deleted (lol.pcap)

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #6

Minimized reproducer

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #7

  • Status changed from New to Assigned

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #8

  • Status changed from Assigned to In Review

Gitlab MR

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #9

  • Label Needs backport to 7.0 added

OT Updated by OISF Ticketbot over 1 year ago Actions
Copy link
 #10

  • Subtask #7215 added

OT Updated by OISF Ticketbot over 1 year ago Actions
Copy link
 #11

  • Label deleted (Needs backport to 7.0)

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #12

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
  • Disclosure Date set to 09/04/2024

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #13

  • Assignee changed from Victor Julien to Philippe Antoine

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #14

  • Severity changed from MODERATE to HIGH

HIGH as it could potentially lead to loss of visibility, and thus policy bypass.

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #15

  • Subject changed from defrag: DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX); to defrag: off by one leads to possible evasion

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #18

  • Private changed from Yes to No
Actions
Copy link

Also available in: PDF Atom