Bug #3170: defrag: out of bounds read - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #3170

closed

defrag: out of bounds read

Added by Victor Julien about 5 years ago. Updated about 5 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

4.1.5

Affected Versions:

4.1.4

Effort:

Difficulty:

Label:

Description

A missing check for a minimum size of the reassembled packet leads to an out of bounds read:

=================================================================
==594964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000bda532 at pc 0x563a8ee7c3f3 bp 0x7ffc6087f630 sp 0x7ffc6087f628
READ of size 2 at 0x619000bda532 thread T0
     #0 0x563a8ee7c3f2 in Defrag4Reassemble /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:343:25
     #1 0x563a8ee729f8 in DefragInsertFrag /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:864:17
     #2 0x563a8ee6c035 in Defrag /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:1038:18
     #3 0x563a8ee24db2 in DecodeIPV4 /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/decode-ipv4.c:549:22
     #4 0x563a8ed44caa in LLVMFuzzerTestOneInput /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/fuzzing/fuzz_decoder_ipv4.c:102:5
     #5 0x563a8fce6da2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/fuzzing/playground/decoder_ipv4/fuzz_decoder_ipv4+0x178cda2)
...

Related issues 1 (0 open — 1 closed)