Project

General

Profile

Actions

Bug #3171

closed

defrag: out of bounds read (5.x)

Added by Victor Julien over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

A missing check for a minimum size of the reassembled packet leads to an out of bounds read:

=================================================================
==594964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000bda532 at pc 0x563a8ee7c3f3 bp 0x7ffc6087f630 sp 0x7ffc6087f628
READ of size 2 at 0x619000bda532 thread T0
     #0 0x563a8ee7c3f2 in Defrag4Reassemble /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:343:25
     #1 0x563a8ee729f8 in DefragInsertFrag /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:864:17
     #2 0x563a8ee6c035 in Defrag /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/defrag.c:1038:18
     #3 0x563a8ee24db2 in DecodeIPV4 /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/src/decode-ipv4.c:549:22
     #4 0x563a8ed44caa in LLVMFuzzerTestOneInput /home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/fuzzing/fuzz_decoder_ipv4.c:102:5
     #5 0x563a8fce6da2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/sirko/Projects/CI/fuzzing/_CPP/suricata/suricata-fuzzing.4.1.4/fuzzing/playground/decoder_ipv4/fuzz_decoder_ipv4+0x178cda2)
...


Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #3170: defrag: out of bounds readClosedJason IshActions
Actions

Also available in: Atom PDF