2 bugs do make a right in Wireshark

Lets look at the current Wireshark source.

table_length =  tvb_get_ntohl(tvb, offset);

Looks like it's grabbing a 32bit integer.

  tf = proto_tree_add_item(info_tree, hf_address_table_length, tvb, offset, 4, ENC_BIG_ENDIAN);
  element_tree = proto_item_add_subtree(tf, ett_table_element);

And it uses up 4 bytes with that EAT(4).

  if (wccp_wccp_address_table->in_use == FALSE) {
    wccp_wccp_address_table->family = family;
    wccp_wccp_address_table->table_length =  table_length;

    /* check if the length is valid and allocate the tables if needed */
    switch (wccp_wccp_address_table->family) {
    case 1:
      if (wccp_wccp_address_table->table_ipv4 == NULL)
        wccp_wccp_address_table->table_ipv4 = (guint32 *)
          wmem_alloc0(pinfo->pool, wccp_wccp_address_table->table_length * 4);

We have an integer overflow in the alloc on 32 bit systems (where size_t is 32bits). These are potentially useful since you can get a heap overflow if you have an alloc size mismatch with the size of the buffer being used. Bug 1.

No wait..

Lets double check some things.

static gint
dissect_wccp2r1_address_table_info(tvbuff_t *tvb, int offset, int length,
                                   packet_info *pinfo, proto_tree *info_tree, wc
cp_address_table* wccp_wccp_address_table)
  guint16 address_length;
  guint32 i;
  gint16 family;
  guint16 table_length;
  proto_tree *element_tree;
  proto_item *tf;

Uh oh. Looks like table_length is declared as 16bit.. even though the code I showed earlier believes its 32 bits. Bug 2.

/* with version 2.01 we now have a address table which is possibly present */

typedef struct wccp_address_table {
  gboolean in_use;
  gint16 family;
  gint16 version;
  guint16 table_length;
  guint32 *table_ipv4;
  struct e_in6_addr *table_ipv6;
} wccp_address_table;

Given that table_length is 16bits, the alloc() function earlier won't integer overflow.

2 bugs don't make a right. Except, in this case, they do.


Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

InfoSect's Month of Pointless Bugs (#1, #2)

InfoSect's Month of Pointless Bugs (#3)