Wireshark (#2)

In the packet-usbip.c dissector

            num_of_devs = tvb_get_ntohl(tvb, offset);
            offset += 4;

            if (num_of_devs == 0)
                return expected_size;

            if (tvb_captured_length_remaining(tvb, offset) < (gint) (0x138 * num_of_devs))
                return 0;

            for (i = 0; i < num_of_devs; i++) {
                guint8 num_of_intf = tvb_get_guint8(tvb, offset + 0x137);
                int skip = num_of_intf * 4;

                expected_size += 0x138 + skip;
                offset += 0x138 + skip;
            return expected_size;

Integer overflow with 0x138 * num_of_devs.

Does it lead to memory corruption? I'm not sure. Perhaps, perhaps not. I'm really more looking for the presence of input validation bugs as opposed to what they can affect.


Popular posts from this blog

Linux Kernel Infoleaks

Memory Bugs in Multiple Linux Kernel Drivers using DebugFS

ESP8266 Firmware Buffer Overflows