xorl %eax, %eax

Wireshark IPMI Dissector Buffer Overrun (Bug 3559)

leave a comment »

It was officially reported on 20 June 2009 by yami as a fuzzing result including the PCAP capture file. This issue affects only 1.2.0 release of Wireshark and it is located in IPMI protocol dissector. The buggy code is located at epan/dissectors/packet-ipmi-se.c where the sub-dissectors for IPMI can be found.

/* Common for Get EE/Set EE/Rearm
 */
static void
add_events(tvbuff_t *tvb, int offs, proto_tree *tree, const struct true_false_string *tfs,
                const char *desc)
{
        static const int *bsel[4][8] = {
                { &hf_ipmi_se_XX_b1_0, &hf_ipmi_se_XX_b1_1, &hf_ipmi_se_XX_b1_2, &hf_ipmi_se_XX_b1_3,
                        &hf_ipmi_se_XX_b1_4, &hf_ipmi_se_XX_b1_5, &hf_ipmi_se_XX_b1_6, &hf_ipmi_se_XX_b1_7 },
                { &hf_ipmi_se_XX_b2_0, &hf_ipmi_se_XX_b2_1, &hf_ipmi_se_XX_b2_2, &hf_ipmi_se_XX_b2_3,
                        &hf_ipmi_se_XX_b2_4, &hf_ipmi_se_XX_b2_5, &hf_ipmi_se_XX_b2_6, NULL },
                { &hf_ipmi_se_XX_b3_0, &hf_ipmi_se_XX_b3_1, &hf_ipmi_se_XX_b3_2, &hf_ipmi_se_XX_b3_3,
                        &hf_ipmi_se_XX_b3_4, &hf_ipmi_se_XX_b3_5, &hf_ipmi_se_XX_b3_6, &hf_ipmi_se_XX_b3_7 },
                { &hf_ipmi_se_XX_b4_0, &hf_ipmi_se_XX_b4_1, &hf_ipmi_se_XX_b4_2, &hf_ipmi_se_XX_b4_3,
                        &hf_ipmi_se_XX_b4_4, &hf_ipmi_se_XX_b4_5, &hf_ipmi_se_XX_b4_6, NULL }
        };
        static const int *tsel[] = { &ett_ipmi_se_XX_b1, &ett_ipmi_se_XX_b2, &ett_ipmi_se_XX_b3, &ett_ipmi_se_XX_b4 };
        proto_item *ti;
        proto_tree *s_tree;
        int len = tvb_length(tvb);
        int i, j, val, msk;

        for (i = 0; offs < len; i++, offs++) {
                val = tvb_get_guint8(tvb, offs);
                ti = proto_tree_add_text(tree, tvb, offs, 1, "%s (byte %d)", desc, i);
                s_tree = proto_item_add_subtree(ti, *tsel&#91;i&#93;);
                for (j = 7; j >= 0; j--) {
                        if (!bsel[i][j]) {
                                continue;
                        }
                        msk = 1 << j;
                        proto_tree_add_boolean_format_value(s_tree, *bsel&#91;i&#93;&#91;j&#93;, tvb, offs, 1,
                                        val & msk, "%s", (val & msk) ? tfs->true_string : tfs->false_string);
                }
        }
}

The above routine is used to add an event to the IPMI message. As you can see, bsel[][] array is declared with sizes bsel[4][8]. However, the for loop that follows up does not check whether ‘i’ is less than 4. Consequently, if ‘offs’ is less than tvb’s length, this loop can iterate more than 4 times and thus lead to out of bound access during proto_item_add_subtree() since tsel[] contains only 4 elements, and then during bsel[][] iteration. This was patched by adding the missing check to the first loop like this:

– for (i = 0; offs < len; i++, offs++) { + for (i = 0; (offs < len) && (i < 4); i++, offs++) { val = tvb_get_guint8(tvb, offs); [/sourcecode]

Written by xorl

July 31, 2009 at 11:50

Posted in bugs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s