xorl %eax, %eax

CVE-2011-0444: Wireshark MAC-LTE Stack Buffer Overflow


This issue affects Wireshark 1.2.0 through 1.2.13 as well as 1.4.0 through 1.4.2. Here you can find the original security advisory identifying this bug. As we can read there, the vulnerability was discovered by FRAsse and it is located in the epan/dissectors/packet-mac-lte.c file, where the MAC-LTE packet dissector resides.

/* Dissect Random Access Response (RAR) PDU */
static void dissect_rar(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_item *pdu_ti,
                        gint offset, mac_lte_info *p_mac_lte_info, mac_lte_tap_info *tap_info)
{
    gint     number_of_rars = 0;   /* No of RAR bodies expected following headers */
    guint8   rapids[64];
  ...
    /***************************/
    /* Read the header entries */
    do {
        int start_header_offset = offset;
        proto_tree *rar_header_tree;
  ...
        else {
            /* RAPID case */
            /* TODO: complain if the same RAPID appears twice in same frame? */
            rapids[number_of_rars] = tvb_get_guint8(tvb, offset) & 0x3f;
            proto_tree_add_item(rar_header_tree, hf_mac_lte_rar_rapid, tvb, offset, 1, FALSE);

            proto_item_append_text(rar_header_ti, "(RAPID=%u)", rapids[number_of_rars]);

            number_of_rars++;
        }
  ...
    } while (extension);
  ...
    /* Warn if we don't seem to have reached the end of the frame yet */
    if (tvb_length_remaining(tvb, offset) != 0) {
           expert_add_info_format(pinfo, pdu_ti, PI_MALFORMED, PI_ERROR,
                                  "%u bytes remaining after RAR PDU dissected",
                                  tvb_length_remaining(tvb, offset));
    }
}

As the local variable definitions show, the ‘rapids[]’ array is a fixed-size stack buffer that holds at most 64 entries. However, the header-processing loop never checks ‘number_of_rars’ against that limit: as long as the extension bit of each RAR subheader is set, it stores one more RAPID per iteration, so a PDU carrying more than 64 RAR subheaders writes past the end of the array, a stack-based buffer overflow. This was fixed by adding the missing check like this:

         proto_item_set_len(rar_header_ti, offset - start_header_offset);
 
-    } while (extension);
+    } while ((extension) && (number_of_rars < 64));
 
     /* Append summary to headers root */
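Review bot: the new loop condition `(number_of_rars < 64)` hard-codes the size of `rapids[]`, which is declared separately as `guint8 rapids[64]`; use a named constant or `sizeof(rapids)/sizeof(rapids[0])` in both places so the declaration and the bound cannot drift apart. Also, when the loop now stops because the limit was reached while `extension` is still set, the remaining subheaders are silently skipped; consider adding an `expert_add_info_format(..., PI_MALFORMED, ...)` at that point instead of relying on the later "bytes remaining after RAR PDU dissected" warning to surface the truncated dissection.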
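To show the bounded version of this header loop on its own, here is an added example (not Wireshark code) that walks a chain of one-byte RAR subheaders, assuming the E/T/RAPID bit layout the dissector decodes, and stops before the 65th store instead of overflowing. The `rar_hdr_result` struct, function names and the sample PDUs are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_RARS 64   /* size of the dissector's rapids[] array */

typedef struct {
    size_t rar_count;    /* RAPID values stored in rapids[] */
    size_t header_bytes; /* subheader bytes consumed */
    int    truncated;    /* chain continued past max; rest left undissected */
    int    ran_out;      /* buffer ended while the E bit was still set */
} rar_hdr_result;

/* Walk the one-byte MAC RAR subheaders: E (bit 7) chains to the next header,
 * T (bit 6) selects a RAPID (bits 0-5) or a backoff indicator (bits 0-3).
 * The count is checked before every store, so rapids[] cannot overflow. */
static rar_hdr_result parse_rar_headers(const uint8_t *buf, size_t len,
                                        uint8_t *rapids, size_t max)
{
    rar_hdr_result r = {0, 0, 0, 0};
    uint8_t b = 0;
    do {
        if (r.header_bytes >= len) { r.ran_out = 1; break; }
        b = buf[r.header_bytes++];
        if (b & 0x40) {                               /* T=1: RAPID subheader */
            if (r.rar_count >= max) { r.truncated = 1; break; }
            rapids[r.rar_count++] = b & 0x3f;
        }                                             /* T=0: BI, nothing stored */
    } while (b & 0x80);                               /* E=1: another subheader follows */
    return r;
}

/* Constructed sample: 200 chained RAPID subheaders, far more than rapids[] holds. */
static rar_hdr_result run_long_chain(void)
{
    uint8_t pdu[200], rapids[MAX_RARS];
    for (size_t i = 0; i < sizeof pdu; i++)
        pdu[i] = (uint8_t)(0xC0 | (i & 0x3f));        /* E=1, T=1, RAPID=i mod 64 */
    return parse_rar_headers(pdu, sizeof pdu, rapids, MAX_RARS);
}

int main(void)
{
    uint8_t rapids[MAX_RARS];
    const uint8_t pdu[] = {0x80, 0xC5, 0x4A};        /* constructed: BI, RAPID 5, RAPID 10 */
    rar_hdr_result n = parse_rar_headers(pdu, sizeof pdu, rapids, MAX_RARS);
    rar_hdr_result l = run_long_chain();
    printf("normal: %zu RARs (%d,%d); long chain: %zu RARs, truncated=%d\n",
           n.rar_count, rapids[0], rapids[1], l.rar_count, l.truncated);
    return 0;
}
```

The `truncated` flag is the point at which a dissector would raise expert info, so an over-long chain is reported rather than silently cut off.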

Written by xorl

January 14, 2011 at 19:39

Posted in bugs
