Wireshark-dev: [Wireshark-dev] [PATCH] ieee80211 integer overflow
From: Neil Kettle <mu-b@xxxxxxxxx>
Date: Sun, 10 Dec 2006 00:10:57 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all - the following is caused by an integer overflow in buggy pointer arithmetic
in the calculation of the length parameter for the g_snprintf call...
This is likely unexploitable due to a combination of the restrictions of the bytes
we may write ('0'->'9', 'A'->'F') and stack layout (that is, because the
function is static and called from only one stack frame, who itself is
called from only one stack frame, the compiler inlines both functions with a
larger stack frame)... Thus, if test-packet does not crash wireshark then
you have been saved by your compiler...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1239308624 (LWP 12869)]
0xb71c6c07 in dissect_vendor_ie_rsn (ietree=0x87208e8, tree=0x87208e8, tvb=0x870d530, offset=14,
tag_len=255,
    tag_val=0x8724b2e "") at packet-ieee80211.c:1418
1418                            pos += g_snprintf(pos, out_buff + SHORT_STR - pos, "%02X",
(gdb) x/x tag_val_off
0x31340000:     Cannot access memory at address 0x31340000

(on another note, my mail address has changed from njk4@xxxxxxxxxx (AUTHORS))

Thanks
- ------------------------------------------------------------------------------
Neil Kettle
(mu-b@xxxxxxxxx)
(njk@xxxxxxxxxxxxxxxxxxxxxxx)

    "Computer Science is no more about computers
        than astronomy is about telescopes."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFe1CR+gf4mLMNJygRCCP8AKDMrenFfkmuQmP6K4LvCPHEFfhhSwCfe9Sq
yEZovSxr4Vbj72tsesaJ5IQ=
=3B/Q
-----END PGP SIGNATURE-----
Index: epan/dissectors/packet-ieee80211.c
===================================================================
--- epan/dissectors/packet-ieee80211.c	(revision 20082)
+++ epan/dissectors/packet-ieee80211.c	(working copy)
@@ -1401,11 +1401,10 @@
 dissect_vendor_ie_rsn(proto_tree * ietree, proto_tree * tree, tvbuff_t * tvb,
 	int offset, guint32 tag_len, const guint8 *tag_val)
 {
-	guint32 tag_val_off = 0;
 	char out_buff[SHORT_STR], *pos;
 	guint i;
 
-	if (tag_val_off + 4 <= tag_len && !memcmp(tag_val, RSN_OUI"\x04", 4)) {
+	if (tag_len >= 4 && !memcmp(tag_val, RSN_OUI"\x04", 4)) {
 		/* IEEE 802.11i / Key Data Encapsulation / Data Type=4 - PMKID.
 		 * This is only used within EAPOL-Key frame Key Data. */
 		pos = out_buff;
@@ -1416,7 +1415,9 @@
 		}
 		for (i = 0; i < tag_len - 4; i++) {
 			pos += g_snprintf(pos, out_buff + SHORT_STR - pos, "%02X",
-				tag_val[tag_val_off + 4 + i]);
+				tag_val[i + 4]);
+      if ( pos >= out_buff + SHORT_STR )
+        break;
 		}
 		proto_tree_add_string(tree, tag_interpretation, tvb, offset,
 			tag_len, out_buff);

Attachment: test-packet
Description: Binary data