SLSK (SoulSeek) dissector excessive memory and CPU consumption - denial of service
Summary
It is possible to reach an infinite loop in the SLSK (SoulSeek) dissector with a specifically crafted SLSK packet that creates an unlimited number of hf_slsk_user fields by manipulating the reading pointer back to the same place each time. Dissecting the packet consumes an excessive amount of memory and 100% of a CPU core, which eventually leads to a denial of service via packet injection or a crafted capture file.
Technical details
In the SLSK (SoulSeek) dissector, str_len is defined as int, while some lengths from the protocol are defined as unsigned long. The mismatch causes an integer overflow that forces offset to never advance, so the dissector keeps reading the same data from the same offset of the packet forever.
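The following C program is an added illustration of the defect class described above and is not Wireshark's dissector code. It models a SoulSeek-style message as a sequence of length-prefixed strings (4-byte little-endian length followed by the bytes), with two parsers: count_fields_naive stores the unsigned length in a signed int, so a crafted length of 0xFFFFFFFC becomes -4 and the offset lands back where it started; count_fields_checked keeps the length unsigned, rejects any length that exceeds the remaining bytes as malformed, and therefore always advances. The sample buffers, function names and the iteration cap are constructed for the example.

```c
/* Added example (not Wireshark code): signed/unsigned length mismatch in a
 * length-prefixed string parser, and the checked form that stops on
 * malformed input instead of looping. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: two well-formed strings, "abc" and "hi". */
static const uint8_t SAMPLE_GOOD[] = {
    3, 0, 0, 0, 'a', 'b', 'c',
    2, 0, 0, 0, 'h', 'i'
};

/* Constructed sample: a single length field of 0xFFFFFFFC. Read as a
 * signed int this is -4, which cancels the 4-byte length header and
 * leaves the offset unchanged. */
static const uint8_t SAMPLE_LOOP[] = { 0xfc, 0xff, 0xff, 0xff };

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive parser mirroring the int/unsigned mismatch. Returns the number of
 * fields parsed, or -1 when the offset fails to advance (the point at which
 * a real dissector would keep adding tree items forever). max_iter only
 * bounds the demonstration so it terminates. */
int count_fields_naive(const uint8_t *buf, size_t len, int max_iter)
{
    int offset = 0;
    int fields = 0;

    while ((size_t)offset + 4 <= len && fields < max_iter) {
        int str_len = (int)get_le32(buf + offset);   /* unsigned -> int */
        /* Widen so the arithmetic itself is well defined in this demo. */
        long long next = (long long)offset + 4 + str_len;
        fields++;
        if (next == offset)
            return -1;   /* offset never advances: infinite loop in practice */
        if (next < 0 || next > (long long)len)
            return -1;   /* went backwards or past the end */
        offset = (int)next;
    }
    return fields;
}

/* Checked parser: keeps the length unsigned, validates it against the bytes
 * that remain, and so advances by at least 4 on every iteration. Returns the
 * number of fields, or -1 for a malformed message. */
int count_fields_checked(const uint8_t *buf, size_t len)
{
    size_t offset = 0;
    int fields = 0;

    while (offset < len) {
        if (len - offset < 4)
            return -1;                       /* truncated length field */
        uint32_t str_len = get_le32(buf + offset);
        size_t remaining = len - offset - 4;
        if (str_len > remaining)
            return -1;                       /* length exceeds packet: malformed */
        offset += 4 + (size_t)str_len;       /* always moves forward */
        fields++;
    }
    return fields;
}

int main(void)
{
    printf("good  naive=%d checked=%d\n",
           count_fields_naive(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 1000),
           count_fields_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("loop  naive=%d checked=%d\n",
           count_fields_naive(SAMPLE_LOOP, sizeof SAMPLE_LOOP, 1000),
           count_fields_checked(SAMPLE_LOOP, sizeof SAMPLE_LOOP));
    return 0;
}
```

On the well-formed sample both parsers report two fields; on the crafted length the naive parser detects that its offset did not move (the condition that, without the guard, becomes the endless allocation described in this report), while the checked parser simply declares the message malformed, which is the expected behaviour stated below.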
Steps to reproduce
Open the provided capture file poc_SoulSeek_dos.pcap with Wireshark.
What is the current bug behavior?
Wireshark gets stuck while trying to allocate an infinite number of items on the protocol tree.
What is the expected correct behavior?
Stop dissecting the packet and declare it as malformed.
Sample capture file
poc_SoulSeek_dos.pcap (provided with this report)
Build information
TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)