[oss-fuzz] openflow_v6: infinite loop (dissect_openflow_bundle_control_v6)

This issue was migrated from bug 14420 in our old bug tracker.

Original bug information:

Reporter: Jakub Zawadzki
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: Linux
Platform: x86
Version: Git

Attachments:

ossfuzz_628a6c2a4d80f176f8f6e40201ad5185b9df3920_openflow_v6_loop.pcap: Sample capture file to reproduce the problem

See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7327

Jakub Zawadzki said:

Created attachment 16124 Sample capture file to reproduce the problem

Build Information: TShark (Wireshark) 2.5.1 (v2.5.1rc0-73-ge438cf2e)

Copyright 1998-2018 Gerald Combs <gerald@‍wireshark.org> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.2, with zlib 1.2.8, without SMI, without c-ares, without Lua, without GnuTLS, with Gcrypt 1.6.3, without Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy, without libxml2.

Running on Linux 3.17.4-301.fc21.x86_64, with Intel(R) Xeon(R) CPU E5530 @ 2.40GHz (with SSE4.2), with 24093 MB of physical memory, with locale en_US.UTF-8, with Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2 20150212 (Red Hat 4.9.2-6).

Opening attached pcap without tree cause infinite loop, with tree warning:

WARNING **: Dissector bug, protocol openflow_v6, in packet 1: More than 1000000 items in the tree -- possible infinite loop

Top backtrace:

(gdb) bt
#0  dissect_openflow_bundle_control_v6 (length=552, offset=526, tree=0x0, pinfo=0x24b21e8, tvb=0x2475c00) at packet-openflow_v6.c:5854
#1  dissect_openflow_message_v6 (tvb=tvb@entry=0x2475c00, pinfo=pinfo@entry=0x24b21e8, tree=0x0, offset=<optimized out>, offset@entry=0) at packet-openflow_v6.c:5998
#2  0x00007fb673898b41 in dissect_openflow_v6 (tvb=0x2475c00, pinfo=0x24b21e8, tree=0x0, data=<optimized out>) at packet-openflow_v6.c:6032
#3  0x00007fb67322731b in call_dissector_through_handle (handle=handle@entry=0x7fb668964220, tvb=tvb@entry=0x2475c00, pinfo=pinfo@entry=0x24b21e8, tree=tree@entry=0x0, data=data@entry=0x0) at packet.c:694
#4  0x00007fb6732282b2 in call_dissector_work (handle=0x7fb668964220, tvb=0x2475c00, pinfo_arg=0x24b21e8, tree=0x0, add_proto_name=1, data=0x0) at packet.c:779
#5  0x00007fb673229ed2 in call_dissector_with_data (handle=<optimized out>, tvb=0x2475c00, pinfo=0x24b21e8, tree=0x0, data=<optimized out>) at packet.c:3105
#6  0x00007fb67387f6bd in dissect_openflow_tcp_pdu (tvb=0x2475c00, pinfo=0x24b21e8, tree=0x0, data=<optimized out>) at packet-openflow.c:91
#7  0x00007fb673a88e6d in tcp_dissect_pdus (tvb=tvb@entry=0x2475b20, pinfo=pinfo@entry=0x24b21e8, tree=tree@entry=0x0, proto_desegment=1, fixed_len=fixed_len@entry=8, get_pdu_len=get_pdu_len@entry=
    0x7fb67387f770 <get_openflow_pdu_length>, dissect_pdu=0x7fb67387f650 <dissect_openflow_tcp_pdu>, dissector_data=0x7ffff18ad6e0) at packet-tcp.c:3612
#8  0x00007fb67387f645 in dissect_openflow (tvb=tvb@entry=0x2475b20, pinfo=pinfo@entry=0x24b21e8, tree=tree@entry=0x0, data=data@entry=0x7ffff18ad6e0) at packet-openflow.c:105
#9  0x00007fb67387f804 in dissect_openflow_heur (tvb=0x2475b20, pinfo=0x24b21e8, tree=0x0, data=0x7ffff18ad6e0) at packet-openflow.c:126


Loop is in packet-openflow_v6.c lines 5853-5854

5852	    /* struct ofp_bundle_prop_header properties[0];  */
5853	    while (offset < length) {
5854	        offset = dissect_openflow_bundle_prop_v6(tvb, pinfo, tree, offset, length);
5855	    }

for offset=526, dissect_openflow_bundle_prop_v6() is returning same offset.

Problem was found in sample from oss-fuzz IP corpus (sha1: 628a6c2a4d80f176f8f6e40201ad5185b9df3920).

added crash libwireshark oslinux versiondev labels

Gerrit Code Review said:

Change 25780 had a related patch set uploaded by Pascal Quantin: OpenFlow 1.5: add extra property length checks

https://code.wireshark.org/review/25780

Gerrit Code Review said:

Change 25780 merged by Anders Broman: OpenFlow 1.5: add extra property length checks

https://code.wireshark.org/review/25780

Gerrit Code Review said:

Change 25787 had a related patch set uploaded by Pascal Quantin: OpenFlow 1.5: add extra property length checks

https://code.wireshark.org/review/25787

Gerrit Code Review said:

Change 25787 merged by Pascal Quantin: OpenFlow 1.5: add extra property length checks

https://code.wireshark.org/review/25787

Alexis La Goutte said:

Do you have check other open flow dissector?

closed