Wrong tag offset handling during gquic dissection
Summary
In Wireshark 3.2.7 and older versions, Wireshark runs into an infinite loop and mallocs memory continuously while processing the specified gquic pcap.
Steps to reproduce
Open the attached poc.pcap in Wireshark.
What is the current bug behavior?
Wireshark runs into an infinite loop, mallocs memory continuously, and does not respond.
What is the expected correct behavior?
Process this gquic pcap without an infinite loop.
Sample capture file
Relevant logs and/or screenshots
The tag offset doesn't advance while processing the wrong gquic tag.
This is located in epan/dissectors/packet-gquic.c, line 1669.
The source code can be viewed at https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-gquic.c#L1669
In line 1663, when processing an invalid QUIC Tag, tag_offset is invalid and there is no need to process tag_offset any more; we should go to the end label to handle this invalid length error instead of executing tag_offset += tag_len;.
The patch scheme is similar to !471 (diffs), which solves the wrong tag len case. This issue is similar to issue 16887, which omits the tag offset forwarding when it comes to the wrong tag.
i.e. add the following code before line 1674, and add the definition of the ei_gquic_length_invalid error handler:
```c
end:
    /* No forward progress: the accumulated tag length is zero, negative, or
     * offset + total_tag_len wrapped. Flag it and give up on the rest of the
     * packet instead of looping with a tag offset that never advances. */
    if (offset + total_tag_len <= offset) {
        expert_add_info_format(pinfo, gquic_tree, &ei_gquic_length_invalid,
                               "Invalid total tag length: %u", total_tag_len);
        return offset + tvb_reported_length_remaining(tvb, offset);
    }
```
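The rule the report is asking for is that a tag whose end offset does not keep the value cursor moving forward, or that points outside the value area, must terminate the tag walk rather than be passed over with tag_offset left where it was. The following is an added example and not Wireshark's dissector or the reporter's patch: a standalone walker over a GQUIC-style tag table (4 ASCII tag bytes followed by a 4-byte little-endian end offset per entry, then the concatenated values) that enforces that rule and bounds the loop by what the buffer can actually hold. It does not reproduce the dissector's loop; the gq_* names, the return codes and the sample bytes are this example's own assumptions.

```c
/*
 * Added example (not Wireshark code): standalone walker over a GQUIC-style
 * tag table. An entry whose end offset moves backwards or past the value
 * area ends the walk with an error instead of being skipped with a stale
 * tag_offset. Names, gq_* functions and sample bytes are assumptions.
 *
 * Layout: tag_number entries of [4 tag bytes | 4-byte LE end offset],
 * then the concatenated values; entry i spans [prev_end, end_i) of the
 * value area that starts right after the table.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GQ_MAX_TAGS 16          /* capacity of the caller's out[] array */

struct gq_tag {
    char   tag[5];              /* NUL-terminated copy of the 4 tag bytes */
    size_t value_off;           /* offset of the value within buf */
    size_t value_len;
};

enum gq_status { GQ_TRUNCATED = -1, GQ_BAD_OFFSET = -2, GQ_TOO_MANY = -3 };

static uint32_t gq_rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Walk the table at buf[0..len). Returns the number of tags (>= 0) and fills
 * out[]; on failure returns a negative gq_status. `consumed` receives the
 * bytes covered by table plus values, or `len` on failure: once an offset
 * is bogus nothing after it can be trusted, so the rest is given up.
 */
int gq_walk_tags(const uint8_t *buf, size_t len, uint32_t tag_number,
                 struct gq_tag out[GQ_MAX_TAGS], size_t *consumed)
{
    size_t table_len, value_area, tag_offset = 0;
    int n = 0;
    uint32_t i;

    *consumed = len;
    if (tag_number > GQ_MAX_TAGS)           /* packet-controlled count */
        return GQ_TOO_MANY;
    table_len = (size_t)tag_number * 8;     /* no overflow: tag_number <= 16 */
    if (table_len > len)                    /* table must fit before values */
        return GQ_TRUNCATED;
    value_area = len - table_len;

    for (i = 0; i < tag_number; i++) {
        const uint8_t *e = buf + (size_t)i * 8;
        uint32_t offset_end = gq_rd_le32(e + 4);

        /* The cursor may stay put (empty value) but never move backwards,
         * and the end offset must lie inside the value area. A violation
         * ends the walk here instead of continuing with tag_offset stale. */
        if (offset_end < tag_offset || offset_end > value_area)
            return GQ_BAD_OFFSET;

        memcpy(out[n].tag, e, 4);
        out[n].tag[4] = '\0';
        out[n].value_off = table_len + tag_offset;
        out[n].value_len = offset_end - tag_offset;
        n++;
        tag_offset = offset_end;            /* forward progress recorded */
    }
    *consumed = table_len + tag_offset;
    return n;
}

/* Constructed sample: two tags ("SNI" = "example.com", "VER" = "Q046"). */
static const uint8_t gq_sample_valid[] = {
    'S','N','I',0,  11,0,0,0,           /* SNI value ends at offset 11 */
    'V','E','R',0,  15,0,0,0,           /* VER value ends at offset 15 */
    'e','x','a','m','p','l','e','.','c','o','m',  'Q','0','4','6'
};
/* Constructed sample: same bytes, but VER's end offset (4) is behind SNI's (11). */
static const uint8_t gq_sample_backward[] = {
    'S','N','I',0,  11,0,0,0,
    'V','E','R',0,   4,0,0,0,
    'e','x','a','m','p','l','e','.','c','o','m',  'Q','0','4','6'
};

int main(void)
{
    struct gq_tag tags[GQ_MAX_TAGS];
    size_t used;
    int i, n = gq_walk_tags(gq_sample_valid, sizeof gq_sample_valid, 2, tags, &used);

    for (i = 0; i < n; i++)
        printf("%s: %.*s\n", tags[i].tag, (int)tags[i].value_len,
               (const char *)gq_sample_valid + tags[i].value_off);
    printf("valid: %d tags, %zu bytes consumed\n", n, used);
    printf("backward end offset: status %d\n",
           gq_walk_tags(gq_sample_backward, sizeof gq_sample_backward, 2, tags, &used));
    return 0;
}
```

The two checks that matter are the ones on offset_end: it may equal the current cursor (an empty value is legal) but never fall below it, and it may never exceed the bytes that exist after the table. Because tag_number comes straight from the packet, the table-fits-in-buffer test is what bounds the loop; without it a large count would drive the walker through bytes that are not there.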
Build information
All versions are affected by this bug; the following version was tested by me.
3.2.7 (v3.2.7-0-gfb6522d84a3a)
Compiled (64-bit) with Qt 5.12.9, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic
updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled
resampler), with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 10 (2004), build 19041, with Intel(R) Core(TM)
i7-9750H CPU @ 2.60GHz (with SSE4.2), with 16193 MB of physical memory, with
locale Chinese (Simplified)_China.936, with light display mode, without HiDPI,
with Npcap version 0.9997, based on libpcap version 1.9.1, with GnuTLS 3.6.3,
with Gcrypt 1.8.3, with brotli 1.0.2, without AirPcap, binary plugins supported
(19 loaded).
Built using Microsoft Visual Studio 2019 (VC++ 14.27, build 29111).