Heap-buffer-overflow in reassemble_continuation_state at packet-btsdp.c
Summary
In Wireshark 3.5.1rc0, the Bluetooth SDP dissector (packet-btsdp.c) can crash with a heap-based buffer overflow. The issue is still present in the latest version, v3.7.0rc0.
Steps to reproduce
At line 1727 of packet-btsdp.c, the third argument of `memcpy`, `tid_request->continuation_state_length`, is taken directly from packet data without any length check.
Triggering the bug requires two crafted packets: an SDP request and the matching SDP response.
- First, the request packet inserts a `tid_request` object into the global `tid_requests` tree. The field `tid_request->continuation_state_length` is read from the packet by `continuation_state_length = tvb_get_guint8(tvb, offset)`, so it can hold any value from 0 to 255.
- Second, the response packet retrieves that `tid_request` object with `wmem_tree_lookup32_array_le(tid_requests, key)` and passes the stored length to `memcpy`. When `tid_request->continuation_state_length` is greater than 20, the copy overflows the heap object.
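The two-packet flow above, as an added example that is not Wireshark code: a simplified model of the request/response handling with the vulnerable length check absent and a hardened variant beside it. The 20-byte field size, the `tid_requests` array standing in for the wmem tree, and the packet layout (SDP header followed directly by the continuation state) are assumptions made for the example; the 16-octet limit is the SDP specification's maximum continuation state length.

```c
/* Added example (not from Wireshark): models the unchecked continuation_state_length
 * flow between an SDP request and its response, and a bounds-checked alternative. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONT_STATE_MAX     20  /* assumed size of tid_request->continuation_state */
#define SDP_CONT_STATE_MAX 16  /* SDP spec: continuation state info is at most 16 octets */
#define MAX_TIDS            8

typedef struct {
    int      in_use;
    uint16_t tid;
    uint8_t  continuation_state[CONT_STATE_MAX];
    uint8_t  continuation_state_length;  /* taken from the request packet, unchecked */
} tid_request_t;

static tid_request_t tid_requests[MAX_TIDS];  /* stands in for the wmem tree keyed by TID */

static tid_request_t *lookup_tid(uint16_t tid) {
    for (int i = 0; i < MAX_TIDS; i++)
        if (tid_requests[i].in_use && tid_requests[i].tid == tid)
            return &tid_requests[i];
    return NULL;
}

/* Request side. Constructed layout: PDU ID (1), TID (2, big-endian), ParameterLength (2),
 * then the continuation state length byte. The length byte is stored as-is, exactly
 * like tvb_get_guint8(tvb, offset) in the dissector: any value 0..255 is accepted. */
static int handle_request(const uint8_t *pkt, size_t len) {
    if (len < 6) return -1;
    uint16_t tid = (uint16_t)((pkt[1] << 8) | pkt[2]);
    tid_request_t *req = lookup_tid(tid);
    if (!req) {
        for (int i = 0; i < MAX_TIDS && !req; i++)
            if (!tid_requests[i].in_use) req = &tid_requests[i];
        if (!req) return -2;
    }
    req->in_use = 1;
    req->tid = tid;
    req->continuation_state_length = pkt[5];  /* no comparison against the 20-byte field */
    return 0;
}

/* Response side, vulnerable shape: memcpy(req->continuation_state, data, req->continuation_state_length).
 * This predicate reports whether that copy would run past the field; it never performs the copy. */
static int would_overflow(const tid_request_t *req) {
    return req->continuation_state_length > sizeof req->continuation_state;
}

/* Response side, hardened: bound the copy by the protocol limit, the destination field
 * and the bytes actually present in the packet before touching memory. */
static int handle_response_hardened(const uint8_t *pkt, size_t len, size_t cs_offset) {
    if (len < 6) return -1;
    uint16_t tid = (uint16_t)((pkt[1] << 8) | pkt[2]);
    tid_request_t *req = lookup_tid(tid);
    if (!req) return -2;                                   /* no matching request seen */
    size_t n = req->continuation_state_length;
    if (n > SDP_CONT_STATE_MAX || n > sizeof req->continuation_state)
        return -3;                                         /* would overflow the heap object */
    if (cs_offset > len || n > len - cs_offset)
        return -4;                                         /* would read past the packet */
    memcpy(req->continuation_state, pkt + cs_offset, n);
    return (int)n;
}

/* Builds a constructed request/response pair with the given length byte and runs the
 * hardened path. Returns the number of bytes copied, or a negative error code. */
static int demo_pair(uint8_t len_byte) {
    memset(tid_requests, 0, sizeof tid_requests);
    uint8_t req[6] = {0x02, 0x00, 0x01, 0x00, 0x01, len_byte};  /* ServiceSearchRequest, TID 1 */
    uint8_t rsp[5 + 64] = {0x03, 0x00, 0x01, 0x00, 0x40};       /* ServiceSearchResponse, TID 1 */
    for (int i = 0; i < 64; i++) rsp[5 + i] = (uint8_t)i;      /* 64 bytes of continuation data */
    if (handle_request(req, sizeof req) != 0) return -99;
    return handle_response_hardened(rsp, sizeof rsp, 5);
}

/* Runs only the request side and reports whether the vulnerable memcpy would overflow. */
static int demo_would_overflow(uint8_t len_byte) {
    memset(tid_requests, 0, sizeof tid_requests);
    uint8_t req[6] = {0x02, 0x00, 0x01, 0x00, 0x01, len_byte};
    if (handle_request(req, sizeof req) != 0) return -99;
    return would_overflow(lookup_tid(1));
}

int main(void) {
    printf("len 0x10: hardened -> %d, vulnerable overflow? %d\n", demo_pair(0x10), demo_would_overflow(0x10));
    printf("len 0x40: hardened -> %d, vulnerable overflow? %d\n", demo_pair(0x40), demo_would_overflow(0x40));
    return 0;
}
```

A length byte of 0x10 passes both variants, while 0x40 is rejected by the hardened path and would drive the vulnerable `memcpy` 44 bytes past the end of the field; the example deliberately never executes the unchecked copy, since that is exactly the condition ASan reports on the real dissector.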
What is the current bug behavior?
The unchecked `memcpy` causes out-of-bounds reads from the packet data and out-of-bounds writes past the heap-allocated `tid_request` object, so a crafted capture can crash the dissector or corrupt heap memory.
Relevant logs and/or screenshots
The crash state reported by ASan: