Heap-buffer-overflow in reassemble_continuation_state at packet-btsdp.c
Summary
In Wireshark-3.5.1rc0, the SDP dissector could crash with a heap-based buffer overflow. This issue also exists in the latest version v3.7.0rc0.
Steps to reproduce
In line 1727, the third parameter tid_request->continuation_state_length of memcpy is read from the data packet without length check.
The bug requires the construction of two data packets, a request data packet and a response data packet.
- First, the request packet inserts the object
tid_requestinto the global objecttid_requests. The fieldtid_request->continuation_state_lengthis read from the packet bycontinuation_state_length = tvb_get_guint8(tvb, offset).
- Second, the response packet obtains the object
tid_requestbywmem_tree_lookup32_array_le(tid_requests, key). When the value of variabletid_request->continuation_state_lengthis greater than 20, a heap overflow is caused.
What is the current bug behavior?
The bug can cause out-of-bounds memory reads and writes.
Relevant logs and/or screenshots
The Crash State with ASAN:
