Heap-buffer-overflow in dissect_bthci_iso at packet-bthci_iso.c
Summary
In Wireshark-3.5.1rc0, the bthci_iso dissector could crash with a heap-based buffer overflow. This issue also exists in the latest version v3.7.0rc0.
Steps to reproduce
- The location of the bug in the code: at line 410 in file packet-bthci_iso.c, the fourth parameter `len` of `tvb_memcpy` is read from the data packet without a length check. The heap size of the copy target `mfp->reassembled + mfp->cur_off` can be controlled.
- The bug requires the construction of two data packets. When `pb_flag == 0x00`, the data of the first fragment is inserted by calling `wmem_tree_insert32(chandle_data->start_fragments, pinfo->num, mfp);`.
- Then the size `mfp->tot_len` of the heap object `mfp->reassembled` can be controlled.
- Finally, the bug is triggered by the second packet when `pb_flag & 0x01` at line 410.
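The two-packet sequence above, modelled as an added example that is not Wireshark's code: a simplified reassembly state with the field names the report uses (`mfp->reassembled`, `mfp->tot_len`, `mfp->cur_off`), where the continuation fragment's `len` is checked against the remaining space before any copy. The function names, the constructed lengths (4 announced, 16 carried) and the fragment payload are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of the reassembly state named in the report. Constructed for
   illustration; field names follow the report, but this is not Wireshark code. */
typedef struct {
    uint8_t *reassembled;  /* heap buffer sized from the first fragment's tot_len */
    uint32_t tot_len;      /* total PDU length announced by the first fragment */
    uint32_t cur_off;      /* bytes already copied into reassembled */
} multi_fragment_pdu_t;

/* First fragment (pb_flag == 0x00): the announced length sizes the heap buffer. */
static multi_fragment_pdu_t *start_reassembly(uint32_t tot_len) {
    multi_fragment_pdu_t *mfp = calloc(1, sizeof *mfp);
    if (mfp == NULL) return NULL;
    mfp->reassembled = calloc(tot_len > 0 ? tot_len : 1, 1);
    if (mfp->reassembled == NULL) { free(mfp); return NULL; }
    mfp->tot_len = tot_len;
    return mfp;
}

/* Continuation fragment (pb_flag & 0x01): len comes from the packet and must be
   checked against the space left in reassembled before the copy. The check is
   written as len > tot_len - cur_off so that cur_off + len cannot wrap around.
   Returns 0 on success, -1 if the fragment is rejected. */
static int add_fragment(multi_fragment_pdu_t *mfp, const uint8_t *data, uint32_t len) {
    if (mfp == NULL || mfp->cur_off > mfp->tot_len || len > mfp->tot_len - mfp->cur_off)
        return -1;  /* would overrun the heap buffer: reject instead of copying */
    memcpy(mfp->reassembled + mfp->cur_off, data, len);
    mfp->cur_off += len;
    return 0;
}

static void end_reassembly(multi_fragment_pdu_t *mfp) {
    if (mfp != NULL) { free(mfp->reassembled); free(mfp); }
}

/* Replays the two-packet sequence from the report with constructed values: the
   first fragment announces 4 bytes, the second carries 16. Returns the result of
   the second copy (-1 means it was rejected rather than overflowing the buffer). */
static int replay_report_scenario(void) {
    static const uint8_t payload[16] = { 0x41 };  /* constructed fragment data */
    multi_fragment_pdu_t *mfp = start_reassembly(4);
    int rc = add_fragment(mfp, payload, sizeof payload);
    end_reassembly(mfp);
    return rc;
}
```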
What is the current bug behavior?
The bug can cause out-of-bounds memory reads and writes.
Relevant logs and/or screenshots
The Crash State with ASAN:


