Skip to content
GitLab
Closed
Issue created by Doneing@DoneingCK

Heap-buffer-overflow in dissect_bthci_iso at packet-bthci_iso.c

Summary

In Wireshark-3.5.1rc0, the bthci_iso dissector could crash with a heap-based buffer overflow. This issue also exists in the latest version v3.7.0rc0.

Steps to reproduce

  • The location of the bug in the code. At line 410 in file packet-bthci_iso.c, the fourth parameter len of tvb_memcpy is read from the data packet without length check. The heap size of the copy target mfp->reassembled + mfp->cur_off can be controlled. image

  • The bug requires the construction of two data packets. When pb_flag == 0x00, insert the data of the first fragment by calling wmem_tree_insert32(chandle_data->start_fragments, pinfo->num, mfp);. image

  • Then, the size mfp->tot_len of the heap object mfp->reassembled can be controlled.

  • Finally, the bug is triggered by the second packet when pb_flag & 0x01 at line 410.

What is the current bug behavior?

The bug can cause out-of-bounds memory reads and writes.

Relevant logs and/or screenshots

The Crash State with ASAN:

image

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information