Heap-buffer-overflow in dissect_bthci_iso at packet-bthci_iso.c
Summary
In Wireshark-3.5.1rc0, the bthci_iso dissector could crash with a heap-based buffer overflow. This issue also exists in the latest version v3.7.0rc0.
Steps to reproduce
- Location of the bug. At line 410 of packet-bthci_iso.c, the fourth parameter len of tvb_memcpy is read from the data packet without a length check, and the copy target mfp->reassembled + mfp->cur_off is a heap object whose size is also attacker-controlled.
- The bug requires the construction of two data packets. When pb_flag == 0x00, the first fragment is recorded by calling wmem_tree_insert32(chandle_data->start_fragments, pinfo->num, mfp);.
- As a result, the size mfp->tot_len of the heap object mfp->reassembled is taken from the first packet and can be controlled.
- Finally, the bug is triggered by the second packet when pb_flag & 0x01 is set, at line 410: its len is copied into mfp->reassembled at mfp->cur_off without being compared against mfp->tot_len.
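The following is an added, self-contained C model of the reassembly pattern described in the steps above; it is not Wireshark's code, and the struct and function names (iso_mfp, iso_start, iso_continue_checked, and so on) are assumptions made for this illustration. The first fragment fixes tot_len and allocates the buffer; the continuation fragment carries its own len. The unchecked variant copies len bytes with no comparison against the remaining space, which is the bug pattern; the checked variant rejects any fragment that would run past tot_len.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative per-connection reassembly state (not Wireshark's struct;
 * field names mirror the ones used in the report). */
typedef struct {
    uint8_t *reassembled;   /* heap buffer allocated to tot_len bytes */
    size_t   tot_len;       /* total length declared by the first fragment */
    size_t   cur_off;       /* bytes written so far */
} iso_mfp;

/* First fragment (pb_flag == 0x00): allocate tot_len bytes and copy the
 * fragment payload. Returns NULL when len does not fit in tot_len; an
 * unchecked dissector would write len bytes into a tot_len-byte buffer. */
static iso_mfp *iso_start(size_t tot_len, const uint8_t *data, size_t len)
{
    if (len > tot_len)
        return NULL;
    iso_mfp *mfp = calloc(1, sizeof *mfp);
    if (mfp == NULL)
        return NULL;
    mfp->reassembled = malloc(tot_len > 0 ? tot_len : 1);
    if (mfp->reassembled == NULL) {
        free(mfp);
        return NULL;
    }
    mfp->tot_len = tot_len;
    memcpy(mfp->reassembled, data, len);
    mfp->cur_off = len;
    return mfp;
}

/* Bug pattern from the report: the continuation fragment is copied using
 * the packet-supplied len with no bounds check. Kept only for contrast;
 * calling it with len > tot_len - cur_off is a heap-buffer-overflow. */
static void iso_continue_unchecked(iso_mfp *mfp, const uint8_t *data, size_t len)
{
    memcpy(mfp->reassembled + mfp->cur_off, data, len);
    mfp->cur_off += len;
}

/* Hardened continuation (pb_flag & 0x01): refuse any fragment that would
 * run past tot_len. Returns 1 when copied, 0 when rejected. */
static int iso_continue_checked(iso_mfp *mfp, const uint8_t *data, size_t len)
{
    size_t remaining = mfp->tot_len - mfp->cur_off;  /* cur_off never exceeds tot_len here */
    if (len > remaining)
        return 0;
    memcpy(mfp->reassembled + mfp->cur_off, data, len);
    mfp->cur_off += len;
    return 1;
}

static void iso_free(iso_mfp *mfp)
{
    if (mfp != NULL) {
        free(mfp->reassembled);
        free(mfp);
    }
}

/* Constructed input: a first fragment declaring tot_len = 8 with 4 payload
 * bytes, then a 6-byte continuation. 4 + 6 > 8, so the checked path must
 * reject it. Returns the checked path's verdict (0 = rejected). */
static int demo_oversized_continuation(void)
{
    static const uint8_t first[4] = {0x01, 0x02, 0x03, 0x04};
    static const uint8_t cont[6]  = {0x05, 0x06, 0x07, 0x08, 0x09, 0x0a};
    iso_mfp *mfp = iso_start(8, first, sizeof first);
    if (mfp == NULL)
        return -1;
    int accepted = iso_continue_checked(mfp, cont, sizeof cont);
    iso_free(mfp);
    return accepted;
}

int main(void)
{
    static const uint8_t first[4] = {0x01, 0x02, 0x03, 0x04};
    static const uint8_t cont[4]  = {0x05, 0x06, 0x07, 0x08};
    iso_mfp *mfp = iso_start(8, first, sizeof first);
    if (mfp == NULL)
        return 1;
    /* In-bounds use of the unchecked copy: 4 + 4 == tot_len, so it is safe.
     * Swap in a longer cont[] and build with -fsanitize=address to see the
     * heap-buffer-overflow WRITE the report describes. */
    iso_continue_unchecked(mfp, cont, sizeof cont);
    printf("unchecked in-bounds copy: cur_off=%zu tot_len=%zu\n", mfp->cur_off, mfp->tot_len);
    iso_free(mfp);
    printf("oversized continuation accepted by checked path: %d\n", demo_oversized_continuation());
    return 0;
}
```

The check belongs at the point of the copy, not only where tot_len is parsed: a first fragment whose own len exceeds tot_len overflows just the same, so iso_start validates it too. Note that the check is written as len > tot_len - cur_off rather than cur_off + len > tot_len, which avoids wrapping the sum when len comes straight from the packet.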
What is the current bug behavior?
The bug can cause out-of-bounds memory reads and writes.
Relevant logs and/or screenshots
The Crash State with ASAN: