Heap overflow - OOB Read in PVFS2 dissector - dissect_pvfs2_getconfig_response
Heap overflow of type out-of-bounds read exists in PVFS dissector in the function
dissect_pvfs2_getconfig_response. The OOB occurs due to bad use of a pointer which is dereferenced before checking bounds. AFAIK the bug exists since 2005, and while there were some efforts to improve and guard from dangerous edge-cases (see this fix), this specific OOB was left in the code.
Parallel Virtual File System (PVFS) is an open-source parallel file system. Usually its protocol runs over TCP port 3334, but it can also be detected heuristically by identifying the magic sequence 0xbfca0000 and some more attributes related to this protocol.
The protocol has several commands, and one of them is "Get Config". The response to this command should return a textual based config. This response will be parsed by the PVFS2 dissector in the
dissect_pvfs2_getconfig_response function. However, due to a minor oversight a OOB read is possible when crafting a special PVFS2 packet.
The bug resides in a
for loop which iteratres over all of the "get-config" response config lines. There is a pointer which is used to read the bytes from the config. The dissector will use this pointer to read the data while checking that there are more bytes to read before the end of the packet. However, it seems that the pointer is first being deference to check for a NEWLINE or NULL byte, before checking if end of buffer has reached. So as long as there are enough
total_lines, the last cycle of the inner
while loop will always lead to a heap overflow OOB read of 1 byte.
IMO the fix should be simple -
Moving the check
(bytes_processed < total_config_bytes) before dereferencing ptr
(*ptr != '\n') && (*ptr != '\0')
Steps to reproduce
Use the provided pcap. Run it with address sanitizer or debug tshark manually pvfs_heap_overflow_poc.pcap
What is the current bug behavior?
Heap overflow OOB read of 1 byte
What is the expected correct behavior?
Don't overflow beyond the allocated buffer.
Sample capture file
TShark (Wireshark) 3.7.0 (v3.7.0rc0-826-gb3215d99cacb)