Skip to content
GitLab
Closed
Issue created by Sharon Brizinov@sean007Contributor

Heap overflow - OOB Read in PVFS2 dissector - dissect_pvfs2_getconfig_response

Summary

Heap overflow of type out-of-bounds read exists in PVFS dissector in the function dissect_pvfs2_getconfig_response. The OOB occurs due to bad use of a pointer which is dereferenced before checking bounds. AFAIK the bug exists since 2005, and while there were some efforts to improve and guard from dangerous edge-cases (see this fix), this specific OOB was left in the code.

Technical Details

Parallel Virtual File System (PVFS) is an open-source parallel file system. Usually its protocol runs over TCP port 3334, but it can also be detected heuristically by identifying the magic sequence 0xbfca0000 and some more attributes related to this protocol.

The protocol has several commands, and one of them is "Get Config". The response to this command should return a textual based config. This response will be parsed by the PVFS2 dissector in the dissect_pvfs2_getconfig_response function. However, due to a minor oversight a OOB read is possible when crafting a special PVFS2 packet.

The bug resides in a for loop which iteratres over all of the "get-config" response config lines. There is a pointer which is used to read the bytes from the config. The dissector will use this pointer to read the data while checking that there are more bytes to read before the end of the packet. However, it seems that the pointer is first being deference to check for a NEWLINE or NULL byte, before checking if end of buffer has reached. So as long as there are enough total_lines, the last cycle of the inner while loop will always lead to a heap overflow OOB read of 1 byte.

poc_2

IMO the fix should be simple - Moving the check (bytes_processed < total_config_bytes) before dereferencing ptr (*ptr != '\n') && (*ptr != '\0')

Steps to reproduce

Use the provided pcap. Run it with address sanitizer or debug tshark manually pvfs_heap_overflow_poc.pcap

What is the current bug behavior?

Heap overflow OOB read of 1 byte

What is the expected correct behavior?

Don't overflow beyond the allocated buffer.

Sample capture file

Attached pvfs_heap_overflow_poc.pcap

Build information

TShark (Wireshark) 3.7.0 (v3.7.0rc0-826-gb3215d99cacb)
Edited by Sharon Brizinov
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information