ATN-ULCS and possibly other ASN.1 PER dissector large loops - denial of service
Summary
This one was found using a fuzzer: it's possible to reach an infinite loop by crafting a special ATN-ULCS packet with an infinite number of "null" elements.
In some cases Wireshark will be able to load a single packet like this, but it will use an uncontrolled amount of memory and CPU. So by sending a couple of these packets it's quite easy to crash Wireshark/tshark.
The dissect_atn_ulcs_NULL function will get called a countless number of times.
Steps to reproduce
Run the provided pcap atn_ulcs_inf_null_items_dos.pcap
What is the current bug behavior?
Bad parsing leads to Wireshark trying to load many items into the tree, which uses a lot of memory and CPU resources.
What is the expected correct behavior?
Ignore the malformed packet
Sample capture file
Provided atn_ulcs_inf_null_items_dos.pcap
Relevant logs and/or screenshots
[Protocols in frame: eth:ethertype:ip:cotp:atn-ulcs]
..
..
..
ISO 8073/X.224 COTP Connection-Oriented Transport Protocol
Length: 7
PDU Type: DT Data (0x0f)
Destination reference: 0xe131
TPDU number: 0x7f0800ff
1... .... .... .... .... .... .... .... = Last data unit: Yes
ICAO Doc9705 ULCS Session (ISO 8326/8327-1:1994)
1111 1... = SPDU Type: Short Connect Accept (SAC) SPDU (0x1f)
ICAO Doc9705 ULCS Presentation (ISO 8822/8823-1:1994)
Short Presentation Connect PPDU (CP) (0x02)
ICAO Doc9705 ULCS ACSE (ISO 8649/8650-1:1996)
ACSE-apdu: aarq (0)
aarq
protocol-version: 00 [bit length 1, 7 LSB pad bits, 0... .... decimal value 0]
0... .... = version1: False
application-context-name: 1.24.8.4096.0.13.0.5.64.0.15 (iso.24.8.4096.0.13.0.5.64.0.15)
called-AP-title: ap-title-form1 (1)
ap-title-form1: rdnSequence (0)
rdnSequence: 15805 items
Item 0
RelativeDistinguishedName: 15805 items
Item 0
AttributeTypeAndValue
null: NULL
Item 1
AttributeTypeAndValue
null: NULL
Item 2
AttributeTypeAndValue
null: NULL
Item 3
AttributeTypeAndValue
null: NULL
Item 4
AttributeTypeAndValue
Item ....
AttributeTypeAndValue
Build information
TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)
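
The following is an added example, not code from this report or from Wireshark: a simplified C model of why a "SEQUENCE OF NULL" item count is not limited by packet size, and of the item budget that bounds it. The names `decode_seq_of`, `read_count`, `MAX_ITEMS` and `SAMPLE` are hypothetical, and the two-byte input is constructed to yield the 15805 count shown in the trace above.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_ITEMS 1000u  /* hypothetical per-packet item budget, not a Wireshark value */

/* Constructed input: a two-byte length determinant encoding 15805, no payload. */
const uint8_t SAMPLE[2] = { 0xBD, 0xBD };

/* Read a length determinant in the style of PER:
 * 0xxxxxxx (0..127) or 10xxxxxx xxxxxxxx (128..16383).
 * Returns the number of bytes consumed, or 0 on error. */
static size_t read_count(const uint8_t *buf, size_t len, uint32_t *n)
{
    if (len >= 1 && !(buf[0] & 0x80)) { *n = buf[0]; return 1; }
    if (len >= 2 && (buf[0] & 0xC0) == 0x80) {
        *n = ((uint32_t)(buf[0] & 0x3F) << 8) | buf[1];
        return 2;
    }
    return 0;
}

/* Decode SEQUENCE OF <element that is elem_bits wide>.
 * Returns the number of tree items created, or -1 if the packet is
 * rejected as malformed. max_items == 0 models the unbounded loop. */
long decode_seq_of(const uint8_t *buf, size_t len,
                   unsigned elem_bits, uint32_t max_items)
{
    uint32_t count;
    size_t used = read_count(buf, len, &count);
    if (used == 0)
        return -1;

    /* Usual sanity check: the elements must fit in the remaining input.
     * NULL encodes to zero bits, so for elem_bits == 0 this always passes. */
    uint64_t avail_bits = (uint64_t)(len - used) * 8;
    if ((uint64_t)count * elem_bits > avail_bits)
        return -1;

    /* Zero-width elements therefore need a separate item budget. */
    if (max_items && count > max_items)
        return -1;

    long items = 0;
    for (uint32_t i = 0; i < count; i++)
        items++;  /* stands in for adding one item to the protocol tree */
    return items;
}
```

In the trace above the sequence is nested, so the work multiplies per level; a budget shared across the whole packet, rather than one per sequence, is what keeps the total bounded.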