bpv6 (Bundle) dissector int underflow/overflow leads to inf loop - denial of service
Summary
In the bpv6 protocol, the evaluate_sdnv function might return a negative number, which will then be used in arithmetic for a loop index.
My short investigation concludes that all loops around these items are affected:
- hf_block_ciphersuite_param_type
- hf_block_ciphersuite_result_item_length
- hf_block_ciphersuite_result_data
- hf_block_ciphersuite_params_item_length
- hf_block_ciphersuite_result_type
Please see the attached pcap as an example for the loop around hf_block_ciphersuite_result_type.
bundle.block.ciphersuite_result_type.pcap
Build information
TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)
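
The failure mode reported above, shown as an added example that is not part of the original report and is not Wireshark's dissector code: a length decoder that returns -1 on error, and an item loop that adds that return value to its offset, next to the same loop with the return value checked. The names sdnv_decode and walk_items, the [type][SDNV length][data] item layout and the sample bytes are assumptions constructed for illustration; max_iter exists only so the stuck loop can be observed and stopped.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in SDNV decoder (hypothetical, not Wireshark's evaluate_sdnv):
 * 7 value bits per byte, high bit set means another byte follows.
 * Returns the value, or -1 if the bytes run out or the value overflows. */
static int sdnv_decode(const uint8_t *buf, size_t len, size_t off, int *used)
{
    int value = 0;
    for (*used = 0; off + (size_t)*used < len; ) {
        uint8_t b = buf[off + (size_t)*used];
        if (value > (INT32_MAX >> 7)) return -1;
        value = (value << 7) | (b & 0x7F);
        (*used)++;
        if (!(b & 0x80)) return value;
    }
    return -1;
}

/* Walks constructed [type][SDNV length][data] items. Returns the item count,
 * -1 if the input is rejected, -2 if max_iter is hit (loop never ends). */
static int walk_items(const uint8_t *buf, size_t len, int checked, int max_iter)
{
    long long offset = 0;
    int items = 0, iter, used, item_len;
    for (iter = 0; offset >= 0 && (size_t)offset < len; iter++) {
        if (iter >= max_iter) return -2;
        item_len = sdnv_decode(buf, len, (size_t)offset + 1, &used);
        if (checked) {
            if (item_len < 0) return -1;            /* decoder error */
            if ((size_t)item_len > len - (size_t)offset - 1 - (size_t)used)
                return -1;                          /* data leaves the buffer */
        }
        offset += 1LL + used + item_len;  /* unchecked: -1 cancels the +1 */
        items++;
    }
    return items;
}

/* Constructed samples: the first ends in a type byte with no length field. */
static const uint8_t truncated[]  = { 0x01, 0x02, 0xAA, 0xBB, 0x03 };
static const uint8_t wellformed[] = { 0x01, 0x02, 0xAA, 0xBB, 0x03, 0x00 };
int main(void)
{
    printf("unchecked: %d\n", walk_items(truncated, sizeof truncated, 0, 1000));
    printf("checked:   %d\n", walk_items(truncated, sizeof truncated, 1, 1000));
    printf("valid:     %d\n", walk_items(wellformed, sizeof wellformed, 1, 1000));
    return 0;
}
```

On the truncated sample the unchecked loop stays at the same offset on every pass until the iteration cap stops it, while the checked loop rejects the input on the first bad length.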