Skip to content
GitLab

bpv6 (Bundle) dissector int underflow/overflow leads to inf loop - denial of service

Summary

In the bpv6 protocol evaluate_sdnv function might return negative number which will be used in arithmetic for loop index wireshark___packet-bpv6_c

My short investigation concludes that all loop around these items are affected:

  • hf_block_ciphersuite_param_type
  • hf_block_ciphersuite_result_item_length
  • hf_block_ciphersuite_result_data
  • hf_block_ciphersuite_params_item_length
  • hf_block_ciphersuite_result_type

Please see the attached pcap as an example for the loop around hf_block_ciphersuite_result_type. bundle.block.ciphersuite_result_type.pcap

Build information

TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information