Stack Buffer Overflow in parse_vms_packet Function
Description
A stack buffer overflow vulnerability has been discovered in Wireshark's parse_vms_packet function (wiretap/vms.c). It is triggered by an out-of-bounds READ from a stack array; under AddressSanitizer this ends in a signal abort (SIGABRT), so an attacker who supplies a malformed capture file could crash the application, leading to a denial of service. Depending on how the application is used, it could potentially be exploited to execute arbitrary code in the context of the application, but this would require further investigation.
The out-of-bounds read occurs at offset 497 within the function's stack frame, which is one byte past the end of the 241-byte `line` char array, at vms.c:383. The relevant code segment causing the overflow is:
```c
381:     if ( (! pkt_len) && (p = strstr(line, "Length"))) {
382:         p += sizeof("Length ");
383:         while (*p && ! g_ascii_isdigit(*p))
```
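The root cause in the snippet above is that `sizeof("Length ")` is 8 because it counts the terminating NUL, so when the keyword sits at the very end of the line buffer the pointer is moved past the string terminator and the `while` loop keeps reading into adjacent stack memory (ASan reports the first bad read at offset 497, one byte past the 241-byte `line` array). The following is an added example, not Wireshark's code: a hypothetical bounded version of the scan, `scan_length_field`, beside `unchecked_skip_past_terminator`, which computes (with index arithmetic only) where the original skip would land relative to the terminator.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical bounded replacement for the "Length" scan (not Wireshark's code).
 * line_sz is the size of the buffer holding line; the string must be
 * NUL-terminated inside it. On success the decimal value is stored in *out. */
bool scan_length_field(const char *line, size_t line_sz, unsigned long *out)
{
    const char *end = memchr(line, '\0', line_sz); /* position of the terminator */
    if (end == NULL)
        return false;                              /* no terminator in the buffer */
    const char *p = strstr(line, "Length");
    if (p == NULL)
        return false;
    p += strlen("Length");                         /* 6: the keyword only, no NUL counted */
    while (p < end && !isdigit((unsigned char)*p))
        p++;                                       /* can never pass the terminator */
    if (p == end)
        return false;                              /* keyword with no number after it */
    unsigned long v = 0;
    while (p < end && isdigit((unsigned char)*p))
        v = v * 10 + (unsigned long)(*p++ - '0');
    *out = v;
    return true;
}

/* How many bytes past the NUL terminator the original `p += sizeof("Length ")`
 * would move p for a given line; 0 means exactly on the terminator and a
 * negative value means still inside the string. Nothing is dereferenced. */
long unchecked_skip_past_terminator(const char *line)
{
    const char *kw = strstr(line, "Length");
    if (kw == NULL)
        return 0;
    size_t landing = (size_t)(kw - line) + sizeof("Length "); /* 8 = 7 chars + NUL */
    return (long)landing - (long)strlen(line);
}
```

With the keyword as the last thing on a line, the original skip lands two bytes beyond the terminator, and the unbounded loop then scans whatever follows the `line` array on the stack.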
Tested on: Ubuntu 22.04.2 LTS
Steps to reproduce:
Open the trigger file using a Wireshark binary compiled with the -DENABLE_ASAN option:
```
$ tshark -r trigger
=================================================================
==264046==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcd21 at pc 0x7fffdfaf46cd bp 0x7fffffffca80 sp 0x7fffffffca70
READ of size 1 at 0x7fffffffcd21 thread T0
    #0 0x7fffdfaf46cc in parse_vms_packet /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/vms.c:383
    #1 0x7fffdfb34583 in wtap_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/wtap.c:1555
    #2 0x55555558eb8f in process_cap_file_single_pass /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3534
    #3 0x55555558eb8f in process_cap_file /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3746
    #4 0x55555558eb8f in main /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:2260
    #5 0x7fffdf629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7fffdf629e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x555555591754 in _start (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark+0x3d754)

Address 0x7fffffffcd21 is located in stack of thread T0 at offset 497 in frame
    #0 0x7fffdfaf37ff in parse_vms_packet /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/vms.c:322

  This frame has 8 object(s):
    [48, 52) 'pkt_len' (line 325)
    [64, 68) 'pktnum' (line 326)
    [80, 84) 'csec' (line 327)
    [96, 104) 'endp' (line 331)
    [128, 184) 'tm' (line 328)
    [224, 227) 'lbuf' (line 504)
    [240, 244) 'mon' (line 329)
    [256, 497) 'line' (line 323) <== Memory access at offset 497 overflows this variable
...
...
```
I'd also like to request a CVE ID for this vulnerability.
Please let me know if you need any additional information.
Regards,
Huáscar