BT SDP dissector infinite loop
Summary
The BTSDP dissector could go into an infinite loop. Wireshark can be made to consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Sample capture file
I put the PoC pcap file in the attachment: loop-poc.pcap
Steps to reproduce
Method 1: Run the following command:
    tshark -r loop-poc.pcap
Method 2: Drag the file into the Wireshark GUI.
What is the current bug behavior?
Wireshark enters an infinite loop, and the CPU usage remains at 100%.
Technical Details
I tried to analyze the cause of the problem and found that the infinite loop appeared in dissect_sdp_type(). When the following code snippet was executed, the program repeatedly entered this loop or entered recursion, causing a Wireshark DoS.
    while (bytes_to_go > 0) {
        if (!first) {
            wmem_strbuf_append(info_buf, ", ");
        } else {
            first = 0;
        }
        size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid,
                service_did_vendor_id, service_did_vendor_id_source,
                service_hdp_data_exchange_specification, service_info, &substr);
        if (size < 1) {
            break;
        }
        wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
        offset += size;
        bytes_to_go -= size;
    }
    wmem_strbuf_append(info_buf, "} ");
    break;
I'd like to request a CVE ID for this vulnerability. Thank you!
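
The report does not say which field of the malformed packet keeps the loop above from terminating. As an added example (not Wireshark's code and not the fix for this issue), the following stand-alone walker for SDP data elements shows the termination checks a sequence loop of this shape can enforce: each child must make progress, must fit in the bytes that remain, and nesting is capped. The names sdp_walk and MAX_DEPTH, the depth limit of 8, and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 8   /* assumed nesting cap for this example, not a Wireshark constant */

/* Walk one SDP data element at buf[0..len). Returns the bytes it occupies,
   or -1 if it is malformed (truncated, oversized child, or nested too deep). */
ptrdiff_t sdp_walk(const uint8_t *buf, size_t len, int depth)
{
    if (len < 1 || depth > MAX_DEPTH) return -1;
    unsigned type = buf[0] >> 3, idx = buf[0] & 7;   /* 5-bit type, 3-bit size index */
    size_t hdr = 1;
    uint64_t body;                       /* 64-bit so a 32-bit length field cannot wrap */

    if (idx <= 4) {
        body = (type == 0) ? 0 : (1u << idx);        /* nil has no body; else 1..16 bytes */
    } else {
        size_t n = (size_t)1 << (idx - 5);           /* 1, 2 or 4 explicit length bytes */
        if (len < 1 + n) return -1;
        body = 0;
        for (size_t i = 0; i < n; i++) body = (body << 8) | buf[1 + i];
        hdr += n;
    }
    if (body > len - hdr) return -1;     /* element claims more than the buffer holds */

    if (type == 6 || type == 7) {        /* sequence / alternative: walk the children */
        size_t off = hdr, left = (size_t)body;
        while (left > 0) {
            ptrdiff_t used = sdp_walk(buf + off, left, depth + 1);
            if (used < 1 || (size_t)used > left) return -1;  /* must progress and fit */
            off += (size_t)used;
            left -= (size_t)used;
        }
    }
    return (ptrdiff_t)(hdr + body);
}

int main(void)
{
    /* Constructed samples: a valid sequence holding one 16-bit UUID, and a
       sequence whose 32-bit length field claims far more than is present. */
    const uint8_t ok[]  = { 0x35, 0x03, 0x19, 0x11, 0x00 };
    const uint8_t bad[] = { 0x37, 0xFF, 0xFF, 0xFF, 0xFF, 0x19 };
    printf("%ld %ld\n", (long)sdp_walk(ok, sizeof ok, 0), (long)sdp_walk(bad, sizeof bad, 0));
    return 0;
}
```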