BT SDP dissector large memory leak
Summary
The BTSDP dissector could leak a large amount of memory, which may cause a denial of service.
Sample capture file
I put the PoC pcap file in the attachment: mem-leak-poc
Steps to reproduce
Method 1: Compile tshark with AddressSanitizer, then run the following command:
tshark -r mem-leak-poc
AddressSanitizer then reports:
==1624062==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 2097184 byte(s) in 1 object(s) allocated from:
#0 0x55d415ce8f2d in malloc /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x7fa9f7f96e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
SUMMARY: AddressSanitizer: 2097184 byte(s) leaked in 1 allocation(s).
Method 2: Use valgrind to locate the leaking allocation by running the following command:
valgrind --leak-check=full tshark -r mem-leak-poc
Valgrind then reports:
==1696369== HEAP SUMMARY:
==1696369== in use at exit: 2,159,142 bytes in 233 blocks
==1696369== total heap usage: 91,507 allocs, 91,274 frees, 559,497,866 bytes allocated
==1696369==
==1696369== 2,097,184 bytes in 1 blocks are definitely lost in loss record 191 of 191
==1696369== at 0x483C815: malloc (vg_replace_malloc.c:431)
==1696369== by 0xCD17E98: g_malloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
==1696369== by 0xCC8FF0A: wmem_block_fast_alloc (wmem_allocator_block_fast.c:96)
==1696369== by 0xCC8FF0A: wmem_block_fast_alloc (wmem_allocator_block_fast.c:86)
==1696369== by 0xCC8FF67: wmem_block_fast_realloc (wmem_allocator_block_fast.c:163)
==1696369== by 0xCC91EAF: wmem_strbuf_grow (wmem_strbuf.c:118)
==1696369== by 0xCC91EAF: wmem_strbuf_append_vprintf (wmem_strbuf.c:196)
==1696369== by 0xCC92057: wmem_strbuf_append_printf (wmem_strbuf.c:208)
==1696369== by 0x7054949: dissect_sdp_type (packet-btsdp.c:3547)
==1696369== by 0x7054915: dissect_sdp_type (packet-btsdp.c:3541)
==1696369== by 0x7057BA6: dissect_sdp_service_search_attribute_request (packet-btsdp.c:4396)
==1696369== by 0x7057BA6: dissect_btsdp (packet-btsdp.c:4547)
==1696369== by 0x7057BA6: dissect_btsdp (packet-btsdp.c:4485)
==1696369== by 0x6E2CB27: call_dissector_through_handle (packet.c:833)
==1696369== by 0x6E2DDDE: call_dissector_work (packet.c:924)
==1696369== by 0x6E2E9F2: dissector_try_uint_new (packet.c:1527)
==1696369==
==1696369== LEAK SUMMARY:
==1696369== definitely lost: 2,097,184 bytes in 1 blocks
==1696369== indirectly lost: 0 bytes in 0 blocks
==1696369== possibly lost: 0 bytes in 0 blocks
==1696369== still reachable: 61,958 bytes in 232 blocks
==1696369== suppressed: 0 bytes in 0 blocks
I'd like to request a CVE ID for this vulnerability. Thank you!