DoS - WebSocket "permessage-deflate" Unbounded Decompression / zlib bomb
## Summary

The `websocket_uncompress` function in `packet-websocket.c` inflates compressed WebSocket frames in a `do { inflate() } while` loop with no limit on the total decompressed output. Each iteration grows a `wmem_file_scope()` buffer via `wmem_realloc()` until `Z_STREAM_END`: no size cap, no warning, no abort. A single WebSocket frame containing a 101 KB deflate bomb expands to 100 MB of memory; a 1 MB frame reaches 1 GB. The attacker only needs a pcap or live capture with an HTTP 101 upgrade negotiating `permessage-deflate`, followed by one compressed binary frame.

I'm not sure if this is intended or not, so I preferred to report it.

## AI assistance

None

## Sample capture file

[websocket_zlib_bomb.pcap](/uploads/1f72df80dba88dd2cbe495c6146ff4c7/websocket_zlib_bomb.pcap)

## Steps to reproduce

```
ASAN_OPTIONS=detect_leaks=0:allocator_may_return_null=0:max_allocation_size_mb=50 tshark -r /poc/websocket_zlib_bomb.pcap -Y websocket
```

## What is the current bug behavior?

```
Running as user "root" and group "root". This could be dangerous.
 ** (tshark:7) 09:43:11.398138 [(none) MESSAGE] -- JSON Dictionary: No config.txt or jsonmain.xml found (using generic mode)
=================================================================
==7==ERROR: AddressSanitizer: requested allocation size 0x3215864 (0x3216868 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x3200000 (thread T0)
    #0 0xffffb6b7646c in realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
    #1 0xffff98235de8 in g_realloc (/lib/aarch64-linux-gnu/libglib-2.0.so.0+0x65de8) (BuildId: d0e89b6e877018ef77a15d9f851c171759683b8d)
    #2 0xffff98375fa8 in wmem_realloc /src/wsutil/wmem/wmem_core.c:82
    #3 0xffff98379f40 in wmem_block_realloc_jumbo /src/wsutil/wmem/wmem_allocator_block.c:825
    #4 0xffff9837a4ec in wmem_block_realloc /src/wsutil/wmem/wmem_allocator_block.c:925
    #5 0xffff983760f0 in wmem_realloc /src/wsutil/wmem/wmem_core.c:96
    #6 0xffffa4efab00 in websocket_uncompress /src/epan/dissectors/packet-websocket.c:304
    #7 0xffffa4efb328 in dissect_websocket_data_frame /src/epan/dissectors/packet-websocket.c:403
    #8 0xffffa4efc444 in dissect_websocket_payload /src/epan/dissectors/packet-websocket.c:625
    #9 0xffffa4efd72c in dissect_websocket_frame /src/epan/dissectors/packet-websocket.c:762
    #10 0xffffa4bfb70c in tcp_dissect_pdus /src/epan/dissectors/packet-tcp.c:5814
    #11 0xffffa4efd9b0 in dissect_websocket /src/epan/dissectors/packet-websocket.c:805
    #12 0xffffa650db04 in call_dissector_through_handle /src/epan/packet.c:945
    #13 0xffffa650e208 in call_dissector_work /src/epan/packet.c:1036
    #14 0xffffa6519134 in call_dissector_only /src/epan/packet.c:3688
    #15 0xffffa3b4efbc in dissect_http_on_stream /src/epan/dissectors/packet-http.c:4445
    #16 0xffffa3b4f7e4 in dissect_http_tcp /src/epan/dissectors/packet-http.c:4513
    #17 0xffffa650db04 in call_dissector_through_handle /src/epan/packet.c:945
    #18 0xffffa650e208 in call_dissector_work /src/epan/packet.c:1036
    #19 0xffffa65112cc in dissector_try_uint_with_data /src/epan/packet.c:1766
    #20 0xffffa4c09e8c in decode_tcp_ports /src/epan/dissectors/packet-tcp.c:8265
    #21 0xffffa4c0ab1c in process_tcp_payload /src/epan/dissectors/packet-tcp.c:8362
    #22 0xffffa4bf8f78 in desegment_tcp /src/epan/dissectors/packet-tcp.c:5291
    #23 0xffffa4c0b330 in dissect_tcp_payload /src/epan/dissectors/packet-tcp.c:8435
    #24 0xffffa4c1743c in dissect_tcp /src/epan/dissectors/packet-tcp.c:9832
    #25 0xffffa650db04 in call_dissector_through_handle /src/epan/packet.c:945
    #26 0xffffa650e208 in call_dissector_work /src/epan/packet.c:1036
    #27 0xffffa65112cc in dissector_try_uint_with_data /src/epan/packet.c:1766
    #28 0xffffa3ce22c8 in ip_try_dissect /src/epan/dissectors/packet-ip.c:1888
    #29 0xffffa3ce5e70 in dissect_ip_v4 /src/epan/dissectors/packet-ip.c:2486

==7==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85 in realloc
==7==ABORTING
```

## What is the expected correct behavior?

## Build information

```
Running as user "root" and group "root". This could be dangerous.
 ** (tshark:7) 09:50:34.914933 [(none) MESSAGE] -- JSON Dictionary: No config.txt or jsonmain.xml found (using generic mode)
TShark (Wireshark) 4.7.0 (Git Rev Unknown from unknown).

Copyright 1998-2026 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution.
There is NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compile-time info:
  Bit width: 64-bit
  Compiler: GCC 13.3.0
  GLib: 2.80.0
  With: +Gcrypt 1.10.3 +libxml2 2.9.14 +PCRE2 10.42 2022-12-11 +libpcap +Lua 5.4.6 +zlib 1.3
  Without: -brotli -LZ4 -Snappy -GnuTLS -MaxMind -xxhash -Kerberos -nghttp2 -zlib-ng -libnl -nghttp3 -Zstandard -libsmi -POSIX capabilities

Runtime info:
  OS: Linux 6.12.76-linuxkit
  CPU:
  Memory: 7835 MB of physical memory
  GLib: 2.80.0
  Locale: LC_TYPE=C
  Plugins: disabled at compile time
  With: +c-ares 1.27.0 +PCRE2 10.42 2022-12-11 +Gcrypt 1.10.3 +zlib 1.3 +libpcap 1.10.4 (with TPACKET_V3)
```
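The two inflate loops described in the Summary, as an added Python illustration that is not Wireshark code: `inflate_unbounded` mirrors the uncapped pattern and `inflate_bounded` shows the mitigation a dissector would want, a ceiling on total decompressed output checked on every inflate step. It uses the stdlib `zlib` module with raw DEFLATE plus the RFC 7692 sync-flush tail; the 1 MB sample bomb and the 64 KiB ceiling are constructed values, not the report's PoC or any Wireshark preference.

```python
import zlib

# permessage-deflate (RFC 7692) carries raw DEFLATE (no zlib header) and strips the
# trailing empty stored block 00 00 ff ff from each message; the receiver re-appends it.
SYNC_TAIL = b"\x00\x00\xff\xff"


def make_deflate_message(plaintext: bytes) -> bytes:
    """Compress one message the way a permessage-deflate sender would (constructed sample)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = c.compress(plaintext) + c.flush(zlib.Z_SYNC_FLUSH)
    assert data.endswith(SYNC_TAIL)
    return data[: -len(SYNC_TAIL)]


def inflate_unbounded(payload: bytes) -> bytes:
    """The pattern the report describes: inflate until the stream is drained, no output cap."""
    d = zlib.decompressobj(-15)
    return d.decompress(payload + SYNC_TAIL) + d.flush()


def inflate_bounded(payload: bytes, max_out: int) -> bytes:
    """Hardened form: abort as soon as total decompressed output would exceed max_out."""
    d = zlib.decompressobj(-15)
    out = bytearray()
    buf = payload + SYNC_TAIL
    while True:
        room = max_out - len(out) + 1          # one byte beyond the cap so overflow is observable
        chunk = d.decompress(buf, room)        # max_length bounds this step's output
        out += chunk
        if len(out) > max_out:
            ratio = len(out) // max(len(payload), 1)
            raise ValueError(
                f"decompressed output exceeds {max_out} bytes (ratio so far {ratio}:1); "
                "possible deflate bomb")
        buf = d.unconsumed_tail                # input zlib left untouched because room ran out
        if not chunk and not buf:              # nothing produced and nothing pending: done
            break
    return bytes(out)


def bomb_detected(payload: bytes, max_out: int) -> bool:
    """True when the bounded inflater rejects the message, False when it fits under the cap."""
    try:
        inflate_bounded(payload, max_out)
    except ValueError:
        return True
    return False
```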