Wireshark CVE-2017-17935 Denial of Service Vulnerability

 

Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Component: TShark (show other bugs)
Version: 2.2.11
Hardware: x86 Windows 7

 

Reported: 2017-12-26 08:48 UTC by Young
Modified: 2017-12-28 15:28 UTC (History)

 

Build Information:
None
--
Hi,
While auditing the code of Wireshark, I found a potential buffer underflow error in the File_read_line function in epan/wslua/wslua_file.c at line 194.
177 static int File_read_line(lua_State *L, FILE_T ft) {
178     static gchar linebuff[MAX_LINE_LENGTH];
179     gint64 pos_before = file_tell(ft);
180     gint length = 0;
181
182     if (file_gets(linebuff, MAX_LINE_LENGTH, ft) == NULL) {
183         /* No characters found, or error */
184         /* *err = file_error(ft, err_info); */
185         /* io.lines() and file:read() requires nil on EOF */
186         lua_pushnil(L);
187         return 0;
188     }
189
190     /* Set length (avoiding strlen()) */
191     length = (gint)(file_tell(ft) - pos_before);
192
193     /* ...but don't want to include newline in line length */
194     if (linebuff[length-1] == '\n') {
195         length--;
196         /* Nor do we want '\r' (as will be written when log is created on windows) */
197         if (length > 0 && linebuff[length - 1] == '\r') {
198             length--;
199         }
200         linebuff[length] = '\0';
201     }
202
203     lua_pushlstring(L, linebuff, length);
204     return 1;
205 }
Evidence:
There is a vulnerability named CVE-2014-5161. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5161)
Below is the patch.
diff --git a/wiretap/catapult_dct2000.c b/wiretap/catapult_dct2000.c
index be9b75e..c8cf46d 100644 (file)
--- a/wiretap/catapult_dct2000.c
+++ b/wiretap/catapult_dct2000.c
@@ -805,12 +805,12 @@ read_new_line(FILE_T fh, gint64 *offset, gint *length,
     *offset = *offset + *length;
     /* ...but don't want to include newline in line length */
-    if (linebuff[*length-1] == '\n') {
+    if (*length > 0 && linebuff[*length-1] == '\n') {
         linebuff[*length-1] = '\0';
         *length = *length - 1;
     }
     /* Nor do we want '\r' (as will be written when log is created on windows) */
-    if (linebuff[*length-1] == '\r') {
+    if (*length > 0 && linebuff[*length-1] == '\r') {
         linebuff[*length-1] = '\0';
         *length = *length - 1;
     }
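Review bot: both new `*length > 0` guards stop the read of linebuff[-1], but nothing in the hunk says how *length can be zero after a successful file_gets, and the guard is needed twice for two different reasons: *length is computed from file_tell(fh) - pos_before a few lines above, so it can be 0 (or negative on a file_tell error) before the first check, and a line consisting only of "\n" enters the second check with *length == 0 after the first block decrements it. A one-line comment above the first `if`, such as `/* *length can be 0 (or <0 on file_tell() error): never index linebuff[-1] */`, would keep a later reader from treating either guard as redundant.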
(ref: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blobdiff;f=wiretap/catapult_dct2000.c;h=c8cf46d53b78c4d55926af3eb5815b53f61ac35a;hp=be9b75eeee0c95a25b2414133c4054a19e7e7691;hb=16f8ba1bed579344df373bf38fff552ab8baf380;hpb=6ed95406e308efa2d6346ebef2468eaea051fd01)
As you can see, the File_read_line function is very similar to the read_new_line function.
So, the File_read_line function is vulnerable.
The read_new_line function before the patch:
 790 static gboolean
 791 read_new_line(FILE_T fh, gint64 *offset, gint *length,
 792               gchar *linebuff, size_t linebuffsize, int *err, gchar **err_info)
 793 {
 794     /* Read in a line */
 795     gint64 pos_before = file_tell(fh);
 796
 797     if (file_gets(linebuff, (int)linebuffsize - 1, fh) == NULL) {
 798         /* No characters found, or error */
 799         *err = file_error(fh, err_info);
 800         return FALSE;
 801     }
 802
 803     /* Set length (avoiding strlen()) and offset.. */
 804     *length = (gint)(file_tell(fh) - pos_before);
 805     *offset = *offset + *length;
 806
 807     /* ...but don't want to include newline in line length */
 808     if (linebuff[*length-1] == '\n') {
 809         linebuff[*length-1] = '\0';
 810         *length = *length - 1;
 811     }
 812     /* Nor do we want '\r' (as will be written when log is created on windows) */
 813     if (linebuff[*length-1] == '\r') {
 814         linebuff[*length-1] = '\0';
 815         *length = *length - 1;
 816     }
 817
 818     return TRUE;
 819 }
(ref: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=wiretap/catapult_dct2000.c;h=be9b75eeee0c95a25b2414133c4054a19e7e7691;hb=be9b75eeee0c95a25b2414133c4054a19e7e7691)
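The trimming step in isolation, with the guard that both fixes add, as an added example that is not Wireshark's code; `trim_line_ending` and the sample inputs are constructed here, and `length` stands in for the `file_tell(ft) - pos_before` value the real functions compute:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Wireshark code. Mirrors the newline trimming of
 * File_read_line with the guard from the CVE-2014-5161 patch. `length`
 * plays the role of file_tell(ft) - pos_before: it can be 0, or negative
 * if file_tell reported an error, and either value made the unguarded
 * `linebuff[length-1]` read one byte before the buffer.
 * Trims in place and returns the new length. */
static int trim_line_ending(char *linebuff, int length)
{
    if (length <= 0) {
        /* Nothing was read: never index linebuff[-1]. */
        linebuff[0] = '\0';
        return 0;
    }
    /* ...but don't want to include newline in line length */
    if (linebuff[length - 1] == '\n') {
        length--;
        /* Nor do we want '\r' (written when the log is created on Windows) */
        if (length > 0 && linebuff[length - 1] == '\r') {
            length--;
        }
        linebuff[length] = '\0';
    }
    /* A lone '\r' without '\n' is kept, as in File_read_line. */
    return length;
}

int main(void)
{
    /* Constructed samples: the text file_gets would leave in the buffer
     * plus the raw byte count the caller derived from file_tell. */
    struct { const char *text; int length; } samples[] = {
        { "abc\r\n", 5 },   /* Windows line ending -> "abc", 3 */
        { "abc\n",   4 },   /* Unix line ending    -> "abc", 3 */
        { "\n",      1 },   /* empty line          -> "",    0 */
        { "",        0 },   /* nothing read        -> "",    0 */
        { "",       -1 },   /* file_tell error     -> "",    0 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char linebuff[64];
        strcpy(linebuff, samples[i].text);
        int n = trim_line_ending(linebuff, samples[i].length);
        printf("len %2d -> \"%s\" (%d)\n", samples[i].length, linebuff, n);
    }
    return 0;
}
```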
Comment 1 by Gerrit Code Review, 2017-12-26 11:50:05 UTC
Change 24997 had a related patch set uploaded by Martin Mathieson:
potential buffer underflow in File_read_line function in epan/wslua/wslua_file.c
https://code.wireshark.org/review/24997
Comment 2 by Gerrit Code Review, 2017-12-26 20:21:07 UTC
Change 24997 merged by Anders Broman:
potential buffer underflow in File_read_line function in epan/wslua/wslua_file.c
https://code.wireshark.org/review/24997
Comment 3 by Gerrit Code Review, 2017-12-28 13:09:18 UTC
Change 25034 had a related patch set uploaded by Michael Mann:
potential buffer underflow in File_read_line function in epan/wslua/wslua_file.c
https://code.wireshark.org/review/25034
Comment 4 by Gerrit Code Review, 2017-12-28 13:09:36 UTC
Change 25035 had a related patch set uploaded by Michael Mann:
potential buffer underflow in File_read_line function in epan/wslua/wslua_file.c
https://code.wireshark.org/review/25035
Comment 5 by Gerrit Code Review, 2017-12-28 15:28:03 UTC
Change 25035 merged by Michael Mann:
potential buffer underflow in File_read_line function in epan/wslua/wslua_file.c
https://code.wireshark.org/review/25035
Comment 6 by Gerrit Code Review, 2017-12-28 15:28:20 UTC
Change 25034 merged by Michael Mann:
potential buffer underflow in File_read_line function in epan/wslua/wslua_file.c
https://code.wireshark.org/review/25034
Vulnerable: Wireshark Wireshark 2.2.11
Wireshark Wireshark 2.2.10
Wireshark Wireshark 2.2.9
Wireshark Wireshark 2.2.8
Wireshark Wireshark 2.2.7
Wireshark Wireshark 2.2.6
Wireshark Wireshark 2.2.5
Wireshark Wireshark 2.2.4
Wireshark Wireshark 2.2.3
Wireshark Wireshark 2.2.2
Wireshark Wireshark 2.2.1
Wireshark Wireshark 2.2
Wireshark Wireshark 1.12.13
Wireshark Wireshark 1.12.12
Wireshark Wireshark 1.12.11
Wireshark Wireshark 1.12.10
Wireshark Wireshark 1.12.8
Wireshark Wireshark 1.12.7
Wireshark Wireshark 1.12.6
Wireshark Wireshark 1.12.3
Wireshark Wireshark 1.12.2
Wireshark Wireshark 1.12.1
Wireshark Wireshark 1.12
Wireshark Wireshark 1.10.14
Wireshark Wireshark 1.10.13
Wireshark Wireshark 1.10.12
Wireshark Wireshark 1.10.11
Wireshark Wireshark 1.10.10
Wireshark Wireshark 1.10.8
Wireshark Wireshark 1.10.7
Wireshark Wireshark 1.10.6
Wireshark Wireshark 1.10.5
Wireshark Wireshark 1.10.4
Wireshark Wireshark 1.10.3
Wireshark Wireshark 1.10.2
Wireshark Wireshark 1.10.1
Wireshark Wireshark 1.10
Wireshark Wireshark 1.8.13
Wireshark Wireshark 1.8.11
Wireshark Wireshark 1.8.10
Wireshark Wireshark 1.8.9
Wireshark Wireshark 1.8.7
Wireshark Wireshark 1.8.6
Wireshark Wireshark 1.8.5
Wireshark Wireshark 1.8.4
Wireshark Wireshark 1.5
Wireshark Wireshark 1.4.3
Wireshark Wireshark 1.2.18
Wireshark Wireshark 1.2.17
Wireshark Wireshark 1.2.16
Wireshark Wireshark 1.2.10
Wireshark Wireshark 1.2.9
Wireshark Wireshark 1.2.8
Wireshark Wireshark 1.2.7
Wireshark Wireshark 1.2.6
Wireshark Wireshark 1.2.5
Wireshark Wireshark 1.2.4
Wireshark Wireshark 1.2.3
Wireshark Wireshark 1.2.2
Wireshark Wireshark 1.2.1
Wireshark Wireshark 1.2
Wireshark Wireshark 1.0.15
Wireshark Wireshark 1.0.14
Wireshark Wireshark 1.0.13
Wireshark Wireshark 1.0.12
Wireshark Wireshark 1.0.11
Wireshark Wireshark 1.0.10
Wireshark Wireshark 1.0.9
Wireshark Wireshark 1.0.8
Wireshark Wireshark 1.0.7
Wireshark Wireshark 1.0.6
Wireshark Wireshark 1.0.5
Wireshark Wireshark 1.0.4
Wireshark Wireshark 1.0.3
Wireshark Wireshark 1.0.2
Wireshark Wireshark 1.0.1
Wireshark Wireshark 1.0
Wireshark Wireshark 0.99.8
Wireshark Wireshark 0.99.7
Wireshark Wireshark 0.99.6
Wireshark Wireshark 0.99.5
Wireshark Wireshark 0.99.4
Wireshark Wireshark 0.99.3
Wireshark Wireshark 0.99.2
Wireshark Wireshark 0.99.1
Wireshark Wireshark 0.99
Wireshark Wireshark 0.10.14
Wireshark Wireshark 0.10.13
Wireshark Wireshark 0.10.12
Wireshark Wireshark 0.10.11
Wireshark Wireshark 0.10.10
Wireshark Wireshark 0.10.9
Wireshark Wireshark 0.10.8
Wireshark Wireshark 0.10.7
Wireshark Wireshark 0.10.6
Wireshark Wireshark 0.10.4
Wireshark Wireshark 0.10.3
Wireshark Wireshark 0.10.2
Wireshark Wireshark 0.10.1
Wireshark Wireshark 0.10
Wireshark Wireshark 0.9.14
Wireshark Wireshark 0.9.10
Wireshark Wireshark 0.9.6
Wireshark Wireshark 0.9.5
Wireshark Wireshark 0.9.2
Wireshark Wireshark 0.8.20
Wireshark Wireshark 0.8.19
Wireshark Wireshark 0.8.16
Wireshark Wireshark 0.7.9
Wireshark Wireshark 0.6
Wireshark Wireshark 1.8.8
Wireshark Wireshark 1.8.3
Wireshark Wireshark 1.8.2
Wireshark Wireshark 1.8.1
Wireshark Wireshark 1.5.1
Wireshark Wireshark 1.4.0
Wireshark Wireshark 1.2.15
Wireshark Wireshark 1.2.14
Wireshark Wireshark 1.2.13
Wireshark Wireshark 1.2.12
Wireshark Wireshark 1.2.11
Wireshark Wireshark 1.12.9
Wireshark Wireshark 1.12.5
Wireshark Wireshark 1.12.4
Wireshark Wireshark 1.10.9
Wireshark Wireshark 1.10
Wireshark Wireshark 1.0.16
Wireshark Wireshark 0.99.6A
Wireshark Wireshark 0.99
Wireshark Wireshark 0.9.8
Wireshark Wireshark 0.9.7
Wireshark Wireshark 0.10
Redhat Enterprise Linux 7
Redhat Enterprise Linux 6
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Redhat Enterprise Linux 5