Integer overflow in Process_ipfix_template_withdraw (ipfix.c) #171

Closed
X-C3LL opened this issue Jul 7, 2019 · 1 comment

X-C3LL commented Jul 7, 2019

Hi!

I found an integer overflow in the function Process_ipfix_template_withdraw that can be abused in order to crash the process remotely (denial of service):

Program received signal SIGSEGV (current pc: 0x55b9f281a75f)


   f 0     55b9f281a75f Process_ipfix_template_withdraw+41
   f 1     55b9f281a23f Process_ipfix_templates+100
   f 2     55b9f281c337 Process_IPFIX+525
   f 3     55b9f2803d4f run+3406
   f 4     55b9f2805530 main+5659
   f 5     7f5d713112e1 __libc_start_main+241

The function uses size_left as uint32_t, which is an unsigned integer (it can only hold values between 0 and 2^32), so if we have a size_left with value 1, when the subtraction at line 1429 is done (size_left -= 4;), it will overflow and become 4294967293 (0xfffffffd). As this is a value higher than "4", the size check made at line 1443 (if ( size_left < 4 ){(...) size_left = 0; (...)}) will be bypassed. At this point we have a huge loop (while ( size_left )) where the pointer DataPtr will be increased by 4 in each iteration until it reaches an invalid memory address and segfaults.

I hope this information can be useful.

Best regards,
Juan Manuel Fernandez
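
An added example, not part of the original issue and not the project's code: it models the subtract-then-check length arithmetic the report describes, beside a check-then-subtract variant that bounds the loop by the bytes actually present. The function names, the two constants and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 4u /* bytes subtracted before the loop (per the report) */
#define REC_LEN 4u /* bytes the pointer advances per iteration (per the report) */

/* Subtract-then-check, as reported. Returns the byte count the loop would
 * try to walk; nothing is dereferenced, so this model cannot crash. */
uint32_t walk_len_unchecked(uint32_t size_left) {
    size_left -= HDR_LEN;     /* wraps modulo 2^32 when size_left < 4 */
    if (size_left < REC_LEN)  /* a wrapped value is huge and passes this */
        size_left = 0;
    return size_left;
}

/* Check-then-subtract over a real buffer (hypothetical helper). Returns the
 * number of complete records, or -1 if the input is shorter than the header. */
long count_records_checked(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < HDR_LEN)
        return -1;                   /* reject before any arithmetic */
    size_t off = HDR_LEN;
    long n = 0;
    while (len - off >= REC_LEN) {   /* len >= off always holds, so no wrap */
        /* buf[off .. off+3] is in bounds here; a parser would read it now */
        off += REC_LEN;
        n++;
    }
    return n;                        /* trailing 1..3 bytes are not walked */
}

int main(void) {
    /* Constructed sample: 4-byte header followed by two 4-byte records. */
    const uint8_t set[12] = {0, 2, 0, 12, 1, 0, 0, 0, 1, 1, 0, 0};
    printf("unchecked(1)  = %u\n", (unsigned)walk_len_unchecked(1));
    printf("unchecked(12) = %u\n", (unsigned)walk_len_unchecked(12));
    printf("checked(1)    = %ld\n", count_records_checked(set, 1));
    printf("checked(12)   = %ld\n", count_records_checked(set, 12));
    return 0;
}
```
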

phaag (Owner) commented Jul 27, 2019

Thx! fixed

phaag closed this as completed Jul 27, 2019