I found an integer overflow at function Process_ipfix_template_withdraw that can be abused in order to crash the process remotely (denial of service):
Program received signal SIGSEGV (current pc: 0x55b9f281a75f)
f 0 55b9f281a75f Process_ipfix_template_withdraw+41
f 1 55b9f281a23f Process_ipfix_templates+100
f 2 55b9f281c337 Process_IPFIX+525
f 3 55b9f2803d4f run+3406
f 4 55b9f2805530 main+5659
f 5 7f5d713112e1 __libc_start_main+241
The function uses size_left as uint32_t which is an unsigned integer (can only hold values between 0 and 2^32), so if we have a size_left with value 1, when the subtraction at line 1429 is done (size_left -= 4;), it will overflow and become 4294967293 (0xfffffffd). As this is a value higher than "4", the size check made at line 1443 (if ( size_left < 4 ){(...) size_left = 0; (...)}) will be bypassed. At this point we have a huge loop (while ( size_left )) where the pointer DataPtr will be increased by 4 in each iteration until it reaches an invalid memory address and segfaults.
I hope this information can be useful.
Best regards,
Juan Manuel Fernandez
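As an added illustration (not the reporter's code and not the project's own source), the snippet below reproduces the unsigned arithmetic the report describes, places it next to a variant that validates the length before subtracting, and walks a constructed template-withdraw set with that check in place. The function names, the 4-byte set header and the 4-byte (template ID, field count) record layout are assumptions made for the example; the test values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors the arithmetic described in the report (hypothetical name):
 * size_left is unsigned and the 4-byte header is subtracted before any
 * check, so a value of 1 wraps to 0xfffffffd and the later "< 4" test
 * can no longer catch it. Returns the value the loop would start with. */
uint32_t withdraw_size_left_unchecked(uint32_t size_left) {
    size_left -= 4;          /* 1 - 4 wraps to 4294967293 */
    if (size_left < 4) {     /* too late: the wrapped value is huge */
        size_left = 0;
    }
    return size_left;
}

/* Hardened variant (hypothetical name): reject the set before doing the
 * subtraction, so size_left can never wrap. Returns 0 on success and
 * writes the remaining byte count; returns -1 for a set shorter than
 * its own header. */
int withdraw_size_left_checked(uint32_t size_left, uint32_t *remaining) {
    if (size_left < 4) {
        return -1;
    }
    *remaining = size_left - 4;
    return 0;
}

/* Bounds-checked walk over withdraw records (assumed layout: 4-byte set
 * header, then 4-byte records of big-endian template ID + field count).
 * Every pointer advance is covered by size_left, which is derived from
 * `len`, so the walk never reads past buf + len. Template IDs are copied
 * into `ids` (up to max_ids). Returns the record count or -1 on a
 * malformed (too short) set. */
int count_withdraw_records(const uint8_t *buf, uint32_t len,
                           uint16_t *ids, size_t max_ids) {
    uint32_t size_left;
    if (withdraw_size_left_checked(len, &size_left) != 0) {
        return -1;
    }
    const uint8_t *p = buf + 4;   /* skip the set header */
    int n = 0;
    while (size_left >= 4) {      /* loop condition, not a post-hoc check */
        uint16_t id = (uint16_t)((p[0] << 8) | p[1]);
        if ((size_t)n < max_ids) {
            ids[n] = id;
        }
        n++;
        p += 4;
        size_left -= 4;
    }
    /* Fewer than 4 trailing bytes are treated as padding and ignored. */
    return n;
}

/* Constructed sample: set header (ID 2, length 12) followed by two
 * withdraw records for template IDs 256 and 257. */
static const uint8_t sample_withdraw_set[12] = {
    0x00, 0x02, 0x00, 0x0c,
    0x01, 0x00, 0x00, 0x00,
    0x01, 0x01, 0x00, 0x00,
};

int main(void) {
    uint16_t ids[8];
    printf("unchecked size_left for input 1: %u\n",
           withdraw_size_left_unchecked(1));
    printf("records in sample set: %d\n",
           count_withdraw_records(sample_withdraw_set, 12, ids, 8));
    printf("records in 1-byte set: %d\n",
           count_withdraw_records(sample_withdraw_set, 1, ids, 8));
    return 0;
}
```

The fix is the ordering: the comparison happens before the subtraction, and the record loop tests `size_left >= 4` rather than `size_left != 0`, so a truncated set is rejected up front instead of driving the pointer across unmapped memory.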