An integer overflow vulnerability in wifipcap.cpp #182

ZIllR0 opened this issue Aug 2, 2018 · 2 comments
ZIllR0 commented Aug 2, 2018

There is an overflow vulnerability in function handle_prism while handling wifipcap's caplen.

void WifiPacket::handle_prism(const u_char *pc, size_t len)
{
    ....
    cbs->HandlePrism( *this, &hdr, pc + 144, len - 144);
}

If the caplen < 144, we can cause an integer overflow vulnerability in function handle_80211, which will result in an out-of-bounds read and may allow access to sensitive memory (or just a DDoS).

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xe42faad4
RBX: 0x9e9c60 --> 0x0
RCX: 0x23a0
RDX: 0x23a0
RSI: 0x30 ('0')
RDI: 0xffffffffffffff6d
RBP: 0xffffffffffffff71
RSP: 0x7fffffffd340 --> 0x0
RIP: 0x4603fb (<WifiPacket::handle_80211(unsigned char const*, unsigned long)+571>:	xor    r11b,BYTE PTR [rbx+rdx*1])
R8 : 0xffffffffffffff71
R9 : 0x0
R10: 0x7ffff763f280 --> 0xfffed4f0fffed500
R11: 0xe42faad4
R12: 0x7fffffffd3d0 --> 0x6b2320 --> 0x4921b8 --> 0x45d200 (<TFCB::~TFCB()>:	push   r12)
R13: 0x0
R14: 0x0
R15: 0x18
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4603f2 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+562>:xor    ecx,ecx
   0x4603f4 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+564>:nop    DWORD PTR [rax+0x0]
   0x4603f8 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+568>:mov    r11d,eax
=> 0x4603fb <WifiPacket::handle_80211(unsigned char const*, unsigned long)+571>:xor    r11b,BYTE PTR [rbx+rdx*1]
   0x4603ff <WifiPacket::handle_80211(unsigned char const*, unsigned long)+575>:shr    eax,0x8
   0x460402 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+578>:movzx  edx,r11b
   0x460406 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+582>:xor    eax,DWORD PTR [rdx*4+0x492a40]
   0x46040d <WifiPacket::handle_80211(unsigned char const*, unsigned long)+589>:lea    edx,[rcx+0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd340 --> 0x0
0008| 0x7fffffffd348 --> 0x9e9c60 --> 0x0
0016| 0x7fffffffd350 --> 0xffffffffffffff71
0024| 0x7fffffffd358 --> 0x7fffffffd3d0 --> 0x6b2320 --> 0x4921b8 --> 0x45d200 (<TFCB::~TFCB()>:	push   r12)
0032| 0x7fffffffd360 --> 0x77 ('w')
0040| 0x7fffffffd368 --> 0x9e9bd0 --> 0x7ffff61d1b30 --> 0x0
0048| 0x7fffffffd370 --> 0x45c840 (<dl_prism(unsigned char*, pcap_pkthdr const*, unsigned char const*)>:	mov    rcx,rsi)
0056| 0x7fffffffd378 --> 0x4612cf (<WifiPacket::handle_prism(unsigned char const*, unsigned long)+143>:	mov    rax,QWORD PTR [rsp+0x28])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004603fb in crc32_ccitt_seed (seed=0xffffffff,
    len=0xffffffffffffff6d, buf=0x9e9c60 "") at wifipcap/wifipcap.cpp:308
308	        crc32 = crc32_ccitt_table[(crc32 ^ buf[i]) & 0xff] ^ (crc32 >> 8);
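
The length arithmetic behind the report above, as an added example that is not code from the project or from either commenter: the unchecked `len - 144` beside a guarded form that drops short captures before subtracting. The 4-byte FCS trailer and all identifiers are assumptions; for a 1-byte capture the unchecked values are 0xffffffffffffff71 and, after a further 4-byte subtraction, 0xffffffffffffff6d, the same values that appear in the debugger output.

```cpp
// Added example; not bulk_extractor code. 144 comes from the snippet above,
// the 4-byte FCS trailer and all identifiers are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>

static const size_t PRISM_HDR_LEN = 144;
static const size_t FCS_LEN = 4;

struct Payload { const uint8_t *data; size_t len; };

// Unchecked form: unsigned subtraction wraps modulo 2^64 when caplen < 144.
uint64_t unchecked_payload_len(uint64_t caplen) {
    return caplen - PRISM_HDR_LEN;
}

// Guarded form: reject a truncated capture before doing any arithmetic.
bool prism_payload(const uint8_t *pc, size_t caplen, Payload *out) {
    if (pc == nullptr || out == nullptr || caplen < PRISM_HDR_LEN) return false;
    out->data = pc + PRISM_HDR_LEN;
    out->len = caplen - PRISM_HDR_LEN;   // cannot wrap: caplen >= 144
    return true;
}

// Same check one layer down: bytes covered by the checksum, without the FCS.
bool fcs_covered_len(size_t frame_len, size_t *covered) {
    if (covered == nullptr || frame_len < FCS_LEN) return false;
    *covered = frame_len - FCS_LEN;
    return true;
}

int main() {
    uint8_t frame[200] = {0};   // constructed sample buffer
    const size_t caplens[] = {1, 143, 144, 200};
    for (size_t caplen : caplens) {
        Payload p;
        size_t covered = 0;
        bool ok = prism_payload(frame, caplen, &p) && fcs_covered_len(p.len, &covered);
        printf("caplen=%zu unchecked=0x%llx -> %s\n", caplen,
               (unsigned long long)unchecked_payload_len(caplen),
               ok ? "parsed" : "dropped");
    }
    return 0;
}
```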

simsong commented Aug 3, 2018

Wow! That's embarrassing. Thanks for finding it. Fixed in a4e1cd1.

simsong closed this as completed Aug 3, 2018

ZIllR0 commented Aug 5, 2018

I applied for a CVE ID with this vulnerability and it was assigned to CVE-2018-14938.
