Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A integer overflow vulnerability in wifipacp.cpp #182

ZIllR0 opened this Issue Aug 2, 2018 · 2 comments


None yet
2 participants
Copy link

ZIllR0 commented Aug 2, 2018

There is a overflow vulnerability in function handle_prism while handle wifipacp's caplen.

void WifiPacket::handle_prism(const u_char *pc, size_t len)
    cbs->HandlePrism( *this, &hdr, pc + 144, len - 144);

if the caplen < 144, we can cause a integer overflow vulnerability in function handle_80211, which will result in a out-of-bounds read and may allow access to sensitive memory(or just a ddos).

Program received signal SIGSEGV, Segmentation fault.
RAX: 0xe42faad4
RBX: 0x9e9c60 --> 0x0
RCX: 0x23a0
RDX: 0x23a0
RSI: 0x30 ('0')
RDI: 0xffffffffffffff6d
RBP: 0xffffffffffffff71
RSP: 0x7fffffffd340 --> 0x0
RIP: 0x4603fb (<WifiPacket::handle_80211(unsigned char const*, unsigned long)+571>:	xor    r11b,BYTE PTR [rbx+rdx*1])
R8 : 0xffffffffffffff71
R9 : 0x0
R10: 0x7ffff763f280 --> 0xfffed4f0fffed500
R11: 0xe42faad4
R12: 0x7fffffffd3d0 --> 0x6b2320 --> 0x4921b8 --> 0x45d200 (<TFCB::~TFCB()>:	push   r12)
R13: 0x0
R14: 0x0
R15: 0x18
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
   0x4603f2 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+562>:xor    ecx,ecx
   0x4603f4 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+564>:nop    DWORD PTR [rax+0x0]
   0x4603f8 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+568>:mov    r11d,eax
=> 0x4603fb <WifiPacket::handle_80211(unsigned char const*, unsigned long)+571>:xor    r11b,BYTE PTR [rbx+rdx*1]
   0x4603ff <WifiPacket::handle_80211(unsigned char const*, unsigned long)+575>:shr    eax,0x8
   0x460402 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+578>:movzx  edx,r11b
   0x460406 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+582>:xor    eax,DWORD PTR [rdx*4+0x492a40]
   0x46040d <WifiPacket::handle_80211(unsigned char const*, unsigned long)+589>:lea    edx,[rcx+0x1]
0000| 0x7fffffffd340 --> 0x0
0008| 0x7fffffffd348 --> 0x9e9c60 --> 0x0
0016| 0x7fffffffd350 --> 0xffffffffffffff71
0024| 0x7fffffffd358 --> 0x7fffffffd3d0 --> 0x6b2320 --> 0x4921b8 --> 0x45d200 (<TFCB::~TFCB()>:	push   r12)
0032| 0x7fffffffd360 --> 0x77 ('w')
0040| 0x7fffffffd368 --> 0x9e9bd0 --> 0x7ffff61d1b30 --> 0x0
0048| 0x7fffffffd370 --> 0x45c840 (<dl_prism(unsigned char*, pcap_pkthdr const*, unsigned char const*)>:	mov    rcx,rsi)
0056| 0x7fffffffd378 --> 0x4612cf (<WifiPacket::handle_prism(unsigned char const*, unsigned long)+143>:	mov    rax,QWORD PTR [rsp+0x28])
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004603fb in crc32_ccitt_seed (seed=0xffffffff,
    len=0xffffffffffffff6d, buf=0x9e9c60 "") at wifipcap/wifipcap.cpp:308
308	        crc32 = crc32_ccitt_table[(crc32 ^ buf[i]) & 0xff] ^ (crc32 >> 8);

This comment has been minimized.

Copy link

simsong commented Aug 3, 2018

Wow! That's embarrassing. Thanks for finding it. Fixed in a4e1cd1.

@simsong simsong closed this Aug 3, 2018


This comment has been minimized.

Copy link

ZIllR0 commented Aug 5, 2018

I applied for a CVE ID with this vulnerability and it was assigned to cve-2018-14938.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.