Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Sep 2015 17:40:11 +0800
From: Qinghao Tang <luodalongde@...il.com>
To: secalert@...hat.com, oss-security@...ts.openwall.com
Subject: CVE-2015-5155 - openslp 1.2.1 ParseExtension() DoS vulnerability

HI there,



Greeting! This is Qinghao Tang from QIHU 360  company, China. I am a
security researcher there.I'm writing to report a vulnerability in openslp.



The function ParseExtension() in openslp 1.2.1 exists a vulnerability , an
attacher can cause a denial of service (infinite loop) via a  packet with
crafted "nextoffset" value and "extid" value.


Let`s see how this issue  happened,the code below is from
/openslp-1.2.1/common/slp_message.c:

/*--------------------------------------------------------------------------*/

int ParseExtension(SLPBuffer buffer, SLPMessage message)

/* Parse extensions *after* all standard protocol fields are parsed
*/

/*--------------------------------------------------------------------------*/

{

    int             extid;

    int             nextoffset;

    int             result  = SLP_ERROR_OK;




    nextoffset = message->header.extoffset;

    while(nextoffset)

    {

        //here,buffer->start value is stable ,and we can
control nextoffset,so we can control buffer->curpos

        buffer->curpos = buffer->start + nextoffset;

        if(buffer->curpos + 5 >= buffer->end)

        {

            /* Extension takes us past the end of the buffer */

            result = SLP_ERROR_PARSE_ERROR;

            goto CLEANUP;

        }



        extid = AsUINT16(buffer->curpos);

        buffer->curpos += 2;


        //here,wo can control nextoffset by make a crafted packet

        nextoffset = AsUINT24(buffer->curpos);

        buffer->curpos += 3;



        switch(extid)

        {

        case SLP_EXTENSION_ID_REG_PID:

            if(message->header.functionid == SLP_FUNCT_SRVREG)

            {

                /* check to see if buffer is large enough to contain the 4
byte pid */

                if(buffer->curpos + 4 > buffer->end)

                {

                    result = SLP_ERROR_PARSE_ERROR;

                    goto CLEANUP;

                }



                message->body.srvreg.pid = AsUINT32(buffer->curpos);

                buffer->curpos += 4;

            }

            break;


        default:

            if (extid >= 0x4000 && extid <= 0x7FFF )

            {

                /* This is a required extension.  We better error out */

                result = SLP_ERROR_MESSAGE_NOT_SUPPORTED;

                goto CLEANUP;

            }

            break;

        }

    }


CLEANUP:



    return result;

}

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ