phaag / nfdump

Netflow processing tools

Integer overflow in Process_ipfix_template_withdraw (ipfix.c) #171

Closed X-C3LL closed 5 years ago

X-C3LL commented 5 years ago

Hi!

I found an integer overflow at function Process_ipfix_template_withdraw that can be abused in order to crash the process remotely (denial of service):

Program received signal SIGSEGV (current pc: 0x55b9f281a75f)

   f 0     55b9f281a75f Process_ipfix_template_withdraw+41
   f 1     55b9f281a23f Process_ipfix_templates+100
   f 2     55b9f281c337 Process_IPFIX+525
   f 3     55b9f2803d4f run+3406
   f 4     55b9f2805530 main+5659
   f 5     7f5d713112e1 __libc_start_main+241

The function uses size_left as uint32_t, which is an unsigned integer (it can only hold values between 0 and 2^32), so if we have a size_left with value 1, when the subtraction at line 1429 is done (size_left -= 4;), it will overflow and become 4294967293 (0xfffffffd). As this is a value higher than "4", the size check made at line 1443 (if ( size_left < 4 ){(...) size_left = 0; (...)}) will be bypassed. At this point we have a huge loop (while ( size_left )) where the pointer DataPtr will be increased by 4 in each iteration until it reaches an invalid memory address and segfaults.

I hope this information can be useful.

Best regards, Juan Manuel Fernandez
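The wrap-around the report describes, next to the bounds check that prevents it, as an added example that is not nfdump's code. The record layout is a simplified stand-in for an IPFIX template-withdraw set (a 4-byte set header followed by 4-byte records of template ID plus field count); the function names, the buffer, and the `ids` output array are assumptions for illustration, and the caller is assumed to pass a `size_left` no larger than the bytes actually held in `buf`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The unchecked arithmetic pattern from the report: subtracting the
 * 4-byte set header before verifying that at least 4 bytes remain.
 * For size_left == 1 the unsigned subtraction wraps to 0xfffffffd,
 * which is >= 4, so the "< 4" guard afterwards never fires. */
uint32_t unchecked_size_left(uint32_t size_left)
{
    size_left -= 4;                 /* wraps when size_left < 4 */
    if (size_left < 4)
        size_left = 0;              /* too late: already wrapped */
    return size_left;
}

/* Hardened parser (hypothetical, simplified layout): checks the
 * header length BEFORE subtracting, and makes the loop condition
 * itself guarantee that every read of 4 bytes stays in bounds.
 * Returns the number of withdraw records parsed, or -1 if the set
 * is malformed (short header, or trailing bytes that do not form a
 * whole record). At most max_ids template IDs are stored in ids. */
int parse_withdraw_set(const uint8_t *buf, uint32_t size_left,
                       uint16_t *ids, size_t max_ids)
{
    if (size_left < 4)              /* check first, then subtract */
        return -1;
    const uint8_t *p = buf + 4;     /* skip the set header */
    size_left -= 4;                 /* cannot wrap: size_left >= 4 here */

    size_t n = 0;
    while (size_left >= 4) {        /* bounds every 4-byte read */
        uint16_t template_id = (uint16_t)(((unsigned)p[0] << 8) | p[1]);
        if (n < max_ids)
            ids[n] = template_id;
        n++;
        p += 4;
        size_left -= 4;             /* cannot wrap: loop guard holds */
    }
    if (size_left != 0)             /* partial record: reject the set */
        return -1;
    return (int)n;
}

int main(void)
{
    /* Constructed sample: set header (id 2, length 12) followed by
     * withdraw records for template IDs 256 and 257, field count 0. */
    const uint8_t sample[12] = {
        0x00, 0x02, 0x00, 0x0c,
        0x01, 0x00, 0x00, 0x00,
        0x01, 0x01, 0x00, 0x00
    };
    uint16_t ids[8];

    printf("unchecked, size_left=1 -> %u\n", unchecked_size_left(1));
    printf("hardened, size_left=1  -> %d\n",
           parse_withdraw_set(sample, 1, ids, 8));
    int n = parse_withdraw_set(sample, sizeof sample, ids, 8);
    printf("hardened, full set     -> %d records, first id %u\n", n, ids[0]);
    return 0;
}
```

The fix is the ordering: a length check must run before the subtraction that relies on it, and the loop guard should be the same comparison that bounds the read, so no separate "reset to zero" step can be bypassed.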

phaag commented 5 years ago

Thx! fixed