Bug 1263769 (CVE-2015-5155)

Summary: CVE-2015-5155 openslp: Packet with crafted "nextoffset" and "extid" values causes DoS
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: carnil, security-response-team, vcrhonek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
[REJECTED CVE] A vulnerability has been identified in Openslp in ParseExtension() function in slp_message.c file. Attacker can force the function to enter the infinte loop causing denial of service via packet with crafted "nextoffset" value and "extid" value.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-23 10:27:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1263771    

Description Adam Mariš 2015-09-16 16:05:42 UTC 
A vulnerability in ParseExtension() function in openslp was reported. Attacker can force the function to enter the infinte loop causing denial of service via packet with crafted "nextoffset" value and "extid" value.

Vulnerable code in openslp-1.2.1/common/slp_message.c:


int ParseExtension(SLPBuffer buffer, SLPMessage message)

/* Parse extensions *after* all standard protocol fields are parsed
*/

/*--------------------------------------------------------------------------*/

{
	int extid;
	int nextoffset;
	int result = SLP_ERROR_OK;
	extoffset = message->header.extoffset;
	while(nextoffset)
	{
		//here,buffer->start value is stable ,and we can
		control nextoffset,so we can control buffer->curpos
		buffer->curpos = buffer->start + nextoffset;
		if(buffer->curpos + 5 >= buffer->end)
		{
			/* Extension takes us past the end of the buffer */
			result = SLP_ERROR_PARSE_ERROR;
			goto CLEANUP;
		}
		extid = AsUINT16(buffer->curpos);
		buffer->curpos += 2;
		//here,wo can control nextoffset by make a crafted packet
		nextoffset = AsUINT24(buffer->curpos);
		buffer->curpos += 3;
		switch(extid)
		{
			case SLP_EXTENSION_ID_REG_PID:
			if(message->header.functionid == SLP_FUNCT_SRVREG)
			{
				/* check to see if buffer is large enough to contain the 4
				byte pid */
				if(buffer->curpos + 4 > buffer->end)
				{
					result = SLP_ERROR_PARSE_ERROR;
					goto CLEANUP;
				}
				message->body.srvreg.pid = AsUINT32(buffer->curpos);
				buffer->curpos += 4;
			}
			break;
			default:

			if (extid >= 0x4000 && extid <= 0x7FFF )
			{
				/* This is a required extension. We better error out */
				result = SLP_ERROR_MESSAGE_NOT_SUPPORTED;

				goto CLEANUP;

			}
			break;
		}

	}
	CLEANUP:
	return result;
}
Comment 1 Adam Mariš 2015-09-17 07:41:08 UTC 
Public via:

http://seclists.org/oss-sec/2015/q3/559
Comment 2 Adam Mariš 2015-09-18 07:23:49 UTC 
Acknowledgements:

Red Hat would like to thank Qinghao Tang of QIHU 360 for reporting this issue.
Comment 4 Stefan Cornelius 2015-09-23 10:27:07 UTC 
I believe this is a dupe of CVE-2010-3609. It's hard to be 100% sure without a confirmation of the researcher. I've asked for that confirmation on http://www.openwall.com/lists/oss-security/2015/09/19/1 (no response yet).

*** This bug has been marked as a duplicate of bug 684294 ***
Comment 5 Doran Moppert 2020-02-10 04:30:18 UTC 
Statement:

This flaw was found to be a duplicate of CVE-2010-3609. Please see https://access.redhat.com/security/cve/CVE-2010-3609 for information about affected products and security errata.