Bug 1263769 (CVE-2015-5155) - CVE-2015-5155 openslp: Packet with crafted "nextoffset" and "extid" values causes DoS
Summary: CVE-2015-5155 openslp: Packet with crafted "nextoffset" and "extid" values ca...
Keywords:
Status: CLOSED DUPLICATE of bug 684294
Alias: CVE-2015-5155
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1263771
 
Reported: 2015-09-16 16:05 UTC by Adam Mariš
Modified: 2021-02-17 04:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-23 10:27:07 UTC
Embargoed:



Description Adam Mariš 2015-09-16 16:05:42 UTC
A vulnerability in the ParseExtension() function in openslp was reported. An attacker can force the function to enter an infinite loop, causing denial of service, via a packet with crafted "nextoffset" and "extid" values.

Vulnerable code in openslp-1.2.1/common/slp_message.c:


int ParseExtension(SLPBuffer buffer, SLPMessage message)
/*--------------------------------------------------------------------------*/
/* Parse extensions *after* all standard protocol fields are parsed         */
/*--------------------------------------------------------------------------*/
{
	int extid;
	int nextoffset;
	int result = SLP_ERROR_OK;
	nextoffset = message->header.extoffset;
	while(nextoffset)
	{
		/* here, buffer->start is stable and we can control nextoffset,
		   so we can control buffer->curpos */
		buffer->curpos = buffer->start + nextoffset;
		if(buffer->curpos + 5 >= buffer->end)
		{
			/* Extension takes us past the end of the buffer */
			result = SLP_ERROR_PARSE_ERROR;
			goto CLEANUP;
		}
		extid = AsUINT16(buffer->curpos);
		buffer->curpos += 2;
		/* here, we can control nextoffset by making a crafted packet */
		nextoffset = AsUINT24(buffer->curpos);
		buffer->curpos += 3;
		switch(extid)
		{
			case SLP_EXTENSION_ID_REG_PID:
			if(message->header.functionid == SLP_FUNCT_SRVREG)
			{
				/* check to see if buffer is large enough to contain the 4
				   byte pid */
				if(buffer->curpos + 4 > buffer->end)
				{
					result = SLP_ERROR_PARSE_ERROR;
					goto CLEANUP;
				}
				message->body.srvreg.pid = AsUINT32(buffer->curpos);
				buffer->curpos += 4;
			}
			break;
			default:
			if (extid >= 0x4000 && extid <= 0x7FFF )
			{
				/* This is a required extension. We better error out */
				result = SLP_ERROR_MESSAGE_NOT_SUPPORTED;
				goto CLEANUP;
			}
			break;
		}
	}
	CLEANUP:
	return result;
}
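
The loop above terminates only when a "nextoffset" of 0 is read from the packet, so an extension whose "nextoffset" points back at itself (or at an earlier extension) is re-parsed forever. The following is an added example, not OpenSLP's code, modelling that extension chain on constructed packets: `parse_ext_vulnerable` mirrors the original's trust in the wire value (with an iteration cap, which the real code lacks, so the loop can be observed in a test), and `parse_ext_hardened` adds the check a defender wants, requiring every "nextoffset" to move strictly forward in the packet. The names, the 16-byte header padding, the `ExtResult` type and the strictly-increasing-offset rule are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of walking an extension chain (hypothetical type, not OpenSLP's). */
enum { EXT_OK = 0, EXT_PARSE_ERROR = 1, EXT_NOT_SUPPORTED = 2, EXT_LOOP = 3 };
typedef struct { int status; unsigned count; } ExtResult;

/* Big-endian field readers, same layout as the page's AsUINT16/AsUINT24. */
static unsigned as_u16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
static unsigned as_u24(const uint8_t *p) { return ((unsigned)p[0] << 16) | ((unsigned)p[1] << 8) | p[2]; }

/* Constructed 32-byte packets: 16 zero bytes stand in for the header, then
 * extensions of the form [extid:2][nextoffset:3], offsets counted from byte 0. */
static const uint8_t PKT_CHAIN[32] = {        /* 16 -> 24 -> end: a well-formed chain */
    [16] = 0x00, 0x01, 0x00, 0x00, 0x18,
    [24] = 0x00, 0x02, 0x00, 0x00, 0x00 };
static const uint8_t PKT_SELF_LOOP[32] = {    /* 16 -> 16: extension points at itself */
    [16] = 0x00, 0x01, 0x00, 0x00, 0x10 };
static const uint8_t PKT_BACK_CYCLE[32] = {   /* 16 -> 24 -> 16: two-extension cycle */
    [16] = 0x00, 0x01, 0x00, 0x00, 0x18,
    [24] = 0x00, 0x02, 0x00, 0x00, 0x10 };

/* Same control flow as the vulnerable ParseExtension(): the next offset is taken
 * from the packet unchecked. max_iter is only here so the test can prove the loop
 * never ends on its own; the original has no such cap. */
ExtResult parse_ext_vulnerable(const uint8_t *pkt, size_t len, unsigned first, unsigned max_iter)
{
    ExtResult r = { EXT_OK, 0 };
    unsigned nextoffset = first;
    while (nextoffset) {
        if (r.count == max_iter) { r.status = EXT_LOOP; return r; }
        if ((size_t)nextoffset + 5 >= len) { r.status = EXT_PARSE_ERROR; return r; }
        unsigned extid = as_u16(pkt + nextoffset);
        nextoffset = as_u24(pkt + nextoffset + 2);   /* attacker-chosen value drives the loop */
        if (extid >= 0x4000 && extid <= 0x7FFF) { r.status = EXT_NOT_SUPPORTED; return r; }
        r.count++;
    }
    return r;
}

/* Hardened walk: an extension's nextoffset must point strictly past the current
 * one, so a self-reference or a backward jump is rejected on the first revisit.
 * This is one defensive rule chosen for the example, not OpenSLP's patch. */
ExtResult parse_ext_hardened(const uint8_t *pkt, size_t len, unsigned first)
{
    ExtResult r = { EXT_OK, 0 };
    unsigned offset = first, prev = 0;
    while (offset) {
        if (offset <= prev) { r.status = EXT_LOOP; return r; }            /* chain does not advance */
        if ((size_t)offset + 5 >= len) { r.status = EXT_PARSE_ERROR; return r; }
        unsigned extid = as_u16(pkt + offset);
        unsigned next = as_u24(pkt + offset + 2);
        if (extid >= 0x4000 && extid <= 0x7FFF) { r.status = EXT_NOT_SUPPORTED; return r; }
        r.count++;
        prev = offset;
        offset = next;
    }
    return r;
}

int main(void)
{
    ExtResult v = parse_ext_vulnerable(PKT_SELF_LOOP, sizeof PKT_SELF_LOOP, 16, 1000);
    ExtResult h = parse_ext_hardened(PKT_SELF_LOOP, sizeof PKT_SELF_LOOP, 16);
    printf("self-loop: vulnerable status=%d after %u iterations, hardened status=%d after %u\n",
           v.status, v.count, h.status, h.count);
    return 0;
}
```

Bounding the iteration count, as `max_iter` does here, is only a test aid: a real parser should reject a non-advancing chain outright, because a cap large enough for legitimate packets still lets a peer burn CPU on every crafted message.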

Comment 1 Adam Mariš 2015-09-17 07:41:08 UTC
Public via:

http://seclists.org/oss-sec/2015/q3/559

Comment 2 Adam Mariš 2015-09-18 07:23:49 UTC
Acknowledgements:

Red Hat would like to thank Qinghao Tang of QIHU 360 for reporting this issue.

Comment 4 Stefan Cornelius 2015-09-23 10:27:07 UTC
I believe this is a dupe of CVE-2010-3609. It's hard to be 100% sure without a confirmation of the researcher. I've asked for that confirmation on http://www.openwall.com/lists/oss-security/2015/09/19/1 (no response yet).

*** This bug has been marked as a duplicate of bug 684294 ***

Comment 5 Doran Moppert 2020-02-10 04:30:18 UTC
Statement:

This flaw was found to be a duplicate of CVE-2010-3609. Please see https://access.redhat.com/security/cve/CVE-2010-3609 for information about affected products and security errata.

