A vulnerability in the ParseExtension() function in openslp was reported. An attacker can force the function into an infinite loop, causing a denial of service, via a packet with crafted "nextoffset" and "extid" values.

Vulnerable code in openslp-1.2.1/common/slp_message.c:

    /*--------------------------------------------------------------------------*/
    int ParseExtension(SLPBuffer buffer, SLPMessage message)
    /* Parse extensions *after* all standard protocol fields are parsed */
    /*--------------------------------------------------------------------------*/
    {
        int extid;
        int nextoffset;
        int result = SLP_ERROR_OK;

        nextoffset = message->header.extoffset;
        while(nextoffset)
        {
            // here, buffer->start is stable and we control nextoffset, so we control buffer->curpos
            buffer->curpos = buffer->start + nextoffset;
            if(buffer->curpos + 5 >= buffer->end)
            {
                /* Extension takes us past the end of the buffer */
                result = SLP_ERROR_PARSE_ERROR;
                goto CLEANUP;
            }

            extid = AsUINT16(buffer->curpos);
            buffer->curpos += 2;
            // here, we control nextoffset by making a crafted packet
            nextoffset = AsUINT24(buffer->curpos);
            buffer->curpos += 3;

            switch(extid)
            {
            case SLP_EXTENSION_ID_REG_PID:
                if(message->header.functionid == SLP_FUNCT_SRVREG)
                {
                    /* check to see if buffer is large enough to contain the 4 byte pid */
                    if(buffer->curpos + 4 > buffer->end)
                    {
                        result = SLP_ERROR_PARSE_ERROR;
                        goto CLEANUP;
                    }
                    message->body.srvreg.pid = AsUINT32(buffer->curpos);
                    buffer->curpos += 4;
                }
                break;

            default:
                if (extid >= 0x4000 && extid <= 0x7FFF )
                {
                    /* This is a required extension. We better error out */
                    result = SLP_ERROR_MESSAGE_NOT_SUPPORTED;
                    goto CLEANUP;
                }
                break;
            }
        }

    CLEANUP:
        return result;
    }
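The loop above only checks that each extension header fits inside the buffer; nothing requires the "next extension offset" to move forward, so an extension whose offset field points at itself (or at an earlier extension) is walked forever. The following is an added example, not openslp's code and not the project's actual fix: it uses constructed stand-ins for the SLPBuffer type and error codes, a constructed 32-byte packet, and one hardening approach (the offset chain must strictly increase and is bounds-checked as an integer before it is turned into a pointer). A capped copy of the report's loop shape is included so the non-terminating input can be observed safely.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for openslp's buffer type and error codes; the
 * numeric values are illustrative, not the project's. */
typedef struct { const uint8_t *start, *curpos, *end; } ExtBuffer;
enum { EXT_OK = 0, EXT_PARSE_ERROR = 1, EXT_NOT_SUPPORTED = 2, EXT_LOOP_DETECTED = 3 };

static unsigned as_uint16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
static unsigned as_uint24(const uint8_t *p) { return ((unsigned)p[0] << 16) | ((unsigned)p[1] << 8) | p[2]; }

/* Hardened extension walk (assumed approach, not openslp's patch). Two rules stop the loop:
 *  1. each "next offset" must point strictly past the extension that carried it, so a
 *     self- or backward-pointing offset is rejected as a loop;
 *  2. the offset is range-checked as an integer before touching curpos, so a 24-bit
 *     value can never push the pointer past the buffer.
 * Together they bound the loop to at most one iteration per byte of the buffer. */
int parse_extensions_hardened(ExtBuffer *b, unsigned extoffset, unsigned *count_out)
{
    size_t len = (size_t)(b->end - b->start);
    unsigned nextoffset = extoffset, lastoffset = 0, count = 0;

    while (nextoffset) {
        if (nextoffset <= lastoffset) return EXT_LOOP_DETECTED;
        if (nextoffset > len || len - nextoffset < 5) return EXT_PARSE_ERROR; /* id(2) + next(3) */
        lastoffset = nextoffset;
        b->curpos = b->start + nextoffset;
        unsigned extid = as_uint16(b->curpos); b->curpos += 2;
        nextoffset = as_uint24(b->curpos);     b->curpos += 3;
        count++;
        /* 0x4000-0x7FFF are required extensions; an unknown one must error out. */
        if (extid >= 0x4000 && extid <= 0x7FFF) return EXT_NOT_SUPPORTED;
    }
    if (count_out) *count_out = count;
    return EXT_OK;
}

/* The report's loop shape (bounds check only, no requirement that the offset advance),
 * with an iteration cap so it can be run safely. Returns the number of extensions
 * walked, -1 if the cap was hit (the input would spin forever), -2 on a bounds error. */
int walk_extensions_capped(ExtBuffer *b, unsigned extoffset, int cap)
{
    size_t len = (size_t)(b->end - b->start);
    unsigned nextoffset = extoffset;
    int iters = 0;
    while (nextoffset) {
        if (++iters > cap) return -1;
        if (nextoffset > len || len - nextoffset < 5) return -2;
        b->curpos = b->start + nextoffset + 2;   /* skip the id, read the next offset */
        nextoffset = as_uint24(b->curpos);
    }
    return iters;
}

/* Writes one extension header (2-byte id, 3-byte next offset, big-endian) at buf[at]. */
static void put_ext(uint8_t *buf, unsigned at, unsigned id, unsigned next)
{
    buf[at] = (uint8_t)(id >> 8);        buf[at + 1] = (uint8_t)id;
    buf[at + 2] = (uint8_t)(next >> 16); buf[at + 3] = (uint8_t)(next >> 8); buf[at + 4] = (uint8_t)next;
}

#define PKT_LEN 32   /* constructed packet; bytes 0..15 stand in for the SLP header */

/* Constructed self-referencing input: the extension at offset 16 names 16 as the next offset. */
int demo_self_loop_hardened(void)
{
    uint8_t pkt[PKT_LEN] = {0};
    put_ext(pkt, 16, 0x0001, 16);
    ExtBuffer b = { pkt, pkt, pkt + PKT_LEN };
    return parse_extensions_hardened(&b, 16, NULL);
}

int demo_self_loop_capped(void)
{
    uint8_t pkt[PKT_LEN] = {0};
    put_ext(pkt, 16, 0x0001, 16);
    ExtBuffer b = { pkt, pkt, pkt + PKT_LEN };
    return walk_extensions_capped(&b, 16, 1000);
}

/* Well-formed input: two extensions chained forward, then a zero terminator.
 * Returns the extension count on success, or the negated error code. */
int demo_forward_chain(void)
{
    uint8_t pkt[PKT_LEN] = {0};
    put_ext(pkt, 16, 0x0001, 21);
    put_ext(pkt, 21, 0x0002, 0);
    ExtBuffer b = { pkt, pkt, pkt + PKT_LEN };
    unsigned n = 0;
    int r = parse_extensions_hardened(&b, 16, &n);
    return r == EXT_OK ? (int)n : -r;
}

/* An offset outside the buffer, or one leaving less than 5 bytes, is rejected before any read. */
int demo_out_of_bounds(unsigned extoffset)
{
    uint8_t pkt[PKT_LEN] = {0};
    ExtBuffer b = { pkt, pkt, pkt + PKT_LEN };
    return parse_extensions_hardened(&b, extoffset, NULL);
}

int main(void)
{
    printf("self-loop: hardened=%d (3 = loop detected), capped walk=%d (-1 = never terminates)\n",
           demo_self_loop_hardened(), demo_self_loop_capped());
    printf("forward chain: extensions walked=%d\n", demo_forward_chain());
    printf("offset 30: %d, offset 0xFFFFFF: %d (1 = parse error)\n",
           demo_out_of_bounds(30), demo_out_of_bounds(0xFFFFFF));
    return 0;
}
```

The forward-only rule is sufficient on its own for termination, since the offset is strictly increasing and bounded by the buffer length; the integer range check is what keeps the pointer arithmetic defined for the full 24-bit offset range. Any parser that follows offsets embedded in untrusted input wants the same pair of checks.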
Public via: http://seclists.org/oss-sec/2015/q3/559
Acknowledgements: Red Hat would like to thank Qinghao Tang of QIHU 360 for reporting this issue.
I believe this is a dupe of CVE-2010-3609. It's hard to be 100% sure without a confirmation of the researcher. I've asked for that confirmation on http://www.openwall.com/lists/oss-security/2015/09/19/1 (no response yet). *** This bug has been marked as a duplicate of bug 684294 ***
Statement: This flaw was found to be a duplicate of CVE-2010-3609. Please see https://access.redhat.com/security/cve/CVE-2010-3609 for information about affected products and security errata.