Headline
CVE-2023-4511: BT SDP dissector infinite loop (#19258) · Issues · Wireshark Foundation / Wireshark · GitLab
BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file
Summary
The BTSDP dissector could go into an infinite loop. It can make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Sample capture file
I put the POC pcap file in the attachment. loop-poc.pcap
Steps to reproduce
Method 1: Run the following command:
Method 2: Drag the file onto the Wireshark GUI.
What is the current bug behavior?
Wireshark is in an infinite loop, and the CPU usage remains at 100%.
Technical Details
I tried to analyze the cause of the problem and found that the infinite loop appeared in dissect_sdp_type(). When the following code snippet was executed, the program repeatedly entered this loop or entered recursion, causing the Wireshark DoS.
    while (bytes_to_go > 0) {
        if (!first) {
            wmem_strbuf_append(info_buf, ", ");
        } else {
            first = 0;
        }
        size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid,
                service_did_vendor_id, service_did_vendor_id_source,
                service_hdp_data_exchange_specification, service_info, &substr);
        if (size < 1) {
            break;
        }
        wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr));
        offset += size ;
        bytes_to_go -= size;
    }
    wmem_strbuf_append(info_buf, "} ");
    break;
I’d like to request a CVE ID for this vulnerability. Thank you!
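The loop shape quoted in the report, as an added example that is not Wireshark's code or its fix: a hardened walker over nested length-prefixed elements whose offset and remaining-byte counter are guaranteed to make progress, with bounded recursion. The element layout, type codes, `walk_element`, `MAX_DEPTH` and the sample buffers are constructed for illustration (this is not the Bluetooth SDP encoding), and the report does not state which guard the real dissector lacked.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DEPTH 16   /* assumed nesting limit for this example */
#define HDR 5          /* constructed layout: 1 type byte + 4-byte big-endian length */
#define T_LEAF 0x01    /* constructed type codes, not real SDP values */
#define T_SEQ  0x02

/* Returns bytes consumed by the element at buf[off], or -1 if malformed. */
static int64_t walk_element(const uint8_t *buf, size_t len, size_t off, int depth)
{
    if (depth > MAX_DEPTH) return -1;                 /* bound the recursion */
    if (off > len || len - off < HDR) return -1;      /* header must fit */
    uint32_t plen = ((uint32_t)buf[off + 1] << 24) | ((uint32_t)buf[off + 2] << 16) |
                    ((uint32_t)buf[off + 3] << 8) | (uint32_t)buf[off + 4];
    size_t body = off + HDR;
    if (plen > len - body) return -1;                 /* unsigned compare before any signed math */
    if (buf[off] == T_SEQ) {
        size_t bytes_to_go = plen, child = body;
        while (bytes_to_go > 0) {
            /* a child may only see its parent's payload, never the bytes after it */
            int64_t size = walk_element(buf, body + plen, child, depth + 1);
            if (size < 1 || (uint64_t)size > bytes_to_go) return -1;  /* no progress: stop */
            child += (size_t)size;                    /* offset strictly increases */
            bytes_to_go -= (size_t)size;              /* counter strictly decreases */
        }
    } else if (buf[off] != T_LEAF) {
        return -1;                                    /* unknown type */
    }
    return (int64_t)HDR + plen;
}

/* Constructed samples: a valid sequence, an oversized child length, a cut-off child header. */
static const uint8_t ok_seq[]   = { T_SEQ, 0,0,0,13, T_LEAF, 0,0,0,1, 0xAA,
                                    T_LEAF, 0,0,0,2, 0xBB, 0xCC };
static const uint8_t huge_len[] = { T_SEQ, 0,0,0,6, T_LEAF, 0xFF,0xFF,0xFF,0xF0, 0xAA };
static const uint8_t cut_hdr[]  = { T_SEQ, 0,0,0,3, T_LEAF, 0, 0 };

int main(void)
{
    printf("ok_seq   -> %lld\n", (long long)walk_element(ok_seq, sizeof ok_seq, 0, 0));
    printf("huge_len -> %lld\n", (long long)walk_element(huge_len, sizeof huge_len, 0, 0));
    printf("cut_hdr  -> %lld\n", (long long)walk_element(cut_hdr, sizeof cut_hdr, 0, 0));
    return 0;
}
```

Because every accepted child consumes at least `HDR` bytes and never more than `bytes_to_go`, the loop runs a bounded number of times per element, and `MAX_DEPTH` bounds the nesting.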