
CVE-2019-10053

Software: suricata, v. 4.1.3.
Language: C
Risk: medium / high
Type: integer overflow / forbidden memory read access / heapbuffer overflow

Description: This bug was found by libFuzzer.

If the *input* argument of the function *SSHParseBanner(SshState *state, SshHeader *header, const uint8_t *input, uint32_t input_len)* consists of only the single character **'\n'**, the program runs into a heap buffer overflow.

Reason: at **line 76** in the function *SSHParseBanner*, the program searches the input for a '\r'. If none is found, it falls back to matching a '\n'. After this point line_len is 0, and this is the problem. At line 97, line_len is decremented by 4, which yields a negative value. Unfortunately the length is an unsigned integer, so a small negative value becomes a very large unsigned integer. The result is that the **input_len** handed on is much larger than the given buffer. The function *BasicSearch* takes this length and crashes by reading far beyond the buffer because of the huge input_len value. This results in a heap-buffer-overflow.
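The length arithmetic described above, reduced to a constructed model (added example, not Suricata's code): `find_line_len` mirrors the '\r'-then-'\n' scan, `banner_len_unchecked` shows the unsigned wrap for the single-byte input "\n", and `banner_len_checked` shows the bounds check that has to precede the subtraction. Function names and the sample banner are assumptions; the 255-byte limit is the version-string maximum from RFC 4253.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the banner length computation; illustrative code,
 * not Suricata's own. The line ends at the first '\r', or at the first
 * '\n' if there is no '\r'. */
static uint32_t find_line_len(const uint8_t *input, uint32_t input_len)
{
    uint32_t line_len = input_len;
    for (uint32_t i = 0; i < input_len; i++) {
        if (input[i] == '\r') { line_len = i; break; }
    }
    if (line_len == input_len) {              /* no '\r': fall back to '\n' */
        for (uint32_t i = 0; i < input_len; i++) {
            if (input[i] == '\n') { line_len = i; break; }
        }
    }
    return line_len;
}

/* Unchecked variant of the "SSH-" prefix skip. For the input "\n" the line
 * length is 0 and the unsigned subtraction wraps to 0xFFFFFFFC, the huge
 * length the report describes. Only the value is computed here; nothing is
 * read from the buffer with it. */
uint32_t banner_len_unchecked(const uint8_t *input, uint32_t input_len)
{
    return find_line_len(input, input_len) - 4;
}

/* Checked variant: reject lines too short to hold the 4-byte "SSH-" prefix
 * (or longer than RFC 4253's 255-byte limit) before subtracting, and only
 * then compare the prefix. Returns -1 on rejection, else the remaining
 * length after the prefix. */
int banner_len_checked(const uint8_t *input, uint32_t input_len)
{
    uint32_t line_len = find_line_len(input, input_len);
    if (line_len < 4 || line_len > 255)
        return -1;
    if (memcmp(input, "SSH-", 4) != 0)
        return -1;
    return (int)(line_len - 4);
}

int main(void)
{
    const uint8_t bad[] = "\n";                        /* constructed input */
    const uint8_t ok[] = "SSH-2.0-OpenSSH_7.4\r\n";    /* constructed banner */
    printf("unchecked: 0x%08x\n", banner_len_unchecked(bad, 1));
    printf("checked:   %d\n", banner_len_checked(bad, 1));
    printf("valid:     %d\n", banner_len_checked(ok, sizeof(ok) - 1));
    return 0;
}
```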

Status: published
