MBIM Dissector - Unchecked buffer_length Leads to Infinite Loop (crash/dos)

Vulnerability overview
In Wireshark's MBIM protocol dissector, buffer_length is used directly as the iteration count of a loop without any validation. If its value is abnormally large, the dissector enters an infinite loop, causing a denial of service (DoS).

Affected scope
Software: Wireshark
Component: MBIM Dissector (packet-mbim.c)
Trigger condition: dissecting an MBIM message that carries an abnormally large buffer_length value.

Fix
When dissecting MBIM messages, validate buffer_length and make sure its value lies within a reasonable range, rather than using it directly for loop control.

POC
File: packet-mbim.c
Function: packet_mbim_tlv_list()
Encapsulation: EVENT_TRACING_FOR_WINDOWS_MESSAGES (ETW) (WTAP 212 / DLT 290)

In the MBIM Dissector, info->buff_len is read as uint32 from the MBIM COMMAND_MSG header (line 7731) and passed directly to mbim_dissect_tlv_list() as buffer_length with no validation against the actual packet size. Therefore, a malformed huge value causes the while (tlv_offset buff_len = 0x02000000 (33554432) and CEB_MS_WIP_POLICY. The MBIM dissector queues it for fragment reassembly.
Packet 2: MBIM fragment 2 - completes reassembly. The reassembled MBIM message triggers mbim_dissect_tlv_list() with buffer_length=33554432. The while loop iterates 67 million times at 8 bytes per iteration.
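As an added example (not Wireshark's own code), here is the check the fix calls for, written as a stand-alone TLV-list walker in C: the header-declared buffer_length is validated against the bytes actually captured before it becomes the loop bound, and every TLV must fit and advance the offset. The 8-byte TLV header layout (16-bit type, 8-bit reserved, 8-bit padding length, 32-bit data length), the function name mbim_walk_tlv_list and the sample bytes are assumptions made for this example; in a real dissector the captured size would come from tvb_reported_length_remaining().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed MBIM TLV header, 8 bytes little-endian:
 *   uint16 type | uint8 reserved | uint8 padding_len | uint32 data_len */
#define MBIM_TLV_HDR_LEN 8u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened TLV-list walk. buffer_length is the header-declared length
 * (attacker controlled); captured is the number of bytes really present
 * (in a dissector: tvb_reported_length_remaining()). Returns the TLV
 * count, or -1 when the declared length or a TLV exceeds the real data. */
int mbim_walk_tlv_list(const uint8_t *buf, size_t captured, uint32_t buffer_length)
{
    /* The missing check: never trust the declared length over the real one. */
    if (buffer_length > captured)
        return -1;

    size_t off = 0;
    int n = 0;
    while (off + MBIM_TLV_HDR_LEN <= buffer_length) {
        uint8_t  pad      = buf[off + 3];
        uint32_t data_len = rd_le32(buf + off + 4);
        /* 64-bit arithmetic so a huge data_len cannot wrap past the bound. */
        uint64_t next = (uint64_t)off + MBIM_TLV_HDR_LEN + data_len + pad;
        if (next > buffer_length)
            return -1;            /* TLV body does not fit: stop, do not spin */
        off = (size_t)next;       /* always advances by >= 8 bytes */
        n++;
    }
    return off == buffer_length ? n : -1;  /* trailing partial header is malformed */
}

/* Constructed sample: two well-formed TLVs, 24 bytes in total. */
const uint8_t MBIM_SAMPLE_TLVS[] = {
    0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,
    0x02, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, 0x11, 0x22, 0x00, 0x00,
};

int main(void) { /* stand-alone demo: honest length vs. the 0x02000000 case */
    size_t len = sizeof(MBIM_SAMPLE_TLVS);
    printf("%d TLVs, huge declared length -> %d\n",
           mbim_walk_tlv_list(MBIM_SAMPLE_TLVS, len, (uint32_t)len),
           mbim_walk_tlv_list(MBIM_SAMPLE_TLVS, len, 0x02000000u));
    return 0; }
```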