Information

File: lspci.c
Function: lspci_process()

When reaching this function we can be in an Out-Of-Bound read situation, meaning that “s->end < s->p”.
This can lead to that “pkglen + 1” will be 0, triggering a memory allocation of zero bytes.
Later on, the “STRNCPY(, , pkglen + 1)” macro will use “pkglen + 1 - 1” == “-1”, doing the following set of actions:

  1. strncpy(dst,src,-1)
  2. dst[-1] = 0
    As “strncpy()” receives a length of type “size_t”, the value “-1” will be interpreted as “4GB”, allowing an unlimited string copy.

Code Snippet:

static void
lspci_process(STREAM s)
{
	unsigned int pkglen;
	static char *rest = NULL;
	char *buf;

	pkglen = s->end - s->p;
	/* str_handle_lines requires null terminated strings */
	buf = xmalloc(pkglen + 1);
	STRNCPY(buf, (char *) s->p, pkglen + 1);
	str_handle_lines(buf, &rest, lspci_process_line, NULL);
	xfree(buf);
}


References:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20179