Project

General

Profile

Actions
Copy link

Bug #536

closed

Crash during negotiation if Role Selection Item has a UID length of 0

Added by Andreas Thiel about 12 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Marco Eichelberg
Category:
Library
Target version:
3.6.2
Start date:
2013-07-25
Due date:
% Done:

100%

Estimated time:
Module:
dcmnet
Operating System:
Compiler:

Description

In cases were an application sends a Associate Request with some wrong content, the application crashes.
Mathieu Malaterre reported this effect with storescp.

Example of the crash:

D: PDU Type: Associate Request, PDU Length: 237 + 6 bytes PDU header
D: 01 00 00 00 00 ed 00 01 00 00 47 44 43 4d 5f 53
D: 54 4f 52 45 20 20 20 20 20 20 47 44 43 4d 44 41
D: 53 48 33 20 20 20 20 20 20 20 00 00 00 00 00 00
D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
D: 00 00 00 00 00 00 00 00 00 00 10 00 00 15 31 2e
D: 32 2e 38 34 30 2e 31 30 30 30 38 2e 33 2e 31 2e
D: 31 2e 31 20 00 00 36 01 00 00 00 30 00 00 19 31
D: 2e 32 2e 38 34 30 2e 31 30 30 30 38 2e 35 2e 31
D: 2e 34 2e 31 2e 31 2e 34 40 00 00 11 31 2e 32 2e
D: 38 34 30 2e 31 30 30 30 38 2e 31 2e 32 50 00 00
D: 52 51 00 00 04 00 00 40 00 52 00 00 30 31 2e 32
D: 2e 38 32 36 2e 30 2e 31 2e 33 36 38 30 30 34 33
D: 2e 32 2e 31 31 34 33 2e 31 30 37 2e 31 30 34 2e
D: 31 30 33 2e 31 31 35 2e 32 2e 32 2e 33 54 00 00
D: 04 00 00 31 2e 32 2e 38 34 30 2e 31 30 30 30 38
D: 2e 35 2e

At the end there is the incomming item roleselectionitem

54 00 00 04 00 00 31 2e 32 2e 38 34 30 2e 31 30 30 30 38 2e
35 2e

With Length 4
And a UID length of 0

Logfile:
...
T: Subitem parse: Type 54, Length 0004, Content: 49 46
T: Parsing remaining 14 bytes of User Information
T: Next item type: 32
T: Parsing remaining 6 bytes of User Information
T: Next item type: 30
T: Parsing remaining 65534 bytes of User Information
T: Next item type: 00
T: Parsing remaining 65530 bytes of User Information
T: Parsing remaining 65526 bytes of User Information
T: Next item type: 00
T: Parsing remaining 65522 bytes of User Information
T: Next item type: 00
T: Parsing remaining 65518 bytes of User Information
T: Next item type: 00
T: Parsing remaining 65514 bytes of User Information
T: Next item type: 00
...

This wrong message should be recognized by dcmtk and either ignored or the connection have to be rejected.
Ideally the stack should recognize such pdu missmatch (wrong length of the item 54 coding, no uid length wrong scp/scu role) and stop trying to parse the rest of the pdu.

Files

Download all files
s.log.gz (64.5 KB) s.log.gz Logging of communication with the crash (Mathieu Malaterre) Andreas Thiel, 2013-07-25 21:00
storescp.cfg (8.34 KB) storescp.cfg configuration file for storescp (Mathieu Malaterre) Andreas Thiel, 2013-07-25 21:00
dcmtk_issue_536.bin (243 Bytes) dcmtk_issue_536.bin Marco Eichelberg, 2017-04-16 14:35
Actions
Copy link
 #1

Updated by Jörg Riesmeier about 12 years ago

  • Tracker changed from Feature to Bug

A crash is not a feature but a bug ;)

Actions
Copy link
 #2

Updated by Jörg Riesmeier about 12 years ago

  • Subject changed from Crash during negotiation if roleselction Item as a UID length of 0. to Crash during negotiation if Role Selection Item has a UID length of 0
Actions
Copy link
 #3

Updated by Marco Eichelberg over 8 years ago

This bug has already been fixed by commit 1b6bb760 (December 2015), which fixed
several overflows/underflows in the ACSE code.

Attached is a file that can be sent to storescp using netcat and reproduces
the crash with storescp on DCMTK 3.6.0, but only leads to an error message
with newer versions:

Shell 1: storescp -ll trace 10000
Shell 2: netcat localhost 10000 <dcmtk_issue_536.bin

Closing this issue.

Actions
Copy link

Also available in: Atom PDF