Vulnerability Note VU#215900
Wireshark 6LoWPAN denial of service vulnerability
Wireshark will crash on 32-bit systems while reading a malformed 6LoWPAN packet.
Paul Makowski's report states:
dissect_6lowpan_iphc() in /epan/dissectors/packet-6lowpan.c trusts user supplied data when incrementing 'offset'. It is possible for the user to increment 'offset' to a value greater than tvb->length and/or tvb->reported_length, forcing the dissector to attempt dissection out of bounds. If 'offset' is greater than tvb->length or tvb->reported_length, then tvb_length_remaining() or tvb_reported_length_remaining() will return -1 respectively. If tvb_length_remaining() returns -1, then a buffer is allocated 1 byte too short, leading to a partial overwrite of the heap canary.
An attacker may trigger a denial of service, causing any active capture or .pcap dissection to crash Wireshark/tshark.
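The failure mode the report describes, reduced to a constructed model in C (added here; this is not Wireshark's code, and `tvb_t`, `length_remaining()` and the sample packets are stand-ins for the real tvbuff API and real 6LoWPAN framing): the unchecked path lets a packet-supplied length push `offset` past the end of the buffer, so the remaining-length query answers -1 and that value would feed an allocation, while the hardened path bounds the length against the capture first and flags the packet as malformed.

```c
#include <stdint.h>

/* Constructed stand-in for Wireshark's tvbuff (a capture buffer plus its
 * length); not Wireshark's real tvbuff_t. */
typedef struct { const uint8_t *data; int length; } tvb_t;

/* Models the contract the report relies on: once 'offset' is past the end
 * of the buffer, the remaining-length query answers -1, not a byte count. */
static int length_remaining(const tvb_t *tvb, int offset) {
    if (offset < 0 || offset > tvb->length) return -1;
    return tvb->length - offset;
}

/* Unchecked pattern: a length field read from the packet advances 'offset',
 * and whatever length_remaining() answers is then used as the size of the
 * buffer for the next header. A crafted length field makes that -1. */
int next_header_size_unchecked(const tvb_t *tvb) {
    int offset = 1;                   /* past the dispatch byte */
    int ext_len = tvb->data[offset];  /* taken from the packet as-is */
    offset += 1 + ext_len;            /* can run past tvb->length */
    return length_remaining(tvb, offset);
}

/* Hardened pattern: bound the packet-supplied length by what the capture
 * actually holds before advancing; on failure return -1 and set *malformed
 * so the caller can flag the packet instead of allocating from a bad size. */
int next_header_size_checked(const tvb_t *tvb, int *malformed) {
    int offset = 1;
    *malformed = 1;
    if (tvb->length < offset + 1) return -1;
    int ext_len = tvb->data[offset];
    if (ext_len > tvb->length - (offset + 1)) return -1;
    *malformed = 0;
    return length_remaining(tvb, offset + 1 + ext_len);
}

/* Constructed sample packets (not real 6LoWPAN encodings): a well-formed one
 * and one whose length field claims 64 bytes when only 2 more were captured. */
static const uint8_t good_pkt[] = { 0x7e, 0x02, 0xaa, 0xbb, 0x11, 0x22 };
static const uint8_t bad_pkt[]  = { 0x7e, 0x40, 0xaa, 0xbb };

/* Runs either dissector over either packet; *malformed is only written when
 * checked != 0. */
int next_header_size_demo(int use_bad, int checked, int *malformed) {
    tvb_t t = use_bad ? (tvb_t){ bad_pkt, (int)sizeof bad_pkt }
                      : (tvb_t){ good_pkt, (int)sizeof good_pkt };
    return checked ? next_header_size_checked(&t, malformed)
                   : next_header_size_unchecked(&t);
}
```

On the well-formed packet both paths agree on 2 remaining bytes; on the crafted one the unchecked path hands back -1 as a size, whereas the checked path rejects it before `offset` is ever advanced.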
Apply an Update
Vendor Information
| Vendor           | Status   | Date Notified | Date Updated |
|------------------|----------|---------------|--------------|
| Debian GNU/Linux | Affected | -             | 29 Mar 2011  |
| Red Hat, Inc.    | Affected | -             | 29 Mar 2011  |
| Wireshark        | Affected | 04 Feb 2011   | 02 Mar 2011  |
CVSS Metrics
Thanks to Paul Makowski working for CERT/CC for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: Unknown
- Date Public: 02 Mar 2011
- Date First Published: 02 Mar 2011
- Date Last Updated: 29 Mar 2011
- Severity Metric: 1.47
- Document Revision: 16