Vulnerability Note VU#215900

Wireshark 6LoWPAN denial of service vulnerability

Original Release date: 02 Mar 2011 | Last revised: 29 Mar 2011


Wireshark will crash on 32-bit systems while reading a malformed 6LoWPAN packet.


Paul Makowski's report states:

dissect_6lowpan_iphc() in /epan/dissectors/packet-6lowpan.c trusts user supplied data when incrementing 'offset'. It is possible for the user to increment 'offset' to a value greater than tvb->length and/or tvb->reported_length, forcing the dissector to attempt dissection out of bounds. If 'offset' is greater than tvb->length or tvb->reported_length, then tvb_length_remaining() or tvb_reported_length_remaining() will return -1 respectively. If tvb_length_remaining() returns -1, then a buffer is allocated 1 byte too short, leading to a partial overwrite of the heap canary.
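The length-handling pattern the report describes, shown next to a checked version, as an added example that is neither Wireshark's source nor part of the report. `struct pktbuf`, `remaining()`, `size_unchecked()`, `size_checked()`, `rebuild()` and the "header plus remaining payload" size computation are hypothetical stand-ins, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 40 /* fixed IPv6 header size; assumed size of the rebuilt header */

/* Hypothetical stand-in for a packet buffer; not Wireshark's tvbuff_t. */
struct pktbuf { const uint8_t *data; int length; };

/* Constructed sample data: 8 payload bytes and a header with version nibble 6. */
static const uint8_t SAMPLE[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static const struct pktbuf PKT = {SAMPLE, 8};
static const uint8_t HDR[HDR_LEN] = {0x60};

/* Same contract the report describes: -1 once offset is past the end. */
int remaining(const struct pktbuf *b, int offset) {
    if (offset < 0 || offset > b->length) return -1;
    return b->length - offset;
}

/* Unchecked pattern: the -1 sentinel flows into the size arithmetic. */
int size_unchecked(const struct pktbuf *b, int offset) {
    return HDR_LEN + remaining(b, offset); /* HDR_LEN - 1 for a bad offset */
}

/* Checked pattern: reject the sentinel before deriving any size from it. */
int size_checked(const struct pktbuf *b, int offset) {
    int rem = remaining(b, offset);
    return rem < 0 ? -1 : HDR_LEN + rem;
}

/* Rebuild header + payload; returns bytes written, or -1 for a bad offset. */
int rebuild(const struct pktbuf *b, int offset, const uint8_t *hdr) {
    int total = size_checked(b, offset);
    if (total < 0) return -1;          /* stop dissecting, allocate nothing */
    uint8_t *out = malloc((size_t)total);
    if (out == NULL) return -1;
    memcpy(out, hdr, HDR_LEN);         /* fits: total >= HDR_LEN */
    memcpy(out + HDR_LEN, b->data + offset, (size_t)(total - HDR_LEN));
    free(out);
    return total;
}

int main(void) {
    printf("in range: unchecked=%d checked=%d\n", size_unchecked(&PKT, 4), rebuild(&PKT, 4, HDR));
    printf("past end: unchecked=%d checked=%d\n", size_unchecked(&PKT, 9), rebuild(&PKT, 9, HDR));
    return 0;
}
```

With the offset one past the end, the unchecked size is one byte smaller than the header that is then copied into it, while the checked path refuses to allocate.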


An attacker may trigger a denial of service, causing any active capture or .pcap dissection to crash Wireshark/tshark.


Apply an Update
Upgrade to Wireshark 1.4.4. Several other security-related fixes are also included in this version.

Vendor Information

Vendor              Status    Date Notified  Date Updated
Debian GNU/Linux    Affected  -              29 Mar 2011
Red Hat, Inc.       Affected  -              29 Mar 2011
Wireshark           Affected  04 Feb 2011    02 Mar 2011

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A



Thanks to Paul Makowski, working for CERT/CC, for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: Unknown
  • Date Public: 02 Mar 2011
  • Date First Published: 02 Mar 2011
  • Date Last Updated: 29 Mar 2011
  • Severity Metric: 1.47
  • Document Revision: 16

