Vulnerability Note VU#215900
Wireshark 6LoWPAN denial of service vulnerability
Wireshark will crash on 32-bit systems while reading a malformed 6LoWPAN packet.
Paul Makowski's report states:
dissect_6lowpan_iphc() in /epan/dissectors/packet-6lowpan.c trusts user supplied data when incrementing 'offset'. It is possible for the user to increment 'offset' to a value greater than tvb->length and/or tvb->reported_length, forcing the dissector to attempt dissection out of bounds. If 'offset' is greater than tvb->length or tvb->reported_length, then tvb_length_remaining() or tvb_reported_length_remaining() will return -1 respectively. If tvb_length_remaining() returns -1, then a buffer is allocated 1 byte too short, leading to a partial overwrite of the heap canary.
An attacker may trigger a denial of service, causing any active capture or .pcap dissection to crash Wireshark/tshark.
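The report above describes two linked defects: an 'offset' advanced by packet-supplied values with no bounds check, and a size computation that consumes the -1 out-of-bounds sentinel of the length-remaining query as if it were a real length. The following C program is an added illustration written for this note; it is not Wireshark's code and its `tvb_t`, `length_remaining()`, the hypothetical `HEADER_LEN` of 4 bytes, and the 8-byte sample buffer are all constructed assumptions. It models only the sentinel behaviour the report names, computes the resulting allocation size without allocating or writing anything, and places the checked forms of the offset advance and size computation beside the unchecked one.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a dissector's packet buffer. It is NOT Wireshark's
 * tvbuff; it only reproduces the behaviour the report describes: a
 * "length remaining" query answers -1 once the offset is past the end. */
typedef struct {
    const uint8_t *data;
    int length;           /* bytes actually present in the capture */
    int reported_length;  /* length the packet claims on the wire */
} tvb_t;

/* Hypothetical fixed-size header the dissector writes into its scratch buffer. */
#define HEADER_LEN 4

static int length_remaining(const tvb_t *tvb, int offset)
{
    if (offset < 0 || offset > tvb->length)
        return -1;                    /* out-of-bounds sentinel */
    return tvb->length - offset;
}

/* Vulnerable pattern: the -1 sentinel flows straight into the size sum.
 * An offset past the buffer yields HEADER_LEN - 1, one byte short of the
 * HEADER_LEN bytes written afterwards. This function only computes the
 * size; it deliberately allocates and writes nothing. */
static int alloc_size_unchecked(const tvb_t *tvb, int offset)
{
    return HEADER_LEN + length_remaining(tvb, offset);
}

/* Hardened pattern: reject the packet-derived offset before it reaches any
 * size arithmetic, never trust the sentinel, and guard the addition. */
static int alloc_size_checked(const tvb_t *tvb, int offset, int *out_size)
{
    int remaining;
    if (offset < 0 || offset > tvb->length || offset > tvb->reported_length)
        return -1;
    remaining = length_remaining(tvb, offset);
    if (remaining < 0 || remaining > INT_MAX - HEADER_LEN)
        return -1;
    *out_size = HEADER_LEN + remaining;
    return 0;
}

/* Root cause is the unchecked 'offset += field_len' step. Checked form: a
 * packet-supplied field length may only advance the offset if the whole
 * field lies inside the captured bytes. */
static int advance_offset_checked(const tvb_t *tvb, int offset, int field_len,
                                  int *new_offset)
{
    if (offset < 0 || field_len < 0 || offset > tvb->length)
        return -1;
    if (field_len > tvb->length - offset)   /* overflow-safe: offset+len > length */
        return -1;
    *new_offset = offset + field_len;
    return 0;
}

/* Constructed 8-byte sample; the byte values play no part in the bounds logic. */
static const uint8_t SAMPLE_BYTES[8] = { 0x7a, 0x33, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44 };
static const tvb_t SAMPLE_TVB = { SAMPLE_BYTES, 8, 8 };

/* Thin wrappers over the sample buffer so behaviour can be checked by offset alone;
 * -1 means the checked variant rejected the input. */
static int demo_unchecked(int offset) { return alloc_size_unchecked(&SAMPLE_TVB, offset); }
static int demo_checked(int offset)
{
    int size;
    return alloc_size_checked(&SAMPLE_TVB, offset, &size) == 0 ? size : -1;
}
static int demo_advance(int offset, int field_len)
{
    int next;
    return advance_offset_checked(&SAMPLE_TVB, offset, field_len, &next) == 0 ? next : -1;
}

int main(void)
{
    printf("unchecked size at offset 9 (past end): %d, needs %d\n", demo_unchecked(9), HEADER_LEN);
    printf("checked size at offset 9: %d (rejected)\n", demo_checked(9));
    printf("checked size at offset 8 (exactly at end): %d\n", demo_checked(8));
    printf("advance 6 by 3: %d (rejected), advance 6 by 2: %d\n", demo_advance(6, 3), demo_advance(6, 2));
    return 0;
}
```

The point for reviewers of dissector code is that the check belongs on the offset before it is used, not on the allocation afterwards: once a sentinel value has entered size arithmetic every downstream consumer has to know about it. Real Wireshark dissectors normally avoid the problem by reading through tvb accessor functions that raise a bounds exception for out-of-range offsets, which is the mechanism the fix in 1.4.4 relies on rather than the model shown here.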
Apply an Update
Upgrade to Wireshark 1.4.4. Several other security related fixes are also included in this version.
Vendor Information
| Vendor           | Status   | Date Notified | Date Updated |
|------------------|----------|---------------|--------------|
| Debian GNU/Linux | Affected | -             | 29 Mar 2011  |
| Red Hat, Inc.    | Affected | -             | 29 Mar 2011  |
| Wireshark        | Affected | 04 Feb 2011   | 02 Mar 2011  |
Thanks to Paul Makowski working for CERT/CC for reporting this vulnerability.
This document was written by Jared Allar.
02 Mar 2011
Date First Published: 02 Mar 2011
Date Last Updated: 29 Mar 2011