Wireshark will crash on 32-bit systems while reading a malformed 6LoWPAN packet.
Paul Makowski's report states:
dissect_6lowpan_iphc() in /epan/dissectors/packet-6lowpan.c trusts user supplied data when incrementing 'offset'. It is possible for the user to increment 'offset' to a value greater than tvb->length and/or tvb->reported_length, forcing the dissector to attempt dissection out of bounds. If 'offset' is greater than tvb->length or tvb->reported_length, then tvb_length_remaining() or tvb_reported_length_remaining() will return -1 respectively. If tvb_length_remaining() returns -1, then a buffer is allocated 1 byte too short, leading to a partial overwrite of the heap canary.
An attacker may trigger a denial of service, causing any active capture or .pcap dissection to crash Wireshark/tshark.
Apply an Update
Thanks to Paul Makowski working for CERT/CC for reporting this vulnerability.
This document was written by Jared Allar.
|Date First Published:||2011-03-02|
|Date Last Updated:||2011-03-29 12:58 UTC|