[v3.1] wireshark: DEC DNA routing protocol processing error lets remote users deny service (CVE-2015-3182)
It was found that Wireshark crashes when processing (with “tshark -nr genbroad.snoop”) a sample file from the Wireshark wiki page:
wget 'http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=genbroad.snoop' -O genbroad.snoop
Additional details:
• crash reason: strlen() called on invalid pointer (value 0x56998680 == 1452902016)
• the function set_dnet_address at packet-dec-dnart.c:355
• it is called 4 times
• the 2nd time is the one when the value is set
• the variable is called addr in the context of /epan/dissectors/packet-dec-dnart.c:357, function set_dnet_address
• the variable is called pinfosrc>data in the upper frames
• in this function, this macro modifies the value:
SET_ADDRESS(paddr_tgt, AT_STRINGZ, 1, wmem_strdup(pinfo->pool, addr));
• it should set paddr_tgt->data = addr, but the value gets garbled by the cltq instruction:
..
|0x7ffff4d85522 <set_dnet_address+50> callq 0x7ffff4b0d4b0 <wmem_strdup@plt>|
|0x7ffff4d85527 <set_dnet_address+55> cltq
..
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1219409
https://ask.wireshark.org/questions/42658/vulnerability-cve-2015-3182-wireshark-dec-dna-routing-protocol-processing-error-lets-remote-users-deny-service
(from redmine: issue id 4300, created on 2015-06-12, closed on 2015-08-07)
- Relations:
- parent #4298 (closed)
- Changesets:
- Revision 6f6fdc26 by Natanael Copa on 2015-07-09T13:43:04Z:
main/wireshark: security upgrade to 1.12.5 (CVE-2015-3182)
fixes #4300
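
Added example (not part of the original report or of Wireshark's code): a small C model of what the cltq after the wmem_strdup call does to a returned 64-bit pointer, plus a crash-triage check for pointers that show this pattern. The upper 32 bits of the sample pointers are constructed, only the low half 0x56998680 comes from the report; that the compiler treated the return value as a 32-bit int is an assumption about why cltq was emitted.

```c
#include <stdint.h>
#include <stdio.h>

/* cltq sign-extends the low 32 bits of RAX (EAX) into the full register.
 * The narrowing cast is implementation-defined in C; GCC and Clang wrap
 * modulo 2^32, which matches the instruction. */
static uint64_t cltq(uint64_t rax)
{
    return (uint64_t)(int64_t)(int32_t)(uint32_t)rax;
}

/* Triage heuristic: a non-NULL crash pointer that equals its own 32-bit
 * sign extension (upper half all zeros or all ones) is what remains of a
 * 64-bit pointer that was passed through an int on the way back. */
static int looks_int_truncated(uint64_t ptr)
{
    return ptr != 0 && cltq(ptr) == ptr;
}

int main(void)
{
    /* Constructed heap addresses; low halves differ only in bit 31. */
    const uint64_t samples[] = {
        0x00007fff56998680ULL,  /* bit 31 clear: upper half becomes zeros */
        0x00007fffd6998680ULL,  /* bit 31 set:   upper half becomes ones  */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t after = cltq(samples[i]);
        printf("returned 0x%016llx -> stored 0x%016llx (truncated: %s)\n",
               (unsigned long long)samples[i], (unsigned long long)after,
               looks_int_truncated(after) ? "yes" : "no");
    }
    return 0;
}
```

Under that assumption, the usual cause is a call to a function with no visible prototype, which GCC and Clang can reject at build time with -Werror=implicit-function-declaration.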