wireshark: DEC DNA routing protocol processing error lets remote users deny service (CVE-2015-3182)
It was found that Wireshark crashes when processing (with "tshark -nr genbroad.snoop") a sample file from the Wireshark wiki page:
wget 'http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=genbroad.snoop' -O genbroad.snoop
Additional details:
- crash reason: strlen() called on invalid pointer (value 0x56998680 == 1452902016)
- the function set_dnet_address at packet-dec-dnart.c:355
- it is called 4 times
- the 2nd time is the one when the value is set
- the variable is called addr in the context of /epan/dissectors/packet-dec-dnart.c:357, function set_dnet_address
- the variable is called pinfo->src->data in the upper frames
- in this function, this macro modifies the value:
    SET_ADDRESS(paddr_tgt, AT_STRINGZ, 1,
        wmem_strdup(pinfo->pool, addr));
- it should set paddr_tgt->data = addr, but the value gets garbled by the cltq instruction:
..
    0x7ffff4d85522 <set_dnet_address+50> callq 0x7ffff4b0d4b0 <wmem_strdup@plt>
    0x7ffff4d85527 <set_dnet_address+55> cltq
..
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1219409
https://ask.wireshark.org/questions/42658/vulnerability-cve-2015-3182-wireshark-dec-dna-routing-protocol-processing-error-lets-remote-users-deny-service
(from redmine: issue id 4298, created on 2015-06-12, closed on 2015-08-07)
- Relations:
- child #4299 (closed)
- child #4300 (closed)
- child #4301 (closed)
- child #4302 (closed)
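The `cltq` instruction shown after the `callq` in the report sign-extends the 32-bit `eax` into `rax`, so a 64-bit pointer returned by the call keeps only its low half. The following is an added example, not part of the original report or of Wireshark's code, that models that step in C; the sample pointers are constructed, and only the value 0x56998680 comes from the report.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Model of x86-64 `cltq`: sign-extend the low 32 bits (eax) into 64 bits (rax). */
static uint64_t cltq(uint64_t rax)
{
    uint64_t low = rax & UINT64_C(0xffffffff);
    if (low & UINT64_C(0x80000000))
        low |= UINT64_C(0xffffffff00000000);
    return low;
}

/* True if a pointer value passes through a 32-bit int return unchanged. */
static int survives_int_return(uint64_t ptr)
{
    return cltq(ptr) == ptr;
}

/* Constructed sample return values. The upper bits are assumptions:
 * the report only shows the already-truncated 0x56998680. */
static const uint64_t SAMPLE_HEAP_PTR  = UINT64_C(0x00007fff56998680);
static const uint64_t SAMPLE_BIT31_PTR = UINT64_C(0x00007fffd6998680); /* bit 31 set */
static const uint64_t SAMPLE_LOW_PTR   = UINT64_C(0x0000000000602010); /* fits in 31 bits */

int main(void)
{
    const uint64_t samples[] = { SAMPLE_HEAP_PTR, SAMPLE_BIT31_PTR, SAMPLE_LOW_PTR };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t seen = cltq(samples[i]);
        printf("callee returned 0x%016" PRIx64 ", caller uses 0x%016" PRIx64 " (%s)\n",
               samples[i], seen,
               survives_int_return(samples[i]) ? "intact" : "garbled");
    }
    return 0;
}
```

A `cltq` directly after a call usually means the caller treated the return value as a 32-bit int, for example because no prototype was in scope; that cause is an assumption here, since the report shows only the instruction. Where it applies, GCC's `-Werror=implicit-function-declaration` turns such a call into a build failure.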