Overview
Wireshark will crash on 32-bit systems while reading a malformed 6LoWPAN packet.
Description
Paul Makowski's report states: dissect_6lowpan_iphc() in /epan/dissectors/packet-6lowpan.c trusts user-supplied data when incrementing 'offset'. It is possible for the user to increment 'offset' to a value greater than tvb->length and/or tvb->reported_length, forcing the dissector to attempt dissection out of bounds. If 'offset' is greater than tvb->length or tvb->reported_length, then tvb_length_remaining() or tvb_reported_length_remaining() will return -1 respectively. If tvb_length_remaining() returns -1, then a buffer is allocated 1 byte too short, leading to a partial overwrite of the heap canary.
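The failure mode in the report, reduced to a small C model (an added example, not Wireshark's code): `demo_buf` and the `demo_*` functions are hypothetical stand-ins, and sizing the buffer as header length plus remaining length is an assumed pattern. It shows the -1 sentinel shrinking an unchecked size, next to the checks that reject the packet instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a packet buffer; NOT Wireshark's tvbuff_t. */
typedef struct { const uint8_t *data; int length; } demo_buf;

/* Behaviour the report describes: -1 once offset is past the end. */
int demo_length_remaining(const demo_buf *b, int offset)
{
    if (offset < 0 || offset > b->length)
        return -1;
    return b->length - offset;
}

/* Unchecked size arithmetic: the sentinel makes the result 1 byte short. */
int demo_unchecked_size(const demo_buf *b, int offset, int hdr_len)
{
    return hdr_len + demo_length_remaining(b, offset);
}

/* Advance past a field whose length came from the packet; return -1
 * instead of letting the offset leave the buffer. */
int demo_advance(const demo_buf *b, int offset, int field_len)
{
    if (field_len < 0 || demo_length_remaining(b, offset) < field_len)
        return -1;
    return offset + field_len;
}

/* Copy the payload behind hdr_len reserved bytes. The sentinel is tested
 * before it is used in any size computation. */
uint8_t *demo_copy_payload(const demo_buf *b, int offset, int hdr_len, size_t *out_len)
{
    int remaining = demo_length_remaining(b, offset);
    if (remaining < 0 || hdr_len < 0)
        return NULL;                      /* malformed: stop dissecting */
    size_t total = (size_t)hdr_len + (size_t)remaining;
    uint8_t *out = calloc(1, total ? total : 1);
    if (out == NULL)
        return NULL;
    memcpy(out + hdr_len, b->data + offset, (size_t)remaining);
    *out_len = total;
    return out;
}

int main(void)
{
    static const uint8_t pkt[4] = {1, 2, 3, 4};   /* constructed sample */
    demo_buf b = { pkt, 4 };
    printf("unchecked size for a 40-byte header: %d\n", demo_unchecked_size(&b, 9, 40));
    return 0;
}
```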
Impact
An attacker may trigger a denial of service, causing any active capture or .pcap dissection to crash Wireshark/tshark.
Solution
Apply an update
Acknowledgements
Thanks to Paul Makowski working for CERT/CC for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: None
Severity Metric: 1.47
Date Public: 2011-03-02
Date First Published: 2011-03-02
Date Last Updated: 2011-03-29 12:58 UTC
Document Revision: 17