CVE-2021-39926: Heap-buffer-overflow in dissect_bthci_iso at packet-bthci_iso.c (#17649) · Issues · Wireshark Foundation / wireshark

Buffer overflow in the Bluetooth HCI_ISO dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file

Summary

In Wireshark-3.5.1rc0, the bthci_iso dissector could crash with a heap-based buffer overflow. This issue also exists in the latest version v3.7.0rc0.

Steps to reproduce

  • Location of the bug in the code: at line 410 of packet-bthci_iso.c, the fourth parameter len of tvb_memcpy is read from the data packet without a length check, and the heap allocation targeted by the copy, mfp->reassembled + mfp->cur_off, is attacker-controlled in size.

  • Triggering the bug requires two data packets. When pb_flag == 0x00, the first fragment's data is inserted by calling wmem_tree_insert32(chandle_data->start_fragments, pinfo->num, mfp);.

  • At that point the size mfp->tot_len of the heap object mfp->reassembled can be controlled.

  • Finally, the bug is triggered by the second packet, when pb_flag & 0x01 is set, at line 410.
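As an added illustration (not Wireshark's code), here is a minimal fragment-reassembly routine in the shape the report describes, with the bounds check that the unchecked tvb_memcpy at line 410 lacks; the struct and function names are hypothetical stand-ins for the mfp state the report names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the multi-fragment state named in the report
 * (mfp->reassembled, mfp->cur_off, mfp->tot_len); not Wireshark's struct. */
typedef struct {
    uint8_t  *reassembled; /* heap buffer of tot_len bytes */
    uint32_t  cur_off;     /* bytes already copied into reassembled */
    uint32_t  tot_len;     /* total length announced by the first fragment */
} mfp_t;

/* First fragment (pb_flag == 0x00 case): allocate the reassembly buffer
 * from the length the packet announces. Returns NULL on allocation failure. */
mfp_t *mfp_start(uint32_t tot_len) {
    mfp_t *mfp = calloc(1, sizeof *mfp);
    if (!mfp) return NULL;
    mfp->reassembled = malloc(tot_len ? tot_len : 1);
    if (!mfp->reassembled) { free(mfp); return NULL; }
    mfp->tot_len = tot_len;
    return mfp;
}

/* Continuation fragment. The unchecked form the report describes is
 * memcpy(mfp->reassembled + mfp->cur_off, data, len) with len taken straight
 * from the packet: any len larger than tot_len - cur_off writes past the heap
 * allocation. The hardened form refuses the fragment instead of copying. */
bool mfp_append(mfp_t *mfp, const uint8_t *data, uint32_t len) {
    if (!mfp || !mfp->reassembled) return false;
    /* Subtraction rather than cur_off + len, so the comparison cannot wrap. */
    if (len > mfp->tot_len - mfp->cur_off) return false;
    memcpy(mfp->reassembled + mfp->cur_off, data, len);
    mfp->cur_off += len;
    return true;
}

/* True once exactly tot_len bytes have been assembled. */
bool mfp_complete(const mfp_t *mfp) {
    return mfp && mfp->cur_off == mfp->tot_len;
}

void mfp_free(mfp_t *mfp) {
    if (!mfp) return;
    free(mfp->reassembled);
    free(mfp);
}
```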

What is the current bug behavior?

The bug can cause out-of-bounds memory reads and writes.

Relevant logs and/or screenshots

The crash state with ASAN: (screenshot, not reproduced here)
