Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2021
*   **CVE-2021-39922.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 2 new advisories · 90a1cfa9
    
    🤖 GitLab Bot 🤖 authored Nov 18, 2021
    
    90a1cfa9

CVE-2021-39922: 2021/CVE-2021-39922.json · master · GitLab.org / cves · GitLab

NULL pointer exception in the Modbus dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file

wnpa-sec-2021-14 · Modbus dissector crash

**Summary**

**Name:** Modbus dissector crash

**Docid:** wnpa-sec-2021-14

**Date:** November 17, 2021

**Affected versions:** 3.4.0 to 3.4.9, 3.2.0 to 3.2.17

**Fixed versions:** 3.4.10, 3.2.18

**References:**  
Wireshark issue 17703  
CVE-2021-39921

**Details****Description**

The Modbuss dissector could crash.

**Impact**

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.4.10, 3.2.18 or later.

CVE-2021-39921: Wireshark · wnpa-sec-2021-14 · Modbus dissector crash

Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file

wnpa-sec-2021-10 · Bluetooth DHT dissector large loop

**Summary**

**Name:** Bluetooth DHT dissector large loop

**Docid:** wnpa-sec-2021-10

**Date:** November 17, 2021

**Affected versions:** 3.4.0 to 3.4.9, 3.2.0 to 3.2.17

**Fixed versions:** 3.4.10, 3.2.18

**References:**  
Wireshark issue 17677  
CVE-2021-39924

**Details****Description**

The Bluetooth DHT dissector could go into a large loop

**Impact**

It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.4.10, 3.2.18 or later.

CVE-2021-39924: Wireshark · wnpa-sec-2021-10 · Bluetooth DHT dissector large loop

NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file

Switch branch/tag

*   cves
*   2021
*   **CVE-2021-39923.json**

Find file BlameHistoryPermalink

*   ![🤖 GitLab Bot 🤖's avatar](https://gitlab.com/uploads/-/system/user/avatar/1786152/avatar.png?width=40 "🤖 GitLab Bot 🤖")
    
    Publishing 0 updated advisories and 1 new advisories · 816e7086
    
    🤖 GitLab Bot 🤖 authored Nov 18, 2021
    
    816e7086
    

**CVE-2021-39923.json** 2.28 KB

EditWeb IDE

**Replace CVE-2021-39923.json**

Attach a file by drag & drop or click to upload

  

Commit message

Cancel

GitLab will create a branch in your fork and start a merge request.

CVE-2021-39923: 2021/CVE-2021-39923.json · master · GitLab.org / cves

Switch branch/tag

*   cves
*   2021
*   **CVE-2021-39922.json**

Find file BlameHistoryPermalink

*   ![🤖 GitLab Bot 🤖's avatar](https://gitlab.com/uploads/-/system/user/avatar/1786152/avatar.png?width=40 "🤖 GitLab Bot 🤖")
    
    Publishing 0 updated advisories and 2 new advisories · 90a1cfa9
    
    🤖 GitLab Bot 🤖 authored Nov 18, 2021
    
    90a1cfa9
    

**CVE-2021-39922.json** 2.44 KB

EditWeb IDE

**Replace CVE-2021-39922.json**

Attach a file by drag & drop or click to upload

  

Commit message

Cancel

GitLab will create a branch in your fork and start a merge request.

CVE-2021-39922: 2021/CVE-2021-39922.json · master · GitLab.org / cves

Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file

oss-fuzz found the following:

    [Environment] UBSAN_OPTIONS=silence_unsigned_overflow=1
    +----------------------------------------Release Build Stacktrace----------------------------------------+
    Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wireshark_5b331c4a34b1622fa142778a49661cbb953bc75c/revisions/fuzzshark_ip_proto-udp -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/10f87f4bce2fcc49b3e9504e27290d69e61651586b6baf1c82a4ffa9f0fb0efc
    Time ran: 0.3539454936981201
    
    oss-fuzzshark: disabling: ip
    oss-fuzzshark: disabling: udplite
    oss-fuzzshark: disabling: ospf
    oss-fuzzshark: disabling: bgp
    oss-fuzzshark: disabling: dhcp
    oss-fuzzshark: disabling: json
    oss-fuzzshark: disabling: snort
    oss-fuzzshark: configured for dissector: udp in table: ip.proto
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 67020306
    INFO: Loaded 1 modules   (501341 inline 8-bit counters): 501341 [0x55adf70, 0x56285cd),
    INFO: Loaded 1 PC tables (501341 PCs): 501341 [0x56285d0,0x5dceba0),
    /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wireshark_5b331c4a34b1622fa142778a49661cbb953bc75c/revisions/fuzzshark_ip_proto-udp: Running 1 inputs 100 time(s) each.
    Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/10f87f4bce2fcc49b3e9504e27290d69e61651586b6baf1c82a4ffa9f0fb0efc
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==4046==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7fff8f4f7fe8 (pc 0x0000005c2f44 bp 0x7fff8f4f8110 sp 0x7fff8f4f7ff0 T4046)
            #0 0x5c2f44 in proto_tree_add_protocol_format wireshark/epan/proto.c:4301:2
            #1 0x58384b in expert_create_tree wireshark/epan/expert.c:512:7
            #2 0x58384b in expert_set_info_vformat wireshark/epan/expert.c:566:9
            #3 0x583df3 in proto_tree_add_expert_internal wireshark/epan/expert.c:672:2
            #4 0x9020cb in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:206:9
            #5 0x90206e in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:195:16
            #6 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #7 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #8 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #9 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #10 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #11 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #12 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #13 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #14 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #15 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #16 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #17 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #18 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #19 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #20 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #21 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #22 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #23 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #24 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #25 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #26 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #27 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #28 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #29 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #30 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #31 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #32 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #33 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #34 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #35 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #36 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #37 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #38 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #39 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #40 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #41 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #42 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #43 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #44 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #45 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #46 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #47 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #48 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #49 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #50 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #51 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #52 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #53 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #54 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #55 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #56 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #57 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #58 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #59 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #60 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #61 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #62 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #63 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #64 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #65 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #66 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #67 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #68 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #69 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #70 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #71 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #72 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #73 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #74 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #75 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #76 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #77 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #78 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #79 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #80 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #81 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #82 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #83 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #84 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #85 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #86 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #87 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #88 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #89 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #90 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #91 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #92 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #93 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #94 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #95 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #96 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #97 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #98 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #99 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #100 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #101 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #102 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #103 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #104 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #105 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #106 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #107 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #108 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #109 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #110 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #111 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #112 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #113 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #114 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #115 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #116 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #117 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #118 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #119 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #120 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #121 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #122 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #123 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #124 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #125 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #126 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #127 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #128 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #129 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #130 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #131 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #132 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #133 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #134 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #135 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #136 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #137 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #138 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #139 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #140 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #141 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #142 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #143 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #144 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #145 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #146 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #147 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #148 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #149 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #150 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #151 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #152 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #153 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #154 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #155 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #156 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #157 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #158 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #159 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #160 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #161 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #162 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #163 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #164 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #165 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #166 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #167 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #168 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #169 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #170 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #171 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #172 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #173 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #174 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #175 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
            #176 0x901fae in dissect_bencoded_list wireshark/epan/dissectors/packet-bt-dht.c:199:16
            #177 0x900f47 in dissect_bencoded_dict_entry wireshark/epan/dissectors/packet-bt-dht.c:426:16
            #178 0x900f47 in dissect_bencoded_dict wireshark/epan/dissectors/packet-bt-dht.c:525:14
    
    [ ... ]

clusterfuzz-testcase-fuzzshark\_ip\_proto-udp-6084351507431424.pcap

Edited Nov 15, 2021 by

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2021-39929: OSS-Fuzz 39756: wireshark:fuzzshark_ip_proto-udp: Stack-overflow in dissect_bencoded_list (#17651) · Issues · Wireshark Foundation / wireshark

Buffer overflow in the Bluetooth HCI_ISO dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file

**Summary**

In Wireshark-3.5.1rc0, the bthci\_iso dissector could crash with a heap-based buffer overflow. This issue also exists in the latest version v3.7.0rc0.

**Steps to reproduce**

*   The location of the bug in the code. At line **410** in file **packet-bthci\_iso.c**, the fourth parameter `len` of `tvb_memcpy` is read from the data packet without length check. The heap size of the copy target `mfp->reassembled + mfp->cur_off` can be controlled. ![image](https://gitlab.com/uploads/325fede28f345e39953a179a6ce6a8c1/image.png)
    
*   The bug requires the construction of two data packets. When `pb_flag == 0x00`, insert the data of the first fragment by calling `wmem_tree_insert32(chandle_data->start_fragments, pinfo->num, mfp);`. ![image](https://gitlab.com/uploads/b0ccd202302bf79d0b92791387c6bf60/image.png)
    
*   Then, the size `mfp->tot_len` of the heap object `mfp->reassembled` can be controlled.
    
*   Finally, the bug is triggered by the second packet when `pb_flag & 0x01` at line **410**.
    

**What is the current bug behavior?**

The bug can cause out-of-bounds memory reads and writes.

**Relevant logs and/or screenshots**

The Crash State with ASAN:

![image](https://gitlab.com/uploads/f14fb7aedb3c5745ba3e1968102cc1d6/image.png)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2021-39926: Heap-buffer-overflow in dissect_bthci_iso at packet-bthci_iso.c (#17649) · Issues · Wireshark Foundation / wireshark

Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file

Switch branch/tag

*   cves
*   2021
*   **CVE-2021-39925.json**

Find file BlameHistoryPermalink

*   ![🤖 GitLab Bot 🤖's avatar](https://gitlab.com/uploads/-/system/user/avatar/1786152/avatar.png?width=40 "🤖 GitLab Bot 🤖")
    
    Publishing 0 updated advisories and 2 new advisories · efa5876b
    
    🤖 GitLab Bot 🤖 authored Nov 18, 2021
    
    efa5876b
    

**CVE-2021-39925.json** 2.45 KB

EditWeb IDE

**Replace CVE-2021-39925.json**

Attach a file by drag & drop or click to upload

  

Commit message

Cancel

GitLab will create a branch in your fork and start a merge request.

CVE-2021-39925: 2021/CVE-2021-39925.json · master · GitLab.org / cves

Skip to content

Open Issue created Nov 01, 2021 by **A Wireshark GitLab Utility@ws-gitlab-utility**Developer

**Fuzz job crash output: fuzz-2021-11-01-6716.pcap**

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2021-11-01-6716.pcap

stderr:

    Input file: /var/menagerie/menagerie/attachment_ippusb_print.pcapng
    
    Build host information:
    Linux runner-yq5rrvnm-project-7898047-concurrent-1 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.3 LTS
    Release:	20.04
    Codename:	focal
    
    CI job ASan Menagerie Fuzz, ID 1733660730: 
    
    Return value:  0
    
    Dissector bug:  0
    
    Valgrind error count:  0
    
    
    
    Git commit
    commit 9207c6f233c96803b0b58bf58aa97ee41a79f8ab
    Author: Gerald Combs <gerald@wireshark.org>
    Date:   Sun Oct 31 16:35:20 2021 +0000
    
        [Automatic update for 2021-10-31]
        
        Update manuf, services enterprise numbers, translations, and other items.
    
    
    Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2  -nVxr
    Running as user "root" and group "root". This could be dangerous.
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==64340==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f0a60f712fa bp 0x7ffcdeb329a0 sp 0x7ffcdeb321a0 T0)
    ==64340==The signal is caused by a READ memory access.
    ==64340==Hint: address points to the zero page.
        #0 0x7f0a60f712fa in dissect_ippusb /builds/wireshark/wireshark/build/../epan/dissectors/packet-ippusb.c:409:113
        #1 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #2 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #3 0x7f0a6333af79 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
        #4 0x7f0a61eaac28 in try_dissect_next_protocol /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:3670:15
        #5 0x7f0a61ea651b in dissect_usb_payload /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:4621:19
        #6 0x7f0a61e9de3b in dissect_usb_common /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:5309:5
        #7 0x7f0a61ea6ff2 in dissect_win32_usb /builds/wireshark/wireshark/build/../epan/dissectors/packet-usb.c:5331:5
        #8 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #9 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #10 0x7f0a63343080 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #11 0x7f0a60b70c26 in dissect_frame /builds/wireshark/wireshark/build/../epan/dissectors/packet-frame.c:783:6
        #12 0x7f0a63346831 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #13 0x7f0a6333b660 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #14 0x7f0a63343080 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #15 0x7f0a63337684 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
        #16 0x7f0a63336e6f in dissect_record /builds/wireshark/wireshark/build/../epan/packet.c:594:3
        #17 0x7f0a633065e8 in epan_dissect_run_with_taps /builds/wireshark/wireshark/build/../epan/epan.c:598:2
        #18 0x55a3faa94357 in process_packet_second_pass /builds/wireshark/wireshark/build/../tshark.c:3250:5
        #19 0x55a3faa9288e in process_cap_file_second_pass /builds/wireshark/wireshark/build/../tshark.c:3389:9
        #20 0x55a3faa8c9b6 in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3650:28
        #21 0x55a3faa864c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
        #22 0x7f0a565540b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #23 0x55a3fa9b543d in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x5b43d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/wireshark/wireshark/build/../epan/dissectors/packet-ippusb.c:409:113 in dissect_ippusb
    ==64340==ABORTING
    
    fuzz-test.sh stderr:
    Running as user "root" and group "root". This could be dangerous.

_no debug trace_

Tag

#dos