It was reported that Wireshark's SMTP dissector could crash. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. This is reported to affect Wireshark versions 1.12.0 to 1.12.2, and 1.10.0 to 1.10.11. It is fixed in versions 1.12.3 and 1.10.12. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10823 External References: https://www.wireshark.org/security/wnpa-sec-2015-04.html
Created wireshark tracking bugs for this issue: Affects: fedora-all [bug 1180196]
upstream fix
============
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=patch;h=0e3d6b0c74a0e04625cf80b426728deaa9204d7a
Analysis
========
In the function dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) of the smtp dissector:

    if ((session_state->auth_state != SMTP_AUTH_STATE_NONE) &&
        (pinfo->fd->num >= session_state->first_auth_frame) &&
        ((session_state->last_auth_frame == 0) ||
         (pinfo->fd->num <= session_state->last_auth_frame))) {
      decrypt = tvb_get_ephemeral_string(tvb, loffset, linelen);
      if ((stmp_decryption_enabled) && (epan_base64_decode(decrypt) > 0)) {
        line = decrypt;
      } else {
        line = tvb_get_ptr(tvb, loffset, linelen);
      }
    } else {
      line = tvb_get_ptr(tvb, loffset, linelen);
    }
    linep = line;
    lineend = line + linelen;

When decoding base-64, the return value is the length of the decoded result, which is different from the encoded length, so linelen should be assigned the value of epan_base64_decode(decrypt). Without that, lineend is calculated wrongly at

    lineend = line + linelen;

which is then used in the while loop and can lead to a crash:

    while (linep < lineend && *linep != ' ') {
      ...
    }
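The following is an added example, not Wireshark's code and not part of the upstream fix. It models the defect from the analysis above: a base64 AUTH line is copied into a NUL-terminated buffer of linelen + 1 bytes (standing in for tvb_get_ephemeral_string), decoded in place by a small decoder written here to behave like epan_base64_decode (it returns the decoded length), and then scanned with the dissector's first-token loop twice, once with lineend computed from the still-encoded linelen and once after linelen has been set to the decoded length. The function and struct names (b64_decode_inplace, first_token_len, demo_line, scan_result) and the two sample AUTH PLAIN strings are constructed for this example.

```c
/* Added example (not Wireshark code): models the linelen bug described in
 * the analysis. The encoded line is decoded in place, the decoder returns
 * the decoded length, and the buggy caller keeps computing lineend from the
 * encoded length. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* In-place base64 decoder modelled on epan_base64_decode(): decodes s over
 * itself and returns the number of decoded bytes, or 0 if s is not base64.
 * The output index never passes the input index, so decoding in place is
 * safe; trailing bits before '=' padding are discarded. */
static size_t b64_decode_inplace(char *s)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t out = 0;
    unsigned acc = 0;
    int bits = 0;

    for (const char *p = s; *p != '\0' && *p != '='; p++) {
        const char *q = strchr(tbl, *p);
        if (q == NULL)
            return 0;
        acc = (acc << 6) | (unsigned)(q - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            s[out++] = (char)((acc >> bits) & 0xff);
        }
    }
    return out;
}

struct scan_result {
    size_t decoded_len;  /* what the decoder returned */
    size_t buggy_token;  /* token length with lineend = line + encoded linelen */
    size_t fixed_token;  /* token length after linelen = decoded_len */
    size_t overrun;      /* bytes the buggy lineend lies past the decoded data */
};

/* Mirrors the dissector's scan for the end of the first token:
 *   linep = line; lineend = line + linelen;
 *   while (linep < lineend && *linep != ' ') linep++;          */
static size_t first_token_len(const char *line, size_t linelen)
{
    const char *linep = line;
    const char *lineend = line + linelen;
    while (linep < lineend && *linep != ' ')
        linep++;
    return (size_t)(linep - line);
}

/* Copies the encoded line into a NUL-terminated buffer of linelen + 1 bytes
 * (as the dissector's string getter does), decodes it in place and scans it
 * with the buggy and the corrected linelen. */
static struct scan_result demo_line(const char *encoded)
{
    struct scan_result r = {0, 0, 0, 0};
    size_t linelen = strlen(encoded);
    char buf[256];

    if (linelen >= sizeof buf)
        return r;
    memcpy(buf, encoded, linelen + 1);

    r.decoded_len = b64_decode_inplace(buf);
    if (r.decoded_len == 0)
        return r;           /* not base64: the dissector keeps the raw line */

    /* Bug: linelen still holds the encoded length, so lineend points past the
     * decoded bytes and the scan walks over stale encoded characters that
     * the in-place decode left behind. */
    r.buggy_token = first_token_len(buf, linelen);
    r.overrun = linelen - r.decoded_len;

    /* Fix: the decoded length becomes the new linelen. */
    linelen = r.decoded_len;
    r.fixed_token = first_token_len(buf, linelen);
    return r;
}

int main(void)
{
    /* Constructed AUTH PLAIN credential "\0user\0pass":
     * 16 encoded characters, 10 decoded bytes, no space anywhere. */
    struct scan_result r = demo_line("AHVzZXIAcGFzcw==");
    printf("decoded=%zu buggy_token=%zu fixed_token=%zu overrun=%zu\n",
           r.decoded_len, r.buggy_token, r.fixed_token, r.overrun);
    return 0;
}
```

With the first sample the buggy scan reports a 16-byte token although only 10 decoded bytes exist, because the six leftover encoded characters contain no space and only lineend stops the loop; after assigning the decoded length to linelen the token is 10 bytes. A decoded line that does contain a space ("user pass") gives the same token length either way, which is why the defect only shows up on some inputs.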
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2393 https://rhn.redhat.com/errata/RHSA-2015-2393.html
Statement: This issue did not affect the version of wireshark as shipped with Red Hat Enterprise Linux 5 and 6.