USB HID dissector crash fixed in 3.2.9, 3.4.1

References:
https://www.wireshark.org/security/wnpa-sec-2020-17
https://gitlab.com/wireshark/wireshark/-/issues/16958
https://www.wireshark.org/lists/wireshark-announce/202012/msg00000.html
https://www.wireshark.org/lists/wireshark-announce/202012/msg00001.html
Created wireshark tracking bugs for this issue: Affects: fedora-all [bug 1919926]
External References: https://www.wireshark.org/security/wnpa-sec-2020-17
Upstream fix: https://gitlab.com/wireshark/wireshark/-/commit/d5f2657825e63e4126ebd7d13a59f3c6e8a9e4e1
The USB HID dissector (epan/dissectors/packet-usb-hid.c) ends up calling decode_bits_in_field() (via proto_tree_add_bits_item()) with a large data_size. Since decode_bits_in_field() did not check the passed argument, this could lead to a heap-based buffer overflow when trying to access the 'str' buffer, allocated in the same function through wmem_alloc0().
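
A simplified model of the bug class described above, as an added example (not Wireshark's code and not the upstream fix): it shows the length check a bit-rendering helper needs before writing into a fixed-size allocation. The name render_bits(), the 320-byte buffer and the 256-bit cap are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes for this sketch: room for 256 rendered bits, one space
 * between each group of 4, and the terminating NUL (256 + 63 + 1). */
#define MAX_RENDER_BITS 256u
#define BITS_STR_SIZE   (MAX_RENDER_BITS + MAX_RENDER_BITS / 4)

/* Hypothetical helper: renders no_of_bits bits starting bit_offset bits
 * into data as '0'/'1', with '.' for the other bits of the covered octets.
 * Returns a heap string the caller frees, or NULL if the request is refused. */
char *render_bits(const unsigned char *data, size_t data_len,
                  unsigned bit_offset, size_t no_of_bits)
{
    if (data == NULL || bit_offset > 7 || no_of_bits == 0)
        return NULL;
    /* Without this check a large no_of_bits overruns the fixed buffer below. */
    if (no_of_bits > MAX_RENDER_BITS - bit_offset)
        return NULL;
    /* Round up to whole octets; refuse fields that extend past the input. */
    size_t total = (bit_offset + no_of_bits + 7) / 8 * 8;
    if (total / 8 > data_len)
        return NULL;
    char *str = calloc(1, BITS_STR_SIZE);   /* zero-filled, so NUL-terminated */
    if (str == NULL)
        return NULL;
    size_t pos = 0;
    for (size_t bit = 0; bit < total; bit++) {
        if (bit != 0 && bit % 4 == 0)
            str[pos++] = ' ';
        if (bit < bit_offset || bit >= bit_offset + no_of_bits)
            str[pos++] = '.';
        else
            str[pos++] = ((data[bit / 8] >> (7 - bit % 8)) & 1) ? '1' : '0';
    }
    return str;
}

int main(void)
{
    const unsigned char sample[64] = { 0xA5 };   /* constructed input */
    char *ok = render_bits(sample, sizeof sample, 2, 4);
    printf("%s\n", ok ? ok : "(refused)");
    free(ok);
    char *big = render_bits(sample, sizeof sample, 0, 4096);
    printf("%s\n", big ? big : "(refused)");
    free(big);
}
```

The same check covers both failure directions: a bit count too large for the output buffer and a field that extends past the captured input.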