In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the BACapp dissector could crash. This was addressed in epan/dissectors/packet-bacapp.c by limiting the amount of recursion. References: https://www.wireshark.org/security/wnpa-sec-2020-07.html https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474 Upstream commit: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f56fc9496db158218243ea87e3660c874a0bab0
Created wireshark tracking bugs for this issue: Affects: fedora-all [bug 1824158]
Statement: The versions of Wireshark as shipped with Red Hat Enterprise Linux 7 and earlier are not affected by this issue because the commit was introduced in later versions.
External References: https://www.wireshark.org/security/wnpa-sec-2020-07.html
This flaw appears to be caused because the fAbstractSyntaxNType() function in epan/dissectors/packet-bacapp.c calls other functions such as fLogRecord(), fLogMultipleRecord(), fEventParameter(), which in turn call fAbstractSyntaxNType(). A malformed packet could create a condition in which the recursion depth would overflow the stack size because there was no limitation on recursion depth.