Bug 1814615 (CVE-2020-9430) - CVE-2020-9430 wireshark: injecting a malformed packet may cause WiMax DLMAP dissector to crash due to out-of-bound read
Summary: CVE-2020-9430 wireshark: injecting a malformed packet may cause WiMax DLMAP d...
Alias: CVE-2020-9430
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1814617 1817114 1817115
Blocks: 1814638
Reported: 2020-03-18 11:47 UTC by Michael Kaplan
Modified: 2021-06-29 20:27 UTC (History)

Fixed In Version: wireshark 3.2.2, wireshark 3.0.9, wireshark 2.6.15
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in Wireshark when processing WiMax packets. An attacker can trigger the flaw by injecting special packets onto the wire or by convincing a victim user into opening a malformed packet trace file.
Clone Of:
Last Closed: 2021-06-29 20:27:41 UTC


Description Michael Kaplan 2020-03-18 11:47:18 UTC
WiMax DLMAP dissector crash could be caused by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file, which could result in a crash.

Comment 1 Michael Kaplan 2020-03-18 11:47:26 UTC
External References:


Comment 2 Michael Kaplan 2020-03-18 11:49:35 UTC
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1814617]

Comment 4 Riccardo Schirone 2020-03-25 13:51:13 UTC
Function wimax_decode_dlmapc() in msg_dlmap.c checks whether `MIN(tvb_len, tvb_reported_length(tvb))` is greater than mac_len and if that's the case it computes `mac_len - sizeof(mac_crc)`. However, the vulnerable code does not also ensure that mac_len is actually bigger than sizeof(mac_crc). When it is not, a negative value will be passed to function wimax_mac_calc_crc32() which will read memory out-of-bounds.

Comment 5 Riccardo Schirone 2020-03-25 13:53:11 UTC
Code in Red Hat Enterprise Linux 7 is slightly different because `mac_len - (int)sizeof(mac_crc)` is first passed as an argument to `tvb_get_ntohl`, which would raise an exception in case of issues. This, however, does not seem enough to mark the product as not affected.
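As an added example (not Wireshark's code and not part of this bug report), the following C program models the arithmetic that comments 4 and 5 describe: a CRC length derived as `mac_len - sizeof(mac_crc)` without first checking that `mac_len` is at least `sizeof(mac_crc)`, beside a hardened variant that validates both bounds before the subtraction. All `ex_`-prefixed names are hypothetical, the CRC routine is a generic IEEE CRC-32 standing in for `wimax_mac_calc_crc32()` (its polynomial is not claimed to match Wireshark's), and the packet bytes are constructed for the demo rather than taken from a real DL-MAP.

```c
/* Added example, not Wireshark code: a small model of the length check
 * that comment 4 describes for wimax_decode_dlmapc(). All ex_* names are
 * hypothetical and the packet bytes are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ex_mac_crc_t;            /* plays the role of guint32 mac_crc */

/* Generic reflected CRC-32 (IEEE polynomial). Assumption: a stand-in for
 * wimax_mac_calc_crc32(); the polynomial is not claimed to match it. */
uint32_t ex_crc32(const uint8_t *data, unsigned len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (unsigned i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* The vulnerable arithmetic: mac_len - sizeof(mac_crc) with no check that
 * mac_len >= sizeof(mac_crc). Instead of reading memory, return the value
 * an unsigned length parameter (Wireshark's guint) would receive. */
unsigned ex_vulnerable_crc_len(int mac_len)
{
    int crc_len = mac_len - (int)sizeof(ex_mac_crc_t);  /* negative if mac_len < 4 */
    return (unsigned)crc_len;  /* e.g. mac_len 2 -> 4294967294 bytes to CRC */
}

enum ex_status {
    EX_OK = 0,
    EX_ERR_MAC_LEN_TOO_SHORT,   /* mac_len cannot even hold the CRC */
    EX_ERR_MAC_LEN_EXCEEDS_TVB, /* mac_len claims more bytes than captured */
    EX_ERR_BAD_CRC
};

/* Hardened version: both bounds on mac_len are checked before the
 * subtraction, so crc_len and the CRC offset are always inside tvb. */
enum ex_status ex_dissect_dlmapc_hardened(const uint8_t *tvb, unsigned tvb_len,
                                          int mac_len, uint32_t *crc_out)
{
    if (mac_len < (int)sizeof(ex_mac_crc_t))
        return EX_ERR_MAC_LEN_TOO_SHORT;          /* the check the bug lacked */
    if ((unsigned)mac_len > tvb_len)
        return EX_ERR_MAC_LEN_EXCEEDS_TVB;

    unsigned crc_len = (unsigned)mac_len - (unsigned)sizeof(ex_mac_crc_t);
    uint32_t calc = ex_crc32(tvb, crc_len);
    uint32_t stored = ((uint32_t)tvb[crc_len] << 24) | ((uint32_t)tvb[crc_len + 1] << 16) |
                      ((uint32_t)tvb[crc_len + 2] << 8) | (uint32_t)tvb[crc_len + 3];
    if (crc_out)
        *crc_out = calc;
    return calc == stored ? EX_OK : EX_ERR_BAD_CRC;
}

/* Constructed sample: a few payload bytes (not a real DL-MAP) followed by
 * a big-endian CRC over them. */
static const uint8_t ex_sample_payload[] = { 0x02, 0x05, 0x00, 0x10, 0xAB, 0xCD };
#define EX_SAMPLE_LEN (sizeof ex_sample_payload + sizeof(ex_mac_crc_t))

/* Build the sample frame, optionally corrupt a payload byte, and run the
 * hardened dissector with whatever mac_len a (possibly malformed) packet claims. */
enum ex_status ex_scenario(int claimed_mac_len, int corrupt_payload)
{
    uint8_t tvb[EX_SAMPLE_LEN];
    unsigned payload_len = (unsigned)sizeof ex_sample_payload;
    memcpy(tvb, ex_sample_payload, payload_len);
    uint32_t crc = ex_crc32(tvb, payload_len);
    tvb[payload_len]     = (uint8_t)(crc >> 24);
    tvb[payload_len + 1] = (uint8_t)(crc >> 16);
    tvb[payload_len + 2] = (uint8_t)(crc >> 8);
    tvb[payload_len + 3] = (uint8_t)crc;
    if (corrupt_payload)
        tvb[0] ^= 0x80;                           /* bit flip: CRC must now mismatch */
    return ex_dissect_dlmapc_hardened(tvb, (unsigned)sizeof tvb, claimed_mac_len, NULL);
}

int main(void)
{
    printf("mac_len=2: vulnerable code would hand the CRC routine %u bytes\n",
           ex_vulnerable_crc_len(2));
    printf("well-formed frame      -> %d (0 = EX_OK)\n", ex_scenario((int)EX_SAMPLE_LEN, 0));
    printf("mac_len=2 (too short)  -> %d\n", ex_scenario(2, 0));
    printf("mac_len beyond capture -> %d\n", ex_scenario((int)EX_SAMPLE_LEN + 1, 0));
    printf("corrupted payload      -> %d\n", ex_scenario((int)EX_SAMPLE_LEN, 1));
    return 0;
}
```

The point of the hardened variant is that the lower bound on `mac_len` is rejected explicitly before any subtraction, rather than relying on a later bounds-checked read (such as the `tvb_get_ntohl` call comment 5 mentions in the RHEL 7 variant) to throw. A negative `int` that reaches an unsigned length parameter silently becomes a count of about four billion bytes, which is exactly what `ex_vulnerable_crc_len` shows for `mac_len` of 2.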
