WiMax DLMAP dissector crash could be caused by by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file which could result in in crash
External References: https://www.wireshark.org/security/wnpa-sec-2020-04
Created wireshark tracking bugs for this issue: Affects: fedora-all [bug 1814617]
Upstream fix: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7ce2ca316c7450a6e2ca2fc50b2c24a92a64383e https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6dad599a8a1bda8b8e999cc4a7e460140e4ecc0a
Function wimax_decode_dlmapc() in msg_dlmap.c checks whether `MIN(tvb_len, tvb_reported_length(tvb))` is greater than mac_len and if that's the case it computes `mac_len - sizeof(mac_crc)`. However, the vulnerable code does not also ensure that mac_len is actually bigger than sizeof(mac_crc). When it is not, a negative value will be passed to function wimax_mac_calc_crc32() which will read memory out-of-bounds.
Code in Red Hat Enteprise Linux 7 is slightly different because `mac_len - (int)sizeof(mac_crc)` is first passed as an argument to `tvb_get_ntohl` which would raise an exception in case of issues. This however does not seem enough to mark the product as not affected.