A WiMax DLMAP dissector crash could be caused by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file, which could result in a crash.
Created wireshark tracking bugs for this issue:
Affects: fedora-all [bug 1814617]
Function wimax_decode_dlmapc() in msg_dlmap.c checks whether `MIN(tvb_len, tvb_reported_length(tvb))` is greater than mac_len and if that's the case it computes `mac_len - sizeof(mac_crc)`. However, the vulnerable code does not also ensure that mac_len is actually bigger than sizeof(mac_crc). When it is not, a negative value will be passed to function wimax_mac_calc_crc32() which will read memory out-of-bounds.
Code in Red Hat Enterprise Linux 7 is slightly different because `mac_len - (int)sizeof(mac_crc)` is first passed as an argument to `tvb_get_ntohl` which would raise an exception in case of issues. This however does not seem enough to mark the product as not affected.
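
The length check described in the comments above, reduced to a stand-alone C model with the missing lower bound added beside it. This is an added example, not Wireshark's source; the function names, the 4-byte CRC size and the sample lengths are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stands in for sizeof(mac_crc); a 32-bit CRC trailer is assumed. */
#define CRC_SIZE ((int)sizeof(uint32_t))

/* Check as described in the report: only "available > mac_len" is tested,
 * so any mac_len below CRC_SIZE yields a negative span. */
bool crc_span_unchecked(int available, int mac_len, int *span)
{
    if (available <= mac_len)
        return false;
    *span = mac_len - CRC_SIZE;
    return true;
}

/* Hardened form: also require mac_len > CRC_SIZE before subtracting. */
bool crc_span_checked(int available, int mac_len, int *span)
{
    if (mac_len <= CRC_SIZE || available <= mac_len)
        return false;
    *span = mac_len - CRC_SIZE;
    return true;
}

/* What a callee sees if it takes the length as an unsigned count
 * (assumption about the consumer): -1 becomes SIZE_MAX. */
size_t span_as_unsigned(int span)
{
    return (size_t)span;
}

int main(void)
{
    int span = 0;
    /* Constructed case: 16 bytes available, header claims mac_len = 3. */
    bool bad = crc_span_unchecked(16, 3, &span); /* accepted, span == -1 */
    bool ok = crc_span_checked(16, 3, &span);    /* rejected, span untouched */
    return (bad && !ok) ? 0 : 1;
}
```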