WBXML dissector inf loop - 100% cpu - denial of service
It is possible to reach an infinite loop in the WBXML dissector with a specially crafted WBXML packet, due to an integer overflow in the WBXML OPAQUE (0xc3) parsing part of the dissector. The packet will consume 100% of a CPU core, which eventually leads to a denial of service via packet injection or a crafted capture file.
The issue resides in the WBXML OPAQUE 0xc3 parsing and is due to an integer overflow. A guint32 length is read from the packet and added to a guint32 offset; if the result overflows, the offset will "go back" and keep on reading the same part over and over again.
See the parsing in parse_wbxml_tag_defined:
off += 1 + len;
A simple solution would be to limit
0x7fffffff - 1.
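The wrap-around described above, next to a bounds check that rejects it, as an added example (not Wireshark's code or its actual fix). The record layout (a 0xC3 tag followed by a 4-byte big-endian length that counts every byte after the tag), the function name and the sample buffers are assumptions made for the demonstration and are simpler than real WBXML encoding; the check compares the length against the bytes remaining rather than using the limit suggested in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: one valid record, then a record whose length makes
 * off + 1 + len equal 2^32, i.e. wrap to 0 in 32-bit arithmetic. */
static const uint8_t CRAFTED[] = {
    0xC3, 0x00, 0x00, 0x00, 0x05, 0xAA,   /* len 5: length field + 1 byte */
    0xC3, 0xFF, 0xFF, 0xFF, 0xF9          /* 6 + 1 + 0xFFFFFFF9 wraps to 0 */
};
/* Constructed sample: two records that fit the buffer exactly. */
static const uint8_t WELL_FORMED[] = {
    0xC3, 0x00, 0x00, 0x00, 0x05, 0xAA,
    0xC3, 0x00, 0x00, 0x00, 0x04
};

/* Walks tag + 4-byte big-endian length records (hypothetical layout).
 * Returns records parsed, -1 if a length is rejected, -2 if the
 * iteration cap is hit (the walk is not making forward progress). */
static int walk(const uint8_t *buf, uint32_t n, bool checked, int cap)
{
    uint32_t off = 0;
    int count = 0;

    while (off < n && n - off >= 5) {
        if (count == cap)
            return -2;
        uint32_t len = ((uint32_t)buf[off + 1] << 24) | ((uint32_t)buf[off + 2] << 16) |
                       ((uint32_t)buf[off + 3] << 8) | (uint32_t)buf[off + 4];
        /* Hardened path: len must cover its own field and stay inside
         * the bytes that remain after the tag, so the sum cannot wrap. */
        if (checked && (len < 4 || len > n - off - 1))
            return -1;
        off += 1 + len;   /* same arithmetic as the line in the report */
        count++;
    }
    return count;
}

int main(void)
{
    printf("unchecked, crafted: %d\n", walk(CRAFTED, sizeof CRAFTED, false, 1000));
    printf("checked, crafted:   %d\n", walk(CRAFTED, sizeof CRAFTED, true, 1000));
    printf("checked, valid:     %d\n", walk(WELL_FORMED, sizeof WELL_FORMED, true, 1000));
    return 0;
}
```

The iteration cap exists only so the unchecked walk terminates in the demonstration; without it that call would spin forever, which is the behaviour the report describes.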
Steps to reproduce
Run the provided pcap poc_wbxml_udp_dos.pcap
Sample capture file
TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)