ZigBee ZCL - uncontrolled memory allocations lead to denial of service
Summary
It is possible to trigger an uncontrolled number of memory allocations in the ZigBee ZCL dissector, due to the ability to create bags of unknown type, which force Wireshark to create huge arrays without ever advancing the offset pointer.
In the dissect_zcl_set_type function, if elements_num is a big number and there is no known ZCL type at the current offset (see the ZCL data types, ZBEE_ZCL_*), then the dissect_zcl_attr_data function will never advance the offset pointer and an uncontrolled number of items will get allocated.
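The loop pattern described above, next to a bounded version, as an added example (a simplified model, not Wireshark's code). The function names, the two type codes and the 1-byte type plus 2-byte little-endian count layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type codes for this model, not the ZBEE_ZCL_* values. */
enum { T_U8 = 0x20, T_U16 = 0x21 };

/* Decode one element at off and return the new offset. As in the behaviour
 * described above, an unknown type consumes nothing. */
static size_t decode_element(size_t len, size_t off, uint8_t type) {
    size_t need = (type == T_U8) ? 1 : (type == T_U16) ? 2 : 0;
    return (need && len - off >= need) ? off + need : off;
}

/* Reported pattern: the loop trusts the count field. Returns how many
 * items (tree nodes, in a dissector) would be created. */
size_t items_unchecked(const uint8_t *buf, size_t len) {
    if (len < 3) return 0;
    uint8_t type = buf[0];
    size_t count = buf[1] | ((size_t)buf[2] << 8), off = 3, items = 0;
    while (count-- > 0) {
        off = decode_element(len, off, type);
        items++;                      /* one allocation per iteration */
    }
    return items;
}

/* Bounded: stop when data runs out or an element makes no progress. */
size_t items_checked(const uint8_t *buf, size_t len) {
    if (len < 3) return 0;
    uint8_t type = buf[0];
    size_t count = buf[1] | ((size_t)buf[2] << 8), off = 3, items = 0;
    while (count-- > 0 && off < len) {
        size_t next = decode_element(len, off, type);
        if (next == off) break;       /* unknown type or truncated element */
        off = next;
        items++;
    }
    return items;
}

int main(void) {
    /* Constructed input: unknown type 0xEE, count 0xFFFF, one payload byte. */
    const uint8_t bad[] = { 0xEE, 0xFF, 0xFF, 0x00 };
    printf("unchecked=%zu checked=%zu\n", items_unchecked(bad, sizeof bad), items_checked(bad, sizeof bad));
    return 0;
}
```

With the progress check, the number of items is bounded by the bytes actually present in the buffer, whatever the count field claims.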
Steps to reproduce
Run this pcap - zigbee_zcl_udp.pcap
Sample capture file
Use this pcap - zigbee_zcl_udp.pcap
Build information
TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)