Skip to content
GitLab
Closed
Issue created by Dr. Lars Völker@LarsVoelkerContributor

ISO15765 and ISO10681 dissectors corrupt memory and Wireshark may crash

Summary

Traces with a lot of ISO15765 consecutive segments (e.g. 32) corrupt memory, so that Wireshark can crash (Wireshark 4.0) or hang (Wireshark 3.6). The same happens with the ISO10681 dissector.

I have a patch prepared and will create a MR.

Detailed Analysis

The following line of packet-iso15765.c may write behind the "frag_id_high" array: frag_id += ((iso15765_frame->frag_id_high[frag_id]++) * 16);

This overflows the header of the next memory chunk. In my analysis the table inside the iso15765_frame_table map.

When after 32 flows, the table needs to be resized with wmem_map_grow and the old chunk is freed. Since the position of the previous chunk was corrupted, Wireshark crashes.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information