## Summary It is possible to reach an infinite loop in the WBXML dissector by generating a specifically crafted WBXML packet due to int overflow vulnerability in the WBXML OPAQUE (0xc3) parsing part of the dissector. The packet will consume 100% core cpu, which eventually lead to a denial of service via packet injection or crafted capture file. It issue resides in the WBXML OPAQUE 0xc3 parsing due to an integer overflow. a guint32 length is read from the packet and added to guint32 offset, if the result overflow, offset will "go back" and keep on reading the same part over and over again. In `parse_wbxml_tag_defined` see parseing `0xc3` --> `off += 1 + len;`  A simple solution would be to limit `len` to `0x7fffffff - 1`. ## Steps to reproduce Run the provided pcap [poc_wbxml_udp_dos.pcap](/uploads/93117abeca1036341a44d3d0bba22b72/poc_wbxml_udp_dos.pcap) ## Sample capture file Attached [poc_wbxml_udp_dos.pcap](/uploads/93117abeca1036341a44d3d0bba22b72/poc_wbxml_udp_dos.pcap) ## Build information ``` TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083) ```