Heap Buffer Overflow in nstrace_read_v10 Function
**Description**
A heap buffer overflow vulnerability has been discovered in Wireshark's `nstrace_read_v10` function. This vulnerability may allow an attacker to execute arbitrary code or cause a denial of service by crashing the application.
Tested on: Ubuntu 22.04.2 LTS
**Details**
The offending code resides in the `pint.h` and `netscaler.c` files of Wireshark. The faulty logic in `netscaler.c` appears to stem from missing bounds checking before `pletoh16` is called on `fp->nsprRecordSize` (netscaler.c:1220). The `pletoh16` function, defined in `pint.h`, reads 16 bits of data from the pointer `p` passed to it (pint.h:91).
However, if the pointer `p` is too close to the end of the allocated heap buffer, reading 16 bits of data can read past the end of the allocation. This is precisely what occurs here: `fp->nsprRecordSize` is located only one byte before the end of an 8192-byte heap buffer, so the two-byte read that `pletoh16` performs on `fp->nsprRecordSize` overflows the buffer.
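The condition described above, as an added illustration that is not Wireshark's code: a bounds-checked accessor for a 16-bit record-size field inside a page-sized buffer, refusing the read when the field would straddle the end of the buffer. The names `le16_read` and `read_record_size_checked` are hypothetical stand-ins for `pletoh16` and the caller in `netscaler.c`; the 8192-byte page and the field offsets are constructed from the figures in this report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Buffer size quoted in the ASAN report: the record header is parsed out of an
 * 8192-byte heap allocation. */
#define NSPR_PAGE_SIZE 8192

/* Simplified little-endian 16-bit read, standing in for wsutil's pletoh16
 * (not Wireshark's code). Like pletoh16 it touches p[0] and p[1] unconditionally. */
static uint16_t le16_read(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Hypothetical hardened accessor: read the 16-bit record-size field that starts
 * at byte offset field_off inside a page of page_len bytes. Returns false, without
 * touching memory, when the two-byte field does not fit entirely inside the page,
 * which is the situation in the report (field at offset 8191 of an 8192-byte page). */
static bool read_record_size_checked(const uint8_t *page, size_t page_len,
                                     size_t field_off, uint16_t *out)
{
    /* Written as a subtraction so the check itself cannot wrap for large offsets. */
    if (page == NULL || out == NULL || page_len < sizeof(uint16_t) ||
        field_off > page_len - sizeof(uint16_t)) {
        return false;
    }
    *out = le16_read(page + field_off);
    return true;
}

/* Constructed sample page exercising both cases: a field that fits (offset 8190)
 * and one that would straddle the end of the page (offset 8191).
 * Returns 1 if the checked accessor accepts the first and rejects the second. */
static int demo_boundary_cases(void)
{
    static uint8_t page[NSPR_PAGE_SIZE];   /* constructed sample page, zero-filled */
    uint16_t size = 0;

    memset(page, 0, sizeof page);
    page[NSPR_PAGE_SIZE - 2] = 0x34;       /* little-endian 0x1234 at offset 8190 */
    page[NSPR_PAGE_SIZE - 1] = 0x12;

    bool ok_in  = read_record_size_checked(page, sizeof page, NSPR_PAGE_SIZE - 2, &size);
    bool ok_out = read_record_size_checked(page, sizeof page, NSPR_PAGE_SIZE - 1, &size);
    return (ok_in && size == 0x1234 && !ok_out) ? 1 : 0;
}
```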
**Steps to reproduce:**
Open the trigger file with a Wireshark binary compiled with the **-DENABLE_ASAN** option:
```
$ tshark -r trigger
=================================================================
==528223==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000101100 at pc 0x7fffdfab1bd6 bp 0x7fffffffcd20 sp 0x7fffffffcd10
READ of size 2 at 0x625000101100 thread T0
#0 0x7fffdfab1bd5 in pletoh32 /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wsutil/pint.h:106
#1 0x7fffdfab1bd5 in nstrace_read_v10 /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/netscaler.c:1181
#2 0x7fffdfb34583 in wtap_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/wtap.c:1555
#3 0x55555558eb8f in process_cap_file_single_pass /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3534
#4 0x55555558eb8f in process_cap_file /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3746
#5 0x55555558eb8f in main /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:2260
#6 0x7fffdf629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7fffdf629e3f in __libc_start_main_impl ../csu/libc-start.c:392
#8 0x555555591754 in _start (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark+0x3d754)
0x625000101100 is located 0 bytes to the right of 8192-byte region [0x6250000ff100,0x625000101100)
allocated by thread T0 here:
#0 0x7ffff74b4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7fffdfd24738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738)
...
...
```
I'd also like to request a CVE ID for this vulnerability.
Please let me know if you need any additional information.
Regards,\
Huáscar
[trigger](/uploads/0bbb0d46dd3664340c802411b4bdbf9f/trigger)
[ASAN.txt](/uploads/193e124328316c6e5f9737105e727546/ASAN.txt)
[GDB_Backtrace.txt](/uploads/b014390efe7e32451d26676f0f94c28c/GDB_Backtrace.txt)