Kismet Dissector Heap-Buffer-Overflow (crash/OOB)
## Summary

The Kismet dissector in `packet-kismet.c` has a heap-buffer-overflow: when it receives a crafted packet on TCP port 2501, it calls `tvb_find_line_end_remaining()` to get a line from the TVB, then passes the pointer and length to `format_text_internal()` in `str_util.c`, which reads 1 byte past the end of a 2048-byte heap-allocated buffer. It is a classic out-of-bounds read and may crash the dissector.

## Steps to reproduce

Run this pcap with ASAN: [mega-ultimate-vuln-kismet-heapoverflow.pcap](/uploads/612e6a16c4e79fcef1345e4b3b6b90a6/mega-ultimate-vuln-kismet-heapoverflow.pcap)

## What is the current bug behavior?

The Kismet dissector at `packet-kismet.c:70-71`:

```c
tvb_find_line_end_remaining(tvb, offset, &linelen, &next_offset);
line = tvb_get_ptr(tvb, offset, linelen);
```

then passes `line` and `linelen` to `format_text()` at line 119:

```c
format_text(pinfo->pool, (char*)line, linelen);
```

`format_text_internal()` in `str_util.c` iterates over the buffer and expands non-printable characters. The 1-byte OOB read occurs when `linelen` extends exactly to the end of the allocated TVB backing buffer (2048 bytes) and `format_text_internal()` reads one byte past it.

## Relevant logs and/or screenshots

```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0001e8a80
READ of size 1 at 0x61d0001e8a80 thread T0
    #0 format_text_internal (libwsutil.so.0)
    #1 format_text (libwsutil.so.0)
    #2 dissect_kismet (libwireshark.so.0 / packet-kismet.c)
    #3 call_dissector_through_handle (packet.c)
    ...
0x61d0001e8a80 is located 0 bytes to the right of 2048-byte region
```

## Build information

```
TShark (Wireshark) 4.6.4 (Git commit f7c4a74874d9).

Copyright 1998-2026 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution.
There is NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compile-time info:
  Bit width: 64-bit
  Compiler: Clang 17.0.0 (clang-1700.6.4.2)
  GLib: 2.86.4
  With: +Gcrypt 1.12.1 +LZ4 1.10.0 +GnuTLS 3.8.12 and PKCS#11 +MaxMind +Kerberos (MIT) +nghttp2 1.68.0 +libpcap +nghttp3 1.15.0 +libsmi 0.5.0 +PCRE2 10.47 2025-10-21 +libxml2 2.9.13 +zlib 1.2.12 +Lua 5.5.0 +Zstandard 1.5.7
  Without: -brotli -Snappy -zlib-ng -POSIX capabilities -xxhash

Runtime info:
  OS: macOS 26.3.1, build 25D2128 (Darwin 25.3.0)
  CPU: Apple M1 Max
  Memory: 32768 MB of physical memory
  GLib: 2.88.0
  Locale: LC_TYPE=en_US.UTF-8
  Plugins: supported, 0 loaded
  With: +c-ares 1.34.6 +libsmi 0.5.0 +PCRE2 10.47 2025-10-21 +Gcrypt 1.12.1 +LZ4 1.10.0 +zlib 1.2.12 +GnuTLS 3.8.12 +nghttp2 1.68.1 +Zstandard 1.5.7 +libpcap 1.10.1 +nghttp3 1.15.0
```
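As an added illustration (not code from this report or from Wireshark), the constructed C program below shows why a formatter over-read of the kind described under "What is the current bug behavior?" fires only when `linelen` ends exactly at the backing buffer: a hypothetical lookahead bug, its bounds-checked fix, and an instrumented byte accessor that counts the over-read instead of leaving it to ASan. The lookahead cause is assumed for illustration only; the actual defect in `format_text_internal()` is not shown on this page.

```c
#include <stddef.h>
#include <string.h>
/* Constructed illustration, not Wireshark code: a length-checked byte accessor
 * that counts reads at or past `len` instead of performing them. */
typedef struct {
    const unsigned char *buf;
    size_t len;        /* bytes the formatter may legitimately touch */
    size_t oob_reads;  /* attempted reads with index >= len */
} checked_buf;
static unsigned char cb_get(checked_buf *cb, size_t i) {
    if (i >= cb->len) { cb->oob_reads++; return 0; }  /* never dereference past len */
    return cb->buf[i];
}

/* Hypothetical formatter with a lookahead bug: on '\r' it peeks at the next
 * byte to fold "\r\n". When the line ends exactly at the end of the backing
 * buffer that peek is a 1-byte over-read; elsewhere it lands inside the
 * allocation unnoticed. Returns the escaped output length. */
static size_t format_text_buggy(checked_buf *cb) {
    size_t out = 0;
    for (size_t i = 0; i < cb->len; i++) {
        unsigned char c = cb_get(cb, i);
        if (c == '\r' && cb_get(cb, i + 1) == '\n') { i++; out += 2; continue; }
        out += (c >= 0x20 && c < 0x7f) ? 1 : 4;  /* printable byte vs "\xNN" */
    }
    return out;
}

/* Hardened variant: peek only when a following byte exists inside `len`. */
static size_t format_text_fixed(checked_buf *cb) {
    size_t out = 0;
    for (size_t i = 0; i < cb->len; i++) {
        unsigned char c = cb_get(cb, i);
        if (c == '\r' && i + 1 < cb->len && cb_get(cb, i + 1) == '\n') { i++; out += 2; continue; }
        out += (c >= 0x20 && c < 0x7f) ? 1 : 4;
    }
    return out;
}

/* Fill a 2048-byte buffer (the region size in the ASan report) with one line
 * that runs to the last byte and ends in a bare '\r', format it as if
 * linelen == 2048, and return how many out-of-bounds reads were attempted. */
static size_t oob_reads_at_buffer_end(size_t (*fmt)(checked_buf *)) {
    static unsigned char backing[2048];
    memset(backing, 'A', sizeof backing);
    backing[sizeof backing - 1] = '\r';
    checked_buf cb = { backing, sizeof backing, 0 };
    (void)fmt(&cb);
    return cb.oob_reads;
}
```

The same harness pattern (an accessor that refuses and counts every read past the declared length) is a cheap unit-test stand-in when ASan is not available in CI.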