Wireshark DCP-ETSI Protocol Dissector Heap Buffer Overflow Vulnerability Leading to Denial-of-Service

A heap buffer overflow vulnerability has been identified in the DCP-ETSI protocol dissector of Wireshark. This issue is present in versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The vulnerability arises in the Reed-Solomon forward error correction code path, where the decoder can write attacker-controlled data past the allocated heap buffer, leading to a crash. The issue occurs during the reassembly of fragmented DCP-ETSI PFT packets over UDP, automatically dissected by the application.

Impact

Exploitation of this vulnerability causes Wireshark to crash, as demonstrated by the AddressSanitizer output indicating a heap-buffer-overflow error.

Reproduction

The vulnerability can be reproduced by loading a crafted PCAP file containing DCP-ETSI PFT fragments with forward error correction enabled, into Wireshark versions 4.6.0 to 4.6.4 or 4.4.0 to 4.4.14. Wireshark should be started with the 'WIRESHARK_DEBUG_WMEM_OVERRIDE=simple' environment variable to ensure that the AddressSanitizer can detect the heap overflow. Once the file is opened, the DCP-ETSI dissector will automatically process the packets, and the heap buffer overflow will occur, causing Wireshark to crash.

Remediation

Users are advised to upgrade to Wireshark versions 4.6.5, 4.4.15 or later.