Created attachment 633907 [details]
crasher from http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=genbroad.snoop

We normally get these from the wireshark advisories, but here we go:
https://bugzilla.suse.com/show_bug.cgi?id=930078

It was found that Wireshark crashes when processing (with "tshark -nr genbroad.snoop") a same file from the Wireshark wiki page:

wget 'http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=genbroad.snoop' -O genbroad.snoop

Additional details:

* crash reason: strlen() called on invalid pointer (value 0x56998680 == 1452902016)
* the function set_dnet_address at packet-dec-dnart.c:355
* it is called 4 times
* the 2nd time is the one when the value is set
* the variable is called addr in the context of /epan/dissectors/packet-dec-dnart.c:357, function set_dnet_address
* the variable is called pinfo->src->data in the upper frames
* in this function, this macro modifies the value:
SET_ADDRESS(paddr_tgt, AT_STRINGZ, 1,
wmem_strdup(pinfo->pool, addr));
* it should set paddr_tgt->data = addr, but the value gets garbled by the ctlq instruction:
..
|0x7ffff4d85522 dnet_address+50> callq 0x7ffff4b0d4b0 <wmem_strdup@plt>
|0x7ffff4d85527 dnet_address+55> cltq
..

Acknowledgements:
This issue was discovered by Martin Žember of Red Hat.

CVE request:
http://seclists.org/oss-sec/2015/q2/408


Dear maintainer, no submission is required just now - Waiting for upstream release / advisory.