due to mishandling of header field lengths. This is fixed in wireshark-3.6.2, but may still affect older releases. Wireshark does not handle invalid lengths of certain protocol fields correctly, which can lead to crashes. In particular, Wireshark may crash when parsing certain CMS packets, such as Control Message Stream or Post. For example, when parsing the CMS Post command, Wireshark may crash if a packet of length 255 is encountered. A capture file that triggers the crash in this manner can be constructed; an example of such a file is available at https://github.com/wireshark/wireshark/blob/master/src/ capturing/crash_cms.pcap. The same crash can also be triggered by sending a specially crafted CMS packet to a Wireshark instance that is capturing live; an example of such a packet is available at https://github.com/wireshark/wireshark/blob/master/src/ capturing/cmsg.pcap.

Wireshark may crash when parsing certain Ethernet frames

Wireshark may crash when parsing certain Ethernet frames. This is a result of the same mishandling of header field lengths described above: Wireshark does not handle invalid lengths of certain protocol fields correctly, which can lead to crashes. The issue is fixed in wireshark-3.6.2, but may still affect older releases. The CMS capture file and packet referenced above exercise the same defect.

Fix for CVE-2022-0561

The following steps avoid crashes in Wireshark caused by mishandling of header field lengths. The issue is fixed in wireshark-3.6.2, but may still affect older releases:
1. Upgrade to wireshark-3.6.2 or later, where the dissector handles invalid header field lengths correctly.
2. When generating or validating traffic, make sure that the length field of every protocol header is within the valid range for that field and matches the number of bytes actually present, rather than an invalid length.
3. Make sure that the packet length field of each protocol is not set to a value larger than the field can express (255 bytes for a one-byte length field, 0xffff bytes for a two-byte length field).
4. If Wireshark crashes while parsing a CMS packet, check that there are no more than 255 bytes in total between the EOL tag and the header data (inclusive).
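The defect class behind these steps is a parser that trusts a declared length field before checking that the bytes exist. The following is an added example, not Wireshark code and not the CMS wire format: it uses a constructed, hypothetical two-byte header (type, one-byte length) and shows how a dissector-style walker should validate a declared length against the bytes remaining in the buffer, including the caveat that the check must not be written as an addition that can wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed header layout used for illustration only (hypothetical, not a
 * Wireshark dissector and not the real CMS wire format):
 *   byte 0: field type
 *   byte 1: declared payload length (0..255)
 *   bytes 2..: payload
 */

/*
 * Reads the field at *offset. Returns its declared payload length and
 * advances *offset past the field, or returns -1 if the two-byte header or
 * the declared payload does not fit in the remaining buffer.
 */
int next_field(const uint8_t *buf, size_t buf_len, size_t *offset, uint8_t *type)
{
    /* Header check: never index buf[*offset + 1] before proving it exists. */
    if (*offset > buf_len || buf_len - *offset < 2)
        return -1;

    size_t declared = buf[*offset + 1];
    size_t remaining = buf_len - (*offset + 2);

    /*
     * Compare the declared length against the bytes that remain. The tempting
     * form "*offset + 2 + declared <= buf_len" is wrong in general: with
     * attacker-controlled lengths the addition can wrap and the check passes
     * for a length that points far outside the buffer.
     */
    if (declared > remaining)
        return -1;

    *type = buf[*offset];
    *offset += 2 + declared;
    return (int)declared;
}

/* Walks every field; returns the field count, or -1 on the first malformed one. */
int count_fields(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    int count = 0;
    uint8_t type;
    while (off < buf_len) {
        if (next_field(buf, buf_len, &off, &type) < 0)
            return -1;
        count++;
    }
    return count;
}

/* Constructed sample inputs. */
const uint8_t good_fields[] = { 0x01, 0x02, 0xAA, 0xBB,   /* type 1, 2-byte payload */
                                0x02, 0x00 };             /* type 2, empty payload */
/* Declares 255 bytes of payload, but only two bytes follow the header. */
const uint8_t bad_fields[]  = { 0x01, 0xFF, 0x00, 0x00 };

int main(void)
{
    printf("good: %d fields\n", count_fields(good_fields, sizeof good_fields));
    printf("bad:  %d\n", count_fields(bad_fields, sizeof bad_fields));
    return 0;
}
```

The `bad_fields` buffer is the shape the advisory describes: a length field of 255 with far fewer bytes behind it. A parser that reads `declared` bytes without the `remaining` comparison walks off the end of the packet buffer; with the comparison it rejects the field and the caller can mark the packet malformed instead of crashing.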

Detecting Wireshark Crashes

Due to CMS Packets
To detect whether a capture contains CMS packets that would crash Wireshark, read the capture file with tcpdump, which parses it independently of Wireshark's dissectors. If tcpdump finds a header field whose declared length exceeds the bytes actually present in the packet, it reports a truncation error such as "packet too short" and stops processing. Note that this diagnostic only shows that a length field is inconsistent with the packet; it does not by itself confirm that Wireshark would crash on it, and tcpdump running alongside Wireshark does not prevent the crash, so the check is most useful when run on the capture file before it is opened in Wireshark. If you see this message for packets other than CMS packets, the cause is a different malformed field rather than this issue.
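A complementary pre-check that does not depend on any protocol dissector is to verify the capture file's own record headers, since a record whose `incl_len` claims more bytes than the file holds (or more than the snaplen) is exactly the kind of length inconsistency that can take a parser past the end of a buffer. The following is an added example, not Wireshark or tcpdump code: it walks a classic little-endian pcap image held in memory and reports the first inconsistent record. It assumes the classic pcap format (magic 0xa1b2c3d4 or 0xa1b23c4d, little-endian); pcapng files are not handled. The two sample captures are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct pcap_check {
    int ok;             /* 1 if every record header is consistent with the file */
    size_t records;     /* records successfully walked before stopping */
    size_t bad_index;   /* index of the first inconsistent record (valid if !ok) */
    const char *reason; /* short description of the problem (valid if !ok) */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validates the 24-byte global header and each 16-byte record header
 * against the bytes actually present. Assumes little-endian classic pcap. */
struct pcap_check check_pcap(const uint8_t *data, size_t len)
{
    struct pcap_check r = { 1, 0, 0, NULL };

    if (len < 24) {
        r.ok = 0; r.reason = "file shorter than the 24-byte global header";
        return r;
    }
    uint32_t magic = le32(data);
    if (magic != 0xa1b2c3d4u && magic != 0xa1b23c4du) {
        r.ok = 0; r.reason = "not a little-endian classic pcap magic";
        return r;
    }
    uint32_t snaplen = le32(data + 16);
    size_t off = 24;

    while (off < len) {
        if (len - off < 16) {
            r.ok = 0; r.bad_index = r.records; r.reason = "truncated record header";
            return r;
        }
        uint32_t incl = le32(data + off + 8);   /* bytes stored in the file */
        uint32_t orig = le32(data + off + 12);  /* bytes on the wire */
        off += 16;

        const char *why = NULL;
        if (incl > snaplen)        why = "incl_len exceeds snaplen";
        else if (incl > orig)      why = "incl_len exceeds orig_len";
        /* Compare against what remains rather than adding to off first. */
        else if (incl > len - off) why = "incl_len exceeds bytes remaining in file";
        if (why) {
            r.ok = 0; r.bad_index = r.records; r.reason = why;
            return r;
        }
        off += incl;
        r.records++;
    }
    return r;
}

/* Constructed pcap images: global header (snaplen 65535, link type 1) followed by records. */
const uint8_t good_pcap[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0,
    0,0,0,0, 0,0,0,0, 0x04,0,0,0, 0x04,0,0,0, 0xde,0xad,0xbe,0xef,   /* 4-byte record */
};
const uint8_t bad_pcap[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0,
    0,0,0,0, 0,0,0,0, 0x04,0,0,0, 0x04,0,0,0, 0xde,0xad,0xbe,0xef,   /* good record */
    0,0,0,0, 0,0,0,0, 0xff,0,0,0, 0xff,0,0,0, 0xaa,0xbb,0xcc,0xdd,   /* claims 255, has 4 */
};

int main(void)
{
    struct pcap_check a = check_pcap(good_pcap, sizeof good_pcap);
    struct pcap_check b = check_pcap(bad_pcap, sizeof bad_pcap);
    printf("good: ok=%d records=%zu\n", a.ok, a.records);
    printf("bad:  ok=%d record %zu: %s\n", b.ok, b.bad_index, b.reason);
    return 0;
}
```

Run against a file read into memory, this flags a record claiming 255 bytes when only four remain, which is the situation the tcpdump check above reports as a truncated packet. A clean result here does not prove Wireshark will dissect the file safely (protocol-level length fields inside each record are not examined), but a failure means the file should not be opened in an unpatched Wireshark at all.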

Timeline

Published on: 02/14/2022 22:15:00 UTC
Last modified on: 04/01/2022 17:23:00 UTC

References