The AirPDcapPacketProcess function in epan/crypt/airpdcap.c in the 802.11 dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the relationship between the total length and the capture length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet.
www.debian.org/security/2016/dsa-3505
www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
www.securityfocus.com/bid/79382
www.securitytracker.com/id/1034551
bugs.wireshark.org/bugzilla/show_bug.cgi?id=11790
code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=40b283181c63cb28bc6f58d80315eccca6650da0
security.gentoo.org/glsa/201604-05
www.wireshark.org/security/wnpa-sec-2015-42.html