Ethereal-dev: [Ethereal-dev] EPAN reports BoundsError exception when parses text MEGACO packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Tarlovskij Eugene" <eugene@xxxxxxxxxxxx>
Date: Fri, 19 May 2006 20:21:58 +0400

Recently I captured a text MEGACO packet which crashed the EPAN library.
Unfortunately, I am not able to reproduce and re-capture those packets with
Ethereal.

Here is a packet which crashed the MEGACO dissector:

4d 45 47 41 43 4f 2f 31 20 3c 63 6f 6d 70 61 6e  MEGACO/1 <compan
79 32 2e 63 6f 6d 3e 3a 32 39 34 34 0a 54 72 61  y2.com>:2944.Tra
6e 73 61 63 74 69 6f 6e 3d 36 34 33 38 7b 0a 09  nsaction=6438{..
43 6f 6e 74 65 78 74 3d 2a 7b 0a 09 09 41 75 64  Context=*{...Aud
69 74 56 61 6c 75 65 3d 75 73 65 72 5f 36 7b 41  itValue=user_6{A
75 64 69 74 7b 4d 65 64 69 61 7d 7d 0a 09 7d 0a  udit{Media}}..}.
7d 0a                                            }.

Textual representation of this packet: 

MEGACO/1 <company2.com>:2944
Transaction=6438{
    Context=*{
        AuditValue=user_6{Audit{Media}}
    }
}

I use EPAN sources version 0.99 downloaded from the Ethereal website.
A BoundsError exception is reported by the tvb_format_text routine because
the tokenlen parameter is less than (-1).

The invalid tokenlen comes from packet-megaco.c:1348, procedure
dissect_megaco_mediadescriptor:

    tvb_current_offset = tvb_find_guint8(tvb, tvb_previous_offset, tvb_RBRKT, '=');

The dissector sees the word "Media" and tries to find "=" after it.

I have discussed this issue with a qualified engineer, who told me:
=======================
I've looked into the IETF document "draft-ietf-megaco-callflows-04.txt",
and it has the sample at pages 162-163.
      Context = 2 {AuditValue = EphA{
         Audit{Media, DigitMap, Events, Signals, Packages, Statistics
   }}

When we send the Transaction (request), Audit sends just the name of a
descriptor (here the list of names) like the "Media" token. The reply looks
different:
   MEGACO/1 [209.110.59.34]:25000
   Reply = 1234 {
      Context = 2 {
   AuditValue = EphA {
             Media {
                 TerminationState { ServiceState = InService,
                        Buffer = OFF },
                Stream = 1 {
                    LocalControl { Mode = SendReceive,
                       nt/jit=40 },
                    Local {
   v=0
   o=- 2890844525 2890842816 IN IP4 209.110.59.34
   s=- 
   t= 00 
   c=IN IP4 209.110.59.33
   m=audio 30000 RTP/AVP  0
   a=ptime:30
                   },
and the MediaDescriptor parameters are replied (as the list, without
"=")

The ABNF syntax confirms it: MediaToken is never followed by "=", only "}"
or "{".
=======================

This situation looks like a MEGACO dissector bug.

Please tell me whether I am right about it.

Eugene Tarlovskij
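
The failure mode reported in this message, as an added example that is not part of the original post and is not Ethereal's code: a search for "=" that returns -1 is used as an offset, so the derived token length goes negative, next to a checked form that ends a bare token at the next "{" or "}". The names `find_byte`, `tokenlen_unchecked` and `tokenlen_checked` are hypothetical, and the example assumes the length is computed by subtracting the token's start offset from the search result.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the AuditValue line of the request quoted in the post. */
static const char REQUEST[] = "AuditValue=user_6{Audit{Media}}";

/* Hypothetical stand-in for a bounded byte search: offset of `needle`
 * within buf[start, start+maxlen), or -1 when it is not there. */
static int find_byte(const char *buf, int start, int maxlen, char needle)
{
    const char *p;
    if (start < 0 || maxlen <= 0) return -1;
    p = memchr(buf + start, needle, (size_t)maxlen);
    return p ? (int)(p - buf) : -1;
}

/* Unchecked: the -1 "not found" result is used as if it were an offset. */
static int tokenlen_unchecked(const char *buf, int len, int tok_off)
{
    int rbrkt = find_byte(buf, tok_off, len - tok_off, '}');
    int eq = find_byte(buf, tok_off, rbrkt - tok_off, '=');
    return eq - tok_off;              /* negative when '=' is absent */
}

/* Checked: a bare token (no '=') ends at the next '{' or '}' instead.
 * Returns the token length, or -1 when no closing '}' exists at all. */
static int tokenlen_checked(const char *buf, int len, int tok_off)
{
    int rbrkt = find_byte(buf, tok_off, len - tok_off, '}');
    int eq, lbrkt;
    if (rbrkt < 0) return -1;         /* unterminated: caller must reject */
    eq = find_byte(buf, tok_off, rbrkt - tok_off, '=');
    if (eq >= 0) return eq - tok_off;
    lbrkt = find_byte(buf, tok_off, rbrkt - tok_off, '{');
    return (lbrkt >= 0 ? lbrkt : rbrkt) - tok_off;
}

/* Offset of the "Media" token inside the constructed REQUEST sample. */
static int request_media_off(void) { return (int)(strstr(REQUEST, "Media") - REQUEST); }

int main(void)
{
    int off = request_media_off(), n = (int)strlen(REQUEST);
    printf("unchecked=%d checked=%d\n",
           tokenlen_unchecked(REQUEST, n, off), tokenlen_checked(REQUEST, n, off));
    return 0;
}
```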

