Wireshark-bugs: [Wireshark-bugs] [Bug 2128] New: 802.11 fragments truncated with TKIP
Date: Thu, 20 Dec 2007 19:21:13 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2128

           Summary: 802.11 fragments truncated with TKIP
           Product: Wireshark
           Version: 0.99.6
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: ctuffli@xxxxxxxxx

Build Information:
Version 0.99.6a (SVN Rev 22276)

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.12, with GLib 2.12.12, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.4, with ADNS, with Lua 5.1,
with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio
PortAudio V19-devel, with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.1 beta
(packet.dll version 4.1.0.902), based on libpcap version 0.9.6 branch, with
AirPcap 3.0.0 build 954.

Built using Microsoft Visual C++ 6.0 build 8804

Wireshark is Open Source Software released under the GNU General Public License.

Check the man page and http://www.wireshark.org for more information.
--
With 802.11 fragmentation, wireshark appears to be truncating 8 bytes from each
fragment except the last fragment if used in conjunction with TKIP encryption.
The error is both in the "Decrypted TKIP data" and "Reassembled 802.11" tabs as
well as the size each tab reports.

For example, this is the reassembled data from a 512 byte ping (3 fragments).
Notice the jumps in the echo data after 0xab and 0x83.

0000 aa aa 03 00 00 00 08 00 45 00 02 1c 00 00 40 00 ........ E.....@.
0010 40 01 1c d0 0a 02 04 03 0a 02 04 0b 08 00 95 ea @....... ........
0020 52 10 00 01 0a 39 6a 47 18 14 0f 00 08 09 0a 0b R....9jG ........
0030 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b ........ ........
0040 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b .... !"# $%&'()*+
0050 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b ,-./0123 456789:;
0060 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b <=>?@ABC DEFGHIJK
0070 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b LMNOPQRS TUVWXYZ[
0080 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b \]^_`abc defghijk
0090 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b lmnopqrs tuvwxyz{
00a0 7c 7d 7e 7f 80 81 82 83 84 85 86 87 88 89 8a 8b |}~..... ........
00b0 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b ........ ........
00c0 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ........ ........
00d0 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 ........ ........
00e0 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 ........ ........
00f0 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 ........ ........
0100 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 ........ ........
0110 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 ........ ........
0120 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 ........ ........
0130 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ........ .... !"#
0140 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+ ,-./0123
0150 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 456789:; <=>?@ABC
0160 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 DEFGHIJK LMNOPQRS
0170 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 TUVWXYZ[ \]^_`abc
0180 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 defghijk lmnopqrs
0190 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 tuvwxyz{ |}~.....
01a0 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b ........ ........
01b0 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ........ ........
01c0 ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb ........ ........
01d0 bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb ........ ........
01e0 cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db ........ ........
01f0 dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ........ ........
0200 ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb ........ ........
0210 fc fd fe ff                                     ....

I think the function AirPDcapRsnaMng() should not unconditionally subtract 12
from decrypt_len. Instead it should always subtract out the ICV, and only
subtract out the MIC for the final fragment.
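
The length arithmetic behind the report, worked through as an added example (not Wireshark's code and not part of the original message). The struct, the function names and the per-fragment sizes are assumptions: the sizes are constructed from the 8-byte jumps in the dump above, and the MIC is assumed to sit wholly in the final fragment, as the report describes.

```c
#include <stddef.h>
#include <stdio.h>

#define TKIP_ICV_LEN 4  /* WEP ICV, appended to every encrypted MPDU */
#define TKIP_MIC_LEN 8  /* Michael MIC, appended once to the whole MSDU */

/* Hypothetical fragment record: decrypted body length with the trailer still
 * attached, plus the More Fragments bit from the 802.11 frame control field. */
struct frag {
    size_t decrypt_len;
    int more_frags;
};

/* Behaviour described in the report: 12 bytes removed from every fragment. */
static size_t payload_len_reported(const struct frag *f)
{
    size_t trailer = TKIP_ICV_LEN + TKIP_MIC_LEN;
    return f->decrypt_len >= trailer ? f->decrypt_len - trailer : 0;
}

/* Reporter's proposal: ICV always, MIC only when More Fragments is clear. */
static size_t payload_len_proposed(const struct frag *f)
{
    size_t trailer = TKIP_ICV_LEN + (f->more_frags ? 0 : TKIP_MIC_LEN);
    return f->decrypt_len >= trailer ? f->decrypt_len - trailer : 0;
}

/* Sum the payload bytes a reassembler would see under a given length rule. */
static size_t reassembled_len(const struct frag *f, size_t n,
                              size_t (*len_fn)(const struct frag *))
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += len_fn(&f[i]);
    return total;
}

/* Constructed sample: 216 + 216 + 116 payload bytes = 548, which matches
 * 8 bytes of LLC/SNAP plus the IP total length 0x021c (540) in the dump. */
static const struct frag ping_frags[] = {
    { 216 + TKIP_ICV_LEN, 1 },
    { 216 + TKIP_ICV_LEN, 1 },
    { 116 + TKIP_MIC_LEN + TKIP_ICV_LEN, 0 },
};

int main(void)
{
    printf("reported rule: %zu bytes, proposed rule: %zu bytes\n",
           reassembled_len(ping_frags, 3, payload_len_reported),
           reassembled_len(ping_frags, 3, payload_len_proposed));
    return 0;
}
```

The reported rule yields 0x214 bytes, the length of the truncated dump, while the proposed rule restores the 16 bytes missing at the two fragment boundaries.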