Wireshark-bugs: [Wireshark-bugs] [Bug 2153] New: Bugs in the RTMP(T) decoder

Date: Wed, 2 Jan 2008 15:16:00 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2153

           Summary: Bugs in the RTMP(T) decoder
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: mflerackers@xxxxxxxxxx


Build Information:
Version 0.99.8-SVN-23967 (SVN Rev 23967)
--
I found a few annoying bugs in the new RTMP (Real Time Messaging Protocol)
decoder:

* The ObjectID is wrong if the header length is not 12. This is because the
header length is stored in the first two bits and the ObjectID in the next 6 of
the first byte. When reading the ObjectID it should be masked with 0x3F.

* RTMP packets are decoded wrong if the Body size is larger than 128. Even
though the body size can be larger than 128, the payload after the header can
be at most 128. If it is bigger, the first packet contains only the first 128
bytes, and the rest of the data follows in blocks of 128 bytes with a 1 byte
header with the same ObjectID as the first message. So the one byte header is
0xC0 | ObjectID.

* Numbers in AMF streams are parsed wrong: they are parsed as 3 times 0x00
followed by a short (3 * (1 + 2) = 9 bytes); they should be read as 0x00
followed by a double in network byte order (1 + 8 = 9 bytes). This bug causes
wrong decodes when the number is not 0, as a type is read from the middle of a
number.

The first and third issues are easy to fix. For the third you need a memory which
remembers how big a packet with a certain ObjectID was, as a one byte header
doesn't contain the size. Also packets with different ObjectIDs can be
interleaved, so it's not a question of remembering the last Body size, it
should really be associated with the ObjectID.


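Added example, not part of the original report and not Wireshark's own code: one way to keep the per-ObjectID body-size memory the report describes, in C. The names `rtmp_state` and `rtmp_parse_chunk` are hypothetical; the header lengths 12/8/4/1, the 24-bit body size at offset 4 and the fixed 128-byte chunk payload are assumptions taken from the RTMP chunk layout.

```c
#include <stddef.h>
#include <stdint.h>

#define RTMP_CHUNK_MAX 128u  /* most payload bytes that follow any one header */

/* Per-ObjectID memory. The id is 6 bits wide, so 64 slots bound the state. */
typedef struct {
    uint32_t size[64];       /* body size from the last full header, 0 = none seen */
    uint32_t remaining[64];  /* body bytes still expected for the open message */
} rtmp_state;

/* Header length selected by the top two bits of the first byte (assumed layout). */
static const size_t rtmp_hdr_len[4] = { 12, 8, 4, 1 };

/* Parse one chunk from buf[0..len). Returns bytes consumed (header + payload),
 * or 0 if the data is truncated or no body size is remembered for the ObjectID.
 * *id gets the ObjectID; *done is 1 when the chunk completes its message. */
size_t rtmp_parse_chunk(rtmp_state *st, const uint8_t *buf, size_t len,
                        unsigned *id, int *done)
{
    if (len < 1) return 0;
    size_t hlen = rtmp_hdr_len[buf[0] >> 6];
    unsigned oid = buf[0] & 0x3F;          /* drop the two header-length bits */
    if (len < hlen) return 0;

    if (hlen >= 8) {                       /* header carries a 24-bit body size */
        st->size[oid] = ((uint32_t)buf[4] << 16) | ((uint32_t)buf[5] << 8) | buf[6];
        st->remaining[oid] = st->size[oid];
    } else if (st->remaining[oid] == 0) {  /* short header opening a new message */
        if (st->size[oid] == 0) return 0;  /* nothing remembered for this id */
        st->remaining[oid] = st->size[oid];
    }

    uint32_t take = st->remaining[oid];
    if (take > RTMP_CHUNK_MAX) take = RTMP_CHUNK_MAX;
    if (len - hlen < take) return 0;       /* payload runs past the capture */

    st->remaining[oid] -= take;
    *id = oid;
    *done = (st->remaining[oid] == 0);
    return hlen + take;
}
```

Because the index is always masked to 6 bits, the 64-entry tables cannot be indexed out of bounds by a crafted first byte, and every length is checked against the captured data before it is consumed.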