Wireshark-bugs: [Wireshark-bugs] [Bug 2401] New: Wireshark will crash when decoding wimax SBC-RE

Date: Wed, 2 Apr 2008 03:20:26 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2401

           Summary: Wireshark will crash when decoding wimax SBC-REQ/SBC-RSP
           Product: Wireshark
           Version: 0.99.7
          Platform: All
        OS/Version: All
            Status: ASSIGNED
          Severity: Critical
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: chris.yang@xxxxxxxxxxx


Build Information:
Version 0.99.7

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.1, with GLib 2.14.3, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with SMI 0.4.5, with ADNS, with Lua 5.1,
with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio
PortAudio V19-devel, with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 8.0 build 50727

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The MAC PDU that causes the problem:
0000   00 40 44 00 66 83 1a 03 04 00 00 00 00 19 0d 03
0010   01 00 04 02 00 00 05 01 00 06 01 00 1c 01 00 93
0020   01 00 96 01 10 97 02 00 3c 9e 01 00 9f 02 00 00
0030   a7 01 01 ab 01 00 ae 02 00 2c af 01 00 cc 01 4a
0040   2e c0 fd 9e

The decode result should be:
    PDU (68 bytes) - Generic MAC Header, SBC-REQ, CRC
        Generic MAC Header (6 bytes)
            0... .... .... .... .... .... = MAC Header Type: Generic (0x000000)
            .0.. .... .... .... .... .... = MAC Encryption Control: Not encrypted (0x000000)
            ..0. .... .... .... .... .... = MAC Sub-type Bit 5: Mesh subheader is absent (0x000000)
            ...0 .... .... .... .... .... = MAC Sub-type Bit 4: ARQ feedback payload is absent (0x000000)
            .... 0... .... .... .... .... = MAC Sub-type Bit 3: The subheader is not extended (0x000000)
            .... .0.. .... .... .... .... = MAC Sub-type Bit 2: Fragmentation subheader is absent (0x000000)
            .... ..0. .... .... .... .... = MAC Sub-type Bit 1: Packing subheader is absent (0x000000)
            .... ...0 .... .... .... .... = MAC Sub-type Bit 0: Fast-feedback allocation subheader(DL)/Grant management subheader(UL) is absent (0x000000)
            .... .... 0... .... .... .... = Extended Sub-header Field: Extended subheader is absent (0x000000)
            .... .... .1.. .... .... .... = CRC Indicator: CRC is included (0x000001)
            .... .... ..00 .... .... .... = Encryption Key Sequence: 0x000000
            .... .... .... 0... .... .... = Reserved: 0
            .... .... .... .000 0100 0100 = Length: 68
            Connection ID: 102
            Header Check Sequence: 0x83
        SS Basic Capability Request (SBC-REQ) (58 bytes)
            MAC Management Message Type: 26
            Maximum Transmit Power: 0x00000000
                TLV type: 3
                TLV length: 4
                TLV value: Maximum Transmit Power (0x00000000)
                    BPSK: -64.00 dBm
                    QPSK: -64.00 dBm
                    QAM16: -64.00 dBm
                    QAM64: -64.00 dBm
            Security Negotiation Parameters (13 bytes)
                TLV type: 25
                TLV length: 13
                TLV value: Security Negotiation Parameters (13 bytes) (0x03010004...)
                    MAC (Message Authentication Code) Mode: 0x00
                        TLV type: 3
                        TLV length: 1
                        TLV value: MAC (Message Authentication Code) Mode (0x00)
                            .... ...0 = HMAC: not supported
                            .... ..0. = Reserved: not supported
                            .... .0.. = 64-bit Short-HMAC: not supported
                            .... 0... = 80-bit Short-HMAC: not supported
                            ...0 .... = 96-bit Short-HMAC: not supported
                            ..0. .... = CMAC: not supported
                            00.. .... = Reserved: 0x00
                    PN Window Size: 0
                        TLV type: 4
                        TLV length: 2
                        TLV value: PN Window Size (0x0000)
                            PN Window Size: 0
                            Maximum concurrent transactions (0 indicates no limit): 0
                            Maximum number of security associations supported by the SS: 0
            HO Trigger Metric Support: 0x00
                TLV type: 28
                TLV length: 1
                TLV value: HO Trigger Metric Support (0x00)
                    .... ...0 = BS CINR Mean: not supported
                    .... ..0. = BS RSSI Mean: not supported
                    .... .0.. = BS Relative Delay: not supported
                    .... 0... = BS RTD: not supported
                    0000 .... = Reserved: 0x00
            Current transmitted power: 0x00
                TLV type: 147
                TLV length: 1
                TLV value: Current transmitted power (0x00)
                    Current Transmitted Power: 2147483648.00 dBm (Value: 0x0)
            OFDMA SS FFT Sizes: 0x10
                TLV type: 150
                TLV length: 1
                TLV value: OFDMA SS FFT Sizes (0x10)
                    .... ...0 = Reserved: 0x00
                    .... ..0. = FFT-2048: not supported
                    .... .0.. = FFT-128: not supported
                    .... 0... = FFT-512: not supported
                    ...1 .... = FFT-1024: supported
                    000. .... = Reserved: 0x00
            OFDMA SS Demodulator: 003C
                TLV type: 151
                TLV length: 2
                TLV value: OFDMA SS Demodulator (0x003c)
                    .... .... .... ...0 = 64-QAM: not supported
                    .... .... .... ..0. = BTC: not supported
                    .... .... .... .1.. = CTC: supported
                    .... .... .... 1... = STC: supported
                    .... .... ...1 .... = CC with Optional Interleaver: supported
                    .... .... ..1. .... = HARQ Chase: supported
                    .... .... .0.. .... = HARQ CTC_IR: not supported
                    .... .... 0... .... = Reserved: 0x0000
                    .... ...0 .... .... = HARQ CC_IR: not supported
                    .... ..0. .... .... = LDPC: not supported
                    .... .0.. .... .... = Dedicated Pilots: not supported
                    .... 0... .... .... = Reserved: 0x0000
            OFDMA AAS Private Map Support: 0x00
                TLV type: 158
                TLV length: 1
                TLV value: OFDMA AAS Private Map Support (0x00)
                    .... ...0 = H-ARQ MAP Capability: not supported
                    .... ..0. = Private Map Support: not supported
                    .... .0.. = Reduced Private Map Support: not supported
                    .... 0... = Private Map Chain Enable: not supported
                    ...0 .... = Private Map DL Frame Offset: not supported
                    ..0. .... = Private Map UL Frame Offset: not supported
                    00.. .... = Private Map Chain Concurrency: 0x00
            OFDMA AAS Capability: 0x0000
                TLV type: 159
                TLV length: 2
                TLV value: OFDMA AAS Capability (0x0000)
                    .... .... .... ...0 = AAS Zone: not supported
                    .... .... .... ..0. = AAS Diversity Map Scan (AAS DLFP): not supported
                    .... .... .... .0.. = AAS-FBCK-RSP Support: not supported
                    .... .... .... 0... = Downlink AAS Preamble: not supported
                    .... .... ...0 .... = Uplink AAS Preamble: not supported
                    0000 0000 000. .... = Reserved: 0x0000
            Association Type Support: 0x01
                TLV type: 167
                TLV length: 1
                TLV value: Association Type Support (0x01)
                    .... ...1 = Scanning Without Association: association not supported: Yes (1)
                    .... ..0. = Association Level 0: scanning or association without coordination: No (0x00)
                    .... .0.. = Association Level 1: association with coordination: No (0x00)
                    .... 0... = Association Level 2: network assisted association: No (0x00)
                    ...0 .... = Desired Association Support: No (0x00)
                    000. .... = Reserved: 0x00
            The Minimum Number Of Frames That SS Takes To Switch From The Open Loop Power Control Scheme To The Closed Loop Power Control Scheme Or Vice Versa: 0
                TLV type: 171
                TLV length: 1
                TLV value: The Minimum Number Of Frames That SS Takes To Switch From The Open Loop Power Control Scheme To The Closed Loop Power Control Scheme Or Vice Versa (0x00)
                    The Minimum Number Of Frames That SS Takes To Switch From The Open Loop Power Control Scheme To The Closed Loop Power Control Scheme Or Vice Versa: 0
            OFDMA MS CSIT Capability: 0x2c
                TLV type: 174
                TLV length: 2
                TLV value: OFDMA MS CSIT Capability (0x002c)
                    .... .... .... ...0 = CSIT Compatibility Type A: not supported
                    .... .... .... ..0. = CSIT Compatibility Type B: not supported
                    .... .... .... .1.. = Power Assignment Capability: supported
                    .... .... ..10 1... = Sounding Response Time Capability: min(2, Next Frame) (0x0005)
                    .... ..00 00.. .... = Max Number Of Simultaneous Sounding Instructions: 0
                    .... .0.. .... .... = SS Does Not Support P Values Of 9 And 18 When Supporting CSIT Type A: not supported
                    0000 0... .... .... = Reserved: 0x0000
            Maximum Number Of Burst Per Frame Capability In HARQ: 0x00
                TLV type: 175
                TLV length: 1
                TLV value: Maximum Number Of Burst Per Frame Capability In HARQ (0x00)
                    .... .000 = Maximum Number Of UL HARQ Burst Per HARQ Enabled MS Per Frame (default(0)=1): 0
                    .... 0... = Whether The Maximum Number Of UL HARQ Bursts Per Frame (i.e. Bits# 2-0) Includes The One Non-HARQ Burst: No
                    0000 .... = Maximum Numbers Of DL HARQ Bursts Per HARQ Enabled Of MS Per Frame (default(0)=1): 0
            OFDMA parameters sets: 0x4a
                TLV type: 204
                TLV length: 1
                TLV value: OFDMA parameters sets (0x4a)
                    .... ...0 = Support OFDMA PHY parameter set A: 0x00
                    .... ..1. = Support OFDMA PHY parameter set B: 0x01
                    ...0 10.. = HARQ parameters set: HARQ set 3 (0x02)
                    ..0. .... = Support OFDMA MAC parameters set A: 0x00
                    .1.. .... = Support OFDMA MAC parameters set B: 0x01
                    0... .... = Reserved: 0x00
        CRC: 0x2ec0fd9e


But the wimax "msg_sbc.c" file has bugs in struct "hf_sbc". I attached the diff
file.


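The report gives a complete MAC PDU and the field layout the dissector is expected to recover from it (a 6-byte Generic MAC Header, the management message type byte, a run of one-byte-type/one-byte-length TLVs, and a 4-byte CRC trailer announced by the CI bit). The example below is an added, stand-alone parser for that layout; it is not code from Wireshark, from the wimax plugin, or from the reporter's attached diff. It embeds the 68-byte PDU from the hex dump above as its sample input, decodes the header bits exactly as the decode tree lists them, and walks the TLVs with the bounds checks a dissector needs so that a length byte pointing past the end of the buffer is reported rather than read through. The HCS is verified as a CRC-8 with generator 0x07, MSB first and initial value 0; that polynomial is an assumption taken from IEEE 802.16, checked here only by the fact that it reproduces the 0x83 in the sample. The CRC-32 trailer is carved off but not recomputed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The 68-byte SBC-REQ MAC PDU from the bug report, transcribed from its hex dump. */
static const uint8_t sbc_req_pdu[68] = {
    0x00,0x40,0x44,0x00,0x66,0x83,0x1a,0x03,0x04,0x00,0x00,0x00,0x00,0x19,0x0d,0x03,
    0x01,0x00,0x04,0x02,0x00,0x00,0x05,0x01,0x00,0x06,0x01,0x00,0x1c,0x01,0x00,0x93,
    0x01,0x00,0x96,0x01,0x10,0x97,0x02,0x00,0x3c,0x9e,0x01,0x00,0x9f,0x02,0x00,0x00,
    0xa7,0x01,0x01,0xab,0x01,0x00,0xae,0x02,0x00,0x2c,0xaf,0x01,0x00,0xcc,0x01,0x4a,
    0x2e,0xc0,0xfd,0x9e
};

typedef struct {
    uint8_t  ht, ec, type, esf, ci, eks;  /* bit fields of header bytes 0 and 1 */
    uint16_t len, cid;                    /* 11-bit PDU length, 16-bit connection ID */
    uint8_t  hcs;                         /* header check sequence, byte 5 */
} gmh_t;

typedef struct { uint8_t type, len; const uint8_t *val; } tlv_t;

/* HCS: CRC-8 over header bytes 0..4, generator x^8+x^2+x+1 (0x07), MSB first,
 * init 0. Assumed from IEEE 802.16; it reproduces the sample's 0x83. */
uint8_t wimax_hcs(const uint8_t *p, size_t n)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x07 : crc << 1);
    }
    return crc;
}

/* 0 = ok, -1 = buffer shorter than a header, -2 = HCS mismatch,
 * -3 = LEN field claims more bytes than the buffer actually holds. */
int parse_gmh(const uint8_t *buf, size_t buflen, gmh_t *h)
{
    if (buflen < 6) return -1;
    h->ht   = buf[0] >> 7;
    h->ec   = (buf[0] >> 6) & 1;
    h->type = buf[0] & 0x3f;
    h->esf  = buf[1] >> 7;
    h->ci   = (buf[1] >> 6) & 1;
    h->eks  = (buf[1] >> 4) & 3;
    h->len  = (uint16_t)(((buf[1] & 0x07) << 8) | buf[2]);
    h->cid  = (uint16_t)((buf[3] << 8) | buf[4]);
    h->hcs  = buf[5];
    if (wimax_hcs(buf, 5) != h->hcs) return -2;
    if (h->len > buflen) return -3;
    return 0;
}

/* Walk type/length/value triples. Returns the count, or -1 the moment a length
 * byte points past the end: stop there instead of indexing beyond the buffer. */
int walk_tlvs(const uint8_t *p, size_t n, tlv_t *out, size_t max)
{
    size_t off = 0;
    int count = 0;
    while (off < n) {
        if (n - off < 2) return -1;                 /* type byte without length */
        uint8_t t = p[off], l = p[off + 1];
        if ((size_t)l > n - off - 2) return -1;     /* value would overrun */
        if ((size_t)count < max) {
            out[count].type = t;
            out[count].len  = l;
            out[count].val  = p + off + 2;
        }
        count++;
        off += 2 + (size_t)l;
    }
    return count;
}

/* Header, management message type byte, top-level TLVs, and the CRC trailer that
 * CI=1 announces (carved off, not recomputed). Returns the TLV count or an error. */
int parse_sbc_pdu(const uint8_t *buf, size_t buflen, gmh_t *h, uint8_t *mgmt_type,
                  tlv_t *tlvs, size_t max, uint32_t *crc)
{
    int rc = parse_gmh(buf, buflen, h);
    if (rc) return rc;
    size_t trailer = h->ci ? 4 : 0;
    if ((size_t)h->len < 7 + trailer) return -3;    /* no room for the type byte */
    *mgmt_type = buf[6];
    *crc = 0;
    if (h->ci) {
        const uint8_t *c = buf + h->len - 4;
        *crc = ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) |
               ((uint32_t)c[2] << 8)  |  (uint32_t)c[3];
    }
    return walk_tlvs(buf + 7, (size_t)h->len - 7 - trailer, tlvs, max);
}

int main(void)
{
    gmh_t h; tlv_t tlvs[32], sec[8]; uint8_t mt; uint32_t crc;
    int n = parse_sbc_pdu(sbc_req_pdu, sizeof sbc_req_pdu, &h, &mt, tlvs, 32, &crc);
    printf("GMH: type=%u CI=%u EKS=%u LEN=%u CID=%u HCS=0x%02x\n",
           h.type, h.ci, h.eks, h.len, h.cid, h.hcs);
    printf("mgmt type %u, %d TLVs, trailer CRC 0x%08x\n", mt, n, crc);
    for (int i = 0; i < n; i++) {
        printf("  TLV type %3u len %2u\n", tlvs[i].type, tlvs[i].len);
        if (tlvs[i].type == 25) {                   /* nested security negotiation TLVs */
            int m = walk_tlvs(tlvs[i].val, tlvs[i].len, sec, 8);
            for (int j = 0; j < m; j++)
                printf("      sub-TLV type %u len %u\n", sec[j].type, sec[j].len);
        }
    }
    return n < 0;
}
```

On the sample this yields type 0, CI=1, LEN=68, CID=102, HCS 0x83, management type 26 and thirteen top-level TLVs (3, 25, 28, 147, 150, 151, 158, 159, 167, 171, 174, 175, 204), with TLV 25 containing four sub-TLVs (3, 4, 5, 6) that a per-type field table such as the one the report blames must map correctly. Feeding the walker a truncated buffer makes it return -1 at the TLV whose length byte no longer fits, which is the refusal a dissector needs in place of the crash described above.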