Wireshark-bugs: [Wireshark-bugs] [Bug 4188] New: DCE RPC dissection fails if multiple ctx were n

Date Prev · Date Next · Thread Prev · Thread Next
Date: Sun, 1 Nov 2009 02:06:52 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4188

           Summary: DCE RPC dissection fails if multiple ctx were negotiated
           Product: Wireshark
           Version: 1.3.x (Experimental)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: nepenthesdev@xxxxxxxxx



Markus <nepenthesdev@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3878|                            |review_for_checkin?
               Flag|                            |


Created an attachment (id=3878)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3878)
the patch

Build Information:
TShark 1.3.0

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.20.1, with libpcap 1.0.0, with libz 1.2.3.3, without POSIX
capabilities, with libpcre 7.8, without SMI, without c-ares, with ADNS, without
Lua, without Python, without GnuTLS, without Gcrypt, with MIT Kerberos, without
GeoIP.

Running on Linux 2.6.28-16-generic, with libpcap version 1.0.0.

Built using gcc 4.4.0 20090419 (prerelease) [gcc-4_4-branch revision 146360].

--
Wireshark fails dissecting dce rpc bind acks, if the bind request had more than
1 ctx.
As the protocol is a mess, and therefore hard to explain, I have a capture,
packet #34 fails to dissect the DCE RPC data, you can enforce dissection by
'decode as' SRVSVC.
If you want the packets, let me know, I'm not attaching by default as they may
contain sensible informations, as the packet capture is a attack backtrace from
a honeypot.

I tracked the problem down to a bug in epan/dissectors/packet-dcerpc.c, and
even created a working patch, which is attached.

Another thing is, it would be easier to spot such bugs if the code was indented
properly, but I'll open another bug for that.
The patch does not try to fix the indenting.

I have wireshark 1.07 and compiled tshark 1.2.2 and 1.3 from source to verify
it is still broken and I'm not wasting my time on a closed bug, and it still
applies to all versions.

The patch attached is for wireshark-1.2.2.tar.gz


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.