Wireshark-bugs: [Wireshark-bugs] [Bug 4381] failed to decode NetFlow v9 packets including a 0 le

Date: Thu, 28 Jan 2010 06:51:03 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4381

--- Comment #4 from Hitoshi Irino <irino@xxxxxxxxxxxxxx> 2010-01-28 06:50:59 PST ---
I apologize that my patch makes a new bug.
packet-netflow.c supports NetFlow v9 (RFC3954) and IPFIX (RFC5101). The Options
Template headers of NetFlow v9 and IPFIX are different. Please check
section 6.1 in RFC3954 and section 3.4.2.2 in RFC5101.

The first 6 bytes in the options template are the same between NetFlow v9 and
IPFIX, but the next 4 bytes are different, as follows:

           | byte 7 and 8        | byte 9 and 10
NetFlow v9 | Option Scope Length | Option Length
IPFIX      | Field Count = N + M | Scope Field Count = N

My patch divides the processing of NetFlow v9 and IPFIX by using the value of
the flowset_id variable.
The variable option_scope_len has the value of Option Scope Length when NetFlow
v9 packets come. On the other hand, it has the value of Field Count when IPFIX
packets come.
The variable option_len has the value of Option Length when NetFlow v9 packets
come; it has the value of Scope Field Count when IPFIX packets come.

+    tplt.count = flowset_id == 1 ? tplt.count = 0 : option_scope_len -
option_len;
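
Review bot: In the IPFIX arm of this assignment, `option_scope_len - option_len` (Field Count minus Scope Field Count) wraps or goes negative when a packet carries a Scope Field Count larger than its Field Count, and nothing in the quoted lines rejects that case; check `option_len <= option_scope_len` before subtracting. The nested `tplt.count = 0` inside the conditional is also redundant, so the NetFlow v9 arm can be a plain `0`.
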
tplt.count stores the number of fields in a template. The number of fields has
to be counted in the for loop when NetFlow v9 packets are decoded. On the other
hand, the IPFIX option template header has Field Count and Scope Field Count.
'option_scope_len - option_len' means 'Field Count(N+M) - Scope Field Count(N)
= M'.

+    if (!v9_template_get(id, &hdrinfo->net_src, hdrinfo->src_id) && option_len
&& option_scope_len && option_len <= V9TEMPLATE_MAX_FIELDS && option_scope_len
<= V9TEMPLATE_MAX_FIELDS) {
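
Review bot: The `<= V9TEMPLATE_MAX_FIELDS` bounds in this condition are applied to `option_len` and `option_scope_len` for both protocols, but for NetFlow v9 those variables hold byte lengths while for IPFIX they hold field counts, so the same limit means different things in each case. Consider branching on `flowset_id` here as well, and add a comment beside the condition stating which unit each variable carries.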

When the template is not registered (meaning v9_template_get returns NULL),
the template has to be registered. Hence I wrote !v9_template_get() instead of
v9_template_get().

The decoded length is used as the condition of the for loop beginning at line
3285 when NetFlow v9 is decoded. On the other hand, the decoded count is used
as the condition for IPFIX.
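
The two header layouts described in the comment above, as an added C example that is not part of the patch or of packet-netflow.c: it parses the 10-byte options template header for either protocol, converts both to scope and option field counts, and rejects an IPFIX Scope Field Count larger than Field Count. The function and type names, the cap of 64 fields and the IPFIX Set ID value 3 (RFC 5101) are assumptions not taken from this page; the 4-byte NetFlow v9 field specifier size is from RFC 3954.

```c
#include <stddef.h>
#include <stdint.h>

/* All names here are hypothetical; none come from packet-netflow.c. */
#define MAX_FIELDS   64  /* assumed cap on fields per template */
#define V9_SPEC_LEN   4  /* NetFlow v9 field spec: type(2) + length(2) */
#define HDR_LEN      10  /* set id, set length, template id, two 16-bit words */

typedef struct {
    uint16_t template_id;
    uint16_t scope_count;   /* N: number of scope fields */
    uint16_t option_count;  /* M: number of non-scope fields */
} opt_tmpl;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the first options template header in a set. 0 = ok, -1 = malformed. */
int parse_opt_tmpl(const uint8_t *buf, size_t len, opt_tmpl *out)
{
    if (len < HDR_LEN) return -1;
    uint16_t set_id  = be16(buf);
    uint16_t set_len = be16(buf + 2);
    uint16_t w1 = be16(buf + 6);  /* bytes 7 and 8  */
    uint16_t w2 = be16(buf + 8);  /* bytes 9 and 10 */
    if (set_len < HDR_LEN || set_len > len) return -1;
    out->template_id = be16(buf + 4);

    if (set_id == 1) {            /* NetFlow v9: both words are byte lengths */
        if (w1 % V9_SPEC_LEN || w2 % V9_SPEC_LEN) return -1;
        if ((uint32_t)w1 + w2 > (uint32_t)(set_len - HDR_LEN)) return -1;
        out->scope_count  = w1 / V9_SPEC_LEN;
        out->option_count = w2 / V9_SPEC_LEN;
    } else if (set_id == 3) {     /* IPFIX: Field Count, then Scope Field Count */
        if (w2 == 0 || w2 > w1) return -1;  /* N must be nonzero and <= N+M */
        out->scope_count  = w2;
        out->option_count = (uint16_t)(w1 - w2);
    } else {
        return -1;                /* not an options template set */
    }
    if (out->scope_count > MAX_FIELDS || out->option_count > MAX_FIELDS) return -1;
    return 0;
}

int main(void)
{   /* constructed sample: IPFIX header, Field Count 3, Scope Field Count 1 */
    const uint8_t s[10] = {0,3, 0,10, 1,1, 0,3, 0,1};
    opt_tmpl t;
    return parse_opt_tmpl(s, sizeof s, &t);
}
```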
