Wireshark-bugs: [Wireshark-bugs] [Bug 5137] New: SSL record reassembly issue

Date: Wed, 25 Aug 2010 04:04:43 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5137

           Summary: SSL record reassembly issue
           Product: Wireshark
           Version: 1.2.1
          Platform: x86-64
        OS/Version: SuSE
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: dpantke@xxxxxxxxxxx


Build Information:
wireshark 1.2.1

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.18.6, with GLib 2.22.4, with libpcap 1.0.0, with libz
1.2.3, with POSIX capabilities (Linux), with libpcre 7.9, with SMI 0.4.5, with
c-ares 1.6.0, with Lua 5.1, with GnuTLS 2.4.1, with Gcrypt 1.4.4, with MIT
Kerberos, with GeoIP, with PortAudio V19-devel (built Oct 24 2009), without
AirPcap.

Running on Linux 2.6.31.12-0.2-desktop, with libpcap version 1.0.0, GnuTLS
2.4.1, Gcrypt 1.4.4.

Built using gcc 4.4.1 [gcc-4_4-branch revision 150839].

--
It appears that SSL record decoding is encountering a problem where the SSL
record header spans TCP segments. In this instance, Wireshark never picks up
the record, and so that, and all subsequent SSL records in the TCP stream, are
listed as a "malformed packet".

Attached is the capture showing the issue. The frame of note is 30722. In this
frame, the SSL decoder has reassembled all of the TCP segments for this record,
but if you examine the end of the record data, you'll see the start of a new
record. However, the last byte of the length header is in frame 30749. Frame
30750 then shows as Malformed Packet, and all further SSL record in the stream
are listed as Malformed.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.