Wireshark-bugs: [Wireshark-bugs] [Bug 6347] New: [ASN.1 PER] Incorrect decoding of BIT STRING ty
Date: Thu, 15 Sep 2011 12:37:03 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6347

           Summary: [ASN.1 PER] Incorrect decoding of BIT STRING type
           Product: Wireshark
           Version: SVN
          Platform: Other
        OS/Version: Windows Vista
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: pascal.quantin@xxxxxxxxx

Created an attachment (id=7025)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7025)
Fix for ASN.1 PER BIT STRING decoding

Build Information:
Version 1.7.0 (SVN Rev 39010 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with Cairo 1.10.2, with Pango 1.28.3, with
GLib 2.26.1, with WinPcap (version unknown), with libz 1.2.5, without POSIX
capabilities, with threads support, with SMI 0.4.8, with c-ares 1.7.1, with Lua
5.1, without Python, with GnuTLS 2.10.3, with Gcrypt 1.4.6, with MIT Kerberos,
with GeoIP, with PortAudio V19-devel (built Sep 11 2011), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2
(packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public License.

Check the man page and http://www.wireshark.org for more information.
--
The current code fails to decode properly the last bits of a BIT STRING type.
Let's take for example this LTE RRC DL DCCH message dump:

    20 06 02 68 3a 10 0a 48 32 03 27 80 00 00 00 01
    82 90 16 08 08 30 f0 33 43 ab 0b bb 2b 48 1b 1b
    7b 68 32 6a 72 19 81 81 88 32 6a 1a 19 a1 b1 80
    22 3a 82 92 98 28 0e a8 60 c8 12 f0 27 f7 f4 f4
    f2 80 5f b3 27 80 04 00 00 08 00 00 1f 83 20 08
    03 53 81 1f 99 c0 32 76 03 ea 05 d1 d4 1c 23 c8
    88 40 17 c3 80 20 0e 51 35 af d0 00 06 c0

It decodes as:

DL-DCCH-Message
  message: c1 (0)
    c1: rrcConnectionReconfiguration (4)
      rrcConnectionReconfiguration
        rrc-TransactionIdentifier: 0
        criticalExtensions: c1 (0)
          c1: rrcConnectionReconfiguration-r8 (0)
            rrcConnectionReconfiguration-r8
              dedicatedInfoNASList: 1 item
                Item 0
                  DedicatedInfoNAS: 07420149064064f000000000305202c101061e0668756177...
              radioResourceConfigDedicated
                srb-ToAddModList: 1 item
                  Item 0
                    SRB-ToAddMod
                      srb-Identity: 2
                      rlc-Config: explicitValue (0)
                        explicitValue: am (0)
                          am
                            ul-AM-RLC
                              t-PollRetransmit: ms45 (8)
                              pollPDU: pInfinity (7)
                              pollByte: kBinfinity (14)
                              maxRetxThreshold: t4 (3)
                            dl-AM-RLC
                              t-Reordering: ms35 (7)
                              t-StatusProhibit: ms0 (0)
                      logicalChannelConfig: explicitValue (0)
                        explicitValue
                          ul-SpecificParameters
                            priority: 3
                            prioritisedBitRate: infinity (7)
                            bucketSizeDuration: ms300 (3)
                            logicalChannelGroup: 0
                drb-ToAddModList: 1 item
                  Item 0
                    DRB-ToAddMod
                      eps-BearerIdentity: 5
                      drb-Identity: 1
                      pdcp-Config
                        discardTimer: ms1500 (6)
                        rlc-UM
                          pdcp-SN-Size: len12bits (1)
                        headerCompression: notUsed (0)
                          notUsed: NULL
                      rlc-Config: um-Bi-Directional (1)
                        um-Bi-Directional
                          ul-UM-RLC
                            sn-FieldLength: size10 (1)
                          dl-UM-RLC
                            sn-FieldLength: size10 (1)
                            t-Reordering: ms50 (10)
                      logicalChannelIdentity: 3
                      logicalChannelConfig
                        ul-SpecificParameters
                          priority: 9
                          prioritisedBitRate: kBps64 (4)
                          bucketSizeDuration: ms300 (3)
                          logicalChannelGroup: 3
                mac-MainConfig: explicitValue (0)
                  explicitValue
                    ul-SCH-Config
                      periodicBSR-Timer: sf10 (1)
                      retxBSR-Timer: sf320 (0)
                    0... .... ttiBundling: False
                    timeAlignmentTimerDedicated: sf2560 (4)
                physicalConfigDedicated
                  cqi-ReportConfig
                    cqi-ReportModeAperiodic: rm31 (4)
                    nomPDSCH-RS-EPRE-Offset: 0
                    cqi-ReportPeriodic: setup (1)
                      setup
                        cqi-PUCCH-ResourceIndex: 2
                        cqi-pmi-ConfigIndex: 3
                        cqi-FormatIndicatorPeriodic: subbandCQI (1)
                          subbandCQI
                            k: 1
                        ri-ConfigIndex: 649
                        ...1 .... simultaneousAckNackAndCQI: True
                  antennaInfo: explicitValue (0)
                    explicitValue
                      transmissionMode: tm4 (3)
                      codebookSubsetRestriction: n2TxAntenna-tm4 (2)
                        n2TxAntenna-tm4: c0 [bit length 6, 2 LSB pad bits, 1100 00.. decimal value 48]
                      ue-TransmitAntennaSelection: release (0)
                        release: NULL
                  schedulingRequestConfig: setup (1)
                    setup
                      sr-PUCCH-ResourceIndex: 0
                      sr-ConfigIndex: 3
                      dsr-TransMax: n32 (3)

The field n2TxAntenna-tm4 (6 bits) is decoded as 110000. But by decoding the
message manually, we can see that the n2TxAntenna-tm4 corresponds to the 4 LSB
of byte 0xAF and the 2 MSB of byte 0xD0. So it should be decoded as 111111.

Following a code review, we can see that the function
new_octet_aligned_subset_bits is buggy:
- the variable remainderval is first used to get the number of MSB needed for
  the last byte (line 223).
- then it is reused to check the buffer length (line 236).
- finally, it is used in line 268 as if it contained the number of MSB needed
  for the last byte.

The attached patch fixes the bug and gets the correct decoding for the
n2TxAntenna-tm4 field.
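
As an added illustration (not part of the original report, and not Wireshark's code or the attached patch), the manual decoding above can be checked with a small C routine that copies an unaligned bit field into left-aligned output. The function names are hypothetical; the count of bits used in the last byte is kept in its own variable and is never reused for the buffer length check.

```c
#include <stddef.h>
#include <stdint.h>

/* Copy no_of_bits bits starting at bit_offset (bit 0 = MSB of buf[0]) into
 * out, left-aligned: the first extracted bit becomes the MSB of out[0] and
 * the unused low bits of the last output byte are zero padding.
 * Returns the number of pad bits (0..7), or -1 if the request does not fit
 * in buf or out. Hypothetical helper written for this example. */
int extract_bit_string(const uint8_t *buf, size_t buf_len, size_t bit_offset,
                       size_t no_of_bits, uint8_t *out, size_t out_len)
{
    size_t out_bytes = (no_of_bits + 7) / 8;
    /* Bits used in the last output byte: dedicated variable, not shared
     * with the bounds arithmetic below. */
    unsigned last_bits = (unsigned)(no_of_bits % 8);
    size_t end_bit = bit_offset + no_of_bits;
    size_t in_bytes_needed = (end_bit + 7) / 8;
    unsigned shift = (unsigned)(bit_offset % 8);
    size_t first = bit_offset / 8;
    size_t i;

    if (end_bit < bit_offset)                      /* size_t wrap-around */
        return -1;
    if (in_bytes_needed > buf_len || out_bytes > out_len)
        return -1;                                 /* would read/write past the end */

    for (i = 0; i < out_bytes; i++) {
        /* 16-bit window straddling the byte boundary, then realign. */
        uint16_t window = (uint16_t)(buf[first + i] << 8);
        if (first + i + 1 < buf_len)
            window |= buf[first + i + 1];
        out[i] = (uint8_t)((window << shift) >> 8);
    }
    if (last_bits != 0)                            /* clear the pad bits */
        out[out_bytes - 1] &= (uint8_t)(0xFF << (8 - last_bits));
    return last_bits ? (int)(8 - last_bits) : 0;
}

/* The two bytes named in the report: 4 LSB of 0xAF followed by the 2 MSB of
 * 0xD0, i.e. bit offset 4 and length 6 within this two-byte slice. */
uint8_t decode_report_field(void)
{
    static const uint8_t bytes[] = { 0xAF, 0xD0 };
    uint8_t out = 0;
    extract_bit_string(bytes, sizeof bytes, 4, 6, &out, 1);
    return out;
}
```

The result is 0xFC (1111 11.. with 2 LSB pad bits), matching the manually decoded 111111 rather than the c0 shown in the dissection.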