https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6414
Summary: Incorrect identification of UDP-encapsulated NAT-keepalive packets
Product: Wireshark
Version: 1.6.2
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: dsm42@xxxxxxxxx
Created an attachment (id=7121)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7121)
packet-ipsec-udp.c.diff
Build Information:
$ wireshark -v
wireshark 1.6.2 (SVN Rev 38931 from /trunk-1.6)
Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with GTK+ 2.12.9, with GLib 2.16.3, with libpcap 0.9.5, with
libz 1.2.3, without POSIX capabilities, without libpcre, with SMI 0.4.8, with
c-ares 1.5.3, with Lua 5.1, without Python, with GnuTLS 2.6.2, with Gcrypt
1.4.3, with MIT Kerberos, without GeoIP, with PortAudio V19-devel (built Nov 14
2008), without AirPcap.
Running on Mac OS 10.5.8 (Darwin 9.8.0), with libpcap version 0.9.5, with libz
1.2.3, GnuTLS 2.6.2, Gcrypt 1.4.3.
Built using gcc 4.0.1 (Apple Inc. build 5488).
--
The packet-ipsec-udp.c dissector incorrectly identifies NAT-keepalive packets
(RFC 3948 section 2.3). The code in the dissector treats any packet whose first
byte is 0xFF as a NAT-keepalive. As a result, ESP packets whose SPI begins with
the byte 0xFF are mis-identified as NAT-keepalive rather than ESP.
Per the RFC, a NAT-keepalive packet has a payload of exactly one octet, with the
value 0xFF.
The attached patch, created against svn trunk revision 35224 (HEAD for this
file at the time of the bug report), corrects the issue by also checking the
payload length when identifying a NAT-keepalive. It also corrects the comment
immediately above that check, which stated that the value 0 (not 0xFF)
identifies a NAT-keepalive.
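The following is an added, stand-alone illustration of the misclassification described above; it is not the attached patch and not Wireshark's dissector code, and it uses a plain buffer-and-length classifier rather than Wireshark's tvb API. It places the defective rule (first octet 0xFF means keepalive) beside the corrected rule (exactly one octet of 0xFF) and runs both over constructed UDP-4500 payloads, including an ESP packet whose SPI starts with 0xFF. The IKE branch, based on the four-octet all-zero non-ESP marker of RFC 3948 section 2.2, is included so the three packet kinds sharing the port can be seen together.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* How a UDP payload arriving on the IPsec NAT-traversal port (UDP 4500)
 * can be classified, following RFC 3948 sections 2.1 to 2.3. */
typedef enum {
    ENCAP_NAT_KEEPALIVE, /* section 2.3: exactly one octet, value 0xFF            */
    ENCAP_IKE,           /* section 2.2: 4-octet all-zero non-ESP marker, then IKE */
    ENCAP_ESP,           /* section 2.1: ESP header, which begins with the SPI    */
    ENCAP_TOO_SHORT      /* shorter than an SPI and not a keepalive               */
} encap_type;

/* Defective heuristic matching the bug report: any payload whose first
 * octet is 0xFF is taken to be a keepalive, regardless of its length. */
encap_type classify_buggy(const uint8_t *buf, size_t len)
{
    if (len >= 1 && buf[0] == 0xFF)
        return ENCAP_NAT_KEEPALIVE;   /* swallows ESP packets with SPI 0xFFxxxxxx */
    if (len < 4)
        return ENCAP_TOO_SHORT;
    if (buf[0] == 0 && buf[1] == 0 && buf[2] == 0 && buf[3] == 0)
        return ENCAP_IKE;
    return ENCAP_ESP;
}

/* Corrected heuristic: the keepalive test also checks the payload length,
 * so a 0xFF first octet in a longer packet falls through to the ESP case. */
encap_type classify_fixed(const uint8_t *buf, size_t len)
{
    if (len == 1 && buf[0] == 0xFF)
        return ENCAP_NAT_KEEPALIVE;
    if (len < 4)
        return ENCAP_TOO_SHORT;
    /* An ESP SPI is never zero (RFC 4303 reserves SPI 0), which is why four
     * zero octets can serve as an unambiguous marker for an IKE message. */
    if (buf[0] == 0 && buf[1] == 0 && buf[2] == 0 && buf[3] == 0)
        return ENCAP_IKE;
    return ENCAP_ESP;
}

/* Constructed sample payloads for the demonstration (not captured traffic). */
static const uint8_t sample_keepalive[] = { 0xFF };
/* ESP: SPI 0xFF000001, sequence number 1, then arbitrary payload octets. */
static const uint8_t sample_esp_spi_ff[] = {
    0xFF, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x01,
    0x6a, 0x1c, 0x93, 0x0e,  0x55, 0x21, 0x7f, 0xb2
};
/* IKE: non-ESP marker followed by the first octets of an IKE header. */
static const uint8_t sample_ike[] = {
    0x00, 0x00, 0x00, 0x00,  0x11, 0x22, 0x33, 0x44,  0x55, 0x66, 0x77, 0x88
};

static const char *encap_name(encap_type t)
{
    switch (t) {
    case ENCAP_NAT_KEEPALIVE: return "NAT-keepalive";
    case ENCAP_IKE:           return "IKE";
    case ENCAP_ESP:           return "ESP";
    default:                  return "too short";
    }
}

int main(void)
{
    printf("%-22s buggy=%-14s fixed=%s\n", "1-octet 0xFF",
           encap_name(classify_buggy(sample_keepalive, sizeof sample_keepalive)),
           encap_name(classify_fixed(sample_keepalive, sizeof sample_keepalive)));
    printf("%-22s buggy=%-14s fixed=%s\n", "ESP, SPI 0xFF000001",
           encap_name(classify_buggy(sample_esp_spi_ff, sizeof sample_esp_spi_ff)),
           encap_name(classify_fixed(sample_esp_spi_ff, sizeof sample_esp_spi_ff)));
    printf("%-22s buggy=%-14s fixed=%s\n", "IKE with non-ESP marker",
           encap_name(classify_buggy(sample_ike, sizeof sample_ike)),
           encap_name(classify_fixed(sample_ike, sizeof sample_ike)));
    return 0;
}
```

The second printed line is the case from the report: the buggy rule labels the 16-octet ESP packet a NAT-keepalive, while the length-checked rule classifies it as ESP. Because SPI values are assigned by the responder and their leading byte is unconstrained, roughly one SA in 256 would have hit this in a real capture, so the symptom would appear as ESP traffic silently vanishing from the decode rather than as an obvious error.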