Wireshark-bugs: [Wireshark-bugs] [Bug 6854] tn3270 dissector: decoding WCC and SF attribute byte
Date: Fri, 6 Apr 2012 14:43:26 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6854 --- Comment #8 from Michael Wojcik <michael.wojcik@xxxxxxxxxxxxxx> 2012-04-06 14:43:25 PDT --- Definitely looks better (and I agree that this dissector was already a substantial piece of work). Issues I noticed in this version: 1. The dissector doesn't recognize a local-mode Read Buffer command. This appears as a record with only a single byte of Telnet data, with the value 02, followed by the Telnet EOR sequence and optionally preceded by the TN3270E five-byte header. So it typically looks like this in the data stream: 00 00 00 00 00 02 ff ef The dissector interprets it as: TN3270 Protocol TN3270E Header (Data Type: 3270_DATA) Bogus value: 2 Command: End of Record which is correct except for the "Bogus value" bit. 2 is a legal 3270 command; it's Read Buffer for locally-attached terminals. (See the IBM 3174 Functional Description, section 2.1.4.) The problem seems to be in dissect_outbound_stream() in tn3270-packet.c, which doesn't include any of the outbound 3270 read commands in its switch statement. 2. The dissector is confused if an escaped 0xff byte appears in some places in the TN3270 data. Since TN3270 is Telnet plus special sauce, 0xff is the Telnet IAC (Interpret As Command) byte and has to be escaped by doubling it in the data stream. I have a test that includes a Read Partition Query command. That test has two cases of escaped 0xff bytes. One is the Partition ID, and the dissector recognizes the doubled 0xff there and handles it. The other, though, is in the Query List, and it causes the dissector to throw an exception and flag it as a malformed packet. The packet ends with a6 ff ff ff ef: query codes a6 and ff, with the latter escaped, followed by the Telnet EOR. The dissector says: ... Query Reply: Implicit Partition (0xa6) [Malformed Packet: TN3270] [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)] [Message: Malformed Packet (Exception occurred)] [Severity level: Error] [Group: Malformed] The query code 0xff is valid - it's the code for "Query Reply (Null)". It appears there's special code to handle the 0xff when it's the Partition ID (in function dissect_read_partition(), where there's an "XXX" comment suggesting that the Telnet base dissector should handle escaped 0xff bytes). I haven't identified the problem with the code, but perhaps the escaped byte is causing the dissector to increment offset one too many times in the loop at the end of dissect_read_partition(). 3. There's a similar escaped-0xff bug when processing a reply from a Read Partition Query. In my case, the terminal emulator responded with, among other things, the Coded Graphic Character Set Identifier 0x000000000006c0ff. Because the last byte is 0xff and it's being sent via Telnet, the 0xff had to be escaped, but the dissector wasn't expecting that and took the second 0xff byte as the start of the next field, leading it to report an unknown Structured Field type. Resolving all of these cases with 0xff escaping may be tricky. If I get a chance, I'll look at the dissector source to see if there's a single place where they could be handled (possibly by doing so in the Telnet dissector, as suggested by that comment in the source). -- Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
- Prev by Date: [Wireshark-bugs] [Bug 7020] Review use of proto_tree_add_text in packet-eap.c
- Next by Date: [Wireshark-bugs] [Bug 6854] tn3270 dissector: decoding WCC and SF attribute bytes incorrectly
- Previous by thread: [Wireshark-bugs] [Bug 6854] tn3270 dissector: decoding WCC and SF attribute bytes incorrectly
- Next by thread: [Wireshark-bugs] [Bug 6854] tn3270 dissector: decoding WCC and SF attribute bytes incorrectly
- Index(es):