https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8004
Summary: Incorrect Decoding for TCAP Abort
Product: Wireshark
Version: 1.8.2
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: vineethvijaysv@xxxxxxxxx
Build Information:
wireshark 1.8.2 (SVN Rev Unknown from unknown)
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with GTK+ 2.22.0, with Cairo 1.10.0, with Pango 1.28.2, with
GLib 2.26.1, with libpcap, with libz 1.2.3.4, without POSIX capabilities,
without SMI, without c-ares, without ADNS, without Lua, without Python, without
GnuTLS, without Gcrypt, without Kerberos, without GeoIP, without PortAudio,
with
AirPcap.
Running on Linux 2.6.35-22-generic, with locale en_IN, with libpcap version
1.1.1, with libz 1.2.3.4, without AirPcap.
Built using gcc 4.4.5.
--
A TCAP abort with user specific reason is being decoded wrongly and resulting
in malformed packet exception.
Relevant ASN specification:
MAP-UserAbortChoice ::= CHOICE {
userSpecificReason [0] NULL,
userResourceLimitation [1] NULL,
resourceUnavailable [2] ResourceUnavailableReason,
applicationProcedureCancellation [3]
ProcedureCancellationReason}
The issue seems to be occurring due to extraction of more data from tvb of
lesser size. To correct the same, following change was made to packet-ber.c
@@ -1147,7 +1146,7 @@
THROW(ReportedBoundsError);
}
- oct = (tvb_length(tvb) == 1)?0:tvb_get_guint8(tvb, offset);
+ oct = tvb_get_guint8(tvb, offset);
offset += 1;
if(!(oct&0x80)) {
The packet decoded correctly , but this led to packet size limited exception.
To correct that, further changes were made to escape sanity checks in
packet-ber.c
@@ -3102,7 +3101,8 @@
else
next_tvb = tvb; /* we didn't make selection on this class/tag
so pass it on */
#endif
- next_tvb = (length_remaining<0)?tvb:tvb_new_subset(tvb, hoffset,
length_remaining, length);
+ next_tvb=tvb_new_subset(tvb, hoffset, length_remaining, length);
+
and
@@ -2100,11 +2099,11 @@
}
/* if we didnt end up at exactly offset, then we ate too many bytes */
- /* if(offset != end_offset) {
+ if(offset != end_offset) {
tvb_ensure_bytes_exist(tvb, offset-2, 2);
cause = proto_tree_add_string_format(tree, hf_ber_error, tvb,
offset-2, 2, "illegal_length", "BER Error: Sequence ate %d too many bytes",
offset-end_offset);
expert_add_info_format(actx->pinfo, cause, PI_MALFORMED, PI_WARN, "BER
Error: too many bytes in Sequence");
- }*/
+ }
Ultimately packet is getting decoded correctly, but would be great if somebody
can suggest the correct way to achieve this.
(Test case capture file attached)
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.