Wireshark-bugs: [Wireshark-bugs] [Bug 8004] New: Incorrect Decoding for TCAP Abort

Date: Tue, 20 Nov 2012 00:33:03 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8004

           Summary: Incorrect Decoding for TCAP Abort
           Product: Wireshark
           Version: 1.8.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Dissection engine (libwireshark)
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: vineethvijaysv@xxxxxxxxx


Build Information:
wireshark 1.8.2 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.0, with Cairo 1.10.0, with Pango 1.28.2, with
GLib 2.26.1, with libpcap, with libz 1.2.3.4, without POSIX capabilities,
without SMI, without c-ares, without ADNS, without Lua, without Python, without
GnuTLS, without Gcrypt, without Kerberos, without GeoIP, without PortAudio,
with AirPcap.

Running on Linux 2.6.35-22-generic, with locale en_IN, with libpcap version
1.1.1, with libz 1.2.3.4, without AirPcap.

Built using gcc 4.4.5.

--
A TCAP abort with a user-specific reason is being decoded wrongly, resulting
in a malformed packet exception.

Relevant ASN specification:
MAP-UserAbortChoice ::= CHOICE {
        userSpecificReason      [0] NULL,
        userResourceLimitation  [1] NULL,
        resourceUnavailable     [2] ResourceUnavailableReason,
        applicationProcedureCancellation        [3] ProcedureCancellationReason}


The issue seems to occur because more data is extracted than the smaller tvb
holds. To correct this, the following change was made to packet-ber.c:
@@ -1147,7 +1146,7 @@
         THROW(ReportedBoundsError);
     }

-    oct = (tvb_length(tvb) == 1)?0:tvb_get_guint8(tvb, offset);
+    oct = tvb_get_guint8(tvb, offset);
     offset += 1;

     if(!(oct&0x80)) {
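
Review bot: The `tvb_length(tvb) == 1` test on the `oct =` line keys on the total buffer length rather than on whether a byte exists at `offset`, and it turns a missing length octet into a length of 0. That makes a truncated element indistinguishable from a validly encoded zero-length one. Suggest keeping the plain `tvb_get_guint8(tvb, offset)` read and, if the one-byte case needs handling, reporting it as malformed instead of assuming zero. The ternary is on the `-` side here, so the hunk reads as removing the workaround; it looks like the diff was generated in the reverse direction and should be regenerated as original versus modified.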

The packet decoded correctly, but this led to a packet size limited exception.
To correct that, further changes were made to escape sanity checks in
packet-ber.c:


@@ -3102,7 +3101,8 @@
             else
                 next_tvb = tvb; /* we didn't make selection on this class/tag
so pass it on */
 #endif
-            next_tvb = (length_remaining<0)?tvb:tvb_new_subset(tvb, hoffset,
length_remaining, length);
+            next_tvb=tvb_new_subset(tvb, hoffset, length_remaining, length);
+
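
Review bot: The `length_remaining<0` branch on the `-` line falls back to the parent `tvb` instead of a subset starting at `hoffset`, so whatever consumes `next_tvb` sees a different byte range than `tvb_new_subset(tvb, hoffset, ...)` would give it. A negative remaining length means the declared length does not fit the buffer; suggest adding a malformed expert item and stopping there rather than substituting the whole buffer. Style: the `+` line drops the spaces around `=` and adds a stray blank line.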


and 

@@ -2100,11 +2099,11 @@
     }

     /* if we didnt end up at exactly offset, then we ate too many bytes */
-   /* if(offset != end_offset) {
+    if(offset != end_offset) {
         tvb_ensure_bytes_exist(tvb, offset-2, 2);
         cause = proto_tree_add_string_format(tree, hf_ber_error, tvb,
offset-2, 2, "illegal_length", "BER Error: Sequence ate %d too many bytes",
offset-end_offset);
         expert_add_info_format(actx->pinfo, cause, PI_MALFORMED, PI_WARN, "BER
Error: too many bytes in Sequence");
-    }*/
+    }
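
Review bot: The `if(offset != end_offset)` block is the only visible report that a Sequence consumed more bytes than its declared length, and the `-` side comments it out entirely. Disabling it hides overlong or inconsistent encodings from the user without fixing the length handling that produces the mismatch; suggest leaving the check active and addressing the cause where the length is read. The direction also looks reversed: the text says the change escapes sanity checks, yet the `+` lines are the ones with the check enabled.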

Ultimately the packet is decoded correctly, but it would be great if somebody
could suggest the correct way to achieve this.

(Test case capture file attached)

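
For reference, a bounds-checked BER header reader that keeps "length octet missing" distinct from "length 0", the distinction the report's first change blurs. This is an added example, not Wireshark code or part of the original report. The helper names, the sample bytes, and the assumption that `userSpecificReason [0] NULL` is implicitly tagged and encodes as `80 00` are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper names; status codes returned by ber_read_header(). */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_UNSUPPORTED = -2, BER_OVERRUN = -3 };

struct ber_hdr { uint8_t tag_class, tag; size_t len, hdr_len; };

/* Constructed sample encodings (not taken from the attached capture). */
static const uint8_t SAMPLE_OK[]    = { 0x80, 0x00 }; /* [0], length 0 (assumed implicit tag) */
static const uint8_t SAMPLE_TRUNC[] = { 0x80 };       /* [0], length octet missing */
static const uint8_t SAMPLE_OVER[]  = { 0x82, 0x01 }; /* [2], claims 1 content byte, none present */

/* Parse identifier + definite length at buf[off] without reading past n. */
int ber_read_header(const uint8_t *buf, size_t n, size_t off, struct ber_hdr *h)
{
    size_t p = off, len = 0;
    if (p >= n) return BER_TRUNCATED;                 /* no identifier octet */
    uint8_t id = buf[p++];
    if ((id & 0x1f) == 0x1f) return BER_UNSUPPORTED;  /* high-tag-number form */
    if (p >= n) return BER_TRUNCATED;                 /* missing length is not length 0 */
    uint8_t oct = buf[p++];
    if (oct & 0x80) {                                 /* long form: oct & 0x7f length octets */
        size_t cnt = oct & 0x7f;
        if (cnt == 0 || cnt > sizeof len) return BER_UNSUPPORTED; /* indefinite or too wide */
        if (cnt > n - p) return BER_TRUNCATED;
        while (cnt--) len = (len << 8) | buf[p++];
    } else {
        len = oct;                                    /* short form */
    }
    if (len > n - p) return BER_OVERRUN;              /* content would run past the buffer */
    h->tag_class = id >> 6;
    h->tag = id & 0x1f;
    h->len = len;
    h->hdr_len = p - off;
    return BER_OK;
}

/* 1 if buf is exactly userSpecificReason [0] NULL, 0 if another element, <0 on error. */
int is_user_specific_reason(const uint8_t *buf, size_t n)
{
    struct ber_hdr h;
    int rc = ber_read_header(buf, n, 0, &h);
    if (rc != BER_OK) return rc;
    return h.tag_class == 2 && h.tag == 0 && h.len == 0 && h.hdr_len == n;
}

int main(void)
{
    return (is_user_specific_reason(SAMPLE_OK, sizeof SAMPLE_OK) == 1 &&
            is_user_specific_reason(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC) == BER_TRUNCATED &&
            is_user_specific_reason(SAMPLE_OVER, sizeof SAMPLE_OVER) == BER_OVERRUN) ? 0 : 1;
}
```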