Wireshark-bugs: [Wireshark-bugs] [Bug 8309] New: When a segment is missing from an SMB2 PDU, sub

Date: Sun, 10 Feb 2013 19:44:53 +0000
Bug ID 8309
Summary When a segment is missing from an SMB2 PDU, subsequent PDUs are not reassembled.
Classification Unclassified
Product Wireshark
Version unspecified
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected]

Build Information:
Version 1.9.0-SVN-47200 (SVN Rev 47200 from /trunk)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities,
without libnl, with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python,
with GnuTLS 2.12.18, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Jan 21 2013), with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap, GnuTLS
2.12.18, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 10.0 build 40219
*******************************************************************************

--
With TCP reassembly enabled, missing frames in a PDU can cause the reported
number of SMB2 calls to be far less than that of v1.8.4 or below. Missing frames
not only keep subsequent (multi-frame) PDUs from being reassembled; nothing
above the NetBIOS header is decoded in that flow.

Cause: In SVN 44542, an ELSE clause was removed from packet-nbns.c at lines
1720-1722: 

    if (tvb_length_remaining(tvb, offset) >= 8
        && tvb_get_guint8(tvb, offset+0) == SESSION_MESSAGE
        && tvb_get_guint8(tvb, offset+5) == 'S'
        && tvb_get_guint8(tvb, offset+6) == 'M'
        && tvb_get_guint8(tvb, offset+7) == 'B') {
        is_cifs = TRUE;
    }
/* Removed without explanation in SVN 44542:
    else {
        is_cifs = FALSE;
    }
*/
    if (is_cifs) {
        flags = 0;
/*
 A bogus value, typically a huge one, gets read here:
*/
        length = tvb_get_ntoh24(tvb, offset + 1);
    } else {
        flags  = tvb_get_guint8(tvb, offset + 1);
        length = tvb_get_ntohs(tvb, offset + 2);
/*
 The following sanity check is not performed, pinfo->desegment_len gets set to
 'length', and at line 2070 of desegment_tcp(), msp->nxtpdu (the ending seq# of
 the PDU) gets set to pinfo->desegment_len.
*/
        if (flags & NBSS_FLAGS_E)
            length += 0x10000;
    }
    if ((flags & (~NBSS_FLAGS_E)) != 0) {
        /*
         * A bogus flag was set; assume it's a continuation.
         */
        goto continuation;
    }

In the attached example capture, 'smb2-subset.cap', pinfo->desegment_len gets
set to 4.8 million bytes in frame 118, which prevents the Write request from
being reassembled at frame 194.

The attached screenshots of the SRT table stats, taken from the *full* capture
in v1.8.4 and v1.9.0, demonstrate how devastating this bug can be.
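To make the framing the report describes concrete, the following is an added Python model of the two NBSS header layouts and of the is_cifs state carried from one PDU to the next. It is not Wireshark's code and not the reporter's; the sample payloads are constructed for the example, not taken from smb2-subset.cap. The `reset_is_cifs` switch restores the removed ELSE clause, so the same input can be walked through both the pre-SVN-44542 behaviour and the behaviour the report describes.

```python
"""Model of NBSS header handling as quoted in the bug report (added example,
not Wireshark's code).  A 4-byte NetBIOS Session Service header precedes each
SMB/SMB2 PDU over TCP port 445/139.  Two layouts exist:

  classic NBSS:  type(1) flags(1) length(2)      -- only flag bit 0x01 (E) is legal
  CIFS/SMB:      type(1) length(3)               -- no flags byte, 24-bit length

The quoted dissector decides between them by peeking for 'SMB' at offsets 5..7
and remembers that decision in is_cifs across the PDUs of one dissection pass.
"""

from dataclasses import dataclass
from typing import List

SESSION_MESSAGE = 0x00   # NBSS message type for a session message
NBSS_FLAGS_E = 0x01      # length-extension flag: add 0x10000 to the 16-bit length


@dataclass
class NbssHeader:
    is_cifs: bool
    flags: int
    length: int           # what the dissector would hand to pinfo->desegment_len
    continuation: bool    # True when a bogus flag bit makes it treat the data as continuation


def parse_nbss_header(buf: bytes, prev_is_cifs: bool, reset_is_cifs: bool) -> NbssHeader:
    """Decode one NBSS header following the quoted code path.

    prev_is_cifs is the value left over from the previous PDU of the same pass.
    reset_is_cifs=True restores the removed ELSE clause (is_cifs goes back to
    False whenever the 'SMB' signature is absent); reset_is_cifs=False lets the
    stale value survive, which is the behaviour the report describes.
    """
    looks_like_smb = (
        len(buf) >= 8
        and buf[0] == SESSION_MESSAGE
        and buf[5:8] == b"SMB"        # matches 0xFF'SMB' (SMB1) and 0xFE'SMB' (SMB2)
    )
    if looks_like_smb:
        is_cifs = True
    elif reset_is_cifs:
        is_cifs = False
    else:
        is_cifs = prev_is_cifs        # stale TRUE leaks into a non-SMB segment

    if is_cifs:
        flags = 0
        length = int.from_bytes(buf[1:4], "big")   # 24-bit length, no flags byte
    else:
        flags = buf[1]
        length = int.from_bytes(buf[2:4], "big")   # 16-bit length after the flags byte
        if flags & NBSS_FLAGS_E:
            length += 0x10000

    # With is_cifs forced on, flags is 0 and this sanity check can never fire.
    continuation = (flags & ~NBSS_FLAGS_E) != 0
    return NbssHeader(is_cifs, flags, length, continuation)


def walk_segments(segments: List[bytes], reset_is_cifs: bool) -> List[NbssHeader]:
    """Feed consecutive TCP payload chunks through the parser, carrying is_cifs
    from one chunk to the next the way a single dissection pass would."""
    results: List[NbssHeader] = []
    is_cifs = False
    for seg in segments:
        hdr = parse_nbss_header(seg, is_cifs, reset_is_cifs)
        results.append(hdr)
        is_cifs = hdr.is_cifs
    return results


# Constructed sample payloads (not from the attached capture):
# 1. A complete SMB2 PDU: type 0, 24-bit length 0x58, then the 0xFE 'SMB' signature.
SMB2_PDU = b"\x00\x00\x00\x58" + b"\xfeSMB" + bytes(0x58 - 4)
# 2. Bytes from the middle of a request whose leading segment was lost.  Byte 0
#    happens to be 0x00, so it passes the SESSION_MESSAGE test, but offsets 5..7
#    are not 'SMB'.  Chosen so the 24-bit misread lands in the millions, the
#    magnitude the report cites for frame 118.
MID_PDU_DATA = b"\x00\x48\x3e\x00\x10\x20\x30\x40" + bytes(56)
# 3. A plain NBSS session message with the E flag set: length 0x0010 + 0x10000.
LONG_NBSS = b"\x00\x01\x00\x10" + bytes(16)


def compare_paths() -> dict:
    """Walk an SMB2 PDU followed by orphaned mid-PDU bytes through both variants."""
    segs = [SMB2_PDU, MID_PDU_DATA]
    fixed = walk_segments(segs, reset_is_cifs=True)
    buggy = walk_segments(segs, reset_is_cifs=False)
    return {
        "fixed_second_length": fixed[1].length,            # 0x3e00, then flagged as continuation
        "fixed_second_continuation": fixed[1].continuation,
        "buggy_second_length": buggy[1].length,            # 0x483e00: 24-bit read of flags+length
        "buggy_second_continuation": buggy[1].continuation,
    }


if __name__ == "__main__":
    for name, value in compare_paths().items():
        print(f"{name}: {value}")
```

The second walk is the failure mode from the report: because is_cifs is still True from the SMB2 PDU, the orphaned bytes are read with the 24-bit CIFS layout, flags stays 0, the bogus-flag check is skipped, and the returned length is the value that would be handed to desegmentation as the number of bytes still to wait for. With the ELSE restored, the same bytes yield a non-zero flags byte and fall through to the continuation path instead.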

