Wireshark-bugs: [Wireshark-bugs] [Bug 8345] New: Malformed IEEE80211 frame triggers DISSECTOR_ASSERT

Date: Sun, 17 Feb 2013 00:38:17 +0000
Bug ID 8345
Summary Malformed IEEE80211 frame triggers DISSECTOR_ASSERT
Classification Unclassified
Product Wireshark
Version 1.9.x (Experimental)
Hardware All
OS All
Status UNCONFIRMED
Severity Minor
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected]

Build Information:
Version 1.9.0-SVN-47696 (SVN Rev 47696 from /trunk)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.10, with Cairo 1.8.6, with Pango 1.30.0, with
GLib 2.32.3, with libpcap, with libz 1.2.3, without POSIX capabilities, without
libnl, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1, without
Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with PortAudio V19-devel (built Aug 12 2012 22:27:54), with AirPcap.

Running on Mac OS X 10.6.8, build 10K549 (Darwin 10.8.0), with locale .UTF-8,
with libpcap version 1.0.0, with libz 1.2.3, GnuTLS 2.12.19, Gcrypt 1.5.0,
without AirPcap.
Intel(R) Core(TM)2 Duo CPU     T9600  @ 2.80GHz

Built using gcc 4.2.1 (Apple Inc. build 5666) (dot 3).

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Riverbed's AirPcap [1] adapters (along with other wifi sniffing tools) can
(optionally) capture not only well-formed wifi packets but malformed wifi
packets, i.e. 802.11 packets that contain an invalid FCS value.

In some cases these malformed frames trigger a DISSECTOR_ASSERT() in proto.c's
proto_item_set_len().  This happens when packet-ieee80211.c's
dissect_ieee80211_mgt() calls packet-ieee80211.c's get_tagged_parameter_tree()
with a "size" parameter value of -1.

The Wireshark message seen appended to the "Info" column text is:
> [Dissector bug, protocol IEEE 802.11: proto.c:4184: failed assertion "length >= 0"]

The attached trace contains eight frames that trigger this DISSECTOR_ASSERT().
All eight of these frames have a Radiotap header that includes the flag "FCS at
end: True".

With packets #1-2 and #4-8 the four octet packet bytes at offsets 0x32-0x35 are
interpreted as the "incorrect" Frame check sequence.

But these same four assumed FCS octets are also interpreted as the first four
octets of the "IEEE 802.11 wireless LAN management frame".

Packet #3 is handled differently because it is two octets shorter than the
other seven packets and falls into dissect_ieee80211_common's "if (has_fcs)"
but "reported_len < 4", so it is processed as "Pretend it doesn't have an FCS."

[1]
http://www.riverbed.com/us/products/cascade/wireshark_enhancements/airpcap.php
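The length bookkeeping the report describes, as an added illustration (this is not Wireshark's code and not the reporter's attachment): a minimal radiotap parser reads the "FCS at end" flag, the FCS is checked as CRC-32 (the checksum 802.11 uses, stored little-endian after the frame), and the tagged-parameter length of a management frame is computed twice, once with unchecked arithmetic that yields the -1 "size" from the report, and once with the checks a dissector needs (treat a frame shorter than four bytes as having no FCS, and refuse a negative tagged-parameter length instead of passing it on). The function names, the simplified length arithmetic and the 48-byte capture are all constructed for this example; only the radiotap and 802.11 constants are real.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RADIOTAP_PRESENT_TSFT  (1u << 0)
#define RADIOTAP_PRESENT_FLAGS (1u << 1)
#define RADIOTAP_F_FCS         0x10u   /* radiotap Flags bit: frame includes FCS */

#define MAC_HDR_LEN      24            /* FC, duration, addr1-3, seq ctrl */
#define FCS_LEN          4
#define BEACON_FIXED_LEN 12            /* timestamp 8 + beacon interval 2 + capability 2 */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* CRC-32 (reflected, poly 0xEDB88320), the algorithm behind the 802.11 FCS. */
uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Parse just enough radiotap to learn the header length and the FCS flag.
 * Only the TSFT and Flags fields are handled; anything else returns -1. */
int radiotap_parse(const uint8_t *buf, size_t len, size_t *hdr_len, int *fcs_at_end) {
    if (len < 8 || buf[0] != 0) return -1;            /* it_version must be 0 */
    uint16_t it_len = le16(buf + 2);
    uint32_t present = le32(buf + 4);
    if (it_len < 8 || it_len > len) return -1;
    if (present & ~(RADIOTAP_PRESENT_TSFT | RADIOTAP_PRESENT_FLAGS)) return -1;
    size_t off = 8;
    if (present & RADIOTAP_PRESENT_TSFT) off = ((off + 7) & ~(size_t)7) + 8;  /* 8-byte aligned */
    *fcs_at_end = 0;
    if (present & RADIOTAP_PRESENT_FLAGS) {
        if (off >= it_len) return -1;
        *fcs_at_end = (buf[off] & RADIOTAP_F_FCS) != 0;
    }
    *hdr_len = it_len;
    return 0;
}

/* Unchecked arithmetic: a frame one byte short of its fixed fields gives -1. */
int naive_tagged_len(size_t frame_len, int fcs_at_end, size_t fixed_len) {
    int body = (int)frame_len - MAC_HDR_LEN - (fcs_at_end ? FCS_LEN : 0);
    return body - (int)fixed_len;
}

typedef struct {
    int has_fcs;     /* an FCS was present and removed from the length */
    int fcs_ok;      /* CRC-32 over the frame matched the trailing FCS */
    int tagged_len;  /* tagged-parameter bytes, or -1 when the frame is malformed */
} mgmt_frame_info;

/* Checked version: strips the FCS only if there is room for one, verifies it,
 * and reports an error rather than a negative tagged-parameter length. */
int analyse_mgmt_frame(const uint8_t *frame, size_t len, int fcs_at_end,
                       size_t fixed_len, mgmt_frame_info *out) {
    memset(out, 0, sizeof *out);
    out->tagged_len = -1;
    if (fcs_at_end && len >= FCS_LEN) {             /* else: pretend it has no FCS */
        out->has_fcs = 1;
        len -= FCS_LEN;
        out->fcs_ok = crc32_ieee(frame, len) == le32(frame + len);
    }
    if (len < MAC_HDR_LEN) return -1;
    size_t body = len - MAC_HDR_LEN;
    if (body < fixed_len) return -1;                /* would have gone negative */
    out->tagged_len = (int)(body - fixed_len);
    return 0;
}

/* Constructed capture (not from the bug's attachment): 9-byte radiotap header
 * with only Flags present (FCS at end), a 24-byte beacon MAC header, 11 body
 * bytes (one short of the 12-byte beacon fixed fields) and an all-zero "FCS". */
const uint8_t sample_capture[] = {
    0x00, 0x00, 0x09, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10,       /* radiotap */
    0x80, 0x00, 0x00, 0x00,                                      /* FC, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,                          /* addr1 */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,                          /* addr2 */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,                          /* addr3 */
    0x10, 0x00,                                                  /* seq ctrl */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x00, 0x01, 0x11,  /* 11 body bytes */
    0x00, 0x00, 0x00, 0x00                                       /* bogus FCS */
};
const size_t sample_capture_len = sizeof sample_capture;

int main(void) {
    size_t rt; int fcs; mgmt_frame_info info;
    if (radiotap_parse(sample_capture, sample_capture_len, &rt, &fcs) != 0) return 1;
    const uint8_t *frame = sample_capture + rt;
    size_t flen = sample_capture_len - rt;
    printf("naive tagged len: %d\n", naive_tagged_len(flen, fcs, BEACON_FIXED_LEN));
    int rc = analyse_mgmt_frame(frame, flen, fcs, BEACON_FIXED_LEN, &info);
    printf("checked: rc=%d has_fcs=%d fcs_ok=%d tagged_len=%d\n",
           rc, info.has_fcs, info.fcs_ok, info.tagged_len);
    return 0;
}
```

For the sample capture the naive arithmetic returns -1 while the checked version reports the frame as malformed with an incorrect FCS; the same 35 bytes followed by their real CRC-32 would pass the FCS check and still be rejected on length, which is the point: FCS validity and length sanity are independent checks, and a dissector has to do the second one before building a subtree.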
