Wireshark-bugs: [Wireshark-bugs] [Bug 10361] New: UDP checksum miscomputed over wrong set of byt

Date: Tue, 12 Aug 2014 00:15:03 +0000
Bug ID 10361
Summary UDP checksum miscomputed over wrong set of bytes due to non-use of UDP.length
Product Wireshark
Version 1.12.0
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Minor
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:
Version 1.12.0 (v1.12.0-0-g4fab41a from master-1.12)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with
GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, without Python, with GnuTLS 3.1.22, with Gcrypt 1.6.0,
without Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 31 2014),
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 3.1.22, Gcrypt 1.6.0, without AirPcap.
AMD Phenom(tm) II P860 Triple-Core Processor, with 3834MB of physical memory.


Built using Microsoft Visual C++ 10.0 build 40219

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The dissector for UDP has been modified in recent versions to parse UDP PDUs
(protocol data units) incorrectly, using the computed size of a conveying IP
payload rather than the EXPLICIT length specified in the UDP header.


http://anonsvn.wireshark.org/wireshark/trunk-1.6/epan/dissectors/packet-udp.c
and
http://anonsvn.wireshark.org/wireshark/trunk-1.8/epan/dissectors/packet-udp.c

show that the UDP PDU length computation used to be:
udph->uh_ulen = udph->uh_sum_cov = tvb_get_ntohs(tvb, offset+4);

I believe it was broken here:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blobdiff;f=epan/dissectors/packet-udp.c;h=5730403cc6e0b8690914c69b6c5999e82f46ec71;hp=800feade14b4340d9d15306e7bb8d333033ad0a6;hb=HEAD;hpb=d803c5bf9cd7722ef82a8213ddfefdcd0c2a1697

+    udph->uh_ulen = pinfo->iplen - pinfo->iphdrlen;
-    udph->uh_ulen = tvb_reported_length(tvb);
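
Review bot: On the `+` line, `uh_ulen` is taken from `pinfo->iplen - pinfo->iphdrlen`, so the UDP length comes from the IP layer and the length field in the UDP header is never consulted. When the IP payload is larger than the PDU, anything computed over `uh_ulen`, the checksum included, covers bytes that are not part of the datagram. Suggest reading the header field as the 1.6/1.8 code quoted above did (`tvb_get_ntohs(tvb, offset+4)`) and comparing it with the IP payload size, so that a difference is flagged rather than silently absorbed.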


This defect turned up during protocol stress testing where the containing IP
payload size was deliberately larger than the actual UDP PDU length.
Admittedly, that is an unusual situation. Nevertheless, since each UDP PDU
explicitly carries its own length, it is an error to use some other measure for
that length.

I suspect that the above change was made by someone who did not want to go to
the trouble of instead raising a dissector alert that the UDP PDU length
differed from the size of the containing IP payload. Yet correct parsing of
UDP, together with an alert that the UDP PDU differs in size from the conveying
payload, is the approach that should be taken.
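
The length mismatch described in this report, as an added example (not code from Wireshark or from the reporter): a constructed 16-byte IP payload carries a UDP PDU whose header length is 12, and the checksum verifies only when summed over those 12 bytes. The addresses, packet bytes and the names `udp_fold`, `udp_check` and `udp_verdict` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: 192.0.2.1 -> 192.0.2.2, UDP.length = 12, IP payload = 16 bytes. */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {192, 0, 2, 2};
static const uint8_t PKT[16] = {
    0x30, 0x39, 0x00, 0x07, 0x00, 0x0C, 0x63, 0xB8,   /* ports, length 12, checksum */
    't', 'e', 's', 't',                               /* the 4-byte UDP payload */
    0xDE, 0xAD, 0xBE, 0xEF };                         /* extra IP payload after the PDU */

/* One's-complement sum of big-endian 16-bit words, odd byte zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    return n ? acc + ((uint32_t)p[0] << 8) : acc;
}

/* Fold the IPv4 pseudo-header plus len bytes of UDP; 0xFFFF means the checksum verifies. */
static uint16_t udp_fold(const uint8_t *src, const uint8_t *dst,
                         const uint8_t *udp, uint16_t len) {
    uint32_t acc = sum16(src, 4, 0);
    acc = sum16(dst, 4, acc) + 17u + len;             /* protocol 17 and UDP length */
    acc = sum16(udp, len, acc);
    while (acc >> 16) acc = (acc & 0xFFFFu) + (acc >> 16);
    return (uint16_t)acc;
}

enum udp_verdict { UDP_OK, UDP_OK_TRAILING, UDP_BAD_LENGTH, UDP_BAD_CHECKSUM };

/* Hypothetical check: the length comes from the UDP header, is bounded by the IP
 * payload, and a size mismatch is reported separately from the checksum result. */
static enum udp_verdict udp_check(const uint8_t *src, const uint8_t *dst,
                                  const uint8_t *ipp, size_t ipp_len) {
    if (ipp_len < 8) return UDP_BAD_LENGTH;
    uint16_t ulen = (uint16_t)(ipp[4] << 8 | ipp[5]);
    if (ulen < 8 || ulen > ipp_len) return UDP_BAD_LENGTH;
    int has_sum = ipp[6] | ipp[7];                    /* zero = no checksum sent (IPv4) */
    if (has_sum && udp_fold(src, dst, ipp, ulen) != 0xFFFF) return UDP_BAD_CHECKSUM;
    return ulen == ipp_len ? UDP_OK : UDP_OK_TRAILING;
}

int main(void) {
    printf("fold over UDP.length (12): 0x%04X\n", (unsigned)udp_fold(SRC, DST, PKT, 12));
    printf("fold over IP payload (16): 0x%04X\n", (unsigned)udp_fold(SRC, DST, PKT, sizeof PKT));
    printf("verdict: %d\n", (int)udp_check(SRC, DST, PKT, sizeof PKT));
    return 0;
}
```
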

