Wireshark-bugs: [Wireshark-bugs] [Bug 10887] New: packet-smcr.c incorrectly dissecting non-smcr

Date: Sat, 24 Jan 2015 02:59:07 +0000
Bug ID: 10887
Summary: packet-smcr.c incorrectly dissecting non-smcr packet.
Product: Wireshark
Version: 1.99.x (Experimental)
Hardware: x86
OS: All
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 13405
Sample trace showing frame (frame 20) incorrectly tagged as SMC-R

Build Information:
Wireshark 1.99.2 (v1.99.2rc0-852-g7ed097c from master)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.8.8, with Pango 1.28.1, with
libpcap, without POSIX capabilities, without libnl, with libz 1.2.3, with GLib
2.28.8, without SMI, without c-ares, without ADNS, with Lua 5.1, with GnuTLS
2.8.5, with Gcrypt 1.4.5, with MIT Kerberos, without GeoIP, without PortAudio,
with AirPcap.

Running on Linux 2.6.32-431.30.1.el6.x86_64, with locale en_US.utf8, with
libpcap version 1.4.0, with libz 1.2.3, with GnuTLS 2.8.5, with Gcrypt 1.4.5,
without AirPcap.
      Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz (with SSE4.2)

Built using gcc 4.4.7 20120313 (Red Hat 4.4.7-4).

--
A coding error in packet-smcr.c: dissect_smcr_tcp_heur() is calling
tvb_memeql() with a size of 1 byte, instead of 4 bytes. This error greatly
increases the chances of flagging a non-SMCR frame as SMCR.

In addition to the bug, a bit definition (Failover Indication) is missing from
the RMBE Control.

Attaching a capture of the mis-identified frame. There is no capture for the
Failover. I noticed this in a code review.

The following patch addresses both issues:

--- packet-smcr.c.orig    2015-01-23 18:14:33.114341666 -0500
+++ packet-smcr.c    2015-01-23 21:29:59.628293591 -0500
@@ -260,6 +260,7 @@
 static int hf_smcr_rmbe_ctrl_urgent_pending = -1;
 static int hf_smcr_rmbe_ctrl_urgent_present = -1;
 static int hf_smcr_rmbe_ctrl_cons_update_requested = -1;
+static int hf_smcr_rmbe_ctrl_failover_validation = -1;
 static int hf_smcr_rmbe_ctrl_peer_conn_state_flags = -1;
 static int hf_smcr_rmbe_ctrl_peer_sending_done = -1;
 static int hf_smcr_rmbe_ctrl_peer_closed_conn = -1;
@@ -726,6 +727,8 @@
             tvb, offset, FLAG_BYTE_LEN, ENC_BIG_ENDIAN);
     proto_tree_add_item(rmbe_ctrl_rw_status_flag_tree,
hf_smcr_rmbe_ctrl_cons_update_requested,
             tvb, offset, FLAG_BYTE_LEN, ENC_BIG_ENDIAN);
+    proto_tree_add_item(rmbe_ctrl_rw_status_flag_tree,
hf_smcr_rmbe_ctrl_failover_validation,
+            tvb, offset, FLAG_BYTE_LEN, ENC_BIG_ENDIAN);
     offset += FLAG_BYTE_LEN;
     rmbe_ctrl_peer_conn_state_flag_item =
         proto_tree_add_item(tree, hf_smcr_rmbe_ctrl_peer_conn_state_flags,
tvb, offset, FLAG_BYTE_LEN, ENC_BIG_ENDIAN);
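Review bot: the added proto_tree_add_item() call will not apply as posted, because the mailer has wrapped it so that the `hf_smcr_rmbe_ctrl_failover_validation,` argument starts in column 0 without a `+` marker (the context lines above and below are wrapped the same way). Please attach the diff as a file instead of pasting it inline. The placement itself looks right: the new item is added at the same offset as the other flag-byte items, before `offset += FLAG_BYTE_LEN`.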
@@ -884,7 +887,7 @@
 dissect_smcr_tcp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
     void *data)
 {
-    if (tvb_memeql(tvb, CLC_MSG_BYTE_0, SMCR_CLC_ID, sizeof(SMCR_CLC_ID) !=
0)) return FALSE;
+    if (tvb_memeql(tvb, CLC_MSG_BYTE_0, SMCR_CLC_ID, sizeof(SMCR_CLC_ID) - 1)
!= 0) return FALSE;
     dissect_smcr_tcp(tvb, pinfo, tree, data);
     return TRUE;
 }
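Review bot: in the replacement line of dissect_smcr_tcp_heur(), `sizeof(SMCR_CLC_ID) - 1` only yields the intended 4 bytes if SMCR_CLC_ID is declared as an array carrying exactly one trailing terminator byte, and that declaration is not visible in this hunk. A named length constant, or a comment at the declaration, would make the dependency explicit and keep the size correct if the declaration changes. Moving `!= 0` outside the call parentheses is the right fix for the 1-byte compare. This line is also mail-wrapped and needs to be resent unwrapped.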
@@ -1369,6 +1372,11 @@
         "smcr.rmbe.ctrl.cons.update.requested",
         FT_BOOLEAN, 8, NULL, 0x10, NULL, HFILL}},

+        { &hf_smcr_rmbe_ctrl_failover_validation, {
+        "Failover Validation Indicator",
+        "smcr.rmbe.ctrl.failover.validation",
+        FT_BOOLEAN, 8, NULL, 0x08, NULL, HFILL}},
+
         { &hf_smcr_rmbe_ctrl_peer_conn_state_flags, {
         "Peer Connection State Flags",
         "smcr.rmbe.ctrl.peer.conn.state.flags",
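Review bot: the new hf entry is labelled "Failover Validation Indicator" while the report text calls the bit "Failover Indication"; please settle on the name the SMC-R specification uses, so the filter name `smcr.rmbe.ctrl.failover.validation` and the label match it. Since the report says there is no capture exercising this bit, please also confirm the 0x08 mask against the specification; it sits directly below the 0x10 used by `smcr.rmbe.ctrl.cons.update.requested`, which is at least consistent with the neighbouring entry.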


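The effect of the misplaced parenthesis described in the report, as an added stand-alone example (not Wireshark code and not part of the original message). `memeql_stub`, `heur_buggy`, `heur_fixed` and `claimed_of_256` are hypothetical names, and the `CLC_ID` bytes are an assumed 4-byte ID with a trailing NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: 4-byte EBCDIC "SMCR" ID plus a trailing NUL. */
static const unsigned char CLC_ID[5] = {0xe2, 0xd4, 0xc3, 0xd9, 0x00};

/* Stand-in for tvb_memeql(): 0 on match, -1 on mismatch or short buffer. */
static int memeql_stub(const unsigned char *buf, size_t len, size_t off,
                       const unsigned char *pat, size_t size)
{
    if (off > len || size > len - off)
        return -1;
    return memcmp(buf + off, pat, size) == 0 ? 0 : -1;
}

/* Pre-patch shape: "!= 0" sits inside the call, so the size argument is
 * the boolean 1 and only the first byte is compared. */
static int heur_buggy(const unsigned char *buf, size_t len)
{
    if (memeql_stub(buf, len, 0, CLC_ID, sizeof(CLC_ID) != 0))
        return 0;   /* not claimed */
    return 1;       /* claimed as SMC-R */
}

/* Patched shape: compare the 4 ID bytes, then test the result. */
static int heur_fixed(const unsigned char *buf, size_t len)
{
    if (memeql_stub(buf, len, 0, CLC_ID, sizeof(CLC_ID) - 1) != 0)
        return 0;
    return 1;
}

/* Count how many constructed payloads {b, 0x11, 0x22, 0x33} are claimed. */
static int claimed_of_256(int (*heur)(const unsigned char *, size_t))
{
    int hits = 0;
    for (int b = 0; b < 256; b++) {
        unsigned char payload[4] = {(unsigned char)b, 0x11, 0x22, 0x33};
        hits += heur(payload, sizeof(payload));
    }
    return hits;
}

int main(void)
{
    printf("buggy claims %d/256, fixed claims %d/256\n",
           claimed_of_256(heur_buggy), claimed_of_256(heur_fixed));
    return 0;
}
```

With the 1-byte compare, any TCP payload whose first byte equals the first ID byte is handed to the SMC-R dissector, including payloads shorter than the ID.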