Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 11477] New: DTLS : reassembly error, protocol DTLS: New fragment overlaps old

Wireshark-bugs: [Wireshark-bugs] [Bug 11477] New: DTLS : reassembly error, protocol DTLS: New fr

Date: Thu, 27 Aug 2015 14:25:17 +0000

Bug ID	11477
Summary	DTLS : reassembly error, protocol DTLS: New fragment overlaps old data
Product	Wireshark
Version	1.12.7
Hardware	x86-64
OS	Windows 7
Status	UNCONFIRMED
Severity	Major
Priority	Medium
Component	Dissection engine (libwireshark)
Assignee	[email protected]
Reporter	[email protected]

Created attachment 13826 [details]
Reassembly error

Build Information:
Version 1.12.7 (v1.12.7-0-g7fc8978 from master-1.12)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with
GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, without Python, with GnuTLS 3.2.15, with Gcrypt 1.6.2,
without Kerberos, with GeoIP, with PortAudio V19-devel (built Aug 12 2015),
with
AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 3.2.15, Gcrypt 1.6.2, without AirPcap.
        Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz, with 3984MB of physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
In attachement file (dtls-pb.pcap), the fragmented handshake Certificate frame
(11 to 15) displays an exception (DTLS : reassembly error, protocol DTLS: New
fragment overlaps old data). But the previous frames (3 to 8) are fine.

After code analysis, the "static void dissect_dtls_handshake" function gets
dtls.handshake.message_seq and the last it used as "id" for insert fd_head in
table via "insert_fd_head(..., id, ...)".

The problem is: there are a dtls.handshake.message_seq for Client to Server and
another for Server to Client. But packet-dtls.c can't make the difference. 

In the pcap sample file there are Server-Client Certificate frames with
dtls.handshake.message_seq with 1 and Client-Server Certificate frames with
dtls.handshake.message_seq with 1 too. So there is a confusion with second
Certificate frames (Client2Server) because fd_head = lookup_fd_head(..., id,
...) return not NULL but the fd_head of first Certificate
frames(Server2Client). An exception is generated with overlap message.

I think "id"=message_seq is not a good key, this id should be a key calculated
with distinguished parameters as udp.srcport + ip.src in order to be sure that
is unique.

You are receiving this mail because:

You are watching all bug changes.

Prev by Date: [Wireshark-bugs] [Bug 8890] DTLS: fix fragment end detection
Next by Date: [Wireshark-bugs] [Bug 11400] Cannot launch GTK+ version of wireshark as a normal user
Previous by thread: [Wireshark-bugs] [Bug 8890] DTLS: fix fragment end detection
Next by thread: [Wireshark-bugs] [Bug 9461] SSL decryption fails on out of order TCP segments
Index(es):
- Date
- Thread