Wireshark-bugs: [Wireshark-bugs] [Bug 12568] New: Wireshark is marking BGP FlowSpec NLRI as malf

Date: Wed, 29 Jun 2016 10:05:54 +0000
Bug ID 12568
Summary Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
Product Wireshark
Version 2.0.4
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 14690 [details]
FlowSpec PCAP

Build Information:
Version 2.0.4 (v2.0.4-0-gdd7746e from master-2.0)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.11.0, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale C, with
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without
AirPcap.
       Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8052MB of
physical memory.


Built using Microsoft Visual C++ 12.0 build 40629

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger
than 239 bytes.

Please see attached PCAP for details. 

it is most probably happening in "static int decode_flowspec_nlri(proto_tree
*tree, tvbuff_t *tvb, gint offset, guint16 afi, packet_info *pinfo)"



this part seems to be wrong:

tot_flow_len = tvb_get_guint8(tvb, offset);2573     
/* if nlri length is greater than 240 bytes, it is encoded over 2 bytes */
/* with most significant nibble all in one. 240 is encoded 0xf0f0, 241 0xf0f1
*/
/* max possible value value is 4095 Oxffff */

if (tot_flow_len >= 240)
{
         len_16 = tvb_get_ntohs(tvb, offset);
         tot_flow_len = len_16 >> 4; /* move 4 bits to the right to remove
first f */
         offset_len = 2;
     } else {
        offset_len = 1;
    }


You are receiving this mail because:
  • You are watching all bug changes.