Wireshark-bugs: [Wireshark-bugs] [Bug 12579] New: TCP: nextseq incorrect if TCP_MAX_UNACKED_SEGM

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Sat, 02 Jul 2016 20:30:50 +0000
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12579

            Bug ID: 12579
           Summary: TCP: nextseq incorrect if TCP_MAX_UNACKED_SEGMENTS
                    exceeded & FIN true
           Product: Wireshark
           Version: 2.0.4
          Hardware: x86
                OS: Mac OS X 10.11
            Status: UNCONFIRMED
          Severity: Normal
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-admin@xxxxxxxxxxxxx
          Reporter: from_wireshark@xxxxxxxxx

Build Information:
Wireshark 2.0.4 (v2.0.4-0-gdd7746e from master-2.0)

Copyright 1998-2016 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
libz 1.2.5, with GLib 2.36.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2,
with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with
QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.5, build 15F34 (Darwin 15.5.0), with locale C, with
libpcap version 1.5.3 - Apple version 54, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).
--
If tcp data payload (tcp.len) is present, FIN is set, and we've
exceeded TCP_MAX_UNACKED_SEGMENTS, then we don't calculate next
sequence number correctly.

The code to consider the FIN already exists, but is inside of an if
statement that is there for an unrelated purpose, checking for
too many unacked segments to suppress adding sequences to the fwd list.

I've pushed my proposed fix for this into the wireshark code submission system:
Change-Id: Idb68cea4b4dcba39461019c08db09367cbfc6d68
at
https://code.wireshark.org/review/#q,Idb68cea4b4dcba39461019c08db09367cbfc6d68,n,z

To generate an demonstration packet, copy and paste this into
the commandline

openssl base64 -d << EOF | \
        gzip -dc | \
        text2pcap - demonstration-invalid-nextseq-packet.pcap
H4sICBAheFcCA3NhbXBsZS1wYWNrZXQuaGV4AJ3YTW6DMBRF4XlWcZfw/hzMcgyF
/S+hmCSt1FF1pCcLKTnPTL4JZmaSrmPOLnNFqtrvw3NRXzU2WZ//mT/Zw8zvrKlS
dqgW1b1ink+NoSjZ+OyN1/OVxec2n2czja59ve85tZeWRZtp3XWc2pq6ydcry5nl
rq3rPOe8F/s9/V6/zZdcQ0fMpTFvq5ktQ+16H/vnXFmb2b+Dn+zJsoVlnWUrywbL
NpbtLPti2cGyE2VuLHOWBcuSZcUy5s2ZN2fenHlz5s2ZN2fenHlz5s2ZN2fegnkL
5i2Yt2DegnkL5i2Yt2DegnkL5i2Yt2DegnkL5i2Yt2DeknlL5i2Zt2TeknlL5i2Z
t2TeknlL5i2Zt2TeknlL5i2Zt2Teinkr5q2Yt2Leinkr5q2Yt2Leinkr5q2Yt2Le
inkr5q2Yt2LeGvPWmLfGvDXmrTFv7ePt9Wnmz7y/1Mx5fAPaUGWSbhIAAA==
EOF

-- 
You are receiving this mail because:
You are watching all bug changes.