Wireshark-bugs: [Wireshark-bugs] [Bug 12122] OCFS2 Dissector does not function properly on Linux

Date: Thu, 01 Sep 2016 20:31:14 +0000

Comment # 6 on bug 12122 from
Any Idea when these fixes will be incorporated into the downloadable wireshark
versions at wwww.wireshark.org (https://www.wireshark.org/download.html)?


(In reply to Makoto Shimamura from comment #5)
> Created attachment 14873 [details]
> Patch for OCFS2 dissector
> 
> Hello, 
> 
> I encountered the same situation with version 2.0.5 built in Linux.
> During analysis with gdb, I found the dissector treats message length in
> "FA55" message as little endian. 
> It is actually big endian (at least in observed packets), so the dissector
> believes the message has very big size and it must reassemble with following
> packets.
> e.g.) Message length 0x0050 is parsed as 0x5000, but the following packets
> are not related to the message at all. Therefore message reconstruction
> fails.
> 
> The attached patch fixes the issue by using tvb_get_ntohs() instead of
> tvb_get_letohs().
> 
> 
> This patch also includes another two fixes.
> First, after I fixed the main problem above, the dissector claims some
> "Proxy AST" and "Convert lock" messages malformed, mistakenly. 
> It is because the dissector tries to obtain LVB data which actually is not
> included in the message.
> So this patch also fixes this by adding code to check LVB-related flags.
> 
> Second is for keepalive req/resp messages that are always shown as "Unknown
> type (0x00)". This patch changes them to "Keepalive Request" and "Keepalive
> Response".
> 
> I also don't have spec of OCFS2 protocol, please confirm and excuse me if
> any mistake.


You are receiving this mail because:
  • You are watching all bug changes.