Wireshark-dev: Re: [Wireshark-dev] SIP heuristics

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 9 Jun 2006 01:05:49 +0200 (CEST)
Hi,

What about the following patch. Limited, but it's a start.

Thanx,
Jaap

On Thu, 8 Jun 2006, Jaap Keuter wrote:

> Hi Lars,
>
> Thanks for picking this up.
>
> What we could do (would help in my situation) is to check if the method
> does contain only valid ASCII characters. If not fail as SIP.
>
> Possible?
>
> Thanx,
> Jaap
>
> On Thu, 8 Jun 2006, Lars Roland wrote:
>
> > Hello Jaap,
> >
> > I just subscribed to this list and discovered your mail in the archive.
> >
> > The request line starts with the Method. Anything before is not SIP and
> > shouldn't be marked as such.
> >
> > Q: Should the heuristics try to discover SIP Packets encapsulated within
> > unknown data?
> > IMO it should only discover SIP Packets, when the tvbuff in question
> > directly starts with a SIP header and contains no unknown leading bytes.
> > The problem here is, that the Request Line starts with the Method, which
> > can contain a lot of different ASCII characters. A heuristic, which
> > detects a SIP Request Line 100% correctly can be very time consuming,
> > because of the complex charset.
> >
> > As you noticed the SIP heuristics are too weak at the moment. IMO we
> > should have strong heuristics, which may not detect all syntactically
> > valid SIP packets, but will never detect false positives. Perhaps we
> > should limit the heuristic detection to known SIP methods.
> >
> > Best regards,
> > Lars
> >
> > From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
> > Date: Wed, 7 Jun 2006 15:32:25 +0200 (CEST)
> >
> > Hi,
> >
> > Now that the dust is settling (until the user community comes barging in
> > ;) let us slowly get back to the real stuff.
> >
> > I've got trouble with SIP heuristics. Currently it tries to see if the
> > packet contains what looks like a few tokens, which are checked to certain
> > criteria. The trouble is that I've got SIP lines packed up in other
> > (binary coded) protocols, which do contain NULL characters. Still the SIP
> > heuristics take that as being part of the request line...... That can't be
> > right, can it? Shouldn't the heuristics take the UDP/TCP payload and take
> > the _zero terminated_ string in there to determine if it is a SIP packet
> > after all?
> >
> > Your thoughts please,
> > Jaap
> >
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
>
>
Index: epan/dissectors/packet-sip.c
===================================================================
--- epan/dissectors/packet-sip.c	(revision 18401)
+++ epan/dissectors/packet-sip.c	(working copy)
@@ -1216,6 +1216,14 @@
 	 */
 	orig_offset = offset;
 	linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
+	if (tvb_strnlen(tvb, offset, linelen) > -1)
+	{
+		/*
+		 * There's a NULL in the line, 
+		 * that's SIP withing another protocol.
+		 */
+		return -2;
+	}
 	line_type = sip_parse_line(tvb, offset, linelen, &token_1_len);
 	if (line_type == OTHER_LINE) {
 		/*
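Review bot: the new comment has a typo ("withing" should be "within") and trailing whitespace after "There's a NULL in the line,"; the brace placement also differs from the surrounding code, which keeps the opening brace on the `if` line (compare `if (line_type == OTHER_LINE) {` just below), so `if (tvb_strnlen(tvb, offset, linelen) > -1) {` would match the file's style. Functionally the check reads correctly: `tvb_strnlen()` returns -1 when no NUL is found within `linelen` bytes, so `> -1` fires exactly when the first line contains a NUL, and returning -2 before `sip_parse_line()` runs means the line is never parsed as a request line. As the cover note says it is limited to the first line; a NUL later in the headers or body would still get through, so a follow-up could apply the same test to the header lines.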
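As an added illustration, not part of the patch or of Wireshark's packet-sip.c, here is a stand-alone C function combining the patch's first-line NUL check with the stricter "known methods only" heuristic Lars proposes; the method whitelist and the requirement that the line end in "SIP/2.0" are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed whitelist of SIP request methods (RFC 3261 core methods plus
 * common extensions); the list is an assumption of this example. */
static const char *const sip_methods[] = {
    "INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS",
    "PRACK", "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER",
    "MESSAGE", "UPDATE", NULL
};

/* Returns 1 if the payload's first line is a SIP request line with a known
 * method and no embedded NUL bytes, otherwise 0. Only the first line is
 * examined, as in the patch; status lines ("SIP/2.0 200 OK") are out of scope. */
int sip_request_line_ok(const unsigned char *buf, size_t len)
{
    size_t linelen = 0;
    while (linelen < len && buf[linelen] != '\n')
        linelen++;
    /* Strip a trailing CR so both CRLF and bare LF line endings are accepted. */
    size_t end = linelen;
    if (end > 0 && buf[end - 1] == '\r')
        end--;
    /* The point of the patch: a NUL inside the line means the SIP text is
     * carried inside some other binary protocol, so do not claim it as SIP. */
    if (memchr(buf, '\0', linelen) != NULL)
        return 0;
    /* Method token ends at the first SP. */
    const unsigned char *sp = memchr(buf, ' ', end);
    if (sp == NULL)
        return 0;
    size_t mlen = (size_t)(sp - buf);
    int known = 0;
    for (int i = 0; sip_methods[i] != NULL; i++) {
        if (strlen(sip_methods[i]) == mlen && memcmp(buf, sip_methods[i], mlen) == 0) {
            known = 1;
            break;
        }
    }
    if (!known)
        return 0;
    /* Request-Line = Method SP Request-URI SP SIP-Version: require the
     * version at the end, with room for at least a one-character URI. */
    static const char ver[] = " SIP/2.0";
    size_t vlen = sizeof(ver) - 1;
    if (end < mlen + 2 + vlen)
        return 0;
    return memcmp(buf + end - vlen, ver, vlen) == 0;
}
```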