Wireshark-dev: [Wireshark-dev] [BUG] Wireshark 1.6.1 improperly parsing 802.11 Beacon

From: Daniel Smith <viscous.liquid@xxxxxxxxx>
Date: Tue, 23 Aug 2011 10:08:37 -0400
Greetings,

Recently my group stumbled on an issue with Wireshark 1.6.1 marking
beacons from one of our AP's as malformed. Upon inspection it was
determine that when parsing the Country IE in the management frame
wireshark would attempt to read the padding character as an additional
entry. In the attached pcap there are two frames from two different
AP's, CW-1a and CW-2a. The frame from CW-1a is the one that gets
marked as malformed. While CW-2a was not flagged malformed, but you
can see in the hex view that the last entry in the Country IE is using
the first two bytes from the vendor tag that follows it.

This has been tested on the following configurations:
Windows XP, Wireshark 1.2.2 - OK
Windows XP, Wireshark 1.6.1 - FAIL
Ubuntu 10.04, Wireshark 1.2.7 - OK
Ubuntu 10.04, Wireshark 1.6.1 - FAIL

This is a non-blocking issue and we just wanted to notify the
wireshark team of the issue we found. So we hope this helps!

V/r,
Daniel P. Smith

Attachment: bad-packets.pcap
Description: Binary data