Wireshark-dev: Re: [Wireshark-dev] [BUG] Wireshark 1.6.1 improperly parsing 802.11 Beacon

From: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Date: Wed, 24 Aug 2011 19:40:04 +0200


On Tue, Aug 23, 2011 at 4:08 PM, Daniel Smith <viscous.liquid@xxxxxxxxx> wrote:
Greetings,

Recently my group stumbled on an issue with Wireshark 1.6.1 marking
beacons from one of our AP's as malformed. Upon inspection it was
determine that when parsing the Country IE in the management frame
wireshark would attempt to read the padding character as an additional
entry. In the attached pcap there are two frames from two different
AP's, CW-1a and CW-2a. The frame from CW-1a is the one that gets
marked as malformed. While CW-2a was not flagged malformed, but you
can see in the hex view that the last entry in the Country IE is using
the first two bytes from the vendor tag that follows it.

This has been tested on the following configurations:
Windows XP, Wireshark 1.2.2 - OK
Windows XP, Wireshark 1.6.1 - FAIL
Ubuntu 10.04, Wireshark 1.2.7 - OK
Ubuntu 10.04, Wireshark 1.6.1 - FAIL

This is a non-blocking issue and we just wanted to notify the
wireshark team of the issue we found. So we hope this helps!

V/r,
Daniel P. Smith
Hi Daniel,

Please open a bug in Bug Tracker  ( https://bugs.wireshark.org/bugzilla/ ) with your sample.
There is big change between Wireshark 1.2.x and 1.6.x in 802.11 dissector

Regards,

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe