I stepped through a DICOM capture multiple times, and the result is a little surprising.
I’ve attached an analysis document to the bug and the minimal .pcapng to reproduce.
To me, it looks like the re-assembly does not work anymore when the TCP traffic has missing frames and retransmits.
At DICOM dissector level I do a plain ‘get more’
pinfo->desegment_len = xxxxxx;
return tvb_captured_length(tvb);
The re-entry happens far too early (and not with the requested amount of bytes). So it’s like it’s losing track.
Therefore I looked closer at the versions affected. And 1.12.13 is o.k., while 2.0.0 is not.
To me the wrong decision happens at line 3077 (v2.5) in packet-tcp.c
Basically, I’m missing one frame, but it still considers seq to be big enough.
desegment_tcp()
..
if (msp && msp->seq <= seq && msp->nxtpdu > seq) {
..
But this area has not changed between 1.12 and 2.0, so it’s higher up. I did not manage to create a debug environment for 1.12 yet to narrow in, and don’t understand packet-tcp well enough.
Now my questions:
- How good is 2.x supposed to be in TCP level reassembly in case of missing packets and retransmits?
- Can anybody help?
Regards
David
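The point of the report is that the quoted range test (`msp->seq <= seq && msp->nxtpdu > seq`) only says whether a segment lies inside the byte span a dissector asked for; it says nothing about whether every byte between the start of the PDU and this segment has actually arrived. The following is an added, constructed C model of that distinction, written for this thread and not taken from Wireshark's packet-tcp.c: `msp_t`, `msp_in_range`, `msp_is_contiguous` and `msp_feed` are hypothetical names, and the sequence numbers (a dissector asking for 3000 bytes from seq 1000, with the frame at seq 2000 lost and later retransmitted) are made up to mirror the scenario described above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of a TCP "multi-segment PDU" (msp) record.
 * Illustrative code for this thread, not Wireshark's own structure, which
 * carries many more fields. */
typedef struct {
    uint32_t seq;    /* TCP sequence number at which the PDU starts */
    uint32_t nxtpdu; /* sequence number at which the next PDU starts
                        (seq + the byte count the dissector requested) */
    uint32_t have;   /* bytes received contiguously from seq so far */
} msp_t;

/* The range test quoted from packet-tcp.c: is this segment inside the msp?
 * It does not say whether the bytes between msp->seq and seq have arrived. */
bool msp_in_range(const msp_t *msp, uint32_t seq)
{
    return msp->seq <= seq && msp->nxtpdu > seq;
}

/* Contiguity test: the segment must start exactly where received data ends. */
bool msp_is_contiguous(const msp_t *msp, uint32_t seq)
{
    return seq == msp->seq + msp->have;
}

/* Result codes for msp_feed(). */
enum { MSP_NOT_OURS = -2, MSP_HOLE = -1, MSP_WAITING = 0,
       MSP_COMPLETE = 1, MSP_DUPLICATE = 2 };

/* Offer one segment [seq, seq+len) to the msp and report what should happen.
 * Only contiguous data advances 'have'; a segment that lands beyond a hole is
 * reported as MSP_HOLE rather than counted, so the dissector is not re-entered
 * until the missing bytes are retransmitted. Bytes past nxtpdu belong to the
 * next PDU and are simply left in 'have' for the caller to split off. */
int msp_feed(msp_t *msp, uint32_t seq, uint32_t len)
{
    uint32_t end_have = msp->seq + msp->have;
    if (!msp_in_range(msp, seq))
        return MSP_NOT_OURS;
    if (seq + len <= end_have)
        return MSP_DUPLICATE;            /* retransmit of data already held */
    if (seq < end_have) {                /* partial overlap: keep the new tail only */
        len -= end_have - seq;
        seq = end_have;
    }
    if (!msp_is_contiguous(msp, seq))
        return MSP_HOLE;                 /* an earlier segment is still missing */
    msp->have += len;
    return (msp->seq + msp->have >= msp->nxtpdu) ? MSP_COMPLETE : MSP_WAITING;
}

static const char *describe(int rc)
{
    switch (rc) {
    case MSP_NOT_OURS:  return "not part of this PDU";
    case MSP_HOLE:      return "in range but NOT contiguous: do not re-enter dissector";
    case MSP_WAITING:   return "contiguous, still waiting for more";
    case MSP_COMPLETE:  return "PDU complete: re-enter dissector";
    case MSP_DUPLICATE: return "duplicate/retransmit of data already held";
    }
    return "?";
}

/* Walk the constructed scenario: dissector asks for 3000 bytes from seq 1000,
 * the frame at seq 2000 is lost, the frame at seq 3000 arrives, then the
 * missing frame is retransmitted and the PDU finally completes. */
int main(void)
{
    msp_t msp = { .seq = 1000, .nxtpdu = 4000, .have = 0 };
    struct { uint32_t seq, len; } frames[] = {
        { 1000, 1000 }, { 3000, 1000 }, { 2000, 1000 }, { 3000, 1000 }, { 2000, 1000 }
    };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        bool in_range = msp_in_range(&msp, frames[i].seq);
        bool contig   = msp_is_contiguous(&msp, frames[i].seq);
        int rc = msp_feed(&msp, frames[i].seq, frames[i].len);
        printf("frame seq=%u len=%u: in_range=%d contiguous=%d have=%u -> %s\n",
               frames[i].seq, frames[i].len, in_range, contig, msp.have, describe(rc));
    }
    return 0;
}
```

Running the walk shows the second frame (seq 3000) passing `msp_in_range` while `msp_is_contiguous` is false, which is exactly the situation where a reassembler that relies on the range test alone would hand the dissector a buffer with a hole in it and re-enter it early. Real TCP reassembly also has to buffer the out-of-order segment rather than discard it; this model only flags the hole, which is enough to show which check distinguishes the two cases.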