Wireshark-users: [Wireshark-users] [BUG] BJNP protocol (maybe overflow)

From: Ershov Pavel <owner.mad.epa@xxxxxxxxx>
Date: Sat, 9 Jan 2010 15:46:08 +0300
If you send a packet protocol BJNP (which sends CUPS), then wireshrk displays
it incorrectly. When sending multiple identical packets, displaying changes.

To reproduce this situation, you can use the following code:

    #include <pcap.h>

    int send_packet(unsigned char *data, int len)
    {
      char *dev = "eth2";
      char *errbuf;

      pcap_t *open_live =  pcap_open_live(dev, 65535, 1, 1000, errbuf);
      pcap_sendpacket(open_live, data, len);

      return 0;
    }

    int main(int argc, char *argv[])
    {
      unsigned char bjnp_bad[] =
        "\xff\xff\xff\xff\xff\xff\x0a\x00\x27\x00\x00\x00\x08\x00\x45\x00"
        "\x00\x2c\x00\x00\x40\x00\x40\x11\x48\x70\xc0\xa8\x38\x01\xc0\xa8"
        "\x38\xff\x8b\x5a\x21\xa3\x00\x18\xce\xd2\x42\x4a\x4e\x50\x01\x01"
        "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00";

      send_packet(bjnp_bad, sizeof(bjnp_bad));

      return 0;
    }


Wireshrk displays them in a way (all packets identical):

http://img94.imageshack.us/img94/4608/wireshrk.png


Sorry for my bad english.

Version 1.2.1

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.12, with GLib 2.16.6, with libpcap 1.0.0, with libz
1.2.3, with POSIX capabilities (Linux), with libpcre 7.7, without SMI, without
c-ares, without ADNS, without Lua, with GnuTLS 2.6.2, with Gcrypt 1.4.0, without
Kerberos, with GeoIP, without PortAudio, without AirPcap.

Running on Linux 2.6.29.5-smp, with libpcap version 1.0.0, GnuTLS 2.8.4, Gcrypt
1.4.4.

Built using gcc 4.2.4.