Ethereal-dev: [Ethereal-dev] [Fwd: Bug in socks (4) - wrong / no dissection of SOCKS v4a infor

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Yaniv Kaul <ykaul@xxxxxxxxxxxx>
Date: Tue, 01 Jun 2004 17:41:38 +0200
I'd appreciate if this can be checked in, or rejected if there's a problem with it.

-------- Original Message --------
Subject: Bug in socks (4) - wrong / no dissection of SOCKS v4a information - partial patch
Date: 	Mon, 16 Feb 2004 10:54:47 +0200
From: 	Yaniv Kaul <ykaul@xxxxxxxxxxxx>
To: 	Ethereal ' <ethereal-dev@xxxxxxxxxxxx>



1. There's no dissection of the domain name, if the remote address is 0.0.0.x (i.e., using SOCKS 4a) 2. The remote address in subsequent packets remains 0.0.0.x, although it should have been switched to the remote address replied by the server.

Attached pleae find a patch against current CVS to the first problem, the second is messier. I'd be happy if someone can also take a look at the patch and comment. I'm not sure it's complete.

SOCKS v4a is documented in http://www.socks.nec.com/protocol/socks4a.protocol.



--- packet-socks.orig.c	2004-02-16 10:44:56.000000000 +0200
+++ packet-socks.c	2004-02-16 10:50:30.000000000 +0200
@@ -118,6 +118,7 @@
 static int hf_socks_ip_dst = -1;
 static int hf_socks_ip6_dst = -1;
 static int hf_user_name = -1;
+static int hf_v4a_dns_name = -1;
 static int hf_socks_dstport = -1;
 static int hf_socks_cmd = -1;
 static int hf_socks_results = -1;
@@ -457,6 +458,8 @@
 
 
 	guint command;
+	unsigned char ipaddr[4];
+	guint username_len;
 
 					/* Display command from client */
 	if (compare_packet( hash_info->connect_row)){
@@ -477,6 +480,7 @@
 		offset += 2;
 
 						/* Do destination address */
+		tvb_memcpy(tvb, ipaddr, offset, 4);
 		proto_tree_add_item( tree, hf_socks_ip_dst, tvb, offset,
 				4, FALSE);
 
@@ -486,9 +490,13 @@
 /* Should perhaps do TCP reassembly as well */
 		if ( tvb_offset_exists(tvb, offset)) {
 						/* display user name 	*/
+			username_len = tvb_strsize(tvb, offset);
 			proto_tree_add_string( tree, hf_user_name, tvb, offset,
 				tvb_strsize(tvb, offset),
 				tvb_get_ptr(tvb, offset, -1));
+			offset += username_len;
+			if(ipaddr[0] == 0 && ipaddr[1] == 0 && ipaddr[2]==0 && ipaddr[3] !=0) /* 0.0.0.x , where x!=0 means v4a support */
+				proto_tree_add_string( tree, hf_v4a_dns_name, tvb, offset, tvb_strsize(tvb, offset), tvb_get_ptr(tvb, offset, -1));
 		}
 
 	}
@@ -1151,6 +1159,10 @@
                 		 NULL, 0x0, "", HFILL
                 	}
                 },
+		{ &hf_v4a_dns_name,
+			{ "SOCKS v4a Remote Domain Name", "socks.v4a_dns_name", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL
+			}
+		},
 		{ &hf_socks_dstport,
 			{ "Remote Port", "socks.dstport", FT_UINT16,
 				BASE_DEC, NULL, 0x0, "", HFILL