Wireshark-bugs: [Wireshark-bugs] [Bug 1722] New: TCP reassembly missing payload of FIN packet, w
Date: Wed, 1 Aug 2007 18:25:30 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1722

           Summary: TCP reassembly missing payload of FIN packet, when
                    DESEGMENT_UNTIL_FIN is set
           Product: Wireshark
           Version: 0.99.6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: sunyin51@xxxxxxxxx


Build Information:
Version 0.99.6

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.8.10, with GLib 2.8.5, with libpcap 0.9.4, with libz
1.2.3,
with libpcre 6.4, without Net-SNMP, without ADNS, without Lua, with GnuTLS
1.2.10, with Gcrypt 1.2.2, with MIT Kerberos, without PortAudio, without
AirPcap.

Running on Linux 2.6.16.27-0.9-smp, with libpcap version 0.9.4.

Built using gcc 4.1.0 (SUSE Linux).
--
TCP reassembly missing payload of FIN packet, when DESEGMENT_UNTIL_FIN is set.

When a subdissector on top of TCP set   
   if (pinfo->can_desegment) {
        pinfo->desegment_len = DESEGMENT_UNTIL_FIN;
        return;
    }

then the subdissector should receive the whole reassembled TCP stream in tvb.
But the bug is it is missing the last payload from the FIN packet. Yes FIN
packet may contains some data.

Is this by design? or by mistake? 

suggested fix,
Inside packet-tcp.c function dissect_tcp, around line 2899
inside of 
  if( (tcph->th_flags & TH_FIN)
  &&  (tcpd->fwd->flags&TCP_FLOW_REASSEMBLE_UNTIL_FIN) ){
then inside of 
    if(msp){

      ipfd_head = fragment_add(tvb, offset, pinfo, msp->first_frame,
                        tcp_fragment_table,
                        tcph->th_seq - msp->seq,
                        tcph->th_seglen,
                        FALSE );
then inside of 
      if(ipfd_head){

        next_tvb = tvb_new_real_data(ipfd_head->data, ipfd_head->datalen,
ipfd_head->datalen);


-------------- patch snippet -------------
@@ -2897,10 +2890,10 @@
     if(msp){
       fragment_data *ipfd_head;

-      ipfd_head = fragment_add(tvb, offset-1, pinfo, msp->first_frame,
+      ipfd_head = fragment_add(tvb, offset, pinfo, msp->first_frame,
                        tcp_fragment_table,
                        tcph->th_seq - msp->seq,
-                       1,
+                       tcph->th_seglen,
                        FALSE );
       if(ipfd_head){
         tvbuff_t *next_tvb;
@@ -2908,7 +2901,7 @@
         /* create a new TVB structure for desegmented data
          * datalen-1 to strip the dummy FIN byte off
          */
-        next_tvb = tvb_new_real_data(ipfd_head->data, ipfd_head->datalen-1,
ipfd_head->datalen-1);
+        next_tvb = tvb_new_real_data(ipfd_head->data, ipfd_head->datalen,
ipfd_head->datalen);

         /* add this tvb as a child to the original one */
         tvb_set_child_real_data_tvbuff(tvb, next_tvb);


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.