Wireshark-bugs: [Wireshark-bugs] [Bug 2687] New: Failure to dissect long SASL wrapped LDAP respo
Date: Sun, 6 Jul 2008 02:23:37 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2687

           Summary: Failure to dissect long SASL wrapped LDAP response
           Product: Wireshark
           Version: 1.0.1
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: mykaul@xxxxxxxxx


Created an attachment (id=1965)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=1965)
packet-ldap.c.diff

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
Wireshark 1.0.0, win32, fails to de-segment (TCP level?) and properly dissect a
pretty long (229959 bytes entire conversation) SASL wrapped LDAP response.
Regretfully, I cannot share the capture, but the first packet that is not
desgemented or dissected in any way (just shows as TCP payload) is (partial):
0000   00 1a 4a 16 45 5b 00 e0 81 58 df d2 08 00 45 00  ..J.E[...X....E.
0010   05 dc 0a 32 40 00 7f 06 b6 5f ac 12 00 0a ac 12  ...2@...._......
0020   dd 5b 01 85 04 6f 45 8d a8 34 af 22 1e e4 50 10  .[...oE..4."..P.
0030   fc 6b f5 dc 00 00 00 03 6c c9 60 83 03 6c c4 06  .k......l.`..l..
0040   09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 ff ff  .*.H............
0050   ff ff 08 ae f4 9e f4 35 2f ce dc d3 82 f1 55 e9  .......5/.....U.
0060   31 69 c4 2b 93 b2 85 fc 80 14 30 84 00 03 6c 7c  1i.+......0...l|
0070   02 01 31 64 84 00 03 6c 73 04 40 43 4e 3d 41 67  ..1d...ls.@CN=Ag
0080   67 72 65 67 61 74 65 2c 43 4e 3d 53 63 68 65 6d  gregate,CN=Schem
...
Notice from offeset 0x36 (after the TCP header) - the size of the SASL buffer
is 00 03 6c c9 (224457 bytes), then the usual LDAP ASN.1: 0x60, then 0x83, (3
bytes of length which is now 0x36cc4 -> correctly 5 bytes less than the SASL
buffer, followed by the Kerberos 5 OID, and so on.
Please note that previos LDAP request and responses were nicely dissected. It's
just this long response that doesn't play nice. The unbind request at the end
of all this also looks nice.

that may explain it (from packet-ldap.c) marked with bold/italic/underline:

/* check for a SASL header, i.e. assume it is SASL if 
         * 1, first four bytes (SASL length) is an integer 

         *    with a value that must be <64k and >2
         *    (>2 to fight false positives, 0x00000000 is a common
         *        "random" tcp payload)
         * (no SASL ldap PDUs are ever going to be >64k in size?)

         *
         * 2, we must have a conversation and the auth type must
         *    be LDAP_AUTH_SASL
         */
        sasl_len=tvb_get_ntohl(tvb, 0);

        if( sasl_len<2 ){
                goto this_was_not_sasl;

        }

        if( sasl_len>65535 ){
                goto this_was_not_sasl;
        }


Apparently, the above assumption is wrong.

Please find attached patch against SVN 25526 to fix the problem. My >64K
capture is working fine with it. The fix:
1. Defines LDAP_SASL_MAX_BUF to 4*64*1024 - in packet-ldap.h
2. Uses it - in packet-ldap.c instead of the hard-coded 65535 value below.
3. Documents this in the comments.

It's obviously incomplete, in the sense that SASL buffers probably may be
bigger than my above 4*64K, but it fixes my issue and leaves room for fixing it
in a general manner.

Comments are welcome


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.