Wireshark-bugs: [Wireshark-bugs] [Bug 4188] New: DCE RPC dissection fails if multiple ctx were negotiated
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4188
Summary: DCE RPC dissection fails if multiple ctx were negotiated
Product: Wireshark
Version: 1.3.x (Experimental)
Platform: All
OS/Version: All
Status: NEW
Severity: Major
Priority: Medium
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: nepenthesdev@xxxxxxxxx
Markus <nepenthesdev@xxxxxxxxx> changed:
What                  | Removed | Added
----------------------+---------+--------------------
Attachment #3878 Flag |         | review_for_checkin?
Created an attachment (id=3878)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3878)
the patch
Build Information:
TShark 1.3.0
Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.20.1, with libpcap 1.0.0, with libz 1.2.3.3, without POSIX
capabilities, with libpcre 7.8, without SMI, without c-ares, with ADNS, without
Lua, without Python, without GnuTLS, without Gcrypt, with MIT Kerberos, without
GeoIP.
Running on Linux 2.6.28-16-generic, with libpcap version 1.0.0.
Built using gcc 4.4.0 20090419 (prerelease) [gcc-4_4-branch revision 146360].
--
Wireshark fails to dissect DCE RPC bind acks if the bind request had more than
1 ctx.
As the protocol is a mess, and therefore hard to explain, I have a capture:
packet #34 fails to dissect the DCE RPC data; you can enforce dissection with
'decode as' SRVSVC.
If you want the packets, let me know; I'm not attaching them by default as they
may contain sensitive information, as the packet capture is an attack backtrace
from a honeypot.
I tracked the problem down to a bug in epan/dissectors/packet-dcerpc.c, and
even created a working patch, which is attached.
Another thing is, it would be easier to spot such bugs if the code were indented
properly, but I'll open another bug for that.
The patch does not try to fix the indenting.
I have Wireshark 1.07 and compiled TShark 1.2.2 and 1.3 from source to verify
it is still broken and that I'm not wasting my time on a closed bug, and it
still applies to all versions.
The patch attached is for wireshark-1.2.2.tar.gz
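The bind/bind_ack pairing this report is about, as an added Python example that is not part of the bug report and not Wireshark's packet-dcerpc.c: it parses a bind PDU carrying two presentation contexts and the matching bind_ack, walks every entry of the p_result_list instead of only the first, and keeps the contexts the server accepted. That map from context id to abstract syntax is the association state a dissector needs to pick the right interface (here SRVSVC) for the request PDUs that follow. PDU layouts follow the DCE 1.1 RPC specification (C706); the builders, the sample exchange and the second interface UUID are constructed for the example, while the SRVSVC and NDR UUIDs are the real well-known values.

```python
import struct
import uuid

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"   # srvsvc interface, version 3.0
NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"    # NDR transfer syntax, version 2.0
NULL_SYNTAX = "00000000-0000-0000-0000-000000000000"   # transfer syntax reported for rejected contexts
OTHER_IFACE = "11111111-2222-3333-4444-555555555555"   # constructed placeholder, not a real interface

PTYPE_BIND = 11
PTYPE_BIND_ACK = 12
HDR_LEN = 16               # common PDU header length
RESULT_ACCEPTANCE = 0      # p_cont_def_result_t: acceptance


def _endian(drep0):
    # packed_drep[0] bit 4 set => little-endian integer representation
    return "<" if drep0 & 0x10 else ">"


def parse_header(pdu):
    if len(pdu) < HDR_LEN:
        raise ValueError("PDU shorter than the common header")
    rpc_vers, _minor, ptype, _flags = struct.unpack_from("BBBB", pdu, 0)
    e = _endian(pdu[4])
    frag_length, auth_length, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if rpc_vers != 5 or frag_length > len(pdu):
        raise ValueError("bad RPC version or truncated fragment")
    return {"ptype": ptype, "endian": e, "call_id": call_id, "auth_length": auth_length}


def _syntax_id(e, pdu, off):
    # p_syntax_id_t: 16-byte UUID in the drep byte order, then a u32 version
    raw = pdu[off:off + 16]
    u = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
    (version,) = struct.unpack_from(e + "I", pdu, off + 16)
    return (str(u), version)


def parse_bind(pdu):
    """Return {p_cont_id: {'abstract': (uuid, ver), 'transfer': [(uuid, ver), ...]}} in wire order."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_BIND:
        raise ValueError("not a bind PDU")
    e = hdr["endian"]
    off = HDR_LEN + 8                     # skip max_xmit_frag, max_recv_frag, assoc_group_id
    (n_ctx,) = struct.unpack_from("B", pdu, off)
    off += 4                              # n_context_elem + reserved + reserved2
    contexts = {}
    for _ in range(n_ctx):
        ctx_id, n_ts, _res = struct.unpack_from(e + "HBB", pdu, off)
        off += 4
        abstract = _syntax_id(e, pdu, off)
        off += 20
        transfers = []
        for _ in range(n_ts):
            transfers.append(_syntax_id(e, pdu, off))
            off += 20
        contexts[ctx_id] = {"abstract": abstract, "transfer": transfers}
    return contexts


def parse_bind_ack(pdu):
    """Return the whole p_result_list as [{'result', 'reason', 'transfer'}], one entry per context."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_BIND_ACK:
        raise ValueError("not a bind_ack PDU")
    e = hdr["endian"]
    off = HDR_LEN + 8
    (sec_addr_len,) = struct.unpack_from(e + "H", pdu, off)
    off += 2 + sec_addr_len               # port_any_t: length + string
    off = (off + 3) & ~3                  # p_result_list starts on a 4-byte boundary
    (n_results,) = struct.unpack_from("B", pdu, off)
    off += 4                              # n_results + reserved + reserved2
    results = []
    for _ in range(n_results):
        result, reason = struct.unpack_from(e + "HH", pdu, off)
        results.append({"result": result, "reason": reason, "transfer": _syntax_id(e, pdu, off + 4)})
        off += 24
    return results


def negotiated_contexts(bind_pdu, bind_ack_pdu):
    """Pair each requested context with the result at the same position; keep the accepted ones."""
    contexts = parse_bind(bind_pdu)
    results = parse_bind_ack(bind_ack_pdu)
    if len(results) != len(contexts):
        raise ValueError("bind_ack carries %d results for %d contexts" % (len(results), len(contexts)))
    return {ctx_id: ctx["abstract"]
            for (ctx_id, ctx), res in zip(contexts.items(), results)
            if res["result"] == RESULT_ACCEPTANCE}


# Builders for the constructed sample PDUs (these are not captured packets).
def _header(e, ptype, call_id, body_len):
    drep = b"\x10\x00\x00\x00" if e == "<" else b"\x00\x00\x00\x00"
    return struct.pack("BBBB", 5, 0, ptype, 0x03) + drep + struct.pack(e + "HHI", HDR_LEN + body_len, 0, call_id)


def _pack_syntax(e, uuid_str, version):
    u = uuid.UUID(uuid_str)
    return (u.bytes_le if e == "<" else u.bytes) + struct.pack(e + "I", version)


def build_bind(call_id, contexts, e="<"):
    body = struct.pack(e + "HHI", 4280, 4280, 0) + struct.pack(e + "BBH", len(contexts), 0, 0)
    for ctx_id, abstract, transfers in contexts:
        body += struct.pack(e + "HBB", ctx_id, len(transfers), 0) + _pack_syntax(e, *abstract)
        for t in transfers:
            body += _pack_syntax(e, *t)
    return _header(e, PTYPE_BIND, call_id, len(body)) + body


def build_bind_ack(call_id, sec_addr, results, e="<"):
    addr = sec_addr.encode() + b"\x00"
    body = struct.pack(e + "HHI", 4280, 4280, 0x1234) + struct.pack(e + "H", len(addr)) + addr
    body += b"\x00" * (-len(body) % 4) + struct.pack(e + "BBH", len(results), 0, 0)
    for result, reason, transfer in results:
        body += struct.pack(e + "HH", result, reason) + _pack_syntax(e, *transfer)
    return _header(e, PTYPE_BIND_ACK, call_id, len(body)) + body


# Constructed exchange: two contexts requested; the server rejects ctx 0 and accepts SRVSVC in ctx 1.
SAMPLE_BIND = build_bind(1, [(0, (OTHER_IFACE, 1), [(NDR_SYNTAX, 2)]),
                            (1, (SRVSVC_UUID, 3), [(NDR_SYNTAX, 2)])])
SAMPLE_BIND_ACK = build_bind_ack(1, "135", [(2, 1, (NULL_SYNTAX, 0)),    # provider_rejection, reason 1
                                            (0, 0, (NDR_SYNTAX, 2))])    # acceptance

if __name__ == "__main__":
    print(negotiated_contexts(SAMPLE_BIND, SAMPLE_BIND_ACK))   # {1: ('4b324fc8-1670-01d3-1278-5a47bf6ee188', 3)}
```

The only state worth keeping from the exchange is the per-context-id map returned by negotiated_contexts; a dissector that stops after the first result, or keys on the wrong slot, ends up with no interface for ctx 1 and leaves the later SRVSVC requests undissected, which is the symptom the report describes for packet #34.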