Wireshark-bugs: [Wireshark-bugs] [Bug 4894] New: wlan_mgt.tag.interpretation triggers Gtk-ERROR
Date: Sun, 20 Jun 2010 14:09:07 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4894

           Summary: wlan_mgt.tag.interpretation triggers Gtk-ERROR **:
                    Byte index 6 is off end of the line aborting...
           Product: Wireshark
           Version: SVN
          Platform: Other
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: jyoung@xxxxxxx


Created an attachment (id=4809)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4809)
Bad Wifi frame in Wildpackets format

Build Information:
Version 1.5.0 (SVN Rev 33256 from /trunk)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.16.6, (32-bit) with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with
SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.8.5,
with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel
(built Jun 19 2010), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.1
(packet.dll version 4.1.0.1753), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, with AirPcap 4.1.0 build 1622.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.

--
Wireshark will crash with the following message:

>   Gtk-ERROR **: Byte index 6 is off the end of the line
>   aborting...

This crash is triggered when selecting the "Tag interpretation" field
(wlan_mgt.tag.interpretation) of the last of the three "Tagged parameters" from
either of the attached single frame trace files (badone.apc or badone.pcap).

The original trace file, badone.apc, was created with Wildpackets' Omnipeek
Personal.  The second trace file, badone.pcap, was created using Wireshark's
Save as feature.

The source of the crash is that the last Tagged parameter, the "DS Parameter
set: Current Channel: 54" item, has a tag length of 96 but the frame does not
in fact have enough bytes to satisfy the implied 96 byte length request.  

This particular frame was extracted from a bigger trace file using the display
filter:

  wlan_mgt.tag.interpretation == "Current Channel: 54" && !wlan.channel == 54

This filter was created to help find examples of channel bleed --- where a
radio broadcasting on one channel (the value of the
wlan_mgt.tag.interpretation) is received by another radio (the sniffer) tuned
to a different channel (the value of the wlan.channel).   

NOTE: What is not apparent in the badone.pcap version of the trace file is that
this particular wifi frame suffered from a CRC error (wlan.fcs_good == false).
The process of translating this trace file from the original "WildPackets
Ether/AiroPeek (V9)" format in badone.apc to "Wireshark/tcpdump/... - libpcap"
format in badone.pcap lost some critical information, including the state of
the FCS.

Interestingly, the source of this particular crash and the usability differences
between the two trace file formats present several learning opportunities for
both authors of dissectors (how to robustly handle the lack of expected data)
and users of the Wireshark tool-set (wireshark, tshark, editcap, etc.) as
pertains to naively converting from one trace file format to another without
considering the implications of the conversion.

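An added example, not part of the original report and not Wireshark's dissector code: a bounds-checked walk over 802.11 tagged parameters that flags a tag whose declared length runs past the captured bytes, as the 96-byte DS Parameter set described above does. The names `walk_tags` and `tag_info` are hypothetical, and the sample bytes are constructed rather than taken from the attached capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_DS_PARAMETER 3   /* 802.11 element ID for "DS Parameter set" */

struct tag_info {
    uint8_t id;
    uint8_t declared_len;  /* length byte as found in the frame */
    size_t  usable_len;    /* bytes actually present, <= declared_len */
    int     truncated;     /* declared_len runs past the captured data */
    int     bad_len;       /* length invalid for this tag type */
};

/* Walk the tagged parameters in buf[0..len). Fills out[] with up to max
 * entries and returns how many were found. Never reads past buf + len. */
size_t walk_tags(const uint8_t *buf, size_t len, struct tag_info *out, size_t max)
{
    size_t off = 0, n = 0;
    while (n < max && len - off >= 2) {      /* need id + length bytes */
        struct tag_info *t = &out[n++];
        size_t remaining = len - off - 2;    /* payload bytes really there */
        t->id = buf[off];
        t->declared_len = buf[off + 1];
        t->truncated = t->declared_len > remaining;
        t->usable_len = t->truncated ? remaining : t->declared_len;
        /* A DS Parameter set carries exactly one byte: the channel. */
        t->bad_len = (t->id == TAG_DS_PARAMETER && t->declared_len != 1);
        if (t->truncated)
            break;                           /* nothing trustworthy follows */
        off += 2 + t->declared_len;
    }
    return n;
}

/* Constructed sample: SSID, Supported Rates, then a DS Parameter set
 * claiming 96 bytes (0x60) for channel 54 (0x36) with only 5 bytes left. */
static const uint8_t sample[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x02, 0x82, 0x84,
    0x03, 0x60, 0x36, 0xaa, 0xbb, 0xcc, 0xdd,
};

int main(void)
{
    struct tag_info tags[8];
    size_t n = walk_tags(sample, sizeof sample, tags, 8);
    for (size_t i = 0; i < n; i++)
        printf("tag %u declared=%u usable=%zu truncated=%d bad_len=%d\n", tags[i].id,
               tags[i].declared_len, tags[i].usable_len, tags[i].truncated, tags[i].bad_len);
    return 0;
}
```

A caller that highlights or displays a field would use `usable_len`, not `declared_len`, as the extent of the item.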