Wireshark-bugs: [Wireshark-bugs] [Bug 6750] New: [NAS EPS] Protect against empty protocol identi
Date: Thu, 19 Jan 2012 08:08:16 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6750

           Summary: [NAS EPS] Protect against empty protocol identifier
                    contents in PCO
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Windows 7
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: pascal.quantin@xxxxxxxxx


Created attachment 7706
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7706
check protocol identifier length before calling sub dissector

Build Information:
Version 1.7.1 (SVN Rev 40583 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with Cairo 1.10.2, with Pango 1.28.3, with
GLib 2.26.1, with WinPcap (version unknown), with libz 1.2.5, without POSIX
capabilities, with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python,
with GnuTLS 2.10.3, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Jan 19 2012), with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Some test equipment can send a weird Protocol Configuration Options IE in the
Attach Accept message with an empty protocol identifier content.
Wireshark will trigger an assert when dissecting those messages because it does
not check the tvb length before calling the sub dissector.

For example, the following NAS Attach Accept message:
27 00 00 00 00 01 07 42 01 e1 06 00 00 f1 10 00 0b 00 2b 52 01 c1 01 05 16 03
77 77 77 0d 72 6f 68 64 65 2d 73 63 68 77 61 72 7a 03 63 6f 6d 05 01 ac 16 01
64 27 07 80 80 21 00 00 0a 00 50 0b f6 00 f1 10 00 00 00 00 00 00 00

will trigger the following assert:
            Protocol Configuration Options
                Element ID: 39
                Length: 7
                [Link direction: Network to MS (1)]
                1... .... = Ext: 0x01
                Configuration Protocol: PPP (0)
                Protocol or Container ID: IP Control Protocol (32801)
                Length: 0x00 (0)
[Malformed Packet: PPP IPCP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]

With the attached patch (checking the protocol identifier length before calling
the sub dissector), the PCO is decoded correctly:
            Protocol Configuration Options
                Element ID: 39
                Length: 7
                [Link direction: Network to MS (1)]
                1... .... = Ext: 0x01
                Configuration Protocol: PPP (0)
                Protocol or Container ID: IP Control Protocol (32801)
                Length: 0x00 (0)
                Protocol or Container ID: Reserved (10)
                Length: 0x00 (0)

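
Added example, not part of the report and not the attached patch or Wireshark's own code: a standalone bounds-checked walk over the PCO bytes from the message above (27 07 80 80 21 00 00 0a 00), which hands contents to a sub-dissector only when the protocol identifier length is non-zero. The names pco_walk and sub_dissect are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PCO IE bytes from the Attach Accept in the report: IEI 0x27, length 7. */
static const uint8_t report_pco[] = {0x27,0x07,0x80,0x80,0x21,0x00,0x00,0x0a,0x00};

/* Hypothetical stand-in for a sub-dissector (e.g. PPP IPCP): fails on no bytes. */
static int sub_dissect(uint16_t id, const uint8_t *data, size_t len) {
    (void)id; (void)data;
    return len > 0 ? 0 : -1;
}

/* Walk the protocol/container entries of a PCO IE. Returns the entry count,
 * or -1 if truncated or malformed; *dispatched counts sub-dissector calls. */
int pco_walk(const uint8_t *ie, size_t ie_len, int *dispatched) {
    *dispatched = 0;
    if (ie_len < 3 || ie[0] != 0x27 || ie[1] < 1)
        return -1;
    size_t end = 2 + (size_t)ie[1];   /* IEI + length octet + declared contents */
    if (end > ie_len)
        return -1;                    /* declared length overruns the buffer */
    size_t off = 3;                   /* skip IEI, length, ext/config octet */
    int entries = 0;
    while (off < end) {
        if (end - off < 3)
            return -1;                /* need 2-byte ID plus 1-byte length */
        uint16_t id = (uint16_t)((ie[off] << 8) | ie[off + 1]);
        size_t len = ie[off + 2];
        off += 3;
        if (len > end - off)
            return -1;                /* contents overrun the IE */
        if (len > 0) {                /* empty contents: nothing to dissect */
            if (sub_dissect(id, ie + off, len) != 0)
                return -1;
            (*dispatched)++;
        }
        off += len;
        entries++;
    }
    return entries;
}

int main(void) {
    int dispatched;
    int n = pco_walk(report_pco, sizeof report_pco, &dispatched);
    printf("entries=%d dispatched=%d\n", n, dispatched);
    return n == 2 ? 0 : 1;
}
```

On the reported bytes this yields two entries (IDs 0x8021 and 0x000a, both with length 0) and no sub-dissector call, matching the decoded output shown for the patched build.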