Wireshark-bugs: [Wireshark-bugs] [Bug 7259] New: GTP Extension headers are dissected incorrectly
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7259
Summary: GTP Extension headers are dissected incorrectly
Product: Wireshark
Version: SVN
Platform: x86
OS/Version: Red Hat
Status: NEW
Severity: Minor
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: a.pontus@xxxxxxxxx
Created attachment 8439
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8439
Example trace for reproduction and proposed fix
Build Information:
wireshark 1.7.2 (SVN Rev 42623 from /trunk)
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 2.12.12, with Cairo 1.2.4, with Pango 1.17.5, with
GLib 2.15.6, with libpcap, with libz 1.2.3, with POSIX capabilities (Linux),
with SMI 0.4.5, without c-ares, without ADNS, without Lua, without Python, with
GnuTLS 1.4.1, with Gcrypt 1.4.4, without Kerberos, without GeoIP, without
PortAudio, with AirPcap.
Running on Linux 2.6.18-164.el5, with locale en_US.iso88591, with libpcap
version 0.9.4, with libz 1.2.3, GnuTLS 1.4.1, Gcrypt 1.4.4, without AirPcap.
Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-46).
--
The GTP Extension headers are dissected incorrectly, causing the rest of the
packet to be dissected wrongly.
See "<--" comments in the below packet export.
No. Time Source Destination Protocol Length
Info
1 0.000000 10.160.2.255 72.30.38.140 GTP <ICMP> 130
Echo (ping) request id=0x0300, seq=45313/433, ttl=128
Frame 1: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
Ethernet II, Src: Schaffne_22:22:22 (00:22:22:22:22:22), Dst: Intel_11:11:11
(00:11:11:11:11:11)
Internet Protocol Version 6, Src: 1111:1111::1 (1111:1111::1), Dst:
2222:2222::2 (2222:2222::2)
User Datagram Protocol, Src Port: gtp-user (2152), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
Flags: 0x30
Message Type: T-PDU (0xff)
Length: 60
TEID: 0x04cec0bb <-- Triggering G-PDU TEID
T-PDU Data 60 bytes
Internet Protocol Version 4, Src: 10.160.2.255 (10.160.2.255), Dst:
72.30.38.140 (72.30.38.140)
Internet Control Message Protocol
No. Time Source Destination Protocol Length
Info
2 0.000401 2222:2222::2 1111:1111::1 GTP 102
Error indication
Frame 2: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: Intel_11:11:11 (00:11:11:11:11:11), Dst: Schaffne_22:22:22
(00:22:22:22:22:22)
Internet Protocol Version 6, Src: 2222:2222::2 (2222:2222::2), Dst:
1111:1111::1 (1111:1111::1)
User Datagram Protocol, Src Port: gtp-user (2152), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
Flags: 0x36
Message Type: Error indication (0x1a)
Length: 32
TEID: 0x00000000
Sequence number: 0x0000
N-PDU Number: 0x00
Extension header: Unknown (0x40)
[--- Unknown extension header ---]
Next extension header type: Unknown (0x10) <-- Should be 0x00 (i.e., no
more)
TEID Data I: 0xcec0bb85 <-- TEID mismatch (should be 0x04cec0bb)
Unknown extension header <-- GSN address should be here
Found that there was one offset increment too much before checking the next
extension header:
> svn diff
Index: epan/dissectors/packet-gtp.c
===================================================================
--- epan/dissectors/packet-gtp.c (revision 42623)
+++ epan/dissectors/packet-gtp.c (working copy)
@@ -7842,7 +7842,6 @@
/* TODO: This code should be cleaned up to handle more than one
* header and possibly display the header content */
if (next_hdr) {
- offset++;
switch (next_hdr) {
case 1:
/* MBMS support indication */
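Review bot: The removed `offset++` sits ahead of `switch (next_hdr)`, so dropping it changes the starting offset for every case in the switch, not only the 0x40 header in the attached trace. Only `case 1` (MBMS support indication) is visible in this hunk, so please confirm that each remaining case still reads its fields from the right position after this change. The TODO just above also notes that only one header is handled; it would help to state in the commit message that this fix does not change that, and to add the attached capture as a regression sample.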
Removing that increment fixed it:
No. Time Source Destination Protocol Length
Info
1 0.000000 10.160.2.255 72.30.38.140 GTP <ICMP> 130
Echo (ping) request id=0x0300, seq=45313/433, ttl=128
Frame 1: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
Ethernet II, Src: Schaffne_22:22:22 (00:22:22:22:22:22), Dst: Intel_11:11:11
(00:11:11:11:11:11)
Internet Protocol Version 6, Src: 1111:1111::1 (1111:1111::1), Dst:
2222:2222::2 (2222:2222::2)
User Datagram Protocol, Src Port: gtp-user (2152), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
Flags: 0x30
Message Type: T-PDU (0xff)
Length: 60
TEID: 0x04cec0bb
T-PDU Data 60 bytes
Internet Protocol Version 4, Src: 10.160.2.255 (10.160.2.255), Dst:
72.30.38.140 (72.30.38.140)
Internet Control Message Protocol
No. Time Source Destination Protocol Length
Info
2 0.000401 2222:2222::2 1111:1111::1 GTP 102
Error indication
Frame 2: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: Intel_11:11:11 (00:11:11:11:11:11), Dst: Schaffne_22:22:22
(00:22:22:22:22:22)
Internet Protocol Version 6, Src: 2222:2222::2 (2222:2222::2), Dst:
1111:1111::1 (1111:1111::1)
User Datagram Protocol, Src Port: gtp-user (2152), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
Flags: 0x36
Message Type: Error indication (0x1a)
Length: 32
TEID: 0x00000000
Sequence number: 0x0000
N-PDU Number: 0x00
Extension header: Unknown (0x40)
[--- Unknown extension header ---]
Next extension header type: No more extension headers (0x00)
TEID Data I: 0x04cec0bb
GSN address : 2222:2222::2
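Added example, not part of the original report and not Wireshark's code: a minimal C walker for the GTP extension header chain, run over a payload rebuilt from the field values shown for frame 2. The function names and the two extension content bytes are assumptions; the real capture bytes exist only in the attachment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: GTP payload of frame 2 rebuilt from the field values in
 * the report. The extension content bytes 0x08 0x68 are placeholders. */
static const uint8_t sample[40] = {
    0x36, 0x1a, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, /* flags, type, len 32, TEID 0 */
    0x00, 0x00, 0x00, 0x40,             /* seq, N-PDU number, next ext type 0x40 */
    0x01, 0x08, 0x68, 0x00,             /* ext: len 1 (x4 octets), content, next 0x00 */
    0x10, 0x04, 0xce, 0xc0, 0xbb,       /* IE 0x10: TEID Data I */
    0x85, 0x00, 0x10,                   /* IE 0x85: GSN address, 16 bytes follow */
    0x22, 0x22, 0x22, 0x22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the offset of the first byte after the extension header chain,
 * or -1 if the chain is truncated or contains a zero-length header. */
static int gtp_ext_chain_end(const uint8_t *p, size_t len)
{
    if (len < 8) return -1;
    if (!(p[0] & 0x07)) return 8;        /* no E/S/PN flag: no optional fields */
    if (len < 12) return -1;
    uint8_t next = (p[0] & 0x04) ? p[11] : 0;   /* only meaningful when E is set */
    size_t off = 12;
    while (next != 0) {
        if (off >= len) return -1;
        size_t ext_len = (size_t)p[off] * 4;    /* includes length and next-type bytes */
        if (ext_len == 0 || ext_len > len - off) return -1;
        next = p[off + ext_len - 1];     /* next type is the LAST byte of this header */
        off += ext_len;                  /* advance exactly ext_len, no extra increment */
    }
    return (int)off;
}

int main(void)
{
    int ie = gtp_ext_chain_end(sample, sizeof sample);
    printf("IEs start at %d, type 0x%02x, TEID Data I 0x%08x\n",
           ie, sample[ie], (unsigned)be32(sample + ie + 1));
    /* One byte too far: 0x10 is taken as the next type and the TEID is misread. */
    printf("skewed: next type 0x%02x, TEID 0x%08x\n",
           sample[ie], (unsigned)be32(sample + ie + 2));
    return 0;
}
```

The skewed reads reproduce the two wrong values in the first export (0x10 and 0xcec0bb85), which is what a one-byte offset error produces on these bytes.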