Wireshark-bugs: [Wireshark-bugs] [Bug 7259] New: GTP Extension headers are dissected incorrectly
Date: Mon, 14 May 2012 16:05:21 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7259

           Summary: GTP Extension headers are dissected incorrectly
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Red Hat
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: a.pontus@xxxxxxxxx


Created attachment 8439
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8439
Example trace for reproduction and proposed fix

Build Information:
wireshark 1.7.2 (SVN Rev 42623 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.12.12, with Cairo 1.2.4, with Pango 1.17.5, with
GLib 2.15.6, with libpcap, with libz 1.2.3, with POSIX capabilities (Linux),
with SMI 0.4.5, without c-ares, without ADNS, without Lua, without Python, with
GnuTLS 1.4.1, with Gcrypt 1.4.4, without Kerberos, without GeoIP, without
PortAudio, with AirPcap.

Running on Linux 2.6.18-164.el5, with locale en_US.iso88591, with libpcap
version 0.9.4, with libz 1.2.3, GnuTLS 1.4.1, Gcrypt 1.4.4, without AirPcap.

Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-46).
--
The GTP Extension headers are dissected incorrectly, causing the rest of the
packet to be dissected wrongly.
See "<--" comments in the below packet export.


No.     Time        Source                Destination           Protocol Length
Info
      1 0.000000    10.160.2.255          72.30.38.140          GTP <ICMP> 130 
  Echo (ping) request  id=0x0300, seq=45313/433, ttl=128

Frame 1: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
Ethernet II, Src: Schaffne_22:22:22 (00:22:22:22:22:22), Dst: Intel_11:11:11
(00:11:11:11:11:11)
Internet Protocol Version 6, Src: 1111:1111::1 (1111:1111::1), Dst:
2222:2222::2 (2222:2222::2)
User Datagram Protocol, Src Port: gtp-user (2152), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
    Flags: 0x30
    Message Type: T-PDU (0xff)
    Length: 60
    TEID: 0x04cec0bb <-- Triggering G-PDU TEID
T-PDU Data 60 bytes
Internet Protocol Version 4, Src: 10.160.2.255 (10.160.2.255), Dst:
72.30.38.140 (72.30.38.140)
Internet Control Message Protocol


No.     Time        Source                Destination           Protocol Length
Info
      2 0.000401    2222:2222::2          1111:1111::1          GTP      102   
Error indication

Frame 2: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: Intel_11:11:11 (00:11:11:11:11:11), Dst: Schaffne_22:22:22
(00:22:22:22:22:22)
Internet Protocol Version 6, Src: 2222:2222::2 (2222:2222::2), Dst:
1111:1111::1 (1111:1111::1)
User Datagram Protocol, Src Port: gtp-user (2152), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
    Flags: 0x36
    Message Type: Error indication (0x1a)
    Length: 32
    TEID: 0x00000000
    Sequence number: 0x0000
    N-PDU Number: 0x00
    Extension header: Unknown (0x40)
    [--- Unknown extension header ---]
    Next extension header type: Unknown (0x10) <-- Should be 0x00 (i.e., no
more)
    TEID Data I: 0xcec0bb85 <-- TEID mismatch (should be 0x04cec0bb)
    Unknown extension header <-- GSN address should be here



Found that there was one offset increment too much before checking the next
extension header:
> svn diff
Index: epan/dissectors/packet-gtp.c
===================================================================
--- epan/dissectors/packet-gtp.c        (revision 42623)
+++ epan/dissectors/packet-gtp.c        (working copy)
@@ -7842,7 +7842,6 @@
             /* TODO: This code should be cleaned up to handle more than one
             * header and possibly display the header content */
             if (next_hdr) {
-                offset++;
                 switch (next_hdr) {
                 case 1:
                     /* MBMS support indication */



Removing that increment fixed it:

No.     Time        Source                Destination           Protocol Length
Info
      1 0.000000    10.160.2.255          72.30.38.140          GTP <ICMP> 130 
  Echo (ping) request  id=0x0300, seq=45313/433, ttl=128

Frame 1: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
Ethernet II, Src: Schaffne_22:22:22 (00:22:22:22:22:22), Dst: Intel_11:11:11
(00:11:11:11:11:11)
Internet Protocol Version 6, Src: 1111:1111::1 (1111:1111::1), Dst:
2222:2222::2 (2222:2222::2)
User Datagram Protocol, Src Port: gtp-user (2152), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
    Flags: 0x30
    Message Type: T-PDU (0xff)
    Length: 60
    TEID: 0x04cec0bb
T-PDU Data 60 bytes
Internet Protocol Version 4, Src: 10.160.2.255 (10.160.2.255), Dst:
72.30.38.140 (72.30.38.140)
Internet Control Message Protocol

No.     Time        Source                Destination           Protocol Length
Info
      2 0.000401    2222:2222::2          1111:1111::1          GTP      102   
Error indication

Frame 2: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: Intel_11:11:11 (00:11:11:11:11:11), Dst: Schaffne_22:22:22
(00:22:22:22:22:22)
Internet Protocol Version 6, Src: 2222:2222::2 (2222:2222::2), Dst:
1111:1111::1 (1111:1111::1)
User Datagram Protocol, Src Port: gtp-user (2152), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
    Flags: 0x36
    Message Type: Error indication (0x1a)
    Length: 32
    TEID: 0x00000000
    Sequence number: 0x0000
    N-PDU Number: 0x00
    Extension header: Unknown (0x40)
    [--- Unknown extension header ---]
    Next extension header type: No more extension headers (0x00)
    TEID Data I: 0x04cec0bb
    GSN address : 2222:2222::2

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.