Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 9138] New: Malformed NORM packet

Wireshark-bugs: [Wireshark-bugs] [Bug 9138] New: Malformed NORM packet

Date: Thu, 12 Sep 2013 16:19:29 +0000

Bug ID	9138
Summary	Malformed NORM packet
Classification	Unclassified
Product	Wireshark
Version	1.8.6
Hardware	x86
OS	SuSE
Status	UNCONFIRMED
Severity	Major
Priority	Low
Component	Dissection engine (libwireshark)
Assignee	bugzilla-admin@wireshark.org
Reporter	robert.pierce09@gmail.com

Build Information:
NORM treats UDP packet as NORM packet
--
In reference to :
http://ask.wireshark.org/questions/24577/malformed-norm-packets

When using the NORM protocol dissector I receive a malformed packet error on
every CMD CC packet.  The packets seems to start out fine, but when it gets to
the Congestion Control subtree, Wireshark seems to go into an infinite loop and
prints out hundreds of Congestion Control subrees completely filled with
zeroes.  Each CMD CC packet I receive ends up being around 2074 bytes in
length, which compared to the NORM sample capture on your website that says the
CMD CC packet length was 78 bytes, is way too big.

Cmaynard answered by saying this :

"Section 4.2.3.4 of RFC 3940 states, "The list length can be inferred from the
length of the NORM_CMD(CC) message."

It looks like Wireshark is assuming that all remaining bytes in the packet are
part of the "cc_node_list", rather than stopping dissection according to the
hdr_len field in the NORM Common Message Header.

To quote:

The 8-bit "hdr_len" field indicates the number of 32-bit words that
comprise the given message's header portion.  This is used to
facilitate header extensions that may be applied.  The presence of
header extensions are implied when the "hdr_len" value is greater
than the base value for the given message "type".

Please file a bug and attach a sample capture file for testing. It need only be
a single packet."

Unfortunately I cannot submit a sample capture. So any fixes that you suggest I
will have to apply myself.

Thanks!

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9138] Malformed NORM packet
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 9132] wireshark nightly crashes analyzing rtp for phone call
Next by Date: [Wireshark-bugs] [Bug 9138] Malformed NORM packet
Previous by thread: [Wireshark-bugs] [Bug 9137] New: When a new user joins the ask.wireshark.org community, the message contains redundant "Q&A" text.
Next by thread: [Wireshark-bugs] [Bug 9138] Malformed NORM packet
Index(es):
- Date
- Thread