Wireshark-bugs: [Wireshark-bugs] [Bug 10742] New: Incorrect decoding of BGP packets
Date: Sat, 29 Nov 2014 17:57:41 +0000
Bug ID 10742
Summary Incorrect decoding of BGP packets
Product Wireshark
Version 1.12.1
Hardware x86
OS Debian
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter jadevree@mtu.edu

Build Information:
TShark 1.12.1 (Git Rev Unknown from unknown)

Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.42.1, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, with SMI 0.4.8, with c-ares 1.10.0, with
Lua 5.2, without Python, with GnuTLS 3.3.8, with Gcrypt 1.6.2, with MIT Kerberos,
with GeoIP.

Running on Linux 3.16.0-4-amd64, with locale en_US.UTF-8, with libpcap version
1.6.2, with libz 1.2.8.
Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz

Built using gcc 4.9.2.

--
Noticed a large number of BGP packets are being flagged as malformed in v1.12.
Downgraded to v1.10 and they are decoded properly again.

Some investigation seems to suggest this diff is the culprit
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=785ebdc13c160ae20c9757c0e12756f4d2d51e79

A simple publicly available pcap that demonstrates this is at:
http://packetlife.net/captures/4-byte_AS_numbers_Mixed_Scenario.cap


I think the bug lies in not obeying the length field of 10 here and continuing
to parse the rest of the packet as part of the AS4_PATH attribute instead of
starting a new path attribute.
        Path Attribut - AS4_PATH: 655361 2621441 100794971 2690359360 (2886730497 
            Flags: 0xc0: Optional, Transitive, Complete
                1... .... = Optional: Optional
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type Code: AS4_PATH (17)
            Length: 10
            AS Path segment: 655361 2621441
                Segment type: AS_SEQUENCE (2)
                Segment length (number of ASN): 2
                AS4: 655361
                AS4: 2621441
            AS Path segment: 100794971 2690359360
                Segment type: Unknown (64)
                Segment length (number of ASN): 2
                AS4: 100794971
                AS4: 2690359360
            AS Path segment: (2886730497 
                Segment type: AS_CONFED_SEQUENCE (3)
                Segment length (number of ASN): 4
                AS4: 2886730497

By comparison, v1.10 does this:
        NEW_AS_PATH: 655361 2621441 (13 bytes)
            Flags: 0xc0 (Optional, Transitive, Complete)
                1... .... = Optional: Optional
                .1.. .... = Transitive: Transitive
                ..0. .... = Partial: Complete
                ...0 .... = Length: Regular length
            Type code: NEW_AS_PATH (17)
            Length: 10 bytes
            AS path: 655361 2621441
                AS path segment: 655361 2621441
                    Path segment type: AS_SEQUENCE (2)
                    Path segment length: 2 ASs
                    Path segment value: 655361 2621441
        AS_PATH: 23456 23456 (9 bytes)
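
The length-bounded parse the report describes, as an added example that is not part of the original report and is not Wireshark's code: each attribute's value parser is handed only the attribute's declared length. The function names are hypothetical, and the sample bytes are constructed from the field values shown in the two decodes above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: path attributes rebuilt from the field values in the
 * report: AS4_PATH (length 10), AS_PATH (length 6), NEXT_HOP (length 4). */
static const uint8_t sample_attrs[] = {
    0xc0, 0x11, 0x0a, 0x02, 0x02, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x28, 0x00, 0x01,
    0x40, 0x02, 0x06, 0x02, 0x02, 0x5b, 0xa0, 0x5b, 0xa0,
    0x40, 0x03, 0x04, 0xac, 0x10, 0x03, 0x01,
};

/* Count 4-byte-ASN path segments in exactly `len` bytes of attribute value.
 * Returns -1 if a segment would run past `len` (malformed). */
int count_as4_segments(const uint8_t *val, size_t len) {
    size_t off = 0;
    int segs = 0;
    for (; off < len; segs++) {
        if (len - off < 2) return -1;            /* no room for type + count */
        size_t need = 2 + 4 * (size_t)val[off + 1];
        if (need > len - off) return -1;         /* segment overruns the bound */
        off += need;
    }
    return segs;
}

/* Walk every path attribute, bounding each value by its own Length field.
 * Returns the attribute count (-1 if truncated); the AS4_PATH (type 17)
 * segment count is stored in *as4_segs. */
int walk_path_attrs(const uint8_t *buf, size_t len, int *as4_segs) {
    size_t off = 0;
    int n = 0;
    for (; off < len; n++) {
        size_t hdr = (buf[off] & 0x10) ? 4 : 3;  /* Extended Length flag */
        if (len - off < hdr) return -1;
        size_t alen = hdr == 4 ? ((size_t)buf[off + 2] << 8 | buf[off + 3]) : buf[off + 2];
        if (alen > len - off - hdr) return -1;
        if (buf[off + 1] == 17) *as4_segs = count_as4_segments(buf + off + hdr, alen);
        off += hdr + alen;                       /* next attribute starts here */
    }
    return n;
}

int main(void) {
    int segs = -2;
    int n = walk_path_attrs(sample_attrs, sizeof sample_attrs, &segs);
    printf("bounded: %d attributes, %d AS4_PATH segment(s)\n", n, segs);
    printf("unbounded: %d\n", count_as4_segments(sample_attrs + 3, sizeof sample_attrs - 3));
    return 0;
}
```

Passing the rest of the buffer instead of the declared length makes the segment parser read the AS_PATH and NEXT_HOP headers as segment type 64 and segment type 3, then fail on the truncated third segment, which is the malformed decode shown for v1.12.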

