Wireshark-bugs: [Wireshark-bugs] [Bug 13050] New: [AMQP 1.0] Dissector fails to handle frames wi
Date: Tue, 25 Oct 2016 22:19:38 +0000
Bug ID 13050
Summary [AMQP 1.0] Dissector fails to handle frames with length > 64Kb
Product Wireshark
Version 2.2.1
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter chugzilla77@gmail.com

Build Information:
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 2.2.1 (Git Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, without POSIX capabilities, without libnl, with
GLib 2.46.2, with zlib 1.2.7, with SMI 0.4.8, with c-ares 1.10.0, without Lua,
with GnuTLS 3.3.24, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP.

Running on Linux 3.10.0-511.el7.x86_64, with locale en_US.UTF-8, with libpcap
version 1.5.3, with GnuTLS 3.3.24, with Gcrypt 1.5.3, with zlib 1.2.7.
Dual-Core AMD Opteron(tm) Processor 2216

Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-11).

--
In packet-amqp.c frame lengths are deliberately truncated. This is an error as
frame length is an unsigned 32-bit quantity. The offending code is at line
7383:

    /* XXX: The original code used only the low-order 16 bits of the 32 bit length
     *      field from the PDU as the length to dissect */
    {
        guint length32;
        length32 = tvb_get_ntohl(tvb, 0);
        length = (length32 < 0x10000U) ? length32 : 0xFFFFU;
        if (length32 > length) {
            expert_add_info(pinfo, ti, &ei_amqp_amqp_1_0_frame_length_exceeds_65K);
        }
    }


The fix is to just use length32 as-is. There are some ripple effects as the
16-bit length is passed to many other functions.
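
An added example, not part of the original report or of Wireshark's code: a stand-alone C sketch of the length handling described above, showing what the clamp does to a frame just over 64 KB and what happens if the clamp is removed while a callee still holds the length in 16 bits. The helper names, the sample header bytes and the bounds check in `len_checked` are assumptions made for illustration; the 8-byte minimum is the AMQP 1.0 frame header size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for tvb_get_ntohl(tvb, 0): 32-bit big-endian read (hypothetical helper). */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Policy quoted in the report: anything above 0xFFFF is clamped to 0xFFFF. */
static uint32_t len_clamped(uint32_t length32)
{
    return (length32 < 0x10000U) ? length32 : 0xFFFFU;
}

/* Hypothetical callee that still stores the length in 16 bits. Models the
 * "ripple effect": clamp removed, parameter types not widened. */
static uint32_t len_via_16bit_param(uint32_t length32)
{
    uint16_t length = (uint16_t)length32; /* keeps only the low-order 16 bits */
    return length;
}

/* Full-width length with bounds checks (assumption, not the project's fix):
 * returns 0 when the declared size is below the 8-byte AMQP 1.0 frame header
 * or exceeds the bytes actually available. */
static uint32_t len_checked(const uint8_t *buf, size_t available)
{
    uint32_t length32;
    if (available < 4) return 0;
    length32 = read_be32(buf);
    if (length32 < 8 || length32 > available) return 0;
    return length32;
}

int main(void)
{
    /* Constructed sample header: SIZE = 0x00010008 (65544), DOFF = 2. */
    const uint8_t hdr[8] = {0x00, 0x01, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00};
    uint32_t length32 = read_be32(hdr);
    printf("declared=%u clamped=%u via16=%u checked(8 avail)=%u\n",
           (unsigned)length32, (unsigned)len_clamped(length32),
           (unsigned)len_via_16bit_param(length32),
           (unsigned)len_checked(hdr, sizeof hdr));
    return 0;
}
```

The clamp loses the last 9 bytes of this frame, while a leftover 16-bit parameter would reduce the same frame to 8 bytes, which is why every function on the call path has to be widened along with the fix.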

