Wireshark-bugs: [Wireshark-bugs] [Bug 13103] New: Exception with last unknown Cisco AVP availabl
Date: Mon, 07 Nov 2016 12:52:53 +0000
Bug ID 13103
Summary Exception with last unknown Cisco AVP available in a SCCRQ message
Product Wireshark
Version 2.2.1
Hardware x86-64
OS Windows 7
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter Jewgenij.Bytschkow@t-systems.com

Created attachment 15045
two sample SCCRQ packets with Cisco AVP 111 as the last AVP

Build Information:
Version 2.2.1 (v2.2.1-0-ga6fbd27 from master-2.2)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.6.1, with WinPcap (4_1_3), with GLib 2.42.0, with
zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale
German_Germany.1252, with WinPcap version 4.1.3 (packet.dll version
4.1.0.2980),
based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15,
with Gcrypt 1.6.2, without AirPcap.
       Intel(R) Core(TM) i5-3340M CPU @ 2.70GHz (with SSE4.2), with 8065MB of
physical memory.


Built using Microsoft Visual C++ 12.0 build 40629

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Cisco AVPs such as 56, 57 and 110 (unknown) included in an SCCRQ control message
(see attached SCCRQ.pcap) can be correctly presented in Wireshark 2.2.1, but
the last AVP, 111, also present in the same SCCRQ message, is shown as
"(Error/Malformed): Malformed Packet (Exception occurred)":

Frame 1: 189 bytes on wire (1512 bits), 189 bytes captured (1512 bits)
Ethernet II, Src: VkCorpor_c9:02:40 (00:16:b0:c9:02:40), Dst: Hectroni_1c:09:c8
(00:15:90:1c:09:c8)
Internet Protocol Version 4, Src: 10.29.31.7, Dst: 10.29.31.10
User Datagram Protocol, Src Port: 1701, Dst Port: 1701
Layer 2 Tunneling Protocol
    Packet Type: Control Message Tunnel Id=0 Session Id=0
        1... .... .... .... = Type: Control Message (1)
        .1.. .... .... .... = Length Bit: Length field is present
        .... 1... .... .... = Sequence Bit: Ns and Nr fields are present
        .... ..0. .... .... = Offset bit: Offset size field is not present
        .... ...0 .... .... = Priority: No priority
        .... .... .... 0010 = Version: 2
    Length: 147
    Tunnel ID: 0
    Session ID: 0
    Ns: 0
    Nr: 0
    Control Message AVP
         Message Type: Start_Control_Request (1)
    Protocol Version AVP
    Framing Capabilities AVP
    Firmware Revision AVP
    Host Name AVP
    Vendor Name AVP
    Assigned Tunnel ID AVP
    Receive Window Size AVP
    Challenge AVP
    Unknown (56) AVP
        0... .... .... .... = Mandatory: False
        .0.. .... .... .... = Hidden: False
        .... ..00 0000 0110 = Length: 6
        Vendor ID: Reserved (0)
        AVP Type: Unknown (56)
    Unknown (57) AVP
        0... .... .... .... = Mandatory: False
        .0.. .... .... .... = Hidden: False
        .... ..00 0000 0110 = Length: 6
        Vendor ID: Reserved (0)
        AVP Type: Unknown (57)
    Vendor ciscoSystems: Unknown (110) AVP
        0... .... .... .... = Mandatory: False
        .0.. .... .... .... = Hidden: False
        .... ..00 0000 0110 = Length: 6
        Vendor ID: ciscoSystems (9)
        Type: Unknown (110)
[Malformed Packet: L2TP]   <<< !!! Cisco AVP 111 here is not malformed, but
cannot be shown correctly by Wireshark 2.2.1 !!!
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]

With Wireshark v1.12.13 (v1.12.13-0-g969649d from master-1.12), the
presentation of the same SCCRQ packet and all the included AVPs (including Cisco
AVP 111) in Wireshark was still correct, without an exception error:

Frame 1: 189 bytes on wire (1512 bits), 189 bytes captured (1512 bits)
Ethernet II, Src: VkCorpor_c9:02:40 (00:16:b0:c9:02:40), Dst: Hectroni_1c:09:c8
(00:15:90:1c:09:c8)
Internet Protocol Version 4, Src: 10.29.31.7, Dst: 10.29.31.10
User Datagram Protocol, Src Port: 1701, Dst Port: 1701
Layer 2 Tunneling Protocol
    ...
    Unknown (56) AVP
        0... .... .... .... = Mandatory: False
        .0.. .... .... .... = Hidden: False
        .... ..00 0000 0110 = Length: 6
        Vendor ID: Reserved (0)
        AVP Type: Unknown (56)
        Unknown AVP
    Unknown (57) AVP
        0... .... .... .... = Mandatory: False
        .0.. .... .... .... = Hidden: False
        .... ..00 0000 0110 = Length: 6
        Vendor ID: Reserved (0)
        AVP Type: Unknown (57)
        Unknown AVP
    Vendor ciscoSystems: Unknown (110) AVP
        0... .... .... .... = Mandatory: False
        .0.. .... .... .... = Hidden: False
        .... ..00 0000 0110 = Length: 6
        Vendor ID: ciscoSystems (9)
        Type: Unknown (110)
        Vendor-Specific AVP
    Vendor ciscoSystems: Unknown (111) AVP  <<< AVP 111 is shown correctly (OK)
        0... .... .... .... = Mandatory: False
        .0.. .... .... .... = Hidden: False
        .... ..00 0000 0110 = Length: 6
        Vendor ID: ciscoSystems (9)
        Type: Unknown (111)
        Vendor-Specific AVP

The issue could be caused not only by the specific Cisco AVP 111, but probably
by any last(!) unknown AVP available in a Control Message. The developers have
to check this point.

The same bug also occurs with the latest Wireshark developer build (tested on
06-Nov-2016). The behavior should be corrected in order to eliminate the
"Error/Malformed" messages in Wireshark and to correctly present the last
unknown AVP in an L2TP control message as well.


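In the traces above every trailing AVP has Length 6, which in the L2TPv2 AVP layout is the bare 6-byte header with an empty value, so the last one ends exactly at the message boundary. The AVP walker below is an added example (not Wireshark's dissector code and not part of the report) that handles that boundary case with explicit bounds checks; `walk_avps`, `struct avp` and the sample bytes are constructed here from the decoded fields shown in the report.

```c
#include <stdint.h>
#include <stdio.h>

#define AVP_HDR_LEN 6u  /* flags+length (2), vendor ID (2), attribute type (2) */
struct avp {
    uint16_t vendor_id, type;
    const uint8_t *value;   /* NULL when the AVP carries no value bytes */
    size_t value_len;
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the AVP area of an L2TPv2 control message. Returns the AVP count, or -1
 * if a header is truncated or a Length is below 6 or runs past the buffer. */
int walk_avps(const uint8_t *buf, size_t len, struct avp *out, int max_out)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < AVP_HDR_LEN) return -1;
        size_t alen = be16(buf + off) & 0x03FFu;  /* low 10 bits; M and H flags masked off */
        if (alen < AVP_HDR_LEN || alen > len - off) return -1;
        if (n < max_out) {
            struct avp *a = &out[n];
            a->vendor_id = be16(buf + off + 2);
            a->type      = be16(buf + off + 4);
            a->value_len = alen - AVP_HDR_LEN;
            /* Length 6 is header only: for the last AVP, buf[off + 6] is past the end. */
            a->value = a->value_len ? buf + off + AVP_HDR_LEN : NULL;
        }
        n++;
        off += alen;
    }
    return n;
}

/* Constructed sample: the four trailing AVPs as decoded in the report. */
static const uint8_t SAMPLE_TAIL[] = {
    0x00,0x06, 0x00,0x00, 0x00,0x38,  0x00,0x06, 0x00,0x00, 0x00,0x39,  /* types 56, 57 (vendor 0) */
    0x00,0x06, 0x00,0x09, 0x00,0x6E,  0x00,0x06, 0x00,0x09, 0x00,0x6F,  /* types 110, 111 (vendor 9) */
};

int main(void)
{
    struct avp a[4];
    int n = walk_avps(SAMPLE_TAIL, sizeof SAMPLE_TAIL, a, 4);
    for (int i = 0; i < n; i++)
        printf("vendor %u type %u value_len %zu\n", (unsigned)a[i].vendor_id, (unsigned)a[i].type, a[i].value_len);
    return n == 4 ? 0 : 1;
}
```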