Wireshark-dev: Re: [Wireshark-dev] Malformed packets in CORBA protocol plugin
Date: Thu, 7 Dec 2006 19:02:37 +0000
> Hi,
> You should try to see in packet-giop.c what happens after the output of:
>   ServiceContextList
>     Sequence Length: 0
> 
> My guess is that a sequence length of zero isn't handled properly. I
> have little time to look at this currently...
> 
> BR
> Anders
> 

I'm struggling a little bit here.

packet-giop.c prints out all the giop stuff including the Sequence Length
field then calls the giop dissector using either
try_explicit_giop_dissector or try_heuristic_giop_dissector.

It looks like it is the heuristic one that is accepting the decode.

This calls the dissect method in my dissector, which appears to recognise
the getRefTime call in my example and returns TRUE having done very 
little.

this then returns to packet-giop.c which calls CLEANUP_CALL_AND_POP

So which is the bit that generates the "Malformed packet" message?
I can't see anything in my dissector, so is it done by the cleanup
call or something later on?

Any help greatfully received

Andy Ling



wireshark-dev-bounces@xxxxxxxxxxxxx wrote on 07/12/2006 12:52:43:

> Hi,
> Perhaps a fault in the GIOP dissector. Can you send the text output of
> the failed decoding?
> BR
> Anders
>

I'm not 100% sure which bit you are after, but the packet
bytes look like :-

Frame 199 (130 bytes on wire, 130 bytes captured)

0000   00 01 af 15 fd df 00 30 48 12 04 d4 08 00 45 00  .......0H.....E.
0010   00 74 11 d2 40 00 80 06 9a e6 0a a5 0b 78 0a a5  .t..@........x..
0020   2d 0a 04 87 04 04 20 52 7c 07 0d a9 71 d6 50 18  -..... R|...q.P.
0030   fd bb 8e 33 00 00 47 49 4f 50 01 02 01 00 40 00  ...3..GIOP....@.
0040   00 00 ec 00 00 00 03 00 00 00 00 00 00 00 1b 00  ................
0050   00 00 14 01 0f 00 52 53 54 45 6d a5 36 00 05 98  ......RSTEm.6...
0060   4a 00 00 00 01 00 00 00 01 00 00 00 02 00 0b 00  J...............
0070   00 00 67 65 74 52 65 66 54 69 6d 65 00 00 00 00  ..getRefTime....
0080   00 00                                            ..

And the decode window above shows:-

General Inter-ORB Protocol Request
  Request id: 236
  Response flags: SYNC_WITH_TARGET (3)
  Reserved: 0 0 0
  TargetAddress Discriminant: 0
  KeyAddr (object key length): 27
  KeyAddr (object key): ....RSTEm.6...J............
  Operation length: 11
  Request operation: getRefTime
  ServiceContextList
    Sequence Length: 0
[Malformed Packet: Q_QUENTINV3]

If I turn off our Q_QUENTINV3 protocol then the last line is not printed.

Another bit of information that might help. If I set the filter to giop
then the info in the main window looks like :-

Q_QUENTINV3 GIOP 1.2 Request 236: getRefTime[Malformed Packet]

Without the giop filter the "[Malformed Packet]" string is missing

Regards

Andy Ling