https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16526

            Bug ID: 16526
           Summary: MIME Files Format/pcapng: Simple Packet Block parsed
                    incorrectly
           Product: Wireshark
           Version: Git
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: Trivial
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: boolean...@gmail.com
  Target Milestone: ---

Created attachment 17738
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17738&action=edit
Artificially-created pcapng file to demonstrate the SPB issue

Build Information:
TShark (Wireshark) 3.3.0 (v3.3.0rc0-1124-g0eb92d7aa0fc)

Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), without libnl,
with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua
5.2.4, with GnuTLS 3.5.18 and PKCS #11 support, with Gcrypt 1.8.1, with MIT
Kerberos, without MaxMind DB resolver, with nghttp2 1.30.0, with brotli, with
LZ4, with Zstandard, with Snappy, with libxml2 2.9.4.

Running on Linux 5.3.0-46-generic, with Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz
(with SSE4.2), with 15907 MB of physical memory, with locale
LC_CTYPE=en_CA.UTF-8, LC_NUMERIC=en_CA.UTF-8, LC_TIME=en_CA.UTF-8, LC_COLLATE=C,
LC_MONETARY=en_CA.UTF-8, LC_MESSAGES=en_CA.UTF-8, LC_PAPER=en_CA.UTF-8,
LC_NAME=en_CA.UTF-8, LC_ADDRESS=en_CA.UTF-8, LC_TELEPHONE=en_CA.UTF-8,
LC_MEASUREMENT=en_CA.UTF-8, LC_IDENTIFICATION=en_CA.UTF-8, with libpcap version
1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.1, with brotli 1.0.4, with zlib
1.2.11, binary plugins supported (0 loaded).

Built using gcc 7.5.0.
--
When a pcapng file is loaded in the MIME Files Format file format, Simple
Packet Blocks (SPBs) are not correctly parsed/displayed if the original packet
length is greater than the captured packet length (snap length). It appears as
though the dissector is treating the SPB "Original Packet Length" field as if
it holds the actual length of the packet data, when this is not strictly true
according to section 4.4 of the pcapng spec.

Note:
This is specific to the MIME Files Format dissector. The pcapng reader used to
load the file normally to inspect its traffic acts properly.

Steps to reproduce:
1) Use the attached mockup pcapng file. It consists of a standard SHB, an IDB
with a snaplen set to 45, and three SPBs, each of which has 45 bytes of data,
but the "Original Packet Length" field set to 50.
2) Load this file in Wireshark using the MIME Files Format file type.
3) Expand the "PCAPNG File Format" tree.

Actual results:
1) SHB and IDB appear as expected and parse correctly in the protocol tree.
2) The first SPB appears in the protocol tree. Under its "Block Data" entry,
there's a field called "Packet Length" with a value of 50.
3) Beneath that, the "Packet Data" entry, when clicked, selects 50 bytes in the
bytes view. This actually extends past the end of the packet data, and
erroneously also parses 3 bytes of padding, and the first 2 bytes of the SHB's
trailing length field.
4) Dissection stops here with a "Malformed packet (exception occurred)" expert
warning.

Expected results:
1) SHB, IDB, and three SPBs should appear.
2) The length of the "Packet Data" entry in a SPB should be the lesser of the
value of the SPB's Packet Length and the IDB's Snap Length fields.
3) (optional enhancement) The "Packet Length" field for SPB dissection should
be renamed "Original Packet Length" to make the discrepancy clearer.

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
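The length rule the report asks for, as an added example that is not part of the original report and is not Wireshark's code: the Packet Data length of an SPB is min(SnapLen, Original Packet Length), and it must still fit inside the block. The function names are hypothetical, little-endian byte order is assumed, and a SnapLen of 0 is treated as "no limit" per the pcapng specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPB_TYPE     0x00000003u
#define SPB_OVERHEAD 16u  /* type + total length + original length + trailing total length */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hypothetical helper: returns 0 and sets *cap_len to the number of Packet Data
 * bytes actually present in the SPB, or -1 if the block is malformed. */
int spb_packet_data_len(const uint8_t *blk, size_t avail, uint32_t snaplen, uint32_t *cap_len) {
    if (avail < SPB_OVERHEAD || rd_le32(blk) != SPB_TYPE) return -1;
    uint32_t total = rd_le32(blk + 4), orig = rd_le32(blk + 8);
    if (total < SPB_OVERHEAD || total % 4 != 0 || total > avail) return -1;
    if (rd_le32(blk + total - 4) != total) return -1;  /* leading and trailing lengths must agree */
    /* Original Packet Length is the on-the-wire size, not the stored size. */
    uint32_t len = (snaplen != 0 && snaplen < orig) ? snaplen : orig;
    if (len > total - SPB_OVERHEAD) return -1;         /* data would run into the trailing length */
    *cap_len = len;
    return 0;
}

/* Constructed sample matching the report: 45 data bytes, 3 padding bytes,
 * Original Packet Length 50, Block Total Length 64. Returns the computed
 * Packet Data length, or UINT32_MAX if the block is rejected. */
uint32_t sample_spb_len(uint32_t snaplen) {
    uint8_t blk[64] = {0};
    uint32_t len = 0;
    wr_le32(blk, SPB_TYPE);
    wr_le32(blk + 4, (uint32_t)sizeof blk);
    wr_le32(blk + 8, 50);
    memset(blk + 12, 0xAA, 45);
    wr_le32(blk + 60, (uint32_t)sizeof blk);
    return spb_packet_data_len(blk, sizeof blk, snaplen, &len) == 0 ? len : UINT32_MAX;
}

int main(void) {
    printf("snaplen 45 -> %u bytes of Packet Data\n", (unsigned)sample_spb_len(45));
    printf("snaplen 0  -> %s\n", sample_spb_len(0) == UINT32_MAX ? "rejected" : "accepted");
    return 0;
}
```

With the IDB's snaplen of 45 the helper selects 45 bytes; using the Original Packet Length of 50 directly is rejected because 50 bytes would extend through the padding into the trailing length field.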