http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2401
Summary: Wireshark will crush when decoding wimax SBC-REQ/SBC-RSP
Product: Wireshark
Version: 0.99.7
Platform: All
OS/Version: All
Status: ASSIGNED
Severity: Critical
Priority: Medium
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: chris.yang@xxxxxxxxxxx
Build Information:
Version 0.99.7
Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.12.1, with GLib 2.14.3, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with SMI 0.4.5, with ADNS, with Lua 5.1,
with
GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio PortAudio
V19-devel, with AirPcap.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, without
AirPcap.
Built using Microsoft Visual C++ 8.0 build 50727
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
The MAC PDU that causes the problem:
0000 00 40 44 00 66 83 1a 03 04 00 00 00 00 19 0d 03
0010 01 00 04 02 00 00 05 01 00 06 01 00 1c 01 00 93
0020 01 00 96 01 10 97 02 00 3c 9e 01 00 9f 02 00 00
0030 a7 01 01 ab 01 00 ae 02 00 2c af 01 00 cc 01 4a
0040 2e c0 fd 9e
The the decode result should be:
PDU (68 bytes) - Generic MAC Header, SBC-REQ, CRC
Generic MAC Header (6 bytes)
0... .... .... .... .... .... = MAC Header Type: Generic (0x000000)
.0.. .... .... .... .... .... = MAC Encryption Control: Not
encrypted (0x000000)
..0. .... .... .... .... .... = MAC Sub-type Bit 5: Mesh subheader
is absent (0x000000)
...0 .... .... .... .... .... = MAC Sub-type Bit 4: ARQ feedback
payload is absent (0x000000)
.... 0... .... .... .... .... = MAC Sub-type Bit 3: The subheader
is not extended (0x000000)
.... .0.. .... .... .... .... = MAC Sub-type Bit 2: Fragmentation
subheader is absent (0x000000)
.... ..0. .... .... .... .... = MAC Sub-type Bit 1: Packing
subheader is absent (0x000000)
.... ...0 .... .... .... .... = MAC Sub-type Bit 0: Fast-feedback
allocation subheader(DL)/Grant management subheader(UL) is absent (0x000000)
.... .... 0... .... .... .... = Extended Sub-header Field: Extended
subheader is absent (0x000000)
.... .... .1.. .... .... .... = CRC Indicator: CRC is included
(0x000001)
.... .... ..00 .... .... .... = Encryption Key Sequence: 0x000000
.... .... .... 0... .... .... = Reserved: 0
.... .... .... .000 0100 0100 = Length: 68
Connection ID: 102
Header Check Sequence: 0x83
SS Basic Capability Request (SBC-REQ) (58 bytes)
MAC Management Message Type: 26
Maximum Transmit Power: 0x00000000
TLV type: 3
TLV length: 4
TLV value: Maximum Transmit Power (0x00000000)
BPSK: -64.00 dBm
QPSK: -64.00 dBm
QAM16: -64.00 dBm
QAM64: -64.00 dBm
Security Negotiation Parameters (13 bytes)
TLV type: 25
TLV length: 13
TLV value: Security Negotiation Parameters (13 bytes)
(0x03010004...)
MAC (Message Authentication Code) Mode: 0x00
TLV type: 3
TLV length: 1
TLV value: MAC (Message Authentication Code) Mode
(0x00)
.... ...0 = HMAC: not supported
.... ..0. = Reserved: not supported
.... .0.. = 64-bit Short-HMAC: not supported
.... 0... = 80-bit Short-HMAC: not supported
...0 .... = 96-bit Short-HMAC: not supported
..0. .... = CMAC: not supported
00.. .... = Reserved: 0x00
PN Window Size: 0
TLV type: 4
TLV length: 2
TLV value: PN Window Size (0x0000)
PN Window Size: 0
Maximum concurrent transactions (0 indicates no
limit): 0
Maximum number of security associations supported
by the SS: 0
HO Trigger Metric Support: 0x00
TLV type: 28
TLV length: 1
TLV value: HO Trigger Metric Support (0x00)
.... ...0 = BS CINR Mean: not supported
.... ..0. = BS RSSI Mean: not supported
.... .0.. = BS Relative Delay: not supported
.... 0... = BS RTD: not supported
0000 .... = Reserved: 0x00
Current transmitted power: 0x00
TLV type: 147
TLV length: 1
TLV value: Current transmitted power (0x00)
Current Transmitted Power: 2147483648.00 dBm (Value: 0x0)
OFDMA SS FFT Sizes: 0x10
TLV type: 150
TLV length: 1
TLV value: OFDMA SS FFT Sizes (0x10)
.... ...0 = Reserved: 0x00
.... ..0. = FFT-2048: not supported
.... .0.. = FFT-128: not supported
.... 0... = FFT-512: not supported
...1 .... = FFT-1024: supported
000. .... = Reserved: 0x00
OFDMA SS Demodulator: 003C
TLV type: 151
TLV length: 2
TLV value: OFDMA SS Demodulator (0x003c)
.... .... .... ...0 = 64-QAM: not supported
.... .... .... ..0. = BTC: not supported
.... .... .... .1.. = CTC: supported
.... .... .... 1... = STC: supported
.... .... ...1 .... = CC with Optional Interleaver:
supported
.... .... ..1. .... = HARQ Chase: supported
.... .... .0.. .... = HARQ CTC_IR: not supported
.... .... 0... .... = Reserved: 0x0000
.... ...0 .... .... = HARQ CC_IR: not supported
.... ..0. .... .... = LDPC: not supported
.... .0.. .... .... = Dedicated Pilots: not supported
.... 0... .... .... = Reserved: 0x0000
OFDMA AAS Private Map Support: 0x00
TLV type: 158
TLV length: 1
TLV value: OFDMA AAS Private Map Support (0x00)
.... ...0 = H-ARQ MAP Capability: not supported
.... ..0. = Private Map Support: not supported
.... .0.. = Reduced Private Map Support: not supported
.... 0... = Private Map Chain Enable: not supported
...0 .... = Private Map DL Frame Offset: not supported
..0. .... = Private Map UL Frame Offset: not supported
00.. .... = Private Map Chain Concurrency: 0x00
OFDMA AAS Capability: 0x0000
TLV type: 159
TLV length: 2
TLV value: OFDMA AAS Capability (0x0000)
.... .... .... ...0 = AAS Zone: not supported
.... .... .... ..0. = AAS Diversity Map Scan (AAS DLFP):
not supported
.... .... .... .0.. = AAS-FBCK-RSP Support: not supported
.... .... .... 0... = Downlink AAS Preamble: not supported
.... .... ...0 .... = Uplink AAS Preamble: not supported
0000 0000 000. .... = Reserved: 0x0000
Association Type Support: 0x01
TLV type: 167
TLV length: 1
TLV value: Association Type Support (0x01)
.... ...1 = Scanning Without Association: association not
supported: Yes (1)
.... ..0. = Association Level 0: scanning or association
without coordination: No (0x00)
.... .0.. = Association Level 1: association with
coordination: No (0x00)
.... 0... = Association Level 2: network assisted
association: No (0x00)
...0 .... = Desired Association Support: No (0x00)
000. .... = Reserved: 0x00
The Minimum Number Of Frames That SS Takes To Switch From The Open
Loop Power Control Scheme To The Closed Loop Power Control Scheme Or Vice
Versa: 0
TLV type: 171
TLV length: 1
TLV value: The Minimum Number Of Frames That SS Takes To Switch
>From The Open Loop Power Control Scheme To The Closed Loop Power Control Scheme
Or Vice Versa (0x00)
The Minimum Number Of Frames That SS Takes To Switch From
The Open Loop Power Control Scheme To The Closed Loop Power Control Scheme Or
Vice Versa: 0
OFDMA MS CSIT Capability: 0x2c
TLV type: 174
TLV length: 2
TLV value: OFDMA MS CSIT Capability (0x002c)
.... .... .... ...0 = CSIT Compatibility Type A: not
supported
.... .... .... ..0. = CSIT Compatibility Type B: not
supported
.... .... .... .1.. = Power Assignment Capability:
supported
.... .... ..10 1... = Sounding Response Time Capability:
min(2, Next Frame) (0x0005)
.... ..00 00.. .... = Max Number Of Simultaneous Sounding
Instructions: 0
.... .0.. .... .... = SS Does Not Support P Values Of 9 And
18 When Supporting CSIT Type A: not supported
0000 0... .... .... = Reserved: 0x0000
Maximum Number Of Burst Per Frame Capability In HARQ: 0x00
TLV type: 175
TLV length: 1
TLV value: Maximum Number Of Burst Per Frame Capability In HARQ
(0x00)
.... .000 = Maximum Number Of UL HARQ Burst Per HARQ
Enabled MS Per Frame (default(0)=1): 0
.... 0... = Whether The Maximum Number Of UL HARQ Bursts
Per Frame (i.e. Bits# 2-0) Includes The One Non-HARQ Burst: No
0000 .... = Maximum Numbers Of DL HARQ Bursts Per HARQ
Enabled Of MS Per Frame (default(0)=1): 0
OFDMA parameters sets: 0x4a
TLV type: 204
TLV length: 1
TLV value: OFDMA parameters sets (0x4a)
.... ...0 = Support OFDMA PHY parameter set A: 0x00
.... ..1. = Support OFDMA PHY parameter set B: 0x01
...0 10.. = HARQ parameters set: HARQ set 3 (0x02)
..0. .... = Support OFDMA MAC parameters set A: 0x00
.1.. .... = Support OFDMA MAC parameters set B: 0x01
0... .... = Reserved: 0x00
CRC: 0x2ec0fd9e
But the wimax "msg_sbc.c" file has bugs in struct "hf_sbc". I attached the diff
file.
--
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
