
Wireshark-bugs: [Wireshark-bugs] [Bug 2477] Illegal characters in XML output for ssh.padding_str

Date: Tue, 22 Apr 2008 06:31:02 -0700 (PDT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2477


Abhik Sarkar <sarkar.abhik@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sarkar.abhik@xxxxxxxxx




--- Comment #2 from Abhik Sarkar <sarkar.abhik@xxxxxxxxx>  2008-04-22 06:30:59 GMT ---
I can't claim to know SSH as a protocol at all, but this bug somehow caught my
attention. I still can't explain why the difference in behavior exists between
Linux and Windows (I have only a Windows development environment for now)...
print.c, which is responsible for generating the PDML output, doesn't seem to
have any OS specific behavior, so the reason for the difference is really not
clear.

However, the root cause of the issue seems to be an incorrect FT type for the
hf_ssh_padding_string field in packet-ssh.c. 

According to RFC4253: 
random padding
         Arbitrary-length padding, such that the total length of
         (packet_length || padding_length || payload || random padding)
         is a multiple of the cipher block size or 8, whichever is
         larger.  There MUST be at least four bytes of padding.  The
         padding SHOULD consist of random bytes.  The maximum amount of
         padding is 255 bytes.

This indicates that the FT should be FT_BYTES and not FT_STRING. 

The attached patch attempts to solve this issue. Perhaps a better patch would
change padding_string to padding_bytes... but that's probably a big change
which could break things like filtering etc. 

I tested it with the same capture and the resulting PDML does change
accordingly.

Perhaps an SSH expert could have a look at the patch. 

Rob, I am not sure if the change of the field type would break your parser.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
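Added example (mine, not Wireshark code and not part of the bug report or its patch): a small Python model of the RFC 4253 padding rule quoted above, and of why a field holding random padding bytes has to be rendered the way FT_BYTES is (hex) rather than the way FT_STRING is (raw text) before it is written into PDML, which is XML. XML 1.0 forbids control characters other than tab, LF and CR in a document even when escaped, so random padding copied in as text yields exactly the "illegal characters" of the bug title. The names padding_length, build_packet, parse_packet, field_as_string, field_as_bytes, pdml_field and is_well_formed are my own; the <field> element is a simplified stand-in for what print.c emits, and the padding bytes 0x00..0x09 are constructed for the demonstration, not taken from a capture.

```python
"""Added example, not from Wireshark: RFC 4253 padding and its XML rendering."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# XML 1.0 "Char" production. Control bytes 0x00-0x08, 0x0B, 0x0C and
# 0x0E-0x1F are not allowed anywhere in a document, escaped or not.
_XML_TEXT = re.compile(
    "^[\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]*$"
)


def padding_length(payload_len, block_size):
    """RFC 4253 section 6: len(packet_length)=4 + len(padding_length)=1 +
    payload + padding must be a multiple of max(block_size, 8); at least 4
    and at most 255 bytes of padding."""
    align = max(block_size, 8)
    pad = align - ((4 + 1 + payload_len) % align)
    if pad < 4:
        pad += align
    if pad > 255:
        raise ValueError("padding would exceed 255 bytes")
    return pad


def build_packet(payload, block_size, padding_source):
    """Binary packet layout before encryption/MAC. padding_source(n) must
    return n bytes; a real implementation uses a CSPRNG (os.urandom)."""
    pad_len = padding_length(len(payload), block_size)
    padding = padding_source(pad_len)
    body = bytes([pad_len]) + payload + padding
    return len(body).to_bytes(4, "big") + body


def parse_packet(pkt):
    """Split a binary packet into (payload, padding), as a dissector would."""
    packet_length = int.from_bytes(pkt[:4], "big")
    pad_len = pkt[4]
    payload = pkt[5:4 + packet_length - pad_len]
    padding = pkt[4 + packet_length - pad_len:4 + packet_length]
    return payload, padding


def field_as_string(padding):
    """FT_STRING-style rendering: the bytes go into the document as text."""
    return padding.decode("latin-1")


def field_as_bytes(padding):
    """FT_BYTES-style rendering: colon-separated hex, always legal in XML."""
    return ":".join(f"{b:02x}" for b in padding)


def has_illegal_xml_chars(text):
    """True if the text could not be placed in an XML 1.0 document."""
    return _XML_TEXT.match(text) is None


def pdml_field(name, show):
    """Simplified PDML-like element (assumed shape, not print.c's exact output).
    quoteattr escapes & < > and quotes but cannot fix control characters."""
    return f"<field name=\"{name}\" show={quoteattr(show)}/>"


def is_well_formed(xml_text):
    """Does a real XML parser accept the element?"""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed SSH_MSG_NEWKEYS (type 21, no body), 8-byte alignment,
    # deterministic "random" padding 0x00..0x09 to make the failure visible.
    pkt = build_packet(b"\x15", 8, lambda n: bytes(range(n)))
    payload, padding = parse_packet(pkt)
    for render in (field_as_string, field_as_bytes):
        element = pdml_field("ssh.padding_string", render(padding))
        print(render.__name__, "well-formed:", is_well_formed(element))
```

Running the block prints False for the FT_STRING-style rendering and True for the FT_BYTES-style one with the same ten padding bytes. Note that the real dissector in 2008 wrote the raw bytes straight into a UTF-8 document, so on top of the forbidden control characters a random byte sequence is usually not even valid UTF-8; the latin-1 decode here is only so that the model stays in Python strings.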