Wireshark-bugs: [Wireshark-bugs] [Bug 2509] New: SCCP dissector - assoc->calling_ssn or assoc-> called_ssn leaks to next packets

From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 28 Apr 2008 06:23:30 -0700 (PDT)

http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2509

           Summary: SCCP dissector - assoc->calling_ssn or assoc->called_ssn
                    leaks to next packets
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: j.pedro.fonseca@xxxxxxxxxxxxxxx


Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
Hi,

The SCCP dissector uses a global variable "assoc" to keep state information
about the packet being dissected. The fields "calling_ssn" and "called_ssn" are
used to make the decision on what subdissector to call next (for example,
ssn=142 means that the RANAP dissector must be used)

It appears that, in some cases, the assoc variable isn't cleared before
dissecting the next packet. This way, the calling_ssn or called_ssn fields keep
the values from the previous packet, and the wrong dissector is called.

The problem can be fixed by changing the lines:

if (called && assoc)
    assoc->called_ssn = ssn;
else if (assoc)
    assoc->calling_ssn = ssn;



to



if (called && assoc) {
    assoc->called_ssn = ssn;
    assoc->calling_ssn = INVALID_SSN;
} else if (assoc) { 
    assoc->calling_ssn = ssn;
    assoc->called_ssn = INVALID_SSN;
}


Note that there are two instances of the above lines on the source code. Both
must be fixed.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.