Wireshark-bugs: [Wireshark-bugs] [Bug 3953] New: H248 dissector fails on poorly formed AuditRepl

Date: Thu, 27 Aug 2009 07:47:03 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3953

           Summary: H248 dissector fails on poorly formed AuditReply packet
                    from Media Gateway
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Debian
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: alindber@xxxxxxxxx



Alex Lindberg <alindber@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3578|                            |review_for_checkin?
               Flag|                            |


Created an attachment (id=3578)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3578)
Example packet

Build Information:
$ ./tshark -v
TShark 1.3.0 (SVN Rev 29548 from /trunk)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.20.4, with libpcap 1.0.0, with libz 1.2.3.3, without POSIX
capabilities, with libpcre 7.8, with SMI 0.4.8, with c-ares 1.6.0, with Lua
5.1,
without Python, with GnuTLS 2.8.3, with Gcrypt 1.4.4, with MIT Kerberos,
without
GeoIP.

Running on Linux 2.6.26-2-686, with libpcap version 1.0.0, GnuTLS 2.8.3, Gcrypt
1.4.4.

Built using gcc 4.3.4.

--
An H248 packet containing an "auditValueReply" fails when decoding fields not
tagged correctly.  Wireshark/tshark does not attempt to decode the rest of the
packet.

"contextAuditResult" is defined as a TerminationIDList.

"TerminationIDList" is a SEQUENCE of 
  terminationIDList
  terminationAuditResult

In the problem packet the decode faults in terminationIDList and never decodes
terminationAuditResult.  Here is the generated output of tshark:

Example:
CommandReply: auditValueReply (5)
  auditValueReply: contextAuditResult (0)
    contextAuditResult: 2 items
      BER Error: Wrong field in SQ OF(tag 0 expected 16)
        [Expert Info (Warn/Malformed): BER Error: Wrong field in Sequence Of]
        [Message: BER Error: Wrong field in Sequence Of]
        [Severity level: Warn]
        [Group: Malformed]
      BER Error: Wrong field in SQ OF(tag 1 expected 16)
        [Expert Info (Warn/Malformed): BER Error: Wrong field in Sequence Of]
        [Message: BER Error: Wrong field in Sequence Of]
        [Severity level: Warn]
        [Group: Malformed]

Note that the decode shows the H248 version as 1.
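
The behaviour the report asks for (flag a wrongly tagged element in a SEQUENCE OF, then carry on with the elements after it) can be sketched as below. This is an added example, not part of the bug report and not Wireshark's dissector code; `check_sequence_of` and the sample bytes are hypothetical, and it assumes low tag numbers and definite lengths only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Walk the TLVs inside a BER SEQUENCE OF body and count the elements that are
 * not universal-class with tag number `expected` (16 = SEQUENCE). A mismatch is
 * recorded and skipped by its length, so later elements are still visited.
 * Returns the mismatch count, or -1 on a truncated or unsupported encoding. */
static int check_sequence_of(const uint8_t *buf, size_t len, unsigned expected,
                             unsigned *bad, size_t max_bad)
{
    size_t off = 0;
    int mismatches = 0;
    while (off < len) {
        uint8_t id = buf[off++];
        unsigned tag = id & 0x1f;
        size_t vlen;
        if (tag == 0x1f || off >= len)   /* high-tag-number form, or no length octet */
            return -1;
        vlen = buf[off++];
        if (vlen & 0x80) {               /* long form: low 7 bits count the length octets */
            size_t n = vlen & 0x7f;
            if (n == 0 || n > sizeof(size_t) || n > len - off)
                return -1;               /* indefinite or oversized length */
            for (vlen = 0; n > 0; n--)
                vlen = (vlen << 8) | buf[off++];
        }
        if (vlen > len - off)            /* value would run past the buffer */
            return -1;
        if ((id & 0xc0) != 0 || tag != expected) {
            if ((size_t)mismatches < max_bad)
                bad[mismatches] = tag;
            mismatches++;
        }
        off += vlen;                     /* skip the value and keep walking */
    }
    return mismatches;
}

int main(void)
{
    /* Constructed sample: two elements tagged [0] and [1] where SEQUENCE is expected. */
    static const uint8_t body[] = { 0xa0, 0x02, 0x04, 0x00, 0xa1, 0x03, 0x02, 0x01, 0x01 };
    unsigned bad[4];
    int n = check_sequence_of(body, sizeof body, 16, bad, 4);
    for (int i = 0; i < n && i < 4; i++)
        printf("Wrong field in SQ OF (tag %u expected 16)\n", bad[i]);
    return n < 0;
}
```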

