Wireshark-bugs: [Wireshark-bugs] [Bug 4334] VNC Hextile encoding is incomplete

Date: Wed, 3 Nov 2010 09:01:53 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4334

--- Comment #3 from Yaniv Kaul <mykaul@xxxxxxxxx> 2010-11-03 09:01:51 PDT ---
(In reply to comment #1)
> This is one of the problems I ran into developing the VNC dissector originally.
> Because the length of the current message isn't known at the beginning, but
> instead it is extended by fields in the middle of the packet (sometimes
> multiple times), I wrote the VNC_BYTES_NEEDED macro:
> 
> #define VNC_BYTES_NEEDED(a)                    \
>     if(a > (guint)tvb_length_remaining(tvb, *offset))    \
>         return a;
> 
> So if more bytes are needed to finish the current dissection process than are
> available in the tvb, then more are requested.  The return from the macro is a
> return from each function such as vnc_hextile_encoding() and is checked by the
> calling function (in this case, vnc_server_framebuffer_update).  That is then
> checked by the calling function (vnc_server_to_client).  The manual method of
> requesting more bytes via desegmentation is used at the end of that function:
> 
>     if(bytes_needed > 0 && vnc_preference_desegment &&
>        pinfo->can_desegment) {
>         length_remaining = tvb_length_remaining(tvb, *offset);
> 
>         pinfo->desegment_offset = start_offset;
>         pinfo->desegment_len = bytes_needed - length_remaining;
>         return;
>     }
> 
> ... as you can see, this is messy and doesn't even work in all cases.
> 
> Ideally, Wireshark would be able to crawl through the message and keep adding
> up the total number of bytes that need desegmentation and then go back and do
> the actual dissection.  Because more bytes are specified throughout the
> message, some dissection work is needed even on the first pass.  I think this
> could be accomplished without changes to Wireshark itself though, so it is
> worth investigating further.  It would be best to somehow use the same
> functions that do the actual dissection to do the first pass dissection to
> prevent duplicating code and introducing problems if only one of the two is
> ever changed.

What's wrong here is:
1. You need to remember which message_type you were dissecting when you needed
more data, so you can come back to it (and not view each call as a new message
to be dissected)
2. You need NOT analyze any data until you have the complete PDU. You do need
to perform the minimum dissection in order to get the full length of the PDU.
This is, in VNC, quite a lot of work, regretfully. Once you have the complete
PDU, you can go over it and dissect it fully.
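
Added example, not part of the original comment and not Wireshark code: a minimal length-only first pass over a FramebufferUpdate whose rectangles are all Hextile, reading just the fields that determine the PDU length. The names hextile_len, fbupdate_len and sample are hypothetical; bpp (bytes per pixel) is assumed to be known from the negotiated pixel format, and the field layout and subencoding bits follow the RFB protocol specification.

```c
#include <stddef.h>
#include <stdint.h>
#define NEED_MORE ((size_t)-1)  /* length not yet determinable from the buffer */
#define BAD_ENC   ((size_t)-2)  /* rectangle is not Hextile (encoding 5) */

/* Length of one Hextile rectangle body at b[off]; pixels are never decoded. */
static size_t hextile_len(const uint8_t *b, size_t n, size_t off,
                          unsigned w, unsigned h, unsigned bpp)
{
    size_t p = off;
    for (unsigned ty = 0; ty < h; ty += 16)
        for (unsigned tx = 0; tx < w; tx += 16) {
            unsigned tw = w - tx < 16 ? w - tx : 16;   /* edge tiles are smaller */
            unsigned th = h - ty < 16 ? h - ty : 16;
            if (p >= n) return NEED_MORE;
            uint8_t sub = b[p++];                      /* subencoding mask */
            if (sub & 0x01) { p += (size_t)tw * th * bpp; continue; } /* Raw */
            if (sub & 0x02) p += bpp;                  /* BackgroundSpecified */
            if (sub & 0x04) p += bpp;                  /* ForegroundSpecified */
            if (sub & 0x08) {                          /* AnySubrects */
                if (p >= n) return NEED_MORE;
                size_t count = b[p++];
                p += count * (((sub & 0x10) ? bpp : 0) + 2); /* SubrectsColoured */
            }
        }
    return p - off;
}

/* Pass 1: total FramebufferUpdate length, or NEED_MORE / BAD_ENC. */
size_t fbupdate_len(const uint8_t *b, size_t n, unsigned bpp)
{
    if (n < 4) return NEED_MORE;
    unsigned nrects = (b[2] << 8) | b[3];
    size_t p = 4;                          /* type, padding, rectangle count */
    for (unsigned i = 0; i < nrects; i++) {
        if (p > n || n - p < 12) return NEED_MORE;    /* x, y, w, h, encoding */
        unsigned w = (b[p + 4] << 8) | b[p + 5], h = (b[p + 6] << 8) | b[p + 7];
        if (b[p + 8] || b[p + 9] || b[p + 10] || b[p + 11] != 5) return BAD_ENC;
        size_t body = hextile_len(b, n, p + 12, w, h, bpp);
        if (body == NEED_MORE) return NEED_MORE;
        p += 12 + body;
    }
    return p;        /* if p > n, exactly p - n more bytes complete the PDU */
}

/* Constructed sample: one 20x16 Hextile rectangle (two tiles), 1 byte/pixel. */
const uint8_t sample[29] = { 0,0,0,1,  0,0,0,0,0,20,0,16,  0,0,0,5,
    0x0E,0xAA,0xBB,2,0x00,0x11,0x22,0x33,   0x18,1,0xCC,0x00,0x00 };
int main(void) { return fbupdate_len(sample, sizeof sample, 1) == 29 ? 0 : 1; }
```

A caller would ask for more data on NEED_MORE or when the returned length exceeds the bytes available, and run the full dissection only once the whole PDU is present.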
