Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 3317] pop/imf: malformed packet and a superfluous newline

Date: Tue, 23 Nov 2010 18:14:32 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3317

--- Comment #6 from Bill Meier <wmeier@xxxxxxxxxxx> 2010-11-23 21:14:30 EST ---
(In reply to comment #0)
> 
> malformed packet 25 says :"Contact wireshark devs ..." so I do it :-)
> 

The "Internet Message Format" (IMF) dissector is trying to dissect encrypted
binary data in the attached capture as plain_text. 

In all the IMF  frames except #27, the attempt to dissect the Message Header
field fails completely so the message is just shown as "Message Text".

In frame #27, the binary message is such that there's a ":" as the last byte of
the message. Due to a bug in the dissector this particular case causes the
dissector to think there's a valid but unknown header field.

I'll fix that.  [Committed in SVN # 35017]

That being said, it seems to me that the IMF dissector shouldn't even be trying
to do a dissection of binary data since there presumably can always be just
enough valid bytes (eg:  ":"  eventually followed by \r) to cause the dissector
to think it (sort of) has a field header.

I don't have any experience about the handling of TLS inside of a protocol so
I'll not address that. 

(I'd be curious to know how other dissectors handle this: what do they do if
handed a payload might be encrypted but which hasn't been decrypted ? Is there
something that indicates that the payload hasn't been decrypted and thus no
dissection should be attempted ?)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.