Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 5883] New: Dissector bug on SNMP variable bindings with Un

Date: Mon, 2 May 2011 11:22:19 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5883

           Summary: Dissector bug on SNMP variable bindings with
                    Unsigned32 field in INDEX clause
           Product: Wireshark
           Version: 1.4.6
          Platform: Other
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: sean.van.gorder@xxxxxxxxx


Created an attachment (id=6273)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6273)
Capture of packet showing the bug

Build Information:
Version 1.4.6 (SVN Rev 36706 from /trunk-1.4)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.16.6, with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with
SMI
0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with
Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
Apr
18 2011), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2
(packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 21022

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
PROBLEM:

When Wireshark attempts to read an SNMP packet with a variable-bindings item
with an OID containing an index string which includes an entry of type
"Unsigned32", Wireshark will stop dissecting the packet at this index entry and
end with the error:

[Dissector bug, protocol SNMP: proto.c:2761: failed assertion
"DISSECTOR_ASSERT_NOT_REACHED"]

The proto.c line is in the function proto_tree_add_uint, which throws the
exception when called with an hfindex other than FT_UINT8, FT_UINT16,
FT_UINT24, FT_UINT32, or FT_FRAMENUM.



HOW TO REPRODUCE:

To reproduce the problem, Wireshark must first be configured to resolve OIDs. 
On the Preferences screen under "Name Resolution", check "Enable OID
resolution".** Restart Wireshark and return to the "Name Resolution" screen,
click "Edit" next to "SMI (MIB and PIB) modules", click "New" and type in
"IP-FORWARD-MIB". Restart Wireshark again.

In the attached example, Wireshark throws an exception when trying to display
inetCidrRoutePfxLen in the index of inetCidrRouteEntry. This field is of type
InetAddressPrefixLength, which is just Unsigned32 with a restricted range.

If the file "IP-FORWARD-MIB" is edited to use Integer32 instead of
InetAddressPrefixLength for inetCidrRoutePfxLen, the bug does not occur.
Another workaround is to edit InetAddressPrefixLength in the file
"INET-ADDRESS-MIB" to use Integer32 instead of Unsigned32.



**NOTE: If an error message stating "Stopped processing module SNMPv2-SMI"
appears, this is a separate issue (Windows only?) with a workaround. In the
file "SNMPv2-SMI", change the line:

        IMPLICIT INTEGER (0..18446744073709551615)

to:

        IMPLICIT INTEGER (0..4294967295)

This file can be found under Wireshark\snmp\mibs on Windows. On Linux it may be
under /usr/share/snmp/mibs.



WHY IT HAPPENS:

The bug appears to be in packet-snmp-template.c:

case OID_KEY_TYPE_INTEGER: {
    if (IS_FT_INT(k->ft_type)) {
       
proto_tree_add_int(pt_name,k->hfid,tvb,name_offset,name_len,(guint)subids[key_start]);
    } else { /* if it's not an unsigned int let proto_tree_add_uint throw a
warning */
       
proto_tree_add_uint(pt_name,k->hfid,tvb,name_offset,name_len,(guint)subids[key_start]);
    }

Unsigned32 is hard-coded in epan/oids.c to use OID_KEY_TYPE_INTEGER and
FT_UINT64, but proto_tree_add_uint cannot handle FT_UINT64 and will throw the
exception seen above.



HOW TO FIX:

(Disclaimer: I don't have the means to recompile on Windows right now, so I
haven't tested these.)

The simplest fix should be to replace proto_tree_add_uint with
proto_tree_add_uint64 in the above code, since all the unsigned
oid_value_type_t types use FT_UINT64. To avoid later problems, it might be
better to add branches for all 4 possibilities (int, uint, int64, uint64).

Alternately, the functions proto_tree_add_int and proto_tree_add_uint could be
modified to call the 64-bit functions when a 64-bit type is encountered, which
would avoid similar bugs appearing in other dissectors as well. Of course, this
may have side-effects.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.