Wireshark-bugs: [Wireshark-bugs] [Bug 6347] New: [ASN.1 PER] Incorrect decoding of BIT STRING ty

Date: Thu, 15 Sep 2011 12:37:03 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6347

           Summary: [ASN.1 PER] Incorrect decoding of BIT STRING type
           Product: Wireshark
           Version: SVN
          Platform: Other
        OS/Version: Windows Vista
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: pascal.quantin@xxxxxxxxx


Created an attachment (id=7025)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7025)
Fix for ASN.1 PER BIT STRING decoding

Build Information:
Version 1.7.0 (SVN Rev 39010 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with Cairo 1.10.2, with Pango 1.28.3, with
GLib 2.26.1, with WinPcap (version unknown), with libz 1.2.5, without POSIX
capabilities, with threads support, with SMI 0.4.8, with c-ares 1.7.1, with Lua
5.1, without Python, with GnuTLS 2.10.3, with Gcrypt 1.4.6, with MIT Kerberos,
with GeoIP, with PortAudio V19-devel (built Sep 11 2011), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2
(packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The current code fails to properly decode the last bits of a BIT STRING type.

Let's take for example this LTE RRC DL DCCH message dump: 20 06 02 68 3a 10 0a
48 32 03 27 80 00 00 00 01 82 90 16 08 08 30 f0 33 43 ab 0b bb 2b 48 1b 1b 7b
68 32 6a 72 19 81 81 88 32 6a 1a 19 a1 b1 80 22 3a 82 92 98 28 0e a8 60 c8 12
f0 27 f7 f4 f4 f2 80 5f b3 27 80 04 00 00 08 00 00 1f 83 20 08 03 53 81 1f 99
c0 32 76 03 ea 05 d1 d4 1c 23 c8 88 40 17 c3 80 20 0e 51 35 af d0 00 06 c0

It decodes as:
DL-DCCH-Message
    message: c1 (0)
        c1: rrcConnectionReconfiguration (4)
            rrcConnectionReconfiguration
                rrc-TransactionIdentifier: 0
                criticalExtensions: c1 (0)
                    c1: rrcConnectionReconfiguration-r8 (0)
                        rrcConnectionReconfiguration-r8
                            dedicatedInfoNASList: 1 item
                                Item 0
                                    DedicatedInfoNAS: 07420149064064f000000000305202c101061e0668756177...
                            radioResourceConfigDedicated
                                srb-ToAddModList: 1 item
                                    Item 0
                                        SRB-ToAddMod
                                            srb-Identity: 2
                                            rlc-Config: explicitValue (0)
                                                explicitValue: am (0)
                                                    am
                                                        ul-AM-RLC
                                                            t-PollRetransmit: ms45 (8)
                                                            pollPDU: pInfinity (7)
                                                            pollByte: kBinfinity (14)
                                                            maxRetxThreshold: t4 (3)
                                                        dl-AM-RLC
                                                            t-Reordering: ms35 (7)
                                                            t-StatusProhibit: ms0 (0)
                                            logicalChannelConfig: explicitValue (0)
                                                explicitValue
                                                    ul-SpecificParameters
                                                        priority: 3
                                                        prioritisedBitRate: infinity (7)
                                                        bucketSizeDuration: ms300 (3)
                                                        logicalChannelGroup: 0
                                drb-ToAddModList: 1 item
                                    Item 0
                                        DRB-ToAddMod
                                            eps-BearerIdentity: 5
                                            drb-Identity: 1
                                            pdcp-Config
                                                discardTimer: ms1500 (6)
                                                rlc-UM
                                                    pdcp-SN-Size: len12bits (1)
                                                headerCompression: notUsed (0)
                                                    notUsed: NULL
                                            rlc-Config: um-Bi-Directional (1)
                                                um-Bi-Directional
                                                    ul-UM-RLC
                                                        sn-FieldLength: size10 (1)
                                                    dl-UM-RLC
                                                        sn-FieldLength: size10 (1)
                                                        t-Reordering: ms50 (10)
                                            logicalChannelIdentity: 3
                                            logicalChannelConfig
                                                ul-SpecificParameters
                                                    priority: 9
                                                    prioritisedBitRate: kBps64 (4)
                                                    bucketSizeDuration: ms300 (3)
                                                    logicalChannelGroup: 3
                                mac-MainConfig: explicitValue (0)
                                    explicitValue
                                        ul-SCH-Config
                                            periodicBSR-Timer: sf10 (1)
                                            retxBSR-Timer: sf320 (0)
                                            0... .... ttiBundling: False
                                        timeAlignmentTimerDedicated: sf2560 (4)
                                physicalConfigDedicated
                                    cqi-ReportConfig
                                        cqi-ReportModeAperiodic: rm31 (4)
                                        nomPDSCH-RS-EPRE-Offset: 0
                                        cqi-ReportPeriodic: setup (1)
                                            setup
                                                cqi-PUCCH-ResourceIndex: 2
                                                cqi-pmi-ConfigIndex: 3
                                                cqi-FormatIndicatorPeriodic: subbandCQI (1)
                                                    subbandCQI
                                                        k: 1
                                                ri-ConfigIndex: 649
                                                ...1 .... simultaneousAckNackAndCQI: True
                                    antennaInfo: explicitValue (0)
                                        explicitValue
                                            transmissionMode: tm4 (3)
                                            codebookSubsetRestriction: n2TxAntenna-tm4 (2)
                                                n2TxAntenna-tm4: c0 [bit length 6, 2 LSB pad bits, 1100 00.. decimal value 48]
                                            ue-TransmitAntennaSelection: release (0)
                                                release: NULL
                                    schedulingRequestConfig: setup (1)
                                        setup
                                            sr-PUCCH-ResourceIndex: 0
                                            sr-ConfigIndex: 3
                                            dsr-TransMax: n32 (3)


The field n2TxAntenna-tm4 (6 bits) is decoded as 110000.
But by decoding the message manually, we can see that the n2TxAntenna-tm4
corresponds to the 4 LSB of byte 0xAF and the 2 MSB of byte 0xD0.
So it should be decoded as 111111.

Following a code review, we can see that the function
new_octet_aligned_subset_bits is buggy:
- the variable remainderval is first used to get the number of MSB needed for
the last byte (line 223).
- then it is reused to check the buffer length (line 236).
- finally, it is used in line 268 as if it contained the number of MSB needed
for the last byte.

The attached patch fixes the bug and gets the correct decoding for the
n2TxAntenna-tm4 field.

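The extraction the report describes, as an added example that is not part of the bug report and not Wireshark's own code: a standalone C routine that copies a bit range out of an octet buffer into a new, left-aligned, octet-aligned buffer the way a PER BIT STRING sub-buffer must be built, keeping the "bits needed from the last byte" count separate from the bounds check, plus a renderer that prints the result in the same form as the tree above. The 110-byte message is transcribed from the dump in the report; counting that dump puts the byte 0xaf at index 105, so the n2TxAntenna-tm4 field starts at bit offset 105*8+4 = 844. The function names (octet_aligned_subset_bits, render_bitstring, subset_bits_render) and the four-byte second sample are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LTE RRC DL-DCCH message from the report, transcribed from the hex dump (110 bytes). */
static const uint8_t dl_dcch_msg[] = {
    0x20,0x06,0x02,0x68,0x3a,0x10,0x0a,0x48,0x32,0x03,0x27,0x80,0x00,0x00,0x00,0x01,
    0x82,0x90,0x16,0x08,0x08,0x30,0xf0,0x33,0x43,0xab,0x0b,0xbb,0x2b,0x48,0x1b,0x1b,
    0x7b,0x68,0x32,0x6a,0x72,0x19,0x81,0x81,0x88,0x32,0x6a,0x1a,0x19,0xa1,0xb1,0x80,
    0x22,0x3a,0x82,0x92,0x98,0x28,0x0e,0xa8,0x60,0xc8,0x12,0xf0,0x27,0xf7,0xf4,0xf4,
    0xf2,0x80,0x5f,0xb3,0x27,0x80,0x04,0x00,0x00,0x08,0x00,0x00,0x1f,0x83,0x20,0x08,
    0x03,0x53,0x81,0x1f,0x99,0xc0,0x32,0x76,0x03,0xea,0x05,0xd1,0xd4,0x1c,0x23,0xc8,
    0x88,0x40,0x17,0xc3,0x80,0x20,0x0e,0x51,0x35,0xaf,0xd0,0x00,0x06,0xc0
};

/* Constructed sample (not from the report) for an unaligned multi-byte extraction. */
static const uint8_t sample[] = { 0x51, 0x35, 0xaf, 0xd0 };

/* Copy no_of_bits bits of src, starting at bit offset bit_off (bits numbered
 * MSB first, as PER counts them), into dst left-aligned, with the pad bits of
 * the last byte cleared.  Returns the number of bytes written, or -1 when the
 * range runs past src_len or dst_cap.  The count of bits needed from the last
 * byte is computed once and used only for the final mask. */
static int octet_aligned_subset_bits(const uint8_t *src, size_t src_len,
                                     size_t bit_off, size_t no_of_bits,
                                     uint8_t *dst, size_t dst_cap)
{
    size_t byte_off = bit_off / 8;
    unsigned shift = (unsigned)(bit_off % 8);
    size_t out_len = (no_of_bits + 7) / 8;
    unsigned last_bits = (unsigned)(no_of_bits % 8);   /* 0 means the last byte is full */

    if (no_of_bits == 0)
        return 0;
    if (bit_off + no_of_bits > src_len * 8 || out_len > dst_cap)
        return -1;                                      /* bounds check, separate variable */

    for (size_t i = 0; i < out_len; i++) {
        /* 16-bit window over this source byte and the next (zero past the end) */
        unsigned window = (unsigned)src[byte_off + i] << 8;
        if (byte_off + i + 1 < src_len)
            window |= src[byte_off + i + 1];
        dst[i] = (uint8_t)((window << shift) >> 8);    /* 8 bits starting at 'shift' */
    }
    if (last_bits)
        dst[out_len - 1] &= (uint8_t)(0xFFu << (8 - last_bits));  /* clear pad bits */
    return (int)out_len;
}

/* Format a left-aligned bit string the way the PER dissector shows it in the
 * tree: hex bytes, bit length, pad count, the last byte's bits with pad bits
 * as '.', and the decimal value (taken over at most 32 bits). */
static const char *render_bitstring(const uint8_t *buf, size_t no_of_bits)
{
    static char out[512];
    size_t len = (no_of_bits + 7) / 8;
    unsigned pad = (unsigned)(len * 8 - no_of_bits);
    unsigned used = 8 - pad;
    uint32_t value = 0;
    size_t n = 0;

    if (no_of_bits == 0)
        return "";
    for (size_t i = 0; i < len && i < 32; i++)
        n += (size_t)snprintf(out + n, sizeof out - n, "%02x", buf[i]);
    n += (size_t)snprintf(out + n, sizeof out - n,
                          " [bit length %zu, %u LSB pad bits, ", no_of_bits, pad);
    for (unsigned b = 0; b < 8; b++) {                  /* last byte, grouped by four */
        if (b == 4)
            out[n++] = ' ';
        out[n++] = b < used ? (char)('0' + ((buf[len - 1] >> (7 - b)) & 1)) : '.';
    }
    for (size_t i = 0; i < no_of_bits && i < 32; i++)
        value = (value << 1) | ((buf[i / 8] >> (7 - i % 8)) & 1u);
    snprintf(out + n, sizeof out - n, " decimal value %u]", (unsigned)value);
    return out;
}

/* Extract and render in one step; NULL when the bit range is out of bounds. */
static const char *subset_bits_render(const uint8_t *src, size_t src_len,
                                      size_t bit_off, size_t no_of_bits)
{
    uint8_t sub[8];
    if (octet_aligned_subset_bits(src, src_len, bit_off, no_of_bits, sub, sizeof sub) < 0)
        return NULL;
    return render_bitstring(sub, no_of_bits);
}

int main(void)
{
    /* n2TxAntenna-tm4: low nibble of byte 105 (0xaf) + high two bits of byte 106 (0xd0) */
    const char *s = subset_bits_render(dl_dcch_msg, sizeof dl_dcch_msg, 105 * 8 + 4, 6);
    printf("n2TxAntenna-tm4: %s\n", s ? s : "(out of bounds)");
    return s ? 0 : 1;
}
```

Run as is, the program prints the field as fc [bit length 6, 2 LSB pad bits, 1111 11.. decimal value 63], which is the 111111 the reporter obtained by hand. The point of the example is the separation of the three quantities the report says were conflated: the byte/bit offset used for the copy, the bounds check against the source length, and the count of bits kept from the last byte, which is the only thing that feeds the final mask. For comparison, the unmasked last byte here is 0xfd, and masking it with the pad mask of a 2-bit field (0xc0) gives exactly the c0 shown in the tree above, which is consistent with the reporter's description of a wrong count reaching the final mask.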