
Wireshark-bugs: [Wireshark-bugs] [Bug 6414] New: Incorrect identification of UDP-encapsulated NA

Date: Fri, 30 Sep 2011 15:45:27 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6414

           Summary: Incorrect identification of UDP-encapsulated
                    NAT-keepalive packets
           Product: Wireshark
           Version: 1.6.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: dsm42@xxxxxxxxx


Created an attachment (id=7121)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7121)
packet-ipsec-udp.c.diff

Build Information:
$ wireshark -v
wireshark 1.6.2 (SVN Rev 38931 from /trunk-1.6)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.12.9, with GLib 2.16.3, with libpcap 0.9.5, with
libz 1.2.3, without POSIX capabilities, without libpcre, with SMI 0.4.8, with
c-ares 1.5.3, with Lua 5.1, without Python, with GnuTLS 2.6.2, with Gcrypt
1.4.3, with MIT Kerberos, without GeoIP, with PortAudio V19-devel (built Nov 14
2008), without AirPcap.

Running on Mac OS 10.5.8 (Darwin 9.8.0), with libpcap version 0.9.5, with libz
1.2.3, GnuTLS 2.6.2, Gcrypt 1.4.3.

Built using gcc 4.0.1 (Apple Inc. build 5488).

--
The packet-ipsec-udp.c dissector incorrectly identifies NAT-keepalive packets
(RFC 3948 section 2.3). The code in the dissector treats any packet with 0xFF
as the first byte as a NAT-keepalive. This causes ESP packets where the first
byte of the SPI is 0xFF to be mis-identified as NAT-keepalive rather than ESP.
Per RFC, NAT-keepalive packets must have a one-octet long payload, with the
value of 0xFF.

The attached patch, created against the svn trunk revision 35224 (HEAD for this
file at time of the bug report), corrects the issue by adding a check of the
payload length when identifying NAT-keepalive. It also corrects the comment
immediately above, which stated that the value of 0 (not 0xFF) identifies
NAT-keepalive.
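As an added illustration of the defect the report describes (this is example code, not the attached patch and not Wireshark's packet-ipsec-udp.c), the following C program places the first-octet-only test beside the length-checked test that RFC 3948 section 2.3 calls for, and runs both over constructed UDP payloads: a genuine one-octet keepalive, an IKE packet behind the four-zero-octet non-ESP marker of section 2.2, and an ESP packet whose SPI happens to begin with 0xFF. The enum, function and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Possible contents of a UDP datagram carrying RFC 3948 NAT-traversal
 * traffic. Hypothetical names chosen for this example. */
typedef enum {
    UDP_ENCAP_NAT_KEEPALIVE,  /* RFC 3948 s2.3: exactly one octet, 0xFF   */
    UDP_ENCAP_IKE,            /* RFC 3948 s2.2: four zero octets then IKE */
    UDP_ENCAP_ESP,            /* RFC 3948 s2.1: ESP header, SPI first     */
    UDP_ENCAP_INVALID         /* too short to be any of the above         */
} udp_encap_kind;

/* The flawed predicate from the bug report: it looks only at the first
 * octet, so any ESP packet whose SPI starts with 0xFF is misclassified. */
int is_keepalive_first_byte_only(const uint8_t *buf, size_t len)
{
    return len >= 1 && buf[0] == 0xFF;
}

/* The corrected predicate: the payload must be one octet long AND 0xFF. */
int is_keepalive_rfc3948(const uint8_t *buf, size_t len)
{
    return len == 1 && buf[0] == 0xFF;
}

/* Classify a UDP payload using the corrected keepalive test. */
udp_encap_kind classify_udp_encap(const uint8_t *buf, size_t len)
{
    if (is_keepalive_rfc3948(buf, len))
        return UDP_ENCAP_NAT_KEEPALIVE;
    if (len < 4)
        return UDP_ENCAP_INVALID;
    /* Four zero octets are the non-ESP marker that precedes an IKE header;
     * a real ESP SPI is never zero, so this cannot collide with ESP. */
    if (buf[0] == 0 && buf[1] == 0 && buf[2] == 0 && buf[3] == 0)
        return UDP_ENCAP_IKE;
    return UDP_ENCAP_ESP;
}

/* Read the SPI (first four octets, network byte order) of an ESP payload. */
uint32_t esp_spi(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return 0;
    return ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t sample_keepalive[] = { 0xFF };
static const uint8_t sample_ike_marker[] = { 0x00, 0x00, 0x00, 0x00,
                                             0x11, 0x22, 0x33, 0x44 };
/* ESP: SPI 0xFF001234, sequence number 1, then opaque payload bytes. */
static const uint8_t sample_esp_ff_spi[] = { 0xFF, 0x00, 0x12, 0x34,
                                             0x00, 0x00, 0x00, 0x01,
                                             0xDE, 0xAD, 0xBE, 0xEF };

/* Returns 1 if the flawed test mislabels the ESP sample while the
 * corrected test does not, i.e. reproduces the reported bug. */
int bug_reproduced(void)
{
    size_t n = sizeof sample_esp_ff_spi;
    return is_keepalive_first_byte_only(sample_esp_ff_spi, n) &&
           !is_keepalive_rfc3948(sample_esp_ff_spi, n);
}

static const char *kind_name(udp_encap_kind k)
{
    switch (k) {
    case UDP_ENCAP_NAT_KEEPALIVE: return "NAT-keepalive";
    case UDP_ENCAP_IKE:           return "IKE";
    case UDP_ENCAP_ESP:           return "ESP";
    default:                      return "invalid";
    }
}

int main(void)
{
    printf("keepalive  -> %s\n", kind_name(classify_udp_encap(sample_keepalive, sizeof sample_keepalive)));
    printf("ike        -> %s\n", kind_name(classify_udp_encap(sample_ike_marker, sizeof sample_ike_marker)));
    printf("esp ff spi -> %s (SPI 0x%08x)\n",
           kind_name(classify_udp_encap(sample_esp_ff_spi, sizeof sample_esp_ff_spi)),
           esp_spi(sample_esp_ff_spi, sizeof sample_esp_ff_spi));
    printf("first-byte-only test mislabels the ESP sample: %s\n",
           bug_reproduced() ? "yes" : "no");
    return 0;
}
```

The practical consequence for analysts is the one the report implies: with the first-octet test, roughly one SPI in 256 makes a whole ESP flow vanish from ESP-based filters and statistics and show up as keepalives instead, so a dissector (or any home-grown parser) should check the payload length before the 0xFF value.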
