Wireshark-bugs: [Wireshark-bugs] [Bug 4908] New: NFS NULL procedure not being decoded if it span
Date: Wed, 23 Jun 2010 14:15:02 -0700 (PDT)

           Summary: NFS NULL procedure not being decoded if it spans
                    multiple frames
           Product: Wireshark
           Version: 1.4.0
          Platform: Other
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: [email protected]
        ReportedBy: [email protected]

Build Information:
Version 1.4.0rc1 (SVN Rev 33190 from /trunk-1.4)

Copyright 1998-2010 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO

Compiled with GTK+ 2.16.6, (32-bit) with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with
0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.8.5, with
Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
 9 2010), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.1
(packet.dll version, based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729
NFS NULL procedure not being decoded if it spans multiple frames is being
caused in this example by the NFSv4 NULL containing a GSS Token with a Kerberos
"service ticket" that spans multiple frames when TCP is set to reasemble TCP
streams.  In the attached capture the NFS NULL request is in frame 1, 2 and 4.

The problem seems to be caused by is_heur being set in the following "if"
statements from routine dissect_rpc_fragment()because the PDU length is greater
then the bytes remaining in TVB or in other words the PDU length is larger then
then TCP data for one frame.

    if (rpc_desegment) {
        seglen = tvb_length_remaining(tvb, offset + 4);

        if ((gint)len > seglen && pinfo->can_desegment) {
             * This frame doesn't have all of the
             * data for this message, but we can do
             * reassembly on it.
             * If this is a heuristic dissector, just
             * return 0 - we don't want to try to get
             * more data, as that's too likely to cause
             * us to misidentify this as valid.
             * XXX - this means that we won't
             * recognize the first fragment of a
             * multi-fragment RPC operation unless
             * we've already identified this
             * conversation as being an RPC
             * conversation (and thus aren't running
             * heuristically) - that would be a problem
             * if, for example, the first segment were
             * the beginning of a large NFS WRITE.
             * If this isn't a heuristic dissector,
             * we've already identified this conversation
             * as containing data for this protocol, as we
             * saw valid data in previous frames.  Try to
             * get more data.
            if (is_heur)
                return 0;    /* not valid */
            else {
                pinfo->desegment_offset = offset;
                pinfo->desegment_len = len - seglen;
                return -((gint32) pinfo->desegment_len);

is_heur is being set in routine dissect_rpc_tcp_heur().  It appears that this
routine is the dissector entry point when packet_rpc dissector is called.  It
appears that only heur_dissector_add is being used to register the RPC
dissector for non-port 111 dissection.

I've looked at programming a special case to handle this situation but so far I
haven't made sense out of the comments just above the "if (is_heur)" line
above.  I haven't tried removing the "if (is_heur)" test yet to see if the NULL
would decode and to see what would break!



Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.