https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4908
Summary: NFS NULL procedure not being decoded if it spans
multiple frames
Product: Wireshark
Version: 1.4.0
Platform: Other
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: fschorr@xxxxxxxxxxx
Build Information:
Version 1.4.0rc1 (SVN Rev 33190 from /trunk-1.4)
Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.16.6, (32-bit) with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with
SMI
0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.8.5, with
Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
Jun
9 2010), with AirPcap.
Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.1
(packet.dll version 4.1.0.1753), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.
Built using Microsoft Visual C++ 9.0 build 30729
--
NFS NULL procedure not being decoded if it spans multiple frames is being
caused in this example by the NFSv4 NULL containing a GSS Token with a Kerberos
"service ticket" that spans multiple frames when TCP is set to reasemble TCP
streams. In the attached capture the NFS NULL request is in frame 1, 2 and 4.
The problem seems to be caused by is_heur being set in the following "if"
statements from routine dissect_rpc_fragment()because the PDU length is greater
then the bytes remaining in TVB or in other words the PDU length is larger then
then TCP data for one frame.
if (rpc_desegment) {
seglen = tvb_length_remaining(tvb, offset + 4);
if ((gint)len > seglen && pinfo->can_desegment) {
/*
* This frame doesn't have all of the
* data for this message, but we can do
* reassembly on it.
*
* If this is a heuristic dissector, just
* return 0 - we don't want to try to get
* more data, as that's too likely to cause
* us to misidentify this as valid.
*
* XXX - this means that we won't
* recognize the first fragment of a
* multi-fragment RPC operation unless
* we've already identified this
* conversation as being an RPC
* conversation (and thus aren't running
* heuristically) - that would be a problem
* if, for example, the first segment were
* the beginning of a large NFS WRITE.
*
* If this isn't a heuristic dissector,
* we've already identified this conversation
* as containing data for this protocol, as we
* saw valid data in previous frames. Try to
* get more data.
*/
if (is_heur)
return 0; /* not valid */
else {
pinfo->desegment_offset = offset;
pinfo->desegment_len = len - seglen;
return -((gint32) pinfo->desegment_len);
}
}
is_heur is being set in routine dissect_rpc_tcp_heur(). It appears that this
routine is the dissector entry point when packet_rpc dissector is called. It
appears that only heur_dissector_add is being used to register the RPC
dissector for non-port 111 dissection.
I've looked at programming a special case to handle this situation but so far I
haven't made sense out of the comments just above the "if (is_heur)" line
above. I haven't tried removing the "if (is_heur)" test yet to see if the NULL
would decode and to see what would break!
Thanks,
Frank
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
