Wireshark-bugs: [Wireshark-bugs] [Bug 10029] New: SAP (Session Announcement Protocol) dissector
Date: Wed, 23 Apr 2014 09:36:49 +0000
Bug ID 10029
Summary SAP (Session Announcement Protocol) dissector reads wrong IP version
Classification Unclassified
Product Wireshark
Version unspecified
Hardware x86
OS Mac OS X 10.8
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:
TShark 1.11.2 (SVNRev 53411 from /trunk)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.36.0, with libpcap, with libz 1.2.3, without
POSIX
capabilities, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with
GeoIP.

Running on Mac OS X 10.8.5, build 12F45 (Darwin 12.5.0), with locale
de_DE.UTF-8, with libpcap version 1.1.1, with libz 1.2.5.
      Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).
--
There's an if statement in the SAP dissector obviously reverted. If it is IPv4
then the dissector tries to read IPv6 origin addresses and vice versa. This
creates a bunch of errors when the data is displayed although it seems to be
correct. Patching the bit to tell it is IPv6 makes the dissector reading an
IPv4 address and the dissection works.

SAP might not be very popular, but it is still odd that nobody spotted this for
so long. The pcap attached to the ISMACryp wiki page nicely demoes the bug.

Here's the code that needs some obvious fixing (if IPv6 then read IPv4?) in 
epan / dissectors / packet-sap.c:

 170     if (is_ipv6)
 171         proto_tree_add_item(sap_tree, hf_sap_originating_source_ipv4, tvb,
offset, addr_len, ENC_BIG_ENDIAN);
 172     else
 173         proto_tree_add_item(sap_tree, hf_sap_originating_source_ipv6, tvb,
offset, addr_len, ENC_NA);


You are receiving this mail because:
  • You are watching all bug changes.