Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 12568] New: Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length

Wireshark-bugs: [Wireshark-bugs] [Bug 12568] New: Wireshark is marking BGP FlowSpec NLRI as malf

Date: Wed, 29 Jun 2016 10:05:54 +0000

Bug ID	12568
Summary	Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
Product	Wireshark
Version	2.0.4
Hardware	All
OS	All
Status	UNCONFIRMED
Severity	Major
Priority	Low
Component	Dissection engine (libwireshark)
Assignee	[email protected]
Reporter	[email protected]

Created attachment 14690 [details]
FlowSpec PCAP

Build Information:
Version 2.0.4 (v2.0.4-0-gdd7746e from master-2.0)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.11.0, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale C, with
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without
AirPcap.
       Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8052MB of
physical memory.


Built using Microsoft Visual C++ 12.0 build 40629

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger
than 239 bytes.

Please see attached PCAP for details. 

it is most probably happening in "static int decode_flowspec_nlri(proto_tree
*tree, tvbuff_t *tvb, gint offset, guint16 afi, packet_info *pinfo)"



this part seems to be wrong:

tot_flow_len = tvb_get_guint8(tvb, offset);2573     
/* if nlri length is greater than 240 bytes, it is encoded over 2 bytes */
/* with most significant nibble all in one. 240 is encoded 0xf0f0, 241 0xf0f1
*/
/* max possible value value is 4095 Oxffff */

if (tot_flow_len >= 240)
{
         len_16 = tvb_get_ntohs(tvb, offset);
         tot_flow_len = len_16 >> 4; /* move 4 bits to the right to remove
first f */
         offset_len = 2;
     } else {
        offset_len = 1;
    }

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 12529] Support the -e flag to choose specific fields to show for output formats other than than CSV, such as PDML and JSON
Next by Date: [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
Previous by thread: [Wireshark-bugs] [Bug 12567] Wireshark requires strict format for SPI field of ESP/SA configuration option
Next by thread: [Wireshark-bugs] [Bug 12568] Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes
Index(es):
- Date
- Thread