
Wireshark-dev: Re: [Wireshark-dev] Bug in packet-eapol.c

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Thu, 20 Jul 2006 09:22:00 +0000
checked in

On 7/18/06, Michael Stevens <mike@xxxxxxxxxx> wrote:
This section of code prevents disassembly of the data field of RSN Key-Data
packets that are flagged as "Protected". From what I can tell the first
comment is wrong and all group key key data fields are encrypted, not just
WPA. The chained IE fields have a null terminating IE of 0 length to
terminate the chain.

          ti = proto_tree_add_item(eapol_tree, hf_eapol_wpa_keydes_data,
                tvb, offset, eapol_data_len, FALSE);
          if ( (keyinfo & KEY_INFO_ENCR_KEY_DATA_MASK) ||
              !(keyinfo & KEY_INFO_KEY_TYPE_MASK)) {
            /* RSN: EAPOL-Key Key Data is encrypted.
             * WPA: Group Keys use encrypted Key Data.
             * Cannot parse this without knowing the key. */
          } else {
            keydes_tree = proto_item_add_subtree(ti, ett_eapol_keydes_data);
            ieee_80211_add_tagged_parameters(tvb, offset, pinfo,
                                             keydes_tree, eapol_data_len);
          }

I have tested changing the conditional to use && instead of || and it seems
to work fine. This would give the behavior of not attempting to disassemble
key data fields of group keys with protected set, which should always be the
case with group keys. For an example look at frame 28 of the attached capture.


Mike Stevens
Software Engineer
Hobnob, Inc.
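
The two conditionals discussed in the message above, evaluated side by side as an added example (not part of the original post and not Wireshark's code). The mask values follow the IEEE 802.11i Key Information bit layout and are assumed to match the dissector's macros of the same names; the helper names and the sample descriptor bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions from the IEEE 802.11i Key Information field; assumed to
 * equal the dissector's macros of the same names. */
#define KEY_INFO_KEY_TYPE_MASK      0x0008  /* 1 = pairwise, 0 = group */
#define KEY_INFO_ENCR_KEY_DATA_MASK 0x1000  /* Key Data is encrypted */

/* Read the big-endian Key Information field that follows the one-byte
 * descriptor type. Returns -1 if the descriptor body is too short. */
static int read_keyinfo(const uint8_t *body, size_t len, uint16_t *keyinfo)
{
    if (body == NULL || len < 3)
        return -1;
    *keyinfo = (uint16_t)((body[1] << 8) | body[2]);
    return 0;
}

/* Conditional as quoted: skip Key Data if encrypted OR a group key. */
static int skips_with_or(uint16_t keyinfo)
{
    return (keyinfo & KEY_INFO_ENCR_KEY_DATA_MASK) ||
           !(keyinfo & KEY_INFO_KEY_TYPE_MASK);
}

/* Conditional as proposed: skip only if encrypted AND a group key. */
static int skips_with_and(uint16_t keyinfo)
{
    return (keyinfo & KEY_INFO_ENCR_KEY_DATA_MASK) &&
           !(keyinfo & KEY_INFO_KEY_TYPE_MASK);
}

int main(void)
{
    /* Constructed samples: descriptor type 2, then Key Information. */
    static const uint8_t samples[4][3] = {
        {0x02, 0x00, 0x8a},  /* pairwise, Key Data not encrypted */
        {0x02, 0x13, 0xca},  /* pairwise, Key Data encrypted */
        {0x02, 0x03, 0x82},  /* group, Key Data not encrypted */
        {0x02, 0x13, 0x82},  /* group, Key Data encrypted */
    };
    for (size_t i = 0; i < 4; i++) {
        uint16_t k;
        if (read_keyinfo(samples[i], sizeof samples[i], &k) == 0)
            printf("keyinfo 0x%04x  ||: %s  &&: %s\n", k,
                   skips_with_or(k) ? "skip" : "parse",
                   skips_with_and(k) ? "skip" : "parse");
    }
    return 0;
}
```

The two forms agree when neither or both conditions hold; they differ for a pairwise key with the encrypted bit set and for a group key with it clear, where only the || form skips the Key Data.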