Wireshark-dev: Re: [Wireshark-dev] Bug in packet-eapol.c
From: "ronnie sahlberg" <[email protected]>
Date: Thu, 20 Jul 2006 09:22:00 +0000
checked in

On 7/18/06, Michael Stevens <[email protected]> wrote:
This section of code prevents disassembly of the data field of RSN Key-Data
packets that are flagged as "Protected". From what I can tell the first
comment is wrong and all group key key data fields are encrypted, not just
WPA. The chained IE fields have a null terminating IE of 0 length to
terminate the chain.

          ti = proto_tree_add_item(eapol_tree, hf_eapol_wpa_keydes_data,
                tvb, offset, eapol_data_len, FALSE);
          if ( (keyinfo & KEY_INFO_ENCR_KEY_DATA_MASK) ||
              !(keyinfo & KEY_INFO_KEY_TYPE_MASK)) {
            /* RSN: EAPOL-Key Key Data is encrypted.
             * WPA: Group Keys use encrypted Key Data.
             * Cannot parse this without knowing the key. */
          } else {
            keydes_tree = proto_item_add_subtree(ti, ett_eapol_keydes_data);
            ieee_80211_add_tagged_parameters(tvb, offset, pinfo,

I have tested changing the conditional to use && instead of || and it seems
work fine. This would give the behavior of not attempting to disassemble key
data fields of group keys with protected set, which should always be the
with group keys. For an example look at frame 28 of the attached capture.

Mike Stevens
Software Engineer
Hobnob, Inc.