Wireshark-dev: Re: [Wireshark-dev] [Patch] Fix for bug #1163: "Dissector bug. ISO8073COTP proto
From: "Graeme Lunt" <[email protected]>
Date: Mon, 6 Nov 2006 18:35:25 +0100

> Attached is a patch to fix bug #1163: "Dissector bug. ISO8073 COTP 
> protocol."  The SES dissector was incorrectly believing it had PDUs 
> within the COTP PDUs.  I added an additional heuristic check 
> to see if 
> the length of the SES PDU is 0, then return false since it 
> can't be zero length.

This patch (r19733) breaks the dissection of X.400 and X.500 protocols, and
probably other things besides. 
I think that the heuristic is incorrect.

Have a look at frame 20 in:


There is a "Give Tokens PDU" which has a parameter length of 0 and then a
"DATA TRANSFER (DT) PDU", also with a parameter length of 0. Note the length
indicates the length of the parameter, not the session PDU.

A quick look at the standard for the content of a GIVE TOKENS SPDU (as an
example) says 
"the parameter shall not be present if either:
 1) Protocol Version 1 is selected; or
 2) the GIVE TOKENS SPDU is being used to introduce a concatentated sequence
of SPDUs"

In this case both are true, so the parameter cannot be present and therefore
a length of 0 is perfectly valid. 

If you want me to dig any deeper, let me know.