Hi list,
Revisiting the Q.931 dissector I made a new patch which clears out the
following situation.
A long Q.931 message was sent from a host which offloaded part of the
TCP/IP processing to the network card. Since the resulting frame was
longer than 1514 octets it falls in two parts. This invalidated the TCP
checksum. The TCP dissector can detect this, when this feature is enabled.
See the attached capture file.
With a detected invalid TCP checksum desegmentation is supressed. So the
information element length is larger than the actual remaining size of the
TVB. This results in a failure when a tvb_new_subset is created to pass
to the H225 dissector.
The attached patch limits the information element length in case
desegmentation is turned off/supressed, so a valid tvb_subset can be
created and dissection can continue longer.
Thanx,
Jaap
Index: packet-q931.c
===================================================================
--- packet-q931.c (revision 16554)
+++ packet-q931.c (working copy)
@@ -45,6 +45,10 @@
#include <epan/lapd_sapi.h>
#include "packet-tpkt.h"
+#ifndef min
+#define min(a,b) (((a)<(b))?(a):(b))
+#endif
+
/* Q.931 references:
*
* http://www.acacia-net.com/Clarinet/Protocol/q9313svn.htm
@@ -2625,6 +2629,13 @@
if (info_element_len > 1) {
/*
+ * If we don't desegment limit the length
+ * to the actual size in the frame
+ */
+ if (pinfo->can_desegment) {
+ info_element_len = min(info_element_len, tvb_length_remaining(tvb, offset + 4));
+ }
+ /*
* Do we have a handle for the H.225
* dissector?
*/
Attachment:
splitq931.cap
Description: Binary data
