Wireshark-bugs: [Wireshark-bugs] [Bug 3179] New: Improper decoding of MPLS echo reply IPv4 Inter
Date: Tue, 6 Jan 2009 12:28:39 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3179

           Summary: Improper decoding of MPLS echo reply IPv4 Interface and
                    Label Stack Object
           Product: Wireshark
           Version: 1.0.3
          Platform: Other
        OS/Version: Fedora
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: keithvz@xxxxxxxxxxx


Created an attachment (id=2654)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2654)
full packet showing the problem

Build Information:
wireshark 1.0.3

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.4, with GLib 2.12.3, with libpcap 0.9.4, with libz
1.2.3, without POSIX capabilities, with libpcre 6.6, with SMI 0.4.5, without
ADNS, without Lua, with GnuTLS 1.4.1, with Gcrypt 1.2.3, with MIT Kerberos,
without PortAudio, without AirPcap.

Running on Linux 2.6.23.9-1, with libpcap version 0.9.4.

Built using gcc 4.1.2 20071124 (Red Hat 4.1.2-42).

--
When an MPLS echo reply contains a IPv4 Interface and Label Stack object,
Wireshark is improperly decoding that object.

 IPv4 Interface and Label Stack Object
        Type: IPv4 Interface and Label Stack Object (7)
        Length: 16
        Downstream IPv4 Address: 2.0.0.0 (2.0.0.0)
        Downstream Interface Address: 192.168.155.111 (192.168.155.111)

0040  ad 00 00 02 37 dc 49 63 ad 00 00 03 13 a4 00 07   ....7.Ic........
0050  00 10 02 00 00 00 c0 a8 9b 6f 00 00 00 1e 00 01   .........o......
0060  86 b0                                             ..

Decode starts properly at byte 4F, with a type of 7, this is correct.

Next, decode the length, 0x10 = 16 bytes. Good, length is good.

The next field _should_ be ADDRESS TYPE(1 byte), and a MBZ field (3 bytes of
0x00), then IP address and an interface index(when no IP is available)

See section 3.6 of RFC 4379 (http://tools.ietf.org/html/rfc4379)

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Address Type  |             Must Be Zero                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   IP Address (4 or 16 octets)                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                   Interface (4 or 16 octets)                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                                                               .
      .                                                               .
      .                          Label Stack                          .
      .                                                               .
      .                                                               .
      .                                                               .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

0050  00 10 02 00 00 00 c0 a8 9b 6f 00 00 00 1e 00 01   .........o......
0060  86 b0

So at offset 0x52, 2 should be the ADDRESS TYPE
offset 0x53-0x55, should be the MBZ field, 000.

Next IP address should be c0 a8 9b 6f = 192.168.155.111.
offset 0x5A-5D is an interface index of 0x0000001E.

The last four bytes are properly being decoded as a Label Stack Element
(however, there should only be one in this packet instead of the shown two, see
attachment) :

Label Stack Element 2, Label: 24, Exp: 3, BOS: 0, TTL: 176
            Label: 24
            Exp: 3
            BOS: 0
            TTL: 176


I hope this helps!

Thanks

Keith


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.