Wireshark-bugs: [Wireshark-bugs] [Bug 8250] GOOSE dissector incorrectly parsing status number an
Date: Tue, 22 Jan 2013 10:01:28 +0000

changed bug 8250

What Removed Added
Hardware x86-64 All
OS Linux (other) All

Comment # 1 on bug 8250 from
packet-goose.c is a machine-generated dissector, so it should not be modified;
the files that generate it (or the generator) should be modified.

The ASN.1 file for GOOSE (asn1/goose/goose.asn) says:


IECGoosePdu ::= SEQUENCE {
    gocbRef                [0] IMPLICIT VisibleString,
    timeAllowedtoLive    [1] IMPLICIT INTEGER,
    datSet                [2] IMPLICIT VisibleString,
    goID                [3] IMPLICIT VisibleString OPTIONAL,
    t                    [4] IMPLICIT UtcTime,
    stNum                [5] IMPLICIT INTEGER,
    sqNum                [6] IMPLICIT INTEGER,
    test                [7] IMPLICIT BOOLEAN DEFAULT FALSE,
    confRev                [8] IMPLICIT INTEGER,
    ndsCom                [9] IMPLICIT BOOLEAN DEFAULT FALSE,
    numDatSetEntries    [10] IMPLICIT INTEGER,
    allData                [11] IMPLICIT SEQUENCE OF Data --,
--    security            [12] ANY OPTIONAL
                             -- reserved for digital signature
}

so stNum and sqNum are specified as INTEGER, which the ASN.1-to-dissector
generator turns, I think, into FT_INT32.

In theory, especially with BER, INTEGER should turn into an FT_INT that handles
arbitrary-size bignums; unfortunately, we don't implement such a type.

If you add

#.FIELD_ATTR
IECGoosePdu/stNum  TYPE = FT_UINT32  DISPLAY = BASE_DEC
IECGoosePdu/sqNum  TYPE = FT_UINT32  DISPLAY = BASE_DEC

to asn1/goose/goose.cnf, that causes the generated dissector to make
goose.stNum and goose.sqNum FT_UINT32 fields.

I'm not sure whether the BER decoding code handles integer values > 2^31-1,
however.  If you just change FT_INT32 to FT_UINT32 in
epan/dissectors/packet-goose.c (which is what the above change to
asn1/goose/goose.cnf will do if you regenerate the dissector), does the
resulting dissector properly handle stNum and sqNum values > 2^31-1?


You are receiving this mail because:
  • You are watching all bug changes.