Wireshark-bugs: [Wireshark-bugs] [Bug 11152] Wireshark decodes some valid RTP packets as STUN pa
Comment # 4 on bug 11152 from Guy Harris
(In reply to Guy Harris from comment #3)
> The STUN heuristic dissector is recognizing the RTP packets as TURN
> ChannelData packets. There *is* a check, early in dissect_stun_message() in
> packet-stun.c, for valid ChannelData messages, including a check of the
> value of the putative length field, so either that check is somehow being
> bypassed or is letting the packets in question pass the test.
Surprisingly, those packets pass the test, which *does* check the Length field
to see whether it's appropriate for the actual length of the packet.

That field overlaps the "Sequence Number" field of RTP packets. A long enough
sequence of RTP packets, with sequence numbers incrementing by 1 for each
packet, might well contain a packet that, by pure bad luck, *happens* to have a
sequence number that would also be a valid length, so the two heuristics
collide here. That's what happens for those two packets.

Perhaps we should mark the entire UDP "conversation" (between the two IP
address/UDP port endpoints) as being an RTP conversation once a single packet
has been dissected as RTP.
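The collision described in this comment, and the effect of the proposed conversation marking, as an added example: a simplified stand-alone model, not code from Wireshark's packet-stun.c or from the bug report. The acceptance test in `looks_like_channel_data`, the 160-byte payload size and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN (12 + 160)  /* constructed: 12-byte RTP header + 160-byte payload */

/* Assumed length-based check: the top two bits of the first byte are not 00
 * (so not an ordinary STUN message) and the 16-bit Length at offset 2 equals
 * the number of bytes that follow the 4-byte ChannelData header. */
static bool looks_like_channel_data(const uint8_t *pkt, size_t len)
{
    if (len < 4 || (pkt[0] & 0xC0) == 0)
        return false;
    return (size_t)((pkt[2] << 8) | pkt[3]) == len - 4;
}

/* Constructed RTP v2 packet: the sequence number occupies bytes 2-3, the same
 * offset as the ChannelData Length field. */
static size_t build_rtp(uint8_t *buf, uint16_t seq)
{
    memset(buf, 0, PKT_LEN);
    buf[0] = 0x80;                  /* V=2, no padding, extension or CSRC */
    buf[2] = (uint8_t)(seq >> 8);
    buf[3] = (uint8_t)(seq & 0xFF);
    return PKT_LEN;
}

/* Count packets of one RTP stream that the check takes as ChannelData. With
 * pin set, the conversation is marked RTP after the first packet dissected as
 * RTP and the ChannelData heuristic is not consulted again. */
static unsigned misdissected(uint16_t first_seq, unsigned count, bool pin)
{
    uint8_t pkt[PKT_LEN];
    bool is_rtp_conversation = false;
    unsigned hits = 0;
    for (unsigned i = 0; i < count; i++) {
        size_t len = build_rtp(pkt, (uint16_t)(first_seq + i));
        if (!is_rtp_conversation && looks_like_channel_data(pkt, len))
            hits++;                 /* sequence number == PKT_LEN - 4 */
        else if (pin)
            is_rtp_conversation = true;
    }
    return hits;
}

int main(void)
{
    printf("%u %u %u\n", misdissected(0, 1000, false),
           misdissected(0, 1000, true), misdissected(168, 1000, true));
    return 0;
}
```

The third call starts the stream at the colliding sequence number: marking the conversation only helps once some earlier packet has already been dissected as RTP.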