Wireshark mailing list archives

Re: Possible change to packet-ssl.c?


From: Evan Huus <eapache () gmail com>
Date: Wed, 9 Apr 2014 22:17:19 -0400

On Wed, Apr 9, 2014 at 7:49 PM, Guy Harris <guy () alum mit edu> wrote:
Should this chunk of code:

    if (tree) {
        if (type && (payload_length <= record_length - 16 - 3)) {
            proto_item_set_text(tree, "%s Record Layer: Heartbeat "
                                "%s",
                                val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
                                type);
            proto_tree_add_item(tls_heartbeat_tree, hf_ssl_heartbeat_message_type,
                                tvb, offset, 1, ENC_BIG_ENDIAN);
            offset += 1;
            proto_tree_add_uint(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload_length,
                                tvb, offset, 2, payload_length);
            offset += 2;
            proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload,
                                        tvb, offset, payload_length,
                                        NULL, "Payload (%u byte%s)",
                                        payload_length,
                                        plurality(payload_length, "", "s"));
            offset += payload_length;
            proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_padding,
                                        tvb, offset, padding_length,
                                        NULL, "Padding and HMAC (%u byte%s)",
                                        padding_length,
                                        plurality(padding_length, "", "s"));
        } else {
            proto_item_set_text(tree,
                                "%s Record Layer: Encrypted Heartbeat",
                                val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
            proto_item_set_text(tls_heartbeat_tree,
                                "Encrypted Heartbeat Message");
        }
    }

perhaps report an expert info if the payload length is too large?  Why is that treated as a "this is encrypted" 
indication rather than a "somebody's trying to extract whatever's in the server's memory after the request payload" 
indication?

I have no idea why it treats it as an "encrypted" indication; possibly
some old deprecated spec? Anyways, +1 for heartbleed expert info.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
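The check the thread is discussing, `payload_length <= record_length - 16 - 3`, is the bound RFC 6520 implies for a heartbeat message: 3 header bytes plus at least 16 bytes of padding must fit inside the record, so a payload_length larger than that cannot be backed by data the peer actually sent. The following stand-alone classifier is an added example written for this archive page; it is not Wireshark's dissector code and none of its names (`classify_heartbeat`, `hb_verdict`, `hb_info`) come from packet-ssl.c. It parses a raw TLS record from a buffer, applies the same bound in signed arithmetic so a record shorter than 19 bytes cannot wrap an unsigned subtraction into a huge limit, and returns the verdict a dissector would attach as expert info. The sample records are constructed test inputs, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one TLS record handed to the classifier (hypothetical names, not Wireshark's). */
enum hb_verdict {
    HB_NOT_HEARTBEAT,      /* content type is not heartbeat (24), or too short for a record header */
    HB_TRUNCATED,          /* heartbeat record too short to carry type + payload_length */
    HB_OK,                 /* declared payload fits: payload_length <= record_length - 3 - 16 */
    HB_OVERSIZED_PAYLOAD   /* declared payload cannot fit in the record: flag it, don't call it "encrypted" */
};

#define TLS_CT_HEARTBEAT  24
#define TLS_RECORD_HDR     5  /* content type (1) + version (2) + length (2) */
#define HB_HEADER_LEN      3  /* message type (1) + payload_length (2) */
#define HB_MIN_PADDING    16  /* RFC 6520: padding is at least 16 bytes */

struct hb_info {
    uint16_t record_length;    /* length field from the TLS record header */
    uint8_t  message_type;     /* 1 = request, 2 = response */
    uint16_t payload_length;   /* length claimed by the heartbeat message */
    int32_t  max_payload;      /* largest payload the record could legitimately carry (may be negative) */
};

/* Classify the TLS record at buf[0..len). Decoded fields are written to *info when non-NULL. */
enum hb_verdict classify_heartbeat(const uint8_t *buf, size_t len, struct hb_info *info)
{
    struct hb_info tmp;
    memset(&tmp, 0, sizeof tmp);

    if (len < TLS_RECORD_HDR || buf[0] != TLS_CT_HEARTBEAT) {
        if (info) *info = tmp;
        return HB_NOT_HEARTBEAT;
    }
    tmp.record_length = (uint16_t)((buf[3] << 8) | buf[4]);

    /* The 3-byte heartbeat header must exist both in the declared record and in the captured bytes. */
    if (tmp.record_length < HB_HEADER_LEN || len < TLS_RECORD_HDR + HB_HEADER_LEN) {
        if (info) *info = tmp;
        return HB_TRUNCATED;
    }
    tmp.message_type   = buf[TLS_RECORD_HDR];
    tmp.payload_length = (uint16_t)((buf[TLS_RECORD_HDR + 1] << 8) | buf[TLS_RECORD_HDR + 2]);

    /* Same bound as the quoted dissector check, "record_length - 16 - 3", but computed in signed
     * arithmetic: with unsigned operands a record shorter than 19 bytes would wrap to a huge bound
     * and every payload_length would pass the test. */
    tmp.max_payload = (int32_t)tmp.record_length - HB_HEADER_LEN - HB_MIN_PADDING;
    if (info) *info = tmp;

    return ((int32_t)tmp.payload_length <= tmp.max_payload) ? HB_OK : HB_OVERSIZED_PAYLOAD;
}

/* Constructed sample records for exercising the classifier (not captured traffic). */
static const uint8_t well_formed[] = {
    0x18, 0x03, 0x02, 0x00, 0x23,                         /* heartbeat, TLS 1.1, record length 35 */
    0x01, 0x00, 0x10,                                     /* request, payload_length 16 */
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',  /* 16-byte payload */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0                       /* 16-byte padding */
};
static const uint8_t oversized[] = {
    0x18, 0x03, 0x02, 0x00, 0x03,                         /* heartbeat, record length 3 */
    0x01, 0x04, 0x00                                      /* request claiming a 1024-byte payload */
};
static const uint8_t truncated[] = { 0x18, 0x03, 0x02, 0x00, 0x01, 0x01 };   /* record length 1 */
static const uint8_t not_hb[]    = { 0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00 }; /* handshake */

int main(void)
{
    const struct { const char *name; const uint8_t *buf; size_t len; } samples[] = {
        { "well_formed", well_formed, sizeof well_formed },
        { "oversized",   oversized,   sizeof oversized },
        { "truncated",   truncated,   sizeof truncated },
        { "handshake",   not_hb,      sizeof not_hb },
    };
    static const char *labels[] = { "not a heartbeat", "truncated", "ok",
                                    "OVERSIZED PAYLOAD (expert info: payload length exceeds record)" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct hb_info info;
        enum hb_verdict v = classify_heartbeat(samples[i].buf, samples[i].len, &info);
        printf("%-12s record_length=%u payload_length=%u max_payload=%d -> %s\n",
               samples[i].name, info.record_length, info.payload_length, info.max_payload, labels[v]);
    }
    return 0;
}
```

The point of `max_payload` being a signed value is that the oversized sample yields -16: no payload at all could be legitimate in a 3-byte record, which is exactly the case the quoted code currently relabels as "Encrypted Heartbeat" instead of raising an expert info.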