tcpdump mailing list archives

IPv6 with optional header filtering bug


From: Shalom Kramer <kpeace1 () gmail com>
Date: Wed, 30 Nov 2011 14:17:21 +0200

Hi,

I encountered a bug while trying to apply a filter to an IPv6 pcap which
contains IPv6 optional headers.
(link to pcap: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=http_over_ipv6_with_options.pcap)

To reproduce the bug simply run:

    tcpdump -xx -c 1 -s 0 -r http_over_ipv6_with_options.pcap

    0x0000:  0011 2513 ecdd 00e0 814c 26cc 86dd 6000
    0x0010:  0000 0038 0040 1001 0000 0000 0000 0000
    0x0020:  0000 0000 0133 1001 0000 0000 0000 0000
    0x0030:  0000 0000 0140 3c00 0f02 0000 0200 0600
    0x0040:  0f02 0000 0100 d941 0050 6e90 9103 0000
    0x0050:  0000 a002 1680 ffed 0000 0204 05a0 0402
    0x0060:  080a 5a1e dbed 0000 0000 0103 0307

This will show you how the packet looks when tcpdump doesn't try to apply
any filters.

But once you run:

    tcpdump -xx -c 1 -s 0 -r /root/pcap/http_over_ipv6_with_options.pcap "tcp"

    0x0000:  00e0 814c 26cc 0011 2513 ecdd 86dd 6000
    0x0010:  0000 0028 06ff 1001 0000 0000 0000 0000
    0x0020:  0000 0000 0140 1001 0000 0000 0000 0000
    0x0030:  0000 0000 0133 0050 d941 70c7 07c5 6e90
    0x0040:  9104 a012 1650 14a3 0000 0204 05a0 0402
    0x0050:  080a 00d0 720d 5a1e dbed 0103 0307

As you can see, applying the simple filter will wreak havoc on the poor
innocent packet.

The outcome will be the same if you filter by "ip6 and tcp" or any
such combination.
This bug doesn't affect IPv6 packets with no optional headers.

I found this bug when trying to write a program which links with libpcap,
so this is a libpcap bug and not a tcpdump bug.

Has anyone encountered this bug? Does anyone know how to fix it?

Peace,

Thanks!
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
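
The two dumps in the message above, decoded as an added example (not part of the original post and not libpcap code): it walks the IPv6 extension-header chain of each frame and compares a test on the fixed header's Next Header field with a test on the end of the chain. The function names are hypothetical, and the two match functions are assumed models of `ip6 proto`, which the pcap-filter documentation says does not chase the protocol header chain, and of `ip6 protochain`, which does.

```python
import struct

# Hex dumps copied from the message above (offset columns stripped).
DUMP_NO_FILTER = """
0011 2513 ecdd 00e0 814c 26cc 86dd 6000 0000 0038 0040 1001 0000 0000 0000 0000
0000 0000 0133 1001 0000 0000 0000 0000 0000 0000 0140 3c00 0f02 0000 0200 0600
0f02 0000 0100 d941 0050 6e90 9103 0000 0000 a002 1680 ffed 0000 0204 05a0 0402
080a 5a1e dbed 0000 0000 0103 0307
"""
DUMP_TCP_FILTER = """
00e0 814c 26cc 0011 2513 ecdd 86dd 6000 0000 0028 06ff 1001 0000 0000 0000 0000
0000 0000 0140 1001 0000 0000 0000 0000 0000 0000 0133 0050 d941 70c7 07c5 6e90
9104 a012 1650 14a3 0000 0204 05a0 0402 080a 00d0 720d 5a1e dbed 0103 0307
"""
EXT = {0, 43, 60}  # hop-by-hop, routing, destination options: (len + 1) * 8 bytes
TCP = 6

def decode(dump):
    """Walk Ethernet -> IPv6 -> extension headers; return what each layer says."""
    frame = bytes.fromhex("".join(dump.split()))
    if struct.unpack_from("!H", frame, 12)[0] != 0x86DD:
        raise ValueError("not an IPv6 frame")
    fixed_nh = frame[20]               # Next Header field of the fixed IPv6 header
    nh, off, chain = fixed_nh, 54, []  # 14 bytes Ethernet + 40 bytes IPv6
    while nh in EXT:
        if off + 2 > len(frame):
            raise ValueError("truncated extension header")
        chain.append(nh)
        nh, off = frame[off], off + (frame[off + 1] + 1) * 8
    info = {"fixed_nh": fixed_nh, "chain": chain, "upper": nh}
    if nh == TCP and off + 14 <= len(frame):
        sport, dport = struct.unpack_from("!HH", frame, off)
        info.update(sport=sport, dport=dport, flags=frame[off + 13])
    return info

def fixed_offset_match(info):
    """Assumed model of `ip6 proto 6`: test only the fixed header's Next Header."""
    return info["fixed_nh"] == TCP

def chain_match(info):
    """Assumed model of `ip6 protochain 6`: test the end of the header chain."""
    return info["upper"] == TCP

if __name__ == "__main__":
    for name, dump in (("no filter", DUMP_NO_FILTER), ("filter tcp", DUMP_TCP_FILTER)):
        info = decode(dump)
        print(name, info, fixed_offset_match(info), chain_match(info))
```

Decoded this way, the first dump is a SYN from port 55617 to port 80 carried behind a hop-by-hop and a destination-options header, and the second is a SYN-ACK from port 80 to port 55617 with no extension headers. Only the second passes the fixed-offset test, while both pass the chain-walking test.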

