Wireshark mailing list archives

DNP3 dissector bug in multi-fragmented messages

From: Maksym Galemin <Maksym.Galemin () hydrix com>
Date: Thu, 17 Jul 2014 07:54:44 +0000

Hi all,

I'd like to report a bug in DNP3 dissector for reassembled multi-fragment DNP3 packets (DNP3 over TCP). In case of TCP 
retransmissions the DNP3 dissector reassembles invalid DNP3 application layer message by copying the retransmitted TCP 
data straight into the final DNP3 packet without checking if it's a retransmission or not. As a result the dissector 
parses DNP3 application layer payload incorrectly. Please find a capture file in the attachment: here in packet #18 
DNP3 transport layer frame 6 (packet #6) is a retransmission of the frame 1 data (packet #1). Thanks.

----------------------------------------------------------------------------------------------------------
Version 1.10.7 (v1.10.7-0-g6b931a1 from master-1.10)

...

Compiled (32-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, without POSIX capabilities,
without libnl, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python,
with GnuTLS 2.12.18, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Apr 22 2014), with AirPcap.

Running on 32-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.
        Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, with 2047MB of physical memory.


Built using Microsoft Visual C++ 10.0 build 40219
----------------------------------------------------------------------------------------------------------


Cheers,

Maksym Galemin | Software Engineer
Hydrix Pty Ltd
"Our Expertise - Your Competitive Advantage"
maksym.galemin () hydrix com<mailto:maksym.galemin () hydrix com> |direct +61 3 8573 5231 | mob +61 435 844 500
www.hydrix.com<http://www.hydrix.com/> | fax +61 3 8573 5289 | phone +61 3 8573 5299

Attachment: DNP3_dissector_issue.zip
Description: DNP3_dissector_issue.zip

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

DNP3 dissector bug in multi-fragmented messages Maksym Galemin (Jul 17)
- Re: DNP3 dissector bug in multi-fragmented messages Evan Huus (Jul 17)
  - Re: DNP3 dissector bug in multi-fragmented messages Graham Bloice (Jul 17)
    - Re: [SPAM - Invalid Headers] - Re: DNP3 dissector bug in multi-fragmented messages - Email found in subject Maksym Galemin (Jul 18)