fix for bug 1226:

reported by Benjamin Meyer WireShark marks DCE RPC FACKs as "malformed" if they do not have a body. According to DCE RPC Spec. 1.1 FACKs "may contain" a body PTU. I am unable to build WireShark (lack of time to install all neccessary stuff) but I looked at the SourceCode. I think, at least this has to be fixed: file: epan/dissectors/packet-dcerpc.c function: static gboolean dissect_dcerpc_dg (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) *snip* case PDU_FACK dissect_dcerpc_dg_fack (tvb, offset, pinfo, dcerpc_tree, &hdr); break; *snap* I guess, it should look like "case PDU_NOCALL:" directly above. svn path=/trunk/; revision=19952
2006-11-21 21:11:18 +00:00 · 2006-11-21 21:11:18 +00:00 · 2b66ba9604
parent c8837b810a
commit 2b66ba9604
1 changed files with 4 additions and 1 deletions
--- a/epan/dissectors/packet-dcerpc.c
+++ b/epan/dissectors/packet-dcerpc.c
@ -4981,7 +4981,10 @@ dissect_dcerpc_dg (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
        break;

    case PDU_FACK:
-        dissect_dcerpc_dg_fack (tvb, offset, pinfo, dcerpc_tree, &hdr);
+        /* Body is optional */
+        /* XXX - we assume "frag_len" is the length of the body */
+        if (hdr.frag_len != 0)
+            dissect_dcerpc_dg_fack (tvb, offset, pinfo, dcerpc_tree, &hdr);
        break;

    case PDU_REJECT: