From 2edce4224d955127c08578e2512046c7946cfde5 Mon Sep 17 00:00:00 2001
From: Ronnie Sahlberg
Date: Thu, 18 Aug 2005 10:37:41 +0000
Subject: [PATCH] when kerberos claims a conversation, it only claims it for the source port since a KDC MIGTH send the reply back from a different port. Then comes X.L's capture (ethereal-dev) 816fc4.cap from 16Aug2005 where the client is reusing the same source port to talk to DNS after finishing doing the port 88 KDC stuff. ==> Make kerberos/udp able to test the packet for sanity and reject packets that do not look like kerberos (even if there was a conversation that said it was kerberos) and thus let other dissectors have a go at it. in doubt, try 816fc4.cap before and after this patch :-) svn path=/trunk/; revision=15405
---
 epan/dissectors/packet-kerberos.c | 40 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/epan/dissectors/packet-kerberos.c b/epan/dissectors/packet-kerberos.c
index 6abd9fe14e..7216e32d91 100644
--- a/epan/dissectors/packet-kerberos.c
+++ b/epan/dissectors/packet-kerberos.c
@@ -3732,8 +3732,7 @@ dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 if (check_col(pinfo->cinfo, COL_PROTOCOL))
 col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
- (void)dissect_kerberos_common(tvb, pinfo, tree, TRUE, FALSE, NULL);
- return tvb_length(tvb);
+ return dissect_kerberos_common(tvb, pinfo, tree, TRUE, FALSE, NULL);
 }
 static gint
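Review bot: `col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5")` still runs before `dissect_kerberos_common()` has a chance to reject the datagram, so a packet turned away with 0 has already been labelled KRB5 in the protocol column. If no later dissector overwrites the column, the reused-port traffic described in the commit message would still show up as Kerberos. The column write should happen only after the packet is accepted, for example inside `dissect_kerberos_common()` below its new sanity check. The function starts outside the hunk, so whether anything else is touched before this point cannot be seen here. A short comment on the return line would also help, e.g. `/* 0 means "not Kerberos": let another dissector try */`.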
@@ -3836,6 +3835,43 @@ dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 offset += 4;
 }
+ /* Do some sanity checking here,
+ * All krb5 packets start with a TAG class that is BER_CLASS_APP
+ * and a tag value that is either of the values below:
+ * If it doesnt look like kerberos, return 0 and let someone else have
+ * a go at it.
+ */
+ if (!have_rm) {
+ gint8 tmp_class;
+ gboolean tmp_pc;
+ gint32 tmp_tag;
+
+ get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag);
+ if(tmp_class!=BER_CLASS_APP){
+ return 0;
+ }
+ switch(tmp_tag){
+ case KRB5_MSG_AUTHENTICATOR:
+ case KRB5_MSG_ENC_TICKET_PART:
+ case KRB5_MSG_AS_REQ:
+ case KRB5_MSG_AS_REP:
+ case KRB5_MSG_TGS_REQ:
+ case KRB5_MSG_TGS_REP:
+ case KRB5_MSG_AP_REQ:
+ case KRB5_MSG_AP_REP:
+ case KRB5_MSG_ENC_AS_REP_PART:
+ case KRB5_MSG_ENC_TGS_REP_PART:
+ case KRB5_MSG_ENC_AP_REP_PART:
+ case KRB5_MSG_ENC_KRB_PRIV_PART:
+ case KRB5_MSG_SAFE:
+ case KRB5_MSG_PRIV:
+ case KRB5_MSG_ERROR:
+ break;
+ default:
+ return 0;
+ }
+ }
+
 TRY {
 offset=dissect_ber_choice(pinfo, kerberos_tree, tvb, offset, kerberos_applications_choice, -1, -1, NULL);
 } CATCH_ALL {
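Review bot: `tmp_pc` is fetched by `get_ber_identifier()` but never tested, so the sanity check passes any payload whose first identifier octet has the APPLICATION class and one of the listed tag numbers. Kerberos application messages are constructed encodings, so the class test can be tightened to `if(tmp_class!=BER_CLASS_APP || !tmp_pc){`. That would reject more non-Kerberos datagrams whose first bytes are effectively random, such as the reused-port DNS traffic this patch targets. `kerberos_tree` is created above this hunk, so it looks as though a tree item may already be attached when 0 is returned; the check probably belongs before any tree or column work. The function body begins and ends outside the hunk, so that ordering should be confirmed against the full file.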