Bug 13741 showed a case where the BGP dissector's failure to validate the
length of the Path Attribute record allowed a pathological BGP UPDATE packet to
generate more than one million items in the protocol tree by repeatedly
dissecting certain segments of the packet.
It's easy enough to detect when the Path Attribute length cannot be valid, so
let's do so. When the condition arises, let's raise an Expert Info error in
the same style and format as used elsewhere in the same routine, and abandon
dissection of the Path Attributes list.
With this check in place, an incorrect length computation is revealed at a
callsite. This would only have prevented a small (less than 5 bytes) Path
Attribute from being dissected if it was at the very end of the Path Attributes
list, but the bounds checking added in this change makes this problem much more
apparent, so we fix the length computation while we're here.
Testing Done: Built wireshark on Linux amd64. Using bgp.pcap from the Sample
Captures page on the wiki, verified that the dissection of the UPDATE
packets were unaltered by this fix. Using the capture attached to bug 13741
(clusterfuzz-testcase-minimized-6689222578667520.pcap), verified that the
packet no longer triggers the "too many items" exception, instead we see
an Expert Info for each oversized Path Attribute length, and eventually an
exception for "length of contained item exceeds length of containing item".
30,000 iterations of fuzz test with bgp.pcap as input, and many iterations
of randpkt-test too. Crafted a packet with a 3-byte ATOMIC_AGGREGATE Path
Attribute at the end of the Path Attributes list; Before this change, an
exception is raised during dissection, but after this change it is dissected
correctly.
Bug: 13741
Change-Id: I80f506b114a61e5b060d93b59bed6b94fb188b3e
Reviewed-on: https://code.wireshark.org/review/27466
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtmlhttps://tools.ietf.org/html/rfc4893
-------------------------------------------
NEW BGP speakers carry AS path information expressed in terms of 4-
octet Autonomous Systems numbers by using the existing AS_PATH
attribute, except that each AS number in this attribute is encoded
not as a 2-octet, but as a 4-octet entity. The same applies to the
AGGREGATOR attribute - NEW BGP speakers use the same attribute,
except that the AS carried in this attribute is encoded as a 4-octet
entity.
-------------------------------------------
Change-Id: I4ccfc2c18e8777a800211dd285550723ac0da872
Reviewed-on: https://code.wireshark.org/review/26647
Petri-Dish: Graham Bloice <graham.bloice@trihedral.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
NLRIs can contain path identifiers as defined in RFC7911.
This commit adopts the IPv4 heuristic to IPv6 to detect usage
of additional path identifier.
Bug: 14241
Change-Id: I6b99c079b12d1f9a3e05b152a5540a621076e965
Reviewed-on: https://code.wireshark.org/review/26157
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
AS23456 is reserved in RFC6793 for 32-bit AS number range as AS_TRANS.
Add an additional text "(AS_TRANS)" to AS 23456 items.
Bug: 14305
Change-Id: I1a0ea9e07c74b7e409cb32e2da55dbf233a2348d
Reviewed-on: https://code.wireshark.org/review/25172
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
According to RFC 5492 [1], paragraph 5, Data field of BGP
notification for Open message error/unsupported capability must
list the set of unsupported capabilities
Bug: 14274
Change-Id: Iacd33b5c83bc234652d2a5444f0029640d33e1c5
Reviewed-on: https://code.wireshark.org/review/24829
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug: 14200
Change-Id: I6d8ac6aae952db21e69fa323fb1e74782d95d1c4
Reviewed-on: https://code.wireshark.org/review/24362
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Bug: 14241
Change-Id: I5e66b034cf5cd14e2557e5b7bfa3045c2232d1ae
Reviewed-on: https://code.wireshark.org/review/24553
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
Display LACP Port Key/root Bridge Priority in Dec and Hex
mSTP => MSTP
Change-Id: I7079250da134e4bb60d2d5373bfdf2f31235f07a
Ping-Bug: 14200
Reviewed-on: https://code.wireshark.org/review/24401
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
That allows a parallel typedef of ws_in4_addr for guint32.
Change-Id: I03b230247065e0e3840eb87635315a8e523ef562
Reviewed-on: https://code.wireshark.org/review/24073
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Passing multiple labels information with BGP has come to be used
together with segment routing.
Change-Id: Ifd45eb0a875ed4a166e44441955e5e42ce84a7ca
Reviewed-on: https://code.wireshark.org/review/22944
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Issue reported by Kura
Bug: 13872
Change-Id: I054839a9e141fa4a882114b150842366c090d012
Reviewed-on: https://code.wireshark.org/review/22537
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Bug: 12296
Change-Id: Ib49396e2822f6ee0082aedd39ed8636379bbd75a
Reviewed-on: https://code.wireshark.org/review/21726
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Also added display of lower-order four bits of the Attribute Flags ("unused").
Current implementation of displaying path attribute flags shows flag description twice if the flag was set.
For example, with Optional and Length set, the attribute flags were displayed as follows:
Flags: 0x90, Optional, Length: Optional, Non-transitive, Complete, Extended Length
1... .... = Optional: Optional
.0.. .... = Transitive: Non-transitive
..0. .... = Partial: Complete
...1 .... = Length: Extended length
Now they are displayed as follows:
Flags: 0x90, Optional, Extended-Length, Non-transitive, Complete
1... .... = Optional: Set
.0.. .... = Transitive: Not set
..0. .... = Partial: Not set
...1 .... = Extended-Length: Set
.... 0000 = Unused: 0x0
Change-Id: Iec3c92ac2383dd3f736598b089a74f0f3c165bae
Reviewed-on: https://code.wireshark.org/review/20732
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Field 'Type Code' (bgp.update.path_attribute.type_code) has a conflicting entry in its value_string: 29 is at indices 19 (LINK_STATE) and 20 (Deprecated))
Change-Id: Ifd0c7a2a095d2b216115b94ca0b71e0dca2213ee
Reviewed-on: https://code.wireshark.org/review/20741
Reviewed-by: Michael Mann <mmann78@netscape.net>
not limited to len = 4 (can be a multiple of 4)
Bug: 13521
Change-Id: I668dbff6d8a7b0a4260da31393bb70d2c5431455
Reviewed-on: https://code.wireshark.org/review/20705
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
RFC5575 says Route Distinguisher is inserted between "length" and "NLRI
value" fields when the BGP NLRI type is VPNv4 Flow Spec (AFI=1,
SAFI=134) and this is the same for VPNv6 and L2VPN.
This patch fixes the BGP dissector to decode the missing Route
Distinguisher field in Flow Spec NLRI decoder.
Change-Id: Ib45d96bb399b80be69ca70ea552d2c07b07a9782
Signed-off-by: IWASE Yusuke <iwase.yusuke0@gmail.com>
Reviewed-on: https://code.wireshark.org/review/20653
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I87454ea95bc64a39e4e60ba374e9cafb574e744c
Reviewed-on: https://code.wireshark.org/review/20501
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I7cb6f73efb1e37eba977dc6912041d5969989696
Reviewed-on: https://code.wireshark.org/review/20399
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Shutdown communication is now also allowed on Admin Reset NOTIFICATION messages:
https://tools.ietf.org/rfcdiff?url2=draft-ietf-idr-shutdown-04.txt
Change-Id: I6450d3d5de5aef4bd709ba2b211ca717784b00a7
Reviewed-on: https://code.wireshark.org/review/19886
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Do the NLRI length checks in the switch cases for each route type, and
do them for *all* route types, rather than throwing a random check in
for one particular route type.
There is no need to fail up front for unknown route types; at least
dissect the type and length, and fail in the switch statement.
Dissect the route descriptor in each of the switch cases, after the
length check, rather than doing it up front.
Add a comment noting where the prefix route type comes from.
Change-Id: Iae26ecd467d4b36dbcf52e7998bd2881405281aa
Reviewed-on: https://code.wireshark.org/review/19774
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This emphasizes that there is no such thing as *the* routine to
construct a subset tvbuff; you need to choose one of
tvb_new_subset_remaining() (if you want a new tvbuff that contains
everything past a certain point in an existing tvbuff),
tvb_new_subset_length() (if you want a subset that contains everything
past a certain point, for some number of bytes, in an existing tvbuff),
and tvb_new_subset_length_caplen() (for all other cases).
Many of the calls to tvb_new_subset_length_caplen() should really be
calling one of the other routines; that's the next step. (This also
makes it easier to find the calls that need fixing.)
Change-Id: Ieb3d676d8cda535451c119487d7cd3b559221f2b
Reviewed-on: https://code.wireshark.org/review/19597
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Parse the communication bits of a BGP Cease NOTIFICATION:
Border Gateway Protocol - NOTIFICATION Message
Marker: ffffffffffffffffffffffffffffffff
Length: 146
Type: NOTIFICATION Message (3)
Major error Code: Cease (6)
Minor error Code (Cease): Administratively Shutdown (2)
BGP Shutdown Communication Length: 124
Shutdown Communication: NTT will perform maintenance on this router. This is tracked in TICKET-1-24824294. Contact noc@ntt.net for more information.
Draft at https://tools.ietf.org/html/draft-ietf-idr-shutdown-01, sample
file taken from from http://instituut.net/~job/shutdown.pcap
Change-Id: I2ab633883cc69e560ff79cb6239e02fcffd71e10
Reviewed-on: https://code.wireshark.org/review/19144
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When decode_prefix4() gets called with more prefixes the length of
proto_tree_add_subtree_format() should not be the total length.
As the "Withdrawn route" part was the only one where decode_prefix4() has
been called with a tlen not equal 0 we can eliminate the tlen parameter.
Bug: 13146
Change-Id: I708dec2cecbed6054b60190104b82c72d54e8037
Reviewed-on: https://code.wireshark.org/review/18852
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Parses large communities as specified in https://tools.ietf.org/html/draft-heitz-idr-large-community-04
Path Attribute - LARGE_COMMUNITY: 65536:1:1 65536:1:2 65536:1:3
Flags: 0xc0, Optional, Transitive: Optional, Transitive, Complete
1... .... = Optional: Optional
.1.. .... = Transitive: Transitive
..0. .... = Partial: Complete
...0 .... = Length: Regular length
Type Code: LARGE_COMMUNITY (32)
Length: 36
Large communities: 65536:1:1
Global Administrator: 65536
Local Data Part 1: 1
Local Data Part 2: 1
Large communities: 65536:1:2
Global Administrator: 65536
Local Data Part 1: 1
Local Data Part 2: 2
Large communities: 65536:1:3
Global Administrator: 65536
Local Data Part 1: 1
Local Data Part 2: 3
Bug: 13083
Change-Id: I8db0601f621ceb6fb2e170ed9bfc2747091495ee
Reviewed-on: https://code.wireshark.org/review/18172
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This patch introduces new APIs to allow dissectors to have a preference for
a (TCP) port, but the underlying data is actually part of Decode As functionality.
For now the APIs are intentionally separate from the regular APIs that register a
dissector within a dissector table. It may be possible to eventually combine the
two so that all dissectors that register with a dissector table have an opportunity
to "automatically" have a preference to adjust the "table value" through the
preferences dialog.
The tcp.port dissector table was used as the guinea pig. This will eventually be
expanded to other dissector tables as well (most notably UDP ports). Some
dissectors that "shared" a TCP/UDP port preference were also converted. It also
removed the need for some preference callback functions (mostly when the callback
function was the proto_reg_handoff function) so there is cleanup around that.
Dissectors that has a port preference whose default was 0 were switched to using
the dissector_add_for_decode_as_with_preference API rather than dissector_add_uint_with_preference
Also added comments for TCP ports used that aren't IANA registered.
Change-Id: I99604f95d426ad345f4b494598d94178b886eb67
Reviewed-on: https://code.wireshark.org/review/17724
Reviewed-by: Michael Mann <mmann78@netscape.net>
Bug: 12891
Change-Id: I70ed7f8a08122c559128b8df4d65e03be8201e1a
Reviewed-on: https://code.wireshark.org/review/17683
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Palúch <Peter.Paluch@fri.uniza.sk>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This patch contains a partial rewrite of the BGP dissector for Extended
Communities. The changes were primarily motivated by my dissatisfaction
with the generally unreadable way in which the types, names and values of
BGP Extended Communities were displayed in Wireshark GUI. The rewrite
provides a hopefully more readable and eye-pleasing way of displaying the
extended communities. I have also corrected numerous other flaws with the
Extended Community dissector I stumbled across.
In particular, the changes encompass the following:
1.) The Type octet of an Extended Community is now analyzed including its
Authority and Transitivity bits. These were not dissected before.
2.) Dissection for EVPN Extended Community was improved. The original
implementation blindly assumed that there is just a single subtype and
decoded the community ignoring the actual subtype.
3.) I have removed the hf_bgp_ext_com_value_unknown16 and ..._unknown32.
The current code uses a different approach to display values of unrecognized
communities, and for recognized communities, there are no "unknown"
subfields.
4.) Removed a couple of variables declared at the
dissect_bgp_update_ext_com() level. These stored the result of a
tvb_get_...() call but the value was used only once. I have replaced them
with the direct use of tvb_get_...()
5.) Moved duplicate code to add the Type value into the community_tree from
each branch in the switch(com_type_high_byte) out of it and placed it before
the switch().
6.) Reworked the style in which individual communities are displayed. Each
community item (collapsed) is now displayed using the following label
format:
Community name: Values [Generic community type]
Examples:
Route Target: 1:1 [Transitive 2-Octet AS-Specific]
Unknown subtype 0x01: 0x8081 0x0000 0x2800 [Non-Transitive Opaque]
Unknown type 0x88 subtype 0x00: 0x0000 0x0000 0x0000 [Unknown community]
6.) To keep the filter names more consistent, changed names of selected filters:
bgp.ext_com.type_high -> bgp.ext_com.type
bgp.ext_com.type_low -> bgp.ext_com.stype_unknown
In particular, I do not want to call the subtype as bgp.ext_com.type_low
because that filter applied only to unrecognized subtypes even though its
name would suggest to users that they can filter any community based on it.
7.) Numerous corrections in text labels, names and labels that have been
incorrect or incomplete.
Bug: 12794
Change-Id: I9653dbbc8a8f85d0cd2753dd12fd537f0a604cf3
Reviewed-on: https://code.wireshark.org/review/17377
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug:12601
Change-Id: I555ee8097ea81e1afa8f2f5b2aba8fce60742016
Reviewed-on: https://code.wireshark.org/review/17107
Reviewed-by: Michael Mann <mmann78@netscape.net>
afi can take only one of the 2 above values, according to the
check at the beginning of the function.
Change-Id: I6652a5c64b4fbc8d2e907afb3b4f66d187ff9745
Reviewed-on: https://code.wireshark.org/review/17011
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Petri-Dish: Jaap Keuter <jaap.keuter@xs4all.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Vadim Fedorenko