diff options
author | Kevin Bracey <kevin.bracey@arm.com> | 2016-03-30 14:10:14 +0300 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2016-03-31 03:07:58 +0000 |
commit | d81fe3907b00e00fb05a88eb0812ac874922e835 (patch) | |
tree | 6824b2c9f34f920672a0c5a2ee502959860d4714 /epan/dissectors/packet-6lowpan.c | |
parent | 3467a1f693b0d98292c341ebea8776807c195539 (diff) |
Correct 6LoWPAN NHC datagram size calculations
Length calculations updating "remaining datagram size" for fragmented
6LoWPAN packets with NHC headers were incorrect if there was any elided
option padding.
The current header's unpadded length was subtracted from dgram_size,
when it should have been the padded length - the datagram size is
uncompressed IPv6.
This meant the final nhdr_list entry created to represent the remaining
payload would have its "reported" field too large. Most visible result
of this was that the IPv6 payload length written into the packet by
lowpan_reassemble_ipv6() was too large.
Error probably went unnoticed because the most typical 6LoWPAN options
don't need padding - the RPL option is 6 bytes, and the MPL option is 6
bytes if using 16-bit seeds, making the HbH extension header an aligned
8 bytes.
Bug: 12310
Change-Id: If94e9ca57f88c4ac41f002a689ce1da7097b5bd0
Reviewed-on: https://code.wireshark.org/review/14701
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-6lowpan.c')
-rw-r--r-- | epan/dissectors/packet-6lowpan.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/epan/dissectors/packet-6lowpan.c b/epan/dissectors/packet-6lowpan.c index 754b61fd8b..7329119fe8 100644 --- a/epan/dissectors/packet-6lowpan.c +++ b/epan/dissectors/packet-6lowpan.c @@ -2005,7 +2005,7 @@ dissect_6lowpan_iphc_nhc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gi * There are more LOWPAN_NHC structures to parse. Call ourself again * recursively to parse them and build the linked list. */ - nhdr->next = dissect_6lowpan_iphc_nhc(tvb, pinfo, tree, offset, dgram_size - ext_len - (int)sizeof(struct ip6_ext), siid, diid); + nhdr->next = dissect_6lowpan_iphc_nhc(tvb, pinfo, tree, offset, dgram_size - nhdr->reported, siid, diid); } else if (ipv6_ext.ip6e_nxt != IP_PROTO_NONE) { /* Create another next header structure for the remaining payload. */ @@ -2018,7 +2018,7 @@ dissect_6lowpan_iphc_nhc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gi nhdr->next->reported = tvb_reported_length_remaining(tvb, offset); } else { - nhdr->next->reported = dgram_size - ext_len - ext_hlen; + nhdr->next->reported = dgram_size - nhdr->reported; } tvb_memcpy(tvb, LOWPAN_NHDR_DATA(nhdr->next), offset, nhdr->next->length); } |