https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16349

            Bug ID: 16349
           Summary: DHCP option 77 User Class Option 'Microsoft bug'
           Product: Wireshark
           Version: 3.2.1
          Hardware: x86
                OS: Windows 10
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: an...@luyer.nl
  Target Milestone: ---

Created attachment 17590
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17590&action=edit
DHCP Discover packets triggering [Malformed Packet] message

Build Information:
Wireshark 3.2.1 (v3.2.1-0-gbf38a67724d0)

Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.12.6, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap,
with SpeexDSP (using bundled resampler), with SBC, with SpanDSP, with bcg729.

Running on 64-bit Windows 10 (1909), build 18363, with Intel(R) Core(TM)
i7-4710HQ CPU @ 2.50GHz (with SSE4.2), with 16307 MB of physical memory, with
locale Dutch_Netherlands.1252, with Npcap version 0.9986, based on libpcap
version 1.9.1, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, with
AirPcap 4.1.3 build 3348, binary plugins supported (0 loaded).

Built using Microsoft Visual Studio 2019 (VC++ 14.24, build 28315).
--
The Microsoft 'variation' of RFC 3004 causes a '[Malformed Packet]' when the
"User Class Length" (dhcp.option.user_class.length) exceeds the total length of
the DHCP option 77 User Class Option (dhcp.option.length) because it is a
character and not a length field.
This stops the dissection of the rest of the DHCP packet, including the Vendor
class identifier, which, when containing "MSFT 5.0", indicates the Microsoft
variation.
A simple fix is to treat 'dhcp.option.user_class.length >= dhcp.option.length'
as a non-conformant (text) option.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dhcpe/fe8a2dd4-1e8c-4546-bacd-4ae10de02058

tshark -r dhcp-malformed-packet-error.pcapng -Tfields -e frame.number -e dhcp.option.user_class.length -e _ws.col.Info -e frame.comment
1       79      DHCP Discover - Transaction ID 0xc08056dd[Malformed Packet]
2       79      DHCP Discover - Transaction ID 0xa10c09c7[Malformed Packet]
3               DHCP Discover - Transaction ID 0xa10c09c7       Packet editted to create a recognized option 77 containing iPXE
4       8       DHCP Discover - Transaction ID 0xa10c09c7       Packet editted to create a valid option 77
5       1       DHCP Discover - Transaction ID 0xa10c09c7       Packet editted to create a recognized option 77 containing RRAS.Microsoft
6       79      DHCP Discover - Transaction ID 0xfc534fb6[Malformed Packet]
7       79      DHCP Discover - Transaction ID 0xfc534fb6[Malformed Packet]
8       79      DHCP Discover - Transaction ID 0xfc534fb6[Malformed Packet]
9       79      DHCP Discover - Transaction ID 0xfc534fb6[Malformed Packet]
10      79      DHCP Discover - Transaction ID 0xfc534fb6[Malformed Packet]
11      79      DHCP Discover - Transaction ID 0xb1e5186[Malformed Packet]
12      79      DHCP Discover - Transaction ID 0xb1e5186[Malformed Packet]
13              DHCP Offer    - Transaction ID 0xb1e5186
14      79      DHCP Request  - Transaction ID 0xb1e5186[Malformed Packet]
15              DHCP ACK      - Transaction ID 0xb1e5186
16              DHCP ACK      - Transaction ID 0xb1e5186

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
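
Added example, not part of the original report and not Wireshark's dissector code: a minimal C classifier for the option 77 value that applies the check proposed in the report (first "length" octet >= option length means text) before walking the RFC 3004 (UC_Len, UC_Data) items with bounds checks. The names classify_user_class and uc_kind and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum uc_kind { UC_RFC3004, UC_TEXT, UC_MALFORMED };

/* Classify the value of DHCP option 77. `opt` points just past the option's
 * code and length octets; `opt_len` is the value of that length octet
 * (dhcp.option.length). Never reads outside opt[0 .. opt_len-1]. */
enum uc_kind classify_user_class(const uint8_t *opt, size_t opt_len,
                                 size_t *n_classes)
{
    size_t off = 0;

    *n_classes = 0;
    if (opt_len == 0)
        return UC_MALFORMED;
    /* Check proposed in the report: a first "length" octet that is >= the
     * option length cannot be an RFC 3004 UC_Len, so treat the whole value
     * as one non-conformant text string. */
    if ((size_t)opt[0] >= opt_len)
        return UC_TEXT;
    /* RFC 3004 layout: repeated (UC_Len, UC_Data) items filling the option. */
    while (off < opt_len) {
        size_t uc_len = opt[off];
        /* UC_Len must be non-zero and its data must fit in what is left. */
        if (uc_len == 0 || uc_len > opt_len - off - 1)
            return UC_MALFORMED;
        off += 1 + uc_len;
        (*n_classes)++;
    }
    return UC_RFC3004;
}

int main(void)
{
    /* Constructed sample values, not taken from the attached capture. */
    static const uint8_t text[] = { 'O','f','f','i','c','e','L','A','N' };
    static const uint8_t rfc[]  = { 8,'u','s','e','r','c','l','a','s' };
    size_t n;
    enum uc_kind k;

    k = classify_user_class(text, sizeof text, &n);   /* 'O' == 79 >= 9 */
    printf("text sample: kind=%d\n", (int)k);
    k = classify_user_class(rfc, sizeof rfc, &n);     /* one 8-byte class */
    printf("rfc sample:  kind=%d classes=%zu\n", (int)k, n);
    return 0;
}
```

A text value whose first character is numerically smaller than the option length is not caught by this comparison alone; here it is still walked with bounds checks and comes back as UC_MALFORMED or UC_RFC3004 depending on its bytes.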