https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

Peter Wu <pe...@lekensteyn.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|INCOMPLETE                  |CONFIRMED

--- Comment #4 from Peter Wu <pe...@lekensteyn.nl> ---
It is not really a NewSessionTicket message, but heuristics think that it is
one.

Notice that in frame 12, a ChangeCipherSpec message is sent by the server.
Following that, in frame 13 it should be interpreted as an encrypted handshake
message using the AES256-GCM cipher.

The handshake record fragment should be interpreted as:

04 00 00 00  00 00 00 00  - 8 bytes nonce_explicit
52 29 db 6b ... - 32 bytes aead-ciphered content

It is however interpreted as:
04 - handshake type NewSessionTicket
00 00 00 - handshake message length (offset_end=9)
00 00 00 00 - ticket_lifetime_hint (offset=9+4=13, note: offset_end < offset)
52 29 - length of ticket vector (outside boundaries of handshake msg -> error)

Two issues that need to be solved:
- heuristics should probably assume encrypted data after ChangeCipherSpec
message
- malformed packets can trigger the dissection bug. It could have been prevented by
passing a subset tvb of the handshake, resulting in a "malformed packet"
exception while trying to add "ticket_lifetime_hint" rather than blowing up in
the "ticket" vector dissection.

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
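The two fixes proposed in comment #4, as an added C example that is not Wireshark's code: a body view limited to the declared handshake length fails at ticket_lifetime_hint, an unbounded one only fails at the ticket vector, and a fragment seen after ChangeCipherSpec is not parsed as plaintext at all. Assumptions: all type and function names are hypothetical, offsets are relative to the start of the record fragment, and the bytes after the first 12 of the frame 13 sample are constructed filler.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bounded view, standing in for a subset buffer of the record. */
typedef struct { const uint8_t *p; size_t len; } view_t;
enum { PARSE_OK = 0, MALFORMED_LIFETIME_HINT, MALFORMED_TICKET, BAD_HEADER, TREAT_AS_ENCRYPTED };

/* Read n big-endian bytes at *off; fail without advancing if the view is too short. */
static int get_be(const view_t *v, size_t *off, size_t n, uint32_t *out)
{
    if (*off > v->len || n > v->len - *off) return -1;
    *out = 0;
    for (size_t i = 0; i < n; i++) *out = (*out << 8) | v->p[*off + i];
    *off += n;
    return 0;
}

/* NewSessionTicket body: uint32 ticket_lifetime_hint, then a 2-byte length-prefixed ticket. */
static int parse_ticket_body(const view_t *body)
{
    size_t off = 0; uint32_t hint, tlen;
    if (get_be(body, &off, 4, &hint)) return MALFORMED_LIFETIME_HINT;
    if (get_be(body, &off, 2, &tlen) || tlen > body->len - off) return MALFORMED_TICKET;
    return PARSE_OK;
}

/* bounded=1: body view is limited to the declared handshake length (the proposed fix).
   bounded=0: body view runs to the end of the record fragment (the behaviour described). */
int parse_new_session_ticket(const uint8_t *frag, size_t frag_len, int bounded)
{
    view_t rec = { frag, frag_len }, body;
    size_t off = 0; uint32_t type, hs_len;
    if (get_be(&rec, &off, 1, &type) || type != 4) return BAD_HEADER;
    if (get_be(&rec, &off, 3, &hs_len) || hs_len > frag_len - off) return BAD_HEADER;
    body.p = frag + off;
    body.len = bounded ? hs_len : frag_len - off;
    return parse_ticket_body(&body);
}

/* First issue: once ChangeCipherSpec was seen from this peer, assume ciphertext. */
int dissect_handshake_fragment(const uint8_t *frag, size_t frag_len, int ccs_seen)
{
    if (ccs_seen) return TREAT_AS_ENCRYPTED;
    return parse_new_session_ticket(frag, frag_len, 1);
}

/* Frame 13 fragment: first 12 bytes from the comment, remaining 28 are constructed zeros. */
const uint8_t FRAME13[40] = { 0x04,0,0,0, 0,0,0,0, 0x52,0x29,0xdb,0x6b };
```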