https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14596
Bug ID: 14596
Summary: SSL reassembly results in multiple "Reassembled SSL
segments" items and duplicate dissections
Product: Wireshark
Version: Git
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: pe...@lekensteyn.nl
CC: anders.bro...@ericsson.com
Target Milestone: ---
Created attachment 16257
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16257&action=edit
TLS capture with two HTTP requests fragmented over multiple TLS records
Build Information:
Wireshark 2.9.0 (v2.9.0rc0-71-g55f6f659)
Copyright 1998-2018 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.10.1, with libpcap, with POSIX capabilities
(Linux),
with libnl 3, with GLib 2.56.0, with zlib 1.2.11, without SMI, with c-ares
1.13.0, with Lua 5.2.4, with GnuTLS 3.5.18, with Gcrypt 1.8.2, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.31.0, with LZ4, with Snappy,
with libxml2 2.9.8, with QtMultimedia, with SBC, with SpanDSP, without bcg729.
Running on Linux 4.15.15-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31988 MB of physical memory, with locale en_GB.UTF-8, with
libpcap version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.2, with zlib 1.2.11,
binary plugins supported (0 loaded).
Built using clang 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final).
--
Description:
When a capture file contains multiple TLS records which (when reassembled)
consist of multiple PDUs (say, HTTP), it could result in multiple "Reassembled
SSL segments" and multiple dissections for exactly the same data.

Reproducer:

    tshark -r repro3.pcap -ossl.keylog_file:repro.keys -O ssl -2 -Y frame.number==9

Expected result: A single tree with:

    [13 Reassembled SSL segments (48 bytes): #8(2), #8(4), #8(4), #8(4), #8(4),
    #8(4), #8(4), #8(4), #8(4), #8(4), #9(4), #9(4), #9(2)]
    Hypertext Transfer Protocol

(this matches output from "tshark" without the "-2" option)

Actual result: multiple items:

    [13 Reassembled SSL segments (48 bytes): #8(2), #8(4), #8(4), #8(4), #8(4),
    #8(4), #8(4), #8(4), #8(4), #8(4), #9(4), #9(4), #9(2)]
    [13 Reassembled SSL segments (48 bytes): #8(2), #8(4), #8(4), #8(4), #8(4),
    #8(4), #8(4), #8(4), #8(4), #8(4), #9(4), #9(4), #9(2)]
    [13 Reassembled SSL segments (48 bytes): #8(2), #8(4), #8(4), #8(4), #8(4),
    #8(4), #8(4), #8(4), #8(4), #8(4), #9(4), #9(4), #9(2)]
    Hypertext Transfer Protocol
    Hypertext Transfer Protocol
    Hypertext Transfer Protocol

Additional information:
This seems a pitfall with the reassembly API. Whenever a single frame contains
multiple fragments, checking for a match of "reassembled_in" is not sufficient.
In the TLS dissector, the fix for bug 11079 somehow did not completely solve
this issue.
repro.keys
CLIENT_RANDOM b745d206903a2f6c35c2e9818c3a0238d32688ebbdff363430515710cd9d7ba3
bc386f0885ce95c1b650faba055aa178f8409b9b9f5f06a0827bc6ef488191357794168766d03a1e455d3a1d74ac192f
___________________________________________________________________________
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
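
The pitfall described under "Additional information", shown as a small added model in C. It is not part of the original report and is not Wireshark code: the structs, function names and the stricter per-fragment guard are hypothetical, and the fragment list is a constructed sample mirroring the 13 segments in the report.

```c
#include <stdio.h>

/* Simplified model of the pitfall; not Wireshark code. All names are hypothetical. */
struct fragment { int frame; int len; };

struct pdu {
    const struct fragment *frags;
    int nfrags;
    int reassembled_in;               /* frame in which reassembly completed */
};

/* Constructed sample mirroring the report: 13 fragments, 48 bytes, frames 8 and 9. */
static const struct fragment SAMPLE_FRAGS[] = {
    {8, 2}, {8, 4}, {8, 4}, {8, 4}, {8, 4}, {8, 4}, {8, 4}, {8, 4}, {8, 4}, {8, 4},
    {9, 4}, {9, 4}, {9, 2}
};
static const struct pdu SAMPLE_PDU = { SAMPLE_FRAGS, 13, 9 };

static int pdu_length(const struct pdu *p)
{
    int total = 0;
    for (int i = 0; i < p->nfrags; i++)
        total += p->frags[i].len;
    return total;
}

/* Count how often the reassembled PDU is handed to the subdissector when
 * `frame` is revisited. The check runs once per fragment found in the frame.
 * strict == 0: guard on the frame number only (the insufficient check).
 * strict != 0: additionally require the fragment that completed the PDU. */
static int count_dissections(const struct pdu *p, int frame, int strict)
{
    int count = 0;
    for (int i = 0; i < p->nfrags; i++) {
        if (p->frags[i].frame != frame)
            continue;                 /* fragment belongs to another frame */
        if (p->reassembled_in != frame)
            continue;                 /* PDU was not completed in this frame */
        if (strict && i != p->nfrags - 1)
            continue;                 /* not the completing fragment */
        count++;
    }
    return count;
}

int main(void)
{
    printf("PDU length: %d bytes\n", pdu_length(&SAMPLE_PDU));
    printf("frame 9, frame-only guard: %d dissections\n", count_dissections(&SAMPLE_PDU, 9, 0));
    printf("frame 9, per-fragment guard: %d dissection(s)\n", count_dissections(&SAMPLE_PDU, 9, 1));
    return 0;
}
```

In this model the frame-only guard passes once for each of the three fragments carried in frame 9, which lines up with the three duplicate items in the "Actual result" output.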