Hi All, Because of a recent discussion on the users list about malformed SSL packets, I discovered a bug in the SSL dissector I am trying to fix. The bug I discoveres appears in a SSL handshake after the change cypher spec. The next SSL handshake record is encrypted. It is indeed shown as a "Encrypted Handshake Message" most of the times. But if the first octet of the Encrypted Handshake happens to be a valid Handshake Type, then the SSL dissector tries to dissect it and fails. This results in a malformed packet.
In trying to solve this, I thought I could use the struct SslDecryptSession which keeps the state of the ssl session. Unfortunately this struct is only filled on the first pass and not in the second pass when the protocol tree is being built. When the SSL session is decrypted, this is not a problem, because the data passed to dissect_ssl3_handshake is already decrypted. But when the SSL session in not decrypted, I need this state information to determine if the next SSL header needs to be dissected. I guess that this approach is simply not possible, since building the protocol tree is like "random access", each packet can be selected at random, so the state information can't be kept. Is there a way to keep some state-information per packet? I don't know exactly what is kept in the conversations, but I guess that it is on a flow basis, not on a packet basis. Are there any other protocols where dissection depends on a per-packet state? How do they do that? If a per-packet state is not possible, then I could fix this bug with the workaround to do a sanity check on the length of the SSL-handshake. But, that would be a workaround, not a fix :( Cheers, Sake _______________________________________________ Wireshark-dev mailing list [EMAIL PROTECTED] http://www.wireshark.org/mailman/listinfo/wireshark-dev
