Wireshark mailing list archives
Possible change to packet-ssl.c?
From: Guy Harris <guy () alum mit edu>
Date: Wed, 9 Apr 2014 16:49:43 -0700
Should this chunk of code:
if (tree) {
if (type && (payload_length <= record_length - 16 - 3)) {
proto_item_set_text(tree, "%s Record Layer: Heartbeat "
"%s",
val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
type);
proto_tree_add_item(tls_heartbeat_tree, hf_ssl_heartbeat_message_type,
tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
proto_tree_add_uint(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload_length,
tvb, offset, 2, payload_length);
offset += 2;
proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload,
tvb, offset, payload_length,
NULL, "Payload (%u byte%s)",
payload_length,
plurality(payload_length, "", "s"));
offset += payload_length;
proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_padding,
tvb, offset, padding_length,
NULL, "Padding and HMAC (%u byte%s)",
padding_length,
plurality(padding_length, "", "s"));
} else {
proto_item_set_text(tree,
"%s Record Layer: Encrypted Heartbeat",
val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
proto_item_set_text(tls_heartbeat_tree,
"Encrypted Heartbeat Message");
}
}
perhaps report an expert info if the payload length is too large? Why is that treated as a "this is encrypted"
indication rather than a "somebody's trying to extract whatever's in the server's memory after the request payload"
indication?
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Possible change to packet-ssl.c? Guy Harris (Apr 09)
- Re: Possible change to packet-ssl.c? Evan Huus (Apr 09)
- Re: Possible change to packet-ssl.c? Peter Wu (Apr 10)