"New fragment overlaps old data" error for custom plugin

asked 2025-04-05 07:21:26 +0000

Linxiao Yu

updated 2025-04-06 12:38:53 +0000

Hi, everyone. I'm developing a C plugin for dissecting a proxy protocol called VMess, which lies between TCP and TLS, i.e., the typical protocol stack should be TCP/VMess/TLS/HTTP. After reading the source code and some docs, I used the function reassemble_streaming_data_and_call_subdissector to pass data to the TLS handle. Things go right until Frame 78 in the attached capture file, where calling reassemble_streaming_data_and_call_subdissector raises [Reassembly error, protocol VMESS: New fragment overlaps old data (retransmission?)].

With some debugging, I found that it is line 1674 of reassemble.c that raises the error; the reason is frag_offset + frag_data_len > fd_head->datalen. I'm sorry, but I could not figure it out, since this function is quite complex for me to understand. Reassembly before Frame 78 is normal, and the decryption for both VMess and TLS is correct, and the HTTP/2 payload can be seen.

I have also checked that the function tcp_dissect_pdus passes the right tvb to the VMess dissector, so this error really confuses me. I have tried building the plugin for both Wireshark Version 4.3.0 and 4.5.0, but the error persists.

The source code of my plugin and the test .pcap file, along with the VMess keylog (proxy_keylog.txt) and the TLS keylog (keylog.txt), are given in the links. Using proxy_keylog.txt is similar to adding a TLS keylog file: putting the file path in Preferences->Protocol->VMess->Key Log Filename should work.

The routine that causes the error is dissect_decrypted_vmess_data, line 424 in packet-vmess.c; it calls reassemble_streaming_data_and_call_subdissector (line 450) on the decrypted VMess tvb to pass the payload to the TLS handle. Any suggestions, including how to debug reassemble_streaming_data_and_call_subdissector properly, are sincerely appreciated!

Wireshark Version: Version 4.5.0 and Version 4.3.0.

UPDATE 1: After some debugging, I found that in reassemble.h, it is the function process_reassembled_data that causes the issue, in lines 2874~2880:

    /* show all fragments */
    if (fd_head->flags & FD_BLOCKSEQUENCE) {
        update_col_info = !show_fragment_seq_tree(
            fd_head, fit, tree, pinfo, next_tvb, &frag_tree_item);
    } else {
        update_col_info = !show_fragment_tree(fd_head,
            fit, tree, pinfo, next_tvb, &frag_tree_item);
    }

Execution jumps to the function desegment_tcp in packet-tcp.c when show_fragment_tree returns. It seems that some exception might be thrown, but I could not figure out why yet. After commenting these lines out, the dissection seems to be normal, and the graphic view is not affected.
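Added example, not part of the original post and not Wireshark's code: a simplified model of the condition quoted in the question (frag_offset + frag_data_len > fd_head->datalen), showing which fragments trip it once a reassembly has finished. It assumes the check is applied to a reassembly already marked complete; every name other than frag_offset, frag_data_len and datalen is hypothetical, and the fragment sequences are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not Wireshark code. Only frag_offset, frag_data_len
 * and datalen are names taken from the post; the rest is hypothetical. */
typedef struct { uint32_t datalen; bool defragmented; } model_head;
typedef struct { uint32_t frag_offset, frag_data_len; bool more_frags; } model_frag;
typedef enum { FRAG_ACCEPTED, FRAG_COMPLETED, FRAG_DUPLICATE, FRAG_OVERLAP_ERROR } frag_result;

/* Feed one fragment into the model and report how it was classified. */
frag_result model_fragment_add(model_head *h, const model_frag *f)
{
    uint64_t end = (uint64_t)f->frag_offset + f->frag_data_len; /* no 32-bit wrap */
    if (h->defragmented) {
        /* Assumption: the quoted check runs on an already completed reassembly. */
        return end > h->datalen ? FRAG_OVERLAP_ERROR : FRAG_DUPLICATE;
    }
    if (end > UINT32_MAX)
        return FRAG_OVERLAP_ERROR;      /* cannot be represented in datalen */
    if (end > h->datalen)
        h->datalen = (uint32_t)end;
    if (!f->more_frags) {
        h->defragmented = true;         /* last fragment closes the reassembly */
        return FRAG_COMPLETED;
    }
    return FRAG_ACCEPTED;
}

/* Index of the first fragment that trips the check, or -1 if none does. */
int first_failing_fragment(const model_frag *frags, size_t n)
{
    model_head h = { 0, false };
    for (size_t i = 0; i < n; i++)
        if (model_fragment_add(&h, &frags[i]) == FRAG_OVERLAP_ERROR)
            return (int)i;
    return -1;
}

/* Constructed sequences: an exact retransmission, then data added after completion. */
static const model_frag SEQ_RETRANSMIT[] = { {0, 100, true}, {100, 50, false}, {100, 50, false} };
static const model_frag SEQ_PAST_END[]   = { {0, 100, true}, {100, 50, false}, {120, 60, true} };
int main(void)
{
    printf("retransmit: %d\n", first_failing_fragment(SEQ_RETRANSMIT, 3));
    printf("past end:   %d\n", first_failing_fragment(SEQ_PAST_END, 3));
    return 0;
}
```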
