Wireshark SPI parsing is broken

asked 2025-08-04 08:50:58 +0000

cmouse

Tested versions: 4.0.17, 4.4.8

I was doing some ESP traffic analysis when I discovered at least the following bug in Wireshark and also a documentation issue.

I am decrypting IKEv2 ESP traffic:

  • SPI must be provided as unsigned long or as *, because there is a bug in get_esp_sa, which requires that the SPI contains a * or it won't be treated as a string. Maybe this check should be 'x' instead?
  • Encryption key must be in 0x format. This is not really mentioned anywhere.

For the SPI issue, this could fix it:

diff -urN a/epan/dissectors/packet-ipsec.c b/epan/dissectors/packet-ipsec.c
--- a/epan/dissectors/packet-ipsec.c    2025-08-04 08:49:08.051429961 +0000
+++ b/epan/dissectors/packet-ipsec.c    2025-08-04 08:49:43.277147173 +0000
@@ -1088,8 +1088,8 @@
   if((filter_len == 1) && (filter[0] == IPSEC_SA_WILDCARDS_ANY))
     return true;

-  /* If the filter has a wildcard, treat SPI as a string */
-  if (strchr(filter, IPSEC_SA_WILDCARDS_ANY) != NULL) {
+  /* If the filter has an x, treat SPI as a string */
+  if (strchr(filter, 'x') != NULL) {
     char spi_string[IPSEC_SPI_LEN_MAX];

     snprintf(spi_string, IPSEC_SPI_LEN_MAX,"0x%08x", spi);
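
Review bot: the new `strchr(filter, 'x')` test replaces the `IPSEC_SA_WILDCARDS_ANY` test instead of extending it, so a filter that contains `*` but no lowercase `x` no longer reaches the string branch. Consider keeping both conditions, for example `if (strchr(filter, IPSEC_SA_WILDCARDS_ANY) != NULL || strchr(filter, 'x') != NULL) {`. The `'x'` match is also case-sensitive while the SPI is formatted with lowercase `"0x%08x"`, so a filter typed with `0X` would take the other branch; the updated comment should say which spellings are expected.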

1 Answer

answered 2025-08-04 14:27:00 +0000

Chuckc

Could you open an enhancement request or bug report in GitLab issues?

2054: ESP: validate keys in UAT. added a TODO to the input code. (epan/dissectors/packet-ipsec.c):

  /* TODO: check format of spi */

It would be good if uat_esp_sa_record_update_cb() did validation similar to ikev1_uat_data_update_cb() and ikev2_uat_data_update_cb() in epan/dissectors/packet-isakmp.c.

And documentation can be added to the WSUG similar to the IKEv2 section:
11.11. IKEv2 decryption table

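
The kind of SPI format check the answer suggests for the ESP SA table, as an added example (not Wireshark code and not from either poster). `spi_filter_check` and its messages are hypothetical, and the accepted forms are assumptions: a lone `*`, a wildcard form compared character by character with the `0x%08x` text seen in the hunk, or a number that fits in 32 bits.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define SPI_WILDCARD '*'   /* stands in for IPSEC_SA_WILDCARDS_ANY */
#define SPI_HEX_LEN  10    /* "0x" plus 8 digits, the length "0x%08x" prints */

/* Hypothetical helper: returns NULL when the SPI field is acceptable,
 * otherwise a message that could be shown next to the table entry. */
const char *spi_filter_check(const char *s)
{
    if (s == NULL || *s == '\0')
        return "SPI is empty";
    if (strcmp(s, "*") == 0)
        return NULL;                          /* matches any SPI */

    if (strchr(s, SPI_WILDCARD) != NULL) {
        /* Wildcard form: must line up with the 10-character "0x%08x" text. */
        if (strlen(s) != SPI_HEX_LEN || s[0] != '0' || s[1] != 'x')
            return "wildcard SPI must be 0x followed by 8 hex digits or '*'";
        for (size_t i = 2; i < SPI_HEX_LEN; i++) {
            unsigned char c = (unsigned char)s[i];
            if (c != SPI_WILDCARD && !isxdigit(c))
                return "wildcard SPI contains a non-hex character";
            if (isupper(c))                   /* assumed: compared with lowercase text */
                return "use lowercase hex digits in a wildcard SPI";
        }
        return NULL;
    }

    /* Numeric form: base 0 accepts decimal, 0x hex and leading-0 octal. */
    if (!isdigit((unsigned char)s[0]))
        return "SPI must start with a digit"; /* rejects '-', '+', spaces */
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 0);
    if (errno != 0 || end == s || *end != '\0')
        return "SPI is not a valid number";
    if (v > 0xFFFFFFFFULL)
        return "SPI does not fit in 32 bits";
    return NULL;
}
```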
