dissectors: various fixes to sysdig packet dissector.

Mainly:
* added 3 new procexit event params
* avoid sigsegv when a sysdig event has
a number of params that is
greater than the wireshark one.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Federico Di Pierro 2021-12-13 14:05:26 +01:00 committed by Federico
parent 6ecc6a2ab4
commit c22b8bcb5f
1 changed files with 13 additions and 3 deletions


@ -214,6 +214,8 @@ static int hf_param_source_uint64 = -1;
static int hf_param_special_string = -1;
static int hf_param_spid_bytes = -1;
static int hf_param_status_bytes = -1;
static int hf_param_ret_bytes = -1;
static int hf_param_core_uint8 = -1;
static int hf_param_suid_bytes = -1;
static int hf_param_tags_bytes = -1;
static int hf_param_target_string = -1;
@ -1258,7 +1260,7 @@ static int * const syscall_symlinkat_x_indexes[] = { &hf_param_res_bytes, &hf_pa
#define syscall_fork_x_indexes syscall_clone_16_x_indexes
#define syscall_vfork_e_indexes no_indexes
#define syscall_vfork_x_indexes syscall_clone_16_x_indexes
static int * const procexit_1_e_indexes[] = { &hf_param_status_bytes, NULL };
static int * const procexit_1_e_indexes[] = { &hf_param_status_bytes, &hf_param_res_bytes, &hf_param_sig_bytes, &hf_param_core_uint8, NULL };
#define procexit_1_x_indexes no_indexes
static int * const syscall_sendfile_e_indexes[] = { &hf_param_out_fd_int64, &hf_param_in_fd_int64, &hf_param_offset_uint64, &hf_param_size_uint64, NULL };
static int * const syscall_sendfile_x_indexes[] = { &hf_param_res_bytes, &hf_param_offset_uint64, NULL };
@ -2174,8 +2176,15 @@ dissect_event_params(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int off
}
for (cur_param = 0; cur_param < syscall_header->nparams; cur_param++) {
if (!hf_indexes[cur_param]) {
// This happens when new params are added to existent events in sysdig,
// if the event is already mapped in wireshark with a lower number of params.
// hf_indexes array size would be < than event being dissected, leading to SIGSEGV.
break;
}
guint32 param_len;
if (syscall_header->record_type == SYSDIG_PARAM_SIZE_V2_LARGE) {
if (syscall_header->record_type == BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE) {
param_len = tvb_get_guint32(tvb, len_offset, encoding);
} else {
param_len = tvb_get_guint16(tvb, len_offset, encoding);
@ -2494,7 +2503,8 @@ proto_register_sysdig_event(void)
{ &hf_param_vpid_bytes, { "vpid", "sysdig.param.vfork.vpid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_vtid_bytes, { "vtid", "sysdig.param.vfork.vtid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_whence_bytes, { "whence", "sysdig.param.llseek.whence", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_ret_bytes, { "ret", "sysdig.param.procexit.ret", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_core_uint8, { "core", "sysdig.param.procexit.core", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL } },
};
/* Setup protocol subtree array */
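Review bot: In `dissect_event_params` the new `if (!hf_indexes[cur_param]) break;` guard prevents the out-of-bounds read only because every `*_indexes` array ends in a `NULL` sentinel, and it drops the remaining parameters without any indication to the user. `syscall_header->nparams` appears to be taken from the capture file, so any file declaring more parameters than the table knows would reach this path. I would state the requirement next to the check, e.g. `// hf_indexes must be NULL-terminated; nparams is file-controlled and may exceed the table`, and add an expert-info item to the event tree before the `break` so a truncated dissection is visible. Separately, the new `procexit_1_e_indexes` line lists `&hf_param_res_bytes`, while this commit declares and registers `hf_param_ret_bytes` (`sysdig.param.procexit.ret`) and no visible line references it, so the second slot was probably meant to be `&hf_param_ret_bytes`. The body of `dissect_event_params` starts and ends outside the hunk.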