All fragment errors are bounds errors that go past the contained length,
but they do not necessarily involve going past the reported length,
so the checks for FragmentBoundsError should reflect that.
With some forms of reassembly, like IP fragmentation, we don't know how
big the PDU/reassembled packet is until reassembly is complete, so we
probably use tvb_new_subset_remaining() to create fragments and the tvb's
reported length is equal to its contained length. In these cases
ReportedBoundsError would be otherwise thrown, except when the existing
checks for FragmentBoundsError intervene.
However, with other forms of reassembly, like various PDUs carried over TCP,
we know the total PDU length, so we use tvb_new_subset_length[_caplen](),
setting the proper reported length, but not changing the contained
length when reassembly is not performed. In those cases, a bounds error
that occurs due to lack of reassembly is otherwise a ContainedBoundsError,
not a ReportedBoundsError.
In both cases, a bounds error caused by an unreassembled fragment should
be a FragmentBoundsError for the existing reasons. It is not necessarily
a malformed packet (to the extent reassembly is not performed because of a
malformed error elsewhere, that should be reported separately) and can
likely be avoided by changing preferences (e.g., turning reassembly
preferences on, turning off checksum verification, etc.) Otherwise it
is probably a dissector bug.
Implement little endian support for tvb_get_bits family of functions.
The big/little endian refers to bit numbering within an octet. In big
endian, the most significant bit is considered bit 0, while in little
endian the least significant bit is considered bit 0.
Add encoding parameters to proto tree bits format family functions.
Specify ENC_BIG_ENDIAN in all dissectors using these functions except in
USB HID that requires ENC_LITTLE_ENDIAN to work correctly.
When formatting bits values, always display most significant bit on the
leftmost position regardless of the encoding. This results in no gaps
between octets and makes the displayed value comprehensible.
Close#4478Fix#17014
A few of them just needed scratch memory, so allocate and free it
manually after doing any exception-raising checks.
A few others were returning memory, and needed conversion to accept a
wmem scope argument.
This header was installed incorrectly to epan/wmem_scopes.h.
Instead of creating additional installation rules for a single
header in a subfolder (kept for backward compatibility) just
rename the standard "epan/wmem/wmem.h" include to
"epan/wmem_scopes.h" and fix the documentation.
Now the header is installed *correctly* to epan/wmem_scopes.h.
It is to tvb_reported_length_remaining() as
tvb_ensure_captured_length_remaining() is to
tvb_captured_length_remaining() - it throws an exception if the offset
is out of range.
(Note that an offset that's just past the end of the {reported,
captured} data is *not* out of range, it just means that there is no
data remaining. Anything *past* that is out of range and thus invalid.)
Add an encoding for "unpacked" 3GPP TS 23.038 7-bit strings, in which
each code position is in a byte of its own, rather than with the code
positions packed into 7 bits. Rename the packed encoding to explicitly
indicate that it's packed.
Add an encoding for ETSI TS 102 221 Annex A strings.
Use the new encodings.
Change-Id: I2fad824ca417dcd089fabfdf06f28529c7ee9e87
Signed-off-by: Filipe Laíns <lains@archlinux.org>
Reviewed-on: https://code.wireshark.org/review/37949
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add some ENC_ values for various flavors of packed BCD, and use that
instead of explicitly calling tvb_bcd_dig_to_wmem_packet_str() and
adding the result.
Change-Id: I07511d9d09c9231b610c121cd6ffb3b16fb017a9
Reviewed-on: https://code.wireshark.org/review/36952
Reviewed-by: Guy Harris <gharris@sonic.net>
tvb_find_line_end(), unlike a tvb_find_guint8() looking for an LF,
returns a length that *doesn't* include the line ending, *regardless* of
whether the line ends with CR-LF or just LF, so the query string we
extract is just the query, without any of the line ending.
Update some comments while we're at it to note that the "next_offset"
pointer argument to tvb_find_line_end() and tvb_find_line_end_unquoted()
can be NULL, in which case the offset *past* the line ending isn't
returned. (We pass tvb_find_line_end() NULL in the aforementioned call,
because, in that particular case, we don't care about the next line.)
Change-Id: I1c9746e32c61a79f8cb636d577a2e14a07ecab17
Reviewed-on: https://code.wireshark.org/review/35566
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add "native" support for the "zig-zag" version of a varint in proto.[ch] and
tvbuff.[ch]. Convert the use of varint in the KAFKA dissector to use the (new)
"native" API.
Ping-Bug: 15988
Change-Id: Ia83569203877df8c780f4f182916ed6327d0ec6c
Reviewed-on: https://code.wireshark.org/review/34386
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That's what the remaining calls to tvb_get_nstringz() and
tvb_get_nstringz0() are being used to do, even though those routines
were not intended for that purpose - the calls are extracting from a
text protcool, meaning that the strings are *not* null-terminate in the
packet.
Strings - even null-terminated ones - should, in almost all cases, be
extracted by tvb_get_string_enc() or routines that call it, so that an
encoding is specified. In the few cases where we're fetching strings
only to be compared to ASCII constants, or to parse as numbers, we can
get away with this.
Change-Id: I29f0532902c4ade2207de7f06db69c32eafd4132
Reviewed-on: https://code.wireshark.org/review/34072
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The latest iteration of Microsoft updates to SMB3 added compression to
the protocol. This commit implements decompressing and dissecting
compressed payloads.
The compression algorithms that can be used are "Plain LZ77",
"LZ77+Huffman" and "LZNT1" which you can read more about in the
[MS-XCA] documentation. This set of algorithm is sometimes referred to
as XPRESS.
This commit reuses the existing uncompression API scheme already in
place with zlib and brotli and adds 3 tvb_uncompress_*() function
implemented in:
* epan/tvbuff_lz77.c
* epan/tvbuff_lz77huff.c
* epan/tvbuff_lznt1.c
A new function wmem_array_try_index() was added to the wmem_array API
to make bound checked reads that fail gracefully. New tests for it
have been added as well.
Since both reads (tvb) and writes (wmem_array) are bound checked the
risk for buffer overruns is drastically reduced. LZ77+Huffman has
decoding tables and special care was taken to bound check these.
Simplified versions of the implementations were succesfully tested
against AFL (American Fuzzy Lop) for ~150 millions executions each.
The SMB2/3 dissector was changed to deal with the new transform header
for compressed packets (new protocol_id value) and READ request
flags (COMPRESSED). Badly compressed or encrypted packets are now
reported as such, and the decryption test suite was changed to reflect
that.
This commit also adds a test capture with 1 packet compressed with
each algorithm as returned by Windows Server 2019, along with 3
matching tests in test/suite_dissection.py
Change-Id: I2b84f56541f2f4ee7d886152794b993987dd10e7
Reviewed-on: https://code.wireshark.org/review/33855
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This is intended to be a replacement for get_token_len (from strutil.h) when its used on a tvb. It should be a little safer and remove the need for a dissector to use tvb_get_ptr.
Change-Id: Ib2d4a79718b6fba4eb9acc0129b13be6c8199a43
Reviewed-on: https://code.wireshark.org/review/30892
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This allows dissectors to check if a portion of the tvb is an ascii string while hiding the use of tvb_get_ptr.
Change-Id: Iaec7559dcfdefb8a5ae23e099ced45e90e611f8f
Reviewed-on: https://code.wireshark.org/review/30291
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We no longer have TVBUFF_ values corresponding to different types of
tvbuff; we have, instead, a set of method pointers for the different
types. Refer to the types by name, rather than by TVBUFF_ value.
Expand the description of some fields in the tvbuff structure.
Change-Id: I38b5281df247ddd66b4e39abfc129053a012d241
Reviewed-on: https://code.wireshark.org/review/27036
Reviewed-by: Guy Harris <guy@alum.mit.edu>
In tvb_new_subset_length_caplen(), the captured length argument is
backing_length and the reported length argument is reported_length. The
length argument to tvb_new_subset_length() is a reported length, not a
captured length, so call it reported_length, not backing_length.
Change-Id: Ibfb30e15bdd885d3c0fd66e2b4b07c4a45327f14
Reviewed-on: https://code.wireshark.org/review/26863
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add 8-bit, 16-bit, 24-bit, and 32-bit "fetch signed value" routines, and
use them rather than casting the result of the 8/16/24/32-bit "fetch
unsigned value" routines to a signed type (which, BTW, isn't sufficient
for 24-bit values, so this appears to fix a bug
in epan/dissectors/packet-zbee-zcl.c).
Use numbers rather than sizeof()s in various tvb_get_ routines.
Change-Id: I0e48a57fac9f70fe42de815c3fa915f1592548bd
Reviewed-on: https://code.wireshark.org/review/26844
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make Wireshark reflect that.
Change-Id: Ie66fb13a0fe3a8682143106dab601952e9154e2a
Reviewed-on: https://code.wireshark.org/review/25214
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Used to support variable length in QUIC protocol
Bug: 13881
Change-Id: Ia274b1530152376c5fb4e364fc4cf5ab246be1b3
Reviewed-on: https://code.wireshark.org/review/24990
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Craig Jackson <cejackson51@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
That allows a parallel typedef of ws_in4_addr for guint32.
Change-Id: I03b230247065e0e3840eb87635315a8e523ef562
Reviewed-on: https://code.wireshark.org/review/24073
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's only use is in dissectors or other tree creation APIs (where
packet scope is valid), so have it use format_text_wmem with
wmem_packet_scope().
Change-Id: I1f34e284a870c9844c6b27f4ae08a1e7efe54098
Reviewed-on: https://code.wireshark.org/review/19883
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It's only use is in dissectors, so have it use
format_text_wmem with wmem_packet_scope().
Change-Id: I22121324fd47aee32174b65104458ad2ef329bd7
Reviewed-on: https://code.wireshark.org/review/19856
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
format_text_wsp is fed into by tvb_format_text_wsp and tvb_format_stringzpad_wsp
so those functions need to add a wmem allocated parameter as well.
Most of the changes came from tvb_format_text_wsp and tvb_format_stringzpad_wsp
being changed more so than format_text_wsp.
Change-Id: I52214ca107016f0e96371a9a8430aa89336f91d7
Reviewed-on: https://code.wireshark.org/review/19851
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Hex digits 0xa through 0xe are '*', '#', 'a', 'b', and 'c',
respectively.
Constify the dgt_set_t argument to tvb_bcd_dig_to_wmem_packet_str(),
while we're at it.
Bug: 13316
Change-Id: I7586f35d23fd262453779d99946e7ccad4b6ffab
Reviewed-on: https://code.wireshark.org/review/19620
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This emphasizes that there is no such thing as *the* routine to
construct a subset tvbuff; you need to choose one of
tvb_new_subset_remaining() (if you want a new tvbuff that contains
everything past a certain point in an existing tvbuff),
tvb_new_subset_length() (if you want a subset that contains everything
past a certain point, for some number of bytes, in an existing tvbuff),
and tvb_new_subset_length_caplen() (for all other cases).
Many of the calls to tvb_new_subset_length_caplen() should really be
calling one of the other routines; that's the next step. (This also
makes it easier to find the calls that need fixing.)
Change-Id: Ieb3d676d8cda535451c119487d7cd3b559221f2b
Reviewed-on: https://code.wireshark.org/review/19597
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I75c0165948325c2e50918706d8a821411761727b
Signed-off-by: Francesco Fondelli <francesco.fondelli@gmail.com>
Reviewed-on: https://code.wireshark.org/review/17734
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
By analogy to ipv4.h.
Change-Id: I147565b332024b1bb88e9cd15889255773d04524
Reviewed-on: https://code.wireshark.org/review/13034
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't just define it yourself.
(And especially don't define it yourself if you're already including
epan/ipv6-utils.h.)
Change-Id: I9970d0edecef0c820b2a7fdce34509b54e7b3106
Reviewed-on: https://code.wireshark.org/review/13020
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Almost all replacements were done awhile ago, just put the final nail in the coffin.
Change-Id: I0a708d886da5a500c2a1e2c9ee2736794bdb9411
Reviewed-on: https://code.wireshark.org/review/12206
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The remaining calls seem to fall into 3 categories:
1. passing it to tvb_find_line_end when -1 (for length) will do.
2. duplicating the checking of tvb_reported_length_remaining, which is already in use near the tvb_ensure_length_remaining call.
3. Those that (probably) need tvb_ensure_capture_length_remaining
Change-Id: I1e77695251e055644bcbbb89f3c181c65d1671ca
Reviewed-on: https://code.wireshark.org/review/10268
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Routines that don't take a tvbuff as an argument shouldn't have tvb_ in
the name.
Change-Id: I3550256551e30b3f329cbbfca71ef27c727d29c0
Reviewed-on: https://code.wireshark.org/review/7302
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This combines the SSE4.2 instructions usage, with pre-compiled
pattern searching usage, for a faster pbrk search method.
Testing against large files of HTTP and SIP, there is about
a 5% performance improvement by using pre-"compiled" patterns
for guint8_pbrk() instead of passing it the search string and
having it build the match array every time.
Similar to regular expressions, "compiling" the pattern match array
in advance only once and using the "compiled" patterns for
the searches is faster than compiling it every time.
Change-Id: Ifcbc14a6c93f32d15663a10d974bacdca5119a8e
Ping-Bug: 10798
Reviewed-on: https://code.wireshark.org/review/6990
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I79c613cbdd8dc939dd4c29ebc477fb6eefd5bfc4
Reviewed-on: https://code.wireshark.org/review/6371
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Also change bytestring_to_str to match bytes_to_ep_str_punct functionality (limiting byte string size)
Change-Id: Idb958c7f0c203d103629469302b81fa922714f7e
Reviewed-on: https://code.wireshark.org/review/6369
Reviewed-by: Michael Mann <mmann78@netscape.net>
Changed all remaining code in wslua that was using emem, to use wmem or
simpler methods.
Bug: 9927
Change-Id: I3d19a770e0fd77d996bdb6b61a76a722cc2bcd55
Reviewed-on: https://code.wireshark.org/review/6109
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Moshe Kaplan