Different QUIC connections can be multiplexed on the same network
5-tuple. Handle this, including checking for Stateless Reset tokens
on all connections on the same 5-tuple.
Create a CONVERSATION_QUIC type using our internal QUIC connection
ID, and set the conversation elements so that subdissectors like
TLS that set conversation data only alter data for the one QUIC
connection instead of all multiplexed connections.
Various failures are expected, per RFC 9000, if zero-length connection
IDs are used when multiplexing connections on the same local IP addresses
and ports.
Fix #17099
When building with MSVC, implicit changes of the integer sizes in
fmt_dect_nwk_ipei are treated as an error due to possible loss of
information.
This is now overcome by explicitly masking the shifted value to fit in
guint16 and by typecasting in the calculation to guint16 (the maximum value
that needs to fit here is sum(x=1..x=12)(9x)=702 )
Add basic dissection of S-Format elements MULTI-DISPLAY and
MULTI-KEYPAD. The dissector now holds information regarding control
characters of the DECT charset.
The value for Escaping to proprietary algorithm was wrong and the
Boolean field Y/N was registered using the wrong base, resulting in a
failed assertion during dissection
First steps in dissection of the LCE-PAGE-RESPONSE message. Basic
dissection for S-FORMAT information elements being mandatory or
optional in this message is included.
-Changed the encoding of certain options to their appropriate value, the old values caused compilation error on some machines
-Reverted change #1 in commit c7d3335110290886f6dd56fa640c8b0ca0b7fce5 which caused a packet malformation error due to a data item being read incorrectly.
-Certain lines had a mixture of tabs and spaces which prevented compilation on certain machines
-Replaced protocol abbreviation from mpdccp.mp_* to dccp_mp_* to solve PROTOABBREV error when building
-Changed proto_tree_add_unit to proto_tree_add_item, as suggested for the dissect feature option
-Changed conditional statements to a switch case for MP_ADDADDR
-List MP_OPT as a subtree with relevant MP_SEQ, ID Address and/or subflow.
-Fixed a compilation warning due to an except statement creating a subtree for a nonexistent tree.
Previous implementation lacked MP_ADDADDR, MP_REMOVEADDR and had an outdated version of MP_PRIO.
Fixed a bug where the dissector had an incorrect offset of 1 byte, resulting in it incorrectly reading headers and data, thus resulting in malformed packets.
==207143==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f59752e0f00 at pc 0x7f5971cd0737 bp 0x7ffe881b1ef0 sp 0x7ffe881b1ee8
READ of size 4 at 0x7f59752e0f00 thread T0
#0 0x7f5971cd0736 in setup_rlc_mac_priv epan/dissectors/packet-gsm_abis_pgsl.c:194:8
#1 0x7f5971ccfc89 in dissect_gprs_data epan/dissectors/packet-gsm_abis_pgsl.c:357:3
#2 0x7f5971ccf6ea in dissect_abis_pgsl epan/dissectors/packet-gsm_abis_pgsl.c:477:3
#3 0x7f5974483daa in call_dissector_through_handle epan/packet.c:822:9
#4 0x7f5974478c05 in call_dissector_work epan/packet.c:920:9
If a field name has been written to the json dumper for
a bytes element (Base64), then a Base64 value must be written
later, even if the value is zero length.
Move the JSON_DUMPER_FLAGS_NO_DEBUG flag to the json_dumper header,
and use it in the protobuf dissector, so that errors in the JSON
dumper state transitions do not abort the application through a
ws_error() call. Use DISSECTOR_ASSERT in that case, since it should
happen only with a dissector bug (as with the zero bytes elements
issue fixed here), not with malformed packets.
Only instantiate the json_dumper and create its output string if
we intend on displaying its output, instead of doing so whenever
we have a message type name.
Fix #18730.
Previously the length was ignored and if a Sequence contains more than
one extensions (in the ellipsis) then the value of the second was
wrongly added to the value of the previous one.
Once we have a full MCTP message, we can decode its type (including IC
field). This change adds type decode support, for the types present in
packet-mctp.h.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
This change adds support for trivially-encapsulated MCTP protocols,
starting with NCSI-over-MCTP.
We need to handle this slightly differently from the existing MCTP-based
protocols (MCTP control protocol and NVMe-MI), as the inner protocol is
unaware of the type byte and (optional) checksum trailer. So, add a new
dissector table, "mctp.encap-type" for these, meaning we can just hook
into the raw NC-SI dissector.
We also add the type definition for MCTP-over-ethernet, as defined in
the NCSI-over-MCTP specification.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
We have a few hard-coded MCTP type definitions in use (for MCTP control
protocol, and NVMe-MI) already, and we're about to add a couple more.
This change adds a header for packet-mctp, just with the type
definitions, and uses it for the current types.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Naming of variables, i.e. for header fields was inconsistent (dlc_ vs
dect_dlc_). This is now changed to use the abbreviation (dect_dlc_) on
all global places.
The DECT-DLC dissector now reassembles fragments before handing them
over to the NWK layer. Most of this is done by reusing the reassembly code
from packet-lapdm.c.
A few HS-DSCH conversations are created when calling add_hsdsch_bind,
such as when a RadioLinkReconfigurationPrepare procedure has
an id-HSDSCH-MACdFlows-to-Add element. This method should add
the CommunicationContextID to the conversation just like the
other ways of creating the conversation. This provides a UEID
for a unique key for RLC reassembly.
The notification context field was parsed as a 4-byte fixed-length field but is defined as type OcaBlob (variable length).
This fix parses the notification context as an OcaBlob parameter while maintaining the field `ocp1.context`.
Clear the object_identifier_id global at the beginning of
each QCStatement, in case the statementId BER has errors and
does not put a value in the ptr. (call_ber_oid_callback correctly
handles being passed a NULL.)
Fix #18552.
This adds BPv7 source and destination as first-class text addresses for the packet.
This fixes proto-data used for decode-as table editing outside of a layer.
In the case of RDP traffic, the conversation usually starts with 3 TPKT packets
and then switches to TLS. The SSL dissector was setting the conversation dissector
without specifying any start packet, which led to the first 3 packets being
interpreted as invalid SSL records (which they are, as they are TPKT packets). This patch
fixes this by specifying the first true SSL packet.
The RDPUDP protocol transports TLS or DTLS records, but as the payload of RDPUDP is small,
most of the time records are split over multiple RDPUDP packets. This patch adds
support for desegmentation in RDPUDP so that we interpret the results of the SSL
dissector and we can give back untreated content when dissecting the next packet.
AMD and UMD PDUs can be larger than 255 bytes, so the
offset should not be stored in a guint8. Otherwise,
the offset overflows and the last 256 bytes of the PDU
are added as an extra "fragment."
epan/dissectors/packet-usb-ccid.c filter= usbccid.dwFeatures.stopIccClk - mask has odd number of digits 0x100 expected max for FT_BOOLEAN is 8
epan/dissectors/packet-usb-ccid.c filter= usbccid.dwFeatures.nadValNot0accept - mask has odd number of digits 0x200 expected max for FT_BOOLEAN is 8
epan/dissectors/packet-usb-ccid.c filter= usbccid.dwFeatures.autoIfsd - mask has odd number of digits 0x400 expected max for FT_BOOLEAN is 8
display_extension_block is supposed to return the current offset,
not the number of bytes remaining. The number of bytes remaining
can be less than the current offset and cause an infinite loop.
In the case of an error, set lastheader and return the current
offset in order to break out of the main processing loop.
Fix #18711.
3GPP TS 25.427 and TS 25.435 both say that the Payload CRC IE
may only be present if the frame contains payload for E-DCH
frames, even where the setup of the transport bearer indicated
that the CRC would be present otherwise. So if there's no payload
and the CRC is missing, treat that as missing-but-expected rather
than marking the packet as malformed.
Take the opportunity to switch to proto_tree_add_checksum, which
handles all the various cases. Ping #8859
Set the direction based on request type in a similar manner as is done
for other URB types, i.e. set source to host on URB submit. Correctly
set bus number based on locationID upper 8 bits.
Fixes #16768
IEEE 802.11-2020, Section 12.4.7.6 says that an SAE Confirm message,
with a status code not equal to SUCCESS, shall indicate that a peer
rejects a previously sent SAE Confirm message. In this case, the Confirm
message may not carry a Send-Confirm field or a Confirm field, as
hostapd does. So we simply ignore possible fields following Status code.
Signed-off-by: Chien Wong <m@xv97.com>
Use tvb_find_guint8 and tvb_ws_mepbrk to find the
token boundaries for www-form-urlencoded. Use tvb_memcpy
to copy groups of bytes that don't have special characters
like + or %.
This is considerably more optimized (e.g. find_guint8 uses
memchr) than the naive loop, and speeds up the relevant part
by up to 10x.
Also handle cases where value is empty and there is no =
by splitting on &, instead of looking for the next =.
Together with bd1f2cc996, fix #13779.
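The tokenising strategy that commit message describes (find the next special character with a memchr-style scan, bulk-copy the plain run, and split on & before looking for =, so a key with no = still yields an empty value) in stand-alone form. This is an added example, not Wireshark's code: the struct kv type, parse_form(), decode_span() and free_pairs() are hypothetical names of mine, and the sample bodies in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kv { char *key; char *value; };

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the span [s, s+n) of www-form-urlencoded text into a fresh
 * NUL-terminated string: '+' becomes ' ', %XX becomes the byte XX, and a
 * malformed or truncated %XX is kept literally rather than dropped.
 * Decoding never grows the text, so n + 1 bytes always suffice. */
static char *decode_span(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    size_t i = 0, o = 0;
    if (!out) return NULL;
    while (i < n) {
        /* Copy the whole run without '+' or '%' with one memcpy instead of
         * walking it byte by byte. */
        size_t run = 0;
        while (i + run < n && s[i + run] != '+' && s[i + run] != '%')
            run++;
        memcpy(out + o, s + i, run);
        o += run;
        i += run;
        if (i == n)
            break;
        if (s[i] == '+') {
            out[o++] = ' ';
            i++;
        } else if (i + 2 < n && hexval(s[i + 1]) >= 0 && hexval(s[i + 2]) >= 0) {
            out[o++] = (char)(hexval(s[i + 1]) * 16 + hexval(s[i + 2]));
            i += 3;
        } else {
            out[o++] = s[i++];   /* lone or malformed '%' */
        }
    }
    out[o] = '\0';
    return out;
}

/* Split body on '&' first, then split each token on its first '='.
 * A token with no '=' is a key with an empty value; empty tokens (as in
 * "a=1&&b") are skipped. Fills at most max pairs and returns the count. */
static size_t parse_form(const char *body, struct kv *out, size_t max)
{
    const char *p = body, *end = body + strlen(body);
    size_t count = 0;
    while (count < max) {
        const char *amp = memchr(p, '&', (size_t)(end - p));
        const char *tok_end = amp ? amp : end;
        if (tok_end > p) {
            const char *eq = memchr(p, '=', (size_t)(tok_end - p));
            if (eq) {
                out[count].key = decode_span(p, (size_t)(eq - p));
                out[count].value = decode_span(eq + 1, (size_t)(tok_end - (eq + 1)));
            } else {
                out[count].key = decode_span(p, (size_t)(tok_end - p));
                out[count].value = decode_span("", 0);
            }
            count++;
        }
        if (!amp)
            break;
        p = amp + 1;
    }
    return count;
}

static void free_pairs(struct kv *pairs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        free(pairs[i].key);
        free(pairs[i].value);
    }
}

int main(void)
{
    struct kv pairs[8];
    /* Constructed sample body: plain, missing '=', percent/plus escapes, empty value. */
    size_t n = parse_form("a=1&b&c=%41%2B+d&e=", pairs, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s -> '%s'\n", pairs[i].key, pairs[i].value);
    free_pairs(pairs, n);
    return 0;
}
```

Splitting on & first is what makes "b" in the sample parse as a key with an empty value instead of swallowing everything up to the next = as the key.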
Formerly only the class specific dissectors could be registered for
bulk, control and interrupt endpoints. While this is sufficient for
major classes, there are some classes that only use one or two of
possible class/subclass/protocol triple values. Allow registering
specific triples so the appropriate dissector can be automatically selected
based on CONFIGURATION DESCRIPTOR data.
Register DFU Run-Time and DFU Mode triples so the user no longer needs to
manually set Decode As for USB DFU.
Add fragment_add_check_with_fallback() and use it in USBLL dissector
instead of fragment_add_check() to avoid last fragment retransmissions
from being treated as separate transfers. With this change, the last
fragment retransmissions are correctly grouped together with the rest
of the transfer.
Only skip single fragment reassembly if retransmission is not possible
at the protocol level, i.e. for SETUP DATA0 (when it is not merged with
OUT data) and for isochronous transfers. The reassembly must not be
skipped for other transfers (especially for full-speed bulk) because
otherwise it wouldn't be possible to group retransmissions together with
the first data packet.
Do not use DATA0/DATA1 tracking for isochronous transfers. Isochronous
data cannot be retransmitted because there are no handshakes (there is
no ACK nor NAK after isochronous data packets).
Add support for DTLS Connection ID when using Block Ciphers
with the deprecated extension type (53) from
draft-ietf-tls-dtls-connection-id-07.
Closes #18705
The loopback and unspecified addresses are repeated. Keep
only the "special purpose" field, in accordance with the
IANA registry (and unlike RFC 4291) to remove the redundancy.
Add the "Unique Local Unicast" range to address space field,
also from the IANA registry.
Unique-Local and Link-Local are still repeated in both fields.
Oh well...
Add a safeguard to limit the maximum number of iterations.
Do not allocate a new buffer for every loop iteration in a loop that
depends on the result of the decompression routine.
Either allocate the buffer once or free after use. Defensive programming
is more important than speed in this case.
UDP port 49999 is not IANA registered, so add some heuristics
to the NXP 802.15.4 sniffer so that it doesn't claim packets
from other protocols that have chosen that ephemeral port.
Don't return 0 after already adding things to the tree; do that
check in the heuristics.
Fix #18695
This parameter was introduced as a safeguard for bugs
that generate an unbounded string but its utility for
that purpose is doubtful and the way it is being used
creates problems with invalid truncation of UTF-8
strings.
Rename wmem_strbuf_sized_new() with a better name.
GSMTAP has had support for various other ISDN related protocols as
sub-types of the GSMTAP_TYPE_E1T1 type. We've recently started to work
on V5 (ITU-T G.964/G.965) and introduced a new sub-type for this.
Let's add the related dispatch from packet-gsmtap.c to packet-v5ef.c
The ofp_stats struct length field includes the fixed 4 bytes.
If the length is smaller than that, report the length error
and break out. In particular, a value of zero can cause
infinite loops if this isn't done.
There's no point in trying to decompress a message with
length zero, and some of the third party decompression
libraries (e.g. zstd) can give unexpected results that
lead to infinite loops if we do so. A message length zero
is almost surely a file with errors.
display_extension_block is supposed to return the current offset,
not the number of bytes remaining, which can be less than the current
offset and cause an infinite loop. In the case of errors, set
lastheader and return the current offset to break out of loops.
Adds missing NULL-termination in headerfield list in
dissect_dect_mitel_eth_mac_con_ind and removes handover to general data
dissector as this path is no longer reached due to handling the
different message types within this dissector.
Only dissectors are using this function and there is no use case,
as far as I know, that requires its use. Any limitation of length
is imposed transparently by the UI backend.
This function is problematic because it is not Unicode aware and
will truncate a string on an arbitrary byte boundary for multibyte
strings.
Replace its use with a normal strbuf without a length limit and
remove the function because it is not useful and the ITEM_LABEL_LENGTH
parameter does not belong in wmem anyway.
CitrixAGBasic Authentication has Base64 encoded values. The result of
Base64 decoding is not guaranteed to be valid UTF-8 (or ASCII), so
verify it.
Also add the username and password to the credentials tap.
Fix #18677.
The dynamic hf entries for HTTP2 read from the UAT should be
changed when the UAT is changed or reset, not on each file
load and file close. If a field is added as a column, coloring
rule, or filter, and the capture file is changed, deregistering
the field and reregistering it can cause a crash.
Use the same approach as with HTTP and SIP, slightly modified
because in HTTP2 the header fields hash contains the static
headers as well, to prevent adding duplicate entries via the UAT.
Fix #14768
When CIMD indicates that a message was sent in the 7 bit GSM alphabet,
each character has been converted to ASCII or ISO-8859-1 with the
use of combining escape sequences for characters not present in
the destination encoding. Properly convert back to GSM 7 bit encoding
and then to UTF-8 for display.
Fix #18676.
Return a struct containing error information. This simplifies
the interface to more easily provide richer diagnostics in the future.
Add an error code besides a human-readable error string to allow
checking programmatically for errors in a robust manner. Currently
there is only a generic error code, it is expected to increase
in the future.
Move error location information to the struct. Change callers and
implementation to use the new interface.
Adds dissection of the SYNC message type with the following payloads:
* FREQ_CTRL_MODE_IND
* FREQ_CTRL_MODE_CFM
* SET_FREQUENCY
* START_MAC_SLAVE_MODE_IND
* SYSTEM_SEARCH_IND
* SYSTEM_SEARCH_CFM
* PHASE_OFS_WITH_RSSI_IND
The dissection of the DECT-MITEL-RFP protocol is based upon findings
that resulted in rfpproxy, so I think it is a good idea to also name the
author in the source file
This is the beginning of a basic dissection of the proprietary protocol used
by the Mitel OMM/RFP communication over TCP. Currently no decryption is
supported so there is the need of external decryption.
The ETH protocol has a two-byte field that is only used when
transported over raw Ethernet, and a length indicator in that case.
Those two fields are not present if the ETH protocol is encapsulated
in the OMM/RFP communication protocol.
To make this dissector also usable when used after dissecting
DECT-MITEL-RFP distinguishing between both packet structures has
been included.
The wmem_strbuf_new_label() creates a new buffer with a length limit
in octets. With multibyte strings this is likely to generate invalid
UTF-8 errors.
Remove the artificial limit on the value size. The
function proto_tree_add_string() sets the value, and truncating
that to an arbitrary limit is not really correct.
The display label will be truncated to a preset length by the UI.
This mechanism uses ws_label_strcpy() and is designed to avoid
the invalid truncation.
While here use wmem_strbuf_get_str() instead of wmem_strbuf_finalize().
Accepted best practice is to let the scope free the memory.
Removing the finalize call avoids an unnecessary realloc.
Fixes #18653.
For signed exponential Golomb, fix a typo when testing if
value was even or odd that resulted in a no-op. This was
mapping all overflows to G_MININT32 instead of half of them
to G_MAXINT32.
Use tvb_new_octet_aligned when adding addresses (strings or bytes)
that are not byte aligned. That is not only clearer code, but also
prevents attempting to add unvalidated strings.
Since we're aligning the fields properly, get rid of the extra
fields for the MSB of the first field and LSB of the last field.
Fix #18664
RFC 3261 does not put a limit on the maximum size of Call-ID.
(Some implementations do, such as at 256 bytes.) Truncating
it can produce invalid UTF-8 if there's also errors that
turn into UTF-8 replacement characters.
A reduced size is still used for the hash table lookup.
Add an expert info warning if Call-ID is missing, as it's
a mandatory field.
Fix #18620.
Instead of using tvb_get_bits and proto_tree_add_uint,
use a bitmask in the field info and proto_tree_add_item.
This means that when epan/print.c writes PDML or JSON,
the value written is the correctly masked value (PDML also
includes the unmasked value.)
When proto_tree_add_uint is used, the value written to
PDML and JSON is the original value from the packet buffer,
not properly shifted.
Using a bitmask in the field definition allows us to use
proto_tree_add_item, which means that when print.c writes
PDML and JSON, the value written is the correctly masked
value (PDML also includes the unmasked value.)
When functions like proto_tree_add_uint are used instead,
the value written to PDML and JSON is the original value
from the packet buffer, not properly shifted.
Instead of using tvb_get_bits32 and proto_tree_add_uint,
use a bitmask in the field info and proto_tree_add_item.
This means that when epan/print.c writes PDML or JSON,
the value written is the correctly masked value (PDML also
includes the unmasked value.)
When proto_tree_add_uint is used, the value written to
PDML and JSON is the original value from the packet buffer,
not properly shifted.
It's possible, in the case of errors, for the result of
g_uri_unescape_string not to be valid UTF-8, either if originally
some other encoding was percent-encoded, or if there were errors.
Check for it.
Fix #18658.
Add strings with proto_tree_add_item or tvb_get_string_enc;
avoid using tvb_get_raw_bytes_as_string.
Use UTF-8 as the encoding to future-proof, according to
Locomation.
Use tvb_find_line_end() to split the lines, which does almost
all the needed logic and simplifies the code.
Fix #18632
maxseqtobeacked needs to be increased when it's lower than
nextseq, not the other way around, otherwise we can get repeated
extra TCP ACKed unseen segment messages.
Since sequence analysis is always on the absolute sequence
numbers, not relative, it needs to use LT_SEQ to handle wraparound.
Fix #18558. Fix #18633.
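Both points in that commit message (compare absolute sequence numbers modulo 2^32, and raise maxseqtobeacked only when it is lower than nextseq) as a small stand-alone model. This is an added example, not Wireshark's TCP analysis code: lt_seq() is my own signed-difference comparison written in the spirit of the LT_SEQ the message refers to, struct flow_state and observe_segment() are hypothetical names, and the segments in main() are constructed to straddle the 32-bit wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modular "x < y" on 32-bit sequence numbers. Casting the difference to a
 * signed 32-bit value makes 0xFFFFFFF0 compare as less than 0x00000010,
 * which a plain unsigned '<' gets wrong right after the wrap. */
static bool lt_seq(uint32_t x, uint32_t y)
{
    return (int32_t)(x - y) < 0;
}

/* Per-direction state of a (hypothetical) sequence analyser. */
struct flow_state {
    uint32_t nextseq;          /* next byte we expect to see */
    uint32_t maxseqtobeacked;  /* highest byte for which data has been seen */
};

/* Feed one data segment. Returns true if a hole precedes it (data the
 * peer may ACK although we never saw it). */
static bool observe_segment(struct flow_state *st, uint32_t seq, uint32_t len)
{
    bool gap = lt_seq(st->nextseq, seq);
    uint32_t end = seq + len;   /* wraps naturally in uint32_t */

    if (lt_seq(st->nextseq, end))
        st->nextseq = end;

    /* Correct direction: bump maxseqtobeacked when it is LOWER than nextseq.
     * Testing the opposite condition would leave it stale after each new
     * segment and re-raise the "ACKed unseen segment" case repeatedly. */
    if (lt_seq(st->maxseqtobeacked, st->nextseq))
        st->maxseqtobeacked = st->nextseq;

    return gap;
}

int main(void)
{
    /* Constructed flow starting 16 bytes before the wrap. */
    struct flow_state st = { 0xFFFFFFF0u, 0xFFFFFFF0u };

    printf("plain '<' across wrap: %d, lt_seq: %d\n",
           0xFFFFFFF0u < 0x10u, lt_seq(0xFFFFFFF0u, 0x10u));
    printf("segment over the wrap, gap=%d nextseq=0x%08x max=0x%08x\n",
           observe_segment(&st, 0xFFFFFFF0u, 0x20), st.nextseq, st.maxseqtobeacked);
    printf("segment after a hole, gap=%d nextseq=0x%08x max=0x%08x\n",
           observe_segment(&st, 0x20u, 4), st.nextseq, st.maxseqtobeacked);
    return 0;
}
```

The signed-difference trick only holds while the two numbers are within 2^31 of each other, which is the usual assumption for TCP sequence space; for relative sequence numbers the wrap never occurs, which is why the absolute-number path needs the modular compare and the relative one does not.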
It's possible to have multiplexed PPP MP that occurs in several
layers in the same frame, so we need to check that we're in the
right packet and also the right layer. process_reassembled_data
does that, so check to see if it returned a tvb instead of
just checking the frame number. Prevents some DISSECTOR BUG errors
when the buffer isn't actually available.
This change adds a small dissector for the NVMe-MI protocol, typically
for tunnelling Administration commands over an MCTP (over I2C) channel.
We just decode the request and response headers, and leave the payload
as raw data.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
This change adds a very basic dissector for the MCTP control protocol -
just the header fields, leaving the raw payload data.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
This change adds a protocol dissector for the Management Component
Transport Protocol (MCTP). This is a fairly simple datagram-based
protocol for messaging between components within a single platform,
typically over I2C, serial or PCIe.
This dissector just implements the header fields, and sequence-number
based message reassembly. Inner protocols will be added as follow-up
changes.
Linux has support for AF_MCTP data, so decode from the MCTP SLL ltype.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>