Commit Graph

85371 Commits

Author SHA1 Message Date
Pascal Quantin 60b6fb4484 E1AP: upgrade dissector to v17.1.0 2022-09-13 17:26:32 +02:00
Guy Harris c9342873e5 Clarify dissector description, protocol short name, and protocol long name.
Rename dissector_handle_get_long_name() and
dissector_handle_get_short_name() to
dissector_handle_get_protocol_long_name() and
dissector_handle_get_protocol_short_name(), to clarify that they fetch
names for the protocol that the dissector dissects, not for the
dissector *itself*.  Leave a deprecated
dissector_handle_get_short_name() wrapper, and export
dissector_handle_get_protocol_long_name(), as it's now used in some
dissectors.

Change some calls to dissector_handle_get_description() back to
dissector_handle_get_protocol_short_name(), as they appear to be made in
order to display a *protocol* name.

Rename some methods, variables, enums, and table column names to reflect
cases where the dissector description is being used.
2022-09-13 00:47:24 -07:00
ismaelrti 623317fe47 RTPS: Added IP to IPv4 locator dissection.
IPv4 locator dissection shows the locator IP as a separate field.
2022-09-13 05:58:24 +00:00
Chuck Craft 87a7260bb0 Qt6: migrate obsolete currentIndexChanged(QString)
Similar to work done in !8070 and !8072 to move off a function
that was deprecated in Qt5 and obsoleted in Qt6. Also migrate to
syntax laid out in !4560 and !4565.
2022-09-12 22:10:11 +00:00
Guy Harris d4394de669 Give dissectors a descriptive string.
It defaults to the short name of the protocol dissected by the
descriptor, but it's now possible to register a dissector with an
explicit description.

This is mainly for use in the Decode As UI.  It handles the case where
the same protocol might have different "Decode As..."-specifiable
dissectors for different situations.
2022-09-12 21:05:14 +00:00
Jaap Keuter 5ee9cbe0b6 TLS: fix GREASE extension 2022-09-12 21:04:31 +00:00
Gerald Combs 55de00662d Qt: Clean a couple of context menus.
Set the Qt::WA_DeleteOnClose property on our packet list header and
about dialog context menus.
2022-09-12 20:16:23 +00:00
Guy Harris ede58da465 coap: have different dissectors for different transports.
As noted in the comment for e5951765d8,
mechanisms by which a dissector can attempt to infer the protocol over
which its protocol was transported aren't reliable.

To add to that, another failure case for inferring it from the previous
entry in the pinfo->layers list is a packet transported over TCP using
MPTCP, as the previous entry would be MPTCP, not TCP.

So we provide multiple CoAP dissectors:

 - CoAP over WebSockets;
 - CoAP over TCP, TLS, or other byte-stream protocols;
 - CoAP over other transports;

and have them pass the transport type to a common dissection routine.

We then register the appropriate dissectors in various dissector tables,
and register the CoAP-over-other-transports dissector as the "coap"
dissector.
2022-09-11 19:16:03 -07:00
John Thacker 9954de392b tcp: Don't try to desegment at FIN if we can't desegment the frame
Check pinfo->can_desegment before trying to desegment at FIN.
Fix #18335
2022-09-11 19:40:26 -04:00
Gerald Combs 834bf08290 Qt: Fix 29West dialog deletion.
Set the Qt::WA_DeleteOnClose attribute (which calls deleteLater())
instead of deleting dialogs under themselves.
Fixes #18334.
2022-09-11 12:44:46 -07:00
Gerald Combs f0fac9e793 [Automatic update for 2022-09-11]
Update manuf, services enterprise numbers, translations, and other items.
2022-09-11 19:29:51 +00:00
Chuck Craft 9ab1093913 wsdg/Lua: no get_range() method - use fieldinfo.range 2022-09-11 17:52:10 +00:00
Nardi Ivan 961bc71e53 STUN: fix calculation of CRC-32 with TCP framing
According to RFC 8489:
Sec 1: "All STUN messages start with a fixed header that includes a method,
a class, and the transaction ID".
Sec 14.7: "The value of the attribute is computed as the CRC-32 of the STUN
message up to (but excluding) the FINGERPRINT attribute itself".

Even if the RFCs are not crystal clear, it seems that the "TCP Stream
length" field (described in RFC 4571) should be excluded from the CRC-32
calculation.
2022-09-11 16:53:42 +00:00
John Thacker a48298a93a proto: Ensure that representation strings are printable, valid UTF-8
The proto_item_XXX_text() routines and proto_tree_add_XXX_format[_value]
functions allow dissectors to alter the representation string for
a protocol tree item with data that may come from arbitrary packet data.
These values are displayed by tshark or wireshark, so they should be made
into printable, valid UTF-8.

This means that dissectors no longer need to call format_text before using
those functions (though, if they want to produce some other kind of
printable string, such as with format_text_wsp, they still can.)

Also, mark when appending and prepending text truncates a string that
was not previously truncated (except for a small number of cases where
it is difficult to determine if it was truncated before.)

Part of #18317
2022-09-11 15:32:03 +00:00
Guy Harris e5951765d8 Dissector names are not protocol names.
A given protocol's packet format may depend, for example, on which
lower-level protocol is transporting the protocol in question.  For
example, protocols that run atop both byte-stream protocols such as TCP
and TLS, and packet-oriented protocols such as UDP or DTLS, might begin
the packet with a length when running atop a byte-stream protocol, to
indicate where this packet ends and the next packet begins in the byte
stream, but not do so when running atop a packet-oriented protocol.

Dissectors can handle this in various ways:

For example, the dissector could attempt to determine the protocol over
which the packet was transported.

Unfortunately, many of those mechanisms do so by fetching data from the
packet_info structure, and many items in that structure act as global
variables, so that, for example, if there are two PDUs for protocol
A inside a TCP segment, and the first protocol for PDU A contains a PDU
for protocol B, and protocol B's dissector, or a dissector it calls,
modifies the information in the packet_info structure so that it no
longer indicates that the parent protocol is TCP, the second PDU for
protocol A might not be correctly dissected.

Another such mechanism is to query the previous element in the layers
structure of the packet_info structure, which is a list of protocol IDs.

Unfortunately, that is not a list of earlier protocols in the protocol
stack, it's a list of earlier protocols in the dissection, which means
that, in the above example, when the second PDU for protocol A is
dissected, the list is {...,TCP,A,B,...,A}, which means that the
previous element in the list is not TCP, so, again, the second PDU for
protocol A will not be correctly dissected.

An alternative is to have multiple dissectors for the same protocol,
with the part of the protocol that's independent of the protocol
transporting the PDU being dissected by common code.  Protocol B might
have an "over a byte-stream transport" dissector and an "over a packet
transport" dissector, with the first dissector being registered for use
over TCP and TLS and the other dissector being registered for use over
packet protocols.  This mechanism, unlike the other mechanisms, is not
dependent on information in the packet_info structure that might be
affected by dissectors other than the one for the protocol that
transports protocol B.

Furthermore, in a LINKTYPE_WIRESHARK_UPPER_PDU pcap or pcapng packet for
protocol B, there might not be any information to indicate the protocol
that transports protocol B, so there would have to be separate
dissectors for protocol B, with separate names, so that a tag giving the
protocol name would differ for B-over-byte-stream and B-over-packets.

So:

We rename EXP_PDU_TAG_PROTO_NAME and EXP_PDU_TAG_HEUR_PROTO_NAME to
EXP_PDU_TAG_DISSECTOR_NAME and EXP_PDU_TAG_HEUR_DISSECTOR_NAME, to
emphasize that they are *not* protocol names, they are dissector names
(which has always been the case - if there's a protocol with that name,
but no dissector with that name, Wireshark will not be able to handle
the packet, as it will try to look up a dissector given that name and
fail).

We fix that exported PDU dissector to refer to those tags as dissector
names, not protocol names.

We update documentation to refer to them as DISSECTOR_NAME tags, not
PROTO_NAME tags.  (If there is any documentation for this outside the
Wireshark source, it should be updated as well.)

We add comments for calls to dissector_handle_get_dissector_name() where
the dissector name is shown to the user, to indicate that it might be
that the protocol name should be used.

We update the TLS and DTLS dissectors to show the encapsulated protocol
as the string returned by dissector_handle_get_long_name(); as the
default is "Application Data", it appears that a descriptive name,
rather than a short API name, should be used.  (We continue to use the
dissector name in debugging messages, to indicate which dissector was
called.)
2022-09-10 22:37:11 -07:00
Gerald Combs 8f34e3df98 Add Logray capture icons. 2022-09-10 23:35:27 +00:00
Gerald Combs 1a9842b423 Qt: Fix a variable name.
Don't use a trailing underscore for a local variable name.
2022-09-10 15:39:35 -07:00
Tomasz Moń 1a148b1133 Qt: Fix crash on copy as actions in protocols pane
Allocate FieldInformation on heap instead of stack so it is available
when copy action is triggered.

Fixes #18282
2022-09-10 22:35:55 +00:00
Tomasz Moń 6346cf945a Qt: Connect menu actions with Qt::QueuedConnection
Prevent crash due to premature menu object deletion caused by call to
QCoreApplication::processEvents() by executing the slot only after menu
handling has finished.

Fixes #18251 and #18270
2022-09-10 22:34:48 +00:00
Martin Mathieson e58761988b ROHC: more comments 2022-09-10 18:29:46 +00:00
Alexis La Goutte 232386e551 ISAKMP: Add some Fortinet (VID)
* Auto-Discovery Receiver (Fortinet)
* Exchange Interface IP (Fortinet)
2022-09-10 16:39:01 +00:00
Jaap Keuter 3af3ebccd7 Tools: source CT log list in V3 schema 2022-09-10 16:34:10 +00:00
Guy Harris 38f83c7f19 oscore: minor cleanups.
The data argument to oscore_dissect(), so don't mark it as unused.

As long as we're declaring a proto_reg_handoff_oscore(), we should
define one; it can serve as a container if we ever have any phase-2
(handoff phase) registration work to do.
2022-09-10 01:45:28 -07:00
Chuck Craft 8064d9a721 dumpcap: typo in pcap_geterr() string comparison
Ping #18332
2022-09-09 22:46:32 -05:00
Gerald Combs 9206c4b8fa Tools: Switch the BSD setup script to Qt6.
Switch bsd-setup.sh to Qt6.
2022-09-09 17:56:30 -07:00
Martin Mathieson 90ff7c63c7 ROHC: clean up header file and add some comments. 2022-09-09 08:09:26 +00:00
John Thacker af0b20a969 http-urlencoded: Pass the correct string length to get_utf_8_string
Pass in the correct length of the percent decoded string, which
is not necessarily the same as the value calculated from the offsets.
Fix #18322. Fix #18325.
2022-09-08 23:12:58 -04:00
John Thacker 2c37027762 Qt: Fix resolved addresses dialog sorting, filtering, Ethernet groups
Qt6 removed QComboBox:currentIndexChanged(QString), which had
previously been deprecated in favor of the version with an int.
Switch to using the supported function, so that the comboboxes
work.

The models used for the resolved addresses require that the
source models be set first before setting other properties,
so do that so that filtering works.

For some reason the portTypeModel has to indicate that the
port number column is numeric in order for the ports to
numerically sort instead of lexicographically, so do that too.

Add the Ethernet addresses in their specific groups (Addresses,
Manufacturers, Well-Known Hosts) instead of adding them all
to the Well-Known hosts groups, so that that filtering works.

Fix #18087
2022-09-09 01:03:36 +00:00
ismaelrti 5dd8e858a9 RTPS: Added new discovery participant submessages
Added support for Participant bootstrap, secure and config submessages.
2022-09-08 19:10:28 +00:00
Gerald Combs 3739f3d041 BACapp: Fix a buffer length check.
Make sure we don't overwrite a string's NULL terminator.
Fixes #18324.
2022-09-08 18:54:10 +00:00
Gerald Combs 74ec0f0816 Qt+extcap: Make our capture error dialog less noisy.
Strip the timestamps and function names from extcap errors before
displaying them in a dialog. This keeps us from spewing

```
Error by extcap pipe: ** (falcodump:24913) 15:08:20.263535 [falcodump
WARNING] extcap/falcodump.cpp:593 -- main(): cloudtrail plugin error:
failed to list objects: ExpiredToken: The provided token has expired.
status code: 400, request id: M2PYJOT4JGVAA6B9, host id:
+4V8Q+DGV+80Jd3fdc7tODyVdTRvepNgCD9zuvXeL7kzvp2oikaoi9CLMW+UKt/
aR1G2UXIqyQ8=
```

at the user.

Check for warning messages and set our dialog type accordingly.
2022-09-08 10:20:48 -07:00
Dr. Lars Völker 503c11034f UDS: Fix Typo SecuredDataTransmission 2022-09-08 12:00:55 +00:00
John Thacker 33fe76612a Qt: Don't use obsolete signal in DCE-RPC/ONC-RPC SRT
QComboBox::currentIndexChanged(QString) has been marked
obsolete for a while and finally removed in Qt 6 in favor
of currentIndexChanged(int) and currentTextChanged(const QString)

Use QComboBox::currentTextChanged(const QString) instead.
Also do a little bit of checking to see if the return value
of dcerpc_get_proto_sub_dissector is NULL.

Fix #18319.
2022-09-08 03:55:43 +00:00
John Thacker e25f0508aa proto: Fix truncation of UTF-8 strings.
It is correct to pass in the memory address immediately past
the end of our buffer, as g_utf8_prev_char() does not dereference
it until after decrementing it once, and we want to find the final
UTF-8 character start. Starting one byte earlier truncates the string
more than necessary.

This effectively reverts 4b6224a673
which noted that Coverity flagged this as a memory access error,
although it is not. This is possibly because it was written as
&label_str[ITEM_LABEL_LENGTH]. All versions of the ISO C standard
starting with C99 have indicated (6.5.3.2) that in such a case
"neither the & operator nor the unary * that is implied by the [] is
evaluated and the result is as if the & operator were removed and the
[] operator were changed to a + operator" and (6.5.6) that referring
to the memory address one past the last element of an array object
"shall not produce an overflow" and is not undefined (so long as it
is not dereferenced.)

However, Coverity may not have been aware of this, so rewrite
the expression using the + operator in the hopes of avoiding
false positive Coverity errors.
2022-09-08 00:56:07 +00:00
Gerald Combs 55ff784bf9 NSIS: Uninstall more files.
Uninstall networkinformation and tls DLLs added by Qt 6.
2022-09-07 15:14:45 -07:00
Gerald Combs b54219f7ad GitLab CI: Update our digest algorithms.
OpenSSL 3 deprecated RIPEMD160. Remove it from our list of digest
algorithms and add SHA512.
2022-09-07 10:37:35 -07:00
Uli Heilmeier b81948f534 Qt: Fix implicit conversion
Fix

ui/qt/widgets/syntax_line_edit.cpp:160:51: warning: implicit conversion loses integer precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
            .arg(QString('~').repeated(loc_length - 1));
                              ~~~~~~~~ ~~~~~~~~~~~^~~
ui/qt/widgets/syntax_line_edit.cpp:159:40: warning: implicit conversion loses integer precision: 'qsizetype' (aka 'long long') to 'int' [-Wshorten-64-to-32]
            .arg(QString(' ').repeated(loc_start))
                              ~~~~~~~~ ^~~~~~~~~

when building with Qt 5.
2022-09-07 15:17:00 +00:00
AndersBroman 0cbf8eae49 Update uat.h 2022-09-07 13:47:09 +00:00
Anders Broman 1ebb0e2aba UAT_BUFFER_CB_DEF: Try to fix signed/unsigned warnings 2022-09-07 15:25:36 +02:00
Anders Broman 625b422edf Try to fix clang tvb_memeql-warnings 2022-09-07 14:07:47 +02:00
Anders Broman 83a0ec0647 opcua: Squelch a couple of warnings by adding casts. 2022-09-07 08:19:39 +00:00
Anders Broman cda3a3dbe9 strutil.h: Fix function description. 2022-09-07 08:31:20 +02:00
John Thacker 2dfbed7a5f Qt: Connect ExportDissectionDialog to filesSelected
QFileDialog.accept() emits the filesSelected signal when the
dialog is accepted but before it calls QDialog.accept().
Connect our dialogAccepted function to the filesSelected signal
instead of the accepted signal, so that all the exporting
happens sooner, before the ExportDissectionDialog gets
closed (and then deleted, since DeleteOnClose is set on the
dialog.)

This fixes use-after-free and segfaults in Qt 6.3 (which changed
things so that QDialog and widgets that inherit from it get closed
earlier.) Fix #18318
2022-09-07 00:54:42 +00:00
Gerald Combs 6a5a4cfcfb GitLab CI: APT package updates.
Don't pass "-Zgzip" to dpkg-buildpackage on Ubuntu. Newer versions
default to zstd. Pass "-zfast" to dpkg-buildpackage on Debian and use
ccache.
2022-09-06 15:29:34 -07:00
Jim Young 1e030a8f59 Qt: Avoid clipping the text label field in progressFrame 2022-09-06 17:05:38 +00:00
John Thacker 248ff020e7 urlencoded: Decode charset before adding the string
After percent decoding a key or value in x-www-form-urlencoded,
decode the string as UTF-8 (substituting REPLACEMENT CHARACTER
as needed) per https://url.spec.whatwg.org/#urlencoded-parsing

Passing an unvalidated string to proto_tree_add_string() results
in the string being treated as UTF-8, but odd things happen when
e.g. exporting packet dissections (See #18317). This prevents
production of invalid JSON and XML.

Only UTF-8 is conforming according to WHATWG, though ideally
a charset parameter in the media string should be respected,
and there should be expert infos if the string did not decode
as UTF-8 cleanly.
2022-09-06 11:48:03 +00:00
Martin Mayer 771022261f Art-Net: Upgrade dissector to Rev. 1.4 DE 2022-09-06 11:11:30 +00:00
Martin Mathieson 6d46a532a2 Fix some spelling errors. 2022-09-06 10:15:11 +01:00
Dr. Lars Völker 0f648f152f ISO15765: Adding support to run over PDU Transport
This patch allows to bind ISO15765 to PDU Transport PDUs.
2022-09-06 07:02:17 +00:00
Denis Zhang d6fd9768a7 Add Perfectek vendor code 2022-09-06 02:20:42 +00:00