The header ftypes-int.h should not be used outside of epan/ftypes
because it is a private header.
The functions fvalue_free() and fvalue_cleanup() need not and should
not be macros either.
Registering a preference module for a protocol filter name with
upper case letters aborts the program. Relax this restriction to
conform with the rules for protocols. The recommendation is still
to use all lower-case letters.
Fixes 070aeddf76.
Unlike other header fields in filter expressions protocol names
cannot contain upper-case letters. Remove that restriction. This
should make start-up slightly faster as it remove an extra loop
for each protocol filter name.
This was added in 9ead15a6eb but
I don't see a reason to have different rules for protocols and
fields, it seems the README.developer was just being vague and
conflating PROTOABBREV with PROTOFILTERNAME.
The recommendation for lower case is a style recommendation,
and it's a good one, but it should be applied uniformly. As
long as we are not enforcing this for all field filter values
there is no point in enforcing it just for protocol names and
actually it is detrimental, e.g:
hi2operations
HI2Operations.IRIsContent
HI2Operations.UUS1_Content_element
HI2Operations.iRIContent
HI2Operations.iRISequence
HI2Operations.IRIContent
HI2Operations.iRI_Begin_record_element
HI2Operations.iRI_End_record_element
HI2Operations.iRI_Continue_record_element
HI2Operations.iRI_Report_record_element
(...)
It's weird and unexpected to have this difference and there is
no technical reason to require it. What we should probably do
is not include the protocol name in the FIELDFILTERNAME and
have the registration mechanism append it to the PROTOFILTERNAME.
Also disallow leading '-' everywhere in filter names, not just
protocol filter names. It's a universal requirement.
Wireshark defines the relation of equality A == B as
A any_eq B <=> An == Bn for at least one An, Bn.
More accurately I think this is (formally) an equivalence
relation, not true equality.
Whichever definition for "==" we choose we must keep the
definition of "!=" as !(A == B), otherwise it will
lead to logical contradictions like (A == B) AND (A != B)
being true.
Fix the '!=' relation to match the definition of equality:
A != B <=> !(A == B) <=> A all_ne B <=> An != Bn, for
every n.
This has been the recomended way to write "not equal" for a
long time in the documentation, even to the point where != was
deprecated, but it just wasn't implemented consistently in the
language, which has understandably been a persistent source
of confusion. Even a field that is normally well-behaved
with "!=" like "ip.src" or "ip.dst" will produce unexpected
results with encapsulations like IP-over-IP.
The opcode ALL_NE could have been implemented in the compiler
instead using NOT and ANY_EQ but I chose to implement it in
bytecode. It just seemed more elegant and efficient
but the difference was not very significant.
Keep around "~=" for any_ne relation, in case someone depends
on that, and because we don't have an operator for true equality:
A strict_equal B <=> A all_eq B <=> !(A any_ne B).
If there is only one value then any_ne and all_ne are the same
comparison operation.
Implementing this change did not require fixing any tests so it
is unlikely the relation "~=" (any_ne) will be very useful.
Note that the behaviour of the '<' (less than) comparison relation
is a separate, more subtle issue. In the general case the definition
of '<' that is used is only a partial order.
Reducing the namespace for protocol names makes the display filter grammar
simpler and less ambiguous and error prone. We can't easily impose
stricter restrictions without breaking backward compatibility but names
starting with '-' are a pathological case because of negative numbers
and byte slices and in the unlikely event that any such names exist
they should be fixed.
Mostly straightforward. The only complication was
proto_tree_add_split_bits_crumb which needed some manipulation to
guarantee a non-null tree so we could use its memory scope.
This is one of the last non-dissector uses of wmem_packet_scope!
Add the heur_dtbl_entry_t entry as deregistered when deleting a
heuristics dissector. The UDP dissector is storing a pointer to
this in proto_data and may access the entry during reload Lua
plugins until all packets are redissected.
Implement little endian support for tvb_get_bits family of functions.
The big/little endian refers to bit numbering within an octet. In big
endian, the most significant bit is considered bit 0, while in little
endian the least significant bit is considered bit 0.
Add encoding parameters to proto tree bits format family functions.
Specify ENC_BIG_ENDIAN in all dissectors using these functions except in
USB HID that requires ENC_LITTLE_ENDIAN to work correctly.
When formatting bits values, always display most significant bit on the
leftmost position regardless of the encoding. This results in no gaps
between octets and makes the displayed value comprehensible.
Close#4478Fix#17014
I was hoping to avoid this, since the ptvcursor should already be
implicitly scoped to the tree it is working on. But there are a bunch of
call sites where the passed tree can be NULL (?) and a few places where
the tree is explicitly set/reset after creation, so requiring an
explicit scope is safer.
Avoids global memory pools in favour of ones the compiler can verify.
A few helpers weren't in exception-throwing paths and can just free
unscoped memory. The macro in proto.c is only used in contexts with a
tree, so just use the tree's scope there.
proto.c:6480:19: warning: Although the value stored to 'hf_str_val' is used in the enclosing expression, the value is never actually read from 'hf_str_val' [deadcode.DeadStores]
proto.c:6524:19: warning: Although the value stored to 'hf_str_val' is used in the enclosing expression, the value is never actually read from 'hf_str_val' [deadcode.DeadStores]
A few of them just needed scratch memory, so allocate and free it
manually after doing any exception-raising checks.
A few others were returning memory, and needed conversion to accept a
wmem scope argument.
This header was installed incorrectly to epan/wmem_scopes.h.
Instead of creating additional installation rules for a single
header in a subfolder (kept for backward compatibility) just
rename the standard "epan/wmem/wmem.h" include to
"epan/wmem_scopes.h" and fix the documentation.
Now the header is installed *correctly* to epan/wmem_scopes.h.
Replace most instances of ws_debug_printf() except in
epan/dissectors and dissector plugins.
Some replacements use printf(), some use ws_debug(), and
some were removed because they were dead or judged to be
temporary.
Most of the time, the return value tells us nothing useful, as we've
already decided that we're perfectly willing to live with string
truncation. Hopefully this keeps Coverity from whining that those
routines could return an error code (NARRATOR: They don't) and thus that
we're ignoring the possibility of failure (as indicated, we've already
decided that we can live with string truncation, so truncation is *NOT*
a failure).
ptvcursor_new_subtree_levels() just needs to do a wmem_realloc() on the
subtree array; that will take care of ensuring the old data is in the
new array.
If the proto tree is more than 8 levels deep, the subtree_lvl array
length is extended, by allocating a new area and copying everything into
that new area. However the old array length wasn't calculated correctly,
so only part of the subtree_lvl array was copied, causing a crash after
two ptvcursor_pop_subtree() calls.
It's not a valid field type, it's only a hack to support regular
expression matching in packet-matching expressions.
Instead, in the packet-matching code, have a separate syntax tree type
for Perl-compatible regular expressions, and a separate instruction to
load one into a register, and have the "matching" operator for field
types take a GRegex * as the second argument.
It's a fake "field" type, used only for "field" values in
packet-matching expressions to do regular-expression matching. There is
*no* reason to allow fields of that type.
Don't bother checking the representation type when generating the string
representation of a field value. If a developer manages to get past all
the tests for FT_PCRE to register and add an instance of that field to
the protocol tree, either 1) the one and only string representation of
an FT_PCRE value is what they want, in which case, whatever, or 2) it's
*not* what they want, in which case, if they file a bug, ask a question
on a mailing list, or ask a question on the Q&A site, we can explain to
them that what they're doing is bogus.
Show the first octet of the option, giving the filter type.
Only display the rest of the option as a string if the type is 0,
meaning it's a libpcap-style filter string.
While we're at it, clean up the dissection of the rest of the options:
* do more proto_tree_add_item_ret_XXX to get the option value;
* don't bother constructing a string for the value if we don't have to;
* use proto_tree_add_item_ret_display_string for string values, so we
know they're printable.
Add a new timestamp encoding format ENC_TIME_NSECS, like ENC_TIME_SEC but
for nanosecond values. Needed for my work-in-progress dissector for Apple
push notifications.
Instead *_register_plugin() is turned into a noop (with a warning).
The test suit is failing with ENABLE_PLUGINS=Off (it was already failing
before and this patch didn't affect that).
Closes#17202.
Replace the somewhat weird field format
"[Checksum: [missing]]"
with
"Checksum: 0x0000 [ignored or illegal value]"
Improve code redability and fix XXX comment.
Instead of giving a stack trace when the caller passed bad params,
raise a dissector bug, telling what the callee sees. This should
result in a better user experience.
Simplify code where possible.
Keep glib assertion for dead code due to compiler complains.
Set the FI_BITS_OFFSET and FI_BITS_SIZE flags appropriately on [u]int[64]
(and thus chars and booleans) where the bitmask is passed in on the
header_field_info. Also set the flags on bitmask items by ORing the bitmasks
from the constituent fields. These flags are only used right now in the
packet diagram.
This makes the packet diagram display those types of fields correctly without
having to use proto_item_set_bits_offset_len(), so long as the bitmask is
correct and the field width of the type matches the octet length. (If it
doesn't match, that's a dissector bug.)
split bit items are a more complicated case and still not handled correctly.
Pull the value-formatting code in proto_custom_set into
proto_item_fill_display_label. Use that in FieldInformation::toString
instead of fvalue_to_string_repr. Fixes#16911.
Move the maximum number of tree items and maximum tree depth to
preferences instead of hardcoded values. Refer to issue #12584 for
an example VNC capture where real data exceeds the current limit.