In some cases, the fds parameter of frame_data_sequence_find is invalid,
causing the software to crash. For example, this command
echo '{"req":"frame","bytes":"yes","proto":"yes","frame":"1" }' | sharkd -
(cherry picked from commit 64155132ea)
Make sure that the packet has an S101 header, before setting the protocol name
with col_set_str(). Otherwise, all TCP packets on port 9000 may be
misidentified as S101 packets.
(cherry picked from commit 8e256b7e69)
g618661b22e introduced a free for a so called memory leak (which wasn't
a real leak due to the pinfo->pool garbage collector) but used the wrong
free function. Let's keep the explicit free but use the right function.
Closes #17462
(cherry picked from commit 029a7fcec5)
Fix parsing of the CTE Info field in the extended advertising header.
The bit-mask of the different fields was wrongly placed.
The text of the different fields all said "CTE Info".
The CTE Time field was added twice.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix parsing of extended advertising when the extended advertising header
is empty. The flag field is excluded when none of the fields are present
and the extended header length field is 0.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix the sync info field length in extended advertising header set to the
wrong length.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
In the past, tvb_reported_length_remaining(), and thus
Tvb:reported_length_remaining(), may have returned -1 if the offset was
invalid. That's no longer the case; the former returns 0, and, as the
latter just returns the former's return value, that's true of the latter
as well.
(cherry picked from commit 6c043d5c73)
It has a "reported length", which is the closest thing to an "actual
length", as it represents the length the packet, or subset thereof, had
on the network, and a "captured length", which is the amount of the
packet that the capture process saved.
In 99.999999999999999999999999999999% of all cases, a dissector should
look at the "reported length", not at the "captured length".
Rename the "len" method to "captured_len", leaving "len" around for
backwards compatibility.
Fix the documentation to reflect reality, to avoid issues such as #15655.
(cherry picked from commit bd9ceaebef)
DSACK blocks (the first SACK block in a TCP SACK option, with right edge
being lower or equal to the ACK field) are now identified correctly.
Closes #17315
(cherry picked from commit 7179e1d1fb)
The entry was copied and pasted, and the variable name and descriptive
text were changed, but the field name wasn't.
(cherry picked from commit deb6786ed4)
For 802.11n if the bitrate is not supplied then the calculated bitrate is used. This change does the same for 11ac and 11ax.
Sniffer traces taken on recent versions of macOS no longer supply the bitrate for 11ac frames in the RADIOTAP header; this change allows the wireless timeline to work with these traces.
Fixes #17419.
(cherry picked from commit 5202119239)
It runs up to either the end of the option data or the terminating
end-of-options option (readers MUST handle lists of options that
contain an end-of-options option and lists of options that don't).
(cherry picked from commit 2f5c0ffdb2)
We can't unescape characters when expanding a display filter macro.
The escaping must be preserved until the expression is evaluated in
the display filter engine, otherwise it will likely generate a syntax
error in the parser.
In the macro body we allow '$' (or any other char) to be escaped
with backslash (preserving the backslash).
Fixes #17160.
(cherry picked from commit 1dba58789d)
Commit 4bf4ee88f0 removed an else
statement that broke out of the BBFrame processing loop. Without
it, infinite loops might be possible if the GSE frames have bit errors
in the length field.
(cherry picked from commit 0137c24d60)
The ftype-protocol has two components to its value - a tvb, which is
allowed to be NULL (most notably in _ws.expert), and a string
description. They can also be created from string literals, such as
in display filters. It's possible to compare protocols with a NULL
tvb with protocol terms created from literals, e.g. entering the
display filter "_ws_expert < 1".
Partially revert 69e2603c48 so that
this doesn't crash, by assigning proto_string to the empty string
instead of null when creating from a literal. Fixes #17316
(cherry picked from commit 31297dbb82)
Move the RANAP heuristic dissector registration under the initialization
guard that they're only registered once. Prevents console warnings about
the dissectors already being registered to the sccp and sua tables if
a RANAP preference is changed. (Backported manually to regenerate the
dissector via asn2wrs.py)
If we're throwing away the data, *throw away the data* - free it, as
we're not using it as the backing data for a tvbuff.
(cherry picked from commit 618661b22e)
There's a "break" in some code that appears to be copied and pasted from
a switch statement; the break would exit the loop (and leak memory
allocated within the loop), which does not appear to be the intent, so
it may have been copied over incorrectly. Remove it.
While we're at it, redo the "constant-time append to the end of a loop"
code to be a bit clearer, both to humans reading the code and code
analyzers reading the code.
(cherry picked from commit c73ab16bef)
g_key_file_get_groups() returns a pointer to g_mallocated data; we need
to pass its return value to g_strfreev() when we're done with that data,
to free it up.
(cherry picked from commit 64f3f08702)
Close the directory handle we've opened before returning a failure
indication if pbw_load_proto_file() or load_all_files_in_dir() reports a
failure.
(cherry picked from commit f0abd29e48)
Free the path we've constructed before returning a failure indication if
pbw_load_proto_file() or load_all_files_in_dir() reports a failure.
Also, explicitly compare pbw_load_proto_file()'s return value against 0,
to make it a little clearer that it's *not* a Boolean, it's a return
code (with 0 meaning success and different non-zero values meaning
failure; if it matters *which* failure it is, we should probably have
otherwise we should just make it a Boolean).
(cherry picked from commit f1ffe7d421)
0af60377b4 added a heuristic to detect (unencrypted) padding data;
it is based on the fact that all coalesced QUIC packets must have the
same CID.
Unfortunately it doesn't work when the CID length is 0.
Treat decryption error of SH packets as a non-fatal error, report them
as possible padding data misdetected as coalesced packets and try
decrypting next traffic.
Close #17383
(cherry picked from commit 389a899a18)
Make sure we have enough bytes for Length and Type fields before we read
from tvb.
Using existing msg_len for the checks.
Closes: wireshark/wireshark#17355
(cherry picked from commit fd14396972)
commit 19b3376a24
("LDAP bogus malformed errors: decoding encrypted data")
introduced 2 problems:
- guint decr_len = tvb_reported_length(decr_tvb); was
always called with decr_tvb==NULL
- dissect_ldap_payload() was not called if sasl_tree is NULL,
it needs to be called even if the tree pointer is NULL
in order to have the COL_INFO setup correctly.
I guess this should also be backported to stable branches
(together with 2e6d3b571b
"LDAP: SASL Buffer doesn't include Length field")
https://gitlab.com/wireshark/wireshark/-/issues/17347
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1d623fd541)
SASL Buffer starts after the SASL Buffer Length field. Therefore
we should only mark the bytes without the Length field.
Sample capture can be found in wireshark/wireshark#15128
(cherry picked from commit 2e6d3b571b)
If the proto tree is more than 8 levels deep, the subtree_lvl array
length is extended, by allocating a new area and copying everything into
that new area. However the old array length wasn't calculated correctly,
so only part of the subtree_lvl array was copied, causing a crash after
two ptvcursor_pop_subtree() calls.
(cherry picked from commit fa483ac191)
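The failure mode in the commit message above, as an added example that is not Wireshark's code: a level stack that grows 8 entries at a time and copies too little of the old array. The struct and function names are hypothetical, and the specific miscalculation modelled (an element count passed where a byte count is needed) is an assumption, since the message does not state it.

```c
#include <stdlib.h>
#include <string.h>

#define GROW_BY 8  /* entries added per growth step */

struct level { const char *name; int cursor; };          /* hypothetical entry */
struct stack { struct level *lv; size_t cap, depth; };   /* cap/depth in entries */

/* Grow the array by GROW_BY entries. buggy=1 copies old_cap BYTES
 * (assumed form of the bug); buggy=0 copies old_cap ENTRIES. */
static int grow(struct stack *s, int buggy)
{
    size_t old_cap = s->cap, new_cap = old_cap + GROW_BY;
    struct level *n = calloc(new_cap, sizeof *n);
    if (!n) return -1;
    if (s->lv) {
        size_t nbytes = buggy ? old_cap : old_cap * sizeof *n;
        memcpy(n, s->lv, nbytes);
    }
    free(s->lv);
    s->lv = n;
    s->cap = new_cap;
    return 0;
}

int lvl_push(struct stack *s, const char *name, int buggy)
{
    if (s->depth == s->cap && grow(s, buggy) != 0) return -1;
    s->lv[s->depth].name = name;
    s->lv[s->depth].cursor = (int)s->depth;
    s->depth++;
    return 0;
}

/* Returns the popped entry's name, or NULL if the stack is empty
 * or the entry was lost during growth. */
const char *lvl_pop(struct stack *s)
{
    return s->depth ? s->lv[--s->depth].name : NULL;
}

/* Push 9 levels (one past the first 8), pop twice, count intact entries. */
int survivors_after_two_pops(int buggy)
{
    struct stack s = {0};
    int ok = 0;
    for (int i = 0; i < 9; i++)
        if (lvl_push(&s, "subtree", buggy) != 0) return -1;
    for (int i = 0; i < 2; i++)
        if (lvl_pop(&s) != NULL) ok++;
    free(s.lv);
    return ok;
}
```

With the short copy, the first pop returns the entry pushed after growth and the second returns a zeroed entry, which is where a real dissector would dereference a null pointer.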
- parse the number of system call arguments in a way that works for both V1 and V2 event blocks
- returned the correct error string when unable to read the nparams entry from a sysdig event block V2
(cherry picked from commit 7894b1d0ea)
Update the pcap-ng reader and sysdig event dissector to support the second version of the sysdig event block, which was introduced after Wireshark's original implementation
(cherry picked from commit fbe8d3a00f)
When tshark enables synchronous resolution of IP addresses to names,
forces calls to maxmind_db_lookup_ipv4()/_ipv6() to block-wait for the
maxmind response.
Proposed fix for #14691.
(backported from commit c0abaa06f7)
Both subset_find_guint8() and subset_pbrk_guint8() pass the parent
tvbuff to tvb_find_guint8()/tvb_ws_mempbrk_pattern_guint8(), along with
the offset in that tvbuff.
That means that the offset they get back is relative to that tvbuff, so
it must be adjusted to be relative to the tvbuff *they* were handed.
For subsets of frame and "real data" tvbuffs, there's a single lump of
data containing the content of the subset tvbuff, so they go through the
"fast path" and get the offset correct, bypassing the broken code;
that's the vast majority of calls to those routines.
For subsets of *composite* tvbuffs, however, they don't go through the
"fast path", and this bug shows up.
This causes both crashes and misdissection of HTTP if the link-layer is
PPP with Van Jacobson compression, as the decompression uses composite
tvbuffs.
Fixes #17254 and its many soon-to-be-duplicates.
(cherry picked from commit 2ba52cdc0e)
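The offset bug described in the commit message above, as an added example that is not Wireshark's code: a subset view searches its parent buffer and must translate the result back into its own coordinate space. The structs, function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

struct buf { const unsigned char *data; size_t len; };   /* parent buffer */
struct subset {
    const struct buf *parent;
    size_t offset;  /* where the subset starts inside the parent */
    size_t len;     /* length of the subset */
};

/* Search parent[abs_off, abs_off + limit) for needle.
 * Returns an offset relative to the PARENT, or -1 if not found. */
static long buf_find(const struct buf *b, size_t abs_off, size_t limit,
                     unsigned char needle)
{
    if (abs_off > b->len) return -1;
    if (limit > b->len - abs_off) limit = b->len - abs_off;
    const unsigned char *p = memchr(b->data + abs_off, needle, limit);
    return p ? (long)(p - b->data) : -1;
}

/* Buggy: returns the parent-relative offset unchanged. */
long subset_find_buggy(const struct subset *s, size_t rel_off, unsigned char c)
{
    if (rel_off > s->len) return -1;
    return buf_find(s->parent, s->offset + rel_off, s->len - rel_off, c);
}

/* Fixed: converts the result to be relative to the subset itself. */
long subset_find_fixed(const struct subset *s, size_t rel_off, unsigned char c)
{
    if (rel_off > s->len) return -1;
    long r = buf_find(s->parent, s->offset + rel_off, s->len - rel_off, c);
    return r < 0 ? -1 : r - (long)s->offset;
}

/* Constructed sample: 7 bytes of framing, then an HTTP request line.
 * Looks for the CR that ends the line inside the 16-byte HTTP subset. */
long demo_find_cr(int fixed)
{
    static const unsigned char raw[] = "PPPHDR:GET / HTTP/1.1\r\n";
    struct buf parent = { raw, sizeof raw - 1 };
    struct subset http = { &parent, 7, parent.len - 7 };
    return fixed ? subset_find_fixed(&http, 0, '\r')
                 : subset_find_buggy(&http, 0, '\r');
}
```

The buggy variant reports the CR at offset 21 in a subset that is only 16 bytes long, so a caller using that value as a line length reads past the end of its buffer; the fixed variant reports 14.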