This will no longer be a valid way to check for remaining data.
Change-Id: I5533b8efc3344f0f8e28d873e5363256a014ab05
Reviewed-on: https://code.wireshark.org/review/27525
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
These are 16-bit fields, not 32-bit. Fixes a malformed packet exception.
While at it, rename fields to match draft-ietf-quic-tls-11-6-g4b762033,
these fields were inconssitently named in draft-11.
Bug: 13881
Change-Id: I797d2b4a24a4f4a9b340db736de0000acd52e639
Reviewed-on: https://code.wireshark.org/review/27491
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug 13741 showed a case where the BGP dissector's failure to validate the
length of the Path Attribute record allowed a pathological BGP UPDATE packet to
generate more than one million items in the protocol tree by repeatedly
dissecting certain segments of the packet.
It's easy enough to detect when the Path Attribute length cannot be valid, so
let's do so. When the condition arises, let's raise an Expert Info error in
the same style and format as used elsewhere in the same routine, and abandon
dissection of the Path Attributes list.
With this check in place, an incorrect length computation is revealed at a
callsite. This would only have prevented a small (less than 5 bytes) Path
Attribute from being dissected if it was at the very end of the Path Attributes
list, but the bounds checking added in this change makes this problem much more
apparent, so we fix the length computation while we're here.
Testing Done: Built wireshark on Linux amd64. Using bgp.pcap from the Sample
Captures page on the wiki, verified that the dissection of the UPDATE
packets were unaltered by this fix. Using the capture attached to bug 13741
(clusterfuzz-testcase-minimized-6689222578667520.pcap), verified that the
packet no longer triggers the "too many items" exception, instead we see
an Expert Info for each oversized Path Attribute length, and eventually an
exception for "length of contained item exceeds length of containing item".
30,000 iterations of fuzz test with bgp.pcap as input, and many iterations
of randpkt-test too. Crafted a packet with a 3-byte ATOMIC_AGGREGATE Path
Attribute at the end of the Path Attributes list; Before this change, an
exception is raised during dissection, but after this change it is dissected
correctly.
Bug: 13741
Change-Id: I80f506b114a61e5b060d93b59bed6b94fb188b3e
Reviewed-on: https://code.wireshark.org/review/27466
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Previously, checksum code would override the expert_field summary
string configured by dissectors, and display the generic "Bad checksum"
string in the Expert Information dialog.
This change uses the configured expert_field summary string instead.
eg: "CRC-S1 incorrect [should be 0xff]" instead of "Bad checksum [should
be 0xff]"
This fixes problem #2 in the linked bug.
Bug: 14425
Change-Id: I168b2be92ec2d8d6f956beeaf6292574bc1d9dab
Reviewed-on: https://code.wireshark.org/review/25758
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Per RFC 2782, the name should follow the "_Service._Proto.Name" format.
If a malformed packet does not adhere to this and provides a zero-length
name, then wmem_strsplit returns NULL.
Bug: 14681
Change-Id: I7b9935238a9800a1526c8b694fd2c63d3b488d0b
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7416
Reviewed-on: https://code.wireshark.org/review/27499
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There were a few undissected fields in the VHT MCS Set and some of the fields
were not being placed under the correct sub tree.
Change-Id: I0dc4be1b69d371f59cc74fa06205a3cba2a65c54
Reviewed-on: https://code.wireshark.org/review/27385
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The dissect_q931_number_ie (and indirectly dissect_q931_cause_ie_unsafe)
write to the "q931_pi" structure which seems private to the q931
dissector, but can in fact be called through other dissectors (isup) as
well. Normally this structure is initialized in "dissect_q931_pdu" and
invalidated at the end of the function, but a malformed packet can
prevent the cleanup. In the next packet, a different dissector can thus
trigger a use-after-free via "dissect_q931_number_ie".
Rename "dissect_q931_cause_ie_unsafe" since "unsafe" meant that external
dissectors could not call it directly (see commit a83a87e9ca).
Based on commit 197ceddab1, it seems that the intended purpose of the
structure is to provide information to the VoIP Calls dialog, but it
would only be used when called through dissect_q931_pdu. Dissectors like
isup have their own routines to provide call information, but as a
side-effect of code sharing the problematic code path was reached.
Bug: 14689
Change-Id: I871525db560f24690ade9a0b944c6d0e655ed34b
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6711
Reviewed-on: https://code.wireshark.org/review/27495
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The full translation table responses for the v15 format of batman-adv
contain a list of vlans and then a list of entries for these VLANs. The
VLANs itself contain a checksum that is done over the entries which belong
to these VLANs.
The checkum must be correct or otherwise the receiver will not be able to
finish its synchronization of the remote translation table. Having this
information available for filtering is essential to understand such a
situation and to analyze why a node continues to send full table
requests.
Change-Id: I90f3d3d2c19ac85c1c5a6474cf1877583cfd1139
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Reviewed-on: https://code.wireshark.org/review/27442
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
The multicast implementation in batman-adv exists in two different versions
which are incompatible. But their TVLV format for announcing the feature
itself is the same and can be supported by the current dissector.
Change-Id: I0e3012375912355e47adbb9d0e4f91fc7510156b
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Reviewed-on: https://code.wireshark.org/review/27443
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Fix compilation error:
.../wireshark/epan/dissectors/packet-ieee80211.c:2641:27:
error: ‘ht_info_service_interval_granularity_flags’ defined but not used
[-Werror=unused-const-variable=]
Change-Id: I0e6e8a46b2bd58923847220f675fe6e4d6a34aef
Reviewed-on: https://code.wireshark.org/review/27498
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Johannes made changes in the handling of LTF Symbols and LTF Symbol count
which are sort of backward compatible.
This brings us into conformance with those.
The specification can be found here: http://www.radiotap.org/fields/HE.html
Change-Id: I82e5458fa871b42549fabd0bcb49f6366c10d8bb
Reviewed-on: https://code.wireshark.org/review/27370
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The HT Information element has changed since IEEE802.11n. This updates
that element to bring it in conformance with IEEE802.11-2016.
Change-Id: Ifa380b9a4dee00e0b2f07f5aabb6a18579aa8f71
Reviewed-on: https://code.wireshark.org/review/27371
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
A use-after-free is possible through the following path:
// returns wmem_packet_scope() memory
coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");
// leaks packet scoped memory into conversation
coap_trans = wmem_new0(wmem_file_scope(), coap_transaction);
coap_trans->req_ctype_str = coinfo->ctype_str; // <-- oops
// next packet: use-after-free of packet scoped memory
coinfo->ctype_str = coap_trans->req_ctype_str;
This could be fixed by duplicating "ctype_str" with wmem_file_scope, but
since all "ctype_str" strings are constant, make the problematic
"ctype_str" assignment also constant for unknown types (the numeric type
is also stored in "ctype_value" if necessary).
Change-Id: I6249e076fa282bbe0982b8c709788e27f6fdf86e
Fixes: v2.9.0rc0-317-g46fcf452ac ("coap: Store ctype values in transaction tracking")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8196
Reviewed-on: https://code.wireshark.org/review/27477
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When the string "str" is empty, "str+1" is invalid. This function can be
called from functions using SET_ELEM_VARS in packet-gsm_a_common.c which
appear to check the length first, but packet-etsi_card_app_toolkit.c and
packet-camel.c do not. Err on the safe side and do not add the item.
Change-Id: I6bd559593bb10ff0b8bf08a48d828613e3d8ccf5
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4311
Reviewed-on: https://code.wireshark.org/review/27470
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The previous fix for the infinite loop in bug 13347 resulted in loop
termination after one round, resulting in ignoring all but the last
packet in a TCP segment.
Observe that the purpose of this loop is to collect all packets where
"tp->seq" refers to the first offset and "tcp->lastseq" refers to the
last position of the packet. If a full packet "tp" is found, then the
previous packet ends at "tp->seq-1" instead of "tp->lastseq-1" (assuming
no overlapping TCP segments).
The infinite loop from bug 13347 occured because of a single packet of
length 1 (tp->seq=0, tp->lastseq=0) and lastseq-1 overflowed. To address
that, terminate the loop once the begin is reached (tp->seq == 0).
Bug: 14650
Change-Id: Ibef382a09c6481b1024dd64dbc8bde904025f057
Fixes: v2.3.0rc0-2153-gee185445f4 ("rtmpt: Ensure sequence count is incremented for stored fragments")
Reviewed-on: https://code.wireshark.org/review/27319
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
1. Feedback Mode: Should only use the lower 4 bits.
2. Axis Response: Add more enumerated values
3. Axis Status: Add more bit interpretations
4. Add more Motion Attributes
5. Minor cleanup
Change-Id: I0a6568ca263afb8d7827961907cb7d0a42b376f4
Reviewed-on: https://code.wireshark.org/review/27400
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
1. Convert lots of things to use the new BASE_UNIT_STRING feature
2. ANSI Symbol: Print size correctly in generated response
3. Attribute Status is a 1 byte value in Get/Set_Attribute_Lists
4. Forward Open: Indicate this is a Safety connection in info column. This is useful because Safety connections aren't obvious from the CIP Class like other connections (eg: Motion)
Change-Id: I8cb00fd0141d75a3e9425d8e618b1f54d12807be
Reviewed-on: https://code.wireshark.org/review/27447
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Dissector for the VESA DisplayPort AUX channel protocol.
Bug: 14651
Change-Id: I5c0c7668bda969086d9d6e5069aad87e929f6340
Reviewed-on: https://code.wireshark.org/review/27311
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Previously info was appended to the end of the info set by
an underlying protocol (mostly rlc/rrc)
Change-Id: I7fe0d8d485f81ed2c108099e76d15c887108164f
Reviewed-on: https://code.wireshark.org/review/27399
Reviewed-by: Anders Broman <a.broman58@gmail.com>
A rare case was matching against both dch and pch checks
Change-Id: I1aa01636355a6fb5d0804b184f3f9b58bec99ffd
Reviewed-on: https://code.wireshark.org/review/27367
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
You either need to tell mktime() that 1) DST/Summer Time is in effect,
2) DST/Summer Time isn't in effect, or 3) we don't know whether
DST/Summer Time is in effect, you figure it out.
We set tm_isdst to -1, to choose option 3), which is what we want.
Fixes Coverity CID 1435496.
Change-Id: Iff24e51807ab42c0e6d9629f72848ad9f8d325fb
Reviewed-on: https://code.wireshark.org/review/27404
Reviewed-by: Guy Harris <guy@alum.mit.edu>
If a variable is a count of items, and we're looping while the count is
non-zero, we need to decrement it after every item we process.
Fixes Coverity CID 1435501.
Change-Id: Iabb0cb6276d4bcf4b1bdea9ec3ba943dac1b9938
Reviewed-on: https://code.wireshark.org/review/27402
Reviewed-by: Guy Harris <guy@alum.mit.edu>
"aux_smb_fid_type_string" is used as "%s" argument for g_strdup_printf,
there is no need to clone it. I checked all calls and "fid_type" should
always be valid, but in case of a bug, let's not return a NULL pointer
but "?". Found by Clang Static Analyzer.
Change-Id: I09896638eb5512f22b3d1a227462499e12cedcde
Reviewed-on: https://code.wireshark.org/review/27349
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: ronnie sahlberg <ronniesahlberg@gmail.com>
Additional 65 characteristics to be done later.
Change-Id: Ic7d9a868619d26a49b8e322d1f9bde0ab3753319
Reviewed-on: https://code.wireshark.org/review/27361
Petri-Dish: Michal Labedzki <michal.labedzki@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Implement "usage" of those chatacteristics.
Change-Id: I708537909b89f29df19e3bbac339ee37e890f2d0
Reviewed-on: https://code.wireshark.org/review/27360
Petri-Dish: Michal Labedzki <michal.labedzki@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
According to 3GPP TS 29.244 v15.1.0
Change-Id: I1d55314a269ee615bc1730eba70fed095cec3075
Reviewed-on: https://code.wireshark.org/review/27338
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If zbee_security_parse_key fails, the cloned label was leaked. Updating
The keyring contents was also leaked. Found by Clang Static Analyzer.
Change-Id: I5ef8e890f5b2b37d562b7f7a85b046bea9559841
Reviewed-on: https://code.wireshark.org/review/27347
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
If this not the first data segment and the data is somehow empty
(overlap?) or if the packet is out-of-order, the whole data fragment and
follow_record_t structure was leaked. Found by Clang Static Analyzer.
Change-Id: I81dc7749c738938b14d2cf4ad41e624b15099da6
Fixes: v2.3.0rc0-1449-g66fa31415f ("tcp: Fix Follow TCP tap data and when its tapped.")
Reviewed-on: https://code.wireshark.org/review/27348
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
When built with -DCMAKE_BUILD_WITH_INSTALL_RPATH=1, make-taps and
make-dissectors fail to run because they cannot locate libwsutil.so.0.
Since v2.9.0rc0-178-gbb81bef535 ("glib: Get rid of GLIB_CHECK_VERSION as
we now require 2.32.0") wsutil is definitely no longer needed.
Change-Id: Ida269fdb5f2cba979e3776f57c1a6bf3d546fe5d
Reviewed-on: https://code.wireshark.org/review/27329
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: Ie0aa418e0515b56f0abfbab4f4c5ebc9edd7b81b
Reviewed-on: https://code.wireshark.org/review/27314
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
1. Add attribute table similar to the other CIP related dissectors. Currently, this just adds 2 attributes. More will come in separate reviews. (Still clarifying some information in the Spec)
2. Minor wording updates to match spec
Change-Id: I667b8e465d576020471c8e7fc10b43e25ea573dd
Reviewed-on: https://code.wireshark.org/review/27180
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
added flag 6/2 PDIU
Change-Id: Iab0cf7a1def8d0c9949df83b41478ac1f23b3844
Reviewed-on: https://code.wireshark.org/review/27318
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Peter Wu