Make the DCE/RPC heuristics a bit more discriminating by checking
a few more header fields for illegal values. Reduces false positives.
Change-Id: Ic3d6c7ce62b64b2042922adb104294600b0db673
Reviewed-on: https://code.wireshark.org/review/38028
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Also simplify some boolean logic in packet-dcerpc.c.
All reported by cppcheck.
Change-Id: I2075f2ec10dc777ad7635da4ef056d17fc5b0be0
Reviewed-on: https://code.wireshark.org/review/37609
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
The static arrays are supposed to be arrays of const pointers to int,
not arrays of non-const pointers to const int.
Fixing that means some bugs (scribbling on what's *supposed* to be a
const array) will be caught (see packet-ieee80211-radiotap.c for
examples, the first of which inspired this change and the second of
which was discovered while testing compiles with this change), and
removes the need for some annoying casts.
Also make some of those arrays static while we're at it.
Update documentation and dissector-generator tools.
Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc
Reviewed-on: https://code.wireshark.org/review/37517
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I1d14ffe928e1b303eee7e95a45a9617ffcfb151b
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/35707
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This function should not be used for anything else than debug, as stated
in its name.
Bug: 15989
Change-Id: Ie2a99f3487169fcf2d00c06e7fc5d61086f32969
Reviewed-on: https://code.wireshark.org/review/34954
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Commit f57cf9e56c introduced a DISSECTOR_ASSERT()
that revealed a deficiency in pidl: currently pidl unconditionally adds calls to
dissect_deferred_pointers() which breaks dissecting any RPC function that
has only scalar arguments:
Warn Dissector bug, protocol RPCMDSSVC, in packet 51:
epan/dissectors/packet-dcerpc.c:2940:
failed assertion "list_ndr_pointer_list"
Bug: 16022
Change-Id: I9d3522a3e17ef79b9a8a5acb018104ab398a512a
Reviewed-on: https://code.wireshark.org/review/34364
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Microsoft reshuffled their documentation - almost all of it moved from
msdn.microsoft.com to docs.microsoft.com. Some blogs moved to
devblogs.microsoft.com; the comments *didn't* move, so in one case we go
to the Wayback Machine - the link isn't dead, but it formats horribly,
at least on my browser, but the archived version formats OK.
Use the Wayback Machine for some URLs, and update others.
Update the sections for MS-ADTS.
Point to the HTML versions of some RFCs and I-Ds.
Change-Id: I344b20f880de63f1ae2a4e3f9ff98af78a7fe139
Reviewed-on: https://code.wireshark.org/review/34101
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The title of a decode_as_t was used by the GTK UI. It's no
longer required for Qt.
Change-Id: Ibd9d4acbe9cad2c1af520340d04e550326a97ebe
Reviewed-on: https://code.wireshark.org/review/33557
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This allows taps that can fail to report an error and fail; a failed
tap's packet routine won't be called again, so they don't have to keep
track of whether they've failed themselves.
We make the return value from the packet routine an enum.
Don't have a separate type for the per-packet routine for "follow" taps;
they're expected to act like tap packet routines, so just use the type
for tap packet routines.
One tap packet routine returned -1; that's not a valid return value, and
wasn't one before this change (the return value was a boolean), so
presume the intent was "don't redraw".
Another tap routine's early return, without doing any work, returned
TRUE; this is presumably an error (no work done, no need to redraw), so
presumably it should be "don't redraw".
Clean up some white space while we're at it.
Change-Id: Ia7d2b717b2cace4b13c2b886e699aa4d79cc82c8
Reviewed-on: https://code.wireshark.org/review/31283
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Make the time stamp precision a 4-bit bitfield, so, when combined with
the other bitfields, we have 32 bits. That means we put the flags at
the same structure level as the time stamp precision, so they can be
combined; that gets rid of an extra "flags." for references to the flags.
Put the two pointers next to each other, and after a multiple of 8 bytes
worth of other fields, so that there's no padding before or between them.
It's still not down to 64 bytes, which is the next lower power of 2, so
there's more work to do.
Change-Id: I6f3e9d9f6f48137bbee8f100c152d2c42adb8fbe
Reviewed-on: https://code.wireshark.org/review/31213
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Instead of creating the pointers list early, defer it to the point when
a new list item is added. This avoids the need for a dummy element.
This happens to fix the memory leak in bug 14735 as well (verified with
both ASAN and valgrind).
Change-Id: I3b169dfc447bd7465d06c26e0bd9dfd4225b1307
Bug: 14735
Reviewed-on: https://code.wireshark.org/review/30115
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Observe that the "current_depth" and "len_ndr_pointer_list" just track
the length of the current singly linked list in order to insert (append)
or remove [the last] element (a linked list of lists and a linked list
of pointers respectively). Replace these callers by equivalents that do
not require explicit length tracking, internally they both have to do a
O(n) lookup anyway.
There used to be a case where "current_depth" could run out-of-sync, no
longer tracking the actual list length: when the callback (tnpd->fnct or
tnpd->callback) triggers an exception. I believe this was unintentional.
No functional change intended, but this should make further changes to
the data structures easier.
Change-Id: I3cb13aba22caa87dc7baba411cf34f47792f7bb7
Ping-Bug: 14735
Fixes: v2.5.0rc0-292-g6bd87bdd5d ("dcerpc: improve greatly the speed of processing of DCERPC packets")
Reviewed-on: https://code.wireshark.org/review/30114
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
dcerpc_hooks_init_protos is unused since v1.11.3-rc1-34-g01c8945438.
uuid_dissector_table was added in v2.1.0rc0-391-ge0e574d167 and was not
used outside the file, so mark it as static.
Change-Id: I6113fbaf1f2e2e6241b91b659711986d6e6ded66
Reviewed-on: https://code.wireshark.org/review/30116
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Some flags in the connectionless PDU header are "reserved for
implementation", which presumably means an implementation can set them
to 0 or 1 and use it to send information to a compatible implementation;
others are "reserved for future use" and "must be set to 0".
Don't test the "reserved for implementation" flags in the heuristic, and
show them as "Reserved for implementation" and show the others as
"Reserved for future use (MBZ)".
Bug: 14942
Change-Id: Iff40f155e057301096fec1dbb68f71d041508ff1
Reviewed-on: https://code.wireshark.org/review/28598
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The search doesn't use the fields we change (if it did, we probably
shouldn't change them, as the old binding might not be found), so don't
change them.
Instead, when we allocate a *new* binding structure, put the new values
into *that* structure.
Squelches a "casting away constness" warning.
Change-Id: I6dbd1a4cbc2415373f4926f443f9756c8113c0be
Reviewed-on: https://code.wireshark.org/review/25841
Reviewed-by: Guy Harris <guy@alum.mit.edu>
For the moment this mirrors the port_type enumeration (PT_XXX), but the
intent is to move away from using "port types", eliminating most (if not
all)
Added conversation_pt_to_endpoint_type() so that conversations deal with the
correct enumeration. This is for dissector that use pinfo->ptype as input
to conversation APIs. Explicit use of port types are converted to using
ENDPOINT_XXX type.
Change-Id: Ia0bf553a3943b702c921f185407e03ce93ebf0ef
Reviewed-on: https://code.wireshark.org/review/24166
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
This makes it easier to identify the simpler/common conversations
Change-Id: I7094f23e49156ee27f5f72c8e130308470f3e462
Reviewed-on: https://code.wireshark.org/review/24145
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
That allows a parallel typedef of ws_in4_addr for guint32.
Change-Id: I03b230247065e0e3840eb87635315a8e523ef562
Reviewed-on: https://code.wireshark.org/review/24073
Reviewed-by: Guy Harris <guy@alum.mit.edu>
That produces better error messages, giving the name of the offending
field.
Change-Id: I155ac29c68ecd7811cc9752980db9cdc37fea72e
Reviewed-on: https://code.wireshark.org/review/23685
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change-Id: I0e5d3967a26b79c899b0d219317e2963969cba6b
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/17809
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I70786cc561d248529167445e12190159d818ebcb
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/17811
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
It's not a requirement, but some dissectors didn't provide a static
summary because expert "format" was used.
While at it, fix a misleading expert info description, rename expert
info variables to ei_... and remove an unused hf entry.
Change-Id: Ib81a0d0a3950b3c90954d0053b8dae49dbb0cd51
Reviewed-on: https://code.wireshark.org/review/20567
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Instead of using one big linked list, we use a stack of list once all the pointers of one level have been handled the list is removed from the stack and we go to the level before.
Because of this the lists are much smaller and far less CPU is spent iterating on the objects or inserting objects in the list
Bug: 10544
Change-Id: I432aaf5b4b781411c92da92abe9c5503034b65dc
Reviewed-on: https://code.wireshark.org/review/4598
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a simple dissection function for DCE/RPC that just calls tcp_dissect_pdus
and doesn't do any heuristics checks. This can be used to handle cases
where TCP PDU is too small for DCE/RPC heuristics checks and user
knows the data is DCE/RPC and can set it through Decode As.
Bug: 6392
Change-Id: I9e4960282ea64d20499f7d5a330f48f30a092b30
Reviewed-on: https://code.wireshark.org/review/21951
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Many of the register_init_routine/register_cleanup_routine functions
are for initializing and cleaning up a GHashtable.
wmem_map_new_autoreset can do that automatically, so convert many
of the simple cases.
Change-Id: I93e1f435845fd5a5e5286487e9f0092fae052f3e
Reviewed-on: https://code.wireshark.org/review/19912
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Dario Lombardo <lomato@gmail.com>
Tested-by: Dario Lombardo <lomato@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Register all reassembly tables with a central unit, allowing the
central unit to have the callback that initializes and destroys
the reassembly tables, rather than have dissectors do it individually.
Change-Id: Ic92619c06fb5ba6f1c3012f613cae14982e101d4
Reviewed-on: https://code.wireshark.org/review/19834
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Also use g_hash_table_new_full to ease the free procedure.
Change-Id: I0a411cccbd651cca18e94a048722bf5520903deb
Reviewed-on: https://code.wireshark.org/review/19691
Reviewed-by: Michael Mann <mmann78@netscape.net>
This emphasizes that there is no such thing as *the* routine to
construct a subset tvbuff; you need to choose one of
tvb_new_subset_remaining() (if you want a new tvbuff that contains
everything past a certain point in an existing tvbuff),
tvb_new_subset_length() (if you want a subset that contains everything
past a certain point, for some number of bytes, in an existing tvbuff),
and tvb_new_subset_length_caplen() (for all other cases).
Many of the calls to tvb_new_subset_length_caplen() should really be
calling one of the other routines; that's the next step. (This also
makes it easier to find the calls that need fixing.)
Change-Id: Ieb3d676d8cda535451c119487d7cd3b559221f2b
Reviewed-on: https://code.wireshark.org/review/19597
Reviewed-by: Guy Harris <guy@alum.mit.edu>
It's the *absence* of flag bits, so you can't test whether it's set;
don't have a field for it. This gets rid of a dissector assertion.
Add some more URLs for information about DCE RPC and MS-RPC.
Change-Id: I53e8f11692c66e16ae2ec7fd4ba8eb90b0673da4
Reviewed-on: https://code.wireshark.org/review/18648
Reviewed-by: Guy Harris <guy@alum.mit.edu>
As all this information belongs together I'm moving it into a subtree.
Change-Id: I839a5a6294360976a78b4b43f219e30381b4f516
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/17878
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I28325d655ccd5d363aac89e49e5333b3d75f68a2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/17810
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: Ieeb9de0f54a22afc3adcd52d8af2c45e8b82b0ab
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/17808
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I951a317da795c94ac6518be73cb2c836e7afb836
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/17807
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add an FT_CHAR type, which is like FT_UINT8 except that the value is
displayed as a C-style character constant.
Allow use of C-style character constants in filter expressions; they can
be used in comparisons with all integral types, and in "contains"
operators.
Use that type for some fields that appear (based on the way they're
displayed, or on the use of C-style character constants in their
value_string tables) to be 1-byte characters rather than 8-bit numbers.
Change-Id: I39a9f0dda0bd7f4fa02a9ca8373216206f4d7135
Reviewed-on: https://code.wireshark.org/review/17787
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Have all dissector tables have a "supports Decode As" flag, which
defaults to FALSE, and which is set to TRUE if a register_decode_as()
refers to it.
When adding a dissector to a dissector table with a given key, only add
it for Decode As if the dissector table supports it.
For non-FT_STRING dissector tables, always check for multiple entries
for the same protocol with different dissectors, and report an error if
we found them.
This means there's no need for the creator of a dissector table to
specify whether duplicates of that sort should be allowed - we always do
the check when registering something for "Decode As" (in a non-FT_STRING
dissector table), and just don't bother registering anything for "Decode
As" if the dissector table doesn't support "Decode As", so there's no
check done for those dissector tables.
Change-Id: I4a1fdea3bddc2af27a65cfbca23edc99b26c0eed
Reviewed-on: https://code.wireshark.org/review/17402
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Bug: 12720
Change-Id: Ib9c9eb2e60c35b23b4c6b4898b036bcdc442fc84
Reviewed-on: https://code.wireshark.org/review/17041
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
remove the checks in dissect_ndr_ucarray_core() where a block or bytes
dissection function is called and an exception is thrown if the offset
wraps around, i.e. the final offset is lower than the initial one
the block functions eventually call proto_tree_add_item(), which throws
an exception if necessary
the bytes functions end up calling functions to dissect basic types.
insert calls to tvb_ensure_bytes_exist() if those functions increase our
offset without reading data. thus, an exception is thrown if there's an
overflow.
remove some unnecessary if (tree) checks while at it
Change-Id: I8006399ae20934daeec231246debe247f8dedbf0
Reviewed-on: https://code.wireshark.org/review/15832
Reviewed-by: Anders Broman <a.broman58@gmail.com>