tvb_generic_clone_offset_len uses tvb_bytes_exist to check that the
requested tvb data is actually available. It did not expect negative
values, that would result in an overly large memory allocation.
Bug: 14678
Change-Id: Ie80095a381e55ca5dbbd5c9d835243549d0b212e
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7179
Reviewed-on: https://code.wireshark.org/review/27526
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This will no longer be a valid way to check for remaining data.
Change-Id: I5533b8efc3344f0f8e28d873e5363256a014ab05
Reviewed-on: https://code.wireshark.org/review/27525
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
These are 16-bit fields, not 32-bit. Fixes a malformed packet exception.
While at it, rename fields to match draft-ietf-quic-tls-11-6-g4b762033,
these fields were inconssitently named in draft-11.
Bug: 13881
Change-Id: I797d2b4a24a4f4a9b340db736de0000acd52e639
Reviewed-on: https://code.wireshark.org/review/27491
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Bug 13741 showed a case where the BGP dissector's failure to validate the
length of the Path Attribute record allowed a pathological BGP UPDATE packet to
generate more than one million items in the protocol tree by repeatedly
dissecting certain segments of the packet.
It's easy enough to detect when the Path Attribute length cannot be valid, so
let's do so. When the condition arises, let's raise an Expert Info error in
the same style and format as used elsewhere in the same routine, and abandon
dissection of the Path Attributes list.
With this check in place, an incorrect length computation is revealed at a
callsite. This would only have prevented a small (less than 5 bytes) Path
Attribute from being dissected if it was at the very end of the Path Attributes
list, but the bounds checking added in this change makes this problem much more
apparent, so we fix the length computation while we're here.
Testing Done: Built wireshark on Linux amd64. Using bgp.pcap from the Sample
Captures page on the wiki, verified that the dissection of the UPDATE
packets were unaltered by this fix. Using the capture attached to bug 13741
(clusterfuzz-testcase-minimized-6689222578667520.pcap), verified that the
packet no longer triggers the "too many items" exception, instead we see
an Expert Info for each oversized Path Attribute length, and eventually an
exception for "length of contained item exceeds length of containing item".
30,000 iterations of fuzz test with bgp.pcap as input, and many iterations
of randpkt-test too. Crafted a packet with a 3-byte ATOMIC_AGGREGATE Path
Attribute at the end of the Path Attributes list; Before this change, an
exception is raised during dissection, but after this change it is dissected
correctly.
Bug: 13741
Change-Id: I80f506b114a61e5b060d93b59bed6b94fb188b3e
Reviewed-on: https://code.wireshark.org/review/27466
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Previously, checksum code would override the expert_field summary
string configured by dissectors, and display the generic "Bad checksum"
string in the Expert Information dialog.
This change uses the configured expert_field summary string instead.
eg: "CRC-S1 incorrect [should be 0xff]" instead of "Bad checksum [should
be 0xff]"
This fixes problem #2 in the linked bug.
Bug: 14425
Change-Id: I168b2be92ec2d8d6f956beeaf6292574bc1d9dab
Reviewed-on: https://code.wireshark.org/review/25758
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Per RFC 2782, the name should follow the "_Service._Proto.Name" format.
If a malformed packet does not adhere to this and provides a zero-length
name, then wmem_strsplit returns NULL.
Bug: 14681
Change-Id: I7b9935238a9800a1526c8b694fd2c63d3b488d0b
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7416
Reviewed-on: https://code.wireshark.org/review/27499
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
proto_tree_add_split_bits_item_ret_val can handle bits from an arbitrary
sized buffer, as long as it covers no more than 64 bits. If the
octet-aligned mask covers up to 32 bits, then this mask is also shown.
If this mask was larger than 64 bits, then undefined behavior could
occur, so check for that.
For larger masks, instead of "= GmPRS Terminal Type: Unknown (96)",
display "7 bits = GmPRS Terminal Type: Unknown (96)" instead.
Bug: 13613
Change-Id: I111cf6a0705f999e42d83bfe57ac84f414946d0b
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1158
Reviewed-on: https://code.wireshark.org/review/27517
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There were a few undissected fields in the VHT MCS Set and some of the fields
were not being placed under the correct sub tree.
Change-Id: I0dc4be1b69d371f59cc74fa06205a3cba2a65c54
Reviewed-on: https://code.wireshark.org/review/27385
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
(Wireshark hasn't been strictly a C program for a while, and we now
allow C99-and-later comments in the C code.)
Change-Id: Ic68e053eed7aae1971a800cf74135bc86d211e97
Reviewed-on: https://code.wireshark.org/review/27520
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Avoids a warning in epan/dissectors/packet-enip.c due to "time"
appearing in a comment.
Change-Id: I88b6856425c09fc3b8cb2edc345047062a07b662
Reviewed-on: https://code.wireshark.org/review/27516
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Those should always be reported, as they indicate that a block type
plugin is trying to do something we don't allow.
We should probably have a mechanism by which ws_g_warning() messages are
logged to the standard error for command-line programs, logged to an
error message window for GUI programs, and logged to some form of system
log for daemons. For now, it's a good way to log non-fatal errors that
should always be shown in *some* fashion, as well as to mark messages
that should be handled in the form described in the previous sentence.
Change-Id: Ieedf87fc2dd3184a4466ae69af01f799165c1b70
Reviewed-on: https://code.wireshark.org/review/27519
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The dissect_q931_number_ie (and indirectly dissect_q931_cause_ie_unsafe)
write to the "q931_pi" structure which seems private to the q931
dissector, but can in fact be called through other dissectors (isup) as
well. Normally this structure is initialized in "dissect_q931_pdu" and
invalidated at the end of the function, but a malformed packet can
prevent the cleanup. In the next packet, a different dissector can thus
trigger a use-after-free via "dissect_q931_number_ie".
Rename "dissect_q931_cause_ie_unsafe" since "unsafe" meant that external
dissectors could not call it directly (see commit a83a87e9ca).
Based on commit 197ceddab1, it seems that the intended purpose of the
structure is to provide information to the VoIP Calls dialog, but it
would only be used when called through dissect_q931_pdu. Dissectors like
isup have their own routines to provide call information, but as a
side-effect of code sharing the problematic code path was reached.
Bug: 14689
Change-Id: I871525db560f24690ade9a0b944c6d0e655ed34b
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6711
Reviewed-on: https://code.wireshark.org/review/27495
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Given that we're not using GTK+, the answer to the question is "no".
Change-Id: Ib0e512909993830b1462d1fe3eada9265d9b1cdf
Reviewed-on: https://code.wireshark.org/review/27515
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Fix memleaks and complaint when trying to load non-JSON file as JSON:
"GError set over the top of a previous GError or uninitialized memory."
Change-Id: If5ab04dbb757636f66130bf1f8de1a45748bf541
Fixes: v2.9.0rc0-276-g73a1e98f4e ("wsutil: use json-glib instead of jsmn if present.")
Reviewed-on: https://code.wireshark.org/review/27469
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
The full translation table responses for the v15 format of batman-adv
contain a list of vlans and then a list of entries for these VLANs. The
VLANs itself contain a checksum that is done over the entries which belong
to these VLANs.
The checkum must be correct or otherwise the receiver will not be able to
finish its synchronization of the remote translation table. Having this
information available for filtering is essential to understand such a
situation and to analyze why a node continues to send full table
requests.
Change-Id: I90f3d3d2c19ac85c1c5a6474cf1877583cfd1139
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Reviewed-on: https://code.wireshark.org/review/27442
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
The multicast implementation in batman-adv exists in two different versions
which are incompatible. But their TVLV format for announcing the feature
itself is the same and can be supported by the current dissector.
Change-Id: I0e3012375912355e47adbb9d0e4f91fc7510156b
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Reviewed-on: https://code.wireshark.org/review/27443
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Fix compilation error:
.../wireshark/epan/dissectors/packet-ieee80211.c:2641:27:
error: ‘ht_info_service_interval_granularity_flags’ defined but not used
[-Werror=unused-const-variable=]
Change-Id: I0e6e8a46b2bd58923847220f675fe6e4d6a34aef
Reviewed-on: https://code.wireshark.org/review/27498
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Johannes made changes in the handling of LTF Symbols and LTF Symbol count
which are sort of backward compatible.
This brings us into conformance with those.
The specification can be found here: http://www.radiotap.org/fields/HE.html
Change-Id: I82e5458fa871b42549fabd0bcb49f6366c10d8bb
Reviewed-on: https://code.wireshark.org/review/27370
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The HT Information element has changed since IEEE802.11n. This updates
that element to bring it in conformance with IEEE802.11-2016.
Change-Id: Ifa380b9a4dee00e0b2f07f5aabb6a18579aa8f71
Reviewed-on: https://code.wireshark.org/review/27371
Petri-Dish: Richard Sharpe <realrichardsharpe@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
A use-after-free is possible through the following path:
// returns wmem_packet_scope() memory
coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");
// leaks packet scoped memory into conversation
coap_trans = wmem_new0(wmem_file_scope(), coap_transaction);
coap_trans->req_ctype_str = coinfo->ctype_str; // <-- oops
// next packet: use-after-free of packet scoped memory
coinfo->ctype_str = coap_trans->req_ctype_str;
This could be fixed by duplicating "ctype_str" with wmem_file_scope, but
since all "ctype_str" strings are constant, make the problematic
"ctype_str" assignment also constant for unknown types (the numeric type
is also stored in "ctype_value" if necessary).
Change-Id: I6249e076fa282bbe0982b8c709788e27f6fdf86e
Fixes: v2.9.0rc0-317-g46fcf452ac ("coap: Store ctype values in transaction tracking")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8196
Reviewed-on: https://code.wireshark.org/review/27477
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Apparently, some versions of Bison also generate global generations of
yylval, or its appropriately-prefixed equivalent, in pure parsers.
Suppress -Wshadow in Bison-generated code as well as Berkeley
YACC-generated code.
Change-Id: I7b3e6260d338cd8f0c9eea9d7cf248f1ac65c755
Reviewed-on: https://code.wireshark.org/review/27484
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Don't tell the user that, if they run out of space or go over their disk
quote, they should report that as a Wireshark bug; instead, tell them
that they're going to need to free up some space or do the capture to a
different file system.
Clean up some argument types, and get rid of tabs in indentation, while
we're at it.
Change-Id: I7839f38c14253a114e7e02e762243df5e09682ef
Ping-Bug: 14677
Reviewed-on: https://code.wireshark.org/review/27472
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Several graphics files are not listed in the symbol that defines
the dependancy for document building. Adding these files to the
WSUG_GRPAHICS symbol makes the list consistent.
Bug: 14676
Change-Id: I3016a1994473f90df460d726773c8470dbedd3bc
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/27471
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When the string "str" is empty, "str+1" is invalid. This function can be
called from functions using SET_ELEM_VARS in packet-gsm_a_common.c which
appear to check the length first, but packet-etsi_card_app_toolkit.c and
packet-camel.c do not. Err on the safe side and do not add the item.
Change-Id: I6bd559593bb10ff0b8bf08a48d828613e3d8ccf5
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4311
Reviewed-on: https://code.wireshark.org/review/27470
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The previous fix for the infinite loop in bug 13347 resulted in loop
termination after one round, resulting in ignoring all but the last
packet in a TCP segment.
Observe that the purpose of this loop is to collect all packets where
"tp->seq" refers to the first offset and "tcp->lastseq" refers to the
last position of the packet. If a full packet "tp" is found, then the
previous packet ends at "tp->seq-1" instead of "tp->lastseq-1" (assuming
no overlapping TCP segments).
The infinite loop from bug 13347 occured because of a single packet of
length 1 (tp->seq=0, tp->lastseq=0) and lastseq-1 overflowed. To address
that, terminate the loop once the begin is reached (tp->seq == 0).
Bug: 14650
Change-Id: Ibef382a09c6481b1024dd64dbc8bde904025f057
Fixes: v2.3.0rc0-2153-gee185445f4 ("rtmpt: Ensure sequence count is incremented for stored fragments")
Reviewed-on: https://code.wireshark.org/review/27319
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
1. Feedback Mode: Should only use the lower 4 bits.
2. Axis Response: Add more enumerated values
3. Axis Status: Add more bit interpretations
4. Add more Motion Attributes
5. Minor cleanup
Change-Id: I0a6568ca263afb8d7827961907cb7d0a42b376f4
Reviewed-on: https://code.wireshark.org/review/27400
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Tests that the documented "-z hosts,ipv4" filter actually works and that
the resolved addresses table is correct (it implicitly tests that the
definition of WS_INET_ADDRSTRLEN in wsutil/inet_addr.h is sane).
Change-Id: If7babe665ea5ecb37e38078a9809c88873cb323c
Ping-Bug: 14667
Reviewed-on: https://code.wireshark.org/review/27454
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Respect the "ipv4" and "ipv6" filters and actually restrict the output.
Change-Id: I06ee62ee2c85cb45fb33a52e86ce3698452d175f
Fixes: v1.11.0-rc1-2592-ge3cccd17f4 ("Get rid of some users the addrinfo_list.")
Reviewed-on: https://code.wireshark.org/review/27452
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
1. Convert lots of things to use the new BASE_UNIT_STRING feature
2. ANSI Symbol: Print size correctly in generated response
3. Attribute Status is a 1 byte value in Get/Set_Attribute_Lists
4. Forward Open: Indicate this is a Safety connection in info column. This is useful because Safety connections aren't obvious from the CIP Class like other connections (eg: Motion)
Change-Id: I8cb00fd0141d75a3e9425d8e618b1f54d12807be
Reviewed-on: https://code.wireshark.org/review/27447
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add back the PROGRAM_NAME_GTK definition, since its links might be left
over from a previous install. Remove the PROGRAM_NAME_QT references,
since it's been the same as PROGRAM_NAME for quite a while.
Change-Id: I79724a6a1c9861ffae9aed6a59d48205a40941cd
Reviewed-on: https://code.wireshark.org/review/27459
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
On Windows, epan/addr_resolv.c has a different definition of structures
"hashipv4_t" (and "hashipv6_t") because the size of the "ip" member is
dependent on "WS_INET_ADDRSTRLEN". A mismatch resulted in two different
structures where the "name" field got shifted (resulting in empty names
in the resolved addresses table due to leading nul bytes).
Since including ws2tcpip.h for the appropriate definition results in
various compile errors (config.h, packet-dcerpc-misc.h, ...) and the
larger definition is actually not needed, just use constants again.
Bug: 14667
Change-Id: I4f8b300eb977be55f16ac40cacc78a5549e2732f
Fixes: v2.5.0rc0-1503-gde1b26a3c6 ("More ws_inet_ntop() tweaks.")
Reviewed-on: https://code.wireshark.org/review/27453
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Migrate the Additional Tasks page to nsDialog. Create it using NSIS
Dialog Designer.
Migrate the Modern UI code (WinPcapPage.ini and USBPcapPage.ini) to
Modern UI2.
Use LogicLib flow control instead of Gotos+labels in more places.
Change-Id: I1a3733f0202ca372456074f43e5ae23b1da4e1b9
Reviewed-on: https://code.wireshark.org/review/27449
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>