Commit Graph

85157 Commits

Author SHA1 Message Date
Guy Harris e5951765d8 Dissector names are not protocol names.
A given protocol's packet format may depend, for example, on which
lower-level protocol is transporting the protocol in question.  For
example, protocols that run atop both byte-stream protocols such as TCP
and TLS, and packet-oriented protocols such as UDP or DTLS, might begin
the packet with a length when running atop a byte-stream protocol, to
indicate where this packet ends and the next packet begins in the byte
stream, but not do so when running atop a packet-oriented protocol.

Dissectors can handle this in various ways:

For example, the dissector could attempt to determine the protocol over
which the packet was transported.

Unfortunately, many of those mechanisms do so by fetching data from the
packet_info structure, and many items in that structure act as global
variables, so that, for example, if there are two PDUs for protocol
A inside a TCP segment, and the first protocol for PDU A contains a PDU
for protocol B, and protocol B's dissector, or a dissector it calls,
modifies the information in the packet_info structure so that it no
longer indicates that the parent protocol is TCP, the second PDU for
protocol A might not be correctly dissected.

Another such mechanism is to query the previous element in the layers
structure of the packet_info structure, which is a list of protocol IDs.

Unfortunately, that is not a list of earlier protocols in the protocol
stack, it's a list of earlier protocols in the dissection, which means
that, in the above example, when the second PDU for protocol A is
dissected, the list is {...,TCP,A,B,...,A}, which means that the
previous element in the list is not TCP, so, again, the second PDU for
protocol A will not be correctly dissected.

An alternative is to have multiple dissectors for the same protocol,
with the part of the protocol that's independent of the protocol
transporting the PDU being dissected by common code.  Protocol B might
have an "over a byte-stream transport" dissector and an "over a packet
transport" dissector, with the first dissector being registered for use
over TCP and TLS and the other dissector being registered for use over
packet protocols.  This mechanism, unlike the other mechanisms, is not
dependent on information in the packet_info structure that might be
affected by dissectors other than the one for the protocol that
transports protocol B.

Furthermore, in a LINKTYPE_WIRESHARK_UPPER_PDU pcap or pcapng packet for
protocol B, there might not be any information to indicate the protocol
that transports protocol B, so there would have to be separate
dissectors for protocol B, with separate names, so that a tag giving the
protocol name would differ for B-over-byte-stream and B-over-packets.

So:

We rename EXP_PDU_TAG_PROTO_NAME and EXP_PDU_TAG_HEUR_PROTO_NAME to
EXP_PDU_TAG_DISSECTOR_NAME and EXP_PDU_TAG_HEUR_DISSECTOR_NAME, to
emphasize that they are *not* protocol names, they are dissector names
(which has always been the case - if there's a protocol with that name,
but no dissector with that name, Wireshark will not be able to handle
the packet, as it will try to look up a dissector given that name and
fail).

We fix that exported PDU dissector to refer to those tags as dissector
names, not protocol names.

We update documentation to refer to them as DISSECTOR_NAME tags, not
PROTO_NAME tags.  (If there is any documentation for this outside the
Wireshark source, it should be updated as well.)

We add comments for calls to dissector_handle_get_dissector_name() where
the dissector name is shown to the user, to indicate that it might be
that the protocol name should be used.

We update the TLS and DTLS dissectors to show the encapsulated protocol
as the string returned by dissector_handle_get_long_name(); as the
default is "Application Data", it appears that a descriptive name,
rather than a short API name, should be used.  (We continue to use the
dissector name in debugging messages, to indicate which dissector was
called.)
2022-09-10 22:37:11 -07:00
Gerald Combs 8f34e3df98 Add Logray capture icons. 2022-09-10 23:35:27 +00:00
Gerald Combs 1a9842b423 Qt: Fix a variable name.
Don't use a trailing underscore for a local variable name.
2022-09-10 15:39:35 -07:00
Tomasz Moń 1a148b1133 Qt: Fix crash on copy as actions in protocols pane
Allocate FieldInformation on heap instead of stack so it is available
when copy action is triggered.

Fixes #18282
2022-09-10 22:35:55 +00:00
Tomasz Moń 6346cf945a Qt: Connect menu actions with Qt::QueuedConnection
Prevent crash due to premature menu object deletion caused by call to
QCoreApplication::processEvents() by executing the slot only after menu
handling has finished.

Fixes #18251 and #18270
2022-09-10 22:34:48 +00:00
Martin Mathieson e58761988b ROHC: more comments 2022-09-10 18:29:46 +00:00
Alexis La Goutte 232386e551 ISAKMP: Add some Fortinet (VID)
* Auto-Discovery Receiver (Fortinet)
* Exchange Interface IP (Fortinet)
2022-09-10 16:39:01 +00:00
Jaap Keuter 3af3ebccd7 Tools: source CT log list in V3 schema 2022-09-10 16:34:10 +00:00
Guy Harris 38f83c7f19 oscore: minor cleanups.
The data argument to oscore_dissect(), so don't mark it as unused.

As long as we're declaring a proto_reg_handoff_oscore(), we should
define one; it can serve as a container if we ever have any phase-2
(handoff phase) registration work to do.
2022-09-10 01:45:28 -07:00
Chuck Craft 8064d9a721 dumpcap: typo in pcap_geterr() string comparison
Ping #18332
2022-09-09 22:46:32 -05:00
Gerald Combs 9206c4b8fa Tools: Switch the BSD setup script to Qt6.
Switch bsd-setup.sh to Qt6.
2022-09-09 17:56:30 -07:00
Martin Mathieson 90ff7c63c7 ROHC: clean up header file and add some comments. 2022-09-09 08:09:26 +00:00
John Thacker af0b20a969 http-urlencoded: Pass the correct string length to get_utf_8_string
Pass in the correct length of the percent decoded string, which
is not necessarily the same as the value calculated from the offsets.
Fix #18322. Fix #18325.
2022-09-08 23:12:58 -04:00
John Thacker 2c37027762 Qt: Fix resolved addresses dialog sorting, filtering, Ethernet groups
Qt6 removed QComboBox::currentIndexChanged(QString), which had
previously been deprecated in favor of the version with an int.
Switch to using the supported function, so that the comboboxes
work.

The models used for the resolved addresses require that the
source models be set first before setting other properties,
so do that so that filtering works.

For some reason the portTypeModel has to indicate that the
port number column is numeric in order for the ports to
numerically sort instead of lexicographically, so do that too.

Add the Ethernet addresses in their specific groups (Addresses,
Manufacturers, Well-Known Hosts) instead of adding them all
to the Well-Known hosts groups, so that that filtering works.

Fix #18087
2022-09-09 01:03:36 +00:00
ismaelrti 5dd8e858a9 RTPS: Added new discovery participant submessages
Added support for Participant bootstrap, secure and config submessages.
2022-09-08 19:10:28 +00:00
Gerald Combs 3739f3d041 BACapp: Fix a buffer length check.
Make sure we don't overwrite a string's NULL terminator.
Fixes #18324.
2022-09-08 18:54:10 +00:00
Gerald Combs 74ec0f0816 Qt+extcap: Make our capture error dialog less noisy.
Strip the timestamps and function names from extcap errors before
displaying them in a dialog. This keeps us from spewing

```
Error by extcap pipe: ** (falcodump:24913) 15:08:20.263535 [falcodump
WARNING] extcap/falcodump.cpp:593 -- main(): cloudtrail plugin error:
failed to list objects: ExpiredToken: The provided token has expired.
status code: 400, request id: M2PYJOT4JGVAA6B9, host id:
+4V8Q+DGV+80Jd3fdc7tODyVdTRvepNgCD9zuvXeL7kzvp2oikaoi9CLMW+UKt/
aR1G2UXIqyQ8=
```

at the user.

Check for warning messages and set our dialog type accordingly.
2022-09-08 10:20:48 -07:00
Dr. Lars Völker 503c11034f UDS: Fix Typo SecuredDataTransmission 2022-09-08 12:00:55 +00:00
John Thacker 33fe76612a Qt: Don't use obsolete signal in DCE-RPC/ONC-RPC SRT
QComboBox::currentIndexChanged(QString) has been marked
obsolete for a while and finally removed in Qt 6 in favor
of currentIndexChanged(int) and currentTextChanged(const QString)

Use QComboBox::currentTextChanged(const QString) instead.
Also do a little bit of checking to see if the return value
of dcerpc_get_proto_sub_dissector is NULL.

Fix #18319.
2022-09-08 03:55:43 +00:00
John Thacker e25f0508aa proto: Fix truncation of UTF-8 strings.
It is correct to pass in the memory address immediately past
the end of our buffer, as g_utf8_prev_char() does not dereference
it until after decrementing it once, and we want to find the final
UTF-8 character start. Starting one byte earlier truncates the string
more than necessary.

This effectively reverts 4b6224a673
which noted that Coverity flagged this as a memory access error,
although it is not. This is possibly because it was written as
&label_str[ITEM_LABEL_LENGTH]. All versions of the ISO C standard
starting with C99 have indicated (6.5.3.2) that in such a case
"neither the & operator nor the unary * that is implied by the [] is
evaluated and the result is as if the & operator were removed and the
[] operator were changed to a + operator" and (6.5.6) that referring
to the memory address one past the last element of an array object
"shall not produce an overflow" and is not undefined (so long as it
is not dereferenced.)

However, Coverity may not have been aware of this, so rewrite
the expression using the + operator in the hopes of avoiding
false positive Coverity errors.
2022-09-08 00:56:07 +00:00
Gerald Combs 55ff784bf9 NSIS: Uninstall more files.
Uninstall networkinformation and tls DLLs added by Qt 6.
2022-09-07 15:14:45 -07:00
Gerald Combs b54219f7ad GitLab CI: Update our digest algorithms.
OpenSSL 3 deprecated RIPEMD160. Remove it from our list of digest
algorithms and add SHA512.
2022-09-07 10:37:35 -07:00
Uli Heilmeier b81948f534 Qt: Fix implicit conversion
Fix

```
ui/qt/widgets/syntax_line_edit.cpp:160:51: warning: implicit conversion loses integer precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
            .arg(QString('~').repeated(loc_length - 1));
                              ~~~~~~~~ ~~~~~~~~~~~^~~
ui/qt/widgets/syntax_line_edit.cpp:159:40: warning: implicit conversion loses integer precision: 'qsizetype' (aka 'long long') to 'int' [-Wshorten-64-to-32]
            .arg(QString(' ').repeated(loc_start))
                              ~~~~~~~~ ^~~~~~~~~
```

when building with Qt 5.
2022-09-07 15:17:00 +00:00
AndersBroman 0cbf8eae49 Update uat.h 2022-09-07 13:47:09 +00:00
Anders Broman 1ebb0e2aba UAT_BUFFER_CB_DEF: Try to fix signed/unsigned warnings 2022-09-07 15:25:36 +02:00
Anders Broman 625b422edf Try to fix clang tvb_memeql-warnings 2022-09-07 14:07:47 +02:00
Anders Broman 83a0ec0647 opcua: Squelch a couple of warnings by adding casts. 2022-09-07 08:19:39 +00:00
Anders Broman cda3a3dbe9 strutil.h: Fix function description. 2022-09-07 08:31:20 +02:00
John Thacker 2dfbed7a5f Qt: Connect ExportDissectionDialog to filesSelected
QFileDialog.accept() emits the filesSelected signal when the
dialog is accepted but before it calls QDialog.accept().
Connect our dialogAccepted function to the filesSelected signal
instead of the accepted signal, so that all the exporting
happens sooner, before the ExportDissectionDialog gets
closed (and then deleted, since DeleteOnClose is set on the
dialog.)

This fixes use-after-free and segfaults in Qt 6.3 (which changed
things so that QDialog and widgets that inherit from it get closed
earlier.) Fix #18318
2022-09-07 00:54:42 +00:00
Gerald Combs 6a5a4cfcfb GitLab CI: APT package updates.
Don't pass "-Zgzip" to dpkg-buildpackage on Ubuntu. Newer versions
default to zstd. Pass "-zfast" to dpkg-buildpackage on Debian and use
ccache.
2022-09-06 15:29:34 -07:00
Jim Young 1e030a8f59 Qt: Avoid clipping the text label field in progressFrame 2022-09-06 17:05:38 +00:00
John Thacker 248ff020e7 urlencoded: Decode charset before adding the string
After percent decoding a key or value in x-www-form-urlencoded,
decode the string as UTF-8 (substituting REPLACEMENT CHARACTER
as needed) per https://url.spec.whatwg.org/#urlencoded-parsing

Passing an unvalidated string to proto_tree_add_string() results
in the string being treated as UTF-8, but odd things happen when
e.g. exporting packet dissections (See #18317). This prevents
production of invalid JSON and XML.

Only UTF-8 is conforming according to WHATWG, though ideally
a charset parameter in the media string should be respected,
and there should be expert infos if the string did not decode
as UTF-8 cleanly.
2022-09-06 11:48:03 +00:00
Martin Mayer 771022261f Art-Net: Upgrade dissector to Rev. 1.4 DE 2022-09-06 11:11:30 +00:00
Martin Mathieson 6d46a532a2 Fix some spelling errors. 2022-09-06 10:15:11 +01:00
Dr. Lars Völker 0f648f152f ISO15765: Adding support to run over PDU Transport
This patch allows binding ISO15765 to PDU Transport PDUs.
2022-09-06 07:02:17 +00:00
Denis Zhang d6fd9768a7 Add Perfectek vendor code 2022-09-06 02:20:42 +00:00
Dr. Lars Völker 2c2710e3e7 AUTOSAR-IPDUM: Remove warning by adding missing newline 2022-09-05 18:33:25 +00:00
Dr. Lars Völker 79e76e9c2f MacOS: Add qt6 to MacOS Brew Setup 2022-09-05 17:58:20 +00:00
Gerald Combs 4819716f14 Tools: Switch make-manuf.py URLs to HTTPS.
standards-oui.ieee.org is now served over HTTPS.
2022-09-05 17:55:33 +00:00
Jason Cohen 67326401a5 f5ethtrailer: Fix possible infinite loop in legacy trailer heuristic 2022-09-05 17:31:42 +00:00
Guy Harris eb83e055b8 AppleTalk, DSI: get rid of the "command" field.
It's not needed.

Instead, have get_transaction() return the request_val; the caller can
fetch the command from its "value" member.

While we're at it, update some of the web reference information for
DSI.
2022-09-04 18:13:06 -07:00
Gerald Combs ab4a4304ee Add Logray icons.
Add lricon.svg and lriconinst.svg, which provide the core graphic
element for the various Logray icons. Add lricon*.png, which were
created using the templates at
https://developer.apple.com/design/resources/. Add Logray.icns,
logray.ico, and lograyinst.ico, and use them in various packaging
resources.
2022-09-04 23:01:06 +00:00
Michael Tuexen 9315cffd6a SCTP: remove support for NONCE_SUPPORTED parameter
The specification never hit RFC status, it wasn't implemented or
deployed and the ECN nonce stuff was moved to HISTORIC recently.
So remove support from the dissector, freeing parameter type
0x8001, which was also never assigned by IANA.
2022-09-04 22:06:03 +02:00
Gerald Combs 56a101f4d4 [Automatic update for 2022-09-04]
Update manuf, services enterprise numbers, translations, and other items.
2022-09-04 16:43:03 +00:00
Guy Harris a960e5fd2e AppleTalk, DSI: fix some names to be more correct.
The "seq" field in several structures is either a transaction ID from
ATP for AppleTalk or a request ID from DSI for AFP-over-TCP.  Call it
tid.

The "aspinfo" structure is really information from ATP *and* ASP for
AppleTalk or from DSI for AFP-over-TCP.  Call it atp_asp_dsi_info.

Among other things, this prevents confusing "aspinfo.seq" from the ASP
sequence number, which it is *NOT*.
2022-09-04 01:21:06 -07:00
Guy Harris 09785f0729 frame: always add the "length < caplen" expert info.
Add the "length < caplen" expert info regardless of whether the "frame"
protocol is referenced by a packet-matching expression, just as we do
with the "fractional time component of the absolute frame time is >=
1000000000" expert info.

Fixes #18312.
2022-09-03 23:10:36 -07:00
Guy Harris 022dfd56f3 Fix bogus tvbuffs to make sure reported length >= captured length.
A reported length less than a captured length is bogus, as you cannot
capture more data than there is in a packet.

Fixes #18313.
2022-09-03 21:04:55 +00:00
John Thacker e76ebbdecc epan: Fix tvb_find_guint16 with previous partial matches
Fix tvb_find_guint16 when there is a partial match (first byte
matches but second byte does not) in the buffer before an
actual match.

The function claims that it takes negative offsets and a negative
maxlength value (for "to the end of the buffer.") Convert those to
absolute offsets and limits at the start of the function rather than
repeatedly having special checks for negatives.

Fix the "number of bytes searched so far" calculation, which was only
correct for negative offsets (but only used when there was a partial
match.)
2022-09-03 20:05:41 +00:00
John Thacker 95b45b2555 Qt: Add percent-encoding to Show Packet Bytes
Add Percent-encoding to the list of encoding types that Show
Packet Bytes can handle.

There's a function added to glib 2.66 to handle this for arbitrary
bytes that might have internal nulls (and which allows the result
to be non UTF-8), but we don't require that version yet, so extend
the existing function.

Related to #1084
2022-09-03 17:25:28 +00:00
Martin Mathieson faf05a82da ROHC: trivial comments and changes while reading code. 2022-09-03 15:38:14 +01:00