In some cases these malformed frames trigger a DISSECTOR_ASSERT() in proto.c's proto_item_set_len(). This happens when packet-ieee80211.c's dissect_ieee80211_mgt() calls packet-ieee80211.c's get_tagged_parameter_tree() with a "size" parameter value of -1.
From me:
Replace by proto_tree_add_item with -1 length (and use FT_NONE ftype)
svn path=/trunk/; revision=47795
and a couple of SET_ADDRESS()s.
Use proto_tree_add_item() instead of proto_tree_add_ether() called with a
pointer into the TVB.
Leave a comment for a place where a bunch of code in several case statements
could probably be collapsed into much less code.
svn path=/trunk/; revision=46682
- Use/create extended value strings as appropriate;
- Reformat hf[] entries;
- Do whitespace, & etc changes to use a consistent formatting style;
- Reformat some long lines;
- Localize some variables; remove some unneeded initializers;
- expert...() shouldn't be called under 'if (tree)' (packet-wimaxasncp);
- Move proto_register...() & etc to the end of the file (packet-ieee80211);
- Misc.
svn path=/trunk/; revision=46489
are like the non-TVB versions except that they take a TVB and an offset
instead of (frequently) a pointer into the TVB.
Calling tvb_get_ptr() before modifying the rest of the fields should help fix
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7960 (though I can't
reproduce that problem).
Replace a bunch of calls like:
SET_ADDRESS(..., AT_XXX, length, tvb_get_ptr(tvb, offset, length));
with:
TVB_SET_ADDRESS(..., AT_XXX, tvb, offset, length);
svn path=/trunk/; revision=46324
There are a handful of fields in the IEEE802.11 dissector that are comprised of
a 16-bit value. The hf array for these fields has the necessary masks to
correctly parse a 16-bit value, yet some of the fields were being added as 1
byte. This patch corrects these fields with a proto_tree_add_item approach
(instead of proto_tree_add_[uint|boolean]).
svn path=/trunk/; revision=45828
The changes fix definite problems or
are done "just in case" for cases not easily determined
to be a problem by quick inspection.
Note: in some cases for loop index variables have been renamed
to ensure all required code changes are detected.
##backport
svn path=/trunk/; revision=45477
wlan_mgt.ht.capabilities bits 8-15 incorrectly decoded (from wrong packet offset)
The bug is that the code defines the bit fields as 16 bit, but increments the
offset in-between decoding B0-B7 and B8-B15 which causes the wrong bits to be
decoded.
Also fix to change "Capability" to "Capabilities" to match spec
From me : Fix wrong length for A-MPDU
svn path=/trunk/; revision=45431
The reassembled fragments tree in the Packet Details view is awesome, but it
lacks one thing: a field that exposes the reassembled data.
tcp.data already exists for exposing a single TCP segment's payload as a byte
array. It would be handy to have something similar for a single application
layer PDU when TCP segment reassembly is involved. I propose
tcp.reassembled.data, named and placed after the already existing field
tcp.reassembled.length.
My primary use case for this feature is outputting tcp.reassembled.data with
tshark for further processing with a script.
The attached patch implements this very feature. Because the reassembled
fragment tree code is general purpose, i.e. not specific to just TCP, any
dissector that relies upon it can add a similar field very cheaply. In that
vein I've also implemented ip.reassembled.data and ipv6.reassembled.data, which
expose reassembled fragment data as a single byte stream for IPv4 and IPv6,
respectively. All other protocols that use the reassembly code have been left
alone, other than inserting NULL into their initializer lists for the newly
introduced struct field reassemble.h:fragment_items.hf_reassembled_data.
svn path=/trunk/; revision=44802
TKIP dissection : wrong IS_TKIP macro
In [1] "11.4.2.2 TKIP MPDU formats", we can see the sentence below.
"WEPSeed[1] is not used to construct the TSC, but is set to (TSC1 | 0x20) &
0x7f."
But the IS_TKIP macro only checks (WEPSeed[1] & 0x20).
So sometimes IS_TKIP macro mis-dissects a CCMP frame as a TKIP frame.
This patch changes the IS_TKIP macro to do a better check.
[1] IEEE Std 802.11-2012
#BACKPORT(1.8, 1.6)
svn path=/trunk/; revision=44790
Also (for a few files):
- create/use some extended value strings;
- remove unneeded #include files;
- remove unneeded variable initialization;
- re-order fcns slightly so prefs_reg_handoff...() at end, etc
svn path=/trunk/; revision=44438
it as appropriate in the code to read Network Instruments Observer
captures (rather than tweaking the "protected" flag in the packet data),
and use that flag in the 802.11 dissector.
Fix indentation while we're at it (tabs are not *ipso facto* 4 spaces).
svn path=/trunk/; revision=43795
implicitly by the #define name and string they were defined to; not all
UATs neatly fit into any of the categories, so some of them were put
into categories that weren't obviously correct for them, and one - the
display filter macro UAT - wasn't put into any category at all (which
caused crashes when editing them, as the GUI code that handled UAT
changes from a dialog assumed the category field was non-null).
The category was, in practice, used only to decide, in the
aforementioned GUI code, whether the packet summary pane needed to be
updated or not. It also offered no option of "don't update the packet
summary pane *and* don't redissect anything", which is what would be
appropriate for the display filter macro UAT.
Replace the category with a set of fields indicating what the UAT
affects; we currently offer "dissection", which applies to most UATs
(any UAT in libwireshark presumably affects dissection at a minimum) and
"the set of named fields that exist". Changing any UAT that affects
dissection requires a redissection; changing any UAT that affects the
set of named fields that exist requires a redissection *and* rebuilding
the packet summary pane.
Perhaps we also need "filtering", so that if you change a display filter
macro, we re-filter, in case the display is currently filtered with a
display filter that uses a macro that changed.
svn path=/trunk/; revision=43603
Wireshark > 1.4 does not correctly read Association ID for PS Poll packets
Wireless frames with subtype 0x1a don't interpret the Association ID (always 0).
Fix :
proto_tree_add_uint() wasn't changed to proto_tree_add_item()
#BACKPORT
svn path=/trunk/; revision=43556
Look before we loop
Check the value of various key count parameters against the size of their
parent tag *before* we start looping on them.
Stick an expert error on the field and bound the loop at a sane point if the
count is bogus.
svn path=/trunk/; revision=42631
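
The check described in the message above, as an added C example that is not Wireshark code: the declared count is compared against what the parent tag can hold before the loop starts, and a bogus count is flagged and clamped. The tag layout (2-byte little-endian count, 4-byte entries), `walk_counted_list()` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENTRY_SIZE 4u  /* assumed size of one list entry, in bytes */

struct walk_result {
    unsigned entries;      /* entries actually visited */
    int      bogus_count;  /* 1 if the declared count could not fit in the tag */
    uint32_t last_entry;   /* big-endian value of the last entry visited */
};

/* Hypothetical tag body: 2-byte little-endian count, then `count` entries of
 * ENTRY_SIZE bytes. tag/tag_len cover the parent tag body only. */
struct walk_result walk_counted_list(const uint8_t *tag, size_t tag_len)
{
    struct walk_result r = {0, 0, 0};
    if (tag_len < 2) {               /* not even room for the count itself */
        r.bogus_count = 1;
        return r;
    }
    unsigned declared = (unsigned)tag[0] | ((unsigned)tag[1] << 8);
    size_t   fits     = (tag_len - 2) / ENTRY_SIZE;  /* what the tag can hold */
    unsigned limit    = declared;

    if (declared > fits) {           /* checked once, before the loop starts */
        r.bogus_count = 1;           /* a dissector would flag the count field here */
        limit = (unsigned)fits;      /* bound the loop at what is really there */
    }
    for (unsigned i = 0; i < limit; i++) {
        const uint8_t *e = tag + 2 + (size_t)i * ENTRY_SIZE;
        r.last_entry = ((uint32_t)e[0] << 24) | ((uint32_t)e[1] << 16) |
                       ((uint32_t)e[2] << 8)  |  (uint32_t)e[3];
        r.entries++;
    }
    return r;
}

/* Constructed sample inputs (not taken from any capture). */
const uint8_t GOOD_TAG[]  = { 0x02, 0x00, 0x00, 0x0f, 0xac, 0x04,
                              0x00, 0x0f, 0xac, 0x02 };
const uint8_t BOGUS_TAG[] = { 0xff, 0xff, 0x00, 0x0f, 0xac, 0x04, 0x99 };

int main(void)
{
    struct walk_result g = walk_counted_list(GOOD_TAG, sizeof GOOD_TAG);
    struct walk_result b = walk_counted_list(BOGUS_TAG, sizeof BOGUS_TAG);
    printf("good:  entries=%u bogus=%d\n", g.entries, g.bogus_count);
    printf("bogus: entries=%u bogus=%d\n", b.entries, b.bogus_count);
    return 0;
}
```
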
Add wlan.ra field value to wlan.addr
The (hidden) field wlan.addr==xx:xx:xx:xx:xx:xx currently matches wlan.da,
wlan.bssid, wlan.sa and wlan.da fields but not wlan.ra field.
svn path=/trunk/; revision=42597
802.11s Decoding Bug (Mesh Control Field)
Wrong offset used to dissect Mesh Extended Address (bug from revision 39314)
svn path=/trunk/; revision=42105
registered OUIs from manuf and allow custom dissectors for
Organizationally Specific TLVs. Fixes bug 7080.
Use uint_get_manuf_name() and uint_get_manuf_name_if_known(), rather
than tvb_get_manuf_name() and tvb_get_manuf_name_if_known(), in cases
where we've fetched the OUI.
Have the ECP/VDP dissector also display registered OUIs from manuf.
Get rid of the OUI_CISCO_2 OUI from tlv_oui_subtype_vals, as that can
come from the manuf file. Leave in comments explaining why, for now, we
aren't using the manuf file for *all* the OUIs.
svn path=/trunk/; revision=42055
In some cases:
Use val_to_str_const() instead of val_to_str();
Reformat long lines;
Do some general whitespace changes.
svn path=/trunk/; revision=41587
Remove tag_len parameter - it was redundant.
The length passed no longer contains the vendor id.
- add_tagged_field / TAG_VENDOR_SPECIFIC_IE:
Reorder so that the ieee "standard" vendor ids come first,
after that the really vendor specific stuff.
svn path=/trunk/; revision=41027
    for (i = 1; i <= N; i++)
        ...
the type of "i" must have, as its maximum value, a value >= the maximum
value of N; otherwise, if N is equal to the maximum value that fits in
"i", the loop will never terminate. (If that requires "i" to be larger
than you'd like, do the loop as
    for (i = 0; i < N; i++)
        ...
which doesn't have that problem.)
Clean up the "i = 1" clause's white space in those for loops.
svn path=/trunk/; revision=41010
anything that can run Wireshark (it might be slower), and if the maximum
count value is 16-bit, you can loop forever if the maximum count value
happens to be 65535.
(Yes, this means that
    guint i, j;
    ...
    for (i = 0; i < j; i++)
        ...
risks looping forever if j is 2^32-1, and the same applies to 64-bit
counters. There are probably fewer protocols with 32-bit counts, and
probably even fewer with 64-bit counts, but the way it should be done in
those cases, for safety, is
    i = 0;
    for (;;) {
        if (i >= j)
            break;
        ...
        if (i == j - 1)
            break;
    }
or something such as that.)
Fixes bug 6809.
#BACKPORT
Will schedule for 1.6.x.
svn path=/trunk/; revision=40967
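
The counter-width problem discussed in the two messages above (revisions 41010 and 40967), as an added C example that is not Wireshark code: a 1-based `i <= N` loop with a 16-bit counter and a 16-bit count of 65535, next to the zero-based and wider-counter forms. The function names and `ITERATION_CAP`, a safety stop so the demonstration itself returns, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Safety stop for the demonstration; a real loop would simply never end. */
#define ITERATION_CAP 200000UL

/* 1-based loop whose counter is exactly as wide as the count field. */
unsigned long loop_one_based_u16(uint16_t n)
{
    unsigned long iterations = 0;
    uint16_t i;
    for (i = 1; i <= n; i++) {
        /* With n == 65535, i wraps from 65535 to 0 and i <= n stays true. */
        if (++iterations >= ITERATION_CAP)
            break;
    }
    return iterations;
}

/* Zero-based form: the same 16-bit counter terminates for every n. */
unsigned long loop_zero_based_u16(uint16_t n)
{
    unsigned long iterations = 0;
    uint16_t i;
    for (i = 0; i < n; i++)
        iterations++;
    return iterations;
}

/* 1-based form kept, but with a counter wider than the count field. */
unsigned long loop_one_based_u32(uint16_t n)
{
    unsigned long iterations = 0;
    uint32_t i;
    for (i = 1; i <= n; i++)
        iterations++;
    return iterations;
}

int main(void)
{
    printf("u16, i <= n, n=65534: %lu iterations\n", loop_one_based_u16(65534));
    printf("u16, i <= n, n=65535: %lu iterations (stopped by the cap)\n",
           loop_one_based_u16(65535));
    printf("u16, i <  n, n=65535: %lu iterations\n", loop_zero_based_u16(65535));
    printf("u32, i <= n, n=65535: %lu iterations\n", loop_one_based_u32(65535));
    return 0;
}
```
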
Mesh Peering Management reason code field interpreted as status code
The Mesh Peering Management tag displays a status code instead of a reason code
svn path=/trunk/; revision=40132
It's tedious to parse the blockack bitmap by hand, showing it in wireshark
directly is much nicer. Attached patch does so, only for compressed BA for now.
From me: made it filterable.
svn path=/trunk/; revision=40126
1. If there's no character encoding (ENC_ASCII, ...) specified
then use ENC_ASCII.
2. For all but FT_UINT_STRING, always use ENC_NA
(replacing any existing True/1/FALSE/0
/ENC_BIG_ENDIAN/ENC_LITTLE_ENDIAN).
svn path=/trunk/; revision=39426
Move sniffer meta data parsing to separate files
packet-ieee80211.c includes dissectors for three different styles
of IEEE 802.11 sniffer meta data (like signal strength). Move these
to separate files in the same style as a fourth format (radiotap)
was already handled, so that packet-ieee80211.c focuses on the
actual IEEE 802.11 frame dissecting.
This reverts
http://anonsvn.wireshark.org/viewvc?revision=23911&view=revision
Objections?
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6443
svn path=/trunk/; revision=39379
Wi-Fi P2P: Show frame name in col_info
Make it easier to find specific P2P frames by adding the name of the P2P
Public Action frames into col_info.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6443
svn path=/trunk/; revision=39367
Specifically: Replace FALSE|0 and TRUE|1 by ENC_BIG_ENDIAN|ENC_LITTLE_ENDIAN as
the encoding parameter for proto_tree_add_item() calls which directly reference
an item in hf[] which has a type of:
FT_BOOLEAN
FT_IPv4
FT_EUI64
FT_GUID
FT_UINT_STRING
Also: For type FT_IPv6 use ENC_NA. (This was missed in SVN #39260)
svn path=/trunk/; revision=39328
Clean up IEEE 802.11 dissector - fixed fields
Many of the fixed fields use similar bitfield construction in the proto_tree. Use proto_tree_add_bitmask() to avoid having to implement the same subtree and item addition separately for each field.
svn path=/trunk/; revision=39322
Clean up IEEE 802.11 dissector - fixed fields
The fixed field identifiers were defined to have specific values. However, this is used only within the parser and does not correspond to any specific packet field. As such, there is no need for the specific values to be maintained and an enum makes it simpler to add and remove these fields as needed.
svn path=/trunk/; revision=39315
Clean up IEEE 802.11 dissector - fixed fields
The app_fixed_field() function has grown into an overly complex and long function. Split it into separate helper functions for each fixed field and a table of dissector functions. This makes it easier to extend and maintain the implementation.
svn path=/trunk/; revision=39314
WPA IE pairwise cipher suite dissector uses incorrect value_string list
From me :
* Use correct value_string for WPA Key MGMT...
svn path=/trunk/; revision=39311
Wireshark encounters error while parsing ieee80211 QoS Null data.
The error is because of invalid read when trying to read mesh_flags
(after the header), which doesn't exist.
svn path=/trunk/; revision=39295
Specifically: Replace FALSE|0 and TRUE|1 by ENC_BIG_ENDIAN|ENC_LITTLE_ENDIAN as
the encoding parameter for proto_tree_add_item() calls which directly reference
an item in hf[] which has a type of:
FT_UINT8
FT_UINT16
FT_UINT24
FT_UINT32
FT_UINT64
FT_INT8
FT_INT16
FT_INT24
FT_INT32
FT_INT64
FT_FLOAT
FT_DOUBLE
svn path=/trunk/; revision=39288
FT_NONE
FT_BYTES
FT_IPV6
FT_IPXNET
FT_OID
Note: Encoding field set to ENC_NA only if the field was previously TRUE|FALSE|ENC_LITTLE_ENDIAN|ENC_BIG_ENDIAN
svn path=/trunk/; revision=39260
Dissector for ieee802.11e QoS Info field of QoS Capability Element(46) is missed
From me :
* Fix checkAPIs error (Found non-ASCII characters)
svn path=/trunk/; revision=39193
IEEE 802.11 dissector shows duplicated proto item for Action category
Action frame dissecting is first adding hf_ieee80211_action (wlan_mgt.fixed.action) field before the category-based processing. Immediately after that, the per-category implementations are adding FIELD_CATEGORY_CODE (hf_ieee80211_ff_category_code, i.e., wlan_mgt.fixed.category_code) to the proto tree for the exact same octet. Remove hf_ieee80211_action to avoid the duplicated item in the tree. In addition, remove the now unused action_item and action_tree variables.
svn path=/trunk/; revision=39169
If the GAS Query Request/Response Length field is incorrect, the
dissector function may return a value that is larger than the remaining
packet buffer. This results in a Tagged parameters item being added with
-1 byte length since tvb_reported_length_remaining() reports -1 once the
offset goes beyond the end of the packet. Clicking on that item results
in Wireshark dying on Gtk-ERROR. Note: this does not show up in tshark
and as such, cannot apparently be triggered with fuzz-test.sh.
Fix this by refusing to dissect GAS frames that have too large length
field value. In addition, verify that tvb_reported_length_remaining() is
returning a value larger than 0 instead of non-zero (which could be -1)
to make the IEEE 802.11 dissector more robust against this type of
issues.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6345
svn path=/trunk/; revision=39024
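
The failure described in the message above, as an added C example that is not Wireshark code: an unchecked length field pushes the offset past the end, the remaining length becomes -1, and a non-zero test lets that -1 through where a greater-than-zero test does not. `remaining_after()` only models the -1 behaviour the message attributes to tvb_reported_length_remaining(); the frame layout, the other function names and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the behaviour the message describes: -1 once the offset is
 * past the end. This is not the Wireshark tvbuff API. */
int remaining_after(size_t reported_len, size_t offset)
{
    return offset > reported_len ? -1 : (int)(reported_len - offset);
}

/* Hypothetical GAS-like body: 2-byte little-endian query length, then the
 * query. Returns the offset just past the query, or 0 if the frame is refused. */
size_t gas_body_end(const uint8_t *buf, size_t len, int check_length)
{
    if (len < 2)
        return 0;
    size_t query_len = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (check_length && query_len > len - 2)
        return 0;              /* fixed behaviour: refuse to dissect */
    return 2 + query_len;      /* unchecked: may point past the end */
}

struct item {
    int created;  /* 1 if a "Tagged parameters" item would be added */
    int len;      /* length that item would be given */
};

/* Weak test: any non-zero remainder, including -1, creates the item. */
struct item item_weak(size_t len, size_t offset)
{
    struct item it = {0, 0};
    int rem = remaining_after(len, offset);
    if (rem) { it.created = 1; it.len = rem; }
    return it;
}

/* Robust test: only a positive remainder creates the item. */
struct item item_robust(size_t len, size_t offset)
{
    struct item it = {0, 0};
    int rem = remaining_after(len, offset);
    if (rem > 0) { it.created = 1; it.len = rem; }
    return it;
}

/* Constructed sample frames (not taken from any capture). */
const uint8_t BAD_FRAME[]  = { 0x40, 0x00, 0xaa, 0xbb, 0xcc };  /* claims 64 bytes */
const uint8_t GOOD_FRAME[] = { 0x02, 0x00, 0xaa, 0xbb, 0xdd, 0x01, 0x00 };

int main(void)
{
    size_t end = gas_body_end(BAD_FRAME, sizeof BAD_FRAME, 0);
    printf("unchecked end=%zu weak item len=%d robust created=%d\n", end,
           item_weak(sizeof BAD_FRAME, end).len,
           item_robust(sizeof BAD_FRAME, end).created);
    printf("checked end=%zu (0 means refused)\n",
           gas_body_end(BAD_FRAME, sizeof BAD_FRAME, 1));
    return 0;
}
```
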
- Dissect ANQP Network Authentication Type
- Dissect ANQP Domain Name List
- Dissect Interworking element
- Dissect Roaming Consortium element
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6339
svn path=/trunk/; revision=39023
ieee80211: Support multiple ANQP info elements in response
ANQP Query Response may include multiple ANQP info elements. Parse each
one of these separately. In addition, clean up three ANQP subtrees to
avoid the unnecessary subtree at higher layer and instead, use a
separate subtree for each ANQP info elements.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6339
svn path=/trunk/; revision=39008
ieee80211: Show ANQP adv proto on subtree title line
This makes it easier to get the most significant information from the
Advertisement Protocol element in GAS messages without having to expand
subtrees.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6339
svn path=/trunk/; revision=39007
ieee80211: Do not add duplicate tag number/len for adv proto
dissect_advertisement_protocol() is used both for ANQP and for parsing
IEs. The tag number/length fields need to be added only for ANQP to
avoid adding duplicate entries in the proto tree.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6339
svn path=/trunk/; revision=39006
Wireshark improperly parsing 802.11 Beacon Country Information tag
From me:
Fix this issue (missing the optional Pad field for Country Tag)
svn path=/trunk/; revision=38878
so precede their field names with "wlan.". Fix some of their long names
and descriptions (no need to spell out "Internet Protocol" or "Medium
Access Control", for example).
Give the "Number of Channels" field a more reasonable name (and one that
avoids the problem of spelling "unknown" incorrectly).
svn path=/trunk/; revision=38559
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 8/9] add support for Root Announcement (RANN) IEs
svn path=/trunk/; revision=38281
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 8/9] add support for Root Announcement (RANN) IEs
svn path=/trunk/; revision=38280
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 7/9] update parsing of mesh control field
During development of the 80211s standard, a "mesh header" was conceived. This mesh header has been renamed the "mesh control field". Further, the conditions under which it is expected to appear have also changed. Specifically, the mesh control field appears in multihop action frames and mesh data frames. In the former case, it appears after the action category and action code, so no special header parsing is required to parse it.
The latter case is a bit more complicated. We know the mesh control field is present if the data frame was transmitted by a mesh STA, AND the new "Mesh Control Present" bit in the QoS control field is set. This second thing is easy enough to check. But the first thing is not. So we continue to rely on heuristics. Specifically, we only expect the mesh control field for valid from-ds/to-ds settings, and if the mesh control field itself is valid.
Other relevant changes in this patch include:
-- rename mesh_header to mesh_control as appropriate
-- consider the mesh control field to be part of the header when accounting for payload padding.
-- parse some of the qos fields earlier so they can be used to determine if the mesh control field is present.
-- use existing mesh control parsing code instead of duplicating it.
svn path=/trunk/; revision=38279
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 6/9] update mesh path discovery (hwmp) IEs to 802.11s v12
This includes adding the new mesh reason codes
From me
Fix checkAPI Errors (the blurb field matches the field name)
svn path=/trunk/; revision=38278
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 5/9] make pre-80211s marvell mesh use its own data structures
The pre-80211s legacy mesh networking developed by marvell has some similarities to the latest 80211s mesh networking. However, there are enough differences in naming and convention that they should have their own data. For clarity, we break up the marvell and 80211s mesh dissection.
Note that as of this patch, 80211s parsing uses the legacy data structures. That will change in subsequent patches in this set.
svn path=/trunk/; revision=38277
Update 802.11s packet dissecting to the ratified standard (v12.0)
Subject: [PATCH 4/9] eliminate obsolete non-standard 80211s peer link action frame code
The peer link action frame no longer exists. Its data now appears in the self-protected action frame and the peering management IE.
Note that this leaves a gap in the internal field codes that is addressed in a subsequent patch.
svn path=/trunk/; revision=38276
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 3/9] add support for 802.11s v12.0 mesh peering management IE
The v12.0 mesh peering management IE replaces the existing mesh peer link management IE and has a slightly different format.
From me
Fix checkAPI Errors (the blurb field matches the field name)
Remove unused hf_ieee80211_mesh_mgt_pl_reason_code
svn path=/trunk/; revision=38275
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 2/9] add support for 802.11s v12.0 action frame fixed fields
From me
Fix checkAPI Errors (the blurb field matches the field name)
svn path=/trunk/; revision=38274
Update 802.11s packet dissecting to the ratified standard (v12.0)
[PATCH 1/9] update mesh ID and mesh config IEs to latest 80211s draft (v12)
svn path=/trunk/; revision=38273
802.11 Association Response Packet's "Status Code" field is imprecisely decoded/described.
From me :
* Display Reason code in decimal (not Hexa)
* Check list from last standard (802.11-2007, 802.11r-2008, 802.11n-2009, 802.11w-2009 & 802.11z-2011)
* Add link to 802.11z-2010 documentation
svn path=/trunk/; revision=37927
Removed "key prefix" need within GUI so it's a little more intuitive (because
that's what this bug is complaining about). Slight backwards compatibility
issue with UAT (because key prefix was in previous keys), but all development
(including fix for BUG 1123 that created UAT) has just been on SVN and not
released.
Also adjusted AirPCap (airpcap_loader.c) to account for the lack of "key
prefix".
Addressed some memory leaks/excess string creation.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5985
svn path=/trunk/; revision=37888
802.11 Disassociation Packet's "Reason Code" field is imprecisely decoded/described
From me :
* Display Reason code in decimal (not Hexa)
* Update list from last standard (802.11-2007 & 802.11n-2009)
svn path=/trunk/; revision=37668
Specifically WPA/WME sub dissector
* Rework from scratch VS WPA/WME dissector
* Replace proto_tree_add_text/string (ugly hf_ieee80211_tag_interpretation header field...) by proto_tree_add_item
* Make item filterable
* and other stuff...
Based on WMM_Specification_1-1
svn path=/trunk/; revision=37486