ERF: Make ERF wiretap forwards compatible.

Dissector has always been able to cope with unknown record types so pass them through (and call the data dissector from the ERF dissector in this case). Previously was stopping processing on the first unrecognized record which is very unhelpful for otherwise valid files that have new types mixed in. Remove ERF type check altogether from open heuristic as ERF type could be past 48 in future and with more extension headers bit any byte value could be valid. Also allow setting ERF_RECORDS_TO_CHECK to 0 to force skipping the heuristic. Change-Id: I8331eef30ba2e949564f418b3100bd73b8f58116 Reviewed-on: https://code.wireshark.org/review/15361 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-03-21 17:32:13 +13:00 · 2016-03-21 17:32:13 +13:00 · ad0e70f10c
parent 0ec5a271ea
commit ad0e70f10c
3 changed files with 7 additions and 11 deletions
--- a/epan/dissectors/packet-erf.c
+++ b/epan/dissectors/packet-erf.c
@ -2481,6 +2481,7 @@ dissect_erf(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
    break;

  default:
+    call_data_dissector(tvb, pinfo, tree);
    break;
  } /* erf type */
  return tvb_captured_length(tvb);
--- a/wiretap/erf.c
+++ b/wiretap/erf.c
@ -237,7 +237,7 @@ extern wtap_open_return_val erf_open(wtap *wth, int *err, gchar **err_info)

  /* number of records to scan before deciding if this really is ERF */
  if ((s = getenv("ERF_RECORDS_TO_CHECK")) != NULL) {
-    if ((n = atoi(s)) > 0 && n < 101) {
+    if ((n = atoi(s)) >= 0 && n < 101) {
      records_for_erf_check = n;
    }
  }
@ -295,12 +295,12 @@ extern wtap_open_return_val erf_open(wtap *wth, int *err, gchar **err_info)
      continue;
    }

-    /* fail on invalid record type, decreasing timestamps or non-zero pad-bits */
-    /* Not all types within this range are decoded, but it is a first filter */
-    if ((header.type & 0x7F) == 0 || (header.type & 0x7F) > ERF_TYPE_MAX ) {
+    /* ERF Type 0 is reserved for ancient legacy records which are not supported, probably not ERF */
+    if ((header.type & 0x7F) == 0) {
      return WTAP_OPEN_NOT_MINE;
    }

+    /* fail on decreasing timestamps */
    if ((ts = pletoh64(&header.ts)) < prevts) {
      /* reassembled AALx records may not be in time order, also records are not in strict time order between physical interfaces, so allow 1 sec fudge */
      if ( ((prevts-ts)>>32) > 1 ) {
@ -680,10 +680,8 @@ static gboolean erf_read_header(wtap *wth, FILE_T fh,
    case ERF_TYPE_TCP_FLOW_COUNTER:
      /* unsupported, continue with default: */
    default:
-      *err = WTAP_ERR_UNSUPPORTED;
-      *err_info = g_strdup_printf("erf: unknown record encapsulation %u",
-                                  erf_header->type);
-      return FALSE;
+      /* let the dissector dissect as unknown record type for forwards compatibility */
+      break;
  }

  {
--- a/wiretap/erf.h
+++ b/wiretap/erf.h
@ -95,9 +95,6 @@
 /* Pad records */
 #define ERF_TYPE_PAD                48

-#define ERF_TYPE_MIN  1   /* sanity checking */
-#define ERF_TYPE_MAX  48  /* sanity checking */
-
 #define ERF_EXT_HDR_TYPE_CLASSIFICATION  3
 #define ERF_EXT_HDR_TYPE_INTERCEPTID     4
 #define ERF_EXT_HDR_TYPE_RAW_LINK        5