Implement GSS-API session encryption for PostgreSQL, with a
dissector that is called if it has been negotiated. Note
that the Kerberos decryption preference has to be set to attempt
decryption (and it won't work without loading secrets.)
Fix#19082
Forward declare incomplete types for the dcerpc dissector structs
used as a pointers by gssapi functions, so that dissectors that
include packet-gssapi.h no longer have to include packet-dcerpc.h
(unless actually using something from that header).
Sometimes the same key gets reused in a fragment reassembled_table.
In some cases this means we should be using additional key information,
like layer number, though fragment_add_seq_next can trigger this
fairly easily (and it even appears intentional with
reassemble_octet_string in packet-ber.c).
The same reassembled data is entered with multiple keys in the
reassembled table for multiple frames. In order to ensure that
data is deleted when no key refers to it anymore, but also allow
new entries to replace old keys, use reference counting. It is
simpler than the current approach of freeing all the data at
the end when the table is destroyed, and avoids leaking data.
This is about 95% of the leaks in #19034
Whie we're at it, restructure some other checks to test-before-casting -
it's OK to test afterwards, but testing before makes it follow the
pattern used elsewhere.
Fixes#19081.
If the OOO TCP preference is set, but the tcp analysis struct doesn't
have the OOO segments, because the preference wasn't set when it
was created, don't try to reassemble out of order.
This is an indication of dissecting in an inconsistent state, with
changed preferences but old conversation data created with the old
preference settings. Hopefully it's just a temporary dissection
from a GUI refresh.
Related to #19079
Use the current state for the given frame, not the state of
the connection, which is the most recent state from the sequential
pass through the file, not necessarily the current state for a frame
when doing random access on a later pass.
A tvbuffer from real data is not automatically freed unless made
into a child of another tvb (and in that case it would likely be
freed at the end of a packet.) Store only the real data, which is
allocated at file scope, in the file scoped table. Create a tvb
on demand in packets that need it, making it a child of the main
tvb so it gets freed.
Switch the hash table to an auto reset wmem map, eliminating the
need for an init routine.
*data_offset has whatever value happens to be there, and it's not
guaranteed to have been set to any useful value, especially when the
first packet is being read.
If we've allocated a buffer of compressed data or a buffer into which
we're uncompressing that data, and we get an error, free those buffers.
If we've allocated a buffer of compressed data, and we *don't* get an
error reading or uncompressing that data, free it once we're finished
uncompressing it.
If blf_pull_logcontainer_into_memory() gets a short read when reading co
pressed data, report it as Yet Another Internal Error, so it doesn't get
treated as an EOF by callers.
Before the recent fixes, blf_pull_logcontainer_into_memory() just
returned either "success" or "failure", and the latter was always turned
into an internal error; the recent fixes let
blf_pull_logcontainer_into_memory() return more information about the
error, including returning whatever the error was from
wtap_read_bytes_or_eof(), which could be WTAP_ERR_SHORT_READ, which, as
per the above, got treated a an EOF.
This all needs much reworking, with the help of something approximating
a detailed description of the file format.
When reading the text from an app text message, allocate a buffer one
byte larger than the size of the message, and set that byte to '\0'
after reading the message text, to ensure that the text is
null-terminated and can be safely handed to routines that process C
strings.
Fixes#19084.
The length of a string transcoded from UTF-16 to UTF-8 can be
shorter (or longer) than the original length in bytes in the packet.
Use the new string length, not the original length.
Use format_text_string, which is a convenience function that
calls strlen.
Fix#19086
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.
Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.
Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.
This prevents some various incompatibilites in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.
Fix#19080
The packet length field is of the form
Total Length = DDD = ^xXXX
where "DDD" is the length in decimal and "XXX" is the length in
hexadecimal.
Search for "length ". not just "Length", as we skip past "Length ", not
just "Length", so if we assume we found "Length " but only found
"Length", we'd skip past the end of the string.
While we're at it, fail if we don't find a length field, rather than
just blithely acting as if the packet length were zero.
Fixes#19083.
sip.msg_hdr is a FT_STRING, so adding the entire rest of the packet
and changing the length later isn't ideal. If there's a message body,
then the value of the field will also contain the body, since changing
the length of an item later doesn't change the value, just the bytes
the item covers. This means that tshark -T fields, -T pdml, -T json,
the context menu Copy->Value, a custom column, etc. all have the wrong
value.
In addition, if the message body has null characters, which is quite
possible with various media types (e.g., SMS over SIP), a spurious
_ws.string.trailing_stray_characters Expert Info item will be added
(with no obvious cause to a user.)
Also change sip.msg_body from a FT_NONE to a FT_BYTES with
BASE_NO_DISPLAY_VALUE so that the value reflects the message body
as well without affecting the lack of display label in the tree.
(Unlike the message header, the body is not guaranteed to be any
particular encoding or a string at all. For forcing interpretation
of the body as a string, the "Display Raw Text" preference of SIP
is already available.)
Fix#15136
Speak of dumpcap writing a "capture file" rather than a "pcap file".
Use .pcapng rather than .pcap as the extension in sample capture file
names.
In the description of the -i option, explicitly mention the -P option as
being overridden if more than one -i option is specified.
Issue #19073 has a capture where the client sends a null version
in its prelogin packet. Just ignore that.
Also for now, always use at least TDS version 7.0 if we have a
prelogin packet.
The last parameter of register_dissector_table() indicates the
base for integer tables, indicates case sensitivity for string
tables, and is ignored for other tables (FT_NONE, FT_GUID).
It can be a little difficult to remember what the code is doing
when reading it, and which of 0 and 1 is sensitive and which is
insensitive (0 is sensitive, the default).
Add STRING_CASE_SENSITIVE and STRING_CASE_INSENSITIVE.
Check in tools/fix-encoding-args.pl for STRING-like tables that use
BASE_NONE, TRUE, or FALSE, and convert them to the new values.
The Expires header field suggests an expiration interval for all
Contact header field values that do not contain the "expires"
parameter (RFC 3261, section 10.2.1.1) Contacts that contain an
"expires" parameter of 0 still have a expires parameter, and should
not be counted in the number of contacts without one.
This avoids double-counting removed bindings.
Fix#15690
Have blf_pull_logcontainer_into_memory() return a libwiretap error code
and additional information string, including various values being
inconsistent.
(If any of those correspond to identifiable file problems, they should
be reported with WTAP_ERR_BAD_FILE and with a description more relevant
to somebody writing code to write those files.)
Fixes#19063.
Packet fields like tcp.time_relative, smb2.time, and SRT tables depend
on file-scoped data from other frames often computed in the first pass.
Thus redissection is necessary after applying a time shift.
Fix#18999
Add dissectors for navigation messages of the Satellite-based
Augmentation System (on L1 frequency). Includes dissectors for message
types MT1, MT2 - MT6, and MT25.
If the frame length is longer than the maximum, report an error in the
file.
Fixes#19062, preventing the overflow on a buffer on the stack (assuming
your compiler doesn't call a bounds-checknig version of memcpy() if the
size of the target space is known).
As https://docs.gitlab.com/ee/ci/yaml/index.html#allow_failure says:
"The default value for allow_failure is:
- true for manual jobs.
- false for jobs that use when: manual inside rules.
- false in all other cases."
Set "allow_failure: true" for the Documentation job.
[skip ci]
Gerald Combs