In the RDP dynamic channel, even inside a connection, channel ids aren't unique,
so an id can be reused for different channels. That most notably happens when
the server opens a channel and the client answers that it's not available. Then
the next connection attempt on another channel will reuse the channel id.
This patch fixes that by indexing dynamic channels with a multimap.
After some recent changes, the last known stmt id is stored so that
it can be used in cases where it is not included with a response
(and the last prepared statement should be used instead.)
However, much like the overall state variable, this needs to be stored
in per-frame data, so that it works with random access to frames,
instead of only being in conversation data and only working in a
sequential pass.
Our current code doesn't allow truly disabling decoding via
Decode As for something with a default handle through the GUI,
but if the decode_as_entries configuration file has such an
entry (which it could if edited manually), don't crash from
attempting to look up information about the NULL protocol handle
to set a nonexistent preference.
Some protocols such as FTP might create TCP conversations in
advance before the concerned packets are even parsed. This was
bringing an issue with the completeness value.
Fix #19092
The DecodeAsItem determines the default dissector programmatically
when the table or value is changed. Other classes don't need to update it.
There's a value for the default dissector for a table and value written to
the decode_as_entries configuration file, but that has never affected
anything, because the actual default dissector is used. It is only
useful for information when inspecting or viewing the file.
When selecting a value for Decode As, values that appear in the
current packet are added as a combobox. Currently it only adds
the values from the last layer that contains a protocol. Add
the values from all the layers where the protocol appears to the
combobox instead.
Implement GSS-API session encryption for PostgreSQL, with a
dissector that is called if it has been negotiated. Note
that the Kerberos decryption preference has to be set to attempt
decryption (and it won't work without loading secrets.)
Fix #19082
Forward declare incomplete types for the dcerpc dissector structs
used as pointers by gssapi functions, so that dissectors that
include packet-gssapi.h no longer have to include packet-dcerpc.h
(unless actually using something from that header).
Sometimes the same key gets reused in a fragment reassembled_table.
In some cases this means we should be using additional key information,
like layer number, though fragment_add_seq_next can trigger this
fairly easily (and it even appears intentional with
reassemble_octet_string in packet-ber.c).
The same reassembled data is entered with multiple keys in the
reassembled table for multiple frames. In order to ensure that
data is deleted when no key refers to it anymore, but also allow
new entries to replace old keys, use reference counting. It is
simpler than the current approach of freeing all the data at
the end when the table is destroyed, and avoids leaking data.
This is about 95% of the leaks in #19034
While we're at it, restructure some other checks to test-before-casting -
it's OK to test afterwards, but testing before makes it follow the
pattern used elsewhere.
Fixes #19081.
If the OOO TCP preference is set, but the tcp analysis struct doesn't
have the OOO segments, because the preference wasn't set when it
was created, don't try to reassemble out of order.
This is an indication of dissecting in an inconsistent state, with
changed preferences but old conversation data created with the old
preference settings. Hopefully it's just a temporary dissection
from a GUI refresh.
Related to #19079
Use the current state for the given frame, not the state of
the connection, which is the most recent state from the sequential
pass through the file, not necessarily the current state for a frame
when doing random access on a later pass.
A tvbuffer from real data is not automatically freed unless made
into a child of another tvb (and in that case it would likely be
freed at the end of a packet.) Store only the real data, which is
allocated at file scope, in the file scoped table. Create a tvb
on demand in packets that need it, making it a child of the main
tvb so it gets freed.
Switch the hash table to an auto reset wmem map, eliminating the
need for an init routine.
*data_offset has whatever value happens to be there, and it's not
guaranteed to have been set to any useful value, especially when the
first packet is being read.
If we've allocated a buffer of compressed data or a buffer into which
we're uncompressing that data, and we get an error, free those buffers.
If we've allocated a buffer of compressed data, and we *don't* get an
error reading or uncompressing that data, free it once we're finished
uncompressing it.
If blf_pull_logcontainer_into_memory() gets a short read when reading
compressed data, report it as Yet Another Internal Error, so it doesn't get
treated as an EOF by callers.
Before the recent fixes, blf_pull_logcontainer_into_memory() just
returned either "success" or "failure", and the latter was always turned
into an internal error; the recent fixes let
blf_pull_logcontainer_into_memory() return more information about the
error, including returning whatever the error was from
wtap_read_bytes_or_eof(), which could be WTAP_ERR_SHORT_READ, which, as
per the above, got treated as an EOF.
This all needs much reworking, with the help of something approximating
a detailed description of the file format.
When reading the text from an app text message, allocate a buffer one
byte larger than the size of the message, and set that byte to '\0'
after reading the message text, to ensure that the text is
null-terminated and can be safely handed to routines that process C
strings.
Fixes #19084.
The length of a string transcoded from UTF-16 to UTF-8 can be
shorter (or longer) than the original length in bytes in the packet.
Use the new string length, not the original length.
Use format_text_string, which is a convenience function that
calls strlen.
Fix #19086
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.
Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.
Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.
This prevents some various incompatibilities in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.
Fix #19080
The packet length field is of the form
    Total Length = DDD = ^xXXX
where "DDD" is the length in decimal and "XXX" is the length in
hexadecimal.
Search for "Length ", not just "Length", as we skip past "Length ", not
just "Length", so if we assume we found "Length " but only found
"Length", we'd skip past the end of the string.
While we're at it, fail if we don't find a length field, rather than
just blithely acting as if the packet length were zero.
Fixes #19083.
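
The length-field handling described in the commit message above, as an added example that is not Wireshark's code. The function name `parse_total_length`, the -1 error convention and the hexadecimal cross-check are assumptions of this example; the sample line is constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define LENGTH_TAG "Length "  /* the tag we search for AND skip: same string */

/* Parse "Total Length = DDD = ^xXXX" out of one header line.
 * Returns 0 and stores the length, or -1 if the field is absent or malformed;
 * -1 must be handled as a bad record, never as a zero-length packet. */
int parse_total_length(const char *line, unsigned long *len)
{
    /* Searching for "Length" but advancing by strlen("Length ") would step
     * past the terminating NUL when the line ends right after "Length". */
    const char *p = strstr(line, LENGTH_TAG);
    if (p == NULL)
        return -1;
    p += strlen(LENGTH_TAG);            /* at most the NUL, never beyond it */

    if (p[0] != '=' || p[1] != ' ')     /* short-circuit stops at the NUL */
        return -1;
    p += 2;
    if (!isdigit((unsigned char)*p))    /* strtoul alone would accept "-5" */
        return -1;
    char *end;
    errno = 0;
    unsigned long dec = strtoul(p, &end, 10);
    if (errno == ERANGE)
        return -1;

    /* Example's own choice: cross-check the hexadecimal copy of the value. */
    if (strncmp(end, " = ^x", 5) != 0)
        return -1;
    p = end + 5;
    if (!isxdigit((unsigned char)*p))
        return -1;
    errno = 0;
    unsigned long hex = strtoul(p, &end, 16);
    if (errno == ERANGE || hex != dec)
        return -1;
    *len = dec;
    return 0;
}

int main(void)
{
    unsigned long n;
    const char *line = "Total Length = 74 = ^x4A";  /* constructed sample */
    return parse_total_length(line, &n) == 0 && n == 74 ? 0 : 1;
}
```
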
sip.msg_hdr is a FT_STRING, so adding the entire rest of the packet
and changing the length later isn't ideal. If there's a message body,
then the value of the field will also contain the body, since changing
the length of an item later doesn't change the value, just the bytes
the item covers. This means that tshark -T fields, -T pdml, -T json,
the context menu Copy->Value, a custom column, etc. all have the wrong
value.
In addition, if the message body has null characters, which is quite
possible with various media types (e.g., SMS over SIP), a spurious
_ws.string.trailing_stray_characters Expert Info item will be added
(with no obvious cause to a user.)
Also change sip.msg_body from a FT_NONE to a FT_BYTES with
BASE_NO_DISPLAY_VALUE so that the value reflects the message body
as well without affecting the lack of display label in the tree.
(Unlike the message header, the body is not guaranteed to be any
particular encoding or a string at all. For forcing interpretation
of the body as a string, the "Display Raw Text" preference of SIP
is already available.)
Fix #15136
Speak of dumpcap writing a "capture file" rather than a "pcap file".
Use .pcapng rather than .pcap as the extension in sample capture file
names.
In the description of the -i option, explicitly mention the -P option as
being overridden if more than one -i option is specified.
Issue #19073 has a capture where the client sends a null version
in its prelogin packet. Just ignore that.
Also for now, always use at least TDS version 7.0 if we have a
prelogin packet.
The last parameter of register_dissector_table() indicates the
base for integer tables, indicates case sensitivity for string
tables, and is ignored for other tables (FT_NONE, FT_GUID).
It can be a little difficult to remember what the code is doing
when reading it, and which of 0 and 1 is sensitive and which is
insensitive (0 is sensitive, the default).
Add STRING_CASE_SENSITIVE and STRING_CASE_INSENSITIVE.
Check in tools/fix-encoding-args.pl for STRING-like tables that use
BASE_NONE, TRUE, or FALSE, and convert them to the new values.