The LL_REJECT_EXT_IND is an allowed response to the LL_POWER_CONTROL_REQ,
see Core_v5.3, Vol 6, Part B, Section 5.1.17.
Performs control procedure validation once a LL_POWER_CHANGE_IND is sent
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
Core spec 5.2, Vol 6, Part B, Section 5.3 describes how the link layer should
resolve the scenario where a collision occurs where both link layers initiate
incompatible control procedures.
This commit adds expert information for the case where these conflicts are not
handled according to spec.
Example of an invalid scenario:
M->S: LL_PHY_REQ
S->M: LL_PHY_REQ
S->M: LL_PHY_RSP
M->S: LL_PHY_UPDATE_IND
The correct sequence for this scenario is:
M->S: LL_PHY_REQ
S->M: LL_PHY_REQ
S->M: LL_PHY_RSP
M->S: LL_REJECT_EXT_IND
M->S: LL_PHY_UPDATE_IND
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
By defining control_proc_add_frame(), control_proc_add_last_frame(), and
control_proc_add_frame_with_instant() a lot of duplicate code can be removed.
This commit makes the checks for the CIS establishment procedure follow the spec.
Previously the dissector had two bugs:
- It allowed both master and slave to initiate this procedure
- The procedure was marked as complete once the LL_CIS_RSP was received.
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
Moves the check of starting a control procedure before the previous was complete inside
the function control_proc_start(). This check should be performed before starting any
control procedure. Therefore it is better to simply move it inside the function to remove
code duplication.
Signed-off-by: Rubin Gerritsen <rubin.gerritsen@nordicsemi.no>
No one is using this so I'd like to explore other
options first to handle constants in arithmetic
expressions that lack type information.
Reverts 3ddb017a88.
We want at least one letter. Because protocol names can contain
dots and hyphens testing for !isdigit is not enough to make it
dissimilar to decimal numeric expressions.
- Show which options are referenced by entries in entry overview.
- Show IPv6 address in option overview too (before IPv4 only).
- Only register ports of endpoint referenced by SOME/IP services.
Endpoint Options referenced by Service 0xfffe (non SOME/IP) are not
automatically registered to be SOME/IP anymore [improvement].
Calculating ipei_digits happened using signed int arithmetic due to type
promotion rules. Explicitly casting the static number to guint64
ensures usage of unsigned 64bit arithmetics.
The extended location information type field is a four bit value. This
was handled correctly while displaying, but not by interpreting the
value. Hence the according MASK and SHIFT values have been updated.
When processing BATCH statements, Wireshark did not properly handle keys with length < 0, which actually means that no value
is sent on the wire.
This fixes it (and as a result, parses properly some result packets it failed to parse properly before).
Signed-off-by: Yaniv Kaul <yaniv.kaul@scylladb.com>
When processing results, Wireshark did not properly handle keys with length -1, which actually means NULL.
This fixes it (and as a result, parses properly some result packets it failed to parse properly before).
Signed-off-by: Yaniv Kaul <yaniv.kaul@scylladb.com>
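The length handling that the two Cassandra commits above describe, as an added example that is not Wireshark's dissector code. It assumes the CQL native protocol layout for a value (a 4-byte big-endian signed length followed by that many bytes, with a negative length meaning nothing follows); the type names, function names and sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of reading one length-prefixed value (names are illustrative). */
enum value_kind { VALUE_BYTES, VALUE_ABSENT, VALUE_TRUNCATED };

struct value {
    enum value_kind kind;
    const uint8_t *data;  /* set only for VALUE_BYTES */
    uint32_t len;
};

/* Read a 4-byte big-endian signed length at *offset, then that many bytes.
 * A negative length carries no bytes on the wire. On success *offset moves
 * past the value; on truncation it is left unchanged. */
static struct value read_value(const uint8_t *buf, size_t buflen, size_t *offset)
{
    struct value v = { VALUE_TRUNCATED, NULL, 0 };
    size_t off = *offset;

    if (off > buflen || buflen - off < 4)
        return v;
    uint32_t raw = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                   ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
    off += 4;

    if (raw & 0x80000000u) {        /* sign bit set: length < 0 */
        v.kind = VALUE_ABSENT;      /* consume the length field only */
        *offset = off;
        return v;
    }
    if (raw > buflen - off)         /* claimed length exceeds what is left */
        return v;
    v.kind = VALUE_BYTES;
    v.data = buf + off;
    v.len = raw;
    *offset = off + raw;
    return v;
}

/* Walk a run of values. Returns 0 when the buffer is consumed exactly,
 * -1 if a value is truncated. */
static int parse_all(const uint8_t *buf, size_t buflen, size_t *present, size_t *absent)
{
    size_t off = 0;
    *present = *absent = 0;
    while (off < buflen) {
        struct value v = read_value(buf, buflen, &off);
        if (v.kind == VALUE_TRUNCATED)
            return -1;
        if (v.kind == VALUE_ABSENT) (*absent)++; else (*present)++;
    }
    return 0;
}

/* Constructed sample: "abc", a -1 length, an empty value, "hi". */
static const uint8_t SAMPLE[] = {
    0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',
    0xFF, 0xFF, 0xFF, 0xFF,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x02, 'h', 'i',
};

int main(void)
{
    size_t present, absent;
    int rc = parse_all(SAMPLE, sizeof SAMPLE, &present, &absent);
    printf("rc=%d present=%zu absent=%zu\n", rc, present, absent);
    return 0;
}
```

Reading the length as unsigned would turn the -1 entry into a claimed length of 0xFFFFFFFF bytes, so the bounds check would reject it as truncated.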
Make dfilter byte representation always use ':' for consistency.
Make 1 byte be represented as "XX:" with the colon suffix to
make it nonambiguous that it is a byte and not other type,
like a protocol.
The difference can be seen in the following programs. In the
before representation it is not obvious at all that the second
"fc" value is a literal bytes value and not the value of the
protocol "fc", although it can be inferred from the lack of
a READ_TREE instruction. In the After we know that "fc:" must
be bytes and not a protocol.
Note that a leading colon is a syntactical expedient to say
"this value with any type is a literal value and not a protocol
field." A terminating colon is just a part of the dfilter
literal bytes syntax.
Before:
Filter: fc == :fc
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(fc <FT_PROTOCOL>)
1 FVALUE(fc <FT_PROTOCOL>)
Instructions:
00000 READ_TREE fc <FT_PROTOCOL> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == fc <FT_PROTOCOL>
After:
Filter: fc == :fc
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(fc <FT_PROTOCOL>)
1 FVALUE(fc: <FT_PROTOCOL>)
Instructions:
00000 READ_TREE fc <FT_PROTOCOL> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == fc: <FT_PROTOCOL>
Remove some unused historical files.
Aggressively disable warnings to keep the lemon source
pristine and avoid the maintenance burden for lemon itself.
Lemon has its own lax policy for warnings that doesn't match our
own and they won't accept external patches to remove the
warnings, so just ignore them. Lemon is just executed to generate
code for the Wireshark build and the minor code issues it has
have no influence at runtime.
For lemon generated code we selectively disable some linting
warnings.
Remove patches for lemon and lempar, they are no longer required
with these changes to silence warnings.
Constant logical expressions are tautologies and almost certainly
user error. Reject them as invalid.
Most of them were already rejected with insufficient type information
but some corner cases were still valid.
Before:
Filter: ${frame.number} == 3
Syntax tree:
0 TEST_ANY_EQ:
1 REFERENCE(frame.number <FT_UINT32>)
1 FVALUE(3 <FT_UINT32>)
Instructions:
00000 READ_REFERENCE ${frame.number <FT_UINT32>} -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == 3 <FT_UINT32>
00003 RETURN
After:
Filter: ${frame.number} == 3
dftest: Constant expression is invalid.
${frame.number} == 3
^~~~~~~~~~~~~~~~~~~~
prev needs to be advanced to ptr on an invalid character even
if there aren't any bytes to copy (because we have two invalid
characters in a row.) Fixup ba7917309a. Fix #18769.
For ASCII encoding, most bytes are copied directly. Count consecutive
valid bytes in an accumulator and append them all at once when we
get an invalid character with the high bit set, or at the end.
This reduces the number of reallocations and allows larger, more
optimized memcpys.
Fix the following valgrind warnings:
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x78B0849: unescape_and_tvbuffify_telnet_option (epan/dissectors/packet-telnet.c:1043)
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x76917C8: dissect_rohc_ir_rtp_profile_dynamic (epan/dissectors/packet-rohc.c:1667)
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x70DCBF1: dissect_gsm_rlcmac_downlink (epan/dissectors/packet-gsm_rlcmac.c:9770)
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x6C7958E: set_mime_hdr_flags (epan/dissectors/packet-beep.c:392)
Fixes #18742
Remove unparsed lexical type and replace it with identifier
and constant. This separation is still necessary to differentiate
names (fields and function) from literals that look like names
but it has some advantages to do it at the lexical level.
The main advantage is a much cleaner and simplified grammar,
because we only have a single token type for field names, without
any loss of generality (the same name is valid for fields and
function names for example).
The CONSTANT token type is necessary to be different from literal
to provide errors for function rules.
As proto_tree_add_bits_item does not support FT_STRING header fields
dissection of non byte aligned fields containing BCD values has been
rewritten using explicit reading of the BCD values and usage of
proto_tree_add_string
Bitfields are neither allowed to be of type FT_NONE nor FT_UINT_BYTES.
This commit fixes this for padding fields (being max 7 bits of zeroes,
thus FT_UINT8) and one field currently named as FT_UINT_BYTES that can
just be represented as FT_BYTES
Underline the whole expression if the error is for the function.
Before:
Filter: frame.number == abs(1, 2)
dftest: Function abs can only accept 1 arguments.
frame.number == abs(1, 2)
^~~
After:
Filter: frame.number == abs(1, 2)
dftest: Function abs can only accept 1 arguments.
frame.number == abs(1, 2)
^~~~~~~~~
The strategy here is to delay resolving literals to values until
we have looked at the entire argument list.
Also we will try to commute the relation in a comparison if
we do not have a type for the return value of the function,
like any other constant.
Before:
Filter: max(1,_ws.ftypes.int8) == 1
dftest: Argument '1' is not valid for max()
max(1,_ws.ftypes.int8) == 1
^
After:
Filter: max(1,_ws.ftypes.int8) == 1
Syntax tree:
0 TEST_ANY_EQ:
1 FUNCTION(max#2):
2 FVALUE(1 <FT_INT8>)
2 FIELD(_ws.ftypes.int8 <FT_INT8>)
1 FVALUE(1 <FT_INT8>)
Instructions:
00000 STACK_PUSH 1 <FT_INT8>
00001 READ_TREE _ws.ftypes.int8 <FT_INT8> -> reg#1
00002 IF_FALSE_GOTO 3
00003 STACK_PUSH reg#1
00004 CALL_FUNCTION max(reg#1, 1 <FT_INT8>) -> reg#0
00005 STACK_POP 2
00006 IF_FALSE_GOTO 8
00007 ANY_EQ reg#0 == 1 <FT_INT8>
00008 RETURN
Filter: max(1,_ws.ftypes.int8) == 1
** (dftest:64938) 01:43:25.950180 [DFilter ERROR] epan/dfilter/sttype-field.c:117 -- sttype_field_ftenum(): Magic num is 0x5cf30031, but should be 0xfc2002cf
Similar to commit dbb9fe2a37, proto_item_fill_display_label
now uses address_to_display for FT_IPv4, FT_IPv6, and FT_FCWWN,
the other three address types that double as field types and which
have optional name resolution.
Add these to the list of types that, if present in a custom column,
has the GUI enable the checkbox to switch between "resolved" (names)
and not (values).
This allows adding custom columns with these field types with both
resolved and non resolved text. Note that the appropriate Name
Resolution preference settings must be enabled for the type as well.
Comparison relations should be allowed to commute but they can not
because we need type information to resolve literals to fvalues. For
that reason an expression like "1 == some.field" is invalid. Solve
that by commuting the relation if the first try did not succeed in
assigning a type to the LHS.
After the second try give up, that means we have a relation with
constants on both sides and that is not semantically valid.
Other relations like "matches" and "contains" are not symmetric and
should not commute anyway.
Before:
Filter: _ws.ftypes.int32 == 10
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.int32 <FT_INT32>)
1 FVALUE(10 <FT_INT32>)
Instructions:
00000 READ_TREE _ws.ftypes.int32 <FT_INT32> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == 10 <FT_INT32>
00003 RETURN
Filter: 10 == _ws.ftypes.int32
dftest: Left side of "==" expression must be a field or function, not 10.
10 == _ws.ftypes.int32
^~
After:
Filter: _ws.ftypes.int32 == 10
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.int32 <FT_INT32>)
1 FVALUE(10 <FT_INT32>)
Instructions:
00000 READ_TREE _ws.ftypes.int32 <FT_INT32> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == 10 <FT_INT32>
00003 RETURN
Filter: 10 == _ws.ftypes.int32
Syntax tree:
0 TEST_ANY_EQ:
1 FVALUE(10 <FT_INT32>)
1 FIELD(_ws.ftypes.int32 <FT_INT32>)
Instructions:
00000 READ_TREE _ws.ftypes.int32 <FT_INT32> -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ 10 <FT_INT32> == reg#0
00003 RETURN
Add all the valid bytes at once when we get to the end of the
length (or hit an invalid sequence) instead of one byte or character
at a time. This makes for a considerable speedup.
When the new-value element of the change-of-discrete choice contains context
tag zero, the tag content should be decoded as a BACnetDateTime. Closes #18747.
Use a consistent style for grammar rules.
Remove a comment that is too generic. The current code should
conform to how Python operates and does not need additional error
checking.
That reduces the number of get_progfile_dir() calls, leaving only the
calls that are done either to 1) get the pathname in order to display it
or 2) get the pathname in order to reset the library path.
That makes it easier to figure out which get_progfile_dir() calls are
made to find the directory in which (non-extcap) binaries from Wireshark
are installed and which - if any - are made to figure out the directory
in which *the currently-running executable* is stored. (Currently,
get_progfile_dir() attempts to get the former, not the latter, so
extcaps in an extcap subdirectory, for example, will get the parent
directory of that subdirectory, *not* the directory in which they were
installed.)
Different QUIC connections can be multiplexed on the same network
5-tuple. Handle this, including checking for Stateless Reset tokens
on all connections on the same 5-tuple.
Create a CONVERSATION_QUIC type using our internal QUIC connection
ID, and set the conversation elements so that subdissectors like
TLS that set conversation data only alter data for the one QUIC
connection instead of all multiplexed connections.
Various failures are expected, per RFC 9000, if zero-length connection
IDs are used when multiplexing connections on the same local IP addresses
and ports.
Fix #17099
When building using msvc implicit changes of the integer sizes in
fmt_dect_nwk_ipei are treated as error due to possible loss of
information.
This is now forecome by explicitly masking the shifted value to fit in
guint16 and by typecasting in calculation to guint16 (the maximum value
that needs to fit here is sum(x=1..x=12)(9x)=702).
Add basic dissection of S-Format elements MULTI-DISPLAY and
MULTI-KEYPAD. The dissector now holds information regarding control
characters of the DECT charset.
The value for Escaping to proprietary algorithm was wrong and the
Boolean field Y/N was registered using the wrong base, resulting in a
failed assertion during dissection
First steps in dissection of the LCE-PAGE-RESPONSE message. Basic
dissection for S-FORMAT information elements being mandatory or
optional in this message is included.
- Changed the encoding of certain options to their appropriate value, the old values caused compilation error on some machines
- Reverted change #1 in commit c7d3335110290886f6dd56fa640c8b0ca0b7fce5 which caused a packet malformation error due to a data item being read incorrectly.
- Certain lines had a mixture of tabs and spaces which prevented compilation on certain machines
- Replaced protocol abbreviation from mpdccp.mp_* to dccp_mp_* to solve PROTOABBREV error when building
- Changed proto_tree_add_unit to proto_tree_add_item, as suggested for the dissect feature option
- Changed conditional statements to switch case in for MP_ADDADDR
- List MP_OPT as a subtree with relevant MP_SEQ, ID Address and/or subflow.
- Fixed a compilation warning due to an except statement creating subtree for a nonexistent tree.
Previous implementation lacked MP_ADDADDR, MP_REMOVEADDR and had an outdated version of MP_PRIO.
Fixed a bug where the dissector had an incorrect offset of 1 byte, resulting in it incorrectly reading headers and data, sometimes resulting in malformed packets.
Have proto_item_fill_display_label (which is used for custom
columns resolved type and packet diagrams) use address_to_display
for FT_ETHER. This is resolved when name resolution for MAC
Addresses is enabled.
Add FT_ETHER to the list of types that, if present in a custom
column, has the GUI enable the checkbox to switch between "resolved"
and "unresolved" text.
This allows FT_ETHER custom columns to be displayed as either
resolved addresses or unresolved. (Note that to be displayed
as resolved, the column resolved option must be checked and
the name resolution preference enabled.)
Fix #18665
Fix some issues regarding custom columns near the maximum size:
Fix where when near the column limit, a comma was not being added
to separate a value but the first character of the next field was,
resulting in an invalid field.
Create the "result" and the "expr" (resolved and unresolved) separately
to address issue where for multifield custom columns of different
types, the "result" might be truncated without "expr" necessarily
being so. This created problems when concatenating the end of the
result to the expr for certain types later.
Avoid passing a NULL to snprintf for integer columns of BASE_NONE
of unexpected value.
Indicate when the custom column has been truncated, since after
commit e449b560c0 this string value is no longer
used to create the filter and is for display only. Also use
the label truncation function so that truncation is on UTF-8
boundaries.
Fix #17618
==207143==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f59752e0f00 at pc 0x7f5971cd0737 bp 0x7ffe881b1ef0 sp 0x7ffe881b1ee8
READ of size 4 at 0x7f59752e0f00 thread T0
#0 0x7f5971cd0736 in setup_rlc_mac_priv epan/dissectors/packet-gsm_abis_pgsl.c:194:8
#1 0x7f5971ccfc89 in dissect_gprs_data epan/dissectors/packet-gsm_abis_pgsl.c:357:3
#2 0x7f5971ccf6ea in dissect_abis_pgsl epan/dissectors/packet-gsm_abis_pgsl.c:477:3
#3 0x7f5974483daa in call_dissector_through_handle epan/packet.c:822:9
#4 0x7f5974478c05 in call_dissector_work epan/packet.c:920:9
If a field name has been written to the json dumper for
a bytes element (Base64), then a Base64 value must be written
later, even if the value is zero length.
Move the JSON_DUMPER_FLAGS_NO_DEBUG flag to the json_dumper header,
and use it in the protobuf dissector, so that errors in the JSON
dumper state transitions do not abort the application through a
ws_error() call. Use DISSECTOR_ASSERT in that case, since it should
happen only with a dissector bug (as with the zero bytes elements
issue fixed here), not with malformed packets.
Only instantiate the json_dumper and create its output string if
we intend on displaying its output, instead of doing so whenever
we have a message type name.
Fix #18730.
Previously the length was ignored and if a Sequence contains more than
one extension (in the ellipsis) then the value of the second was
wrongly added to the value of the previous one.
Once we have a full MCTP message, we can decode its type (including IC
field). This change adds type decode support, for the types present in
packet-mctp.h.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
This change adds support for trivially-encapsulated MCTP protocols,
starting with NCSI-over-MCTP.
We need to handle this slightly differently from the existing MCTP-based
protocols (MCTP control protocol and NVMe-MI), as the inner protocol is
unaware of the type byte and (optional) checksum trailer. So, add a new
dissector table, "mctp.encap-type" for these, meaning we can just hook
into the raw NC-SI dissector.
We also add the type definition for MCTP-over-ethernet, as defined in
the NCSI-over-MCTP specification.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
We have a few hard-coded MCTP type definitions in use (for MCTP control
protocol, and NVMe-MI) already, and we're about to add a couple more.
This change adds a header for packet-mctp, just with the type
definitions, and uses it for the current types.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Naming of variables, i.e. for header fields was inconsistent (dlc_ vs
dect_dlc_). This is now changed to use the abbreviation (dect_dlc_) on
all global places.
The DECT-DLC dissector now reassembles fragments before handing them
over to the NWK layer. Most of this is done by reusing the reassembly code
from packet-lapdm.c.
A few HS-DSCH conversations are created when calling add_hsdsch_bind,
such as when a RadioLinkReconfigurationPrepare procedure has
a id-HSDSCH-MACdFlows-to-Add element. This method should add
the CommunicationContextID to the conversation just like the
other ways of creating the conversation. This provides a UEID
for a unique key for RLC reassembly.
The notification context field was parsed as a 4-byte fixed-length field but is defined as type OcaBlob (variable length).
This fix parses the notification context as an OcaBlob parameter while maintaining the field `ocp1.context`.
Clear the object_identifier_id global at the beginning of
each QCStatement, in case the statementId BER has errors and
does not put a value in the ptr. (call_ber_oid_callback correctly
handles being passed a NULL.)
Fix #18552.
This adds BPv7 source and destination as first-class text addresses for the packet.
This fixes proto-data used for decode-as table editing outside of a layer.
In the case of RDP traffic, the conversation usually starts with 3 TPKT packets
and then switches to TLS. The SSL dissector was setting the conversation dissector
without specifying any start packet, which led to the first 3 packets being
interpreted as invalid SSL records (which they are, as they are TPKT packets). This patch
fixes this by specifying the first true SSL packet.
The RDPUDP protocol transports TLS or DTLS records, but as the payload of RDPUDP is small,
most of the time records are split over multiple RDPUDP packets. This patch adds
support for desegmentation in RDPUDP so that we interpret the results of the SSL
dissector and we can give back untreated content when dissecting the next packet.
AMD and UMD PDUs can be larger than 255 bytes, so the
offset should not be stored in a guint8. Otherwise,
the offset overflows and the last 256 bytes of the PDU
are added as an extra "fragment."
epan/dissectors/packet-usb-ccid.c filter= usbccid.dwFeatures.stopIccClk - mask has odd number of digits 0x100 expected max for FT_BOOLEAN is 8
epan/dissectors/packet-usb-ccid.c filter= usbccid.dwFeatures.nadValNot0accept - mask has odd number of digits 0x200 expected max for FT_BOOLEAN is 8
epan/dissectors/packet-usb-ccid.c filter= usbccid.dwFeatures.autoIfsd - mask has odd number of digits 0x400 expected max for FT_BOOLEAN is 8
display_extension_block is supposed to return the current offset,
not the number of bytes remaining. The number of bytes remaining
can be less than the current offset and cause an infinite loop.
In the case of an error, set lastheader and return the current
offset in order to break out of the main processing loop.
Fix #18711.
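The return-value contract described in the commit above, as an added example that is not Wireshark's code. The block layout (flags byte, length byte, payload), all names and the sample buffer are constructed; the caller-side forward-progress check goes beyond the fix the commit describes and shows how such a loop can detect a helper that returns bytes remaining instead of an offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_LAST 0x01  /* hypothetical "no more blocks" flag */

typedef size_t (*block_fn)(const uint8_t *buf, size_t len, size_t offset, int *last);

/* Correct contract: return the offset just past the block. On error, set
 * *last and return the current offset so the caller's loop ends. */
static size_t block_end_offset(const uint8_t *buf, size_t len, size_t offset, int *last)
{
    if (offset > len || len - offset < 2) { *last = 1; return offset; }
    uint8_t flags = buf[offset];
    uint8_t plen = buf[offset + 1];
    if (plen > len - offset - 2) { *last = 1; return offset; }
    if (flags & FLAG_LAST)
        *last = 1;
    return offset + 2 + plen;
}

/* Broken contract: returns the number of bytes remaining after the block. */
static size_t block_bytes_remaining(const uint8_t *buf, size_t len, size_t offset, int *last)
{
    if (offset > len || len - offset < 2) { *last = 1; return offset; }
    uint8_t flags = buf[offset];
    uint8_t plen = buf[offset + 1];
    if (plen > len - offset - 2) { *last = 1; return offset; }
    if (flags & FLAG_LAST)
        *last = 1;
    return len - (offset + 2 + plen);
}

/* Walk the chain from start. Returns the number of complete blocks, or -1
 * if the helper failed to advance the offset (the loop would never end). */
static int walk_blocks(block_fn fn, const uint8_t *buf, size_t len,
                       size_t start, size_t *end)
{
    size_t offset = start;
    int last = 0, blocks = 0;

    while (!last) {
        size_t next = fn(buf, len, offset, &last);
        if (!last && next <= offset) { *end = offset; return -1; }
        if (next > offset)
            blocks++;
        offset = next;
    }
    *end = offset;
    return blocks;
}

/* Constructed sample: 4-byte fixed header, then three 4-byte blocks. */
static const uint8_t SAMPLE[16] = {
    0xAA, 0xBB, 0xCC, 0xDD,
    0x00, 0x02, 0x11, 0x22,
    0x00, 0x02, 0x33, 0x44,
    FLAG_LAST, 0x02, 0x55, 0x66,
};

int main(void)
{
    size_t end;
    printf("fixed:  %d blocks\n", walk_blocks(block_end_offset, SAMPLE, 16, 4, &end));
    printf("broken: %d\n", walk_blocks(block_bytes_remaining, SAMPLE, 16, 4, &end));
    return 0;
}
```

Without the progress check, the broken helper sends the offset from 4 to 8 and back to 4 indefinitely on this input.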
3GPP TS 25.427 and TS 25.435 both say that the Payload CRC IE
may only be present if the frame contains payload for E-DCH
frames, even where the setup of the transport bearer indicated
that the CRC would be present otherwise. So if there's no payload
and the CRC is missing, treat that as missing-but-expected rather
than marking the packet as malformed.
Take the opportunity to switch to proto_tree_add_checksum, which
handles all the various cases. Ping #8859
Set the direction based on request type in a similar manner as is done
for other URB types, i.e. set source to host on URB submit. Correctly
set bus number based on locationID upper 8 bits.
Fixes #16768
IEEE 802.11-2020, Section 12.4.7.6 says that an SAE Confirm message,
with a status code not equal to SUCCESS, shall indicate that a peer
rejects a previously sent SAE Confirm message. In this case, the Confirm
message may not carry a Send-Confirm field or a Confirm field, as
hostapd does. So we simply ignore possible fields following Status code.
Signed-off-by: Chien Wong <m@xv97.com>
Use tvb_find_guint8 and tvb_ws_mepbrk to find the
token boundaries for www-form-urlencoded. Use tvb_memcpy
to copy groups of bytes that don't have special characters
like + or %.
This is considerably more optimized (e.g. find_guint8 uses
memchr) than the naive loop, and speeds up the relevant part
by up to 10x.
Also handle cases where value is empty and there is no =
by splitting on &, instead of looking for the next =.
Together with bd1f2cc996, fix #13779.