- Fix a few minor bugs;
- Remove unneeded #includes;
- Do some whitespace/long_lines formatting changes.
Change-Id: I97239fa20727498604682239cda0e1b87b10f4bc
Reviewed-on: https://code.wireshark.org/review/3434
Petri-Dish: Bill Meier <wmeier@newsguy.com>
Reviewed-by: Bill Meier <wmeier@newsguy.com>
Other minor cleanup while in the area.
Change-Id: Id8d957d3d68a2e3dd5089f490bd59d773e1be967
Reviewed-on: https://code.wireshark.org/review/3427
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This is the first version of a Ceph dissector. It is not complete but
is far enough along to be helpful to many people working with Ceph.
Currently the dissector can fully dissect the Ceph protocol and has
support for full dissection of most common messages. For the other
messages for which full dissection is not available their metadata is
parsed and shown along with the raw data of the different message
sections.
Change-Id: Ic7917a3d01148c6fe2f9ea2c13ecd09ecc06c2d7
Reviewed-on: https://code.wireshark.org/review/1889
Reviewed-by: Bill Meier <wmeier@newsguy.com>
MySQL Response packets within an SSL stream are not correctly decoded.
When not using SSL:
- Decoding works
- Multiple MySQL protocol entries per frame
- Info==Response
With SSL:
- Decoding partly works
- One MySQL protocol entry per frame
- Info==Response Tabular
From me:
call dissect_mysql (with tcp_dissect_pdus..) and not dissect_mysql_pdu !
Bug: 10339
Change-Id: I253f6683105ed23b49a72865fea005e31e2594d8
Reviewed-on: https://code.wireshark.org/review/3412
Reviewed-by: Evan Huus <eapache@gmail.com>
Bug: 10282
Change-Id: Id3e53c53d024a74df0dfb5254e26d4594eb2e9a4
Reviewed-on: https://code.wireshark.org/review/3036
Reviewed-by: Michael Mann <mmann78@netscape.net>
The version of GCC on the OS X 32-bit buildbot isn't smart enough to
figure out that this can't happen (it's one of those "if (xxx) foo =
bar; ... if (xxx) use foo;" cases.)
Change-Id: I04fef2d602c913761ae7832c4f568aaaad398c87
Reviewed-on: https://code.wireshark.org/review/3390
Reviewed-by: Guy Harris <guy@alum.mit.edu>
glib casts the result to glong for no apparent reason (has anybody ever defined
a structure of more than 2^32 bytes?) which was causing a whole bunch of useless
64-to-32-bit conversion warnings.
Change-Id: I70305fb3b03332bb876023acdd107eb1e95fea27
Reviewed-on: https://code.wireshark.org/review/3383
Reviewed-by: Evan Huus <eapache@gmail.com>
Change-Id: I398e9cf4f6882e76644aa758e12c39a39159e95f
Reviewed-on: https://code.wireshark.org/review/3319
Petri-Dish: Michael Mann <mmann78@netscape.net>
Petri-Dish: Evan Huus <eapache@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: Ib6024307e85d6c23decf40e9759f549c19ffe136
Reviewed-on: https://code.wireshark.org/review/3318
Petri-Dish: Michael Mann <mmann78@netscape.net>
Petri-Dish: Evan Huus <eapache@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This patch avoids the following warning with `clang -fsanitize=undefined`:
epan/dissectors/packet-lbtrm.c:1519:36: runtime error: member access within null pointer of type 'lbtrm_hdr_t'
Change-Id: I973caf92547f5d16c0de20908b2b3fbc09227df0
Reviewed-on: https://code.wireshark.org/review/3313
Reviewed-by: Evan Huus <eapache@gmail.com>
The shift `(gint32)0xFF << 24` invokes undefined behavior as it may not
fit in a signed integer. Fix this by explicitly casting 0xFF as
unsigned. Caught by `clang -fsanitize=undefined`.
While at it, convert to tvb_captured_length and add modelines.
Change-Id: I241ff8ed91815369ec0c19719750cee4b6b12343
Reviewed-on: https://code.wireshark.org/review/3311
Reviewed-by: Evan Huus <eapache@gmail.com>
Presumably that was added for tap purposes, but packet-scope is much simpler and
less dangerous. Noticed while investigating the scan-build issues with
stack-local variables being pointed to by globals.
Change-Id: I851d756b103df71079b656e624f7472354c15862
Reviewed-on: https://code.wireshark.org/review/3290
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
If the tvb contained too little data,
ssl_dissect_hnd_hello_ext_session_ticket would then allocate
session_ticket, but not initialize the contents. Fix this by adding a
check for the TVB length.
The same is done for ssl_dissect_hnd_new_ses_ticket. That might, or
might not, be necessary as proto_tree_add_item() is called with the
range. When tree is NULL, ssl is usually NULL too. For clarity (and to
avoid surprises in the future), add it anyway.
Bug: 10330
Change-Id: I469e97542542aaef4cbd660086bedf92ba1c0b6e
Reviewed-on: https://code.wireshark.org/review/3309
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This lets us blow up with oversized 64-bit length values, before casting
them to the 31-bit lengths we can actually handle in Wireshark, rather
than blindly casting them with weird results.
Use that in the MySQL dissector, and, if we get past the test, cast the
lengths to int to squelch warnings.
Change-Id: I3a5e9bd0027fa4ddcb9622f77952dba8f6b23c27
Reviewed-on: https://code.wireshark.org/review/3362
Reviewed-by: Guy Harris <guy@alum.mit.edu>
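A sketch of the check-before-narrowing pattern the commit message above describes, applied to a MySQL length-encoded integer. This is an added example, not Wireshark's code: `read_lenenc` and `checked_length` are hypothetical names, and errors are returned as codes instead of being raised as dissector exceptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a MySQL length-encoded integer from buf[0..avail). Returns the
 * number of bytes consumed, or 0 if the buffer is too short or the prefix
 * byte does not introduce a length (0xfb = NULL, 0xff). */
size_t read_lenenc(const uint8_t *buf, size_t avail, uint64_t *value)
{
    size_t n, i;
    if (avail == 0) return 0;
    if (buf[0] < 0xfb) { *value = buf[0]; return 1; }
    switch (buf[0]) {
    case 0xfc: n = 2; break;
    case 0xfd: n = 3; break;
    case 0xfe: n = 8; break;
    default:   return 0;
    }
    if (avail < 1 + n) return 0;
    *value = 0;
    for (i = 0; i < n; i++)                      /* little-endian payload */
        *value |= (uint64_t)buf[1 + i] << (8 * i);
    return 1 + n;
}

/* Validate the length while it is still 64 bits wide, then narrow it.
 * Returns 0 on success, -1 if the value does not fit a non-negative int
 * or exceeds the bytes remaining in the packet. */
int checked_length(uint64_t wire_len, size_t remaining, int *out)
{
    if (wire_len > (uint64_t)INT_MAX) return -1;
    if (wire_len > remaining) return -1;
    *out = (int)wire_len;
    return 0;
}

/* Constructed sample: 0xfe prefix carrying 0x0000000100000005. A blind
 * 32-bit cast would silently turn this into a length of 5. */
const uint8_t oversized[] = { 0xfe, 5, 0, 0, 0, 1, 0, 0, 0 };

int main(void)
{
    uint64_t v = 0;
    int len = 0;
    size_t used = read_lenenc(oversized, sizeof oversized, &v);
    printf("used=%u wire=%llu blind=%d checked=%d\n", (unsigned)used,
           (unsigned long long)v, (int)(uint32_t)v, checked_length(v, 64, &len));
    return 0;
}
```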
(this problem showed up in an APDU with two 16bit application ids)
Change-Id: Ie4842181b19db984a693534144fac5e91b217b34
Reviewed-on: https://code.wireshark.org/review/3358
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
I don't think it's an actual issue, but the new compiler on the mac buildbots
isn't smart enough to tell that.
Change-Id: I759e1afe9c4011d5612be0d15282076be6f5a331
Reviewed-on: https://code.wireshark.org/review/3355
Reviewed-by: Evan Huus <eapache@gmail.com>
What mystical new compiler upgrade is this?
Change-Id: I89b3bfb53b9a19bbfb1cc8339d38cdc4a4652c62
Reviewed-on: https://code.wireshark.org/review/3347
Reviewed-by: Evan Huus <eapache@gmail.com>
Before, several management packets were dissected incorrectly as
EPHandleDeleteReq's. Now they are dissected with the generic management
packet dissector.
Change-Id: Id2f0951b91b99ba2340ff77c6285f382436788ef
Reviewed-on: https://code.wireshark.org/review/3328
Reviewed-by: Evan Huus <eapache@gmail.com>
According to RFC 1323, the window scale shift value must not exceed 14.
Detect this and cap at 14 to prevent undefined behavior (shifting by a
too large value).
Caught by `clang -fsanitize=undefined`.
Change-Id: I1acad252b86c7f23e497575b48d9496346327e00
Reviewed-on: https://code.wireshark.org/review/3312
Reviewed-by: Michael Mann <mmann78@netscape.net>
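The cap described in the commit message above, shown inside a small TCP options walker. This is an added example, not Wireshark's code: the function names and the sample option bytes are constructed for illustration, and it goes slightly beyond the message by also validating option lengths.

```c
#include <stdint.h>
#include <stdio.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_WSCALE = 3, MAX_WSCALE = 14 };

/* Walk a TCP options block and return the window scale shift, capped at
 * MAX_WSCALE. Returns -1 if the option is absent or the block is malformed;
 * *capped is set to 1 when the peer sent a value above the RFC 1323 limit. */
int find_wscale(const uint8_t *opts, size_t len, int *capped)
{
    size_t off = 0;
    *capped = 0;
    while (off < len) {
        uint8_t kind = opts[off], olen, shift;
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { off++; continue; }
        if (off + 1 >= len) return -1;                /* no length byte */
        olen = opts[off + 1];
        if (olen < 2 || olen > len - off) return -1;  /* runs past the end */
        if (kind == TCPOPT_WSCALE) {
            if (olen != 3) return -1;
            shift = opts[off + 2];
            if (shift > MAX_WSCALE) { *capped = 1; shift = MAX_WSCALE; }
            return shift;
        }
        off += olen;
    }
    return -1;
}

/* Scale the 16-bit header window. The shift is range-checked again here so
 * the function stays defined even when handed an unvalidated value. */
uint32_t scaled_window(uint16_t window, int shift)
{
    if (shift < 0) shift = 0;
    if (shift > MAX_WSCALE) shift = MAX_WSCALE;
    return (uint32_t)window << shift;
}

/* Constructed sample: MSS option, NOP, then window scale = 200. */
const uint8_t sample_opts[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 200 };

int main(void)
{
    int capped, shift = find_wscale(sample_opts, sizeof sample_opts, &capped);
    printf("shift=%d capped=%d window=%u\n", shift, capped,
           (unsigned)scaled_window(0xFFFF, shift));
    return 0;
}
```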
As clang pointed out we end up storing a reference to it in a global and (more
relevantly) pushing that global to a tap which would run after the current frame
has returned.
Thanks to Alexis for bringing this to my attention.
Change-Id: I3aac43a806d217b0dc8a973f6bb2fa48cdd041bb
Reviewed-on: https://code.wireshark.org/review/3289
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: Ic7755a7756589167b4fea5cf42a21419f59ecdae
Reviewed-on: https://code.wireshark.org/review/3301
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Change-Id: Iffd5d81dde15eba12511dc89664d7ea06a70436f
Reviewed-on: https://code.wireshark.org/review/3300
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
transfer type in the endpoint descriptor
Change-Id: I9e23d9825efb30311cd3e04d01548c03b163c276
Reviewed-on: https://code.wireshark.org/review/3299
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Patch "ssl,dtls: simplify keyfile handling" did not account for the use
case where packets are captured and decrypted on the fly using
SSLKEYLOGFILE.
This patch restores that functionality by reading additional lines from
the keylog file when needed (to preserve the benefit of not having to
read the full file) and by watching the open file for deletions.
"Deletion" is detected by comparing st_dev and st_ino. Since these may
be useless on Windows, the size is also checked.
Change-Id: Ieadaef1426a9270587293db28f4dda33b3d17334
Reviewed-on: https://code.wireshark.org/review/3190
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Evan Huus <eapache@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
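One way to detect that an open key log file has been deleted or replaced, following the st_dev/st_ino comparison the commit message above describes. This is an added example for POSIX systems, not Wireshark's code: the function names and file names are hypothetical, and treating "size smaller than the current read position" as the size check is an assumption.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Returns 1 if the file now at `path` is no longer the one open as `fp`
 * (deleted, replaced, or shrunk below the read position), 0 if it is the
 * same file and the caller can keep reading newly appended lines. */
int keylog_was_replaced(const char *path, FILE *fp)
{
    struct stat open_st, path_st;
    long pos = ftell(fp);
    if (fstat(fileno(fp), &open_st) != 0) return 1;
    if (stat(path, &path_st) != 0) return 1;              /* path is gone */
    if (open_st.st_dev != path_st.st_dev ||
        open_st.st_ino != path_st.st_ino) return 1;       /* other file */
    if (pos < 0 || (off_t)pos > path_st.st_size) return 1; /* truncated */
    return 0;
}

/* Demonstration on constructed files in the current directory: records the
 * result before and after another file is renamed over the key log path. */
int keylog_demo(int *before, int *after)
{
    const char *path = "keylog_demo.txt", *tmp = "keylog_demo.new";
    FILE *fp, *nf;
    if (!(fp = fopen(path, "w+"))) return -1;
    fputs("CLIENT_RANDOM <constructed> <constructed>\n", fp);
    fflush(fp);
    *before = keylog_was_replaced(path, fp);
    if (!(nf = fopen(tmp, "w"))) { fclose(fp); return -1; }
    fclose(nf);
    if (rename(tmp, path) != 0) { fclose(fp); return -1; }
    *after = keylog_was_replaced(path, fp);
    fclose(fp);
    remove(path);
    return 0;
}

int main(void)
{
    int before = -1, after = -1;
    if (keylog_demo(&before, &after) != 0) return 1;
    printf("before=%d after=%d\n", before, after);
    return 0;
}
```

The demo replaces the file with `rename` instead of delete-and-recreate because a file system may hand the same inode number to the recreated file, which is the case the extra size check is there to catch.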
Previously, the keylog file would be fully parsed when an encrypted
pre-master secret is encountered or in the ChangeCipherSpec stage. There
was also a lot of duplication in the key logfile parsing.
This patch simplifies the key logfile parsing by using regular
expressions. Rather than scanning the key logfile for a specific key,
do this scan once at ssl init and save the results to a hashtable. The
map for session ID/tickets to master keys already existed, another one
for client random to master key and encrypted pre-master to pre-master
was added. This could later also be wired to the "Export SSL Keys"
menu item for improved reliability (when no session ID or tickets are
available, the client random could be used).
The ssl_{save,restore}_session{,_ticket} functions have been converted
to a single function that looks up a key (sid / client random / encr.
pre-master) to a (pre-)master secret.
Other minor changes: return booleans for some functions that can only
fail/pass. Remove some functions from the ssl-utils header that have
become private a few commits ago. Remove some outstanding issues
from the comments in packet-ssl as they are already done, add myself
to the ssl-utils header.
These changes pass the test suite and the sample Session Ticket-enabled
capture from https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5963
On-the-fly decryption is broken with this patch since keylog files are
read once at the start of a capture. This will be solved in a future
patch.
Change-Id: Idb343abe161950b5f3ff61bee093d0f4ef9655bd
Reviewed-on: https://code.wireshark.org/review/3057
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Evan Huus <eapache@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Also make dissector "new style" using its already built-in basic heuristics.
Change-Id: I8b9b02d1f32cec96a1104c99647795d6fbda4804
Reviewed-on: https://code.wireshark.org/review/3275
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
ssl_print_string uses out->data_len to determine the length of the
printed data, but this was not set. Use ssl_data_set for that and add an
additional DISSECTOR_ASSERT just in case we change something here.
Reported by Alexis La Goutte, found by Clang static analyzer.
Change-Id: I630a9193ff1ece86a0a46924dd86591fedf5c595
Reviewed-on: https://code.wireshark.org/review/3261
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
I intentionally left the fields displayed alone (so they don't exactly match Wireshark GUI), because as Guy points out in bug 6310, not sure it's A Bug or A Feature. But at least all types of conversations allowed are in sync with Wireshark GUI.
Bug: 6310
Change-Id: I722837df510a39dadc1f9a07a99275509516698c
Reviewed-on: https://code.wireshark.org/review/3212
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I81e43fac5176fdd0805001636991efb7f588a3c0
Reviewed-on: https://code.wireshark.org/review/3252
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
Change-Id: Icefbaf632e888e84bcb2cc20ae3a6c4744b82fae
Reviewed-on: https://code.wireshark.org/review/3251
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Martin Kaiser <wireshark@kaiser.cx>
There are two cases:
1. btl2cap -> btrfcomm -> btobex
2. btl2cap -> btobex
Case 2 is rare, so according to its name and to avoid confusion
I based on it.
Bug: 10316
Change-Id: Ibeabeaf2f8376425460c56bad8fb980b460dd940
Reviewed-on: https://code.wireshark.org/review/3225
Reviewed-by: Evan Huus <eapache@gmail.com>