Fix
==10365== Conditional jump or move depends on uninitialised value(s)
==10365== at 0x81514B4: get_hfi_length (epan/proto.c:5981)
==10365== by 0x815A0A5: proto_tree_add_pi (epan/proto.c:5953)
==10365== by 0x815F41B: proto_tree_add_uint64 (epan/proto.c:5542)
==10365== by 0x6BF362C: dissect_msg_tag (epan/dissectors/packet-cose.c:462)
==10365== by 0x6BF1A27: dissect_cose_mac (epan/dissectors/packet-cose.c:656)
==10365== by 0x813511A: call_dissector_through_handle (epan/packet.c:757)
==10365== by 0x8130E58: call_dissector_work (epan/packet.c:850)
==10365== by 0x8131604: dissector_try_string_new (epan/packet.c:1751)
==10365== by 0x8131686: dissector_try_string (epan/packet.c:1776)
==10365== by 0x6BD8C60: dissect_coap_payload (epan/dissectors/packet-coap.c:1115)
==10365== by 0x6BDAD34: dissect_coap_message (epan/dissectors/packet-coap.c:1403)
==10365== by 0x6BD8ECB: dissect_coap (epan/dissectors/packet-coap.c:1526)
==10365==
==10365== Conditional jump or move depends on uninitialised value(s)
==10365== at 0x81517EC: get_hfi_length (epan/proto.c:6115)
==10365== by 0x815A0A5: proto_tree_add_pi (epan/proto.c:5953)
==10365== by 0x815F41B: proto_tree_add_uint64 (epan/proto.c:5542)
==10365== by 0x6BF362C: dissect_msg_tag (epan/dissectors/packet-cose.c:462)
==10365== by 0x6BF1A27: dissect_cose_mac (epan/dissectors/packet-cose.c:656)
==10365== by 0x813511A: call_dissector_through_handle (epan/packet.c:757)
==10365== by 0x8130E58: call_dissector_work (epan/packet.c:850)
==10365== by 0x8131604: dissector_try_string_new (epan/packet.c:1751)
==10365== by 0x8131686: dissector_try_string (epan/packet.c:1776)
==10365== by 0x6BD8C60: dissect_coap_payload (epan/dissectors/packet-coap.c:1115)
==10365== by 0x6BDAD34: dissect_coap_message (epan/dissectors/packet-coap.c:1403)
==10365== by 0x6BD8ECB: dissect_coap (epan/dissectors/packet-coap.c:1526)
and
==10365== Conditional jump or move depends on uninitialised value(s)
==10365== at 0x748EB90: hash_by_guid (epan/dissectors/packet-rtps.c:6006)
==10365== by 0xC522FD5: wmem_map_lookup (wsutil/wmem/wmem_map.c:264)
==10365== by 0x74A2E33: rtps_util_detect_coherent_set_end_empty_data_case (epan/dissectors/packet-rtps.c:3294)
==10365== by 0x74A1054: dissect_RTPS_DATA (epan/dissectors/packet-rtps.c:10829)
==10365== by 0x748E606: dissect_rtps_submessage_v2 (epan/dissectors/packet-rtps.c:12064)
==10365== by 0x748DFBE: dissect_rtps_submessages (epan/dissectors/packet-rtps.c:12439)
==10365== by 0x74A3FC9: dissect_rtps (epan/dissectors/packet-rtps.c:12357)
==10365== by 0x748EDD2: dissect_rtps_udp (epan/dissectors/packet-rtps.c:12459)
==10365== by 0x81334CA: dissector_try_heuristic (epan/packet.c:2864)
==10365== by 0x76A8FF6: decode_udp_ports (epan/dissectors/packet-udp.c:712)
==10365== by 0x76AB875: dissect (epan/dissectors/packet-udp.c:1267)
==10365== by 0x76A9DAD: dissect_udp (epan/dissectors/packet-udp.c:1273)
Fixes #18785
This parameter was introduced as a safeguard for bugs
that generate an unbounded string but its utility for
that purpose is doubtful and the way it is being used
creates problems with invalid truncation of UTF-8
strings.
Rename wmem_strbuf_sized_new() with a better name.
Have a "CoAP for TMF" dissector that the user can use Decode As to
assign to a UDP port.
Have a "coap_tmf_media_type" dissector table in which the TMF code can
register itself for the media type "application/octet-stream".
Have the "CoAP for TMF" dissector pass a "this is for TMF" flag to the
common dissection code. In the common dissection code, if that flag is
set, first try the media type with the "coap_tmf_media_type" dissector
table before trying it in the regular "media_type" table.
This allows a user to specify UDP ports that 1) should be decoded as
CoAP and 2) should have an application/octet-stream payload dissected as
a TMF message, which should address concerns raised for Thread in issue
As noted in the comment for e5951765d8,
mechanisms by which a dissector can attempt to infer the protocol over
which its protocol was transported aren't reliable.
To add to that, another failure case for inferring it from the previous
entry in the pinfo->layers list is a packet transported over TCP using
MPTCP, as the previous entry would be MPTCP, not TCP.
So we provide multiple CoAP dissectors:
- CoAP over WebSockets;
- CoAP over TCP, TLS, or other byte-stream protocols;
- CoAP over other transports;
and have them pass the transport type to a common dissection routine.
We then register the appropriate dissectors in various dissector tables,
and register the CoAP-over-other-transports dissector as the "coap"
dissector.
A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint. Distinguish between
conversations and endpoints.
Only use value of Content-Format to dissect the content in the
current packet. Accept is used to tell which format is expected
in the reply.
Fixes: #17536
As requested [here][1], help with replacing calls to
`wmem_packet_scope()` with references to `pinfo->pool`.
My principles were:
* Plugins chosen semi-randomly.
* When a calling function already has a `pinfo` argument, just use that.
* Remove `_U_` from its signature if it was there.
* Don't go more than 2 or 3 levels deep of changing signatures.
* If a function is clearly allocing memory to return, change the
function signature to take a `wmem_allocator_t *`. Otherwise, either
that or take a `packet_info *` as seems to make sense.
* No mention of `wmem_packet_scope()` should remain in the files I've
touched.
* I didn't always succeed at this, but I made a dent.
[1]: https://www.wireshark.org/lists/wireshark-dev/202107/msg00052.html
This header was installed incorrectly to epan/wmem_scopes.h.
Instead of creating additional installation rules for a single
header in a subfolder (kept for backward compatibility) just
rename the standard "epan/wmem/wmem.h" include to
"epan/wmem_scopes.h" and fix the documentation.
Now the header is installed *correctly* to epan/wmem_scopes.h.
Only do retransmission detection for CON and NON type messages.
Change-Id: I5b5d93800918a98d4d321d1dcd0f3090b485ba9e
Reviewed-on: https://code.wireshark.org/review/37842
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The M bit is used in Block1 Option in a request and in Block2 Option
in a response. Use this to determine when to prefix the block number
information with "End of".
Change-Id: I11c741b15f97f68d668d6cbec97660a6ea392dc1
Reviewed-on: https://code.wireshark.org/review/37629
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add items for block_payload and block_length to be used for block
analysis when reassembly is not complete.
Change-Id: I969cac9a50903431c727a2fc424eca464f0167d7
Reviewed-on: https://code.wireshark.org/review/37622
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Any private or vendor-specific options are not invalid, so mark them
as unknown. Move expert info to option entry. Add the unknown option
number to the item.
Change-Id: I567c397787d4afddffdca407a8c2e39db828ab83
Reviewed-on: https://code.wireshark.org/review/37562
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use the raw value for the block "More Flag", not the already adjusted one.
Change-Id: I13ddd24c4f9b9201798d18abe008945879f03774
Reviewed-on: https://code.wireshark.org/review/37442
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
-Update dissection of the OSCORE option.
-Enable zero-length Sender and Recipient ID.
-Add ID Context field in preferences.
-Update context derivation to rfc8613.
-Extend context lookup to include ID context.
-Fix Observe responses.
Bug: 16585
Change-Id: Ib9823a54cf535be3559e1c41a19b8b612458777f
Reviewed-on: https://code.wireshark.org/review/37314
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Do not assume that having a TCP port means that CoAP is running directly
over TCP: this is not the case with MQTT for example (see bug 14591 for
a capture). Instead explicitly check that the parent dissector is TCP or
TLS.
Bug: 15910
Change-Id: Ib4880623b8525fe6be52a685397005eac86da135
Reviewed-on: https://code.wireshark.org/review/35879
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The current implementation assumes a wrong OSCORE option type
"21". RFC 8613 was released in July 2019 and defines an OSCORE option
type of "9". See: https://tools.ietf.org/html/rfc8613#section-2
Change-Id: I5fea8dffc2d1586f891b2b3b9fa42183b138e0ab
Reviewed-on: https://code.wireshark.org/review/35163
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- switch from tcp_dissect_pdus() to pinfo based reassembly as the header
size is variable
- use the proper message length when dissecting the payload
- reuse the conversation from the TCP dissector instead of creating a new
one and breaking the TCP analysis
Ping-Bug: 15910
Change-Id: Ie2689363a01343bbb45cba6a48ce3475521954ec
Reviewed-on: https://code.wireshark.org/review/34987
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The observe option has different values for request and response. For
request it identifies register or deregister, and for response it is a
sequence number for reordering detection. RFC 7641 chapter 2.
Change-Id: I09515864997a32f7259e344532ea770b74030b04
Reviewed-on: https://code.wireshark.org/review/34368
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Use both Token and Message ID in request/response tracking and retransmission
detection. The token is the same when using observables but the message id is
increasing.
Change-Id: I545416ce139328e6a8eb67258d7b51bddb6b278e
Reviewed-on: https://code.wireshark.org/review/34367
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Support is limited to message framing.
Bug: 15910
Change-Id: Ia27c0b8428842618af00720441a9ef9cf163fecb
Reviewed-on: https://code.wireshark.org/review/34001
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Show as expert info and in info column. Link to first request/response.
Change-Id: I990d9a5aec5904dabe22bcb103426a8549cef31b
Reviewed-on: https://code.wireshark.org/review/32615
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In frame 121, piv_len was 1 while piv was NULL. Ensure that both piv and
piv_len are reset to avoid this. Adjust another check to ensure that piv
and piv_len are in sync (probably not necessary, but it seems the
intention).
Bug: 15172
Change-Id: If8636d32f3273d6707749c807bd7d676ca9ab96d
Fixes: v2.5.2rc0-9-g830ea5731a ("CoAP: Hooks to OSCORE")
Reviewed-on: https://code.wireshark.org/review/30100
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In the long run, we'd like to remove the time stamp from the frame_data
structure, as, in Wireshark, and in TShark in two-pass mode, there's one
allocated for every frame in the file, and shrinking the size of that
structure reduces the memory usage.
This removes one obstacle to that.
Change-Id: Ia8f87522cd974555c57e0ac1e742b097e8b0f2fc
Reviewed-on: https://code.wireshark.org/review/29881
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Change from proto_tree_add_string() to proto_tree_add_item() for strings
which are fetched from the packet.
Change-Id: Iae6538977b2ecf69f83c62b47ac02198f5f09d54
Reviewed-on: https://code.wireshark.org/review/29348
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This change was based on an incomplete/incorrect implementation of
LwM2M and is not correct because the payload encoding is mandatory
in the response.
This reverts commit 46fcf452ac.
This reverts commit b1e0cb01b3.
Change-Id: I89ae1f84e2735ad049a0f7c9045175940bed25cb
Reviewed-on: https://code.wireshark.org/review/27770
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Add one fixed table for OMA (Normative) defined resource names and
one table for user defined resource names. All resources are identified
by an object ID and a resource ID.
Show number of elements in arrays instead of number of bytes.
Next iteration will add proper hf entries for OMA elements.
Change-Id: I4d6c053a7c448cc65692ba1d1e92a2033ff3b397
Reviewed-on: https://code.wireshark.org/review/27551
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
A use-after-free is possible through the following path:
    // returns wmem_packet_scope() memory
    coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");
    // leaks packet scoped memory into conversation
    coap_trans = wmem_new0(wmem_file_scope(), coap_transaction);
    coap_trans->req_ctype_str = coinfo->ctype_str; // <-- oops
    // next packet: use-after-free of packet scoped memory
    coinfo->ctype_str = coap_trans->req_ctype_str;
This could be fixed by duplicating "ctype_str" with wmem_file_scope, but
since all "ctype_str" strings are constant, make the problematic
"ctype_str" assignment also constant for unknown types (the numeric type
is also stored in "ctype_value" if necessary).
Change-Id: I6249e076fa282bbe0982b8c709788e27f6fdf86e
Fixes: v2.9.0rc0-317-g46fcf452ac ("coap: Store ctype values in transaction tracking")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8196
Reviewed-on: https://code.wireshark.org/review/27477
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
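The lifetime bug described in the commit message above, as an added example that is not Wireshark code: a toy packet-scoped pool shows why a pointer saved into longer-lived transaction data goes stale once the packet ends, and why a constant string does not. The names `pool_strdup`, `end_of_packet`, `struct transaction`, `ctype_str_before`, `ctype_str_after` and `survives_next_packet` are hypothetical, and the replacement string "Unknown Type" is an assumed wording.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a packet-scoped pool: one static buffer that is wiped when
 * a packet ends. Static storage keeps the stale read below well-defined. */
static char pool[64];
static size_t pool_used;
static char *pool_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    if (pool_used + n > sizeof pool) return NULL;
    char *p = memcpy(pool + pool_used, s, n);
    pool_used += n;
    return p;
}

static void end_of_packet(void) {
    memset(pool, 'X', sizeof pool - 1);  /* poison; final byte stays NUL */
    pool_used = 0;
}
struct transaction { const char *req_ctype_str; };  /* outlives one packet */
/* Before: unknown types are formatted into packet-scoped memory. */
static const char *ctype_str_before(unsigned v) {
    char tmp[32];
    if (v == 0) return "text/plain";     /* constructed known-type entry */
    snprintf(tmp, sizeof tmp, "Unknown Type %u", v);
    return pool_strdup(tmp);
}

/* After: constant for unknown types too (wording assumed); number kept apart. */
static const char *ctype_str_after(unsigned v) {
    return v == 0 ? "text/plain" : "Unknown Type";
}

/* 1 if the saved string is intact at the next packet, 0 if it went stale. */
static int survives_next_packet(const char *(*lookup)(unsigned), unsigned v) {
    struct transaction trans;
    char expect[32];
    end_of_packet();                          /* start from an empty pool */
    trans.req_ctype_str = lookup(v);          /* request packet */
    snprintf(expect, sizeof expect, "%s", trans.req_ctype_str);
    end_of_packet();                          /* packet scope is released */
    pool_strdup("data from the next packet"); /* pool gets reused */
    return strcmp(trans.req_ctype_str, expect) == 0;
}
int main(void) {
    printf("before=%d ", survives_next_packet(ctype_str_before, 9999));
    printf("after=%d\n", survives_next_packet(ctype_str_after, 9999));
    return 0;
}
```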
Transfer ctype values from GET request to response to be able
to decode the payload correctly.
Change-Id: Ida7598aefbd3f245dd487d50562539395f130ac4
Reviewed-on: https://code.wireshark.org/review/27163
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
Add support for decrypting Observe responses with Partial IV within the
response. CoAP prioritizes the Partial IV from the response if present,
if not it passes Partial IV from the corresponding request.
Bug: 14417
Change-Id: Icb0f782de67bd0507db4f1f2a2ea90c72a4b6f0a
Reviewed-on: https://code.wireshark.org/review/25483
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
OSCORE plaintext contains CoAP code, some CoAP options and CoAP payload.
To avoid code duplication, CoAP dissection of these fields used by
OSCORE is generalized and exported in packet-coap.h. Exported functions
and their subroutines now operate explicitly on local variables. This
allows OSCORE dissector to pass its header fields.
Use of "offset_end" instead of "coap_length" to denote the end of
message.
Bug: 14417
Change-Id: If51b0d585ab29d46c1c550fbf264fd3765ed4c32
Reviewed-on: https://code.wireshark.org/review/25482
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Structure oscore_info_t carries parameters needed by OSCORE for
decryption. These parameters are communicated in the CoAP layer within
the Object-Security option. To decrypt a response, OSCORE needs the
parameters from the corresponding request. Matching of responses to
requests on the CoAP layer is leveraged to pass the correct parameters
to OSCORE. This change adds an oscore_info_t pointer to coap_info and
coap_transaction structures in order to pass the parameters on to the
OSCORE dissector. Dissection of Object-Security option is reworked to
make use of the new coap_info element, instead of relying on local
variables.
Bug: 14417
Change-Id: I173057ba95407675aaa539ddbff51d02337551bc
Reviewed-on: https://code.wireshark.org/review/25481
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This field is generated so mark it so. It may also be usable so
make it visible.
Change-Id: I10d951f234f1fba240059bc791b40d25dede07a9
Reviewed-on: https://code.wireshark.org/review/25350
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>