Wireshark mailing list archives

Re: Appropriate action on a protocol failure?


From: Guy Harris <guy () alum mit edu>
Date: Tue, 10 Nov 2009 00:07:15 -0800


On Nov 9, 2009, at 1:24 PM, J.C. Wren wrote:

> My protocol payloads consist of one or more TLV (Type-Length-Values)
> sequences.  The dissector decodes the various TLVs.  Values
> represent various parameters to a command.  Right now if a value is
> out of range, I use DISSECTOR_ASSERT() for the test.  I know this
> isn't the best way to do it, but I don't know what it is.

Put an "expert info" entry in, indicating that something's wrong with  
the packet.

> I do want to stop decoding the packet at this point, since it's
> likely everything following it is munged.

Or not.

I would continue dissection, as you don't *know* that everything
following it is munged - it might just be a TLV for which you haven't
updated the dissector yet.  That's what most dissectors do - whether
they add an "expert info" entry or not, they don't just stop
dissecting; generally, they only stop dissecting if it's *impossible*
to continue dissecting.  If the T is invalid, you still have an L, so
just dissect the appropriate number of bytes as an opaque blob for an
unknown TLV and skip to what would be the next TLV.  If the V is
invalid, just skip to the next TLV, again.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
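
The approach described in the reply above, as an added example that is not part of the original post and does not use Wireshark's API: a stand-alone TLV walker that flags anomalies and keeps going, stopping only when a length runs past the data. The 1-byte type/1-byte length layout, the `T_SPEED`/`T_MODE` types, their ranges and the sample bytes are all constructed assumptions; in a real dissector `note()` would be an expert info entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed wire format (assumption): 1-byte type, 1-byte length, value. */
enum { T_SPEED = 0x01, T_MODE = 0x02 };   /* hypothetical TLV types */

/* Constructed sample: speed=50, speed=250 (bad), unknown 0x7f, mode=1. */
const uint8_t SAMPLE[] = { 0x01,0x01,0x32, 0x01,0x01,0xfa,
                           0x7f,0x02,0xaa,0xbb, 0x02,0x01,0x01 };
/* Constructed sample: second TLV claims 5 value bytes, only 1 present. */
const uint8_t SAMPLE_SHORT[] = { 0x01,0x01,0x32, 0x02,0x05,0x01 };

struct result {
    int tlvs;       /* TLVs walked, flagged ones included */
    int notes;      /* anomalies flagged; stands in for expert info entries */
    int truncated;  /* 1 if the walk had to stop early */
};

/* Flag a problem and keep going, instead of asserting. */
static void note(struct result *r, size_t off, const char *msg)
{
    r->notes++;
    printf("[note] offset %zu: %s\n", off, msg);
}

struct result walk_tlvs(const uint8_t *buf, size_t len)
{
    struct result r = { 0, 0, 0 };
    size_t off = 0;
    while (off < len) {
        /* The only hard stop: header or value runs past the data, so the
         * start of the next TLV cannot be located. */
        if (len - off < 2 || (size_t)buf[off + 1] > len - off - 2) {
            note(&r, off, "TLV runs past end of data, stopping");
            r.truncated = 1;
            break;
        }
        uint8_t type = buf[off], vlen = buf[off + 1];
        const uint8_t *val = buf + off + 2;
        if (type == T_SPEED && (vlen != 1 || val[0] > 100))
            note(&r, off, "speed value out of range");
        else if (type == T_MODE && (vlen != 1 || val[0] > 1))
            note(&r, off, "mode value out of range");
        else if (type != T_SPEED && type != T_MODE)  /* L is still usable */
            note(&r, off, "unknown type, value kept as opaque bytes");
        r.tlvs++;
        off += 2 + (size_t)vlen;   /* skip to what would be the next TLV */
    }
    return r;
}
```

The length check is written as a subtraction against the remaining bytes so that a hostile length field cannot push the offset past the buffer before it is tested.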

