Re: Netflow dissector bug-to-be

[Hadriel Kaplan <HKaplan () acmepacket com>]

On Nov 7, 2010, at 12:33 PM, Jakub Zawadzki wrote:

> On Sun, Nov 07, 2010 at 10:46:47AM -0500, Hadriel Kaplan wrote:
> > Howdy,
> > The current packet-netflow.c dissector has a big "switch (pen_type) {...}" block in dissect_v9_v10_pdu_data(), which 
> > looks up specific known netflow/ipfix fields as it walks netflow v9/10 PDUs.
> >
> > Unfortunately, it's a bit of a hack as pen_type is a guint64 and a switch statement will silently cast it to an int.
>
> > I say "unfortunately", because I discovered to my chagrin that it's a *signed* int, so any case statement can't use 
> > a constant greater than 0x7fffffff, 
> > which given how the current code works, means one can't have a Private Enterprise Number greater than 0x7fff and use 
> > it to define a known field in this code.
> > As it turns out, my Enterprise number is higher than that. (Cace Technology's is just under it, which is why the 
> > current code works for Cace's netflow fields)
>
> Have you tried adding 'U' to your #define? i.e.
>
> instead of just:
>   #define VENDOR_FOO 0xdead
>
> do:
>   #define VENDOR_FOO 0xdeadU
>
> or even better:
>    #define VENDOR_FOO G_GUINT64_CONSTANT(0xdead) /* which should result in 0xdeadLLU */

It won't help - if you force it to be bigger than an int, gcc errors that the switch's case statement is not an 
integer... and apparently ISO C agrees with it: switch/case is defined to use an int size (and since int is 16 bits on 
some systems, makes me wonder if this isn't already failing for Cace's enterprise number on such systems).

-hadriel

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe