Wireshark mailing list archives

Re: How to stop dissection in middle of malformed packet?


From: Dmitry Lazurkin <dilaz03 () gmail com>
Date: Thu, 17 Nov 2016 00:04:03 +0300

Thanks. I will try to test the trick with the offset.


On 11/17/2016 12:00 AM, Pascal Quantin wrote:
Hi Dmitry,

2016-11-16 21:51 GMT+01:00 Dmitry Lazurkin <dilaz03 () gmail com>:

    Thank you for reply.

    After the return, the dissection function continues parsing the rest of
    the packet. I think this is not good.


The trend lately was to remove any exception triggering from the dissectors' code, and keep them in the proto_tree_add_XXX functions. So adding them back might not be a good idea. I did not look at the kafka code, but you probably have ways to stop dissection by incrementing offset enough to reach the end of the packet, for example.

Pascal.

    PS. Question about dissection of kafka strings, bytes and arrays.


    On 11/16/2016 11:29 PM, Alexis La Goutte wrote:
    Hi,

    You need to add an expert info and return.
    There is already a check in the proto_tree_add_* functions to detect
    malformed values (and automatically return).

    Cheers

    On Wed, Nov 16, 2016 at 5:57 PM, Dmitry Lazurkin
    <dilaz03 () gmail com> wrote:

        Hello.

        I read the packet header and try to read the string length and string
        data. But the string length field has an illegal value. I add expert
        info. But how do I stop dissection after adding the expert info? I
        cannot dissect the rest of the packet at this point. I can return an
        error code from this function, but the calling tree may be too big.
        Maybe a more graceful solution exists? Something like exceptions in
        C++.

        PS. I found DISSECTOR_VERIFY_DATA in mailing lists, but it is not
        implemented in source code.


        ___________________________________________________________________________
        Sent via:    Wireshark-dev mailing list
        <wireshark-dev () wireshark org
        <mailto:wireshark-dev () wireshark org>>
        Archives: https://www.wireshark.org/lists/wireshark-dev
        <https://www.wireshark.org/lists/wireshark-dev>
        Unsubscribe:
        https://www.wireshark.org/mailman/options/wireshark-dev
        <https://www.wireshark.org/mailman/options/wireshark-dev>
                     mailto:wireshark-dev-request () wireshark org
        <mailto:wireshark-dev-request () wireshark org>?subject=unsubscribe




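The approach suggested in this thread (flag the bad length, then move the offset to the end of the packet so every calling loop stops on its own), as an added example that is not from the thread or from Wireshark's source. It uses no Wireshark API: `pkt_t`, `stop_dissection` and the sample packets are hypothetical, and the string layout (16-bit big-endian signed length, -1 for null) is an assumption about Kafka-style strings.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a dissector's per-packet state. */
typedef struct {
    const uint8_t *data;
    size_t len;     /* captured bytes in the packet */
    int malformed;  /* stands in for an expert info item */
    int fields;     /* strings dissected so far */
} pkt_t;

/* Flag the packet and return an offset equal to the packet length, so each
 * caller's "while (offset < len)" loop ends without error-code plumbing. */
static size_t stop_dissection(pkt_t *p) {
    p->malformed = 1;
    return p->len;
}

/* One string: 16-bit big-endian signed length (-1 = null), then the bytes. */
static size_t dissect_string(pkt_t *p, size_t offset) {
    if (p->len - offset < 2) return stop_dissection(p);  /* truncated length */
    int16_t slen = (int16_t)((p->data[offset] << 8) | p->data[offset + 1]);
    offset += 2;
    if (slen == -1) { p->fields++; return offset; }      /* null string */
    if (slen < -1 || (size_t)slen > p->len - offset)     /* illegal length */
        return stop_dissection(p);
    p->fields++;
    return offset + (size_t)slen;
}

/* Top-level loop; returns the number of strings dissected before stopping. */
int dissect_packet(pkt_t *p) {
    size_t offset = 0;
    while (offset < p->len)
        offset = dissect_string(p, offset);
    return p->fields;
}

/* Constructed sample packets: "hi", null, "x" / "hi" then a length of 32767. */
static const uint8_t good_pkt[] = {0, 2, 'h', 'i', 0xFF, 0xFF, 0, 1, 'x'};
static const uint8_t bad_pkt[]  = {0, 2, 'h', 'i', 0x7F, 0xFF, 'j', 'u', 'n', 'k'};

int main(void) {
    pkt_t g = {good_pkt, sizeof good_pkt, 0, 0}, b = {bad_pkt, sizeof bad_pkt, 0, 0};
    int ng = dissect_packet(&g), nb = dissect_packet(&b);
    printf("good: %d strings, malformed=%d\n", ng, g.malformed);
    printf("bad:  %d strings, malformed=%d\n", nb, b.malformed);
    return 0;
}
```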
