Wireshark mailing list archives

Re: Malformed packet analysis
From: Guy Harris <guy () alum mit edu>
Date: Mon, 13 Jan 2014 13:50:14 -0800

On Jan 13, 2014, at 1:09 PM, "Markus Moeller" <huaraz () moeller plus com> wrote:

   It would still be nice to have a better pointer to the issue.

It might be possible to have proto_tree_add_item() do its own check for running past the end of the packet data, rather 
than relying on the tvb routines to do it, and add an expert item to the tree saying "the packet is too short to 
include all of field XXX", and then throw the BoundsError exception.

In cases where the field's value is used later, perhaps there should be routines such as

        proto_tree_add_uint_item_ret_val, which adds an FT_UINT* item and returns its value through a pointer;
        proto_tree_add_int_item_ret_val, which adds an FT_INT* item and returns its value through a pointer;
        proto_tree_add_string_item_ret_val, which adds an FT_STRING* item and returns its value through a pointer;

and so on, so that the dissector doesn't need to fetch the value itself.
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
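
A stand-alone C model of the two ideas in the message above, added here as an illustration; it is not Wireshark code or code from the thread. The `model_*` names, the structs and the sample packet are hypothetical, and an error return stands in for throwing the BoundsError exception.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a tvbuff and a protocol tree. */
struct model_tvb { const uint8_t *data; size_t len; };
struct model_tree {
    int  fields_added;
    char expert[96];          /* empty unless a field ran past the end */
};

/* Add a big-endian unsigned field of 1..4 bytes and return its value through
 * *val. The bounds check is done here, before any byte is read, so the
 * diagnostic can name the field. Returns 0 on success, -1 where the real
 * dissector would throw. */
int model_add_uint_item_ret_val(struct model_tree *tree, const char *field,
                                const struct model_tvb *tvb, size_t off,
                                size_t n, uint32_t *val)
{
    if (n == 0 || n > 4)
        return -1;            /* caller error, not a short packet */
    /* Compare against len - off so that off + n cannot overflow. */
    if (off > tvb->len || n > tvb->len - off) {
        snprintf(tree->expert, sizeof tree->expert,
                 "the packet is too short to include all of field %s", field);
        return -1;
    }
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | tvb->data[off + i];
    *val = v;
    tree->fields_added++;
    return 0;
}

/* Constructed sample: type(1) length(2) id(4), truncated after 5 bytes. */
static const uint8_t sample_pkt[] = { 0x01, 0x00, 0x07, 0xde, 0xad };

/* Dissect the sample; returns 0 if complete, -1 if it stopped early.
 * The dissector never fetches a value itself, it only uses the returned ones. */
int model_dissect(struct model_tree *tree, uint32_t *type, uint32_t *length)
{
    struct model_tvb tvb = { sample_pkt, sizeof sample_pkt };
    uint32_t id;
    memset(tree, 0, sizeof *tree);
    if (model_add_uint_item_ret_val(tree, "type", &tvb, 0, 1, type)) return -1;
    if (model_add_uint_item_ret_val(tree, "length", &tvb, 1, 2, length)) return -1;
    return model_add_uint_item_ret_val(tree, "id", &tvb, 3, 4, &id);
}
```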
