Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] pcapng options

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 1 Nov 2012 20:23:41 -0700
On Nov 1, 2012, at 7:45 PM, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:

> I think editcap is correct. The options are listed as optional. Thus,
> in processing the block, if the block-length tells you that there
> cannot be any options, then you do not need to even process them.

Yes.

> However, the opt_endofopt option makes it easy when processing
> options. Of course it would be possible to keep track of the block
> total length and how much you have already processed, so in that sense
> it is redundant.

And, in fact, given that running past the end a block when processing it is a Very Bad Idea, it is not only *possible* to keep track of the block total length and how much you have already processed, it's *necessary* to keep track of the block total length and how much you have already processed if you don't want your code potentially pwned by a deliberately malformed pcap-ng file (or even just screwed up by an unintentionally malformed pcap-ng file).

> I guess the real question is:
> 
> Is it legal to have a pcap-ng file that contains a block with options
> that does not contain an opt_endofopt option?

My inclination would be to say "yes", to indicate that option processing must stop when you reach the end of the block even if no opt_endofopt option is seen, but also indicate that option processing should stop when an opt_endofopt block is seen, even if there is more data remaining in the block.  So my inclination would be to say:

	option processing MUST stop when you run out of data in the block;

	option processing MUST stop when you see an opt_endofopt block;

	option lists that contain at least one non-opt_endofopt option SHOULD also have an opt_endofopt option at the end;

and possibly change the last SHOULD to MUST in order not to upset code that *doesn't* check for the end of the block, even if that code is insecure.