ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online

Wireshark-dev: Re: [Wireshark-dev] How to stop dissection in middle of malformed packet?

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Wed, 16 Nov 2016 22:00:51 +0100
Hi Dmitry,

2016-11-16 21:51 GMT+01:00 Dmitry Lazurkin <dilaz03@xxxxxxxxx>:

Thank you for reply.

After return dissection function continue parsing rest of packet. I think this is not good.


The trend lately was to remove any exception triggering from the dissectors code, and keep them in the proto_tree_add_XXX functions. So addind them back might not be a good idea.
I did not look at the kafka code, but you probably have ways to stop dissection by incrementing offset enough to reach the end of the packet for example.

Pascal.

PS. Question about dissection of kafka strings, bytes and arrays.


On 11/16/2016 11:29 PM, Alexis La Goutte wrote:
Hi,

You need to add a expert info and return
There is already check on proto_tree_add_* function to detect malformed value (and automally return)

Cheers

On Wed, Nov 16, 2016 at 5:57 PM, Dmitry Lazurkin <dilaz03@xxxxxxxxx> wrote:
Hello.

I read packet header and try to read string length and string data. But
string length field has illegal value. I add expert info. But how to
stop dissection after adding expert info? I can not dissect rest of
packet at this point. I can return error code from this function, but
calling tree may be too big. May be exists more graceful solution?
Something like exceptions in C++.

PS. I found DISSECTOR_VERIFY_DATA in mailing lists, but it is not
implemented in source code.


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe