Ethereal-dev: [Ethereal-dev] a bug about rfcode filter when dissecting encrypted protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Buding Chen" <budingc@xxxxxxxxxxxx>
Date: Thu, 20 Jun 2002 11:09:41 +0800
Hi, all:
    I am dissecting some encrypted protocols (sorry I can't talk about it in
detail) in Ethereal v0.9.3, I have to get data_ptr by using "(guint8
*)tvb_get_ptr(...)" and do our algorithm.
    However, there is a bug described below: After inputing some available
filter in "Open Capture File" dialog box, the routine will do
epan_dissect_run(...) in function read_packet(...) at file.c:799. Then the
argument "buf" will be modified by encrypting protocol. So if this packet
passes rfcode, the routine will do epan_dissect_run(...) in function
add_packet_to_packet_list(...) at file.c:663. But the "buf" has been
encrypted that the subdissectors can't konw, it is encrypted again. The data
is not correct any longer.
    I have one way to resolve it:

file.c:796
  if (cf->rfcode) {
+  const u_char *buf_new = g_malloc(fdata->cap_len);
+  memcpy(buf_new, buf, fdata->cap_len);
    edt = epan_dissect_new(TRUE, FALSE);
    epan_dissect_prime_dfilter(edt, cf->rfcode);
-    epan_dissect_run(edt, pseudo_header, buf, fdata, NULL);
+   epan_dissect_run(edt, pseudo_header, buf_new, fdata, NULL);
    passed = dfilter_apply_edt(cf->rfcode, edt);
    epan_dissect_free(edt);
+   g_free(buf_new);
  }

    How do you think about it?
    Dose any one have a better way to dissect encrypted protocol rather than
using "(guint8 *)tvb_get_ptr(...)"?

B.R.
Buding