Wireshark-dev: Re: [Wireshark-dev] Malformed packets in CORBA protocol plugin
Date: Fri, 8 Dec 2006 17:53:10 +0000
wireshark-dev-bounces@xxxxxxxxxxxxx wrote on 07/12/2006 14:21:24:

> Hi,
> You should try to see in packet-giop.c what happens after the output of:
>   ServiceContextList
>     Sequence Length: 0
> 
> My guess is that a sequence length of zero isn't handled properly. I
> have little time to look at this currently...
> 

OK, I now know where it is going wrong, but I don't know the right way
to fix it.

In my packet-quentinv3.c file the code generated has a function
called start_dissecting. This gets called for every recognised
packet and is throwing a ReportedBoundsError exception.

It looks like this is because it is trying to add a new tree item
for a 0 length sequence, so it shouldn't really need to.

Following this through. The call tree that throws the exception is :-

start_dissecting ->
  proto_tree_add_item ->
    alloc_field_info ->
      get_hfi_and_length ->

In get_hfi_and_length the code that throws reads :-

                switch (hfinfo->type) {

                case FT_PROTOCOL:
                        /*
                         * We allow this to be zero-length - for
                         * example, an ONC RPC NULL procedure has
                         * neither arguments nor reply, so the
                         * payload for that protocol is empty.
                         *
                         * However, if the length is negative, the
                         * start offset is *past* the byte past the
                         * end of the tvbuff, so we throw an
                         * exception.
                         */
                        *length = tvb_length_remaining(tvb, start);
                        if (*length < 0) {
                                /*
                                 * Use "tvb_ensure_bytes_exist()"
                                 * to force the appropriate exception
                                 * to be thrown.
                                 */
                                tvb_ensure_bytes_exist(tvb, start, 0);
                        }

For the case where it throws *length = -1

I now need someone who undall this code to advise the best place to
fix it. I guess the dissector shouldn't add a tree item if there are
no arguments, but that requires changes to the python that generates
that file.

Thanks for any help

Andy Ling