Wireshark mailing list archives
Re: pcapng options
From: Guy Harris <guy () alum mit edu>
Date: Thu, 1 Nov 2012 20:23:41 -0700
On Nov 1, 2012, at 7:45 PM, Richard Sharpe <realrichardsharpe () gmail com> wrote:
I think editcap is correct. The options are listed as optional. Thus, in processing the block, if the block-length tells you that there cannot be any options, then you do not need to even process them.
Yes.
However, the opt_endofopt option makes it easy when processing options. Of course it would be possible to keep track of the block total length and how much you have already processed, so in that sense it is redundant.
And, in fact, given that running past the end a block when processing it is a Very Bad Idea, it is not only *possible* to keep track of the block total length and how much you have already processed, it's *necessary* to keep track of the block total length and how much you have already processed if you don't want your code potentially pwned by a deliberately malformed pcap-ng file (or even just screwed up by an unintentionally malformed pcap-ng file).
I guess the real question is: Is it legal to have a pcap-ng file that contains a block with options that does not contain an opt_endofopt option?
My inclination would be to say "yes", to indicate that option processing must stop when you reach the end of the block even if no opt_endofopt option is seen, but also indicate that option processing should stop when an opt_endofopt block is seen, even if there is more data remaining in the block. So my inclination would be to say: option processing MUST stop when you run out of data in the block; option processing MUST stop when you see an opt_endofopt block; option lists that contain at least one non-opt_endofopt option SHOULD also have an opt_endofopt option at the end; and possibly change the last SHOULD to MUST in order not to upset code that *doesn't* check for the end of the block, even if that code is insecure. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- pcapng options Marc Petit-Huguenin (Nov 01)
- Re: pcapng options Richard Sharpe (Nov 01)
- Re: pcapng options Guy Harris (Nov 01)
- Re: pcapng options Jasper Bongertz (Nov 02)
- IETF standard? [was Re: pcapng options] Marc Petit-Huguenin (Nov 02)
- Re: IETF standard? [was Re: pcapng options] Guy Harris (Nov 02)
- Re: IETF standard? [was Re: pcapng options] Marc Petit-Huguenin (Nov 02)
- Re: IETF standard? [was Re: pcapng options] Michael Tuexen (Nov 02)
- Re: pcapng options Guy Harris (Nov 01)
- Re: pcapng options Richard Sharpe (Nov 01)