Awesome, thanks!
So shall I assume that whenever I detect something of the kind, it's an issue that needs to be resolved?
If that's the case I'll be more than happy to add detection for this in my code and run a bunch of captures through it to detect them all (or at least as many as the captures allow me to detect).
Also, is the smb2 case a bug as well?
Thx,
Hassan
-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
Sent: Tuesday, July 25, 2017 3:45 PM
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Cc: Sultan, Hassan <sultah@xxxxxxxxxx>
Subject: [UNVERIFIED SENDER]Re: [Wireshark-dev] Hierarchy of fields & offsets
On Jul 25, 2017, at 3:26 PM, Sultan, Hassan via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
> Any reason why this is done in this way?
I don't know, but, whatever it is, it's not a *good* reason.
Perhaps they didn't know how to handle a request whose length isn't known until you finish dissecting it. The answer is "give it an initial length of -1, to cover the rest of the data, and then set the length at the end"; I've changed the MySQL dissector in the master and 2.4 branches to do that.
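The "initial length of -1, then set the length at the end" pattern from the reply above, together with the parent/child range check the follow-up proposes, as an added, self-contained model (not code from this thread or from the Wireshark source). `item_t`, `add_item`, `child_inside`, `dissect_request` and the request format are hypothetical; in a real dissector the corresponding calls are `proto_tree_add_item()` with a length of -1 and `proto_item_set_len()` or `proto_item_set_end()`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a protocol-tree item: a byte range in the packet. */
typedef struct { int start; int len; } item_t;

/* Add an item; len == -1 means "cover the rest of the data". */
static item_t add_item(int start, int len, int buf_len) {
    item_t it = { start, len == -1 ? buf_len - start : len };
    return it;
}

/* Hierarchy check: the child's byte range must lie inside the parent's. */
static int child_inside(item_t parent, item_t child) {
    return child.start >= parent.start &&
           child.start + child.len <= parent.start + parent.len;
}

/* Constructed format: 1-byte command, then a NUL-terminated argument, so the
 * request length is unknown until the NUL is found. Assumes offset < buf_len.
 * Returns the offset just past the request. */
static int dissect_request(const unsigned char *buf, int buf_len, int offset,
                           item_t *req, item_t *cmd, item_t *arg) {
    int start = offset;
    *req = add_item(offset, -1, buf_len);   /* initial length of -1 */
    *cmd = add_item(offset, 1, buf_len);
    offset += 1;
    const unsigned char *nul = memchr(buf + offset, 0, (size_t)(buf_len - offset));
    if (nul == NULL) {                      /* truncated: keep rest-of-data length */
        *arg = add_item(offset, -1, buf_len);
        return buf_len;
    }
    *arg = add_item(offset, (int)(nul - (buf + offset)) + 1, buf_len);
    offset += arg->len;
    req->len = offset - start;              /* set the real length at the end */
    return offset;
}

int main(void) {
    /* Constructed sample: command 0x03, argument "SEL\0", two trailing bytes. */
    const unsigned char pkt[] = { 0x03, 'S', 'E', 'L', 0x00, 0xAA, 0xBB };
    item_t req, cmd, arg;
    int end = dissect_request(pkt, (int)sizeof pkt, 0, &req, &cmd, &arg);
    printf("request [%d,%d) ends at %d, children inside: %d %d\n", req.start,
           req.start + req.len, end, child_inside(req, cmd), child_inside(req, arg));
    return 0;
}
```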