Wireshark-users: Re: [Wireshark-users] Malformed packet analysis

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 13 Jan 2014 13:50:14 -0800
On Jan 13, 2014, at 1:09 PM, "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote:

>    It would still be nice to have a better pointer to the issue.

It might be possible to have proto_tree_add_item() do its own check for running past the end of the packet data, rather than relying on the tvb routines to do it, and add an expert item to the tree saying "the packet is too short to include all of field XXX", and then throw the BoundsError exception.

In cases where the field's value is used later, perhaps there should be routines such as

	proto_tree_add_uint_item_ret_val, which adds an FT_UINT* item and returns its value through a pointer;
	proto_tree_add_int_item_ret_val, which adds an FT_INT* item and returns its value through a pointer;
	proto_tree_add_string_item_ret_val, which adds an FT_STRING* item and returns its value through a pointer;

and so on, so that the dissector doesn't need to fetch the value itself.
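
The idea in the message above, modelled as stand-alone C: this is an added example, not Wireshark code and not code from the message. `buf_t`, `tree_t`, `add_uint_item_ret_val`, `dissect_sample` and the record layout are hypothetical, and a -1 return stands in for throwing BoundsError.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a tvbuff and a protocol tree (not Wireshark types). */
typedef struct { const uint8_t *data; size_t len; } buf_t;
typedef struct { char note[96]; int items; } tree_t;

/* Constructed sample records: type(1) optlen(1) options(optlen) id(4). */
const uint8_t SAMPLE_OK[]    = {0x01, 0x02, 0xAA, 0xBB, 0x01, 0x02, 0x03, 0x04};
const uint8_t SAMPLE_TRUNC[] = {0x01, 0x02, 0xAA, 0xBB, 0x01, 0x02};

/* Add a big-endian unsigned field of 1..4 bytes at `off` and return its value
 * through *val. Returns 0 on success, -2 for an unsupported size, and -1 after
 * recording a note that names the field when it runs past the end of the packet. */
int add_uint_item_ret_val(tree_t *tree, const buf_t *b, const char *name,
                          size_t off, size_t size, uint32_t *val)
{
    if (size < 1 || size > 4)
        return -2;
    /* Compare against the remaining length so off + size cannot wrap. */
    if (off > b->len || size > b->len - off) {
        snprintf(tree->note, sizeof tree->note,
                 "the packet is too short to include all of field %s", name);
        return -1;
    }
    uint32_t v = 0;
    for (size_t i = 0; i < size; i++)
        v = (v << 8) | b->data[off + i];
    tree->items++;
    if (val) *val = v;
    return 0;
}

/* optlen is needed later to locate id; it comes back from the add call itself,
 * so the dissector never fetches it separately. */
int dissect_sample(tree_t *tree, const buf_t *b, uint32_t *id)
{
    uint32_t type, optlen;
    if (add_uint_item_ret_val(tree, b, "sample.type", 0, 1, &type) != 0 ||
        add_uint_item_ret_val(tree, b, "sample.optlen", 1, 1, &optlen) != 0)
        return -1;
    return add_uint_item_ret_val(tree, b, "sample.id", 2 + (size_t)optlen, 4, id);
}
```

Calling `dissect_sample` on `SAMPLE_TRUNC` leaves the note naming `sample.id` in the tree, which is the "better pointer to the issue" asked for in the quoted question.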