[pcap-ng-format] Proposal for new "custom" option codes
Michael Richardson
mcr at sandelman.ca
Sun Jul 26 16:14:54 UTC 2015
Hadriel Kaplan <the.real.hadriel at gmail.com> wrote:
> On Wed, Jul 22, 2015 at 1:54 PM, Guy Harris <guy at alum.mit.edu> wrote:
>>
>> One problem with binary options, however, is that, if it contains
>> values where byte order matters (integral or floating-point values
>> larger than one byte), and a file written by a machine with one byte
>> order is read, processed, and written by a machine with the opposite
>> byte order (we ignore the PDP-11 here, which we can probably safely do
>> :-)), unless the program writing it understands the binary option in
>> question (either with built-in code or plugins), it can't write the
>> option in question out and have it be properly interpreted by some
>> other program, as the byte order of the data in the option will no
>> longer match the byte order specified by the SHB of the section
>> containing it.
> Right, so for the draft's text one of the things I was going to propose
> it say is something like:
> "Implementers writing Custom Binary Options should be aware that a
> PCAPNG file can be re-written by machines using a different endianness
Good text and warning:
> Therefore, the Custom Binary Option should either encode all of their
> fields in a consistent manner, such as always in big-endian or always
> little-endian format, regardless of the host platform's endianness; or
> the Custom Binary Option should encode some flag in its payload to
> indicate which endianness the payload is written in."
I am worried about:
> What triggered this though is a proposed change someone uploaded to
> Wireshark's gerrit review site recently, to enable hooking a dissector into
> the frame's comment - because they were putting information in the frame
> comments that they wanted to read back when opening a file.
as a vector for buffer-overflow attacks. We can't really do anything about
it, but it's just a flag that went up. On my first read, I understood
that someone was going to stick *code* in there, but then I re-read it...
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
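
Added example, not part of the original message or of the pcapng draft: a sketch of the rewrite problem discussed above, showing a binary option payload written in host byte order being misread after an opaque rewrite, beside a payload that carries its own byte-order flag, with the length checks a reader needs. The option code, the payload layout (uint32 counter, uint16 kind, one flag byte) and all function names are assumptions made for illustration.

```python
import struct

OPT_CODE = 0x1234  # constructed placeholder, not an assigned pcapng option code

def encode_option(code, payload, section_order):
    """Option TLV: code and length use the section (SHB) byte order ('<' or '>');
    the value is padded to a 32-bit boundary."""
    header = struct.pack(section_order + "HH", code, len(payload))
    return header + payload + b"\0" * (-len(payload) % 4)

def decode_option(buf, section_order):
    """Return (code, payload); reject a length field that overruns the buffer."""
    if len(buf) < 4:
        raise ValueError("truncated option header")
    code, length = struct.unpack_from(section_order + "HH", buf, 0)
    if length > len(buf) - 4:
        raise ValueError("option length exceeds available data")
    return code, buf[4:4 + length]

def rewrite_opaque(buf, src_order, dst_order):
    """A tool that does not understand the option: it re-encodes the header for
    the new section byte order and copies the payload bytes unchanged."""
    code, payload = decode_option(buf, src_order)
    return encode_option(code, payload, dst_order)

# Hypothetical payload (an assumption for this example): uint32 counter + uint16 kind.
def naive_payload(counter, kind, host_order):
    return struct.pack(host_order + "IH", counter, kind)  # host byte order, no marker

def naive_parse(payload, section_order):
    if len(payload) != 6:
        raise ValueError("unexpected payload length")
    return struct.unpack(section_order + "IH", payload)  # trusts the SHB byte order

def flagged_payload(counter, kind, host_order):
    flag = b"L" if host_order == "<" else b"B"  # byte-order flag carried in the payload
    return flag + struct.pack(host_order + "IH", counter, kind)

def flagged_parse(payload):
    if len(payload) != 7:
        raise ValueError("unexpected payload length")
    order = {b"L": "<", b"B": ">"}.get(payload[:1])
    if order is None:
        raise ValueError("unknown byte-order flag")
    return struct.unpack_from(order + "IH", payload, 1)

def round_trip(make, parse_after):
    """Write on a little-endian host, rewrite as a big-endian section, then parse."""
    rewritten = rewrite_opaque(encode_option(OPT_CODE, make(1000, 7, "<"), "<"), "<", ">")
    return parse_after(decode_option(rewritten, ">")[1])
```

With the constructed values (1000, 7), the unmarked payload no longer decodes to what was written once the section byte order changes, while the flagged payload does.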