author | João Valverde <j@v6e.pt> | 2022-06-18 10:43:24 +0100 |
---|---|---|
committer | A Wireshark GitLab Utility <gerald+gitlab-utility@wireshark.org> | 2022-06-21 15:10:08 +0000 |
commit | 47348ae598127aa8bd46d5c650c6f1f77eef2bc4 (patch) | |
tree | 1179e3c8534e96408d0e54412b8554e8ec835e98 /docbook | |
parent | d372ed34830e69dc15c3533d4ef65873e3404f3c (diff) |
dfilter: Add support for literal strings with null bytes
Before:
Filter: frame matches "abc\x00def"
dftest: \x00 (NUL byte) cannot be used with a regular string.
frame matches "abc\x00def"
^~~~
Filter: _ws.ftypes.string == "a string with a \0 byte"
dftest: \0 (NUL byte) cannot be used with a regular string.
_ws.ftypes.string == "a string with a \0 byte"
^~
After:
Filter: frame matches "abc\x00def"
Syntax tree:
0 TEST_MATCHES:
1 FIELD(frame)
1 PCRE(abc\0def)
Instructions:
00000 READ_TREE frame -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_MATCHES reg#0 matches abc\0def
00003 RETURN
Filter: _ws.ftypes.string == "a string with a \0 byte"
Syntax tree:
0 TEST_ANY_EQ:
1 FIELD(_ws.ftypes.string)
1 FVALUE("a string with a \0 byte" <FT_STRING>)
Instructions:
00000 READ_TREE _ws.ftypes.string -> reg#0
00001 IF_FALSE_GOTO 3
00002 ANY_EQ reg#0 == "a string with a \0 byte" <FT_STRING>
00003 RETURN
Fixes issue #16156.
Diffstat (limited to 'docbook')
-rw-r--r-- | docbook/release-notes.adoc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/docbook/release-notes.adoc b/docbook/release-notes.adoc index 55f81a3588..b3dcb68058 100644 --- a/docbook/release-notes.adoc +++ b/docbook/release-notes.adoc @@ -135,6 +135,9 @@ They previously shipped with Qt 5.12.2. ** The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting. +** Literal strings can handle embedded null bytes (the value '\0') correctly. This includes regular expression patterns. + For example the double-quoted string "\0 is a null byte" is a legal literal value. + This may be useful to match byte patterns but note that in general protocol fields with a string type still cannot contain embedded null bytes. * The `text2pcap` command and the “Import from Hex Dump” feature have been updated and enhanced: ** `text2pcap` supports writing the output file in all the capture file formats that wiretap library supports, using the same `-F` option as `editcap`, `mergecap`, and `tshark`. |
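Review bot: The first added line documents only the '\0' escape, while the commit message shows the same fix applies to \x00 (frame matches "abc\x00def"), so the note should name both spellings and set them in backticks, as the surrounding entries do for `text2pcap` and `-F`. The closing caveat that string-typed protocol fields "still cannot contain embedded null bytes" would help readers more if it said what to expect when such a literal is compared against a string field, since the commit message's own example compares _ws.ftypes.string with a literal containing \0. Minor: "For example the double-quoted string" wants a comma after "example".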