MATE: no Match if multiple AVP with same name
Summary
[Wireshark-dev] MATE Stop for multi-occurrence field
If a packet has multiple occurrences of a field, Match does not continue after the first AVP of that name.
Steps to reproduce
Logs are for capture attached to #12184 (closed).
220402_MATE_addr_Every.txt
220402_MATE_addr_Strict.txt
Transform start_cond {
    Match Strict (addr=192.168.5.159) (mgs_addr=addr_192);
};
Transform stop_cond {
    Match Strict (addr=195.122.207.107) (mgs_addr=addr_195);
};
Pdu ip_pdu Proto frame Transport frame {
    Extract frame From frame.number;
    Extract addr From ip.addr;
    Transform start_cond, stop_cond;
};
Done;
What is the current bug behavior?
If the first AVP (attribute) whose name matches the extracted field also matches the condition, then the transform is processed.
The second attribute of the same name is not checked.
If the first AVP whose name matches the field does not match the condition, then no transform is applied and matching does not continue to check additional attributes.
** (wireshark:9900) 19:03:51.328586 [MATE MESSAGE] -- avpl_transform: src=0000027EF4A8CF00 op=0000027EF4B4B9E0
** (wireshark:9900) 19:03:51.329878 [MATE MESSAGE] -- new_avpl_pairs_match: 0000027EF4B35090 src=0000027EF4A8CF00 op=0000027EF4A8CAB0 name='ip_pdu'
** (wireshark:9900) 19:03:51.331230 [MATE MESSAGE] -- match_avp: addr=192.168.5.159; vs. addr=192.168.5.159;
** (wireshark:9900) 19:03:51.333623 [MATE MESSAGE] -- copy_avp: 0000027EF4B350F0 addr=192.168.5.159;
** (wireshark:9900) 19:03:51.335821 [MATE MESSAGE] -- insert_avp: inserting 0000027EF4A8CF90 in 0000027EF4B35090 before 0000027EF4B350A0;
** (wireshark:9900) 19:03:51.342247 [MATE MESSAGE] -- avpl: 0000027EF4B35090 new len: 1
** (wireshark:9900) 19:03:51.344392 [MATE MESSAGE] -- merge_avpl: 0000027EF4A8CF00 0000027EF4A8C9C0
** (wireshark:9900) 19:03:51.346518 [MATE MESSAGE] -- copy_avp: 0000027EF4B35150 mgs_addr=addr_192;
** (wireshark:9900) 19:03:51.348679 [MATE MESSAGE] -- insert_avp: inserting 0000027EF4A8CB10 in 0000027EF4A8CF00 before 0000027EF4A8CF10;
** (wireshark:9900) 19:03:51.351968 [MATE MESSAGE] -- avpl: 0000027EF4A8CF00 new len: 4
** (wireshark:9900) 19:03:51.356275 [MATE MESSAGE] -- delete_avpl: 0000027EF4B35090
** (wireshark:9900) 19:03:51.358539 [MATE MESSAGE] -- avpl: 0000027EF4B35090 new len: 0
** (wireshark:9900) 19:03:51.360792 [MATE MESSAGE] -- extract_last_avp: got avp: 0000027EF4B350F0
** (wireshark:9900) 19:03:51.363047 [MATE MESSAGE] -- delete_avp: 0000027EF4B350F0 addr=192.168.5.159;
** (wireshark:9900) 19:03:51.365278 [MATE MESSAGE] -- extract_last_avp: got avp: 0000000000000000
** (wireshark:9900) 19:03:51.367548 [MATE MESSAGE] -- avpl_transform: src=0000027EF4A8CF00 op=0000027EF4B4BC20
** (wireshark:9900) 19:03:51.371744 [MATE MESSAGE] -- new_avpl_pairs_match: 0000027EF4B35180 src=0000027EF4A8CF00 op=0000027EF4A8CB40 name='ip_pdu'
** (wireshark:9900) 19:03:51.375051 [MATE MESSAGE] -- match_avp: addr=192.168.5.159; vs. addr=195.122.207.107;
** (wireshark:9900) 19:03:51.377292 [MATE MESSAGE] -- delete_avpl: 0000027EF4B35180
** (wireshark:9900) 19:03:51.379534 [MATE MESSAGE] -- extract_last_avp: got avp: 0000000000000000
What is the expected correct behavior?
If the match fails, don't proceed to next co. Instead loop through cs looking for more AVP with the same name.
epan/mate/mate_util.c (new_avpl_pairs_match):
    } else {
        // Matching attributes found, now try to find a matching data AVP for the condition.
        if (match_avp(cs->avp, co->avp)) {
            insert_avp_before_node(newavpl, newavpl->null.prev, cs->avp, copy_avps);
            last_match = co->avp->n;
            cs = cs->next;
        } else {
            failed_match = co->avp->n;
        }
        co = co->next;
    }
Build information
3.7.0-CDC_220304 (v3.7.0rc0-1649-gbac95c28d1f0)
Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.29, build 30140),
with GLib 2.66.4, with PCRE2, with zlib 1.2.11, with Qt 5.15.2, with libpcap,
with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with
Kerberos (MIT), with MaxMind, with nghttp2 1.44.0, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.10, with libsmi 0.4.8, with
QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
SpeexDSP (using bundled resampler), with Minizip.
Running on 64-bit Windows 10 (21H2), build 19044, with Intel(R) Xeon(R) CPU
E5645 @ 2.40GHz (with SSE4.2), with 8190 MB of physical memory, with GLib
2.66.4, with PCRE2 10.39 2021-10-29, with Qt 5.15.2, with Npcap version 1.60,
based on libpcap version 1.10.2-PRE-GIT, with c-ares 1.17.0, with GnuTLS 3.6.3,
with Gcrypt 1.8.3, with nghttp2 1.44.0, with brotli 1.0.9, with LZ4 1.9.3, with
Zstandard 1.4.0, with AirPcap 4.1.0 build 1622, with light display mode, without
HiDPI, with LC_TYPE=English_United States.utf8, with binary plugins (21 loaded).
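The matching behaviour reported in this issue, shown as an added example: a simplified, self-contained model that is not Wireshark's code and not part of the original report. The `avp_t` type, the `strict_match` function and its `scan_dups` switch are hypothetical names, and the model assumes both AVP lists are sorted by name; the addresses are the ones from the configuration and log above.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a MATE AVP (name=value); not Wireshark's own type. */
typedef struct { const char *name; const char *value; } avp_t;

/* Constructed sample PDU: ip.addr occurs twice per packet, so two "addr" AVPs
 * are extracted. Assumption: lists are kept sorted by name. */
static const avp_t pdu[] = {
    { "addr",  "192.168.5.159"   },
    { "addr",  "195.122.207.107" },
    { "frame", "1"               },
};
static const avp_t start_cond[] = { { "addr", "192.168.5.159" } };
static const avp_t stop_cond[]  = { { "addr", "195.122.207.107" } };

/* Strict match: every condition AVP needs a data AVP with equal name and value.
 * scan_dups == 0 models the reported behaviour (only the first data AVP of a
 * name is compared); scan_dups != 0 models the expected behaviour. */
static int strict_match(const avp_t *src, size_t ns,
                        const avp_t *op, size_t no, int scan_dups)
{
    size_t s = 0;
    for (size_t o = 0; o < no; o++) {
        int found = 0;
        /* Skip data AVPs whose name sorts before the condition's name. */
        while (s < ns && strcmp(src[s].name, op[o].name) < 0)
            s++;
        /* Walk the run of data AVPs that share the condition's name. */
        for (size_t i = s; i < ns && strcmp(src[i].name, op[o].name) == 0; i++) {
            if (strcmp(src[i].value, op[o].value) == 0) { found = 1; break; }
            if (!scan_dups) break;   /* reported bug: give up after first AVP */
        }
        if (!found)
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("start: first-only=%d scan-all=%d\n",
           strict_match(pdu, 3, start_cond, 1, 0), strict_match(pdu, 3, start_cond, 1, 1));
    printf("stop:  first-only=%d scan-all=%d\n",
           strict_match(pdu, 3, stop_cond, 1, 0), strict_match(pdu, 3, stop_cond, 1, 1));
    return 0;
}
```

With the first-only behaviour the `stop_cond` transform never fires for this PDU, so any analysis that depends on it silently misses packets whose matching address is not the first `addr` AVP.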