Blame wireshark-1.2.6-smb-find-full-dir-info.patch

Jeff Layton ddc891
From 2856caa1cf3307208864af4c59da8ecb07bc3153 Mon Sep 17 00:00:00 2001
Jeff Layton ddc891
From: Jeff Layton <jlayton@redhat.com>
Jeff Layton ddc891
Date: Mon, 8 Mar 2010 19:43:07 -0500
Jeff Layton ddc891
Subject: [PATCH] packet-smb: add more FIND_FILE dissectors
Jeff Layton ddc891
Jeff Layton ddc891
---
Jeff Layton ddc891
 epan/dissectors/packet-smb.c |  271 ++++++++++++++++++++++++++++++++++++++++++
Jeff Layton ddc891
 1 files changed, 271 insertions(+), 0 deletions(-)
Jeff Layton ddc891
Jeff Layton ddc891
diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c
Jeff Layton ddc891
index 727b290..c9a90b9 100644
Jeff Layton ddc891
--- a/epan/dissectors/packet-smb.c
Jeff Layton ddc891
+++ b/epan/dissectors/packet-smb.c
Jeff Layton ddc891
@@ -10051,6 +10051,8 @@ static const value_string ff2_il_vals[] = {
Jeff Layton ddc891
 	{ 0x0102,	"Find File Full Directory Info"},
Jeff Layton ddc891
 	{ 0x0103,	"Find File Names Info"},
Jeff Layton ddc891
 	{ 0x0104,	"Find File Both Directory Info"},
Jeff Layton ddc891
+	{ 0x0105,	"Find File Full Directory Info"},
Jeff Layton ddc891
+	{ 0x0106,	"Find File Id Both Directory Info"},
Jeff Layton ddc891
 	{ 0x0202,	"Find File UNIX"},
Jeff Layton ddc891
 	{0, NULL}
Jeff Layton ddc891
 };
Jeff Layton ddc891
@@ -13900,6 +13902,267 @@ dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
Jeff Layton ddc891
 }
Jeff Layton ddc891
 
Jeff Layton ddc891
 static int
Jeff Layton ddc891
+dissect_4_3_4_6full(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
Jeff Layton ddc891
+    int offset, guint16 *bcp, gboolean *trunc)
Jeff Layton ddc891
+{
Jeff Layton ddc891
+	int fn_len;
Jeff Layton ddc891
+	const char *fn;
Jeff Layton ddc891
+	int old_offset = offset;
Jeff Layton ddc891
+	proto_item *item = NULL;
Jeff Layton ddc891
+	proto_tree *tree = NULL;
Jeff Layton ddc891
+	smb_info_t *si;
Jeff Layton ddc891
+	guint32 neo;
Jeff Layton ddc891
+	int padcnt;
Jeff Layton ddc891
+
Jeff Layton ddc891
+	si = (smb_info_t *)pinfo->private_data;
Jeff Layton ddc891
+	DISSECTOR_ASSERT(si);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	if(parent_tree){
Jeff Layton ddc891
+		tvb_ensure_bytes_exist(tvb, offset, *bcp);
Jeff Layton ddc891
+		item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
Jeff Layton ddc891
+		    val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
Jeff Layton ddc891
+		tree = proto_item_add_subtree(item, ett_smb_ff2_data);
Jeff Layton ddc891
+	}
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/*
Jeff Layton ddc891
+	 * XXX - I have not seen any of these that contain a resume
Jeff Layton ddc891
+	 * key, even though some of the requests had the "return resume
Jeff Layton ddc891
+	 * key" flag set.
Jeff Layton ddc891
+	 */
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* next entry offset */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	neo = tvb_get_letohl(tvb, offset);
Jeff Layton ddc891
+	proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* file index */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+        /* dissect standard 8-byte timestamps */
Jeff Layton ddc891
+	offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
Jeff Layton ddc891
+	if (*trunc) {
Jeff Layton ddc891
+	  return offset;
Jeff Layton ddc891
+	}
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* end of file */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(8);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(8);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* allocation size */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(8);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(8);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* Extended File Attributes */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	offset = dissect_file_ext_attr(tvb, tree, offset);
Jeff Layton ddc891
+	*bcp -= 4;
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* file name len */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	fn_len = tvb_get_letohl(tvb, offset);
Jeff Layton ddc891
+	proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/*
Jeff Layton ddc891
+	 * EA length.
Jeff Layton ddc891
+	 *
Jeff Layton ddc891
+	 * XXX - in one captures, this has the topmost bit set, and the
Jeff Layton ddc891
+	 * rest of the bits have the value 7.  Is the topmost bit being
Jeff Layton ddc891
+	 * set some indication that the value *isn't* the length of
Jeff Layton ddc891
+	 * the EAs?
Jeff Layton ddc891
+	 */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* skip 4 bytes */
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(8);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(8);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* file name */
Jeff Layton ddc891
+	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
Jeff Layton ddc891
+	CHECK_STRING_SUBR(fn);
Jeff Layton ddc891
+	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
Jeff Layton ddc891
+		fn);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(fn_len);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	if (check_col(pinfo->cinfo, COL_INFO)) {
Jeff Layton ddc891
+		col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
Jeff Layton ddc891
+		    format_text(fn, strlen(fn)));
Jeff Layton ddc891
+	}
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* skip to next structure */
Jeff Layton ddc891
+	if(neo){
Jeff Layton ddc891
+		padcnt = (old_offset + neo) - offset;
Jeff Layton ddc891
+		if (padcnt < 0) {
Jeff Layton ddc891
+			/*
Jeff Layton ddc891
+			 * XXX - this is bogus; flag it?
Jeff Layton ddc891
+			 */
Jeff Layton ddc891
+			padcnt = 0;
Jeff Layton ddc891
+		}
Jeff Layton ddc891
+		if (padcnt != 0) {
Jeff Layton ddc891
+			CHECK_BYTE_COUNT_SUBR(padcnt);
Jeff Layton ddc891
+			COUNT_BYTES_SUBR(padcnt);
Jeff Layton ddc891
+		}
Jeff Layton ddc891
+	}
Jeff Layton ddc891
+
Jeff Layton ddc891
+	proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
Jeff Layton ddc891
+	proto_item_set_len(item, offset-old_offset);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	*trunc = FALSE;
Jeff Layton ddc891
+	return offset;
Jeff Layton ddc891
+}
Jeff Layton ddc891
+
Jeff Layton ddc891
+static int
Jeff Layton ddc891
+dissect_4_3_4_6_id_both(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
Jeff Layton ddc891
+    int offset, guint16 *bcp, gboolean *trunc)
Jeff Layton ddc891
+{
Jeff Layton ddc891
+	int fn_len, sfn_len;
Jeff Layton ddc891
+	const char *fn, *sfn;
Jeff Layton ddc891
+	int old_offset = offset;
Jeff Layton ddc891
+	proto_item *item = NULL;
Jeff Layton ddc891
+	proto_tree *tree = NULL;
Jeff Layton ddc891
+	smb_info_t *si;
Jeff Layton ddc891
+	guint32 neo;
Jeff Layton ddc891
+	int padcnt;
Jeff Layton ddc891
+
Jeff Layton ddc891
+	si = (smb_info_t *)pinfo->private_data;
Jeff Layton ddc891
+	DISSECTOR_ASSERT(si);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	if(parent_tree){
Jeff Layton ddc891
+		tvb_ensure_bytes_exist(tvb, offset, *bcp);
Jeff Layton ddc891
+		item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
Jeff Layton ddc891
+		    val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
Jeff Layton ddc891
+		tree = proto_item_add_subtree(item, ett_smb_ff2_data);
Jeff Layton ddc891
+	}
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/*
Jeff Layton ddc891
+	 * XXX - I have not seen any of these that contain a resume
Jeff Layton ddc891
+	 * key, even though some of the requests had the "return resume
Jeff Layton ddc891
+	 * key" flag set.
Jeff Layton ddc891
+	 */
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* next entry offset */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	neo = tvb_get_letohl(tvb, offset);
Jeff Layton ddc891
+	proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* file index */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+        /* dissect standard 8-byte timestamps */
Jeff Layton ddc891
+	offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
Jeff Layton ddc891
+	if (*trunc) {
Jeff Layton ddc891
+	  return offset;
Jeff Layton ddc891
+	}
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* end of file */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(8);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(8);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* allocation size */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(8);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(8);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* Extended File Attributes */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	offset = dissect_file_ext_attr(tvb, tree, offset);
Jeff Layton ddc891
+	*bcp -= 4;
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* file name len */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	fn_len = tvb_get_letohl(tvb, offset);
Jeff Layton ddc891
+	proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/*
Jeff Layton ddc891
+	 * EA length.
Jeff Layton ddc891
+	 *
Jeff Layton ddc891
+	 * XXX - in one captures, this has the topmost bit set, and the
Jeff Layton ddc891
+	 * rest of the bits have the value 7.  Is the topmost bit being
Jeff Layton ddc891
+	 * set some indication that the value *isn't* the length of
Jeff Layton ddc891
+	 * the EAs?
Jeff Layton ddc891
+	 */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(4);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(4);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* short file name len */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(1);
Jeff Layton ddc891
+	sfn_len = tvb_get_guint8(tvb, offset);
Jeff Layton ddc891
+	proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(1);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* reserved byte */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(1);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(1);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* short file name - it's not always in Unicode */
Jeff Layton ddc891
+	sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
Jeff Layton ddc891
+	CHECK_STRING_SUBR(sfn);
Jeff Layton ddc891
+	proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
Jeff Layton ddc891
+		sfn);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(24);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* reserved bytes */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(2);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(2);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* file id */
Jeff Layton ddc891
+	CHECK_BYTE_COUNT_SUBR(8);
Jeff Layton ddc891
+	proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(8);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* file name */
Jeff Layton ddc891
+	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
Jeff Layton ddc891
+	CHECK_STRING_SUBR(fn);
Jeff Layton ddc891
+	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
Jeff Layton ddc891
+		fn);
Jeff Layton ddc891
+	COUNT_BYTES_SUBR(fn_len);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	if (check_col(pinfo->cinfo, COL_INFO)) {
Jeff Layton ddc891
+		col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
Jeff Layton ddc891
+		    format_text(fn, strlen(fn)));
Jeff Layton ddc891
+	}
Jeff Layton ddc891
+
Jeff Layton ddc891
+	/* skip to next structure */
Jeff Layton ddc891
+	if(neo){
Jeff Layton ddc891
+		padcnt = (old_offset + neo) - offset;
Jeff Layton ddc891
+		if (padcnt < 0) {
Jeff Layton ddc891
+			/*
Jeff Layton ddc891
+			 * XXX - this is bogus; flag it?
Jeff Layton ddc891
+			 */
Jeff Layton ddc891
+			padcnt = 0;
Jeff Layton ddc891
+		}
Jeff Layton ddc891
+		if (padcnt != 0) {
Jeff Layton ddc891
+			CHECK_BYTE_COUNT_SUBR(padcnt);
Jeff Layton ddc891
+			COUNT_BYTES_SUBR(padcnt);
Jeff Layton ddc891
+		}
Jeff Layton ddc891
+	}
Jeff Layton ddc891
+
Jeff Layton ddc891
+	proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
Jeff Layton ddc891
+	proto_item_set_len(item, offset-old_offset);
Jeff Layton ddc891
+
Jeff Layton ddc891
+	*trunc = FALSE;
Jeff Layton ddc891
+	return offset;
Jeff Layton ddc891
+}
Jeff Layton ddc891
+
Jeff Layton ddc891
+static int
Jeff Layton ddc891
 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
Jeff Layton ddc891
     int offset, guint16 *bcp, gboolean *trunc)
Jeff Layton ddc891
 {
Jeff Layton ddc891
@@ -14129,6 +14392,14 @@ dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
Jeff Layton ddc891
 		offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
Jeff Layton ddc891
 		    trunc);
Jeff Layton ddc891
 		break;
Jeff Layton ddc891
+	case 0x0105:	/*Find File Full Directory Info*/
Jeff Layton ddc891
+		offset = dissect_4_3_4_6full(tvb, pinfo, tree, offset, bcp,
Jeff Layton ddc891
+		    trunc);
Jeff Layton ddc891
+		break;
Jeff Layton ddc891
+	case 0x0106:	/*Find File Id Both Directory Info*/
Jeff Layton ddc891
+		offset = dissect_4_3_4_6_id_both(tvb, pinfo, tree, offset, bcp,
Jeff Layton ddc891
+		    trunc);
Jeff Layton ddc891
+		break;
Jeff Layton ddc891
 	case 0x0202:	/*Find File UNIX*/
Jeff Layton ddc891
 		offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
Jeff Layton ddc891
 		    trunc);
Jeff Layton ddc891
-- 
Jeff Layton ddc891
1.6.6.1
Jeff Layton ddc891