1999-10-29 01:11:23 +00:00
|
|
|
/* packet-rpc.c
|
|
|
|
|
* Routines for rpc dissection
|
|
|
|
|
* Copyright 1999, Uwe Girlich <Uwe.Girlich@philosys.de>
|
|
|
|
|
*
|
1999-11-15 14:57:38 +00:00
|
|
|
* $Id: packet-rpc.c,v 1.14 1999/11/15 14:57:38 nneul Exp $
|
1999-10-29 01:11:23 +00:00
|
|
|
*
|
|
|
|
|
* Ethereal - Network traffic analyzer
|
|
|
|
|
* By Gerald Combs <gerald@unicom.net>
|
|
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
|
*
|
|
|
|
|
* Copied from packet-smb.c
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
|
# include "config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
|
|
|
# include <sys/types.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <glib.h>
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <string.h>
|
1999-11-15 14:57:38 +00:00
|
|
|
#include <ctype.h>
|
1999-10-29 01:11:23 +00:00
|
|
|
#include "packet.h"
|
|
|
|
|
#include "conversation.h"
|
|
|
|
|
#include "packet-rpc.h"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
const value_string rpc_msg_type[3] = {
|
|
|
|
|
{ RPC_CALL, "Call" },
|
|
|
|
|
{ RPC_REPLY, "Reply" },
|
|
|
|
|
{ 0, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const value_string rpc_reply_state[3] = {
|
|
|
|
|
{ MSG_ACCEPTED, "accepted" },
|
|
|
|
|
{ MSG_DENIED, "denied" },
|
|
|
|
|
{ 0, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const value_string rpc_auth_flavor[5] = {
|
|
|
|
|
{ AUTH_NULL, "AUTH_NULL" },
|
|
|
|
|
{ AUTH_UNIX, "AUTH_UNIX" },
|
|
|
|
|
{ AUTH_SHORT, "AUTH_SHORT" },
|
|
|
|
|
{ AUTH_DES, "AUTH_DES" },
|
|
|
|
|
{ 0, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const value_string rpc_accept_state[6] = {
|
|
|
|
|
{ SUCCESS, "RPC executed successfully" },
|
|
|
|
|
{ PROG_UNAVAIL, "remote hasn't exported program" },
|
|
|
|
|
{ PROG_MISMATCH, "remote can't support version #" },
|
|
|
|
|
{ PROC_UNAVAIL, "program can't support procedure" },
|
|
|
|
|
{ GARBAGE_ARGS, "procedure can't decode params" },
|
|
|
|
|
{ 0, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const value_string rpc_reject_state[3] = {
|
|
|
|
|
{ RPC_MISMATCH, "RPC_MISMATCH" },
|
|
|
|
|
{ AUTH_ERROR, "AUTH_ERROR" },
|
|
|
|
|
{ 0, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const value_string rpc_auth_state[6] = {
|
|
|
|
|
{ AUTH_BADCRED, "bad credential (seal broken)" },
|
|
|
|
|
{ AUTH_REJECTEDCRED, "client must begin new session" },
|
|
|
|
|
{ AUTH_BADVERF, "bad verifier (seal broken)" },
|
|
|
|
|
{ AUTH_REJECTEDVERF, "verifier expired or replayed" },
|
|
|
|
|
{ AUTH_TOOWEAK, "rejected for security reasons" },
|
|
|
|
|
{ 0, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* the protocol number */
|
|
|
|
|
static int proto_rpc = -1;
|
1999-11-15 14:57:38 +00:00
|
|
|
static int hf_rpc_xid = -1;
|
|
|
|
|
static int hf_rpc_msgtype = -1;
|
|
|
|
|
static int hf_rpc_rpcversion = -1;
|
|
|
|
|
static int hf_rpc_program = -1;
|
|
|
|
|
static int hf_rpc_programversion = -1;
|
|
|
|
|
static int hf_rpc_procedure = -1;
|
|
|
|
|
static int hf_rpc_cred_flavor = -1;
|
|
|
|
|
static int hf_rpc_cred_length = -1;
|
|
|
|
|
static int hf_rpc_verify_flavor = -1;
|
|
|
|
|
static int hf_rpc_verify_length = -1;
|
1999-10-29 01:11:23 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Hash table with info on RPC program numbers */
|
|
|
|
|
GHashTable *rpc_progs;
|
|
|
|
|
|
|
|
|
|
/* Hash table with info on RPC procedure numbers */
|
|
|
|
|
GHashTable *rpc_procs;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/***********************************/
|
|
|
|
|
/* Hash array with procedure names */
|
|
|
|
|
/***********************************/
|
|
|
|
|
|
|
|
|
|
/* compare 2 keys */
|
|
|
|
|
gint
|
|
|
|
|
rpc_proc_equal(gconstpointer k1, gconstpointer k2)
|
|
|
|
|
{
|
|
|
|
|
rpc_proc_info_key* key1 = (rpc_proc_info_key*) k1;
|
|
|
|
|
rpc_proc_info_key* key2 = (rpc_proc_info_key*) k2;
|
|
|
|
|
|
|
|
|
|
return ((key1->prog == key2->prog &&
|
|
|
|
|
key1->vers == key2->vers &&
|
|
|
|
|
key1->proc == key2->proc) ?
|
|
|
|
|
TRUE : FALSE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* calculate a hash key */
|
|
|
|
|
guint
|
|
|
|
|
rpc_proc_hash(gconstpointer k)
|
|
|
|
|
{
|
|
|
|
|
rpc_proc_info_key* key = (rpc_proc_info_key*) k;
|
|
|
|
|
|
|
|
|
|
return (key->prog ^ (key->vers<<16) ^ (key->proc<<24));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* insert some entries */
|
|
|
|
|
void
|
|
|
|
|
rpc_init_proc_table(guint prog, guint vers, const vsff *proc_table)
|
|
|
|
|
{
|
|
|
|
|
const vsff *proc;
|
|
|
|
|
|
|
|
|
|
for (proc = proc_table ; proc->strptr!=NULL; proc++) {
|
|
|
|
|
rpc_proc_info_key *key;
|
|
|
|
|
rpc_proc_info_value *value;
|
|
|
|
|
|
|
|
|
|
key = (rpc_proc_info_key *) g_malloc(sizeof(rpc_proc_info_key));
|
|
|
|
|
key->prog = prog;
|
|
|
|
|
key->vers = vers;
|
|
|
|
|
key->proc = proc->value;
|
|
|
|
|
|
|
|
|
|
value = (rpc_proc_info_value *) g_malloc(sizeof(rpc_proc_info_value));
|
|
|
|
|
value->name = proc->strptr;
|
|
|
|
|
value->dissect_call = proc->dissect_call;
|
|
|
|
|
value->dissect_reply = proc->dissect_reply;
|
|
|
|
|
|
|
|
|
|
g_hash_table_insert(rpc_procs,key,value);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------*/
|
|
|
|
|
/* end of Hash array with procedure names */
|
|
|
|
|
/*----------------------------------------*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*********************************/
|
|
|
|
|
/* Hash array with program names */
|
|
|
|
|
/*********************************/
|
|
|
|
|
|
|
|
|
|
/* compare 2 keys */
|
|
|
|
|
gint
|
|
|
|
|
rpc_prog_equal(gconstpointer k1, gconstpointer k2)
|
|
|
|
|
{
|
|
|
|
|
rpc_prog_info_key* key1 = (rpc_prog_info_key*) k1;
|
|
|
|
|
rpc_prog_info_key* key2 = (rpc_prog_info_key*) k2;
|
|
|
|
|
|
|
|
|
|
return ((key1->prog == key2->prog) ?
|
|
|
|
|
TRUE : FALSE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* calculate a hash key */
|
|
|
|
|
guint
|
|
|
|
|
rpc_prog_hash(gconstpointer k)
|
|
|
|
|
{
|
|
|
|
|
rpc_prog_info_key* key = (rpc_prog_info_key*) k;
|
|
|
|
|
|
|
|
|
|
return (key->prog);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
rpc_init_prog(int proto, guint32 prog, int ett)
|
|
|
|
|
{
|
|
|
|
|
rpc_prog_info_key *key;
|
|
|
|
|
rpc_prog_info_value *value;
|
1999-11-15 14:32:16 +00:00
|
|
|
char *uc_progname = NULL, *lc_progname = NULL;
|
1999-10-29 01:11:23 +00:00
|
|
|
|
|
|
|
|
key = (rpc_prog_info_key *) g_malloc(sizeof(rpc_prog_info_key));
|
|
|
|
|
key->prog = prog;
|
|
|
|
|
|
|
|
|
|
value = (rpc_prog_info_value *) g_malloc(sizeof(rpc_prog_info_value));
|
|
|
|
|
value->proto = proto;
|
|
|
|
|
value->ett = ett;
|
1999-11-15 14:32:16 +00:00
|
|
|
|
|
|
|
|
lc_progname = proto_registrar_get_abbrev(proto);
|
|
|
|
|
if ( lc_progname )
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
uc_progname = strdup(lc_progname);
|
|
|
|
|
for (i=0; i<strlen(uc_progname); i++)
|
|
|
|
|
{
|
|
|
|
|
uc_progname[i] = toupper(uc_progname[i]);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
value->progname = uc_progname;
|
1999-10-29 01:11:23 +00:00
|
|
|
|
|
|
|
|
g_hash_table_insert(rpc_progs,key,value);
|
|
|
|
|
}
|
|
|
|
|
|
1999-11-11 21:22:00 +00:00
|
|
|
/* return the name associated with a previously registered program. This
|
|
|
|
|
should probably eventually be expanded to use the rpc YP/NIS map
|
|
|
|
|
so that it can give names for programs not handled by ethereal */
|
|
|
|
|
char *rpc_prog_name(guint32 prog)
|
|
|
|
|
{
|
|
|
|
|
char *progname = NULL;
|
|
|
|
|
rpc_prog_info_key rpc_prog_key;
|
|
|
|
|
rpc_prog_info_value *rpc_prog;
|
|
|
|
|
|
|
|
|
|
rpc_prog_key.prog = prog;
|
|
|
|
|
if ((rpc_prog = g_hash_table_lookup(rpc_progs,&rpc_prog_key)) == NULL) {
|
|
|
|
|
progname = "Unknown";
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
progname = rpc_prog->progname;
|
|
|
|
|
}
|
|
|
|
|
return progname;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
1999-10-29 01:11:23 +00:00
|
|
|
/*--------------------------------------*/
|
|
|
|
|
/* end of Hash array with program names */
|
|
|
|
|
/*--------------------------------------*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Init the hash tables. It will be called from ethereal_proto_init().
|
|
|
|
|
* ethereal_proto_init() calls later proto_init(), which calls
|
|
|
|
|
* register_all_protocols().
|
|
|
|
|
* The proto_register_<some rpc program> functions use these hash tables
|
|
|
|
|
* here, so we need this order!
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
init_dissect_rpc()
|
|
|
|
|
{
|
|
|
|
|
rpc_progs = g_hash_table_new(rpc_prog_hash, rpc_prog_equal);
|
|
|
|
|
rpc_procs = g_hash_table_new(rpc_proc_hash, rpc_proc_equal);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* static array, first quick implementation, I'll switch over to GList soon */
|
|
|
|
|
rpc_call_info rpc_call_table[RPC_CALL_TABLE_LENGTH];
|
|
|
|
|
guint32 rpc_call_index = 0;
|
|
|
|
|
guint32 rpc_call_firstfree = 0;
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
rpc_call_insert(rpc_call_info *call)
|
|
|
|
|
{
|
|
|
|
|
/* some space left? */
|
|
|
|
|
if (rpc_call_firstfree<RPC_CALL_TABLE_LENGTH) {
|
|
|
|
|
/* some space left */
|
|
|
|
|
/* take the first free entry */
|
|
|
|
|
rpc_call_index = rpc_call_firstfree;
|
|
|
|
|
/* increase this limit */
|
|
|
|
|
rpc_call_firstfree++;
|
|
|
|
|
/* rpc_call_firstfree may now be RPC_CALL_TABLE_LENGTH */
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
/* no space left */
|
|
|
|
|
/* the next entry, with wrap around */
|
|
|
|
|
rpc_call_index = (rpc_call_index+1) % rpc_call_firstfree;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* put the entry in */
|
|
|
|
|
memcpy(&rpc_call_table[rpc_call_index],call,sizeof(*call));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
rpc_call_info*
|
|
|
|
|
rpc_call_lookup(rpc_call_info *call)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
i = rpc_call_index;
|
|
|
|
|
do {
|
|
|
|
|
if (
|
|
|
|
|
rpc_call_table[i].xid == call->xid &&
|
|
|
|
|
rpc_call_table[i].conversation == call->conversation
|
|
|
|
|
) {
|
|
|
|
|
return &rpc_call_table[i];
|
|
|
|
|
}
|
|
|
|
|
if (rpc_call_firstfree) {
|
|
|
|
|
/* decrement by one, go to rpc_call_firstfree-1
|
|
|
|
|
at the start of the list */
|
|
|
|
|
i = (i-1+rpc_call_firstfree) % rpc_call_firstfree;
|
|
|
|
|
}
|
|
|
|
|
} while (i!=rpc_call_index);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
unsigned int
|
1999-11-15 14:17:20 +00:00
|
|
|
rpc_roundup(unsigned int a)
|
1999-10-29 01:11:23 +00:00
|
|
|
{
|
|
|
|
|
unsigned int mod = a % 4;
|
|
|
|
|
return a + ((mod)? 4-mod : 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
1999-11-05 07:16:23 +00:00
|
|
|
int
|
|
|
|
|
dissect_rpc_uint32(const u_char *pd, int offset, frame_data *fd, proto_tree *tree,
|
|
|
|
|
char* name, char* type)
|
|
|
|
|
{
|
|
|
|
|
guint32 value;
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4)) return offset;
|
|
|
|
|
value = EXTRACT_UINT(pd, offset+0);
|
|
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
|
proto_tree_add_text(tree, offset, 4,
|
1999-11-15 14:17:20 +00:00
|
|
|
"%s: %u", name, value);
|
1999-11-05 07:16:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += 4;
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dissect_rpc_uint64(const u_char *pd, int offset, frame_data *fd, proto_tree *tree,
|
|
|
|
|
char* name, char* type)
|
|
|
|
|
{
|
|
|
|
|
guint32 value_low;
|
|
|
|
|
guint32 value_high;
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,8)) return offset;
|
|
|
|
|
value_high = EXTRACT_UINT(pd, offset+0);
|
|
|
|
|
value_low = EXTRACT_UINT(pd, offset+4);
|
|
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
|
if (value_high)
|
|
|
|
|
proto_tree_add_text(tree, offset, 8,
|
1999-11-15 14:17:20 +00:00
|
|
|
"%s: %x%08x", name, value_high, value_low);
|
1999-11-05 07:16:23 +00:00
|
|
|
else
|
|
|
|
|
proto_tree_add_text(tree, offset, 8,
|
1999-11-15 14:17:20 +00:00
|
|
|
"%s: %u", name, value_low);
|
1999-11-05 07:16:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += 8;
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* arbitrary limit */
|
1999-11-12 15:12:23 +00:00
|
|
|
#define RPC_STRING_MAXBUF 2048
|
1999-11-05 07:16:23 +00:00
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dissect_rpc_string(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, char* name)
|
|
|
|
|
{
|
|
|
|
|
proto_item *string_item;
|
|
|
|
|
proto_tree *string_tree = NULL;
|
|
|
|
|
|
|
|
|
|
guint32 string_length;
|
|
|
|
|
guint32 string_fill;
|
|
|
|
|
guint32 string_length_full;
|
|
|
|
|
char string_buffer[RPC_STRING_MAXBUF];
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4)) return offset;
|
|
|
|
|
string_length = EXTRACT_UINT(pd,offset+0);
|
1999-11-15 14:17:20 +00:00
|
|
|
string_length_full = rpc_roundup(string_length);
|
1999-11-05 07:16:23 +00:00
|
|
|
string_fill = string_length_full - string_length;
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset+4,string_length_full)) return offset;
|
|
|
|
|
if (string_length>=sizeof(string_buffer)) return offset;
|
|
|
|
|
memcpy(string_buffer,pd+offset+4,string_length);
|
|
|
|
|
string_buffer[string_length] = '\0';
|
|
|
|
|
if (tree) {
|
|
|
|
|
string_item = proto_tree_add_text(tree,offset+0,
|
|
|
|
|
4+string_length_full,
|
|
|
|
|
"%s: %s", name, string_buffer);
|
|
|
|
|
if (string_item) {
|
|
|
|
|
string_tree = proto_item_add_subtree(string_item, ETT_RPC_STRING);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (string_tree) {
|
|
|
|
|
proto_tree_add_text(string_tree,offset+0,4,
|
|
|
|
|
"length: %u", string_length);
|
|
|
|
|
proto_tree_add_text(string_tree,offset+4,string_length,
|
|
|
|
|
"text: %s", string_buffer);
|
|
|
|
|
if (string_fill)
|
|
|
|
|
proto_tree_add_text(string_tree,offset+4+string_length,string_fill,
|
|
|
|
|
"fill bytes: opaque data");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += 4 + string_length_full;
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
1999-11-11 16:20:25 +00:00
|
|
|
int
|
|
|
|
|
dissect_rpc_string_item(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int hfindex)
|
|
|
|
|
{
|
|
|
|
|
proto_item *string_item;
|
|
|
|
|
proto_tree *string_tree = NULL;
|
|
|
|
|
|
|
|
|
|
guint32 string_length;
|
|
|
|
|
guint32 string_fill;
|
|
|
|
|
guint32 string_length_full;
|
|
|
|
|
char string_buffer[RPC_STRING_MAXBUF];
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4)) return offset;
|
|
|
|
|
string_length = EXTRACT_UINT(pd,offset+0);
|
1999-11-15 14:17:20 +00:00
|
|
|
string_length_full = rpc_roundup(string_length);
|
1999-11-11 16:20:25 +00:00
|
|
|
string_fill = string_length_full - string_length;
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset+4,string_length_full)) return offset;
|
|
|
|
|
if (string_length>=sizeof(string_buffer)) return offset;
|
|
|
|
|
memcpy(string_buffer,pd+offset+4,string_length);
|
|
|
|
|
string_buffer[string_length] = '\0';
|
|
|
|
|
if (tree) {
|
|
|
|
|
string_item = proto_tree_add_text(tree,offset+0,
|
|
|
|
|
4+string_length_full,
|
|
|
|
|
"%s: %s", proto_registrar_get_name(hfindex), string_buffer);
|
|
|
|
|
proto_tree_add_item_hidden(tree, hfindex, offset+4,
|
|
|
|
|
string_length, string_buffer);
|
|
|
|
|
if (string_item) {
|
|
|
|
|
string_tree = proto_item_add_subtree(string_item, ETT_RPC_STRING);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (string_tree) {
|
|
|
|
|
proto_tree_add_text(string_tree,offset+0,4,
|
|
|
|
|
"length: %u", string_length);
|
|
|
|
|
proto_tree_add_text(string_tree,offset+4,string_length,
|
|
|
|
|
"text: %s", string_buffer);
|
|
|
|
|
if (string_fill)
|
|
|
|
|
proto_tree_add_text(string_tree,offset+4+string_length,string_fill,
|
|
|
|
|
"fill bytes: opaque data");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += 4 + string_length_full;
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
1999-11-05 07:16:23 +00:00
|
|
|
|
1999-10-29 01:11:23 +00:00
|
|
|
void
|
|
|
|
|
dissect_rpc_auth( const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
|
|
|
|
|
{
|
|
|
|
|
guint flavor;
|
|
|
|
|
guint length;
|
|
|
|
|
guint length_full;
|
|
|
|
|
|
|
|
|
|
/* both checks are made outside */
|
|
|
|
|
/* if (!BYTES_ARE_IN_FRAME(offset,8)) return; */
|
|
|
|
|
flavor = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
length = EXTRACT_UINT(pd,offset+4);
|
1999-11-15 14:17:20 +00:00
|
|
|
length_full = rpc_roundup(length);
|
1999-10-29 01:11:23 +00:00
|
|
|
/* if (!BYTES_ARE_IN_FRAME(offset+8,full_length)) return; */
|
|
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
|
proto_tree_add_text(tree,offset+0,4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Flavor: %s (%u)", val_to_str(flavor,rpc_auth_flavor,"Unknown"),flavor);
|
1999-10-29 01:11:23 +00:00
|
|
|
proto_tree_add_text(tree,offset+4,4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Length: %u", length);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += 8;
|
|
|
|
|
|
|
|
|
|
switch (flavor) {
|
|
|
|
|
case AUTH_UNIX: {
|
|
|
|
|
guint stamp;
|
|
|
|
|
guint uid;
|
|
|
|
|
guint gid;
|
|
|
|
|
guint gids_count;
|
|
|
|
|
guint gids_i;
|
|
|
|
|
guint gids_entry;
|
|
|
|
|
proto_item *gitem;
|
|
|
|
|
proto_tree *gtree = NULL;
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4)) return;
|
|
|
|
|
stamp = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (tree)
|
|
|
|
|
proto_tree_add_text(tree,offset+0,4,
|
|
|
|
|
"stamp: 0x%08x", stamp);
|
|
|
|
|
offset += 4;
|
|
|
|
|
|
1999-11-05 07:16:23 +00:00
|
|
|
offset = dissect_rpc_string(pd,offset,fd,tree,"machinename");
|
1999-10-29 01:11:23 +00:00
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4)) return;
|
|
|
|
|
uid = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (tree)
|
|
|
|
|
proto_tree_add_text(tree,offset+0,4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"uid: %u", uid);
|
1999-10-29 01:11:23 +00:00
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4)) return;
|
|
|
|
|
gid = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (tree)
|
|
|
|
|
proto_tree_add_text(tree,offset+0,4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"gid: %u", gid);
|
1999-10-29 01:11:23 +00:00
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4)) return;
|
|
|
|
|
gids_count = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (tree) {
|
|
|
|
|
gitem = proto_tree_add_text(tree, offset, 4+gids_count*4,
|
|
|
|
|
"gids");
|
|
|
|
|
gtree = proto_item_add_subtree(gitem, ETT_RPC_GIDS);
|
|
|
|
|
}
|
|
|
|
|
offset += 4;
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4*gids_count)) return;
|
|
|
|
|
for (gids_i = 0 ; gids_i < gids_count ; gids_i++) {
|
|
|
|
|
gids_entry = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (gtree)
|
|
|
|
|
proto_tree_add_text(gtree, offset, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"%u", gids_entry);
|
1999-10-29 01:11:23 +00:00
|
|
|
offset+=4;
|
|
|
|
|
}
|
|
|
|
|
/* how can I NOW change the gitem to print a list with
|
|
|
|
|
the first 16 gids? */
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
/*
|
|
|
|
|
case AUTH_SHORT:
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
*/
|
|
|
|
|
/* I have no tcpdump file with such a packet to verify the
|
|
|
|
|
info from the RFC 1050 */
|
|
|
|
|
/*
|
|
|
|
|
case AUTH_DES:
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
*/
|
|
|
|
|
default:
|
|
|
|
|
if (length_full) {
|
|
|
|
|
if (tree)
|
|
|
|
|
proto_tree_add_text(tree,offset,
|
|
|
|
|
length_full, "opaque data");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dissect_rpc_cred( const u_char *pd, int offset, frame_data *fd, proto_tree *tree )
|
|
|
|
|
{
|
|
|
|
|
guint length;
|
|
|
|
|
guint length_full;
|
|
|
|
|
proto_item *citem;
|
|
|
|
|
proto_tree *ctree;
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,8)) return offset;
|
|
|
|
|
length = EXTRACT_UINT(pd,offset+4);
|
1999-11-15 14:17:20 +00:00
|
|
|
length_full = rpc_roundup(length);
|
1999-10-29 01:11:23 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset+8,length_full)) return offset;
|
|
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
|
citem = proto_tree_add_text(tree, offset, 8+length_full,
|
|
|
|
|
"Credentials");
|
|
|
|
|
ctree = proto_item_add_subtree(citem, ETT_RPC_CRED);
|
|
|
|
|
dissect_rpc_auth(pd, offset, fd, ctree);
|
|
|
|
|
}
|
|
|
|
|
offset += 8 + length_full;
|
|
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
dissect_rpc_verf( const u_char *pd, int offset, frame_data *fd, proto_tree *tree )
|
|
|
|
|
{
|
|
|
|
|
unsigned int length;
|
|
|
|
|
unsigned int length_full;
|
|
|
|
|
proto_item *vitem;
|
|
|
|
|
proto_tree *vtree;
|
|
|
|
|
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,8)) return offset;
|
|
|
|
|
length = EXTRACT_UINT(pd,offset+4);
|
1999-11-15 14:17:20 +00:00
|
|
|
length_full = rpc_roundup(length);
|
1999-10-29 01:11:23 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset+8,length_full)) return offset;
|
|
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
|
vitem = proto_tree_add_text(tree, offset, 8+length_full,
|
|
|
|
|
"Verifier");
|
|
|
|
|
vtree = proto_item_add_subtree(vitem, ETT_RPC_VERF);
|
|
|
|
|
dissect_rpc_auth(pd, offset, fd, vtree);
|
|
|
|
|
}
|
|
|
|
|
offset += 8 + length_full;
|
|
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
1999-11-14 20:44:52 +00:00
|
|
|
gboolean
|
|
|
|
|
dissect_rpc( const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
|
1999-10-29 01:11:23 +00:00
|
|
|
{
|
1999-11-14 20:44:52 +00:00
|
|
|
guint32 msg_type;
|
|
|
|
|
rpc_call_info rpc_key;
|
|
|
|
|
rpc_call_info *rpc_call = NULL;
|
|
|
|
|
rpc_prog_info_value *rpc_prog = NULL;
|
|
|
|
|
rpc_prog_info_key rpc_prog_key;
|
|
|
|
|
|
1999-10-29 01:11:23 +00:00
|
|
|
unsigned int xid;
|
|
|
|
|
unsigned int rpcvers;
|
|
|
|
|
unsigned int prog;
|
|
|
|
|
unsigned int vers = 0;
|
|
|
|
|
unsigned int proc = 0;
|
|
|
|
|
int proto = 0;
|
|
|
|
|
int ett = 0;
|
|
|
|
|
|
|
|
|
|
unsigned int reply_state;
|
|
|
|
|
unsigned int accept_state;
|
|
|
|
|
unsigned int reject_state;
|
|
|
|
|
|
|
|
|
|
char *msg_type_name = NULL;
|
|
|
|
|
char *progname;
|
|
|
|
|
char *procname = NULL;
|
|
|
|
|
static char procname_static[20];
|
|
|
|
|
|
|
|
|
|
unsigned int vers_low;
|
|
|
|
|
unsigned int vers_high;
|
|
|
|
|
|
|
|
|
|
unsigned int auth_state;
|
|
|
|
|
|
|
|
|
|
proto_item *rpc_item=NULL;
|
|
|
|
|
proto_tree *rpc_tree = NULL;
|
|
|
|
|
|
|
|
|
|
proto_item *pitem=NULL;
|
|
|
|
|
proto_tree *ptree = NULL;
|
|
|
|
|
int offset_old = offset;
|
|
|
|
|
|
|
|
|
|
rpc_call_info rpc_call_msg;
|
|
|
|
|
rpc_proc_info_key key;
|
|
|
|
|
rpc_proc_info_value *value = NULL;
|
|
|
|
|
conversation_t* conversation;
|
For ONC RPC, when constructing conversations, use a null address as the
destination address for calls and the source address of the reply - we
should't require the server address to be the same for a call and reply,
as they may not be on a multi-homed server (clients presumably check the
XID only, or perhaps the XID and the port whence the reply came,
although with TI-RPC I don't think they can check the port without
checking the address as well).
This requires that the conversation code not assume that the source and
destination addresses for a given packet in a conversation have the same
type, so, when comparing addresses for equality, it must explicitly
check the address types.
In said code, also check the port numbers before we check the addresses
- testing ports is cheaper, as they're just integers, and there's
probably a decent chance that you won't see two conversations between
different pairs of hosts and the *same* pair of ports in a capture file,
so the cheaper port tests are probably decently likely to fail first.
svn path=/trunk/; revision=1031
1999-11-14 21:16:58 +00:00
|
|
|
static address null_address = { AT_NONE, 0, NULL };
|
1999-10-29 01:11:23 +00:00
|
|
|
|
|
|
|
|
dissect_function_t *dissect_function = NULL;
|
|
|
|
|
|
1999-11-14 20:44:52 +00:00
|
|
|
/*
|
|
|
|
|
* Check to see whether this looks like an RPC call or reply.
|
|
|
|
|
*/
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,8)) {
|
|
|
|
|
/* Captured data in packet isn't enough to let us tell. */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* both directions need at least this */
|
|
|
|
|
msg_type = EXTRACT_UINT(pd,offset+4);
|
|
|
|
|
|
|
|
|
|
switch (msg_type) {
|
|
|
|
|
|
|
|
|
|
case RPC_CALL:
|
|
|
|
|
/* check for RPC call */
|
|
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,16)) {
|
|
|
|
|
/* Captured data in packet isn't enough to let us
|
|
|
|
|
tell. */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* XID can be anything, we don't check it.
|
|
|
|
|
We already have the message type.
|
|
|
|
|
Check whether an RPC version number of 2 is in the
|
|
|
|
|
location where it would be, and that an RPC program
|
|
|
|
|
number we know about is in the locaton where it would be. */
|
|
|
|
|
rpc_prog_key.prog = EXTRACT_UINT(pd,offset+12);
|
|
|
|
|
if (EXTRACT_UINT(pd,offset+8) != 2 ||
|
|
|
|
|
((rpc_prog = g_hash_table_lookup(rpc_progs, &rpc_prog_key))
|
|
|
|
|
== NULL)) {
|
|
|
|
|
/* They're not, so it's probably not an RPC call. */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case RPC_REPLY:
|
For ONC RPC, when constructing conversations, use a null address as the
destination address for calls and the source address of the reply - we
should't require the server address to be the same for a call and reply,
as they may not be on a multi-homed server (clients presumably check the
XID only, or perhaps the XID and the port whence the reply came,
although with TI-RPC I don't think they can check the port without
checking the address as well).
This requires that the conversation code not assume that the source and
destination addresses for a given packet in a conversation have the same
type, so, when comparing addresses for equality, it must explicitly
check the address types.
In said code, also check the port numbers before we check the addresses
- testing ports is cheaper, as they're just integers, and there's
probably a decent chance that you won't see two conversations between
different pairs of hosts and the *same* pair of ports in a capture file,
so the cheaper port tests are probably decently likely to fail first.
svn path=/trunk/; revision=1031
1999-11-14 21:16:58 +00:00
|
|
|
/* Check for RPC reply. A reply must match a call that
|
|
|
|
|
we've seen, and the reply must be sent to the same
|
|
|
|
|
port and address that the call came from, and must
|
|
|
|
|
come from the port to which the call was sent. (We
|
|
|
|
|
don't worry about the address to which the call was
|
|
|
|
|
sent and from which the reply was sent, because there's
|
|
|
|
|
no guarantee that the reply will come from the address
|
|
|
|
|
to which the call was sent.) */
|
|
|
|
|
conversation = find_conversation(&null_address, &pi.dst,
|
1999-11-14 20:44:52 +00:00
|
|
|
pi.ptype, pi.srcport, pi.destport);
|
|
|
|
|
if (conversation == NULL) {
|
|
|
|
|
/* We haven't seen an RPC call for that conversation,
|
|
|
|
|
so we can't check for a reply to that call. */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
For ONC RPC, when constructing conversations, use a null address as the
destination address for calls and the source address of the reply - we
should't require the server address to be the same for a call and reply,
as they may not be on a multi-homed server (clients presumably check the
XID only, or perhaps the XID and the port whence the reply came,
although with TI-RPC I don't think they can check the port without
checking the address as well).
This requires that the conversation code not assume that the source and
destination addresses for a given packet in a conversation have the same
type, so, when comparing addresses for equality, it must explicitly
check the address types.
In said code, also check the port numbers before we check the addresses
- testing ports is cheaper, as they're just integers, and there's
probably a decent chance that you won't see two conversations between
different pairs of hosts and the *same* pair of ports in a capture file,
so the cheaper port tests are probably decently likely to fail first.
svn path=/trunk/; revision=1031
1999-11-14 21:16:58 +00:00
|
|
|
|
|
|
|
|
/* The XIDs of the call and reply must match. */
|
1999-11-14 20:44:52 +00:00
|
|
|
rpc_key.xid = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
rpc_key.conversation = conversation;
|
|
|
|
|
if ((rpc_call = rpc_call_lookup(&rpc_key)) == NULL) {
|
|
|
|
|
/* The XID doesn't match a call from that
|
|
|
|
|
conversation, so it's probably not an RPC reply. */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
/* The putative message type field contains neither
|
|
|
|
|
RPC_CALL nor RPC_REPLY, so it's not an RPC call or
|
|
|
|
|
reply. */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
1999-10-29 01:11:23 +00:00
|
|
|
if (check_col(fd, COL_PROTOCOL))
|
|
|
|
|
col_add_str(fd, COL_PROTOCOL, "RPC");
|
|
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
|
rpc_item = proto_tree_add_item(tree, proto_rpc, offset, END_OF_FRAME, NULL);
|
|
|
|
|
if (rpc_item) {
|
|
|
|
|
rpc_tree = proto_item_add_subtree(rpc_item, ETT_RPC);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
xid = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,offset+0,4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"XID: 0x%x (%u)", xid, xid);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
1999-11-05 07:16:23 +00:00
|
|
|
msg_type_name = val_to_str(msg_type,rpc_msg_type,"%u");
|
1999-10-29 01:11:23 +00:00
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,offset+4,4,
|
1999-11-15 14:57:38 +00:00
|
|
|
"Message Type: %s (%u)",
|
1999-10-29 01:11:23 +00:00
|
|
|
msg_type_name, msg_type);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += 8;
|
|
|
|
|
|
|
|
|
|
if (msg_type==RPC_CALL) {
|
1999-11-14 20:44:52 +00:00
|
|
|
/* we know already the proto-entry, the ETT-const,
|
|
|
|
|
and "rpc_prog" */
|
1999-10-29 01:11:23 +00:00
|
|
|
proto = rpc_prog->proto;
|
|
|
|
|
ett = rpc_prog->ett;
|
|
|
|
|
progname = rpc_prog->progname;
|
|
|
|
|
|
|
|
|
|
rpcvers = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,offset+0,4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"RPC Version: %u", rpcvers);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
prog = EXTRACT_UINT(pd,offset+4);
|
|
|
|
|
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,offset+4,4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Program: %s (%u)", progname, prog);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (check_col(fd, COL_PROTOCOL)) {
|
1999-10-29 02:25:54 +00:00
|
|
|
/* Set the protocol name to the underlying
|
|
|
|
|
program name. */
|
|
|
|
|
col_add_fstr(fd, COL_PROTOCOL, "%s", progname);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
1999-11-14 20:44:52 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset+8,4))
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
vers = EXTRACT_UINT(pd,offset+8);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,offset+8,4,
|
1999-10-29 02:25:54 +00:00
|
|
|
"Program Version: %u",vers);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
1999-11-14 20:44:52 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset+12,4))
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
proc = EXTRACT_UINT(pd,offset+12);
|
|
|
|
|
|
|
|
|
|
key.prog = prog;
|
|
|
|
|
key.vers = vers;
|
|
|
|
|
key.proc = proc;
|
|
|
|
|
|
|
|
|
|
value = g_hash_table_lookup(rpc_procs,&key);
|
|
|
|
|
if (value != NULL) {
|
|
|
|
|
dissect_function = value->dissect_call;
|
|
|
|
|
procname = value->name;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
/* happens only with strange program versions or
|
|
|
|
|
non-existing dissectors */
|
|
|
|
|
dissect_function = NULL;
|
1999-11-05 07:16:23 +00:00
|
|
|
sprintf(procname_static, "proc-%u", proc);
|
1999-10-29 01:11:23 +00:00
|
|
|
procname = procname_static;
|
|
|
|
|
}
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,offset+12,4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Procedure: %s (%u)", procname, proc);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
1999-10-29 02:25:54 +00:00
|
|
|
if (check_col(fd, COL_INFO)) {
|
|
|
|
|
col_add_fstr(fd, COL_INFO,"V%u %s %s XID 0x%x",
|
|
|
|
|
vers,
|
1999-10-29 01:11:23 +00:00
|
|
|
procname,
|
1999-10-29 02:25:54 +00:00
|
|
|
msg_type_name,
|
|
|
|
|
xid);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
For ONC RPC, when constructing conversations, use a null address as the
destination address for calls and the source address of the reply - we
should't require the server address to be the same for a call and reply,
as they may not be on a multi-homed server (clients presumably check the
XID only, or perhaps the XID and the port whence the reply came,
although with TI-RPC I don't think they can check the port without
checking the address as well).
This requires that the conversation code not assume that the source and
destination addresses for a given packet in a conversation have the same
type, so, when comparing addresses for equality, it must explicitly
check the address types.
In said code, also check the port numbers before we check the addresses
- testing ports is cheaper, as they're just integers, and there's
probably a decent chance that you won't see two conversations between
different pairs of hosts and the *same* pair of ports in a capture file,
so the cheaper port tests are probably decently likely to fail first.
svn path=/trunk/; revision=1031
1999-11-14 21:16:58 +00:00
|
|
|
/* Keep track of the address and port whence the call came,
|
|
|
|
|
and the port to which the call is being sent, so that
|
|
|
|
|
we can match up calls wityh replies. (We don't worry
|
|
|
|
|
about the address to which the call was sent and from
|
|
|
|
|
which the reply was sent, because there's no
|
|
|
|
|
guarantee that the reply will come from the address
|
|
|
|
|
to which the call was sent.) */
|
|
|
|
|
conversation = find_conversation(&pi.src, &null_address,
|
|
|
|
|
pi.ptype, pi.srcport, pi.destport);
|
1999-10-29 01:11:23 +00:00
|
|
|
if (conversation == NULL) {
|
|
|
|
|
/* It's not part of any conversation - create a new one. */
|
For ONC RPC, when constructing conversations, use a null address as the
destination address for calls and the source address of the reply - we
should't require the server address to be the same for a call and reply,
as they may not be on a multi-homed server (clients presumably check the
XID only, or perhaps the XID and the port whence the reply came,
although with TI-RPC I don't think they can check the port without
checking the address as well).
This requires that the conversation code not assume that the source and
destination addresses for a given packet in a conversation have the same
type, so, when comparing addresses for equality, it must explicitly
check the address types.
In said code, also check the port numbers before we check the addresses
- testing ports is cheaper, as they're just integers, and there's
probably a decent chance that you won't see two conversations between
different pairs of hosts and the *same* pair of ports in a capture file,
so the cheaper port tests are probably decently likely to fail first.
svn path=/trunk/; revision=1031
1999-11-14 21:16:58 +00:00
|
|
|
conversation = conversation_new(&pi.src, &null_address,
|
|
|
|
|
pi.ptype, pi.srcport, pi.destport, NULL);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* prepare the key data */
|
|
|
|
|
rpc_call_msg.xid = xid;
|
|
|
|
|
rpc_call_msg.conversation = conversation;
|
|
|
|
|
|
|
|
|
|
/* look up the request */
|
|
|
|
|
if (rpc_call_lookup(&rpc_call_msg)) {
|
|
|
|
|
/* duplicate request */
|
|
|
|
|
if (check_col(fd, COL_INFO)) {
|
1999-10-29 02:25:54 +00:00
|
|
|
col_append_fstr(fd, COL_INFO, " dup XID 0x%x", xid);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
/* prepare the value data */
|
|
|
|
|
rpc_call_msg.replies = 0;
|
|
|
|
|
rpc_call_msg.prog = prog;
|
|
|
|
|
rpc_call_msg.vers = vers;
|
|
|
|
|
rpc_call_msg.proc = proc;
|
|
|
|
|
rpc_call_msg.proc_info = value;
|
|
|
|
|
/* store it */
|
|
|
|
|
rpc_call_insert(&rpc_call_msg);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += 16;
|
|
|
|
|
|
|
|
|
|
offset = dissect_rpc_cred(pd, offset, fd, rpc_tree);
|
|
|
|
|
offset = dissect_rpc_verf(pd, offset, fd, rpc_tree);
|
|
|
|
|
|
|
|
|
|
/* go to the next dissector */
|
|
|
|
|
/* goto dissect_rpc_prog; */
|
|
|
|
|
|
|
|
|
|
} /* end of RPC call */
|
|
|
|
|
else if (msg_type == RPC_REPLY)
|
|
|
|
|
{
|
1999-11-14 20:44:52 +00:00
|
|
|
/* we know already the type from the calling routine,
|
|
|
|
|
and we already have "rpc_call" set above. */
|
1999-10-29 01:11:23 +00:00
|
|
|
prog = rpc_call->prog;
|
|
|
|
|
vers = rpc_call->vers;
|
|
|
|
|
proc = rpc_call->proc;
|
|
|
|
|
if (rpc_call->proc_info != NULL) {
|
|
|
|
|
dissect_function = rpc_call->proc_info->dissect_reply;
|
|
|
|
|
if (rpc_call->proc_info->name != NULL) {
|
|
|
|
|
procname = rpc_call->proc_info->name;
|
|
|
|
|
}
|
|
|
|
|
else {
|
1999-11-05 07:16:23 +00:00
|
|
|
sprintf(procname_static, "proc-%u", proc);
|
1999-10-29 01:11:23 +00:00
|
|
|
procname = procname_static;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
dissect_function = NULL;
|
1999-11-05 07:16:23 +00:00
|
|
|
sprintf(procname_static, "proc-%u", proc);
|
1999-10-29 01:11:23 +00:00
|
|
|
procname = procname_static;
|
|
|
|
|
}
|
|
|
|
|
rpc_call->replies++;
|
|
|
|
|
|
|
|
|
|
rpc_prog_key.prog = prog;
|
|
|
|
|
if ((rpc_prog = g_hash_table_lookup(rpc_progs,&rpc_prog_key)) == NULL) {
|
|
|
|
|
proto = 0;
|
|
|
|
|
ett = 0;
|
|
|
|
|
progname = "Unknown";
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
proto = rpc_prog->proto;
|
|
|
|
|
ett = rpc_prog->ett;
|
|
|
|
|
progname = rpc_prog->progname;
|
1999-10-29 02:25:54 +00:00
|
|
|
|
|
|
|
|
if (check_col(fd, COL_PROTOCOL)) {
|
|
|
|
|
/* Set the protocol name to the underlying
|
|
|
|
|
program name. */
|
|
|
|
|
col_add_fstr(fd, COL_PROTOCOL, "%s",
|
|
|
|
|
progname);
|
|
|
|
|
}
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
1999-10-29 02:25:54 +00:00
|
|
|
if (check_col(fd, COL_INFO)) {
|
|
|
|
|
col_add_fstr(fd, COL_INFO,"V%u %s %s XID 0x%x",
|
|
|
|
|
vers,
|
1999-10-29 01:11:23 +00:00
|
|
|
procname,
|
1999-10-29 02:25:54 +00:00
|
|
|
msg_type_name,
|
|
|
|
|
xid);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,0,0,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Program: %s (%u)",
|
1999-10-29 01:11:23 +00:00
|
|
|
progname, prog);
|
|
|
|
|
proto_tree_add_text(rpc_tree,0,0,
|
1999-10-29 02:25:54 +00:00
|
|
|
"Program Version: %u", vers);
|
1999-10-29 01:11:23 +00:00
|
|
|
proto_tree_add_text(rpc_tree,0,0,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Procedure: %s (%u)", procname, proc);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (rpc_call->replies>1) {
|
|
|
|
|
if (check_col(fd, COL_INFO)) {
|
1999-10-29 02:25:54 +00:00
|
|
|
col_append_fstr(fd, COL_INFO, " dup XID 0x%x", xid);
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
1999-11-14 20:44:52 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4))
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
reply_state = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,offset+0, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Reply State: %s (%u)",
|
1999-10-29 01:11:23 +00:00
|
|
|
val_to_str(reply_state,rpc_reply_state,"Unknown"),
|
|
|
|
|
reply_state);
|
|
|
|
|
}
|
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
|
|
if (reply_state == MSG_ACCEPTED) {
|
|
|
|
|
offset = dissect_rpc_verf(pd, offset, fd, rpc_tree);
|
1999-11-14 20:44:52 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4))
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
accept_state = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,offset+0, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Accept State: %s (%u)",
|
1999-10-29 01:11:23 +00:00
|
|
|
val_to_str(accept_state,rpc_accept_state,"Unknown"),
|
|
|
|
|
accept_state);
|
|
|
|
|
}
|
|
|
|
|
offset += 4;
|
|
|
|
|
switch (accept_state) {
|
|
|
|
|
case SUCCESS:
|
|
|
|
|
/* now goto the lower protocol */
|
|
|
|
|
goto dissect_rpc_prog;
|
|
|
|
|
break;
|
|
|
|
|
case PROG_MISMATCH:
|
1999-11-14 20:44:52 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,8))
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
vers_low = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
vers_high = EXTRACT_UINT(pd,offset+4);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,
|
|
|
|
|
offset+0, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"min. Program Version: %u",
|
1999-10-29 01:11:23 +00:00
|
|
|
vers_low);
|
|
|
|
|
proto_tree_add_text(rpc_tree,
|
|
|
|
|
offset+4, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"max. Program Version: %u",
|
1999-10-29 01:11:23 +00:00
|
|
|
vers_high);
|
|
|
|
|
}
|
|
|
|
|
offset += 8;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
/* void */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} else if (reply_state == MSG_DENIED) {
|
1999-11-14 20:44:52 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4))
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
reject_state = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree, offset+0, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Reject State: %s (%u)",
|
1999-10-29 01:11:23 +00:00
|
|
|
val_to_str(reject_state,rpc_reject_state,"Unknown"),
|
|
|
|
|
reject_state);
|
|
|
|
|
}
|
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
|
|
if (reject_state==RPC_MISMATCH) {
|
1999-11-14 20:44:52 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,8))
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
vers_low = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
vers_high = EXTRACT_UINT(pd,offset+4);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,
|
|
|
|
|
offset+0, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"min. RPC Version: %u",
|
1999-10-29 01:11:23 +00:00
|
|
|
vers_low);
|
|
|
|
|
proto_tree_add_text(rpc_tree,
|
|
|
|
|
offset+4, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"max. RPC Version: %u",
|
1999-10-29 01:11:23 +00:00
|
|
|
vers_high);
|
|
|
|
|
}
|
|
|
|
|
offset += 8;
|
|
|
|
|
} else if (reject_state==AUTH_ERROR) {
|
1999-11-14 20:44:52 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset,4))
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
auth_state = EXTRACT_UINT(pd,offset+0);
|
|
|
|
|
if (rpc_tree) {
|
|
|
|
|
proto_tree_add_text(rpc_tree,
|
|
|
|
|
offset+0, 4,
|
1999-11-05 07:16:23 +00:00
|
|
|
"Authentication error: %s (%u)",
|
1999-10-29 01:11:23 +00:00
|
|
|
val_to_str(auth_state,rpc_auth_state,"Unknown"),
|
|
|
|
|
auth_state);
|
|
|
|
|
}
|
|
|
|
|
offset += 4;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} /* end of RPC reply */
|
|
|
|
|
|
|
|
|
|
dissect_rpc_prog:
|
|
|
|
|
/* I know, goto is evil but it works as it is. */
|
|
|
|
|
|
|
|
|
|
/* now we know, that RPC was shorter */
|
|
|
|
|
if (rpc_item) {
|
|
|
|
|
proto_item_set_len(rpc_item, offset - offset_old);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* create here the program specific sub-tree */
|
|
|
|
|
if (tree) {
|
|
|
|
|
pitem = proto_tree_add_item(tree, proto, offset, END_OF_FRAME);
|
|
|
|
|
if (pitem)
|
|
|
|
|
ptree = proto_item_add_subtree(pitem, ett);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* call a specific dissection */
|
|
|
|
|
if (dissect_function != NULL) {
|
|
|
|
|
offset = dissect_function(pd, offset, fd, ptree);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* dissect any remaining bytes (incomplete dissection) as pure data in
|
|
|
|
|
the ptree */
|
|
|
|
|
dissect_data(pd, offset, fd, ptree);
|
1999-11-14 20:44:52 +00:00
|
|
|
|
|
|
|
|
return TRUE;
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* will be called from file.c on every new file open */
|
|
|
|
|
void
|
|
|
|
|
rpc_init_protocol(void)
|
|
|
|
|
{
|
|
|
|
|
rpc_call_index = 0;
|
|
|
|
|
rpc_call_firstfree = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* will be called once from register.c at startup time */
|
|
|
|
|
void
|
|
|
|
|
proto_register_rpc(void)
|
|
|
|
|
{
|
1999-11-15 14:57:38 +00:00
|
|
|
static hf_register_info hf[] = {
|
|
|
|
|
{ &hf_rpc_xid, {
|
|
|
|
|
"XID", "rpc.xid", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "XID" }},
|
|
|
|
|
{ &hf_rpc_msgtype, {
|
|
|
|
|
"Message Type", "rpc.msgtyp", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "Message Type" }},
|
|
|
|
|
{ &hf_rpc_rpcversion, {
|
|
|
|
|
"RPC Version", "rpc.version", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "RPC Version" }},
|
|
|
|
|
{ &hf_rpc_program, {
|
|
|
|
|
"Program", "rpc.program", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "Program" }},
|
|
|
|
|
{ &hf_rpc_programversion, {
|
|
|
|
|
"Program Version", "rpc.programversion", FT_UINT32,
|
|
|
|
|
BASE_HEX, NULL, 0, "Program Version" }},
|
|
|
|
|
{ &hf_rpc_procedure, {
|
|
|
|
|
"Procedure", "rpc.procedure", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "Procedure" }},
|
|
|
|
|
{ &hf_rpc_cred_flavor, {
|
|
|
|
|
"Flavor", "rpc.cred.flavor", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "Flavor" }},
|
|
|
|
|
{ &hf_rpc_cred_length, {
|
|
|
|
|
"Length", "rpc.cred.length", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "Length" }},
|
|
|
|
|
{ &hf_rpc_verify_flavor, {
|
|
|
|
|
"Flavor", "rpc.verify.flavor", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "Flavor" }},
|
|
|
|
|
{ &hf_rpc_verify_length, {
|
|
|
|
|
"Length", "rpc.verify.length", FT_UINT32, BASE_HEX,
|
|
|
|
|
NULL, 0, "Length" }},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
1999-10-29 01:11:23 +00:00
|
|
|
proto_rpc = proto_register_protocol("Remote Procedure Call", "rpc");
|
1999-11-15 14:57:38 +00:00
|
|
|
proto_register_field_array(proto_rpc, hf, array_length(hf));
|
1999-10-29 01:11:23 +00:00
|
|
|
}
|