2011-06-09 21:21:06 +00:00
|
|
|
/* mime_file.c
|
|
|
|
*
|
|
|
|
* MIME file format decoder for the Wiretap library.
|
|
|
|
*
|
2011-07-04 01:39:13 +00:00
|
|
|
* This is for use with Wireshark dissectors that handle file
|
|
|
|
* formats (e.g., because they handle a particular MIME media type).
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
* It breaks the file into chunks of at most WTAP_MAX_PACKET_SIZE_STANDARD,
|
2011-07-04 01:39:13 +00:00
|
|
|
* each of which is reported as a packet, so that files larger than
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
* WTAP_MAX_PACKET_SIZE_STANDARD can be handled by reassembly.
|
2011-07-04 01:39:13 +00:00
|
|
|
*
|
|
|
|
* The "MIME file" dissector does the reassembly, and hands the result
|
|
|
|
* off to heuristic dissectors to try to identify the file's contents.
|
|
|
|
*
|
2011-06-09 21:21:06 +00:00
|
|
|
* Wiretap Library
|
2018-04-30 07:47:58 +00:00
|
|
|
*
|
|
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
|
|
|
*/
|
2011-06-09 21:21:06 +00:00
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
|
|
|
#ifdef HAVE_UNISTD_H
|
|
|
|
#include <unistd.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <errno.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <time.h>
|
|
|
|
|
|
|
|
#include "wtap-int.h"
|
|
|
|
#include "file_wrappers.h"
|
2014-07-15 23:40:46 +00:00
|
|
|
#include <wsutil/buffer.h>
|
2011-06-09 21:21:06 +00:00
|
|
|
#include "mime_file.h"
|
|
|
|
|
|
|
|
typedef struct {
|
2011-09-01 09:43:10 +00:00
|
|
|
const guint8 *magic;
|
2011-06-09 22:01:57 +00:00
|
|
|
guint magic_len;
|
2011-06-09 21:21:06 +00:00
|
|
|
} mime_files_t;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Written by Marton Nemeth <nm127@freemail.hu>
|
|
|
|
* Copyright 2009 Marton Nemeth
|
2019-07-28 04:20:27 +00:00
|
|
|
* The JPEG specification can be found at:
|
2011-06-09 21:21:06 +00:00
|
|
|
*
|
2019-07-28 04:20:27 +00:00
|
|
|
* https://www.w3.org/Graphics/JPEG/itu-t81.pdf
|
|
|
|
* https://www.itu.int/rec/T-REC-T.81/en (but you have to pay for it)
|
|
|
|
*
|
|
|
|
* and the JFIF specification can be found at:
|
|
|
|
*
|
|
|
|
* https://www.itu.int/rec/T-REC-T.871-201105-I/en
|
|
|
|
* https://www.w3.org/Graphics/JPEG/jfif3.pdf
|
2011-06-09 21:21:06 +00:00
|
|
|
*/
|
2011-09-01 09:43:10 +00:00
|
|
|
static const guint8 jpeg_jfif_magic[] = { 0xFF, 0xD8, /* SOF */
|
2011-06-09 21:21:06 +00:00
|
|
|
0xFF /* start of the next marker */
|
|
|
|
};
|
|
|
|
|
2012-04-04 20:52:52 +00:00
|
|
|
/* <?xml */
|
2013-01-30 19:26:05 +00:00
|
|
|
static const guint8 xml_magic[] = { '<', '?', 'x', 'm', 'l' };
|
2013-01-30 22:55:32 +00:00
|
|
|
static const guint8 png_magic[] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n' };
|
2013-01-30 19:26:05 +00:00
|
|
|
static const guint8 gif87a_magic[] = { 'G', 'I', 'F', '8', '7', 'a'};
|
|
|
|
static const guint8 gif89a_magic[] = { 'G', 'I', 'F', '8', '9', 'a'};
|
2013-10-23 01:36:49 +00:00
|
|
|
static const guint8 elf_magic[] = { 0x7F, 'E', 'L', 'F'};
|
2014-01-20 12:19:23 +00:00
|
|
|
static const guint8 btsnoop_magic[] = { 'b', 't', 's', 'n', 'o', 'o', 'p', 0};
|
2015-06-26 13:40:22 +00:00
|
|
|
static const guint8 pcap_magic[] = { 0xA1, 0xB2, 0xC3, 0xD4 };
|
|
|
|
static const guint8 pcap_swapped_magic[] = { 0xD4, 0xC3, 0xB2, 0xA1 };
|
|
|
|
static const guint8 pcapng_premagic[] = { 0x0A, 0x0D, 0x0D, 0x0A };
|
|
|
|
|
|
|
|
/* File does not start with it */
|
|
|
|
static const guint8 pcapng_xmagic[] = { 0x1A, 0x2B, 0x3C, 0x4D };
|
|
|
|
static const guint8 pcapng_swapped_xmagic[] = { 0x4D, 0x3C, 0x2B, 0x1A };
|
2012-04-04 20:52:52 +00:00
|
|
|
|
2011-06-09 21:21:06 +00:00
|
|
|
static const mime_files_t magic_files[] = {
|
2012-04-04 20:52:52 +00:00
|
|
|
{ jpeg_jfif_magic, sizeof(jpeg_jfif_magic) },
|
2013-01-30 19:26:05 +00:00
|
|
|
{ xml_magic, sizeof(xml_magic) },
|
2013-01-30 22:55:32 +00:00
|
|
|
{ png_magic, sizeof(png_magic) },
|
|
|
|
{ gif87a_magic, sizeof(gif87a_magic) },
|
2013-10-23 01:36:49 +00:00
|
|
|
{ gif89a_magic, sizeof(gif89a_magic) },
|
2014-01-20 12:19:23 +00:00
|
|
|
{ elf_magic, sizeof(elf_magic) },
|
2015-06-26 13:40:22 +00:00
|
|
|
{ btsnoop_magic, sizeof(btsnoop_magic) },
|
|
|
|
{ pcap_magic, sizeof(pcap_magic) },
|
|
|
|
{ pcap_swapped_magic, sizeof(pcap_swapped_magic) },
|
|
|
|
{ pcapng_premagic, sizeof(pcapng_premagic) }
|
2011-06-09 21:21:06 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
#define N_MAGIC_TYPES (sizeof(magic_files) / sizeof(magic_files[0]))
|
|
|
|
|
2014-10-09 23:44:15 +00:00
|
|
|
wtap_open_return_val
|
2014-05-09 05:18:49 +00:00
|
|
|
mime_file_open(wtap *wth, int *err, gchar **err_info)
|
2011-06-09 21:21:06 +00:00
|
|
|
{
|
2011-06-09 22:01:57 +00:00
|
|
|
char magic_buf[128]; /* increase buffer size when needed */
|
2011-06-09 21:21:06 +00:00
|
|
|
int bytes_read;
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
gboolean found_file;
|
|
|
|
/* guint file_ok; */
|
2011-06-09 21:21:06 +00:00
|
|
|
guint i;
|
|
|
|
|
2015-06-26 13:40:22 +00:00
|
|
|
guint read_bytes = 12;
|
2011-06-09 21:21:06 +00:00
|
|
|
|
|
|
|
for (i = 0; i < N_MAGIC_TYPES; i++)
|
|
|
|
read_bytes = MAX(read_bytes, magic_files[i].magic_len);
|
|
|
|
|
2012-12-21 03:32:16 +00:00
|
|
|
read_bytes = (guint)MIN(read_bytes, sizeof(magic_buf));
|
2014-05-09 05:18:49 +00:00
|
|
|
bytes_read = file_read(magic_buf, read_bytes, wth->fh);
|
2011-06-09 21:21:06 +00:00
|
|
|
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
if (bytes_read < 0) {
|
2014-05-09 05:18:49 +00:00
|
|
|
*err = file_error(wth->fh, err_info);
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
}
|
|
|
|
if (bytes_read == 0)
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_NOT_MINE;
|
2013-11-08 17:17:57 +00:00
|
|
|
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
found_file = FALSE;
|
|
|
|
for (i = 0; i < N_MAGIC_TYPES; i++) {
|
|
|
|
if ((guint) bytes_read >= magic_files[i].magic_len && !memcmp(magic_buf, magic_files[i].magic, MIN(magic_files[i].magic_len, (guint) bytes_read))) {
|
|
|
|
if (!found_file) {
|
2015-06-26 13:40:22 +00:00
|
|
|
if (magic_files[i].magic == pcapng_premagic) {
|
|
|
|
if (memcmp(magic_buf + 8, pcapng_xmagic, sizeof(pcapng_xmagic)) &&
|
|
|
|
memcmp(magic_buf + 8, pcapng_swapped_xmagic, sizeof(pcapng_swapped_xmagic)))
|
|
|
|
continue;
|
|
|
|
}
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
found_file = TRUE;
|
|
|
|
} else
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_NOT_MINE; /* many files matched, bad file */
|
2011-06-09 21:21:06 +00:00
|
|
|
}
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
}
|
2011-06-09 21:21:06 +00:00
|
|
|
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
if (!found_file)
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_NOT_MINE;
|
2011-06-09 21:21:06 +00:00
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
if (file_seek(wth->fh, 0, SEEK_SET, err) == -1)
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2011-06-09 21:21:06 +00:00
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_MIME;
|
|
|
|
wth->file_encap = WTAP_ENCAP_MIME;
|
2014-09-28 18:37:06 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_SEC;
|
2018-11-10 22:03:16 +00:00
|
|
|
wth->subtype_read = wtap_full_file_read;
|
|
|
|
wth->subtype_seek_read = wtap_full_file_seek_read;
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->snapshot_length = 0;
|
2011-06-09 21:21:06 +00:00
|
|
|
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_MINE;
|
2011-06-09 21:21:06 +00:00
|
|
|
}
|
2015-01-02 00:45:22 +00:00
|
|
|
|
|
|
|
/*
|
2019-07-26 18:43:17 +00:00
|
|
|
* Editor modelines - https://www.wireshark.org/tools/modelines.html
|
2015-01-02 00:45:22 +00:00
|
|
|
*
|
|
|
|
* Local variables:
|
|
|
|
* c-basic-offset: 8
|
|
|
|
* tab-width: 8
|
|
|
|
* indent-tabs-mode: t
|
|
|
|
* End:
|
|
|
|
*
|
|
|
|
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
|
|
|
|
* :indentSize=8:tabSize=8:noTabs=false:
|
|
|
|
*/
|