Add support for NTTIME_hyper and NTTIME_1sec

It's hyper with 8 bytes alignment it can have 1/100000 sec resolution or 1sec resolution Bug: 10541 Change-Id: Iecc4c6d1bd1695a4c02db72e1617134254810cd9 Reviewed-on: https://code.wireshark.org/review/4606 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2014-10-10 20:30:59 -04:00 · 2014-10-10 20:30:59 -04:00 · 29afac24a5
parent b3490c20ce
commit 29afac24a5
5 changed files with 39 additions and 9 deletions
--- a/epan/dissectors/packet-dcerpc-nt.c
+++ b/epan/dissectors/packet-dcerpc-nt.c
@ -470,6 +470,22 @@ dissect_ndr_nt_NTTIME (tvbuff_t *tvb, int offset,
 	return offset;
 }

+int
+dissect_ndr_nt_NTTIME_hyper (tvbuff_t *tvb, int offset,
+			packet_info *pinfo _U_, proto_tree *tree,
+			dcerpc_info *di, guint8 *drep _U_, int hf_index, gboolean onesec_resolution)
+{
+	if(di->conformant_run){
+		/*just a run to handle conformant arrays, nothing to dissect */
+		return offset;
+	}
+
+	ALIGN_TO_8_BYTES;
+
+	offset = dissect_nt_64bit_time_opt(tvb, tree, offset, hf_index, onesec_resolution);
+	return offset;
+}
+
 /* Define this symbol to display warnings about request/response and
   policy handle hash table collisions.	 This happens when a packet with
   the same conversation, smb fid and dcerpc call id occurs.  I think this
--- a/epan/dissectors/packet-dcerpc-nt.h
+++ b/epan/dissectors/packet-dcerpc-nt.h
@ -153,6 +153,10 @@ dissect_ndr_nt_NTTIME (tvbuff_t *tvb, int offset,
 			packet_info *pinfo, proto_tree *tree,
 			dcerpc_info *di, guint8 *drep, int hf_index);
 int
+dissect_ndr_nt_NTTIME_hyper (tvbuff_t *tvb, int offset,
+				packet_info *pinfo, proto_tree *tree,
+				dcerpc_info *di, guint8 *drep, int hf_index, gboolean onesec_resolution);
+int
 dissect_ndr_nt_LOGON_HOURS(tvbuff_t *tvb, int offset,
 			packet_info *pinfo, proto_tree *parent_tree,
 			dcerpc_info *di, guint8 *drep);
--- a/epan/dissectors/packet-windows-common.c
+++ b/epan/dissectors/packet-windows-common.c
@ -1129,7 +1129,7 @@ value_string_ext ms_country_codes_ext = VALUE_STRING_EXT_INIT(ms_country_codes);
 *	Copyright (C) Andrew Tridgell 1992-1998
 */
 static gboolean
-nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
+nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv, gboolean onesec_resolution)
 {
 	guint64 d;
 	gint64 secs;
@ -1144,6 +1144,10 @@ nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)

 	d = ((guint64)filetime_high << 32) | filetime_low;

+	if (onesec_resolution) {
+		d *= 10000000;
+	}
+
 	/* Split into seconds and nanoseconds. */
 	secs = d / 10000000;
 	nsecs = (int)((d % 10000000)*100);
@ -1164,13 +1168,13 @@ nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
 }

 int
-dissect_nt_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
+dissect_nt_64bit_time_opt(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, gboolean onesec_resolution _U_)
 {
-	return dissect_nt_64bit_time_ex(tvb, tree, offset, hf_date, NULL);
+	return dissect_nt_64bit_time_ex(tvb, tree, offset, hf_date, NULL, FALSE);
 }

 int
-dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem)
+dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem, gboolean onesec_resolution)
 {
 	guint32 filetime_high, filetime_low;
 	nstime_t ts;
@ -1196,8 +1200,8 @@ dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_dat
 			    "%s: Infinity (absolute time)",
 			    proto_registrar_get_name(hf_date));
 		} else {
-			if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
-				item = proto_tree_add_time(tree, hf_date, tvb,
+			if (nt_time_to_nstime(filetime_high, filetime_low, &ts, onesec_resolution)) {
+				proto_tree_add_time(tree, hf_date, tvb,
 				    offset, 8, &ts);
 			} else {
 				item = proto_tree_add_text(tree, tvb, offset, 8,
@ -1215,6 +1219,11 @@ dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_dat
 	return offset;
 }

+int
+dissect_nt_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
+{
+	return dissect_nt_64bit_time_opt(tvb, tree, offset, hf_date, FALSE);
+}

 /* Well-known SIDs defined in http://support.microsoft.com/kb/243330 */

--- a/epan/dissectors/packet-windows-common.h
+++ b/epan/dissectors/packet-windows-common.h
@ -242,9 +242,10 @@ extern value_string_ext ms_country_codes_ext;

 WS_DLL_PUBLIC
 int dissect_nt_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date);
-
 WS_DLL_PUBLIC
-int dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem);
+int dissect_nt_64bit_time_opt(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, gboolean onesec_resolution);
+WS_DLL_PUBLIC
+int dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem, gboolean onesec_resolution);

 /*
 *  SIDs and RIDs
--- a/plugins/opcua/opcua_simpletypes.c
+++ b/plugins/opcua/opcua_simpletypes.c
@ -664,7 +664,7 @@ proto_item* parseDouble(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIn
 proto_item* parseDateTime(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex)
 {
    proto_item *item = NULL;
-    *pOffset = dissect_nt_64bit_time_ex(tvb, tree, *pOffset, hfIndex, &item);
+    *pOffset = dissect_nt_64bit_time_ex(tvb, tree, *pOffset, hfIndex, &item, FALSE);
    return item;
 }