From f6b5e5a7ecf73f526c9b440d32ce7e2d50225435 Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Tue, 15 Jun 2004 09:23:59 +0000
Subject: [PATCH] From Greg Morris: Fix a bug in the dissection of multiple NDS messages being sent at the same time that the dissector was attempting to desegment data spanning multiple packets. When a message was encountered during the desegmentation code the dissector would misinterpret the new message as an element in the data stream. Code was added to validate the desegmentation handle and validate which messages actually contain segmented data.
svn path=/trunk/; revision=11147
---
 packet-ncp-int.h | 3 ++-
 packet-ncp2222.inc | 22 ++++++++++++++++------
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/packet-ncp-int.h b/packet-ncp-int.h
index d1e1dff833..a7e160b306 100644
--- a/packet-ncp-int.h
+++ b/packet-ncp-int.h
@@ -6,7 +6,7 @@
 * Portions Copyright (c) Gilbert Ramirez 2000-2002
 * Portions Copyright (c) Novell, Inc. 2000-2003
 *
- * $Id: packet-ncp-int.h,v 1.17 2003/09/24 03:34:00 guy Exp $
+ * $Id: packet-ncp-int.h,v 1.18 2004/06/15 09:23:59 guy Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -98,6 +98,7 @@ typedef struct {
 char object_name[256];
 gboolean nds_frag;
 guint32 nds_end_frag;
+ guint32 nds_frag_num;
 } ncp_req_hash_value;
 void dissect_ncp_request(tvbuff_t*, packet_info*, guint16,
diff --git a/packet-ncp2222.inc b/packet-ncp2222.inc
index 56768238a3..1d6e426af4 100644
--- a/packet-ncp2222.inc
+++ b/packet-ncp2222.inc
@@ -11,7 +11,7 @@
 * Portions Copyright (c) Gilbert Ramirez 2000-2002
 * Portions Copyright (c) Novell, Inc. 2000-2003
 *
- * $Id: packet-ncp2222.inc,v 1.70 2004/02/29 08:01:22 guy Exp $
+ * $Id: packet-ncp2222.inc,v 1.71 2004/06/15 09:23:59 guy Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -4127,7 +4127,7 @@ nds_defrag(tvbuff_t *tvb, packet_info *pinfo, guint16 nw_connection, guint8 sequ for (i = 0; i < 9; i++) { if (!frags[i].nds_fragmented) { - frags[i].nds_frag = 0; + frags[i].nds_frag = 0xfffffff0; } } /* Check to see if defragmentation is enabeled in the dissector */ @@ -4173,13 +4173,14 @@ nds_defrag(tvbuff_t *tvb, packet_info *pinfo, guint16 nw_connection, guint8 sequ } /* Get the fragment flag */ nds_frag = tvb_get_letohl(tvb, 12); + /* Now we need to find if this is a new fragment or already one defined. */ /* We currently limit the maximum number of simultaneous fragments to 100. */ for (i=0; i<100; i++) { - if (frags[i].nds_frag == nds_frag || frags[i].nds_frag == 0) + if (frags[i].nds_frag == nds_frag || frags[i].nds_frag == 0xfffffff0) { - if (frags[i].nds_frag == 0) + if (frags[i].nds_frag == 0xfffffff0) { frags[i].nds_length = 0; frags[i].nds_frag = nds_frag; @@ -4190,6 +4191,13 @@ nds_defrag(tvbuff_t *tvb, packet_info *pinfo, guint16 nw_connection, guint8 sequ } frag_count = i; + /* is this the end of an existing fragment or just another reply */ + if (nds_frag == 0xffffffff && request_value->nds_frag_num == 0xffffffff) + { + dissect_ncp_reply(tvb, pinfo, nw_connection, sequence, type, tree); + return; + } + /* Now we process the fragments */ if (request_value->nds_frag || (request_value->nds_end_frag == pinfo->fd->num)) { @@ -4263,7 +4271,7 @@ nds_defrag(tvbuff_t *tvb, packet_info *pinfo, guint16 nw_connection, guint8 sequ break; } } - if (frags[i].nds_frag == 0) + if (frags[i].nds_frag == 0xffffffff) { /* Error can't find fragment */ /*g_assert(0);*/ @@ -4784,7 +4792,7 @@ dissect_ncp_reply(tvbuff_t *tvb, packet_info *pinfo, error_string = ncp_error_string(ncp_rec->errors, completion_code); } else { - error_string = "Not OK"; + error_string = "Original Request Packet not Found"; } } if (type == NCP_SERVICE_REPLY && ncp_rec && ncp_rec->func==0x68 && 
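Review bot: The reset loop in the first nds_defrag hunk (`for (i = 0; i < 9; i++)`) writes the new free-slot marker 0xfffffff0 into only nine entries, while the lookup loop in the following hunk scans `i<100` and now accepts only 0xfffffff0 as free. If frags[] is zero-initialised static storage (its declaration is outside the diff), entries 9 to 99 still hold 0 and can no longer be claimed, so once nine handles are in use the scan runs to completion and `frag_count = i;` is left at 100, presumably one past the table. I would give both loops the same bound, name the marker (`#define NDS_FRAG_UNUSED 0xfffffff0`), and hand the reply to `dissect_ncp_reply()` when no slot matches, because the handle is read straight from the packet with `tvb_get_letohl(tvb, 12)`.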
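Review bot: The new early return for `nds_frag == 0xffffffff` (hunk at old line 4190) sits after the slot search, so the preceding loop may already have claimed a free entry with `frags[i].nds_frag = nds_frag;` for a reply that is then dissected as unfragmented. Whether that entry is ever released is not visible in the hunk; if it is not, ordinary replies would use up table slots. Moving the check to directly after `nds_frag = tvb_get_letohl(tvb, 12);` keeps frags[] untouched for these replies. The literal 0xffffffff also deserves a named constant and a comment stating what it means on the wire, since it now differs from the 0xfffffff0 free marker by one digit.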
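Review bot: In the hunk at old line 4263 the "can't find fragment" test now compares against 0xffffffff, whereas every other replaced `== 0` in this commit uses 0xfffffff0; it looks like it should read `if (frags[i].nds_frag == 0xfffffff0)`, and if the different value is intentional a comment should say why. The loop that sets i begins outside the hunk, so it is not clear that i is still inside the table when this line indexes `frags[i]` after an unsuccessful search. A bounds check on i before the comparison would make the error path safe either way.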
@@ -8222,6 +8230,8 @@ dissect_nds_request(tvbuff_t *tvb, packet_info *pinfo,
 if (ncp_rec && !ncp_tree) {
 run_req_cond = TRUE;
 }
+ /* Keep track of the Fragment number in the request for defrag logic */
+ request_value->nds_frag_num = nds_frag;
 }
 /* If we have to handle a request condition, or have to
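Review bot: `request_value->nds_frag_num` is assigned only here, inside a conditional block that opens outside the hunk, yet the new check in nds_defrag compares it with 0xffffffff for every reply that reaches it. Nothing in this diff initialises the new member where ncp_req_hash_value records are created, so unless that allocation zeroes the record the defragmentation decision can depend on an uninitialised value. I would set the member to a defined "no fragment" value at the point the record is inserted, and document it in packet-ncp-int.h with a comment such as `/* fragment number from the NDS request, read by nds_defrag */`.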