Sometimes if we cant decrypt a DCERPC packet decrypted_tvb is NULL.
do not pass a NULL pointer to show_stub_data() since this will dump
core.
svn path=/trunk/; revision=8890
0.
In "dcerpc_try_handoff()", remove the authentication padding from the
stub data handed to the subdissector - that's not really stub data for
the subdissector, and it should throw an exception if the request or
response would go into the authentication padding. Don't even try to
dissect the remaining stub data if the authentication padding value
consumes all the stub data or would consume even more than that.
Show any "Long frame" data before the authentication padding, and show
the authentication padding as the stuff at the very end of the stub
data, after the "Long frame" data.
Catch all exceptions when dissecting authentication information, so that
even if it's bad or we don't have all of it, we still dissect the stub
data.
Try dissecting authentication trailer information even if we don't have
all of it in the tvbuff - we want an exception to be thrown if we don't.
Don't try to dissect it if it eats into the stub data, however.
Don't bother catching exceptions in "dissect_auth_verf()" - we now
always catch exceptions in above it in the DCE RPC dissector call tree.
Use CATCH_ALL and "show_exception()" when calling the sub-dissector for
a connection-oriented PDU; that means we won't have to worry about
adding new exception types unless they're types that we should rethrow.
svn path=/trunk/; revision=8759
stub data even if there's a problem dissecting the verifier.
Show stub data as "Encrypted stub data" if it's encrypted, "Decrypted
stub data" if it was encrypted but we decrypted it, and "Stub data" if
it wasn't encrypted.
Don't attempt to decrypt data unless it was encrypted (i.e., the
authentication level is "Packet privacy".
Get rid of "decrypted_data" member of "packet_info" structure - we don't
need it any more.
svn path=/trunk/; revision=8743
from being Ordo(n^2) into being Ordo(n)
Makes it slightly faster when n (the number of pointers) is >10.000
The mother of all dcerpc packets (containing one array of >10.000 pointers)
was a bit slow.
It is still slow but at least completes in out lifetime.
svn path=/trunk/; revision=8647
handling encrypted request/response PDUs. Instead of having
dissection function pointers which perform both decryption and
dissection, the function pointers now only decrypt the DCERPC fragment
payload. Dissection is handled by the dcerpc_try_handoff() function
(with DCERPC fragment reassembly if necessary).
Details:
- Move the dcerpc_auth_info struct into dcerpc.h as it is now used in
the function prototype for the decryption function handlers.
- decode_encrypted_data() was refactored to take a boolean request
parameter instead of passing the DCERPC PDU packet type.
- A tvbuff_t * data field was added to dcerpc_auth to hold the
verifier. This is passed as an argument to the decryption function
handlers.
- Dissection of verifiers in request and response PDUs was moved to
before the payload.
- The dissect_dcerpc_cn_stub() function was refactored to perform
the decryption process and hand decrypted data to the reassembly
code instead of performing the decryption after reassembly.
- Removed references to decrypted_info_t as it's not necessary
anymore.
Code was tested using encrypted and unencrypted fragmented PDUs.
Before this commit ethereal could not dissect unencrypted (!)
fragmented PDUs correctly.
svn path=/trunk/; revision=8546
in dcerpc_auth_info since auth_level is an unsigned type. Zero is
not a valid authentication level anyway (s13.1.2.1, p611 CAE spec).
Remove two inscrutable debugging comments that don't seem to mean anything.
svn path=/trunk/; revision=8545
The tap listener will try to parse this pointer at a much later stage where the stack frame where this object lived will have dissapeared and possible got overwritten.
best that can happen is that service response times for dcerpc interfaces is screwed up
more probable is that we get a coredump
svn path=/trunk/; revision=8455
somewhat. Now the dynamic initialisation of the value_string is contained
in the value_string_from_subdissectors() function instead of being
distributed amongst the dcerpc dissectors.
svn path=/trunk/; revision=8123
data when decrypting it, as, at least for NTLMSSP encryption, the stub
*and* the authentication padding are encrypted as a single lump.
svn path=/trunk/; revision=8058
to the dissector that handles the particular authentication flavour. This
gets rid of a couple of ugly switch statements and allows other authentication
modules to be written easily.
svn path=/trunk/; revision=8026
list rather than duplicating this information in the dissector. Some
of the opnum strings were starting to get out of date as developers
forgot to update the information in both places.
svn path=/trunk/; revision=7936
tvb_get_string() - takes a tvbuff, an offset, and a length as
arguments, allocates a buffer big enough to hold a string with
the specified number of bytes plus an added null terminator
(i.e., length+1), copies the specified number of bytes from the
tvbuff, at the specified offset, to that buffer and puts in a
null terminator, and returns a pointer to that buffer (or throws
an exception before allocating the buffer if that many bytes
aren't available in the tvbuff);
tvb_get_stringz() - takes a tvbuff, an offset, and a pointer to
a "gint" as arguments, gets the size of the null-terminated
string starting at the specified offset in the tvbuff (throwing
an exception if the null terminator isn't found), allocates a
buffer big enough to hold that string, copies the string to that
buffer, and returns a pointer to that buffer and stores the
length of the string (including the terminating null) in the
variable pointed to by the "gint" pointer.
Replace many pieces of code allocating a buffer and copying a string
with calls to "tvb_get_string()" (for one thing, "tvb_get_string()"
doesn't require you to remember that the argument to
"tvb_get_nstringz0()" is the size of the buffer into which you're
copying the string, which might be the length of the string to be copied
*plus 1*).
Don't use fixed-length buffers for null-terminated strings (even if the
code that generates those packets has a #define to limit the length of
the string). Use "tvb_get_stringz()", instead.
In some cases where a value is fetched but is only used to pass an
argument to a "proto_tree_add_XXX" routine, use "proto_tree_add_item()"
instead.
svn path=/trunk/; revision=7859
throwing an exception, if the bytes to be compared aren't available in
the tvbuff, we don't need to check for their existence before calling
those routines.
svn path=/trunk/; revision=7826
multiple NetBIOS-over-TCP session service messages in a TCP segment, and
they can contain the final portions of different DCERPC calls. Don't
assume a frame number is sufficient to identify DCE RPC calls.
svn path=/trunk/; revision=7777
Also, recommit a change lost in the hardware failure which was to note the
type of a DCE/RPC fragment when noting it in COL_INFO. A fragment can be
either a first, middle, last or whole (first+last) fragment.
svn path=/trunk/; revision=7666
*before* attempting to allocate a buffer for a string, if the copy into
the buffer will thrown an exception; that prevents us from
1) leaking memory if we can allocate the buffer (we'd throw an
exception before we freed the buffer);
2) crashing if we can't allocate the buffer because the length
is bogus and large.
svn path=/trunk/; revision=7658
encrypted if appropriate; this change adds a "show_stub_data()" to
handle that, and that routine also cleans up the stub data display a bit
in some other ways.
svn path=/trunk/; revision=7654
null) to the "fragment_items" structure, and don't pass that value into
"process_reassembled_data()", just have it use the value in the
"fragment_items" structure passed to it.
Make "process_reassembled_data()" capable of handling reassembly done by
"fragment_add_seq_check()", and use it in the ATP and 802.11 dissectors;
give them "reassembled_in" fields. Make "process_reassembled_data()"
handle only the case of a completed reassembly (fd_head != NULL) so that
we can use it in those dissectors without gunking the code up too much.
svn path=/trunk/; revision=7513
fragmented.
"PFC_NOT_FRAGMENTED()" is checked early in "dissect_dcerpc_cn_stub()";
there's no need to check it again in either of the code paths after
that, as we know it's true in the first code path and false in the second.
svn path=/trunk/; revision=7460
when doing reassembly.
In some additional places, use "tvb_bytes_exist()" to check whether we
have enough data to do reassembly, rather than checking to see if the
frame is short (it might be short but we might still have enough data to
do reassembly).
In DCE RPC, use the fragment length from the header as the number of
bytes of fragment data.
There's no need to check "pinfo->fragmented" before doing reassembly in
the DCERPC-over-SMB-pipes code - either we have all the data or we
don't.
In SNA and WTP reassembly, add a check to make sure we have all the data
to be reassembled.
svn path=/trunk/; revision=7282
give it a byte-order argument, and move it to "epan/tvbuff.c".
Use it to handle UCS-2 strings in version 1 of the Service Location
Protocol. In SRVLOC V1, use registered fields that are already there
for SRVLOC V2, and add some as needed. Fix some field names.
svn path=/trunk/; revision=7186
gunk stuck in there to make NTLMSSP happy (perhaps the encrypted body
length has to be a multiple of 16 bytes or something such as that for
the encryption to work).
No packet in any capture I have appears to be misdissected if you get
rid of the mod 4 stuff, so I'm removing it.
svn path=/trunk/; revision=7181
"dissect_ndr_char_cvstring()" and "dissect_ndr_wchar_cvstring()", to
indicate that they're for conformant varying strings.
Rename "dissect_ndr_character_array()" to "dissect_ndr_cvstring()", to
indicate that it's for conformant varying strings.
svn path=/trunk/; revision=7096
Ronnie Sahlberg