osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
wireshark/epan/dissectors/packet-multipart.c

1177 lines
42 KiB
C
Raw Blame History

/* packet-multipart.c
* Routines for multipart media encapsulation dissection
* Copyright 2004, Anders Broman.
* Copyright 2004, Olivier Biot.
*
* Refer to the AUTHORS file or the AUTHORS section in the man page
* for contacting the author(s) of this file.
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
*
* SPDX-License-Identifier: GPL-2.0-or-later
*
* References for "media-type multipart/mixed :
* https://www.iana.org/assignments/media-types/index.html
* https://tools.ietf.org/html/rfc2045
* https://tools.ietf.org/html/rfc2046
* https://tools.ietf.org/html/rfc2047
* https://tools.ietf.org/html/rfc2048
* https://tools.ietf.org/html/rfc2049
*
* Part of the code is modeled from the SIP and HTTP dissectors
*
* General format of a MIME multipart document:
* [ preamble line-end ]
* dash-boundary transport-padding line-end
* body-part
* *encapsulation
* close-delimiter transport-padding
* [ line-end epilogue ]
*
* Where:
* dash-boundary := "--" boundary
* encapsulation := delimiter transport-padding line-end body-part
* delimiter := line-end body-part
* close-delimiter := delimiter "--"
* body-part := MIME-part-headers [ line-end *OCTET ]
* transport-padding := *LWSP-char
*
* Note that line-end is often a LF instead of a CRLF.
*/
#include "config.h"
#include <epan/packet.h>
#include <epan/expert.h>
#include <epan/media_params.h>
#include <epan/prefs.h>
#include <wsutil/str_util.h>
#include "packet-imf.h"
#include "packet-dcerpc.h"
#include "packet-gssapi.h"
#include "packet-http.h"
void proto_register_multipart(void);
void proto_reg_handoff_multipart(void);
/* Dissector table for media requiring special attention in multipart
* encapsulation. */
static dissector_table_t multipart_media_subdissector_table;
/* Initialize the protocol and registered fields */
static int proto_multipart = -1;
/* Generated from convert_proto_tree_add_text.pl */
static int hf_multipart_trailer = -1;
static int hf_multipart_boundary = -1;
static int hf_multipart_first_boundary = -1;
static int hf_multipart_last_boundary = -1;
static int hf_multipart_preamble = -1;
/* Initialize the subtree pointers */
static gint ett_multipart = -1;
static gint ett_multipart_main = -1;
static gint ett_multipart_body = -1;
/* Generated from convert_proto_tree_add_text.pl */
static expert_field ei_multipart_no_required_parameter = EI_INIT;
static expert_field ei_multipart_decryption_not_possible = EI_INIT;
/* Not sure that compact_name exists for multipart, but choose to keep
* the structure from SIP dissector, all the content- is also from SIP */
typedef struct {
const char *name;
const char *compact_name;
} multipart_header_t;
static const multipart_header_t multipart_headers[] = {
{ "Unknown-header", NULL }, /* Pad so that the real headers start at index 1 */
{ "Content-Description", NULL },
{ "Content-Disposition", NULL },
{ "Content-Encoding", "e" },
{ "Content-Id", NULL },
{ "Content-Language", NULL },
{ "Content-Length", "l" },
{ "Content-Transfer-Encoding", NULL },
{ "Content-Type", "c" },
{ "OriginalContent", NULL }
};
#define POS_CONTENT_DESCRIPTION 1
#define POS_CONTENT_DISPOSITION 2
#define POS_CONTENT_ENCODING 3
#define POS_CONTENT_ID 4
#define POS_CONTENT_LANGUAGE 5
#define POS_CONTENT_LENGTH 6
#define POS_CONTENT_TRANSFER_ENCODING 7
#define POS_CONTENT_TYPE 8
#define POS_ORIGINALCONTENT 9
/* Initialize the header fields */
static gint hf_multipart_type = -1;
static gint hf_multipart_part = -1;
static gint hf_multipart_sec_token_len = -1;
static gint hf_header_array[] = {
-1, /* "Unknown-header" - Pad so that the real headers start at index 1 */
-1, /* "Content-Description" */
-1, /* "Content-Disposition" */
-1, /* "Content-Encoding" */
-1, /* "Content-Id" */
-1, /* "Content-Language" */
-1, /* "Content-Length" */
-1, /* "Content-Transfer-Encoding" */
-1, /* "Content-Type" */
-1, /* "OriginalContent" */
};
/* Define media_type/Content type table */
static dissector_table_t media_type_dissector_table;
/* Data and media dissector handles */
static dissector_handle_t media_handle;
static dissector_handle_t gssapi_handle;
/* Determines if bodies with no media type dissector should be displayed
* as raw text, may cause problems with images sound etc
* TODO improve to check for different content types ?
*/
static gboolean display_unknown_body_as_text = FALSE;
static gboolean remove_base64_encoding = FALSE;
#ifdef HAVE_ZLIB
static gboolean uncompress_data = TRUE;
#endif
typedef struct {
const char *type; /* Type of multipart */
char *boundary; /* Boundary string (enclosing quotes removed if any) */
guint boundary_length; /* Length of the boundary string */
char *protocol; /* Protocol string if encrypted multipart (enclosing quotes removed if any) */
guint protocol_length; /* Length of the protocol string */
char *orig_content_type; /* Content-Type of original message */
char *orig_parameters; /* Parameters for Content-Type of original message */
} multipart_info_t;
static gint
find_first_boundary(tvbuff_t *tvb, gint start, const guint8 *boundary,
gint boundary_len, gint *boundary_line_len, gboolean *last_boundary);
static gint
find_next_boundary(tvbuff_t *tvb, gint start, const guint8 *boundary,
gint boundary_len, gint *boundary_line_len, gboolean *last_boundary);
static gint
process_preamble(proto_tree *tree, tvbuff_t *tvb, multipart_info_t *m_info,
gboolean *last_boundary);
static gint
process_body_part(proto_tree *tree, tvbuff_t *tvb,
http_message_info_t *input_message_info, multipart_info_t *m_info,
packet_info *pinfo, gint start, gint idx,
gboolean *last_boundary);
static gint
is_known_multipart_header(const char *header_str, guint len);
/* Return a tvb that contains the binary representation of a base64
string */
static tvbuff_t *
base64_decode(packet_info *pinfo, tvbuff_t *b64_tvb, char *name)
{
char *data;
tvbuff_t *tvb;
data = tvb_get_string_enc(pinfo->pool, b64_tvb, 0, tvb_reported_length(b64_tvb), ENC_ASCII);
tvb = base64_to_tvb(b64_tvb, data);
add_new_data_source(pinfo, tvb, name);
return tvb;
}
/*
* Unfold and clean up a MIME-like header, and process LWS as follows:
* o Preserves LWS in quoted text
* o Remove LWS before and after a separator
* o Remove trailing LWS
* o Replace other LWS with a single space
* Set value to the start of the value
* Return the cleaned-up RFC2822 header (buffer must be freed).
*/
static char *
unfold_and_compact_mime_header(wmem_allocator_t *pool, const char *lines, gint *first_colon_offset)
{
const char *p = lines;
char c;
char *ret, *q;
char sep_seen = 0; /* Did we see a separator ":;," */
char lws = FALSE; /* Did we see LWS (incl. folding) */
gint colon = -1;
if (! lines) return NULL;
c = *p;
ret = (char *)wmem_alloc(pool, strlen(lines) + 1);
q = ret;
while (c) {
if (c == ':') {
lws = FALSE; /* Prevent leading LWS from showing up */
if (colon == -1) {/* First colon */
colon = (gint) (q - ret);
}
*(q++) = sep_seen = c;
p++;
} else if (c == ';' || c == ',' || c == '=') {
lws = FALSE; /* Prevent leading LWS from showing up */
*(q++) = sep_seen = c;
p++;
} else if (c == ' ' || c == '\t') {
lws = TRUE;
p++;
} else if (c == '\n') {
lws = FALSE; /* Skip trailing LWS */
if ((c = *(p+1))) {
if (c == ' ' || c == '\t') { /* Header unfolding */
lws = TRUE;
p += 2;
} else {
*q = c = 0; /* Stop */
}
}
} else if (c == '\r') {
lws = FALSE;
if ((c = *(p+1))) {
if (c == '\n') {
if ((c = *(p+2))) {
if (c == ' ' || c == '\t') { /* Header unfolding */
lws = TRUE;
p += 3;
} else {
*q = c = 0; /* Stop */
}
}
} else if (c == ' ' || c == '\t') { /* Header unfolding */
lws = TRUE;
p += 2;
} else {
*q = c = 0; /* Stop */
}
}
} else if (c == '"') { /* Start of quoted-string */
lws = FALSE;
*(q++) = c;
while (c) {
c = *(q++) = *(++p);
if (c == '\\') {
/* First part of a quoted-pair; copy the other part,
without checking if it's a quote */
c = *(q++) = *(++p);
} else {
if (c == '"') {
p++; /* Skip closing quote */
break;
}
}
}
/* if already zero terminated now, rewind one char to avoid an "off by one" */
if(c == 0) {
q--;
}
} else { /* Regular character */
if (sep_seen) {
sep_seen = 0;
} else {
if (lws) {
*(q++) = ' ';
}
}
lws = FALSE;
*(q++) = c;
p++; /* OK */
}
if (c) {
c = *p;
}
}
*q = 0;
*first_colon_offset = colon;
return (ret);
}
/* Retrieve the media information from pinfo->private_data,
* and compute the boundary string and its length.
* Return a pointer to a filled-in multipart_info_t, or NULL on failure.
*
* Boundary delimiters must not appear within the encapsulated material,
* and must be no longer than 70 characters, not counting the two
* leading hyphens. (quote from rfc2046)
*/
static multipart_info_t *
get_multipart_info(packet_info *pinfo, http_message_info_t *message_info)
{
char *start_boundary, *start_protocol = NULL;
multipart_info_t *m_info = NULL;
const char *type = pinfo->match_string;
char *parameters;
gint dummy;
/*
* We need both a content type AND parameters
* for multipart dissection.
*/
if (type == NULL) {
return NULL;
}
if (message_info == NULL) {
return NULL;
}
if (message_info->media_str == NULL) {
return NULL;
}
/* Clean up the parameters */
parameters = unfold_and_compact_mime_header(pinfo->pool, message_info->media_str, &dummy);
start_boundary = ws_find_media_type_parameter(pinfo->pool, parameters, "boundary");
if (!start_boundary) {
return NULL;
}
if (strncmp(type, "multipart/encrypted", sizeof("multipart/encrypted") - 1) == 0) {
start_protocol = ws_find_media_type_parameter(pinfo->pool, parameters, "protocol");
if (!start_protocol) {
return NULL;
}
}
/*
* There is a value for the boundary string
*/
m_info = wmem_new(pinfo->pool, multipart_info_t);
m_info->type = type;
m_info->boundary = start_boundary;
m_info->boundary_length = (guint)strlen(start_boundary);
if(start_protocol) {
m_info->protocol = start_protocol;
m_info->protocol_length = (guint)strlen(start_protocol);
} else {
m_info->protocol = NULL;
m_info->protocol_length = -1;
}
m_info->orig_content_type = NULL;
m_info->orig_parameters = NULL;
return m_info;
}
/*
* The first boundary does not implicitly contain the leading
* line-end sequence.
*
* Return the offset to the 1st byte of the boundary delimiter line.
* Set boundary_line_len to the length of the entire boundary delimiter.
* Set last_boundary to TRUE if we've seen the last-boundary delimiter.
*/
static gint
find_first_boundary(tvbuff_t *tvb, gint start, const guint8 *boundary,
gint boundary_len, gint *boundary_line_len, gboolean *last_boundary)
{
gint offset = start, next_offset, line_len, boundary_start;
while (tvb_offset_exists(tvb, offset + 2 + boundary_len)) {
boundary_start = offset;
if (((tvb_strneql(tvb, offset, (const guint8 *)"--", 2) == 0)
&& (tvb_strneql(tvb, offset + 2, boundary, boundary_len) == 0)))
{
/* Boundary string; now check if last */
if ((tvb_reported_length_remaining(tvb, offset + 2 + boundary_len + 2) >= 0)
&& (tvb_strneql(tvb, offset + 2 + boundary_len,
(const guint8 *)"--", 2) == 0)) {
*last_boundary = TRUE;
} else {
*last_boundary = FALSE;
}
/* Look for line end of the boundary line */
line_len = tvb_find_line_end(tvb, offset, -1, &offset, FALSE);
if (line_len == -1) {
*boundary_line_len = -1;
} else {
*boundary_line_len = offset - boundary_start;
}
return boundary_start;
}
line_len = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (line_len == -1) {
return -1;
}
offset = next_offset;
}
return -1;
}
/*
* Unless the first boundary, subsequent boundaries include a line-end sequence
* before the dashed boundary string.
*
* Return the offset to the 1st byte of the boundary delimiter line.
* Set boundary_line_len to the length of the entire boundary delimiter.
* Set last_boundary to TRUE if we've seen the last-boundary delimiter.
*/
static gint
find_next_boundary(tvbuff_t *tvb, gint start, const guint8 *boundary,
gint boundary_len, gint *boundary_line_len, gboolean *last_boundary)
{
gint offset = start, next_offset, line_len, boundary_start;
while (tvb_offset_exists(tvb, offset + 2 + boundary_len)) {
line_len = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
if (line_len == -1) {
return -1;
}
boundary_start = offset + line_len;
if (((tvb_strneql(tvb, next_offset, (const guint8 *)"--", 2) == 0)
&& (tvb_strneql(tvb, next_offset + 2, boundary, boundary_len) == 0)))
{
/* Boundary string; now check if last */
if ((tvb_reported_length_remaining(tvb, next_offset + 2 + boundary_len + 2) >= 0)
&& (tvb_strneql(tvb, next_offset + 2 + boundary_len,
(const guint8 *)"--", 2) == 0)) {
*last_boundary = TRUE;
} else {
*last_boundary = FALSE;
}
/* Look for line end of the boundary line */
line_len = tvb_find_line_end(tvb, next_offset, -1, &offset, FALSE);
if (line_len == -1) {
*boundary_line_len = -1;
} else {
*boundary_line_len = offset - boundary_start;
}
return boundary_start;
/* check if last before CRLF; some ignore the standard, so there is no CRLF before the boundary */
} else if ((tvb_strneql(tvb, boundary_start - 2, (const guint8 *)"--", 2) == 0)
&& (tvb_strneql(tvb, boundary_start - (2 + boundary_len), boundary, boundary_len) == 0)
&& (tvb_strneql(tvb, boundary_start - (2 + boundary_len + 2),
(const guint8 *)"--", 2) == 0)) {
boundary_start -= 2 + boundary_len + 2;
*boundary_line_len = next_offset - boundary_start;
*last_boundary = TRUE;
return boundary_start;
}
offset = next_offset;
}
return -1;
}
/*
* Process the multipart preamble:
* [ preamble line-end ] dashed-boundary transport-padding line-end
*
* Return the offset to the start of the first body-part.
*/
static gint
process_preamble(proto_tree *tree, tvbuff_t *tvb, multipart_info_t *m_info,
gboolean *last_boundary)
{
gint boundary_start, boundary_line_len;
const guint8 *boundary = (guint8 *)m_info->boundary;
gint boundary_len = m_info->boundary_length;
boundary_start = find_first_boundary(tvb, 0, boundary, boundary_len,
&boundary_line_len, last_boundary);
if (boundary_start == 0) {
proto_tree_add_item(tree, hf_multipart_first_boundary, tvb, boundary_start, boundary_line_len, ENC_NA|ENC_ASCII);
return boundary_start + boundary_line_len;
} else if (boundary_start > 0) {
if (boundary_line_len > 0) {
gint body_part_start = boundary_start + boundary_line_len;
proto_tree_add_item(tree, hf_multipart_preamble, tvb, 0, boundary_start, ENC_NA);
proto_tree_add_item(tree, hf_multipart_first_boundary, tvb, boundary_start, boundary_line_len, ENC_NA|ENC_ASCII);
return body_part_start;
}
}
return -1;
}
static void
dissect_kerberos_encrypted_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gssapi_encrypt_info_t* encrypt)
{
tvbuff_t *kerberos_tvb;
gint offset = 0, len;
guint8 *data;
proto_tree_add_item(tree, hf_multipart_sec_token_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
len = tvb_reported_length_remaining(tvb, offset);
DISSECTOR_ASSERT(tvb_bytes_exist(tvb, offset, len));
data = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, len);
kerberos_tvb = tvb_new_child_real_data(tvb, data, len, len);
add_new_data_source(pinfo, kerberos_tvb, "Kerberos Data");
call_dissector_with_data(gssapi_handle, kerberos_tvb, pinfo, tree, encrypt);
}
/*
* Process a multipart body-part:
* MIME-part-headers [ line-end *OCTET ]
* line-end dashed-boundary transport-padding line-end
*
* If applicable, call a media subdissector.
*
* Return the offset to the start of the next body-part.
*/
static gint
process_body_part(proto_tree *tree, tvbuff_t *tvb,
http_message_info_t *input_message_info, multipart_info_t *m_info,
packet_info *pinfo, gint start, gint idx,
gboolean *last_boundary)
{
proto_tree *subtree;
proto_item *ti;
gint offset = start, next_offset = 0;
http_message_info_t message_info = { input_message_info->type, NULL, NULL, NULL };
gint body_start, boundary_start, boundary_line_len;
gchar *content_type_str = NULL;
gchar *content_trans_encoding_str = NULL;
#ifdef HAVE_ZLIB
gchar *content_encoding_str = NULL;
#endif
char *filename = NULL;
char *mimetypename = NULL;
gboolean last_field = FALSE;
gboolean is_raw_data = FALSE;
const guint8 *boundary = (guint8 *)m_info->boundary;
gint boundary_len = m_info->boundary_length;
ti = proto_tree_add_item(tree, hf_multipart_part, tvb, start, 0, ENC_ASCII|ENC_NA);
subtree = proto_item_add_subtree(ti, ett_multipart_body);
/* find the next boundary to find the end of this body part */
boundary_start = find_next_boundary(tvb, offset, boundary, boundary_len,
&boundary_line_len, last_boundary);
if (boundary_start <= 0) {
return -1;
}
/*
* Process the MIME-part-headers
*/
while (!last_field)
{
gint colon_offset;
char *hdr_str;
char *header_str;
/* Look for the end of the header (denoted by cr)
* 3:d argument to imf_find_field_end() maxlen; must be last offset in the tvb.
*/
next_offset = imf_find_field_end(tvb, offset, tvb_reported_length_remaining(tvb, offset)+offset, &last_field);
/* the following should never happen */
/* If cr not found, won't have advanced - get out to avoid infinite loop! */
/*
if (next_offset == offset) {
break;
}
*/
if (last_field && (next_offset+2) <= boundary_start) {
/* Add the extra CRLF of the last field */
next_offset += 2;
} else if((next_offset-2) == boundary_start) {
/* if CRLF is the start of next boundary it belongs to the boundary and not the field,
so it's the last field without CRLF */
last_field = TRUE;
next_offset -= 2;
} else if (next_offset > boundary_start) {
/* if there is no CRLF between last field and next boundary - trim it! */
next_offset = boundary_start;
}
hdr_str = tvb_get_string_enc(pinfo->pool, tvb, offset, next_offset - offset, ENC_ASCII);
colon_offset = 0;
header_str = unfold_and_compact_mime_header(pinfo->pool, hdr_str, &colon_offset);
if (colon_offset <= 0) {
/* if there is no colon it's no header, so break and add complete line to the body */
next_offset = offset;
break;
} else {
gint hf_index;
hf_index = is_known_multipart_header(header_str, colon_offset);
if (hf_index == -1) {
if(isprint_string(header_str)) {
proto_tree_add_format_text(subtree, tvb, offset, next_offset - offset);
} else {
/* if the header name is unknown and not printable, break and add complete line to the body */
next_offset = offset;
break;
}
} else {
char *value_str = wmem_strdup(pinfo->pool, header_str + colon_offset + 1);
proto_tree_add_string_format(subtree,
hf_header_array[hf_index], tvb,
offset, next_offset - offset,
(const char *)value_str, "%s",
tvb_format_text(pinfo->pool, tvb, offset, next_offset - offset));
switch (hf_index) {
case POS_ORIGINALCONTENT:
{
char *semicolonp;
/* The Content-Type starts at colon_offset + 1 or after the type parameter */
char* type_str = ws_find_media_type_parameter(pinfo->pool, value_str, "type");
if(type_str != NULL) {
value_str = type_str;
}
semicolonp = strchr(value_str, ';');
if (semicolonp != NULL) {
*semicolonp = '\0';
m_info->orig_parameters = wmem_strdup(pinfo->pool,
semicolonp + 1);
}
m_info->orig_content_type = wmem_ascii_strdown(pinfo->pool, value_str, -1);
}
break;
case POS_CONTENT_TYPE:
{
/* The Content-Type starts at colon_offset + 1 */
char *semicolonp = strchr(value_str, ';');
if (semicolonp != NULL) {
*semicolonp = '\0';
message_info.media_str = wmem_strdup(pinfo->pool, semicolonp + 1);
} else {
message_info.media_str = NULL;
}
content_type_str = wmem_ascii_strdown(pinfo->pool, value_str, -1);
/* Show content-type in root 'part' label */
proto_item_append_text(ti, " (%s)", content_type_str);
/* find the "name" parameter in case we don't find a content disposition "filename" */
mimetypename = ws_find_media_type_parameter(pinfo->pool, message_info.media_str, "name");
if(strncmp(content_type_str, "application/octet-stream",
sizeof("application/octet-stream")-1) == 0) {
is_raw_data = TRUE;
}
/* there are only 2 body parts possible and each part has specific content types */
if(m_info->protocol && idx == 0
&& (is_raw_data || g_ascii_strncasecmp(content_type_str, m_info->protocol,
strlen(m_info->protocol)) != 0))
{
return -1;
}
}
break;
case POS_CONTENT_ENCODING:
{
/* The Content-Encoding starts at colon_offset + 1 */
char *crp = strchr(value_str, '\r');
if (crp != NULL) {
*crp = '\0';
}
#ifdef HAVE_ZLIB
content_encoding_str = wmem_ascii_strdown(pinfo->pool, value_str, -1);
#endif
}
break;
case POS_CONTENT_TRANSFER_ENCODING:
{
/* The Content-Transferring starts at colon_offset + 1 */
char *crp = strchr(value_str, '\r');
if (crp != NULL) {
*crp = '\0';
}
content_trans_encoding_str = wmem_ascii_strdown(pinfo->pool, value_str, -1);
}
break;
case POS_CONTENT_DISPOSITION:
{
/* find the "filename" parameter */
filename = ws_find_media_type_parameter(pinfo->pool, value_str, "filename");
}
break;
case POS_CONTENT_ID:
message_info.content_id = wmem_strdup(pinfo->pool, value_str);
break;
default:
break;
}
}
}
offset = next_offset;
}
body_start = next_offset;
/*
* Process the body
*/
{
gint body_len = boundary_start - body_start;
tvbuff_t *tmp_tvb = tvb_new_subset_length(tvb, body_start, body_len);
/*
* If multipart subtype is encrypted the protcol string was set.
*
* See MS-WSMV section 2.2.9.1.2.1 "HTTP Headers":
*
* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wsmv/b79927c2-96be-4801-aa68-180db95593f9
*
* There are only 2 body parts possible, and each part has specific
* content types.
*/
if(m_info->protocol && idx == 1 && is_raw_data)
{
gssapi_encrypt_info_t encrypt;
memset(&encrypt, 0, sizeof(encrypt));
encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
dissect_kerberos_encrypted_message(tmp_tvb, pinfo, subtree, &encrypt);
if(encrypt.gssapi_decrypted_tvb){
tmp_tvb = encrypt.gssapi_decrypted_tvb;
is_raw_data = FALSE;
content_type_str = m_info->orig_content_type;
message_info.media_str = m_info->orig_parameters;
} else if(encrypt.gssapi_encrypted_tvb) {
tmp_tvb = encrypt.gssapi_encrypted_tvb;
proto_tree_add_expert(tree, pinfo, &ei_multipart_decryption_not_possible, tmp_tvb, 0, -1);
}
}
if (!is_raw_data &&
content_type_str) {
/*
* subdissection
*/
gboolean dissected;
/*
* Try and remove any content transfer encoding so that each sub-dissector
* doesn't have to do it itself
*
*/
if(content_trans_encoding_str && remove_base64_encoding) {
if(!g_ascii_strncasecmp(content_trans_encoding_str, "base64", 6))
tmp_tvb = base64_decode(pinfo, tmp_tvb, filename ? filename : (mimetypename ? mimetypename : content_type_str));
}
#ifdef HAVE_ZLIB
if(content_encoding_str && uncompress_data) {
if(g_ascii_strncasecmp(content_encoding_str,"gzip",4) == 0 ||
g_ascii_strncasecmp(content_encoding_str,"deflate",7) == 0 ||
g_ascii_strncasecmp(content_encoding_str,"x-gzip",6) == 0 ||
g_ascii_strncasecmp(content_encoding_str,"x-deflate",9) == 0){
/* The body is gzip:ed */
tvbuff_t *uncompress_tvb = tvb_uncompress(tmp_tvb, 0, body_len);
if (uncompress_tvb) {
tmp_tvb = uncompress_tvb;
add_new_data_source(pinfo, tmp_tvb, "gunzipped data");
}
}
}
#endif
/*
* First try the dedicated multipart dissector table
*/
dissected = dissector_try_string(multipart_media_subdissector_table,
content_type_str, tmp_tvb, pinfo, subtree, &message_info);
if (! dissected) {
/*
* Fall back to the default media dissector table
*/
dissected = dissector_try_string(media_type_dissector_table,
content_type_str, tmp_tvb, pinfo, subtree, &message_info);
}
if (! dissected) {
const char *save_match_string = pinfo->match_string;
pinfo->match_string = content_type_str;
call_dissector_with_data(media_handle, tmp_tvb, pinfo, subtree, &message_info);
pinfo->match_string = save_match_string;
}
message_info.media_str = NULL; /* Shares same memory as content_type_str */
} else {
call_data_dissector(tmp_tvb, pinfo, subtree);
}
proto_item_set_len(ti, boundary_start - start);
if (*last_boundary == TRUE) {
proto_tree_add_item(tree, hf_multipart_last_boundary, tvb, boundary_start, boundary_line_len, ENC_NA|ENC_ASCII);
} else {
proto_tree_add_item(tree, hf_multipart_boundary, tvb, boundary_start, boundary_line_len, ENC_NA|ENC_ASCII);
}
return boundary_start + boundary_line_len;
}
}
/*
* Call this method to actually dissect the multipart body.
* NOTE - Only do so if a boundary string has been found!
*/
static int dissect_multipart(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
{
proto_tree *subtree;
proto_item *ti;
proto_item *type_ti;
http_message_info_t *message_info = (http_message_info_t *)data;
multipart_info_t *m_info = get_multipart_info(pinfo, message_info);
gint header_start = 0;
gint body_index = 0;
gboolean last_boundary = FALSE;
if (m_info == NULL) {
/*
* We can't get the required multipart information
*/
proto_tree_add_expert(tree, pinfo, &ei_multipart_no_required_parameter, tvb, 0, -1);
call_data_dissector(tvb, pinfo, tree);
return tvb_reported_length(tvb);
}
/* Add stuff to the protocol tree */
ti = proto_tree_add_item(tree, proto_multipart,
tvb, 0, -1, ENC_NA);
subtree = proto_item_add_subtree(ti, ett_multipart);
proto_item_append_text(ti, ", Type: %s, Boundary: \"%s\"",
m_info->type, m_info->boundary);
/* Show multi-part type as a generated field */
type_ti = proto_tree_add_string(subtree, hf_multipart_type,
tvb, 0, 0, pinfo->match_string);
proto_item_set_generated(type_ti);
/*
* Make no entries in Protocol column and Info column on summary display,
* but stop sub-dissectors from clearing entered text in summary display.
*/
col_set_fence(pinfo->cinfo, COL_INFO);
/*
* Process the multipart preamble
*/
header_start = process_preamble(subtree, tvb, m_info, &last_boundary);
if (header_start == -1) {
call_data_dissector(tvb, pinfo, subtree);
return tvb_reported_length(tvb);
}
/*
* Process the encapsulated bodies
*/
while (last_boundary == FALSE) {
header_start = process_body_part(subtree, tvb, message_info, m_info,
pinfo, header_start, body_index++, &last_boundary);
if (header_start == -1) {
return tvb_reported_length(tvb);
}
}
/*
* Process the multipart trailer
*/
if (tvb_reported_length_remaining(tvb, header_start) > 0) {
proto_tree_add_item(subtree, hf_multipart_trailer, tvb, header_start, -1, ENC_NA);
}
return tvb_reported_length(tvb);
}
/* Returns index of method in multipart_headers */
static gint
is_known_multipart_header(const char *header_str, guint len)
{
guint i;
for (i = 1; i < array_length(multipart_headers); i++) {
if (len == strlen(multipart_headers[i].name) &&
g_ascii_strncasecmp(header_str, multipart_headers[i].name, len) == 0)
return i;
if (multipart_headers[i].compact_name != NULL &&
len == strlen(multipart_headers[i].compact_name) &&
g_ascii_strncasecmp(header_str, multipart_headers[i].compact_name, len) == 0)
return i;
}
return -1;
}
/*
* Register the protocol with Wireshark.
*
* This format is required because a script is used to build the C function
* that calls all the protocol registration.
*/
void
proto_register_multipart(void)
{
/* Setup list of header fields See Section 1.6.1 for details */
static hf_register_info hf[] = {
{ &hf_multipart_type,
{ "Type",
"mime_multipart.type",
FT_STRING, BASE_NONE, NULL, 0x00,
"MIME multipart encapsulation type", HFILL
}
},
{ &hf_multipart_part,
{ "Encapsulated multipart part",
"mime_multipart.part",
FT_STRING, BASE_NONE, NULL, 0x00,
NULL, HFILL
}
},
{ &hf_multipart_sec_token_len,
{ "Length of security token",
"mime_multipart.header.sectoken-length",
FT_UINT32, BASE_DEC, NULL, 0x00,
"Length of the Kerberos BLOB which follows this token", HFILL
}
},
{ &hf_header_array[POS_CONTENT_DESCRIPTION],
{ "Content-Description",
"mime_multipart.header.content-description",
FT_STRING, BASE_NONE, NULL, 0x00,
"Content-Description Header", HFILL
}
},
{ &hf_header_array[POS_CONTENT_DISPOSITION],
{ "Content-Disposition",
"mime_multipart.header.content-disposition",
FT_STRING, BASE_NONE, NULL, 0x00,
"RFC 2183: Content-Disposition Header", HFILL
}
},
{ &hf_header_array[POS_CONTENT_ENCODING],
{ "Content-Encoding",
"mime_multipart.header.content-encoding",
FT_STRING, BASE_NONE, NULL, 0x00,
"Content-Encoding Header", HFILL
}
},
{ &hf_header_array[POS_CONTENT_ID],
{ "Content-Id",
"mime_multipart.header.content-id",
FT_STRING, BASE_NONE, NULL, 0x00,
"RFC 2045: Content-Id Header", HFILL
}
},
{ &hf_header_array[POS_CONTENT_LANGUAGE],
{ "Content-Language",
"mime_multipart.header.content-language",
FT_STRING, BASE_NONE, NULL, 0x00,
"Content-Language Header", HFILL
}
},
{ &hf_header_array[POS_CONTENT_LENGTH],
{ "Content-Length",
"mime_multipart.header.content-length",
FT_STRING, BASE_NONE, NULL, 0x0,
"Content-Length Header", HFILL
}
},
{ &hf_header_array[POS_CONTENT_TRANSFER_ENCODING],
{ "Content-Transfer-Encoding",
"mime_multipart.header.content-transfer-encoding",
FT_STRING, BASE_NONE, NULL, 0x00,
"RFC 2045: Content-Transfer-Encoding Header", HFILL
}
},
{ &hf_header_array[POS_CONTENT_TYPE],
{ "Content-Type",
"mime_multipart.header.content-type",
FT_STRING, BASE_NONE,NULL,0x0,
"Content-Type Header", HFILL
}
},
{ &hf_header_array[POS_ORIGINALCONTENT],
{ "OriginalContent",
"mime_multipart.header.originalcontent",
FT_STRING, BASE_NONE,NULL,0x0,
"Original Content-Type Header", HFILL
}
},
/* Generated from convert_proto_tree_add_text.pl */
{ &hf_multipart_first_boundary, { "First boundary", "mime_multipart.first_boundary", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_multipart_preamble, { "Preamble", "mime_multipart.preamble", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_multipart_last_boundary, { "Last boundary", "mime_multipart.last_boundary", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_multipart_boundary, { "Boundary", "mime_multipart.boundary", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_multipart_trailer, { "Trailer", "mime_multipart.trailer", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
};
/*
* Preferences
*/
module_t *multipart_module;
expert_module_t* expert_multipart;
/*
* Setup protocol subtree array
*/
static gint *ett[] = {
&ett_multipart,
&ett_multipart_main,
&ett_multipart_body,
};
static ei_register_info ei[] = {
{ &ei_multipart_no_required_parameter, { "mime_multipart.no_required_parameter", PI_PROTOCOL, PI_ERROR, "The multipart dissector could not find a required parameter.", EXPFILL }},
{ &ei_multipart_decryption_not_possible, { "mime_multipart.decryption_not_possible", PI_UNDECODED, PI_WARN, "The multipart dissector could not decrypt the message.", EXPFILL }},
};
/*
* Register the protocol name and description
*/
proto_multipart = proto_register_protocol(
"MIME Multipart Media Encapsulation",
"MIME multipart",
"mime_multipart");
/*
* Required function calls to register
* the header fields and subtrees used.
*/
proto_register_field_array(proto_multipart, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
expert_multipart = expert_register_protocol(proto_multipart);
expert_register_field_array(expert_multipart, ei, array_length(ei));
multipart_module = prefs_register_protocol(proto_multipart, NULL);
prefs_register_bool_preference(multipart_module,
"display_unknown_body_as_text",
"Display bodies without media type as text",
"Display multipart bodies with no media type dissector"
" as raw text (may cause problems with binary data).",
&display_unknown_body_as_text);
prefs_register_bool_preference(multipart_module,
"remove_base64_encoding",
"Remove base64 encoding from bodies",
"Remove any base64 content-transfer encoding from bodies. "
"This supports export of the body and its further dissection.",
&remove_base64_encoding);
#ifdef HAVE_ZLIB
prefs_register_bool_preference(multipart_module,
"uncompress_data",
"Uncompress parts which are compressed",
"Uncompress parts which are compressed. GZIP for example. "
"This supports export of the body and its further dissection.",
&uncompress_data);
#endif
/*
* Dissectors requiring different behavior in cases where the media
* is contained in a multipart entity should register their multipart
* dissector in the dissector table below, which is similar to the
* "media_type" dissector table defined in the HTTP dissector code.
*/
multipart_media_subdissector_table = register_dissector_table(
"multipart_media_type",
"Internet media type (for multipart processing)",
proto_multipart, FT_STRING, BASE_NONE);
}
/* If this dissector uses sub-dissector registration add a registration routine.
This format is required because a script is used to find these routines and
create the code that calls these routines.
*/
void
proto_reg_handoff_multipart(void)
{
dissector_handle_t multipart_handle;
/*
* When we cannot display the data, call the data dissector.
* When there is no dissector for the given media, call the media dissector.
*/
media_handle = find_dissector_add_dependency("media", proto_multipart);
gssapi_handle = find_dissector_add_dependency("gssapi", proto_multipart);
/*
* Get the content type and Internet media type table
*/
media_type_dissector_table = find_dissector_table("media_type");
/*
* Handle for multipart dissection
*/
multipart_handle = create_dissector_handle(
dissect_multipart, proto_multipart);
dissector_add_string("media_type",
"multipart/mixed", multipart_handle);
dissector_add_string("media_type",
"multipart/related", multipart_handle);
dissector_add_string("media_type",
"multipart/alternative", multipart_handle);
dissector_add_string("media_type",
"multipart/form-data", multipart_handle);
dissector_add_string("media_type",
"multipart/report", multipart_handle);
dissector_add_string("media_type",
"multipart/signed", multipart_handle);
dissector_add_string("media_type",
"multipart/encrypted", multipart_handle);
/*
* Supply an entry to use for unknown multipart subtype.
* See RFC 2046, section 5.1.3
*/
dissector_add_string("media_type",
"multipart/", multipart_handle);
}
/*
* Editor modelines - https://www.wireshark.org/tools/modelines.html
*
* Local variables:
* c-basic-offset: 4
* tab-width: 8
* indent-tabs-mode: nil
* End:
*
* vi: set shiftwidth=4 tabstop=8 expandtab:
* :indentSize=4:tabSize=8:noTabs=true:
*/
Reference in New Issue View Git Blame Copy Permalink