From 2856caa1cf3307208864af4c59da8ecb07bc3153 Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Mon, 8 Mar 2010 19:43:07 -0500 Subject: [PATCH] packet-smb: add more FIND_FILE dissectors --- epan/dissectors/packet-smb.c | 271 ++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 271 insertions(+), 0 deletions(-) diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c index 727b290..c9a90b9 100644 --- a/epan/dissectors/packet-smb.c +++ b/epan/dissectors/packet-smb.c @@ -10051,6 +10051,8 @@ static const value_string ff2_il_vals[] = { { 0x0102, "Find File Full Directory Info"}, { 0x0103, "Find File Names Info"}, { 0x0104, "Find File Both Directory Info"}, + { 0x0105, "Find File Full Directory Info"}, + { 0x0106, "Find File Id Both Directory Info"}, { 0x0202, "Find File UNIX"}, {0, NULL} }; @@ -13900,6 +13902,267 @@ dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, } static int +dissect_4_3_4_6full(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, + int offset, guint16 *bcp, gboolean *trunc) +{ + int fn_len; + const char *fn; + int old_offset = offset; + proto_item *item = NULL; + proto_tree *tree = NULL; + smb_info_t *si; + guint32 neo; + int padcnt; + + si = (smb_info_t *)pinfo->private_data; + DISSECTOR_ASSERT(si); + + if(parent_tree){ + tvb_ensure_bytes_exist(tvb, offset, *bcp); + item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s", + val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)")); + tree = proto_item_add_subtree(item, ett_smb_ff2_data); + } + + /* + * XXX - I have not seen any of these that contain a resume + * key, even though some of the requests had the "return resume + * key" flag set. + */ + + /* next entry offset */ + CHECK_BYTE_COUNT_SUBR(4); + neo = tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo); + COUNT_BYTES_SUBR(4); + + /* file index */ + CHECK_BYTE_COUNT_SUBR(4); + proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE); + COUNT_BYTES_SUBR(4); + + /* dissect standard 8-byte timestamps */ + offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc); + if (*trunc) { + return offset; + } + + /* end of file */ + CHECK_BYTE_COUNT_SUBR(8); + proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE); + COUNT_BYTES_SUBR(8); + + /* allocation size */ + CHECK_BYTE_COUNT_SUBR(8); + proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE); + COUNT_BYTES_SUBR(8); + + /* Extended File Attributes */ + CHECK_BYTE_COUNT_SUBR(4); + offset = dissect_file_ext_attr(tvb, tree, offset); + *bcp -= 4; + + /* file name len */ + CHECK_BYTE_COUNT_SUBR(4); + fn_len = tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len); + COUNT_BYTES_SUBR(4); + + /* + * EA length. + * + * XXX - in one captures, this has the topmost bit set, and the + * rest of the bits have the value 7. Is the topmost bit being + * set some indication that the value *isn't* the length of + * the EAs? + */ + CHECK_BYTE_COUNT_SUBR(4); + proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE); + COUNT_BYTES_SUBR(4); + + /* skip 4 bytes */ + COUNT_BYTES_SUBR(4); + + CHECK_BYTE_COUNT_SUBR(8); + proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE); + COUNT_BYTES_SUBR(8); + + /* file name */ + fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp); + CHECK_STRING_SUBR(fn); + proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len, + fn); + COUNT_BYTES_SUBR(fn_len); + + if (check_col(pinfo->cinfo, COL_INFO)) { + col_append_fstr(pinfo->cinfo, COL_INFO, " %s", + format_text(fn, strlen(fn))); + } + + /* skip to next structure */ + if(neo){ + padcnt = (old_offset + neo) - offset; + if (padcnt < 0) { + /* + * XXX - this is bogus; flag it? + */ + padcnt = 0; + } + if (padcnt != 0) { + CHECK_BYTE_COUNT_SUBR(padcnt); + COUNT_BYTES_SUBR(padcnt); + } + } + + proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn))); + proto_item_set_len(item, offset-old_offset); + + *trunc = FALSE; + return offset; +} + +static int +dissect_4_3_4_6_id_both(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, + int offset, guint16 *bcp, gboolean *trunc) +{ + int fn_len, sfn_len; + const char *fn, *sfn; + int old_offset = offset; + proto_item *item = NULL; + proto_tree *tree = NULL; + smb_info_t *si; + guint32 neo; + int padcnt; + + si = (smb_info_t *)pinfo->private_data; + DISSECTOR_ASSERT(si); + + if(parent_tree){ + tvb_ensure_bytes_exist(tvb, offset, *bcp); + item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s", + val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)")); + tree = proto_item_add_subtree(item, ett_smb_ff2_data); + } + + /* + * XXX - I have not seen any of these that contain a resume + * key, even though some of the requests had the "return resume + * key" flag set. + */ + + /* next entry offset */ + CHECK_BYTE_COUNT_SUBR(4); + neo = tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo); + COUNT_BYTES_SUBR(4); + + /* file index */ + CHECK_BYTE_COUNT_SUBR(4); + proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE); + COUNT_BYTES_SUBR(4); + + /* dissect standard 8-byte timestamps */ + offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc); + if (*trunc) { + return offset; + } + + /* end of file */ + CHECK_BYTE_COUNT_SUBR(8); + proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE); + COUNT_BYTES_SUBR(8); + + /* allocation size */ + CHECK_BYTE_COUNT_SUBR(8); + proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE); + COUNT_BYTES_SUBR(8); + + /* Extended File Attributes */ + CHECK_BYTE_COUNT_SUBR(4); + offset = dissect_file_ext_attr(tvb, tree, offset); + *bcp -= 4; + + /* file name len */ + CHECK_BYTE_COUNT_SUBR(4); + fn_len = tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len); + COUNT_BYTES_SUBR(4); + + /* + * EA length. + * + * XXX - in one captures, this has the topmost bit set, and the + * rest of the bits have the value 7. Is the topmost bit being + * set some indication that the value *isn't* the length of + * the EAs? + */ + CHECK_BYTE_COUNT_SUBR(4); + proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE); + COUNT_BYTES_SUBR(4); + + /* short file name len */ + CHECK_BYTE_COUNT_SUBR(1); + sfn_len = tvb_get_guint8(tvb, offset); + proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len); + COUNT_BYTES_SUBR(1); + + /* reserved byte */ + CHECK_BYTE_COUNT_SUBR(1); + proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE); + COUNT_BYTES_SUBR(1); + + /* short file name - it's not always in Unicode */ + sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp); + CHECK_STRING_SUBR(sfn); + proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24, + sfn); + COUNT_BYTES_SUBR(24); + + /* reserved bytes */ + CHECK_BYTE_COUNT_SUBR(2); + proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE); + COUNT_BYTES_SUBR(2); + + /* file id */ + CHECK_BYTE_COUNT_SUBR(8); + proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE); + COUNT_BYTES_SUBR(8); + + /* file name */ + fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp); + CHECK_STRING_SUBR(fn); + proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len, + fn); + COUNT_BYTES_SUBR(fn_len); + + if (check_col(pinfo->cinfo, COL_INFO)) { + col_append_fstr(pinfo->cinfo, COL_INFO, " %s", + format_text(fn, strlen(fn))); + } + + /* skip to next structure */ + if(neo){ + padcnt = (old_offset + neo) - offset; + if (padcnt < 0) { + /* + * XXX - this is bogus; flag it? + */ + padcnt = 0; + } + if (padcnt != 0) { + CHECK_BYTE_COUNT_SUBR(padcnt); + COUNT_BYTES_SUBR(padcnt); + } + } + + proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn))); + proto_item_set_len(item, offset-old_offset); + + *trunc = FALSE; + return offset; +} + +static int dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc) { @@ -14129,6 +14392,14 @@ dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo, offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp, trunc); break; + case 0x0105: /*Find File Full Directory Info*/ + offset = dissect_4_3_4_6full(tvb, pinfo, tree, offset, bcp, + trunc); + break; + case 0x0106: /*Find File Id Both Directory Info*/ + offset = dissect_4_3_4_6_id_both(tvb, pinfo, tree, offset, bcp, + trunc); + break; case 0x0202: /*Find File UNIX*/ offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp, trunc); -- 1.6.6.1