Wireshark mailing list archives

Better dissection in the SMB dissector when captures contain truncated frames/packets


From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Tue, 2 Oct 2012 15:36:28 -0700

Hi folks,

I am often given captures that contain truncated packets.

It annoys me that in many places the SMB dissector does not attempt to
do all it could with the data.

For example, with TRANS2 FIND_FIRST2 it does not bother displaying any
of the files returned if the data is truncated.

The following small patch fixes that, although I want to go through
and do the same for all of the FF2 info levels:

Index: epan/dissectors/packet-smb.c
===================================================================
--- epan/dissectors/packet-smb.c        (revision 43693)
+++ epan/dissectors/packet-smb.c        (working copy)
@@ -14656,8 +14656,20 @@
        si = (smb_info_t *)pinfo->private_data;
        DISSECTOR_ASSERT(si);

+       /*
+        * We check this first before adding the sub-tree so things do not
+        * get ugly.
+        */
+
+       /* next entry offset */
+       CHECK_BYTE_COUNT_SUBR(4);
+       neo = tvb_get_letohl(tvb, offset);
+
+       /* Ensure we have the bytes we need, wich is up to neo */
+       tvb_ensure_bytes_exist(tvb, offset, neo);
+
        if (parent_tree) {
-               tvb_ensure_bytes_exist(tvb, offset, *bcp);
+               /*tvb_ensure_bytes_exist(tvb, offset, *bcp); */
                item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
                    val_to_str(si->info_level, ff2_il_vals, "Unknown
(0x%02x)"));
                tree = proto_item_add_subtree(item, ett_smb_ff2_data);
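Review bot: The new guard `tvb_ensure_bytes_exist(tvb, offset, neo)` covers nothing for the final entry of the list, because the protocol sets the next entry offset to 0 there, and ensuring 0 bytes always succeeds; fall back to `*bcp` (or the fixed minimum size of the info level being dissected) when `neo` is 0 so a truncated last entry still raises the bounds error instead of being dissected as if complete. Two smaller points in the same hunk: `CHECK_BYTE_COUNT_SUBR(4)` now runs before `tree` is assigned at the end of the hunk, so check that the macro does not add an error item to `tree` on failure (it did not have this ordering at its old position); and the old call should be deleted rather than left as `/*tvb_ensure_bytes_exist(tvb, offset, *bcp); */`. Typo in the new comment: "wich".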
@@ -14669,9 +14681,6 @@
         * key" flag set.
         */

-       /* next entry offset */
-       CHECK_BYTE_COUNT_SUBR(4);
-       neo = tvb_get_letohl(tvb, offset);
        proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb,
offset, 4, neo);
        COUNT_BYTES_SUBR(4);
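Review bot: Moving the check and the read of `neo` earlier is fine, but this hunk also drops the `/* next entry offset */` label above the `proto_tree_add_uint(tree, hf_smb_next_entry_offset, ...)` call, so the value added here is now read some twenty lines above with no comment tying the two together; keep the comment at this site, and note for the reader that `COUNT_BYTES_SUBR(4)` intentionally stays here so the byte-count accounting is unchanged while only the bounds check moved.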



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)