2 * Routines for {fragment,segment} reassembly
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #include <epan/packet.h>
31 #include <epan/reassemble.h>
34 * Functions for reassembly tables where the endpoint addresses, and a
35 * fragment ID, are used as the key.
37 typedef struct _fragment_addresses_key {
41 } fragment_addresses_key;
44 fragment_addresses_hash(gconstpointer k)
46 const fragment_addresses_key* key = (const fragment_addresses_key*) k;
54 /* More than likely: in most captures src and dst addresses are the
55 same, and would hash the same.
56 We only use id as the hash as an optimization.
58 for (i = 0; i < key->src.len; i++)
59 hash_val += key->src.data[i];
60 for (i = 0; i < key->dst.len; i++)
61 hash_val += key->dst.data[i];
70 fragment_addresses_equal(gconstpointer k1, gconstpointer k2)
72 const fragment_addresses_key* key1 = (const fragment_addresses_key*) k1;
73 const fragment_addresses_key* key2 = (const fragment_addresses_key*) k2;
76 * key.id is the first item to compare since it's the item most
77 * likely to differ between sessions, thus short-circuiting
78 * the comparison of addresses.
80 return (key1->id == key2->id) &&
81 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
82 (ADDRESSES_EQUAL(&key1->dst, &key2->dst));
86 * Create a fragment key for temporary use; it can point to non-
87 * persistent data, and so must only be used to look up and
88 * delete entries, not to add them.
91 fragment_addresses_temporary_key(const packet_info *pinfo, const guint32 id,
94 fragment_addresses_key *key = g_slice_new(fragment_addresses_key);
97 * Do a shallow copy of the addresses.
99 key->src = pinfo->src;
100 key->dst = pinfo->dst;
103 return (gpointer)key;
107 * Create a fragment key for permanent use; it must point to persistent
108 * data, so that it can be used to add entries.
111 fragment_addresses_persistent_key(const packet_info *pinfo, const guint32 id,
112 const void *data _U_)
114 fragment_addresses_key *key = g_slice_new(fragment_addresses_key);
117 * Do a deep copy of the addresses.
119 COPY_ADDRESS(&key->src, &pinfo->src);
120 COPY_ADDRESS(&key->dst, &pinfo->dst);
123 return (gpointer)key;
127 fragment_addresses_free_temporary_key(gpointer ptr)
129 fragment_addresses_key *key = (fragment_addresses_key *)ptr;
132 g_slice_free(fragment_addresses_key, key);
136 fragment_addresses_free_persistent_key(gpointer ptr)
138 fragment_addresses_key *key = (fragment_addresses_key *)ptr;
142 * Free up the copies of the addresses from the old key.
144 g_free((gpointer)key->src.data);
145 g_free((gpointer)key->dst.data);
147 g_slice_free(fragment_addresses_key, key);
151 const reassembly_table_functions
152 addresses_reassembly_table_functions = {
153 fragment_addresses_hash,
154 fragment_addresses_equal,
155 fragment_addresses_temporary_key,
156 fragment_addresses_persistent_key,
157 fragment_addresses_free_temporary_key,
158 fragment_addresses_free_persistent_key
162 * Functions for reassembly tables where the endpoint addresses and ports,
163 * and a fragment ID, are used as the key.
165 typedef struct _fragment_addresses_ports_key {
171 } fragment_addresses_ports_key;
174 fragment_addresses_ports_hash(gconstpointer k)
176 const fragment_addresses_ports_key* key = (const fragment_addresses_ports_key*) k;
184 /* More than likely: in most captures src and dst addresses and ports
185 are the same, and would hash the same.
186 We only use id as the hash as an optimization.
188 for (i = 0; i < key->src.len; i++)
189 hash_val += key->src_addr.data[i];
190 for (i = 0; i < key->dst.len; i++)
191 hash_val += key->dst_addr.data[i];
192 hash_val += key->src_port;
193 hash_val += key->dst_port;
202 fragment_addresses_ports_equal(gconstpointer k1, gconstpointer k2)
204 const fragment_addresses_ports_key* key1 = (const fragment_addresses_ports_key*) k1;
205 const fragment_addresses_ports_key* key2 = (const fragment_addresses_ports_key*) k2;
208 * key.id is the first item to compare since it's the item most
209 * likely to differ between sessions, thus short-circuiting
210 * the comparison of addresses and ports.
212 return (key1->id == key2->id) &&
213 (ADDRESSES_EQUAL(&key1->src_addr, &key2->src_addr)) &&
214 (ADDRESSES_EQUAL(&key1->dst_addr, &key2->dst_addr)) &&
215 (key1->src_port == key2->src_port) &&
216 (key1->dst_port == key2->dst_port);
220 * Create a fragment key for temporary use; it can point to non-
221 * persistent data, and so must only be used to look up and
222 * delete entries, not to add them.
225 fragment_addresses_ports_temporary_key(const packet_info *pinfo, const guint32 id,
226 const void *data _U_)
228 fragment_addresses_ports_key *key = g_slice_new(fragment_addresses_ports_key);
231 * Do a shallow copy of the addresses.
233 key->src_addr = pinfo->src;
234 key->dst_addr = pinfo->dst;
235 key->src_port = pinfo->srcport;
236 key->dst_port = pinfo->destport;
239 return (gpointer)key;
243 * Create a fragment key for permanent use; it must point to persistent
244 * data, so that it can be used to add entries.
247 fragment_addresses_ports_persistent_key(const packet_info *pinfo,
248 const guint32 id, const void *data _U_)
250 fragment_addresses_ports_key *key = g_slice_new(fragment_addresses_ports_key);
253 * Do a deep copy of the addresses.
255 COPY_ADDRESS(&key->src_addr, &pinfo->src);
256 COPY_ADDRESS(&key->dst_addr, &pinfo->dst);
257 key->src_port = pinfo->srcport;
258 key->dst_port = pinfo->destport;
261 return (gpointer)key;
265 fragment_addresses_ports_free_temporary_key(gpointer ptr)
267 fragment_addresses_ports_key *key = (fragment_addresses_ports_key *)ptr;
270 g_slice_free(fragment_addresses_ports_key, key);
274 fragment_addresses_ports_free_persistent_key(gpointer ptr)
276 fragment_addresses_ports_key *key = (fragment_addresses_ports_key *)ptr;
280 * Free up the copies of the addresses from the old key.
282 g_free((gpointer)key->src_addr.data);
283 g_free((gpointer)key->dst_addr.data);
285 g_slice_free(fragment_addresses_ports_key, key);
289 const reassembly_table_functions
290 addresses_ports_reassembly_table_functions = {
291 fragment_addresses_ports_hash,
292 fragment_addresses_ports_equal,
293 fragment_addresses_ports_temporary_key,
294 fragment_addresses_ports_persistent_key,
295 fragment_addresses_ports_free_temporary_key,
296 fragment_addresses_ports_free_persistent_key
299 typedef struct _reassembled_key {
305 reassembled_equal(gconstpointer k1, gconstpointer k2)
307 const reassembled_key* key1 = (const reassembled_key*) k1;
308 const reassembled_key* key2 = (const reassembled_key*) k2;
311 * We assume that the frame numbers are unlikely to be equal,
312 * so we check them first.
314 return key1->frame == key2->frame && key1->id == key2->id;
318 reassembled_hash(gconstpointer k)
320 const reassembled_key* key = (const reassembled_key*) k;
326 * For a fragment hash table entry, free the associated fragments.
327 * The entry value (fd_chain) is freed herein and the entry is freed
328 * when the key freeing routine is called (as a consequence of returning
329 * TRUE from this function).
332 free_all_fragments(gpointer key_arg _U_, gpointer value, gpointer user_data _U_)
334 fragment_data *fd_head, *tmp_fd;
336 /* g_hash_table_new_full() was used to supply a function
337 * to free the key and anything to which it points
339 for (fd_head = (fragment_data *)value; fd_head != NULL; fd_head = tmp_fd) {
340 tmp_fd=fd_head->next;
342 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
343 g_free(fd_head->data);
344 g_slice_free(fragment_data, fd_head);
350 /* ------------------------- */
351 static fragment_data *new_head(const guint32 flags)
353 fragment_data *fd_head;
354 /* If head/first structure in list only holds no other data than
355 * 'datalen' then we don't have to change the head of the list
356 * even if we want to keep it sorted
358 fd_head=g_slice_new0(fragment_data);
360 fd_head->flags=flags;
364 #define FD_VISITED_FREE 0xffff
367 * For a reassembled-packet hash table entry, free the fragment data
368 * to which the value refers and also the key itself.
371 free_all_reassembled_fragments(gpointer key_arg, gpointer value,
374 GPtrArray *allocated_fragments = (GPtrArray *) user_data;
375 fragment_data *fd_head;
377 for (fd_head = (fragment_data *)value; fd_head != NULL; fd_head = fd_head->next) {
379 * A reassembled packet is inserted into the
380 * hash table once for every frame that made
381 * up the reassembled packet; add first seen
382 * fragments to array and later free them in
385 if (fd_head->flags != FD_VISITED_FREE) {
386 if (fd_head->flags & FD_NOT_MALLOCED)
387 fd_head->data = NULL;
388 g_ptr_array_add(allocated_fragments, fd_head);
389 fd_head->flags = FD_VISITED_FREE;
393 g_slice_free(reassembled_key, (reassembled_key *)key_arg);
399 free_fragments(gpointer data, gpointer user_data _U_)
401 fragment_data *fd_head = (fragment_data *) data;
403 g_free(fd_head->data);
404 g_slice_free(fragment_data, fd_head);
408 * Initialize a reassembly table, with specified functions.
411 reassembly_table_init(reassembly_table *table,
412 const reassembly_table_functions *funcs)
414 if (table->temporary_key_func == NULL)
415 table->temporary_key_func = funcs->temporary_key_func;
416 if (table->persistent_key_func == NULL)
417 table->persistent_key_func = funcs->persistent_key_func;
418 if (table->free_temporary_key_func == NULL)
419 table->free_temporary_key_func = funcs->free_temporary_key_func;
420 if (table->fragment_table != NULL) {
422 * The fragment hash table exists.
424 * Remove all entries and free fragment data for each entry.
426 * The keys, and anything to which they point, are freed by
427 * calling the table's key freeing function. The values
428 * are freed in free_all_fragments().
430 g_hash_table_foreach_remove(table->fragment_table,
431 free_all_fragments, NULL);
433 /* The fragment table does not exist. Create it */
434 table->fragment_table = g_hash_table_new_full(funcs->hash_func,
435 funcs->equal_func, funcs->free_persistent_key_func, NULL);
438 if (table->reassembled_table != NULL) {
439 GPtrArray *allocated_fragments;
442 * The reassembled-packet hash table exists.
444 * Remove all entries and free reassembled packet
445 * data and key for each entry.
448 allocated_fragments = g_ptr_array_new();
449 g_hash_table_foreach_remove(table->reassembled_table,
450 free_all_reassembled_fragments, allocated_fragments);
452 g_ptr_array_foreach(allocated_fragments, free_fragments, NULL);
453 g_ptr_array_free(allocated_fragments, TRUE);
455 /* The fragment table does not exist. Create it */
456 table->reassembled_table = g_hash_table_new(reassembled_hash,
462 * Destroy a reassembly table.
465 reassembly_table_destroy(reassembly_table *table)
467 if (table->fragment_table != NULL) {
469 * The fragment hash table exists.
471 * Remove all entries and free fragment data for each entry.
473 * The keys, and anything to which they point, are freed by
474 * calling the table's key freeing function. The values
475 * are freed in free_all_fragments().
477 g_hash_table_foreach_remove(table->fragment_table,
478 free_all_fragments, NULL);
480 g_hash_table_destroy(table->fragment_table);
481 table->fragment_table = NULL;
486 * Look up an fd_head in the fragment table, optionally returning the key
489 static fragment_data *
490 lookup_fd_head(reassembly_table *table, const packet_info *pinfo,
491 const guint32 id, const void *data, gpointer *orig_keyp)
496 /* Create key to search hash with */
497 key = table->temporary_key_func(pinfo, id, data);
500 * Look up the reassembly in the fragment table.
502 if (!g_hash_table_lookup_extended(table->fragment_table, key, orig_keyp,
506 table->free_temporary_key_func(key);
508 return (fragment_data *)value;
512 * Insert an fd_head into the fragment table, and return the key used.
515 insert_fd_head(reassembly_table *table, fragment_data *fd_head,
516 const packet_info *pinfo, const guint32 id, const void *data)
521 * We're going to use the key to insert the fragment,
522 * so make a persistent version of it.
524 key = table->persistent_key_func(pinfo, id, data);
525 g_hash_table_insert(table->fragment_table, key, fd_head);
529 /* This function cleans up the stored state and removes the reassembly data and
530 * (with one exception) all allocated memory for matching reassembly.
533 * If the PDU was already completely reassembled, then the buffer containing the
534 * reassembled data WILL NOT be free()d, and the pointer to that buffer will be
536 * Othervise the function will return NULL.
538 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to
539 * g_free() that buffer.
542 fragment_delete(reassembly_table *table, const packet_info *pinfo,
543 const guint32 id, const void *data)
545 fragment_data *fd_head, *fd;
546 unsigned char *fd_data=NULL;
549 fd_head = lookup_fd_head(table, pinfo, id, data, &key);
551 /* We do not recognize this as a PDU we have seen before. return */
555 fd_data=fd_head->data;
556 /* loop over all partial fragments and free any buffers */
557 for(fd=fd_head->next;fd;){
558 fragment_data *tmp_fd;
561 if( !(fd->flags&FD_NOT_MALLOCED) )
563 g_slice_free(fragment_data, fd);
566 g_slice_free(fragment_data, fd_head);
567 g_hash_table_remove(table->fragment_table, key);
572 /* This function is used to check if there is partial or completed reassembly state
573 * matching this packet. I.e. Is there reassembly going on or not for this packet?
576 fragment_get(reassembly_table *table, const packet_info *pinfo,
577 const guint32 id, const void *data)
579 return lookup_fd_head(table, pinfo, id, data, NULL);
582 /* id *must* be the frame number for this to work! */
584 fragment_get_reassembled(reassembly_table *table, const guint32 id)
586 fragment_data *fd_head;
589 /* create key to search hash with */
592 fd_head = (fragment_data *)g_hash_table_lookup(table->reassembled_table, &key);
598 fragment_get_reassembled_id(reassembly_table *table, const packet_info *pinfo,
601 fragment_data *fd_head;
604 /* create key to search hash with */
605 key.frame = pinfo->fd->num;
607 fd_head = (fragment_data *)g_hash_table_lookup(table->reassembled_table, &key);
612 /* This function can be used to explicitly set the total length (if known)
613 * for reassembly of a PDU.
614 * This is useful for reassembly of PDUs where one may have the total length specified
615 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
616 * is the last fragment.
618 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
619 * and just tell the reassembly engine the expected total length of the reassembled data
620 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
622 * Note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
623 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
624 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
627 fragment_set_tot_len(reassembly_table *table, const packet_info *pinfo,
628 const guint32 id, const void *data, const guint32 tot_len)
630 fragment_data *fd_head;
632 guint32 max_offset = 0;
634 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
638 /* Verify that the length (or block sequence number) we're setting
639 * doesn't conflict with values set by existing fragments.
642 if (fd_head->flags & FD_BLOCKSEQUENCE) {
644 if (fd->offset > max_offset) {
645 max_offset = fd->offset;
646 THROW_MESSAGE_ON(max_offset > tot_len, ReassemblyError, "Bad total reassembly block count");
653 if (fd->offset + fd->len > max_offset) {
654 max_offset = fd->offset + fd->len;
655 THROW_MESSAGE_ON(max_offset > tot_len, ReassemblyError, "Bad total reassembly length");
661 if (fd_head->flags & FD_DEFRAGMENTED) {
662 THROW_MESSAGE_ON(max_offset != tot_len, ReassemblyError, "Defragmented complete but total length not satisfied");
665 /* We got this far so the value is sane. */
666 fd_head->datalen = tot_len;
667 fd_head->flags |= FD_DATALEN_SET;
671 fragment_get_tot_len(reassembly_table *table, const packet_info *pinfo,
672 const guint32 id, const void *data)
674 fragment_data *fd_head;
676 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
679 return fd_head->datalen;
686 /* This function will set the partial reassembly flag for a fh.
687 When this function is called, the fh MUST already exist, i.e.
688 the fh MUST be created by the initial call to fragment_add() before
689 this function is called.
690 Also note that this function MUST be called to indicate a fh will be
691 extended (increase the already stored data)
695 fragment_set_partial_reassembly(reassembly_table *table,
696 const packet_info *pinfo, const guint32 id,
699 fragment_data *fd_head;
701 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
704 * XXX - why not do all the stuff done early in "fragment_add_work()",
705 * turning off FD_DEFRAGMENTED and pointing the fragments' data
706 * pointers to the appropriate part of the already-reassembled
707 * data, and clearing the data length and "reassembled in" frame
708 * number, here? We currently have a hack in the TCP dissector
709 * not to set the "reassembled in" value if the "partial reassembly"
710 * flag is set, so that in the first pass through the packets
711 * we don't falsely set a packet as reassembled in that packet
712 * if the dissector decided that even more reassembly was needed.
715 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
720 * This function gets rid of an entry from a fragment table, given
721 * a pointer to the key for that entry.
723 * The key freeing routine will be called by g_hash_table_remove().
726 fragment_unhash(reassembly_table *table, gpointer key)
729 * Remove the entry from the fragment table.
731 g_hash_table_remove(table->fragment_table, key);
735 * This function adds fragment_data structure to a reassembled-packet
736 * hash table, using the frame numbers of each of the frames from
737 * which it was reassembled as keys, and sets the "reassembled_in"
741 fragment_reassembled(reassembly_table *table, fragment_data *fd_head,
742 const packet_info *pinfo, const guint32 id)
744 reassembled_key *new_key;
747 if (fd_head->next == NULL) {
749 * This was not fragmented, so there's no fragment
750 * table; just hash it using the current frame number.
752 new_key = g_slice_new(reassembled_key);
753 new_key->frame = pinfo->fd->num;
755 g_hash_table_insert(table->reassembled_table, new_key, fd_head);
758 * Hash it with the frame numbers for all the frames.
760 for (fd = fd_head->next; fd != NULL; fd = fd->next){
761 new_key = g_slice_new(reassembled_key);
762 new_key->frame = fd->frame;
764 g_hash_table_insert(table->reassembled_table, new_key,
768 fd_head->flags |= FD_DEFRAGMENTED;
769 fd_head->reassembled_in = pinfo->fd->num;
773 LINK_FRAG(fragment_data *fd_head,fragment_data *fd)
777 /* add fragment to list, keep list sorted */
778 for(fd_i= fd_head; fd_i->next;fd_i=fd_i->next) {
779 if (fd->offset < fd_i->next->offset )
787 * This function adds a new fragment to the fragment hash table.
788 * If this is the first fragment seen for this datagram, a new entry
789 * is created in the hash table, otherwise this fragment is just added
790 * to the linked list of fragments for this packet.
791 * The list of fragments for a specific datagram is kept sorted for
794 * Returns a pointer to the head of the fragment data list if we have all the
795 * fragments, NULL otherwise.
797 * This function assumes frag_offset being a byte offset into the defragment
801 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
802 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
803 * using fragment_set_partial_reassembly() before calling fragment_add
804 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
805 * are lowered when a new extension process is started.
808 fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, const int offset,
809 const packet_info *pinfo, const guint32 frag_offset,
810 const guint32 frag_data_len, const gboolean more_frags)
815 unsigned char *old_data;
816 const char *error = NULL;
818 /* create new fd describing this fragment */
819 fd = g_slice_new(fragment_data);
822 fd->frame = pinfo->fd->num;
823 fd->offset = frag_offset;
824 fd->len = frag_data_len;
827 /* If it was already defragmented and this new fragment goes beyond the
828 * old data limits... */
829 if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen) {
830 /* If we've been requested to continue reassembly, set flag in
831 * already empty fds & point old fds to malloc'ed data. */
832 if (fd_head->flags & FD_PARTIAL_REASSEMBLY) {
833 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
835 fd_i->data = fd_head->data + fd_i->offset;
836 fd_i->flags |= FD_NOT_MALLOCED;
838 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
840 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
841 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
843 fd_head->reassembled_in=0;
846 /* Otherwise, bail out since we have no idea what to do
847 * with this fragment (and if we keep going we'll run
848 * past the end of a buffer sooner or later).
850 g_slice_free(fragment_data, fd);
851 THROW(ReassemblyError);
855 /* Do this after we may have bailed out (above) so that we don't leave
856 * fd_head->frame in a bad state if we do */
857 if (fd->frame > fd_head->frame)
858 fd_head->frame = fd->frame;
862 * This is the tail fragment in the sequence.
864 if (fd_head->flags & FD_DATALEN_SET) {
865 /* ok we have already seen other tails for this packet
866 * it might be a duplicate.
868 if (fd_head->datalen != (fd->offset + fd->len) ){
869 /* Oops, this tail indicates a different packet
870 * len than the previous ones. Something's wrong.
872 fd->flags |= FD_MULTIPLETAILS;
873 fd_head->flags |= FD_MULTIPLETAILS;
876 /* this was the first tail fragment, now we know the
877 * length of the packet
879 fd_head->datalen = fd->offset + fd->len;
880 fd_head->flags |= FD_DATALEN_SET;
887 /* If the packet is already defragmented, this MUST be an overlap.
888 * The entire defragmented packet is in fd_head->data.
889 * Even if we have previously defragmented this packet, we still
890 * check it. Someone might play overlap and TTL games.
892 if (fd_head->flags & FD_DEFRAGMENTED) {
893 guint32 end_offset = fd->offset + fd->len;
894 fd->flags |= FD_OVERLAP;
895 fd_head->flags |= FD_OVERLAP;
896 /* make sure it's not too long */
897 if (end_offset > fd_head->datalen || end_offset < fd->offset || end_offset < fd->len) {
898 fd->flags |= FD_TOOLONGFRAGMENT;
899 fd_head->flags |= FD_TOOLONGFRAGMENT;
901 /* make sure it doesn't conflict with previous data */
902 else if ( memcmp(fd_head->data+fd->offset,
903 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
904 fd->flags |= FD_OVERLAPCONFLICT;
905 fd_head->flags |= FD_OVERLAPCONFLICT;
907 /* it was just an overlap, link it and return */
908 LINK_FRAG(fd_head,fd);
914 /* If we have reached this point, the packet is not defragmented yet.
915 * Save all payload in a buffer until we can defragment.
916 * XXX - what if we didn't capture the entire fragment due
917 * to a too-short snapshot length?
919 fd->data = (unsigned char *)g_malloc(fd->len);
920 tvb_memcpy(tvb, fd->data, offset, fd->len);
921 LINK_FRAG(fd_head,fd);
924 if( !(fd_head->flags & FD_DATALEN_SET) ){
925 /* if we dont know the datalen, there are still missing
926 * packets. Cheaper than the check below.
933 * Check if we have received the entire fragment.
934 * This is easy since the list is sorted and the head is faked.
936 * First, we compute the amount of contiguous data that's
937 * available. (The check for fd_i->offset <= max rules out
938 * fragments that don't start before or at the end of the
939 * previous fragment, i.e. fragments that have a gap between
940 * them and the previous fragment.)
943 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
944 if ( ((fd_i->offset)<=max) &&
945 ((fd_i->offset+fd_i->len)>max) ){
946 max = fd_i->offset+fd_i->len;
950 if (max < (fd_head->datalen)) {
952 * The amount of contiguous data we have is less than the
953 * amount of data we're trying to reassemble, so we haven't
954 * received all packets yet.
960 if (max > (fd_head->datalen)) {
961 /*XXX not sure if current fd was the TOOLONG*/
962 /*XXX is it fair to flag current fd*/
963 /* oops, too long fragment detected */
964 fd->flags |= FD_TOOLONGFRAGMENT;
965 fd_head->flags |= FD_TOOLONGFRAGMENT;
968 /* we have received an entire packet, defragment it and
971 /* store old data just in case */
972 old_data=fd_head->data;
973 fd_head->data = (unsigned char *)g_malloc(max);
975 /* add all data fragments */
976 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
978 /* dfpos is always >= than fd_i->offset */
979 /* No gaps can exist here, max_loop(above) does this */
980 /* XXX - true? Can we get fd_i->offset+fd-i->len */
981 /* overflowing, for example? */
982 /* Actually: there is at least one pathological case wherein there can be fragments
983 * on the list which are for offsets greater than max (i.e.: following a gap after max).
984 * (Apparently a "DESEGMENT_UNTIL_FIN" was involved wherein the FIN packet had an offset
985 * less than the highest fragment offset seen. [Seen from a fuzz-test: bug #2470]).
986 * Note that the "overlap" compare must only be done for fragments with (offset+len) <= max
987 * and thus within the newly g_malloc'd buffer.
990 if ( fd_i->offset+fd_i->len > dfpos ) {
991 if (fd_i->offset+fd_i->len > max)
992 error = "offset + len > max";
993 else if (dfpos < fd_i->offset)
994 error = "dfpos < offset";
995 else if (dfpos-fd_i->offset > fd_i->len)
996 error = "dfpos - offset > len";
997 else if (!fd_head->data)
1000 if (fd_i->offset < dfpos) {
1001 fd_i->flags |= FD_OVERLAP;
1002 fd_head->flags |= FD_OVERLAP;
1003 if ( memcmp(fd_head->data+fd_i->offset,
1005 MIN(fd_i->len,(dfpos-fd_i->offset))
1007 fd_i->flags |= FD_OVERLAPCONFLICT;
1008 fd_head->flags |= FD_OVERLAPCONFLICT;
1011 memcpy(fd_head->data+dfpos,
1012 fd_i->data+(dfpos-fd_i->offset),
1013 fd_i->len-(dfpos-fd_i->offset));
1016 if (fd_i->offset + fd_i->len < fd_i->offset) { /* Integer overflow? */
1017 error = "offset + len < offset";
1020 if( fd_i->flags & FD_NOT_MALLOCED )
1021 fd_i->flags &= ~FD_NOT_MALLOCED;
1026 dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
1031 /* mark this packet as defragmented.
1032 allows us to skip any trailing fragments */
1033 fd_head->flags |= FD_DEFRAGMENTED;
1034 fd_head->reassembled_in=pinfo->fd->num;
1036 /* we don't throw until here to avoid leaking old_data and others */
1038 THROW_MESSAGE(ReassemblyError, error);
1044 static fragment_data *
1045 fragment_add_common(reassembly_table *table, tvbuff_t *tvb, const int offset,
1046 const packet_info *pinfo, const guint32 id,
1047 const void *data, const guint32 frag_offset,
1048 const guint32 frag_data_len, const gboolean more_frags,
1049 const gboolean check_already_added)
1051 fragment_data *fd_head;
1052 fragment_data *fd_item;
1053 gboolean already_added=pinfo->fd->flags.visited;
1056 /* dissector shouldn't give us garbage tvb info */
1057 DISSECTOR_ASSERT(tvb_bytes_exist(tvb, offset, frag_data_len));
1059 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
1062 /* debug output of associated fragments. */
1063 /* leave it here for future debugging sessions */
1064 if(strcmp(pinfo->current_proto, "DCERPC") == 0) {
1065 printf("proto:%s num:%u id:%u offset:%u len:%u more:%u visited:%u\n",
1066 pinfo->current_proto, pinfo->fd->num, id, frag_offset, frag_data_len, more_frags, pinfo->fd->flags.visited);
1067 if(fd_head != NULL) {
1068 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
1069 printf("fd_frame:%u fd_offset:%u len:%u datalen:%u\n",
1070 fd_item->frame, fd_item->offset, fd_item->len, fd_item->datalen);
1077 * "already_added" is true if "pinfo->fd->flags.visited" is true;
1078 * if "pinfo->fd->flags.visited", this isn't the first pass, so
1079 * we've already done all the reassembly and added all the
1082 * If it's not true, but "check_already_added" is true, just check
1083 * if we have seen this fragment before, i.e., if we have already
1084 * added it to reassembly.
1085 * That can be true even if "pinfo->fd->flags.visited" is false
1086 * since we sometimes might call a subdissector multiple times.
1087 * As an additional check, just make sure we have not already added
1088 * this frame to the reassembly list, if there is a reassembly list;
1089 * note that the first item in the reassembly list is not a
1090 * fragment, it's a data structure for the reassembled packet.
1091 * We don't check it because its "frame" member isn't initialized
1092 * to anything, and because it doesn't count in any case.
1094 * And as another additional check, make sure the fragment offsets are
1095 * the same, as otherwise we get into trouble if multiple fragments
1098 if (!already_added && check_already_added && fd_head != NULL) {
1099 if (pinfo->fd->num <= fd_head->frame) {
1100 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
1101 if(pinfo->fd->num==fd_item->frame && frag_offset==fd_item->offset){
1107 /* have we already added this frame ?*/
1108 if (already_added) {
1109 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1117 /* not found, this must be the first snooped fragment for this
1118 * packet. Create list-head.
1120 fd_head = new_head(0);
1123 * Insert it into the hash table.
1125 insert_fd_head(table, fd_head, pinfo, id, data);
1128 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1129 frag_data_len, more_frags)) {
1131 * Reassembly is complete.
1136 * Reassembly isn't complete.
1143 fragment_add(reassembly_table *table, tvbuff_t *tvb, const int offset,
1144 const packet_info *pinfo, const guint32 id, const void *data,
1145 const guint32 frag_offset, const guint32 frag_data_len,
1146 const gboolean more_frags)
1148 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1149 frag_offset, frag_data_len, more_frags, TRUE);
1153 * For use when you can have multiple fragments in the same frame added
1154 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
1157 fragment_add_multiple_ok(reassembly_table *table, tvbuff_t *tvb,
1158 const int offset, const packet_info *pinfo,
1159 const guint32 id, const void *data,
1160 const guint32 frag_offset,
1161 const guint32 frag_data_len, const gboolean more_frags)
1163 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1164 frag_offset, frag_data_len, more_frags, FALSE);
1168 fragment_add_check(reassembly_table *table, tvbuff_t *tvb, const int offset,
1169 const packet_info *pinfo, const guint32 id,
1170 const void *data, const guint32 frag_offset,
1171 const guint32 frag_data_len, const gboolean more_frags)
1173 reassembled_key reass_key;
1174 fragment_data *fd_head;
1178 * If this isn't the first pass, look for this frame in the table
1179 * of reassembled packets.
1181 if (pinfo->fd->flags.visited) {
1182 reass_key.frame = pinfo->fd->num;
1184 return (fragment_data *)g_hash_table_lookup(table->reassembled_table, &reass_key);
1187 /* Looks up a key in the GHashTable, returning the original key and the associated value
1188 * and a gboolean which is TRUE if the key was found. This is useful if you need to free
1189 * the memory allocated for the original key, for example before calling g_hash_table_remove()
1191 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
1192 if (fd_head == NULL) {
1193 /* not found, this must be the first snooped fragment for this
1194 * packet. Create list-head.
1196 fd_head = new_head(0);
1199 * Save the key, for unhashing it later.
1201 orig_key = insert_fd_head(table, fd_head, pinfo, id, data);
1205 * If this is a short frame, then we can't, and don't, do
1206 * reassembly on it. We just give up.
1208 if (tvb_reported_length(tvb) > tvb_length(tvb))
1211 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1212 frag_data_len, more_frags)) {
1214 * Reassembly is complete.
1215 * Remove this from the table of in-progress
1216 * reassemblies, add it to the table of
1217 * reassembled packets, and return it.
1221 * Remove this from the table of in-progress reassemblies,
1222 * and free up any memory used for it in that table.
1224 fragment_unhash(table, orig_key);
1227 * Add this item to the table of reassembled packets.
1229 fragment_reassembled(table, fd_head, pinfo, id);
1233 * Reassembly isn't complete.
1240 fragment_defragment_and_free (fragment_data *fd_head, const packet_info *pinfo)
1242 fragment_data *fd_i = NULL;
1243 fragment_data *last_fd = NULL;
1244 guint32 dfpos = 0, size = 0;
1245 void *old_data = NULL;
1247 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1248 if(!last_fd || last_fd->offset!=fd_i->offset){
1254 /* store old data in case the fd_i->data pointers refer to it */
1255 old_data=fd_head->data;
1256 fd_head->data = (unsigned char *)g_malloc(size);
1257 fd_head->len = size; /* record size for caller */
1259 /* add all data fragments */
1261 for (fd_i=fd_head->next; fd_i; fd_i=fd_i->next) {
1263 if(!last_fd || last_fd->offset != fd_i->offset) {
1264 /* First fragment or in-sequence fragment */
1265 memcpy(fd_head->data+dfpos, fd_i->data, fd_i->len);
1268 /* duplicate/retransmission/overlap */
1269 fd_i->flags |= FD_OVERLAP;
1270 fd_head->flags |= FD_OVERLAP;
1271 if(last_fd->len != fd_i->len
1272 || memcmp(last_fd->data, fd_i->data, last_fd->len) ) {
1273 fd_i->flags |= FD_OVERLAPCONFLICT;
1274 fd_head->flags |= FD_OVERLAPCONFLICT;
1281 /* we have defragmented the pdu, now free all fragments*/
1282 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1283 if( fd_i->flags & FD_NOT_MALLOCED )
1284 fd_i->flags &= ~FD_NOT_MALLOCED;
1291 /* mark this packet as defragmented.
1292 * allows us to skip any trailing fragments.
1294 fd_head->flags |= FD_DEFRAGMENTED;
1295 fd_head->reassembled_in=pinfo->fd->num;
1299 * This function adds a new fragment to the entry for a reassembly
1302 * The list of fragments for a specific datagram is kept sorted for
1305 * Returns TRUE if we have all the fragments, FALSE otherwise.
1307 * This function assumes frag_number being a block sequence number.
1308 * The bsn for the first block is 0.
1311 fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, const int offset,
1312 const packet_info *pinfo, const guint32 frag_number,
1313 const guint32 frag_data_len, const gboolean more_frags)
1316 fragment_data *fd_i;
1317 fragment_data *last_fd;
1320 /* if the partial reassembly flag has been set, and we are extending
1321 * the pdu, un-reassemble the pdu. This means pointing old fds to malloc'ed data.
1323 if(fd_head->flags & FD_DEFRAGMENTED && frag_number >= fd_head->datalen &&
1324 fd_head->flags & FD_PARTIAL_REASSEMBLY){
1325 guint32 lastdfpos = 0;
1327 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
1329 if( fd_i->flags & FD_OVERLAP ) {
1330 /* this is a duplicate of the previous
1332 fd_i->data = fd_head->data + lastdfpos;
1334 fd_i->data = fd_head->data + dfpos;
1338 fd_i->flags |= FD_NOT_MALLOCED;
1340 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1342 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
1343 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1345 fd_head->reassembled_in=0;
1349 /* create new fd describing this fragment */
1350 fd = g_slice_new(fragment_data);
1353 fd->frame = pinfo->fd->num;
1354 fd->offset = frag_number;
1355 fd->len = frag_data_len;
1360 * This is the tail fragment in the sequence.
1362 if (fd_head->flags&FD_DATALEN_SET) {
1363 /* ok we have already seen other tails for this packet
1364 * it might be a duplicate.
1366 if (fd_head->datalen != fd->offset ){
1367 /* Oops, this tail indicates a different packet
1368 * len than the previous ones. Something's wrong.
1370 fd->flags |= FD_MULTIPLETAILS;
1371 fd_head->flags |= FD_MULTIPLETAILS;
1374 /* this was the first tail fragment, now we know the
1375 * sequence number of that fragment (which is NOT
1376 * the length of the packet!)
1378 fd_head->datalen = fd->offset;
1379 fd_head->flags |= FD_DATALEN_SET;
1383 /* If the packet is already defragmented, this MUST be an overlap.
1384 * The entire defragmented packet is in fd_head->data
1385 * Even if we have previously defragmented this packet, we still check
1386 * check it. Someone might play overlap and TTL games.
1388 if (fd_head->flags & FD_DEFRAGMENTED) {
1389 fd->flags |= FD_OVERLAP;
1390 fd_head->flags |= FD_OVERLAP;
1392 /* make sure it's not past the end */
1393 if (fd->offset > fd_head->datalen) {
1394 /* new fragment comes after the end */
1395 fd->flags |= FD_TOOLONGFRAGMENT;
1396 fd_head->flags |= FD_TOOLONGFRAGMENT;
1397 LINK_FRAG(fd_head,fd);
1400 /* make sure it doesn't conflict with previous data */
1403 for (fd_i=fd_head->next;fd_i && (fd_i->offset!=fd->offset);fd_i=fd_i->next) {
1404 if (!last_fd || last_fd->offset!=fd_i->offset){
1410 /* new fragment overlaps existing fragment */
1411 if(fd_i->len!=fd->len){
1413 * They have different lengths; this
1414 * is definitely a conflict.
1416 fd->flags |= FD_OVERLAPCONFLICT;
1417 fd_head->flags |= FD_OVERLAPCONFLICT;
1418 LINK_FRAG(fd_head,fd);
1421 DISSECTOR_ASSERT(fd_head->len >= dfpos + fd->len);
1422 if ( memcmp(fd_head->data+dfpos,
1423 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1425 * They have the same length, but the
1426 * data isn't the same.
1428 fd->flags |= FD_OVERLAPCONFLICT;
1429 fd_head->flags |= FD_OVERLAPCONFLICT;
1430 LINK_FRAG(fd_head,fd);
1433 /* it was just an overlap, link it and return */
1434 LINK_FRAG(fd_head,fd);
1438 * New fragment doesn't overlap an existing
1439 * fragment - there was presumably a gap in
1440 * the sequence number space.
1442 * XXX - what should we do here? Is it always
1443 * the case that there are no gaps, or are there
1444 * protcols using sequence numbers where there
1447 * If the former, the check below for having
1448 * received all the fragments should check for
1449 * holes in the sequence number space and for the
1450 * first sequence number being 0. If we do that,
1451 * the only way we can get here is if this fragment
1452 * is past the end of the sequence number space -
1453 * but the check for "fd->offset > fd_head->datalen"
1454 * would have caught that above, so it can't happen.
1456 * If the latter, we don't have a good way of
1457 * knowing whether reassembly is complete if we
1458 * get packet out of order such that the "last"
1459 * fragment doesn't show up last - but, unless
1460 * in-order reliable delivery of fragments is
1461 * guaranteed, an implementation of the protocol
1462 * has no way of knowing whether reassembly is
1465 * For now, we just link the fragment in and
1468 LINK_FRAG(fd_head,fd);
1473 /* If we have reached this point, the packet is not defragmented yet.
1474 * Save all payload in a buffer until we can defragment.
1475 * XXX - what if we didn't capture the entire fragment due
1476 * to a too-short snapshot length?
1478 /* check len, there may be a fragment with 0 len, that is actually the tail */
1480 fd->data = (unsigned char *)g_malloc(fd->len);
1481 tvb_memcpy(tvb, fd->data, offset, fd->len);
1483 LINK_FRAG(fd_head,fd);
1486 if( !(fd_head->flags & FD_DATALEN_SET) ){
1487 /* if we dont know the sequence number of the last fragment,
1488 * there are definitely still missing packets. Cheaper than
1495 /* check if we have received the entire fragment
1496 * this is easy since the list is sorted and the head is faked.
1497 * common case the whole list is scanned.
1500 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1501 if ( fd_i->offset==max ){
1505 /* max will now be datalen+1 if all fragments have been seen */
1507 if (max <= fd_head->datalen) {
1508 /* we have not received all packets yet */
1513 if (max > (fd_head->datalen+1)) {
1514 /* oops, too long fragment detected */
1515 fd->flags |= FD_TOOLONGFRAGMENT;
1516 fd_head->flags |= FD_TOOLONGFRAGMENT;
1520 /* we have received an entire packet, defragment it and
1521 * free all fragments
1523 fragment_defragment_and_free(fd_head, pinfo);
1529 * This function adds a new fragment to the fragment hash table.
1530 * If this is the first fragment seen for this datagram, a new entry
1531 * is created in the hash table, otherwise this fragment is just added
1532 * to the linked list of fragments for this packet.
1534 * Returns a pointer to the head of the fragment data list if we have all the
1535 * fragments, NULL otherwise.
1537 * This function assumes frag_number being a block sequence number.
1538 * The bsn for the first block is 0.
1540 static fragment_data *
1541 fragment_add_seq_common(reassembly_table *table, tvbuff_t *tvb,
1542 const int offset, const packet_info *pinfo,
1543 const guint32 id, const void *data,
1544 guint32 frag_number, const guint32 frag_data_len,
1545 const gboolean more_frags, const guint32 flags,
1546 gpointer *orig_keyp)
1548 fragment_data *fd_head;
1551 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
1553 /* have we already seen this frame ?*/
1554 if (pinfo->fd->flags.visited) {
1555 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1556 if (orig_keyp != NULL)
1557 *orig_keyp = orig_key;
1565 /* not found, this must be the first snooped fragment for this
1566 * packet. Create list-head.
1568 fd_head= new_head(FD_BLOCKSEQUENCE);
1570 if((flags & (REASSEMBLE_FLAGS_NO_FRAG_NUMBER|REASSEMBLE_FLAGS_802_11_HACK))
1573 * This is the last fragment for this packet, and
1574 * is the only one we've seen.
1576 * Either we don't have sequence numbers, in which
1577 * case we assume this is the first fragment for
1578 * this packet, or we're doing special 802.11
1579 * processing, in which case we assume it's one
1580 * of those reassembled packets with a non-zero
1581 * fragment number (see packet-80211.c); just
1582 * return a pointer to the head of the list;
1583 * fragment_add_seq_check will then add it to the table
1584 * of reassembled packets.
1586 if (*orig_keyp != NULL)
1588 fd_head->reassembled_in=pinfo->fd->num;
1592 orig_key = insert_fd_head(table, fd_head, pinfo, id, data);
1593 if (orig_keyp != NULL)
1594 *orig_keyp = orig_key;
1597 * If we weren't given an initial fragment number,
1600 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER)
1603 if (orig_keyp != NULL)
1604 *orig_keyp = orig_key;
1606 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER) {
1609 * If we weren't given an initial fragment number,
1610 * use the next expected fragment number as the fragment
1611 * number for this fragment.
1613 for (fd = fd_head; fd != NULL; fd = fd->next) {
1614 if (fd->next == NULL)
1615 frag_number = fd->offset + 1;
1621 * XXX I've copied this over from the old separate
1622 * fragment_add_seq_check_work, but I'm not convinced it's doing the
1623 * right thing -- rav
1625 * If we don't have all the data that is in this fragment,
1626 * then we can't, and don't, do reassembly on it.
1628 * If it's the first frame, handle it as an unfragmented packet.
1629 * Otherwise, just handle it as a fragment.
1631 * If "more_frags" isn't set, we get rid of the entry in the
1632 * hash table for this reassembly, as we don't need it any more.
1634 if ((flags & REASSEMBLE_FLAGS_CHECK_DATA_PRESENT) &&
1635 !tvb_bytes_exist(tvb, offset, frag_data_len)) {
1638 * Remove this from the table of in-progress
1639 * reassemblies, and free up any memory used for
1642 fragment_unhash(table, *orig_keyp);
1644 fd_head -> flags |= FD_DATA_NOT_PRESENT;
1645 return frag_number == 0 ? fd_head : NULL;
1648 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1649 frag_number, frag_data_len, more_frags)) {
1651 * Reassembly is complete.
1656 * Reassembly isn't complete.
1663 fragment_add_seq(reassembly_table *table, tvbuff_t *tvb, const int offset,
1664 const packet_info *pinfo, const guint32 id, const void *data,
1665 const guint32 frag_number, const guint32 frag_data_len,
1666 const gboolean more_frags, const guint32 flags)
1668 return fragment_add_seq_common(table, tvb, offset, pinfo, id, data,
1669 frag_number, frag_data_len,
1670 more_frags, flags, NULL);
1674 * This does the work for "fragment_add_seq_check()" and
1675 * "fragment_add_seq_next()".
1677 * This function assumes frag_number being a block sequence number.
1678 * The bsn for the first block is 0.
1680 * If "no_frag_number" is TRUE, it uses the next expected fragment number
1681 * as the fragment number if there is a reassembly in progress, otherwise
1684 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
1685 * the fragment number.
1687 * If this is the first fragment seen for this datagram, a new
1688 * "fragment_data" structure is allocated to refer to the reassembled
1691 * This fragment is added to the linked list of fragments for this packet.
1693 * If "more_frags" is false and REASSEMBLE_FLAGS_802_11_HACK (as the name
1694 * implies, a special hack for 802.11) or REASSEMBLE_FLAGS_NO_FRAG_NUMBER
1695 * (implying messages must be in order since there's no sequence number) are
1696 * set in "flags", then this (one element) list is returned.
1698 * If, after processing this fragment, we have all the fragments,
1699 * "fragment_add_seq_check_work()" removes that from the fragment hash
1700 * table if necessary and adds it to the table of reassembled fragments,
1701 * and returns a pointer to the head of the fragment list.
1703 * Otherwise, it returns NULL.
1705 * XXX - Should we simply return NULL for zero-length fragments?
1707 static fragment_data *
1708 fragment_add_seq_check_work(reassembly_table *table, tvbuff_t *tvb,
1709 const int offset, const packet_info *pinfo,
1710 const guint32 id, const void *data,
1711 const guint32 frag_number,
1712 const guint32 frag_data_len,
1713 const gboolean more_frags, const guint32 flags)
1715 reassembled_key reass_key;
1716 fragment_data *fd_head;
1720 * Have we already seen this frame?
1721 * If so, look for it in the table of reassembled packets.
1723 if (pinfo->fd->flags.visited) {
1724 reass_key.frame = pinfo->fd->num;
1726 return (fragment_data *)g_hash_table_lookup(table->reassembled_table, &reass_key);
1729 fd_head = fragment_add_seq_common(table, tvb, offset, pinfo, id, data,
1730 frag_number, frag_data_len,
1732 flags|REASSEMBLE_FLAGS_CHECK_DATA_PRESENT,
1735 if(fd_head->flags & FD_DATA_NOT_PRESENT) {
1736 /* this is the first fragment of a datagram with
1737 * truncated fragments. Don't move it to the
1738 * reassembled table. */
1743 * Reassembly is complete.
1745 * If this is in the table of in-progress reassemblies,
1746 * remove it from that table. (It could be that this
1747 * was the first and last fragment, so that no
1748 * reassembly was done.)
1750 if (orig_key != NULL)
1751 fragment_unhash(table, orig_key);
1754 * Add this item to the table of reassembled packets.
1756 fragment_reassembled(table, fd_head, pinfo, id);
1760 * Reassembly isn't complete.
1767 fragment_add_seq_check(reassembly_table *table, tvbuff_t *tvb, const int offset,
1768 const packet_info *pinfo, const guint32 id,
1770 const guint32 frag_number, const guint32 frag_data_len,
1771 const gboolean more_frags)
1773 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
1774 frag_number, frag_data_len,
1779 fragment_add_seq_802_11(reassembly_table *table, tvbuff_t *tvb,
1780 const int offset, const packet_info *pinfo,
1781 const guint32 id, const void *data,
1782 const guint32 frag_number, const guint32 frag_data_len,
1783 const gboolean more_frags)
1785 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
1786 frag_number, frag_data_len,
1788 REASSEMBLE_FLAGS_802_11_HACK);
1792 fragment_add_seq_next(reassembly_table *table, tvbuff_t *tvb, const int offset,
1793 const packet_info *pinfo, const guint32 id,
1794 const void *data, const guint32 frag_data_len,
1795 const gboolean more_frags)
1797 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
1798 0, frag_data_len, more_frags,
1799 REASSEMBLE_FLAGS_NO_FRAG_NUMBER);
1803 fragment_start_seq_check(reassembly_table *table, const packet_info *pinfo,
1804 const guint32 id, const void *data,
1805 const guint32 tot_len)
1807 fragment_data *fd_head;
1809 /* Have we already seen this frame ?*/
1810 if (pinfo->fd->flags.visited) {
1814 /* Check if fragment data exists */
1815 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
1817 if (fd_head == NULL) {
1818 /* Create list-head. */
1819 fd_head = g_slice_new(fragment_data);
1820 fd_head->next = NULL;
1821 fd_head->datalen = tot_len;
1822 fd_head->offset = 0;
1824 fd_head->flags = FD_BLOCKSEQUENCE|FD_DATALEN_SET;
1825 fd_head->data = NULL;
1826 fd_head->reassembled_in = 0;
1828 insert_fd_head(table, fd_head, pinfo, id, data);
1833 fragment_end_seq_next(reassembly_table *table, const packet_info *pinfo,
1834 const guint32 id, const void *data)
1836 reassembled_key reass_key;
1837 reassembled_key *new_key;
1838 fragment_data *fd_head;
1842 * Have we already seen this frame?
1843 * If so, look for it in the table of reassembled packets.
1845 if (pinfo->fd->flags.visited) {
1846 reass_key.frame = pinfo->fd->num;
1848 return (fragment_data *)g_hash_table_lookup(table->reassembled_table, &reass_key);
1851 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
1854 if (fd_head->flags & FD_DATA_NOT_PRESENT) {
1859 fd_head->datalen = fd_head->offset;
1860 fd_head->flags |= FD_DATALEN_SET;
1862 fragment_defragment_and_free (fd_head, pinfo);
1865 * Remove this from the table of in-progress reassemblies,
1866 * and free up any memory used for it in that table.
1868 fragment_unhash(table, orig_key);
1871 * Add this item to the table of reassembled packets.
1873 fragment_reassembled(table, fd_head, pinfo, id);
1874 if (fd_head->next != NULL) {
1875 new_key = g_slice_new(reassembled_key);
1876 new_key->frame = pinfo->fd->num;
1878 g_hash_table_insert(table->reassembled_table, new_key, fd_head);
1884 * Fragment data not found.
1891 * Process reassembled data; if we're on the frame in which the data
1892 * was reassembled, put the fragment information into the protocol
1893 * tree, and construct a tvbuff with the reassembled data, otherwise
1894 * just put a "reassembled in" item into the protocol tree.
1897 process_reassembled_data(tvbuff_t *tvb, const int offset, packet_info *pinfo,
1898 const char *name, fragment_data *fd_head, const fragment_items *fit,
1899 gboolean *update_col_infop, proto_tree *tree)
1902 gboolean update_col_info;
1903 proto_item *frag_tree_item;
1905 if (fd_head != NULL && pinfo->fd->num == fd_head->reassembled_in) {
1907 * OK, we've reassembled this.
1908 * Is this something that's been reassembled from more
1909 * than one fragment?
1911 if (fd_head->next != NULL) {
1914 * Allocate a new tvbuff, referring to the
1915 * reassembled payload.
1917 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1918 next_tvb = tvb_new_real_data(fd_head->data,
1919 fd_head->len, fd_head->len);
1921 next_tvb = tvb_new_real_data(fd_head->data,
1922 fd_head->datalen, fd_head->datalen);
1926 * Add the tvbuff to the list of tvbuffs to which
1927 * the tvbuff we were handed refers, so it'll get
1928 * cleaned up when that tvbuff is cleaned up.
1930 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1932 /* Add the defragmented data to the data source list. */
1933 add_new_data_source(pinfo, next_tvb, name);
1935 /* show all fragments */
1936 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1937 update_col_info = !show_fragment_seq_tree(
1938 fd_head, fit, tree, pinfo, next_tvb, &frag_tree_item);
1940 update_col_info = !show_fragment_tree(fd_head,
1941 fit, tree, pinfo, next_tvb, &frag_tree_item);
1946 * Return a tvbuff with the payload.
1948 next_tvb = tvb_new_subset_remaining(tvb, offset);
1949 pinfo->fragmented = FALSE; /* one-fragment packet */
1950 update_col_info = TRUE;
1952 if (update_col_infop != NULL)
1953 *update_col_infop = update_col_info;
1956 * We don't have the complete reassembled payload, or this
1957 * isn't the final frame of that payload.
1962 * If we know what frame this was reassembled in,
1963 * and if there's a field to use for the number of
1964 * the frame in which the packet was reassembled,
1965 * add it to the protocol tree.
1967 if (fd_head != NULL && fit->hf_reassembled_in != NULL) {
1968 proto_tree_add_uint(tree,
1969 *(fit->hf_reassembled_in), tvb,
1970 0, 0, fd_head->reassembled_in);
1977 * Show a single fragment in a fragment subtree, and put information about
1978 * it in the top-level item for that subtree.
1981 show_fragment(fragment_data *fd, const int offset, const fragment_items *fit,
1982 proto_tree *ft, proto_item *fi, const gboolean first_frag,
1983 const guint32 count, tvbuff_t *tvb, packet_info *pinfo)
1985 proto_item *fei=NULL;
1991 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragment)));
1993 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragments)));
1995 proto_item_set_text(fi, "%u %s (%u byte%s): ", count, name, tvb_length(tvb),
1996 plurality(tvb_length(tvb), "", "s"));
1999 proto_item_append_text(fi, ", ");
2001 proto_item_append_text(fi, "#%u(%u)", fd->frame, fd->len);
2003 if (fd->flags & (FD_OVERLAPCONFLICT
2004 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2005 hf = *(fit->hf_fragment_error);
2007 hf = *(fit->hf_fragment);
2010 fei = proto_tree_add_uint_format(ft, hf,
2011 tvb, offset, fd->len,
2013 "Frame: %u (no data)",
2016 fei = proto_tree_add_uint_format(ft, hf,
2017 tvb, offset, fd->len,
2019 "Frame: %u, payload: %u-%u (%u byte%s)",
2024 plurality(fd->len, "", "s"));
2026 PROTO_ITEM_SET_GENERATED(fei);
2027 mark_frame_as_depended_upon(pinfo, fd->frame);
2028 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
2029 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2030 /* this fragment has some flags set, create a subtree
2031 * for it and display the flags.
2033 proto_tree *fet=NULL;
2035 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
2036 if (fd->flags&FD_OVERLAP) {
2037 fei=proto_tree_add_boolean(fet,
2038 *(fit->hf_fragment_overlap),
2041 PROTO_ITEM_SET_GENERATED(fei);
2043 if (fd->flags&FD_OVERLAPCONFLICT) {
2044 fei=proto_tree_add_boolean(fet,
2045 *(fit->hf_fragment_overlap_conflict),
2048 PROTO_ITEM_SET_GENERATED(fei);
2050 if (fd->flags&FD_MULTIPLETAILS) {
2051 fei=proto_tree_add_boolean(fet,
2052 *(fit->hf_fragment_multiple_tails),
2055 PROTO_ITEM_SET_GENERATED(fei);
2057 if (fd->flags&FD_TOOLONGFRAGMENT) {
2058 fei=proto_tree_add_boolean(fet,
2059 *(fit->hf_fragment_too_long_fragment),
2062 PROTO_ITEM_SET_GENERATED(fei);
2068 show_fragment_errs_in_col(fragment_data *fd_head, const fragment_items *fit,
2071 if (fd_head->flags & (FD_OVERLAPCONFLICT
2072 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2073 if (check_col(pinfo->cinfo, COL_INFO)) {
2074 col_add_fstr(pinfo->cinfo, COL_INFO,
2075 "[Illegal %s]", fit->tag);
2083 /* This function will build the fragment subtree; it's for fragments
2084 reassembled with "fragment_add()".
2086 It will return TRUE if there were fragmentation errors
2087 or FALSE if fragmentation was ok.
2090 show_fragment_tree(fragment_data *fd_head, const fragment_items *fit,
2091 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2095 gboolean first_frag;
2097 /* It's not fragmented. */
2098 pinfo->fragmented = FALSE;
2100 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA);
2101 PROTO_ITEM_SET_GENERATED(*fi);
2103 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2105 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2108 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2109 show_fragment(fd, fd->offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
2113 if (fit->hf_fragment_count) {
2114 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2116 PROTO_ITEM_SET_GENERATED(fli);
2119 if (fit->hf_reassembled_length) {
2120 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2121 tvb, 0, 0, tvb_length (tvb));
2122 PROTO_ITEM_SET_GENERATED(fli);
2125 if (fit->hf_reassembled_data) {
2126 proto_item *fli = proto_tree_add_item(ft, *(fit->hf_reassembled_data),
2127 tvb, 0, tvb_length(tvb), ENC_NA);
2128 PROTO_ITEM_SET_GENERATED(fli);
2131 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2134 /* This function will build the fragment subtree; it's for fragments
2135 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
2137 It will return TRUE if there were fragmentation errors
2138 or FALSE if fragmentation was ok.
2141 show_fragment_seq_tree(fragment_data *fd_head, const fragment_items *fit,
2142 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2144 guint32 offset, next_offset, count = 0;
2145 fragment_data *fd, *last_fd;
2147 gboolean first_frag;
2149 /* It's not fragmented. */
2150 pinfo->fragmented = FALSE;
2152 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA);
2153 PROTO_ITEM_SET_GENERATED(*fi);
2155 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2160 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2163 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2164 if (last_fd == NULL || last_fd->offset != fd->offset) {
2165 offset = next_offset;
2166 next_offset += fd->len;
2169 show_fragment(fd, offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
2173 if (fit->hf_fragment_count) {
2174 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2176 PROTO_ITEM_SET_GENERATED(fli);
2179 if (fit->hf_reassembled_length) {
2180 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2181 tvb, 0, 0, tvb_length (tvb));
2182 PROTO_ITEM_SET_GENERATED(fli);
2185 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2189 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2194 * indent-tabs-mode: t
2197 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2198 * :indentSize=8:tabSize=8:noTabs=false: