2 * Routines for {fragment,segment} reassembly
4 * $Id: reassemble.c,v 1.38 2003/04/30 22:13:05 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
33 #include "reassemble.h"
36 typedef struct _fragment_key {
42 static GMemChunk *fragment_key_chunk = NULL;
43 static GMemChunk *fragment_data_chunk = NULL;
44 static int fragment_init_count = 200;
46 #define LINK_FRAG(fd_head,fd) \
47 { fragment_data *fd_i; \
48 /* add fragment to list, keep list sorted */ \
49 for(fd_i=(fd_head);fd_i->next;fd_i=fd_i->next){ \
50 if( ((fd)->offset) < (fd_i->next->offset) ) \
53 (fd)->next=fd_i->next; \
58 fragment_equal(gconstpointer k1, gconstpointer k2)
60 const fragment_key* key1 = (const fragment_key*) k1;
61 const fragment_key* key2 = (const fragment_key*) k2;
63 /*key.id is the first item to compare since item is most
64 likely to differ between sessions, thus shortcircuiting
65 the comparasion of addresses.
67 return ( ( (key1->id == key2->id) &&
68 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
69 (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
75 fragment_hash(gconstpointer k)
77 const fragment_key* key = (const fragment_key*) k;
85 /* More than likely: in most captures src and dst addresses are the
86 same, and would hash the same.
87 We only use id as the hash as an optimization.
89 for (i = 0; i < key->src.len; i++)
90 hash_val += key->src.data[i];
91 for (i = 0; i < key->dst.len; i++)
92 hash_val += key->dst.data[i];
101 * XXX - we use the frame number as the key (we can't use the frame_data
102 * structure, as in Tethereal there's only one such structure).
104 * This won't work if there's more than one form of reassembly using
105 * the reassembled-packet hash tables going on in the frame, and two
106 * or more are using the same protocol and thus the same hash table.
108 * We could use the addresses, or the reassembly ID, to distinguish
109 * between the reassemblies, if necessary.
111 * Hopefully, we won't see anything perverse such as that (say, some
112 * form of IP-in-IP tunneling, with fragments of an IP datagram
113 * tunneled inside IP datagrams that are themselves fragmented).
116 reassembled_equal(gconstpointer k1, gconstpointer k2)
118 return ((guint32)k1 == (guint32)k2);
122 reassembled_hash(gconstpointer k)
128 * For a fragment hash table entry, free the address data to which the key
129 * refers and the fragment data to which the value refers.
130 * (The actual key and value structures get freed by "reassemble_init()".)
133 free_all_fragments(gpointer key_arg, gpointer value, gpointer user_data _U_)
135 fragment_key *key = key_arg;
136 fragment_data *fd_head;
139 * Grr. I guess the theory here is that freeing
140 * something sure as heck modifies it, so you
141 * want to ban attempts to free it, but, alas,
142 * if we make the "data" field of an "address"
143 * structure not a "const", the compiler whines if
144 * we try to make it point into the data for a packet,
145 * as that's a "const" array (and should be, as dissectors
146 * shouldn't trash it).
148 * So we cast the complaint into oblivion, and rely on
149 * the fact that these addresses are known to have had
150 * their data mallocated, i.e. they don't point into,
151 * say, the middle of the data for a packet.
153 g_free((gpointer)key->src.data);
154 g_free((gpointer)key->dst.data);
156 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
157 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
158 g_free(fd_head->data);
165 * For a reassembled-packet hash table entry, free the fragment data
166 * to which the value refers.
167 * (The actual value structures get freed by "reassemble_init()".)
170 free_all_reassembled_fragments(gpointer key_arg _U_, gpointer value,
171 gpointer user_data _U_)
173 fragment_data *fd_head;
175 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
176 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED)) {
177 g_free(fd_head->data);
180 * A reassembled packet is inserted into the
181 * hash table once for every frame that made
182 * up the reassembled packet; clear the data
183 * pointer so that we only free the data the
184 * first time we see it.
186 fd_head->data = NULL;
194 * Initialize a fragment table.
197 fragment_table_init(GHashTable **fragment_table)
199 if (*fragment_table != NULL) {
201 * The fragment hash table exists.
203 * Remove all entries and free fragment data for
204 * each entry. (The key and value data is freed
205 * by "reassemble_init()".)
207 g_hash_table_foreach_remove(*fragment_table,
208 free_all_fragments, NULL);
210 /* The fragment table does not exist. Create it */
211 *fragment_table = g_hash_table_new(fragment_hash,
217 * Initialize a reassembled-packet table.
220 reassembled_table_init(GHashTable **reassembled_table)
222 if (*reassembled_table != NULL) {
224 * The reassembled-packet hash table exists.
226 * Remove all entries and free fragment data for
227 * each entry. (The key and value data is freed
228 * by "reassemble_init()".)
230 g_hash_table_foreach_remove(*reassembled_table,
231 free_all_reassembled_fragments, NULL);
233 /* The fragment table does not exist. Create it */
234 *reassembled_table = g_hash_table_new(reassembled_hash,
240 * Free up all space allocated for fragment keys and data.
243 reassemble_init(void)
245 if (fragment_key_chunk != NULL)
246 g_mem_chunk_destroy(fragment_key_chunk);
247 if (fragment_data_chunk != NULL)
248 g_mem_chunk_destroy(fragment_data_chunk);
249 fragment_key_chunk = g_mem_chunk_new("fragment_key_chunk",
250 sizeof(fragment_key),
251 fragment_init_count * sizeof(fragment_key),
253 fragment_data_chunk = g_mem_chunk_new("fragment_data_chunk",
254 sizeof(fragment_data),
255 fragment_init_count * sizeof(fragment_data),
260 /* This function cleans up the stored state and removes the reassembly data and
261 * (with one exception) all allocated memory for matching reassembly.
264 * If the PDU was already completely reassembled, then the buffer containing the
265 * reassembled data WILL NOT be free()d, and the pointer to that buffer will be
267 * Othervise the function will return NULL.
269 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to
270 * g_free() that buffer.
273 fragment_delete(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
275 fragment_data *fd_head, *fd;
277 unsigned char *data=NULL;
279 /* create key to search hash with */
280 key.src = pinfo->src;
281 key.dst = pinfo->dst;
284 fd_head = g_hash_table_lookup(fragment_table, &key);
287 /* We do not recognize this as a PDU we have seen before. return*/
292 /* loop over all partial fragments and free any buffers */
293 for(fd=fd_head->next;fd;){
294 fragment_data *tmp_fd;
297 if( !(fd->flags&FD_NOT_MALLOCED) )
299 g_mem_chunk_free(fragment_data_chunk, fd);
302 g_mem_chunk_free(fragment_data_chunk, fd_head);
303 g_hash_table_remove(fragment_table, &key);
308 /* This function is used to check if there is partial or completed reassembly state
309 * matching this packet. I.e. Are there reassembly going on or not for this packet?
312 fragment_get(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
314 fragment_data *fd_head;
317 /* create key to search hash with */
318 key.src = pinfo->src;
319 key.dst = pinfo->dst;
322 fd_head = g_hash_table_lookup(fragment_table, &key);
327 /* This function can be used to explicitely set the total length (if known)
328 * for reassembly of a PDU.
329 * This is useful for reassembly of PDUs where one may have the total length specified
330 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
331 * is the last fragment.
333 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
334 * and just tell the reassembly engine the expected total length of the reassembled data
335 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
337 * note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
338 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
339 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
342 fragment_set_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table,
345 fragment_data *fd_head;
348 /* create key to search hash with */
349 key.src = pinfo->src;
350 key.dst = pinfo->dst;
353 fd_head = g_hash_table_lookup(fragment_table, &key);
356 fd_head->datalen = tot_len;
363 fragment_get_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
365 fragment_data *fd_head;
368 /* create key to search hash with */
369 key.src = pinfo->src;
370 key.dst = pinfo->dst;
373 fd_head = g_hash_table_lookup(fragment_table, &key);
376 return fd_head->datalen;
383 /* This function will set the partial reassembly flag for a fh.
384 When this function is called, the fh MUST already exist, i.e.
385 the fh MUST be created by the initial call to fragment_add() before
386 this function is called.
387 Also note that this function MUST be called to indicate a fh will be
388 extended (increase the already stored data)
392 fragment_set_partial_reassembly(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
394 fragment_data *fd_head;
397 /* create key to search hash with */
398 key.src = pinfo->src;
399 key.dst = pinfo->dst;
402 fd_head = g_hash_table_lookup(fragment_table, &key);
405 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
410 * This function gets rid of an entry from a fragment table, given
411 * a pointer to the key for that entry; it also frees up the key
412 * and the addresses in it.
415 fragment_unhash(GHashTable *fragment_table, fragment_key *key)
418 * Free up the copies of the addresses from the old key.
420 g_free((gpointer)key->src.data);
421 g_free((gpointer)key->dst.data);
424 * Remove the entry from the fragment table.
426 g_hash_table_remove(fragment_table, key);
429 * Free the key itself.
431 g_mem_chunk_free(fragment_key_chunk, key);
435 * This function adds fragment_data structure to a reassembled-packet
436 * hash table, using the frame numbers of each of the frames from
437 * which it was reassembled as keys, and sets the "reassembled_in"
441 fragment_reassembled(fragment_data *fd_head, packet_info *pinfo,
442 GHashTable *reassembled_table)
446 if (fd_head->next == NULL) {
448 * This was not fragmented, so there's no fragment
449 * table; just hash it using the current frame number.
451 g_hash_table_insert(reassembled_table, (gpointer)pinfo->fd->num,
455 * Hash it with the frame numbers for all the frames.
457 for (fd = fd_head->next; fd != NULL; fd = fd->next){
458 g_hash_table_insert(reassembled_table,
459 (gpointer)fd->frame, fd_head);
462 fd_head->reassembled_in = pinfo->fd->num;
466 * This function adds a new fragment to the fragment hash table.
467 * If this is the first fragment seen for this datagram, a new entry
468 * is created in the hash table, otherwise this fragment is just added
469 * to the linked list of fragments for this packet.
470 * The list of fragments for a specific datagram is kept sorted for
473 * Returns a pointer to the head of the fragment data list if we have all the
474 * fragments, NULL otherwise.
476 * This function assumes frag_offset being a byte offset into the defragment
480 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
481 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
482 * using fragment_set_partial_reassembly() before calling fragment_add
483 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
484 * are lowered when a new extension process is started.
487 fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
488 packet_info *pinfo, guint32 frag_offset,
489 guint32 frag_data_len, gboolean more_frags)
494 unsigned char *old_data;
496 /* create new fd describing this fragment */
497 fd = g_mem_chunk_alloc(fragment_data_chunk);
500 fd->frame = pinfo->fd->num;
501 fd->offset = frag_offset;
502 fd->len = frag_data_len;
506 * If it was already defragmented and this new fragment goes beyond
507 * data limits, set flag in already empty fds & point old fds to malloc'ed data.
509 if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen &&
510 fd_head->flags & FD_PARTIAL_REASSEMBLY){
511 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
513 fd_i->data = fd_head->data + fd_i->offset;
514 fd_i->flags |= FD_NOT_MALLOCED;
516 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
518 fd_head->flags ^= FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY;
519 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
525 * This is the tail fragment in the sequence.
527 if (fd_head->datalen) {
528 /* ok we have already seen other tails for this packet
529 * it might be a duplicate.
531 if (fd_head->datalen != (fd->offset + fd->len) ){
532 /* Oops, this tail indicates a different packet
533 * len than the previous ones. Somethings wrong
535 fd->flags |= FD_MULTIPLETAILS;
536 fd_head->flags |= FD_MULTIPLETAILS;
539 /* this was the first tail fragment, now we know the
540 * length of the packet
542 fd_head->datalen = fd->offset + fd->len;
549 /* If the packet is already defragmented, this MUST be an overlap.
550 * The entire defragmented packet is in fd_head->data
551 * Even if we have previously defragmented this packet, we still check
552 * check it. Someone might play overlap and TTL games.
554 if (fd_head->flags & FD_DEFRAGMENTED) {
555 fd->flags |= FD_OVERLAP;
556 fd_head->flags |= FD_OVERLAP;
557 /* make sure its not too long */
558 if (fd->offset + fd->len > fd_head->datalen) {
559 fd->flags |= FD_TOOLONGFRAGMENT;
560 fd_head->flags |= FD_TOOLONGFRAGMENT;
561 LINK_FRAG(fd_head,fd);
564 /* make sure it doesnt conflict with previous data */
565 if ( memcmp(fd_head->data+fd->offset,
566 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
567 fd->flags |= FD_OVERLAPCONFLICT;
568 fd_head->flags |= FD_OVERLAPCONFLICT;
569 LINK_FRAG(fd_head,fd);
572 /* it was just an overlap, link it and return */
573 LINK_FRAG(fd_head,fd);
579 /* If we have reached this point, the packet is not defragmented yet.
580 * Save all payload in a buffer until we can defragment.
581 * XXX - what if we didn't capture the entire fragment due
582 * to a too-short snapshot length?
584 fd->data = g_malloc(fd->len);
585 tvb_memcpy(tvb, fd->data, offset, fd->len);
586 LINK_FRAG(fd_head,fd);
589 if( !(fd_head->datalen) ){
590 /* if we dont know the datalen, there are still missing
591 * packets. Cheaper than the check below.
597 /* check if we have received the entire fragment
598 * this is easy since the list is sorted and the head is faked.
601 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
602 if ( ((fd_i->offset)<=max) &&
603 ((fd_i->offset+fd_i->len)>max) ){
604 max = fd_i->offset+fd_i->len;
608 if (max < (fd_head->datalen)) {
609 /* we have not received all packets yet */
614 if (max > (fd_head->datalen)) {
615 /*XXX not sure if current fd was the TOOLONG*/
616 /*XXX is it fair to flag current fd*/
617 /* oops, too long fragment detected */
618 fd->flags |= FD_TOOLONGFRAGMENT;
619 fd_head->flags |= FD_TOOLONGFRAGMENT;
623 /* we have received an entire packet, defragment it and
626 /* store old data just in case */
627 old_data=fd_head->data;
628 fd_head->data = g_malloc(max);
630 /* add all data fragments */
631 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
633 if (fd_i->offset < dfpos) {
634 fd_i->flags |= FD_OVERLAP;
635 fd_head->flags |= FD_OVERLAP;
636 if ( memcmp(fd_head->data+fd_i->offset,
638 MIN(fd_i->len,(dfpos-fd_i->offset))
640 fd_i->flags |= FD_OVERLAPCONFLICT;
641 fd_head->flags |= FD_OVERLAPCONFLICT;
644 /* dfpos is always >= than fd_i->offset */
645 /* No gaps can exist here, max_loop(above) does this */
646 if( fd_i->offset+fd_i->len > dfpos )
647 memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
648 fd_i->len-(dfpos-fd_i->offset));
649 if( fd_i->flags & FD_NOT_MALLOCED )
650 fd_i->flags ^= FD_NOT_MALLOCED;
655 dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
661 /* mark this packet as defragmented.
662 allows us to skip any trailing fragments */
663 fd_head->flags |= FD_DEFRAGMENTED;
664 fd_head->reassembled_in=pinfo->fd->num;
670 fragment_add_common(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
671 GHashTable *fragment_table, guint32 frag_offset,
672 guint32 frag_data_len, gboolean more_frags,
673 gboolean check_already_added)
675 fragment_key key, *new_key;
676 fragment_data *fd_head;
677 fragment_data *fd_item;
678 gboolean already_added=pinfo->fd->flags.visited;
680 /* create key to search hash with */
681 key.src = pinfo->src;
682 key.dst = pinfo->dst;
685 fd_head = g_hash_table_lookup(fragment_table, &key);
688 * "already_added" is true if "pinfo->fd->flags.visited" is true;
689 * if "pinfo->fd->flags.visited", this isn't the first pass, so
690 * we've already done all the reassembly and added all the
693 * If it's not true, but "check_already_added" is true, just check
694 * if we have seen this fragment before, i.e., if we have already
695 * added it to reassembly.
696 * That can be true even if "pinfo->fd->flags.visited" is false
697 * since we sometimes might call a subdissector multiple times.
698 * As an additional check, just make sure we have not already added
699 * this frame to the reassembly list, if there is a reassembly list;
700 * note that the first item in the reassembly list is not a
701 * fragment, it's a data structure for the reassembled packet.
702 * We don't check it because its "frame" member isn't initialized
703 * to anything, and because it doesn't count in any case.
705 if (!already_added && check_already_added && fd_head != NULL) {
706 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
707 if(pinfo->fd->num==fd_item->frame){
712 /* have we already added this frame ?*/
714 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
722 /* not found, this must be the first snooped fragment for this
723 * packet. Create list-head.
725 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
727 /* head/first structure in list only holds no other data than
728 * 'datalen' then we don't have to change the head of the list
729 * even if we want to keep it sorted
737 fd_head->reassembled_in=0;
740 * We're going to use the key to insert the fragment,
741 * so allocate a structure for it, and copy the
742 * addresses, allocating new buffers for the address
745 new_key = g_mem_chunk_alloc(fragment_key_chunk);
746 COPY_ADDRESS(&new_key->src, &key.src);
747 COPY_ADDRESS(&new_key->dst, &key.dst);
748 new_key->id = key.id;
749 g_hash_table_insert(fragment_table, new_key, fd_head);
752 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
753 frag_data_len, more_frags)) {
755 * Reassembly is complete.
760 * Reassembly isn't complete.
767 fragment_add(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
768 GHashTable *fragment_table, guint32 frag_offset,
769 guint32 frag_data_len, gboolean more_frags)
771 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
772 frag_offset, frag_data_len, more_frags, TRUE);
776 * For use when you can have multiple fragments in the same frame added
777 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
780 fragment_add_multiple_ok(tvbuff_t *tvb, int offset, packet_info *pinfo,
781 guint32 id, GHashTable *fragment_table,
782 guint32 frag_offset, guint32 frag_data_len,
785 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
786 frag_offset, frag_data_len, more_frags, FALSE);
790 fragment_add_check(tvbuff_t *tvb, int offset, packet_info *pinfo,
791 guint32 id, GHashTable *fragment_table,
792 GHashTable *reassembled_table, guint32 frag_offset,
793 guint32 frag_data_len, gboolean more_frags)
795 fragment_key key, *new_key, *old_key;
796 gpointer orig_key, value;
797 fragment_data *fd_head;
800 * If this isn't the first pass, look for this frame in the table
801 * of reassembled packets.
803 if (pinfo->fd->flags.visited)
804 return g_hash_table_lookup(reassembled_table,
805 (gpointer)pinfo->fd->num);
807 /* create key to search hash with */
808 key.src = pinfo->src;
809 key.dst = pinfo->dst;
812 if (!g_hash_table_lookup_extended(fragment_table, &key,
813 &orig_key, &value)) {
814 /* not found, this must be the first snooped fragment for this
815 * packet. Create list-head.
817 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
819 /* head/first structure in list only holds no other data than
820 * 'datalen' then we don't have to change the head of the list
821 * even if we want to keep it sorted
829 fd_head->reassembled_in=0;
832 * We're going to use the key to insert the fragment,
833 * so allocate a structure for it, and copy the
834 * addresses, allocating new buffers for the address
837 new_key = g_mem_chunk_alloc(fragment_key_chunk);
838 COPY_ADDRESS(&new_key->src, &key.src);
839 COPY_ADDRESS(&new_key->dst, &key.dst);
840 new_key->id = key.id;
841 g_hash_table_insert(fragment_table, new_key, fd_head);
843 orig_key = new_key; /* for unhashing it later */
852 * If this is a short frame, then we can't, and don't, do
853 * reassembly on it. We just give up.
855 if (tvb_reported_length(tvb) > tvb_length(tvb))
858 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
859 frag_data_len, more_frags)) {
861 * Reassembly is complete.
862 * Remove this from the table of in-progress
863 * reassemblies, add it to the table of
864 * reassembled packets, and return it.
868 * Remove this from the table of in-progress reassemblies,
869 * and free up any memory used for it in that table.
872 fragment_unhash(fragment_table, old_key);
875 * Add this item to the table of reassembled packets.
877 fragment_reassembled(fd_head, pinfo, reassembled_table);
881 * Reassembly isn't complete.
888 * This function adds a new fragment to the entry for a reassembly
891 * The list of fragments for a specific datagram is kept sorted for
894 * Returns TRUE if we have all the fragments, FALSE otherwise.
896 * This function assumes frag_number being a block sequence number.
897 * The bsn for the first block is 0.
900 fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
901 packet_info *pinfo, guint32 frag_number,
902 guint32 frag_data_len, gboolean more_frags)
906 fragment_data *last_fd;
907 guint32 max, dfpos, size;
909 /* create new fd describing this fragment */
910 fd = g_mem_chunk_alloc(fragment_data_chunk);
913 fd->frame = pinfo->fd->num;
914 fd->offset = frag_number;
915 fd->len = frag_data_len;
920 * This is the tail fragment in the sequence.
922 if (fd_head->datalen) {
923 /* ok we have already seen other tails for this packet
924 * it might be a duplicate.
926 if (fd_head->datalen != fd->offset ){
927 /* Oops, this tail indicates a different packet
928 * len than the previous ones. Somethings wrong
930 fd->flags |= FD_MULTIPLETAILS;
931 fd_head->flags |= FD_MULTIPLETAILS;
934 /* this was the first tail fragment, now we know the
935 * sequence number of that fragment (which is NOT
936 * the length of the packet!)
938 fd_head->datalen = fd->offset;
942 /* If the packet is already defragmented, this MUST be an overlap.
943 * The entire defragmented packet is in fd_head->data
944 * Even if we have previously defragmented this packet, we still check
945 * check it. Someone might play overlap and TTL games.
947 if (fd_head->flags & FD_DEFRAGMENTED) {
948 fd->flags |= FD_OVERLAP;
949 fd_head->flags |= FD_OVERLAP;
951 /* make sure it's not past the end */
952 if (fd->offset > fd_head->datalen) {
953 /* new fragment comes after the end */
954 fd->flags |= FD_TOOLONGFRAGMENT;
955 fd_head->flags |= FD_TOOLONGFRAGMENT;
956 LINK_FRAG(fd_head,fd);
959 /* make sure it doesnt conflict with previous data */
962 for (fd_i=fd_head->next;fd_i->offset!=fd->offset;fd_i=fd_i->next) {
963 if (!last_fd || last_fd->offset!=fd_i->offset){
969 /* new fragment overlaps existing fragment */
970 if(fd_i->len!=fd->len){
972 * They have different lengths; this
973 * is definitely a conflict.
975 fd->flags |= FD_OVERLAPCONFLICT;
976 fd_head->flags |= FD_OVERLAPCONFLICT;
977 LINK_FRAG(fd_head,fd);
980 g_assert(fd_head->len >= dfpos + fd->len);
981 if ( memcmp(fd_head->data+dfpos,
982 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
984 * They have the same length, but the
985 * data isn't the same.
987 fd->flags |= FD_OVERLAPCONFLICT;
988 fd_head->flags |= FD_OVERLAPCONFLICT;
989 LINK_FRAG(fd_head,fd);
992 /* it was just an overlap, link it and return */
993 LINK_FRAG(fd_head,fd);
997 * New fragment doesn't overlap an existing
998 * fragment - there was presumably a gap in
999 * the sequence number space.
1001 * XXX - what should we do here? Is it always
1002 * the case that there are no gaps, or are there
1003 * protcols using sequence numbers where there
1006 * If the former, the check below for having
1007 * received all the fragments should check for
1008 * holes in the sequence number space and for the
1009 * first sequence number being 0. If we do that,
1010 * the only way we can get here is if this fragment
1011 * is past the end of the sequence number space -
1012 * but the check for "fd->offset > fd_head->datalen"
1013 * would have caught that above, so it can't happen.
1015 * If the latter, we don't have a good way of
1016 * knowing whether reassembly is complete if we
1017 * get packet out of order such that the "last"
1018 * fragment doesn't show up last - but, unless
1019 * in-order reliable delivery of fragments is
1020 * guaranteed, an implementation of the protocol
1021 * has no way of knowing whether reassembly is
1024 * For now, we just link the fragment in and
1027 LINK_FRAG(fd_head,fd);
1032 /* If we have reached this point, the packet is not defragmented yet.
1033 * Save all payload in a buffer until we can defragment.
1034 * XXX - what if we didn't capture the entire fragment due
1035 * to a too-short snapshot length?
1037 fd->data = g_malloc(fd->len);
1038 tvb_memcpy(tvb, fd->data, offset, fd->len);
1039 LINK_FRAG(fd_head,fd);
1042 if( !(fd_head->datalen) ){
1043 /* if we dont know the sequence number of the last fragment,
1044 * there are definitely still missing packets. Cheaper than
1051 /* check if we have received the entire fragment
1052 * this is easy since the list is sorted and the head is faked.
1055 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1056 if ( fd_i->offset==max ){
1060 /* max will now be datalen+1 if all fragments have been seen */
1062 if (max <= fd_head->datalen) {
1063 /* we have not received all packets yet */
1068 if (max > (fd_head->datalen+1)) {
1069 /* oops, too long fragment detected */
1070 fd->flags |= FD_TOOLONGFRAGMENT;
1071 fd_head->flags |= FD_TOOLONGFRAGMENT;
1075 /* we have received an entire packet, defragment it and
1076 * free all fragments
1080 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1081 if(!last_fd || last_fd->offset!=fd_i->offset){
1086 fd_head->data = g_malloc(size);
1087 fd_head->len = size; /* record size for caller */
1089 /* add all data fragments */
1091 for (dfpos=0,fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1093 if(!last_fd || last_fd->offset!=fd_i->offset){
1094 memcpy(fd_head->data+dfpos,fd_i->data,fd_i->len);
1097 /* duplicate/retransmission/overlap */
1098 fd_i->flags |= FD_OVERLAP;
1099 fd_head->flags |= FD_OVERLAP;
1100 if( (last_fd->len!=fd_i->datalen)
1101 || memcmp(last_fd->data, fd_i->data, last_fd->len) ){
1102 fd->flags |= FD_OVERLAPCONFLICT;
1103 fd_head->flags |= FD_OVERLAPCONFLICT;
1110 /* we have defragmented the pdu, now free all fragments*/
1111 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1118 /* mark this packet as defragmented.
1119 allows us to skip any trailing fragments */
1120 fd_head->flags |= FD_DEFRAGMENTED;
1121 fd_head->reassembled_in=pinfo->fd->num;
1127 * This function adds a new fragment to the fragment hash table.
1128 * If this is the first fragment seen for this datagram, a new entry
1129 * is created in the hash table, otherwise this fragment is just added
1130 * to the linked list of fragments for this packet.
1132 * Returns a pointer to the head of the fragment data list if we have all the
1133 * fragments, NULL otherwise.
1135 * This function assumes frag_number being a block sequence number.
1136 * The bsn for the first block is 0.
1139 fragment_add_seq(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
1140 GHashTable *fragment_table, guint32 frag_number,
1141 guint32 frag_data_len, gboolean more_frags)
1143 fragment_key key, *new_key;
1144 fragment_data *fd_head;
1146 /* create key to search hash with */
1147 key.src = pinfo->src;
1148 key.dst = pinfo->dst;
1151 fd_head = g_hash_table_lookup(fragment_table, &key);
1153 /* have we already seen this frame ?*/
1154 if (pinfo->fd->flags.visited) {
1155 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1163 /* not found, this must be the first snooped fragment for this
1164 * packet. Create list-head.
1166 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
1168 /* head/first structure in list only holds no other data than
1169 * 'datalen' then we don't have to change the head of the list
1170 * even if we want to keep it sorted
1176 fd_head->flags=FD_BLOCKSEQUENCE;
1178 fd_head->reassembled_in=0;
1181 * We're going to use the key to insert the fragment,
1182 * so allocate a structure for it, and copy the
1183 * addresses, allocating new buffers for the address
1186 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1187 COPY_ADDRESS(&new_key->src, &key.src);
1188 COPY_ADDRESS(&new_key->dst, &key.dst);
1189 new_key->id = key.id;
1190 g_hash_table_insert(fragment_table, new_key, fd_head);
1193 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1194 frag_number, frag_data_len, more_frags)) {
1196 * Reassembly is complete.
1201 * Reassembly isn't complete.
1208 * This does the work for "fragment_add_seq_check()" and
1209 * "fragment_add_seq_next()".
1211 * This function assumes frag_number being a block sequence number.
1212 * The bsn for the first block is 0.
1214 * If "no_frag_number" is TRUE, it uses the next expected fragment number
1215 * as the fragment number if there is a reassembly in progress, otherwise
1218 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
1219 * the fragment number.
1221 * If this is the first fragment seen for this datagram, a new
1222 * "fragment_data" structure is allocated to refer to the reassembled,
1225 * if "more_frags" is false, the structure is not added to
1226 * the hash table, and not given any fragments to refer to,
1227 * but is just returned;
1229 * if "more_frags" is true, this fragment is added to the linked
1230 * list of fragments for this packet, and the "fragment_data"
1231 * structure is put into the hash table.
1233 * Otherwise, this fragment is just added to the linked list of fragments
1236 * Returns a pointer to the head of the fragment data list, and removes
1237 * that from the fragment hash table if necessary and adds it to the
1238 * table of reassembled fragments, if we have all the fragments or if
1239 * this is the only fragment and "more_frags" is false, returns NULL
1243 fragment_add_seq_check_work(tvbuff_t *tvb, int offset, packet_info *pinfo,
1244 guint32 id, GHashTable *fragment_table,
1245 GHashTable *reassembled_table, guint32 frag_number,
1246 guint32 frag_data_len, gboolean more_frags,
1247 gboolean no_frag_number)
1249 fragment_key key, *new_key, *old_key;
1250 gpointer orig_key, value;
1251 fragment_data *fd_head, *fd;
1254 * Have we already seen this frame?
1255 * If so, look for it in the table of reassembled packets.
1257 if (pinfo->fd->flags.visited)
1258 return g_hash_table_lookup(reassembled_table,
1259 (gpointer)pinfo->fd->num);
1261 /* create key to search hash with */
1262 key.src = pinfo->src;
1263 key.dst = pinfo->dst;
1266 if (!g_hash_table_lookup_extended(fragment_table, &key,
1267 &orig_key, &value)) {
1268 /* not found, this must be the first snooped fragment for this
1269 * packet. Create list-head.
1271 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
1273 /* head/first structure in list only holds no other data than
1274 * 'datalen' then we don't have to change the head of the list
1275 * even if we want to keep it sorted
1281 fd_head->flags=FD_BLOCKSEQUENCE;
1283 fd_head->reassembled_in=0;
1287 * This is the last snooped fragment for this
1288 * packet as well; that means it's the only
1289 * fragment. Just add it to the table of
1290 * reassembled packets, and return it.
1292 fragment_reassembled(fd_head, pinfo,
1298 * We're going to use the key to insert the fragment,
1299 * so allocate a structure for it, and copy the
1300 * addresses, allocating new buffers for the address
1303 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1304 COPY_ADDRESS(&new_key->src, &key.src);
1305 COPY_ADDRESS(&new_key->dst, &key.dst);
1306 new_key->id = key.id;
1307 g_hash_table_insert(fragment_table, new_key, fd_head);
1309 orig_key = new_key; /* for unhashing it later */
1312 * If we weren't given an initial fragment number,
1324 * If we weren't given an initial fragment number,
1325 * use the next expected fragment number as the fragment
1326 * number for this fragment.
1328 if (no_frag_number) {
1329 for (fd = fd_head; fd != NULL; fd = fd->next) {
1330 if (fd->next == NULL)
1331 frag_number = fd->offset + 1;
1337 * If we don't have all the data that is in this fragment,
1338 * then we can't, and don't, do reassembly on it.
1340 * If it's the first frame, handle it as an unfragmented packet.
1341 * Otherwise, just handle it as a fragment.
1343 * If "more_frags" isn't set, we get rid of the entry in the
1344 * hash table for this reassembly, as we don't need it any more.
1346 if (!tvb_bytes_exist(tvb, offset, frag_data_len)) {
1349 * Remove this from the table of in-progress
1350 * reassemblies, and free up any memory used for
1354 fragment_unhash(fragment_table, old_key);
1356 return frag_number == 0 ? fd_head : NULL;
1359 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1360 frag_number, frag_data_len, more_frags)) {
1362 * Reassembly is complete.
1363 * Remove this from the table of in-progress
1364 * reassemblies, add it to the table of
1365 * reassembled packets, and return it.
1369 * Remove this from the table of in-progress reassemblies,
1370 * and free up any memory used for it in that table.
1373 fragment_unhash(fragment_table, old_key);
1376 * Add this item to the table of reassembled packets.
1378 fragment_reassembled(fd_head, pinfo, reassembled_table);
1382 * Reassembly isn't complete.
1389 fragment_add_seq_check(tvbuff_t *tvb, int offset, packet_info *pinfo,
1390 guint32 id, GHashTable *fragment_table,
1391 GHashTable *reassembled_table, guint32 frag_number,
1392 guint32 frag_data_len, gboolean more_frags)
1394 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1395 fragment_table, reassembled_table, frag_number, frag_data_len,
1400 fragment_add_seq_next(tvbuff_t *tvb, int offset, packet_info *pinfo,
1401 guint32 id, GHashTable *fragment_table,
1402 GHashTable *reassembled_table, guint32 frag_data_len,
1403 gboolean more_frags)
1405 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1406 fragment_table, reassembled_table, 0, frag_data_len,
1411 * Process reassembled data; if we're on the frame in which the data
1412 * was reassembled, put the fragment information into the protocol
1413 * tree, and construct a tvbuff with the reassembled data, otherwise
1414 * just put a "reassembled in" item into the protocol tree.
1417 process_reassembled_data(tvbuff_t *tvb, packet_info *pinfo, char *name,
1418 fragment_data *fd_head, const fragment_items *fit,
1419 gboolean *update_col_infop, proto_tree *tree)
1422 gboolean update_col_info;
1424 if (pinfo->fd->num == fd_head->reassembled_in) {
1426 * OK, we have the complete reassembled payload.
1427 * Allocate a new tvbuff, referring to the reassembled
1430 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1431 next_tvb = tvb_new_real_data(fd_head->data,
1432 fd_head->len, fd_head->len);
1434 next_tvb = tvb_new_real_data(fd_head->data,
1435 fd_head->datalen, fd_head->datalen);
1439 * Add the tvbuff to the list of tvbuffs to which
1440 * the tvbuff we were handed refers, so it'll get
1441 * cleaned up when that tvbuff is cleaned up.
1443 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1445 /* Add the defragmented data to the data source list. */
1446 add_new_data_source(pinfo, next_tvb, name);
1448 /* show all fragments */
1449 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1450 update_col_info = !show_fragment_seq_tree(fd_head,
1451 fit, tree, pinfo, next_tvb);
1453 update_col_info = !show_fragment_tree(fd_head,
1454 fit, tree, pinfo, next_tvb);
1456 if (update_col_infop != NULL)
1457 *update_col_infop = update_col_info;
1459 /* We don't have the complete reassembled payload. */
1463 * If there's a field to use for the number of
1464 * the frame in which the packet was reassembled,
1465 * add it to the protocol tree.
1467 if (fit->hf_reassembled_in != NULL) {
1468 proto_tree_add_uint(tree,
1469 *(fit->hf_reassembled_in), tvb,
1470 0, 0, fd_head->reassembled_in);
1477 * Show a single fragment in a fragment subtree.
1480 show_fragment(fragment_data *fd, int offset, const fragment_items *fit,
1481 proto_tree *ft, tvbuff_t *tvb)
1483 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
1484 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1485 /* this fragment has some flags set, create a subtree
1486 * for it and display the flags.
1488 proto_tree *fet=NULL;
1489 proto_item *fei=NULL;
1492 if (fd->flags & (FD_OVERLAPCONFLICT
1493 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1494 hf = *(fit->hf_fragment_error);
1496 hf = *(fit->hf_fragment);
1498 fei = proto_tree_add_uint_format(ft, hf,
1499 tvb, offset, fd->len,
1501 "Frame:%u payload:%u-%u",
1505 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
1506 if (fd->flags&FD_OVERLAP) {
1507 proto_tree_add_boolean(fet,
1508 *(fit->hf_fragment_overlap),
1512 if (fd->flags&FD_OVERLAPCONFLICT) {
1513 proto_tree_add_boolean(fet,
1514 *(fit->hf_fragment_overlap_conflict),
1518 if (fd->flags&FD_MULTIPLETAILS) {
1519 proto_tree_add_boolean(fet,
1520 *(fit->hf_fragment_multiple_tails),
1524 if (fd->flags&FD_TOOLONGFRAGMENT) {
1525 proto_tree_add_boolean(fet,
1526 *(fit->hf_fragment_too_long_fragment),
1531 /* nothing of interest for this fragment */
1532 proto_tree_add_uint_format(ft, *(fit->hf_fragment),
1533 tvb, offset, fd->len,
1535 "Frame:%u payload:%u-%u",
1544 show_fragment_errs_in_col(fragment_data *fd_head, const fragment_items *fit,
1547 if (fd_head->flags & (FD_OVERLAPCONFLICT
1548 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1549 if (check_col(pinfo->cinfo, COL_INFO)) {
1550 col_add_fstr(pinfo->cinfo, COL_INFO,
1551 "[Illegal %s]", fit->tag);
1559 /* This function will build the fragment subtree; it's for fragments
1560 reassembled with "fragment_add()".
1562 It will return TRUE if there were fragmentation errors
1563 or FALSE if fragmentation was ok.
1566 show_fragment_tree(fragment_data *fd_head, const fragment_items *fit,
1567 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
1573 /* It's not fragmented. */
1574 pinfo->fragmented = FALSE;
1576 fi = proto_tree_add_item(tree, *(fit->hf_fragments),
1578 ft = proto_item_add_subtree(fi, *(fit->ett_fragments));
1579 for (fd = fd_head->next; fd != NULL; fd = fd->next)
1580 show_fragment(fd, fd->offset, fit, ft, tvb);
1582 return show_fragment_errs_in_col(fd_head, fit, pinfo);
1585 /* This function will build the fragment subtree; it's for fragments
1586 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
1588 It will return TRUE if there were fragmentation errors
1589 or FALSE if fragmentation was ok.
1592 show_fragment_seq_tree(fragment_data *fd_head, const fragment_items *fit,
1593 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
1595 guint32 offset, next_offset;
1596 fragment_data *fd, *last_fd;
1600 /* It's not fragmented. */
1601 pinfo->fragmented = FALSE;
1603 fi = proto_tree_add_item(tree, *(fit->hf_fragments),
1605 ft = proto_item_add_subtree(fi, *(fit->ett_fragments));
1609 for (fd = fd_head->next; fd != NULL; fd = fd->next){
1610 if (last_fd == NULL || last_fd->offset != fd->offset) {
1611 offset = next_offset;
1612 next_offset += fd->len;
1615 show_fragment(fd, offset, fit, ft, tvb);
1618 return show_fragment_errs_in_col(fd_head, fit, pinfo);