2 * Routines for {fragment,segment} reassembly
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #include <epan/packet.h>
28 #include <epan/exceptions.h>
29 #include <epan/reassemble.h>
30 #include <epan/tvbuff-int.h>
32 #include <wsutil/str_util.h>
35 * Functions for reassembly tables where the endpoint addresses, and a
36 * fragment ID, are used as the key.
38 typedef struct _fragment_addresses_key {
42 } fragment_addresses_key;
45 fragment_addresses_hash(gconstpointer k)
47 const fragment_addresses_key* key = (const fragment_addresses_key*) k;
55 /* More than likely: in most captures src and dst addresses are the
56 same, and would hash the same.
57 We only use id as the hash as an optimization.
59 for (i = 0; i < key->src.len; i++)
60 hash_val += key->src.data[i];
61 for (i = 0; i < key->dst.len; i++)
62 hash_val += key->dst.data[i];
71 fragment_addresses_equal(gconstpointer k1, gconstpointer k2)
73 const fragment_addresses_key* key1 = (const fragment_addresses_key*) k1;
74 const fragment_addresses_key* key2 = (const fragment_addresses_key*) k2;
77 * key.id is the first item to compare since it's the item most
78 * likely to differ between sessions, thus short-circuiting
79 * the comparison of addresses.
81 return (key1->id == key2->id) &&
82 (addresses_equal(&key1->src, &key2->src)) &&
83 (addresses_equal(&key1->dst, &key2->dst));
87 * Create a fragment key for temporary use; it can point to non-
88 * persistent data, and so must only be used to look up and
89 * delete entries, not to add them.
92 fragment_addresses_temporary_key(const packet_info *pinfo, const guint32 id,
95 fragment_addresses_key *key = g_slice_new(fragment_addresses_key);
98 * Do a shallow copy of the addresses.
100 key->src = pinfo->src;
101 key->dst = pinfo->dst;
104 return (gpointer)key;
108 * Create a fragment key for permanent use; it must point to persistent
109 * data, so that it can be used to add entries.
112 fragment_addresses_persistent_key(const packet_info *pinfo, const guint32 id,
113 const void *data _U_)
115 fragment_addresses_key *key = g_slice_new(fragment_addresses_key);
118 * Do a deep copy of the addresses.
120 copy_address(&key->src, &pinfo->src);
121 copy_address(&key->dst, &pinfo->dst);
124 return (gpointer)key;
128 fragment_addresses_free_temporary_key(gpointer ptr)
130 fragment_addresses_key *key = (fragment_addresses_key *)ptr;
133 g_slice_free(fragment_addresses_key, key);
137 fragment_addresses_free_persistent_key(gpointer ptr)
139 fragment_addresses_key *key = (fragment_addresses_key *)ptr;
143 * Free up the copies of the addresses from the old key.
145 g_free((gpointer)key->src.data);
146 g_free((gpointer)key->dst.data);
148 g_slice_free(fragment_addresses_key, key);
152 const reassembly_table_functions
153 addresses_reassembly_table_functions = {
154 fragment_addresses_hash,
155 fragment_addresses_equal,
156 fragment_addresses_temporary_key,
157 fragment_addresses_persistent_key,
158 fragment_addresses_free_temporary_key,
159 fragment_addresses_free_persistent_key
163 * Functions for reassembly tables where the endpoint addresses and ports,
164 * and a fragment ID, are used as the key.
166 typedef struct _fragment_addresses_ports_key {
172 } fragment_addresses_ports_key;
175 fragment_addresses_ports_hash(gconstpointer k)
177 const fragment_addresses_ports_key* key = (const fragment_addresses_ports_key*) k;
185 /* More than likely: in most captures src and dst addresses and ports
186 are the same, and would hash the same.
187 We only use id as the hash as an optimization.
189 for (i = 0; i < key->src.len; i++)
190 hash_val += key->src_addr.data[i];
191 for (i = 0; i < key->dst.len; i++)
192 hash_val += key->dst_addr.data[i];
193 hash_val += key->src_port;
194 hash_val += key->dst_port;
203 fragment_addresses_ports_equal(gconstpointer k1, gconstpointer k2)
205 const fragment_addresses_ports_key* key1 = (const fragment_addresses_ports_key*) k1;
206 const fragment_addresses_ports_key* key2 = (const fragment_addresses_ports_key*) k2;
209 * key.id is the first item to compare since it's the item most
210 * likely to differ between sessions, thus short-circuiting
211 * the comparison of addresses and ports.
213 return (key1->id == key2->id) &&
214 (addresses_equal(&key1->src_addr, &key2->src_addr)) &&
215 (addresses_equal(&key1->dst_addr, &key2->dst_addr)) &&
216 (key1->src_port == key2->src_port) &&
217 (key1->dst_port == key2->dst_port);
221 * Create a fragment key for temporary use; it can point to non-
222 * persistent data, and so must only be used to look up and
223 * delete entries, not to add them.
226 fragment_addresses_ports_temporary_key(const packet_info *pinfo, const guint32 id,
227 const void *data _U_)
229 fragment_addresses_ports_key *key = g_slice_new(fragment_addresses_ports_key);
232 * Do a shallow copy of the addresses.
234 key->src_addr = pinfo->src;
235 key->dst_addr = pinfo->dst;
236 key->src_port = pinfo->srcport;
237 key->dst_port = pinfo->destport;
240 return (gpointer)key;
244 * Create a fragment key for permanent use; it must point to persistent
245 * data, so that it can be used to add entries.
248 fragment_addresses_ports_persistent_key(const packet_info *pinfo,
249 const guint32 id, const void *data _U_)
251 fragment_addresses_ports_key *key = g_slice_new(fragment_addresses_ports_key);
254 * Do a deep copy of the addresses.
256 copy_address(&key->src_addr, &pinfo->src);
257 copy_address(&key->dst_addr, &pinfo->dst);
258 key->src_port = pinfo->srcport;
259 key->dst_port = pinfo->destport;
262 return (gpointer)key;
266 fragment_addresses_ports_free_temporary_key(gpointer ptr)
268 fragment_addresses_ports_key *key = (fragment_addresses_ports_key *)ptr;
271 g_slice_free(fragment_addresses_ports_key, key);
275 fragment_addresses_ports_free_persistent_key(gpointer ptr)
277 fragment_addresses_ports_key *key = (fragment_addresses_ports_key *)ptr;
281 * Free up the copies of the addresses from the old key.
283 g_free((gpointer)key->src_addr.data);
284 g_free((gpointer)key->dst_addr.data);
286 g_slice_free(fragment_addresses_ports_key, key);
290 const reassembly_table_functions
291 addresses_ports_reassembly_table_functions = {
292 fragment_addresses_ports_hash,
293 fragment_addresses_ports_equal,
294 fragment_addresses_ports_temporary_key,
295 fragment_addresses_ports_persistent_key,
296 fragment_addresses_ports_free_temporary_key,
297 fragment_addresses_ports_free_persistent_key
300 typedef struct _reassembled_key {
306 reassembled_equal(gconstpointer k1, gconstpointer k2)
308 const reassembled_key* key1 = (const reassembled_key*) k1;
309 const reassembled_key* key2 = (const reassembled_key*) k2;
312 * We assume that the frame numbers are unlikely to be equal,
313 * so we check them first.
315 return key1->frame == key2->frame && key1->id == key2->id;
319 reassembled_hash(gconstpointer k)
321 const reassembled_key* key = (const reassembled_key*) k;
327 reassembled_key_free(gpointer ptr)
329 g_slice_free(reassembled_key, (reassembled_key *)ptr);
333 * For a fragment hash table entry, free the associated fragments.
334 * The entry value (fd_chain) is freed herein and the entry is freed
335 * when the key freeing routine is called (as a consequence of returning
336 * TRUE from this function).
339 free_all_fragments(gpointer key_arg _U_, gpointer value, gpointer user_data _U_)
341 fragment_head *fd_head;
342 fragment_item *tmp_fd;
344 /* g_hash_table_new_full() was used to supply a function
345 * to free the key and anything to which it points
347 for (fd_head = (fragment_head *)value; fd_head != NULL; fd_head = tmp_fd) {
348 tmp_fd=fd_head->next;
350 if(fd_head->tvb_data && !(fd_head->flags&FD_SUBSET_TVB))
351 tvb_free(fd_head->tvb_data);
352 g_slice_free(fragment_item, fd_head);
358 /* ------------------------- */
359 static fragment_head *new_head(const guint32 flags)
361 fragment_head *fd_head;
362 /* If head/first structure in list only holds no other data than
363 * 'datalen' then we don't have to change the head of the list
364 * even if we want to keep it sorted
366 fd_head=g_slice_new0(fragment_head);
368 fd_head->flags=flags;
372 #define FD_VISITED_FREE 0xffff
375 * For a reassembled-packet hash table entry, free the fragment data
376 * to which the value refers and also the key itself.
379 free_all_reassembled_fragments(gpointer key_arg _U_, gpointer value,
382 GPtrArray *allocated_fragments = (GPtrArray *) user_data;
383 fragment_head *fd_head;
385 for (fd_head = (fragment_head *)value; fd_head != NULL; fd_head = fd_head->next) {
387 * A reassembled packet is inserted into the
388 * hash table once for every frame that made
389 * up the reassembled packet; add first seen
390 * fragments to array and later free them in
393 if (fd_head->flags != FD_VISITED_FREE) {
394 if (fd_head->flags & FD_SUBSET_TVB)
395 fd_head->tvb_data = NULL;
396 g_ptr_array_add(allocated_fragments, fd_head);
397 fd_head->flags = FD_VISITED_FREE;
405 free_fragments(gpointer data, gpointer user_data _U_)
407 fragment_item *fd_head = (fragment_item *) data;
409 if (fd_head->tvb_data)
410 tvb_free(fd_head->tvb_data);
411 g_slice_free(fragment_item, fd_head);
415 * Initialize a reassembly table, with specified functions.
418 reassembly_table_init(reassembly_table *table,
419 const reassembly_table_functions *funcs)
421 if (table->temporary_key_func == NULL)
422 table->temporary_key_func = funcs->temporary_key_func;
423 if (table->persistent_key_func == NULL)
424 table->persistent_key_func = funcs->persistent_key_func;
425 if (table->free_temporary_key_func == NULL)
426 table->free_temporary_key_func = funcs->free_temporary_key_func;
427 if (table->fragment_table != NULL) {
429 * The fragment hash table exists.
431 * Remove all entries and free fragment data for each entry.
433 * The keys, and anything to which they point, are freed by
434 * calling the table's key freeing function. The values
435 * are freed in free_all_fragments().
437 g_hash_table_foreach_remove(table->fragment_table,
438 free_all_fragments, NULL);
440 /* The fragment table does not exist. Create it */
441 table->fragment_table = g_hash_table_new_full(funcs->hash_func,
442 funcs->equal_func, funcs->free_persistent_key_func, NULL);
445 if (table->reassembled_table != NULL) {
446 GPtrArray *allocated_fragments;
449 * The reassembled-packet hash table exists.
451 * Remove all entries and free reassembled packet
452 * data and key for each entry.
455 allocated_fragments = g_ptr_array_new();
456 g_hash_table_foreach_remove(table->reassembled_table,
457 free_all_reassembled_fragments, allocated_fragments);
459 g_ptr_array_foreach(allocated_fragments, free_fragments, NULL);
460 g_ptr_array_free(allocated_fragments, TRUE);
462 /* The fragment table does not exist. Create it */
463 table->reassembled_table = g_hash_table_new_full(reassembled_hash,
464 reassembled_equal, reassembled_key_free, NULL);
469 * Destroy a reassembly table.
472 reassembly_table_destroy(reassembly_table *table)
475 * Clear the function pointers.
477 table->temporary_key_func = NULL;
478 table->persistent_key_func = NULL;
479 table->free_temporary_key_func = NULL;
480 if (table->fragment_table != NULL) {
482 * The fragment hash table exists.
484 * Remove all entries and free fragment data for each entry.
486 * The keys, and anything to which they point, are freed by
487 * calling the table's key freeing function. The values
488 * are freed in free_all_fragments().
490 g_hash_table_foreach_remove(table->fragment_table,
491 free_all_fragments, NULL);
494 * Now destroy the hash table.
496 g_hash_table_destroy(table->fragment_table);
497 table->fragment_table = NULL;
499 if (table->reassembled_table != NULL) {
500 GPtrArray *allocated_fragments;
503 * The reassembled-packet hash table exists.
505 * Remove all entries and free reassembled packet
506 * data and key for each entry.
509 allocated_fragments = g_ptr_array_new();
510 g_hash_table_foreach_remove(table->reassembled_table,
511 free_all_reassembled_fragments, allocated_fragments);
513 g_ptr_array_foreach(allocated_fragments, free_fragments, NULL);
514 g_ptr_array_free(allocated_fragments, TRUE);
517 * Now destroy the hash table.
519 g_hash_table_destroy(table->reassembled_table);
520 table->reassembled_table = NULL;
525 * Look up an fd_head in the fragment table, optionally returning the key
528 static fragment_head *
529 lookup_fd_head(reassembly_table *table, const packet_info *pinfo,
530 const guint32 id, const void *data, gpointer *orig_keyp)
535 /* Create key to search hash with */
536 key = table->temporary_key_func(pinfo, id, data);
539 * Look up the reassembly in the fragment table.
541 if (!g_hash_table_lookup_extended(table->fragment_table, key, orig_keyp,
545 table->free_temporary_key_func(key);
547 return (fragment_head *)value;
551 * Insert an fd_head into the fragment table, and return the key used.
554 insert_fd_head(reassembly_table *table, fragment_head *fd_head,
555 const packet_info *pinfo, const guint32 id, const void *data)
560 * We're going to use the key to insert the fragment,
561 * so make a persistent version of it.
563 key = table->persistent_key_func(pinfo, id, data);
564 g_hash_table_insert(table->fragment_table, key, fd_head);
568 /* This function cleans up the stored state and removes the reassembly data and
569 * (with one exception) all allocated memory for matching reassembly.
572 * If the PDU was already completely reassembled, then the tvbuff containing the
573 * reassembled data WILL NOT be free()d, and the pointer to that tvbuff will be
575 * Othervise the function will return NULL.
577 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible
578 * to tvb_free() that tvbuff.
581 fragment_delete(reassembly_table *table, const packet_info *pinfo,
582 const guint32 id, const void *data)
584 fragment_head *fd_head;
586 tvbuff_t *fd_tvb_data=NULL;
589 fd_head = lookup_fd_head(table, pinfo, id, data, &key);
591 /* We do not recognize this as a PDU we have seen before. return */
595 fd_tvb_data=fd_head->tvb_data;
596 /* loop over all partial fragments and free any tvbuffs */
597 for(fd=fd_head->next;fd;){
598 fragment_item *tmp_fd;
601 if (fd->tvb_data && !(fd->flags & FD_SUBSET_TVB))
602 tvb_free(fd->tvb_data);
603 g_slice_free(fragment_item, fd);
606 g_slice_free(fragment_head, fd_head);
607 g_hash_table_remove(table->fragment_table, key);
612 /* This function is used to check if there is partial or completed reassembly state
613 * matching this packet. I.e. Is there reassembly going on or not for this packet?
616 fragment_get(reassembly_table *table, const packet_info *pinfo,
617 const guint32 id, const void *data)
619 return lookup_fd_head(table, pinfo, id, data, NULL);
622 /* id *must* be the frame number for this to work! */
624 fragment_get_reassembled(reassembly_table *table, const guint32 id)
626 fragment_head *fd_head;
629 /* create key to search hash with */
632 fd_head = (fragment_head *)g_hash_table_lookup(table->reassembled_table, &key);
638 fragment_get_reassembled_id(reassembly_table *table, const packet_info *pinfo,
641 fragment_head *fd_head;
644 /* create key to search hash with */
645 key.frame = pinfo->num;
647 fd_head = (fragment_head *)g_hash_table_lookup(table->reassembled_table, &key);
652 /* To specify the offset for the fragment numbering, the first fragment is added with 0, and
653 * afterwards this offset is set. All additional calls to off_seq_check will calculate
654 * the number in sequence in regards to the offset */
656 fragment_add_seq_offset(reassembly_table *table, const packet_info *pinfo, const guint32 id,
657 const void *data, const guint32 fragment_offset)
659 fragment_head *fd_head;
661 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
665 /* Reseting the offset is not allowed */
666 if ( fd_head->fragment_nr_offset != 0 )
669 fd_head->fragment_nr_offset = fragment_offset;
672 /* This function can be used to explicitly set the total length (if known)
673 * for reassembly of a PDU.
674 * This is useful for reassembly of PDUs where one may have the total length specified
675 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
676 * is the last fragment.
678 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
679 * and just tell the reassembly engine the expected total length of the reassembled data
680 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
682 * Note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
683 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
684 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
687 fragment_set_tot_len(reassembly_table *table, const packet_info *pinfo,
688 const guint32 id, const void *data, const guint32 tot_len)
690 fragment_head *fd_head;
692 guint32 max_offset = 0;
694 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
698 /* If we're setting a block sequence number, verify that it
699 * doesn't conflict with values set by existing fragments.
700 * XXX - eliminate this check?
703 if (fd_head->flags & FD_BLOCKSEQUENCE) {
705 if (fd->offset > max_offset) {
706 max_offset = fd->offset;
707 if (max_offset > tot_len) {
708 fd_head->error = "Bad total reassembly block count";
709 THROW_MESSAGE(ReassemblyError, fd_head->error);
716 if (fd_head->flags & FD_DEFRAGMENTED) {
717 if (max_offset != tot_len) {
718 fd_head->error = "Defragmented complete but total length not satisfied";
719 THROW_MESSAGE(ReassemblyError, fd_head->error);
723 /* We got this far so the value is sane. */
724 fd_head->datalen = tot_len;
725 fd_head->flags |= FD_DATALEN_SET;
729 fragment_get_tot_len(reassembly_table *table, const packet_info *pinfo,
730 const guint32 id, const void *data)
732 fragment_head *fd_head;
734 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
737 return fd_head->datalen;
744 /* This function will set the partial reassembly flag for a fh.
745 When this function is called, the fh MUST already exist, i.e.
746 the fh MUST be created by the initial call to fragment_add() before
747 this function is called.
748 Also note that this function MUST be called to indicate a fh will be
749 extended (increase the already stored data)
753 fragment_set_partial_reassembly(reassembly_table *table,
754 const packet_info *pinfo, const guint32 id,
757 fragment_head *fd_head;
759 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
762 * XXX - why not do all the stuff done early in "fragment_add_work()",
763 * turning off FD_DEFRAGMENTED and pointing the fragments' data
764 * pointers to the appropriate part of the already-reassembled
765 * data, and clearing the data length and "reassembled in" frame
766 * number, here? We currently have a hack in the TCP dissector
767 * not to set the "reassembled in" value if the "partial reassembly"
768 * flag is set, so that in the first pass through the packets
769 * we don't falsely set a packet as reassembled in that packet
770 * if the dissector decided that even more reassembly was needed.
773 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
778 * This function gets rid of an entry from a fragment table, given
779 * a pointer to the key for that entry.
781 * The key freeing routine will be called by g_hash_table_remove().
784 fragment_unhash(reassembly_table *table, gpointer key)
787 * Remove the entry from the fragment table.
789 g_hash_table_remove(table->fragment_table, key);
793 * This function adds fragment_head structure to a reassembled-packet
794 * hash table, using the frame numbers of each of the frames from
795 * which it was reassembled as keys, and sets the "reassembled_in"
799 fragment_reassembled(reassembly_table *table, fragment_head *fd_head,
800 const packet_info *pinfo, const guint32 id)
802 reassembled_key *new_key;
805 if (fd_head->next == NULL) {
807 * This was not fragmented, so there's no fragment
808 * table; just hash it using the current frame number.
810 new_key = g_slice_new(reassembled_key);
811 new_key->frame = pinfo->num;
813 g_hash_table_insert(table->reassembled_table, new_key, fd_head);
816 * Hash it with the frame numbers for all the frames.
818 for (fd = fd_head->next; fd != NULL; fd = fd->next){
819 new_key = g_slice_new(reassembled_key);
820 new_key->frame = fd->frame;
822 g_hash_table_insert(table->reassembled_table, new_key,
826 fd_head->flags |= FD_DEFRAGMENTED;
827 fd_head->reassembled_in = pinfo->num;
828 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
832 LINK_FRAG(fragment_head *fd_head,fragment_item *fd)
836 /* add fragment to list, keep list sorted */
837 for(fd_i= fd_head; fd_i->next;fd_i=fd_i->next) {
838 if (fd->offset < fd_i->next->offset )
846 * This function adds a new fragment to the fragment hash table.
847 * If this is the first fragment seen for this datagram, a new entry
848 * is created in the hash table, otherwise this fragment is just added
849 * to the linked list of fragments for this packet.
850 * The list of fragments for a specific datagram is kept sorted for
853 * Returns a pointer to the head of the fragment data list if we have all the
854 * fragments, NULL otherwise.
856 * This function assumes frag_offset being a byte offset into the defragment
860 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
861 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
862 * using fragment_set_partial_reassembly() before calling fragment_add
863 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
864 * are lowered when a new extension process is started.
867 fragment_add_work(fragment_head *fd_head, tvbuff_t *tvb, const int offset,
868 const packet_info *pinfo, const guint32 frag_offset,
869 const guint32 frag_data_len, const gboolean more_frags)
873 guint32 max, dfpos, fraglen;
874 tvbuff_t *old_tvb_data;
877 /* create new fd describing this fragment */
878 fd = g_slice_new(fragment_item);
881 fd->frame = pinfo->num;
882 fd->offset = frag_offset;
883 fd->fragment_nr_offset = 0; /* will only be used with sequence */
884 fd->len = frag_data_len;
889 * Are we adding to an already-completed reassembly?
891 if (fd_head->flags & FD_DEFRAGMENTED) {
893 * Yes. Does this fragment go past the end of the results
894 * of that reassembly?
895 * XXX - shouldn't this be ">"? If frag_offset + frag_data_len
896 * == fd_head->datalen, this overlaps the end of the
897 * reassembly, but doesn't go past it, right?
899 if (frag_offset + frag_data_len >= fd_head->datalen) {
901 * Yes. Have we been requested to continue reassembly?
903 if (fd_head->flags & FD_PARTIAL_REASSEMBLY) {
905 * Yes. Set flag in already empty fds &
906 * point old fds to malloc'ed data.
908 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
909 if( !fd_i->tvb_data ) {
910 fd_i->tvb_data = tvb_new_subset_remaining(fd_head->tvb_data, fd_i->offset);
911 fd_i->flags |= FD_SUBSET_TVB;
913 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
915 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
916 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
918 fd_head->reassembled_in=0;
919 fd_head->reas_in_layer_num = 0;
922 * No. Bail out since we have no idea what to
923 * do with this fragment (and if we keep going
924 * we'll run past the end of a buffer sooner
927 g_slice_free(fragment_item, fd);
930 * This is an attempt to add a fragment to a
931 * reassembly that had already completed.
932 * If it had no error, we don't want to
933 * mark it with an error, and if it had an
934 * error, we don't want to overwrite it, so
935 * we don't set fd_head->error.
937 if (frag_offset >= fd_head->datalen) {
939 * The fragment starts past the end
940 * of the reassembled data.
942 THROW_MESSAGE(ReassemblyError, "New fragment past old data limits");
945 * The fragment starts before the end
946 * of the reassembled data, but
947 * runs past the end. That could
948 * just be a retransmission.
950 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)");
955 * No. That means it still overlaps that, so report
956 * this as a problem, possibly a retransmission.
958 g_slice_free(fragment_item, fd);
959 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)");
963 /* Do this after we may have bailed out (above) so that we don't leave
964 * fd_head->frame in a bad state if we do */
965 if (fd->frame > fd_head->frame)
966 fd_head->frame = fd->frame;
970 * This is the tail fragment in the sequence.
972 if (fd_head->flags & FD_DATALEN_SET) {
973 /* ok we have already seen other tails for this packet
974 * it might be a duplicate.
976 if (fd_head->datalen != (fd->offset + fd->len) ){
977 /* Oops, this tail indicates a different packet
978 * len than the previous ones. Something's wrong.
980 fd->flags |= FD_MULTIPLETAILS;
981 fd_head->flags |= FD_MULTIPLETAILS;
984 /* This was the first tail fragment; now we know
985 * what the length of the packet should be.
987 fd_head->datalen = fd->offset + fd->len;
988 fd_head->flags |= FD_DATALEN_SET;
994 /* If the packet is already defragmented, this MUST be an overlap.
995 * The entire defragmented packet is in fd_head->data.
996 * Even if we have previously defragmented this packet, we still
997 * check it. Someone might play overlap and TTL games.
999 if (fd_head->flags & FD_DEFRAGMENTED) {
1000 guint32 end_offset = fd->offset + fd->len;
1001 fd->flags |= FD_OVERLAP;
1002 fd_head->flags |= FD_OVERLAP;
1003 /* make sure it's not too long */
1004 if (end_offset > fd_head->datalen || end_offset < fd->offset || end_offset < fd->len) {
1005 fd->flags |= FD_TOOLONGFRAGMENT;
1006 fd_head->flags |= FD_TOOLONGFRAGMENT;
1008 /* make sure it doesn't conflict with previous data */
1009 else if ( tvb_memeql(fd_head->tvb_data, fd->offset,
1010 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1011 fd->flags |= FD_OVERLAPCONFLICT;
1012 fd_head->flags |= FD_OVERLAPCONFLICT;
1014 /* it was just an overlap, link it and return */
1015 LINK_FRAG(fd_head,fd);
1021 /* If we have reached this point, the packet is not defragmented yet.
1022 * Save all payload in a buffer until we can defragment.
1024 if (!tvb_bytes_exist(tvb, offset, fd->len)) {
1025 g_slice_free(fragment_item, fd);
1028 fd->tvb_data = tvb_clone_offset_len(tvb, offset, fd->len);
1029 LINK_FRAG(fd_head,fd);
1032 if( !(fd_head->flags & FD_DATALEN_SET) ){
1033 /* if we don't know the datalen, there are still missing
1034 * packets. Cheaper than the check below.
1041 * Check if we have received the entire fragment.
1042 * This is easy since the list is sorted and the head is faked.
1044 * First, we compute the amount of contiguous data that's
1045 * available. (The check for fd_i->offset <= max rules out
1046 * fragments that don't start before or at the end of the
1047 * previous fragment, i.e. fragments that have a gap between
1048 * them and the previous fragment.)
1051 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1052 if ( ((fd_i->offset)<=max) &&
1053 ((fd_i->offset+fd_i->len)>max) ){
1054 max = fd_i->offset+fd_i->len;
1058 if (max < (fd_head->datalen)) {
1060 * The amount of contiguous data we have is less than the
1061 * amount of data we're trying to reassemble, so we haven't
1062 * received all packets yet.
1067 /* we have received an entire packet, defragment it and
1068 * free all fragments
1070 /* store old data just in case */
1071 old_tvb_data=fd_head->tvb_data;
1072 data = (guint8 *) g_malloc(fd_head->datalen);
1073 fd_head->tvb_data = tvb_new_real_data(data, fd_head->datalen, fd_head->datalen);
1074 tvb_set_free_cb(fd_head->tvb_data, g_free);
1076 /* add all data fragments */
1077 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
1080 * The loop above that calculates max also
1081 * ensures that the only gaps that exist here
1082 * are ones where a fragment starts past the
1083 * end of the reassembled datagram, and there's
1084 * a gap between the previous fragment and
1087 * A "DESEGMENT_UNTIL_FIN" was involved wherein the
1088 * FIN packet had an offset less than the highest
1089 * fragment offset seen. [Seen from a fuzz-test:
1092 * Note that the "overlap" compare must only be
1093 * done for fragments with (offset+len) <= fd_head->datalen
1094 * and thus within the newly g_malloc'd buffer.
1096 if (fd_i->offset + fd_i->len > dfpos) {
1097 if (fd_i->offset >= fd_head->datalen) {
1099 * Fragment starts after the end
1100 * of the reassembled packet.
1102 * This can happen if the length was
1103 * set after the offending fragment
1104 * was added to the reassembly.
1106 * Flag this fragment, but don't
1107 * try to extract any data from
1108 * it, as there's no place to put
1111 * XXX - add different flag value
1114 fd_i->flags |= FD_TOOLONGFRAGMENT;
1115 fd_head->flags |= FD_TOOLONGFRAGMENT;
1116 } else if (dfpos < fd_i->offset) {
1118 * XXX - can this happen? We've
1119 * already rejected fragments that
1120 * start past the end of the
1121 * reassembled datagram, and
1122 * the loop that calculated max
1123 * should have ruled out gaps,
1124 * but could fd_i->offset +
1125 * fd_i->len overflow?
1127 fd_head->error = "dfpos < offset";
1128 } else if (dfpos - fd_i->offset > fd_i->len)
1129 fd_head->error = "dfpos - offset > len";
1130 else if (!fd_head->tvb_data)
1131 fd_head->error = "no data";
1133 fraglen = fd_i->len;
1134 if (fd_i->offset + fraglen > fd_head->datalen) {
1136 * Fragment goes past the end
1137 * of the packet, as indicated
1138 * by the last fragment.
1140 * This can happen if the
1141 * length was set after the
1142 * offending fragment was
1143 * added to the reassembly.
1145 * Mark it as such, and only
1146 * copy from it what fits in
1149 fd_i->flags |= FD_TOOLONGFRAGMENT;
1150 fd_head->flags |= FD_TOOLONGFRAGMENT;
1151 fraglen = fd_head->datalen - fd_i->offset;
1153 if (fd_i->offset < dfpos) {
1154 guint32 cmp_len = MIN(fd_i->len,(dfpos-fd_i->offset));
1156 fd_i->flags |= FD_OVERLAP;
1157 fd_head->flags |= FD_OVERLAP;
1158 if ( memcmp(data + fd_i->offset,
1159 tvb_get_ptr(fd_i->tvb_data, 0, cmp_len),
1162 fd_i->flags |= FD_OVERLAPCONFLICT;
1163 fd_head->flags |= FD_OVERLAPCONFLICT;
1166 if (fraglen < dfpos - fd_i->offset) {
1168 * XXX - can this happen?
1170 fd_head->error = "fraglen < dfpos - offset";
1173 tvb_get_ptr(fd_i->tvb_data, (dfpos-fd_i->offset), fraglen-(dfpos-fd_i->offset)),
1174 fraglen-(dfpos-fd_i->offset));
1175 dfpos=MAX(dfpos, (fd_i->offset + fraglen));
1179 if (fd_i->offset + fd_i->len < fd_i->offset) {
1180 /* Integer overflow? */
1181 fd_head->error = "offset + len < offset";
1185 if (fd_i->flags & FD_SUBSET_TVB)
1186 fd_i->flags &= ~FD_SUBSET_TVB;
1187 else if (fd_i->tvb_data)
1188 tvb_free(fd_i->tvb_data);
1190 fd_i->tvb_data=NULL;
1195 tvb_add_to_chain(tvb, old_tvb_data);
1196 /* mark this packet as defragmented.
1197 allows us to skip any trailing fragments */
1198 fd_head->flags |= FD_DEFRAGMENTED;
1199 fd_head->reassembled_in=pinfo->num;
1200 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
1202 /* we don't throw until here to avoid leaking old_data and others */
1203 if (fd_head->error) {
1204 THROW_MESSAGE(ReassemblyError, fd_head->error);
1210 static fragment_head *
1211 fragment_add_common(reassembly_table *table, tvbuff_t *tvb, const int offset,
1212 const packet_info *pinfo, const guint32 id,
1213 const void *data, const guint32 frag_offset,
1214 const guint32 frag_data_len, const gboolean more_frags,
1215 const gboolean check_already_added)
1217 fragment_head *fd_head;
1218 fragment_item *fd_item;
1219 gboolean already_added;
1222 /* dissector shouldn't give us garbage tvb info */
1223 DISSECTOR_ASSERT(tvb_bytes_exist(tvb, offset, frag_data_len));
1225 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
1228 /* debug output of associated fragments. */
1229 /* leave it here for future debugging sessions */
1230 if(strcmp(pinfo->current_proto, "DCERPC") == 0) {
1231 printf("proto:%s num:%u id:%u offset:%u len:%u more:%u visited:%u\n",
1232 pinfo->current_proto, pinfo->num, id, frag_offset, frag_data_len, more_frags, pinfo->fd->flags.visited);
1233 if(fd_head != NULL) {
1234 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
1235 printf("fd_frame:%u fd_offset:%u len:%u datalen:%u\n",
1236 fd_item->frame, fd_item->offset, fd_item->len, fd_item->datalen);
1243 * Is this the first pass through the capture?
1245 if (!pinfo->fd->flags.visited) {
1247 * Yes, so we could be doing reassembly. If
1248 * "check_already_added" is true, and fd_head is non-null,
1249 * meaning that this fragment would be added to an
1250 * in-progress reassembly, check if we have seen this
1251 * fragment before, i.e., if we have already added it to
1252 * that reassembly. That can be true even on the first pass
1253 * since we sometimes might call a subdissector multiple
1256 * We check both the frame number and the fragment offset,
1257 * so that we support multiple fragments from the same
1258 * frame being added to the same reassembled PDU.
1260 if (check_already_added && fd_head != NULL) {
1262 * fd_head->frame is the maximum of the frame
1263 * numbers of all the fragments added to this
1264 * reassembly; if this frame is later than that
1265 * frame, we know it hasn't been added yet.
1267 if (pinfo->num <= fd_head->frame) {
1268 already_added = FALSE;
1270 * The first item in the reassembly list
1271 * is not a fragment, it's a data structure
1272 * for the reassembled packet, so we
1273 * start checking with the next item.
1275 for (fd_item = fd_head->next; fd_item;
1276 fd_item = fd_item->next) {
1277 if (pinfo->num == fd_item->frame &&
1278 frag_offset == fd_item->offset) {
1279 already_added = TRUE;
1283 if (already_added) {
1285 * Have we already finished
1288 if (fd_head->flags & FD_DEFRAGMENTED) {
1291 * XXX - can this ever happen?
1293 THROW_MESSAGE(ReassemblyError,
1294 "Frame already added in first pass");
1306 * No, so we've already done all the reassembly and added
1307 * all the fragments. Do we have a reassembly and, if so,
1308 * have we finished reassembling?
1310 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1312 * Yes. This is probably being done after the
1313 * first pass, and we've already done the work
1314 * on the first pass.
1316 * If the reassembly got a fatal error, throw that
1320 THROW_MESSAGE(ReassemblyError, fd_head->error);
1323 * Is it later in the capture than all of the
1324 * fragments in the reassembly?
1326 if (pinfo->num > fd_head->frame) {
1328 * Yes, so report this as a problem,
1329 * possibly a retransmission.
1331 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)");
1335 * Does this fragment go past the end of the
1336 * results of that reassembly?
1338 if (frag_offset + frag_data_len > fd_head->datalen) {
1342 if (frag_offset >= fd_head->datalen) {
1344 * The fragment starts past the
1345 * end of the reassembled data.
1347 THROW_MESSAGE(ReassemblyError, "New fragment past old data limits");
1350 * The fragment starts before the end
1351 * of the reassembled data, but
1352 * runs past the end. That could
1353 * just be a retransmission.
1355 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)");
1369 /* not found, this must be the first snooped fragment for this
1370 * packet. Create list-head.
1372 fd_head = new_head(0);
1375 * Insert it into the hash table.
1377 insert_fd_head(table, fd_head, pinfo, id, data);
1380 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1381 frag_data_len, more_frags)) {
1383 * Reassembly is complete.
1388 * Reassembly isn't complete.
1395 fragment_add(reassembly_table *table, tvbuff_t *tvb, const int offset,
1396 const packet_info *pinfo, const guint32 id, const void *data,
1397 const guint32 frag_offset, const guint32 frag_data_len,
1398 const gboolean more_frags)
1400 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1401 frag_offset, frag_data_len, more_frags, TRUE);
1405 * For use when you can have multiple fragments in the same frame added
1406 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
1409 fragment_add_multiple_ok(reassembly_table *table, tvbuff_t *tvb,
1410 const int offset, const packet_info *pinfo,
1411 const guint32 id, const void *data,
1412 const guint32 frag_offset,
1413 const guint32 frag_data_len, const gboolean more_frags)
1415 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1416 frag_offset, frag_data_len, more_frags, FALSE);
1420 fragment_add_check(reassembly_table *table, tvbuff_t *tvb, const int offset,
1421 const packet_info *pinfo, const guint32 id,
1422 const void *data, const guint32 frag_offset,
1423 const guint32 frag_data_len, const gboolean more_frags)
1425 reassembled_key reass_key;
1426 fragment_head *fd_head;
1430 * If this isn't the first pass, look for this frame in the table
1431 * of reassembled packets.
1433 if (pinfo->fd->flags.visited) {
1434 reass_key.frame = pinfo->num;
1436 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
1439 /* Looks up a key in the GHashTable, returning the original key and the associated value
1440 * and a gboolean which is TRUE if the key was found. This is useful if you need to free
1441 * the memory allocated for the original key, for example before calling g_hash_table_remove()
1443 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
1444 if (fd_head == NULL) {
1445 /* not found, this must be the first snooped fragment for this
1446 * packet. Create list-head.
1448 fd_head = new_head(0);
1451 * Save the key, for unhashing it later.
1453 orig_key = insert_fd_head(table, fd_head, pinfo, id, data);
1457 * If this is a short frame, then we can't, and don't, do
1458 * reassembly on it. We just give up.
1460 if (tvb_reported_length(tvb) > tvb_captured_length(tvb))
1463 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1464 frag_data_len, more_frags)) {
1466 * Reassembly is complete.
1467 * Remove this from the table of in-progress
1468 * reassemblies, add it to the table of
1469 * reassembled packets, and return it.
1473 * Remove this from the table of in-progress reassemblies,
1474 * and free up any memory used for it in that table.
1476 fragment_unhash(table, orig_key);
1479 * Add this item to the table of reassembled packets.
1481 fragment_reassembled(table, fd_head, pinfo, id);
1485 * Reassembly isn't complete.
1492 fragment_defragment_and_free (fragment_head *fd_head, const packet_info *pinfo)
1494 fragment_item *fd_i = NULL;
1495 fragment_item *last_fd = NULL;
1496 guint32 dfpos = 0, size = 0;
1497 tvbuff_t *old_tvb_data = NULL;
1500 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1501 if(!last_fd || last_fd->offset!=fd_i->offset){
1507 /* store old data in case the fd_i->data pointers refer to it */
1508 old_tvb_data=fd_head->tvb_data;
1509 data = (guint8 *) g_malloc(size);
1510 fd_head->tvb_data = tvb_new_real_data(data, size, size);
1511 tvb_set_free_cb(fd_head->tvb_data, g_free);
1512 fd_head->len = size; /* record size for caller */
1514 /* add all data fragments */
1516 for (fd_i=fd_head->next; fd_i; fd_i=fd_i->next) {
1518 if(!last_fd || last_fd->offset != fd_i->offset) {
1519 /* First fragment or in-sequence fragment */
1520 memcpy(data+dfpos, tvb_get_ptr(fd_i->tvb_data, 0, fd_i->len), fd_i->len);
1523 /* duplicate/retransmission/overlap */
1524 fd_i->flags |= FD_OVERLAP;
1525 fd_head->flags |= FD_OVERLAP;
1526 if(last_fd->len != fd_i->len
1527 || tvb_memeql(last_fd->tvb_data, 0, tvb_get_ptr(fd_i->tvb_data, 0, last_fd->len), last_fd->len) ) {
1528 fd_i->flags |= FD_OVERLAPCONFLICT;
1529 fd_head->flags |= FD_OVERLAPCONFLICT;
1536 /* we have defragmented the pdu, now free all fragments*/
1537 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1538 if (fd_i->flags & FD_SUBSET_TVB)
1539 fd_i->flags &= ~FD_SUBSET_TVB;
1540 else if (fd_i->tvb_data)
1541 tvb_free(fd_i->tvb_data);
1542 fd_i->tvb_data=NULL;
1545 tvb_free(old_tvb_data);
1547 /* mark this packet as defragmented.
1548 * allows us to skip any trailing fragments.
1550 fd_head->flags |= FD_DEFRAGMENTED;
1551 fd_head->reassembled_in=pinfo->num;
1552 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
1556 * This function adds a new fragment to the entry for a reassembly
1559 * The list of fragments for a specific datagram is kept sorted for
1562 * Returns TRUE if we have all the fragments, FALSE otherwise.
1564 * This function assumes frag_number being a block sequence number.
1565 * The bsn for the first block is 0.
1568 fragment_add_seq_work(fragment_head *fd_head, tvbuff_t *tvb, const int offset,
1569 const packet_info *pinfo, const guint32 frag_number,
1570 const guint32 frag_data_len, const gboolean more_frags)
1573 fragment_item *fd_i;
1574 fragment_item *last_fd;
1576 guint32 frag_number_work;
1578 /* Enables the use of fragment sequence numbers, which do not start with 0 */
1579 frag_number_work = frag_number;
1580 if ( fd_head->fragment_nr_offset != 0 )
1581 if ( frag_number_work >= fd_head->fragment_nr_offset )
1582 frag_number_work = frag_number - fd_head->fragment_nr_offset;
1584 /* if the partial reassembly flag has been set, and we are extending
1585 * the pdu, un-reassemble the pdu. This means pointing old fds to malloc'ed data.
1587 if(fd_head->flags & FD_DEFRAGMENTED && frag_number_work >= fd_head->datalen &&
1588 fd_head->flags & FD_PARTIAL_REASSEMBLY){
1589 guint32 lastdfpos = 0;
1591 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
1592 if( !fd_i->tvb_data ) {
1593 if( fd_i->flags & FD_OVERLAP ) {
1594 /* this is a duplicate of the previous
1596 fd_i->tvb_data = tvb_new_subset_remaining(fd_head->tvb_data, lastdfpos);
1598 fd_i->tvb_data = tvb_new_subset_remaining(fd_head->tvb_data, dfpos);
1602 fd_i->flags |= FD_SUBSET_TVB;
1604 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1606 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
1607 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1609 fd_head->reassembled_in=0;
1610 fd_head->reas_in_layer_num = 0;
1614 /* create new fd describing this fragment */
1615 fd = g_slice_new(fragment_item);
1618 fd->frame = pinfo->num;
1619 fd->offset = frag_number_work;
1620 fd->len = frag_data_len;
1621 fd->tvb_data = NULL;
1626 * This is the tail fragment in the sequence.
1628 if (fd_head->flags&FD_DATALEN_SET) {
1629 /* ok we have already seen other tails for this packet
1630 * it might be a duplicate.
1632 if (fd_head->datalen != fd->offset ){
1633 /* Oops, this tail indicates a different packet
1634 * len than the previous ones. Something's wrong.
1636 fd->flags |= FD_MULTIPLETAILS;
1637 fd_head->flags |= FD_MULTIPLETAILS;
1640 /* this was the first tail fragment, now we know the
1641 * sequence number of that fragment (which is NOT
1642 * the length of the packet!)
1644 fd_head->datalen = fd->offset;
1645 fd_head->flags |= FD_DATALEN_SET;
1649 /* If the packet is already defragmented, this MUST be an overlap.
1650 * The entire defragmented packet is in fd_head->data
1651 * Even if we have previously defragmented this packet, we still check
1652 * check it. Someone might play overlap and TTL games.
1654 if (fd_head->flags & FD_DEFRAGMENTED) {
1655 fd->flags |= FD_OVERLAP;
1656 fd_head->flags |= FD_OVERLAP;
1658 /* make sure it's not past the end */
1659 if (fd->offset > fd_head->datalen) {
1660 /* new fragment comes after the end */
1661 fd->flags |= FD_TOOLONGFRAGMENT;
1662 fd_head->flags |= FD_TOOLONGFRAGMENT;
1663 LINK_FRAG(fd_head,fd);
1666 /* make sure it doesn't conflict with previous data */
1669 for (fd_i=fd_head->next;fd_i && (fd_i->offset!=fd->offset);fd_i=fd_i->next) {
1670 if (!last_fd || last_fd->offset!=fd_i->offset){
1676 /* new fragment overlaps existing fragment */
1677 if(fd_i->len!=fd->len){
1679 * They have different lengths; this
1680 * is definitely a conflict.
1682 fd->flags |= FD_OVERLAPCONFLICT;
1683 fd_head->flags |= FD_OVERLAPCONFLICT;
1684 LINK_FRAG(fd_head,fd);
1687 DISSECTOR_ASSERT(fd_head->len >= dfpos + fd->len);
1688 if (tvb_memeql(fd_head->tvb_data, dfpos,
1689 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1691 * They have the same length, but the
1692 * data isn't the same.
1694 fd->flags |= FD_OVERLAPCONFLICT;
1695 fd_head->flags |= FD_OVERLAPCONFLICT;
1696 LINK_FRAG(fd_head,fd);
1699 /* it was just an overlap, link it and return */
1700 LINK_FRAG(fd_head,fd);
1704 * New fragment doesn't overlap an existing
1705 * fragment - there was presumably a gap in
1706 * the sequence number space.
1708 * XXX - what should we do here? Is it always
1709 * the case that there are no gaps, or are there
1710 * protcols using sequence numbers where there
1713 * If the former, the check below for having
1714 * received all the fragments should check for
1715 * holes in the sequence number space and for the
1716 * first sequence number being 0. If we do that,
1717 * the only way we can get here is if this fragment
1718 * is past the end of the sequence number space -
1719 * but the check for "fd->offset > fd_head->datalen"
1720 * would have caught that above, so it can't happen.
1722 * If the latter, we don't have a good way of
1723 * knowing whether reassembly is complete if we
1724 * get packet out of order such that the "last"
1725 * fragment doesn't show up last - but, unless
1726 * in-order reliable delivery of fragments is
1727 * guaranteed, an implementation of the protocol
1728 * has no way of knowing whether reassembly is
1731 * For now, we just link the fragment in and
1734 LINK_FRAG(fd_head,fd);
1739 /* If we have reached this point, the packet is not defragmented yet.
1740 * Save all payload in a buffer until we can defragment.
1742 /* check len, there may be a fragment with 0 len, that is actually the tail */
1744 if (!tvb_bytes_exist(tvb, offset, fd->len)) {
1745 /* abort if we didn't capture the entire fragment due
1746 * to a too-short snapshot length */
1747 g_slice_free(fragment_item, fd);
1751 fd->tvb_data = tvb_clone_offset_len(tvb, offset, fd->len);
1753 LINK_FRAG(fd_head,fd);
1756 if( !(fd_head->flags & FD_DATALEN_SET) ){
1757 /* if we don't know the sequence number of the last fragment,
1758 * there are definitely still missing packets. Cheaper than
1765 /* check if we have received the entire fragment
1766 * this is easy since the list is sorted and the head is faked.
1767 * common case the whole list is scanned.
1770 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1771 if ( fd_i->offset==max ){
1775 /* max will now be datalen+1 if all fragments have been seen */
1777 if (max <= fd_head->datalen) {
1778 /* we have not received all packets yet */
1783 if (max > (fd_head->datalen+1)) {
1784 /* oops, too long fragment detected */
1785 fd->flags |= FD_TOOLONGFRAGMENT;
1786 fd_head->flags |= FD_TOOLONGFRAGMENT;
1790 /* we have received an entire packet, defragment it and
1791 * free all fragments
1793 fragment_defragment_and_free(fd_head, pinfo);
1799 * This function adds a new fragment to the fragment hash table.
1800 * If this is the first fragment seen for this datagram, a new entry
1801 * is created in the hash table, otherwise this fragment is just added
1802 * to the linked list of fragments for this packet.
1804 * Returns a pointer to the head of the fragment data list if we have all the
1805 * fragments, NULL otherwise.
1807 * This function assumes frag_number being a block sequence number.
1808 * The bsn for the first block is 0.
1810 static fragment_head *
1811 fragment_add_seq_common(reassembly_table *table, tvbuff_t *tvb,
1812 const int offset, const packet_info *pinfo,
1813 const guint32 id, const void *data,
1814 guint32 frag_number, const guint32 frag_data_len,
1815 const gboolean more_frags, const guint32 flags,
1816 gpointer *orig_keyp)
1818 fragment_head *fd_head;
1821 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
1823 /* have we already seen this frame ?*/
1824 if (pinfo->fd->flags.visited) {
1825 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1826 if (orig_keyp != NULL)
1827 *orig_keyp = orig_key;
1835 /* not found, this must be the first snooped fragment for this
1836 * packet. Create list-head.
1838 fd_head= new_head(FD_BLOCKSEQUENCE);
1840 if((flags & (REASSEMBLE_FLAGS_NO_FRAG_NUMBER|REASSEMBLE_FLAGS_802_11_HACK))
1843 * This is the last fragment for this packet, and
1844 * is the only one we've seen.
1846 * Either we don't have sequence numbers, in which
1847 * case we assume this is the first fragment for
1848 * this packet, or we're doing special 802.11
1849 * processing, in which case we assume it's one
1850 * of those reassembled packets with a non-zero
1851 * fragment number (see packet-80211.c); just
1852 * return a pointer to the head of the list;
1853 * fragment_add_seq_check will then add it to the table
1854 * of reassembled packets.
1856 if (orig_keyp != NULL)
1858 fd_head->reassembled_in=pinfo->num;
1859 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
1863 orig_key = insert_fd_head(table, fd_head, pinfo, id, data);
1864 if (orig_keyp != NULL)
1865 *orig_keyp = orig_key;
1868 * If we weren't given an initial fragment number,
1871 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER)
1874 if (orig_keyp != NULL)
1875 *orig_keyp = orig_key;
1877 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER) {
1880 * If we weren't given an initial fragment number,
1881 * use the next expected fragment number as the fragment
1882 * number for this fragment.
1884 for (fd = fd_head; fd != NULL; fd = fd->next) {
1885 if (fd->next == NULL)
1886 frag_number = fd->offset + 1;
1892 * XXX I've copied this over from the old separate
1893 * fragment_add_seq_check_work, but I'm not convinced it's doing the
1894 * right thing -- rav
1896 * If we don't have all the data that is in this fragment,
1897 * then we can't, and don't, do reassembly on it.
1899 * If it's the first frame, handle it as an unfragmented packet.
1900 * Otherwise, just handle it as a fragment.
1902 * If "more_frags" isn't set, we get rid of the entry in the
1903 * hash table for this reassembly, as we don't need it any more.
1905 if ((flags & REASSEMBLE_FLAGS_CHECK_DATA_PRESENT) &&
1906 !tvb_bytes_exist(tvb, offset, frag_data_len)) {
1907 fd_head -> flags |= FD_DATA_NOT_PRESENT;
1908 if (frag_number == 0) {
1914 * Remove this from the table of in-progress
1915 * reassemblies, and free up any memory used for
1918 fragment_unhash(table, *orig_keyp);
1919 free_all_fragments(NULL, fd_head, NULL);
1925 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1926 frag_number, frag_data_len, more_frags)) {
1928 * Reassembly is complete.
1933 * Reassembly isn't complete.
1940 fragment_add_seq(reassembly_table *table, tvbuff_t *tvb, const int offset,
1941 const packet_info *pinfo, const guint32 id, const void *data,
1942 const guint32 frag_number, const guint32 frag_data_len,
1943 const gboolean more_frags, const guint32 flags)
1945 return fragment_add_seq_common(table, tvb, offset, pinfo, id, data,
1946 frag_number, frag_data_len,
1947 more_frags, flags, NULL);
1951 * This does the work for "fragment_add_seq_check()" and
1952 * "fragment_add_seq_next()".
1954 * This function assumes frag_number being a block sequence number.
1955 * The bsn for the first block is 0.
1957 * If "no_frag_number" is TRUE, it uses the next expected fragment number
1958 * as the fragment number if there is a reassembly in progress, otherwise
1961 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
1962 * the fragment number.
1964 * If this is the first fragment seen for this datagram, a new
1965 * "fragment_head" structure is allocated to refer to the reassembled
1968 * This fragment is added to the linked list of fragments for this packet.
1970 * If "more_frags" is false and REASSEMBLE_FLAGS_802_11_HACK (as the name
1971 * implies, a special hack for 802.11) or REASSEMBLE_FLAGS_NO_FRAG_NUMBER
1972 * (implying messages must be in order since there's no sequence number) are
1973 * set in "flags", then this (one element) list is returned.
1975 * If, after processing this fragment, we have all the fragments,
1976 * "fragment_add_seq_check_work()" removes that from the fragment hash
1977 * table if necessary and adds it to the table of reassembled fragments,
1978 * and returns a pointer to the head of the fragment list.
1980 * Otherwise, it returns NULL.
1982 * XXX - Should we simply return NULL for zero-length fragments?
1984 static fragment_head *
1985 fragment_add_seq_check_work(reassembly_table *table, tvbuff_t *tvb,
1986 const int offset, const packet_info *pinfo,
1987 const guint32 id, const void *data,
1988 const guint32 frag_number,
1989 const guint32 frag_data_len,
1990 const gboolean more_frags, const guint32 flags)
1992 reassembled_key reass_key;
1993 fragment_head *fd_head;
1997 * Have we already seen this frame?
1998 * If so, look for it in the table of reassembled packets.
2000 if (pinfo->fd->flags.visited) {
2001 reass_key.frame = pinfo->num;
2003 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
2006 fd_head = fragment_add_seq_common(table, tvb, offset, pinfo, id, data,
2007 frag_number, frag_data_len,
2009 flags|REASSEMBLE_FLAGS_CHECK_DATA_PRESENT,
2012 if(fd_head->flags & FD_DATA_NOT_PRESENT) {
2013 /* this is the first fragment of a datagram with
2014 * truncated fragments. Don't move it to the
2015 * reassembled table. */
2020 * Reassembly is complete.
2022 * If this is in the table of in-progress reassemblies,
2023 * remove it from that table. (It could be that this
2024 * was the first and last fragment, so that no
2025 * reassembly was done.)
2027 if (orig_key != NULL)
2028 fragment_unhash(table, orig_key);
2031 * Add this item to the table of reassembled packets.
2033 fragment_reassembled(table, fd_head, pinfo, id);
2037 * Reassembly isn't complete.
2044 fragment_add_seq_check(reassembly_table *table, tvbuff_t *tvb, const int offset,
2045 const packet_info *pinfo, const guint32 id,
2047 const guint32 frag_number, const guint32 frag_data_len,
2048 const gboolean more_frags)
2050 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2051 frag_number, frag_data_len,
2056 fragment_add_seq_802_11(reassembly_table *table, tvbuff_t *tvb,
2057 const int offset, const packet_info *pinfo,
2058 const guint32 id, const void *data,
2059 const guint32 frag_number, const guint32 frag_data_len,
2060 const gboolean more_frags)
2062 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2063 frag_number, frag_data_len,
2065 REASSEMBLE_FLAGS_802_11_HACK);
2069 fragment_add_seq_next(reassembly_table *table, tvbuff_t *tvb, const int offset,
2070 const packet_info *pinfo, const guint32 id,
2071 const void *data, const guint32 frag_data_len,
2072 const gboolean more_frags)
2074 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2075 0, frag_data_len, more_frags,
2076 REASSEMBLE_FLAGS_NO_FRAG_NUMBER);
2080 fragment_start_seq_check(reassembly_table *table, const packet_info *pinfo,
2081 const guint32 id, const void *data,
2082 const guint32 tot_len)
2084 fragment_head *fd_head;
2086 /* Have we already seen this frame ?*/
2087 if (pinfo->fd->flags.visited) {
2091 /* Check if fragment data exists */
2092 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
2094 if (fd_head == NULL) {
2095 /* Create list-head. */
2096 fd_head = g_slice_new(fragment_head);
2097 fd_head->next = NULL;
2098 fd_head->datalen = tot_len;
2099 fd_head->offset = 0;
2100 fd_head->fragment_nr_offset = 0;
2102 fd_head->flags = FD_BLOCKSEQUENCE|FD_DATALEN_SET;
2103 fd_head->tvb_data = NULL;
2104 fd_head->reassembled_in = 0;
2105 fd_head->reas_in_layer_num = 0;
2106 fd_head->error = NULL;
2108 insert_fd_head(table, fd_head, pinfo, id, data);
2113 fragment_end_seq_next(reassembly_table *table, const packet_info *pinfo,
2114 const guint32 id, const void *data)
2116 reassembled_key reass_key;
2117 reassembled_key *new_key;
2118 fragment_head *fd_head;
2122 * Have we already seen this frame?
2123 * If so, look for it in the table of reassembled packets.
2125 if (pinfo->fd->flags.visited) {
2126 reass_key.frame = pinfo->num;
2128 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
2131 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
2134 if (fd_head->flags & FD_DATA_NOT_PRESENT) {
2139 fd_head->datalen = fd_head->offset;
2140 fd_head->flags |= FD_DATALEN_SET;
2142 fragment_defragment_and_free (fd_head, pinfo);
2145 * Remove this from the table of in-progress reassemblies,
2146 * and free up any memory used for it in that table.
2148 fragment_unhash(table, orig_key);
2151 * Add this item to the table of reassembled packets.
2153 fragment_reassembled(table, fd_head, pinfo, id);
2154 if (fd_head->next != NULL) {
2155 new_key = g_slice_new(reassembled_key);
2156 new_key->frame = pinfo->num;
2158 g_hash_table_insert(table->reassembled_table, new_key, fd_head);
2164 * Fragment data not found.
2171 * Process reassembled data; if we're on the frame in which the data
2172 * was reassembled, put the fragment information into the protocol
2173 * tree, and construct a tvbuff with the reassembled data, otherwise
2174 * just put a "reassembled in" item into the protocol tree.
2177 process_reassembled_data(tvbuff_t *tvb, const int offset, packet_info *pinfo,
2178 const char *name, fragment_head *fd_head, const fragment_items *fit,
2179 gboolean *update_col_infop, proto_tree *tree)
2182 gboolean update_col_info;
2183 proto_item *frag_tree_item;
2185 if (fd_head != NULL && pinfo->num == fd_head->reassembled_in && pinfo->curr_layer_num == fd_head->reas_in_layer_num) {
2187 * OK, we've reassembled this.
2188 * Is this something that's been reassembled from more
2189 * than one fragment?
2191 if (fd_head->next != NULL) {
2194 * Allocate a new tvbuff, referring to the
2195 * reassembled payload, and set
2196 * the tvbuff to the list of tvbuffs to which
2197 * the tvbuff we were handed refers, so it'll get
2198 * cleaned up when that tvbuff is cleaned up.
2200 next_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
2202 /* Add the defragmented data to the data source list. */
2203 add_new_data_source(pinfo, next_tvb, name);
2205 /* show all fragments */
2206 if (fd_head->flags & FD_BLOCKSEQUENCE) {
2207 update_col_info = !show_fragment_seq_tree(
2208 fd_head, fit, tree, pinfo, next_tvb, &frag_tree_item);
2210 update_col_info = !show_fragment_tree(fd_head,
2211 fit, tree, pinfo, next_tvb, &frag_tree_item);
2216 * Return a tvbuff with the payload.
2218 next_tvb = tvb_new_subset_remaining(tvb, offset);
2219 pinfo->fragmented = FALSE; /* one-fragment packet */
2220 update_col_info = TRUE;
2222 if (update_col_infop != NULL)
2223 *update_col_infop = update_col_info;
2226 * We don't have the complete reassembled payload, or this
2227 * isn't the final frame of that payload.
2232 * If we know what frame this was reassembled in,
2233 * and if there's a field to use for the number of
2234 * the frame in which the packet was reassembled,
2235 * add it to the protocol tree.
2237 if (fd_head != NULL && fit->hf_reassembled_in != NULL) {
2238 proto_tree_add_uint(tree,
2239 *(fit->hf_reassembled_in), tvb,
2240 0, 0, fd_head->reassembled_in);
2247 * Show a single fragment in a fragment subtree, and put information about
2248 * it in the top-level item for that subtree.
2251 show_fragment(fragment_item *fd, const int offset, const fragment_items *fit,
2252 proto_tree *ft, proto_item *fi, const gboolean first_frag,
2253 const guint32 count, tvbuff_t *tvb, packet_info *pinfo)
2255 proto_item *fei=NULL;
2261 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragment)));
2263 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragments)));
2265 proto_item_set_text(fi, "%u %s (%u byte%s): ", count, name, tvb_captured_length(tvb),
2266 plurality(tvb_captured_length(tvb), "", "s"));
2269 proto_item_append_text(fi, ", ");
2271 proto_item_append_text(fi, "#%u(%u)", fd->frame, fd->len);
2273 if (fd->flags & (FD_OVERLAPCONFLICT
2274 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2275 hf = *(fit->hf_fragment_error);
2277 hf = *(fit->hf_fragment);
2280 fei = proto_tree_add_uint_format(ft, hf,
2281 tvb, offset, fd->len,
2283 "Frame: %u (no data)",
2286 fei = proto_tree_add_uint_format(ft, hf,
2287 tvb, offset, fd->len,
2289 "Frame: %u, payload: %u-%u (%u byte%s)",
2294 plurality(fd->len, "", "s"));
2296 PROTO_ITEM_SET_GENERATED(fei);
2297 mark_frame_as_depended_upon(pinfo, fd->frame);
2298 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
2299 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2300 /* this fragment has some flags set, create a subtree
2301 * for it and display the flags.
2303 proto_tree *fet=NULL;
2305 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
2306 if (fd->flags&FD_OVERLAP) {
2307 fei=proto_tree_add_boolean(fet,
2308 *(fit->hf_fragment_overlap),
2311 PROTO_ITEM_SET_GENERATED(fei);
2313 if (fd->flags&FD_OVERLAPCONFLICT) {
2314 fei=proto_tree_add_boolean(fet,
2315 *(fit->hf_fragment_overlap_conflict),
2318 PROTO_ITEM_SET_GENERATED(fei);
2320 if (fd->flags&FD_MULTIPLETAILS) {
2321 fei=proto_tree_add_boolean(fet,
2322 *(fit->hf_fragment_multiple_tails),
2325 PROTO_ITEM_SET_GENERATED(fei);
2327 if (fd->flags&FD_TOOLONGFRAGMENT) {
2328 fei=proto_tree_add_boolean(fet,
2329 *(fit->hf_fragment_too_long_fragment),
2332 PROTO_ITEM_SET_GENERATED(fei);
2338 show_fragment_errs_in_col(fragment_head *fd_head, const fragment_items *fit,
2341 if (fd_head->flags & (FD_OVERLAPCONFLICT
2342 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2343 col_add_fstr(pinfo->cinfo, COL_INFO, "[Illegal %s]", fit->tag);
2350 /* This function will build the fragment subtree; it's for fragments
2351 reassembled with "fragment_add()".
2353 It will return TRUE if there were fragmentation errors
2354 or FALSE if fragmentation was ok.
2357 show_fragment_tree(fragment_head *fd_head, const fragment_items *fit,
2358 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2362 gboolean first_frag;
2364 /* It's not fragmented. */
2365 pinfo->fragmented = FALSE;
2367 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA);
2368 PROTO_ITEM_SET_GENERATED(*fi);
2370 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2372 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2375 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2376 show_fragment(fd, fd->offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
2380 if (fit->hf_fragment_count) {
2381 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2383 PROTO_ITEM_SET_GENERATED(fli);
2386 if (fit->hf_reassembled_length) {
2387 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2388 tvb, 0, 0, tvb_captured_length (tvb));
2389 PROTO_ITEM_SET_GENERATED(fli);
2392 if (fit->hf_reassembled_data) {
2393 proto_item *fli = proto_tree_add_item(ft, *(fit->hf_reassembled_data),
2394 tvb, 0, tvb_captured_length(tvb), ENC_NA);
2395 PROTO_ITEM_SET_GENERATED(fli);
2398 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2401 /* This function will build the fragment subtree; it's for fragments
2402 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
2404 It will return TRUE if there were fragmentation errors
2405 or FALSE if fragmentation was ok.
2408 show_fragment_seq_tree(fragment_head *fd_head, const fragment_items *fit,
2409 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2411 guint32 offset, next_offset, count = 0;
2412 fragment_item *fd, *last_fd;
2414 gboolean first_frag;
2416 /* It's not fragmented. */
2417 pinfo->fragmented = FALSE;
2419 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA);
2420 PROTO_ITEM_SET_GENERATED(*fi);
2422 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2427 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2430 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2431 if (last_fd == NULL || last_fd->offset != fd->offset) {
2432 offset = next_offset;
2433 next_offset += fd->len;
2436 show_fragment(fd, offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
2440 if (fit->hf_fragment_count) {
2441 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2443 PROTO_ITEM_SET_GENERATED(fli);
2446 if (fit->hf_reassembled_length) {
2447 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2448 tvb, 0, 0, tvb_captured_length (tvb));
2449 PROTO_ITEM_SET_GENERATED(fli);
2452 if (fit->hf_reassembled_data) {
2453 proto_item *fli = proto_tree_add_item(ft, *(fit->hf_reassembled_data),
2454 tvb, 0, tvb_captured_length(tvb), ENC_NA);
2455 PROTO_ITEM_SET_GENERATED(fli);
2458 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2462 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2467 * indent-tabs-mode: t
2470 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2471 * :indentSize=8:tabSize=8:noTabs=false: