packet-smb2: correctly dissect dcerpc traffic over different named pipe handles
authorStefan Metzmacher <metze@samba.org>
Wed, 21 Jan 2015 07:17:19 +0000 (08:17 +0100)
committerAlexis La Goutte <alexis.lagoutte@gmail.com>
Thu, 22 Jan 2015 13:29:31 +0000 (13:29 +0000)
Change-Id: Id98d1c7e28d88f6cd50f5ef770eec95e57008458
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/6709
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
epan/dissectors/packet-dcerpc.c
epan/dissectors/packet-smb2.c

index 745b9b0833b0556f820ce596981e9a7114122c8f..bafc8ee61693069a9121ea4d3a190e60b342f2e6 100644 (file)
@@ -5145,7 +5145,7 @@ dissect_dcerpc_cn_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
 {
     dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo);
 
-    decode_data->dcetransporttype = DCE_TRANSPORT_UNKNOWN;
+    decode_data->dcetransporttype = DCE_CN_TRANSPORT_SMBPIPE;
     return dissect_dcerpc_cn_bs_body(tvb, pinfo, tree);
 }
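Review bot: Nothing in `dissect_dcerpc_cn_smb2` shows where the per-pipe salt comes from now that the transport type is `DCE_CN_TRANSPORT_SMBPIPE`. The function sets only `dcetransporttype` and presumably relies on the SMB2 dissector having called `dcerpc_set_transport_salt()` beforehand. A comment above the assignment would make that ordering explicit, e.g. `/* salt (SMB2 file id) must already have been set by the caller via dcerpc_set_transport_salt() */`. Without it, a later caller that skips the salt could merge DCERPC streams from different pipes with no visible sign.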
 
index a83a9562c1ab82e669fd3f6e151eb192afe0a9ca..5ab837e175b67b6a4f76d301717f850ebc2d833e 100644 (file)
@@ -4054,6 +4054,27 @@ dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *t
        return offset;
 }
 
+static void
+smb2_set_dcerpc_file_id(packet_info *pinfo, smb2_info_t *si)
+{
+       guint64 persistent;
+
+       if (si == NULL) {
+               return;
+       }
+       if (si->saved == NULL) {
+               return;
+       }
+
+       /*
+        * the first 8 bytes are the persistent part of the file handle
+        */
+       persistent =  si->saved->policy_hnd.uuid.Data1;
+       persistent |= ((guint64)si->saved->policy_hnd.uuid.Data2) << 32;
+       persistent |= ((guint64)si->saved->policy_hnd.uuid.Data3) << 48;
+
+       dcerpc_set_transport_salt(persistent, pinfo);
+}
 
 static int
 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, guint32 datalen, proto_tree *top_tree)
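Review bot: Only the persistent half of the file id reaches the salt in `smb2_set_dcerpc_file_id` (`Data1` to `Data3`), so the remaining bytes of `policy_hnd.uuid` are ignored. Two pipe handles that share a persistent part would therefore still be dissected as one DCERPC stream. If that cannot happen, extend the existing comment to say so, e.g. `/* the persistent part alone identifies the open; the volatile part is deliberately not mixed in */`; otherwise fold the volatile bytes into the salt as well. The two early returns also leave any previously set salt in place, which deserves a one-line comment on the intended fallback.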
@@ -4188,6 +4209,7 @@ dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 
        /* data or dcerpc ?*/
        if (length && si->tree && si->tree->share_type == SMB2_SHARE_TYPE_PIPE) {
+               smb2_set_dcerpc_file_id(pinfo, si);
                offset = dissect_file_data_dcerpc(tvb, pinfo, tree, offset, length, si->top_tree);
                return offset;
        }
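Review bot: The `si == NULL` guard inside `smb2_set_dcerpc_file_id` cannot fire at this call site, because the `if` on the line above already dereferences `si->tree`. The call in `dissect_smb2_read_response` is in the same position, and the calls in `dissect_smb2_ioctl_data_in`/`_out` read `si->top_tree` right after the helper returns, so a NULL `si` would not survive there either. Either drop the guard from the helper or mark it as purely defensive with `/* callers already dereference si; kept as a safety net */`. The enclosing function starts and ends outside the hunk.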
@@ -4764,12 +4786,14 @@ dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, pro
 static void
 dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
 {
+       smb2_set_dcerpc_file_id(pinfo, si);
        dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, TRUE);
 }
 
 static void
 dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
 {
+       smb2_set_dcerpc_file_id(pinfo, si);
        dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, FALSE);
 }
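Review bot: Both ioctl wrappers call `smb2_set_dcerpc_file_id` for every ioctl, whereas the read and write paths set the salt only inside their named-pipe branch. This is probably harmless if the salt is consulted only when DCERPC is actually dissected, but the asymmetry is not explained. A comment at each call, such as `/* salt only matters if the ioctl payload turns out to be DCERPC on a pipe */`, would record the intent.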
 
@@ -5004,6 +5028,7 @@ dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
         * STATUS_PENDING read and thus a named pipe (==dcerpc)
         */
        if (length && ( (si->tree && si->tree->share_type == SMB2_SHARE_TYPE_PIPE)||(si->flags & SMB2_FLAGS_ASYNC_CMD))) {
+               smb2_set_dcerpc_file_id(pinfo, si);
                offset = dissect_file_data_dcerpc(tvb, pinfo, tree, offset, length, si->top_tree);
                return offset;
        }
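Review bot: In the `SMB2_FLAGS_ASYNC_CMD` arm of this condition `si->tree` may be NULL, and the salt is taken from `si->saved->policy_hnd`, which is saved state rather than a field of this response. If the matching read request is not in the capture, that handle is presumably unset and every such response would get the same salt, so data from different pipes could again be reassembled together. A comment at the call, e.g. `/* file id comes from the saved request state; if it is missing the salt is not per-pipe */`, would make the limitation visible to anyone reading a merged stream. The enclosing function starts and ends outside the hunk.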