2 * Routines for {fragment,segment} reassembly
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
33 #include <epan/reassemble.h>
35 #include <epan/emem.h>
37 #include <epan/dissectors/packet-dcerpc.h>
39 typedef struct _fragment_key {
45 typedef struct _dcerpc_fragment_key {
50 } dcerpc_fragment_key;
52 #if GLIB_CHECK_VERSION(2,10,0)
54 static GMemChunk *fragment_key_chunk = NULL;
55 static GMemChunk *fragment_data_chunk = NULL;
56 static GMemChunk *dcerpc_fragment_key_chunk = NULL;
57 static int fragment_init_count = 200;
60 static void LINK_FRAG(fragment_data *fd_head,fragment_data *fd)
64 /* add fragment to list, keep list sorted */
65 for(fd_i= fd_head; fd_i->next;fd_i=fd_i->next) {
66 if (fd->offset < fd_i->next->offset )
73 /* copy a fragment key to heap store to insert in the hash */
74 static void *fragment_key_copy(const void *k)
76 const fragment_key* key = (const fragment_key*) k;
77 #if GLIB_CHECK_VERSION(2,10,0)
78 fragment_key *new_key = g_slice_new(fragment_key);
80 fragment_key *new_key = g_mem_chunk_alloc(fragment_key_chunk);
83 COPY_ADDRESS(&new_key->src, &key->src);
84 COPY_ADDRESS(&new_key->dst, &key->dst);
85 new_key->id = key->id;
89 /* copy a dcerpc fragment key to heap store to insert in the hash */
90 static void *dcerpc_fragment_key_copy(const void *k)
92 const dcerpc_fragment_key* key = (const dcerpc_fragment_key*) k;
94 #if GLIB_CHECK_VERSION(2,10,0)
95 dcerpc_fragment_key *new_key = g_slice_new(dcerpc_fragment_key);
97 dcerpc_fragment_key *new_key = g_mem_chunk_alloc(dcerpc_fragment_key_chunk);
100 COPY_ADDRESS(&new_key->src, &key->src);
101 COPY_ADDRESS(&new_key->dst, &key->dst);
102 new_key->id = key->id;
103 new_key->act_id = key->act_id;
110 fragment_equal(gconstpointer k1, gconstpointer k2)
112 const fragment_key* key1 = (const fragment_key*) k1;
113 const fragment_key* key2 = (const fragment_key*) k2;
115 /*key.id is the first item to compare since item is most
116 likely to differ between sessions, thus shortcircuiting
117 the comparasion of addresses.
119 return ( ( (key1->id == key2->id) &&
120 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
121 (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
127 fragment_hash(gconstpointer k)
129 const fragment_key* key = (const fragment_key*) k;
137 /* More than likely: in most captures src and dst addresses are the
138 same, and would hash the same.
139 We only use id as the hash as an optimization.
141 for (i = 0; i < key->src.len; i++)
142 hash_val += key->src.data[i];
143 for (i = 0; i < key->dst.len; i++)
144 hash_val += key->dst.data[i];
153 dcerpc_fragment_equal(gconstpointer k1, gconstpointer k2)
155 const dcerpc_fragment_key* key1 = (const dcerpc_fragment_key*) k1;
156 const dcerpc_fragment_key* key2 = (const dcerpc_fragment_key*) k2;
158 /*key.id is the first item to compare since item is most
159 likely to differ between sessions, thus shortcircuiting
160 the comparison of addresses.
162 return (((key1->id == key2->id)
163 && (ADDRESSES_EQUAL(&key1->src, &key2->src))
164 && (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
165 && (memcmp (&key1->act_id, &key2->act_id, sizeof (e_uuid_t)) == 0))
170 dcerpc_fragment_hash(gconstpointer k)
172 const dcerpc_fragment_key* key = (const dcerpc_fragment_key*) k;
178 hash_val += key->act_id.Data1;
179 hash_val += key->act_id.Data2 << 16;
180 hash_val += key->act_id.Data3;
185 typedef struct _reassembled_key {
191 reassembled_equal(gconstpointer k1, gconstpointer k2)
193 const reassembled_key* key1 = (const reassembled_key*) k1;
194 const reassembled_key* key2 = (const reassembled_key*) k2;
197 * We assume that the frame numbers are unlikely to be equal,
198 * so we check them first.
200 return key1->frame == key2->frame && key1->id == key2->id;
204 reassembled_hash(gconstpointer k)
206 const reassembled_key* key = (const reassembled_key*) k;
212 * For a fragment hash table entry, free the associated fragments.
213 * If slices are used (GLIB >= 2.10) the entry value (fd_chain) is
214 * freed herein and the entry is freed when fragment_free_key()
215 * [or dcerpc_fragment_free_key()] is called (as a consequence of
216 * returning TRUE from this function).
217 * If mem_chunks are used, free the address data to which the key
218 * refers; the the actual key and value structures get freed
219 * by "reassemble_cleanup()").
222 free_all_fragments(gpointer key_arg _U_, gpointer value, gpointer user_data _U_)
224 fragment_data *fd_head, *tmp_fd;
226 #if GLIB_CHECK_VERSION(2,10,0)
227 /* If Glib version => 2.10 we do g_hash_table_new_full() and supply a function
228 * to free the key and the addresses.
231 fragment_key *key = key_arg;
233 * Grr. I guess the theory here is that freeing
234 * something sure as heck modifies it, so you
235 * want to ban attempts to free it, but, alas,
236 * if we make the "data" field of an "address"
237 * structure not a "const", the compiler whines if
238 * we try to make it point into the data for a packet,
239 * as that's a "const" array (and should be, as dissectors
240 * shouldn't trash it).
242 * So we cast the complaint into oblivion, and rely on
243 * the fact that these addresses are known to have had
244 * their data mallocated, i.e. they don't point into,
245 * say, the middle of the data for a packet.
247 g_free((gpointer)key->src.data);
248 g_free((gpointer)key->dst.data);
250 for (fd_head = value; fd_head != NULL; fd_head = tmp_fd) {
251 tmp_fd=fd_head->next;
253 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
254 g_free(fd_head->data);
255 #if GLIB_CHECK_VERSION(2,10,0)
256 g_slice_free(fragment_data, fd_head);
263 /* ------------------------- */
264 static fragment_data *new_head(const guint32 flags)
266 fragment_data *fd_head;
267 /* If head/first structure in list only holds no other data than
268 * 'datalen' then we don't have to change the head of the list
269 * even if we want to keep it sorted
271 #if GLIB_CHECK_VERSION(2,10,0)
272 fd_head=g_slice_new0(fragment_data);
274 fd_head=g_mem_chunk_alloc0(fragment_data_chunk);
277 fd_head->flags=flags;
282 * For a reassembled-packet hash table entry, free the fragment data
283 * to which the value refers.
284 * (The actual value structures get freed by "reassemble_cleanup()".)
287 free_all_reassembled_fragments(gpointer key_arg _U_, gpointer value,
288 gpointer user_data _U_)
290 fragment_data *fd_head;
292 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
293 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED)) {
294 g_free(fd_head->data);
297 * A reassembled packet is inserted into the
298 * hash table once for every frame that made
299 * up the reassembled packet; clear the data
300 * pointer so that we only free the data the
301 * first time we see it.
303 fd_head->data = NULL;
310 #if GLIB_CHECK_VERSION(2,10,0)
312 fragment_free_key(void *ptr)
314 fragment_key *key = (fragment_key *)ptr;
318 * Free up the copies of the addresses from the old key.
320 g_free((gpointer)key->src.data);
321 g_free((gpointer)key->dst.data);
323 g_slice_free(fragment_key, key);
328 dcerpc_fragment_free_key(void *ptr)
330 dcerpc_fragment_key *key = (dcerpc_fragment_key *)ptr;
334 * Free up the copies of the addresses from the old key.
336 g_free((gpointer)key->src.data);
337 g_free((gpointer)key->dst.data);
339 g_slice_free(dcerpc_fragment_key, key);
344 * Initialize a fragment table.
347 fragment_table_init(GHashTable **fragment_table)
349 if (*fragment_table != NULL) {
351 * The fragment hash table exists.
353 * Remove all entries and free fragment data for each entry.
355 * If slices are used (GLIB >= 2.10)
356 * the keys are freed by calling fragment_free_key()
357 * and the values are freed in free_all_fragments().
359 * If mem_chunks are used, the key and value data
360 * are freed by "reassemble_cleanup()". free_all_fragments()
361 * will free the adrress data associated with the key
363 g_hash_table_foreach_remove(*fragment_table,
364 free_all_fragments, NULL);
366 #if GLIB_CHECK_VERSION(2,10,0)
367 /* The fragment table does not exist. Create it */
368 *fragment_table = g_hash_table_new_full(fragment_hash,
369 fragment_equal, fragment_free_key, NULL);
371 /* The fragment table does not exist. Create it */
372 *fragment_table = g_hash_table_new(fragment_hash,
379 dcerpc_fragment_table_init(GHashTable **fragment_table)
381 if (*fragment_table != NULL) {
383 * The fragment hash table exists.
385 * Remove all entries and free fragment data for each entry.
387 * If slices are used (GLIB >= 2.10)
388 * the keys are freed by calling dcerpc_fragment_free_key()
389 * and the values are freed in free_all_fragments().
391 * If mem_chunks are used, the key and value data
392 * are freed by "reassemble_cleanup()". free_all_fragments()
393 * will free the adrress data associated with the key
395 g_hash_table_foreach_remove(*fragment_table,
396 free_all_fragments, NULL);
398 #if GLIB_CHECK_VERSION(2,10,0)
399 /* The fragment table does not exist. Create it */
400 *fragment_table = g_hash_table_new_full(dcerpc_fragment_hash,
401 dcerpc_fragment_equal, dcerpc_fragment_free_key, NULL);
403 /* The fragment table does not exist. Create it */
404 *fragment_table = g_hash_table_new(dcerpc_fragment_hash,
405 dcerpc_fragment_equal);
411 * Initialize a reassembled-packet table.
414 reassembled_table_init(GHashTable **reassembled_table)
416 if (*reassembled_table != NULL) {
418 * The reassembled-packet hash table exists.
420 * Remove all entries and free reassembled packet
421 * data for each entry. (The key data is freed
422 * by "reassemble_cleanup()".)
424 g_hash_table_foreach_remove(*reassembled_table,
425 free_all_reassembled_fragments, NULL);
427 /* The fragment table does not exist. Create it */
428 *reassembled_table = g_hash_table_new(reassembled_hash,
434 * Free up all space allocated for fragment keys and data and
438 reassemble_cleanup(void)
440 #if GLIB_CHECK_VERSION(2,10,0)
442 if (fragment_key_chunk != NULL)
443 g_mem_chunk_destroy(fragment_key_chunk);
444 if (dcerpc_fragment_key_chunk != NULL)
445 g_mem_chunk_destroy(dcerpc_fragment_key_chunk);
446 if (fragment_data_chunk != NULL)
447 g_mem_chunk_destroy(fragment_data_chunk);
449 fragment_key_chunk = NULL;
450 dcerpc_fragment_key_chunk = NULL;
451 fragment_data_chunk = NULL;
456 reassemble_init(void)
458 #if GLIB_CHECK_VERSION(2,10,0)
460 fragment_key_chunk = g_mem_chunk_new("fragment_key_chunk",
461 sizeof(fragment_key),
462 fragment_init_count * sizeof(fragment_key),
464 dcerpc_fragment_key_chunk = g_mem_chunk_new("dcerpc_fragment_key_chunk",
465 sizeof(dcerpc_fragment_key),
466 fragment_init_count * sizeof(dcerpc_fragment_key),
468 fragment_data_chunk = g_mem_chunk_new("fragment_data_chunk",
469 sizeof(fragment_data),
470 fragment_init_count * sizeof(fragment_data),
475 /* This function cleans up the stored state and removes the reassembly data and
476 * (with one exception) all allocated memory for matching reassembly.
479 * If the PDU was already completely reassembled, then the buffer containing the
480 * reassembled data WILL NOT be free()d, and the pointer to that buffer will be
482 * Othervise the function will return NULL.
484 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to
485 * g_free() that buffer.
488 fragment_delete(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table)
490 fragment_data *fd_head, *fd;
492 unsigned char *data=NULL;
494 /* create key to search hash with */
495 key.src = pinfo->src;
496 key.dst = pinfo->dst;
499 fd_head = g_hash_table_lookup(fragment_table, &key);
502 /* We do not recognize this as a PDU we have seen before. return */
507 /* loop over all partial fragments and free any buffers */
508 for(fd=fd_head->next;fd;){
509 fragment_data *tmp_fd;
512 if( !(fd->flags&FD_NOT_MALLOCED) )
514 #if GLIB_CHECK_VERSION(2,10,0)
515 g_slice_free(fragment_data, fd);
517 g_mem_chunk_free(fragment_data_chunk, fd);
521 #if GLIB_CHECK_VERSION(2,10,0)
522 g_slice_free(fragment_data, fd_head);
524 g_mem_chunk_free(fragment_data_chunk, fd_head);
526 g_hash_table_remove(fragment_table, &key);
531 /* This function is used to check if there is partial or completed reassembly state
532 * matching this packet. I.e. Is there reassembly going on or not for this packet?
535 fragment_get(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table)
537 fragment_data *fd_head;
540 /* create key to search hash with */
541 key.src = pinfo->src;
542 key.dst = pinfo->dst;
545 fd_head = g_hash_table_lookup(fragment_table, &key);
550 /* id *must* be the frame number for this to work! */
552 fragment_get_reassembled(const guint32 id, GHashTable *reassembled_table)
554 fragment_data *fd_head;
557 /* create key to search hash with */
560 fd_head = g_hash_table_lookup(reassembled_table, &key);
566 fragment_get_reassembled_id(const packet_info *pinfo, const guint32 id, GHashTable *reassembled_table)
568 fragment_data *fd_head;
571 /* create key to search hash with */
572 key.frame = pinfo->fd->num;
574 fd_head = g_hash_table_lookup(reassembled_table, &key);
579 /* This function can be used to explicitly set the total length (if known)
580 * for reassembly of a PDU.
581 * This is useful for reassembly of PDUs where one may have the total length specified
582 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
583 * is the last fragment.
585 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
586 * and just tell the reassembly engine the expected total length of the reassembled data
587 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
589 * Note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
590 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
591 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
594 fragment_set_tot_len(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table,
595 const guint32 tot_len)
597 fragment_data *fd_head;
600 /* create key to search hash with */
601 key.src = pinfo->src;
602 key.dst = pinfo->dst;
605 fd_head = g_hash_table_lookup(fragment_table, &key);
608 fd_head->datalen = tot_len;
609 fd_head->flags |= FD_DATALEN_SET;
616 fragment_get_tot_len(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table)
618 fragment_data *fd_head;
621 /* create key to search hash with */
622 key.src = pinfo->src;
623 key.dst = pinfo->dst;
626 fd_head = g_hash_table_lookup(fragment_table, &key);
629 return fd_head->datalen;
636 /* This function will set the partial reassembly flag for a fh.
637 When this function is called, the fh MUST already exist, i.e.
638 the fh MUST be created by the initial call to fragment_add() before
639 this function is called.
640 Also note that this function MUST be called to indicate a fh will be
641 extended (increase the already stored data)
645 fragment_set_partial_reassembly(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table)
647 fragment_data *fd_head;
650 /* create key to search hash with */
651 key.src = pinfo->src;
652 key.dst = pinfo->dst;
655 fd_head = g_hash_table_lookup(fragment_table, &key);
658 * XXX - why not do all the stuff done early in "fragment_add_work()",
659 * turning off FD_DEFRAGMENTED and pointing the fragments' data
660 * pointers to the appropriate part of the already-reassembled
661 * data, and clearing the data length and "reassembled in" frame
662 * number, here? We currently have a hack in the TCP dissector
663 * not to set the "reassembled in" value if the "partial reassembly"
664 * flag is set, so that in the first pass through the packets
665 * we don't falsely set a packet as reassembled in that packet
666 * if the dissector decided that even more reassembly was needed.
669 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
674 * This function gets rid of an entry from a fragment table, given
675 * a pointer to the key for that entry; it also frees up the key
676 * and the addresses in it.
677 * Note: If we use slices keys are freed by fragment_free_key()
678 [or dcerpc_fragment_free_key()] being called
679 * during g_hash_table_remove().
682 fragment_unhash(GHashTable *fragment_table, fragment_key *key)
685 * Remove the entry from the fragment table.
687 g_hash_table_remove(fragment_table, key);
690 * Free the key itself.
692 #if GLIB_CHECK_VERSION(2,10,0)
695 * Free up the copies of the addresses from the old key.
697 g_free((gpointer)key->src.data);
698 g_free((gpointer)key->dst.data);
700 g_mem_chunk_free(fragment_key_chunk, key);
705 * This function adds fragment_data structure to a reassembled-packet
706 * hash table, using the frame numbers of each of the frames from
707 * which it was reassembled as keys, and sets the "reassembled_in"
711 fragment_reassembled(fragment_data *fd_head, const packet_info *pinfo,
712 GHashTable *reassembled_table, const guint32 id)
714 reassembled_key *new_key;
717 if (fd_head->next == NULL) {
719 * This was not fragmented, so there's no fragment
720 * table; just hash it using the current frame number.
722 new_key = se_alloc(sizeof(reassembled_key));
723 new_key->frame = pinfo->fd->num;
725 g_hash_table_insert(reassembled_table, new_key, fd_head);
728 * Hash it with the frame numbers for all the frames.
730 for (fd = fd_head->next; fd != NULL; fd = fd->next){
731 new_key = se_alloc(sizeof(reassembled_key));
732 new_key->frame = fd->frame;
734 g_hash_table_insert(reassembled_table, new_key,
738 fd_head->flags |= FD_DEFRAGMENTED;
739 fd_head->reassembled_in = pinfo->fd->num;
743 * This function adds a new fragment to the fragment hash table.
744 * If this is the first fragment seen for this datagram, a new entry
745 * is created in the hash table, otherwise this fragment is just added
746 * to the linked list of fragments for this packet.
747 * The list of fragments for a specific datagram is kept sorted for
750 * Returns a pointer to the head of the fragment data list if we have all the
751 * fragments, NULL otherwise.
753 * This function assumes frag_offset being a byte offset into the defragment
757 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
758 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
759 * using fragment_set_partial_reassembly() before calling fragment_add
760 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
761 * are lowered when a new extension process is started.
764 fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, const int offset,
765 const packet_info *pinfo, const guint32 frag_offset,
766 const guint32 frag_data_len, const gboolean more_frags)
771 unsigned char *old_data;
773 /* create new fd describing this fragment */
774 #if GLIB_CHECK_VERSION(2,10,0)
775 fd = g_slice_new(fragment_data);
777 fd = g_mem_chunk_alloc(fragment_data_chunk);
781 fd->frame = pinfo->fd->num;
782 if (fd->frame > fd_head->frame)
783 fd_head->frame = fd->frame;
784 fd->offset = frag_offset;
785 fd->len = frag_data_len;
789 * If it was already defragmented and this new fragment goes beyond
790 * data limits, set flag in already empty fds & point old fds to malloc'ed data.
792 if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen &&
793 fd_head->flags & FD_PARTIAL_REASSEMBLY){
794 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
796 fd_i->data = fd_head->data + fd_i->offset;
797 fd_i->flags |= FD_NOT_MALLOCED;
799 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
801 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
802 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
804 fd_head->reassembled_in=0;
809 * This is the tail fragment in the sequence.
811 if (fd_head->flags & FD_DATALEN_SET) {
812 /* ok we have already seen other tails for this packet
813 * it might be a duplicate.
815 if (fd_head->datalen != (fd->offset + fd->len) ){
816 /* Oops, this tail indicates a different packet
817 * len than the previous ones. Something's wrong.
819 fd->flags |= FD_MULTIPLETAILS;
820 fd_head->flags |= FD_MULTIPLETAILS;
823 /* this was the first tail fragment, now we know the
824 * length of the packet
826 fd_head->datalen = fd->offset + fd->len;
827 fd_head->flags |= FD_DATALEN_SET;
834 /* If the packet is already defragmented, this MUST be an overlap.
835 * The entire defragmented packet is in fd_head->data.
836 * Even if we have previously defragmented this packet, we still
837 * check it. Someone might play overlap and TTL games.
839 if (fd_head->flags & FD_DEFRAGMENTED) {
840 guint32 end_offset = fd->offset + fd->len;
841 fd->flags |= FD_OVERLAP;
842 fd_head->flags |= FD_OVERLAP;
843 /* make sure it's not too long */
844 if (end_offset > fd_head->datalen || end_offset < fd->offset || end_offset < fd->len) {
845 fd->flags |= FD_TOOLONGFRAGMENT;
846 fd_head->flags |= FD_TOOLONGFRAGMENT;
848 /* make sure it doesn't conflict with previous data */
849 else if ( memcmp(fd_head->data+fd->offset,
850 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
851 fd->flags |= FD_OVERLAPCONFLICT;
852 fd_head->flags |= FD_OVERLAPCONFLICT;
854 /* it was just an overlap, link it and return */
855 LINK_FRAG(fd_head,fd);
861 /* If we have reached this point, the packet is not defragmented yet.
862 * Save all payload in a buffer until we can defragment.
863 * XXX - what if we didn't capture the entire fragment due
864 * to a too-short snapshot length?
866 fd->data = g_malloc(fd->len);
867 tvb_memcpy(tvb, fd->data, offset, fd->len);
868 LINK_FRAG(fd_head,fd);
871 if( !(fd_head->flags & FD_DATALEN_SET) ){
872 /* if we dont know the datalen, there are still missing
873 * packets. Cheaper than the check below.
880 * Check if we have received the entire fragment.
881 * This is easy since the list is sorted and the head is faked.
883 * First, we compute the amount of contiguous data that's
884 * available. (The check for fd_i->offset <= max rules out
885 * fragments that don't start before or at the end of the
886 * previous fragment, i.e. fragments that have a gap between
887 * them and the previous fragment.)
890 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
891 if ( ((fd_i->offset)<=max) &&
892 ((fd_i->offset+fd_i->len)>max) ){
893 max = fd_i->offset+fd_i->len;
897 if (max < (fd_head->datalen)) {
899 * The amount of contiguous data we have is less than the
900 * amount of data we're trying to reassemble, so we haven't
901 * received all packets yet.
907 if (max > (fd_head->datalen)) {
908 /*XXX not sure if current fd was the TOOLONG*/
909 /*XXX is it fair to flag current fd*/
910 /* oops, too long fragment detected */
911 fd->flags |= FD_TOOLONGFRAGMENT;
912 fd_head->flags |= FD_TOOLONGFRAGMENT;
915 /* we have received an entire packet, defragment it and
918 /* store old data just in case */
919 old_data=fd_head->data;
920 fd_head->data = g_malloc(max);
922 /* add all data fragments */
923 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
925 /* dfpos is always >= than fd_i->offset */
926 /* No gaps can exist here, max_loop(above) does this */
927 /* XXX - true? Can we get fd_i->offset+fd-i->len */
928 /* overflowing, for example? */
929 /* Actually: there is at least one pathological case wherein there can be fragments
930 on the list which are for offsets greater than max (i.e.: following a gap after max).
931 (Apparently a "DESEGMENT_UNTIL_FIN" was involved wherein the FIN packet had an offset
932 less than the highest fragment offset seen. [Seen from a fuzz-test: bug #2470]).
933 Note that the "overlap" compare must only be done for fragments with (offset+len) <= max
934 and thus within the newly g_malloc'd buffer.
937 if ( fd_i->offset+fd_i->len > dfpos ) {
938 if (fd_i->offset+fd_i->len > max)
939 g_warning("Reassemble error in frame %u: offset %u + len %u > max %u",
940 pinfo->fd->num, fd_i->offset,
942 else if (dfpos < fd_i->offset)
943 g_warning("Reassemble error in frame %u: dfpos %u < offset %u",
944 pinfo->fd->num, dfpos, fd_i->offset);
945 else if (dfpos-fd_i->offset > fd_i->len)
946 g_warning("Reassemble error in frame %u: dfpos %u - offset %u > len %u",
947 pinfo->fd->num, dfpos, fd_i->offset,
949 else if (!fd_head->data)
950 g_warning("Reassemble error in frame %u: no data",
953 if (fd_i->offset < dfpos) {
954 fd_i->flags |= FD_OVERLAP;
955 fd_head->flags |= FD_OVERLAP;
956 if ( memcmp(fd_head->data+fd_i->offset,
958 MIN(fd_i->len,(dfpos-fd_i->offset))
960 fd_i->flags |= FD_OVERLAPCONFLICT;
961 fd_head->flags |= FD_OVERLAPCONFLICT;
964 memcpy(fd_head->data+dfpos,
965 fd_i->data+(dfpos-fd_i->offset),
966 fd_i->len-(dfpos-fd_i->offset));
969 if (fd_i->offset+fd_i->len < fd_i->offset)
970 g_warning("Reassemble error in frame %u: offset %u + len %u < offset",
971 pinfo->fd->num, fd_i->offset,
974 if( fd_i->flags & FD_NOT_MALLOCED )
975 fd_i->flags &= ~FD_NOT_MALLOCED;
980 dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
985 /* mark this packet as defragmented.
986 allows us to skip any trailing fragments */
987 fd_head->flags |= FD_DEFRAGMENTED;
988 fd_head->reassembled_in=pinfo->fd->num;
993 static fragment_data *
994 fragment_add_common(tvbuff_t *tvb, const int offset, const packet_info *pinfo, const guint32 id,
995 GHashTable *fragment_table, const guint32 frag_offset,
996 const guint32 frag_data_len, const gboolean more_frags,
997 const gboolean check_already_added)
999 fragment_key key, *new_key;
1000 fragment_data *fd_head;
1001 fragment_data *fd_item;
1002 gboolean already_added=pinfo->fd->flags.visited;
1005 /* dissector shouldn't give us garbage tvb info */
1006 DISSECTOR_ASSERT(tvb_bytes_exist(tvb, offset, frag_data_len));
1008 /* create key to search hash with */
1009 key.src = pinfo->src;
1010 key.dst = pinfo->dst;
1013 fd_head = g_hash_table_lookup(fragment_table, &key);
1016 /* debug output of associated fragments. */
1017 /* leave it here for future debugging sessions */
1018 if(strcmp(pinfo->current_proto, "DCERPC") == 0) {
1019 printf("proto:%s num:%u id:%u offset:%u len:%u more:%u visited:%u\n",
1020 pinfo->current_proto, pinfo->fd->num, id, frag_offset, frag_data_len, more_frags, pinfo->fd->flags.visited);
1021 if(fd_head != NULL) {
1022 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
1023 printf("fd_frame:%u fd_offset:%u len:%u datalen:%u\n",
1024 fd_item->frame, fd_item->offset, fd_item->len, fd_item->datalen);
1031 * "already_added" is true if "pinfo->fd->flags.visited" is true;
1032 * if "pinfo->fd->flags.visited", this isn't the first pass, so
1033 * we've already done all the reassembly and added all the
1036 * If it's not true, but "check_already_added" is true, just check
1037 * if we have seen this fragment before, i.e., if we have already
1038 * added it to reassembly.
1039 * That can be true even if "pinfo->fd->flags.visited" is false
1040 * since we sometimes might call a subdissector multiple times.
1041 * As an additional check, just make sure we have not already added
1042 * this frame to the reassembly list, if there is a reassembly list;
1043 * note that the first item in the reassembly list is not a
1044 * fragment, it's a data structure for the reassembled packet.
1045 * We don't check it because its "frame" member isn't initialized
1046 * to anything, and because it doesn't count in any case.
1048 * And as another additional check, make sure the fragment offsets are
1049 * the same, as otherwise we get into trouble if multiple fragments
1052 if (!already_added && check_already_added && fd_head != NULL) {
1053 if (pinfo->fd->num <= fd_head->frame) {
1054 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
1055 if(pinfo->fd->num==fd_item->frame && frag_offset==fd_item->offset){
1061 /* have we already added this frame ?*/
1062 if (already_added) {
1063 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1071 /* not found, this must be the first snooped fragment for this
1072 * packet. Create list-head.
1074 fd_head = new_head(0);
1077 * We're going to use the key to insert the fragment,
1078 * so allocate a structure for it, and copy the
1079 * addresses, allocating new buffers for the address
1082 #if GLIB_CHECK_VERSION(2,10,0)
1083 new_key = g_slice_new(fragment_key);
1085 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1087 COPY_ADDRESS(&new_key->src, &key.src);
1088 COPY_ADDRESS(&new_key->dst, &key.dst);
1089 new_key->id = key.id;
1090 g_hash_table_insert(fragment_table, new_key, fd_head);
1093 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1094 frag_data_len, more_frags)) {
1096 * Reassembly is complete.
1101 * Reassembly isn't complete.
1108 fragment_add(tvbuff_t *tvb, const int offset, const packet_info *pinfo, const guint32 id,
1109 GHashTable *fragment_table, const guint32 frag_offset,
1110 const guint32 frag_data_len, const gboolean more_frags)
1112 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
1113 frag_offset, frag_data_len, more_frags, TRUE);
1117 * For use when you can have multiple fragments in the same frame added
1118 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
1121 fragment_add_multiple_ok(tvbuff_t *tvb, const int offset, const packet_info *pinfo,
1122 const guint32 id, GHashTable *fragment_table,
1123 const guint32 frag_offset, const guint32 frag_data_len,
1124 const gboolean more_frags)
1126 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
1127 frag_offset, frag_data_len, more_frags, FALSE);
1131 fragment_add_check(tvbuff_t *tvb, const int offset, const packet_info *pinfo,
1132 const guint32 id, GHashTable *fragment_table,
1133 GHashTable *reassembled_table, const guint32 frag_offset,
1134 const guint32 frag_data_len, const gboolean more_frags)
1136 reassembled_key reass_key;
1137 fragment_key key, *new_key, *old_key;
1138 gpointer orig_key, value;
1139 fragment_data *fd_head;
1142 * If this isn't the first pass, look for this frame in the table
1143 * of reassembled packets.
1145 if (pinfo->fd->flags.visited) {
1146 reass_key.frame = pinfo->fd->num;
1148 return g_hash_table_lookup(reassembled_table, &reass_key);
1151 /* create key to search hash with */
1152 key.src = pinfo->src;
1153 key.dst = pinfo->dst;
1156 /* Looks up a key in the GHashTable, returning the original key and the associated value
1157 * and a gboolean which is TRUE if the key was found. This is useful if you need to free
1158 * the memory allocated for the original key, for example before calling g_hash_table_remove()
1160 if (!g_hash_table_lookup_extended(fragment_table, &key,
1161 &orig_key, &value)) {
1162 /* not found, this must be the first snooped fragment for this
1163 * packet. Create list-head.
1165 fd_head = new_head(0);
1168 * We're going to use the key to insert the fragment,
1169 * so allocate a structure for it, and copy the
1170 * addresses, allocating new buffers for the address
1173 #if GLIB_CHECK_VERSION(2,10,0)
1174 new_key = g_slice_new(fragment_key);
1176 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1178 COPY_ADDRESS(&new_key->src, &key.src);
1179 COPY_ADDRESS(&new_key->dst, &key.dst);
1180 new_key->id = key.id;
1181 g_hash_table_insert(fragment_table, new_key, fd_head);
1183 orig_key = new_key; /* for unhashing it later */
1192 * If this is a short frame, then we can't, and don't, do
1193 * reassembly on it. We just give up.
1195 if (tvb_reported_length(tvb) > tvb_length(tvb))
1198 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1199 frag_data_len, more_frags)) {
1201 * Reassembly is complete.
1202 * Remove this from the table of in-progress
1203 * reassemblies, add it to the table of
1204 * reassembled packets, and return it.
1208 * Remove this from the table of in-progress reassemblies,
1209 * and free up any memory used for it in that table.
1212 fragment_unhash(fragment_table, old_key);
1215 * Add this item to the table of reassembled packets.
1217 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1221 * Reassembly isn't complete.
1228 fragment_defragment_and_free (fragment_data *fd_head, fragment_data *fd,
1229 const packet_info *pinfo)
1231 fragment_data *fd_i = NULL;
1232 fragment_data *last_fd = NULL;
1233 guint32 dfpos = 0, size = 0;
1234 void *old_data = NULL;
1236 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1237 if(!last_fd || last_fd->offset!=fd_i->offset){
1243 /* store old data in case the fd_i->data pointers refer to it */
1244 old_data=fd_head->data;
1245 fd_head->data = g_malloc(size);
1246 fd_head->len = size; /* record size for caller */
1248 /* add all data fragments */
1250 for (fd_i=fd_head->next;fd_i && fd_i->len + dfpos <= size;fd_i=fd_i->next) {
1252 if(!last_fd || last_fd->offset!=fd_i->offset){
1253 memcpy(fd_head->data+dfpos,fd_i->data,fd_i->len);
1256 /* duplicate/retransmission/overlap */
1257 fd_i->flags |= FD_OVERLAP;
1258 fd_head->flags |= FD_OVERLAP;
1259 if( (last_fd->len!=fd_i->len)
1260 || memcmp(last_fd->data, fd_i->data, last_fd->len) ) {
1262 fd->flags |= FD_OVERLAPCONFLICT;
1264 fd_head->flags |= FD_OVERLAPCONFLICT;
1271 /* we have defragmented the pdu, now free all fragments*/
1272 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1273 if( fd_i->flags & FD_NOT_MALLOCED )
1274 fd_i->flags &= ~FD_NOT_MALLOCED;
1281 /* mark this packet as defragmented.
1282 allows us to skip any trailing fragments */
1283 fd_head->flags |= FD_DEFRAGMENTED;
1284 fd_head->reassembled_in=pinfo->fd->num;
1288 * This function adds a new fragment to the entry for a reassembly
1291 * The list of fragments for a specific datagram is kept sorted for
1294 * Returns TRUE if we have all the fragments, FALSE otherwise.
1296 * This function assumes frag_number being a block sequence number.
1297 * The bsn for the first block is 0.
1300 fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, const int offset,
1301 const packet_info *pinfo, const guint32 frag_number,
1302 const guint32 frag_data_len, const gboolean more_frags,
1303 const guint32 flags _U_)
1306 fragment_data *fd_i;
1307 fragment_data *last_fd;
1310 /* if the partial reassembly flag has been set, and we are extending
1311 * the pdu, un-reassemble the pdu. This means pointing old fds to malloc'ed data.
1313 if(fd_head->flags & FD_DEFRAGMENTED && frag_number >= fd_head->datalen &&
1314 fd_head->flags & FD_PARTIAL_REASSEMBLY){
1315 guint32 lastdfpos = 0;
1317 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
1319 if( fd_i->flags & FD_OVERLAP ) {
1320 /* this is a duplicate of the previous
1322 fd_i->data = fd_head->data + lastdfpos;
1324 fd_i->data = fd_head->data + dfpos;
1328 fd_i->flags |= FD_NOT_MALLOCED;
1330 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1332 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
1333 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1335 fd_head->reassembled_in=0;
1339 /* create new fd describing this fragment */
1340 #if GLIB_CHECK_VERSION(2,10,0)
1341 fd = g_slice_new(fragment_data);
1343 fd = g_mem_chunk_alloc(fragment_data_chunk);
1347 fd->frame = pinfo->fd->num;
1348 fd->offset = frag_number;
1349 fd->len = frag_data_len;
1354 * This is the tail fragment in the sequence.
1356 if (fd_head->flags&FD_DATALEN_SET) {
1357 /* ok we have already seen other tails for this packet
1358 * it might be a duplicate.
1360 if (fd_head->datalen != fd->offset ){
1361 /* Oops, this tail indicates a different packet
1362 * len than the previous ones. Something's wrong.
1364 fd->flags |= FD_MULTIPLETAILS;
1365 fd_head->flags |= FD_MULTIPLETAILS;
1368 /* this was the first tail fragment, now we know the
1369 * sequence number of that fragment (which is NOT
1370 * the length of the packet!)
1372 fd_head->datalen = fd->offset;
1373 fd_head->flags |= FD_DATALEN_SET;
1377 /* If the packet is already defragmented, this MUST be an overlap.
1378 * The entire defragmented packet is in fd_head->data
1379 * Even if we have previously defragmented this packet, we still check
1380 * check it. Someone might play overlap and TTL games.
1382 if (fd_head->flags & FD_DEFRAGMENTED) {
1383 fd->flags |= FD_OVERLAP;
1384 fd_head->flags |= FD_OVERLAP;
1386 /* make sure it's not past the end */
1387 if (fd->offset > fd_head->datalen) {
1388 /* new fragment comes after the end */
1389 fd->flags |= FD_TOOLONGFRAGMENT;
1390 fd_head->flags |= FD_TOOLONGFRAGMENT;
1391 LINK_FRAG(fd_head,fd);
1394 /* make sure it doesn't conflict with previous data */
1397 for (fd_i=fd_head->next;fd_i && (fd_i->offset!=fd->offset);fd_i=fd_i->next) {
1398 if (!last_fd || last_fd->offset!=fd_i->offset){
1404 /* new fragment overlaps existing fragment */
1405 if(fd_i->len!=fd->len){
1407 * They have different lengths; this
1408 * is definitely a conflict.
1410 fd->flags |= FD_OVERLAPCONFLICT;
1411 fd_head->flags |= FD_OVERLAPCONFLICT;
1412 LINK_FRAG(fd_head,fd);
1415 DISSECTOR_ASSERT(fd_head->len >= dfpos + fd->len);
1416 if ( memcmp(fd_head->data+dfpos,
1417 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1419 * They have the same length, but the
1420 * data isn't the same.
1422 fd->flags |= FD_OVERLAPCONFLICT;
1423 fd_head->flags |= FD_OVERLAPCONFLICT;
1424 LINK_FRAG(fd_head,fd);
1427 /* it was just an overlap, link it and return */
1428 LINK_FRAG(fd_head,fd);
1432 * New fragment doesn't overlap an existing
1433 * fragment - there was presumably a gap in
1434 * the sequence number space.
1436 * XXX - what should we do here? Is it always
1437 * the case that there are no gaps, or are there
1438 * protcols using sequence numbers where there
1441 * If the former, the check below for having
1442 * received all the fragments should check for
1443 * holes in the sequence number space and for the
1444 * first sequence number being 0. If we do that,
1445 * the only way we can get here is if this fragment
1446 * is past the end of the sequence number space -
1447 * but the check for "fd->offset > fd_head->datalen"
1448 * would have caught that above, so it can't happen.
1450 * If the latter, we don't have a good way of
1451 * knowing whether reassembly is complete if we
1452 * get packet out of order such that the "last"
1453 * fragment doesn't show up last - but, unless
1454 * in-order reliable delivery of fragments is
1455 * guaranteed, an implementation of the protocol
1456 * has no way of knowing whether reassembly is
1459 * For now, we just link the fragment in and
1462 LINK_FRAG(fd_head,fd);
1467 /* If we have reached this point, the packet is not defragmented yet.
1468 * Save all payload in a buffer until we can defragment.
1469 * XXX - what if we didn't capture the entire fragment due
1470 * to a too-short snapshot length?
1472 /* check len, there may be a fragment with 0 len, that is actually the tail */
1474 fd->data = g_malloc(fd->len);
1475 tvb_memcpy(tvb, fd->data, offset, fd->len);
1477 LINK_FRAG(fd_head,fd);
1480 if( !(fd_head->flags & FD_DATALEN_SET) ){
1481 /* if we dont know the sequence number of the last fragment,
1482 * there are definitely still missing packets. Cheaper than
1489 /* check if we have received the entire fragment
1490 * this is easy since the list is sorted and the head is faked.
1491 * common case the whole list is scanned.
1494 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1495 if ( fd_i->offset==max ){
1499 /* max will now be datalen+1 if all fragments have been seen */
1501 if (max <= fd_head->datalen) {
1502 /* we have not received all packets yet */
1507 if (max > (fd_head->datalen+1)) {
1508 /* oops, too long fragment detected */
1509 fd->flags |= FD_TOOLONGFRAGMENT;
1510 fd_head->flags |= FD_TOOLONGFRAGMENT;
1514 /* we have received an entire packet, defragment it and
1515 * free all fragments
1517 fragment_defragment_and_free(fd_head, fd, pinfo);
1523 * This function adds a new fragment to the fragment hash table.
1524 * If this is the first fragment seen for this datagram, a new entry
1525 * is created in the hash table, otherwise this fragment is just added
1526 * to the linked list of fragments for this packet.
1528 * Returns a pointer to the head of the fragment data list if we have all the
1529 * fragments, NULL otherwise.
1531 * This function assumes frag_number being a block sequence number.
1532 * The bsn for the first block is 0.
1535 fragment_add_seq(tvbuff_t *tvb, const int offset, const packet_info *pinfo, const guint32 id,
1536 GHashTable *fragment_table, const guint32 frag_number,
1537 const guint32 frag_data_len, const gboolean more_frags)
1541 /* create key to search hash with */
1542 key.src = pinfo->src;
1543 key.dst = pinfo->dst;
1546 return fragment_add_seq_key(tvb, offset, pinfo,
1547 &key, fragment_key_copy,
1548 fragment_table, frag_number,
1549 frag_data_len, more_frags, 0);
1554 fragment_add_dcerpc_dg(tvbuff_t *tvb, const int offset, const packet_info *pinfo, const guint32 id,
1556 GHashTable *fragment_table, const guint32 frag_number,
1557 const guint32 frag_data_len, const gboolean more_frags)
1559 e_uuid_t *act_id = (e_uuid_t *)v_act_id;
1560 dcerpc_fragment_key key;
1562 /* create key to search hash with */
1563 key.src = pinfo->src;
1564 key.dst = pinfo->dst;
1566 key.act_id = *act_id;
1568 return fragment_add_seq_key(tvb, offset, pinfo,
1569 &key, dcerpc_fragment_key_copy,
1570 fragment_table, frag_number,
1571 frag_data_len, more_frags, 0);
1575 fragment_add_seq_key(tvbuff_t *tvb, const int offset, const packet_info *pinfo,
1576 void *key, fragment_key_copier key_copier,
1577 GHashTable *fragment_table, guint32 frag_number,
1578 const guint32 frag_data_len, const gboolean more_frags,
1579 const guint32 flags)
1581 fragment_data *fd_head;
1582 fd_head = g_hash_table_lookup(fragment_table, key);
1584 /* have we already seen this frame ?*/
1585 if (pinfo->fd->flags.visited) {
1586 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1594 /* not found, this must be the first snooped fragment for this
1595 * packet. Create list-head.
1597 fd_head= new_head(FD_BLOCKSEQUENCE);
1599 if((flags & (REASSEMBLE_FLAGS_NO_FRAG_NUMBER|REASSEMBLE_FLAGS_802_11_HACK))
1602 * This is the last fragment for this packet, and
1603 * is the only one we've seen.
1605 * Either we don't have sequence numbers, in which
1606 * case we assume this is the first fragment for
1607 * this packet, or we're doing special 802.11
1608 * processing, in which case we assume it's one
1609 * of those reassembled packets with a non-zero
1610 * fragment number (see packet-80211.c); just
1611 * return a pointer to the head of the list;
1612 * fragment_add_seq_check will then add it to the table
1613 * of reassembled packets.
1615 fd_head->reassembled_in=pinfo->fd->num;
1620 * We're going to use the key to insert the fragment,
1621 * so copy it to a long-term store.
1623 if(key_copier != NULL)
1624 key = key_copier(key);
1625 g_hash_table_insert(fragment_table, key, fd_head);
1628 * If we weren't given an initial fragment number,
1631 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER)
1634 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER) {
1637 * If we weren't given an initial fragment number,
1638 * use the next expected fragment number as the fragment
1639 * number for this fragment.
1641 for (fd = fd_head; fd != NULL; fd = fd->next) {
1642 if (fd->next == NULL)
1643 frag_number = fd->offset + 1;
1649 * XXX I've copied this over from the old separate
1650 * fragment_add_seq_check_work, but I'm not convinced it's doing the
1651 * right thing -- rav
1653 * If we don't have all the data that is in this fragment,
1654 * then we can't, and don't, do reassembly on it.
1656 * If it's the first frame, handle it as an unfragmented packet.
1657 * Otherwise, just handle it as a fragment.
1659 * If "more_frags" isn't set, we get rid of the entry in the
1660 * hash table for this reassembly, as we don't need it any more.
1662 if ((flags & REASSEMBLE_FLAGS_CHECK_DATA_PRESENT) &&
1663 !tvb_bytes_exist(tvb, offset, frag_data_len)) {
1667 * Remove this from the table of in-progress
1668 * reassemblies, and free up any memory used for
1671 if (g_hash_table_lookup_extended(fragment_table, key,
1673 fragment_unhash(fragment_table, (fragment_key *)orig_key);
1676 fd_head -> flags |= FD_DATA_NOT_PRESENT;
1677 return frag_number == 0 ? fd_head : NULL;
1680 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1681 frag_number, frag_data_len, more_frags, flags)) {
1683 * Reassembly is complete.
1688 * Reassembly isn't complete.
1695 * This does the work for "fragment_add_seq_check()" and
1696 * "fragment_add_seq_next()".
1698 * This function assumes frag_number being a block sequence number.
1699 * The bsn for the first block is 0.
1701 * If "no_frag_number" is TRUE, it uses the next expected fragment number
1702 * as the fragment number if there is a reassembly in progress, otherwise
1705 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
1706 * the fragment number.
1708 * If this is the first fragment seen for this datagram, a new
1709 * "fragment_data" structure is allocated to refer to the reassembled
1712 * This fragment is added to the linked list of fragments for this packet.
1714 * If "more_frags" is false and REASSEMBLE_FLAGS_802_11_HACK (as the name
1715 * implies, a special hack for 802.11) or REASSEMBLE_FLAGS_NO_FRAG_NUMBER
1716 * (implying messages must be in order since there's no sequence number) are
1717 * set in "flags", then this (one element) list is returned.
1719 * If, after processing this fragment, we have all the fragments,
1720 * "fragment_add_seq_check_work()" removes that from the fragment hash
1721 * table if necessary and adds it to the table of reassembled fragments,
1722 * and returns a pointer to the head of the fragment list.
1724 * Otherwise, it returns NULL.
1726 * XXX - Should we simply return NULL for zero-length fragments?
1728 static fragment_data *
1729 fragment_add_seq_check_work(tvbuff_t *tvb, const int offset,
1730 const packet_info *pinfo, const guint32 id,
1731 GHashTable *fragment_table,
1732 GHashTable *reassembled_table,
1733 const guint32 frag_number,
1734 const guint32 frag_data_len,
1735 const gboolean more_frags, const guint32 flags)
1737 reassembled_key reass_key;
1739 fragment_data *fd_head;
1742 * Have we already seen this frame?
1743 * If so, look for it in the table of reassembled packets.
1745 if (pinfo->fd->flags.visited) {
1746 reass_key.frame = pinfo->fd->num;
1748 return g_hash_table_lookup(reassembled_table, &reass_key);
1751 /* create key to search hash with */
1752 key.src = pinfo->src;
1753 key.dst = pinfo->dst;
1756 fd_head = fragment_add_seq_key(tvb, offset, pinfo,
1757 &key, fragment_key_copy,
1758 fragment_table, frag_number,
1759 frag_data_len, more_frags, flags|REASSEMBLE_FLAGS_CHECK_DATA_PRESENT);
1763 if(fd_head->flags & FD_DATA_NOT_PRESENT) {
1764 /* this is the first fragment of a datagram with
1765 * truncated fragments. Don't move it to the
1766 * reassembled table. */
1771 * Reassembly is complete.
1772 * Remove this from the table of in-progress
1773 * reassemblies, add it to the table of
1774 * reassembled packets, and return it.
1776 if (g_hash_table_lookup_extended(fragment_table, &key,
1779 * Remove this from the table of in-progress reassemblies,
1780 * and free up any memory used for it in that table.
1782 fragment_unhash(fragment_table, (fragment_key *)orig_key);
1786 * Add this item to the table of reassembled packets.
1788 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1792 * Reassembly isn't complete.
1799 fragment_add_seq_check(tvbuff_t *tvb, const int offset,
1800 const packet_info *pinfo, const guint32 id,
1801 GHashTable *fragment_table,
1802 GHashTable *reassembled_table, const guint32 frag_number,
1803 const guint32 frag_data_len, const gboolean more_frags)
1805 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1806 fragment_table, reassembled_table,
1807 frag_number, frag_data_len,
1812 fragment_add_seq_802_11(tvbuff_t *tvb, const int offset,
1813 const packet_info *pinfo, const guint32 id,
1814 GHashTable *fragment_table,
1815 GHashTable *reassembled_table,
1816 const guint32 frag_number, const guint32 frag_data_len,
1817 const gboolean more_frags)
1819 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1820 fragment_table, reassembled_table,
1821 frag_number, frag_data_len,
1823 REASSEMBLE_FLAGS_802_11_HACK);
1827 fragment_add_seq_next(tvbuff_t *tvb, const int offset, const packet_info *pinfo,
1828 const guint32 id, GHashTable *fragment_table,
1829 GHashTable *reassembled_table, const guint32 frag_data_len,
1830 const gboolean more_frags)
1832 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1833 fragment_table, reassembled_table, 0,
1834 frag_data_len, more_frags,
1835 REASSEMBLE_FLAGS_NO_FRAG_NUMBER);
1839 fragment_start_seq_check(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table,
1840 const guint32 tot_len)
1842 fragment_key key, *new_key;
1843 fragment_data *fd_head;
1845 /* Have we already seen this frame ?*/
1846 if (pinfo->fd->flags.visited) {
1850 /* Create key to search hash with */
1851 key.src = pinfo->src;
1852 key.dst = pinfo->dst;
1855 /* Check if fragment data exist for this key */
1856 fd_head = g_hash_table_lookup(fragment_table, &key);
1858 if (fd_head == NULL) {
1859 /* Create list-head. */
1860 #if GLIB_CHECK_VERSION(2,10,0)
1861 fd_head = g_slice_new(fragment_data);
1863 fd_head = g_mem_chunk_alloc(fragment_data_chunk);
1866 fd_head->next = NULL;
1867 fd_head->datalen = tot_len;
1868 fd_head->offset = 0;
1870 fd_head->flags = FD_BLOCKSEQUENCE|FD_DATALEN_SET;
1871 fd_head->data = NULL;
1872 fd_head->reassembled_in = 0;
1874 * We're going to use the key to insert the fragment,
1875 * so copy it to a long-term store.
1877 new_key = fragment_key_copy(&key);
1878 g_hash_table_insert(fragment_table, new_key, fd_head);
1883 fragment_end_seq_next(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table,
1884 GHashTable *reassembled_table)
1886 reassembled_key reass_key;
1887 reassembled_key *new_key;
1889 fragment_data *fd_head;
1892 * Have we already seen this frame?
1893 * If so, look for it in the table of reassembled packets.
1895 if (pinfo->fd->flags.visited) {
1896 reass_key.frame = pinfo->fd->num;
1898 return g_hash_table_lookup(reassembled_table, &reass_key);
1901 /* create key to search hash with */
1902 key.src = pinfo->src;
1903 key.dst = pinfo->dst;
1906 fd_head = g_hash_table_lookup (fragment_table, &key);
1911 if (fd_head->flags & FD_DATA_NOT_PRESENT) {
1916 fd_head->datalen = fd_head->offset;
1917 fd_head->flags |= FD_DATALEN_SET;
1919 fragment_defragment_and_free (fd_head, NULL, pinfo);
1922 * Remove this from the table of in-progress
1923 * reassemblies, add it to the table of
1924 * reassembled packets, and return it.
1926 if (g_hash_table_lookup_extended(fragment_table, &key,
1929 * Remove this from the table of in-progress reassemblies,
1930 * and free up any memory used for it in that table.
1932 fragment_unhash(fragment_table, (fragment_key *)orig_key);
1936 * Add this item to the table of reassembled packets.
1938 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1939 if (fd_head->next != NULL) {
1940 new_key = se_alloc(sizeof(reassembled_key));
1941 new_key->frame = pinfo->fd->num;
1943 g_hash_table_insert(reassembled_table, new_key, fd_head);
1949 * Fragment data not found.
1956 * Process reassembled data; if we're on the frame in which the data
1957 * was reassembled, put the fragment information into the protocol
1958 * tree, and construct a tvbuff with the reassembled data, otherwise
1959 * just put a "reassembled in" item into the protocol tree.
1962 process_reassembled_data(tvbuff_t *tvb, const int offset, packet_info *pinfo,
1963 const char *name, fragment_data *fd_head, const fragment_items *fit,
1964 gboolean *update_col_infop, proto_tree *tree)
1967 gboolean update_col_info;
1968 proto_item *frag_tree_item;
1970 if (fd_head != NULL && pinfo->fd->num == fd_head->reassembled_in) {
1972 * OK, we've reassembled this.
1973 * Is this something that's been reassembled from more
1974 * than one fragment?
1976 if (fd_head->next != NULL) {
1979 * Allocate a new tvbuff, referring to the
1980 * reassembled payload.
1982 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1983 next_tvb = tvb_new_real_data(fd_head->data,
1984 fd_head->len, fd_head->len);
1986 next_tvb = tvb_new_real_data(fd_head->data,
1987 fd_head->datalen, fd_head->datalen);
1991 * Add the tvbuff to the list of tvbuffs to which
1992 * the tvbuff we were handed refers, so it'll get
1993 * cleaned up when that tvbuff is cleaned up.
1995 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1997 /* Add the defragmented data to the data source list. */
1998 add_new_data_source(pinfo, next_tvb, name);
2000 /* show all fragments */
2001 if (fd_head->flags & FD_BLOCKSEQUENCE) {
2002 update_col_info = !show_fragment_seq_tree(
2003 fd_head, fit, tree, pinfo, next_tvb, &frag_tree_item);
2005 update_col_info = !show_fragment_tree(fd_head,
2006 fit, tree, pinfo, next_tvb, &frag_tree_item);
2011 * Return a tvbuff with the payload.
2013 next_tvb = tvb_new_subset_remaining(tvb, offset);
2014 pinfo->fragmented = FALSE; /* one-fragment packet */
2015 update_col_info = TRUE;
2017 if (update_col_infop != NULL)
2018 *update_col_infop = update_col_info;
2021 * We don't have the complete reassembled payload, or this
2022 * isn't the final frame of that payload.
2027 * If we know what frame this was reassembled in,
2028 * and if there's a field to use for the number of
2029 * the frame in which the packet was reassembled,
2030 * add it to the protocol tree.
2032 if (fd_head != NULL && fit->hf_reassembled_in != NULL) {
2033 proto_tree_add_uint(tree,
2034 *(fit->hf_reassembled_in), tvb,
2035 0, 0, fd_head->reassembled_in);
2042 * Show a single fragment in a fragment subtree, and put information about
2043 * it in the top-level item for that subtree.
2046 show_fragment(fragment_data *fd, const int offset, const fragment_items *fit,
2047 proto_tree *ft, proto_item *fi, const gboolean first_frag, const guint32 count, tvbuff_t *tvb)
2049 proto_item *fei=NULL;
2055 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragment)));
2057 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragments)));
2059 proto_item_set_text(fi, "%u %s (%u byte%s): ", count, name, tvb_length(tvb),
2060 plurality(tvb_length(tvb), "", "s"));
2063 proto_item_append_text(fi, ", ");
2065 proto_item_append_text(fi, "#%u(%u)", fd->frame, fd->len);
2067 if (fd->flags & (FD_OVERLAPCONFLICT
2068 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2069 hf = *(fit->hf_fragment_error);
2071 hf = *(fit->hf_fragment);
2074 fei = proto_tree_add_uint_format(ft, hf,
2075 tvb, offset, fd->len,
2077 "Frame: %u (no data)",
2080 fei = proto_tree_add_uint_format(ft, hf,
2081 tvb, offset, fd->len,
2083 "Frame: %u, payload: %u-%u (%u byte%s)",
2088 plurality(fd->len, "", "s"));
2090 PROTO_ITEM_SET_GENERATED(fei);
2091 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
2092 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2093 /* this fragment has some flags set, create a subtree
2094 * for it and display the flags.
2096 proto_tree *fet=NULL;
2098 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
2099 if (fd->flags&FD_OVERLAP) {
2100 fei=proto_tree_add_boolean(fet,
2101 *(fit->hf_fragment_overlap),
2104 PROTO_ITEM_SET_GENERATED(fei);
2106 if (fd->flags&FD_OVERLAPCONFLICT) {
2107 fei=proto_tree_add_boolean(fet,
2108 *(fit->hf_fragment_overlap_conflict),
2111 PROTO_ITEM_SET_GENERATED(fei);
2113 if (fd->flags&FD_MULTIPLETAILS) {
2114 fei=proto_tree_add_boolean(fet,
2115 *(fit->hf_fragment_multiple_tails),
2118 PROTO_ITEM_SET_GENERATED(fei);
2120 if (fd->flags&FD_TOOLONGFRAGMENT) {
2121 fei=proto_tree_add_boolean(fet,
2122 *(fit->hf_fragment_too_long_fragment),
2125 PROTO_ITEM_SET_GENERATED(fei);
2131 show_fragment_errs_in_col(fragment_data *fd_head, const fragment_items *fit,
2134 if (fd_head->flags & (FD_OVERLAPCONFLICT
2135 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2136 if (check_col(pinfo->cinfo, COL_INFO)) {
2137 col_add_fstr(pinfo->cinfo, COL_INFO,
2138 "[Illegal %s]", fit->tag);
2146 /* This function will build the fragment subtree; it's for fragments
2147 reassembled with "fragment_add()".
2149 It will return TRUE if there were fragmentation errors
2150 or FALSE if fragmentation was ok.
2153 show_fragment_tree(fragment_data *fd_head, const fragment_items *fit,
2154 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2158 gboolean first_frag;
2160 /* It's not fragmented. */
2161 pinfo->fragmented = FALSE;
2163 *fi = proto_tree_add_item(tree, *(fit->hf_fragments),
2165 PROTO_ITEM_SET_GENERATED(*fi);
2167 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2169 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2172 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2173 show_fragment(fd, fd->offset, fit, ft, *fi, first_frag, count, tvb);
2177 if (fit->hf_fragment_count) {
2178 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2180 PROTO_ITEM_SET_GENERATED(fli);
2183 if (fit->hf_reassembled_length) {
2184 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2185 tvb, 0, 0, tvb_length (tvb));
2186 PROTO_ITEM_SET_GENERATED(fli);
2189 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2192 /* This function will build the fragment subtree; it's for fragments
2193 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
2195 It will return TRUE if there were fragmentation errors
2196 or FALSE if fragmentation was ok.
2199 show_fragment_seq_tree(fragment_data *fd_head, const fragment_items *fit,
2200 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2202 guint32 offset, next_offset, count = 0;
2203 fragment_data *fd, *last_fd;
2205 gboolean first_frag;
2207 /* It's not fragmented. */
2208 pinfo->fragmented = FALSE;
2210 *fi = proto_tree_add_item(tree, *(fit->hf_fragments),
2212 PROTO_ITEM_SET_GENERATED(*fi);
2214 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2219 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2222 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2223 if (last_fd == NULL || last_fd->offset != fd->offset) {
2224 offset = next_offset;
2225 next_offset += fd->len;
2228 show_fragment(fd, offset, fit, ft, *fi, first_frag, count, tvb);
2232 if (fit->hf_fragment_count) {
2233 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2235 PROTO_ITEM_SET_GENERATED(fli);
2238 if (fit->hf_reassembled_length) {
2239 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2240 tvb, 0, 0, tvb_length (tvb));
2241 PROTO_ITEM_SET_GENERATED(fli);
2244 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2250 * indent-tabs-mode: t