2 * Routines for {fragment,segment} reassembly
4 * $Id: reassemble.c,v 1.9 2002/02/03 23:28:38 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
33 #include "reassemble.h"
35 typedef struct _fragment_key {
41 static GMemChunk *fragment_key_chunk = NULL;
42 static GMemChunk *fragment_data_chunk = NULL;
43 static int fragment_init_count = 200;
45 #define LINK_FRAG(fd_head,fd) \
46 { fragment_data *fd_i; \
47 /* add fragment to list, keep list sorted */ \
48 for(fd_i=(fd_head);fd_i->next;fd_i=fd_i->next){ \
49 if( ((fd)->offset) < (fd_i->next->offset) ) \
52 (fd)->next=fd_i->next; \
57 fragment_equal(gconstpointer k1, gconstpointer k2)
59 fragment_key* key1 = (fragment_key*) k1;
60 fragment_key* key2 = (fragment_key*) k2;
62 /*key.id is the first item to compare since item is most
63 likely to differ between sessions, thus shortcircuiting
64 the comparasion of addresses.
66 return ( ( (key1->id == key2->id) &&
67 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
68 (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
74 fragment_hash(gconstpointer k)
76 fragment_key* key = (fragment_key*) k;
84 /* More than likely: in most captures src and dst addresses are the
85 same, and would hash the same.
86 We only use id as the hash as an optimization.
88 for (i = 0; i < key->src.len; i++)
89 hash_val += key->src.data[i];
90 for (i = 0; i < key->dst.len; i++)
91 hash_val += key->dst.data[i];
100 * For a hash table entry, free the address data to which the key refers
101 * and the fragment data to which the value refers.
102 * (The actual key and value structures get freed by "reassemble_init()".)
105 free_all_fragments(gpointer key_arg, gpointer value, gpointer user_data)
107 fragment_key *key = key_arg;
108 fragment_data *fd_head;
111 * Grr. I guess the theory here is that freeing
112 * something sure as heck modifies it, so you
113 * want to ban attempts to free it, but, alas,
114 * if we make the "data" field of an "address"
115 * structure not a "const", the compiler whines if
116 * we try to make it point into the data for a packet,
117 * as that's a "const" array (and should be, as dissectors
118 * shouldn't trash it).
120 * So we cast the complaint into oblivion, and rely on
121 * the fact that these addresses are known to have had
122 * their data mallocated, i.e. they don't point into,
123 * say, the middle of the data for a packet.
125 g_free((gpointer)key->src.data);
126 g_free((gpointer)key->dst.data);
128 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
129 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
130 g_free(fd_head->data);
137 * Initialize a fragment table.
140 fragment_table_init(GHashTable **fragment_table)
142 if (*fragment_table != NULL) {
144 * The fragment hash table exists.
146 * Remove all entries and free fragment data for
147 * each entry. (The key and value data is freed
148 * by "reassemble_init()".)
150 g_hash_table_foreach_remove(*fragment_table,
151 free_all_fragments, NULL);
153 /* The fragment table does not exist. Create it */
154 *fragment_table = g_hash_table_new(fragment_hash,
160 * Free up all space allocated for fragment keys and data.
163 reassemble_init(void)
165 if (fragment_key_chunk != NULL)
166 g_mem_chunk_destroy(fragment_key_chunk);
167 if (fragment_data_chunk != NULL)
168 g_mem_chunk_destroy(fragment_data_chunk);
169 fragment_key_chunk = g_mem_chunk_new("fragment_key_chunk",
170 sizeof(fragment_key),
171 fragment_init_count * sizeof(fragment_key),
173 fragment_data_chunk = g_mem_chunk_new("fragment_data_chunk",
174 sizeof(fragment_data),
175 fragment_init_count * sizeof(fragment_data),
179 /* This function cleans up the stored state and removes the reassembly data and
180 * (with one exception) all allocated memory for matching reassembly.
183 * If the PDU was already completely reassembled, then the buffer containing the
184 * reassembled data WILL NOT be free()d, and the pointer to that buffer will be
186 * Othervise the function will return NULL.
188 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to
189 * g_free() that buffer.
192 fragment_delete(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
194 fragment_data *fd_head, *fd;
196 unsigned char *data=NULL;
198 /* create key to search hash with */
199 key.src = pinfo->src;
200 key.dst = pinfo->dst;
203 fd_head = g_hash_table_lookup(fragment_table, &key);
206 /* We do not recognize this as a PDU we have seen before. return*/
211 /* loop over all partial fragments and free any buffers */
212 for(fd=fd_head->next;fd;){
213 fragment_data *tmp_fd;
216 if( !(fd->flags&FD_NOT_MALLOCED) )
218 g_mem_chunk_free(fragment_data_chunk, fd);
221 g_mem_chunk_free(fragment_data_chunk, fd_head);
222 g_hash_table_remove(fragment_table, &key);
227 /* This function is used to check if there is partial or completed reassembly state
228 * matching this packet. I.e. Are there reassembly going on or not for this packet?
231 fragment_get(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
233 fragment_data *fd_head;
236 /* create key to search hash with */
237 key.src = pinfo->src;
238 key.dst = pinfo->dst;
241 fd_head = g_hash_table_lookup(fragment_table, &key);
246 /* This function can be used to explicitely set the total length (if known)
247 * for reassembly of a PDU.
248 * This is useful for reassembly of PDUs where one may have the total length specified
249 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
250 * is the last fragment.
252 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
253 * and just tell the reassembly engine the expected total length of the reassembled data
254 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
256 * note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
257 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
258 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
261 fragment_set_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table,
264 fragment_data *fd_head;
267 /* create key to search hash with */
268 key.src = pinfo->src;
269 key.dst = pinfo->dst;
272 fd_head = g_hash_table_lookup(fragment_table, &key);
275 fd_head->datalen = tot_len;
282 /* This function will set the partial reassembly flag for a fh.
283 When this function is called, the fh MUST already exist, i.e.
284 the fh MUST be created by the initial call to fragment_add() before
285 this function is called.
286 Also note that this function MUST be called to indicate a fh will be
287 extended (increase the already stored data)
291 fragment_set_partial_reassembly(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
293 fragment_data *fd_head;
296 /* create key to search hash with */
297 key.src = pinfo->src;
298 key.dst = pinfo->dst;
301 fd_head = g_hash_table_lookup(fragment_table, &key);
304 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
308 * This function adds a new fragment to the fragment hash table.
309 * If this is the first fragment seen for this datagram, a new entry
310 * is created in the hash table, otherwise this fragment is just added
311 * to the linked list of fragments for this packet.
312 * The list of fragments for a specific datagram is kept sorted for
315 * Returns a pointer to the head of the fragment data list if we have all the
316 * fragments, NULL otherwise.
318 * This function assumes frag_offset being a byte offset into the defragment
322 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
323 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
324 * using fragment_set_partial_reassembly() before calling fragment_add
325 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
326 * are lowered when a new extension process is started.
329 fragment_add(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
330 GHashTable *fragment_table, guint32 frag_offset,
331 guint32 frag_data_len, gboolean more_frags)
333 fragment_key key, *new_key;
334 fragment_data *fd_head;
338 unsigned char *old_data;
340 /* create key to search hash with */
341 key.src = pinfo->src;
342 key.dst = pinfo->dst;
345 fd_head = g_hash_table_lookup(fragment_table, &key);
347 /* have we already seen this frame ?*/
348 if (pinfo->fd->flags.visited) {
349 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
357 /* not found, this must be the first snooped fragment for this
358 * packet. Create list-head.
360 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
361 /* head/first structure in list only holds no other data than
362 * 'datalen' then we don't have to change the head of the list
363 * even if we want to keep it sorted
373 * We're going to use the key to insert the fragment,
374 * so allocate a structure for it, and copy the
375 * addresses, allocating new buffers for the address
378 new_key = g_mem_chunk_alloc(fragment_key_chunk);
379 COPY_ADDRESS(&new_key->src, &key.src);
380 COPY_ADDRESS(&new_key->dst, &key.dst);
381 new_key->id = key.id;
382 g_hash_table_insert(fragment_table, new_key, fd_head);
385 /* create new fd describing this fragment */
386 fd = g_mem_chunk_alloc(fragment_data_chunk);
389 fd->frame = pinfo->fd->num;
390 fd->offset = frag_offset;
391 fd->len = frag_data_len;
395 * If it was already defragmented and this new fragment goes beyond
396 * data limits, set flag in already empty fds & point old fds to malloc'ed data.
398 if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen &&
399 fd_head->flags & FD_PARTIAL_REASSEMBLY){
400 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
402 fd_i->data = fd_head->data + fd_i->offset;
403 fd_i->flags |= FD_NOT_MALLOCED;
405 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
407 fd_head->flags ^= FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY;
408 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
414 * This is the tail fragment in the sequence.
416 if (fd_head->datalen) {
417 /* ok we have already seen other tails for this packet
418 * it might be a duplicate.
420 if (fd_head->datalen != (fd->offset + fd->len) ){
421 /* Oops, this tail indicates a different packet
422 * len than the previous ones. Somethings wrong
424 fd->flags |= FD_MULTIPLETAILS;
425 fd_head->flags |= FD_MULTIPLETAILS;
428 /* this was the first tail fragment, now we know the
429 * length of the packet
431 fd_head->datalen = fd->offset + fd->len;
438 /* If the packet is already defragmented, this MUST be an overlap.
439 * The entire defragmented packet is in fd_head->data
440 * Even if we have previously defragmented this packet, we still check
441 * check it. Someone might play overlap and TTL games.
443 if (fd_head->flags & FD_DEFRAGMENTED) {
444 fd->flags |= FD_OVERLAP;
445 fd_head->flags |= FD_OVERLAP;
446 /* make sure its not too long */
447 if (fd->offset + fd->len > fd_head->datalen) {
448 fd->flags |= FD_TOOLONGFRAGMENT;
449 fd_head->flags |= FD_TOOLONGFRAGMENT;
450 LINK_FRAG(fd_head,fd);
453 /* make sure it doesnt conflict with previous data */
454 if ( memcmp(fd_head->data+fd->offset,
455 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
456 fd->flags |= FD_OVERLAPCONFLICT;
457 fd_head->flags |= FD_OVERLAPCONFLICT;
458 LINK_FRAG(fd_head,fd);
461 /* it was just an overlap, link it and return */
462 LINK_FRAG(fd_head,fd);
468 /* If we have reached this point, the packet is not defragmented yet.
469 * Save all payload in a buffer until we can defragment.
470 * XXX - what if we didn't capture the entire fragment due
471 * to a too-short snapshot length?
473 fd->data = g_malloc(fd->len);
474 tvb_memcpy(tvb, fd->data, offset, fd->len);
475 LINK_FRAG(fd_head,fd);
478 if( !(fd_head->datalen) ){
479 /* if we dont know the datalen, there are still missing
480 * packets. Cheaper than the check below.
486 /* check if we have received the entire fragment
487 * this is easy since the list is sorted and the head is faked.
490 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
491 if ( ((fd_i->offset)<=max) &&
492 ((fd_i->offset+fd_i->len)>max) ){
493 max = fd_i->offset+fd_i->len;
497 if (max < (fd_head->datalen)) {
498 /* we have not received all packets yet */
503 if (max > (fd_head->datalen)) {
504 /*XXX not sure if current fd was the TOOLONG*/
505 /*XXX is it fair to flag current fd*/
506 /* oops, too long fragment detected */
507 fd->flags |= FD_TOOLONGFRAGMENT;
508 fd_head->flags |= FD_TOOLONGFRAGMENT;
512 /* we have received an entire packet, defragment it and
515 /* store old data just in case */
516 old_data=fd_head->data;
517 fd_head->data = g_malloc(max);
519 /* add all data fragments */
520 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
522 if (fd_i->offset < dfpos) {
523 fd_i->flags |= FD_OVERLAP;
524 fd_head->flags |= FD_OVERLAP;
525 if ( memcmp(fd_head->data+fd_i->offset,
527 MIN(fd_i->len,(dfpos-fd_i->offset))
529 fd_i->flags |= FD_OVERLAPCONFLICT;
530 fd_head->flags |= FD_OVERLAPCONFLICT;
533 /* dfpos is always >= than fd_i->offset */
534 /* No gaps can exist here, max_loop(above) does this */
535 if( fd_i->offset+fd_i->len > dfpos )
536 memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
537 fd_i->len-(dfpos-fd_i->offset));
538 if( fd_i->flags & FD_NOT_MALLOCED )
539 fd_i->flags ^= FD_NOT_MALLOCED;
544 dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
550 /* mark this packet as defragmented.
551 allows us to skip any trailing fragments */
552 fd_head->flags |= FD_DEFRAGMENTED;
560 * This function adds a new fragment to the fragment hash table.
561 * If this is the first fragment seen for this datagram, a new entry
562 * is created in the hash table, otherwise this fragment is just added
563 * to the linked list of fragments for this packet.
564 * The list of fragments for a specific datagram is kept sorted for
567 * Returns a pointer to the head of the fragment data list if we have all the
568 * fragments, NULL otherwise.
570 * This function assumes frag_offset being a block sequence number.
571 * the bsn for the first block is 0.
574 fragment_add_seq(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
575 GHashTable *fragment_table, guint32 frag_offset,
576 guint32 frag_data_len, gboolean more_frags)
578 fragment_key key, *new_key;
579 fragment_data *fd_head;
582 fragment_data *last_fd;
583 guint32 max, dfpos, size;
585 /* create key to search hash with */
586 key.src = pinfo->src;
587 key.dst = pinfo->dst;
590 fd_head = g_hash_table_lookup(fragment_table, &key);
592 /* have we already seen this frame ?*/
593 if (pinfo->fd->flags.visited) {
594 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
602 /* not found, this must be the first snooped fragment for this
603 * packet. Create list-head.
605 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
606 /* head/first structure in list only holds no other data than
607 * 'datalen' then we don't have to change the head of the list
608 * even if we want to keep it sorted
614 fd_head->flags=FD_BLOCKSEQUENCE;
618 * We're going to use the key to insert the fragment,
619 * so allocate a structure for it, and copy the
620 * addresses, allocating new buffers for the address
623 new_key = g_mem_chunk_alloc(fragment_key_chunk);
624 COPY_ADDRESS(&new_key->src, &key.src);
625 COPY_ADDRESS(&new_key->dst, &key.dst);
626 new_key->id = key.id;
627 g_hash_table_insert(fragment_table, new_key, fd_head);
630 /* create new fd describing this fragment */
631 fd = g_mem_chunk_alloc(fragment_data_chunk);
634 fd->frame = pinfo->fd->num;
635 fd->offset = frag_offset;
636 fd->len = frag_data_len;
641 * This is the tail fragment in the sequence.
643 if (fd_head->datalen) {
644 /* ok we have already seen other tails for this packet
645 * it might be a duplicate.
647 if (fd_head->datalen != fd->offset ){
648 /* Oops, this tail indicates a different packet
649 * len than the previous ones. Somethings wrong
651 fd->flags |= FD_MULTIPLETAILS;
652 fd_head->flags |= FD_MULTIPLETAILS;
655 /* this was the first tail fragment, now we know the
656 * length of the packet
658 fd_head->datalen = fd->offset;
662 /* If the packet is already defragmented, this MUST be an overlap.
663 * The entire defragmented packet is in fd_head->data
664 * Even if we have previously defragmented this packet, we still check
665 * check it. Someone might play overlap and TTL games.
667 if (fd_head->flags & FD_DEFRAGMENTED) {
668 fd->flags |= FD_OVERLAP;
669 fd_head->flags |= FD_OVERLAP;
671 /* make sure its not too long */
672 if (fd->offset > fd_head->datalen) {
673 fd->flags |= FD_TOOLONGFRAGMENT;
674 fd_head->flags |= FD_TOOLONGFRAGMENT;
675 LINK_FRAG(fd_head,fd);
678 /* make sure it doesnt conflict with previous data */
680 for (fd_i=fd_head->next;fd_i->offset!=fd->offset;fd_i=fd_i->next) {
683 if(fd_i->datalen!=fd->datalen){
684 fd->flags |= FD_OVERLAPCONFLICT;
685 fd_head->flags |= FD_OVERLAPCONFLICT;
686 LINK_FRAG(fd_head,fd);
689 if ( memcmp(fd_head->data+dfpos,
690 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
691 fd->flags |= FD_OVERLAPCONFLICT;
692 fd_head->flags |= FD_OVERLAPCONFLICT;
693 LINK_FRAG(fd_head,fd);
696 /* it was just an overlap, link it and return */
697 LINK_FRAG(fd_head,fd);
701 /* If we have reached this point, the packet is not defragmented yet.
702 * Save all payload in a buffer until we can defragment.
703 * XXX - what if we didn't capture the entire fragment due
704 * to a too-short snapshot length?
706 fd->data = g_malloc(fd->len);
707 tvb_memcpy(tvb, fd->data, offset, fd->len);
708 LINK_FRAG(fd_head,fd);
711 if( !(fd_head->datalen) ){
712 /* if we dont know the datalen, there are still missing
713 * packets. Cheaper than the check below.
719 /* check if we have received the entire fragment
720 * this is easy since the list is sorted and the head is faked.
723 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
724 if ( fd_i->offset==max ){
728 /* max will now be datalen+1 if all fragments have been seen */
730 if (max <= fd_head->datalen) {
731 /* we have not received all packets yet */
736 if (max > (fd_head->datalen+1)) {
737 /* oops, too long fragment detected */
738 fd->flags |= FD_TOOLONGFRAGMENT;
739 fd_head->flags |= FD_TOOLONGFRAGMENT;
743 /* we have received an entire packet, defragment it and
748 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
749 if(!last_fd || last_fd->offset!=fd_i->offset){
754 fd_head->data = g_malloc(size);
755 fd_head->len = size; /* record size for caller */
757 /* add all data fragments */
759 for (dfpos=0,fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
761 if(!last_fd || last_fd->offset!=fd_i->offset){
762 memcpy(fd_head->data+dfpos,fd_i->data,fd_i->len);
765 /* duplicate/retransmission/overlap */
766 if( (last_fd->len!=fd_i->datalen)
767 || memcmp(last_fd->data, fd_i->data, last_fd->len) ){
768 fd->flags |= FD_OVERLAPCONFLICT;
769 fd_head->flags |= FD_OVERLAPCONFLICT;
776 /* we have defragmented the pdu, now free all fragments*/
777 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
784 /* mark this packet as defragmented.
785 allows us to skip any trailing fragments */
786 fd_head->flags |= FD_DEFRAGMENTED;