* Common routines for smb packet dissection
* Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
*
- * $Id: packet-smb-common.c,v 1.2 2000/02/14 04:05:53 guy Exp $
+ * $Id: packet-smb-common.c,v 1.20 2004/04/03 03:50:44 guy Exp $
*
* Ethereal - Network traffic analyzer
- * By Gerald Combs <gerald@zing.org>
+ * By Gerald Combs <gerald@ethereal.com>
* Copyright 1998 Gerald Combs
*
* Copied from packet-pop.c
- *
+ *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
+#include "packet-smb-common.h"
+/*
+ * Share type values - used in LANMAN and in SRVSVC.
+ *
+ * XXX - should we dissect share type values, at least in SRVSVC, as
+ * a subtree with bitfields, as the 0x80000000 bit appears to be a
+ * hidden bit, with some number of bits at the bottom being the share
+ * type?
+ *
+ * Does LANMAN use that bit?
+ */
+const value_string share_type_vals[] = {
+ {0, "Directory tree"},
+ {1, "Printer queue"},
+ {2, "Communications device"},
+ {3, "IPC"},
+ {0x80000000, "Hidden Directory tree"},
+ {0x80000001, "Hidden Printer queue"},
+ {0x80000002, "Hidden Communications device"},
+ {0x80000003, "Hidden IPC"},
+ {0, NULL}
+};
-#include "packet-smb-common.h"
+int display_ms_string(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_index, char **data)
+{
+ char *str;
+ gint len;
+ /* display a string from the tree and return the new offset */
+ str = tvb_get_stringz(tvb, offset, &len);
+ proto_tree_add_string(tree, hf_index, tvb, offset, len, str);
-int display_ms_value( char *Name, int len, const u_char *pd, int offset,
- frame_data *fd, proto_tree *tree)
+ /* Return a copy of the string if requested */
-{/* display an entry from the tree and return the length */
+ if (data)
+ *data = str;
+ else
+ g_free(str);
- guint32 Temp32;
-
- if( len == 1)
- Temp32 = GBYTE(pd, offset);
- else if( len == 2)
- Temp32 = GSHORT(pd, offset);
- else if( len == 4)
- Temp32 = GWORD(pd, offset);
-
-/* this is an error if we didn't hit one of those three */
- else
- return 0;
+ return offset+len;
+}
- proto_tree_add_text( tree, offset, len, "%s: %u", Name, Temp32);
-
- return len;
-}
-int display_ms_string( char *Name, const u_char *pd, int offset,
- frame_data *fd, proto_tree *tree)
+int display_unicode_string(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_index, char **data)
+{
+ char *str, *p;
+ int len;
+ int charoffset;
+ guint16 character;
-{/* display a string from the tree and return the amount to move offset */
-
- proto_tree_add_text( tree, offset, strlen( &pd[offset]) + 1, "%s: %s ",
- Name, &pd[offset]);
-
- return strlen( &pd[offset]) + 1;
-}
+ /* display a unicode string from the tree and return new offset */
+
+ /*
+ * Get the length of the string.
+ * XXX - is it a bug or a feature that this will throw an exception
+ * if we don't find the '\0'? I think it's a feature.
+ */
+ len = 0;
+ while ((character = tvb_get_letohs(tvb, offset + len)) != '\0')
+ len += 2;
+ len += 2; /* count the '\0' too */
+
+ /*
+ * Allocate a buffer for the string; "len" is the length in
+ * bytes, not the length in characters.
+ */
+ str = g_malloc(len/2);
+ /*
+ * XXX - this assumes the string is just ISO 8859-1; we need
+ * to better handle multiple character sets in Ethereal,
+ * including Unicode/ISO 10646, and multiple encodings of
+ * that character set (UCS-2, UTF-8, etc.).
+ */
+ charoffset = offset;
+ p = str;
+ while ((character = tvb_get_letohs(tvb, charoffset)) != '\0') {
+ *p++ = (char) character;
+ charoffset += 2;
+ }
+ *p = '\0';
+
+ proto_tree_add_string(tree, hf_index, tvb, offset, len, str);
-int display_unicode_string( char *Name, const u_char *pd, int offset,
- frame_data *fd, proto_tree *tree){
-
-/* display a unicode string from the tree and return amount to move offset */
-
- char Temp[100], *OutPtr;
- const char *InPtr;
-
- InPtr = &pd[ offset]; /* point to unicode string */
- OutPtr = Temp; /* point to temp space */
-
- while ( *InPtr){ /* copy every other byte */
- *OutPtr++ = *InPtr;
- InPtr += 2;
- }
- *OutPtr = 0; /* terminate out string */
-
- proto_tree_add_text( tree, offset, strlen( Temp) * 2 + 2, "%s: %s ",
- Name, Temp);
-
- return strlen( Temp) * 2 + 2;
+ if (data)
+ *data = str;
+ else
+ g_free(str);
+
+ return offset+len;
}
+/* Max string length for displaying Unicode strings. */
+#define MAX_UNICODE_STR_LEN 256
-void
-dissect_smb_unknown( const u_char *pd, int offset, frame_data *fd,
- proto_tree *tree){
+/* Turn a little-endian Unicode '\0'-terminated string into a string we
+ can display.
+ XXX - for now, we just handle the ISO 8859-1 characters.
+ If exactlen==TRUE then us_lenp contains the exact len of the string in
+ bytes. It might not be null terminated !
+ bc specifies the number of bytes in the byte parameters; Windows 2000,
+ at least, appears, in some cases, to put only 1 byte of 0 at the end
+ of a Unicode string if the byte count
+*/
+static gchar *
+unicode_to_str(tvbuff_t *tvb, int offset, int *us_lenp, gboolean exactlen,
+ guint16 bc)
+{
+ static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
+ static gchar *cur;
+ gchar *p;
+ guint16 uchar;
+ int len;
+ int us_len;
+ gboolean overflow = FALSE;
-/* display data as unknown */
-
- proto_tree_add_text(tree, offset, END_OF_FRAME, "Data (%u bytes)",
- END_OF_FRAME);
+ if (cur == &str[0][0]) {
+ cur = &str[1][0];
+ } else if (cur == &str[1][0]) {
+ cur = &str[2][0];
+ } else {
+ cur = &str[0][0];
+ }
+ p = cur;
+ len = MAX_UNICODE_STR_LEN;
+ us_len = 0;
+ for (;;) {
+ if (bc == 0)
+ break;
+ if (bc == 1) {
+ /* XXX - explain this */
+ if (!exactlen)
+ us_len += 1; /* this is a one-byte null terminator */
+ break;
+ }
+ uchar = tvb_get_letohs(tvb, offset);
+ if (uchar == 0) {
+ us_len += 2; /* this is a two-byte null terminator */
+ break;
+ }
+ if (len > 0) {
+ if ((uchar & 0xFF00) == 0)
+ *p++ = (gchar) uchar; /* ISO 8859-1 */
+ else
+ *p++ = '?'; /* not 8859-1 */
+ len--;
+ } else
+ overflow = TRUE;
+ offset += 2;
+ bc -= 2;
+ us_len += 2;
+ if(exactlen){
+ if(us_len>= *us_lenp){
+ break;
+ }
+ }
+ }
+ if (overflow) {
+ /* Note that we're not showing the full string. */
+ *p++ = '.';
+ *p++ = '.';
+ *p++ = '.';
+ }
+ *p = '\0';
+ *us_lenp = us_len;
+ return cur;
+}
+/* nopad == TRUE : Do not add any padding before this string
+ * exactlen == TRUE : len contains the exact len of the string in bytes.
+ * bc: pointer to variable with amount of data left in the byte parameters
+ * region
+ */
+const gchar *
+get_unicode_or_ascii_string(tvbuff_t *tvb, int *offsetp,
+ gboolean useunicode, int *len, gboolean nopad, gboolean exactlen,
+ guint16 *bcp)
+{
+ static gchar str[3][MAX_UNICODE_STR_LEN+3+1];
+ static gchar *cur;
+ const gchar *string;
+ int string_len;
+ int copylen;
+ gboolean overflow = FALSE;
+
+ if (*bcp == 0) {
+ /* Not enough data in buffer */
+ return NULL;
+ }
+ if (useunicode) {
+ if ((!nopad) && (*offsetp % 2)) {
+ /*
+ * XXX - this should be an offset relative to the beginning of the SMB,
+ * not an offset relative to the beginning of the frame; if the stuff
+ * before the SMB has an odd number of bytes, an offset relative to
+ * the beginning of the frame will give the wrong answer.
+ */
+ (*offsetp)++; /* Looks like a pad byte there sometimes */
+ (*bcp)--;
+ if (*bcp == 0) {
+ /* Not enough data in buffer */
+ return NULL;
+ }
+ }
+ if(exactlen){
+ string_len = *len;
+ if (string_len < 0) {
+ /* This probably means it's a very large unsigned number; just set
+ it to the largest signed number, so that we throw the appropriate
+ exception. */
+ string_len = INT_MAX;
+ }
+ }
+ string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp);
+ } else {
+ if(exactlen){
+ /*
+ * The string we return must be null-terminated.
+ */
+ if (cur == &str[0][0]) {
+ cur = &str[1][0];
+ } else if (cur == &str[1][0]) {
+ cur = &str[2][0];
+ } else {
+ cur = &str[0][0];
+ }
+ copylen = *len;
+ if (copylen < 0) {
+ /* This probably means it's a very large unsigned number; just set
+ it to the largest signed number, so that we throw the appropriate
+ exception. */
+ copylen = INT_MAX;
+ }
+ tvb_ensure_bytes_exist(tvb, *offsetp, copylen);
+ if (copylen > MAX_UNICODE_STR_LEN) {
+ copylen = MAX_UNICODE_STR_LEN;
+ overflow = TRUE;
+ }
+ tvb_memcpy(tvb, (guint8 *)cur, *offsetp, copylen);
+ cur[copylen] = '\0';
+ if (overflow)
+ strcat(cur, "...");
+ string_len = *len;
+ string = cur;
+ } else {
+ string_len = tvb_strsize(tvb, *offsetp);
+ string = tvb_get_ptr(tvb, *offsetp, string_len);
+ }
+ }
+ *len = string_len;
+ return string;
}
+int
+dissect_smb_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
+{
+ /* display data as unknown */
+ proto_tree_add_text(tree, tvb, offset, -1, "Data (%u bytes)",
+ tvb_reported_length_remaining(tvb, offset));
-void
-display_flags( struct flag_array_type *flag_array, int length,
- const u_char *pd, int offset, proto_tree *tree){
+ return offset+tvb_length_remaining(tvb, offset);
+}
-/* Display a bit fields using the flag_array information. */
-/* See packet-smb-common.h for definition of the flag_array structure */
+/* Dissect a NTLM response. This is documented at
+ http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */
+static int hf_ntlmv2_response = -1;
+static int hf_ntlmv2_response_hmac = -1;
+static int hf_ntlmv2_response_header = -1;
+static int hf_ntlmv2_response_reserved = -1;
+static int hf_ntlmv2_response_time = -1;
+static int hf_ntlmv2_response_chal = -1;
+static int hf_ntlmv2_response_unknown = -1;
+static int hf_ntlmv2_response_name = -1;
+static int hf_ntlmv2_response_name_type = -1;
+static int hf_ntlmv2_response_name_len = -1;
-/*** NOTE: currently only handles values that are 1, 2, or 4 octets wide.*/
-/*** This should be expanded to handle any bit width. */
+static gint ett_ntlmv2_response = -1;
+static gint ett_ntlmv2_response_name = -1;
-/* NOTE: the last entry must have the mask value = 0, this is the end of */
-/* array flag */
+/* Name types */
+const value_string ntlm_name_types[] = {
+ { NTLM_NAME_END, "End of list" },
+ { NTLM_NAME_NB_HOST, "NetBIOS host name" },
+ { NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" },
+ { NTLM_NAME_DNS_HOST, "DNS host name" },
+ { NTLM_NAME_DNS_DOMAIN, "DNS domain name" },
+ { 0, NULL }
+};
- struct flag_array_type *array_ptr = flag_array;
+int
+dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *tree, int offset, int len)
+{
+ proto_item *ntlmv2_item = NULL;
+ proto_tree *ntlmv2_tree = NULL;
- guint32 flags;
-
- if ( length == 1) flags = GBYTE( pd, offset);
- if ( length == 2) flags = GSHORT( pd, offset);
- if ( length == 4) flags = GWORD( pd, offset);
-
+ /* Dissect NTLMv2 bits&pieces */
- while( array_ptr->mask) {
- proto_tree_add_text( tree, offset, 2, "%s%s%s%s",
- decode_boolean_bitfield( flags, array_ptr->mask,
- length * 8, "",""),
- array_ptr->pre_string,
- ((flags & array_ptr->mask) ? array_ptr->true_string :
- array_ptr->false_string),
- array_ptr->post_string);
-
- ++array_ptr;
+ if (tree) {
+ ntlmv2_item = proto_tree_add_item(
+ tree, hf_ntlmv2_response, tvb,
+ offset, len, TRUE);
+ ntlmv2_tree = proto_item_add_subtree(
+ ntlmv2_item, ett_ntlmv2_response);
}
-}
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_hmac, tvb,
+ offset, 16, TRUE);
+
+ offset += 16;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_header, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_reserved, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ offset = dissect_smb_64bit_time(
+ tvb, ntlmv2_tree, offset, hf_ntlmv2_response_time);
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_chal, tvb,
+ offset, 8, TRUE);
+
+ offset += 8;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_unknown, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ /* Variable length list of names */
+
+ while(1) {
+ guint16 name_type = tvb_get_letohs(tvb, offset);
+ guint16 name_len = tvb_get_letohs(tvb, offset + 2);
+ proto_tree *name_tree = NULL;
+ proto_item *name_item = NULL;
+ char *name = NULL;
+
+ if (ntlmv2_tree) {
+ name_item = proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_name,
+ tvb, offset, 0, TRUE);
+ name_tree = proto_item_add_subtree(
+ name_item, ett_ntlmv2_response_name);
+ }
+
+ /* Dissect name header */
+
+ proto_tree_add_item(
+ name_tree, hf_ntlmv2_response_name_type, tvb,
+ offset, 2, TRUE);
+
+ offset += 2;
+
+ proto_tree_add_item(
+ name_tree, hf_ntlmv2_response_name_len, tvb,
+ offset, 2, TRUE);
+
+ offset += 2;
+
+ /* Dissect name */
+
+ if (name_len > 0) {
+ name = tvb_fake_unicode(
+ tvb, offset, name_len / 2, TRUE);
+
+ proto_tree_add_text(
+ name_tree, tvb, offset, name_len,
+ "Name: %s", name);
+ } else
+ name = g_strdup("NULL");
+
+ if (name_type == 0)
+ proto_item_append_text(
+ name_item, "%s",
+ val_to_str(name_type, ntlm_name_types,
+ "Unknown"));
+ else
+ proto_item_append_text(
+ name_item, "%s, %s",
+ val_to_str(name_type, ntlm_name_types,
+ "Unknown"), name);
+
+ g_free(name);
+
+ offset += name_len;
+
+ proto_item_set_len(name_item, name_len + 4);
+
+ if (name_type == 0) /* End of list */
+ break;
+ };
+
+ return offset;
+}
+
+void register_smb_common(int proto_smb)
+{
+ static hf_register_info hf[] = {
+
+ { &hf_ntlmv2_response,
+ { "NTLMv2 Response", "smb.ntlmv2response", FT_BYTES,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_hmac,
+ { "HMAC", "smb.ntlmv2response.hmac", FT_BYTES, BASE_HEX,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_header,
+ { "Header", "smb.ntlmv2response.header", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_reserved,
+ { "Reserved", "smb.ntlmv2response.reserved", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_time,
+ { "Time", "smb.ntlmv2response.time", FT_ABSOLUTE_TIME,
+ BASE_NONE, NULL, 0, "", HFILL }},
+
+ { &hf_ntlmv2_response_chal,
+ { "Client challenge", "smb.ntlmv2response.chal", FT_BYTES,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_unknown,
+ { "Unknown", "smb.ntlmv2response.unknown", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_name,
+ { "Name", "smb.ntlmv2response.name", FT_STRING, BASE_NONE,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_name_type,
+ { "Name type", "smb.ntlmv2response.name.type", FT_UINT32,
+ BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_name_len,
+ { "Name len", "smb.ntlmv2response.name.len", FT_UINT32,
+ BASE_DEC, NULL, 0x0, "", HFILL }}
+ };
+
+ static gint *ett[] = {
+ &ett_ntlmv2_response,
+ &ett_ntlmv2_response_name
+ };
+
+ proto_register_subtree_array(ett, array_length(ett));
+ proto_register_field_array(proto_smb, hf, array_length(hf));
+}