2 * Routines for {fragment,segment} reassembly
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
33 #include <epan/reassemble.h>
35 #include <epan/emem.h>
37 #include <epan/dissectors/packet-dcerpc.h>
39 typedef struct _fragment_key {
45 typedef struct _dcerpc_fragment_key {
50 } dcerpc_fragment_key;
52 static void LINK_FRAG(fragment_data *fd_head,fragment_data *fd)
56 /* add fragment to list, keep list sorted */
57 for(fd_i= fd_head; fd_i->next;fd_i=fd_i->next) {
58 if (fd->offset < fd_i->next->offset )
65 /* copy a fragment key to heap store to insert in the hash */
66 static void *fragment_key_copy(const void *k)
68 const fragment_key* key = (const fragment_key*) k;
69 fragment_key *new_key = g_slice_new(fragment_key);
71 COPY_ADDRESS(&new_key->src, &key->src);
72 COPY_ADDRESS(&new_key->dst, &key->dst);
73 new_key->id = key->id;
77 /* copy a dcerpc fragment key to heap store to insert in the hash */
78 static void *dcerpc_fragment_key_copy(const void *k)
80 const dcerpc_fragment_key* key = (const dcerpc_fragment_key*) k;
82 dcerpc_fragment_key *new_key = g_slice_new(dcerpc_fragment_key);
84 COPY_ADDRESS(&new_key->src, &key->src);
85 COPY_ADDRESS(&new_key->dst, &key->dst);
86 new_key->id = key->id;
87 new_key->act_id = key->act_id;
94 fragment_equal(gconstpointer k1, gconstpointer k2)
96 const fragment_key* key1 = (const fragment_key*) k1;
97 const fragment_key* key2 = (const fragment_key*) k2;
99 /*key.id is the first item to compare since item is most
100 likely to differ between sessions, thus shortcircuiting
101 the comparasion of addresses.
103 return ( ( (key1->id == key2->id) &&
104 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
105 (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
111 fragment_hash(gconstpointer k)
113 const fragment_key* key = (const fragment_key*) k;
121 /* More than likely: in most captures src and dst addresses are the
122 same, and would hash the same.
123 We only use id as the hash as an optimization.
125 for (i = 0; i < key->src.len; i++)
126 hash_val += key->src.data[i];
127 for (i = 0; i < key->dst.len; i++)
128 hash_val += key->dst.data[i];
137 dcerpc_fragment_equal(gconstpointer k1, gconstpointer k2)
139 const dcerpc_fragment_key* key1 = (const dcerpc_fragment_key*) k1;
140 const dcerpc_fragment_key* key2 = (const dcerpc_fragment_key*) k2;
142 /*key.id is the first item to compare since item is most
143 likely to differ between sessions, thus shortcircuiting
144 the comparison of addresses.
146 return (((key1->id == key2->id)
147 && (ADDRESSES_EQUAL(&key1->src, &key2->src))
148 && (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
149 && (memcmp (&key1->act_id, &key2->act_id, sizeof (e_uuid_t)) == 0))
154 dcerpc_fragment_hash(gconstpointer k)
156 const dcerpc_fragment_key* key = (const dcerpc_fragment_key*) k;
162 hash_val += key->act_id.Data1;
163 hash_val += key->act_id.Data2 << 16;
164 hash_val += key->act_id.Data3;
169 typedef struct _reassembled_key {
175 reassembled_equal(gconstpointer k1, gconstpointer k2)
177 const reassembled_key* key1 = (const reassembled_key*) k1;
178 const reassembled_key* key2 = (const reassembled_key*) k2;
181 * We assume that the frame numbers are unlikely to be equal,
182 * so we check them first.
184 return key1->frame == key2->frame && key1->id == key2->id;
188 reassembled_hash(gconstpointer k)
190 const reassembled_key* key = (const reassembled_key*) k;
196 * For a fragment hash table entry, free the associated fragments.
197 * The entry value (fd_chain) is freed herein and the entry is freed
198 * when fragment_free_key() [or dcerpc_fragment_free_key()] is called
199 * (as a consequence of returning TRUE from this function).
202 free_all_fragments(gpointer key_arg _U_, gpointer value, gpointer user_data _U_)
204 fragment_data *fd_head, *tmp_fd;
206 /* g_hash_table_new_full() was used to supply a function
207 * to free the key and the addresses.
209 for (fd_head = value; fd_head != NULL; fd_head = tmp_fd) {
210 tmp_fd=fd_head->next;
212 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
213 g_free(fd_head->data);
214 g_slice_free(fragment_data, fd_head);
220 /* ------------------------- */
221 static fragment_data *new_head(const guint32 flags)
223 fragment_data *fd_head;
224 /* If head/first structure in list only holds no other data than
225 * 'datalen' then we don't have to change the head of the list
226 * even if we want to keep it sorted
228 fd_head=g_slice_new0(fragment_data);
230 fd_head->flags=flags;
235 * For a reassembled-packet hash table entry, free the fragment data
236 * to which the value refers.
239 free_all_reassembled_fragments(gpointer key_arg _U_, gpointer value,
240 gpointer user_data _U_)
242 fragment_data *fd_head;
244 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
245 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED)) {
246 g_free(fd_head->data);
249 * A reassembled packet is inserted into the
250 * hash table once for every frame that made
251 * up the reassembled packet; clear the data
252 * pointer so that we only free the data the
253 * first time we see it.
255 fd_head->data = NULL;
263 fragment_free_key(void *ptr)
265 fragment_key *key = (fragment_key *)ptr;
269 * Free up the copies of the addresses from the old key.
271 g_free((gpointer)key->src.data);
272 g_free((gpointer)key->dst.data);
274 g_slice_free(fragment_key, key);
279 dcerpc_fragment_free_key(void *ptr)
281 dcerpc_fragment_key *key = (dcerpc_fragment_key *)ptr;
285 * Free up the copies of the addresses from the old key.
287 g_free((gpointer)key->src.data);
288 g_free((gpointer)key->dst.data);
290 g_slice_free(dcerpc_fragment_key, key);
295 * Initialize a fragment table.
298 fragment_table_init(GHashTable **fragment_table)
300 if (*fragment_table != NULL) {
302 * The fragment hash table exists.
304 * Remove all entries and free fragment data for each entry.
306 * If slices are used (GLIB >= 2.10)
307 * the keys are freed by calling fragment_free_key()
308 * and the values are freed in free_all_fragments().
310 * free_all_fragments()
311 * will free the address data associated with the key
313 g_hash_table_foreach_remove(*fragment_table,
314 free_all_fragments, NULL);
316 /* The fragment table does not exist. Create it */
317 *fragment_table = g_hash_table_new_full(fragment_hash,
318 fragment_equal, fragment_free_key, NULL);
323 dcerpc_fragment_table_init(GHashTable **fragment_table)
325 if (*fragment_table != NULL) {
327 * The fragment hash table exists.
329 * Remove all entries and free fragment data for each entry.
331 * If slices are used (GLIB >= 2.10)
332 * the keys are freed by calling dcerpc_fragment_free_key()
333 * and the values are freed in free_all_fragments().
335 * free_all_fragments()
336 * will free the adrress data associated with the key
338 g_hash_table_foreach_remove(*fragment_table,
339 free_all_fragments, NULL);
341 /* The fragment table does not exist. Create it */
342 *fragment_table = g_hash_table_new_full(dcerpc_fragment_hash,
343 dcerpc_fragment_equal, dcerpc_fragment_free_key, NULL);
348 * Initialize a reassembled-packet table.
351 reassembled_table_init(GHashTable **reassembled_table)
353 if (*reassembled_table != NULL) {
355 * The reassembled-packet hash table exists.
357 * Remove all entries and free reassembled packet
358 * data for each entry.
360 g_hash_table_foreach_remove(*reassembled_table,
361 free_all_reassembled_fragments, NULL);
363 /* The fragment table does not exist. Create it */
364 *reassembled_table = g_hash_table_new(reassembled_hash,
369 /* This function cleans up the stored state and removes the reassembly data and
370 * (with one exception) all allocated memory for matching reassembly.
373 * If the PDU was already completely reassembled, then the buffer containing the
374 * reassembled data WILL NOT be free()d, and the pointer to that buffer will be
376 * Othervise the function will return NULL.
378 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to
379 * g_free() that buffer.
382 fragment_delete(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table)
384 fragment_data *fd_head, *fd;
386 unsigned char *data=NULL;
388 /* create key to search hash with */
389 key.src = pinfo->src;
390 key.dst = pinfo->dst;
393 fd_head = g_hash_table_lookup(fragment_table, &key);
396 /* We do not recognize this as a PDU we have seen before. return */
401 /* loop over all partial fragments and free any buffers */
402 for(fd=fd_head->next;fd;){
403 fragment_data *tmp_fd;
406 if( !(fd->flags&FD_NOT_MALLOCED) )
408 g_slice_free(fragment_data, fd);
411 g_slice_free(fragment_data, fd_head);
412 g_hash_table_remove(fragment_table, &key);
417 /* This function is used to check if there is partial or completed reassembly state
418 * matching this packet. I.e. Is there reassembly going on or not for this packet?
421 fragment_get(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table)
423 fragment_data *fd_head;
426 /* create key to search hash with */
427 key.src = pinfo->src;
428 key.dst = pinfo->dst;
431 fd_head = g_hash_table_lookup(fragment_table, &key);
436 /* id *must* be the frame number for this to work! */
438 fragment_get_reassembled(const guint32 id, GHashTable *reassembled_table)
440 fragment_data *fd_head;
443 /* create key to search hash with */
446 fd_head = g_hash_table_lookup(reassembled_table, &key);
452 fragment_get_reassembled_id(const packet_info *pinfo, const guint32 id, GHashTable *reassembled_table)
454 fragment_data *fd_head;
457 /* create key to search hash with */
458 key.frame = pinfo->fd->num;
460 fd_head = g_hash_table_lookup(reassembled_table, &key);
465 /* This function can be used to explicitly set the total length (if known)
466 * for reassembly of a PDU.
467 * This is useful for reassembly of PDUs where one may have the total length specified
468 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
469 * is the last fragment.
471 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
472 * and just tell the reassembly engine the expected total length of the reassembled data
473 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
475 * Note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
476 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
477 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
480 fragment_set_tot_len(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table,
481 const guint32 tot_len)
483 fragment_data *fd_head;
486 /* create key to search hash with */
487 key.src = pinfo->src;
488 key.dst = pinfo->dst;
491 fd_head = g_hash_table_lookup(fragment_table, &key);
494 fd_head->datalen = tot_len;
495 fd_head->flags |= FD_DATALEN_SET;
502 fragment_get_tot_len(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table)
504 fragment_data *fd_head;
507 /* create key to search hash with */
508 key.src = pinfo->src;
509 key.dst = pinfo->dst;
512 fd_head = g_hash_table_lookup(fragment_table, &key);
515 return fd_head->datalen;
522 /* This function will set the partial reassembly flag for a fh.
523 When this function is called, the fh MUST already exist, i.e.
524 the fh MUST be created by the initial call to fragment_add() before
525 this function is called.
526 Also note that this function MUST be called to indicate a fh will be
527 extended (increase the already stored data)
531 fragment_set_partial_reassembly(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table)
533 fragment_data *fd_head;
536 /* create key to search hash with */
537 key.src = pinfo->src;
538 key.dst = pinfo->dst;
541 fd_head = g_hash_table_lookup(fragment_table, &key);
544 * XXX - why not do all the stuff done early in "fragment_add_work()",
545 * turning off FD_DEFRAGMENTED and pointing the fragments' data
546 * pointers to the appropriate part of the already-reassembled
547 * data, and clearing the data length and "reassembled in" frame
548 * number, here? We currently have a hack in the TCP dissector
549 * not to set the "reassembled in" value if the "partial reassembly"
550 * flag is set, so that in the first pass through the packets
551 * we don't falsely set a packet as reassembled in that packet
552 * if the dissector decided that even more reassembly was needed.
555 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
560 * This function gets rid of an entry from a fragment table, given
561 * a pointer to the key for that entry; it also frees up the key
562 * and the addresses in it.
563 * Note: If we use slices keys are freed by fragment_free_key()
564 [or dcerpc_fragment_free_key()] being called
565 * during g_hash_table_remove().
568 fragment_unhash(GHashTable *fragment_table, fragment_key *key)
571 * Remove the entry from the fragment table.
573 g_hash_table_remove(fragment_table, key);
576 * Free the key itself.
581 * This function adds fragment_data structure to a reassembled-packet
582 * hash table, using the frame numbers of each of the frames from
583 * which it was reassembled as keys, and sets the "reassembled_in"
587 fragment_reassembled(fragment_data *fd_head, const packet_info *pinfo,
588 GHashTable *reassembled_table, const guint32 id)
590 reassembled_key *new_key;
593 if (fd_head->next == NULL) {
595 * This was not fragmented, so there's no fragment
596 * table; just hash it using the current frame number.
598 new_key = se_alloc(sizeof(reassembled_key));
599 new_key->frame = pinfo->fd->num;
601 g_hash_table_insert(reassembled_table, new_key, fd_head);
604 * Hash it with the frame numbers for all the frames.
606 for (fd = fd_head->next; fd != NULL; fd = fd->next){
607 new_key = se_alloc(sizeof(reassembled_key));
608 new_key->frame = fd->frame;
610 g_hash_table_insert(reassembled_table, new_key,
614 fd_head->flags |= FD_DEFRAGMENTED;
615 fd_head->reassembled_in = pinfo->fd->num;
619 * This function adds a new fragment to the fragment hash table.
620 * If this is the first fragment seen for this datagram, a new entry
621 * is created in the hash table, otherwise this fragment is just added
622 * to the linked list of fragments for this packet.
623 * The list of fragments for a specific datagram is kept sorted for
626 * Returns a pointer to the head of the fragment data list if we have all the
627 * fragments, NULL otherwise.
629 * This function assumes frag_offset being a byte offset into the defragment
633 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
634 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
635 * using fragment_set_partial_reassembly() before calling fragment_add
636 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
637 * are lowered when a new extension process is started.
640 fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, const int offset,
641 const packet_info *pinfo, const guint32 frag_offset,
642 const guint32 frag_data_len, const gboolean more_frags)
647 unsigned char *old_data;
649 /* create new fd describing this fragment */
650 fd = g_slice_new(fragment_data);
653 fd->frame = pinfo->fd->num;
654 if (fd->frame > fd_head->frame)
655 fd_head->frame = fd->frame;
656 fd->offset = frag_offset;
657 fd->len = frag_data_len;
661 * If it was already defragmented and this new fragment goes beyond
662 * data limits, set flag in already empty fds & point old fds to malloc'ed data.
664 if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen &&
665 fd_head->flags & FD_PARTIAL_REASSEMBLY){
666 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
668 fd_i->data = fd_head->data + fd_i->offset;
669 fd_i->flags |= FD_NOT_MALLOCED;
671 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
673 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
674 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
676 fd_head->reassembled_in=0;
681 * This is the tail fragment in the sequence.
683 if (fd_head->flags & FD_DATALEN_SET) {
684 /* ok we have already seen other tails for this packet
685 * it might be a duplicate.
687 if (fd_head->datalen != (fd->offset + fd->len) ){
688 /* Oops, this tail indicates a different packet
689 * len than the previous ones. Something's wrong.
691 fd->flags |= FD_MULTIPLETAILS;
692 fd_head->flags |= FD_MULTIPLETAILS;
695 /* this was the first tail fragment, now we know the
696 * length of the packet
698 fd_head->datalen = fd->offset + fd->len;
699 fd_head->flags |= FD_DATALEN_SET;
706 /* If the packet is already defragmented, this MUST be an overlap.
707 * The entire defragmented packet is in fd_head->data.
708 * Even if we have previously defragmented this packet, we still
709 * check it. Someone might play overlap and TTL games.
711 if (fd_head->flags & FD_DEFRAGMENTED) {
712 guint32 end_offset = fd->offset + fd->len;
713 fd->flags |= FD_OVERLAP;
714 fd_head->flags |= FD_OVERLAP;
715 /* make sure it's not too long */
716 if (end_offset > fd_head->datalen || end_offset < fd->offset || end_offset < fd->len) {
717 fd->flags |= FD_TOOLONGFRAGMENT;
718 fd_head->flags |= FD_TOOLONGFRAGMENT;
720 /* make sure it doesn't conflict with previous data */
721 else if ( memcmp(fd_head->data+fd->offset,
722 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
723 fd->flags |= FD_OVERLAPCONFLICT;
724 fd_head->flags |= FD_OVERLAPCONFLICT;
726 /* it was just an overlap, link it and return */
727 LINK_FRAG(fd_head,fd);
733 /* If we have reached this point, the packet is not defragmented yet.
734 * Save all payload in a buffer until we can defragment.
735 * XXX - what if we didn't capture the entire fragment due
736 * to a too-short snapshot length?
738 fd->data = g_malloc(fd->len);
739 tvb_memcpy(tvb, fd->data, offset, fd->len);
740 LINK_FRAG(fd_head,fd);
743 if( !(fd_head->flags & FD_DATALEN_SET) ){
744 /* if we dont know the datalen, there are still missing
745 * packets. Cheaper than the check below.
752 * Check if we have received the entire fragment.
753 * This is easy since the list is sorted and the head is faked.
755 * First, we compute the amount of contiguous data that's
756 * available. (The check for fd_i->offset <= max rules out
757 * fragments that don't start before or at the end of the
758 * previous fragment, i.e. fragments that have a gap between
759 * them and the previous fragment.)
762 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
763 if ( ((fd_i->offset)<=max) &&
764 ((fd_i->offset+fd_i->len)>max) ){
765 max = fd_i->offset+fd_i->len;
769 if (max < (fd_head->datalen)) {
771 * The amount of contiguous data we have is less than the
772 * amount of data we're trying to reassemble, so we haven't
773 * received all packets yet.
779 if (max > (fd_head->datalen)) {
780 /*XXX not sure if current fd was the TOOLONG*/
781 /*XXX is it fair to flag current fd*/
782 /* oops, too long fragment detected */
783 fd->flags |= FD_TOOLONGFRAGMENT;
784 fd_head->flags |= FD_TOOLONGFRAGMENT;
787 /* we have received an entire packet, defragment it and
790 /* store old data just in case */
791 old_data=fd_head->data;
792 fd_head->data = g_malloc(max);
794 /* add all data fragments */
795 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
797 /* dfpos is always >= than fd_i->offset */
798 /* No gaps can exist here, max_loop(above) does this */
799 /* XXX - true? Can we get fd_i->offset+fd-i->len */
800 /* overflowing, for example? */
801 /* Actually: there is at least one pathological case wherein there can be fragments
802 * on the list which are for offsets greater than max (i.e.: following a gap after max).
803 * (Apparently a "DESEGMENT_UNTIL_FIN" was involved wherein the FIN packet had an offset
804 * less than the highest fragment offset seen. [Seen from a fuzz-test: bug #2470]).
805 * Note that the "overlap" compare must only be done for fragments with (offset+len) <= max
806 * and thus within the newly g_malloc'd buffer.
809 if ( fd_i->offset+fd_i->len > dfpos ) {
810 if (fd_i->offset+fd_i->len > max)
811 g_warning("Reassemble error in frame %u: offset %u + len %u > max %u",
812 pinfo->fd->num, fd_i->offset,
814 else if (dfpos < fd_i->offset)
815 g_warning("Reassemble error in frame %u: dfpos %u < offset %u",
816 pinfo->fd->num, dfpos, fd_i->offset);
817 else if (dfpos-fd_i->offset > fd_i->len)
818 g_warning("Reassemble error in frame %u: dfpos %u - offset %u > len %u",
819 pinfo->fd->num, dfpos, fd_i->offset,
821 else if (!fd_head->data)
822 g_warning("Reassemble error in frame %u: no data",
825 if (fd_i->offset < dfpos) {
826 fd_i->flags |= FD_OVERLAP;
827 fd_head->flags |= FD_OVERLAP;
828 if ( memcmp(fd_head->data+fd_i->offset,
830 MIN(fd_i->len,(dfpos-fd_i->offset))
832 fd_i->flags |= FD_OVERLAPCONFLICT;
833 fd_head->flags |= FD_OVERLAPCONFLICT;
836 memcpy(fd_head->data+dfpos,
837 fd_i->data+(dfpos-fd_i->offset),
838 fd_i->len-(dfpos-fd_i->offset));
841 if (fd_i->offset + fd_i->len < fd_i->offset) /* Integer overflow? */
842 g_warning("Reassemble error in frame %u: offset %u + len %u < offset",
843 pinfo->fd->num, fd_i->offset,
846 if( fd_i->flags & FD_NOT_MALLOCED )
847 fd_i->flags &= ~FD_NOT_MALLOCED;
852 dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
857 /* mark this packet as defragmented.
858 allows us to skip any trailing fragments */
859 fd_head->flags |= FD_DEFRAGMENTED;
860 fd_head->reassembled_in=pinfo->fd->num;
865 static fragment_data *
866 fragment_add_common(tvbuff_t *tvb, const int offset, const packet_info *pinfo, const guint32 id,
867 GHashTable *fragment_table, const guint32 frag_offset,
868 const guint32 frag_data_len, const gboolean more_frags,
869 const gboolean check_already_added)
871 fragment_key key, *new_key;
872 fragment_data *fd_head;
873 fragment_data *fd_item;
874 gboolean already_added=pinfo->fd->flags.visited;
877 /* dissector shouldn't give us garbage tvb info */
878 DISSECTOR_ASSERT(tvb_bytes_exist(tvb, offset, frag_data_len));
880 /* create key to search hash with */
881 key.src = pinfo->src;
882 key.dst = pinfo->dst;
885 fd_head = g_hash_table_lookup(fragment_table, &key);
888 /* debug output of associated fragments. */
889 /* leave it here for future debugging sessions */
890 if(strcmp(pinfo->current_proto, "DCERPC") == 0) {
891 printf("proto:%s num:%u id:%u offset:%u len:%u more:%u visited:%u\n",
892 pinfo->current_proto, pinfo->fd->num, id, frag_offset, frag_data_len, more_frags, pinfo->fd->flags.visited);
893 if(fd_head != NULL) {
894 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
895 printf("fd_frame:%u fd_offset:%u len:%u datalen:%u\n",
896 fd_item->frame, fd_item->offset, fd_item->len, fd_item->datalen);
903 * "already_added" is true if "pinfo->fd->flags.visited" is true;
904 * if "pinfo->fd->flags.visited", this isn't the first pass, so
905 * we've already done all the reassembly and added all the
908 * If it's not true, but "check_already_added" is true, just check
909 * if we have seen this fragment before, i.e., if we have already
910 * added it to reassembly.
911 * That can be true even if "pinfo->fd->flags.visited" is false
912 * since we sometimes might call a subdissector multiple times.
913 * As an additional check, just make sure we have not already added
914 * this frame to the reassembly list, if there is a reassembly list;
915 * note that the first item in the reassembly list is not a
916 * fragment, it's a data structure for the reassembled packet.
917 * We don't check it because its "frame" member isn't initialized
918 * to anything, and because it doesn't count in any case.
920 * And as another additional check, make sure the fragment offsets are
921 * the same, as otherwise we get into trouble if multiple fragments
924 if (!already_added && check_already_added && fd_head != NULL) {
925 if (pinfo->fd->num <= fd_head->frame) {
926 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
927 if(pinfo->fd->num==fd_item->frame && frag_offset==fd_item->offset){
933 /* have we already added this frame ?*/
935 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
943 /* not found, this must be the first snooped fragment for this
944 * packet. Create list-head.
946 fd_head = new_head(0);
949 * We're going to use the key to insert the fragment,
950 * so allocate a structure for it, and copy the
951 * addresses, allocating new buffers for the address
954 new_key = g_slice_new(fragment_key);
955 COPY_ADDRESS(&new_key->src, &key.src);
956 COPY_ADDRESS(&new_key->dst, &key.dst);
957 new_key->id = key.id;
958 g_hash_table_insert(fragment_table, new_key, fd_head);
961 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
962 frag_data_len, more_frags)) {
964 * Reassembly is complete.
969 * Reassembly isn't complete.
976 fragment_add(tvbuff_t *tvb, const int offset, const packet_info *pinfo, const guint32 id,
977 GHashTable *fragment_table, const guint32 frag_offset,
978 const guint32 frag_data_len, const gboolean more_frags)
980 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
981 frag_offset, frag_data_len, more_frags, TRUE);
985 * For use when you can have multiple fragments in the same frame added
986 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
989 fragment_add_multiple_ok(tvbuff_t *tvb, const int offset, const packet_info *pinfo,
990 const guint32 id, GHashTable *fragment_table,
991 const guint32 frag_offset, const guint32 frag_data_len,
992 const gboolean more_frags)
994 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
995 frag_offset, frag_data_len, more_frags, FALSE);
999 fragment_add_check(tvbuff_t *tvb, const int offset, const packet_info *pinfo,
1000 const guint32 id, GHashTable *fragment_table,
1001 GHashTable *reassembled_table, const guint32 frag_offset,
1002 const guint32 frag_data_len, const gboolean more_frags)
1004 reassembled_key reass_key;
1005 fragment_key key, *new_key, *old_key;
1006 gpointer orig_key, value;
1007 fragment_data *fd_head;
1010 * If this isn't the first pass, look for this frame in the table
1011 * of reassembled packets.
1013 if (pinfo->fd->flags.visited) {
1014 reass_key.frame = pinfo->fd->num;
1016 return g_hash_table_lookup(reassembled_table, &reass_key);
1019 /* create key to search hash with */
1020 key.src = pinfo->src;
1021 key.dst = pinfo->dst;
1024 /* Looks up a key in the GHashTable, returning the original key and the associated value
1025 * and a gboolean which is TRUE if the key was found. This is useful if you need to free
1026 * the memory allocated for the original key, for example before calling g_hash_table_remove()
1028 if (!g_hash_table_lookup_extended(fragment_table, &key,
1029 &orig_key, &value)) {
1030 /* not found, this must be the first snooped fragment for this
1031 * packet. Create list-head.
1033 fd_head = new_head(0);
1036 * We're going to use the key to insert the fragment,
1037 * so allocate a structure for it, and copy the
1038 * addresses, allocating new buffers for the address
1041 new_key = g_slice_new(fragment_key);
1042 COPY_ADDRESS(&new_key->src, &key.src);
1043 COPY_ADDRESS(&new_key->dst, &key.dst);
1044 new_key->id = key.id;
1045 g_hash_table_insert(fragment_table, new_key, fd_head);
1047 orig_key = new_key; /* for unhashing it later */
1056 * If this is a short frame, then we can't, and don't, do
1057 * reassembly on it. We just give up.
1059 if (tvb_reported_length(tvb) > tvb_length(tvb))
1062 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1063 frag_data_len, more_frags)) {
1065 * Reassembly is complete.
1066 * Remove this from the table of in-progress
1067 * reassemblies, add it to the table of
1068 * reassembled packets, and return it.
1072 * Remove this from the table of in-progress reassemblies,
1073 * and free up any memory used for it in that table.
1076 fragment_unhash(fragment_table, old_key);
1079 * Add this item to the table of reassembled packets.
1081 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1085 * Reassembly isn't complete.
1092 fragment_defragment_and_free (fragment_data *fd_head, const packet_info *pinfo)
1094 fragment_data *fd_i = NULL;
1095 fragment_data *last_fd = NULL;
1096 guint32 dfpos = 0, size = 0;
1097 void *old_data = NULL;
1099 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1100 if(!last_fd || last_fd->offset!=fd_i->offset){
1106 /* store old data in case the fd_i->data pointers refer to it */
1107 old_data=fd_head->data;
1108 fd_head->data = g_malloc(size);
1109 fd_head->len = size; /* record size for caller */
1111 /* add all data fragments */
1113 for (fd_i=fd_head->next; fd_i; fd_i=fd_i->next) {
1115 if(!last_fd || last_fd->offset != fd_i->offset) {
1116 /* First fragment or in-sequence fragment */
1117 memcpy(fd_head->data+dfpos, fd_i->data, fd_i->len);
1120 /* duplicate/retransmission/overlap */
1121 fd_i->flags |= FD_OVERLAP;
1122 fd_head->flags |= FD_OVERLAP;
1123 if(last_fd->len != fd_i->len
1124 || memcmp(last_fd->data, fd_i->data, last_fd->len) ) {
1125 fd_i->flags |= FD_OVERLAPCONFLICT;
1126 fd_head->flags |= FD_OVERLAPCONFLICT;
1133 /* we have defragmented the pdu, now free all fragments*/
1134 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1135 if( fd_i->flags & FD_NOT_MALLOCED )
1136 fd_i->flags &= ~FD_NOT_MALLOCED;
1143 /* mark this packet as defragmented.
1144 * allows us to skip any trailing fragments.
1146 fd_head->flags |= FD_DEFRAGMENTED;
1147 fd_head->reassembled_in=pinfo->fd->num;
1151 * This function adds a new fragment to the entry for a reassembly
1154 * The list of fragments for a specific datagram is kept sorted for
1157 * Returns TRUE if we have all the fragments, FALSE otherwise.
1159 * This function assumes frag_number being a block sequence number.
1160 * The bsn for the first block is 0.
1163 fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, const int offset,
1164 const packet_info *pinfo, const guint32 frag_number,
1165 const guint32 frag_data_len, const gboolean more_frags,
1166 const guint32 flags _U_)
1169 fragment_data *fd_i;
1170 fragment_data *last_fd;
1173 /* if the partial reassembly flag has been set, and we are extending
1174 * the pdu, un-reassemble the pdu. This means pointing old fds to malloc'ed data.
1176 if(fd_head->flags & FD_DEFRAGMENTED && frag_number >= fd_head->datalen &&
1177 fd_head->flags & FD_PARTIAL_REASSEMBLY){
1178 guint32 lastdfpos = 0;
1180 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
1182 if( fd_i->flags & FD_OVERLAP ) {
1183 /* this is a duplicate of the previous
1185 fd_i->data = fd_head->data + lastdfpos;
1187 fd_i->data = fd_head->data + dfpos;
1191 fd_i->flags |= FD_NOT_MALLOCED;
1193 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1195 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
1196 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1198 fd_head->reassembled_in=0;
1202 /* create new fd describing this fragment */
1203 fd = g_slice_new(fragment_data);
1206 fd->frame = pinfo->fd->num;
1207 fd->offset = frag_number;
1208 fd->len = frag_data_len;
1213 * This is the tail fragment in the sequence.
1215 if (fd_head->flags&FD_DATALEN_SET) {
1216 /* ok we have already seen other tails for this packet
1217 * it might be a duplicate.
1219 if (fd_head->datalen != fd->offset ){
1220 /* Oops, this tail indicates a different packet
1221 * len than the previous ones. Something's wrong.
1223 fd->flags |= FD_MULTIPLETAILS;
1224 fd_head->flags |= FD_MULTIPLETAILS;
1227 /* this was the first tail fragment, now we know the
1228 * sequence number of that fragment (which is NOT
1229 * the length of the packet!)
1231 fd_head->datalen = fd->offset;
1232 fd_head->flags |= FD_DATALEN_SET;
1236 /* If the packet is already defragmented, this MUST be an overlap.
1237 * The entire defragmented packet is in fd_head->data
1238 * Even if we have previously defragmented this packet, we still check
1239 * check it. Someone might play overlap and TTL games.
1241 if (fd_head->flags & FD_DEFRAGMENTED) {
1242 fd->flags |= FD_OVERLAP;
1243 fd_head->flags |= FD_OVERLAP;
1245 /* make sure it's not past the end */
1246 if (fd->offset > fd_head->datalen) {
1247 /* new fragment comes after the end */
1248 fd->flags |= FD_TOOLONGFRAGMENT;
1249 fd_head->flags |= FD_TOOLONGFRAGMENT;
1250 LINK_FRAG(fd_head,fd);
1253 /* make sure it doesn't conflict with previous data */
1256 for (fd_i=fd_head->next;fd_i && (fd_i->offset!=fd->offset);fd_i=fd_i->next) {
1257 if (!last_fd || last_fd->offset!=fd_i->offset){
1263 /* new fragment overlaps existing fragment */
1264 if(fd_i->len!=fd->len){
1266 * They have different lengths; this
1267 * is definitely a conflict.
1269 fd->flags |= FD_OVERLAPCONFLICT;
1270 fd_head->flags |= FD_OVERLAPCONFLICT;
1271 LINK_FRAG(fd_head,fd);
1274 DISSECTOR_ASSERT(fd_head->len >= dfpos + fd->len);
1275 if ( memcmp(fd_head->data+dfpos,
1276 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1278 * They have the same length, but the
1279 * data isn't the same.
1281 fd->flags |= FD_OVERLAPCONFLICT;
1282 fd_head->flags |= FD_OVERLAPCONFLICT;
1283 LINK_FRAG(fd_head,fd);
1286 /* it was just an overlap, link it and return */
1287 LINK_FRAG(fd_head,fd);
1291 * New fragment doesn't overlap an existing
1292 * fragment - there was presumably a gap in
1293 * the sequence number space.
1295 * XXX - what should we do here? Is it always
1296 * the case that there are no gaps, or are there
1297 * protcols using sequence numbers where there
1300 * If the former, the check below for having
1301 * received all the fragments should check for
1302 * holes in the sequence number space and for the
1303 * first sequence number being 0. If we do that,
1304 * the only way we can get here is if this fragment
1305 * is past the end of the sequence number space -
1306 * but the check for "fd->offset > fd_head->datalen"
1307 * would have caught that above, so it can't happen.
1309 * If the latter, we don't have a good way of
1310 * knowing whether reassembly is complete if we
1311 * get packet out of order such that the "last"
1312 * fragment doesn't show up last - but, unless
1313 * in-order reliable delivery of fragments is
1314 * guaranteed, an implementation of the protocol
1315 * has no way of knowing whether reassembly is
1318 * For now, we just link the fragment in and
1321 LINK_FRAG(fd_head,fd);
1326 /* If we have reached this point, the packet is not defragmented yet.
1327 * Save all payload in a buffer until we can defragment.
1328 * XXX - what if we didn't capture the entire fragment due
1329 * to a too-short snapshot length?
1331 /* check len, there may be a fragment with 0 len, that is actually the tail */
1333 fd->data = g_malloc(fd->len);
1334 tvb_memcpy(tvb, fd->data, offset, fd->len);
1336 LINK_FRAG(fd_head,fd);
1339 if( !(fd_head->flags & FD_DATALEN_SET) ){
1340 /* if we dont know the sequence number of the last fragment,
1341 * there are definitely still missing packets. Cheaper than
1348 /* check if we have received the entire fragment
1349 * this is easy since the list is sorted and the head is faked.
1350 * common case the whole list is scanned.
1353 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1354 if ( fd_i->offset==max ){
1358 /* max will now be datalen+1 if all fragments have been seen */
1360 if (max <= fd_head->datalen) {
1361 /* we have not received all packets yet */
1366 if (max > (fd_head->datalen+1)) {
1367 /* oops, too long fragment detected */
1368 fd->flags |= FD_TOOLONGFRAGMENT;
1369 fd_head->flags |= FD_TOOLONGFRAGMENT;
1373 /* we have received an entire packet, defragment it and
1374 * free all fragments
1376 fragment_defragment_and_free(fd_head, pinfo);
1382 * This function adds a new fragment to the fragment hash table.
1383 * If this is the first fragment seen for this datagram, a new entry
1384 * is created in the hash table, otherwise this fragment is just added
1385 * to the linked list of fragments for this packet.
1387 * Returns a pointer to the head of the fragment data list if we have all the
1388 * fragments, NULL otherwise.
1390 * This function assumes frag_number being a block sequence number.
1391 * The bsn for the first block is 0.
1394 fragment_add_seq(tvbuff_t *tvb, const int offset, const packet_info *pinfo, const guint32 id,
1395 GHashTable *fragment_table, const guint32 frag_number,
1396 const guint32 frag_data_len, const gboolean more_frags)
1400 /* create key to search hash with */
1401 key.src = pinfo->src;
1402 key.dst = pinfo->dst;
1405 return fragment_add_seq_key(tvb, offset, pinfo,
1406 &key, fragment_key_copy,
1407 fragment_table, frag_number,
1408 frag_data_len, more_frags, 0);
1413 fragment_add_dcerpc_dg(tvbuff_t *tvb, const int offset, const packet_info *pinfo, const guint32 id,
1415 GHashTable *fragment_table, const guint32 frag_number,
1416 const guint32 frag_data_len, const gboolean more_frags)
1418 e_uuid_t *act_id = (e_uuid_t *)v_act_id;
1419 dcerpc_fragment_key key;
1421 /* create key to search hash with */
1422 key.src = pinfo->src;
1423 key.dst = pinfo->dst;
1425 key.act_id = *act_id;
1427 return fragment_add_seq_key(tvb, offset, pinfo,
1428 &key, dcerpc_fragment_key_copy,
1429 fragment_table, frag_number,
1430 frag_data_len, more_frags, 0);
1434 fragment_add_seq_key(tvbuff_t *tvb, const int offset, const packet_info *pinfo,
1435 void *key, fragment_key_copier key_copier,
1436 GHashTable *fragment_table, guint32 frag_number,
1437 const guint32 frag_data_len, const gboolean more_frags,
1438 const guint32 flags)
1440 fragment_data *fd_head;
1441 fd_head = g_hash_table_lookup(fragment_table, key);
1443 /* have we already seen this frame ?*/
1444 if (pinfo->fd->flags.visited) {
1445 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1453 /* not found, this must be the first snooped fragment for this
1454 * packet. Create list-head.
1456 fd_head= new_head(FD_BLOCKSEQUENCE);
1458 if((flags & (REASSEMBLE_FLAGS_NO_FRAG_NUMBER|REASSEMBLE_FLAGS_802_11_HACK))
1461 * This is the last fragment for this packet, and
1462 * is the only one we've seen.
1464 * Either we don't have sequence numbers, in which
1465 * case we assume this is the first fragment for
1466 * this packet, or we're doing special 802.11
1467 * processing, in which case we assume it's one
1468 * of those reassembled packets with a non-zero
1469 * fragment number (see packet-80211.c); just
1470 * return a pointer to the head of the list;
1471 * fragment_add_seq_check will then add it to the table
1472 * of reassembled packets.
1474 fd_head->reassembled_in=pinfo->fd->num;
1479 * We're going to use the key to insert the fragment,
1480 * so copy it to a long-term store.
1482 if(key_copier != NULL)
1483 key = key_copier(key);
1484 g_hash_table_insert(fragment_table, key, fd_head);
1487 * If we weren't given an initial fragment number,
1490 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER)
1493 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER) {
1496 * If we weren't given an initial fragment number,
1497 * use the next expected fragment number as the fragment
1498 * number for this fragment.
1500 for (fd = fd_head; fd != NULL; fd = fd->next) {
1501 if (fd->next == NULL)
1502 frag_number = fd->offset + 1;
1508 * XXX I've copied this over from the old separate
1509 * fragment_add_seq_check_work, but I'm not convinced it's doing the
1510 * right thing -- rav
1512 * If we don't have all the data that is in this fragment,
1513 * then we can't, and don't, do reassembly on it.
1515 * If it's the first frame, handle it as an unfragmented packet.
1516 * Otherwise, just handle it as a fragment.
1518 * If "more_frags" isn't set, we get rid of the entry in the
1519 * hash table for this reassembly, as we don't need it any more.
1521 if ((flags & REASSEMBLE_FLAGS_CHECK_DATA_PRESENT) &&
1522 !tvb_bytes_exist(tvb, offset, frag_data_len)) {
1526 * Remove this from the table of in-progress
1527 * reassemblies, and free up any memory used for
1530 if (g_hash_table_lookup_extended(fragment_table, key,
1532 fragment_unhash(fragment_table, (fragment_key *)orig_key);
1535 fd_head -> flags |= FD_DATA_NOT_PRESENT;
1536 return frag_number == 0 ? fd_head : NULL;
1539 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1540 frag_number, frag_data_len, more_frags, flags)) {
1542 * Reassembly is complete.
1547 * Reassembly isn't complete.
1554 * This does the work for "fragment_add_seq_check()" and
1555 * "fragment_add_seq_next()".
1557 * This function assumes frag_number being a block sequence number.
1558 * The bsn for the first block is 0.
1560 * If "no_frag_number" is TRUE, it uses the next expected fragment number
1561 * as the fragment number if there is a reassembly in progress, otherwise
1564 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
1565 * the fragment number.
1567 * If this is the first fragment seen for this datagram, a new
1568 * "fragment_data" structure is allocated to refer to the reassembled
1571 * This fragment is added to the linked list of fragments for this packet.
1573 * If "more_frags" is false and REASSEMBLE_FLAGS_802_11_HACK (as the name
1574 * implies, a special hack for 802.11) or REASSEMBLE_FLAGS_NO_FRAG_NUMBER
1575 * (implying messages must be in order since there's no sequence number) are
1576 * set in "flags", then this (one element) list is returned.
1578 * If, after processing this fragment, we have all the fragments,
1579 * "fragment_add_seq_check_work()" removes that from the fragment hash
1580 * table if necessary and adds it to the table of reassembled fragments,
1581 * and returns a pointer to the head of the fragment list.
1583 * Otherwise, it returns NULL.
1585 * XXX - Should we simply return NULL for zero-length fragments?
1587 static fragment_data *
1588 fragment_add_seq_check_work(tvbuff_t *tvb, const int offset,
1589 const packet_info *pinfo, const guint32 id,
1590 GHashTable *fragment_table,
1591 GHashTable *reassembled_table,
1592 const guint32 frag_number,
1593 const guint32 frag_data_len,
1594 const gboolean more_frags, const guint32 flags)
1596 reassembled_key reass_key;
1598 fragment_data *fd_head;
1601 * Have we already seen this frame?
1602 * If so, look for it in the table of reassembled packets.
1604 if (pinfo->fd->flags.visited) {
1605 reass_key.frame = pinfo->fd->num;
1607 return g_hash_table_lookup(reassembled_table, &reass_key);
1610 /* create key to search hash with */
1611 key.src = pinfo->src;
1612 key.dst = pinfo->dst;
1615 fd_head = fragment_add_seq_key(tvb, offset, pinfo,
1616 &key, fragment_key_copy,
1617 fragment_table, frag_number,
1618 frag_data_len, more_frags, flags|REASSEMBLE_FLAGS_CHECK_DATA_PRESENT);
1622 if(fd_head->flags & FD_DATA_NOT_PRESENT) {
1623 /* this is the first fragment of a datagram with
1624 * truncated fragments. Don't move it to the
1625 * reassembled table. */
1630 * Reassembly is complete.
1631 * Remove this from the table of in-progress
1632 * reassemblies, add it to the table of
1633 * reassembled packets, and return it.
1635 if (g_hash_table_lookup_extended(fragment_table, &key,
1638 * Remove this from the table of in-progress reassemblies,
1639 * and free up any memory used for it in that table.
1641 fragment_unhash(fragment_table, (fragment_key *)orig_key);
1645 * Add this item to the table of reassembled packets.
1647 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1651 * Reassembly isn't complete.
1658 fragment_add_seq_check(tvbuff_t *tvb, const int offset,
1659 const packet_info *pinfo, const guint32 id,
1660 GHashTable *fragment_table,
1661 GHashTable *reassembled_table, const guint32 frag_number,
1662 const guint32 frag_data_len, const gboolean more_frags)
1664 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1665 fragment_table, reassembled_table,
1666 frag_number, frag_data_len,
1671 fragment_add_seq_802_11(tvbuff_t *tvb, const int offset,
1672 const packet_info *pinfo, const guint32 id,
1673 GHashTable *fragment_table,
1674 GHashTable *reassembled_table,
1675 const guint32 frag_number, const guint32 frag_data_len,
1676 const gboolean more_frags)
1678 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1679 fragment_table, reassembled_table,
1680 frag_number, frag_data_len,
1682 REASSEMBLE_FLAGS_802_11_HACK);
1686 fragment_add_seq_next(tvbuff_t *tvb, const int offset, const packet_info *pinfo,
1687 const guint32 id, GHashTable *fragment_table,
1688 GHashTable *reassembled_table, const guint32 frag_data_len,
1689 const gboolean more_frags)
1691 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1692 fragment_table, reassembled_table, 0,
1693 frag_data_len, more_frags,
1694 REASSEMBLE_FLAGS_NO_FRAG_NUMBER);
1698 fragment_start_seq_check(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table,
1699 const guint32 tot_len)
1701 fragment_key key, *new_key;
1702 fragment_data *fd_head;
1704 /* Have we already seen this frame ?*/
1705 if (pinfo->fd->flags.visited) {
1709 /* Create key to search hash with */
1710 key.src = pinfo->src;
1711 key.dst = pinfo->dst;
1714 /* Check if fragment data exist for this key */
1715 fd_head = g_hash_table_lookup(fragment_table, &key);
1717 if (fd_head == NULL) {
1718 /* Create list-head. */
1719 fd_head = g_slice_new(fragment_data);
1720 fd_head->next = NULL;
1721 fd_head->datalen = tot_len;
1722 fd_head->offset = 0;
1724 fd_head->flags = FD_BLOCKSEQUENCE|FD_DATALEN_SET;
1725 fd_head->data = NULL;
1726 fd_head->reassembled_in = 0;
1728 * We're going to use the key to insert the fragment,
1729 * so copy it to a long-term store.
1731 new_key = fragment_key_copy(&key);
1732 g_hash_table_insert(fragment_table, new_key, fd_head);
1737 fragment_end_seq_next(const packet_info *pinfo, const guint32 id, GHashTable *fragment_table,
1738 GHashTable *reassembled_table)
1740 reassembled_key reass_key;
1741 reassembled_key *new_key;
1743 fragment_data *fd_head;
1746 * Have we already seen this frame?
1747 * If so, look for it in the table of reassembled packets.
1749 if (pinfo->fd->flags.visited) {
1750 reass_key.frame = pinfo->fd->num;
1752 return g_hash_table_lookup(reassembled_table, &reass_key);
1755 /* create key to search hash with */
1756 key.src = pinfo->src;
1757 key.dst = pinfo->dst;
1760 fd_head = g_hash_table_lookup (fragment_table, &key);
1765 if (fd_head->flags & FD_DATA_NOT_PRESENT) {
1770 fd_head->datalen = fd_head->offset;
1771 fd_head->flags |= FD_DATALEN_SET;
1773 fragment_defragment_and_free (fd_head, pinfo);
1776 * Remove this from the table of in-progress
1777 * reassemblies, add it to the table of
1778 * reassembled packets, and return it.
1780 if (g_hash_table_lookup_extended(fragment_table, &key,
1783 * Remove this from the table of in-progress reassemblies,
1784 * and free up any memory used for it in that table.
1786 fragment_unhash(fragment_table, (fragment_key *)orig_key);
1790 * Add this item to the table of reassembled packets.
1792 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1793 if (fd_head->next != NULL) {
1794 new_key = se_alloc(sizeof(reassembled_key));
1795 new_key->frame = pinfo->fd->num;
1797 g_hash_table_insert(reassembled_table, new_key, fd_head);
1803 * Fragment data not found.
1810 * Process reassembled data; if we're on the frame in which the data
1811 * was reassembled, put the fragment information into the protocol
1812 * tree, and construct a tvbuff with the reassembled data, otherwise
1813 * just put a "reassembled in" item into the protocol tree.
1816 process_reassembled_data(tvbuff_t *tvb, const int offset, packet_info *pinfo,
1817 const char *name, fragment_data *fd_head, const fragment_items *fit,
1818 gboolean *update_col_infop, proto_tree *tree)
1821 gboolean update_col_info;
1822 proto_item *frag_tree_item;
1824 if (fd_head != NULL && pinfo->fd->num == fd_head->reassembled_in) {
1826 * OK, we've reassembled this.
1827 * Is this something that's been reassembled from more
1828 * than one fragment?
1830 if (fd_head->next != NULL) {
1833 * Allocate a new tvbuff, referring to the
1834 * reassembled payload.
1836 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1837 next_tvb = tvb_new_real_data(fd_head->data,
1838 fd_head->len, fd_head->len);
1840 next_tvb = tvb_new_real_data(fd_head->data,
1841 fd_head->datalen, fd_head->datalen);
1845 * Add the tvbuff to the list of tvbuffs to which
1846 * the tvbuff we were handed refers, so it'll get
1847 * cleaned up when that tvbuff is cleaned up.
1849 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1851 /* Add the defragmented data to the data source list. */
1852 add_new_data_source(pinfo, next_tvb, name);
1854 /* show all fragments */
1855 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1856 update_col_info = !show_fragment_seq_tree(
1857 fd_head, fit, tree, pinfo, next_tvb, &frag_tree_item);
1859 update_col_info = !show_fragment_tree(fd_head,
1860 fit, tree, pinfo, next_tvb, &frag_tree_item);
1865 * Return a tvbuff with the payload.
1867 next_tvb = tvb_new_subset_remaining(tvb, offset);
1868 pinfo->fragmented = FALSE; /* one-fragment packet */
1869 update_col_info = TRUE;
1871 if (update_col_infop != NULL)
1872 *update_col_infop = update_col_info;
1875 * We don't have the complete reassembled payload, or this
1876 * isn't the final frame of that payload.
1881 * If we know what frame this was reassembled in,
1882 * and if there's a field to use for the number of
1883 * the frame in which the packet was reassembled,
1884 * add it to the protocol tree.
1886 if (fd_head != NULL && fit->hf_reassembled_in != NULL) {
1887 proto_tree_add_uint(tree,
1888 *(fit->hf_reassembled_in), tvb,
1889 0, 0, fd_head->reassembled_in);
1896 * Show a single fragment in a fragment subtree, and put information about
1897 * it in the top-level item for that subtree.
1900 show_fragment(fragment_data *fd, const int offset, const fragment_items *fit,
1901 proto_tree *ft, proto_item *fi, const gboolean first_frag,
1902 const guint32 count, tvbuff_t *tvb, packet_info *pinfo)
1904 proto_item *fei=NULL;
1910 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragment)));
1912 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragments)));
1914 proto_item_set_text(fi, "%u %s (%u byte%s): ", count, name, tvb_length(tvb),
1915 plurality(tvb_length(tvb), "", "s"));
1918 proto_item_append_text(fi, ", ");
1920 proto_item_append_text(fi, "#%u(%u)", fd->frame, fd->len);
1922 if (fd->flags & (FD_OVERLAPCONFLICT
1923 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1924 hf = *(fit->hf_fragment_error);
1926 hf = *(fit->hf_fragment);
1929 fei = proto_tree_add_uint_format(ft, hf,
1930 tvb, offset, fd->len,
1932 "Frame: %u (no data)",
1935 fei = proto_tree_add_uint_format(ft, hf,
1936 tvb, offset, fd->len,
1938 "Frame: %u, payload: %u-%u (%u byte%s)",
1943 plurality(fd->len, "", "s"));
1945 PROTO_ITEM_SET_GENERATED(fei);
1946 mark_frame_as_depended_upon(pinfo, fd->frame);
1947 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
1948 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1949 /* this fragment has some flags set, create a subtree
1950 * for it and display the flags.
1952 proto_tree *fet=NULL;
1954 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
1955 if (fd->flags&FD_OVERLAP) {
1956 fei=proto_tree_add_boolean(fet,
1957 *(fit->hf_fragment_overlap),
1960 PROTO_ITEM_SET_GENERATED(fei);
1962 if (fd->flags&FD_OVERLAPCONFLICT) {
1963 fei=proto_tree_add_boolean(fet,
1964 *(fit->hf_fragment_overlap_conflict),
1967 PROTO_ITEM_SET_GENERATED(fei);
1969 if (fd->flags&FD_MULTIPLETAILS) {
1970 fei=proto_tree_add_boolean(fet,
1971 *(fit->hf_fragment_multiple_tails),
1974 PROTO_ITEM_SET_GENERATED(fei);
1976 if (fd->flags&FD_TOOLONGFRAGMENT) {
1977 fei=proto_tree_add_boolean(fet,
1978 *(fit->hf_fragment_too_long_fragment),
1981 PROTO_ITEM_SET_GENERATED(fei);
1987 show_fragment_errs_in_col(fragment_data *fd_head, const fragment_items *fit,
1990 if (fd_head->flags & (FD_OVERLAPCONFLICT
1991 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1992 if (check_col(pinfo->cinfo, COL_INFO)) {
1993 col_add_fstr(pinfo->cinfo, COL_INFO,
1994 "[Illegal %s]", fit->tag);
2002 /* This function will build the fragment subtree; it's for fragments
2003 reassembled with "fragment_add()".
2005 It will return TRUE if there were fragmentation errors
2006 or FALSE if fragmentation was ok.
2009 show_fragment_tree(fragment_data *fd_head, const fragment_items *fit,
2010 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2014 gboolean first_frag;
2016 /* It's not fragmented. */
2017 pinfo->fragmented = FALSE;
2019 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA);
2020 PROTO_ITEM_SET_GENERATED(*fi);
2022 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2024 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2027 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2028 show_fragment(fd, fd->offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
2032 if (fit->hf_fragment_count) {
2033 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2035 PROTO_ITEM_SET_GENERATED(fli);
2038 if (fit->hf_reassembled_length) {
2039 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2040 tvb, 0, 0, tvb_length (tvb));
2041 PROTO_ITEM_SET_GENERATED(fli);
2044 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2047 /* This function will build the fragment subtree; it's for fragments
2048 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
2050 It will return TRUE if there were fragmentation errors
2051 or FALSE if fragmentation was ok.
2054 show_fragment_seq_tree(fragment_data *fd_head, const fragment_items *fit,
2055 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2057 guint32 offset, next_offset, count = 0;
2058 fragment_data *fd, *last_fd;
2060 gboolean first_frag;
2062 /* It's not fragmented. */
2063 pinfo->fragmented = FALSE;
2065 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA);
2066 PROTO_ITEM_SET_GENERATED(*fi);
2068 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2073 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2076 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2077 if (last_fd == NULL || last_fd->offset != fd->offset) {
2078 offset = next_offset;
2079 next_offset += fd->len;
2082 show_fragment(fd, offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
2086 if (fit->hf_fragment_count) {
2087 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2089 PROTO_ITEM_SET_GENERATED(fli);
2092 if (fit->hf_reassembled_length) {
2093 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2094 tvb, 0, 0, tvb_length (tvb));
2095 PROTO_ITEM_SET_GENERATED(fli);
2098 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2104 * indent-tabs-mode: t
git.samba.org / obnox / wireshark / wip.git / blob