2 * Routines for {fragment,segment} reassembly
4 * $Id: reassemble.c,v 1.28 2002/12/19 11:22:38 sahlberg Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
33 #include "reassemble.h"
36 typedef struct _fragment_key {
42 static GMemChunk *fragment_key_chunk = NULL;
43 static GMemChunk *fragment_data_chunk = NULL;
44 static int fragment_init_count = 200;
46 #define LINK_FRAG(fd_head,fd) \
47 { fragment_data *fd_i; \
48 /* add fragment to list, keep list sorted */ \
49 for(fd_i=(fd_head);fd_i->next;fd_i=fd_i->next){ \
50 if( ((fd)->offset) < (fd_i->next->offset) ) \
53 (fd)->next=fd_i->next; \
58 fragment_equal(gconstpointer k1, gconstpointer k2)
60 const fragment_key* key1 = (const fragment_key*) k1;
61 const fragment_key* key2 = (const fragment_key*) k2;
63 /*key.id is the first item to compare since item is most
64 likely to differ between sessions, thus shortcircuiting
65 the comparasion of addresses.
67 return ( ( (key1->id == key2->id) &&
68 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
69 (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
75 fragment_hash(gconstpointer k)
77 const fragment_key* key = (const fragment_key*) k;
85 /* More than likely: in most captures src and dst addresses are the
86 same, and would hash the same.
87 We only use id as the hash as an optimization.
89 for (i = 0; i < key->src.len; i++)
90 hash_val += key->src.data[i];
91 for (i = 0; i < key->dst.len; i++)
92 hash_val += key->dst.data[i];
101 * XXX - we use the frame_data structure for a frame as the key
102 * structure, with the frame number as the item compared.
104 * This won't work if there's more than one form of reassembly using
105 * the reassembled-packet hash tables going on in the frame, and two
106 * or more are using the same protocol and thus the same hash table.
108 * We could use the addresses, or the reassembly ID, to distinguish
109 * between the reassemblies, if necessary.
111 * Hopefully, we won't see anything perverse such as that (say, some
112 * form of IP-in-IP tunneling, with fragments of an IP datagram
113 * tunneled inside IP datagrams that are themselves fragmented).
116 reassembled_equal(gconstpointer k1, gconstpointer k2)
118 const frame_data* key1 = (const frame_data*) k1;
119 const frame_data* key2 = (const frame_data*) k2;
121 return (key1->num == key2->num);
125 reassembled_hash(gconstpointer k)
127 const frame_data* key = (const frame_data*) k;
133 * For a fragment hash table entry, free the address data to which the key
134 * refers and the fragment data to which the value refers.
135 * (The actual key and value structures get freed by "reassemble_init()".)
138 free_all_fragments(gpointer key_arg, gpointer value, gpointer user_data _U_)
140 fragment_key *key = key_arg;
141 fragment_data *fd_head;
144 * Grr. I guess the theory here is that freeing
145 * something sure as heck modifies it, so you
146 * want to ban attempts to free it, but, alas,
147 * if we make the "data" field of an "address"
148 * structure not a "const", the compiler whines if
149 * we try to make it point into the data for a packet,
150 * as that's a "const" array (and should be, as dissectors
151 * shouldn't trash it).
153 * So we cast the complaint into oblivion, and rely on
154 * the fact that these addresses are known to have had
155 * their data mallocated, i.e. they don't point into,
156 * say, the middle of the data for a packet.
158 g_free((gpointer)key->src.data);
159 g_free((gpointer)key->dst.data);
161 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
162 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
163 g_free(fd_head->data);
170 * For a reassembled-packet hash table entry, free the fragment data
171 * to which the value refers.
172 * (The actual value structures get freed by "reassemble_init()".)
175 free_all_reassembled_fragments(gpointer key_arg _U_, gpointer value,
176 gpointer user_data _U_)
178 fragment_data *fd_head;
180 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
181 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
182 g_free(fd_head->data);
189 * Initialize a fragment table.
192 fragment_table_init(GHashTable **fragment_table)
194 if (*fragment_table != NULL) {
196 * The fragment hash table exists.
198 * Remove all entries and free fragment data for
199 * each entry. (The key and value data is freed
200 * by "reassemble_init()".)
202 g_hash_table_foreach_remove(*fragment_table,
203 free_all_fragments, NULL);
205 /* The fragment table does not exist. Create it */
206 *fragment_table = g_hash_table_new(fragment_hash,
212 * Initialize a reassembled-packet table.
215 reassembled_table_init(GHashTable **reassembled_table)
217 if (*reassembled_table != NULL) {
219 * The reassembled-packet hash table exists.
221 * Remove all entries and free fragment data for
222 * each entry. (The key and value data is freed
223 * by "reassemble_init()".)
225 g_hash_table_foreach_remove(*reassembled_table,
226 free_all_reassembled_fragments, NULL);
228 /* The fragment table does not exist. Create it */
229 *reassembled_table = g_hash_table_new(reassembled_hash,
235 * Free up all space allocated for fragment keys and data.
238 reassemble_init(void)
240 if (fragment_key_chunk != NULL)
241 g_mem_chunk_destroy(fragment_key_chunk);
242 if (fragment_data_chunk != NULL)
243 g_mem_chunk_destroy(fragment_data_chunk);
244 fragment_key_chunk = g_mem_chunk_new("fragment_key_chunk",
245 sizeof(fragment_key),
246 fragment_init_count * sizeof(fragment_key),
248 fragment_data_chunk = g_mem_chunk_new("fragment_data_chunk",
249 sizeof(fragment_data),
250 fragment_init_count * sizeof(fragment_data),
255 /* This function cleans up the stored state and removes the reassembly data and
256 * (with one exception) all allocated memory for matching reassembly.
259 * If the PDU was already completely reassembled, then the buffer containing the
260 * reassembled data WILL NOT be free()d, and the pointer to that buffer will be
262 * Othervise the function will return NULL.
264 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to
265 * g_free() that buffer.
268 fragment_delete(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
270 fragment_data *fd_head, *fd;
272 unsigned char *data=NULL;
274 /* create key to search hash with */
275 key.src = pinfo->src;
276 key.dst = pinfo->dst;
279 fd_head = g_hash_table_lookup(fragment_table, &key);
282 /* We do not recognize this as a PDU we have seen before. return*/
287 /* loop over all partial fragments and free any buffers */
288 for(fd=fd_head->next;fd;){
289 fragment_data *tmp_fd;
292 if( !(fd->flags&FD_NOT_MALLOCED) )
294 g_mem_chunk_free(fragment_data_chunk, fd);
297 g_mem_chunk_free(fragment_data_chunk, fd_head);
298 g_hash_table_remove(fragment_table, &key);
303 /* This function is used to check if there is partial or completed reassembly state
304 * matching this packet. I.e. Are there reassembly going on or not for this packet?
307 fragment_get(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
309 fragment_data *fd_head;
312 /* create key to search hash with */
313 key.src = pinfo->src;
314 key.dst = pinfo->dst;
317 fd_head = g_hash_table_lookup(fragment_table, &key);
322 /* This function can be used to explicitely set the total length (if known)
323 * for reassembly of a PDU.
324 * This is useful for reassembly of PDUs where one may have the total length specified
325 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
326 * is the last fragment.
328 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
329 * and just tell the reassembly engine the expected total length of the reassembled data
330 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
332 * note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
333 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
334 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
337 fragment_set_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table,
340 fragment_data *fd_head;
343 /* create key to search hash with */
344 key.src = pinfo->src;
345 key.dst = pinfo->dst;
348 fd_head = g_hash_table_lookup(fragment_table, &key);
351 fd_head->datalen = tot_len;
358 fragment_get_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
360 fragment_data *fd_head;
363 /* create key to search hash with */
364 key.src = pinfo->src;
365 key.dst = pinfo->dst;
368 fd_head = g_hash_table_lookup(fragment_table, &key);
371 return fd_head->datalen;
378 /* This function will set the partial reassembly flag for a fh.
379 When this function is called, the fh MUST already exist, i.e.
380 the fh MUST be created by the initial call to fragment_add() before
381 this function is called.
382 Also note that this function MUST be called to indicate a fh will be
383 extended (increase the already stored data)
387 fragment_set_partial_reassembly(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
389 fragment_data *fd_head;
392 /* create key to search hash with */
393 key.src = pinfo->src;
394 key.dst = pinfo->dst;
397 fd_head = g_hash_table_lookup(fragment_table, &key);
400 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
405 * This function adds a new fragment to the fragment hash table.
406 * If this is the first fragment seen for this datagram, a new entry
407 * is created in the hash table, otherwise this fragment is just added
408 * to the linked list of fragments for this packet.
409 * The list of fragments for a specific datagram is kept sorted for
412 * Returns a pointer to the head of the fragment data list if we have all the
413 * fragments, NULL otherwise.
415 * This function assumes frag_offset being a byte offset into the defragment
419 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
420 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
421 * using fragment_set_partial_reassembly() before calling fragment_add
422 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
423 * are lowered when a new extension process is started.
426 fragment_add(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
427 GHashTable *fragment_table, guint32 frag_offset,
428 guint32 frag_data_len, gboolean more_frags)
430 fragment_key key, *new_key;
431 fragment_data *fd_head;
435 unsigned char *old_data;
437 /* create key to search hash with */
438 key.src = pinfo->src;
439 key.dst = pinfo->dst;
442 fd_head = g_hash_table_lookup(fragment_table, &key);
444 /* have we already seen this frame ?*/
445 if (pinfo->fd->flags.visited) {
446 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
454 /* not found, this must be the first snooped fragment for this
455 * packet. Create list-head.
457 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
458 /* head/first structure in list only holds no other data than
459 * 'datalen' then we don't have to change the head of the list
460 * even if we want to keep it sorted
470 * We're going to use the key to insert the fragment,
471 * so allocate a structure for it, and copy the
472 * addresses, allocating new buffers for the address
475 new_key = g_mem_chunk_alloc(fragment_key_chunk);
476 COPY_ADDRESS(&new_key->src, &key.src);
477 COPY_ADDRESS(&new_key->dst, &key.dst);
478 new_key->id = key.id;
479 g_hash_table_insert(fragment_table, new_key, fd_head);
482 /* create new fd describing this fragment */
483 fd = g_mem_chunk_alloc(fragment_data_chunk);
486 fd->frame = pinfo->fd->num;
487 fd->offset = frag_offset;
488 fd->len = frag_data_len;
492 * If it was already defragmented and this new fragment goes beyond
493 * data limits, set flag in already empty fds & point old fds to malloc'ed data.
495 if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen &&
496 fd_head->flags & FD_PARTIAL_REASSEMBLY){
497 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
499 fd_i->data = fd_head->data + fd_i->offset;
500 fd_i->flags |= FD_NOT_MALLOCED;
502 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
504 fd_head->flags ^= FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY;
505 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
511 * This is the tail fragment in the sequence.
513 if (fd_head->datalen) {
514 /* ok we have already seen other tails for this packet
515 * it might be a duplicate.
517 if (fd_head->datalen != (fd->offset + fd->len) ){
518 /* Oops, this tail indicates a different packet
519 * len than the previous ones. Somethings wrong
521 fd->flags |= FD_MULTIPLETAILS;
522 fd_head->flags |= FD_MULTIPLETAILS;
525 /* this was the first tail fragment, now we know the
526 * length of the packet
528 fd_head->datalen = fd->offset + fd->len;
535 /* If the packet is already defragmented, this MUST be an overlap.
536 * The entire defragmented packet is in fd_head->data
537 * Even if we have previously defragmented this packet, we still check
538 * check it. Someone might play overlap and TTL games.
540 if (fd_head->flags & FD_DEFRAGMENTED) {
541 fd->flags |= FD_OVERLAP;
542 fd_head->flags |= FD_OVERLAP;
543 /* make sure its not too long */
544 if (fd->offset + fd->len > fd_head->datalen) {
545 fd->flags |= FD_TOOLONGFRAGMENT;
546 fd_head->flags |= FD_TOOLONGFRAGMENT;
547 LINK_FRAG(fd_head,fd);
550 /* make sure it doesnt conflict with previous data */
551 if ( memcmp(fd_head->data+fd->offset,
552 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
553 fd->flags |= FD_OVERLAPCONFLICT;
554 fd_head->flags |= FD_OVERLAPCONFLICT;
555 LINK_FRAG(fd_head,fd);
558 /* it was just an overlap, link it and return */
559 LINK_FRAG(fd_head,fd);
565 /* If we have reached this point, the packet is not defragmented yet.
566 * Save all payload in a buffer until we can defragment.
567 * XXX - what if we didn't capture the entire fragment due
568 * to a too-short snapshot length?
570 fd->data = g_malloc(fd->len);
571 tvb_memcpy(tvb, fd->data, offset, fd->len);
572 LINK_FRAG(fd_head,fd);
575 if( !(fd_head->datalen) ){
576 /* if we dont know the datalen, there are still missing
577 * packets. Cheaper than the check below.
583 /* check if we have received the entire fragment
584 * this is easy since the list is sorted and the head is faked.
587 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
588 if ( ((fd_i->offset)<=max) &&
589 ((fd_i->offset+fd_i->len)>max) ){
590 max = fd_i->offset+fd_i->len;
594 if (max < (fd_head->datalen)) {
595 /* we have not received all packets yet */
600 if (max > (fd_head->datalen)) {
601 /*XXX not sure if current fd was the TOOLONG*/
602 /*XXX is it fair to flag current fd*/
603 /* oops, too long fragment detected */
604 fd->flags |= FD_TOOLONGFRAGMENT;
605 fd_head->flags |= FD_TOOLONGFRAGMENT;
609 /* we have received an entire packet, defragment it and
612 /* store old data just in case */
613 old_data=fd_head->data;
614 fd_head->data = g_malloc(max);
616 /* add all data fragments */
617 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
619 if (fd_i->offset < dfpos) {
620 fd_i->flags |= FD_OVERLAP;
621 fd_head->flags |= FD_OVERLAP;
622 if ( memcmp(fd_head->data+fd_i->offset,
624 MIN(fd_i->len,(dfpos-fd_i->offset))
626 fd_i->flags |= FD_OVERLAPCONFLICT;
627 fd_head->flags |= FD_OVERLAPCONFLICT;
630 /* dfpos is always >= than fd_i->offset */
631 /* No gaps can exist here, max_loop(above) does this */
632 if( fd_i->offset+fd_i->len > dfpos )
633 memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
634 fd_i->len-(dfpos-fd_i->offset));
635 if( fd_i->flags & FD_NOT_MALLOCED )
636 fd_i->flags ^= FD_NOT_MALLOCED;
641 dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
647 /* mark this packet as defragmented.
648 allows us to skip any trailing fragments */
649 fd_head->flags |= FD_DEFRAGMENTED;
655 * This function adds a new fragment to the entry for a reassembly
658 * The list of fragments for a specific datagram is kept sorted for
661 * Returns TRUE if we have all the fragments, FALSE otherwise.
663 * This function assumes frag_number being a block sequence number.
664 * The bsn for the first block is 0.
667 fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
668 packet_info *pinfo, guint32 frag_number,
669 guint32 frag_data_len, gboolean more_frags)
673 fragment_data *last_fd;
674 guint32 max, dfpos, size;
676 /* create new fd describing this fragment */
677 fd = g_mem_chunk_alloc(fragment_data_chunk);
680 fd->frame = pinfo->fd->num;
681 fd->offset = frag_number;
682 fd->len = frag_data_len;
687 * This is the tail fragment in the sequence.
689 if (fd_head->datalen) {
690 /* ok we have already seen other tails for this packet
691 * it might be a duplicate.
693 if (fd_head->datalen != fd->offset ){
694 /* Oops, this tail indicates a different packet
695 * len than the previous ones. Somethings wrong
697 fd->flags |= FD_MULTIPLETAILS;
698 fd_head->flags |= FD_MULTIPLETAILS;
701 /* this was the first tail fragment, now we know the
702 * length of the packet
704 fd_head->datalen = fd->offset;
708 /* If the packet is already defragmented, this MUST be an overlap.
709 * The entire defragmented packet is in fd_head->data
710 * Even if we have previously defragmented this packet, we still check
711 * check it. Someone might play overlap and TTL games.
713 if (fd_head->flags & FD_DEFRAGMENTED) {
714 fd->flags |= FD_OVERLAP;
715 fd_head->flags |= FD_OVERLAP;
717 /* make sure its not too long */
718 if (fd->offset > fd_head->datalen) {
719 fd->flags |= FD_TOOLONGFRAGMENT;
720 fd_head->flags |= FD_TOOLONGFRAGMENT;
721 LINK_FRAG(fd_head,fd);
724 /* make sure it doesnt conflict with previous data */
727 for (fd_i=fd_head->next;fd_i->offset!=fd->offset;fd_i=fd_i->next) {
728 if (!last_fd || last_fd->offset!=fd_i->offset){
733 if(fd_i->datalen!=fd->datalen){
734 fd->flags |= FD_OVERLAPCONFLICT;
735 fd_head->flags |= FD_OVERLAPCONFLICT;
736 LINK_FRAG(fd_head,fd);
739 g_assert(fd_head->len >= dfpos + fd->len);
740 if ( memcmp(fd_head->data+dfpos,
741 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
742 fd->flags |= FD_OVERLAPCONFLICT;
743 fd_head->flags |= FD_OVERLAPCONFLICT;
744 LINK_FRAG(fd_head,fd);
747 /* it was just an overlap, link it and return */
748 LINK_FRAG(fd_head,fd);
752 /* If we have reached this point, the packet is not defragmented yet.
753 * Save all payload in a buffer until we can defragment.
754 * XXX - what if we didn't capture the entire fragment due
755 * to a too-short snapshot length?
757 fd->data = g_malloc(fd->len);
758 tvb_memcpy(tvb, fd->data, offset, fd->len);
759 LINK_FRAG(fd_head,fd);
762 if( !(fd_head->datalen) ){
763 /* if we dont know the datalen, there are still missing
764 * packets. Cheaper than the check below.
770 /* check if we have received the entire fragment
771 * this is easy since the list is sorted and the head is faked.
774 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
775 if ( fd_i->offset==max ){
779 /* max will now be datalen+1 if all fragments have been seen */
781 if (max <= fd_head->datalen) {
782 /* we have not received all packets yet */
787 if (max > (fd_head->datalen+1)) {
788 /* oops, too long fragment detected */
789 fd->flags |= FD_TOOLONGFRAGMENT;
790 fd_head->flags |= FD_TOOLONGFRAGMENT;
794 /* we have received an entire packet, defragment it and
799 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
800 if(!last_fd || last_fd->offset!=fd_i->offset){
805 fd_head->data = g_malloc(size);
806 fd_head->len = size; /* record size for caller */
808 /* add all data fragments */
810 for (dfpos=0,fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
812 if(!last_fd || last_fd->offset!=fd_i->offset){
813 memcpy(fd_head->data+dfpos,fd_i->data,fd_i->len);
816 /* duplicate/retransmission/overlap */
817 fd_i->flags |= FD_OVERLAP;
818 fd_head->flags |= FD_OVERLAP;
819 if( (last_fd->len!=fd_i->datalen)
820 || memcmp(last_fd->data, fd_i->data, last_fd->len) ){
821 fd->flags |= FD_OVERLAPCONFLICT;
822 fd_head->flags |= FD_OVERLAPCONFLICT;
829 /* we have defragmented the pdu, now free all fragments*/
830 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
837 /* mark this packet as defragmented.
838 allows us to skip any trailing fragments */
839 fd_head->flags |= FD_DEFRAGMENTED;
845 * This function adds a new fragment to the fragment hash table.
846 * If this is the first fragment seen for this datagram, a new entry
847 * is created in the hash table, otherwise this fragment is just added
848 * to the linked list of fragments for this packet.
850 * Returns a pointer to the head of the fragment data list if we have all the
851 * fragments, NULL otherwise.
853 * This function assumes frag_number being a block sequence number.
854 * The bsn for the first block is 0.
857 fragment_add_seq(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
858 GHashTable *fragment_table, guint32 frag_number,
859 guint32 frag_data_len, gboolean more_frags)
861 fragment_key key, *new_key;
862 fragment_data *fd_head;
864 /* create key to search hash with */
865 key.src = pinfo->src;
866 key.dst = pinfo->dst;
869 fd_head = g_hash_table_lookup(fragment_table, &key);
871 /* have we already seen this frame ?*/
872 if (pinfo->fd->flags.visited) {
873 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
881 /* not found, this must be the first snooped fragment for this
882 * packet. Create list-head.
884 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
885 /* head/first structure in list only holds no other data than
886 * 'datalen' then we don't have to change the head of the list
887 * even if we want to keep it sorted
893 fd_head->flags=FD_BLOCKSEQUENCE;
897 * We're going to use the key to insert the fragment,
898 * so allocate a structure for it, and copy the
899 * addresses, allocating new buffers for the address
902 new_key = g_mem_chunk_alloc(fragment_key_chunk);
903 COPY_ADDRESS(&new_key->src, &key.src);
904 COPY_ADDRESS(&new_key->dst, &key.dst);
905 new_key->id = key.id;
906 g_hash_table_insert(fragment_table, new_key, fd_head);
909 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
910 frag_number, frag_data_len, more_frags)) {
912 * Reassembly is complete.
917 * Reassembly isn't complete.
924 * This function gets rid of an entry from a fragment table, given
925 * a pointer to the key for that entry; it also frees up the key
926 * and the addresses in it.
929 fragment_unhash(GHashTable *fragment_table, fragment_key *key)
932 * Free up the copies of the addresses from the old key.
934 g_free((gpointer)key->src.data);
935 g_free((gpointer)key->dst.data);
938 * Remove the entry from the fragment table.
940 g_hash_table_remove(fragment_table, key);
943 * Free the key itself.
945 g_mem_chunk_free(fragment_key_chunk, key);
949 * This function adds fragment_data structure to a reassembled-packet
950 * hash table, using the frame data structure as the key.
953 fragment_reassembled(fragment_data *fd_head, packet_info *pinfo,
954 GHashTable *reassembled_table)
956 g_hash_table_insert(reassembled_table, pinfo->fd, fd_head);
960 * This does the work for "fragment_add_seq_check()" and
961 * "fragment_add_seq_next()".
963 * This function assumes frag_number being a block sequence number.
964 * The bsn for the first block is 0.
966 * If "no_frag_number" is TRUE, it uses the next expected fragment number
967 * as the fragment number if there is a reassembly in progress, otherwise
970 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
971 * the fragment number.
973 * If this is the first fragment seen for this datagram, a new
974 * "fragment_data" structure is allocated to refer to the reassembled,
977 * if "more_frags" is false, the structure is not added to
978 * the hash table, and not given any fragments to refer to,
979 * but is just returned;
981 * if "more_frags" is true, this fragment is added to the linked
982 * list of fragments for this packet, and the "fragment_data"
983 * structure is put into the hash table.
985 * Otherwise, this fragment is just added to the linked list of fragments
988 * Returns a pointer to the head of the fragment data list, and removes
989 * that from the fragment hash table if necessary and adds it to the
990 * table of reassembled fragments, if we have all the fragments or if
991 * this is the only fragment and "more_frags" is false, returns NULL
995 fragment_add_seq_check_work(tvbuff_t *tvb, int offset, packet_info *pinfo,
996 guint32 id, GHashTable *fragment_table,
997 GHashTable *reassembled_table, guint32 frag_number,
998 guint32 frag_data_len, gboolean more_frags,
999 gboolean no_frag_number)
1001 fragment_key key, *new_key, *old_key;
1002 gpointer orig_key, value;
1003 fragment_data *fd_head, *fd;
1006 * Have we already seen this frame?
1007 * If so, look for it in the table of reassembled packets.
1009 if (pinfo->fd->flags.visited)
1010 return g_hash_table_lookup(reassembled_table, pinfo->fd);
1012 /* create key to search hash with */
1013 key.src = pinfo->src;
1014 key.dst = pinfo->dst;
1017 if (!g_hash_table_lookup_extended(fragment_table, &key,
1018 &orig_key, &value)) {
1019 /* not found, this must be the first snooped fragment for this
1020 * packet. Create list-head.
1022 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
1024 /* head/first structure in list only holds no other data than
1025 * 'datalen' then we don't have to change the head of the list
1026 * even if we want to keep it sorted
1032 fd_head->flags=FD_BLOCKSEQUENCE;
1037 * This is the last snooped fragment for this
1038 * packet as well; that means it's the only
1039 * fragment. Just add it to the table of
1040 * reassembled packets, and return it.
1042 fragment_reassembled(fd_head, pinfo,
1048 * We're going to use the key to insert the fragment,
1049 * so allocate a structure for it, and copy the
1050 * addresses, allocating new buffers for the address
1053 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1054 COPY_ADDRESS(&new_key->src, &key.src);
1055 COPY_ADDRESS(&new_key->dst, &key.dst);
1056 new_key->id = key.id;
1057 g_hash_table_insert(fragment_table, new_key, fd_head);
1059 orig_key = new_key; /* for unhashing it later */
1062 * If we weren't given an initial fragment number,
1074 * If we weren't given an initial fragment number,
1075 * use the next expected fragment number as the fragment
1076 * number for this fragment.
1078 if (no_frag_number) {
1079 for (fd = fd_head; fd != NULL; fd = fd->next) {
1080 if (fd->next == NULL)
1081 frag_number = fd->offset + 1;
1087 * If this is a short frame, then we can't, and don't, do
1090 * If it's the first frame, handle it as an unfragmented packet.
1091 * Otherwise, just handle it as a fragment.
1093 * If "more_frags" isn't set, we get rid of the entry in the
1094 * hash table for this reassembly, as we don't need it any more.
1096 if (tvb_reported_length(tvb) > tvb_length(tvb)) {
1099 * Remove this from the table of in-progress
1100 * reassemblies, and free up any memory used for
1104 fragment_unhash(fragment_table, old_key);
1106 return frag_number == 0 ? fd_head : NULL;
1109 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1110 frag_number, frag_data_len, more_frags)) {
1112 * Reassembly is complete.
1113 * Remove this from the table of in-progress
1114 * reassemblies, add it to the table of
1115 * reassembled packets, and return it.
1119 * Remove this from the table of in-progress reassemblies,
1120 * and free up any memory used for it in that table.
1123 fragment_unhash(fragment_table, old_key);
1126 * Add this item to the table of reassembled packets.
1128 fragment_reassembled(fd_head, pinfo, reassembled_table);
1132 * Reassembly isn't complete.
1139 fragment_add_seq_check(tvbuff_t *tvb, int offset, packet_info *pinfo,
1140 guint32 id, GHashTable *fragment_table,
1141 GHashTable *reassembled_table, guint32 frag_number,
1142 guint32 frag_data_len, gboolean more_frags)
1144 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1145 fragment_table, reassembled_table, frag_number, frag_data_len,
1150 fragment_add_seq_next(tvbuff_t *tvb, int offset, packet_info *pinfo,
1151 guint32 id, GHashTable *fragment_table,
1152 GHashTable *reassembled_table, guint32 frag_data_len,
1153 gboolean more_frags)
1155 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1156 fragment_table, reassembled_table, 0, frag_data_len,
1161 * Show a single fragment in a fragment subtree.
1164 show_fragment(fragment_data *fd, int offset, const fragment_items *fit,
1165 proto_tree *ft, tvbuff_t *tvb)
1167 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
1168 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1169 /* this fragment has some flags set, create a subtree
1170 * for it and display the flags.
1172 proto_tree *fet=NULL;
1173 proto_item *fei=NULL;
1176 if (fd->flags & (FD_OVERLAPCONFLICT
1177 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1178 hf = *(fit->hf_fragment_error);
1180 hf = *(fit->hf_fragment);
1182 fei = proto_tree_add_uint_format(ft, hf,
1183 tvb, offset, fd->len,
1185 "Frame:%u payload:%u-%u",
1189 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
1190 if (fd->flags&FD_OVERLAP) {
1191 proto_tree_add_boolean(fet,
1192 *(fit->hf_fragment_overlap),
1196 if (fd->flags&FD_OVERLAPCONFLICT) {
1197 proto_tree_add_boolean(fet,
1198 *(fit->hf_fragment_overlap_conflict),
1202 if (fd->flags&FD_MULTIPLETAILS) {
1203 proto_tree_add_boolean(fet,
1204 *(fit->hf_fragment_multiple_tails),
1208 if (fd->flags&FD_TOOLONGFRAGMENT) {
1209 proto_tree_add_boolean(fet,
1210 *(fit->hf_fragment_too_long_fragment),
1215 /* nothing of interest for this fragment */
1216 proto_tree_add_uint_format(ft, *(fit->hf_fragment),
1217 tvb, offset, fd->len,
1219 "Frame:%u payload:%u-%u",
1228 show_fragment_errs_in_col(fragment_data *fd_head, const fragment_items *fit,
1231 if (fd_head->flags & (FD_OVERLAPCONFLICT
1232 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1233 if (check_col(pinfo->cinfo, COL_INFO)) {
1234 col_add_fstr(pinfo->cinfo, COL_INFO,
1235 "[Illegal %s]", fit->tag);
1243 /* This function will build the fragment subtree; it's for fragments
1244 reassembled with "fragment_add()".
1246 It will return TRUE if there were fragmentation errors
1247 or FALSE if fragmentation was ok.
1250 show_fragment_tree(fragment_data *fd_head, const fragment_items *fit,
1251 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
1257 /* It's not fragmented. */
1258 pinfo->fragmented = FALSE;
1260 fi = proto_tree_add_item(tree, *(fit->hf_fragments),
1262 ft = proto_item_add_subtree(fi, *(fit->ett_fragments));
1263 for (fd = fd_head->next; fd != NULL; fd = fd->next)
1264 show_fragment(fd, fd->offset, fit, ft, tvb);
1266 return show_fragment_errs_in_col(fd_head, fit, pinfo);
1269 /* This function will build the fragment subtree; it's for fragments
1270 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
1272 It will return TRUE if there were fragmentation errors
1273 or FALSE if fragmentation was ok.
1276 show_fragment_seq_tree(fragment_data *fd_head, const fragment_items *fit,
1277 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
1279 guint32 offset, next_offset;
1280 fragment_data *fd, *last_fd;
1284 /* It's not fragmented. */
1285 pinfo->fragmented = FALSE;
1287 fi = proto_tree_add_item(tree, *(fit->hf_fragments),
1289 ft = proto_item_add_subtree(fi, *(fit->ett_fragments));
1293 for (fd = fd_head->next; fd != NULL; fd = fd->next){
1294 if (last_fd == NULL || last_fd->offset != fd->offset) {
1295 offset = next_offset;
1296 next_offset += fd->len;
1299 show_fragment(fd, offset, fit, ft, tvb);
1302 return show_fragment_errs_in_col(fd_head, fit, pinfo);