2 * Routines for {fragment,segment} reassembly
4 * $Id: reassemble.c,v 1.43 2003/09/25 01:50:41 tpot Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
33 #include "reassemble.h"
36 typedef struct _fragment_key {
42 static GMemChunk *fragment_key_chunk = NULL;
43 static GMemChunk *fragment_data_chunk = NULL;
44 static int fragment_init_count = 200;
46 #define LINK_FRAG(fd_head,fd) \
47 { fragment_data *fd_i; \
48 /* add fragment to list, keep list sorted */ \
49 for(fd_i=(fd_head);fd_i->next;fd_i=fd_i->next){ \
50 if( ((fd)->offset) < (fd_i->next->offset) ) \
53 (fd)->next=fd_i->next; \
58 fragment_equal(gconstpointer k1, gconstpointer k2)
60 const fragment_key* key1 = (const fragment_key*) k1;
61 const fragment_key* key2 = (const fragment_key*) k2;
63 /*key.id is the first item to compare since item is most
64 likely to differ between sessions, thus shortcircuiting
65 the comparasion of addresses.
67 return ( ( (key1->id == key2->id) &&
68 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
69 (ADDRESSES_EQUAL(&key1->dst, &key2->dst))
75 fragment_hash(gconstpointer k)
77 const fragment_key* key = (const fragment_key*) k;
85 /* More than likely: in most captures src and dst addresses are the
86 same, and would hash the same.
87 We only use id as the hash as an optimization.
89 for (i = 0; i < key->src.len; i++)
90 hash_val += key->src.data[i];
91 for (i = 0; i < key->dst.len; i++)
92 hash_val += key->dst.data[i];
100 typedef struct _reassembled_key {
105 static GMemChunk *reassembled_key_chunk = NULL;
108 reassembled_equal(gconstpointer k1, gconstpointer k2)
110 const reassembled_key* key1 = (const reassembled_key*) k1;
111 const reassembled_key* key2 = (const reassembled_key*) k2;
114 * We assume that the frame numbers are unlikely to be equal,
115 * so we check them first.
117 return key1->frame == key2->frame && key1->id == key2->id;
121 reassembled_hash(gconstpointer k)
123 const reassembled_key* key = (const reassembled_key*) k;
129 * For a fragment hash table entry, free the address data to which the key
130 * refers and the fragment data to which the value refers.
131 * (The actual key and value structures get freed by "reassemble_init()".)
134 free_all_fragments(gpointer key_arg, gpointer value, gpointer user_data _U_)
136 fragment_key *key = key_arg;
137 fragment_data *fd_head;
140 * Grr. I guess the theory here is that freeing
141 * something sure as heck modifies it, so you
142 * want to ban attempts to free it, but, alas,
143 * if we make the "data" field of an "address"
144 * structure not a "const", the compiler whines if
145 * we try to make it point into the data for a packet,
146 * as that's a "const" array (and should be, as dissectors
147 * shouldn't trash it).
149 * So we cast the complaint into oblivion, and rely on
150 * the fact that these addresses are known to have had
151 * their data mallocated, i.e. they don't point into,
152 * say, the middle of the data for a packet.
154 g_free((gpointer)key->src.data);
155 g_free((gpointer)key->dst.data);
157 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
158 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED))
159 g_free(fd_head->data);
166 * For a reassembled-packet hash table entry, free the fragment data
167 * to which the value refers.
168 * (The actual value structures get freed by "reassemble_init()".)
171 free_all_reassembled_fragments(gpointer key_arg _U_, gpointer value,
172 gpointer user_data _U_)
174 fragment_data *fd_head;
176 for (fd_head = value; fd_head != NULL; fd_head = fd_head->next) {
177 if(fd_head->data && !(fd_head->flags&FD_NOT_MALLOCED)) {
178 g_free(fd_head->data);
181 * A reassembled packet is inserted into the
182 * hash table once for every frame that made
183 * up the reassembled packet; clear the data
184 * pointer so that we only free the data the
185 * first time we see it.
187 fd_head->data = NULL;
195 * Initialize a fragment table.
198 fragment_table_init(GHashTable **fragment_table)
200 if (*fragment_table != NULL) {
202 * The fragment hash table exists.
204 * Remove all entries and free fragment data for
205 * each entry. (The key and value data is freed
206 * by "reassemble_init()".)
208 g_hash_table_foreach_remove(*fragment_table,
209 free_all_fragments, NULL);
211 /* The fragment table does not exist. Create it */
212 *fragment_table = g_hash_table_new(fragment_hash,
218 * Initialize a reassembled-packet table.
221 reassembled_table_init(GHashTable **reassembled_table)
223 if (*reassembled_table != NULL) {
225 * The reassembled-packet hash table exists.
227 * Remove all entries and free reassembled packet
228 * data for each entry. (The key data is freed
229 * by "reassemble_init()".)
231 g_hash_table_foreach_remove(*reassembled_table,
232 free_all_reassembled_fragments, NULL);
234 /* The fragment table does not exist. Create it */
235 *reassembled_table = g_hash_table_new(reassembled_hash,
241 * Free up all space allocated for fragment keys and data and
245 reassemble_init(void)
247 if (fragment_key_chunk != NULL)
248 g_mem_chunk_destroy(fragment_key_chunk);
249 if (fragment_data_chunk != NULL)
250 g_mem_chunk_destroy(fragment_data_chunk);
251 if (reassembled_key_chunk != NULL)
252 g_mem_chunk_destroy(reassembled_key_chunk);
253 fragment_key_chunk = g_mem_chunk_new("fragment_key_chunk",
254 sizeof(fragment_key),
255 fragment_init_count * sizeof(fragment_key),
257 fragment_data_chunk = g_mem_chunk_new("fragment_data_chunk",
258 sizeof(fragment_data),
259 fragment_init_count * sizeof(fragment_data),
261 reassembled_key_chunk = g_mem_chunk_new("reassembled_key_chunk",
262 sizeof(reassembled_key),
263 fragment_init_count * sizeof(reassembled_key),
267 /* This function cleans up the stored state and removes the reassembly data and
268 * (with one exception) all allocated memory for matching reassembly.
271 * If the PDU was already completely reassembled, then the buffer containing the
272 * reassembled data WILL NOT be free()d, and the pointer to that buffer will be
274 * Othervise the function will return NULL.
276 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible to
277 * g_free() that buffer.
280 fragment_delete(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
282 fragment_data *fd_head, *fd;
284 unsigned char *data=NULL;
286 /* create key to search hash with */
287 key.src = pinfo->src;
288 key.dst = pinfo->dst;
291 fd_head = g_hash_table_lookup(fragment_table, &key);
294 /* We do not recognize this as a PDU we have seen before. return*/
299 /* loop over all partial fragments and free any buffers */
300 for(fd=fd_head->next;fd;){
301 fragment_data *tmp_fd;
304 if( !(fd->flags&FD_NOT_MALLOCED) )
306 g_mem_chunk_free(fragment_data_chunk, fd);
309 g_mem_chunk_free(fragment_data_chunk, fd_head);
310 g_hash_table_remove(fragment_table, &key);
315 /* This function is used to check if there is partial or completed reassembly state
316 * matching this packet. I.e. Are there reassembly going on or not for this packet?
319 fragment_get(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
321 fragment_data *fd_head;
324 /* create key to search hash with */
325 key.src = pinfo->src;
326 key.dst = pinfo->dst;
329 fd_head = g_hash_table_lookup(fragment_table, &key);
334 /* This function can be used to explicitely set the total length (if known)
335 * for reassembly of a PDU.
336 * This is useful for reassembly of PDUs where one may have the total length specified
337 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
338 * is the last fragment.
340 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
341 * and just tell the reassembly engine the expected total length of the reassembled data
342 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
344 * note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
345 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
346 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
349 fragment_set_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table,
352 fragment_data *fd_head;
355 /* create key to search hash with */
356 key.src = pinfo->src;
357 key.dst = pinfo->dst;
360 fd_head = g_hash_table_lookup(fragment_table, &key);
363 fd_head->datalen = tot_len;
370 fragment_get_tot_len(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
372 fragment_data *fd_head;
375 /* create key to search hash with */
376 key.src = pinfo->src;
377 key.dst = pinfo->dst;
380 fd_head = g_hash_table_lookup(fragment_table, &key);
383 return fd_head->datalen;
390 /* This function will set the partial reassembly flag for a fh.
391 When this function is called, the fh MUST already exist, i.e.
392 the fh MUST be created by the initial call to fragment_add() before
393 this function is called.
394 Also note that this function MUST be called to indicate a fh will be
395 extended (increase the already stored data)
399 fragment_set_partial_reassembly(packet_info *pinfo, guint32 id, GHashTable *fragment_table)
401 fragment_data *fd_head;
404 /* create key to search hash with */
405 key.src = pinfo->src;
406 key.dst = pinfo->dst;
409 fd_head = g_hash_table_lookup(fragment_table, &key);
412 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
417 * This function gets rid of an entry from a fragment table, given
418 * a pointer to the key for that entry; it also frees up the key
419 * and the addresses in it.
422 fragment_unhash(GHashTable *fragment_table, fragment_key *key)
425 * Free up the copies of the addresses from the old key.
427 g_free((gpointer)key->src.data);
428 g_free((gpointer)key->dst.data);
431 * Remove the entry from the fragment table.
433 g_hash_table_remove(fragment_table, key);
436 * Free the key itself.
438 g_mem_chunk_free(fragment_key_chunk, key);
442 * This function adds fragment_data structure to a reassembled-packet
443 * hash table, using the frame numbers of each of the frames from
444 * which it was reassembled as keys, and sets the "reassembled_in"
448 fragment_reassembled(fragment_data *fd_head, packet_info *pinfo,
449 GHashTable *reassembled_table, guint32 id)
451 reassembled_key *new_key;
454 if (fd_head->next == NULL) {
456 * This was not fragmented, so there's no fragment
457 * table; just hash it using the current frame number.
459 new_key = g_mem_chunk_alloc(reassembled_key_chunk);
460 new_key->frame = pinfo->fd->num;
462 g_hash_table_insert(reassembled_table, new_key, fd_head);
465 * Hash it with the frame numbers for all the frames.
467 for (fd = fd_head->next; fd != NULL; fd = fd->next){
468 new_key = g_mem_chunk_alloc(reassembled_key_chunk);
469 new_key->frame = fd->frame;
471 g_hash_table_insert(reassembled_table, new_key,
475 fd_head->flags |= FD_DEFRAGMENTED;
476 fd_head->reassembled_in = pinfo->fd->num;
480 * This function adds a new fragment to the fragment hash table.
481 * If this is the first fragment seen for this datagram, a new entry
482 * is created in the hash table, otherwise this fragment is just added
483 * to the linked list of fragments for this packet.
484 * The list of fragments for a specific datagram is kept sorted for
487 * Returns a pointer to the head of the fragment data list if we have all the
488 * fragments, NULL otherwise.
490 * This function assumes frag_offset being a byte offset into the defragment
494 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
495 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
496 * using fragment_set_partial_reassembly() before calling fragment_add
497 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
498 * are lowered when a new extension process is started.
501 fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
502 packet_info *pinfo, guint32 frag_offset,
503 guint32 frag_data_len, gboolean more_frags)
508 unsigned char *old_data;
510 /* create new fd describing this fragment */
511 fd = g_mem_chunk_alloc(fragment_data_chunk);
514 fd->frame = pinfo->fd->num;
515 fd->offset = frag_offset;
516 fd->len = frag_data_len;
520 * If it was already defragmented and this new fragment goes beyond
521 * data limits, set flag in already empty fds & point old fds to malloc'ed data.
523 if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen &&
524 fd_head->flags & FD_PARTIAL_REASSEMBLY){
525 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
527 fd_i->data = fd_head->data + fd_i->offset;
528 fd_i->flags |= FD_NOT_MALLOCED;
530 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
532 fd_head->flags ^= FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY;
533 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
539 * This is the tail fragment in the sequence.
541 if (fd_head->datalen) {
542 /* ok we have already seen other tails for this packet
543 * it might be a duplicate.
545 if (fd_head->datalen != (fd->offset + fd->len) ){
546 /* Oops, this tail indicates a different packet
547 * len than the previous ones. Somethings wrong
549 fd->flags |= FD_MULTIPLETAILS;
550 fd_head->flags |= FD_MULTIPLETAILS;
553 /* this was the first tail fragment, now we know the
554 * length of the packet
556 fd_head->datalen = fd->offset + fd->len;
563 /* If the packet is already defragmented, this MUST be an overlap.
564 * The entire defragmented packet is in fd_head->data
565 * Even if we have previously defragmented this packet, we still check
566 * check it. Someone might play overlap and TTL games.
568 if (fd_head->flags & FD_DEFRAGMENTED) {
569 fd->flags |= FD_OVERLAP;
570 fd_head->flags |= FD_OVERLAP;
571 /* make sure its not too long */
572 if (fd->offset + fd->len > fd_head->datalen) {
573 fd->flags |= FD_TOOLONGFRAGMENT;
574 fd_head->flags |= FD_TOOLONGFRAGMENT;
575 LINK_FRAG(fd_head,fd);
578 /* make sure it doesnt conflict with previous data */
579 if ( memcmp(fd_head->data+fd->offset,
580 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
581 fd->flags |= FD_OVERLAPCONFLICT;
582 fd_head->flags |= FD_OVERLAPCONFLICT;
583 LINK_FRAG(fd_head,fd);
586 /* it was just an overlap, link it and return */
587 LINK_FRAG(fd_head,fd);
593 /* If we have reached this point, the packet is not defragmented yet.
594 * Save all payload in a buffer until we can defragment.
595 * XXX - what if we didn't capture the entire fragment due
596 * to a too-short snapshot length?
598 fd->data = g_malloc(fd->len);
599 tvb_memcpy(tvb, fd->data, offset, fd->len);
600 LINK_FRAG(fd_head,fd);
603 if( !(fd_head->datalen) ){
604 /* if we dont know the datalen, there are still missing
605 * packets. Cheaper than the check below.
611 /* check if we have received the entire fragment
612 * this is easy since the list is sorted and the head is faked.
615 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
616 if ( ((fd_i->offset)<=max) &&
617 ((fd_i->offset+fd_i->len)>max) ){
618 max = fd_i->offset+fd_i->len;
622 if (max < (fd_head->datalen)) {
623 /* we have not received all packets yet */
628 if (max > (fd_head->datalen)) {
629 /*XXX not sure if current fd was the TOOLONG*/
630 /*XXX is it fair to flag current fd*/
631 /* oops, too long fragment detected */
632 fd->flags |= FD_TOOLONGFRAGMENT;
633 fd_head->flags |= FD_TOOLONGFRAGMENT;
637 /* we have received an entire packet, defragment it and
640 /* store old data just in case */
641 old_data=fd_head->data;
642 fd_head->data = g_malloc(max);
644 /* add all data fragments */
645 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
647 if (fd_i->offset < dfpos) {
648 fd_i->flags |= FD_OVERLAP;
649 fd_head->flags |= FD_OVERLAP;
650 if ( memcmp(fd_head->data+fd_i->offset,
652 MIN(fd_i->len,(dfpos-fd_i->offset))
654 fd_i->flags |= FD_OVERLAPCONFLICT;
655 fd_head->flags |= FD_OVERLAPCONFLICT;
658 /* dfpos is always >= than fd_i->offset */
659 /* No gaps can exist here, max_loop(above) does this */
660 if( fd_i->offset+fd_i->len > dfpos )
661 memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
662 fd_i->len-(dfpos-fd_i->offset));
663 if( fd_i->flags & FD_NOT_MALLOCED )
664 fd_i->flags ^= FD_NOT_MALLOCED;
669 dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
675 /* mark this packet as defragmented.
676 allows us to skip any trailing fragments */
677 fd_head->flags |= FD_DEFRAGMENTED;
678 fd_head->reassembled_in=pinfo->fd->num;
684 fragment_add_common(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
685 GHashTable *fragment_table, guint32 frag_offset,
686 guint32 frag_data_len, gboolean more_frags,
687 gboolean check_already_added)
689 fragment_key key, *new_key;
690 fragment_data *fd_head;
691 fragment_data *fd_item;
692 gboolean already_added=pinfo->fd->flags.visited;
694 /* create key to search hash with */
695 key.src = pinfo->src;
696 key.dst = pinfo->dst;
699 fd_head = g_hash_table_lookup(fragment_table, &key);
702 * "already_added" is true if "pinfo->fd->flags.visited" is true;
703 * if "pinfo->fd->flags.visited", this isn't the first pass, so
704 * we've already done all the reassembly and added all the
707 * If it's not true, but "check_already_added" is true, just check
708 * if we have seen this fragment before, i.e., if we have already
709 * added it to reassembly.
710 * That can be true even if "pinfo->fd->flags.visited" is false
711 * since we sometimes might call a subdissector multiple times.
712 * As an additional check, just make sure we have not already added
713 * this frame to the reassembly list, if there is a reassembly list;
714 * note that the first item in the reassembly list is not a
715 * fragment, it's a data structure for the reassembled packet.
716 * We don't check it because its "frame" member isn't initialized
717 * to anything, and because it doesn't count in any case.
719 if (!already_added && check_already_added && fd_head != NULL) {
720 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
721 if(pinfo->fd->num==fd_item->frame){
726 /* have we already added this frame ?*/
728 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
736 /* not found, this must be the first snooped fragment for this
737 * packet. Create list-head.
739 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
741 /* head/first structure in list only holds no other data than
742 * 'datalen' then we don't have to change the head of the list
743 * even if we want to keep it sorted
751 fd_head->reassembled_in=0;
754 * We're going to use the key to insert the fragment,
755 * so allocate a structure for it, and copy the
756 * addresses, allocating new buffers for the address
759 new_key = g_mem_chunk_alloc(fragment_key_chunk);
760 COPY_ADDRESS(&new_key->src, &key.src);
761 COPY_ADDRESS(&new_key->dst, &key.dst);
762 new_key->id = key.id;
763 g_hash_table_insert(fragment_table, new_key, fd_head);
766 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
767 frag_data_len, more_frags)) {
769 * Reassembly is complete.
774 * Reassembly isn't complete.
781 fragment_add(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
782 GHashTable *fragment_table, guint32 frag_offset,
783 guint32 frag_data_len, gboolean more_frags)
785 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
786 frag_offset, frag_data_len, more_frags, TRUE);
790 * For use when you can have multiple fragments in the same frame added
791 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
794 fragment_add_multiple_ok(tvbuff_t *tvb, int offset, packet_info *pinfo,
795 guint32 id, GHashTable *fragment_table,
796 guint32 frag_offset, guint32 frag_data_len,
799 return fragment_add_common(tvb, offset, pinfo, id, fragment_table,
800 frag_offset, frag_data_len, more_frags, FALSE);
804 fragment_add_check(tvbuff_t *tvb, int offset, packet_info *pinfo,
805 guint32 id, GHashTable *fragment_table,
806 GHashTable *reassembled_table, guint32 frag_offset,
807 guint32 frag_data_len, gboolean more_frags)
809 reassembled_key reass_key;
810 fragment_key key, *new_key, *old_key;
811 gpointer orig_key, value;
812 fragment_data *fd_head;
815 * If this isn't the first pass, look for this frame in the table
816 * of reassembled packets.
818 if (pinfo->fd->flags.visited) {
819 reass_key.frame = pinfo->fd->num;
821 return g_hash_table_lookup(reassembled_table, &reass_key);
824 /* create key to search hash with */
825 key.src = pinfo->src;
826 key.dst = pinfo->dst;
829 if (!g_hash_table_lookup_extended(fragment_table, &key,
830 &orig_key, &value)) {
831 /* not found, this must be the first snooped fragment for this
832 * packet. Create list-head.
834 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
836 /* head/first structure in list only holds no other data than
837 * 'datalen' then we don't have to change the head of the list
838 * even if we want to keep it sorted
846 fd_head->reassembled_in=0;
849 * We're going to use the key to insert the fragment,
850 * so allocate a structure for it, and copy the
851 * addresses, allocating new buffers for the address
854 new_key = g_mem_chunk_alloc(fragment_key_chunk);
855 COPY_ADDRESS(&new_key->src, &key.src);
856 COPY_ADDRESS(&new_key->dst, &key.dst);
857 new_key->id = key.id;
858 g_hash_table_insert(fragment_table, new_key, fd_head);
860 orig_key = new_key; /* for unhashing it later */
869 * If this is a short frame, then we can't, and don't, do
870 * reassembly on it. We just give up.
872 if (tvb_reported_length(tvb) > tvb_length(tvb))
875 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
876 frag_data_len, more_frags)) {
878 * Reassembly is complete.
879 * Remove this from the table of in-progress
880 * reassemblies, add it to the table of
881 * reassembled packets, and return it.
885 * Remove this from the table of in-progress reassemblies,
886 * and free up any memory used for it in that table.
889 fragment_unhash(fragment_table, old_key);
892 * Add this item to the table of reassembled packets.
894 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
898 * Reassembly isn't complete.
905 * This function adds a new fragment to the entry for a reassembly
908 * The list of fragments for a specific datagram is kept sorted for
911 * Returns TRUE if we have all the fragments, FALSE otherwise.
913 * This function assumes frag_number being a block sequence number.
914 * The bsn for the first block is 0.
917 fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
918 packet_info *pinfo, guint32 frag_number,
919 guint32 frag_data_len, gboolean more_frags)
923 fragment_data *last_fd;
924 guint32 max, dfpos, size;
926 /* create new fd describing this fragment */
927 fd = g_mem_chunk_alloc(fragment_data_chunk);
930 fd->frame = pinfo->fd->num;
931 fd->offset = frag_number;
932 fd->len = frag_data_len;
937 * This is the tail fragment in the sequence.
939 if (fd_head->datalen) {
940 /* ok we have already seen other tails for this packet
941 * it might be a duplicate.
943 if (fd_head->datalen != fd->offset ){
944 /* Oops, this tail indicates a different packet
945 * len than the previous ones. Somethings wrong
947 fd->flags |= FD_MULTIPLETAILS;
948 fd_head->flags |= FD_MULTIPLETAILS;
951 /* this was the first tail fragment, now we know the
952 * sequence number of that fragment (which is NOT
953 * the length of the packet!)
955 fd_head->datalen = fd->offset;
959 /* If the packet is already defragmented, this MUST be an overlap.
960 * The entire defragmented packet is in fd_head->data
961 * Even if we have previously defragmented this packet, we still check
962 * check it. Someone might play overlap and TTL games.
964 if (fd_head->flags & FD_DEFRAGMENTED) {
965 fd->flags |= FD_OVERLAP;
966 fd_head->flags |= FD_OVERLAP;
968 /* make sure it's not past the end */
969 if (fd->offset > fd_head->datalen) {
970 /* new fragment comes after the end */
971 fd->flags |= FD_TOOLONGFRAGMENT;
972 fd_head->flags |= FD_TOOLONGFRAGMENT;
973 LINK_FRAG(fd_head,fd);
976 /* make sure it doesnt conflict with previous data */
979 for (fd_i=fd_head->next;fd_i->offset!=fd->offset;fd_i=fd_i->next) {
980 if (!last_fd || last_fd->offset!=fd_i->offset){
986 /* new fragment overlaps existing fragment */
987 if(fd_i->len!=fd->len){
989 * They have different lengths; this
990 * is definitely a conflict.
992 fd->flags |= FD_OVERLAPCONFLICT;
993 fd_head->flags |= FD_OVERLAPCONFLICT;
994 LINK_FRAG(fd_head,fd);
997 g_assert(fd_head->len >= dfpos + fd->len);
998 if ( memcmp(fd_head->data+dfpos,
999 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1001 * They have the same length, but the
1002 * data isn't the same.
1004 fd->flags |= FD_OVERLAPCONFLICT;
1005 fd_head->flags |= FD_OVERLAPCONFLICT;
1006 LINK_FRAG(fd_head,fd);
1009 /* it was just an overlap, link it and return */
1010 LINK_FRAG(fd_head,fd);
1014 * New fragment doesn't overlap an existing
1015 * fragment - there was presumably a gap in
1016 * the sequence number space.
1018 * XXX - what should we do here? Is it always
1019 * the case that there are no gaps, or are there
1020 * protcols using sequence numbers where there
1023 * If the former, the check below for having
1024 * received all the fragments should check for
1025 * holes in the sequence number space and for the
1026 * first sequence number being 0. If we do that,
1027 * the only way we can get here is if this fragment
1028 * is past the end of the sequence number space -
1029 * but the check for "fd->offset > fd_head->datalen"
1030 * would have caught that above, so it can't happen.
1032 * If the latter, we don't have a good way of
1033 * knowing whether reassembly is complete if we
1034 * get packet out of order such that the "last"
1035 * fragment doesn't show up last - but, unless
1036 * in-order reliable delivery of fragments is
1037 * guaranteed, an implementation of the protocol
1038 * has no way of knowing whether reassembly is
1041 * For now, we just link the fragment in and
1044 LINK_FRAG(fd_head,fd);
1049 /* If we have reached this point, the packet is not defragmented yet.
1050 * Save all payload in a buffer until we can defragment.
1051 * XXX - what if we didn't capture the entire fragment due
1052 * to a too-short snapshot length?
1054 fd->data = g_malloc(fd->len);
1055 tvb_memcpy(tvb, fd->data, offset, fd->len);
1056 LINK_FRAG(fd_head,fd);
1059 if( !(fd_head->datalen) ){
1060 /* if we dont know the sequence number of the last fragment,
1061 * there are definitely still missing packets. Cheaper than
1068 /* check if we have received the entire fragment
1069 * this is easy since the list is sorted and the head is faked.
1072 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1073 if ( fd_i->offset==max ){
1077 /* max will now be datalen+1 if all fragments have been seen */
1079 if (max <= fd_head->datalen) {
1080 /* we have not received all packets yet */
1085 if (max > (fd_head->datalen+1)) {
1086 /* oops, too long fragment detected */
1087 fd->flags |= FD_TOOLONGFRAGMENT;
1088 fd_head->flags |= FD_TOOLONGFRAGMENT;
1092 /* we have received an entire packet, defragment it and
1093 * free all fragments
1097 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1098 if(!last_fd || last_fd->offset!=fd_i->offset){
1103 fd_head->data = g_malloc(size);
1104 fd_head->len = size; /* record size for caller */
1106 /* add all data fragments */
1108 for (dfpos=0,fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1110 if(!last_fd || last_fd->offset!=fd_i->offset){
1111 memcpy(fd_head->data+dfpos,fd_i->data,fd_i->len);
1114 /* duplicate/retransmission/overlap */
1115 fd_i->flags |= FD_OVERLAP;
1116 fd_head->flags |= FD_OVERLAP;
1117 if( (last_fd->len!=fd_i->datalen)
1118 || memcmp(last_fd->data, fd_i->data, last_fd->len) ){
1119 fd->flags |= FD_OVERLAPCONFLICT;
1120 fd_head->flags |= FD_OVERLAPCONFLICT;
1127 /* we have defragmented the pdu, now free all fragments*/
1128 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1135 /* mark this packet as defragmented.
1136 allows us to skip any trailing fragments */
1137 fd_head->flags |= FD_DEFRAGMENTED;
1138 fd_head->reassembled_in=pinfo->fd->num;
1144 * This function adds a new fragment to the fragment hash table.
1145 * If this is the first fragment seen for this datagram, a new entry
1146 * is created in the hash table, otherwise this fragment is just added
1147 * to the linked list of fragments for this packet.
1149 * Returns a pointer to the head of the fragment data list if we have all the
1150 * fragments, NULL otherwise.
1152 * This function assumes frag_number being a block sequence number.
1153 * The bsn for the first block is 0.
1156 fragment_add_seq(tvbuff_t *tvb, int offset, packet_info *pinfo, guint32 id,
1157 GHashTable *fragment_table, guint32 frag_number,
1158 guint32 frag_data_len, gboolean more_frags)
1160 fragment_key key, *new_key;
1161 fragment_data *fd_head;
1163 /* create key to search hash with */
1164 key.src = pinfo->src;
1165 key.dst = pinfo->dst;
1168 fd_head = g_hash_table_lookup(fragment_table, &key);
1170 /* have we already seen this frame ?*/
1171 if (pinfo->fd->flags.visited) {
1172 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1180 /* not found, this must be the first snooped fragment for this
1181 * packet. Create list-head.
1183 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
1185 /* head/first structure in list only holds no other data than
1186 * 'datalen' then we don't have to change the head of the list
1187 * even if we want to keep it sorted
1193 fd_head->flags=FD_BLOCKSEQUENCE;
1195 fd_head->reassembled_in=0;
1198 * We're going to use the key to insert the fragment,
1199 * so allocate a structure for it, and copy the
1200 * addresses, allocating new buffers for the address
1203 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1204 COPY_ADDRESS(&new_key->src, &key.src);
1205 COPY_ADDRESS(&new_key->dst, &key.dst);
1206 new_key->id = key.id;
1207 g_hash_table_insert(fragment_table, new_key, fd_head);
1210 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1211 frag_number, frag_data_len, more_frags)) {
1213 * Reassembly is complete.
1218 * Reassembly isn't complete.
1225 * This does the work for "fragment_add_seq_check()" and
1226 * "fragment_add_seq_next()".
1228 * This function assumes frag_number being a block sequence number.
1229 * The bsn for the first block is 0.
1231 * If "no_frag_number" is TRUE, it uses the next expected fragment number
1232 * as the fragment number if there is a reassembly in progress, otherwise
1235 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
1236 * the fragment number.
1238 * If this is the first fragment seen for this datagram, a new
1239 * "fragment_data" structure is allocated to refer to the reassembled,
1242 * if "more_frags" is false, the structure is not added to
1243 * the hash table, and not given any fragments to refer to,
1244 * but is just returned;
1246 * if "more_frags" is true, this fragment is added to the linked
1247 * list of fragments for this packet, and the "fragment_data"
1248 * structure is put into the hash table.
1250 * Otherwise, this fragment is just added to the linked list of fragments
1253 * Returns a pointer to the head of the fragment data list, and removes
1254 * that from the fragment hash table if necessary and adds it to the
1255 * table of reassembled fragments, if we have all the fragments or if
1256 * this is the only fragment and "more_frags" is false, returns NULL
1260 fragment_add_seq_check_work(tvbuff_t *tvb, int offset, packet_info *pinfo,
1261 guint32 id, GHashTable *fragment_table,
1262 GHashTable *reassembled_table, guint32 frag_number,
1263 guint32 frag_data_len, gboolean more_frags,
1264 gboolean no_frag_number)
1266 reassembled_key reass_key;
1267 fragment_key key, *new_key, *old_key;
1268 gpointer orig_key, value;
1269 fragment_data *fd_head, *fd;
1272 * Have we already seen this frame?
1273 * If so, look for it in the table of reassembled packets.
1275 if (pinfo->fd->flags.visited) {
1276 reass_key.frame = pinfo->fd->num;
1278 return g_hash_table_lookup(reassembled_table, &reass_key);
1281 /* create key to search hash with */
1282 key.src = pinfo->src;
1283 key.dst = pinfo->dst;
1286 if (!g_hash_table_lookup_extended(fragment_table, &key,
1287 &orig_key, &value)) {
1288 /* not found, this must be the first snooped fragment for this
1289 * packet. Create list-head.
1291 fd_head=g_mem_chunk_alloc(fragment_data_chunk);
1293 /* head/first structure in list only holds no other data than
1294 * 'datalen' then we don't have to change the head of the list
1295 * even if we want to keep it sorted
1301 fd_head->flags=FD_BLOCKSEQUENCE;
1303 fd_head->reassembled_in=0;
1307 * This is the last snooped fragment for this
1308 * packet as well; that means it's the only
1309 * fragment. Just add it to the table of
1310 * reassembled packets, and return it.
1312 fragment_reassembled(fd_head, pinfo,
1313 reassembled_table, id);
1318 * We're going to use the key to insert the fragment,
1319 * so allocate a structure for it, and copy the
1320 * addresses, allocating new buffers for the address
1323 new_key = g_mem_chunk_alloc(fragment_key_chunk);
1324 COPY_ADDRESS(&new_key->src, &key.src);
1325 COPY_ADDRESS(&new_key->dst, &key.dst);
1326 new_key->id = key.id;
1327 g_hash_table_insert(fragment_table, new_key, fd_head);
1329 orig_key = new_key; /* for unhashing it later */
1332 * If we weren't given an initial fragment number,
1344 * If we weren't given an initial fragment number,
1345 * use the next expected fragment number as the fragment
1346 * number for this fragment.
1348 if (no_frag_number) {
1349 for (fd = fd_head; fd != NULL; fd = fd->next) {
1350 if (fd->next == NULL)
1351 frag_number = fd->offset + 1;
1357 * If we don't have all the data that is in this fragment,
1358 * then we can't, and don't, do reassembly on it.
1360 * If it's the first frame, handle it as an unfragmented packet.
1361 * Otherwise, just handle it as a fragment.
1363 * If "more_frags" isn't set, we get rid of the entry in the
1364 * hash table for this reassembly, as we don't need it any more.
1366 if (!tvb_bytes_exist(tvb, offset, frag_data_len)) {
1369 * Remove this from the table of in-progress
1370 * reassemblies, and free up any memory used for
1374 fragment_unhash(fragment_table, old_key);
1376 return frag_number == 0 ? fd_head : NULL;
1379 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1380 frag_number, frag_data_len, more_frags)) {
1382 * Reassembly is complete.
1383 * Remove this from the table of in-progress
1384 * reassemblies, add it to the table of
1385 * reassembled packets, and return it.
1389 * Remove this from the table of in-progress reassemblies,
1390 * and free up any memory used for it in that table.
1393 fragment_unhash(fragment_table, old_key);
1396 * Add this item to the table of reassembled packets.
1398 fragment_reassembled(fd_head, pinfo, reassembled_table, id);
1402 * Reassembly isn't complete.
1409 fragment_add_seq_check(tvbuff_t *tvb, int offset, packet_info *pinfo,
1410 guint32 id, GHashTable *fragment_table,
1411 GHashTable *reassembled_table, guint32 frag_number,
1412 guint32 frag_data_len, gboolean more_frags)
1414 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1415 fragment_table, reassembled_table, frag_number, frag_data_len,
1420 fragment_add_seq_next(tvbuff_t *tvb, int offset, packet_info *pinfo,
1421 guint32 id, GHashTable *fragment_table,
1422 GHashTable *reassembled_table, guint32 frag_data_len,
1423 gboolean more_frags)
1425 return fragment_add_seq_check_work(tvb, offset, pinfo, id,
1426 fragment_table, reassembled_table, 0, frag_data_len,
1431 * Process reassembled data; if we're on the frame in which the data
1432 * was reassembled, put the fragment information into the protocol
1433 * tree, and construct a tvbuff with the reassembled data, otherwise
1434 * just put a "reassembled in" item into the protocol tree.
1437 process_reassembled_data(tvbuff_t *tvb, int offset, packet_info *pinfo,
1438 char *name, fragment_data *fd_head, const fragment_items *fit,
1439 gboolean *update_col_infop, proto_tree *tree)
1442 gboolean update_col_info;
1444 if (fd_head != NULL && pinfo->fd->num == fd_head->reassembled_in) {
1446 * OK, we've reassembled this.
1447 * Is this something that's been reassembled from more
1448 * than one fragment?
1450 if (fd_head->next != NULL) {
1453 * Allocate a new tvbuff, referring to the
1454 * reassembled payload.
1456 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1457 next_tvb = tvb_new_real_data(fd_head->data,
1458 fd_head->len, fd_head->len);
1460 next_tvb = tvb_new_real_data(fd_head->data,
1461 fd_head->datalen, fd_head->datalen);
1465 * Add the tvbuff to the list of tvbuffs to which
1466 * the tvbuff we were handed refers, so it'll get
1467 * cleaned up when that tvbuff is cleaned up.
1469 tvb_set_child_real_data_tvbuff(tvb, next_tvb);
1471 /* Add the defragmented data to the data source list. */
1472 add_new_data_source(pinfo, next_tvb, name);
1474 /* show all fragments */
1475 if (fd_head->flags & FD_BLOCKSEQUENCE) {
1476 update_col_info = !show_fragment_seq_tree(
1477 fd_head, fit, tree, pinfo, next_tvb);
1479 update_col_info = !show_fragment_tree(fd_head,
1480 fit, tree, pinfo, next_tvb);
1485 * Return a tvbuff with the payload.
1487 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
1488 pinfo->fragmented = FALSE; /* one-fragment packet */
1489 update_col_info = TRUE;
1491 if (update_col_infop != NULL)
1492 *update_col_infop = update_col_info;
1495 * We don't have the complete reassembled payload, or this
1496 * isn't the final frame of that payload.
1501 * If we know what frame this was reassembled in,
1502 * and if there's a field to use for the number of
1503 * the frame in which the packet was reassembled,
1504 * add it to the protocol tree.
1506 if (fd_head != NULL && fit->hf_reassembled_in != NULL) {
1507 proto_tree_add_uint(tree,
1508 *(fit->hf_reassembled_in), tvb,
1509 0, 0, fd_head->reassembled_in);
1516 * Show a single fragment in a fragment subtree.
1519 show_fragment(fragment_data *fd, int offset, const fragment_items *fit,
1520 proto_tree *ft, tvbuff_t *tvb)
1522 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
1523 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1524 /* this fragment has some flags set, create a subtree
1525 * for it and display the flags.
1527 proto_tree *fet=NULL;
1528 proto_item *fei=NULL;
1531 if (fd->flags & (FD_OVERLAPCONFLICT
1532 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1533 hf = *(fit->hf_fragment_error);
1535 hf = *(fit->hf_fragment);
1537 fei = proto_tree_add_uint_format(ft, hf,
1538 tvb, offset, fd->len,
1540 "Frame: %u, payload: %u-%u",
1544 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
1545 if (fd->flags&FD_OVERLAP) {
1546 proto_tree_add_boolean(fet,
1547 *(fit->hf_fragment_overlap),
1551 if (fd->flags&FD_OVERLAPCONFLICT) {
1552 proto_tree_add_boolean(fet,
1553 *(fit->hf_fragment_overlap_conflict),
1557 if (fd->flags&FD_MULTIPLETAILS) {
1558 proto_tree_add_boolean(fet,
1559 *(fit->hf_fragment_multiple_tails),
1563 if (fd->flags&FD_TOOLONGFRAGMENT) {
1564 proto_tree_add_boolean(fet,
1565 *(fit->hf_fragment_too_long_fragment),
1570 /* nothing of interest for this fragment */
1571 proto_tree_add_uint_format(ft, *(fit->hf_fragment),
1572 tvb, offset, fd->len,
1574 "Frame: %u, payload: %u-%u",
1583 show_fragment_errs_in_col(fragment_data *fd_head, const fragment_items *fit,
1586 if (fd_head->flags & (FD_OVERLAPCONFLICT
1587 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
1588 if (check_col(pinfo->cinfo, COL_INFO)) {
1589 col_add_fstr(pinfo->cinfo, COL_INFO,
1590 "[Illegal %s]", fit->tag);
1598 /* This function will build the fragment subtree; it's for fragments
1599 reassembled with "fragment_add()".
1601 It will return TRUE if there were fragmentation errors
1602 or FALSE if fragmentation was ok.
1605 show_fragment_tree(fragment_data *fd_head, const fragment_items *fit,
1606 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
1612 /* It's not fragmented. */
1613 pinfo->fragmented = FALSE;
1615 fi = proto_tree_add_item(tree, *(fit->hf_fragments),
1617 ft = proto_item_add_subtree(fi, *(fit->ett_fragments));
1618 for (fd = fd_head->next; fd != NULL; fd = fd->next)
1619 show_fragment(fd, fd->offset, fit, ft, tvb);
1621 return show_fragment_errs_in_col(fd_head, fit, pinfo);
1624 /* This function will build the fragment subtree; it's for fragments
1625 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
1627 It will return TRUE if there were fragmentation errors
1628 or FALSE if fragmentation was ok.
1631 show_fragment_seq_tree(fragment_data *fd_head, const fragment_items *fit,
1632 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
1634 guint32 offset, next_offset;
1635 fragment_data *fd, *last_fd;
1639 /* It's not fragmented. */
1640 pinfo->fragmented = FALSE;
1642 fi = proto_tree_add_item(tree, *(fit->hf_fragments),
1644 ft = proto_item_add_subtree(fi, *(fit->ett_fragments));
1648 for (fd = fd_head->next; fd != NULL; fd = fd->next){
1649 if (last_fd == NULL || last_fd->offset != fd->offset) {
1650 offset = next_offset;
1651 next_offset += fd->len;
1654 show_fragment(fd, offset, fit, ft, tvb);
1657 return show_fragment_errs_in_col(fd_head, fit, pinfo);
git.samba.org / obnox / wireshark / wip.git / blob