Add an extra_info_type field to smb_saved_info_t so that we can make
authorgerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>
Sat, 16 Apr 2005 21:54:32 +0000 (21:54 +0000)
committergerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>
Sat, 16 Apr 2005 21:54:32 +0000 (21:54 +0000)
sure we're not referencing a fid when we think we're referencing an
smb_nt_transact_info_t pointer.  (A fuzzed capture I have triggers
this behavior).

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@14107 f5534014-38df-0310-8fa8-9805f1628bb7

epan/dissectors/packet-smb-mailslot.c
epan/dissectors/packet-smb-pipe.c
epan/dissectors/packet-smb.c
gtk/smb_stat.c
smb.h
tap-smbstat.c

index 904172d4df81a2d625fe4eddf14adebeeafb1aa5..1fe72fc44e18032845f3fd712510476ba2700a27 100644 (file)
@@ -116,7 +116,7 @@ dissect_mailslot_smb(tvbuff_t *mshdr_tvb, tvbuff_t *setup_tvb,
        }
 
        smb_info = pinfo->private_data;
-       if (smb_info->sip != NULL)
+       if (smb_info->sip != NULL && smb_info->sip->extra_info_type == SMB_EI_TRI)
                tri = smb_info->sip->extra_info;
        else
                tri = NULL;
index bc1ffea3ed286c54777302496b42539b835c69cf..875a3a5b3b012f6a788dceabe39949417e63d552 100644 (file)
@@ -438,9 +438,12 @@ add_detail_level(tvbuff_t *tvb, int offset, int count _U_, packet_info *pinfo,
     proto_tree *tree, int convert _U_, int hf_index)
 {
        struct smb_info *smb_info = pinfo->private_data;
-       smb_transact_info_t *trp = smb_info->sip->extra_info;
+       smb_transact_info_t *trp = NULL;
        guint16 level;
 
+       if (smb_info->sip->extra_info_type == SMB_EI_TRI)
+               trp = smb_info->sip->extra_info;
+
        level = tvb_get_letohs(tvb, offset);
        if (!pinfo->fd->flags.visited)
                trp->info_level = level;        /* remember this for the response */
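Review bot: With trp now left NULL whenever the saved request info is not an smb_transact_info_t, the unguarded store `trp->info_level = level;` on the first pass becomes a NULL-pointer dereference instead of the type-confused write this commit set out to remove. Guard it: `if (!pinfo->fd->flags.visited && trp != NULL)`. add_detail_level continues past the hunk, so any later use of trp there needs the same guard. The hunk also reads smb_info->sip->extra_info_type without checking sip for NULL, unlike dissect_pipe_smb in the same file; whether sip can be NULL on this path is not visible here.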
@@ -2459,7 +2462,7 @@ dissect_response_data(tvbuff_t *tvb, packet_info *pinfo, int convert,
     const struct lanman_desc *lanman, gboolean has_ent_count,
     guint16 ent_count)
 {
-       smb_transact_info_t *trp = smb_info->sip->extra_info;
+       smb_transact_info_t *trp = NULL;
        const item_list_t *resp_data_list;
        int offset, start_offset;
        const char *label;
@@ -2472,6 +2475,9 @@ dissect_response_data(tvbuff_t *tvb, packet_info *pinfo, int convert,
        guint i, j;
        guint16 aux_count;
 
+       if (smb_info->sip->extra_info_type == SMB_EI_TRI)
+               trp = smb_info->sip->extra_info;
+
        /*
         * Find the item table for the matching request's detail level.
         */
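Review bot: trp can now be NULL in dissect_response_data, yet nothing in the hunk checks it before the detail-level lookup announced by the following comment; if that lookup reads trp->info_level (it lies outside the hunk, so I cannot confirm), the fuzzed-capture crash has only moved from a wild pointer to a NULL dereference. Bail out right after the assignment with this function's usual failure return, e.g. `if (trp == NULL) return offset;` if that is the convention — the body and return path are outside the hunk. smb_info->sip is also dereferenced unconditionally here, as at the other pipe call sites.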
@@ -2607,7 +2613,7 @@ dissect_pipe_lanman(tvbuff_t *pd_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
                    packet_info *pinfo, proto_tree *parent_tree)
 {
        smb_info_t *smb_info = pinfo->private_data;
-       smb_transact_info_t *trp = smb_info->sip->extra_info;
+       smb_transact_info_t *trp = NULL;
        int offset = 0, start_offset;
        guint16 cmd;
        guint16 status;
@@ -2624,6 +2630,9 @@ dissect_pipe_lanman(tvbuff_t *pd_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
        proto_item *data_item;
        proto_tree *data_tree;
 
+       if (smb_info->sip->extra_info_type == SMB_EI_TRI)
+               trp = smb_info->sip->extra_info;
+
        if (!proto_is_protocol_enabled(find_protocol_by_id(proto_smb_lanman)))
                return FALSE;
        if (smb_info->request && p_tvb == NULL) {
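Review bot: `smb_info->sip->extra_info_type` is read without first checking `smb_info->sip != NULL`, whereas the equivalent test in dissect_pipe_smb later in this file is written `smb_info->sip != NULL && ...`; if dissect_pipe_lanman can be entered with no saved request info, the crash has only moved to a different field. Write it as `if (smb_info->sip != NULL && smb_info->sip->extra_info_type == SMB_EI_TRI)`. trp also stays NULL on a tag mismatch, so every later `trp->` access in this function (outside the hunk) must tolerate NULL.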
@@ -3536,7 +3545,7 @@ dissect_pipe_smb(tvbuff_t *sp_tvb, tvbuff_t *s_tvb, tvbuff_t *pd_tvb,
                    smb_info->request ? "Request" : "Response");
        }
 
-       if (smb_info->sip != NULL)
+       if (smb_info->sip != NULL && smb_info->sip->extra_info_type == SMB_EI_TRI)
                tri = smb_info->sip->extra_info;
        else
                tri = NULL;
index 95307db14c06dcc88edeb79c07abbf5232e0cd36..56e2a2a99b51fee37024e1a1f534ee2649ec57be 100644 (file)
@@ -3262,6 +3262,7 @@ dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tre
                /* remember the FID for the processing of the response */
                si = (smb_info_t *)pinfo->private_data;
                si->sip->extra_info=GUINT_TO_POINTER(fid);
+               si->sip->extra_info_type=SMB_EI_FID;
        }
 
        /* read count */
@@ -3385,7 +3386,7 @@ dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tr
 
        /* If we have seen the request, then print which FID this refers to */
        /* first check if we have seen the request */
-       if(si->sip != NULL && si->sip->frame_req>0){
+       if(si->sip != NULL && si->sip->frame_req>0 && si->sip->extra_info_type == SMB_EI_FID){
                fid=GPOINTER_TO_INT(si->sip->extra_info);
                add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
        }
@@ -5192,6 +5193,7 @@ dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
                /* remember the FID for the processing of the response */
                si = (smb_info_t *)pinfo->private_data;
                si->sip->extra_info=GUINT_TO_POINTER(fid);
+               si->sip->extra_info_type=SMB_EI_FID;
        }
 
        /* offset */
@@ -5300,7 +5302,7 @@ dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 
        /* If we have seen the request, then print which FID this refers to */
        /* first check if we have seen the request */
-       if(si->sip != NULL && si->sip->frame_req>0){
+       if(si->sip != NULL && si->sip->frame_req>0 && si->sip->extra_info_type==SMB_EI_FID){
                fid=GPOINTER_TO_INT(si->sip->extra_info);
                add_fid(tvb, pinfo, tree, 0, 0, (guint16) fid);
        }
@@ -5406,6 +5408,7 @@ dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
        if (!pinfo->fd->flags.visited) {
                /* remember the FID for the processing of the response */
                si->sip->extra_info=GUINT_TO_POINTER(fid);
+               si->sip->extra_info_type=SMB_EI_FID;
        }
 
        /* offset */
@@ -5534,7 +5537,7 @@ dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
        /* If we have seen the request, then print which FID this refers to */
        si = (smb_info_t *)pinfo->private_data;
        /* first check if we have seen the request */
-       if(si->sip != NULL && si->sip->frame_req>0){
+       if(si->sip != NULL && si->sip->frame_req>0 && si->sip->extra_info_type==SMB_EI_FID){
                add_fid(tvb, pinfo, tree, 0, 0, (guint16) GPOINTER_TO_UINT(si->sip->extra_info));
        }
 
@@ -7573,6 +7576,7 @@ dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree
                                nti = g_mem_chunk_alloc(smb_nt_transact_info_chunk);
                                nti->subcmd = subcmd;
                                sip->extra_info = nti;
+                               sip->extra_info_type = SMB_EI_NTI;
                        }
                }
        } else {
@@ -7650,7 +7654,7 @@ dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
        guint16 bcp;
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL)
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
                nti = si->sip->extra_info;
        else
                nti = NULL;
@@ -7731,7 +7735,7 @@ dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
        int padcnt;
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL)
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
                nti = si->sip->extra_info;
        else
                nti = NULL;
@@ -7919,7 +7923,7 @@ dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
        smb_nt_transact_info_t *nti;
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL)
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
                nti = si->sip->extra_info;
        else
                nti = NULL;
@@ -7986,7 +7990,7 @@ dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tre
        gboolean save_fragmented;
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL)
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_NTI)
                nti = si->sip->extra_info;
        else
                nti = NULL;
@@ -9129,7 +9133,7 @@ dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, in
        mask = tvb_get_letohs(tvb, offset);
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL) {
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
                t2i = si->sip->extra_info;
                if (t2i != NULL) {
                        if (!pinfo->fd->flags.visited)
@@ -9198,7 +9202,7 @@ dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
        const char *fn;
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL)
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
                t2i = si->sip->extra_info;
        else
                t2i = NULL;
@@ -11334,6 +11338,7 @@ dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                                                t2i->info_level = -1;
                                                t2i->resume_keys = FALSE;
                                                si->sip->extra_info = t2i;
+                                               si->sip->extra_info_type = SMB_EI_T2I;
                                        }
                                }
 
@@ -11490,6 +11495,7 @@ dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                                        tri->aux_data_descrip = NULL;
                                        tri->info_level = -1;
                                        si->sip->extra_info = tri;
+                                       si->sip->extra_info_type = SMB_EI_TRI;
                                } else {
                                        /*
                                         * We already filled the structure
@@ -11579,7 +11585,7 @@ dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
        gboolean resume_keys = FALSE;
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL) {
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
                t2i = si->sip->extra_info;
                if (t2i != NULL)
                        resume_keys = t2i->resume_keys;
@@ -11678,7 +11684,7 @@ dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
        gboolean resume_keys = FALSE;
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL) {
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
                t2i = si->sip->extra_info;
                if (t2i != NULL)
                        resume_keys = t2i->resume_keys;
@@ -12835,7 +12841,7 @@ dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
        dc = tvb_reported_length(tvb);
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL)
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
                t2i = si->sip->extra_info;
        else
                t2i = NULL;
@@ -13002,7 +13008,7 @@ dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, prot
        pc = tvb_reported_length(tvb);
 
        si = (smb_info_t *)pinfo->private_data;
-       if (si->sip != NULL)
+       if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I)
                t2i = si->sip->extra_info;
        else
                t2i = NULL;
@@ -13265,7 +13271,7 @@ dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *
        switch(si->cmd){
        case SMB_COM_TRANSACTION2:
                /* transaction2 */
-               if (si->sip != NULL) {
+               if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_T2I) {
                        t2i = si->sip->extra_info;
                } else
                        t2i = NULL;
@@ -13511,7 +13517,7 @@ dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *
                smb_transact_info_t *tri;
 
                dissected_trans = FALSE;
-               if (si->sip != NULL)
+               if (si->sip != NULL && si->sip->extra_info_type == SMB_EI_TRI)
                        tri = si->sip->extra_info;
                else
                        tri = NULL;
@@ -14852,6 +14858,7 @@ dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
                                }
                                sip->cmd = si->cmd;
                                sip->extra_info = NULL;
+                               sip->extra_info_type = SMB_EI_NONE;
                                g_hash_table_insert(si->ct->unmatched, GUINT_TO_POINTER(pid_mid), sip);
                                new_key = g_mem_chunk_alloc(smb_saved_info_key_chunk);
                                new_key->frame = sip->frame_req;
index 4b87d871d74b5a71068d263c555d2d6a3a24be24..f4036d22c8c35761c422891ff6a6324f777fc1ca 100644 (file)
@@ -101,13 +101,13 @@ smbstat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const voi
 
        add_srt_table_data(&ss->smb_srt_table, si->cmd, &si->sip->req_time, pinfo);
 
-       if(si->cmd==0xA0){
+       if(si->cmd==0xA0 && si->sip->extra_info_type == SMB_EI_NTI){
                smb_nt_transact_info_t *sti=(smb_nt_transact_info_t *)si->sip->extra_info;
 
                if(sti){
                        add_srt_table_data(&ss->nt_trans_srt_table, sti->subcmd, &si->sip->req_time, pinfo);
                }
-       } else if(si->cmd==0x32){
+       } else if(si->cmd==0x32 && si->sip->extra_info == SMB_EI_T2I){
                smb_transact2_info_t *st2i=(smb_transact2_info_t *)si->sip->extra_info;
 
                if(st2i){
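Review bot: The transaction2 branch tests the wrong field: `si->cmd==0x32 && si->sip->extra_info == SMB_EI_T2I` compares the `void *` payload with the enum constant instead of the new tag, so the condition is a pointer/integer comparison that is effectively never true and TRANSACTION2 responses silently vanish from the SRT statistics. It should read `} else if(si->cmd==0x32 && si->sip->extra_info_type == SMB_EI_T2I){`, matching the NT-transaction branch above and the tap-smbstat.c change in this same commit. smbstat_packet continues past the hunk.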
diff --git a/smb.h b/smb.h
index 401ee0165c167159c250e279535d6c8257809627..a7d825643aeefaafc58718565265bc5ae67ffc6b 100644 (file)
--- a/smb.h
+++ b/smb.h
@@ -194,12 +194,20 @@ typedef struct {
  */
 #define SMB_SIF_TID_IS_IPC     0x0001
 #define SMB_SIF_IS_CONTINUED   0x0002
+typedef enum {
+       SMB_EI_NONE,    /* Unassigned / NULL */
+       SMB_EI_FID,     /* FID */
+       SMB_EI_NTI,     /* smb_nt_transact_info_t * */
+       SMB_EI_TRI,     /* smb_transact_info_t * */
+       SMB_EI_T2I      /* smb_transact2_info_t * */
+} smb_extra_info_t;
 typedef struct {
        guint32 frame_req, frame_res;
        nstime_t req_time;
        guint16 flags;
        guint8 cmd;
        void *extra_info;
+       smb_extra_info_t extra_info_type;
 } smb_saved_info_t;
 
 /*
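Review bot: extra_info_type is only meaningful if every assignment to extra_info also sets it, and the header does not state that invariant, so the author of the next request dissector will not know to maintain it. Document it on the field, e.g. `/* Tag describing what extra_info points to; must be set together with extra_info, and checked before extra_info is dereferenced. */`. If smb_saved_info_t entries come from a non-zeroing allocator (the g_mem_chunk_alloc calls elsewhere in this commit suggest so), a site that forgets the tag leaves it indeterminate rather than SMB_EI_NONE, so the enum's zero value does not cover that case.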
index 1b0b487c7d7981ea5762a23e81acbe6a5e24ec2f..6fa63e01d346b1757d88a074a7f48a14c70462eb 100644 (file)
@@ -67,14 +67,14 @@ smbstat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const voi
                return 0;
        }
 
-       if(si->cmd==0xA0){
+       if(si->cmd==0xA0 && si->sip->extra_info_type == SMB_EI_NTI){
                smb_nt_transact_info_t *sti=(smb_nt_transact_info_t *)si->sip->extra_info;
 
                /*nt transaction*/
                if(sti){
                        sp=&(ss->nt_trans[sti->subcmd]);
                }
-       } else if(si->cmd==0x32){
+       } else if(si->cmd==0x32 && si->sip->extra_info_type == SMB_EI_T2I){
                smb_transact2_info_t *st2i=(smb_transact2_info_t *)si->sip->extra_info;
 
                /*transaction2*/
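Review bot: The tag check now guarantees sti really is an smb_nt_transact_info_t, but `sp=&(ss->nt_trans[sti->subcmd]);` still uses a value copied from the packet as an array index with no bound check visible in the hunk; on the fuzzed capture that motivated this commit, an out-of-range subcmd would turn the fixed type confusion into an out-of-bounds pointer. If nt_trans is a fixed-size table (its declaration is outside the hunk), bound the index, e.g. `if(sti && sti->subcmd < (sizeof(ss->nt_trans)/sizeof(ss->nt_trans[0])))`. smbstat_packet continues past the hunk.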