1 /* packet-smb2.c
2 * Routines for smb2 packet dissection
3 * Ronnie Sahlberg 2005
5 * For documentation of this protocol, see:
7 * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/
8 * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/
9 * https://gitlab.com/wireshark/wireshark/-/wikis/SMB2
11 * If you edit this file, keep the wiki updated as well.
13 * Wireshark - Network traffic analyzer
14 * By Gerald Combs <gerald@wireshark.org>
15 * Copyright 1998 Gerald Combs
17 * SPDX-License-Identifier: GPL-2.0-or-later
20 #include "config.h"
23 #include <epan/packet.h>
24 #include <epan/exceptions.h>
25 #include <epan/prefs.h>
26 #include <epan/expert.h>
27 #include <epan/tap.h>
28 #include <epan/srt_table.h>
29 #include <epan/aftypes.h>
30 #include <epan/to_str.h>
31 #include <epan/strutil.h>
32 #include <epan/asn1.h>
33 #include <epan/reassemble.h>
34 #include <epan/uat.h>
35 #include <epan/tfs.h>
36 #include <wsutil/array.h>
38 #include "packet-smb2.h"
39 #include "packet-ntlmssp.h"
40 #include "packet-kerberos.h"
41 #include "packet-windows-common.h"
42 #include "packet-dcerpc-nt.h"
44 #include "read_keytab_file.h"
46 #include <wsutil/wsgcrypt.h>
47 #include <wsutil/ws_roundup.h>
48 #include <wsutil/crc32.h>
51 #ifdef _WIN32
52 #include <windows.h>
53 #else
54 /* SECURITY_INFORMATION bit flags; winnt.h defines them on Windows, so they are defined here for other platforms. */
55 #define OWNER_SECURITY_INFORMATION 0x00000001
56 #define GROUP_SECURITY_INFORMATION 0x00000002
57 #define DACL_SECURITY_INFORMATION 0x00000004
58 #define SACL_SECURITY_INFORMATION 0x00000008
59 #define LABEL_SECURITY_INFORMATION 0x00000010
60 #define ATTRIBUTE_SECURITY_INFORMATION 0x00000020
61 #define SCOPE_SECURITY_INFORMATION 0x00000040
62 #define BACKUP_SECURITY_INFORMATION 0x00010000
63 #endif
65 //#define DEBUG_SMB2
66 #ifdef DEBUG_SMB2
67 #define DEBUG(...) g_ ## warning(__VA_ARGS__)
68 #define HEXDUMP(p, sz) do_hexdump((const uint8_t *)(p), sz)
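/*
 * Debug-only hex dump of a buffer to stderr (via g_printerr).
 *
 * Each row covers 16 bytes: the row offset in hex, the bytes in hex with an
 * extra space before every fourth byte, then the same bytes as ASCII with
 * '.' standing in for anything g_ascii_isprint() rejects.
 *
 * Only built when DEBUG_SMB2 is defined; reached through HEXDUMP(p, sz).
 *
 * NOTE(review): this prints raw buffer contents. The callers are not visible
 * here; if any of them pass key material or decrypted payload, DEBUG_SMB2
 * must stay disabled in builds that handle real captures.
 *
 * data: buffer to dump; read for len bytes.
 * len:  number of bytes to dump; 0 prints nothing.
 */
static void
do_hexdump (const uint8_t *data, size_t len)
{
	/* size_t, like len: an unsigned index would wrap before reaching a
	 * len above UINT_MAX and the outer loop would never terminate. */
	size_t n, m;

	for (n = 0; n < len; n += 16) {
		g_printerr ("%04zx: ", n);

		for (m = n; m < n + 16; m++) {
			if (m > n && (m % 4) == 0) {
				g_printerr (" ");
			}
			if (m < len) {
				g_printerr ("%02x ", data[m]);
			} else {
				/* Same width as "%02x " so the ASCII column of a
				 * short last row lines up with the full rows. */
				g_printerr ("   ");
			}
		}

		g_printerr (" ");

		for (m = n; m < len && m < n + 16; m++) {
			g_printerr ("%c", g_ascii_isprint (data[m]) ? data[m] : '.');
		}

		g_printerr ("\n");
	}
}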
94 #else
95 #define DEBUG(...)
96 #define HEXDUMP(...)
97 #endif
99 #define NT_STATUS_PENDING 0x00000103
100 #define NT_STATUS_BUFFER_TOO_SMALL 0xC0000023
101 #define NT_STATUS_STOPPED_ON_SYMLINK 0x8000002D
102 #define NT_STATUS_BAD_NETWORK_NAME 0xC00000CC
104 void proto_register_smb2(void);
105 void proto_reg_handoff_smb2(void);
107 #define SMB2_NORM_HEADER 0xFE
108 #define SMB2_ENCR_HEADER 0xFD
109 #define SMB2_COMP_HEADER 0xFC
111 static wmem_map_t *smb2_sessions;
113 static const char smb_header_label[] = "SMB2 Header";
114 static const char smb_transform_header_label[] = "SMB2 Transform Header";
115 static const char smb_comp_transform_header_label[] = "SMB2 Compression Transform Header";
116 static const char smb_bad_header_label[] = "Bad SMB2 Header";
118 static int proto_smb2;
119 static int hf_smb2_cmd;
120 static int hf_smb2_nt_status;
121 static int hf_smb2_response_to;
122 static int hf_smb2_response_in;
123 static int hf_smb2_time;
124 static int hf_smb2_preauth_hash;
125 static int hf_smb2_header_len;
126 static int hf_smb2_msg_id;
127 static int hf_smb2_header_reserved;
128 static int hf_smb2_tid;
129 static int hf_smb2_aid;
130 static int hf_smb2_sesid;
131 static int hf_smb2_previous_sesid;
132 static int hf_smb2_flags_response;
133 static int hf_smb2_flags_async_cmd;
134 static int hf_smb2_flags_dfs_op;
135 static int hf_smb2_flags_chained;
136 static int hf_smb2_flags_signature;
137 static int hf_smb2_flags_replay_operation;
138 static int hf_smb2_flags_priority_mask;
139 static int hf_smb2_chain_offset;
140 static int hf_smb2_security_blob;
141 static int hf_smb2_ioctl_in_data;
142 static int hf_smb2_ioctl_out_data;
143 static int hf_smb2_unknown;
144 static int hf_smb2_root_directory_mbz;
145 static int hf_smb2_twrp_timestamp;
146 static int hf_smb2_mxac_timestamp;
147 static int hf_smb2_mxac_status;
148 static int hf_smb2_qfid_fid;
149 static int hf_smb2_create_timestamp;
150 static int hf_smb2_oplock;
151 static int hf_smb2_close_flags;
152 static int hf_smb2_notify_flags;
153 static int hf_smb2_last_access_timestamp;
154 static int hf_smb2_last_write_timestamp;
155 static int hf_smb2_last_change_timestamp;
156 static int hf_smb2_current_time;
157 static int hf_smb2_boot_time;
158 static int hf_smb2_filename;
159 static int hf_smb2_filename_len;
160 static int hf_smb2_replace_if;
161 static int hf_smb2_nlinks;
162 static int hf_smb2_delete_pending;
163 static int hf_smb2_is_directory;
164 static int hf_smb2_file_id;
165 static int hf_smb2_allocation_size;
166 static int hf_smb2_end_of_file;
167 static int hf_smb2_tree;
168 static int hf_smb2_find_pattern;
169 static int hf_smb2_find_info_level;
170 static int hf_smb2_find_info_blob;
171 static int hf_smb2_client_guid;
172 static int hf_smb2_server_guid;
173 static int hf_smb2_object_id;
174 static int hf_smb2_birth_volume_id;
175 static int hf_smb2_birth_object_id;
176 static int hf_smb2_domain_id;
177 static int hf_smb2_class;
178 static int hf_smb2_infolevel;
179 static int hf_smb2_infolevel_file_info;
180 static int hf_smb2_infolevel_fs_info;
181 static int hf_smb2_infolevel_sec_info;
182 static int hf_smb2_max_response_size;
183 static int hf_smb2_max_ioctl_in_size;
184 static int hf_smb2_max_ioctl_out_size;
185 static int hf_smb2_flags;
186 static int hf_smb2_required_buffer_size;
187 static int hf_smb2_getinfo_input_size;
188 static int hf_smb2_getinfo_input_offset;
189 static int hf_smb2_getsetinfo_additional;
190 static int hf_smb2_getsetinfo_additionals;
191 static int hf_smb2_getsetinfo_additional_owner;
192 static int hf_smb2_getsetinfo_additional_group;
193 static int hf_smb2_getsetinfo_additional_dacl;
194 static int hf_smb2_getsetinfo_additional_sacl;
195 static int hf_smb2_getsetinfo_additional_label;
196 static int hf_smb2_getsetinfo_additional_attribute;
197 static int hf_smb2_getsetinfo_additional_scope;
198 static int hf_smb2_getsetinfo_additional_backup;
199 static int hf_smb2_getinfo_flags;
200 static int hf_smb2_setinfo_size;
201 static int hf_smb2_setinfo_offset;
202 static int hf_smb2_setinfo_reserved;
203 static int hf_smb2_file_basic_info;
204 static int hf_smb2_file_standard_info;
205 static int hf_smb2_file_internal_info;
206 static int hf_smb2_file_ea_info;
207 static int hf_smb2_file_access_info;
208 static int hf_smb2_file_rename_info;
209 static int hf_smb2_file_link_info;
210 static int hf_smb2_file_disposition_info;
211 static int hf_smb2_file_position_info;
212 static int hf_smb2_file_full_ea_info;
213 static int hf_smb2_file_mode_info;
214 static int hf_smb2_file_alignment_info;
215 static int hf_smb2_file_all_info;
216 static int hf_smb2_file_allocation_info;
217 static int hf_smb2_file_endoffile_info;
218 static int hf_smb2_file_alternate_name_info;
219 static int hf_smb2_file_stream_info;
220 static int hf_smb2_file_pipe_info;
221 static int hf_smb2_file_compression_info;
222 static int hf_smb2_file_network_open_info;
223 static int hf_smb2_file_attribute_tag_info;
224 static int hf_smb2_file_normalized_name_info;
225 static int hf_smb2_fs_info_01;
226 static int hf_smb2_fs_info_03;
227 static int hf_smb2_fs_info_04;
228 static int hf_smb2_fs_info_05;
229 static int hf_smb2_fs_info_06;
230 static int hf_smb2_fs_info_07;
231 static int hf_smb2_fs_objectid_info;
232 static int hf_smb2_fs_posix_info;
233 static int hf_smb2_fs_posix_optimal_transfer_size;
234 static int hf_smb2_fs_posix_block_size;
235 static int hf_smb2_fs_posix_total_blocks;
236 static int hf_smb2_fs_posix_blocks_available;
237 static int hf_smb2_fs_posix_user_blocks_available;
238 static int hf_smb2_fs_posix_total_file_nodes;
239 static int hf_smb2_fs_posix_free_file_nodes;
240 static int hf_smb2_fs_posix_fs_identifier;
241 static int hf_smb2_sec_info_00;
242 static int hf_smb2_quota_info;
243 static int hf_smb2_query_quota_info;
244 static int hf_smb2_qq_single;
245 static int hf_smb2_qq_restart;
246 static int hf_smb2_qq_sidlist_len;
247 static int hf_smb2_qq_start_sid_len;
248 static int hf_smb2_qq_start_sid_offset;
249 static int hf_smb2_fid;
250 static int hf_smb2_write_length;
251 static int hf_smb2_write_data;
252 static int hf_smb2_write_flags;
253 static int hf_smb2_write_flags_write_through;
254 static int hf_smb2_write_flags_write_unbuffered;
255 static int hf_smb2_write_count;
256 static int hf_smb2_write_remaining;
257 static int hf_smb2_read_blob;
258 static int hf_smb2_read_length;
259 static int hf_smb2_read_remaining;
260 static int hf_smb2_read_padding;
261 static int hf_smb2_read_flags;
262 static int hf_smb2_read_flags_unbuffered;
263 static int hf_smb2_read_flags_compressed;
264 static int hf_smb2_file_offset;
265 static int hf_smb2_qfr_length;
266 static int hf_smb2_qfr_usage;
267 static int hf_smb2_qfr_flags;
268 static int hf_smb2_qfr_total_region_entry_count;
269 static int hf_smb2_qfr_region_entry_count;
270 static int hf_smb2_read_data;
271 static int hf_smb2_disposition_delete_on_close;
272 static int hf_smb2_create_disposition;
273 static int hf_smb2_create_chain_offset;
274 static int hf_smb2_create_chain_data;
275 static int hf_smb2_data_offset;
276 static int hf_smb2_extrainfo;
277 static int hf_smb2_create_action;
278 static int hf_smb2_create_rep_flags;
279 static int hf_smb2_create_rep_flags_reparse_point;
280 static int hf_smb2_next_offset;
281 static int hf_smb2_negotiate_context_type;
282 static int hf_smb2_negotiate_context_data_length;
283 static int hf_smb2_negotiate_context_offset;
284 static int hf_smb2_negotiate_context_reserved;
285 static int hf_smb2_negotiate_context_reserved2;
286 static int hf_smb2_negotiate_context_count;
287 static int hf_smb2_hash_alg_count;
288 static int hf_smb2_hash_algorithm;
289 static int hf_smb2_salt_length;
290 static int hf_smb2_salt;
291 static int hf_smb2_cipher_count;
292 static int hf_smb2_cipher_id;
293 static int hf_smb2_signing_alg_count;
294 static int hf_smb2_signing_alg_id;
295 static int hf_smb2_comp_alg_count;
296 static int hf_smb2_comp_alg_id;
297 static int hf_smb2_comp_alg_flags;
298 static int hf_smb2_comp_alg_flags_chained;
299 static int hf_smb2_comp_alg_flags_reserved;
300 static int hf_smb2_netname_neg_id;
301 static int hf_smb2_transport_ctx_flags;
302 static int hf_smb2_rdma_transform_count;
303 static int hf_smb2_rdma_transform_reserved1;
304 static int hf_smb2_rdma_transform_reserved2;
305 static int hf_smb2_rdma_transform_id;
306 static int hf_smb2_posix_reserved;
307 static int hf_smb2_dev;
308 static int hf_smb2_inode;
309 static int hf_smb2_ea_size;
310 static int hf_smb2_ea_flags;
311 static int hf_smb2_ea_name_len;
312 static int hf_smb2_ea_data_len;
313 static int hf_smb2_ea_name;
314 static int hf_smb2_ea_data;
315 static int hf_smb2_position_information;
316 static int hf_smb2_mode_information;
317 static int hf_smb2_mode_file_write_through;
318 static int hf_smb2_mode_file_sequential_only;
319 static int hf_smb2_mode_file_no_intermediate_buffering;
320 static int hf_smb2_mode_file_synchronous_io_alert;
321 static int hf_smb2_mode_file_synchronous_io_nonalert;
322 static int hf_smb2_mode_file_delete_on_close;
323 static int hf_smb2_alignment_information;
324 static int hf_smb2_buffer_code;
325 static int hf_smb2_buffer_code_len;
326 static int hf_smb2_buffer_code_flags_dyn;
327 static int hf_smb2_olb_offset;
328 static int hf_smb2_olb_length;
329 static int hf_smb2_tag;
330 static int hf_smb2_impersonation_level;
331 static int hf_smb2_ioctl_function;
332 static int hf_smb2_ioctl_function_device;
333 static int hf_smb2_ioctl_function_access;
334 static int hf_smb2_ioctl_function_function;
335 static int hf_smb2_fsctl_pipe_wait_timeout;
336 static int hf_smb2_fsctl_pipe_wait_name;
338 static int hf_smb2_fsctl_odx_token_type;
339 static int hf_smb2_fsctl_odx_token_idlen;
340 static int hf_smb2_fsctl_odx_token_idraw;
341 static int hf_smb2_fsctl_odx_token_ttl;
342 static int hf_smb2_fsctl_odx_size;
343 static int hf_smb2_fsctl_odx_flags;
344 static int hf_smb2_fsctl_odx_file_offset;
345 static int hf_smb2_fsctl_odx_copy_length;
346 static int hf_smb2_fsctl_odx_xfer_length;
347 static int hf_smb2_fsctl_odx_token_offset;
349 static int hf_smb2_fsctl_infoex_enable_integrity;
350 static int hf_smb2_fsctl_infoex_keep_integrity_state;
351 static int hf_smb2_fsctl_infoex_reserved;
352 static int hf_smb2_fsctl_infoex_reserved2;
353 static int hf_smb2_fsctl_infoex_flags;
354 static int hf_smb2_fsctl_infoex_version;
356 static int hf_smb2_fsctl_sparse_flag;
357 static int hf_smb2_fsctl_range_offset;
358 static int hf_smb2_fsctl_range_length;
359 static int hf_smb2_ioctl_function_method;
360 static int hf_smb2_ioctl_resiliency_timeout;
361 static int hf_smb2_ioctl_resiliency_reserved;
362 static int hf_smb2_ioctl_shared_virtual_disk_support;
363 static int hf_smb2_ioctl_shared_virtual_disk_handle_state;
364 static int hf_smb2_ioctl_sqos_protocol_version;
365 static int hf_smb2_ioctl_sqos_reserved;
366 static int hf_smb2_ioctl_sqos_options;
367 static int hf_smb2_ioctl_sqos_op_set_logical_flow_id;
368 static int hf_smb2_ioctl_sqos_op_set_policy;
369 static int hf_smb2_ioctl_sqos_op_probe_policy;
370 static int hf_smb2_ioctl_sqos_op_get_status;
371 static int hf_smb2_ioctl_sqos_op_update_counters;
372 static int hf_smb2_ioctl_sqos_logical_flow_id;
373 static int hf_smb2_ioctl_sqos_policy_id;
374 static int hf_smb2_ioctl_sqos_initiator_id;
375 static int hf_smb2_ioctl_sqos_limit;
376 static int hf_smb2_ioctl_sqos_reservation;
377 static int hf_smb2_ioctl_sqos_initiator_name;
378 static int hf_smb2_ioctl_sqos_initiator_node_name;
379 static int hf_smb2_ioctl_sqos_io_count_increment;
380 static int hf_smb2_ioctl_sqos_normalized_io_count_increment;
381 static int hf_smb2_ioctl_sqos_latency_increment;
382 static int hf_smb2_ioctl_sqos_lower_latency_increment;
383 static int hf_smb2_ioctl_sqos_bandwidth_limit;
384 static int hf_smb2_ioctl_sqos_kilobyte_count_increment;
385 static int hf_smb2_ioctl_sqos_time_to_live;
386 static int hf_smb2_ioctl_sqos_status;
387 static int hf_smb2_ioctl_sqos_maximum_io_rate;
388 static int hf_smb2_ioctl_sqos_minimum_io_rate;
389 static int hf_smb2_ioctl_sqos_base_io_size;
390 static int hf_smb2_ioctl_sqos_reserved2;
391 static int hf_smb2_ioctl_sqos_maximum_bandwidth;
392 static int hf_windows_sockaddr_family;
393 static int hf_windows_sockaddr_port;
394 static int hf_windows_sockaddr_in_addr;
395 static int hf_windows_sockaddr_in6_flowinfo;
396 static int hf_windows_sockaddr_in6_addr;
397 static int hf_windows_sockaddr_in6_scope_id;
398 static int hf_smb2_ioctl_network_interface_next_offset;
399 static int hf_smb2_ioctl_network_interface_index;
400 static int hf_smb2_ioctl_network_interface_reserved;
401 static int hf_smb2_ioctl_network_interface_capabilities;
402 static int hf_smb2_ioctl_network_interface_capability_rss;
403 static int hf_smb2_ioctl_network_interface_capability_rdma;
404 static int hf_smb2_ioctl_network_interface_link_speed;
405 static int hf_smb2_ioctl_enumerate_snapshots_num_snapshots;
406 static int hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned;
407 static int hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size;
408 static int hf_smb2_ioctl_enumerate_snapshots_snapshot;
409 static int hf_smb2_ioctl_get_ntfs_volume_data_volume_serial;
410 static int hf_smb2_ioctl_get_ntfs_volume_data_num_sectors;
411 static int hf_smb2_ioctl_get_ntfs_volume_data_total_clusters;
412 static int hf_smb2_ioctl_get_ntfs_volume_data_free_clusters;
413 static int hf_smb2_ioctl_get_ntfs_volume_data_total_reserved;
414 static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector;
415 static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster;
416 static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment;
417 static int hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment;
418 static int hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length;
419 static int hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn;
420 static int hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn;
421 static int hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start;
422 static int hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end;
423 static int hf_smb2_compression_format;
424 static int hf_smb2_checksum_algorithm;
425 static int hf_smb2_integrity_reserved;
426 static int hf_smb2_integrity_flags;
427 static int hf_smb2_integrity_flags_enforcement_off;
428 static int hf_smb2_FILE_OBJECTID_BUFFER;
429 static int hf_smb2_lease_key;
430 static int hf_smb2_lease_state;
431 static int hf_smb2_lease_state_read_caching;
432 static int hf_smb2_lease_state_handle_caching;
433 static int hf_smb2_lease_state_write_caching;
434 static int hf_smb2_lease_flags;
435 static int hf_smb2_lease_flags_break_ack_required;
436 static int hf_smb2_lease_flags_parent_lease_key_set;
437 static int hf_smb2_lease_flags_break_in_progress;
438 static int hf_smb2_lease_duration;
439 static int hf_smb2_parent_lease_key;
440 static int hf_smb2_lease_epoch;
441 static int hf_smb2_lease_reserved;
442 static int hf_smb2_lease_break_reason;
443 static int hf_smb2_lease_access_mask_hint;
444 static int hf_smb2_lease_share_mask_hint;
445 static int hf_smb2_acct_name;
446 static int hf_smb2_domain_name;
447 static int hf_smb2_host_name;
448 static int hf_smb2_auth_frame;
449 static int hf_smb2_tcon_frame;
450 static int hf_smb2_tdcon_frame;
451 static int hf_smb2_share_type;
452 static int hf_smb2_signature;
453 static int hf_smb2_credit_charge;
454 static int hf_smb2_credits_requested;
455 static int hf_smb2_credits_granted;
456 static int hf_smb2_channel_sequence;
457 static int hf_smb2_dialect_count;
458 static int hf_smb2_security_mode;
459 static int hf_smb2_secmode_flags_sign_required;
460 static int hf_smb2_secmode_flags_sign_enabled;
461 static int hf_smb2_ses_req_flags;
462 static int hf_smb2_ses_req_flags_session_binding;
463 static int hf_smb2_capabilities;
464 static int hf_smb2_cap_dfs;
465 static int hf_smb2_cap_leasing;
466 static int hf_smb2_cap_large_mtu;
467 static int hf_smb2_cap_multi_channel;
468 static int hf_smb2_cap_persistent_handles;
469 static int hf_smb2_cap_directory_leasing;
470 static int hf_smb2_cap_encryption;
471 static int hf_smb2_cap_notifications;
472 static int hf_smb2_dialect;
473 static int hf_smb2_max_trans_size;
474 static int hf_smb2_max_read_size;
475 static int hf_smb2_max_write_size;
476 static int hf_smb2_channel;
477 static int hf_smb2_rdma_v1_offset;
478 static int hf_smb2_rdma_v1_token;
479 static int hf_smb2_rdma_v1_length;
480 static int hf_smb2_session_flags;
481 static int hf_smb2_ses_flags_guest;
482 static int hf_smb2_ses_flags_null;
483 static int hf_smb2_ses_flags_encrypt;
484 static int hf_smb2_share_flags;
485 static int hf_smb2_share_flags_dfs;
486 static int hf_smb2_share_flags_dfs_root;
487 static int hf_smb2_share_flags_restrict_exclusive_opens;
488 static int hf_smb2_share_flags_force_shared_delete;
489 static int hf_smb2_share_flags_allow_namespace_caching;
490 static int hf_smb2_share_flags_access_based_dir_enum;
491 static int hf_smb2_share_flags_force_levelii_oplock;
492 static int hf_smb2_share_flags_enable_hash_v1;
493 static int hf_smb2_share_flags_enable_hash_v2;
494 static int hf_smb2_share_flags_encrypt_data;
495 static int hf_smb2_share_flags_identity_remoting;
496 static int hf_smb2_share_flags_compress_data;
497 static int hf_smb2_share_flags_isolated_transport;
498 static int hf_smb2_share_caching;
499 static int hf_smb2_share_caps;
500 static int hf_smb2_share_caps_dfs;
501 static int hf_smb2_share_caps_continuous_availability;
502 static int hf_smb2_share_caps_scaleout;
503 static int hf_smb2_share_caps_cluster;
504 static int hf_smb2_share_caps_asymmetric;
505 static int hf_smb2_share_caps_redirect_to_owner;
506 static int hf_smb2_create_flags;
507 static int hf_smb2_lock_count;
508 static int hf_smb2_lock_sequence_number;
509 static int hf_smb2_lock_sequence_index;
510 static int hf_smb2_min_count;
511 static int hf_smb2_remaining_bytes;
512 static int hf_smb2_channel_info_offset;
513 static int hf_smb2_channel_info_length;
514 static int hf_smb2_channel_info_blob;
515 static int hf_smb2_ioctl_flags;
516 static int hf_smb2_ioctl_is_fsctl;
517 static int hf_smb2_close_pq_attrib;
518 static int hf_smb2_notify_watch_tree;
519 static int hf_smb2_output_buffer_len;
520 static int hf_smb2_notify_out_data;
521 static int hf_smb2_notify_info;
522 static int hf_smb2_notify_next_offset;
523 static int hf_smb2_notify_action;
524 static int hf_smb2_find_flags;
525 static int hf_smb2_find_flags_restart_scans;
526 static int hf_smb2_find_flags_single_entry;
527 static int hf_smb2_find_flags_index_specified;
528 static int hf_smb2_find_flags_reopen;
529 static int hf_smb2_file_index;
530 static int hf_smb2_file_directory_info;
531 static int hf_smb2_both_directory_info;
532 static int hf_smb2_posix_info;
533 static int hf_smb2_short_name_len;
534 static int hf_smb2_short_name;
535 static int hf_smb2_id_both_directory_info;
536 static int hf_smb2_full_directory_info;
537 static int hf_smb2_lock_info;
538 static int hf_smb2_lock_length;
539 static int hf_smb2_lock_flags;
540 static int hf_smb2_lock_flags_shared;
541 static int hf_smb2_lock_flags_exclusive;
542 static int hf_smb2_lock_flags_unlock;
543 static int hf_smb2_lock_flags_fail_immediately;
544 static int hf_smb2_dhnq_buffer_reserved;
545 static int hf_smb2_dh2x_buffer_timeout;
546 static int hf_smb2_dh2x_buffer_flags;
547 static int hf_smb2_dh2x_buffer_flags_persistent_handle;
548 static int hf_smb2_dh2x_buffer_reserved;
549 static int hf_smb2_dh2x_buffer_create_guid;
550 static int hf_smb2_APP_INSTANCE_buffer_struct_size;
551 static int hf_smb2_APP_INSTANCE_buffer_reserved;
552 static int hf_smb2_APP_INSTANCE_buffer_app_guid;
553 static int hf_smb2_svhdx_open_device_context_version;
554 static int hf_smb2_svhdx_open_device_context_has_initiator_id;
555 static int hf_smb2_svhdx_open_device_context_reserved;
556 static int hf_smb2_svhdx_open_device_context_initiator_id;
557 static int hf_smb2_svhdx_open_device_context_flags;
558 static int hf_smb2_svhdx_open_device_context_originator_flags;
559 static int hf_smb2_svhdx_open_device_context_open_request_id;
560 static int hf_smb2_svhdx_open_device_context_initiator_host_name_len;
561 static int hf_smb2_svhdx_open_device_context_initiator_host_name;
562 static int hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized;
563 static int hf_smb2_svhdx_open_device_context_server_service_version;
564 static int hf_smb2_svhdx_open_device_context_virtual_sector_size;
565 static int hf_smb2_svhdx_open_device_context_physical_sector_size;
566 static int hf_smb2_svhdx_open_device_context_virtual_size;
567 static int hf_smb2_app_instance_version_struct_size;
568 static int hf_smb2_app_instance_version_reserved;
569 static int hf_smb2_app_instance_version_padding;
570 static int hf_smb2_app_instance_version_high;
571 static int hf_smb2_app_instance_version_low;
572 static int hf_smb2_posix_perms;
573 static int hf_smb2_aapl_command_code;
574 static int hf_smb2_aapl_reserved;
575 static int hf_smb2_aapl_server_query_bitmask;
576 static int hf_smb2_aapl_server_query_bitmask_server_caps;
577 static int hf_smb2_aapl_server_query_bitmask_volume_caps;
578 static int hf_smb2_aapl_server_query_bitmask_model_info;
579 static int hf_smb2_aapl_server_query_caps;
580 static int hf_smb2_aapl_server_query_caps_supports_read_dir_attr;
581 static int hf_smb2_aapl_server_query_caps_supports_osx_copyfile;
582 static int hf_smb2_aapl_server_query_caps_unix_based;
583 static int hf_smb2_aapl_server_query_caps_supports_nfs_ace;
584 static int hf_smb2_aapl_server_query_volume_caps;
585 static int hf_smb2_aapl_server_query_volume_caps_support_resolve_id;
586 static int hf_smb2_aapl_server_query_volume_caps_case_sensitive;
587 static int hf_smb2_aapl_server_query_volume_caps_supports_full_sync;
588 static int hf_smb2_aapl_server_query_model_string;
589 static int hf_smb2_aapl_server_query_server_path;
590 static int hf_smb2_error_context_count;
591 static int hf_smb2_error_reserved;
592 static int hf_smb2_error_byte_count;
593 static int hf_smb2_error_data;
594 static int hf_smb2_error_context;
595 static int hf_smb2_error_context_length;
596 static int hf_smb2_error_context_id;
597 static int hf_smb2_error_min_buf_length;
598 static int hf_smb2_error_redir_context;
599 static int hf_smb2_error_redir_struct_size;
600 static int hf_smb2_error_redir_notif_type;
601 static int hf_smb2_error_redir_flags;
602 static int hf_smb2_error_redir_target_type;
603 static int hf_smb2_error_redir_ip_count;
604 static int hf_smb2_error_redir_ip_list;
605 static int hf_smb2_error_redir_res_name;
606 static int hf_smb2_reserved;
607 static int hf_smb2_reserved_random;
608 static int hf_smb2_transform_signature;
609 static int hf_smb2_transform_nonce;
610 static int hf_smb2_transform_msg_size;
611 static int hf_smb2_transform_reserved;
612 static int hf_smb2_transform_flags;
613 static int hf_smb2_transform_flags_encrypted;
614 static int hf_smb2_transform_encrypted_data;
615 static int hf_smb2_protocol_id;
616 static int hf_smb2_comp_transform_orig_size;
617 static int hf_smb2_comp_transform_comp_alg;
618 static int hf_smb2_comp_transform_flags;
619 static int hf_smb2_comp_transform_offset;
620 static int hf_smb2_comp_transform_length;
621 static int hf_smb2_comp_transform_data;
622 static int hf_smb2_comp_transform_orig_payload_size;
623 static int hf_smb2_comp_pattern_v1_pattern;
624 static int hf_smb2_comp_pattern_v1_reserved1;
625 static int hf_smb2_comp_pattern_v1_reserved2;
626 static int hf_smb2_comp_pattern_v1_repetitions;
627 static int hf_smb2_truncated;
628 static int hf_smb2_pipe_fragments;
629 static int hf_smb2_pipe_fragment;
630 static int hf_smb2_pipe_fragment_overlap;
631 static int hf_smb2_pipe_fragment_overlap_conflict;
632 static int hf_smb2_pipe_fragment_multiple_tails;
633 static int hf_smb2_pipe_fragment_too_long_fragment;
634 static int hf_smb2_pipe_fragment_error;
635 static int hf_smb2_pipe_fragment_count;
636 static int hf_smb2_pipe_reassembled_in;
637 static int hf_smb2_pipe_reassembled_length;
638 static int hf_smb2_pipe_reassembled_data;
639 static int hf_smb2_cchunk_resume_key;
640 static int hf_smb2_cchunk_count;
641 static int hf_smb2_cchunk_src_offset;
642 static int hf_smb2_cchunk_dst_offset;
643 static int hf_smb2_cchunk_xfer_len;
644 static int hf_smb2_cchunk_chunks_written;
645 static int hf_smb2_cchunk_bytes_written;
646 static int hf_smb2_cchunk_total_written;
647 static int hf_smb2_reparse_data_buffer;
648 static int hf_smb2_reparse_tag;
649 static int hf_smb2_reparse_guid;
650 static int hf_smb2_reparse_data_length;
651 static int hf_smb2_nfs_type;
652 static int hf_smb2_nfs_symlink_target;
653 static int hf_smb2_nfs_chr_major;
654 static int hf_smb2_nfs_chr_minor;
655 static int hf_smb2_nfs_blk_major;
656 static int hf_smb2_nfs_blk_minor;
657 static int hf_smb2_symlink_error_response;
658 static int hf_smb2_symlink_length;
659 static int hf_smb2_symlink_error_tag;
660 static int hf_smb2_unparsed_path_length;
661 static int hf_smb2_symlink_substitute_name;
662 static int hf_smb2_symlink_print_name;
663 static int hf_smb2_symlink_flags;
664 static int hf_smb2_bad_signature;
665 static int hf_smb2_good_signature;
666 static int hf_smb2_fscc_file_attr;
667 static int hf_smb2_fscc_file_attr_archive;
668 static int hf_smb2_fscc_file_attr_compressed;
669 static int hf_smb2_fscc_file_attr_directory;
670 static int hf_smb2_fscc_file_attr_encrypted;
671 static int hf_smb2_fscc_file_attr_hidden;
672 static int hf_smb2_fscc_file_attr_normal;
673 static int hf_smb2_fscc_file_attr_not_content_indexed;
674 static int hf_smb2_fscc_file_attr_offline;
675 static int hf_smb2_fscc_file_attr_read_only;
676 static int hf_smb2_fscc_file_attr_reparse_point;
677 static int hf_smb2_fscc_file_attr_sparse_file;
678 static int hf_smb2_fscc_file_attr_system;
679 static int hf_smb2_fscc_file_attr_temporary;
680 static int hf_smb2_fscc_file_attr_integrity_stream;
681 static int hf_smb2_fscc_file_attr_no_scrub_data;
682 static int hf_smb2_tree_connect_flags;
683 static int hf_smb2_tc_cluster_reconnect;
684 static int hf_smb2_tc_redirect_to_owner;
685 static int hf_smb2_tc_extension_present;
686 static int hf_smb2_tc_reserved;
687 static int hf_smb2_notification_type;
688 static int hf_smb2_query_info_flags;
689 static int hf_smb2_query_info_flag_restart_scan;
690 static int hf_smb2_query_info_flag_return_single_entry;
691 static int hf_smb2_query_info_flag_index_specified;
692 static int hf_smb2_fscc_refs_snapshot_mgmt_operation;
693 static int hf_smb2_fscc_refs_snapshot_mgmt_namelen;
694 static int hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len;
695 static int hf_smb2_fscc_refs_snapshot_mgmt_reserved;
696 static int hf_smb2_fscc_refs_snapshot_mgmt_name;
697 static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn;
698 static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags;
699 static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved;
700 static int hf_smb2_flush_reserved2;
701 static int hf_smb2_file_id_hash;
702 static int hf_smb2_num_matched;
704 static int ett_smb2;
705 static int ett_smb2_olb;
706 static int ett_smb2_ea;
707 static int ett_smb2_header;
708 static int ett_smb2_encrypted;
709 static int ett_smb2_compressed;
710 static int ett_smb2_decompressed;
711 static int ett_smb2_command;
712 static int ett_smb2_secblob;
713 static int ett_smb2_negotiate_context_element;
714 static int ett_smb2_file_basic_info;
715 static int ett_smb2_file_standard_info;
716 static int ett_smb2_file_internal_info;
717 static int ett_smb2_file_ea_info;
718 static int ett_smb2_file_access_info;
719 static int ett_smb2_file_position_info;
720 static int ett_smb2_file_mode_info;
721 static int ett_smb2_file_alignment_info;
722 static int ett_smb2_file_all_info;
723 static int ett_smb2_file_allocation_info;
724 static int ett_smb2_file_endoffile_info;
725 static int ett_smb2_file_alternate_name_info;
726 static int ett_smb2_file_stream_info;
727 static int ett_smb2_file_pipe_info;
728 static int ett_smb2_file_compression_info;
729 static int ett_smb2_file_network_open_info;
730 static int ett_smb2_file_attribute_tag_info;
731 static int ett_smb2_file_rename_info;
732 static int ett_smb2_file_link_info;
733 static int ett_smb2_file_disposition_info;
734 static int ett_smb2_file_full_ea_info;
735 static int ett_smb2_file_normalized_name_info;
736 static int ett_smb2_fs_info_01;
737 static int ett_smb2_fs_info_03;
738 static int ett_smb2_fs_info_04;
739 static int ett_smb2_fs_info_05;
740 static int ett_smb2_fs_info_06;
741 static int ett_smb2_fs_info_07;
742 static int ett_smb2_fs_objectid_info;
743 static int ett_smb2_fs_posix_info;
744 static int ett_smb2_sec_info_00;
745 static int ett_smb2_additional_information_sec_mask;
746 static int ett_smb2_quota_info;
747 static int ett_smb2_query_quota_info;
748 static int ett_smb2_tid_tree;
749 static int ett_smb2_sesid_tree;
750 static int ett_smb2_create_chain_element;
751 static int ett_smb2_MxAc_buffer;
752 static int ett_smb2_QFid_buffer;
753 static int ett_smb2_RqLs_buffer;
754 static int ett_smb2_ioctl_function;
755 static int ett_smb2_FILE_OBJECTID_BUFFER;
756 static int ett_smb2_flags;
757 static int ett_smb2_sec_mode;
758 static int ett_smb2_capabilities;
759 static int ett_smb2_ses_req_flags;
760 static int ett_smb2_ses_flags;
761 static int ett_smb2_lease_state;
762 static int ett_smb2_lease_flags;
763 static int ett_smb2_share_flags;
764 static int ett_smb2_create_rep_flags;
765 static int ett_smb2_share_caps;
766 static int ett_smb2_comp_alg_flags;
767 static int ett_smb2_ioctl_flags;
768 static int ett_smb2_ioctl_network_interface;
769 static int ett_smb2_ioctl_sqos_opeations;
770 static int ett_smb2_fsctl_range_data;
771 static int ett_windows_sockaddr;
772 static int ett_smb2_close_flags;
773 static int ett_smb2_notify_info;
774 static int ett_smb2_notify_flags;
775 static int ett_smb2_write_flags;
776 static int ett_smb2_rdma_v1;
777 static int ett_smb2_DH2Q_buffer;
778 static int ett_smb2_DH2C_buffer;
779 static int ett_smb2_dh2x_flags;
780 static int ett_smb2_APP_INSTANCE_buffer;
781 static int ett_smb2_svhdx_open_device_context;
782 static int ett_smb2_app_instance_version_buffer;
783 static int ett_smb2_app_instance_version_buffer_version;
784 static int ett_smb2_aapl_create_context_request;
785 static int ett_smb2_aapl_server_query_bitmask;
786 static int ett_smb2_aapl_server_query_caps;
787 static int ett_smb2_aapl_create_context_response;
788 static int ett_smb2_aapl_server_query_volume_caps;
789 static int ett_smb2_integrity_flags;
790 static int ett_smb2_find_flags;
791 static int ett_smb2_file_directory_info;
792 static int ett_smb2_both_directory_info;
793 static int ett_smb2_id_both_directory_info;
794 static int ett_smb2_full_directory_info;
795 static int ett_smb2_posix_info;
796 static int ett_smb2_file_name_info;
797 static int ett_smb2_lock_info;
798 static int ett_smb2_lock_flags;
799 static int ett_smb2_buffercode;
800 static int ett_smb2_ioctl_network_interface_capabilities;
801 static int ett_smb2_tree_connect_flags;
802 static int ett_qfr_entry;
803 static int ett_smb2_pipe_fragment;
804 static int ett_smb2_pipe_fragments;
805 static int ett_smb2_cchunk_entry;
806 static int ett_smb2_fsctl_odx_token;
807 static int ett_smb2_symlink_error_response;
808 static int ett_smb2_reparse_data_buffer;
809 static int ett_smb2_error_data;
810 static int ett_smb2_error_context;
811 static int ett_smb2_error_redir_context;
812 static int ett_smb2_error_redir_ip_list;
813 static int ett_smb2_read_flags;
814 static int ett_smb2_signature;
815 static int ett_smb2_transform_flags;
816 static int ett_smb2_fscc_file_attributes;
817 static int ett_smb2_comp_payload;
818 static int ett_smb2_comp_pattern_v1;
819 static int ett_smb2_query_info_flags;
820 static int ett_smb2_server_notification;
821 static int ett_smb2_fscc_refs_snapshot_query_delta_buffer;
823 static expert_field ei_smb2_invalid_length;
824 static expert_field ei_smb2_bad_response;
825 static expert_field ei_smb2_bad_negprot_negotiate_context_count;
826 static expert_field ei_smb2_bad_negprot_negotiate_context_offset;
827 static expert_field ei_smb2_bad_negprot_reserved;
828 static expert_field ei_smb2_bad_negprot_reserved2;
829 static expert_field ei_smb2_invalid_getinfo_offset;
830 static expert_field ei_smb2_invalid_getinfo_size;
831 static expert_field ei_smb2_empty_getinfo_buffer;
832 static expert_field ei_smb2_invalid_signature;
834 static int smb2_tap;
835 static int smb2_eo_tap;
837 static dissector_handle_t gssapi_handle;
838 static dissector_handle_t ntlmssp_handle;
839 static dissector_handle_t rsvd_handle;
841 static heur_dissector_list_t smb2_pipe_subdissector_list;
843 static const fragment_items smb2_pipe_frag_items = {
844 &ett_smb2_pipe_fragment,
845 &ett_smb2_pipe_fragments,
846 &hf_smb2_pipe_fragments,
847 &hf_smb2_pipe_fragment,
848 &hf_smb2_pipe_fragment_overlap,
849 &hf_smb2_pipe_fragment_overlap_conflict,
850 &hf_smb2_pipe_fragment_multiple_tails,
851 &hf_smb2_pipe_fragment_too_long_fragment,
852 &hf_smb2_pipe_fragment_error,
853 &hf_smb2_pipe_fragment_count,
854 &hf_smb2_pipe_reassembled_in,
855 &hf_smb2_pipe_reassembled_length,
856 &hf_smb2_pipe_reassembled_data,
857 "Fragments"
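/*
 * File alignment requirement values. Each constant is the required
 * alignment in bytes minus one (0x00 = byte, 0x01 = word, ... 0x1ff = 512).
 */
#define FILE_BYTE_ALIGNMENT		0x00
#define FILE_WORD_ALIGNMENT		0x01
#define FILE_LONG_ALIGNMENT		0x03
#define FILE_QUAD_ALIGNMENT		0x07
#define FILE_OCTA_ALIGNMENT		0x0f
#define FILE_32_BYTE_ALIGNMENT		0x1f
#define FILE_64_BYTE_ALIGNMENT		0x3f
#define FILE_128_BYTE_ALIGNMENT		0x7f
#define FILE_256_BYTE_ALIGNMENT		0xff
#define FILE_512_BYTE_ALIGNMENT		0x1ff

/*
 * Display names for the alignment values above.
 * FILE_QUAD_ALIGNMENT was defined but had no entry in this table, so a
 * value of 0x07 had no name here; it is now listed between LONG and OCTA.
 */
static const value_string smb2_alignment_vals[] = {
	{ FILE_BYTE_ALIGNMENT,     "FILE_BYTE_ALIGNMENT" },
	{ FILE_WORD_ALIGNMENT,     "FILE_WORD_ALIGNMENT" },
	{ FILE_LONG_ALIGNMENT,     "FILE_LONG_ALIGNMENT" },
	{ FILE_QUAD_ALIGNMENT,     "FILE_QUAD_ALIGNMENT" },
	{ FILE_OCTA_ALIGNMENT,     "FILE_OCTA_ALIGNMENT" },
	{ FILE_32_BYTE_ALIGNMENT,  "FILE_32_BYTE_ALIGNMENT" },
	{ FILE_64_BYTE_ALIGNMENT,  "FILE_64_BYTE_ALIGNMENT" },
	{ FILE_128_BYTE_ALIGNMENT, "FILE_128_BYTE_ALIGNMENT" },
	{ FILE_256_BYTE_ALIGNMENT, "FILE_256_BYTE_ALIGNMENT" },
	{ FILE_512_BYTE_ALIGNMENT, "FILE_512_BYTE_ALIGNMENT" },
	{ 0, NULL }
};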
884 #define SMB2_CLASS_FILE_INFO 0x01
885 #define SMB2_CLASS_FS_INFO 0x02
886 #define SMB2_CLASS_SEC_INFO 0x03
887 #define SMB2_CLASS_QUOTA_INFO 0x04
888 static const value_string smb2_class_vals[] = {
889 { SMB2_CLASS_FILE_INFO, "FILE_INFO"},
890 { SMB2_CLASS_FS_INFO, "FS_INFO"},
891 { SMB2_CLASS_SEC_INFO, "SEC_INFO"},
892 { SMB2_CLASS_QUOTA_INFO, "QUOTA_INFO"},
893 { 0, NULL }
896 #define SMB2_SHARE_TYPE_DISK 0x01
897 #define SMB2_SHARE_TYPE_PIPE 0x02
898 #define SMB2_SHARE_TYPE_PRINT 0x03
899 static const value_string smb2_share_type_vals[] = {
900 { SMB2_SHARE_TYPE_DISK, "Physical disk" },
901 { SMB2_SHARE_TYPE_PIPE, "Named pipe" },
902 { SMB2_SHARE_TYPE_PRINT, "Printer" },
903 { 0, NULL }
907 #define SMB2_FILE_BASIC_INFO 0x04
908 #define SMB2_FILE_STANDARD_INFO 0x05
909 #define SMB2_FILE_INTERNAL_INFO 0x06
910 #define SMB2_FILE_EA_INFO 0x07
911 #define SMB2_FILE_ACCESS_INFO 0x08
912 #define SMB2_FILE_RENAME_INFO 0x0a
913 #define SMB2_FILE_LINK_INFO 0x0b
914 #define SMB2_FILE_DISPOSITION_INFO 0x0d
915 #define SMB2_FILE_POSITION_INFO 0x0e
916 #define SMB2_FILE_FULL_EA_INFO 0x0f
917 #define SMB2_FILE_MODE_INFO 0x10
918 #define SMB2_FILE_ALIGNMENT_INFO 0x11
919 #define SMB2_FILE_ALL_INFO 0x12
920 #define SMB2_FILE_ALLOCATION_INFO 0x13
921 #define SMB2_FILE_ENDOFFILE_INFO 0x14
922 #define SMB2_FILE_ALTERNATE_NAME_INFO 0x15
923 #define SMB2_FILE_STREAM_INFO 0x16
924 #define SMB2_FILE_PIPE_INFO 0x17
925 #define SMB2_FILE_COMPRESSION_INFO 0x1c
926 #define SMB2_FILE_NETWORK_OPEN_INFO 0x22
927 #define SMB2_FILE_ATTRIBUTE_TAG_INFO 0x23
928 #define SMB2_FILE_NORMALIZED_NAME_INFO 0x30
929 #define SMB2_FILE_POSIX_INFO 0x64
930 #define SMB2_FILE_ID_INFO 0x3b
931 #define SMB2_FILE_PIPE_LOCAL_INFO 0x18
932 #define SMB2_FILE_PIPE_REMOTE_INFO 0x19
933 #define SMB2_FILE_BOTH_DIRECTORY_INFO 0x03
934 #define SMB2_FILE_DIRECTORY_INFO 0x01
935 #define SMB2_FILE_FULL_DIRECTORY_INFO 0x02
936 #define SMB2_FILE_FULL_HARD_LINK_INFO 0x2e
937 #define SMB2_FILE_ID_BOTH_DIRECTORY_INFO 0x25
938 #define SMB2_FILE_ID_EXTD_DIRECTORY_INFO 0x3c
939 #define SMB2_FILE_ID_FULL_DIRECTORY_INFO 0x26
940 #define SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO 0x32
941 #define SMB2_FILE_LINK_INFO 0x0b
942 #define SMB2_FILE_MAIL_SLOT_SET_INFO 0x1b
943 #define SMB2_FILE_MOVE_CLUSTER_INFO 0x1f
944 #define SMB2_FILE_NAME_INFO 0x09
945 #define SMB2_FILE_NAMES_INFO 0x0c
946 #define SMB2_FILE_OBJECTID_INFO 0x1d
947 #define SMB2_FILE_QUOTA_INFO 0x20
948 #define SMB2_FILE_REPARSE_POINT_INFO 0x21
949 #define SMB2_FILE_SFIO_RESERVE_INFO 0x2c
950 #define SMB2_FILE_SFIO_VOLUME_INFO 0x2d
951 #define SMB2_FILE_SHORT_NAME_INFO 0x28
952 #define SMB2_FILE_STANDARD_LINK_INFO 0x36
953 #define SMB2_FILE_TRACKING_INFO 0x24
954 #define SMB2_VALID_DATA_LENGTH_INFO 0x27
956 static const value_string smb2_file_info_levels[] = {
957 {SMB2_FILE_DIRECTORY_INFO, "SMB2_FILE_DIRECTORY_INFO"},
958 {SMB2_FILE_FULL_DIRECTORY_INFO, "SMB2_FILE_FULL_DIRECTORY_INFO"},
959 {SMB2_FILE_BOTH_DIRECTORY_INFO, "SMB2_FILE_BOTH_DIRECTORY_INFO"},
960 {SMB2_FILE_BASIC_INFO, "SMB2_FILE_BASIC_INFO" },
961 {SMB2_FILE_STANDARD_INFO, "SMB2_FILE_STANDARD_INFO" },
962 {SMB2_FILE_INTERNAL_INFO, "SMB2_FILE_INTERNAL_INFO" },
963 {SMB2_FILE_EA_INFO, "SMB2_FILE_EA_INFO" },
964 {SMB2_FILE_ACCESS_INFO, "SMB2_FILE_ACCESS_INFO" },
965 {SMB2_FILE_NAME_INFO, "SMB2_FILE_NAME_INFO"},
966 {SMB2_FILE_RENAME_INFO, "SMB2_FILE_RENAME_INFO" },
967 {SMB2_FILE_LINK_INFO, "SMB2_FILE_LINK_INFO" },
968 {SMB2_FILE_NAMES_INFO, "SMB2_FILE_NAMES_INFO"},
969 {SMB2_FILE_DISPOSITION_INFO, "SMB2_FILE_DISPOSITION_INFO" },
970 {SMB2_FILE_POSITION_INFO, "SMB2_FILE_POSITION_INFO" },
971 {SMB2_FILE_FULL_EA_INFO, "SMB2_FILE_FULL_EA_INFO" },
972 {SMB2_FILE_MODE_INFO, "SMB2_FILE_MODE_INFO" },
973 {SMB2_FILE_ALIGNMENT_INFO, "SMB2_FILE_ALIGNMENT_INFO" },
974 {SMB2_FILE_ALL_INFO, "SMB2_FILE_ALL_INFO" },
975 {SMB2_FILE_ALLOCATION_INFO, "SMB2_FILE_ALLOCATION_INFO" },
976 {SMB2_FILE_ENDOFFILE_INFO, "SMB2_FILE_ENDOFFILE_INFO" },
977 {SMB2_FILE_ALTERNATE_NAME_INFO, "SMB2_FILE_ALTERNATE_NAME_INFO" },
978 {SMB2_FILE_STREAM_INFO, "SMB2_FILE_STREAM_INFO" },
979 {SMB2_FILE_PIPE_INFO, "SMB2_FILE_PIPE_INFO" },
980 {SMB2_FILE_PIPE_LOCAL_INFO, "SMB2_FILE_PIPE_LOCAL_INFO"},
981 {SMB2_FILE_PIPE_REMOTE_INFO, "SMB2_FILE_PIPE_REMOTE_INFO"},
982 {SMB2_FILE_MAIL_SLOT_SET_INFO, "SMB2_FILE_MAIL_SLOT_SET_INFO"},
983 {SMB2_FILE_COMPRESSION_INFO, "SMB2_FILE_COMPRESSION_INFO" },
984 {SMB2_FILE_OBJECTID_INFO, "SMB2_FILE_OBJECTID_INFO"},
985 {SMB2_FILE_MOVE_CLUSTER_INFO, "SMB2_FILE_MOVE_CLUSTER_INFO"},
986 {SMB2_FILE_QUOTA_INFO, "SMB2_FILE_QUOTA_INFO"},
987 {SMB2_FILE_REPARSE_POINT_INFO, "SMB2_FILE_REPARSE_POINT_INFO"},
988 {SMB2_FILE_NETWORK_OPEN_INFO, "SMB2_FILE_NETWORK_OPEN_INFO" },
989 {SMB2_FILE_ATTRIBUTE_TAG_INFO, "SMB2_FILE_ATTRIBUTE_TAG_INFO" },
990 {SMB2_FILE_TRACKING_INFO, "SMB2_FILE_TRACKING_INFO"},
991 {SMB2_FILE_ID_BOTH_DIRECTORY_INFO,"SMB2_FILE_ID_BOTH_DIRECTORY_INFO" },
992 {SMB2_FILE_ID_FULL_DIRECTORY_INFO, "SMB2_FILE_ID_FULL_DIRECTORY_INFO"},
993 {SMB2_VALID_DATA_LENGTH_INFO, "SMB2_VALID_DATA_LENGTH_INFO"},
994 {SMB2_FILE_SHORT_NAME_INFO, "SMB2_FILE_SHORT_NAME_INFO"},
995 {SMB2_FILE_SFIO_RESERVE_INFO, "SMB2_FILE_SFIO_RESERVE_INFO"},
996 {SMB2_FILE_SFIO_VOLUME_INFO, "SMB2_FILE_SFIO_VOLUME_INFO"},
997 {SMB2_FILE_FULL_HARD_LINK_INFO, "SMB2_FILE_FULL_HARD_LINK_INFO"},
998 {SMB2_FILE_NORMALIZED_NAME_INFO,"SMB2_FILE_NORMALIZED_NAME_INFO" },
999 {SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO, "SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO"},
1000 {SMB2_FILE_STANDARD_LINK_INFO, "SMB2_FILE_STANDARD_LINK_INFO"},
1001 {SMB2_FILE_ID_INFO, "SMB2_FILE_ID_INFO"},
1002 {SMB2_FILE_ID_EXTD_DIRECTORY_INFO,"SMB2_FILE_ID_EXTD_DIRECTORY_INFO"},
1003 {SMB2_FILE_POSIX_INFO, "SMB2_FILE_POSIX_INFO" },
1004 { 0, NULL }
1006 static value_string_ext smb2_file_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_file_info_levels);
1010 #define SMB2_FS_INFO_01 0x01
1011 #define SMB2_FS_LABEL_INFO 0x02
1012 #define SMB2_FS_INFO_03 0x03
1013 #define SMB2_FS_INFO_04 0x04
1014 #define SMB2_FS_INFO_05 0x05
1015 #define SMB2_FS_INFO_06 0x06
1016 #define SMB2_FS_INFO_07 0x07
1017 #define SMB2_FS_OBJECTID_INFO 0x08
1018 #define SMB2_FS_DRIVER_PATH_INFO 0x09
1019 #define SMB2_FS_VOLUME_FLAGS_INFO 0x0a
1020 #define SMB2_FS_SECTOR_SIZE_INFO 0x0b
1021 #define SMB2_FS_POSIX_INFO 0x64
1023 static const value_string smb2_fs_info_levels[] = {
1024 {SMB2_FS_INFO_01, "FileFsVolumeInformation" },
1025 {SMB2_FS_LABEL_INFO, "FileFsLabelInformation" },
1026 {SMB2_FS_INFO_03, "FileFsSizeInformation" },
1027 {SMB2_FS_INFO_04, "FileFsDeviceInformation" },
1028 {SMB2_FS_INFO_05, "FileFsAttributeInformation" },
1029 {SMB2_FS_INFO_06, "FileFsControlInformation" },
1030 {SMB2_FS_INFO_07, "FileFsFullSizeInformation" },
1031 {SMB2_FS_OBJECTID_INFO, "FileFsObjectIdInformation" },
1032 {SMB2_FS_DRIVER_PATH_INFO, "FileFsDriverPathInformation" },
1033 {SMB2_FS_VOLUME_FLAGS_INFO, "FileFsVolumeFlagsInformation" },
1034 {SMB2_FS_SECTOR_SIZE_INFO, "FileFsSectorSizeInformation" },
1035 {SMB2_FS_POSIX_INFO, "FileFsPosixInformation" },
1036 { 0, NULL }
1038 static value_string_ext smb2_fs_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_fs_info_levels);
1040 #define SMB2_SEC_INFO_00 0x00
1041 static const value_string smb2_sec_info_levels[] = {
1042 {SMB2_SEC_INFO_00, "SMB2_SEC_INFO_00" },
1043 { 0, NULL }
1045 static value_string_ext smb2_sec_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_sec_info_levels);
1047 #define SMB2_FIND_DIRECTORY_INFO 0x01
1048 #define SMB2_FIND_FULL_DIRECTORY_INFO 0x02
1049 #define SMB2_FIND_BOTH_DIRECTORY_INFO 0x03
1050 #define SMB2_FIND_INDEX_SPECIFIED 0x04
1051 #define SMB2_FIND_NAME_INFO 0x0C
1052 #define SMB2_FIND_ID_BOTH_DIRECTORY_INFO 0x25
1053 #define SMB2_FIND_ID_FULL_DIRECTORY_INFO 0x26
1054 #define SMB2_FIND_POSIX_INFO 0x64
1055 static const value_string smb2_find_info_levels[] = {
1056 { SMB2_FIND_DIRECTORY_INFO, "SMB2_FIND_DIRECTORY_INFO" },
1057 { SMB2_FIND_FULL_DIRECTORY_INFO, "SMB2_FIND_FULL_DIRECTORY_INFO" },
1058 { SMB2_FIND_BOTH_DIRECTORY_INFO, "SMB2_FIND_BOTH_DIRECTORY_INFO" },
1059 { SMB2_FIND_INDEX_SPECIFIED, "SMB2_FIND_INDEX_SPECIFIED" },
1060 { SMB2_FIND_NAME_INFO, "SMB2_FIND_NAME_INFO" },
1061 { SMB2_FIND_ID_BOTH_DIRECTORY_INFO, "SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
1062 { SMB2_FIND_ID_FULL_DIRECTORY_INFO, "SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
1063 { SMB2_FIND_POSIX_INFO, "SMB2_FIND_POSIX_INFO" },
1064 { 0, NULL }
1067 #define SMB2_PREAUTH_INTEGRITY_CAPABILITIES 0x0001
1068 #define SMB2_ENCRYPTION_CAPABILITIES 0x0002
1069 #define SMB2_COMPRESSION_CAPABILITIES 0x0003
1070 #define SMB2_NETNAME_NEGOTIATE_CONTEXT_ID 0x0005
1071 #define SMB2_TRANSPORT_CAPABILITIES 0x0006
1072 #define SMB2_RDMA_TRANSFORM_CAPABILITIES 0x0007
1073 #define SMB2_SIGNING_CAPABILITIES 0x0008
1074 #define SMB2_POSIX_EXTENSIONS_CAPABILITIES 0x0100
1075 static const value_string smb2_negotiate_context_types[] = {
1076 { SMB2_PREAUTH_INTEGRITY_CAPABILITIES, "SMB2_PREAUTH_INTEGRITY_CAPABILITIES" },
1077 { SMB2_ENCRYPTION_CAPABILITIES, "SMB2_ENCRYPTION_CAPABILITIES" },
1078 { SMB2_COMPRESSION_CAPABILITIES, "SMB2_COMPRESSION_CAPABILITIES" },
1079 { SMB2_NETNAME_NEGOTIATE_CONTEXT_ID, "SMB2_NETNAME_NEGOTIATE_CONTEXT_ID" },
1080 { SMB2_TRANSPORT_CAPABILITIES, "SMB2_TRANSPORT_CAPABILITIES" },
1081 { SMB2_RDMA_TRANSFORM_CAPABILITIES, "SMB2_RDMA_TRANSFORM_CAPABILITIES" },
1082 { SMB2_SIGNING_CAPABILITIES, "SMB2_SIGNING_CAPABILITIES" },
1083 { SMB2_POSIX_EXTENSIONS_CAPABILITIES, "SMB2_POSIX_EXTENSIONS_CAPABILITIES" },
1084 { 0, NULL }
/* Hash algorithm identifiers for the pre-authentication integrity hash. */
#define SMB2_HASH_ALGORITHM_SHA_512	0x0001
static const value_string smb2_hash_algorithm_types[] = {
	{ SMB2_HASH_ALGORITHM_SHA_512, "SHA-512" },
	{ 0, NULL }
};

/*
 * Signing algorithm identifiers.
 * 0x0000 is a real algorithm (HMAC-SHA256), so the table end is marked by
 * the NULL string of the last entry, not by the value 0.
 */
#define SMB2_SIGNING_ALG_HMAC_SHA256	0x0000
#define SMB2_SIGNING_ALG_AES_CMAC	0x0001
#define SMB2_SIGNING_ALG_AES_GMAC	0x0002
static const value_string smb2_signing_alg_types[] = {
	{ SMB2_SIGNING_ALG_HMAC_SHA256, "HMAC-SHA256" },
	{ SMB2_SIGNING_ALG_AES_CMAC,    "AES-CMAC" },
	{ SMB2_SIGNING_ALG_AES_GMAC,    "AES-GMAC" },
	{ 0, NULL }
};

/* Encryption cipher identifiers. */
#define SMB2_CIPHER_AES_128_CCM		0x0001
#define SMB2_CIPHER_AES_128_GCM		0x0002
#define SMB2_CIPHER_AES_256_CCM		0x0003
#define SMB2_CIPHER_AES_256_GCM		0x0004
static const value_string smb2_cipher_types[] = {
	{ SMB2_CIPHER_AES_128_CCM, "AES-128-CCM" },
	{ SMB2_CIPHER_AES_128_GCM, "AES-128-GCM" },
	{ SMB2_CIPHER_AES_256_CCM, "AES-256-CCM" },
	{ SMB2_CIPHER_AES_256_GCM, "AES-256-GCM" },
	{ 0, NULL }
};
1115 #define SMB2_TRANSFORM_FLAGS_ENCRYPTED 0x0001
1116 static int * const smb2_transform_flags[] = {
1117 &hf_smb2_transform_flags_encrypted,
1118 NULL,
1121 #define SMB2_COMP_ALG_FLAGS_CHAINED 0x00000001
1123 #define SMB2_COMP_ALG_NONE 0x0000
1124 #define SMB2_COMP_ALG_LZNT1 0x0001
1125 #define SMB2_COMP_ALG_LZ77 0x0002
1126 #define SMB2_COMP_ALG_LZ77HUFF 0x0003
1127 #define SMB2_COMP_ALG_PATTERN_V1 0x0004
1128 static const value_string smb2_comp_alg_types[] = {
1129 { SMB2_COMP_ALG_NONE, "None" },
1130 { SMB2_COMP_ALG_LZNT1, "LZNT1" },
1131 { SMB2_COMP_ALG_LZ77, "LZ77" },
1132 { SMB2_COMP_ALG_LZ77HUFF, "LZ77+Huffman" },
1133 { SMB2_COMP_ALG_PATTERN_V1, "Pattern_V1" },
1134 { 0, NULL }
1137 #define SMB2_COMP_FLAG_NONE 0x0000
1138 #define SMB2_COMP_FLAG_CHAINED 0x0001
1139 static const value_string smb2_comp_transform_flags_vals[] = {
1140 { SMB2_COMP_FLAG_NONE, "None" },
1141 { SMB2_COMP_FLAG_CHAINED, "Chained" },
1142 { 0, NULL }
1145 #define SMB2_RDMA_TRANSFORM_NONE 0x0000
1146 #define SMB2_RDMA_TRANSFORM_ENCRYPTION 0x0001
1147 #define SMB2_RDMA_TRANSFORM_SIGNING 0x0002
1148 static const value_string smb2_rdma_transform_types[] = {
1149 { SMB2_RDMA_TRANSFORM_NONE, "None" },
1150 { SMB2_RDMA_TRANSFORM_ENCRYPTION, "Encryption" },
1151 { SMB2_RDMA_TRANSFORM_SIGNING, "Signing" },
1152 { 0, NULL }
1155 #define OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE 24 /* [MS-SMB2] 2.2.23.1, 2.2.24.1 and 2.2.25.1 */
1156 #define OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE 44 /* [MS-SMB2] 2.2.23.2 Lease Break Notification */
1157 #define OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE 36 /* [MS-SMB2] 2.2.24.2 Lease Break Acknowledgment */
1158 #define OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE 36 /* [MS-SMB2] 2.2.25.2 Lease Break Response */
1160 static const val64_string unique_unsolicited_response[] = {
1161 { 0xffffffffffffffff, "unsolicited response" },
1162 { 0, NULL }
1165 #define SMB2_ERROR_ID_DEFAULT 0x00000000
1166 #define SMB2_ERROR_ID_SHARE_REDIRECT 0x72645253
1167 static const value_string smb2_error_id_vals[] = {
1168 { SMB2_ERROR_ID_DEFAULT, "ERROR_ID_DEFAULT" },
1169 { SMB2_ERROR_ID_SHARE_REDIRECT, "ERROR_ID_SHARE_REDIRECT" },
1170 { 0, NULL }
1173 #define SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY 0x00000001
1174 static const value_string smb2_transport_ctx_flags_vals[] = {
1175 { SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY, "SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY" },
1176 { 0, NULL }
1179 #define REPARSE_TAG_RESERVED_ZERO 0x00000000 /* Reserved reparse tag value. */
1180 #define REPARSE_TAG_RESERVED_ONE 0x00000001 /* Reserved reparse tag value. */
1181 #define REPARSE_TAG_MOUNT_POINT 0xA0000003 /* Used for mount point */
1182 #define REPARSE_TAG_HSM 0xC0000004 /* Obsolete. Used by legacy Hierarchical Storage Manager Product. */
1183 #define REPARSE_TAG_DRIVER_EXTENDER 0x80000005 /* Home server drive extender. */
1184 #define REPARSE_TAG_HSM2 0x80000006 /* Obsolete. Used by legacy Hierarchical Storage Manager Product. */
1185 #define REPARSE_TAG_SIS 0x80000007 /* Used by single-instance storage (SIS) filter driver. */
1186 #define REPARSE_TAG_DFS 0x8000000A /* Used by the DFS filter. */
1187 #define REPARSE_TAG_FILTER_MANAGER 0x8000000B /* Used by filter manager test harness */
1188 #define REPARSE_TAG_SYMLINK 0xA000000C /* Used for symbolic link support. */
1189 #define REPARSE_TAG_DFSR 0x80000012 /* Used by the DFS filter. */
1190 #define REPARSE_TAG_NFS 0x80000014 /* Used by the Network File System (NFS) component. */
1191 #define REPARSE_TAG_LX_SYMLINK 0xA000001D /* WSL symbolic link */
1192 #define REPARSE_TAG_AF_UNIX 0x80000023 /* WSL unix socket */
1193 #define REPARSE_TAG_LX_FIFO 0x80000024 /* WSL fifo pipe */
1194 #define REPARSE_TAG_LX_CHR 0x80000025 /* WSL char device */
1195 #define REPARSE_TAG_LX_BLK 0x80000026 /* WSL block device */
1196 static const value_string reparse_tag_vals[] = {
1197 { REPARSE_TAG_RESERVED_ZERO, "REPARSE_TAG_RESERVED_ZERO"},
1198 { REPARSE_TAG_RESERVED_ONE, "REPARSE_TAG_RESERVED_ONE"},
1199 { REPARSE_TAG_MOUNT_POINT, "REPARSE_TAG_MOUNT_POINT"},
1200 { REPARSE_TAG_HSM, "REPARSE_TAG_HSM"},
1201 { REPARSE_TAG_DRIVER_EXTENDER, "REPARSE_TAG_DRIVER_EXTENDER"},
1202 { REPARSE_TAG_HSM2, "REPARSE_TAG_HSM2"},
1203 { REPARSE_TAG_SIS, "REPARSE_TAG_SIS"},
1204 { REPARSE_TAG_DFS, "REPARSE_TAG_DFS"},
1205 { REPARSE_TAG_FILTER_MANAGER, "REPARSE_TAG_FILTER_MANAGER"},
1206 { REPARSE_TAG_SYMLINK, "REPARSE_TAG_SYMLINK"},
1207 { REPARSE_TAG_DFSR, "REPARSE_TAG_DFSR"},
1208 { REPARSE_TAG_NFS, "REPARSE_TAG_NFS"},
1209 { REPARSE_TAG_LX_SYMLINK, "REPARSE_TAG_LX_SYMLINK"},
1210 { REPARSE_TAG_AF_UNIX, "REPARSE_TAG_AF_UNIX"},
1211 { REPARSE_TAG_LX_FIFO, "REPARSE_TAG_LX_FIFO"},
1212 { REPARSE_TAG_LX_CHR, "REPARSE_TAG_LX_CHR"},
1213 { REPARSE_TAG_LX_BLK, "REPARSE_TAG_LX_BLK"},
1214 { 0, NULL }
1217 #define NFS_SPECFILE_LNK 0x00000000014B4E4C
1218 #define NFS_SPECFILE_CHR 0x0000000000524843
1219 #define NFS_SPECFILE_BLK 0x00000000004B4C42
1220 #define NFS_SPECFILE_FIFO 0x000000004F464946
1221 #define NFS_SPECFILE_SOCK 0x000000004B434F53
1222 static const val64_string nfs_type_vals[] = {
1223 { NFS_SPECFILE_LNK, "Symbolic Link" },
1224 { NFS_SPECFILE_CHR, "Character Device" },
1225 { NFS_SPECFILE_BLK, "Block Device" },
1226 { NFS_SPECFILE_FIFO, "FIFO" },
1227 { NFS_SPECFILE_SOCK, "UNIX Socket" },
1228 { 0, NULL }
/* Number of rows in the per-command statistics table (one per opcode value). */
#define SMB2_NUM_PROCEDURES	256

/*
 * 16 MiB.
 * NOTE(review): presumably the ceiling applied to the declared size of a
 * decompressed SMB2 payload; the code that enforces it is outside this
 * chunk. Confirm every decompression path compares the attacker-controlled
 * size field against this limit before allocating.
 */
#define MAX_UNCOMPRESSED_SIZE	(1 << 24)
1234 #define SMB2_DIALECT_202 0x0202
1235 #define SMB2_DIALECT_210 0x0210
1236 #define SMB2_DIALECT_2FF 0x02FF
1237 #define SMB2_DIALECT_222 0x0222
1238 #define SMB2_DIALECT_224 0x0224
1239 #define SMB2_DIALECT_300 0x0300
1240 #define SMB2_DIALECT_302 0x0302
1241 #define SMB2_DIALECT_310 0x0310
1242 #define SMB2_DIALECT_311 0x0311
1244 static const value_string smb2_dialect_vals[] = {
1245 { SMB2_DIALECT_202, "SMB 2.0.2" },
1246 { SMB2_DIALECT_210, "SMB 2.1" },
1247 { SMB2_DIALECT_2FF, "SMB2 wildcard" },
1248 { SMB2_DIALECT_222, "SMB 2.2.2 (deprecated; should be 3.0)" },
1249 { SMB2_DIALECT_224, "SMB 2.2.4 (deprecated; should be 3.0)" },
1250 { SMB2_DIALECT_300, "SMB 3.0" },
1251 { SMB2_DIALECT_302, "SMB 3.0.2" },
1252 { SMB2_DIALECT_310, "SMB 3.1.0 (deprecated; should be 3.1.1)" },
1253 { SMB2_DIALECT_311, "SMB 3.1.1" },
1254 { 0, NULL }
1257 static const value_string smb2_fsctl_infoex_integrity_modes[] = {
1258 { 0x00, "CHECKSUM_TYPE_NONE" },
1259 { 0x01, "CHECKSUM_TYPE_CRC32_OR_CRC64" },
1260 { 0, NULL }
1263 static const value_string smb2_fsctl_infoex_integrity_state[] = {
1264 { 0x00, "Change state" },
1265 { 0x01, "No state change" },
1266 { 0, NULL }
1269 #define SMB2_SL_RESTART_SCAN 0x00000001
1270 #define SMB2_SL_RETURN_SINGLE_ENTRY 0x00000002
1271 #define SL_INDEX_SPECIFIED 0x00000004
1273 #define NOTIFY_SESSION_CLOSED 0x0
1274 static const value_string server_notification_types[] = {
1275 { NOTIFY_SESSION_CLOSED, "SmbNotifySessionClosed" },
1276 { 0, NULL }
1279 #define REFS_STREAM_SNAPSHOT_OPERATION_INVALID 0x00000000
1280 #define REFS_STREAM_SNAPSHOT_OPERATION_CREATE 0x00000001
1281 #define REFS_STREAM_SNAPSHOT_OPERATION_LIST 0x00000002
1282 #define REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS 0x00000003
1283 #define REFS_STREAM_SNAPSHOT_OPERATION_REVERT 0x00000004
1284 #define REFS_STREAM_SNAPSHOT_OPERATION_SET_SHADOW_BTREE 0x00000005
1285 #define REFS_STREAM_SNAPSHOT_OPERATION_CLEAR_SHADOW_BTREE 0x00000006
1287 static const value_string refs_stream_snapshot_operation_types[] = {
1288 { REFS_STREAM_SNAPSHOT_OPERATION_INVALID, "Invalid" },
1289 { REFS_STREAM_SNAPSHOT_OPERATION_CREATE, "Create" },
1290 { REFS_STREAM_SNAPSHOT_OPERATION_LIST, "List" },
1291 { REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS, "Query Deltas" },
1292 { REFS_STREAM_SNAPSHOT_OPERATION_REVERT, "Revert" },
1293 { REFS_STREAM_SNAPSHOT_OPERATION_SET_SHADOW_BTREE, "Set Shadow Btree" },
1294 { REFS_STREAM_SNAPSHOT_OPERATION_CLEAR_SHADOW_BTREE, "Clear Shadow Btree" },
1295 { 0, NULL }
1298 #define FILE_FULL_EA_INFORMATION_FLAG_NONE 0x00000000
1299 #define FILE_FULL_EA_INFORMATION_FLAG_NEED_EA 0x00000001
1301 static const value_string file_full_ea_information_flags[] = {
1302 { FILE_FULL_EA_INFORMATION_FLAG_NONE, "None" },
1303 { FILE_FULL_EA_INFORMATION_FLAG_NEED_EA, "Need EA" },
1304 { 0, NULL }
1307 static int dissect_windows_sockaddr_storage(tvbuff_t *, packet_info *, proto_tree *, int, int);
1308 static void dissect_smb2_error_data(tvbuff_t *, packet_info *, proto_tree *, int, int, smb2_info_t *);
1309 static unsigned smb2_eo_files_hash(const void *k);
1310 static int smb2_eo_files_equal(const void *k1, const void *k2);
/*
 * Fold one SMB2 message into the running pre-authentication integrity hash:
 *     buf <- SHA-512(buf || message bytes)
 *
 * buf    in/out buffer of SMB2_PREAUTH_HASH_SIZE bytes holding the previous
 *        hash value (presumably the SHA-512 digest size; the constant is
 *        defined outside this chunk - confirm).
 * pinfo  supplies the packet-scoped pool used for the temporary copy.
 * tvb    the message to hash, starting at offset 0.
 *
 * Only the captured bytes are hashed. NOTE(review): if the frame was cut
 * short at capture time, the result cannot match the value the endpoints
 * computed, and anything later derived from this hash will be wrong.
 * If the digest context cannot be opened, buf is left unchanged and the
 * caller is not informed.
 */
static void update_preauth_hash(void *buf, packet_info *pinfo, tvbuff_t *tvb)
{
	gcry_md_hd_t sha512;
	unsigned msg_len;
	void *msg;

	if (gcry_md_open(&sha512, GCRY_MD_SHA512, 0) != 0)
		return;

	/* Work on a copy: the tvb's backing data may not be contiguous. */
	msg_len = tvb_captured_length(tvb);
	msg = tvb_memdup(pinfo->pool, tvb, 0, msg_len);

	/* Previous hash first, then the message, as one digest input. */
	gcry_md_write(sha512, buf, SMB2_PREAUTH_HASH_SIZE);
	gcry_md_write(sha512, msg, msg_len);
	gcry_md_final(sha512);

	/* The digest is owned by the context; copy it out before closing. */
	memcpy(buf, gcry_md_read(sha512, 0), SMB2_PREAUTH_HASH_SIZE);
	gcry_md_close(sha512);
}
/*
 * Create the "SMB2" response-time table with SMB2_NUM_PROCEDURES rows and
 * label each row with the command name for that opcode, or "<unknown>" when
 * smb2_cmd_vals_ext has no entry for it.
 */
static void
smb2stat_init(struct register_srt* srt _U_, GArray* srt_array)
{
	srt_stat_table *table = init_srt_table("SMB2", NULL, srt_array, SMB2_NUM_PROCEDURES, "Commands", "smb2.cmd", NULL);

	for (uint32_t opcode = 0; opcode < SMB2_NUM_PROCEDURES; opcode++) {
		const char *label = val_to_str_ext_const(opcode, &smb2_cmd_vals_ext, "<unknown>");

		init_srt_table_row(table, opcode, label);
	}
}
/*
 * Tap callback feeding the SMB2 response-time table.
 *
 * pss   the srt_data_t holding the table array.
 * pinfo the packet being tapped.
 * prv   the smb2_info_t for this PDU.
 *
 * Returns TAP_PACKET_REDRAW when a sample was recorded, otherwise
 * TAP_PACKET_DONT_REDRAW.
 */
static tap_packet_status
smb2stat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv, tap_flags_t flags _U_)
{
	const smb2_info_t *info = (const smb2_info_t *)prv;
	srt_data_t *srt = (srt_data_t *)pss;
	srt_stat_table *table;

	/* Requests carry no response time; only responses are counted. */
	if ((info->flags & SMB2_FLAGS_RESPONSE) == 0) {
		return TAP_PACKET_DONT_REDRAW;
	}

	/* Cancel and oplock break are not request/response pairs to time. */
	if (info->opcode == SMB2_COM_CANCEL || info->opcode == SMB2_COM_BREAK) {
		return TAP_PACKET_DONT_REDRAW;
	}

	/* Without the matching request there is no start time. */
	if (info->saved == NULL) {
		return TAP_PACKET_DONT_REDRAW;
	}

	/*
	 * Retransmitted responses would add bogus transactions and their
	 * latency, inflating the maximum and average (worst with RTO-driven
	 * retransmissions). Counting only the last received response avoids
	 * that without requiring the TCP preference "Do not call
	 * subdissectors for error packets".
	 */
	if (info->saved->frame_res != pinfo->num) {
		return TAP_PACKET_DONT_REDRAW;
	}

	/* The SMB2 table is the first (index 0) entry of the array. */
	table = g_array_index(srt->srt_array, srt_stat_table*, 0);
	add_srt_table_data(table, info->opcode, &info->saved->req_time, pinfo);
	return TAP_PACKET_REDRAW;
}
/*
 * One row of the user-supplied SessionID <=> key table used for decryption.
 * Every buffer is stored together with its length in bytes.
 *
 * NOTE(review): these rows hold live session secrets. Presumably they are
 * persisted wherever the table is saved; treat that file, and any profile
 * or capture bundle that includes it, as sensitive.
 */
typedef struct _smb2_seskey_field_t {
	/* Session ID, in wire (little-endian) byte order - not necessarily host order. */
	unsigned char *id;
	unsigned id_len;

	/* Session key. */
	unsigned char *seskey;
	unsigned seskey_len;

	/* Server-to-client key. */
	unsigned char *s2ckey;
	unsigned s2ckey_len;

	/* Client-to-server key. */
	unsigned char *c2skey;
	unsigned c2skey_len;
} smb2_seskey_field_t;

/* The table rows and how many of them there are. */
static smb2_seskey_field_t *seskey_list;
static unsigned num_seskey_list;

static const int8_t zeros[NTLMSSP_KEY_LEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

/* Per-column buffer callbacks for the SessionID <=> key table. */
UAT_BUFFER_CB_DEF(seskey_list, id, smb2_seskey_field_t, id, id_len)
UAT_BUFFER_CB_DEF(seskey_list, seskey, smb2_seskey_field_t, seskey, seskey_len)
UAT_BUFFER_CB_DEF(seskey_list, s2ckey, smb2_seskey_field_t, s2ckey, s2ckey_len)
UAT_BUFFER_CB_DEF(seskey_list, c2skey, smb2_seskey_field_t, c2skey, c2skey_len)

/* Length in bytes of a session ID as entered in the table. */
#define SMB_SESSION_ID_SIZE 8
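/*
 * Validate one SessionID <=> key record before it is accepted.
 *
 * r    the smb2_seskey_field_t to check.
 * err  set to NULL on success, otherwise to a newly allocated message.
 *
 * Returns true when the record is usable. Checks, in order:
 *   - the session ID is exactly SMB_SESSION_ID_SIZE bytes;
 *   - a session key or at least one directional AES key is present;
 *   - the session key is at most NTLMSSP_KEY_LEN bytes;
 *   - each directional key that is present is AES_KEY_SIZE or
 *     AES_KEY_SIZE*2 bytes long.
 *
 * These length checks are what later lets the lookup code copy the buffers
 * with fixed-size memcmp()/memcpy() calls, so they must not be loosened
 * without revisiting those callers.
 */
static bool seskey_list_update_cb(void *r, char **err)
{
	smb2_seskey_field_t *rec = (smb2_seskey_field_t *)r;
	bool has_seskey = rec->seskey_len != 0;
	bool has_s2ckey = rec->s2ckey_len != 0;
	bool has_c2skey = rec->c2skey_len != 0;

	*err = NULL;

	if (rec->id_len != SMB_SESSION_ID_SIZE) {
		*err = g_strdup("Session ID must be " G_STRINGIFY(SMB_SESSION_ID_SIZE) " bytes long and in hexadecimal");
		return false;
	}

	if (!has_seskey && !(has_c2skey || has_s2ckey)) {
		*err = g_strdup("Decryption requires either the Session Key or at least one of the client-server AES keys");
		return false;
	}

	if (rec->seskey_len > NTLMSSP_KEY_LEN) {
		*err = g_strdup("Session Key must be a hexadecimal string representing at most " G_STRINGIFY(NTLMSSP_KEY_LEN) " bytes");
		return false;
	}

	/*
	 * The two messages below used G_STRINGIFY(AES_KEY_SIZE*2), which
	 * stringifies the expression itself ("<size>*2") instead of its
	 * value, and they ended without a unit. Format the numbers at run
	 * time so the user sees the two accepted byte counts.
	 */
	if (has_s2ckey && ((rec->s2ckey_len != AES_KEY_SIZE) && (rec->s2ckey_len != AES_KEY_SIZE*2))) {
		*err = g_strdup_printf("Server-to-Client key must be a hexadecimal string representing %u or %u bytes",
				       (unsigned)AES_KEY_SIZE, (unsigned)(AES_KEY_SIZE*2));
		return false;
	}

	if (has_c2skey && ((rec->c2skey_len != AES_KEY_SIZE) && (rec->c2skey_len != AES_KEY_SIZE*2))) {
		*err = g_strdup_printf("Client-to-Server key must be a hexadecimal string representing %u or %u bytes",
				       (unsigned)AES_KEY_SIZE, (unsigned)(AES_KEY_SIZE*2));
		return false;
	}

	return true;
}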
/*
 * Deep-copy one SessionID <=> key record.
 *
 * n  destination record (caller-provided storage).
 * o  source record.
 *
 * Each non-NULL buffer is duplicated with its recorded length, so the copy
 * owns its own heap memory; a NULL source buffer stays NULL. Returns n.
 */
static void* seskey_list_copy_cb(void *n, const void *o, size_t siz _U_)
{
	const smb2_seskey_field_t *src = (const smb2_seskey_field_t *)o;
	smb2_seskey_field_t *dst = (smb2_seskey_field_t *)n;

	dst->id_len = src->id_len;
	dst->id = NULL;
	if (src->id) {
		dst->id = (unsigned char *)g_memdup2(src->id, src->id_len);
	}

	dst->seskey_len = src->seskey_len;
	dst->seskey = NULL;
	if (src->seskey) {
		dst->seskey = (unsigned char *)g_memdup2(src->seskey, src->seskey_len);
	}

	dst->s2ckey_len = src->s2ckey_len;
	dst->s2ckey = NULL;
	if (src->s2ckey) {
		dst->s2ckey = (unsigned char *)g_memdup2(src->s2ckey, src->s2ckey_len);
	}

	dst->c2skey_len = src->c2skey_len;
	dst->c2skey = NULL;
	if (src->c2skey) {
		dst->c2skey = (unsigned char *)g_memdup2(src->c2skey, src->c2skey_len);
	}

	return dst;
}
/*
 * Release the four buffers owned by one SessionID <=> key record.
 * The record itself is not freed here.
 *
 * NOTE(review): the key bytes are handed back to the allocator without
 * being wiped first, so they can linger in freed heap memory.
 */
static void seskey_list_free_cb(void *r)
{
	smb2_seskey_field_t *entry = (smb2_seskey_field_t *)r;
	unsigned char *owned[] = { entry->id, entry->seskey, entry->s2ckey, entry->c2skey };
	size_t n;

	for (n = 0; n < sizeof owned / sizeof owned[0]; n++) {
		g_free(owned[n]);
	}
}
/*
 * Look up the user-supplied keys for a session ID.
 *
 * sesid           session ID in host byte order.
 * out_seskey      receives the session key; must hold NTLMSSP_KEY_LEN*2 bytes.
 * out_seskey_len  receives the session key length, 0 if none was copied.
 * out_s2ckey16    receives a server-to-client key of AES_KEY_SIZE bytes.
 * out_c2skey16    receives a client-to-server key of AES_KEY_SIZE bytes.
 * out_s2ckey32    receives a server-to-client key of AES_KEY_SIZE*2 bytes.
 * out_c2skey32    receives a client-to-server key of AES_KEY_SIZE*2 bytes.
 *
 * Returns true on the first matching record. On a match every output is
 * zeroed first and then filled from the record; a directional key lands in
 * the 16 or the 32 variant according to its length, the other stays zero.
 * When nothing matches, false is returned and the outputs are not written.
 *
 * The buffer sizes above are what the memset() calls assume; the callers
 * are outside this chunk, so their buffers should be checked against them.
 * The record validation callback in this file limits seskey_len to
 * NTLMSSP_KEY_LEN, so the NTLMSSP_KEY_LEN*2 bound below is the looser of
 * the two.
 */
static bool seskey_find_sid_key(uint64_t sesid, uint8_t *out_seskey,
				unsigned *out_seskey_len,
				uint8_t *out_s2ckey16,
				uint8_t *out_c2skey16,
				uint8_t *out_s2ckey32,
				uint8_t *out_c2skey32)
{
	/*
	 * Session IDs in the table are octet arrays in little-endian order,
	 * as on the wire, already validated to be SMB_SESSION_ID_SIZE bytes
	 * long. They may not be suitably aligned, hence memcmp().
	 *
	 * The ID passed in is in host order, which is big-endian on e.g.
	 * s390/s390x, SPARC and most PowerPC systems, so it is converted to
	 * little-endian before the comparison.
	 */
	const uint64_t wire_id = GUINT64_TO_LE(sesid);
	unsigned idx;

	for (idx = 0; idx < num_seskey_list; idx++) {
		const smb2_seskey_field_t *entry = &seskey_list[idx];

		if (memcmp(&wire_id, entry->id, SMB_SESSION_ID_SIZE) != 0) {
			continue;
		}

		/* Start from all-zero outputs so unused slots read as empty. */
		*out_seskey_len = 0;
		memset(out_seskey, 0, NTLMSSP_KEY_LEN*2);
		memset(out_s2ckey16, 0, AES_KEY_SIZE);
		memset(out_c2skey16, 0, AES_KEY_SIZE);
		memset(out_s2ckey32, 0, AES_KEY_SIZE*2);
		memset(out_c2skey32, 0, AES_KEY_SIZE*2);

		if (entry->seskey_len > 0 && entry->seskey_len <= NTLMSSP_KEY_LEN*2) {
			memcpy(out_seskey, entry->seskey, entry->seskey_len);
			*out_seskey_len = entry->seskey_len;
		}

		/* Any other length leaves both variants zeroed. */
		if (entry->s2ckey_len == AES_KEY_SIZE) {
			memcpy(out_s2ckey16, entry->s2ckey, entry->s2ckey_len);
		} else if (entry->s2ckey_len == AES_KEY_SIZE*2) {
			memcpy(out_s2ckey32, entry->s2ckey, entry->s2ckey_len);
		}

		if (entry->c2skey_len == AES_KEY_SIZE) {
			memcpy(out_c2skey16, entry->c2skey, entry->c2skey_len);
		} else if (entry->c2skey_len == AES_KEY_SIZE*2) {
			memcpy(out_c2skey32, entry->c2skey, entry->c2skey_len);
		}

		return true;
	}

	return false;
}
1532 /* ExportObject preferences variable */
1533 bool eosmb2_take_name_as_fid = false ;
1535 /* unmatched smb_saved_info structures.
1536 For unmatched smb_saved_info structures we store the smb_saved_info
1537 structure using the msg_id field.
/**
 * Equality callback for unmatched smb2_saved_info_t entries.
 *
 * @param k1 first key, interpreted as a const smb2_saved_info_t *
 * @param k2 second key, interpreted as a const smb2_saved_info_t *
 * @return non-zero when both entries carry the same msg_id, 0 otherwise
 */
static int
smb2_saved_info_equal_unmatched(const void *k1, const void *k2)
{
	const smb2_saved_info_t *lhs = (const smb2_saved_info_t *)k1;
	const smb2_saved_info_t *rhs = (const smb2_saved_info_t *)k2;

	/* msg_id is the only field that takes part in the comparison. */
	return lhs->msg_id == rhs->msg_id;
}
/**
 * Hash callback for unmatched smb2_saved_info_t entries.
 *
 * @param k key, interpreted as a const smb2_saved_info_t *
 * @return the low 32 bits of msg_id
 *
 * NOTE(review): msg_id presumably comes from the captured packet, so
 * entries that differ only above bit 31 land in the same bucket; the
 * equality callback still tells them apart.
 */
static unsigned
smb2_saved_info_hash_unmatched(const void *k)
{
	const smb2_saved_info_t *entry = (const smb2_saved_info_t *)k;

	return (uint32_t)(entry->msg_id & 0xffffffff);
}
1556 /* matched smb_saved_info structures.
1557 For matched smb_saved_info structures we store the smb_saved_info
1558 structure using the msg_id field.
/**
 * Equality callback for matched smb2_saved_info_t entries.
 *
 * @param k1 first key, interpreted as a const smb2_saved_info_t *
 * @param k2 second key, interpreted as a const smb2_saved_info_t *
 * @return non-zero when both entries carry the same msg_id, 0 otherwise
 */
static int
smb2_saved_info_equal_matched(const void *k1, const void *k2)
{
	const smb2_saved_info_t *lhs = (const smb2_saved_info_t *)k1;
	const smb2_saved_info_t *rhs = (const smb2_saved_info_t *)k2;

	/* msg_id is the only field that takes part in the comparison. */
	return lhs->msg_id == rhs->msg_id;
}
/**
 * Hash callback for matched smb2_saved_info_t entries.
 *
 * @param k key, interpreted as a const smb2_saved_info_t *
 * @return the low 32 bits of msg_id
 */
static unsigned
smb2_saved_info_hash_matched(const void *k)
{
	const smb2_saved_info_t *entry = (const smb2_saved_info_t *)k;

	return (uint32_t)(entry->msg_id & 0xffffffff);
}
1577 /* For Tids of a specific conversation.
1578 This keeps track of tid->sharename mappings and other information about the
1579 tid.
1581 We might need to refine this if it occurs that tids are reused on a single
1582 conversation. we don't worry about that yet for simplicity
/**
 * Equality callback for smb2_tid_info_t entries.
 *
 * @param k1 first key, interpreted as a const smb2_tid_info_t *
 * @param k2 second key, interpreted as a const smb2_tid_info_t *
 * @return non-zero when both entries have the same tid, 0 otherwise
 */
static int
smb2_tid_info_equal(const void *k1, const void *k2)
{
	const smb2_tid_info_t *lhs = (const smb2_tid_info_t *)k1;
	const smb2_tid_info_t *rhs = (const smb2_tid_info_t *)k2;

	return lhs->tid == rhs->tid;
}
/**
 * Hash callback for smb2_tid_info_t entries.
 *
 * @param k key, interpreted as a const smb2_tid_info_t *
 * @return the tid itself, converted to uint32_t
 */
static unsigned
smb2_tid_info_hash(const void *k)
{
	const smb2_tid_info_t *entry = (const smb2_tid_info_t *)k;
	uint32_t tid_hash = entry->tid;

	return tid_hash;
}
1601 /* For Uids of a specific conversation.
1602 This keeps track of uid->acct_name mappings and other information about the
1603 uid.
1605 We might need to refine this if it occurs that uids are reused on a single
1606 conversation. we don't worry about that yet for simplicity
/**
 * Equality callback for smb2_sesid_info_t entries.
 *
 * @param k1 first key, interpreted as a const smb2_sesid_info_t *
 * @param k2 second key, interpreted as a const smb2_sesid_info_t *
 * @return non-zero when both entries have the same sesid, 0 otherwise
 */
static int
smb2_sesid_info_equal(const void *k1, const void *k2)
{
	const smb2_sesid_info_t *lhs = (const smb2_sesid_info_t *)k1;
	const smb2_sesid_info_t *rhs = (const smb2_sesid_info_t *)k2;

	return lhs->sesid == rhs->sesid;
}
/**
 * Hash callback for smb2_sesid_info_t entries.
 *
 * @param k key, interpreted as a const smb2_sesid_info_t *
 * @return the upper and lower 32-bit halves of sesid added together and
 *         truncated to 32 bits
 */
static unsigned
smb2_sesid_info_hash(const void *k)
{
	const smb2_sesid_info_t *entry = (const smb2_sesid_info_t *)k;

	/* Fold both halves of the session id into one 32-bit value. */
	return (uint32_t)( ((entry->sesid>>32)&0xffffffff) + ((entry->sesid)&0xffffffff) );
}
1626 * For File IDs of a specific conversation.
1627 * This keeps track of fid to name mapping and application level conversations
1628 * over named pipes.
1630 * This handles implementation bugs, where the fid_persistent is 0 or
1631 * the fid_persistent/fid_volatile is not unique per conversation.
/**
 * Equality callback for smb2_fid_info_t entries.
 *
 * One argument is treated as the lookup key (the one whose frame_key is
 * non-zero) and the other as the stored value. They match when the
 * persistent and volatile file ids, the session id and the tree id are all
 * equal and the lookup frame_key lies inside the stored
 * [frame_beg, frame_end] range.
 *
 * @param k1 first entry, interpreted as a const smb2_fid_info_t *
 * @param k2 second entry, interpreted as a const smb2_fid_info_t *
 * @return 1 on a match, 0 otherwise
 */
static int
smb2_fid_info_equal(const void *k1, const void *k2)
{
	const smb2_fid_info_t *lookup = (const smb2_fid_info_t *)k1;
	const smb2_fid_info_t *stored = (const smb2_fid_info_t *)k2;

	/* The callback may receive the two roles in either order: if k1 has
	 * no frame_key, take k2 as the lookup key instead. */
	if (!lookup->frame_key) {
		lookup = (const smb2_fid_info_t *)k2;
		stored = (const smb2_fid_info_t *)k1;
	}

	if (lookup->fid_persistent != stored->fid_persistent ||
	    lookup->fid_volatile != stored->fid_volatile ||
	    lookup->sesid != stored->sesid ||
	    lookup->tid != stored->tid) {
		return 0;
	}

	/* Same ids: the frame window decides, so a reused fid resolves to the
	 * entry that was open at the frame being looked up. */
	if (stored->frame_beg <= lookup->frame_key && lookup->frame_key <= stored->frame_end) {
		return 1;
	}

	return 0;
}
/**
 * Hash callback for smb2_fid_info_t entries.
 *
 * Folds the two 32-bit halves of fid_persistent together; when
 * fid_persistent is 0 the same folding is applied to fid_volatile instead.
 *
 * @param k key, interpreted as a const smb2_fid_info_t *
 * @return the folded 32-bit value
 */
static unsigned
smb2_fid_info_hash(const void *k)
{
	const smb2_fid_info_t *fid = (const smb2_fid_info_t *)k;

	if (fid->fid_persistent == 0) {
		return (uint32_t)( ((fid->fid_volatile>>32)&0xffffffff) + ((fid->fid_volatile)&0xffffffff) );
	}

	return (uint32_t)( ((fid->fid_persistent>>32)&0xffffffff) + ((fid->fid_persistent)&0xffffffff) );
}
1682 /* Callback for destroying the glib hash tables associated with a conversation
1683 * struct. */
/**
 * wmem callback that releases the two glib hash tables owned by a
 * conversation struct.
 *
 * @param allocator unused
 * @param event     unused
 * @param user_data the smb2_conv_info_t whose tables are destroyed
 * @return false, so that the callback is not invoked again for this
 *         conversation
 */
static bool
smb2_conv_destroy(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_,
		  void *user_data)
{
	smb2_conv_info_t *conv_info = (smb2_conv_info_t *)user_data;

	g_hash_table_destroy(conv_info->matched);
	g_hash_table_destroy(conv_info->unmatched);

	/* The conversation is gone; do not call us again for it. */
	return false;
}
/**
 * Look up the session record for a session id, creating it on first use.
 *
 * A new record is allocated in file scope, gets its tid/fid/file maps,
 * is offered any keys configured for this session id through
 * seskey_find_sid_key(), and is inserted into smb2_sessions.
 *
 * @param conv  unused
 * @param id    session id in host byte order
 * @param pinfo packet info, may be NULL
 * @param si    per-packet SMB2 state, may be NULL
 * @return the existing or newly created session record
 */
static smb2_sesid_info_t *
smb2_get_session(smb2_conv_info_t *conv _U_, uint64_t id, packet_info *pinfo, smb2_info_t *si)
{
	smb2_sesid_info_t lookup = {.sesid = id};
	smb2_sesid_info_t *session;

	session = (smb2_sesid_info_t *)wmem_map_lookup(smb2_sessions, &lookup);
	if (session) {
		return session;
	}

	session = wmem_new0(wmem_file_scope(), smb2_sesid_info_t);
	session->sesid = id;
	/* (uint32_t)-1 is the "no auth frame yet" marker tested by
	 * smb2_add_session_info(). */
	session->auth_frame = (uint32_t)-1;
	session->tids = wmem_map_new(wmem_file_scope(), smb2_tid_info_hash, smb2_tid_info_equal);
	session->fids = wmem_map_new(wmem_file_scope(), smb2_fid_info_hash, smb2_fid_info_equal);
	session->files = wmem_map_new(wmem_file_scope(), smb2_eo_files_hash, smb2_eo_files_equal);

	session->session_key_frame = UINT32_MAX;
	/* The result is not checked: when no configured entry matches, the
	 * key buffers keep the zeroes written by wmem_new0(). */
	seskey_find_sid_key(id,
			    session->session_key,
			    &session->session_key_len,
			    session->client_decryption_key16,
			    session->server_decryption_key16,
			    session->client_decryption_key32,
			    session->server_decryption_key32);

	if (pinfo && si) {
		if (session->session_key_len != 0) {
			session->session_key_frame = pinfo->num;
		}
		/* A response travels from the server, a request towards it. */
		if (si->flags & SMB2_FLAGS_RESPONSE) {
			session->server_port = pinfo->srcport;
		} else {
			session->server_port = pinfo->destport;
		}
	}

	/* The record doubles as its own key. */
	wmem_map_insert(smb2_sessions, session, session);

	return session;
}
/**
 * Add the known facts about a session (account, domain, host, auth frame)
 * to the protocol tree as generated items.
 *
 * @param ses_tree tree that receives the generated items
 * @param ses_item item whose text gets the " Acct:", " Domain:" and
 *                 " Host:" suffixes
 * @param tvb      buffer the zero-length items are attached to
 * @param start    offset the zero-length items are attached to
 * @param ses      session record; nothing is added when it is NULL
 */
static void
smb2_add_session_info(proto_tree *ses_tree, proto_item *ses_item, tvbuff_t *tvb, int start, smb2_sesid_info_t *ses)
{
	proto_item *generated;

	if (ses == NULL) {
		return;
	}

	/* The names are always passed as arguments to a fixed "%s" format,
	 * never as the format string itself. */
	if (ses->acct_name != NULL) {
		generated = proto_tree_add_string(ses_tree, hf_smb2_acct_name, tvb, start, 0, ses->acct_name);
		proto_item_set_generated(generated);
		proto_item_append_text(ses_item, " Acct:%s", ses->acct_name);
	}

	if (ses->domain_name != NULL) {
		generated = proto_tree_add_string(ses_tree, hf_smb2_domain_name, tvb, start, 0, ses->domain_name);
		proto_item_set_generated(generated);
		proto_item_append_text(ses_item, " Domain:%s", ses->domain_name);
	}

	if (ses->host_name != NULL) {
		generated = proto_tree_add_string(ses_tree, hf_smb2_host_name, tvb, start, 0, ses->host_name);
		proto_item_set_generated(generated);
		proto_item_append_text(ses_item, " Host:%s", ses->host_name);
	}

	/* (uint32_t)-1 means no authentication frame has been recorded. */
	if (ses->auth_frame != (uint32_t)-1) {
		generated = proto_tree_add_uint(ses_tree, hf_smb2_auth_frame, tvb, start, 0, ses->auth_frame);
		proto_item_set_generated(generated);
	}
}
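/**
 * Derive a key with a simplified version of
 * "NIST Special Publication 800-108" section 5.1 using hmac-sha256.
 *
 * The HMAC input is: a 32-bit big-endian counter fixed at 1, Label, one
 * zero byte, Context, and the output length in bits. Only one HMAC
 * iteration is run, so at most one SHA-256 digest of key material is
 * produced.
 *
 * @param KI          input key
 * @param KI_len      length of KI in bytes
 * @param Label       label bytes
 * @param Label_len   length of Label in bytes
 * @param Context     context bytes
 * @param Context_len length of Context in bytes
 * @param KO          output buffer, at least KO_len bytes
 * @param KO_len      number of output bytes wanted
 *
 * On any libgcrypt failure KO is left untouched and nothing is reported.
 */
static void smb2_key_derivation(const uint8_t *KI, uint32_t KI_len,
			 const uint8_t *Label, uint32_t Label_len,
			 const uint8_t *Context, uint32_t Context_len,
			 uint8_t *KO, uint32_t KO_len)
{
	gcry_md_hd_t   hd = NULL;
	uint8_t        buf[4];
	const uint8_t *digest = NULL;
	uint32_t       L;
	uint32_t       digest_len;
	uint32_t       copy_len;

	/* XXX This routine should indicate a success/failure indication, so that the failure of gcry_md_open()
	 * can be reported to the caller.
	 */
	if (gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC) != 0)
		return;

	/* Without a key the digest would not be an HMAC of KI; treat a
	 * setkey failure like an open failure. */
	if (gcry_md_setkey(hd, KI, KI_len) != 0) {
		gcry_md_close(hd);
		return;
	}

	/* counter i = 1, big-endian */
	memset(buf, 0, sizeof(buf));
	buf[3] = 1;
	gcry_md_write(hd, buf, sizeof(buf));
	gcry_md_write(hd, Label, Label_len);
	/* buf[0] is still zero: the single separator byte */
	gcry_md_write(hd, buf, 1);
	gcry_md_write(hd, Context, Context_len);
	/* output length in bits; only the two low-order bytes are encoded */
	L = KO_len * 8;
	memset(buf, 0, sizeof(buf));
	buf[3] = ((L) >> (0)) & 0xff;
	buf[2] = ((L) >> (8)) & 0xff;
	gcry_md_write(hd, buf, sizeof(buf));

	digest = gcry_md_read(hd, GCRY_MD_SHA256);
	digest_len = gcry_md_get_algo_dlen(GCRY_MD_SHA256);

	if (digest != NULL) {
		/* Never read past the digest: a KO_len larger than one
		 * SHA-256 output gets the digest followed by zeroes. */
		copy_len = MIN(KO_len, digest_len);
		memcpy(KO, digest, copy_len);
		if (KO_len > copy_len) {
			memset(KO + copy_len, 0, KO_len - copy_len);
		}
	}

	gcry_md_close(hd);
}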
1808 /* for export-object-smb2 */
/**
 * Render the uuid of a policy handle as a string; used as the file id for
 * export-object-smb2.
 *
 * @param pool allocator the string is allocated from
 * @param hnd  policy handle whose uuid is rendered
 * @return the string produced by guid_to_str()
 */
static char *
policy_hnd_to_file_id(wmem_allocator_t *pool, const e_ctx_hnd *hnd)
{
	return guid_to_str(pool, &hnd->uuid);
}
/**
 * Hash callback for maps keyed by e_ctx_hnd: hashes the string form of the
 * handle's uuid.
 *
 * @param k key, interpreted as a const e_ctx_hnd *
 * @return g_str_hash() of the uuid string
 */
static unsigned
smb2_eo_files_hash(const void *k)
{
	const e_ctx_hnd *hnd = (const e_ctx_hnd *)k;
	/* The temporary string is allocated in packet scope on every call. */
	const char *uuid_text = policy_hnd_to_file_id(wmem_packet_scope(), hnd);

	return g_str_hash(uuid_text);
}
/**
 * Equality callback for maps keyed by e_ctx_hnd: compares the uuid of both
 * handles field by field (data1, data2, data3 and data4[0..7]).
 *
 * @param k1 first key, interpreted as a const e_ctx_hnd *
 * @param k2 second key, interpreted as a const e_ctx_hnd *
 * @return 1 when every uuid field is equal, 0 otherwise
 */
static int
smb2_eo_files_equal(const void *k1, const void *k2)
{
	const e_ctx_hnd *lhs = (const e_ctx_hnd *)k1;
	const e_ctx_hnd *rhs = (const e_ctx_hnd *)k2;
	unsigned idx;

	if (lhs->uuid.data1 != rhs->uuid.data1 ||
	    lhs->uuid.data2 != rhs->uuid.data2 ||
	    lhs->uuid.data3 != rhs->uuid.data3) {
		return 0;
	}

	for (idx = 0; idx < 8; idx++) {
		if (lhs->uuid.data4[idx] != rhs->uuid.data4[idx]) {
			return 0;
		}
	}

	return 1;
}
/**
 * Build an smb_eo_t record for one chunk of file data and queue it on the
 * export-object tap (smb2_eo_tap).
 *
 * @param tvb         buffer holding the SMB2 PDU
 * @param pinfo       packet info; all allocations use pinfo->pool
 * @param si          per-packet SMB2 state; si->saved and
 *                    si->eo_file_info are dereferenced unconditionally
 * @param dataoffset  offset of the payload inside tvb
 * @param length      payload length in bytes
 * @param file_offset offset of this chunk inside the file
 *
 * NOTE(review): the file name and share name placed in the record appear
 * to originate from the capture; a tap listener that writes files should
 * treat them as untrusted input and sanitise them before building a path
 * - confirm against the listener.
 */
static void
feed_eo_smb2(tvbuff_t * tvb,packet_info *pinfo,smb2_info_t * si, uint16_t dataoffset,uint32_t length, uint64_t file_offset)
{
	char      *handle_name = NULL;
	uint32_t   first_frame = 0, last_frame = 0;
	tvbuff_t  *payload_tvb = NULL;
	smb_eo_t  *eo;
	char      *file_id;

	/* Sub-buffer that covers only the payload data */
	payload_tvb = tvb_new_subset_length(tvb, dataoffset, length);

	/* Record handed to the tap listener */
	eo = wmem_new(pinfo->pool, smb_eo_t);
	eo->smbversion = 2;
	/* cmd == opcode */
	eo->cmd = si->opcode;
	/* We don't keep track of uid in SMB v2 */
	eo->uid = 0;

	/* Try to get file id and filename */
	file_id = policy_hnd_to_file_id(pinfo->pool, &si->saved->policy_hnd);
	dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &handle_name, NULL, &first_frame, &last_frame, pinfo->num);

	if (!handle_name || g_strcmp0(handle_name, "File: ") == 0) {
		/* No usable name: fall back to one built from the file id */
		eo->filename = wmem_strdup_printf(pinfo->pool, "File_Id_%s", file_id);
	} else if (g_str_has_prefix(handle_name, "File: ")) {
		/* Remove "File: " from filename. Splitting on the marker and
		 * keeping the last piece also drops anything before a later
		 * occurrence of "File: " inside the name. */
		char **pieces = g_strsplit(handle_name, "File: ", -1);

		eo->filename = wmem_strdup_printf(pinfo->pool, "\\%s",pieces[g_strv_length(pieces)-1]);
		g_strfreev(pieces);
	} else if (g_str_has_prefix(handle_name, "\\")) {
		eo->filename = wmem_strdup(pinfo->pool, handle_name);
	} else {
		eo->filename = wmem_strdup_printf(pinfo->pool, "\\%s",handle_name);
	}

	/* The preference selects what the fid is derived from */
	if (eosmb2_take_name_as_fid) {
		eo->fid = g_str_hash(eo->filename);
	} else {
		eo->fid = g_str_hash(file_id);
	}

	/* tid, hostname, tree_id */
	if (!si->tree) {
		eo->tid = 0;
		eo->hostname = wmem_strdup_printf(pinfo->pool, "\\\\%s\\TREEID_UNKNOWN",tree_ip_str(pinfo,si->opcode));
	} else {
		size_t share_len;

		eo->tid = si->tree->tid;
		share_len = strlen(si->tree->name);
		if (share_len > 0 && share_len <= 256) {
			eo->hostname = wmem_strdup(pinfo->pool, si->tree->name);
		} else {
			eo->hostname = wmem_strdup_printf(pinfo->pool, "\\\\%s\\TREEID_%i",tree_ip_str(pinfo,si->opcode),si->tree->tid);
		}
	}

	/* packet number */
	eo->pkt_num = pinfo->num;

	/* fid type */
	if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
		eo->fid_type = SMB2_FID_TYPE_DIR;
	} else if (si->eo_file_info->attr_mask &
		   (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
		    SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
		    SMB2_FLAGS_ATTR_SYSTEM) ) {
		eo->fid_type = SMB2_FID_TYPE_FILE;
	} else {
		eo->fid_type = SMB2_FID_TYPE_OTHER;
	}

	/* end_of_file */
	eo->end_of_file = si->eo_file_info->end_of_file;

	/* data offset and chunk length */
	eo->smb_file_offset = file_offset;
	eo->smb_chunk_len = length;
	/* XXX is this right? */
	if (length < si->saved->bytes_moved) {
		si->saved->file_offset = si->saved->file_offset + length;
		si->saved->bytes_moved = si->saved->bytes_moved - length;
	}

	/* Payload: the pointer refers to the data of payload_tvb itself */
	eo->payload_len = length;
	eo->payload_data = tvb_get_ptr(payload_tvb, 0, length);

	tap_queue_packet(smb2_eo_tap, pinfo, eo);
}
1937 static int dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
1940 /* This is a helper to dissect the common string type
1941 * uint16 offset
1942 * uint16 length
1943 * ...
1944 * char *string
1946 * This function is called twice, first to decode the offset/length and
1947 * second time to dissect the actual string.
1948 * It is done this way since there is no guarantee that we have the full packet and we don't
1949 * want to abort dissection too early if the packet ends somewhere between the
1950 * length/offset and the actual buffer.
/*
 * Wire layouts of an offset/length pair. O = offset field, S = size
 * (length) field, P = padding byte; the suffix is the field width and the
 * order of the letters is the order on the wire.
 */
enum offset_length_buffer_offset_size {
	OLB_O_UINT16_S_UINT16,		/* 2-byte offset, 2-byte length */
	OLB_O_UINT16_S_UINT32,		/* 2-byte offset, 4-byte length */
	OLB_O_UINT8_P_UINT8_S_UINT32,	/* 1-byte offset, 1 reserved byte, 4-byte length */
	OLB_O_UINT32_S_UINT32,		/* 4-byte offset, 4-byte length */
	OLB_S_UINT32_O_UINT32		/* 4-byte length, 4-byte offset */
};

/* One decoded offset/length pair plus what is needed to display it later. */
typedef struct _offset_length_buffer_t {
	uint32_t off;		/* offset value read from the packet */
	uint32_t len;		/* length value read from the packet */
	int off_offset;		/* where the offset field itself sits */
	int len_offset;		/* where the length field itself sits */
	enum offset_length_buffer_offset_size offset_size;	/* wire layout */
	int hfindex;		/* header field used for the buffer item */
} offset_length_buffer_t;
/**
 * First pass over an offset/length pair: read both values into olb and
 * remember where each field sits, without touching the buffer they
 * describe.
 *
 * @param tvb         buffer to read from
 * @param offset      position of the first field of the pair
 * @param olb         receives off, len, off_offset, len_offset,
 *                    offset_size and hfindex
 * @param offset_size wire layout of the pair
 * @param hfindex     header field to use when the buffer is displayed
 * @return the offset just past the pair; unchanged for a layout that is
 *         not handled by the switch
 */
static int
dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
			       enum offset_length_buffer_offset_size offset_size, int hfindex)
{
	int cur = offset;

	olb->hfindex = hfindex;
	olb->offset_size = offset_size;

	switch (offset_size) {
	case OLB_O_UINT16_S_UINT16:
		olb->off = tvb_get_letohs(tvb, cur);
		olb->off_offset = cur;
		cur += 2;
		olb->len = tvb_get_letohs(tvb, cur);
		olb->len_offset = cur;
		cur += 2;
		break;
	case OLB_O_UINT16_S_UINT32:
		olb->off = tvb_get_letohs(tvb, cur);
		olb->off_offset = cur;
		cur += 2;
		olb->len = tvb_get_letohl(tvb, cur);
		olb->len_offset = cur;
		cur += 4;
		break;
	case OLB_O_UINT8_P_UINT8_S_UINT32:
		olb->off = tvb_get_uint8(tvb, cur);
		olb->off_offset = cur;
		cur += 1;
		/* 1 byte reserved */
		cur += 1;
		olb->len = tvb_get_letohl(tvb, cur);
		olb->len_offset = cur;
		cur += 4;
		break;
	case OLB_O_UINT32_S_UINT32:
		olb->off = tvb_get_letohl(tvb, cur);
		olb->off_offset = cur;
		cur += 4;
		olb->len = tvb_get_letohl(tvb, cur);
		olb->len_offset = cur;
		cur += 4;
		break;
	case OLB_S_UINT32_O_UINT32:
		/* the only layout with the length first */
		olb->len = tvb_get_letohl(tvb, cur);
		olb->len_offset = cur;
		cur += 4;
		olb->off = tvb_get_letohl(tvb, cur);
		olb->off_offset = cur;
		cur += 4;
		break;
	}

	return cur;
}
2022 #define OLB_TYPE_UNICODE_STRING 0x01
2023 #define OLB_TYPE_ASCII_STRING 0x02
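/**
 * Second pass over an offset/length pair that describes a string: add the
 * string to the tree and return it.
 *
 * @param pinfo       packet info; the returned string lives in pinfo->pool
 * @param parent_tree tree that receives the string item
 * @param tvb         buffer the offset is relative to
 * @param olb         pair filled in by dissect_smb2_olb_length_offset();
 *                    base is added to olb->off in place, so a second call
 *                    on the same olb adds it again
 * @param base        value added to the offset before it is used
 * @param type        OLB_TYPE_UNICODE_STRING or OLB_TYPE_ASCII_STRING; any
 *                    other value adds no string item
 * @return the decoded string, or NULL when the offset/length is rejected
 *         or the type is not one of the two above
 *
 * tvb_ensure_bytes_exist() throws when the described bytes are not in the
 * buffer.
 */
static const uint8_t *
dissect_smb2_olb_off_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int base, int type)
{
	int         len, off;
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	const uint8_t *name = NULL;

	olb->off += base;

	/* off and len are 32-bit values taken from the packet. Reject
	 * anything that does not fit a non-negative int before converting:
	 * a negative offset may be taken by the tvbuff API as relative to
	 * the end of the buffer instead of being refused. */
	if (olb->off > (uint32_t)G_MAXINT || olb->len > (uint32_t)G_MAXINT) {
		proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, 0, 0,
				    "Invalid offset/length. Malformed packet");

		col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");

		return NULL;
	}

	len = (int)olb->len;
	off = (int)olb->off;

	/* sanity check */
	tvb_ensure_bytes_exist(tvb, off, len);
	if (((off+len)<off)
	|| ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
		/* Attach to parent_tree: the local subtree does not exist
		 * yet at this point. */
		proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, off, -1,
				    "Invalid offset/length. Malformed packet");

		col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");

		return NULL;
	}

	switch (type) {
	case OLB_TYPE_UNICODE_STRING:
		item = proto_tree_add_item_ret_string(parent_tree,
		    olb->hfindex, tvb, off, len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
		    pinfo->pool, &name);
		tree = proto_item_add_subtree(item, ett_smb2_olb);
		break;
	case OLB_TYPE_ASCII_STRING:
		item = proto_tree_add_item_ret_string(parent_tree,
		    olb->hfindex, tvb, off, len, ENC_ASCII|ENC_NA,
		    pinfo->pool, &name);
		tree = proto_item_add_subtree(item, ett_smb2_olb);
		break;
	}

	/* Show the offset and length fields themselves under the string,
	 * using the widths of the wire layout. */
	switch (olb->offset_size) {
	case OLB_O_UINT16_S_UINT16:
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT16_S_UINT32:
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT8_P_UINT8_S_UINT32:
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 1, ENC_NA);
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, olb->off_offset+1, 1, ENC_NA);
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT32_S_UINT32:
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_S_UINT32_O_UINT32:
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	}

	return name;
}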
/**
 * Dissect the string described by an offset/length pair, with the offset
 * used as is (base 0).
 *
 * @param pinfo       packet info
 * @param parent_tree tree that receives the string item
 * @param tvb         buffer the offset is relative to
 * @param olb         pair filled in by dissect_smb2_olb_length_offset()
 * @param type        OLB_TYPE_UNICODE_STRING or OLB_TYPE_ASCII_STRING
 * @return whatever dissect_smb2_olb_off_string() returns
 */
static const uint8_t *
dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
{
	const int no_base = 0;

	return dissect_smb2_olb_off_string(pinfo, parent_tree, tvb, olb, no_base, type);
}
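/**
 * Second pass over an offset/length pair that describes an opaque buffer:
 * show the offset and length fields, add an item for the buffer and hand
 * the buffer to a sub-dissector.
 *
 * @param pinfo       packet info
 * @param parent_tree tree that receives the items
 * @param tvb         buffer the offset is relative to
 * @param olb         pair filled in by dissect_smb2_olb_length_offset();
 *                    an hfindex of -1 means no separate subtree is made
 * @param si          per-packet SMB2 state, passed through to dissector
 * @param dissector   callback for the buffer contents, may be NULL
 *
 * tvb_ensure_bytes_exist() throws when the described bytes are not in the
 * buffer.
 */
static void
dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
			offset_length_buffer_t *olb, smb2_info_t *si,
			void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
{
	int         len, off;
	proto_item *sub_item = NULL;
	proto_tree *sub_tree = NULL;
	tvbuff_t   *sub_tvb = NULL;

	/* off and len are 32-bit values taken from the packet. Reject
	 * anything that does not fit a non-negative int before converting:
	 * a negative offset may be taken by the tvbuff API as relative to
	 * the end of the buffer instead of being refused. */
	if (olb->off > (uint32_t)G_MAXINT || olb->len > (uint32_t)G_MAXINT) {
		proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, 0, 0,
				    "Invalid offset/length. Malformed packet");

		col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");

		return;
	}

	len = (int)olb->len;
	off = (int)olb->off;

	/* sanity check */
	tvb_ensure_bytes_exist(tvb, off, len);
	if (((off+len)<off)
	    || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
		proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, off, -1,
				    "Invalid offset/length. Malformed packet");

		col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");

		return;
	}

	/* Show the offset and length fields themselves, using the widths
	 * of the wire layout. */
	switch (olb->offset_size) {
	case OLB_O_UINT16_S_UINT16:
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT16_S_UINT32:
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT8_P_UINT8_S_UINT32:
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 1, ENC_NA);
		proto_tree_add_item(parent_tree, hf_smb2_reserved, tvb, olb->off_offset+1, 1, ENC_NA);
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT32_S_UINT32:
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_S_UINT32_O_UINT32:
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	}

	/* if we don't want/need a subtree */
	if (olb->hfindex == -1) {
		sub_item = parent_tree;
		sub_tree = parent_tree;
	} else {
		if (parent_tree) {
			sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, off, len, ENC_NA);
			sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
		}
	}

	if (off == 0 || len == 0) {
		proto_item_append_text(sub_item, ": NO DATA");
		return;
	}

	if (!dissector) {
		return;
	}

	/* Captured length is capped at what the capture holds; the reported
	 * length stays the value from the packet. */
	sub_tvb = tvb_new_subset_length_caplen(tvb, off, MIN((int)len, tvb_captured_length_remaining(tvb, off)), len);

	dissector(sub_tvb, pinfo, sub_tree, si);
}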
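/**
 * Return the larger of the current offset and the end of the buffer
 * described by an offset/length pair.
 *
 * @param offset current offset
 * @param olb    pair filled in by dissect_smb2_olb_length_offset()
 * @return offset when olb->off is 0 or when off + len does not fit an
 *         int, otherwise MAX(offset, off + len)
 */
static int
dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
{
	uint64_t end;

	if (olb->off == 0) {
		return offset;
	}

	/* off and len come from the packet: add them in 64 bits so the sum
	 * cannot wrap around to a small value, and ignore a pair whose end
	 * cannot be expressed as an int offset. */
	end = (uint64_t)olb->off + (uint64_t)olb->len;
	if (end > (uint64_t)G_MAXINT) {
		return offset;
	}

	return MAX(offset, (int)end);
}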
/* Pair of dissector callbacks with the same signature: one for the request
 * and one for the response. */
typedef struct _smb2_function {
	int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
	int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
} smb2_function;
/*
 * Display strings for single-bit fields. In every table the first string
 * is shown when the bit is set and the second when it is clear.
 */
static const true_false_string tfs_smb2_svhdx_has_initiator_id = {
	"Has an initiator id",
	"Does not have an initiator id"
};

/* Header flag bits */
static const true_false_string tfs_flags_response = {
	"This is a RESPONSE",
	"This is a REQUEST"
};

static const true_false_string tfs_flags_async_cmd = {
	"This is an ASYNC command",
	"This is a SYNC command"
};

static const true_false_string tfs_flags_dfs_op = {
	"This is a DFS OPERATION",
	"This is a normal operation"
};

static const true_false_string tfs_flags_chained = {
	"This pdu is a CHAINED command",
	"This pdu is NOT a chained command"
};

static const true_false_string tfs_flags_signature = {
	"This pdu is SIGNED",
	"This pdu is NOT signed"
};

static const true_false_string tfs_flags_replay_operation = {
	"This is a REPLAY OPERATION",
	"This is NOT a replay operation"
};

static const true_false_string tfs_flags_priority_mask = {
	"This pdu contains a PRIORITY",
	"This pdu does NOT contain a PRIORITY"
};

/* Capability bits */
static const true_false_string tfs_cap_dfs = {
	"This host supports DFS",
	"This host does NOT support DFS"
};

static const true_false_string tfs_cap_leasing = {
	"This host supports LEASING",
	"This host does NOT support LEASING"
};

static const true_false_string tfs_cap_large_mtu = {
	"This host supports LARGE_MTU",
	"This host does NOT support LARGE_MTU"
};

static const true_false_string tfs_cap_multi_channel = {
	"This host supports MULTI CHANNEL",
	"This host does NOT support MULTI CHANNEL"
};

static const true_false_string tfs_cap_persistent_handles = {
	"This host supports PERSISTENT HANDLES",
	"This host does NOT support PERSISTENT HANDLES"
};

static const true_false_string tfs_cap_directory_leasing = {
	"This host supports DIRECTORY LEASING",
	"This host does NOT support DIRECTORY LEASING"
};

static const true_false_string tfs_cap_encryption = {
	"This host supports ENCRYPTION",
	"This host does NOT support ENCRYPTION"
};

static const true_false_string tfs_cap_notifications = {
	"This host supports receiving NOTIFICATIONS",
	"This host does NOT support receiving NOTIFICATIONS"
};

/* Network interface capability bits */
static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
	"This interface supports RSS",
	"This interface does not support RSS"
};

static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
	"This interface supports RDMA",
	"This interface does not support RDMA"
};
/* Value-to-name tables; each one ends with the { 0, NULL } terminator. */
static const value_string file_region_usage_vals[] = {
	{ 0x00000001, "FILE_REGION_USAGE_VALID_CACHED_DATA" },
	{ 0, NULL }
};

static const value_string originator_flags_vals[] = {
	{ 1, "SVHDX_ORIGINATOR_PVHDPARSER" },
	{ 4, "SVHDX_ORIGINATOR_VHDMP" },
	{ 0, NULL }
};

static const value_string compression_format_vals[] = {
	{ 0, "COMPRESSION_FORMAT_NONE" },
	{ 1, "COMPRESSION_FORMAT_DEFAULT" },
	{ 2, "COMPRESSION_FORMAT_LZNT1" },
	{ 0, NULL }
};

static const value_string checksum_algorithm_vals[] = {
	{ 0x0000, "CHECKSUM_TYPE_NONE" },
	{ 0x0002, "CHECKSUM_TYPE_CRC64" },
	{ 0xFFFF, "CHECKSUM_TYPE_UNCHANGED" },
	{ 0, NULL }
};
/*
 * Names of the ioctl/FSCTL function codes.
 * Note: All uncommented are "dissector not implemented".
 * The entries are listed in ascending numeric order; keep new entries in
 * order, since the table is wrapped in a value_string_ext below.
 */
static const value_string smb2_ioctl_vals[] = {
	{0x00060194, "FSCTL_DFS_GET_REFERRALS"},		/* dissector implemented */
	{0x000601B0, "FSCTL_DFS_GET_REFERRALS_EX"},
	{0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
	{0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
	{0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
	{0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
	{0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
	{0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
	{0x00090018, "FSCTL_LOCK_VOLUME"},
	{0x0009001C, "FSCTL_UNLOCK_VOLUME"},
	{0x00090020, "FSCTL_DISMOUNT_VOLUME"},
	{0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
	{0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
	{0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
	{0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
	{0x0009003C, "FSCTL_GET_COMPRESSION"},			/* dissector implemented */
	{0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
	{0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
	{0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
	{0x00090058, "FSCTL_QUERY_FAT_BPB"},
	{0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
	{0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
	{0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
	{0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
	{0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
	{0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
	{0x00090074, "FSCTL_MOVE_FILE"},
	{0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
	{0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
	{0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
	{0x00090087, "FSCTL_READ_PROPERTY_DATA"},
	{0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
	{0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
	{0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
	{0x0009009C, "FSCTL_GET_OBJECT_ID"},			/* dissector implemented */
	{0x000900A4, "FSCTL_SET_REPARSE_POINT"},		/* dissector implemented */
	{0x000900A8, "FSCTL_GET_REPARSE_POINT"},		/* dissector implemented */
	{0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"},		/* dissector implemented */
	{0x000900C4, "FSCTL_SET_SPARSE"},			/* dissector implemented */
	{0x000900D4, "FSCTL_SET_ENCRYPTION"},
	{0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
	{0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
	{0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
	{0x000900F0, "FSCTL_EXTEND_VOLUME"},
	{0x00090244, "FSCTL_CSV_TUNNEL_REQUEST"},
	{0x0009027C, "FSCTL_GET_INTEGRITY_INFORMATION"},
	{0x00090284, "FSCTL_QUERY_FILE_REGIONS"},		/* dissector implemented */
	{0x000902c8, "FSCTL_CSV_SYNC_TUNNEL_REQUEST"},
	{0x00090300, "FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT"},	/* dissector implemented */
	{0x00090304, "FSCTL_SVHDX_SYNC_TUNNEL_REQUEST"},	/* dissector implemented */
	{0x00090308, "FSCTL_SVHDX_SET_INITIATOR_INFORMATION"},
	{0x0009030C, "FSCTL_SET_EXTERNAL_BACKING"},
	{0x00090310, "FSCTL_GET_EXTERNAL_BACKING"},
	{0x00090314, "FSCTL_DELETE_EXTERNAL_BACKING"},
	{0x00090318, "FSCTL_ENUM_EXTERNAL_BACKING"},
	{0x0009031F, "FSCTL_ENUM_OVERLAY"},
	{0x00090350, "FSCTL_STORAGE_QOS_CONTROL"},		/* dissector implemented */
	{0x00090364, "FSCTL_SVHDX_ASYNC_TUNNEL_REQUEST"},	/* dissector implemented */
	{0x00090380, "FSCTL_SET_INTEGRITY_INFORMATION_EX"},	/* dissector implemented */
	{0x00090440, "FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT"},	/* dissector implemented */
	{0x000940B3, "FSCTL_ENUM_USN_DATA"},
	{0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
	{0x000940BB, "FSCTL_READ_USN_JOURNAL"},
	{0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"},		/* dissector implemented */
	{0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
	{0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
	{0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
	{0x00094264, "FSCTL_OFFLOAD_READ"},			/* dissector implemented */
	{0x00098098, "FSCTL_SET_OBJECT_ID"},			/* dissector implemented */
	{0x000980A0, "FSCTL_DELETE_OBJECT_ID"},			/* no data in/out */
	{0x000980A4, "FSCTL_SET_REPARSE_POINT"},
	{0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
	{0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"},		/* dissector implemented */
	{0x000980C8, "FSCTL_SET_ZERO_DATA"},			/* dissector implemented */
	{0x000980D0, "FSCTL_ENABLE_UPGRADE"},
	{0x00098208, "FSCTL_FILE_LEVEL_TRIM"},
	{0x00098268, "FSCTL_OFFLOAD_WRITE"},			/* dissector implemented */
	{0x0009C040, "FSCTL_SET_COMPRESSION"},			/* dissector implemented */
	{0x0009C280, "FSCTL_SET_INTEGRITY_INFORMATION"},	/* dissector implemented */
	{0x00110018, "FSCTL_PIPE_WAIT"},			/* dissector implemented */
	{0x0011400C, "FSCTL_PIPE_PEEK"},
	{0x0011C017, "FSCTL_PIPE_TRANSCEIVE"},			/* dissector implemented */
	{0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
	{0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"},		/* dissector implemented */
	{0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"},	/* dissector implemented */
	{0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"},	/* dissector implemented */
	{0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"},		/* dissector implemented */
	{0x00144064, "FSCTL_SRV_ENUMERATE_SNAPSHOTS"},		/* dissector implemented */
	{0x001440F2, "FSCTL_SRV_COPYCHUNK"},
	{0x001441bb, "FSCTL_SRV_READ_HASH"},
	{0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
	{ 0, NULL }
};
static value_string_ext smb2_ioctl_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_vals);
/*
 * Names of the device part of an ioctl function code; the caller looks
 * them up with the upper 16 bits of the function code. Entries are in
 * ascending numeric order.
 */
static const value_string smb2_ioctl_device_vals[] = {
	{ 0x0001, "BEEP" },
	{ 0x0002, "CD_ROM" },
	{ 0x0003, "CD_ROM_FILE_SYSTEM" },
	{ 0x0004, "CONTROLLER" },
	{ 0x0005, "DATALINK" },
	{ 0x0006, "DFS" },
	{ 0x0007, "DISK" },
	{ 0x0008, "DISK_FILE_SYSTEM" },
	{ 0x0009, "FILE_SYSTEM" },
	{ 0x000a, "INPORT_PORT" },
	{ 0x000b, "KEYBOARD" },
	{ 0x000c, "MAILSLOT" },
	{ 0x000d, "MIDI_IN" },
	{ 0x000e, "MIDI_OUT" },
	{ 0x000f, "MOUSE" },
	{ 0x0010, "MULTI_UNC_PROVIDER" },
	{ 0x0011, "NAMED_PIPE" },
	{ 0x0012, "NETWORK" },
	{ 0x0013, "NETWORK_BROWSER" },
	{ 0x0014, "NETWORK_FILE_SYSTEM" },
	{ 0x0015, "NULL" },
	{ 0x0016, "PARALLEL_PORT" },
	{ 0x0017, "PHYSICAL_NETCARD" },
	{ 0x0018, "PRINTER" },
	{ 0x0019, "SCANNER" },
	{ 0x001a, "SERIAL_MOUSE_PORT" },
	{ 0x001b, "SERIAL_PORT" },
	{ 0x001c, "SCREEN" },
	{ 0x001d, "SOUND" },
	{ 0x001e, "STREAMS" },
	{ 0x001f, "TAPE" },
	{ 0x0020, "TAPE_FILE_SYSTEM" },
	{ 0x0021, "TRANSPORT" },
	{ 0x0022, "UNKNOWN" },
	{ 0x0023, "VIDEO" },
	{ 0x0024, "VIRTUAL_DISK" },
	{ 0x0025, "WAVE_IN" },
	{ 0x0026, "WAVE_OUT" },
	{ 0x0027, "8042_PORT" },
	{ 0x0028, "NETWORK_REDIRECTOR" },
	{ 0x0029, "BATTERY" },
	{ 0x002a, "BUS_EXTENDER" },
	{ 0x002b, "MODEM" },
	{ 0x002c, "VDM" },
	{ 0x002d, "MASS_STORAGE" },
	{ 0x002e, "SMB" },
	{ 0x002f, "KS" },
	{ 0x0030, "CHANGER" },
	{ 0x0031, "SMARTCARD" },
	{ 0x0032, "ACPI" },
	{ 0x0033, "DVD" },
	{ 0x0034, "FULLSCREEN_VIDEO" },
	{ 0x0035, "DFS_FILE_SYSTEM" },
	{ 0x0036, "DFS_VOLUME" },
	{ 0x0037, "SERENUM" },
	{ 0x0038, "TERMSRV" },
	{ 0x0039, "KSEC" },
	{ 0, NULL }
};
static value_string_ext smb2_ioctl_device_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_device_vals);
/* Names for the access part of an ioctl function code. */
static const value_string smb2_ioctl_access_vals[] = {
	{ 0x00, "FILE_ANY_ACCESS" },
	{ 0x01, "FILE_READ_ACCESS" },
	{ 0x02, "FILE_WRITE_ACCESS" },
	{ 0x03, "FILE_READ_WRITE_ACCESS" },
	{ 0, NULL }
};

/* Names for the method part of an ioctl function code. */
static const value_string smb2_ioctl_method_vals[] = {
	{ 0x00, "METHOD_BUFFERED" },
	{ 0x01, "METHOD_IN_DIRECT" },
	{ 0x02, "METHOD_OUT_DIRECT" },
	{ 0x03, "METHOD_NEITHER" },
	{ 0, NULL }
};

/* Shared virtual disk support values. */
static const value_string smb2_ioctl_shared_virtual_disk_vals[] = {
	{ 0x01, "SharedVirtualDisksSupported" },
	{ 0x07, "SharedVirtualDiskCDPSnapshotsSupported" },
	{ 0, NULL }
};

/* Shared virtual disk handle state values. */
static const value_string smb2_ioctl_shared_virtual_disk_hstate_vals[] = {
	{ 0x00, "HandleStateNone" },
	{ 0x01, "HandleStateFileShared" },
	{ 0x03, "HandleStateShared" },
	{ 0, NULL }
};
2492 /* this is called from both smb and smb2. */
/*
 * Dissect the 4-byte little-endian ioctl function code at `offset`.
 *
 * The raw code is stored through `ioctlfunc` when that pointer is non-NULL.
 * A non-zero code is broken down into device / access / function / method
 * items under the hf_smb2_ioctl_function item, and the Info column gets
 * either the name from smb2_ioctl_vals_ext or, for codes that table does
 * not know, the device name plus the raw function number.
 *
 * Returns the offset just past the 4-byte code.
 */
int
dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, uint32_t *ioctlfunc)
{
	proto_tree *subtree = NULL;
	uint32_t code;

	if (parent_tree) {
		proto_item *ti = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		subtree = proto_item_add_subtree(ti, ett_smb2_ioctl_function);
	}

	code = tvb_get_letohl(tvb, offset);
	if (ioctlfunc) {
		*ioctlfunc = code;
	}

	/* A zero code gets no breakdown; only the top-level item is shown. */
	if (!code) {
		return offset + 4;
	}

	/*
	 * val_to_str_ext_const() hands back the fallback pointer itself when
	 * the value is not in the table, so a pointer comparison against the
	 * fallback tells a known code from an unknown one (a NULL fallback
	 * does not work with that helper).
	 */
	const char *fallback = "unknown";
	const char *code_name = val_to_str_ext_const(code, &smb2_ioctl_vals_ext, fallback);
	bool code_is_known = (code_name != fallback);

	if (code_is_known) {
		col_append_fstr(pinfo->cinfo, COL_INFO, " %s", code_name);
	}

	/* device: upper 16 bits of the code */
	proto_tree_add_item(subtree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	if (!code_is_known) {
		col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
			val_to_str_ext((code>>16)&0xffff, &smb2_ioctl_device_vals_ext,
			"Unknown (0x%08X)"));
	}

	/* access */
	proto_tree_add_item(subtree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);

	/* function: 12 bits starting at bit 2 */
	proto_tree_add_item(subtree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	if (!code_is_known) {
		col_append_fstr(pinfo->cinfo, COL_INFO, " Function:0x%04x",
			(code>>2)&0x0fff);
	}

	/* method */
	proto_tree_add_item(subtree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);

	return offset + 4;
}
/* fake the dce/rpc support structures so we can piggy back on
 * dissect_nt_policy_hnd() since this will allow us
 * a cheap way to track where FIDs are opened, closed
 * and fid->filename mappings
 * if we want to do those things in the future.
 *
 * The FID_MODE_* values select the branch taken in dissect_smb2_fid():
 * OPEN and CLOSE map to PIDL_POLHND_OPEN / PIDL_POLHND_CLOSE, while USE,
 * DHNQ and DHNC all map to PIDL_POLHND_USE.
 */
#define FID_MODE_OPEN 0	/* handle is being created; file info is recorded */
#define FID_MODE_CLOSE 1	/* handle is being closed; its last frame is recorded */
#define FID_MODE_USE 2	/* handle is referenced by an existing open */
#define FID_MODE_DHNQ 3	/* treated like FID_MODE_USE by dissect_smb2_fid() */
#define FID_MODE_DHNC 4	/* treated like FID_MODE_USE by dissect_smb2_fid() */
/*
 * Dissect the 16-byte SMB2 file id at `offset` and keep the per-session
 * bookkeeping that ties a file id to a file name and to its open/close frames.
 *
 * The id is displayed through dissect_nt_guid_hnd() using fake DCE/RPC
 * support structures.  `mode` is one of the FID_MODE_* values and selects
 * whether the handle is recorded as opened, closed or merely used.
 *
 * Side effects visible here: si->file, si->eo_file_info and, when si->saved
 * is set, si->saved->file / policy_hnd / fid_hash are updated; entries are
 * inserted into si->session->fids and si->session->files (file scope).
 *
 * All values read from the tvb are capture data and must be treated as
 * untrusted; names derived from them are only ever passed as "%s" arguments.
 *
 * NOTE(review): si and si->session are dereferenced without a NULL check;
 * presumably every caller guarantees both -- confirm.
 *
 * Returns the offset after the file id, as returned by dissect_nt_guid_hnd().
 */
static int
dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
{
	uint8_t drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
	static dcerpc_info di; /* fake dcerpc_info struct */
	static dcerpc_call_value call_data;
	e_ctx_hnd policy_hnd = {0, DCERPC_UUID_NULL};
	e_ctx_hnd *policy_hnd_hashtablekey;
	proto_item *hnd_item = NULL;
	char *fid_name;
	uint32_t open_frame = 0, close_frame = 0;
	smb2_eo_file_info_t *eo_file_info;
	smb2_fid_info_t sfi_key;
	smb2_fid_info_t *sfi = NULL;
	uint8_t buf[8];
	uint64_t pol_uuid;

	/* Build the lookup key: both 64-bit halves of the file id plus the
	 * session id, tree id and current frame number. */
	memset(&sfi_key, 0, sizeof(sfi_key));
	sfi_key.fid_persistent = tvb_get_letoh64(tvb, offset);
	sfi_key.fid_volatile = tvb_get_letoh64(tvb, offset+8);
	sfi_key.sesid = si->sesid;
	sfi_key.tid = si->tid;
	sfi_key.frame_key = pinfo->num;
	sfi_key.name = NULL;

	di.conformant_run = 0;
	/* we need di->call_data->flags.NDR64 == 0 */
	di.call_data = &call_data;

	/* No default case: any other mode value leaves offset and policy_hnd
	 * as they were initialised above. */
	switch (mode) {
	case FID_MODE_OPEN:
		offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, PIDL_POLHND_OPEN);
		/* State is only recorded on the first pass over the frame. */
		if (!pinfo->fd->visited) {
			sfi = wmem_new(wmem_file_scope(), smb2_fid_info_t);
			*sfi = sfi_key;
			sfi->frame_key = 0;
			sfi->frame_beg = si->saved ? si->saved->frame_req : pinfo->num;
			/* Open-ended until a close is seen (see FID_MODE_CLOSE). */
			sfi->frame_end = UINT32_MAX;

			/* The file name, when known, is carried in the saved request info. */
			if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
				sfi->name = wmem_strdup(wmem_file_scope(), (char *)si->saved->extra_info);
			} else {
				sfi->name = wmem_strdup_printf(wmem_file_scope(), "[unknown]");
			}

			if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
				fid_name = wmem_strdup_printf(wmem_file_scope(), "File: %s", (char *)si->saved->extra_info);
			} else {
				fid_name = wmem_strdup_printf(wmem_file_scope(), "File: ");
			}
			dcerpc_store_polhnd_name(&policy_hnd, pinfo,
						 fid_name);

			/* The entry serves as both key and value in the fids map. */
			wmem_map_insert(si->session->fids, sfi, sfi);
			si->file = sfi;

			/* If needed, create the file entry and save the policy hnd */
			if (si->saved) {
				si->saved->file = sfi;
				si->saved->policy_hnd = policy_hnd;
			}

			if (si->conv) {
				eo_file_info = (smb2_eo_file_info_t *)wmem_map_lookup(si->session->files,&policy_hnd);
				if (!eo_file_info) {
					/* First sighting of this handle: the map gets its own
					 * file-scoped copy of the key, since policy_hnd is a local. */
					eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
					policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
					memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
					eo_file_info->end_of_file=0;
					wmem_map_insert(si->session->files,policy_hnd_hashtablekey,eo_file_info);
				}
				si->eo_file_info=eo_file_info;
			}
		}
		break;
	case FID_MODE_CLOSE:
		if (!pinfo->fd->visited) {
			smb2_fid_info_t *fid = (smb2_fid_info_t *)wmem_map_lookup(si->session->fids, &sfi_key);
			if (fid) {
				/* set last frame */
				fid->frame_end = pinfo->num;
			}
		}
		offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, PIDL_POLHND_CLOSE);
		break;
	case FID_MODE_USE:
	case FID_MODE_DHNQ:
	case FID_MODE_DHNC:
		offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, PIDL_POLHND_USE);
		break;
	}

	/* Look the id up again (in every mode, on every pass) so the name can
	 * be shown on the handle item and in the Info column. */
	si->file = (smb2_fid_info_t *)wmem_map_lookup(si->session->fids, &sfi_key);
	if (si->file) {
		if (si->saved) {
			si->saved->file = si->file;
		}
		if (si->file->name) {
			if (hnd_item) {
				proto_item_append_text(hnd_item, " File: %s", si->file->name);
			}
			col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", si->file->name);
		}
	}

	if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
		/* look for the eo_file_info */
		if (!si->eo_file_info) {
			if (si->saved) { si->saved->policy_hnd = policy_hnd; }
			if (si->conv) {
				eo_file_info = (smb2_eo_file_info_t *)wmem_map_lookup(si->session->files,&policy_hnd);
				if (eo_file_info) {
					si->eo_file_info=eo_file_info;
				} else { /* XXX This should never happen */
					/* NOTE(review): unlike the FID_MODE_OPEN path, the new
					 * entry is inserted into the map but not stored in
					 * si->eo_file_info -- confirm that is intended. */
					eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
					policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
					memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
					eo_file_info->end_of_file=0;
					wmem_map_insert(si->session->files,policy_hnd_hashtablekey,eo_file_info);
				}
			}
		}
	}
	/* Calculate GUID (FID) hash
	 * This provides hash that can be filtered on to provide the SMB2 requests and responses
	 * associated with a given FID. Note that filtering instead on the FID only returns the CREATE
	 * response, and SMB2 requests but not their responses.
	 *
	 * The hash input is only the sum of uuid.data1, data2 and data3, written
	 * big-endian into 8 bytes and run through crc32_ccitt(), so distinct ids
	 * can share a hash: it is a display-filter convenience, not a unique or
	 * tamper-resistant identifier.  Ids whose data1 is 0 or 0xffffffff are
	 * skipped.
	 */
	if(!pinfo->fd->visited && si->saved
		&& policy_hnd.uuid.data1 > 0
		&& policy_hnd.uuid.data1 < 0xffffffff) {
		pol_uuid = policy_hnd.uuid.data1 + policy_hnd.uuid.data2 + policy_hnd.uuid.data3;
		for(int i = 0; i < 8; i++) {
			buf[i] = (pol_uuid >> (56 - i * 8)) & 0xFF;
		}
		si->saved->fid_hash = crc32_ccitt(buf, 8);
	}

	return offset;
}
/*
 * Single-bit masks for the 32-bit file attributes field.
 * NOTE(review): presumably the bit assignments of File Attributes,
 * section 2.6 in the [MS-FSCC] spec, and the masks used when the
 * hf_smb2_fscc_file_attr_* fields are registered -- the registration is
 * not visible here, confirm.
 */
#define SMB2_FSCC_FILE_ATTRIBUTE_READ_ONLY 0x00000001
#define SMB2_FSCC_FILE_ATTRIBUTE_HIDDEN 0x00000002
#define SMB2_FSCC_FILE_ATTRIBUTE_SYSTEM 0x00000004
#define SMB2_FSCC_FILE_ATTRIBUTE_DIRECTORY 0x00000010
#define SMB2_FSCC_FILE_ATTRIBUTE_ARCHIVE 0x00000020
#define SMB2_FSCC_FILE_ATTRIBUTE_NORMAL 0x00000080
#define SMB2_FSCC_FILE_ATTRIBUTE_TEMPORARY 0x00000100
#define SMB2_FSCC_FILE_ATTRIBUTE_SPARSE_FILE 0x00000200
#define SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT 0x00000400
#define SMB2_FSCC_FILE_ATTRIBUTE_COMPRESSED 0x00000800
#define SMB2_FSCC_FILE_ATTRIBUTE_OFFLINE 0x00001000
#define SMB2_FSCC_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
#define SMB2_FSCC_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
#define SMB2_FSCC_FILE_ATTRIBUTE_INTEGRITY_STREAM 0x00008000
#define SMB2_FSCC_FILE_ATTRIBUTE_NO_SCRUB_DATA 0x00020000
/*
 * Display strings for individual file-attribute bits.  In each table the
 * first string is shown when the bit is set and the second when it is clear.
 */

/* Reparse-point bit. */
static const true_false_string tfs_fscc_file_attribute_reparse = {
	"Has an associated REPARSE POINT",
	"Does NOT have an associated reparse point"
};
/* Compressed bit. */
static const true_false_string tfs_fscc_file_attribute_compressed = {
	"COMPRESSED",
	"Uncompressed"
};
/* Offline bit. */
static const true_false_string tfs_fscc_file_attribute_offline = {
	"OFFLINE",
	"Online"
};
/* Not-content-indexed bit; note the set state is the negative wording. */
static const true_false_string tfs_fscc_file_attribute_not_content_indexed = {
	"Is not indexed by the content indexing service",
	"Is indexed by the content indexing service"
};
/* Integrity-stream bit. */
static const true_false_string tfs_fscc_file_attribute_integrity_stream = {
	"Has Integrity Support",
	"Does NOT have Integrity Support"
};
/* No-scrub-data bit. */
static const true_false_string tfs_fscc_file_attribute_no_scrub_data = {
	"Is excluded from the data integrity scan",
	"Is not excluded from the data integrity scan"
};
2750 * File Attributes, section 2.6 in the [MS-FSCC] spec
/*
 * Dissect the 4-byte little-endian file attributes bitmask at `offset`.
 *
 * The bitmask is added under hf_smb2_fscc_file_attr with one sub-item per
 * known attribute bit (BMT_NO_APPEND: no flag names are appended to the
 * parent item text).  When `attr` is non-NULL the raw 32-bit value is
 * stored through it.
 *
 * Returns the offset just past the field.
 */
static int
dissect_fscc_file_attr(tvbuff_t* tvb, proto_tree* parent_tree, int offset, uint32_t* attr)
{
	static int* const attr_bits[] = {
		&hf_smb2_fscc_file_attr_read_only,
		&hf_smb2_fscc_file_attr_hidden,
		&hf_smb2_fscc_file_attr_system,
		&hf_smb2_fscc_file_attr_directory,
		&hf_smb2_fscc_file_attr_archive,
		&hf_smb2_fscc_file_attr_normal,
		&hf_smb2_fscc_file_attr_temporary,
		&hf_smb2_fscc_file_attr_sparse_file,
		&hf_smb2_fscc_file_attr_reparse_point,
		&hf_smb2_fscc_file_attr_compressed,
		&hf_smb2_fscc_file_attr_offline,
		&hf_smb2_fscc_file_attr_not_content_indexed,
		&hf_smb2_fscc_file_attr_encrypted,
		&hf_smb2_fscc_file_attr_integrity_stream,
		&hf_smb2_fscc_file_attr_no_scrub_data,
		NULL
	};
	const uint32_t attributes = tvb_get_letohl(tvb, offset);

	proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset, hf_smb2_fscc_file_attr, ett_smb2_fscc_file_attributes, attr_bits, attributes, BMT_NO_APPEND);

	if (attr) {
		*attr = attributes;
	}

	return offset + 4;
}
2785 /* this info level is unique to SMB2 and differs from the corresponding
2786 * SMB_FILE_ALL_INFO in SMB
/*
 * Dissect the SMB2 "file all info" level starting at `offset`.
 *
 * Fields are consumed strictly in wire order: four NT timestamps, the file
 * attributes, 4 unknown bytes, allocation size, end of file, link count,
 * delete-pending and is-directory flags, 2 bytes of padding, file id,
 * EA size, access mask, position, mode, alignment, and finally a file name
 * length followed by a UTF-16LE file name.
 *
 * NOTE(review): the file name length is displayed as a 4-byte field but
 * only its low 16 bits are read (tvb_get_letohs) and used as the name
 * length; a value above 0xffff would be dissected with a shortened name.
 *
 * Returns the offset after the last field consumed.
 */
static int
dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	static int * const mode_bits[] = {
		&hf_smb2_mode_file_write_through,
		&hf_smb2_mode_file_sequential_only,
		&hf_smb2_mode_file_no_intermediate_buffering,
		&hf_smb2_mode_file_synchronous_io_alert,
		&hf_smb2_mode_file_synchronous_io_nonalert,
		&hf_smb2_mode_file_delete_on_close,
		NULL,
	};
	/* create time, last access, last write, last change -- 8 bytes each */
	const int time_fields[4] = {
		hf_smb2_create_timestamp,
		hf_smb2_last_access_timestamp,
		hf_smb2_last_write_timestamp,
		hf_smb2_last_change_timestamp,
	};
	proto_tree *subtree = NULL;
	int name_bytes;

	if (parent_tree) {
		proto_item *ti = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
		subtree = proto_item_add_subtree(ti, ett_smb2_file_all_info);
	}

	for (int i = 0; i < 4; i++) {
		dissect_nttime(tvb, subtree, offset, time_fields[i], ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, subtree, offset, NULL);

	/* some unknown bytes */
	proto_tree_add_item(subtree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* allocation size */
	proto_tree_add_item(subtree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* end of file */
	proto_tree_add_item(subtree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* number of links */
	proto_tree_add_item(subtree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* delete pending */
	proto_tree_add_item(subtree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* is directory */
	proto_tree_add_item(subtree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* padding: skipped without being added to the tree */
	offset += 2;

	/* file id */
	proto_tree_add_item(subtree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* ea size */
	proto_tree_add_item(subtree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* access mask */
	offset = dissect_smb_access_mask(tvb, subtree, offset);

	/* Position Information */
	proto_tree_add_item(subtree, hf_smb2_position_information, tvb, offset, 8, ENC_NA);
	offset += 8;

	/* Mode Information */
	proto_tree_add_bitmask(subtree, tvb, offset, hf_smb2_mode_information, ett_smb2_file_mode_info, mode_bits, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* Alignment Information */
	proto_tree_add_item(subtree, hf_smb2_alignment_information, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* file name length: low 16 bits of the 4-byte field, taken from the wire */
	name_bytes = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(subtree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* file name */
	if (name_bytes != 0) {
		proto_tree_add_item(subtree, hf_smb2_filename,
			tvb, offset, name_bytes, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		offset += name_bytes;
	}

	return offset;
}
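/*
 * Tree wrapper for the file allocation info level: adds the
 * hf_smb2_file_allocation_info item (when a tree is built) and delegates
 * the payload to dissect_qsfi_SMB_FILE_ALLOCATION_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}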
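/*
 * Tree wrapper for the end-of-file info level: adds the
 * hf_smb2_file_endoffile_info item (when a tree is built) and delegates the
 * payload to dissect_qsfi_SMB_FILE_ENDOFFILE_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}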
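/*
 * Tree wrapper for the alternate name info level: adds the
 * hf_smb2_file_alternate_name_info item (when a tree is built) and
 * delegates the payload to dissect_qfi_SMB_FILE_NAME_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ true);

	return offset;
}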
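/*
 * Tree wrapper for the normalized name info level: adds the
 * hf_smb2_file_normalized_name_info item (when a tree is built) and
 * delegates the payload to dissect_qfi_SMB_FILE_NAME_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_normalized_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_normalized_name_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_normalized_name_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ true);

	return offset;
}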
/*
 * Dissect the file basic info level: four 8-byte NT timestamps (create,
 * last access, last write, last change), the file attributes bitmask and
 * 4 trailing bytes shown as hf_smb2_unknown.
 *
 * Returns the offset after the last field.
 */
static int
dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	/* timestamps in wire order */
	const int time_fields[4] = {
		hf_smb2_create_timestamp,
		hf_smb2_last_access_timestamp,
		hf_smb2_last_write_timestamp,
		hf_smb2_last_change_timestamp,
	};
	proto_tree *subtree = NULL;

	if (parent_tree) {
		proto_item *ti = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
		subtree = proto_item_add_subtree(ti, ett_smb2_file_basic_info);
	}

	for (int i = 0; i < 4; i++) {
		dissect_nttime(tvb, subtree, offset, time_fields[i], ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, subtree, offset, NULL);

	/* some unknown bytes */
	proto_tree_add_item(subtree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);

	return offset + 4;
}
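/*
 * Tree wrapper for the file standard info level: adds the
 * hf_smb2_file_standard_info item (when a tree is built) and delegates the
 * payload to dissect_qfi_SMB_FILE_STANDARD_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}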
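/*
 * Tree wrapper for the file internal info level: adds the
 * hf_smb2_file_internal_info item (when a tree is built) and delegates the
 * payload to dissect_qfi_SMB_FILE_INTERNAL_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}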
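/*
 * Tree wrapper for the file mode info level: adds the
 * hf_smb2_file_mode_info item (when a tree is built) and delegates the
 * payload to dissect_qsfi_SMB_FILE_MODE_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}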
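/*
 * Tree wrapper for the file alignment info level: adds the
 * hf_smb2_file_alignment_info item (when a tree is built) and delegates the
 * payload to dissect_qfi_SMB_FILE_ALIGNMENT_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}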
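/*
 * Tree wrapper for the file position info level: adds the
 * hf_smb2_file_position_info item (when a tree is built) and delegates the
 * payload to dissect_qsfi_SMB_FILE_POSITION_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}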
/*
 * Dissect the file access info level: a single access mask, handled by
 * dissect_smb_access_mask(), shown under the hf_smb2_file_access_info item.
 *
 * Returns the offset reported by dissect_smb_access_mask().
 */
static int
dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *subtree = NULL;

	if (parent_tree) {
		proto_item *ti = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
		subtree = proto_item_add_subtree(ti, ett_smb2_file_access_info);
	}

	/* access mask */
	return dissect_smb_access_mask(tvb, subtree, offset);
}
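/*
 * Tree wrapper for the file EA info level: adds the hf_smb2_file_ea_info
 * item (when a tree is built) and delegates the payload to
 * dissect_qfi_SMB_FILE_EA_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}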
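/*
 * Tree wrapper for the file stream info level: adds the
 * hf_smb2_file_stream_info item (when a tree is built) and delegates the
 * payload to dissect_qfi_SMB_FILE_STREAM_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, true);

	return offset;
}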
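/*
 * Tree wrapper for the file pipe info level: adds the
 * hf_smb2_file_pipe_info item (when a tree is built) and delegates the
 * payload to dissect_sfi_SMB_FILE_PIPE_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}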
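/*
 * Tree wrapper for the file compression info level: adds the
 * hf_smb2_file_compression_info item (when a tree is built) and delegates
 * the payload to dissect_qfi_SMB_FILE_COMPRESSION_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}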
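/*
 * Tree wrapper for the file network open info level: adds the
 * hf_smb2_file_network_open_info item (when a tree is built) and delegates
 * the payload to dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}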
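/*
 * Tree wrapper for the file attribute tag info level: adds the
 * hf_smb2_file_attribute_tag_info item (when a tree is built) and delegates
 * the payload to dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;
	bool trunc = false;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);

	return offset;
}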
/* Display strings for the delete-on-close disposition flag: the first is
 * shown when the flag is set, the second when it is clear. */
static const true_false_string tfs_disposition_delete_on_close = {
	"DELETE this file when closed",
	"Normal access, do not delete on close"
};
/*
 * Dissect the file disposition info level: one byte shown as
 * hf_smb2_disposition_delete_on_close under the
 * hf_smb2_file_disposition_info item.
 *
 * NOTE(review): the returned offset is the incoming one -- it is not
 * advanced past the 1-byte field.  Confirm no caller relies on the return
 * value pointing past the structure.
 */
static int
dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *subtree = NULL;

	if (parent_tree) {
		proto_item *ti = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
		subtree = proto_item_add_subtree(ti, ett_smb2_file_disposition_info);
	}

	/* file disposition */
	proto_tree_add_item(subtree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);

	return offset;
}
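/*
 * Dissect a chain of full extended-attribute (EA) entries starting at
 * `offset`.
 *
 * Each entry is: 4-byte next-entry offset (relative to the entry start,
 * 0 terminates the chain), 1-byte flags, 1-byte name length, 2-byte data
 * length, the name followed by a terminating NUL, then the data.  Every
 * entry gets its own "EA:" subtree labelled "name := data".
 *
 * All lengths and the next-entry offset come straight from the capture and
 * are untrusted.  Reads past the buffer are caught by the tvb accessors;
 * the next-entry offset is additionally checked here so that it can only
 * move the cursor forward.
 *
 * Returns the offset after the last entry dissected.
 */
static int
dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	uint32_t next_offset;
	uint8_t ea_name_len;
	uint16_t ea_data_len;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
	}

	while (1) {
		char *name = NULL;
		char *data = NULL;
		int start_offset = offset;
		proto_item *ea_item;
		proto_tree *ea_tree;

		ea_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_ea, &ea_item, "EA:");

		/* next offset */
		next_offset = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* EA flags */
		proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		offset += 1;

		/* EA Name Length */
		ea_name_len = tvb_get_uint8(tvb, offset);
		proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		offset += 1;

		/* EA Data Length */
		ea_data_len = tvb_get_letohs(tvb, offset);
		proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		/* ea name */
		if (ea_name_len) {
			proto_tree_add_item_ret_display_string(ea_tree, hf_smb2_ea_name,
				tvb, offset, ea_name_len, ENC_ASCII|ENC_NA,
				pinfo->pool, &name);
		}

		/* The name is terminated with a NULL */
		offset += ea_name_len + 1;

		/* ea data */
		if (ea_data_len) {
			proto_tree_add_item_ret_display_string(ea_tree, hf_smb2_ea_data,
				tvb, offset, ea_data_len, ENC_NA,
				pinfo->pool, &data);
		}
		offset += ea_data_len;


		if (ea_item) {
			proto_item_append_text(ea_item, " %s := %s",
				name ? name : "",
				data ? data : "");
			proto_item_set_len(ea_item, offset-start_offset);
		}


		if (!next_offset) {
			break;
		}

		/*
		 * start_offset + next_offset is evaluated in 32-bit unsigned
		 * arithmetic and then stored in a signed int.  A very large
		 * next_offset would wrap and place the cursor at or before the
		 * current entry, so the loop would revisit data and might never
		 * terminate.  Treat such a value as a malformed packet instead
		 * of following it.
		 */
		if (next_offset > (uint32_t)INT32_MAX - (uint32_t)start_offset) {
			THROW(ReportedBoundsError);
		}

		offset = start_offset+next_offset;
	}

	return offset;
}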
/* Display strings for the ReplaceIfExists flag: the first is shown when the
 * flag is set, the second when it is clear. */
static const true_false_string tfs_replace_if_exists = {
	"Replace the target if it exists",
	"Fail if the target exists"
};
/*
 * Dissect the file rename info level: 1-byte ReplaceIfExists flag, 7
 * reserved bytes, an 8-byte root directory handle (must be zero), a file
 * name length and the UTF-16LE new name.  A non-empty name is also
 * appended to the Info column as " NewName:<name>".
 *
 * The name is capture data; it is only ever passed as a "%s" argument.
 *
 * NOTE(review): the file name length is displayed as a 4-byte field but
 * only its low 16 bits are read (tvb_get_letohs) and used.
 *
 * Returns the offset after the last field consumed.
 */
static int
dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *subtree = NULL;
	int name_bytes;

	if (parent_tree) {
		proto_item *ti = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
		subtree = proto_item_add_subtree(ti, ett_smb2_file_rename_info);
	}

	/* ReplaceIfExists */
	proto_tree_add_item(subtree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
	offset += 1;

	/* reserved */
	proto_tree_add_item(subtree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
	offset += 7;

	/* Root Directory Handle, MBZ */
	proto_tree_add_item(subtree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
	offset += 8;

	/* file name length */
	name_bytes = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(subtree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* no name present: nothing more to show */
	if (name_bytes == 0) {
		return offset;
	}

	/* file name */
	char *new_name;

	proto_tree_add_item_ret_display_string(subtree, hf_smb2_filename,
		tvb, offset, name_bytes, ENC_UTF_16|ENC_LITTLE_ENDIAN,
		pinfo->pool, &new_name);
	col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s",
		new_name);

	return offset + name_bytes;
}
/*
 * Dissect the file link info level: 1-byte ReplaceIfExists flag, 7
 * reserved bytes, an 8-byte root directory handle (must be zero), a file
 * name length and the UTF-16LE link name.  A non-empty name is also
 * appended to the Info column as " NewLink:<name>".
 *
 * The name is capture data; it is only ever passed as a "%s" argument.
 *
 * NOTE(review): the file name length is displayed as a 4-byte field but
 * only its low 16 bits are read (tvb_get_letohs) and used.
 *
 * Returns the offset after the last field consumed.
 */
static int
dissect_smb2_file_link_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *subtree = NULL;
	char *link_name = NULL;
	int name_bytes;

	if (parent_tree) {
		proto_item *ti = proto_tree_add_item(parent_tree, hf_smb2_file_link_info, tvb, offset, -1, ENC_NA);
		subtree = proto_item_add_subtree(ti, ett_smb2_file_link_info);
	}

	/* ReplaceIfExists */
	proto_tree_add_item(subtree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
	offset += 1;

	/* reserved */
	proto_tree_add_item(subtree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
	offset += 7;

	/* Root Directory Handle, MBZ */
	proto_tree_add_item(subtree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
	offset += 8;

	/* file name length */
	name_bytes = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(subtree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* file name, only when one is present */
	if (name_bytes >= 1) {
		proto_tree_add_item_ret_display_string(subtree, hf_smb2_filename,
			tvb, offset, name_bytes, ENC_UTF_16|ENC_LITTLE_ENDIAN,
			pinfo->pool, &link_name);
		col_append_fstr(pinfo->cinfo, COL_INFO, " NewLink:%s",
			link_name);
		offset += name_bytes;
	}

	return offset;
}
/*
 * Dissect security info: an NT security descriptor, handled by
 * dissect_nt_sec_desc() and shown under the hf_smb2_sec_info_00 item.
 * The captured bytes remaining from `offset` are passed as the
 * descriptor length.
 *
 * Returns the offset reported by dissect_nt_sec_desc().
 */
static int
dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *subtree = NULL;

	if (parent_tree) {
		proto_item *ti = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
		subtree = proto_item_add_subtree(ti, ett_smb2_sec_info_00);
	}

	/* security descriptor */
	return dissect_nt_sec_desc(tvb, offset, pinfo, subtree, NULL, true, tvb_captured_length_remaining(tvb, offset), NULL);
}
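/*
 * Tree wrapper for quota info: adds the hf_smb2_quota_info item (when a
 * tree is built) and delegates the payload to dissect_nt_user_quota().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_quota_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bcp;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_quota_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_quota_info);
	}

	/*
	 * The helper takes a 16-bit byte count.  Clamp rather than let the
	 * assignment wrap modulo 65536, so a buffer larger than 64 KiB is
	 * never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bcp = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);

	return offset;
}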
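/*
 * Tree wrapper for file-system info level 05: adds the hf_smb2_fs_info_05
 * item (when a tree is built) and delegates the payload to
 * dissect_qfsi_FS_ATTRIBUTE_INFO().
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	unsigned remaining;
	uint16_t bc;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
	}

	/*
	 * The shared SMB helper takes a 16-bit byte count.  Clamp rather than
	 * let the assignment wrap modulo 65536, so a buffer larger than 64 KiB
	 * is never presented to the helper as a short or empty one.
	 */
	remaining = (unsigned)tvb_captured_length_remaining(tvb, offset);
	bc = (remaining > UINT16_MAX) ? UINT16_MAX : (uint16_t)remaining;
	offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc);

	return offset;
}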
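/*
 * Dissect the buffer registered as hf_smb2_fs_info_06 by delegating to
 * dissect_nt_quota().
 *
 * The helper takes its byte budget as a uint16_t. The remaining captured
 * length is clamped to UINT16_MAX before the narrowing store; without the
 * clamp a buffer with more than 65535 bytes left wraps modulo 65536 and the
 * helper is handed a budget that is too small (possibly zero).
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	int remaining;
	uint16_t bc;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
	}

	remaining = tvb_captured_length_remaining(tvb, offset);
	if (remaining > UINT16_MAX) {
		/* the budget is packet-controlled: saturate instead of truncating */
		remaining = UINT16_MAX;
	}
	bc = (uint16_t)remaining;
	offset = dissect_nt_quota(tvb, tree, offset, &bc);

	return offset;
}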
/*
 * Dissect a filesystem object-id information buffer.
 *
 * Adds an hf_smb2_fs_objectid_info subtree when a parent tree is given and
 * delegates the payload to dissect_smb2_FILE_OBJECTID_BUFFER(). Returns the
 * offset reported by that helper.
 */
static int
dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *oid_tree = NULL;

	if (parent_tree) {
		proto_item *oid_item;

		oid_item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
		oid_tree = proto_item_add_subtree(oid_item, ett_smb2_fs_objectid_info);
	}

	/* FILE_OBJECTID_BUFFER */
	return dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, oid_tree, offset);
}
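/*
 * Dissect the buffer registered as hf_smb2_fs_info_07 by delegating to
 * dissect_qfsi_FS_FULL_SIZE_INFO().
 *
 * The helper takes its byte budget as a uint16_t. The remaining captured
 * length is clamped to UINT16_MAX before the narrowing store; without the
 * clamp a buffer with more than 65535 bytes left wraps modulo 65536 and the
 * helper is handed a budget that is too small (possibly zero).
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	int remaining;
	uint16_t bc;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
	}

	remaining = tvb_captured_length_remaining(tvb, offset);
	if (remaining > UINT16_MAX) {
		/* the budget is packet-controlled: saturate instead of truncating */
		remaining = UINT16_MAX;
	}
	bc = (uint16_t)remaining;
	offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);

	return offset;
}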
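/*
 * Dissect the buffer registered as hf_smb2_fs_info_01 by delegating to
 * dissect_qfsi_FS_VOLUME_INFO() (last argument true, as before).
 *
 * The helper takes its byte budget as a uint16_t. The remaining captured
 * length is clamped to UINT16_MAX before the narrowing store; without the
 * clamp a buffer with more than 65535 bytes left wraps modulo 65536 and the
 * helper is handed a budget that is too small (possibly zero).
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	int remaining;
	uint16_t bc;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
	}

	remaining = tvb_captured_length_remaining(tvb, offset);
	if (remaining > UINT16_MAX) {
		/* the budget is packet-controlled: saturate instead of truncating */
		remaining = UINT16_MAX;
	}
	bc = (uint16_t)remaining;
	offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, true);

	return offset;
}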
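/*
 * Dissect the buffer registered as hf_smb2_fs_info_03 by delegating to
 * dissect_qfsi_FS_SIZE_INFO().
 *
 * The helper takes its byte budget as a uint16_t. The remaining captured
 * length is clamped to UINT16_MAX before the narrowing store; without the
 * clamp a buffer with more than 65535 bytes left wraps modulo 65536 and the
 * helper is handed a budget that is too small (possibly zero).
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	int remaining;
	uint16_t bc;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
	}

	remaining = tvb_captured_length_remaining(tvb, offset);
	if (remaining > UINT16_MAX) {
		/* the budget is packet-controlled: saturate instead of truncating */
		remaining = UINT16_MAX;
	}
	bc = (uint16_t)remaining;
	offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);

	return offset;
}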
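/*
 * Dissect the buffer registered as hf_smb2_fs_info_04 by delegating to
 * dissect_qfsi_FS_DEVICE_INFO().
 *
 * The helper takes its byte budget as a uint16_t. The remaining captured
 * length is clamped to UINT16_MAX before the narrowing store; without the
 * clamp a buffer with more than 65535 bytes left wraps modulo 65536 and the
 * helper is handed a budget that is too small (possibly zero).
 *
 * Returns the offset reported by the helper.
 */
static int
dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	int remaining;
	uint16_t bc;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
	}

	remaining = tvb_captured_length_remaining(tvb, offset);
	if (remaining > UINT16_MAX) {
		/* the budget is packet-controlled: saturate instead of truncating */
		remaining = UINT16_MAX;
	}
	bc = (uint16_t)remaining;
	offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);

	return offset;
}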
/*
 * Dissect a POSIX filesystem information buffer.
 *
 * The structure is a fixed run of little-endian fields: two 4-byte values
 * followed by six 8-byte values (56 bytes in total). Each field is added to
 * an hf_smb2_fs_posix_info subtree in wire order.
 *
 * Returns the offset just past the last field.
 */
static int
dissect_smb2_fs_posix_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	/* wire layout: header-field handle and width, in order of appearance */
	static const struct {
		int *hf;
		int  width;
	} layout[] = {
		{ &hf_smb2_fs_posix_optimal_transfer_size, 4 },
		{ &hf_smb2_fs_posix_block_size, 4 },
		{ &hf_smb2_fs_posix_total_blocks, 8 },
		{ &hf_smb2_fs_posix_blocks_available, 8 },
		{ &hf_smb2_fs_posix_user_blocks_available, 8 },
		{ &hf_smb2_fs_posix_total_file_nodes, 8 },
		{ &hf_smb2_fs_posix_free_file_nodes, 8 },
		{ &hf_smb2_fs_posix_fs_identifier, 8 },
	};
	proto_tree *posix_tree = NULL;
	size_t      k;

	if (parent_tree) {
		proto_item *posix_item;

		posix_item = proto_tree_add_item(parent_tree, hf_smb2_fs_posix_info, tvb, offset, -1, ENC_NA);
		posix_tree = proto_item_add_subtree(posix_item, ett_smb2_fs_posix_info);
	}

	for (k = 0; k < sizeof layout / sizeof layout[0]; k++) {
		proto_tree_add_item(posix_tree, *layout[k].hf, tvb, offset, layout[k].width, ENC_LITTLE_ENDIAN);
		offset += layout[k].width;
	}

	return offset;
}
/* Display names for the oplock level values; terminated by { 0, NULL }. */
static const value_string oplock_vals[] = {
	{ 0x00, "No oplock" },
	{ 0x01, "Level2 oplock" },
	{ 0x08, "Exclusive oplock" },
	{ 0x09, "Batch oplock" },
	{ 0xff, "Lease" },
	{ 0, NULL }
};
/*
 * Add the 1-byte hf_smb2_oplock field at `offset` to parent_tree.
 * Returns the offset of the byte that follows it.
 */
static int
dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);

	return offset + 1;
}
/*
 * Dissect the 2-byte buffer code that starts a command PDU.
 *
 * The raw 16-bit value is shown as hf_smb2_buffer_code, with the length and
 * dynamic-flag views of the same two bytes added beneath it.
 *
 * If `length` is non-NULL it receives the raw, unmasked value; callers that
 * want only the length part have to mask it themselves.
 *
 * Returns the offset just past the buffer code.
 */
static int
dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, uint16_t *length)
{
	const uint16_t raw_code = tvb_get_letohs(tvb, offset);
	proto_item *code_item;
	proto_tree *code_tree;

	/* dissect the first 2 bytes of the command PDU */
	code_item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, raw_code);
	code_tree = proto_item_add_subtree(code_item, ett_smb2_buffercode);
	proto_tree_add_item(code_tree, hf_smb2_buffer_code_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(code_tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);

	if (length != NULL) {
		/* deliberately not masked with 0xfffe here; that is the caller's job */
		*length = raw_code;
	}

	return offset + 2;
}
/* Capability bit masks (presumably the bits behind the hf_smb2_cap_* fields; confirm against the field registrations). */
#define NEGPROT_CAP_DFS 0x00000001
#define NEGPROT_CAP_LEASING 0x00000002
#define NEGPROT_CAP_LARGE_MTU 0x00000004
#define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
#define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
#define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
#define NEGPROT_CAP_ENCRYPTION 0x00000040
#define NEGPROT_CAP_NOTIFICATIONS 0x00000080
/*
 * Add the 4-byte little-endian capabilities bitmask at `offset` to
 * parent_tree, broken out into the individual hf_smb2_cap_* flags.
 * Returns the offset just past the field.
 */
static int
dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	static int * const cap_fields[] = {
		&hf_smb2_cap_dfs,
		&hf_smb2_cap_leasing,
		&hf_smb2_cap_large_mtu,
		&hf_smb2_cap_multi_channel,
		&hf_smb2_cap_persistent_handles,
		&hf_smb2_cap_directory_leasing,
		&hf_smb2_cap_encryption,
		&hf_smb2_cap_notifications,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_capabilities, ett_smb2_capabilities, cap_fields, ENC_LITTLE_ENDIAN);

	return offset + 4;
}
/* Signing bits (presumably of the 1-byte security mode field shown by dissect_smb2_secmode(); confirm). */
#define NEGPROT_SIGN_REQ 0x02
#define NEGPROT_SIGN_ENABLED 0x01
/*
 * Add the 1-byte security mode bitmask at `offset` to parent_tree, with the
 * signing-enabled and signing-required flags broken out.
 * Returns the offset just past the field.
 */
static int
dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	static int * const mode_fields[] = {
		&hf_smb2_secmode_flags_sign_enabled,
		&hf_smb2_secmode_flags_sign_required,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_security_mode, ett_smb2_sec_mode, mode_fields, ENC_LITTLE_ENDIAN);

	return offset + 1;
}
/* Session setup request flag bit (presumably the bit behind hf_smb2_ses_req_flags_session_binding; confirm). */
#define SES_REQ_FLAGS_SESSION_BINDING 0x01
/*
 * Add the 1-byte session setup request flags at `offset` to parent_tree,
 * with the session-binding flag broken out.
 * Returns the offset just past the field.
 */
static int
dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	static int * const req_fields[] = {
		&hf_smb2_ses_req_flags_session_binding,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_ses_req_flags, ett_smb2_ses_req_flags, req_fields, ENC_LITTLE_ENDIAN);

	return offset + 1;
}
/* Session flag bits (presumably of the 2-byte field shown by dissect_smb2_ses_flags(); confirm). */
#define SES_FLAGS_GUEST 0x0001
#define SES_FLAGS_NULL 0x0002
#define SES_FLAGS_ENCRYPT 0x0004
/*
 * Add the 2-byte little-endian session flags at `offset` to parent_tree,
 * with the guest, null and encrypt flags broken out.
 * Returns the offset just past the field.
 */
static int
dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	static int * const ses_fields[] = {
		&hf_smb2_ses_flags_guest,
		&hf_smb2_ses_flags_null,
		&hf_smb2_ses_flags_encrypt,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_session_flags, ett_smb2_ses_flags, ses_fields, ENC_LITTLE_ENDIAN);

	return offset + 2;
}
/*
 * Caching policy values. dissect_smb2_share_flags() isolates them from the
 * 32-bit share flags with the mask 0x00000030 and looks the result up in
 * share_cache_vals.
 */
#define SHARE_FLAGS_manual_caching 0x00000000
#define SHARE_FLAGS_auto_caching 0x00000010
#define SHARE_FLAGS_vdo_caching 0x00000020
#define SHARE_FLAGS_no_caching 0x00000030

/* Display names for the caching policy values; terminated by { 0, NULL }. */
static const value_string share_cache_vals[] = {
	{ SHARE_FLAGS_manual_caching, "Manual caching" },
	{ SHARE_FLAGS_auto_caching, "Auto caching" },
	{ SHARE_FLAGS_vdo_caching, "VDO caching" },
	{ SHARE_FLAGS_no_caching, "No caching" },
	{ 0, NULL }
};
/* Share flag bit masks (presumably the bits behind the hf_smb2_share_flags_* fields; confirm against the field registrations). */
#define SHARE_FLAGS_dfs 0x00000001
#define SHARE_FLAGS_dfs_root 0x00000002
#define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
#define SHARE_FLAGS_force_shared_delete 0x00000200
#define SHARE_FLAGS_allow_namespace_caching 0x00000400
#define SHARE_FLAGS_access_based_dir_enum 0x00000800
#define SHARE_FLAGS_force_levelii_oplock 0x00001000
#define SHARE_FLAGS_enable_hash_v1 0x00002000
#define SHARE_FLAGS_enable_hash_v2 0x00004000
#define SHARE_FLAGS_encryption_required 0x00008000
#define SHARE_FLAGS_identity_remoting 0x00040000
#define SHARE_FLAGS_compress_data 0x00100000
#define SHARE_FLAGS_isolated_transport 0x00200000
/*
 * Dissect the 4-byte little-endian share flags at `offset`.
 *
 * The individual flag bits are shown as a bitmask. The caching policy, which
 * occupies bits 0x00000030 of the same word, is then added beneath the
 * bitmask item as a formatted value looked up in share_cache_vals.
 *
 * Returns the offset just past the field.
 */
static int
dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
{
	static int * const sf_fields[] = {
		&hf_smb2_share_flags_dfs,
		&hf_smb2_share_flags_dfs_root,
		&hf_smb2_share_flags_restrict_exclusive_opens,
		&hf_smb2_share_flags_force_shared_delete,
		&hf_smb2_share_flags_allow_namespace_caching,
		&hf_smb2_share_flags_access_based_dir_enum,
		&hf_smb2_share_flags_force_levelii_oplock,
		&hf_smb2_share_flags_enable_hash_v1,
		&hf_smb2_share_flags_enable_hash_v2,
		&hf_smb2_share_flags_encrypt_data,
		&hf_smb2_share_flags_identity_remoting,
		&hf_smb2_share_flags_compress_data,
		&hf_smb2_share_flags_isolated_transport,
		NULL
	};
	proto_item *flags_item;
	uint32_t    cache_policy;

	flags_item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);

	/* the caching policy is a 2-bit value inside the flags word, not a single flag */
	cache_policy = tvb_get_letohl(tvb, offset) & 0x00000030;
	proto_tree_add_uint_format(flags_item, hf_smb2_share_caching, tvb, offset, 4, cache_policy, "Caching policy: %s (%08x)", val_to_str(cache_policy, share_cache_vals, "Unknown:%u"), cache_policy);

	return offset + 4;
}
/* Share capability bit masks (presumably the bits behind the hf_smb2_share_caps_* fields; confirm against the field registrations). */
#define SHARE_CAPS_DFS 0x00000008
#define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
#define SHARE_CAPS_SCALEOUT 0x00000020
#define SHARE_CAPS_CLUSTER 0x00000040
#define SHARE_CAPS_ASYMMETRIC 0x00000080
#define SHARE_CAPS_REDIRECT_TO_OWNER 0x00000100
/*
 * Add the 4-byte little-endian share capabilities bitmask at `offset` to
 * `tree`, broken out into the individual hf_smb2_share_caps_* flags.
 * Returns the offset just past the field.
 */
static int
dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
{
	static int * const sc_fields[] = {
		&hf_smb2_share_caps_dfs,
		&hf_smb2_share_caps_continuous_availability,
		&hf_smb2_share_caps_scaleout,
		&hf_smb2_share_caps_cluster,
		&hf_smb2_share_caps_asymmetric,
		&hf_smb2_share_caps_redirect_to_owner,
		NULL
	};

	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);

	return offset + 4;
}
/*
 * Hand a security blob to the matching sub-dissector.
 *
 * A blob with at least 7 captured bytes whose first 7 bytes compare equal to
 * "NTLMSSP" (tvb_memeql() returning 0) goes to the NTLMSSP dissector; every
 * other blob goes to the GSS-API dissector. The choice is made purely on
 * these packet bytes.
 */
static void
dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	const bool raw_ntlmssp = (tvb_captured_length(tvb)>=7)
		&& (!tvb_memeql(tvb, 0, (const uint8_t*)"NTLMSSP", 7));

	if (raw_ntlmssp) {
		call_dissector(ntlmssp_handle, tvb, pinfo, tree);
		return;
	}

	call_dissector(gssapi_handle, tvb, pinfo, tree);
}
/*
 * Derive client and server decryption keys from the secret session key
 * and set them in the session object.
 *
 * A key that is already non-zero in `ses` is kept as is. "Already present"
 * is decided on the signing key and the two 16-byte decryption keys only;
 * the 32-byte keys are not looked at. Nothing is derived when the session
 * key is all zero over its first NTLMSSP_KEY_LEN bytes or when
 * session_key_len is 0.
 *
 * Which derivation runs depends on conv->dialect:
 *   - up to SMB2_DIALECT_210: the session key is copied as the signing key;
 *   - below SMB2_DIALECT_311: fixed label/context strings;
 *   - SMB2_DIALECT_311 and later: the session's preauth hash is the context,
 *     and 32-byte decryption keys are derived next to the 16-byte ones.
 *
 * NOTE(review): the DEBUG()/HEXDUMP() calls at the end print every derived
 * key. They appear to be active only when DEBUG_SMB2 is defined; such a
 * build writes key material to its log output.
 */
static void smb2_generate_decryption_keys(smb2_conv_info_t *conv, smb2_sesid_info_t *ses)
{
	const bool have_session_key = memcmp(ses->session_key, zeros, NTLMSSP_KEY_LEN) != 0;
	const bool have_signing_key = memcmp(ses->signing_key, zeros, NTLMSSP_KEY_LEN) != 0;
	const bool have_s2c_key = memcmp(ses->client_decryption_key16, zeros, AES_KEY_SIZE) != 0;
	const bool have_c2s_key = memcmp(ses->server_decryption_key16, zeros, AES_KEY_SIZE) != 0;

	/* every key was supplied already: leave the session untouched */
	if (have_s2c_key && have_c2s_key && have_signing_key) {
		return;
	}

	/* no usable session key: nothing to derive from */
	if (!have_session_key || ses->session_key_len == 0) {
		return;
	}

	if (conv->dialect <= SMB2_DIALECT_210) {
		/* the session key doubles as the signing key */
		if (!have_signing_key) {
			memcpy(ses->signing_key, ses->session_key,
			       NTLMSSP_KEY_LEN);
		}
	} else if (conv->dialect < SMB2_DIALECT_311) {
		/* label and context lengths include the terminating NUL */
		if (!have_c2s_key) {
			smb2_key_derivation(ses->session_key,
					    NTLMSSP_KEY_LEN,
					    "SMB2AESCCM", 11,
					    "ServerIn ", 10,
					    ses->server_decryption_key16, 16);
		}
		if (!have_s2c_key) {
			smb2_key_derivation(ses->session_key,
					    NTLMSSP_KEY_LEN,
					    "SMB2AESCCM", 11,
					    "ServerOut", 10,
					    ses->client_decryption_key16, 16);
		}
		if (!have_signing_key) {
			smb2_key_derivation(ses->session_key,
					    NTLMSSP_KEY_LEN,
					    "SMB2AESCMAC", 12,
					    "SmbSign", 8,
					    ses->signing_key, 16);
		}
	} else if (conv->dialect >= SMB2_DIALECT_311) {
		/*
		 * The 16-byte keys use the first NTLMSSP_KEY_LEN bytes of the
		 * session key, the 32-byte keys use session_key_len bytes.
		 */
		if (!have_c2s_key) {
			smb2_key_derivation(ses->session_key,
					    NTLMSSP_KEY_LEN,
					    "SMBC2SCipherKey", 16,
					    ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
					    ses->server_decryption_key16, 16);
			smb2_key_derivation(ses->session_key,
					    ses->session_key_len,
					    "SMBC2SCipherKey", 16,
					    ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
					    ses->server_decryption_key32, 32);
		}
		if (!have_s2c_key) {
			smb2_key_derivation(ses->session_key,
					    NTLMSSP_KEY_LEN,
					    "SMBS2CCipherKey", 16,
					    ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
					    ses->client_decryption_key16, 16);
			smb2_key_derivation(ses->session_key,
					    ses->session_key_len,
					    "SMBS2CCipherKey", 16,
					    ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
					    ses->client_decryption_key32, 32);
		}
		if (!have_signing_key) {
			smb2_key_derivation(ses->session_key,
					    NTLMSSP_KEY_LEN,
					    "SMBSigningKey", 14,
					    ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
					    ses->signing_key, 16);
		}
	}

	DEBUG("Generated Sign key");
	HEXDUMP(ses->signing_key, NTLMSSP_KEY_LEN);
	DEBUG("Generated S2C key16");
	HEXDUMP(ses->client_decryption_key16, AES_KEY_SIZE);
	DEBUG("Generated S2C key32");
	HEXDUMP(ses->client_decryption_key32, AES_KEY_SIZE*2);
	DEBUG("Generated C2S key16");
	HEXDUMP(ses->server_decryption_key16, AES_KEY_SIZE);
	DEBUG("Generated C2S key32");
	HEXDUMP(ses->server_decryption_key32, AES_KEY_SIZE*2);
}
/*
 * Dissect an SMB2 SESSION_SETUP request.
 *
 * Besides adding the fixed fields and the security blob to the tree, the
 * first pass over a frame also:
 *   - updates the connection's running preauth hash with this PDU and keeps
 *     a per-request copy in si->saved, and
 *   - records the account, domain and host names of any NTLMSSP_AUTH message
 *     seen through the "ntlmssp" tap, together with its session key unless
 *     the session already holds a non-zero key.
 *
 * The names and the key come from the packet via the NTLMSSP dissector; they
 * are display and decryption aids, not verified identities.
 *
 * Returns the offset past the fixed part or past the security blob,
 * whichever dissect_smb2_olb_tvb_max_offset() reports.
 */
static int
dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t  blob_olb;
	const ntlmssp_header_t *ntlm_hdr;
	static int ntlmssp_tap_id = 0;
	smb2_saved_info_t *saved = si->saved;
	proto_item *hash_item;
	int tap_idx;

	if (!ntlmssp_tap_id) {
		/* We don't specify any callbacks at all.
		 * Instead we manually fetch the tapped data after the
		 * security blob has been fully dissected and before
		 * we exit from this dissector.
		 */
		GString *tap_error = register_tap_listener("ntlmssp", NULL, NULL,
		    TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL, NULL);

		if (tap_error) {
			g_string_free(tap_error, true);
		} else {
			ntlmssp_tap_id = find_tap_id("ntlmssp");
		}
	}

	if (!pinfo->fd->visited && saved) {
		/* compute preauth hash on first pass */

		/* start from last preauth hash of the connection if 1st request */
		if (si->sesid == 0) {
			memcpy(si->conv->preauth_hash_ses, si->conv->preauth_hash_con, SMB2_PREAUTH_HASH_SIZE);
		}

		saved->preauth_hash_req = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
		update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
		memcpy(saved->preauth_hash_req, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
	}

	if (saved && saved->preauth_hash_req) {
		/* computed value rather than packet bytes, hence marked as generated */
		hash_item = proto_tree_add_bytes_with_length(tree, hf_smb2_preauth_hash, tvb,
							     0, tvb_captured_length(tvb),
							     saved->preauth_hash_req, SMB2_PREAUTH_HASH_SIZE);
		proto_item_set_generated(hash_item);
	}

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	/* some unknown bytes */

	/* flags */
	offset = dissect_smb2_ses_req_flags(tree, tvb, offset);

	/* security mode */
	offset = dissect_smb2_secmode(tree, tvb, offset);

	/* capabilities */
	offset = dissect_smb2_capabilities(tree, tvb, offset);

	/* channel */
	proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* security blob offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &blob_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);

	/* previous session id */
	proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* the security blob itself */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &blob_olb, si, dissect_smb2_secblob);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &blob_olb);

	/* If we have found a uid->acct_name mapping, store it */
	if (!pinfo->fd->visited) {
		for (tap_idx = 0;
		     (ntlm_hdr = (const ntlmssp_header_t *)fetch_tapped_data(ntlmssp_tap_id, tap_idx)) != NULL;
		     tap_idx++) {
			if (ntlm_hdr->type != NTLMSSP_AUTH) {
				continue;
			}

			si->session = smb2_get_session(si->conv, si->sesid, pinfo, si);
			si->session->acct_name = wmem_strdup(wmem_file_scope(), ntlm_hdr->acct_name);
			si->session->domain_name = wmem_strdup(wmem_file_scope(), ntlm_hdr->domain_name);
			si->session->host_name = wmem_strdup(wmem_file_scope(), ntlm_hdr->host_name);

			/* don't overwrite session key from preferences */
			if (memcmp(si->session->session_key, zeros, NTLMSSP_KEY_LEN) == 0) {
				memcpy(si->session->session_key, ntlm_hdr->session_key, NTLMSSP_KEY_LEN);
				si->session->session_key_len = NTLMSSP_KEY_LEN;
				si->session->session_key_frame = pinfo->num;
			}
			si->session->auth_frame = pinfo->num;
		}
	}

	return offset;
}
/*
 * Dissect a share-redirect error context.
 *
 * Adds the fixed fields (structure size, notification type, resource name
 * offset/length, flags, target type, address count), then one socket address
 * entry per counted address, and finally the resource name string.
 *
 * NOTE(review): the address count is a 32-bit value taken from the packet
 * and is the only bound on the loop. Termination for an oversized count
 * relies on the tvb accessors inside the helper raising a bounds exception;
 * confirm that holds on every path of the helper.
 *
 * NOTE(review): the helper's return value is added to `offset`. That is only
 * right if it returns a consumed length rather than an absolute offset;
 * verify against dissect_windows_sockaddr_storage().
 */
static void
dissect_smb2_share_redirect_error(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *ctx_item;
	proto_tree *ctx_tree;
	proto_item *list_item;
	proto_tree *list_tree;
	offset_length_buffer_t name_olb;
	uint32_t addr_count;
	uint32_t n;

	ctx_item = proto_tree_add_item(parent_tree, hf_smb2_error_redir_context, tvb, offset, 0, ENC_NA);
	ctx_tree = proto_item_add_subtree(ctx_item, ett_smb2_error_redir_context);

	/* structure size */
	proto_tree_add_item(ctx_tree, hf_smb2_error_redir_struct_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* notification type */
	proto_tree_add_item(ctx_tree, hf_smb2_error_redir_notif_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* resource name offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &name_olb, OLB_O_UINT32_S_UINT32, hf_smb2_error_redir_res_name);

	/* flags */
	proto_tree_add_item(ctx_tree, hf_smb2_error_redir_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* target type */
	proto_tree_add_item(ctx_tree, hf_smb2_error_redir_target_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* ip addr count */
	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_error_redir_ip_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &addr_count);
	offset += 4;

	/* ip addr list */
	list_item = proto_tree_add_item(ctx_tree, hf_smb2_error_redir_ip_list, tvb, offset, 0, ENC_NA);
	list_tree = proto_item_add_subtree(list_item, ett_smb2_error_redir_ip_list);
	for (n = 0; n < addr_count; n++) {
		offset += dissect_windows_sockaddr_storage(tvb, pinfo, list_tree, offset, -1);
	}

	/* resource name */
	dissect_smb2_olb_off_string(pinfo, ctx_tree, tvb, &name_olb, offset, OLB_TYPE_UNICODE_STRING);
}
/*
 * Dissect the error data that accompanies STATUS_STOPPED_ON_SYMLINK.
 *
 * Adds, in wire order: symlink length (4), symlink error tag (4), reparse
 * tag (4), reparse data length (2), unparsed path length (2), the
 * offset/length pairs of the substitute and print names, and flags (4).
 * Both name strings are then resolved relative to the offset that follows
 * the flags field.
 */
static void
dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	offset_length_buffer_t subst_olb, print_olb;
	proto_item *sym_item;
	proto_tree *sym_tree;

	sym_item = proto_tree_add_item(parent_tree, hf_smb2_symlink_error_response, tvb, offset, -1, ENC_NA);
	sym_tree = proto_item_add_subtree(sym_item, ett_smb2_symlink_error_response);

	/* symlink length */
	proto_tree_add_item(sym_tree, hf_smb2_symlink_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* symlink error tag */
	proto_tree_add_item(sym_tree, hf_smb2_symlink_error_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reparse tag */
	proto_tree_add_item(sym_tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reparse data length, then unparsed path length */
	proto_tree_add_item(sym_tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	proto_tree_add_item(sym_tree, hf_smb2_unparsed_path_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* substitute name offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &subst_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);

	/* print name offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &print_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);

	/* flags */
	proto_tree_add_item(sym_tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* substitute name string */
	dissect_smb2_olb_off_string(pinfo, sym_tree, tvb, &subst_olb, offset, OLB_TYPE_UNICODE_STRING);

	/* print name string */
	dissect_smb2_olb_off_string(pinfo, sym_tree, tvb, &print_olb, offset, OLB_TYPE_UNICODE_STRING);
}
/*
 * Dissect one error context: a 4-byte data length, a 4-byte error id, and
 * that many bytes of error data.
 *
 * The data is wrapped in a sub-tvb of exactly the announced length and
 * passed to dissect_smb2_error_data() with a context count of 0, so the
 * nested call never loops over further contexts.
 *
 * Returns the absolute offset in `tvb` just past this context's data (not
 * the number of bytes consumed).
 */
static int
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2_error_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *ctx_item;
	proto_tree *ctx_tree;
	tvbuff_t   *data_tvb;
	uint32_t    data_len;
	uint32_t    error_id;

	ctx_item = proto_tree_add_item(parent_tree, hf_smb2_error_context, tvb, offset, -1, ENC_NA);
	ctx_tree = proto_item_add_subtree(ctx_item, ett_smb2_error_context);

	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_error_context_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &data_len);
	offset += 4;

	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_error_context_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &error_id);
	offset += 4;

	/* data_len is packet-controlled; the sub-tvb is created before offset is advanced by it */
	data_tvb = tvb_new_subset_length(tvb, offset, data_len);
	dissect_smb2_error_data(data_tvb, pinfo, ctx_tree, 0, error_id, si);
	offset += data_len;

	return offset;
}
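/*
 * Dissect the ErrorData part of an error response.
 *
 * Assumes it is being called with a sub-tvb (dissects at offsets 0)
 *
 * error_context_count == 0: the data is a single structure selected by
 * si->status (and, for NT_STATUS_BAD_NETWORK_NAME, by error_id). Data of at
 * most one captured byte is treated as empty.
 *
 * error_context_count > 0: the data is a list of error contexts, dissected
 * one after the other under the dissection-depth guard.
 *
 * dissect_smb2_error_context() returns the absolute offset that follows the
 * context it dissected, so that value replaces `offset`. Adding it to
 * `offset`, as this loop used to do, is only right for the first context;
 * from the second one on it skips ahead by the bytes already consumed and
 * reads packet-controlled lengths from the wrong place.
 */
static void
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2_error_data(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree,
			int error_context_count, int error_id,
			smb2_info_t *si _U_)
{
	proto_tree *tree;
	proto_item *item;

	int offset = 0;
	int i;

	item = proto_tree_add_item(parent_tree, hf_smb2_error_data, tvb, offset, -1, ENC_NA);
	tree = proto_item_add_subtree(item, ett_smb2_error_data);

	if (error_context_count == 0) {
		if (tvb_captured_length_remaining(tvb, offset) <= 1)
			return;
		switch (si->status) {
		case NT_STATUS_STOPPED_ON_SYMLINK:
			dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvb, pinfo, tree, offset, si);
			break;
		case NT_STATUS_BUFFER_TOO_SMALL:
			proto_tree_add_item(tree, hf_smb2_error_min_buf_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
			break;
		case NT_STATUS_BAD_NETWORK_NAME:
			if (error_id == SMB2_ERROR_ID_SHARE_REDIRECT)
				dissect_smb2_share_redirect_error(tvb, pinfo, tree, offset, si);
			break;
		default:
			break;
		}
	} else {
		increment_dissection_depth(pinfo);
		for (i = 0; i < error_context_count; i++) {
			/* the callee hands back the next absolute offset */
			offset = dissect_smb2_error_context(tvb, pinfo, tree, offset, si);
		}
		decrement_dissection_depth(pinfo);
	}
}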
/*
 * SMB2 Error responses are a bit convoluted. Error data can be a list
 * of error contexts which themselves can hold an error data field.
 * See [MS-SMB2] 2.2.2.1.
 *
 * ERROR_RESP := ERROR_DATA
 *
 * ERROR_DATA := ( ERROR_CONTEXT + )
 *             | ERROR_STATUS_STOPPED_ON_SYMLINK
 *             | ERROR_ID_SHARE_REDIRECT
 *             | ERROR_BUFFER_TOO_SMALL
 *
 * ERROR_CONTEXT := ... + ERROR_DATA
 *                | ERROR_ID_SHARE_REDIRECT
 *
 * This needs more fixes for cases when the original header had also the constant value of 9.
 * This should be fixed on caller side where it decides if it has to call this or not.
 *
 * A buffer code other than 9 means "not an error response": only the buffer
 * code is dissected, *continue_dissection (when non-NULL) is set to true and
 * the caller is expected to go on with the regular response layout.
 * Otherwise *continue_dissection is set to false and the error body is
 * dissected here.
 *
 * Returns the offset past whatever was consumed.
 */
static int
dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si,
			    bool* continue_dissection)
{
	int       byte_count;
	uint8_t   ctx_count;
	uint16_t  struct_size;
	tvbuff_t *data_tvb;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, &struct_size);

	/* FIX: error response uses this constant, if not then it is not an error response */
	if (struct_size != 9) {
		if (continue_dissection) {
			*continue_dissection = true;
		}
		return offset;
	}

	if (continue_dissection) {
		*continue_dissection = false;
	}

	/* ErrorContextCount (1 bytes) */
	ctx_count = tvb_get_uint8(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_error_context_count, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* Reserved (1 bytes) */
	proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
	/* NOTE(review): a 32-bit wire value is stored in an int; confirm tvb_new_subset_length() rejects the resulting negative length. */
	byte_count = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* If the ByteCount field is zero then the server MUST supply an ErrorData field
	   that is one byte in length */
	if (byte_count == 0) {
		byte_count = 1;
	}

	/* ErrorData (variable): A variable-length data field that contains extended
	   error information.*/
	data_tvb = tvb_new_subset_length(tvb, offset, byte_count);
	offset += byte_count;

	dissect_smb2_error_data(data_tvb, pinfo, tree, ctx_count, 0, si);

	return offset;
}
/*
 * Dissect an SMB2 SESSION_SETUP response.
 *
 * Besides adding the buffer code, session flags and security blob to the
 * tree, this function maintains session state:
 *   - a response with status 0 marks the frame as the session's auth frame;
 *   - on the first pass the preauth hash is either extended with this PDU
 *     (non-zero status) or frozen into the session (status 0), and a
 *     per-response copy is kept in si->saved;
 *   - with HAVE_KERBEROS, an AP-REP key recorded for this frame supplies the
 *     account, domain and host names and, unless the session already holds a
 *     non-zero key, the session key;
 *   - on status 0 the decryption and signing keys are derived.
 *
 * Returns the offset past the fixed part or past the security blob,
 * whichever dissect_smb2_olb_tvb_max_offset() reports.
 */
static int
dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t blob_olb;
	proto_item *hash_item;
	smb2_saved_info_t *saved = si->saved;

	si->session = smb2_get_session(si->conv, si->sesid, pinfo, si);
	if (si->status == 0) {
		si->session->auth_frame = pinfo->num;
	}

	/* compute preauth hash on first pass */
	if (!pinfo->fd->visited && saved) {
		saved->preauth_hash_res = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
		/*
		 * Preauth hash can only be used if the session is
		 * established i.e. last session setup response has a
		 * success status. As per the specification, the last
		 * response is NOT hashed.
		 */
		if (si->status == 0) {
			/*
			 * Session is established, remember the last preauth hash
			 */
			memcpy(si->session->preauth_hash, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
		} else {
			/*
			 * Not successful means either more req/rsp
			 * processing is required or we reached an
			 * error, so update hash.
			 */
			update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
		}

		/* In all cases, stash the preauth hash */
		memcpy(saved->preauth_hash_res, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
	}

	if (saved && saved->preauth_hash_res) {
		/* computed value rather than packet bytes, hence marked as generated */
		hash_item = proto_tree_add_bytes_with_length(tree, hf_smb2_preauth_hash, tvb,
							     0, tvb_captured_length(tvb),
							     saved->preauth_hash_res, SMB2_PREAUTH_HASH_SIZE);
		proto_item_set_generated(hash_item);
	}

	/* session_setup is special and we don't use dissect_smb2_error_response() here! */

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* session flags */
	offset = dissect_smb2_ses_flags(tree, tvb, offset);

	/* security blob offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &blob_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);

	/* the security blob itself */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &blob_olb, si, dissect_smb2_secblob);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &blob_olb);

	/* If we have found a uid->acct_name mapping, store it */
#ifdef HAVE_KERBEROS
	if (!pinfo->fd->visited &&
	    ((si->session->session_key_frame == UINT32_MAX) ||
	     (si->session->session_key_frame < pinfo->num)))
	{
		enc_key_t *ap_rep_key;

		if (krb_decrypt) {
			read_keytab_file_from_preferences();
		}

		/* find the AP-REP key that was recorded for exactly this frame */
		for (ap_rep_key = enc_key_list; ap_rep_key; ap_rep_key = ap_rep_key->next) {
			if (ap_rep_key->is_ap_rep_key && ap_rep_key->fd_num == (int)pinfo->num) {
				break;
			}
		}

		if (ap_rep_key != NULL) {
			/*
			 * If we remembered information from the PAC content
			 * from GSSAPI AP exchange we use it, otherwise we
			 * can only give a hint about the used session key.
			 */
			if (ap_rep_key->pac_names.account_name) {
				si->session->acct_name = wmem_strdup(wmem_file_scope(),
								     ap_rep_key->pac_names.account_name);
				si->session->domain_name = wmem_strdup(wmem_file_scope(),
								       ap_rep_key->pac_names.account_domain);
				if (ap_rep_key->pac_names.device_sid) {
					si->session->host_name = wmem_strdup_printf(wmem_file_scope(),
										    "DEVICE[%s]",
										    ap_rep_key->pac_names.device_sid);
				} else {
					si->session->host_name = NULL;
				}
			} else {
				si->session->acct_name = wmem_strdup_printf(wmem_file_scope(),
									    "KERBEROS[%s]",
									    ap_rep_key->key_origin);
				si->session->domain_name = wmem_strdup_printf(wmem_file_scope(),
									      "KERBEROS[%s]",
									      ap_rep_key->id_str);
				si->session->host_name = NULL;
			}
			/* don't overwrite session key from preferences */
			if (memcmp(si->session->session_key, zeros, NTLMSSP_KEY_LEN) == 0) {
				/*
				 * NOTE(review): the copy is capped at NTLMSSP_KEY_LEN*2
				 * bytes; confirm session_key is at least that large and
				 * that keylength can never be negative here.
				 */
				si->session->session_key_len = MIN(NTLMSSP_KEY_LEN*2, ap_rep_key->keylength);
				memcpy(si->session->session_key,
				       ap_rep_key->keyvalue,
				       si->session->session_key_len);
				si->session->session_key_frame = pinfo->num;
			}
		}
	}
#endif

	if (si->status == 0) {
		/*
		 * Session is established, we can generate the keys
		 */
		smb2_generate_decryption_keys(si->conv, si->session);
	}

	return offset;
}
/*
 * Dissect an SMB2 TREE_CONNECT request.
 *
 * Adds the buffer code, the 2-byte flags bitmask and the tree (share path)
 * string. Set flag names are appended to the parent item's text. On the
 * first pass a non-empty tree name is saved in si->saved as
 * SMB2_EI_TREENAME. The name is also appended to the Info column after
 * passing through format_text(), since it is a packet-supplied string.
 *
 * Returns the offset past the fixed part or past the tree string, whichever
 * dissect_smb2_olb_tvb_max_offset() reports.
 */
static int
dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	static int * const connect_flags[] = {
		&hf_smb2_tc_cluster_reconnect,
		&hf_smb2_tc_redirect_to_owner,
		&hf_smb2_tc_extension_present,
		&hf_smb2_tc_reserved,
		NULL
	};
	offset_length_buffer_t path_olb;
	const uint8_t *tree_name;
	uint16_t tc_flags;
	proto_item *parent_item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* flags */
	parent_item = proto_tree_get_parent(tree);
	tc_flags = tvb_get_letohs(tvb, offset);
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_tree_connect_flags, ett_smb2_tree_connect_flags, connect_flags, ENC_LITTLE_ENDIAN);

	if (tc_flags != 0) {
		proto_item_append_text(parent_item, "%s%s%s",
				       (tc_flags & 0x0001)?", CLUSTER_RECONNECT":"",
				       (tc_flags & 0x0002)?", REDIRECT_TO_OWNER":"",
				       (tc_flags & 0x0004)?", EXTENSION_PRESENT":"");
	}
	offset += 2;

	/* tree offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &path_olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);

	/* tree string */
	tree_name = dissect_smb2_olb_string(pinfo, tree, tvb, &path_olb, OLB_TYPE_UNICODE_STRING);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &path_olb);

	if (!pinfo->fd->visited && si->saved && tree_name && path_olb.len) {
		si->saved->extra_info_type = SMB2_EI_TREENAME;
		si->saved->extra_info = wmem_strdup(wmem_file_scope(), tree_name);
	}

	if (tree_name) {
		col_append_fstr(pinfo->cinfo, COL_INFO, ", Tree: '%s'",
				format_text(pinfo->pool, tree_name, strlen(tree_name)));
	}

	return offset;
}
/*
 * Dissect an SMB2 TREE_CONNECT response.
 *
 * On the first pass, when the request left a tree name in si->saved and a
 * session is known, a new tid record is registered in the session's tid map
 * (replacing any record already stored under the same tid).
 *
 * Returns the offset following the response.
 */
static int
dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;
	uint8_t share_type;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection)
			return offset;
	}

	/* share type */
	share_type = tvb_get_uint8(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* byte is reserved and must be set to zero */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
	offset += 1;

	if (!pinfo->fd->visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
		smb2_tid_info_t lookup_key;
		smb2_tid_info_t *entry;

		/* Drop a stale record for this tid before inserting the new one. */
		lookup_key.tid = si->tid;
		if (wmem_map_lookup(si->session->tids, &lookup_key)) {
			wmem_map_remove(si->session->tids, &lookup_key);
		}

		entry = wmem_new(wmem_file_scope(), smb2_tid_info_t);
		entry->tid = si->tid;
		/* The name pointer saved by the request is handed over to the record. */
		entry->name = (char *)si->saved->extra_info;
		entry->connect_frame = pinfo->num;
		entry->disconnect_frame = 0;
		entry->share_type = share_type;

		wmem_map_insert(si->session->tids, entry, entry);

		/* Clear the saved slot so the pointer is not picked up again. */
		si->saved->extra_info_type = SMB2_EI_NONE;
		si->saved->extra_info = NULL;
	}

	if (si->tree) {
		col_append_fstr(pinfo->cinfo, COL_INFO, ", Tree: '%s'", si->tree->name);
	}

	/* share flags */
	offset = dissect_smb2_share_flags(tree, tvb, offset);

	/* share capabilities */
	offset = dissect_smb2_share_caps(tree, tvb, offset);

	/* this is some sort of access mask */
	offset = dissect_smb_access_mask(tvb, tree, offset);

	return offset;
}
/*
 * Dissect an SMB2 TREE_DISCONNECT request: buffer code plus two reserved
 * bytes. The tree name is appended to the Info column when si->tree is set.
 *
 * Returns the offset following the request.
 */
static int
dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	if (si->tree) {
		col_append_fstr(pinfo->cinfo, COL_INFO, ", Tree: '%s'", si->tree->name);
	}

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
/*
 * Dissect an SMB2 TREE_DISCONNECT response.
 *
 * When a tree record is attached to si, the current frame number is stored
 * as its disconnect frame and the tree name is appended to the Info column.
 *
 * Returns the offset following the response.
 */
static int
dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection)
			return offset;
	}

	if (si->tree) {
		si->tree->disconnect_frame = pinfo->fd->num;
		col_append_fstr(pinfo->cinfo, COL_INFO, ", Tree: '%s'", si->tree->name);
	}

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
/*
 * Dissect an SMB2 LOGOFF request: the buffer code followed by two reserved
 * bytes, which are skipped without being added to the tree.
 *
 * Returns the offset following the request.
 */
static int
dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* step over the reserved bytes */
	return offset + 2;
}
/*
 * Dissect an SMB2 LOGOFF response: buffer code (or the error response body
 * for a non-zero status) followed by two reserved bytes.
 *
 * Returns the offset following the response.
 */
static int
dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection)
			return offset;
	}

	/* reserved bytes */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
/*
 * Dissect an SMB2 KEEPALIVE request: buffer code followed by two bytes that
 * are shown as an unknown field.
 *
 * Returns the offset following the request.
 */
static int
dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
/*
 * Dissect an SMB2 KEEPALIVE response: buffer code (or the error response
 * body for a non-zero status) followed by two bytes shown as unknown.
 *
 * Returns the offset following the response.
 */
static int
dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection)
			return offset;
	}

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
/*
 * Dissect an SMB2 CHANGE_NOTIFY request: buffer code, notify flags, output
 * buffer length, file id, completion filter and four reserved bytes.
 *
 * Returns the offset following the request.
 */
static int
dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	proto_item *flags_item = NULL;
	proto_tree *flags_tree = NULL;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* notify flags: the subtree is only built when a tree is present */
	if (tree) {
		flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
	}
	proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* output buffer length */
	proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* fid hash: a generated item, not backed by bytes of this packet */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item;

		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* completion filter */
	offset = dissect_nt_notify_completion_filter(tvb, tree, offset);

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);

	return offset + 4;
}
/* Display names for the action value carried in each notify record. */
static const value_string notify_action_vals[] = {
	{ 0x01, "FILE_ACTION_ADDED" },
	{ 0x02, "FILE_ACTION_REMOVED" },
	{ 0x03, "FILE_ACTION_MODIFIED" },
	{ 0x04, "FILE_ACTION_RENAMED_OLD_NAME" },
	{ 0x05, "FILE_ACTION_RENAMED_NEW_NAME" },
	{ 0x06, "FILE_ACTION_ADDED_STREAM" },
	{ 0x07, "FILE_ACTION_REMOVED_STREAM" },
	{ 0x08, "FILE_ACTION_MODIFIED_STREAM" },
	{ 0x09, "FILE_ACTION_REMOVED_BY_DELETE" },
	{ 0, NULL }	/* terminator */
};
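/*
 * Dissect the output buffer of a CHANGE_NOTIFY response: a chain of records,
 * each holding a next-entry offset, an action, a file name length and the
 * file name. The chain ends at a record whose next-entry offset is zero.
 *
 * The next-entry offset is taken from the packet and is therefore untrusted.
 * A value that would wrap past the range of `offset` is reported as a
 * malformed packet and ends the walk, so the cursor can only move forward
 * and a crafted chain cannot send the loop back over records it has already
 * dissected. This matches the backward-jump check in the directory-info
 * dissectors of this file.
 */
static void
dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	proto_item *item = NULL;
	int offset = 0;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		uint32_t start_offset = offset;
		uint32_t next_offset;
		uint32_t length;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_notify_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_notify_info);
		}

		/* next offset */
		proto_tree_add_item_ret_uint(tree, hf_smb2_notify_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &next_offset);
		offset += 4;

		proto_tree_add_item(tree, hf_smb2_notify_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name length */
		proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
		offset += 4;

		/* file name */
		if (length) {
			proto_tree_add_item(tree, hf_smb2_filename,
				tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		}

		if (!next_offset) {
			break;
		}

		/*
		 * start_offset + next_offset is unsigned 32-bit arithmetic whose
		 * result is stored in an int. Reject any sum that does not fit,
		 * which is exactly the set of values that would land at or before
		 * the current record. The expert item points at the offending
		 * next-offset field.
		 */
		if (next_offset > (uint32_t)INT32_MAX - start_offset) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, start_offset, 4,
				"Invalid offset/length. Malformed packet");
			return;
		}

		offset = start_offset+next_offset;
	}
}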
/*
 * Dissect an SMB2 CHANGE_NOTIFY response: buffer code, the generated file id
 * hash (when one was saved), and the output buffer, which is handed to
 * dissect_smb2_notify_data_out().
 *
 * Returns the offset following the response.
 */
static int
dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t out_olb;
	bool continue_dissection;

	/* MS-SMB2 3.3.4.4 says STATUS_NOTIFY_ENUM_DIR is not treated as an error */
	if (si->status == 0x0000010c /* STATUS_NOTIFY_ENUM_DIR */ || si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection)
			return offset;
	}

	/* fid hash: a generated item, not backed by bytes of this packet */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item;

		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* out buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &out_olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);

	/* out buffer */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &out_olb, si, dissect_smb2_notify_data_out);

	return dissect_smb2_olb_tvb_max_offset(offset, &out_olb);
}
/* Bits of the one-byte flags field of the find request. */
#define SMB2_FIND_FLAG_RESTART_SCANS		0x01
#define SMB2_FIND_FLAG_SINGLE_ENTRY		0x02
#define SMB2_FIND_FLAG_INDEX_SPECIFIED		0x04
#define SMB2_FIND_FLAG_REOPEN			0x10
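/*
 * Dissect an SMB2 find (query directory) request: buffer code, info level,
 * find flags, file index, file id, search pattern and output buffer length.
 *
 * The info level is stored in si->saved so the response can select the
 * matching record dissector; on the first pass the search pattern is saved
 * as extra info as well.
 *
 * The pattern string is only used when the string helper returned one.
 * The tree connect request dissector in this file guards the same helper's
 * result with `if (buf)`, which suggests it can be NULL; without the guard
 * a NULL would be passed to a "%s" conversion.
 *
 * Returns the offset following the request.
 */
static int
dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t olb;
	const uint8_t *buf;
	uint8_t il;
	static int * const f_fields[] = {
		&hf_smb2_find_flags_restart_scans,
		&hf_smb2_find_flags_single_entry,
		&hf_smb2_find_flags_index_specified,
		&hf_smb2_find_flags_reopen,
		NULL
	};
	proto_item *item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	il = tvb_get_uint8(tvb, offset);
	if (si->saved) {
		si->saved->infolevel = il;
	}

	/* infolevel */
	proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
	offset += 1;

	/* find flags */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* file index */
	proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* fid hash: a generated item, not backed by bytes of this packet */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* search pattern offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);

	/* output buffer length */
	proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* search pattern */
	buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);

	/* Save the pattern for the response only when a string was returned. */
	if (!pinfo->fd->visited && si->saved && buf && olb.len) {
		si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
		si->saved->extra_info = wmem_strdup(wmem_file_scope(), buf);
	}

	/* An absent pattern is shown as an empty string. */
	col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
			val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
			buf ? (const char *)buf : "");

	return offset;
}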
/*
 * Dissect a chain of directory-info records from a find response.
 *
 * Each record starts with a next-entry offset relative to the record start;
 * zero ends the chain. Both that offset and the file name length are 32-bit
 * values from the packet held in an int, so a large value becomes negative;
 * a next-entry offset that would move the cursor backwards is flagged as a
 * malformed packet and ends the walk.
 */
static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	proto_item *item = NULL;
	int offset = 0;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		const int entry_start = offset;
		int next_entry;
		int name_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* create time */
		dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last access */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last write */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last change */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name, also appended to the record's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* zero marks the last record */
		if (!next_entry) {
			return;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				"Invalid offset/length. Malformed packet");
			return;
		}
	}
}
/*
 * Dissect a chain of full-directory-info records from a find response.
 *
 * Same layout as the directory-info record plus a four-byte field after the
 * file name length, shown as a reparse tag when the reparse-point attribute
 * bit is set and as the EA size otherwise.
 *
 * The next-entry offset and file name length are 32-bit packet values held
 * in an int; a next-entry offset that would move the cursor backwards is
 * flagged as a malformed packet and ends the walk.
 */
static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	proto_item *item = NULL;
	int offset = 0;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		const int entry_start = offset;
		uint32_t file_attrs;
		int next_entry;
		int name_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* create time */
		dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last access */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last write */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last change */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, &file_attrs);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* ea size or reparse tag */
		if (file_attrs & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT) {
			proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		} else {
			proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		}
		offset += 4;

		/* file name, also appended to the record's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* zero marks the last record */
		if (!next_entry) {
			return;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				"Invalid offset/length. Malformed packet");
			return;
		}
	}
}
/*
 * Dissect a chain of both-directory-info records from a find response.
 *
 * Extends the full-directory-info layout with a one-byte short name length,
 * a reserved byte and a fixed 24-byte short name area ahead of the file
 * name. The cursor always advances by 24 over the short name area,
 * whatever the short name length says.
 *
 * The next-entry offset and file name length are 32-bit packet values held
 * in an int; a next-entry offset that would move the cursor backwards is
 * flagged as a malformed packet and ends the walk.
 */
static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	proto_item *item = NULL;
	int offset = 0;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		const int entry_start = offset;
		uint32_t file_attrs;
		int next_entry;
		int name_len;
		int short_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* create time */
		dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last access */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last write */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last change */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, &file_attrs);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* ea size or reparse tag */
		if (file_attrs & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT) {
			proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		} else {
			proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		}
		offset += 4;

		/* short name length */
		short_len = tvb_get_uint8(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* short name: fixed 24-byte area, only short_len bytes displayed */
		if (short_len) {
			proto_tree_add_item(tree, hf_smb2_short_name,
				tvb, offset, short_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		}
		offset += 24;

		/* file name, also appended to the record's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* zero marks the last record */
		if (!next_entry) {
			return;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				"Invalid offset/length. Malformed packet");
			return;
		}
	}
}
/*
 * Dissect a chain of name-only records from a find response: next-entry
 * offset, file index, file name length and file name.
 *
 * NOTE(review): the per-record item is created with
 * hf_smb2_both_directory_info / ett_smb2_both_directory_info; confirm that
 * sharing the both-directory-info field is intended for this level.
 *
 * The next-entry offset and file name length are 32-bit packet values held
 * in an int; a next-entry offset that would move the cursor backwards is
 * flagged as a malformed packet and ends the walk.
 */
static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	proto_item *item = NULL;
	int offset = 0;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		const int entry_start = offset;
		int next_entry;
		int name_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name, also appended to the record's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		if (si->saved) {
			si->saved->num_matched++;
		}

		proto_item_set_len(item, offset - entry_start);

		/* zero marks the last record */
		if (!next_entry) {
			return;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				"Invalid offset/length. Malformed packet");
			return;
		}
	}
}
/*
 * Dissect a chain of id-both-directory-info records from a find response.
 *
 * Extends the both-directory-info layout with two reserved bytes and an
 * eight-byte file id between the 24-byte short name area and the file name.
 *
 * The next-entry offset and file name length are 32-bit packet values held
 * in an int; a next-entry offset that would move the cursor backwards is
 * flagged as a malformed packet and ends the walk.
 */
static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	proto_item *item = NULL;
	int offset = 0;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		const int entry_start = offset;
		uint32_t file_attrs;
		int next_entry;
		int name_len;
		int short_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* create time */
		dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last access */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last write */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last change */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, &file_attrs);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* ea size or reparse tag */
		if (file_attrs & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT) {
			proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		} else {
			proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		}
		offset += 4;

		/* short name length */
		short_len = tvb_get_uint8(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* short name: fixed 24-byte area, only short_len bytes displayed */
		if (short_len) {
			proto_tree_add_item(tree, hf_smb2_short_name,
				tvb, offset, short_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		}
		offset += 24;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		offset += 2;

		/* file id */
		proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* file name, also appended to the record's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* zero marks the last record */
		if (!next_entry) {
			return;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				"Invalid offset/length. Malformed packet");
			return;
		}
	}
}
/*
 * Dissect a chain of id-full-directory-info records from a find response.
 *
 * Extends the full-directory-info layout with four reserved bytes and an
 * eight-byte file id ahead of the file name.
 *
 * NOTE(review): the per-record item is created with
 * hf_smb2_id_both_directory_info / ett_smb2_id_both_directory_info; confirm
 * that sharing the id-both field is intended for this level.
 *
 * The next-entry offset and file name length are 32-bit packet values held
 * in an int; a next-entry offset that would move the cursor backwards is
 * flagged as a malformed packet and ends the walk.
 */
static void dissect_smb2_id_full_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	proto_item *item = NULL;
	int offset = 0;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		const int entry_start = offset;
		uint32_t file_attrs;
		int next_entry;
		int name_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* create time */
		dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last access */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last write */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* last change */
		dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, &file_attrs);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* ea size or reparse tag */
		if (file_attrs & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT) {
			proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		} else {
			proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		}
		offset += 4;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;

		/* file id */
		proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* file name, also appended to the record's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* zero marks the last record */
		if (!next_entry) {
			return;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				"Invalid offset/length. Malformed packet");
			return;
		}
	}
}
/*
 * Dissect the fixed part of a POSIX info record: four timestamps, end of
 * file, allocation size, file attributes, inode, device id, four reserved
 * bytes, link count, reparse tag, POSIX permission bits, then the owner and
 * group SIDs. Increments si->saved->num_matched when si->saved is set.
 *
 * Returns the offset following the group SID.
 */
static int dissect_smb2_posix_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	int pos = offset;

	/* create time */
	dissect_nttime(tvb, tree, pos, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* last access */
	dissect_nttime(tvb, tree, pos, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* last write */
	dissect_nttime(tvb, tree, pos, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* last change */
	dissect_nttime(tvb, tree, pos, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* end of file */
	proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* allocation size */
	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* File Attributes */
	pos = dissect_fscc_file_attr(tvb, tree, pos, NULL);

	/* file index (inode) */
	proto_tree_add_item(tree, hf_smb2_inode, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* dev id */
	proto_tree_add_item(tree, hf_smb2_dev, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* zero */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, pos, 4, ENC_NA);
	pos += 4;

	/* Hardlinks */
	proto_tree_add_item(tree, hf_smb2_nlinks, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* Reparse tag */
	proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* POSIX mode bits */
	proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* Owner and Group SID */
	pos = dissect_nt_sid(tvb, pos, tree, "Owner SID", NULL, -1);
	pos = dissect_nt_sid(tvb, pos, tree, "Group SID", NULL, -1);

	if (si->saved) {
		si->saved->num_matched++;
	}

	return pos;
}
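/*
 * Dissect a chain of POSIX directory records from a find response.
 *
 * Each record holds a next-entry offset, four bytes that are skipped
 * without being added to the tree, the POSIX info block (handled by
 * dissect_smb2_posix_info()), a file name length and the file name.
 * A next-entry offset of zero ends the chain.
 *
 * The file name length is kept in a uint32_t so that the pointer handed to
 * proto_tree_add_item_ret_uint() has the unsigned 32-bit type used by the
 * other callers of that function in this file, instead of an int pointer.
 *
 * The next-entry offset is a 32-bit packet value held in an int; a value
 * that would move the cursor backwards is flagged as a malformed packet and
 * ends the walk.
 */
static void dissect_smb2_posix_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		int old_offset = offset;
		int next_offset;
		uint32_t file_name_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_posix_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_posix_info);
		}

		/* next offset */
		next_offset = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;
		/* four bytes following the next offset are not dissected */
		offset += 4;

		offset = dissect_smb2_posix_info(tvb, pinfo, tree, offset, si);

		/* file name length */
		proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &file_name_len);
		offset += 4;

		/* file name */
		if (file_name_len) {
			proto_tree_add_item(tree, hf_smb2_filename, tvb, offset, file_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
			offset += file_name_len;
		}

		proto_item_set_len(item, offset-old_offset);

		/* zero marks the last record */
		if (next_offset == 0) {
			return;
		}

		offset = old_offset+next_offset;
		if (offset < old_offset) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				"Invalid offset/length. Malformed packet");
			return;
		}
	}
}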
/*
 * One row of the FIND dispatch table: an information level and the
 * routine that dissects a response buffer of that level.
 */
typedef struct _smb2_find_dissector_t {
	uint32_t level;		/* value compared with the saved infolevel */
	void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
} smb2_find_dissector_t;
/*
 * FIND information levels and their dissectors. The table is terminated by
 * an entry whose dissector is NULL; dissect_smb2_find_data() stops there.
 */
static smb2_find_dissector_t smb2_find_dissectors[] = {
	{ .level = SMB2_FIND_DIRECTORY_INFO,         .dissector = dissect_smb2_file_directory_info },
	{ .level = SMB2_FIND_FULL_DIRECTORY_INFO,    .dissector = dissect_smb2_full_directory_info },
	{ .level = SMB2_FIND_BOTH_DIRECTORY_INFO,    .dissector = dissect_smb2_both_directory_info },
	{ .level = SMB2_FIND_NAME_INFO,              .dissector = dissect_smb2_file_name_info },
	{ .level = SMB2_FIND_ID_BOTH_DIRECTORY_INFO, .dissector = dissect_smb2_id_both_directory_info },
	{ .level = SMB2_FIND_ID_FULL_DIRECTORY_INFO, .dissector = dissect_smb2_id_full_directory_info },
	{ .level = SMB2_FIND_POSIX_INFO,             .dissector = dissect_smb2_posix_directory_info },
	{ .level = 0,                                .dissector = NULL }
};
/*
 * Dissect the data buffer of a FIND response.
 *
 * When saved request state is available, the match counter is reset and the
 * buffer is handed to the table entry whose level equals the saved
 * infolevel. Without saved state, or when no entry matches, the whole
 * captured buffer is added as an unknown field.
 */
static void
dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	if (si->saved) {
		si->saved->num_matched = 0;

		for (smb2_find_dissector_t *entry = smb2_find_dissectors; entry->dissector; entry++) {
			if (entry->level == si->saved->infolevel) {
				entry->dissector(tvb, pinfo, tree, si);
				return;
			}
		}
	}

	/* no saved infolevel, or a level we have no dissector for */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
}
/*
 * Dissect a FIND response.
 *
 * Generated items (file id hash, info level, match count) are taken from
 * the saved request state when it exists. A non-zero status is handed to
 * dissect_smb2_error_response(), which decides whether dissection of the
 * rest of the response continues.
 *
 * Returns the offset after the dissected data.
 */
static int
dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	offset_length_buffer_t olb;
	proto_item *item = NULL;
	bool continue_dissection;

	if (si->saved) {
		/* fid hash */
		if (si->saved->fid_hash) {
			item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
				si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
			proto_item_set_generated(item);
		}

		/* infolevel, remembered from the request */
		item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
		proto_item_set_generated(item);

		/* search pattern, if the request stored one */
		if (si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", %s Pattern: %s",
					val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
					(const char *)si->saved->extra_info);
		}
	}

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* findinfo offset */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);

	/* the buffer */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);

	/* num_matched is reset in dissect_smb2_find_data() */
	if (si->saved) {
		item = proto_tree_add_uint_format(tree, hf_smb2_num_matched, tvb, 0, 0,
			si->saved->num_matched, "Matched: %u names", si->saved->num_matched);
		proto_item_set_generated(item);

		col_append_fstr(pinfo->cinfo, COL_INFO, ", %u matches", si->saved->num_matched);
	}

	return offset;
}
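/*
 * Dissect one negotiate context: an 8-byte header (2-byte type, 2-byte data
 * length, 4 reserved bytes) followed by type-specific data.
 *
 * In a response (SMB2_FLAGS_RESPONSE set) with conversation state present,
 * the first cipher id and the first signing algorithm id are stored in
 * si->conv->enc_alg and si->conv->sign_alg.
 *
 * All counts and lengths are read from the packet and are untrusted.
 * NOTE(review): for the known context types the returned offset is advanced
 * by the fields actually parsed, not by data_length; a context whose
 * declared length disagrees with its contents is not flagged here.
 *
 * Returns the offset after the dissected context data.
 */
static int
dissect_smb2_negotiate_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	uint16_t type;
	const char *type_str;
	uint32_t i, data_length, salt_length, hash_count, cipher_count, comp_count, transform_count;
	uint32_t signing_count;
	proto_item *sub_item;
	proto_tree *sub_tree;
	static int * const comp_alg_flags_fields[] = {
		&hf_smb2_comp_alg_flags_chained,
		&hf_smb2_comp_alg_flags_reserved,
		NULL
	};

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_negotiate_context_element, &sub_item, "Negotiate Context");

	/* type: a 2-byte field, so read 16 bits (the previous 32-bit read was
	 * truncated into the uint16_t and needed 4 bytes to be present) */
	type = tvb_get_letohs(tvb, offset);
	type_str = val_to_str(type, smb2_negotiate_context_types, "Unknown Type: (0x%0x)");
	proto_item_append_text(sub_item, ": %s ", type_str);
	proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* data length; the subtree covers the data plus the 8-byte header */
	proto_tree_add_item_ret_uint(sub_tree, hf_smb2_negotiate_context_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &data_length);
	proto_item_set_len(sub_item, data_length + 8);
	offset += 2;

	/* reserved */
	proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	switch (type)
	{
		case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_hash_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &hash_count);
			offset += 2;
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_salt_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &salt_length);
			offset += 2;

			for (i = 0; i < hash_count; i++)
			{
				proto_tree_add_item(sub_tree, hf_smb2_hash_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}

			if (salt_length)
			{
				proto_tree_add_item(sub_tree, hf_smb2_salt, tvb, offset, salt_length, ENC_NA);
				offset += salt_length;
			}
			break;

		case SMB2_ENCRYPTION_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_cipher_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &cipher_count);
			offset += 2;

			for (i = 0; i < cipher_count; i ++)
			{
				/* in SMB3.1.1 the first cipher returned by the server is the session encryption algorithm */
				if (i == 0 && si && si->conv && (si->flags & SMB2_FLAGS_RESPONSE)) {
					uint16_t first_cipher = tvb_get_letohs(tvb, offset);
					si->conv->enc_alg = first_cipher;
				}
				proto_tree_add_item(sub_tree, hf_smb2_cipher_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}
			break;

		case SMB2_COMPRESSION_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_comp_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &comp_count);
			offset += 2;

			/* padding */
			offset += 2;

			/* flags */
			proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_comp_alg_flags, ett_smb2_comp_alg_flags, comp_alg_flags_fields, ENC_LITTLE_ENDIAN);
			offset += 4;

			for (i = 0; i < comp_count; i ++) {
				proto_tree_add_item(sub_tree, hf_smb2_comp_alg_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}
			break;

		case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID:
			proto_tree_add_item(sub_tree, hf_smb2_netname_neg_id, tvb, offset,
					    data_length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
			offset += data_length;
			break;

		case SMB2_TRANSPORT_CAPABILITIES:
			proto_tree_add_item(sub_tree, hf_smb2_transport_ctx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
			offset += 4;
			break;

		case SMB2_RDMA_TRANSFORM_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_rdma_transform_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &transform_count);
			offset += 2;

			proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_reserved1, tvb, offset, 2, ENC_LITTLE_ENDIAN);
			offset += 2;
			proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
			offset += 4;

			for (i = 0; i < transform_count; i++) {
				proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}
			break;

		case SMB2_SIGNING_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_signing_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &signing_count);
			offset += 2;

			for (i = 0; i < signing_count; i++) {
				/* the first signing algorithm id in a response is recorded as the one used on this conversation */
				if (i == 0 && si && si->conv && (si->flags & SMB2_FLAGS_RESPONSE)) {
					uint16_t first_sign_alg = tvb_get_letohs(tvb, offset);
					si->conv->sign_alg = first_sign_alg;
				}
				proto_tree_add_item(sub_tree, hf_smb2_signing_alg_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}
			break;

		case SMB2_POSIX_EXTENSIONS_CAPABILITIES:
			proto_tree_add_item(sub_tree, hf_smb2_posix_reserved, tvb, offset, data_length, ENC_NA);
			offset += data_length;
			break;

		default:
			/* unknown context type: show the declared data as opaque bytes */
			proto_tree_add_item(sub_tree, hf_smb2_unknown, tvb, offset, data_length, ENC_NA);
			offset += data_length;
			break;
	}

	return offset;
}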
/*
 * Dissect a NEGOTIATE request.
 *
 * On the first pass over the packet (and only when saved state exists) both
 * preauth hash buffers of the conversation are cleared, the connection
 * buffer becomes the current one, the hash is updated with this packet and
 * a copy is kept in the saved state for display.
 *
 * The negotiate context offset and count are only honoured when the dialect
 * list contains a dialect >= SMB2_DIALECT_310; otherwise non-zero values
 * get an expert info and are ignored.
 *
 * Returns the offset after the dissected data.
 */
static int
dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	smb2_saved_info_t *saved = si->saved;
	proto_item *ctx_offset_item, *ctx_count_item;
	proto_item *hash_item = NULL;
	bool has_310_dialect = false;
	uint16_t dialect_count;
	uint32_t ctx_offset;
	uint32_t ctx_count;
	uint16_t idx;

	/* compute preauth hash on first pass */
	if (saved && !pinfo->fd->visited) {
		saved->preauth_hash_req = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
		memset(si->conv->preauth_hash_ses, 0, SMB2_PREAUTH_HASH_SIZE);
		memset(si->conv->preauth_hash_con, 0, SMB2_PREAUTH_HASH_SIZE);
		si->conv->preauth_hash_current = si->conv->preauth_hash_con;
		update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
		memcpy(saved->preauth_hash_req, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
	}

	if (saved && saved->preauth_hash_req) {
		hash_item = proto_tree_add_bytes_with_length(tree,
							     hf_smb2_preauth_hash, tvb,
							     0, tvb_captured_length(tvb),
							     saved->preauth_hash_req, SMB2_PREAUTH_HASH_SIZE);
		proto_item_set_generated(hash_item);
	}

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* dialect count */
	dialect_count = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* security mode, skip second byte */
	offset = dissect_smb2_secmode(tree, tvb, offset);
	offset++;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* capabilities */
	offset = dissect_smb2_capabilities(tree, tvb, offset);

	/* client guid */
	proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	offset += 16;

	/* negotiate context offset */
	ctx_offset_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &ctx_offset);
	offset += 4;

	/* negotiate context count */
	ctx_count_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ctx_count);
	offset += 2;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* dialect list */
	for (idx = 0; idx < dialect_count; idx++) {
		uint16_t dialect = tvb_get_letohs(tvb, offset);

		proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		if (dialect >= SMB2_DIALECT_310) {
			has_310_dialect = true;
		}
	}

	if (!has_310_dialect) {
		/*
		 * XXX - without 3.10 or later in the list, the context
		 * offset/count/reserved bytes should really be shown as an
		 * 8-byte ClientStartTime field, which the client sets to
		 * zero and the server ignores. That would need a look-ahead
		 * over the dialect list, which may be cut short by the
		 * snapshot length, malformed, or not reassembled.
		 *
		 * [MS-SMB2] says 3.11, but 3.10 is deprecated and appears
		 * to behave the same way in this regard.
		 */
		if (ctx_count != 0) {
			expert_add_info(pinfo, ctx_count_item, &ei_smb2_bad_negprot_negotiate_context_count);
			ctx_count = 0;
		}
		if (ctx_offset != 0) {
			expert_add_info(pinfo, ctx_offset_item, &ei_smb2_bad_negprot_negotiate_context_offset);
			ctx_offset = 0;
		}
	}

	if (ctx_offset != 0) {
		/* 0x40 + 36 fixed bytes plus the dialect list */
		uint32_t dialects_end = 0x40 + 36 + dialect_count * 2;

		if (ctx_offset < dialects_end) {
			/* contexts cannot start inside the part already dissected */
			ctx_count = 0;
		} else {
			/* NOTE(review): ctx_offset is untrusted and is not
			 * compared with the buffer length here; later reads
			 * appear to rely on the tvb accessors - confirm. */
			offset += ctx_offset - dialects_end;
		}
	}

	/* each context starts on an 8-byte boundary */
	for (idx = 0; idx < ctx_count; idx++) {
		offset = WS_ROUNDUP_8(offset);
		offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
	}

	return offset;
}
/*
 * Dissect a NEGOTIATE response.
 *
 * On the first pass (with saved state) the current preauth hash is updated
 * with this packet, copied into the saved state, and stashed in the
 * conversation's session buffer, which then becomes the current buffer.
 *
 * The chosen dialect is stored in si->conv->dialect and drives the default
 * encryption and signing algorithms set here; negotiate contexts dissected
 * afterwards may store other values (see dissect_smb2_negotiate_context()).
 *
 * Returns the offset after the dissected data.
 */
static int
dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	smb2_saved_info_t *saved = si->saved;
	offset_length_buffer_t sec_olb;
	proto_item *hash_item = NULL;
	bool continue_dissection;
	uint32_t ctx_offset;
	uint32_t ctx_count;
	uint16_t idx;

	/* compute preauth hash on first pass */
	if (saved && !pinfo->fd->visited) {
		saved->preauth_hash_res = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
		update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
		memcpy(saved->preauth_hash_res, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);

		/*
		 * Every new session on this conversation must start from
		 * the preauth hash value as of the negprot response, so
		 * keep a copy and switch buffers.
		 */
		memcpy(si->conv->preauth_hash_ses, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
		si->conv->preauth_hash_current = si->conv->preauth_hash_ses;
	}

	if (saved && saved->preauth_hash_res) {
		hash_item = proto_tree_add_bytes_with_length(tree,
							     hf_smb2_preauth_hash, tvb,
							     0, tvb_captured_length(tvb),
							     saved->preauth_hash_res, SMB2_PREAUTH_HASH_SIZE);
		proto_item_set_generated(hash_item);
	}

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* security mode, skip second byte */
	offset = dissect_smb2_secmode(tree, tvb, offset);
	offset++;

	/* dialect picked */
	si->conv->dialect = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* negotiate context count/reserved */
	/*
	 * Unless the chosen dialect is 3.10 or later this is a reserved
	 * field that should be zero.
	 *
	 * [MS-SMB2] says 3.11, but 3.10 is deprecated and appears to behave
	 * the same way in this regard.
	 */
	if (si->conv->dialect >= SMB2_DIALECT_310) {
		proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ctx_count);
	} else {
		proto_item *reserved_item;

		reserved_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ctx_count);
		if (ctx_count != 0) {
			expert_add_info(pinfo, reserved_item, &ei_smb2_bad_negprot_reserved);
			ctx_count = 0;
		}
	}
	offset += 2;

	/* server GUID */
	proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	offset += 16;

	/* capabilities */
	offset = dissect_smb2_capabilities(tree, tvb, offset);

	/* max trans size */
	proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* max read size */
	proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* max write size */
	proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* current time */
	dissect_nttime(tvb, tree, offset, hf_smb2_current_time, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* boot time */
	dissect_nttime(tvb, tree, offset, hf_smb2_boot_time, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* security blob offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &sec_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);

	/* the security blob itself */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &sec_olb, si, dissect_smb2_secblob);

	/* negotiate context offset/reserved2 */
	/*
	 * Same rule as for the count above: a reserved field that should be
	 * zero unless the chosen dialect is 3.10 or later.
	 */
	if (si->conv->dialect >= SMB2_DIALECT_310) {
		proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &ctx_offset);
	} else {
		proto_item *reserved2_item;

		reserved2_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN, &ctx_offset);
		if (ctx_offset != 0) {
			expert_add_info(pinfo, reserved2_item, &ei_smb2_bad_negprot_reserved2);
			ctx_offset = 0;
		}
	}
	offset += 4;

	offset = dissect_smb2_olb_tvb_max_offset(offset, &sec_olb);

	if (si->conv->dialect == SMB2_DIALECT_300 || si->conv->dialect == SMB2_DIALECT_302) {
		/* If we know we are decrypting SMB3.0, it must be CCM */
		si->conv->enc_alg = SMB2_CIPHER_AES_128_CCM;
	}

	/* default signing algorithm: CMAC from dialect 3.0 on, HMAC-SHA256 before */
	if (si->conv->dialect < SMB2_DIALECT_300) {
		si->conv->sign_alg = SMB2_SIGNING_ALG_HMAC_SHA256;
	} else {
		si->conv->sign_alg = SMB2_SIGNING_ALG_AES_CMAC;
	}

	if (si->conv->dialect < SMB2_DIALECT_310) {
		ctx_count = 0;
	}

	if (ctx_offset != 0) {
		/* 0x40 + 64 fixed bytes plus the security blob */
		uint32_t blob_end = 0x40 + 64 + sec_olb.len;

		if (ctx_offset < blob_end) {
			/* contexts cannot start inside the part already dissected */
			ctx_count = 0;
		} else {
			/* NOTE(review): ctx_offset is untrusted and is not
			 * compared with the buffer length here; later reads
			 * appear to rely on the tvb accessors - confirm. */
			offset += ctx_offset - blob_end;
		}
	}

	/* each context starts on an 8-byte boundary */
	for (idx = 0; idx < ctx_count; idx++) {
		offset = WS_ROUNDUP_8(offset);
		offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
	}

	return offset;
}
/*
 * Display strings for the bits of the "additional information" security
 * mask; the first string of each pair is shown when the bit is set.
 */
static const true_false_string tfs_additional_owner = {
	.true_string  = "Requesting OWNER security information",
	.false_string = "NOT requesting owner security information",
};

static const true_false_string tfs_additional_group = {
	.true_string  = "Requesting GROUP security information",
	.false_string = "NOT requesting group security information",
};

static const true_false_string tfs_additional_dacl = {
	.true_string  = "Requesting DACL security information",
	.false_string = "NOT requesting DACL security information",
};

static const true_false_string tfs_additional_sacl = {
	.true_string  = "Requesting SACL security information",
	.false_string = "NOT requesting SACL security information",
};

static const true_false_string tfs_additional_label = {
	.true_string  = "Requesting integrity label security information",
	.false_string = "NOT requesting integrity label security information",
};

static const true_false_string tfs_additional_attribute = {
	.true_string  = "Requesting resource attribute security information",
	.false_string = "NOT requesting resource attribute security information",
};

static const true_false_string tfs_additional_scope = {
	.true_string  = "Requesting central access policy security information",
	.false_string = "NOT requesting central access policy security information",
};

static const true_false_string tfs_additional_backup = {
	.true_string  = "Requesting backup operation security information",
	.false_string = "NOT requesting backup operation security information",
};
/*
 * Dissect the 4-byte "additional information" field as a security
 * information bitmask and return the offset after it.
 */
static int
dissect_additional_information_sec_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
{
	/* SMB1 did not define all of these security flags yet (see
	 * dissect_security_information_mask()), so SMB2 has its own
	 * dissector. */
	static int * const sec_info_bits[] = {
		&hf_smb2_getsetinfo_additional_owner,
		&hf_smb2_getsetinfo_additional_group,
		&hf_smb2_getsetinfo_additional_dacl,
		&hf_smb2_getsetinfo_additional_sacl,
		&hf_smb2_getsetinfo_additional_label,
		&hf_smb2_getsetinfo_additional_attribute,
		&hf_smb2_getsetinfo_additional_scope,
		&hf_smb2_getsetinfo_additional_backup,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_getsetinfo_additionals,
			       ett_smb2_additional_information_sec_mask, sec_info_bits, ENC_LITTLE_ENDIAN);

	return offset + 4;
}
/*
 * Dissect the two 4-byte parameter fields of a GETINFO request: the
 * additional-information field and the flags.
 *
 * si->saved is dereferenced without a check; the caller visible in this
 * file (dissect_smb2_getinfo_request()) only calls this when it is set.
 *
 * Returns the offset after both fields.
 */
static int
dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
{
	static int* const ea_query_flags[] = {
		&hf_smb2_query_info_flag_restart_scan,
		&hf_smb2_query_info_flag_return_single_entry,
		&hf_smb2_query_info_flag_index_specified,
		NULL
	};

	/* Additional Info: a security mask for security queries, a plain value otherwise */
	if (si->saved->smb2_class == SMB2_CLASS_SEC_INFO) {
		dissect_additional_information_sec_mask(tvb, tree, offset);
	} else {
		proto_tree_add_item(tree, hf_smb2_getsetinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	}
	offset += 4;

	/* Flags: broken out into bits only for full-EA queries */
	if (si->saved->infolevel != SMB2_FILE_FULL_EA_INFO) {
		proto_tree_add_item(tree, hf_smb2_getinfo_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	} else {
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_query_info_flags, ett_smb2_query_info_flags, ea_query_flags, ENC_LITTLE_ENDIAN);
	}

	return offset + 4;
}
/*
 * Dissect the quota query input buffer of a GETINFO request: two 1-byte
 * fields, 2 reserved bytes, then the SID list length, start SID length and
 * start SID offset (4 bytes each), followed by either a SID list or a
 * single start SID.
 *
 * Returns the offset after the dissected data.
 */
static int
dissect_smb2_getinfo_buffer_quota(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *quota_item = NULL;
	proto_tree *quota_tree = NULL;
	uint32_t sidlist_len = 0;
	uint32_t startsid_len = 0;
	uint32_t startsid_offset = 0;

	if (parent_tree) {
		quota_item = proto_tree_add_item(parent_tree, hf_smb2_query_quota_info, tvb, offset, -1, ENC_NA);
		quota_tree = proto_item_add_subtree(quota_item, ett_smb2_query_quota_info);
	}

	proto_tree_add_item(quota_tree, hf_smb2_qq_single, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	proto_tree_add_item(quota_tree, hf_smb2_qq_restart, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* reserved */
	proto_tree_add_item(quota_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	proto_tree_add_item_ret_uint(quota_tree, hf_smb2_qq_sidlist_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &sidlist_len);
	offset += 4;

	proto_tree_add_item_ret_uint(quota_tree, hf_smb2_qq_start_sid_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_len);
	offset += 4;

	proto_tree_add_item_ret_uint(quota_tree, hf_smb2_qq_start_sid_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_offset);
	offset += 4;

	/* a SID list takes precedence over a start SID */
	if (sidlist_len != 0) {
		return dissect_nt_get_user_quota(tvb, quota_tree, offset, &sidlist_len);
	}

	if (startsid_len != 0) {
		/* NOTE(review): startsid_offset is untrusted and is added
		 * without a range check; the read presumably relies on the
		 * tvb accessors inside dissect_nt_sid() - confirm. */
		return dissect_nt_sid(tvb, offset + startsid_offset, quota_tree, "Start SID", NULL, -1);
	}

	return offset;
}
/*
 * Dissect the class and info level bytes of a GETINFO/SETINFO message.
 *
 * In a request both bytes are read from the packet and, when saved state
 * exists, remembered there. In a response they are taken from the saved
 * state and shown as generated items; without saved state nothing is added
 * and the offset is returned unchanged.
 *
 * Returns the offset after the two bytes.
 */
static int
dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
{
	const bool is_response = (si->flags & SMB2_FLAGS_RESPONSE) != 0;
	/* defaults, used for quota (which has no info level) and unknown classes */
	int level_hf = hf_smb2_infolevel;
	value_string_ext *level_names = NULL; /* allowed arg to val_to_str_ext() */
	uint8_t info_class, info_level;
	proto_item *item;

	if (is_response) {
		if (!si->saved) {
			return offset;
		}
		info_class = si->saved->smb2_class;
		info_level = si->saved->infolevel;
	} else {
		info_class = tvb_get_uint8(tvb, offset);
		info_level = tvb_get_uint8(tvb, offset+1);
		if (si->saved) {
			si->saved->smb2_class = info_class;
			si->saved->infolevel = info_level;
		}
	}

	/* pick the header field and name table that match the class */
	switch (info_class) {
	case SMB2_CLASS_FILE_INFO:
		level_hf = hf_smb2_infolevel_file_info;
		level_names = &smb2_file_info_levels_ext;
		break;
	case SMB2_CLASS_FS_INFO:
		level_hf = hf_smb2_infolevel_fs_info;
		level_names = &smb2_fs_info_levels_ext;
		break;
	case SMB2_CLASS_SEC_INFO:
		level_hf = hf_smb2_infolevel_sec_info;
		level_names = &smb2_sec_info_levels_ext;
		break;
	default:
		break;
	}

	/* class */
	item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, info_class);
	if (is_response) {
		proto_item_set_generated(item);
	}

	/* infolevel */
	item = proto_tree_add_uint(tree, level_hf, tvb, offset+1, 1, info_level);
	if (is_response) {
		proto_item_set_generated(item);
	}
	offset += 2;

	/* COL_INFO is only updated for requests; doing it for replies as
	 * well clutters the display too much. */
	if (!is_response) {
		col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
				val_to_str(info_class, smb2_class_vals, "(Class:0x%02x)"),
				val_to_str_ext(info_level, level_names, "(Level:0x%02x)"));
	}

	return offset;
}
/*
 * Dissect a GETINFO (QUERY_INFO) request.
 *
 * After the fixed fields and the file id, an input buffer is dissected only
 * for quota queries and FileFullEaInformation queries, and only after the
 * packet-supplied offset and size have been checked against the fixed part
 * of the message and the reported length of the buffer.
 *
 * Returns the offset after the dissected data.
 */
static int
dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint32_t input_size = 0;
	uint32_t input_offset = 0;
	proto_item *offset_item;
	proto_item *item;
	bool is_quota;
	bool is_full_ea;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* class and info level */
	offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	/* max response size */
	proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* offset */
	offset_item = proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN, &input_offset);
	offset += 2;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* size */
	proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &input_size);
	offset += 4;

	/* parameters */
	if (si->saved) {
		offset = dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
	} else {
		/* some unknown bytes */
		proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 8, ENC_NA);
		offset += 8;
	}

	/* fid hash */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* buffer: the class and level are needed to interpret it */
	if (!si->saved) {
		return offset;
	}

	is_quota = (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO);
	is_full_ea = (si->saved->smb2_class == SMB2_CLASS_FILE_INFO &&
		      si->saved->infolevel == SMB2_FILE_FULL_EA_INFO);

	if (input_size == 0) {
		/*
		 * A size of 0 means the buffer is not present.
		 *
		 * 2.2.37 requires FileFullEaInformation requests to carry
		 * "zero or more FILE_GET_EA_INFORMATION structures", so an
		 * empty buffer looks legitimate there: it is the only
		 * obvious way to send zero structures.
		 *
		 * For quota requests 2.2.37 says the input buffer MUST
		 * contain an SMB2_QUERY_QUOTA_INFO (section 2.2.37.1),
		 * which implies it must not be empty.
		 */
		if (is_quota)
			expert_add_info(pinfo, offset_item, &ei_smb2_empty_getinfo_buffer);
		return offset;
	}

	/*
	 * 2.2.37 says the size MUST be the length of the embedded
	 * SMB2_QUERY_QUOTA_INFO for quota requests and the length of the
	 * user supplied EA list ([MS-FSCC] 2.4.15.1) for
	 * FileFullEaInformation requests; for other queries it SHOULD be 0
	 * and the server MUST ignore it.
	 *
	 * So for any other request type a non-zero size is ignored here: it
	 * is neither interpreted nor validated (at most it would deserve a
	 * warning-level expert info saying it should be zero).
	 */
	if (!is_quota && !is_full_ea) {
		return offset;
	}

	/* The input buffer must start after the fixed-length part of the message. */
	if (input_offset < (unsigned)offset) {
		expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_offset);
		return offset;
	}

	/*
	 * The input buffer must lie within the message: reject
	 * offset+length wrapping around and offset+length reaching past
	 * the reported length of the tvbuff.
	 */
	if (input_offset + input_size < input_offset ||
	    input_offset + input_size > tvb_reported_length(tvb)) {
		expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_size);
		return offset;
	}

	if (is_quota) {
		dissect_smb2_getinfo_buffer_quota(tvb, pinfo, tree, input_offset, si);
	} else {
		/* XXX - handle user supplied EA info. */
		proto_tree_add_item(tree, hf_smb2_unknown, tvb, input_offset, input_size, ENC_NA);
	}

	offset = input_offset + input_size;
	return offset;
}
6383 static int
6384 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, uint8_t smb2_class, uint8_t infolevel)
6386 int old_offset = offset;
6388 switch (smb2_class) {
6389 case SMB2_CLASS_FILE_INFO:
6390 switch (infolevel) {
6391 case SMB2_FILE_BASIC_INFO:
6392 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
6393 break;
6394 case SMB2_FILE_STANDARD_INFO:
6395 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
6396 break;
6397 case SMB2_FILE_INTERNAL_INFO:
6398 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
6399 break;
6400 case SMB2_FILE_EA_INFO:
6401 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
6402 break;
6403 case SMB2_FILE_ACCESS_INFO:
6404 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
6405 break;
6406 case SMB2_FILE_RENAME_INFO:
6407 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
6408 break;
6409 case SMB2_FILE_LINK_INFO:
6410 offset = dissect_smb2_file_link_info(tvb, pinfo, tree, offset, si);
6411 break;
6412 case SMB2_FILE_DISPOSITION_INFO:
6413 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
6414 break;
6415 case SMB2_FILE_POSITION_INFO:
6416 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
6417 break;
6418 case SMB2_FILE_FULL_EA_INFO:
6419 offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
6420 break;
6421 case SMB2_FILE_MODE_INFO:
6422 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
6423 break;
6424 case SMB2_FILE_ALIGNMENT_INFO:
6425 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
6426 break;
6427 case SMB2_FILE_ALL_INFO:
6428 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
6429 break;
6430 case SMB2_FILE_ALLOCATION_INFO:
6431 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
6432 break;
6433 case SMB2_FILE_ENDOFFILE_INFO:
6434 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
6435 break;
6436 case SMB2_FILE_ALTERNATE_NAME_INFO:
6437 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
6438 break;
6439 case SMB2_FILE_STREAM_INFO:
6440 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
6441 break;
6442 case SMB2_FILE_PIPE_INFO:
6443 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
6444 break;
6445 case SMB2_FILE_COMPRESSION_INFO:
6446 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
6447 break;
6448 case SMB2_FILE_NETWORK_OPEN_INFO:
6449 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
6450 break;
6451 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
6452 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
6453 break;
6454 case SMB2_FILE_NORMALIZED_NAME_INFO:
6455 offset = dissect_smb2_file_normalized_name_info(tvb, pinfo, tree, offset, si);
6456 break;
6457 case SMB2_FILE_POSIX_INFO:
6458 offset = dissect_smb2_posix_info(tvb, pinfo, tree, offset, si);
6459 break;
6460 default:
6461 /* we don't handle this infolevel yet */
6462 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
6463 offset += tvb_captured_length_remaining(tvb, offset);
6465 break;
6466 case SMB2_CLASS_FS_INFO:
6467 switch (infolevel) {
6468 case SMB2_FS_INFO_01:
6469 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
6470 break;
6471 case SMB2_FS_INFO_03:
6472 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
6473 break;
6474 case SMB2_FS_INFO_04:
6475 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
6476 break;
6477 case SMB2_FS_INFO_05:
6478 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
6479 break;
6480 case SMB2_FS_INFO_06:
6481 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
6482 break;
6483 case SMB2_FS_INFO_07:
6484 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
6485 break;
6486 case SMB2_FS_OBJECTID_INFO:
6487 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
6488 break;
6489 case SMB2_FS_POSIX_INFO:
6490 offset = dissect_smb2_fs_posix_info(tvb, pinfo, tree, offset, si);
6491 break;
6492 default:
6493 /* we don't handle this infolevel yet */
6494 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
6495 offset += tvb_captured_length_remaining(tvb, offset);
6497 break;
6498 case SMB2_CLASS_SEC_INFO:
6499 switch (infolevel) {
6500 case SMB2_SEC_INFO_00:
6501 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
6502 break;
6503 default:
6504 /* we don't handle this infolevel yet */
6505 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
6506 offset += tvb_captured_length_remaining(tvb, offset);
6508 break;
6509 case SMB2_CLASS_QUOTA_INFO:
6510 offset = dissect_smb2_quota_info(tvb, pinfo, tree, offset, si);
6511 break;
6512 default:
6513 /* we don't handle this class yet */
6514 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
6515 offset += tvb_captured_length_remaining(tvb, offset);
6518 /* if we get BUFFER_OVERFLOW there will be truncated data */
6519 if (si->status == 0x80000005) {
6520 proto_item *item;
6521 item = proto_tree_add_item(tree, hf_smb2_truncated, tvb, old_offset, 0, ENC_NA);
6522 proto_item_set_generated(item);
6524 return offset;
/*
 * Dissect the data buffer of a GetInfo response.
 *
 * The class and info level used to pick the sub-dissector come from
 * si->saved (presumably recorded when the request was seen -- confirm
 * against the request dissector).  Without that state the whole buffer is
 * shown as unknown bytes.
 */
static void
dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	if (!si->saved) {
		/* no saved state: we cannot tell what the buffer holds */
		proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
		return;
	}

	/* the buffer is its own tvb here, so dissection starts at offset 0 */
	dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->smb2_class, si->saved->infolevel);
}
/*
 * Dissect a GetInfo response.
 *
 * Returns the offset after the fixed part of the response.  The status
 * values follow the comments in the original code: 0x80000005 is
 * BUFFER_OVERFLOW (truncated data follows) and 0xc0000023 is
 * BUFFER_TOO_SMALL (no data, only the required buffer size).
 */
static int
dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t olb;
	bool continue_dissection;

	/* class/infolevel */
	dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	if (si->status == 0xc0000023) {
		/*
		 * BUFFER_TOO_SMALL: there is no data, only a uint32 saying
		 * how big the buffer needs to be.
		 */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
		offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
		proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		return offset + 4;
	}

	if (si->status == 0x00000000 || si->status == 0x80000005) {
		/* success, or BUFFER_OVERFLOW with truncated data: buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* response buffer offset and size */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);

	/* response data; the offset/length pair is taken from the packet */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);

	/* fid hash, shown as a generated (not on-the-wire) item */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	return offset;
}
/*
 * Dissect a Close request: buffer code, close flags, 4 bytes of padding
 * (skipped without being displayed) and the file id.
 *
 * Returns the offset after the file id.
 */
static int
dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	proto_tree *close_flags_tree = NULL;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* close flags */
	if (tree) {
		proto_item *close_flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		close_flags_tree = proto_item_add_subtree(close_flags_item, ett_smb2_close_flags);
	}
	proto_tree_add_item(close_flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* padding */
	offset += 4;

	/* fid hash, shown as a generated item */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	return dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
}
/*
 * Dissect a Close response: buffer code (or the error response for any
 * non-zero status), close flags, reserved bytes, four NT timestamps,
 * allocation size, end of file and the file attributes.
 *
 * Returns the offset after the last dissected field.
 */
static int
dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
{
	/* the four 8-byte timestamps, in wire order */
	const int timestamp_fields[] = {
		hf_smb2_create_timestamp,
		hf_smb2_last_access_timestamp,
		hf_smb2_last_write_timestamp,
		hf_smb2_last_change_timestamp,
	};
	proto_tree *close_flags_tree = NULL;
	bool continue_dissection;
	unsigned i;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* close flags */
	if (tree) {
		proto_item *close_flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		close_flags_tree = proto_item_add_subtree(close_flags_item, ett_smb2_close_flags);
	}
	proto_tree_add_item(close_flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* create time, last access, last write, last change */
	for (i = 0; i < sizeof timestamp_fields / sizeof timestamp_fields[0]; i++) {
		dissect_nttime(tvb, tree, offset, timestamp_fields[i], ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	/* allocation size */
	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* end of file */
	proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

	/* fid hash, shown as a generated item */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	return offset;
}
/*
 * Dissect a Flush request: buffer code, two reserved fields (2 and 4
 * bytes) and the file id.
 *
 * Returns the offset after the file id.
 */
static int
dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* reserved1 */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* reserved2 */
	proto_tree_add_item(tree, hf_smb2_flush_reserved2, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* fid hash, shown as a generated item */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	return dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
}
/*
 * Dissect a Flush response: buffer code (or the error response for any
 * non-zero status) followed by two reserved bytes.
 *
 * Returns the offset after the reserved bytes.
 */
static int
dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* fid hash, shown as a generated item */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* reserved bytes */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
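/*
 * Dissect a Lock request: buffer code, lock count, lock sequence
 * number/index, file id and then lock_count lock elements of 24 bytes
 * each (offset 8, length 8, flags 4, reserved 4).
 *
 * lock_count is read from the packet.  The loop is not bounded against the
 * remaining data here; it relies on the tvb accessors raising an exception
 * once an element runs past the end of the buffer.
 *
 * Returns the offset after the last lock element.
 */
static int
dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint16_t lock_count;
	proto_item *item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* lock count */
	lock_count = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* Lock Sequence Number/Index: two fields over the same 4 bytes */
	proto_tree_add_item(tree, hf_smb2_lock_sequence_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_lock_sequence_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* fid hash, shown as a generated item */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	while (lock_count--) {
		proto_item *lock_item = NULL;
		proto_tree *lock_tree = NULL;
		static int * const lf_fields[] = {
			&hf_smb2_lock_flags_shared,
			&hf_smb2_lock_flags_exclusive,
			&hf_smb2_lock_flags_unlock,
			&hf_smb2_lock_flags_fail_immediately,
			NULL
		};

		if (tree) {
			lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
			lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
		}

		/*
		 * offset -- attached to the lock element's subtree like the
		 * other three fields; it used to be added to the parent tree,
		 * so it showed up next to the element instead of inside it.
		 */
		proto_tree_add_item(lock_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* count */
		proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* flags */
		proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* reserved */
		proto_tree_add_item(lock_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;
	}

	return offset;
}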
/*
 * Dissect a Lock response: buffer code (or the error response for any
 * non-zero status) followed by two reserved bytes.
 *
 * Returns the offset after the reserved bytes.
 */
static int
dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* fid hash, shown as a generated item */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
/*
 * Dissect a Cancel request: buffer code followed by two bytes that are
 * displayed as unknown.
 *
 * Returns the offset after those two bytes.
 */
static int
dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	/* buffer code */
	const int after_buffercode = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, after_buffercode, 2, ENC_NA);

	return after_buffercode + 2;
}
/*
 * Return the file info that belongs to this SMB2 transaction, or NULL.
 *
 * si->file is preferred; si->saved->file is the fallback when si->file is
 * not set.  si itself may be NULL, in which case NULL is returned.
 */
static const smb2_fid_info_t *
smb2_pipe_get_fid_info(const smb2_info_t *si)
{
	if (si == NULL) {
		return NULL;
	}

	if (si->file != NULL) {
		return si->file;
	}

	/* may still be NULL when the saved state carries no file */
	return (si->saved != NULL) ? si->saved->file : NULL;
}
/*
 * Hand the DCE/RPC layer a per-file salt so that traffic on different
 * pipe handles is kept apart.  Does nothing when no file info is known.
 *
 * The salt is the address of the file info structure, not a value from
 * the packet.
 * NOTE(review): GPOINTER_TO_UINT goes through an unsigned int, so on
 * platforms with 64-bit pointers only the low bits of the address should
 * end up in the salt -- confirm that this is sufficient for
 * dcerpc_set_transport_salt.
 */
static void
smb2_pipe_set_file_id(packet_info *pinfo, smb2_info_t *si)
{
	const smb2_fid_info_t *fid_info = smb2_pipe_get_fid_info(si);

	if (fid_info != NULL) {
		const uint64_t salt = GPOINTER_TO_UINT(fid_info);

		dcerpc_set_transport_salt(salt, pinfo);
	}
}
/* When set, dissect_file_data_smb2_pipe offers reassembly of named pipe
 * data to its subdissectors; on by default. */
static bool smb2_pipe_reassembly = true;

/* Off by default; not used in this part of the file (presumably gates
 * signature verification -- confirm at its users). */
static bool smb2_verify_signatures = false;

/* Fragment bookkeeping for named pipe reassembly. */
static reassembly_table smb2_pipe_reassembly_table;
/*
 * Dissect datalen bytes of named pipe payload starting at offset in
 * raw_tvb, reassembling PDUs that span several reads/writes when
 * smb2_pipe_reassembly is set and the payload was captured completely.
 *
 * data is passed through to the heuristic subdissectors; it is treated as
 * a const smb2_info_t * here and may be NULL.
 *
 * Always returns offset + datalen, whether or not a subdissector
 * recognised the payload.
 *
 * NOTE(review): datalen comes from the caller unvalidated.  It is cast to
 * int for the captured length and passed as-is for the reported length,
 * so values above INT_MAX turn negative; this relies on
 * tvb_new_subset_length_caplen rejecting them -- confirm.
 *
 * NOTE(review): the reassembly id is the file info pointer cut down to 32
 * bits, and 0 when no file info is known (e.g. si == NULL).  Streams that
 * end up with the same id would share one reassembly; whether that can
 * happen in practice is not visible from here.
 */
static int
dissect_file_data_smb2_pipe(tvbuff_t *raw_tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, uint32_t datalen, proto_tree *top_tree, void *data)
{
	/*
	 * Note: si is NULL for some callers from packet-smb.c
	 */
	const smb2_info_t *si = (const smb2_info_t *)data;
	const smb2_fid_info_t *file = smb2_pipe_get_fid_info(si);
	const uint32_t id = (uint32_t)(GPOINTER_TO_UINT(file) & UINT32_MAX);
	const int remaining = tvb_captured_length_remaining(raw_tvb, offset);
	bool result = false;
	bool save_fragmented;
	unsigned reported_len;
	fragment_head *fd_head;
	fragment_item *last_frag;
	tvbuff_t *tvb;
	tvbuff_t *reassembled_tvb;
	proto_item *frag_tree_item;
	heur_dtbl_entry_t *hdtbl_entry;

	tvb = tvb_new_subset_length_caplen(raw_tvb, offset,
					   MIN((int)datalen, remaining),
					   datalen);

	/*
	 * Offer desegmentation service to Named Pipe subdissectors (e.g. DCERPC)
	 * if we have all the data. Otherwise, reassembly is (probably) impossible.
	 */
	pinfo->desegment_offset = 0;
	pinfo->desegment_len = 0;
	reported_len = tvb_reported_length(tvb);
	pinfo->can_desegment =
		(smb2_pipe_reassembly && tvb_captured_length(tvb) >= reported_len) ? 2 : 0;

	save_fragmented = pinfo->fragmented;

	/*
	 * If we are not offering desegmentation, just try the heuristics
	 * and bail out.
	 */
	if (!pinfo->can_desegment) {
		result = dissector_try_heuristic(smb2_pipe_subdissector_list,
						 tvb, pinfo, top_tree,
						 &hdtbl_entry, data);
		goto clean_up_and_exit;
	}

	/* below this line, we know we are doing reassembly */

	if (!pinfo->fd->visited) {
		/*
		 * This is the first pass.
		 *
		 * Check if we are already reassembling this PDU or not;
		 * we check for an in-progress reassembly for this FID
		 * in this direction, by searching for its reassembly
		 * structure.
		 */
		fd_head = fragment_get(&smb2_pipe_reassembly_table,
				       pinfo, id, NULL);
		if (!fd_head) {
			/*
			 * No reassembly, so this is a new pdu.  Try the
			 * heuristic dissectors and see if one of them
			 * recognizes this payload.
			 */
			result = dissector_try_heuristic(smb2_pipe_subdissector_list,
							 tvb, pinfo, top_tree,
							 &hdtbl_entry, data);

			/*
			 * Only when the payload was recognised and the
			 * subdissector asked for more data do we start a
			 * reassembly with this tvb as its first fragment.
			 */
			if (result && pinfo->desegment_len) {
				fragment_add_check(&smb2_pipe_reassembly_table,
						   tvb, 0, pinfo, id, NULL,
						   0, reported_len, true);
				fragment_set_tot_len(&smb2_pipe_reassembly_table,
						     pinfo, id, NULL,
						     pinfo->desegment_len+reported_len);
			}
			goto clean_up_and_exit;
		}

		/*
		 * OK, we're already doing a reassembly for this FID.
		 * Skip to the last segment in the existing reassembly
		 * structure and add this fragment there.
		 *
		 * XXX we might add code here to use any offset values
		 * we might pick up from the Read/Write calls instead of
		 * assuming we always get them in the correct order.
		 *
		 * The walk assumes the head has at least one fragment.
		 */
		last_frag = fd_head->next;
		while (last_frag->next) {
			last_frag = last_frag->next;
		}
		fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
					     tvb, 0, pinfo, id, NULL,
					     last_frag->offset+last_frag->len,
					     reported_len, true);

		/* if we completed reassembly */
		if (fd_head) {
			reassembled_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
			add_new_data_source(pinfo, reassembled_tvb,
					    "Named Pipe over SMB2");
			pinfo->fragmented = false;

			tvb = reassembled_tvb;

			/* list what segments we have */
			show_fragment_tree(fd_head, &smb2_pipe_frag_items,
					   tree, pinfo, tvb, &frag_tree_item);

			/* dissect the full PDU */
			result = dissector_try_heuristic(smb2_pipe_subdissector_list,
							 tvb, pinfo, top_tree,
							 &hdtbl_entry, data);
		}
		goto clean_up_and_exit;
	}

	/*
	 * This is not the first pass; see if it's in the table of
	 * reassembled packets.
	 *
	 * XXX - we know that several of the arguments aren't going to
	 * be used, so we pass bogus variables.  Can we clean this
	 * up so that we don't have to distinguish between the first
	 * pass and subsequent passes?
	 */
	fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
				     tvb, 0, pinfo, id, NULL, 0, 0, true);
	if (!fd_head || !(fd_head->flags & FD_DEFRAGMENTED)) {
		/*
		 * Either we didn't find it or we don't have a fully
		 * reassembled frame: try the heuristic dissectors on
		 * this segment alone and bail out.
		 */
		result = dissector_try_heuristic(smb2_pipe_subdissector_list,
						 tvb, pinfo, top_tree,
						 &hdtbl_entry, data);
		goto clean_up_and_exit;
	}

	/* it is reassembled but it was reassembled in a different frame */
	if (pinfo->num != fd_head->reassembled_in) {
		proto_item *reassembled_in_item;

		reassembled_in_item = proto_tree_add_uint(top_tree, hf_smb2_pipe_reassembled_in,
							  tvb, 0, 0, fd_head->reassembled_in);
		proto_item_set_generated(reassembled_in_item);
		goto clean_up_and_exit;
	}

	/* display the reassembled pdu */
	reassembled_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
	add_new_data_source(pinfo, reassembled_tvb,
			    "Named Pipe over SMB2");
	pinfo->fragmented = false;

	tvb = reassembled_tvb;

	/* list what segments we have */
	show_fragment_tree(fd_head, &smb2_pipe_frag_items,
			   top_tree, pinfo, tvb, &frag_tree_item);

	/* dissect the full PDU */
	result = dissector_try_heuristic(smb2_pipe_subdissector_list,
					 tvb, pinfo, top_tree,
					 &hdtbl_entry, data);

clean_up_and_exit:
	/* clear out the variables */
	pinfo->can_desegment = 0;
	pinfo->desegment_offset = 0;
	pinfo->desegment_len = 0;

	/* nobody claimed the payload: show it as plain data */
	if (!result) {
		call_data_dissector(tvb, pinfo, top_tree);
	}

	pinfo->fragmented = save_fragmented;

	offset += datalen;
	return offset;
}
/* Values of the channel field read by the write request dissector. */
#define SMB2_CHANNEL_NONE			0x00000000
#define SMB2_CHANNEL_RDMA_V1			0x00000001
#define SMB2_CHANNEL_RDMA_V1_INVALIDATE		0x00000002
#define SMB2_CHANNEL_RDMA_TRANSFORM		0x00000003

/* Display names for the channel values above; { 0, NULL } ends the table. */
static const value_string smb2_channel_vals[] = {
	{ SMB2_CHANNEL_NONE,			"None" },
	{ SMB2_CHANNEL_RDMA_V1,			"RDMA V1" },
	{ SMB2_CHANNEL_RDMA_V1_INVALIDATE,	"RDMA V1_INVALIDATE" },
	{ SMB2_CHANNEL_RDMA_TRANSFORM,		"RDMA TRANSFORM" },
	{ 0, NULL }
};
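/*
 * Dissect a channel info blob made of SMBDirect Buffer Descriptor V1
 * elements.  Each element is 16 bytes: offset (8), token (4), length (4).
 *
 * The element count is derived from the reported length of the blob, so
 * trailing bytes that do not form a whole element are not dissected.
 */
static void
dissect_smb2_rdma_v1_blob(tvbuff_t *tvb, packet_info *pinfo _U_,
			  proto_tree *parent_tree, smb2_info_t *si _U_)
{
	enum { RDMA_V1_DESC_LEN = 16 };
	int         offset      = 0;
	int         len;
	int         i;
	int         num;
	proto_tree *sub_tree;
	proto_item *parent_item;

	parent_item = proto_tree_get_parent(parent_tree);

	len = tvb_reported_length(tvb);

	num = len / RDMA_V1_DESC_LEN;

	if (parent_item) {
		proto_item_append_text(parent_item, ": SMBDirect Buffer Descriptor V1: (%d elements)", num);
	}

	for (i = 0; i < num; i++) {
		/*
		 * The subtree covers the whole 16-byte element; it used to
		 * be created with a length of 8, which highlighted only the
		 * offset field for the element.
		 */
		sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, RDMA_V1_DESC_LEN, ett_smb2_rdma_v1, NULL, "RDMA V1");

		proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_token, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;
	}
}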
/* Bits of the write request flags field. */
#define SMB2_WRITE_FLAG_WRITE_THROUGH		0x00000001
#define SMB2_WRITE_FLAG_WRITE_UNBUFFERED	0x00000002

/* Text shown for the WRITE_THROUGH bit when set / when clear. */
static const true_false_string tfs_write_through = {
	"Client is asking for WRITE_THROUGH",
	"Client is NOT asking for WRITE_THROUGH"
};

/* Text shown for the UNBUFFERED bit when set / when clear. */
static const true_false_string tfs_write_unbuffered = {
	"Client is asking for UNBUFFERED write",
	"Client is NOT asking for UNBUFFERED write"
};
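/*
 * Dissect a Write request: buffer code, data offset, length, file offset,
 * file id, channel, remaining bytes, channel info blob offset/length,
 * flags, the channel info blob itself and finally the written data.
 *
 * length, dataoffset and the channel info offset/length all come from the
 * packet.  length is handed to the pipe dissector and to
 * proto_tree_add_item as-is; only the final offset advance is limited to
 * the captured bytes, and the export-object tap is fed only when the
 * captured data after the header is exactly length bytes.
 *
 * Returns the offset after the dissected data.
 */
static int
dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint16_t dataoffset = 0;
	uint32_t data_tvb_len;
	offset_length_buffer_t c_olb;
	uint32_t channel;
	uint32_t length;
	uint64_t off;
	proto_item *item;
	static int * const f_fields[] = {
		&hf_smb2_write_flags_write_through,
		&hf_smb2_write_flags_write_unbuffered,
		NULL
	};

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* data offset */
	dataoffset=tvb_get_letohs(tvb,offset);
	proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* length */
	length = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* offset */
	off = tvb_get_letoh64(tvb, offset);
	if (si->saved) si->saved->file_offset=off;
	proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/*
	 * length is a uint32_t: print it with %u.  With %d the specifier
	 * did not match the argument type and lengths of 0x80000000 and
	 * above were shown as negative numbers.
	 */
	col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%u Off:%" PRIu64, length, off);

	/* fid hash, shown as a generated item */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* channel */
	channel = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* remaining bytes */
	proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* write channel info blob offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);

	/* flags */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* the write channel info blob itself */
	switch (channel) {
	case SMB2_CHANNEL_RDMA_V1:
	case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
		break;
	case SMB2_CHANNEL_NONE:
	default:
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
		break;
	}

	/* captured bytes after the fixed header, compared with length below */
	data_tvb_len=(uint32_t)tvb_captured_length_remaining(tvb, offset);

	/* data or namedpipe ?*/
	if (length) {
		int oldoffset = offset;
		smb2_pipe_set_file_id(pinfo, si);
		offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
		if (offset != oldoffset) {
			/* managed to dissect pipe data */
			goto out;
		}
	}

	/* just ordinary data */
	proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);

	/* never advance past the captured bytes, whatever length claims */
	offset += MIN(length,(uint32_t)tvb_captured_length_remaining(tvb, offset));

	offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);

out:
	if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
		if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
			feed_eo_smb2(tvb,pinfo,si,dataoffset,length,off);
		}
	}

	return offset;
}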
/*
 * Dissect a Write response: buffer code (or the error response for any
 * non-zero status), reserved bytes, count, remaining and the write
 * channel info offset/length.
 *
 * Returns the offset after the channel info length.
 */
static int
dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* fid hash, shown as a generated item */
	if (si->saved && si->saved->fid_hash) {
		proto_item *hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* count */
	proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* remaining, must be set to 0 */
	proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* write channel info offset */
	proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* write channel info length */
	proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);

	return offset + 2;
}
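/* The STORAGE_OFFLOAD_TOKEN is used for "Offload Data Transfer" (ODX) operations,
   including FSCTL_OFFLOAD_READ, FSCTL_OFFLOAD_WRITE.  Ref: MS-FSCC 2.3.79
   Note: Unlike most of SMB2, the token fields are BIG-endian!

   Layout as dissected here: type (4), reserved (2), TokenIdLength (2) and a
   token id field of 504 bytes, 512 bytes in total.

   Returns the offset after the 512-byte token. */
static int
dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
{
	enum { ODX_TOKEN_ID_SIZE = 504 };
	proto_tree *sub_tree;
	proto_item *sub_item;
	uint32_t    idlen = 0;
	uint32_t    idtype = 0;
	uint32_t    shown_len;

	sub_tree = proto_tree_add_subtree(tree, tvb, offset, 512, ett_smb2_fsctl_odx_token, &sub_item, "Token");

	proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_type, tvb, offset, 4, ENC_BIG_ENDIAN, &idtype);
	offset += 4;

	proto_item_append_text(sub_item, " (IdType 0x%x)", idtype);

	/* reserved */
	proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* TokenIdLength */
	proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_idlen, tvb, offset, 2, ENC_BIG_ENDIAN, &idlen);
	offset += 2;

	/* idlen is what the server says is the "meaningful" part of the token.
	   However, token ID is always 504 bytes.  idlen is a 16-bit value from
	   the packet, so it can claim more than the field holds; keep the
	   displayed bytes inside the token id field and say so on the token. */
	shown_len = idlen;
	if (shown_len > ODX_TOKEN_ID_SIZE) {
		shown_len = ODX_TOKEN_ID_SIZE;
		proto_item_append_text(sub_item, " [TokenIdLength %u exceeds the %d-byte token id]",
				       idlen, ODX_TOKEN_ID_SIZE);
	}
	proto_tree_add_bytes_format_value(sub_tree, hf_smb2_fsctl_odx_token_idraw, tvb,
					  offset, shown_len, NULL, "Opaque Data");
	offset += ODX_TOKEN_ID_SIZE;

	return (offset);
}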
/* MS-FSCC 2.3.77, 2.3.78
 *
 * Dissect FSCTL_OFFLOAD_READ data.  Both directions start with size and
 * flags.  When `in` is true these are followed by token TTL, reserved
 * bytes, file offset and copy length; otherwise by the transfer length
 * and the storage offload token. */
static void
dissect_smb2_FSCTL_OFFLOAD_READ(tvbuff_t *tvb,
				packet_info *pinfo _U_,
				proto_tree *tree,
				int offset,
				bool in)
{
	proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	if (!in) {
		proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* the token's end offset is not needed here */
		(void) dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
		return;
	}

	proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last field; nothing follows, so the offset is not advanced */
	proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
}
/* MS-FSCC 2.3.80, 2.3.81
 *
 * Dissect FSCTL_OFFLOAD_WRITE data.  Both directions start with size and
 * flags.  When `in` is true these are followed by file offset, copy
 * length, token offset and the storage offload token; otherwise by the
 * transfer length only.
 *
 * The token is dissected directly after the token offset field. */
static void
dissect_smb2_FSCTL_OFFLOAD_WRITE(tvbuff_t *tvb,
				packet_info *pinfo _U_,
				proto_tree *tree,
				int offset,
				bool in)
{
	proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	if (!in) {
		/* last field; nothing follows, so the offset is not advanced */
		proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		return;
	}

	proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
}
/*
 * Dissect FSCTL_PIPE_TRANSCEIVE data: everything captured from offset to
 * the end of the tvb is handed to the named pipe dissector.
 */
static void
dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, bool data_in _U_, void *data)
{
	const int pipe_data_len = tvb_captured_length_remaining(tvb, offset);

	dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, pipe_data_len, top_tree, data);
}
/*
 * Dissect FSCTL_PIPE_WAIT data: timeout (8), name length (4), a
 * "timeout specified" byte, one byte of padding and the UTF-16LE pipe
 * name.  The timeout is only displayed when the flag byte is non-zero.
 * The items are added to top_tree; tree is unused.
 *
 * name_len is taken from the packet and used as the length of the name
 * item without further checks here.
 */
static void
dissect_smb2_FSCTL_PIPE_WAIT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, proto_tree *top_tree, bool data_in _U_)
{
	const int timeout_offset = offset;
	uint32_t name_len;
	char *pipe_name;

	/* Timeout: skipped for now, displayed below if flagged as present */
	offset += 8;

	/* Name length */
	/* XXX - put the name length into the tree */
	name_len = tvb_get_letohl(tvb, offset);
	offset += 4;

	/* Timeout specified */
	if (tvb_get_uint8(tvb, offset)) {
		proto_tree_add_item(top_tree, hf_smb2_fsctl_pipe_wait_timeout,
			tvb, timeout_offset, 8, ENC_LITTLE_ENDIAN);
	}
	offset += 1;

	/* Padding */
	offset += 1;

	/* Name */
	proto_tree_add_item_ret_display_string(top_tree, hf_smb2_fsctl_pipe_wait_name,
		tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
		pinfo->pool, &pipe_name);

	col_append_fstr(pinfo->cinfo, COL_INFO, " Pipe: %s", pipe_name);
}
/*
 * Dissect FSCTL_SET_SPARSE data.  Only the input direction carries data:
 * an optional one-byte sparse flag, shown when at least one byte remains.
 *
 * Returns the offset after the flag, or the unchanged offset when nothing
 * was dissected.
 */
static int
dissect_smb2_FSCTL_SET_SPARSE(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	/* There is no out data; the sparse flag on input is optional */
	if (data_in && tvb_reported_length_remaining(tvb, offset) >= 1) {
		proto_tree_add_item(tree, hf_smb2_fsctl_sparse_flag, tvb, offset, 1, ENC_NA);
		offset += 1;
	}

	return offset;
}
/*
 * Dissect FSCTL_SET_ZERO_DATA data.  Only the input direction carries
 * data: one range of 16 bytes (offset 8, length 8).
 *
 * Returns the offset after the range, or the unchanged offset for the
 * output direction.
 */
static int
dissect_smb2_FSCTL_SET_ZERO_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	proto_tree *range_tree;

	/* There is no out data */
	if (!data_in) {
		return offset;
	}

	range_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, NULL, "Range");

	proto_tree_add_item(range_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(range_tree, hf_smb2_fsctl_range_length, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);

	return offset + 16;
}
/*
 * FSCTL_QUERY_ALLOCATED_RANGES: the request carries exactly one 16-byte
 * range; the reply carries as many complete 16-byte ranges as fit in the
 * remaining reported data.
 */
static void
dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, bool data_in)
{
	proto_item *range_item;
	proto_tree *range_tree;

	if (!data_in) {
		/* Reply: the loop stops as soon as fewer than 16 bytes are left,
		 * so a trailing partial range is not dissected. */
		for (; tvb_reported_length_remaining(tvb, offset) >= 16; offset += 16) {
			range_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &range_item, "Range");
			proto_tree_add_item(range_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
			proto_tree_add_item(range_tree, hf_smb2_fsctl_range_length, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
		}
		return;
	}

	/* Request: a single range. */
	range_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &range_item, "Range");
	proto_tree_add_item(range_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(range_tree, hf_smb2_fsctl_range_length, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
}
/*
 * FSCTL_QUERY_FILE_REGIONS. The request is one 24-byte region descriptor.
 * The reply is a 16-byte header (flags, total entry count, returned entry
 * count, reserved) followed by 24-byte entries.
 */
static void
dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, bool data_in)
{
	uint32_t entries_left = 0;

	if (data_in) {
		proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_qfr_length, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_qfr_usage, tvb, offset + 16, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset + 20, 4, ENC_NA);
		return;
	}

	/* Reply header */
	proto_tree_add_item(tree, hf_smb2_qfr_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_qfr_total_region_entry_count, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN);
	proto_tree_add_item_ret_uint(tree, hf_smb2_qfr_region_entry_count, tvb, offset + 8, 4, ENC_LITTLE_ENDIAN, &entries_left);
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset + 12, 4, ENC_NA);
	offset += 16;

	/*
	 * The entry count is sender-controlled; the loop also ends once no
	 * reported data is left. The check is for "any data", not for a full
	 * 24-byte entry, so a short final entry is still attempted.
	 */
	for (; entries_left != 0 && tvb_reported_length_remaining(tvb, offset) != 0;
	     entries_left--, offset += 24) {
		proto_item *entry_item;
		proto_tree *entry_tree;

		entry_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_qfr_entry, &entry_item, "Entry");
		proto_tree_add_item(entry_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(entry_tree, hf_smb2_qfr_length, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(entry_tree, hf_smb2_qfr_usage, tvb, offset + 16, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(entry_tree, hf_smb2_reserved, tvb, offset + 20, 4, ENC_NA);
	}
}
/*
 * FSCTL_LMR_REQUEST_RESILIENCY: the request is a 4-byte timeout followed by
 * a 4-byte reserved field; the reply has no data.
 */
static void
dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	if (data_in) {
		proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN);
	}
}
/*
 * FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT: the request has no data; the
 * reply is two 32-bit fields (support, handle state).
 */
static void
dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	if (!data_in) {
		proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_support, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_handle_state, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN);
	}
}
/*
 * Storage QoS control flag bits.
 * NOTE(review): presumably the masks behind the hf_smb2_ioctl_sqos_op_*
 * bitmask fields used by the Storage QoS dissector - confirm against the
 * field registrations.
 */
#define STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID 0x00000001
#define STORAGE_QOS_CONTROL_FLAG_SET_POLICY 0x00000002
#define STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY 0x00000004
#define STORAGE_QOS_CONTROL_FLAG_GET_STATUS 0x00000008
#define STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS 0x00000010

/* Display names for the 16-bit Storage QoS protocol version. */
static const value_string smb2_ioctl_sqos_protocol_version_vals[] = {
	{ 0x0100, "Storage QoS Protocol Version 1.0" },
	{ 0x0101, "Storage QoS Protocol Version 1.1" },
	{ 0, NULL }
};

/* Display names for the Storage QoS status code; the table has no entry for 0x03. */
static const value_string smb2_ioctl_sqos_status_vals[] = {
	{ 0x00, "StorageQoSStatusOk" },
	{ 0x01, "StorageQoSStatusInsufficientThroughput" },
	{ 0x02, "StorageQoSUnknownPolicyId" },
	{ 0x04, "StorageQoSStatusConfigurationMismatch" },
	{ 0x05, "StorageQoSStatusNotAvailable" },
	{ 0, NULL }
};
/*
 * FSCTL_STORAGE_QOS_CONTROL. Request and reply share a 56-byte header
 * (version, reserved, option bits, logical flow id, policy id, initiator id).
 * The request then carries limits, two offset/length descriptors for the
 * initiator name and node name, and counters; the reply carries status and
 * rate fields. Fields beyond protocol version 0x0100 are only dissected when
 * the version in the packet is greater than that.
 */
static void
dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, bool data_in)
{
	static int * const sqos_option_bits[] = {
		&hf_smb2_ioctl_sqos_op_set_logical_flow_id,
		&hf_smb2_ioctl_sqos_op_set_policy,
		&hf_smb2_ioctl_sqos_op_probe_policy,
		&hf_smb2_ioctl_sqos_op_get_status,
		&hf_smb2_ioctl_sqos_op_update_counters,
		NULL
	};
	const int version = tvb_get_letohs(tvb, offset);
	const bool newer_than_1_0 = (version > 0x0100);

	/* Common header */
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_protocol_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reserved, tvb, offset + 2, 2, ENC_LITTLE_ENDIAN);
	proto_tree_add_bitmask(tree, tvb, offset + 4, hf_smb2_ioctl_sqos_options,
	    ett_smb2_ioctl_sqos_opeations, sqos_option_bits, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_logical_flow_id, tvb, offset + 8, 16, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_policy_id, tvb, offset + 24, 16, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_initiator_id, tvb, offset + 40, 16, ENC_LITTLE_ENDIAN);
	offset += 56;

	if (!data_in) {
		/* Reply */
		proto_tree_add_item(tree, hf_smb2_ioctl_sqos_time_to_live, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_ioctl_sqos_status, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_ioctl_sqos_maximum_io_rate, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_ioctl_sqos_minimum_io_rate, tvb, offset + 16, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_ioctl_sqos_base_io_size, tvb, offset + 24, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reserved2, tvb, offset + 28, 4, ENC_LITTLE_ENDIAN);
		if (newer_than_1_0) {
			proto_tree_add_item(tree, hf_smb2_ioctl_sqos_maximum_bandwidth, tvb, offset + 32, 8, ENC_LITTLE_ENDIAN);
		}
		return;
	}

	/* Request */
	offset_length_buffer_t initiator_olb, node_olb;

	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reservation, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
	offset += 16;

	/* The two name descriptors are read now; the strings they point to
	 * are dissected after the fixed-size counters. */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &initiator_olb, OLB_O_UINT16_S_UINT16, hf_smb2_ioctl_sqos_initiator_name);
	offset = dissect_smb2_olb_length_offset(tvb, offset, &node_olb, OLB_O_UINT16_S_UINT16, hf_smb2_ioctl_sqos_initiator_node_name);

	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_io_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_normalized_io_count_increment, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_latency_increment, tvb, offset + 16, 8, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_ioctl_sqos_lower_latency_increment, tvb, offset + 24, 8, ENC_LITTLE_ENDIAN);

	if (newer_than_1_0) {
		proto_tree_add_item(tree, hf_smb2_ioctl_sqos_bandwidth_limit, tvb, offset + 32, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_ioctl_sqos_kilobyte_count_increment, tvb, offset + 40, 8, ENC_LITTLE_ENDIAN);
	}

	dissect_smb2_olb_string(pinfo, tree, tvb, &initiator_olb, OLB_TYPE_UNICODE_STRING);
	dissect_smb2_olb_string(pinfo, tree, tvb, &node_olb, OLB_TYPE_UNICODE_STRING);
}
/*
 * Dissect an IPv4 socket address: 2-byte family, 2-byte port, 4-byte address.
 * A len of -1 selects a subtree length of 8. The address text is appended
 * both to the new subtree item and to the parent tree's item. Returns the
 * offset just past the address (offset + 8), whatever len was passed.
 */
static int
dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
{
	const int addr_pos = offset + 4;
	proto_tree *addr_tree;
	proto_item *addr_item;
	proto_item *owner_item;

	addr_tree = proto_tree_add_subtree(parent_tree, tvb, offset, (len == -1) ? 8 : len,
	    ett_windows_sockaddr, &addr_item, "Socket Address");
	owner_item = proto_tree_get_parent(parent_tree);

	proto_tree_add_item(addr_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(addr_tree, hf_windows_sockaddr_port, tvb, offset + 2, 2, ENC_LITTLE_ENDIAN);

	proto_tree_add_item(addr_tree, hf_windows_sockaddr_in_addr, tvb, addr_pos, 4, ENC_BIG_ENDIAN);
	proto_item_append_text(addr_item, ", IPv4: %s", tvb_ip_to_str(pinfo->pool, tvb, addr_pos));
	proto_item_append_text(owner_item, ", IPv4: %s", tvb_ip_to_str(pinfo->pool, tvb, addr_pos));

	return addr_pos + 4;
}
/*
 * Dissect an IPv6 socket address: family, port, flow info, 16-byte address,
 * scope id. A len of -1 selects a subtree length of 26. The address text is
 * appended both to the new subtree item and to the parent tree's item.
 * Returns offset + 26, whatever len was passed.
 */
static int
dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
{
	const int flow_pos  = offset + 4;
	const int addr_pos  = flow_pos + 4;
	const int scope_pos = addr_pos + 16;
	proto_tree *addr_tree;
	proto_item *addr_item;
	proto_item *owner_item;

	addr_tree = proto_tree_add_subtree(parent_tree, tvb, offset, (len == -1) ? 26 : len,
	    ett_windows_sockaddr, &addr_item, "Socket Address");
	owner_item = proto_tree_get_parent(parent_tree);

	proto_tree_add_item(addr_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(addr_tree, hf_windows_sockaddr_port, tvb, offset + 2, 2, ENC_LITTLE_ENDIAN);

	/*
	 * sin6_flowinfo
	 * NOTE(review): only 2 bytes are added to the tree although the
	 * cursor moves 4 bytes past this field - confirm the intended width.
	 */
	proto_tree_add_item(addr_tree, hf_windows_sockaddr_in6_flowinfo, tvb, flow_pos, 2, ENC_LITTLE_ENDIAN);

	proto_tree_add_item(addr_tree, hf_windows_sockaddr_in6_addr, tvb, addr_pos, 16, ENC_NA);
	proto_item_append_text(addr_item, ", IPv6: %s", tvb_ip6_to_str(pinfo->pool, tvb, addr_pos));
	proto_item_append_text(owner_item, ", IPv6: %s", tvb_ip6_to_str(pinfo->pool, tvb, addr_pos));

	/*
	 * sin6_scope_id
	 * NOTE(review): dissected as 2 bytes, which is what makes the total
	 * 26 - confirm against the structure definition.
	 */
	proto_tree_add_item(addr_tree, hf_windows_sockaddr_in6_scope_id, tvb, scope_pos, 2, ENC_LITTLE_ENDIAN);

	return scope_pos + 2;
}
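/*
 * Dissect a socket address whose family is not known in advance.
 * WINSOCK_AF_INET and WINSOCK_AF_INET6 are handed to the specific dissectors;
 * any other family is shown as a subtree holding only the family value.
 *
 * len is the size of the address area, or -1 for "through the end of the
 * buffer". Returns the offset after the address. For an unknown family with
 * len == -1 that is the end of the reported data; previously the function
 * returned offset + len, i.e. offset - 1, which moved the caller's cursor
 * backwards.
 */
static int
dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int len)
{
	proto_item *sub_item;
	proto_tree *sub_tree;
	proto_item *parent_item;
	uint16_t    family;

	family = tvb_get_letohs(tvb, offset);
	switch (family) {
	case WINSOCK_AF_INET:
		return dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
	case WINSOCK_AF_INET6:
		return dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
	default:
		break;
	}

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
	parent_item = proto_tree_get_parent(parent_tree);

	/* ss_family */
	proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
	proto_item_append_text(parent_item, ", Family: %d (0x%04x)", family, family);

	/* -1 is a sentinel, not a byte count: never add it to the offset. */
	if (len == -1) {
		return offset + tvb_reported_length_remaining(tvb, offset);
	}
	return offset + len;
}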
/* Capability bits tested by dissect_smb2_NETWORK_INTERFACE_INFO() when it
 * builds the ", RDMA" / ", RSS" summary text. */
#define NETWORK_INTERFACE_CAP_RSS 0x00000001
#define NETWORK_INTERFACE_CAP_RDMA 0x00000002
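/*
 * Dissect one network interface record starting at offset 0 of tvb: next
 * offset, interface index, capabilities, reserved, link speed and socket
 * address. A non-zero next offset gives both the length of this record's
 * subtree and the position of the following record, which is dissected by a
 * recursive call on the remaining buffer.
 *
 * The next offset is taken from the packet as-is. Each recursive call is
 * bracketed by increment_dissection_depth()/decrement_dissection_depth();
 * NOTE(review): presumably that is what bounds a chain of very small or
 * repeating next offsets - confirm.
 *
 * The link speed is scaled in floating point so the "%.1f" text keeps its
 * fractional digit (integer division used to truncate 2500000000 to
 * "2.0 GBits/s").
 */
static void
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
	uint32_t    next_offset;
	int	    offset = 0;
	int	    len = -1;
	proto_item *sub_item;
	proto_tree *sub_tree;
	proto_item *item;
	uint32_t    capabilities;
	uint64_t    link_speed;
	double	    val = 0;
	const char *unit = NULL;
	static int * const capability_flags[] = {
		&hf_smb2_ioctl_network_interface_capability_rdma,
		&hf_smb2_ioctl_network_interface_capability_rss,
		NULL
	};

	next_offset = tvb_get_letohl(tvb, offset);
	if (next_offset) {
		len = next_offset;
	}

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_ioctl_network_interface, &sub_item, "Network Interface");
	item = proto_tree_get_parent(parent_tree);

	/* next offset */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* interface index */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* capabilities */
	capabilities = tvb_get_letohl(tvb, offset);
	proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_ioctl_network_interface_capabilities, ett_smb2_ioctl_network_interface_capabilities, capability_flags, ENC_LITTLE_ENDIAN);

	if (capabilities != 0) {
		proto_item_append_text(item, "%s%s",
				       (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
				       (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
		proto_item_append_text(sub_item, "%s%s",
				       (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
				       (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
	}
	offset += 4;

	/* reserved (was rss queue count for release 38 and 39) */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* link speed */
	link_speed = tvb_get_letoh64(tvb, offset);
	item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	if (link_speed >= (1000*1000*1000)) {
		val = (double)link_speed / (1000.0*1000.0*1000.0);
		unit = "G";
	} else if (link_speed >= (1000*1000)) {
		val = (double)link_speed / (1000.0*1000.0);
		unit = "M";
	} else if (link_speed >= (1000)) {
		val = (double)link_speed / 1000.0;
		unit = "K";
	} else {
		val = (double)link_speed;
		unit = "";
	}
	proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
	proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);

	offset += 8;

	/* socket address */
	dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset, -1);

	if (next_offset) {
		tvbuff_t *next_tvb;
		next_tvb = tvb_new_subset_remaining(tvb, next_offset);

		/* next extra info */
		increment_dissection_depth(pinfo);
		dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
		decrement_dissection_depth(pinfo);
	}
}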
/*
 * FSCTL_QUERY_NETWORK_INTERFACE_INFO: the request has no data; the reply is
 * a chain of network interface records, dissected from the start of tvb.
 */
static void
dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, bool data_in)
{
	if (!data_in) {
		dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
	}
}
/*
 * Variant of FSCTL_VALIDATE_NEGOTIATE_INFO that is only used by Windows 8
 * beta. Request and reply have the same shape - capabilities, GUID, security
 * mode (second byte skipped), one dialect - and differ only in whether the
 * GUID is shown as the client's or the server's.
 */
static void
dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, bool data_in)
{
	const int hf_guid = data_in ? hf_smb2_client_guid : hf_smb2_server_guid;

	/* capabilities */
	offset = dissect_smb2_capabilities(tree, tvb, offset);

	/* client or server guid */
	proto_tree_add_item(tree, hf_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	offset += 16;

	/* security mode, skip second byte */
	offset = dissect_smb2_secmode(tree, tvb, offset) + 1;

	/* dialect */
	proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
}
/*
 * FSCTL_VALIDATE_NEGOTIATE_INFO. Both directions start with capabilities, a
 * GUID (client's in the request, server's in the reply) and the security
 * mode (second byte skipped). The request then carries a 16-bit dialect
 * count followed by that many 16-bit dialects; the reply carries exactly one
 * dialect.
 */
static void
dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, bool data_in)
{
	const int hf_guid = data_in ? hf_smb2_client_guid : hf_smb2_server_guid;
	uint16_t  dialects_left = 1;

	/* capabilities */
	offset = dissect_smb2_capabilities(tree, tvb, offset);

	/* client or server guid */
	proto_tree_add_item(tree, hf_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	offset += 16;

	/* security mode, skip second byte */
	offset = dissect_smb2_secmode(tree, tvb, offset) + 1;

	if (data_in) {
		/* dialect count - taken from the packet and used as the loop
		 * bound below */
		dialects_left = tvb_get_letohs(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;
	}

	for (; dialects_left > 0; dialects_left--, offset += 2) {
		proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	}
}
/*
 * FSCTL_SRV_ENUMERATE_SNAPSHOTS: the request has no data. The reply is three
 * 32-bit fields (snapshot count, snapshots returned, array size) followed by
 * one UTF-16LE string per returned snapshot.
 */
static void
dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	uint32_t returned;

	if (data_in) {
		return;
	}

	/* NumberOfSnapShots */
	proto_tree_add_item(tree, hf_smb2_ioctl_enumerate_snapshots_num_snapshots, tvb, offset, 4, ENC_LITTLE_ENDIAN);

	/* NumberOfSnapshotsReturned */
	proto_tree_add_item_ret_uint(tree, hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN, &returned);

	/* SnapShotArraySize */
	proto_tree_add_item(tree, hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size, tvb, offset + 8, 4, ENC_LITTLE_ENDIAN);
	offset += 12;

	/*
	 * The iteration count is a 32-bit value from the packet and the loop
	 * has no length check of its own.
	 * NOTE(review): termination on a short buffer depends on the string
	 * item raising a bounds error and on every item reporting a positive
	 * length - confirm.
	 */
	for (; returned != 0; returned--) {
		int consumed;

		proto_tree_add_item_ret_length(tree, hf_smb2_ioctl_enumerate_snapshots_snapshot,
		    tvb, offset, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN, &consumed);
		offset += consumed;
	}
}
/*
 * Dissect a 64-byte FILE_OBJECTID_BUFFER: object id, birth volume id, birth
 * object id and domain id, 16 bytes each. Returns offset + 64.
 * NOTE(review): the return-type line is not visible in this listing; "int"
 * is inferred from the returned offset - confirm linkage against the header.
 */
int
dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
{
	proto_tree *buf_tree = NULL;
	proto_item *buf_item = NULL;

	/* The enclosing item is only created when there is a tree to hang it on. */
	if (parent_tree != NULL) {
		buf_item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
		buf_tree = proto_item_add_subtree(buf_item, ett_smb2_FILE_OBJECTID_BUFFER);
	}

	proto_tree_add_item(buf_tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(buf_tree, hf_smb2_birth_volume_id, tvb, offset + 16, 16, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(buf_tree, hf_smb2_birth_object_id, tvb, offset + 32, 16, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(buf_tree, hf_smb2_domain_id, tvb, offset + 48, 16, ENC_LITTLE_ENDIAN);

	return offset + 64;
}
/*
 * FSCTL_CREATE_OR_GET_OBJECT_ID: the request has no data; the reply is a
 * FILE_OBJECTID_BUFFER. Returns the offset after what was dissected.
 */
static int
dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	return data_in
	    ? offset
	    : dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
}
/*
 * FSCTL_GET_COMPRESSION: the request has no data; the reply is a 16-bit
 * compression format. Returns the offset after what was dissected.
 */
static int
dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	if (!data_in) {
		/* compression format */
		proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;
	}

	return offset;
}
/*
 * FSCTL_SET_COMPRESSION: the request is a 16-bit compression format; the
 * reply has no data. Returns the offset after what was dissected.
 */
static int
dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	if (data_in) {
		/* compression format */
		proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;
	}

	return offset;
}
/*
 * FSCTL_SET_INTEGRITY_INFORMATION: the request is a 16-bit checksum
 * algorithm, a 16-bit reserved field and a 32-bit flags bitmask; the reply
 * has no data. Returns the offset after what was dissected.
 */
static int
dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	static int * const flag_fields[] = {
		&hf_smb2_integrity_flags_enforcement_off,
		NULL
	};

	if (data_in) {
		proto_tree_add_item(tree, hf_smb2_checksum_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_integrity_reserved, tvb, offset + 2, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_bitmask(tree, tvb, offset + 4, hf_smb2_integrity_flags, ett_smb2_integrity_flags, flag_fields, ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	return offset;
}
/*
 * FSCTL_SET_INTEGRITY_INFORMATION_EX: the 16-byte request holds two one-byte
 * switches, a 2-byte reserved field, a 32-bit flags bitmask, a one-byte
 * version and 7 reserved bytes. Replies are not dissected. Returns the
 * offset after what was dissected.
 */
static int
dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION_EX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	static int * const flag_fields[] = {
		&hf_smb2_integrity_flags_enforcement_off,
		NULL
	};

	if (data_in) {
		proto_tree_add_item(tree, hf_smb2_fsctl_infoex_enable_integrity, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_fsctl_infoex_keep_integrity_state, tvb, offset + 1, 1, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_fsctl_infoex_reserved, tvb, offset + 2, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_bitmask(tree, tvb, offset + 4, hf_smb2_fsctl_infoex_flags, ett_smb2_integrity_flags, flag_fields, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_fsctl_infoex_version, tvb, offset + 8, 1, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_fsctl_infoex_reserved2, tvb, offset + 9, 7, ENC_LITTLE_ENDIAN);
		offset += 16;
	}

	return offset;
}
/*
 * Dissect the "Query Delta Buffer" of a ReFS stream snapshot request: 8-byte
 * start VCN, 4-byte flags, 4-byte reserved. The subtree is created with
 * length -1. Returns the absolute offset after the buffer (offset + 16), not
 * a byte count.
 */
static int
dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT_Query_Delta(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
{
	proto_tree *delta_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
	    ett_smb2_fscc_refs_snapshot_query_delta_buffer, NULL, "Query Delta Buffer");

	proto_tree_add_item(delta_tree, hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(delta_tree, hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags, tvb, offset + 8, 4, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(delta_tree, hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved, tvb, offset + 12, 4, ENC_LITTLE_ENDIAN);

	return offset + 16;
}
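/*
 * FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT request: 32-bit operation, 16-bit
 * name length, 16-bit input buffer length, 16 reserved bytes, then the
 * UTF-16LE name and, for REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS, a
 * query delta buffer. Replies are not dissected.
 *
 * Returns the offset after what was dissected. The query-delta helper
 * already returns an absolute offset, so its result replaces the cursor;
 * adding it to the cursor (as the code used to) roughly doubled the
 * returned offset.
 */
static int
dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, bool data_in)
{
	uint32_t operation;
	uint32_t name_len;
	uint32_t input_buffer_len;

	/* There is no out data */
	if (!data_in) {
		return offset;
	}

	proto_tree_add_item_ret_uint(tree, hf_smb2_fscc_refs_snapshot_mgmt_operation, tvb, offset, 4, ENC_LITTLE_ENDIAN, &operation);
	offset += 4;

	proto_tree_add_item_ret_uint(tree, hf_smb2_fscc_refs_snapshot_mgmt_namelen, tvb, offset, 2, ENC_LITTLE_ENDIAN, &name_len);
	offset += 2;

	/* Shown in the tree only; the value is not used to bound the input buffer. */
	proto_tree_add_item_ret_uint(tree, hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len, tvb, offset, 2, ENC_LITTLE_ENDIAN, &input_buffer_len);
	offset += 2;

	proto_tree_add_item(tree, hf_smb2_fscc_refs_snapshot_mgmt_reserved, tvb, offset, 16, ENC_NA);
	offset += 16;

	/* name_len was read from a 2-byte field, so it is at most 65535. */
	if (name_len) {
		proto_tree_add_item(tree, hf_smb2_fscc_refs_snapshot_mgmt_name, tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		offset += name_len;
	}

	if (operation == REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS) {
		offset = dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT_Query_Delta(tvb, pinfo, tree, offset);
	}

	return offset;
}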
/*
 * FSCTL_SET_OBJECT_ID: the request is a FILE_OBJECTID_BUFFER; the reply has
 * no data. Returns the offset after what was dissected.
 */
static int
dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	return data_in
	    ? dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset)
	    : offset;
}
/*
 * FSCTL_SET_OBJECT_ID_EXTENDED: the request is the ExtendedInfo part of a
 * FILE_OBJECTID_BUFFER - birth volume id, birth object id and domain id,
 * 16 bytes each. The reply has no data. Returns the offset after what was
 * dissected.
 */
static int
dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	if (data_in) {
		proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset + 16, 16, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset + 32, 16, ENC_LITTLE_ENDIAN);
		offset += 48;
	}

	return offset;
}
/*
 * Add the 24-byte copychunk resume key to the tree, labelled "Opaque Data"
 * instead of showing its bytes. Returns offset + 24.
 */
static int
dissect_smb2_cchunk_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
{
	const int key_len = 24;

	proto_tree_add_bytes_format_value(tree, hf_smb2_cchunk_resume_key, tvb,
	    offset, key_len, NULL, "Opaque Data");

	return offset + key_len;
}
/*
 * FSCTL_SRV_REQUEST_RESUME_KEY: the request has no data; the reply is a
 * resume key followed by a 4-byte reserved field.
 */
static void
dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	if (!data_in) {
		const int after_key = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);

		proto_tree_add_item(tree, hf_smb2_reserved, tvb, after_key, 4, ENC_NA);
	}
}
/*
 * FSCTL_SRV_COPYCHUNK. The reply is three 32-bit counters (chunks written,
 * bytes written, total written). The request is a resume key, a 32-bit chunk
 * count, a 4-byte reserved field and then 24-byte chunk descriptors.
 */
static void
dissect_smb2_FSCTL_SRV_COPYCHUNK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	proto_tree *chunk_tree;
	proto_item *chunk_item;
	uint32_t    chunks_left = 0;

	if (!data_in) {
		proto_tree_add_item(tree, hf_smb2_cchunk_chunks_written, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_cchunk_bytes_written, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_cchunk_total_written, tvb, offset + 8, 4, ENC_LITTLE_ENDIAN);
		return;
	}

	/* Request, fixed part */
	offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
	proto_tree_add_item_ret_uint(tree, hf_smb2_cchunk_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &chunks_left);
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset + 4, 4, ENC_NA);
	offset += 8;

	/*
	 * Zero or more chunks. The count comes from the packet, so the loop
	 * also requires a complete 24-byte descriptor to be left in the
	 * reported data before dissecting one.
	 */
	for (; chunks_left != 0 && tvb_reported_length_remaining(tvb, offset) >= 24;
	     chunks_left--, offset += 24) {
		chunk_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_smb2_cchunk_entry, &chunk_item, "Chunk");
		proto_tree_add_item(chunk_tree, hf_smb2_cchunk_src_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(chunk_tree, hf_smb2_cchunk_dst_offset, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(chunk_tree, hf_smb2_cchunk_xfer_len, tvb, offset + 16, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(chunk_tree, hf_smb2_reserved, tvb, offset + 20, 4, ENC_NA);
	}
}
/*
 * Dissect the data of an NFS reparse point: an 8-byte type followed by
 * type-specific data. length is the reparse data length supplied by the
 * caller. Symlinks carry a UTF-16LE target, character and block devices
 * carry 32-bit major/minor numbers, FIFOs and sockets carry nothing, and any
 * other type value is left undissected.
 */
static void
dissect_smb2_reparse_nfs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, uint32_t length)
{
	const uint64_t nfs_type = tvb_get_letoh64(tvb, offset);
	const int      data_pos = offset + 8;

	proto_tree_add_item(tree, hf_smb2_nfs_type, tvb, offset, 8, ENC_LITTLE_ENDIAN);

	if (nfs_type == NFS_SPECFILE_LNK) {
		int target_len;

		/*
		 * According to [MS-FSCC] 2.1.2.6 "length" contains the 8-byte
		 * type plus the symlink target in Unicode, not
		 * NULL-terminated. Anything shorter than the type itself is
		 * rejected before the subtraction, which would otherwise wrap.
		 */
		if (length < 8) {
			THROW(ReportedBoundsError);
		}
		target_len = length - 8;
		proto_tree_add_item(tree, hf_smb2_nfs_symlink_target, tvb, data_pos,
		    target_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
	} else if (nfs_type == NFS_SPECFILE_CHR) {
		proto_tree_add_item(tree, hf_smb2_nfs_chr_major, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_nfs_chr_minor, tvb, data_pos + 4, 4, ENC_LITTLE_ENDIAN);
	} else if (nfs_type == NFS_SPECFILE_BLK) {
		proto_tree_add_item(tree, hf_smb2_nfs_blk_major, tvb, data_pos, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_nfs_blk_minor, tvb, data_pos + 4, 4, ENC_LITTLE_ENDIAN);
	}
	/* NFS_SPECFILE_FIFO, NFS_SPECFILE_SOCK: no data */
}
/*
 * Dissect a REPARSE_DATA_BUFFER: 32-bit tag, 16-bit data length, 16-bit
 * reserved, a 16-byte GUID when the tag's high bit is clear, then
 * tag-specific data. Symlink and NFS tags are decoded; any other tag's data
 * is shown as an unknown blob of the stated length.
 */
static void
dissect_smb2_FSCTL_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
{
	proto_tree *buf_tree = NULL;
	proto_item *buf_item = NULL;
	offset_length_buffer_t subst_olb, print_olb;
	uint32_t    reparse_tag;
	uint32_t    data_len;

	/* REPARSE_DATA_BUFFER */
	if (parent_tree != NULL) {
		buf_item = proto_tree_add_item(parent_tree, hf_smb2_reparse_data_buffer, tvb, offset, -1, ENC_NA);
		buf_tree = proto_item_add_subtree(buf_item, ett_smb2_reparse_data_buffer);
	}

	/* reparse tag */
	reparse_tag = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(buf_tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);

	/* reparse data length - sender-supplied, passed on unchecked to the
	 * tag-specific code below */
	data_len = tvb_get_letohs(tvb, offset + 4);
	proto_tree_add_item(buf_tree, hf_smb2_reparse_data_length, tvb, offset + 4, 2, ENC_LITTLE_ENDIAN);

	/* reserved */
	proto_tree_add_item(buf_tree, hf_smb2_reserved, tvb, offset + 6, 2, ENC_NA);
	offset += 8;

	/* if high bit is not set, this buffer has a GUID field */
	if ((reparse_tag & 0x80000000) == 0) {
		proto_tree_add_item(buf_tree, hf_smb2_reparse_guid, tvb, offset, 16, ENC_NA);
		offset += 16;
	}

	if (reparse_tag == REPARSE_TAG_SYMLINK) {
		/* substitute name and print name offset/length */
		offset = dissect_smb2_olb_length_offset(tvb, offset, &subst_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
		offset = dissect_smb2_olb_length_offset(tvb, offset, &print_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);

		/* flags */
		proto_tree_add_item(buf_tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* substitute name and print name strings, both located
		 * relative to the end of the flags field */
		dissect_smb2_olb_off_string(pinfo, buf_tree, tvb, &subst_olb, offset, OLB_TYPE_UNICODE_STRING);
		dissect_smb2_olb_off_string(pinfo, buf_tree, tvb, &print_olb, offset, OLB_TYPE_UNICODE_STRING);
	} else if (reparse_tag == REPARSE_TAG_NFS) {
		dissect_smb2_reparse_nfs(tvb, pinfo, buf_tree, offset, data_len);
	} else {
		proto_tree_add_item(buf_tree, hf_smb2_unknown, tvb, offset, data_len, ENC_NA);
	}
}
/* FSCTL_SET_REPARSE_POINT: only the request carries a reparse data buffer. */
static void
dissect_smb2_FSCTL_SET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, bool data_in)
{
	if (data_in) {
		dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
	}
}
/* FSCTL_GET_REPARSE_POINT: only the reply carries a reparse data buffer. */
static void
dissect_smb2_FSCTL_GET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, bool data_in)
{
	if (!data_in) {
		dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
	}
}
/*
 * FSCTL_GET_NTFS_VOLUME_DATA: the request has no data; the reply is a fixed
 * run of fourteen little-endian fields, added to the tree in wire order.
 */
static void
dissect_smb2_FSCTL_GET_NTFS_VOLUME_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	/* Field handle and width in bytes, in wire order. */
	static const struct {
		int *hf;
		int  width;
	} volume_fields[] = {
		{ &hf_smb2_ioctl_get_ntfs_volume_data_volume_serial, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_num_sectors, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_total_clusters, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_free_clusters, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_total_reserved, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector, 4 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster, 4 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment, 4 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment, 4 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start, 8 },
		{ &hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end, 8 },
	};
	unsigned i;

	/* There is no in data */
	if (data_in) {
		return;
	}

	for (i = 0; i < sizeof volume_fields / sizeof volume_fields[0]; i++) {
		proto_tree_add_item(tree, *volume_fields[i].hf, tvb, offset, volume_fields[i].width, ENC_LITTLE_ENDIAN);
		offset += volume_fields[i].width;
	}
}
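/*
 * Dispatch an IOCTL/FSCTL payload to the dissector for its control code.
 *
 * tvb            the input or output buffer of the IOCTL, already carved
 *                out of the packet by the caller
 * tree           subtree the payload fields are added to
 * top_tree       top-level tree, passed on to dissectors that start a new
 *                protocol layer (pipe data, RSVD tunnel)
 * ioctl_function control code taken from the packet
 * data_in        true for the input buffer, false for the output buffer
 * private_data   forwarded unchanged to the pipe transceive dissector
 *
 * Control codes without a dedicated dissector are shown as raw bytes.
 */
void
dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, uint32_t ioctl_function, bool data_in, void *private_data _U_)
{
	unsigned reported_len = tvb_reported_length(tvb);
	uint16_t dc;

	/*
	 * The DFS referral dissectors take a 16-bit byte count.  The buffer
	 * length comes from the packet and can exceed 65535; clamp it instead
	 * of letting the assignment wrap to an unrelated small value.
	 */
	dc = (reported_len > UINT16_MAX) ? UINT16_MAX : (uint16_t)reported_len;

	switch (ioctl_function) {
	case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
		if (data_in) {
			dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc, true);
		} else {
			dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc, true);
		}
		break;
	case 0x000940CF: /* FSCTL_QUERY_ALLOCATED_RANGES */
		dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00094264: /* FSCTL_OFFLOAD_READ */
		dissect_smb2_FSCTL_OFFLOAD_READ(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00098268: /* FSCTL_OFFLOAD_WRITE */
		dissect_smb2_FSCTL_OFFLOAD_WRITE(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x0011c017: /* FSCTL_PIPE_TRANSCEIVE */
		dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in, private_data);
		break;
	case 0x00110018: /* FSCTL_PIPE_WAIT */
		dissect_smb2_FSCTL_PIPE_WAIT(tvb, pinfo, tree, 0, top_tree, data_in);
		break;
	case 0x00140078: /* FSCTL_SRV_REQUEST_RESUME_KEY */
		dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
		dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
		dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
		dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
		dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00144064: /* FSCTL_SRV_ENUMERATE_SNAPSHOTS */
		dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x001440F2: /* FSCTL_SRV_COPYCHUNK */
	case 0x001480F2: /* FSCTL_SRV_COPYCHUNK_WRITE */
		dissect_smb2_FSCTL_SRV_COPYCHUNK(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x000900A4: /* FSCTL_SET_REPARSE_POINT */
		dissect_smb2_FSCTL_SET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x000900A8: /* FSCTL_GET_REPARSE_POINT */
		dissect_smb2_FSCTL_GET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
	case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
		dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x000900c4: /* FSCTL_SET_SPARSE */
		dissect_smb2_FSCTL_SET_SPARSE(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00098098: /* FSCTL_SET_OBJECT_ID */
		dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
		dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x000980C8: /* FSCTL_SET_ZERO_DATA */
		dissect_smb2_FSCTL_SET_ZERO_DATA(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x0009003C: /* FSCTL_GET_COMPRESSION */
		dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00090300: /* FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT */
		dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00090304: /* FSCTL_SVHDX_SYNC_TUNNEL or response */
	case 0x00090364: /* FSCTL_SVHDX_ASYNC_TUNNEL or response */
		call_dissector_with_data(rsvd_handle, tvb, pinfo, top_tree, &data_in);
		break;
	case 0x00090350: /* FSCTL_STORAGE_QOS_CONTROL */
		dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x0009C040: /* FSCTL_SET_COMPRESSION */
		dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00090284: /* FSCTL_QUERY_FILE_REGIONS */
		dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x0009C280: /* FSCTL_SET_INTEGRITY_INFORMATION request or response */
		dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00090064: /* FSCTL_GET_NTFS_VOLUME_DATA */
		dissect_smb2_FSCTL_GET_NTFS_VOLUME_DATA(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00090380: /* FSCTL_SET_INTEGRITY_INFORMATION_EX */
		dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION_EX(tvb, pinfo, tree, 0, data_in);
		break;
	case 0x00090440: /* FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT */
		dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT(tvb, pinfo, tree, 0, data_in);
		break;
	default:
		/* no dedicated dissector: show the captured bytes undecoded */
		proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
		break;
	}
}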
/*
 * Buffer callback for the IOCTL input data: records the pipe file id and
 * dispatches on si->ioctl_function with data_in set.
 */
static void
dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	const bool is_input = true;

	smb2_pipe_set_file_id(pinfo, si);
	dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, is_input, si);
}
/*
 * Buffer callback for the IOCTL output data: records the pipe file id and
 * dispatches on si->ioctl_function with data_in cleared.
 */
static void
dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	const bool is_input = false;

	smb2_pipe_set_file_id(pinfo, si);
	dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, is_input, si);
}
/*
 * Dissect an SMB2 IOCTL request: the fixed header fields, then the input
 * and output buffers the header points at.  The control code read here is
 * stored in si->ioctl_function for the buffer callbacks.
 *
 * The buffer offsets and lengths are taken from the packet, so nothing is
 * assumed about their order.
 *
 * Returns the offset after the request; presumably the furthest end of the
 * header and both buffers (see dissect_smb2_olb_tvb_max_offset).
 */
static int
dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t out_buf;
	offset_length_buffer_t in_buf;
	proto_tree *flags_tree = NULL;
	proto_item *hash_item;
	bool out_buf_first;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* ioctl function */
	offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);

	/* fid hash: generated item, not backed by packet bytes */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* in buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &in_buf, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);

	/* max ioctl in size */
	proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* out buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &out_buf, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);

	/* max ioctl out size */
	proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* flags: the subtree is only built when a tree is being populated */
	if (tree) {
		flags_tree = proto_item_add_subtree(
			proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN),
			ett_smb2_ioctl_flags);
	}
	proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* try to decode these blobs in the order they were encoded
	 * so that for "short" packets we will dissect as much as possible
	 * before aborting with "short packet"
	 */
	out_buf_first = in_buf.off > out_buf.off;
	if (out_buf_first) {
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &out_buf, si, dissect_smb2_ioctl_data_out);
	}
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &in_buf, si, dissect_smb2_ioctl_data_in);
	if (!out_buf_first) {
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &out_buf, si, dissect_smb2_ioctl_data_out);
	}

	offset = dissect_smb2_olb_tvb_max_offset(offset, &out_buf);
	offset = dissect_smb2_olb_tvb_max_offset(offset, &in_buf);

	return offset;
}
/*
 * Dissect an SMB2 IOCTL response.  A success status and status 0x80000005
 * (buffer overflow, data truncated) are decoded as a normal response; any
 * other status goes through the error-response dissector, which decides
 * whether dissection continues.
 *
 * The buffer offsets and lengths are taken from the packet, so nothing is
 * assumed about their order.
 */
static int
dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t out_buf;
	offset_length_buffer_t in_buf;
	bool continue_dissection;
	proto_item *hash_item;
	bool out_buf_first;

	/* buffer code */
	/* if we get BUFFER_OVERFLOW there will be truncated data */
	if (si->status == 0x00000000 || si->status == 0x80000005) {
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* ioctl function */
	offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);

	/* fid hash: generated item, not backed by packet bytes */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* in buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &in_buf, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);

	/* out buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &out_buf, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);

	/* flags: reserved: must be zero */
	proto_tree_add_item(tree, hf_smb2_flags, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* try to decode these blobs in the order they were encoded
	 * so that for "short" packets we will dissect as much as possible
	 * before aborting with "short packet"
	 */
	out_buf_first = in_buf.off > out_buf.off;
	if (out_buf_first) {
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &out_buf, si, dissect_smb2_ioctl_data_out);
	}
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &in_buf, si, dissect_smb2_ioctl_data_in);
	if (!out_buf_first) {
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &out_buf, si, dissect_smb2_ioctl_data_out);
	}

	offset = dissect_smb2_olb_tvb_max_offset(offset, &in_buf);
	offset = dissect_smb2_olb_tvb_max_offset(offset, &out_buf);

	return offset;
}
/* Flag bits of an SMB2 READ request */
#define SMB2_READFLAG_READ_UNBUFFERED	0x01
#define SMB2_READFLAG_READ_COMPRESSED	0x02

/* Display strings for the unbuffered-read flag */
static const true_false_string tfs_read_unbuffered = {
	"Client is asking for UNBUFFERED read",
	"Client is NOT asking for UNBUFFERED read"
};

/* Display strings for the compressed-read flag */
static const true_false_string tfs_read_compressed = {
	"Client is asking for COMPRESSED data",
	"Client is NOT asking for COMPRESSED data"
};
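/*
 * Dissect an SMB2 READ request.
 *
 * The requested length and file offset are shown in the Info column and,
 * when per-request state exists (si->saved), stored there so the matching
 * response can be related to them.  Both values come straight from the
 * packet.
 *
 * Returns the offset after the request, including the channel info blob.
 */
static int
dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t c_olb;
	uint32_t channel;
	uint32_t len;
	uint64_t off;
	proto_item *item;

	static int * const flags[] = {
		&hf_smb2_read_flags_unbuffered,
		&hf_smb2_read_flags_compressed,
		NULL
	};

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* padding */
	proto_tree_add_item(tree, hf_smb2_read_padding, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* flags */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_read_flags,
			       ett_smb2_read_flags, flags, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* length */
	len = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* offset */
	off = tvb_get_letoh64(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/*
	 * len is an unsigned 32-bit wire value; print it as such so that a
	 * length of 0x80000000 or more does not show up as a negative number.
	 */
	col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%" PRIu32 " Off:%" PRIu64, len, off);

	/* fid hash: generated item, not backed by packet bytes */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* minimum count */
	proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* channel */
	channel = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* remaining bytes */
	proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* read channel info blob offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);

	/* the read channel info blob itself */
	switch (channel) {
	case SMB2_CHANNEL_RDMA_V1:
	case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
		break;
	case SMB2_CHANNEL_NONE:
	default:
		/* no blob dissector for this channel value */
		dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
		break;
	}

	offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);

	/* Store len and offset */
	if (si->saved) {
		si->saved->file_offset = off;
		si->saved->bytes_moved = len;
	}

	return offset;
}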
/*
 * Buffer callback for the payload of a READ response.  The data is first
 * offered to the named-pipe dissector; if that consumes nothing, it is
 * added to the tree as opaque read data.
 */
static void
dissect_smb2_read_blob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	int payload_len = tvb_captured_length_remaining(tvb, 0);
	int consumed;

	smb2_pipe_set_file_id(pinfo, si);

	consumed = dissect_file_data_smb2_pipe(tvb, pinfo, tree, 0, payload_len, si->top_tree, si);
	if (consumed == 0) {
		/* not pipe data: show the raw bytes */
		proto_tree_add_item(tree, hf_smb2_read_data, tvb, 0, payload_len, ENC_NA);
	}
}
/*
 * Dissect an SMB2 READ response.  A non-success status goes through the
 * error-response dissector, which decides whether dissection continues.
 *
 * The payload is handed to the export-object tap only when the bytes left
 * in the capture after the header equal the length declared in the packet,
 * and only when the file it belongs to is known.
 * NOTE(review): the comparison uses the bytes remaining after the fixed
 * header, not after olb.off; feed_eo_smb2 is not visible here, so confirm
 * that it copes with a declared data offset that points elsewhere.
 */
static int
dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	offset_length_buffer_t olb;
	uint32_t captured_after_hdr;
	bool continue_dissection;
	proto_item *hash_item;

	/* buffer code */
	if (si->status == 0x00000000) {
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* data offset 8 bit, 8 bit reserved, length 32bit */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb,
						OLB_O_UINT8_P_UINT8_S_UINT32,
						hf_smb2_read_blob);

	/* remaining */
	proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* fid hash: generated item, not backed by packet bytes */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	captured_after_hdr = (uint32_t)tvb_captured_length_remaining(tvb, offset);

	dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_read_blob);

	/* never advance past what was actually captured */
	offset += MIN(olb.len, captured_after_hdr);

	/* without saved/eo_file_info we don't know which file this belongs to */
	if (have_tap_listener(smb2_eo_tap) && (captured_after_hdr == olb.len) &&
	    si->saved && si->eo_file_info) {
		feed_eo_smb2(tvb, pinfo, si, olb.off, olb.len, si->saved->file_offset);
	}

	return offset;
}
/*
 * Attach an expert item covering the whole buffer which says that the
 * create context named by buffer_desc should not have been generated.
 */
static void
report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, const char *buffer_desc)
{
	proto_tree_add_expert_format(tree, pinfo, &ei_smb2_bad_response,
				     tvb, 0, -1,
				     "%s SHOULD NOT be generated", buffer_desc);
}
/* ExtA create context (request): labelled and decoded as SMB2_FILE_FULL_EA_INFO. */
static void
dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	if (tree) {
		proto_item_append_text(proto_tree_get_parent(tree), ": SMB2_FILE_FULL_EA_INFO");
	}

	dissect_smb2_file_full_ea_info(tvb, pinfo, tree, 0, si);
}
/* ExtA create context (response): not expected, so it is only reported. */
static void
dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char context_name[] = "ExtA Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, context_name);
}
/* SecD create context (request): labelled and decoded as SMB2_SEC_INFO_00. */
static void
dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	if (tree) {
		proto_item_append_text(proto_tree_get_parent(tree), ": SMB2_SEC_INFO_00");
	}

	dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
}
/* SecD create context (response): not expected, so it is only reported. */
static void
dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char context_name[] = "SecD Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, context_name);
}
/*
 * Read the 64-bit FILETIME at offset, append it as "@<UTC time>" to the
 * Info column and, on the first pass over the packet only, to the file
 * name saved for this request.
 *
 * Nothing is added when the FILETIME cannot be converted.  The saved name
 * is replaced by a new file-scope string and the old one is freed.
 */
static void
add_timestamp_to_info_col(tvbuff_t *tvb, packet_info *pinfo, smb2_info_t *si,
			  int offset)
{
	uint32_t lo_word, hi_word;
	nstime_t ts;
	char *old_name;

	lo_word = tvb_get_letohl(tvb, offset);
	hi_word = tvb_get_letohl(tvb, offset + 4);

	if (!filetime_to_nstime(&ts, ((uint64_t)hi_word << 32) | lo_word)) {
		return;
	}

	col_append_fstr(pinfo->cinfo, COL_INFO, "@%s",
			abs_time_to_str(pinfo->pool, &ts, ABSOLUTE_TIME_UTC,
					false));

	/* Only rename once: later passes would append the timestamp again */
	if (pinfo->fd->visited) {
		return;
	}
	if (!si->saved || si->saved->extra_info_type != SMB2_EI_FILENAME) {
		return;
	}

	/* NOTE(review): assumes extra_info is a non-NULL file-scope string here; confirm */
	old_name = (char *)si->saved->extra_info;
	si->saved->extra_info = wmem_strdup_printf(wmem_file_scope(),
						   "%s@%s", (char *)old_name,
						   abs_time_to_str(pinfo->pool, &ts,
								   ABSOLUTE_TIME_UTC, false));
	wmem_free(wmem_file_scope(), old_name);
}
/*
 * TWrp create context (request): a single NT timestamp, also appended to
 * the Info column and to the saved file name.
 */
static void
dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	if (tree) {
		proto_item_append_text(proto_tree_get_parent(tree), ": Timestamp");
	}

	add_timestamp_to_info_col(tvb, pinfo, si, 0);
	dissect_nttime(tvb, tree, 0, hf_smb2_twrp_timestamp, ENC_LITTLE_ENDIAN);
}
/* TWrp create context (response): not expected, so it is only reported. */
static void
dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char context_name[] = "TWrp Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, context_name);
}
/*
 * QFid create context (request): carries no data.  The parent item is
 * annotated with "NO DATA", or with a malformed-packet remark when the
 * buffer is not empty.  Nothing is done when there is no tree or no parent.
 */
static void
dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_item *parent;

	if (!tree) {
		return;
	}

	parent = proto_tree_get_parent(tree);
	if (!parent) {
		return;
	}

	if (tvb_reported_length(tvb) != 0) {
		proto_item_append_text(parent, ": QFid request should have no data, malformed packet");
	} else {
		proto_item_append_text(parent, ": NO DATA");
	}
}
/* QFid create context (response): a 32-byte opaque file id shown under "QFid INFO". */
static void
dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_tree *qfid_tree;

	proto_item_append_text(proto_tree_get_parent(tree), ": QFid INFO");
	qfid_tree = proto_tree_add_subtree(tree, tvb, 0, -1, ett_smb2_QFid_buffer, NULL, "QFid INFO");

	proto_tree_add_item(qfid_tree, hf_smb2_qfid_fid, tvb, 0, 32, ENC_NA);
}
/* AlSi create context (request): one 8-byte little-endian allocation size. */
static void
dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	const int start = 0;
	const int width = 8;

	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, start, width, ENC_LITTLE_ENDIAN);
}
/* AlSi create context (response): not expected, so it is only reported. */
static void
dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char context_name[] = "AlSi Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, context_name);
}
/* DHnQ create context (request): a file id, dissected in FID_MODE_DHNQ. */
static void
dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	const int start = 0;

	/* the returned offset is not needed: the fid is the whole buffer */
	dissect_smb2_fid(tvb, pinfo, tree, start, si, FID_MODE_DHNQ);
}
/* DHnQ create context (response): 8 reserved bytes. */
static void
dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	const int start = 0;
	const int width = 8;

	proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, start, width, ENC_LITTLE_ENDIAN);
}
/* DHnC create context (request): a file id, dissected in FID_MODE_DHNC. */
static void
dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	const int start = 0;

	/* the returned offset is not needed: the fid is the whole buffer */
	dissect_smb2_fid(tvb, pinfo, tree, start, si, FID_MODE_DHNC);
}
/* DHnC create context (response): not expected, so it is only reported. */
static void
dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char context_name[] = "DHnC Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, context_name);
}
/*
 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
 *   4 - timeout
 *   4 - flags
 *   8 - reserved
 *  16 - create guid
 *
 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
 *   4 - timeout
 *   4 - flags
 *
 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
 *  16 - file id
 *  16 - create guid
 *   4 - flags
 *
 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2 (presumably the response)
 *  - nothing -
 */
#define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE	0x00000002
/*
 * DH2Q create context (request): timeout, flags, 8 reserved bytes and the
 * create GUID, shown under a "DH2Q Request" subtree.
 */
static void
dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	static int * const dh2x_flags_fields[] = {
		&hf_smb2_dh2x_buffer_flags_persistent_handle,
		NULL
	};
	proto_tree *dh2q_tree;
	int pos = 0;

	proto_item_append_text(proto_tree_get_parent(tree), ": DH2Q Request");
	dh2q_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Request");

	/* timeout */
	proto_tree_add_item(dh2q_tree, hf_smb2_dh2x_buffer_timeout, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* flags */
	proto_tree_add_bitmask(dh2q_tree, tvb, pos, hf_smb2_dh2x_buffer_flags,
			       ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* reserved */
	proto_tree_add_item(dh2q_tree, hf_smb2_dh2x_buffer_reserved, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* create guid */
	proto_tree_add_item(dh2q_tree, hf_smb2_dh2x_buffer_create_guid, tvb, pos, 16, ENC_LITTLE_ENDIAN);
}
/*
 * DH2Q create context (response): timeout and flags, shown under a
 * "DH2Q Response" subtree.  The flags are added as a plain integer here,
 * not as a bitmask.
 */
static void
dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_tree *dh2q_tree;
	int pos = 0;

	proto_item_append_text(proto_tree_get_parent(tree), ": DH2Q Response");
	dh2q_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Response");

	/* timeout */
	proto_tree_add_item(dh2q_tree, hf_smb2_dh2x_buffer_timeout, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* flags */
	proto_tree_add_item(dh2q_tree, hf_smb2_dh2x_buffer_flags, tvb, pos, 4, ENC_LITTLE_ENDIAN);
}
/*
 * DH2C create context (request): 16-byte file id, create GUID and flags,
 * shown under a "DH2C Request" subtree.
 */
static void
dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	proto_tree *dh2c_tree;
	int pos = 0;

	proto_item_append_text(proto_tree_get_parent(tree), ": DH2C Request");
	dh2c_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_DH2C_buffer, NULL, "DH2C Request");

	/* file id: advance by its fixed size rather than the returned offset */
	dissect_smb2_fid(tvb, pinfo, dh2c_tree, pos, si, FID_MODE_DHNC);
	pos += 16;

	/* create guid */
	proto_tree_add_item(dh2c_tree, hf_smb2_dh2x_buffer_create_guid, tvb, pos, 16, ENC_LITTLE_ENDIAN);
	pos += 16;

	/* flags */
	proto_tree_add_item(dh2c_tree, hf_smb2_dh2x_buffer_flags, tvb, pos, 4, ENC_LITTLE_ENDIAN);
}
/* DH2C create context (response): not expected, so it is only reported. */
static void
dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char context_name[] = "DH2C Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, context_name);
}
/*
 * MxAc create context (request): either empty, or a single NT timestamp.
 * The parent item, when there is one, is annotated accordingly.
 */
static void
dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_item *parent = tree ? proto_tree_get_parent(tree) : NULL;
	bool empty = (tvb_reported_length(tvb) == 0);

	if (parent) {
		if (empty) {
			proto_item_append_text(parent, ": NO DATA");
		} else {
			proto_item_append_text(parent, ": Timestamp");
		}
	}

	if (!empty) {
		dissect_nttime(tvb, tree, 0, hf_smb2_mxac_timestamp, ENC_LITTLE_ENDIAN);
	}
}
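/*
 * MxAc create context (response): either empty, or a 4-byte query status
 * followed by the maximal access mask, shown under an "MxAc INFO" subtree.
 */
static void
dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item;
	proto_tree *sub_tree;

	item = proto_tree_get_parent(tree);

	if (tvb_reported_length(tvb) == 0) {
		proto_item_append_text(item, ": NO DATA");
		return;
	}

	proto_item_append_text(item, ": MxAc INFO");
	sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_MxAc_buffer, NULL, "MxAc INFO");

	/*
	 * The status is an SMB2 wire integer like every other field decoded
	 * in this file, i.e. little-endian; reading it big-endian would show
	 * any non-zero status byte-swapped.
	 */
	proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	dissect_smb_access_mask(tvb, sub_tree, offset);
}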
/*
 * SMB2_CREATE_REQUEST_LEASE 32
 *  16 - lease key
 *   4 - lease state
 *   4 - lease flags
 *   8 - lease duration
 *
 * SMB2_CREATE_REQUEST_LEASE_V2 52
 *  16 - lease key
 *   4 - lease state
 *   4 - lease flags
 *   8 - lease duration
 *  16 - parent lease key
 *   2 - epoch
 *   2 - reserved
 */
/* lease state bits */
#define SMB2_LEASE_STATE_READ_CACHING		0x00000001
#define SMB2_LEASE_STATE_HANDLE_CACHING		0x00000002
#define SMB2_LEASE_STATE_WRITE_CACHING		0x00000004

/* lease flag bits */
#define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED	0x00000001
#define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS	0x00000002
#define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET	0x00000004

/* NULL-terminated field lists handed to proto_tree_add_bitmask() */
static int * const lease_state_fields[] = {
	&hf_smb2_lease_state_read_caching,
	&hf_smb2_lease_state_handle_caching,
	&hf_smb2_lease_state_write_caching,
	NULL
};
static int * const lease_flags_fields[] = {
	&hf_smb2_lease_flags_break_ack_required,
	&hf_smb2_lease_flags_break_in_progress,
	&hf_smb2_lease_flags_parent_lease_key_set,
	NULL
};
/*
 * Dissect a lease create context (request or response).  The version is
 * chosen from the buffer length found in the packet: 32 bytes is V1,
 * 52 bytes is V2.  Any other length is reported via an expert item.
 *
 * NOTE(review): for an unexpected length sub_tree stays NULL and the field
 * calls below still run; presumably they then only bounds-check the buffer
 * without showing anything - confirm that this is intended.
 */
static void
dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int pos = 0;
	int buf_len;
	proto_tree *sub_tree = NULL;
	proto_item *parent_item;

	parent_item = proto_tree_get_parent(parent_tree);

	buf_len = tvb_reported_length(tvb);

	if (buf_len == 32) {
		/* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
		proto_item_append_text(parent_item, ": LEASE_V1");
		sub_tree = proto_tree_add_subtree(parent_tree, tvb, pos, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V1");
	} else if (buf_len == 52) {
		/* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
		proto_item_append_text(parent_item, ": LEASE_V2");
		sub_tree = proto_tree_add_subtree(parent_tree, tvb, pos, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V2");
	} else {
		report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
	}

	/* fields common to V1 and V2 */
	proto_tree_add_item(sub_tree, hf_smb2_lease_key, tvb, pos, 16, ENC_LITTLE_ENDIAN);
	pos += 16;

	proto_tree_add_bitmask(sub_tree, tvb, pos, hf_smb2_lease_state,
			       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
	pos += 4;

	proto_tree_add_bitmask(sub_tree, tvb, pos, hf_smb2_lease_flags,
			       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
	pos += 4;

	proto_tree_add_item(sub_tree, hf_smb2_lease_duration, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* the remaining fields exist only when at least 52 bytes were sent */
	if (buf_len >= 52) {
		proto_tree_add_item(sub_tree, hf_smb2_parent_lease_key, tvb, pos, 16, ENC_LITTLE_ENDIAN);
		pos += 16;

		proto_tree_add_item(sub_tree, hf_smb2_lease_epoch, tvb, pos, 2, ENC_LITTLE_ENDIAN);
		pos += 2;

		proto_tree_add_item(sub_tree, hf_smb2_lease_reserved, tvb, pos, 2, ENC_LITTLE_ENDIAN);
	}
}
/* RqLs create context (request): same layout as the response, shared dissector. */
static void
dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_tree *lease_parent = tree;

	dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, lease_parent, si);
}
/* RqLs create context (response): same layout as the request, shared dissector. */
static void
dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_tree *lease_parent = tree;

	dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, lease_parent, si);
}
9372 * SMB2_CREATE_APP_INSTANCE_ID
9373 * 2 - structure size - 20
9374 * 2 - reserved
9375 * 16 - application guid
/*
 * SMB2_CREATE_APP_INSTANCE_ID (request): structure size, reserved and the
 * 16-byte application GUID, shown under an "APP INSTANCE ID" subtree.
 * The structure size is displayed but not checked against the buffer.
 */
static void
dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_tree *app_tree;
	int pos = 0;

	proto_item_append_text(proto_tree_get_parent(tree), ": CREATE APP INSTANCE ID");
	app_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_APP_INSTANCE_buffer, NULL, "APP INSTANCE ID");

	/* struct size */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* reserved */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* application guid */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, pos, 16, ENC_LITTLE_ENDIAN);
}
/* APP INSTANCE create context (response): not expected, so it is only reported. */
static void
dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char context_name[] = "APP INSTANCE Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, context_name);
}
/*
 * Dissect the MS-RSVD stuff that turns up when HyperV uses SMB3.x
 *
 * The fields are read at fixed positions from the start of the context
 * data. The five trailing fields are only dissected when the Version
 * field equals 2.
 */
static void
dissect_smb2_svhdx_open_device_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_item *parent;
	proto_item *ctx_tree;
	uint32_t    ctx_version;
	int         pos = 0;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": SVHDX OPEN DEVICE CONTEXT");
	ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_svhdx_open_device_context, NULL, "SVHDX OPEN DEVICE CONTEXT");

	/* Version (4 bytes); the value selects the layout below */
	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_svhdx_open_device_context_version, tvb, pos, 4, ENC_LITTLE_ENDIAN, &ctx_version);
	pos += 4;

	/* HasInitiatorId (1 byte) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_has_initiator_id, tvb, pos, 1, ENC_LITTLE_ENDIAN);
	pos += 1;

	/* Reserved (3 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_reserved, tvb, pos, 3, ENC_NA);
	pos += 3;

	/* InitiatorId (16 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_initiator_id, tvb, pos, 16, ENC_LITTLE_ENDIAN);
	pos += 16;

	/* Flags (4 bytes) TODO: Dissect these */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_flags, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* OriginatorFlags (4 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_originator_flags, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* OpenRequestId (8 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_open_request_id, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* InitiatorHostNameLength (2 bytes); shown only, not used to size the name below */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_initiator_host_name_len, tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* InitiatorHostName: always dissected as a fixed 126-byte field */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_initiator_host_name, tvb, pos, 126, ENC_ASCII | ENC_NA);
	pos += 126;

	/* everything after this point exists only in the version 2 layout */
	if (version_is_not_two(ctx_version))
		return;

	/* VirtualDiskPropertiesInitialized (4 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* ServerServiceVersion (4 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_server_service_version, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* VirtualSectorSize (4 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_virtual_sector_size, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* PhysicalSectorSize (4 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_physical_sector_size, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* VirtualSize (8 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_virtual_size, tvb, pos, 8, ENC_LITTLE_ENDIAN);
}
/*
 * SMB2_CREATE_APP_INSTANCE_VERSION
 *  2 - structure size - 24
 *  2 - reserved
 *  4 - padding
 *  8 - AppInstanceVersionHigh
 *  8 - AppInstanceVersionLow
 *
 * The two 64-bit halves are read back from the tree items and appended to
 * the subtree labels as "high.low".
 */
static void
dissect_smb2_app_instance_version_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	proto_item *parent;
	proto_item *ctx_tree;
	proto_item *ver_tree;
	uint64_t    ver_hi;
	uint64_t    ver_lo;
	int         pos = 0;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": CREATE APP INSTANCE VERSION");
	ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_app_instance_version_buffer, NULL, "APP INSTANCE VERSION");

	/* structure size (2 bytes); displayed, not validated here */
	proto_tree_add_item(ctx_tree, hf_smb2_app_instance_version_struct_size, tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* reserved (2 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_app_instance_version_reserved, tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* padding (4 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_app_instance_version_padding, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* both version halves live under their own subtree */
	ver_tree = proto_tree_add_subtree(ctx_tree, tvb, pos, -1, ett_smb2_app_instance_version_buffer_version, NULL, "version");

	/* version high (8 bytes) */
	proto_tree_add_item_ret_uint64(ver_tree, hf_smb2_app_instance_version_high, tvb, pos, 8, ENC_LITTLE_ENDIAN, &ver_hi);
	pos += 8;

	/* version low (8 bytes) */
	proto_tree_add_item_ret_uint64(ver_tree, hf_smb2_app_instance_version_low, tvb, pos, 8, ENC_LITTLE_ENDIAN, &ver_lo);

	proto_item_append_text(ver_tree, " : %" PRIu64 ".%" PRIu64, ver_hi, ver_lo);
	proto_item_append_text(ctx_tree, ", version: %" PRIu64 ".%" PRIu64, ver_hi, ver_lo);
}
/*
 * Response-side handler for the APP INSTANCE VERSION create context.
 * Nothing is dissected; the buffer is passed straight to
 * report_create_context_malformed_buffer() (helper not shown in this part
 * of the file; presumably it flags the buffer as unexpected).
 */
static void
dissect_smb2_app_instance_version_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Version Response");
}
/*
 * POSIX create context, request side: a single 4-byte mode-bits field at
 * the start of the data. tvb and tree are tagged _U_ in the signature but
 * are used below.
 */
static void
dissect_smb2_posix_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
{
	proto_item *parent;
	int         pos = 0;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": POSIX Create Context request");

	/* POSIX mode bits (4 bytes) */
	proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, pos, 4, ENC_LITTLE_ENDIAN);
}
/*
 * POSIX create context, response side: three 4-byte fields followed by the
 * owner SID and the group SID. The SIDs are variable length, so the group
 * SID starts wherever dissect_nt_sid() reports the owner SID ended.
 * tvb and tree are tagged _U_ in the signature but are used below.
 */
static void
dissect_smb2_posix_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
{
	proto_item *parent;
	int         pos = 0;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": POSIX Create Context response");

	/* hard link count (4 bytes) */
	proto_tree_add_item(tree, hf_smb2_nlinks, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* reparse tag (4 bytes) */
	proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* POSIX mode bits (4 bytes) */
	proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* owner SID, then group SID directly after it */
	pos = dissect_nt_sid(tvb, pos, tree, "Owner SID", NULL, -1);
	dissect_nt_sid(tvb, pos, tree, "Group SID", NULL, -1);
}
/* Command codes carried in the first 4 bytes of an AAPL create context */
#define SMB2_AAPL_SERVER_QUERY	1
#define SMB2_AAPL_RESOLVE_ID	2

/* Display names for the command codes above */
static const value_string aapl_command_code_vals[] = {
	{ SMB2_AAPL_SERVER_QUERY,	"Server query"},
	{ SMB2_AAPL_RESOLVE_ID,		"Resolve ID"},
	{ 0, NULL }
};

/* Bits of the server-query bitmap; they select which reply sections follow */
#define SMB2_AAPL_SERVER_CAPS	0x00000001
#define SMB2_AAPL_VOLUME_CAPS	0x00000002
#define SMB2_AAPL_MODEL_INFO	0x00000004

/* NULL-terminated field list handed to the bitmask helpers for that bitmap */
static int * const aapl_server_query_bitmap_fields[] = {
	&hf_smb2_aapl_server_query_bitmask_server_caps,
	&hf_smb2_aapl_server_query_bitmask_volume_caps,
	&hf_smb2_aapl_server_query_bitmask_model_info,
	NULL
};

/* Capability bits (client capabilities in a request, server capabilities in a reply) */
#define SMB2_AAPL_SUPPORTS_READ_DIR_ATTR	0x00000001
#define SMB2_AAPL_SUPPORTS_OSX_COPYFILE		0x00000002
#define SMB2_AAPL_UNIX_BASED			0x00000004
#define SMB2_AAPL_SUPPORTS_NFS_ACE		0x00000008

/* NULL-terminated field list for the capabilities bitmask */
static int * const aapl_server_query_caps_fields[] = {
	&hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
	&hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
	&hf_smb2_aapl_server_query_caps_unix_based,
	&hf_smb2_aapl_server_query_caps_supports_nfs_ace,
	NULL
};
/*
 * AAPL create context, request side.
 *
 * Layout as dissected: 4-byte command code, 4 reserved bytes, then a body
 * chosen by the command code. Unknown command codes get no body dissection.
 * tvb and tree are tagged _U_ in the signature but are used below.
 */
static void
dissect_smb2_AAPL_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
{
	proto_item *parent;
	proto_item *ctx_tree;
	uint32_t    cmd;
	int         pos = 0;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": AAPL Create Context request");
	ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_aapl_create_context_request, NULL, "AAPL Create Context request");

	/* command code (4 bytes) */
	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_aapl_command_code, tvb, pos, 4, ENC_LITTLE_ENDIAN, &cmd);
	pos += 4;

	/* reserved (4 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_aapl_reserved, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	if (cmd == SMB2_AAPL_SERVER_QUERY) {
		/* request bitmap; the code steps 8 bytes past it */
		proto_tree_add_bitmask(ctx_tree, tvb, pos, hf_smb2_aapl_server_query_bitmask,
				       ett_smb2_aapl_server_query_bitmask,
				       aapl_server_query_bitmap_fields, ENC_LITTLE_ENDIAN);
		pos += 8;

		/* client capabilities */
		proto_tree_add_bitmask(ctx_tree, tvb, pos, hf_smb2_aapl_server_query_caps,
				       ett_smb2_aapl_server_query_caps,
				       aapl_server_query_caps_fields, ENC_LITTLE_ENDIAN);
	} else if (cmd == SMB2_AAPL_RESOLVE_ID) {
		/* file ID (8 bytes) */
		proto_tree_add_item(ctx_tree, hf_smb2_file_id, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	}
}
/* Volume capability bits reported in an AAPL server-query reply */
#define SMB2_AAPL_SUPPORTS_RESOLVE_ID	0x00000001
#define SMB2_AAPL_CASE_SENSITIVE	0x00000002
#define SMB2_AAPL_SUPPORTS_FULL_SYNC	0x00000004

/* NULL-terminated field list for the volume capabilities bitmask */
static int * const aapl_server_query_volume_caps_fields[] = {
	&hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
	&hf_smb2_aapl_server_query_volume_caps_case_sensitive,
	&hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
	NULL
};
/*
 * AAPL create context, response side.
 *
 * Layout as dissected: 4-byte command code, 4 reserved bytes, then a body
 * chosen by the command code. For a server query the reply bitmap, which
 * comes from the packet, decides which optional sections are read and
 * therefore where each later section is expected to start.
 * tvb and tree are tagged _U_ in the signature but are used below.
 */
static void
dissect_smb2_AAPL_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
{
	proto_item *parent;
	proto_item *ctx_tree;
	uint32_t    cmd;
	uint64_t    reply_bits;
	int         pos = 0;

	parent = proto_tree_get_parent(tree);
	proto_item_append_text(parent, ": AAPL Create Context response");
	ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_aapl_create_context_response, NULL, "AAPL Create Context response");

	/* command code (4 bytes) */
	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_aapl_command_code, tvb, pos, 4, ENC_LITTLE_ENDIAN, &cmd);
	pos += 4;

	/* reserved (4 bytes) */
	proto_tree_add_item(ctx_tree, hf_smb2_aapl_reserved, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	if (cmd == SMB2_AAPL_SERVER_QUERY) {
		/* reply bitmap; its value gates the sections below */
		proto_tree_add_bitmask_ret_uint64(ctx_tree, tvb, pos, hf_smb2_aapl_server_query_bitmask,
						  ett_smb2_aapl_server_query_bitmask,
						  aapl_server_query_bitmap_fields, ENC_LITTLE_ENDIAN,
						  &reply_bits);
		pos += 8;

		if (reply_bits & SMB2_AAPL_SERVER_CAPS) {
			/* server capabilities */
			proto_tree_add_bitmask(ctx_tree, tvb, pos, hf_smb2_aapl_server_query_caps,
					       ett_smb2_aapl_server_query_caps,
					       aapl_server_query_caps_fields, ENC_LITTLE_ENDIAN);
			pos += 8;
		}

		if (reply_bits & SMB2_AAPL_VOLUME_CAPS) {
			/* volume capabilities */
			proto_tree_add_bitmask(ctx_tree, tvb, pos, hf_smb2_aapl_server_query_volume_caps,
					       ett_smb2_aapl_server_query_volume_caps,
					       aapl_server_query_volume_caps_fields, ENC_LITTLE_ENDIAN);
			pos += 8;
		}

		if (reply_bits & SMB2_AAPL_MODEL_INFO) {
			/* 4 bytes of padding are skipped without being shown */
			pos += 4;

			/*
			 * Model string. The item is added with a length of 4;
			 * NOTE(review): presumably the field type is a string
			 * with a 4-byte length prefix - confirm against the hf
			 * registration.
			 */
			proto_tree_add_item(ctx_tree, hf_smb2_aapl_server_query_model_string, tvb, pos, 4, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		}
	} else if (cmd == SMB2_AAPL_RESOLVE_ID) {
		/* NT status (4 bytes) */
		proto_tree_add_item(ctx_tree, hf_smb2_nt_status, tvb, pos, 4, ENC_LITTLE_ENDIAN);
		pos += 4;

		/* server path, added the same way as the model string above */
		proto_tree_add_item(ctx_tree, hf_smb2_aapl_server_query_server_path, tvb, pos, 4, ENC_UTF_16|ENC_LITTLE_ENDIAN);
	}
}
/* Signature shared by every create-context data dissector */
typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);

/* Handler pair for one create-context type: one for requests, one for responses */
typedef struct create_context_data_dissectors {
	create_context_data_dissector_t request;
	create_context_data_dissector_t response;
} create_context_data_dissectors_t;

/* One row of the lookup table: on-wire tag text, display name, handlers */
struct create_context_data_tag_dissectors {
	const char *tag;	/* 4-character name or GUID in string form */
	const char *val;	/* name shown in the tree */
	create_context_data_dissectors_t dissectors;
};
/*
 * Table of known create contexts, keyed by tag.
 *
 * Rows are matched with an exact, case-sensitive strcmp() in
 * get_create_context_data_tag_dissectors(), so the two APP_INSTANCE_ID rows
 * (different GUID spellings) are distinct keys that map to the same handlers.
 * SVHDX_OPEN_DEVICE_CONTEXT uses one handler for both directions.
 */
static struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
	{ "ExtA", "SMB2_CREATE_EA_BUFFER",
	  { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },

	{ "SecD", "SMB2_CREATE_SD_BUFFER",
	  { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },

	{ "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
	  { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },

	{ "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
	  { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },

	{ "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
	  { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },

	{ "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
	  { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },

	{ "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
	  { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },

	{ "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
	  { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },

	{ "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
	  { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },

	{ "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
	  { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },

	{ "RqLs", "SMB2_CREATE_REQUEST_LEASE",
	  { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },

	{ "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
	  { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },

	{ "6aa6bc45-a7ef-4af7-9008-fa462e144d74", "SMB2_CREATE_APP_INSTANCE_ID",
	  { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },

	{ "9ecfcb9c-c104-43e6-980e-158da1f6ec83", "SVHDX_OPEN_DEVICE_CONTEXT",
	  { dissect_smb2_svhdx_open_device_context, dissect_smb2_svhdx_open_device_context} },

	{ "b7d082b9-563b-4f07-a07b-524a8116a010", "SMB2_CREATE_APP_INSTANCE_VERSION",
	  { dissect_smb2_app_instance_version_buffer_request, dissect_smb2_app_instance_version_buffer_response } },

	{ "5025ad93-b49c-e711-b423-83de968bcd7c", "SMB2_POSIX_CREATE_CONTEXT",
	  { dissect_smb2_posix_buffer_request, dissect_smb2_posix_buffer_response } },

	{ "AAPL", "SMB2_AAPL_CREATE_CONTEXT",
	  { dissect_smb2_AAPL_buffer_request, dissect_smb2_AAPL_buffer_response } },
};
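/*
 * Find the table row for a create-context tag.
 *
 * tag is the context name as text (a 4-character name or a GUID string);
 * the caller derives it from packet data. It is compared with an exact,
 * case-sensitive strcmp() against create_context_dissectors_array.
 *
 * Returns the matching row, or a static "<invalid>" row whose request and
 * response handlers are both NULL. Never returns NULL.
 */
static struct create_context_data_tag_dissectors*
get_create_context_data_tag_dissectors(const char *tag)
{
	static struct create_context_data_tag_dissectors INVALID = {
		NULL, "<invalid>", { NULL, NULL }
	};

	size_t i;

	/*
	 * strcmp() on a NULL pointer is undefined behaviour. Treat a missing
	 * tag as unknown rather than relying on every caller to pass a string.
	 */
	if (tag == NULL)
		return &INVALID;

	for (i = 0; i < array_length(create_context_dissectors_array); i++) {
		if (strcmp(tag, create_context_dissectors_array[i].tag) == 0)
			return &create_context_dissectors_array[i];
	}

	return &INVALID;
}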
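/*
 * Dissect one element of a create-context chain, then recurse into the
 * next element if the chain offset is non-zero.
 *
 * tvb starts at the element being dissected. Each element holds a 4-byte
 * offset to the next element, a tag (offset/length) and a data buffer
 * (offset/length). The tag selects the data dissector; the SMB2 response
 * flag in si->flags selects its request or response variant.
 *
 * All offsets and lengths come from the packet. Recursion is bracketed by
 * increment_dissection_depth()/decrement_dissection_depth().
 */
static void
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
{
	offset_length_buffer_t  tag_olb;
	offset_length_buffer_t  data_olb;
	const uint8_t *tag;
	uint32_t    chain_offset;
	int         offset      = 0;
	int         len         = -1;
	proto_item *sub_item;
	proto_tree *sub_tree;
	proto_item *parent_item = NULL;
	create_context_data_dissector_t dissector = NULL;
	struct create_context_data_tag_dissectors *tag_dissectors;

	/*
	 * The chain offset is a 4-byte field and is displayed as such below.
	 * Keep all 32 bits: holding it in a 16-bit variable made the walker
	 * follow only the low half, so the chain that was dissected could
	 * differ from the offset shown in the tree.
	 */
	chain_offset = tvb_get_letohl(tvb, offset);
	if (chain_offset > (uint32_t)G_MAXINT) {
		/*
		 * Cannot be used as an int length or offset; a negative offset
		 * would be taken relative to the end of the buffer.
		 */
		THROW(ReportedBoundsError);
	}
	if (chain_offset) {
		len = (int)chain_offset;
	}

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_create_chain_element, &sub_item, "Chain Element");
	parent_item = proto_tree_get_parent(parent_tree);

	/* chain offset */
	proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* tag offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);

	/* data offset/length */
	dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);

	/*
	 * These things are all either 4-char strings, like DH2C, or GUIDs,
	 * however, at least one of them appears to be a GUID as a string and
	 * one appears to be a binary guid. So, check if the length is
	 * 16, and if so, pull the GUID and convert it to a string. Otherwise
	 * call dissect_smb2_olb_string.
	 */
	if (tag_olb.len == 16) {
		e_guid_t    tag_guid;
		proto_item *tag_item;
		proto_tree *tag_tree;

		tvb_get_letohguid(tvb, tag_olb.off, &tag_guid);
		tag = guid_to_str(pinfo->pool, &tag_guid);

		tag_item = proto_tree_add_string(sub_tree, tag_olb.hfindex, tvb, tag_olb.off, tag_olb.len, tag);
		tag_tree = proto_item_add_subtree(tag_item, ett_smb2_olb);
		proto_tree_add_item(tag_tree, hf_smb2_olb_offset, tvb, tag_olb.off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tag_tree, hf_smb2_olb_length, tvb, tag_olb.len_offset, 2, ENC_LITTLE_ENDIAN);

	} else {
		/* tag string */
		tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
	}

	/*
	 * NOTE(review): tag is used as a C string below without a NULL check;
	 * confirm dissect_smb2_olb_string() cannot return NULL for an empty or
	 * absent tag.
	 */
	tag_dissectors = get_create_context_data_tag_dissectors(tag);

	proto_item_append_text(parent_item, " %s", tag_dissectors->val);
	proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);

	/* data: unknown tags leave dissector NULL (the "<invalid>" row has no handlers) */
	dissector = (si->flags & SMB2_FLAGS_RESPONSE) ?
		tag_dissectors->dissectors.response : tag_dissectors->dissectors.request;

	dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);

	if (chain_offset) {
		tvbuff_t *chain_tvb;
		chain_tvb = tvb_new_subset_remaining(tvb, (int)chain_offset);

		/* next extra info */
		increment_dissection_depth(pinfo);
		dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
		decrement_dissection_depth(pinfo);
	}
}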
/*
 * Dissect an SMB2 CREATE request body starting at offset.
 *
 * Adds the fixed fields to tree, shows the file name in the Info column,
 * remembers the name in si->saved on the first pass, and hands the
 * create-context chain to dissect_smb2_create_extra_info().
 *
 * Returns the offset after the furthest of the filename and extra-info
 * buffers, as computed by dissect_smb2_olb_tvb_max_offset().
 */
static int
dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t name_olb;
	offset_length_buffer_t extra_olb;
	const uint8_t *filename;
	proto_item    *hash_item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* security flags: one byte, skipped without being shown */
	offset += 1;

	/* oplock */
	offset = dissect_smb2_oplock(tree, tvb, offset);

	/* impersonation level */
	proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create flags */
	proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 8, ENC_NA);
	offset += 8;

	/* access mask */
	offset = dissect_smb_access_mask(tvb, tree, offset);

	/* file attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

	/* share access */
	offset = dissect_nt_share_access(tvb, tree, offset);

	/* create disposition */
	proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create options */
	offset = dissect_nt_create_options(tvb, tree, offset);

	/* fid hash: a generated item, not backed by bytes of this packet */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* filename offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &name_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);

	/* extrainfo offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &extra_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);

	/*
	 * filename string
	 * NOTE(review): strlen() below assumes dissect_smb2_olb_string() never
	 * returns NULL, including for a zero-length name - confirm.
	 */
	filename = dissect_smb2_olb_string(pinfo, tree, tvb, &name_olb, OLB_TYPE_UNICODE_STRING);
	col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s",
			format_text(pinfo->pool, filename, strlen(filename)));

	/* first pass only: keep the name for later, but only if its on-wire length is below 1024 */
	if (!pinfo->fd->visited) {
		/* drop any name saved earlier before storing a new one */
		if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
			wmem_free(wmem_file_scope(), si->saved->extra_info);
			si->saved->extra_info = NULL;
			si->saved->extra_info_type = SMB2_EI_NONE;
		}
		if (si->saved && name_olb.len < 1024) {
			si->saved->extra_info_type = SMB2_EI_FILENAME;
			si->saved->extra_info = wmem_strdup(wmem_file_scope(), filename);
		}
	}

	/* If extrainfo_offset is non-null then this points to another
	 * buffer. The offset is relative to the start of the smb packet
	 */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &extra_olb, si, dissect_smb2_create_extra_info);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &name_olb);
	offset = dissect_smb2_olb_tvb_max_offset(offset, &extra_olb);

	return offset;
}
#define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01

/*
 * Dissect an SMB2 CREATE response body starting at offset.
 *
 * A non-zero status goes through dissect_smb2_error_response(), which
 * decides whether the rest of the body is dissected. Otherwise the fixed
 * fields are added to tree, end-of-file and attributes are recorded in
 * si->eo_file_info when it is set, the create-context chain is dissected,
 * and the file name saved by the request is released.
 *
 * Returns the offset after the dissected data.
 */
static int
dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	static int * const create_rep_flags_fields[] = {
		&hf_smb2_create_rep_flags_reparse_point,
		NULL
	};
	offset_length_buffer_t extra_olb;
	uint64_t    eof_size;
	uint32_t    attr_mask;
	bool        continue_dissection;
	proto_item *hash_item;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection)
			return offset;
	}

	/* oplock */
	offset = dissect_smb2_oplock(tree, tvb, offset);

	/* response flags (1 byte) */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
			       ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* create action */
	proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create time */
	dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last access */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last write */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last change */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* allocation size */
	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* end of file: kept in a local so it can be stored again after the fid is known */
	eof_size = tvb_get_letoh64(tvb, offset);
	if (si->eo_file_info) {
		si->eo_file_info->end_of_file = tvb_get_letoh64(tvb, offset);
	}
	proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* file attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, &attr_mask);

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* fid hash: a generated item, not backed by bytes of this packet */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);

	/* We save this after dissect_smb2_fid just because it would be
	   possible to have this response without having the matching request.
	   In that case the entry in the file info hash table has been created
	   in dissect_smb2_fid */
	if (si->eo_file_info) {
		si->eo_file_info->end_of_file = eof_size;
		si->eo_file_info->attr_mask = attr_mask;
	}

	/* extrainfo offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &extra_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);

	/* If extrainfo_offset is non-null then this points to another
	 * buffer. The offset is relative to the start of the smb packet
	 */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &extra_olb, si, dissect_smb2_create_extra_info);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &extra_olb);

	/* the file name saved by the request is no longer needed; release it */
	if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
		wmem_free(wmem_file_scope(), si->saved->extra_info);
		si->saved->extra_info = NULL;
		si->saved->extra_info_type = SMB2_EI_NONE;
	}

	return offset;
}
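/*
 * Dissect an SMB2 SET_INFO request body starting at offset.
 *
 * Adds the fixed fields to tree, then dissects the info buffer at the
 * offset given in the packet using the class and info level stored in
 * si->saved.
 *
 * Returns setinfo_offset + setinfo_size. Both values come from the packet;
 * a size that cannot be added to the offset without leaving the range of
 * int raises ReportedBoundsError instead of returning a wrapped offset.
 */
static int
dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint32_t    setinfo_size;
	uint16_t    setinfo_offset;
	proto_item *item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* class and info level */
	offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	/* size */
	setinfo_size = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* offset */
	setinfo_offset = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_setinfo_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	if (si->saved && si->saved->smb2_class == SMB2_CLASS_SEC_INFO) {
		/* AdditionalInformation (4 bytes): Provides additional information to the server.
		   If security information is being set, this value MUST contain a 4-byte bit field
		   of flags indicating what security attributes MUST be applied. */
		offset = dissect_additional_information_sec_mask(tvb, tree, offset);
	} else {
		/* For all other set requests, this field MUST be 0. */
		proto_tree_add_item(tree, hf_smb2_getsetinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;
	}

	/* fid hash: a generated item, not backed by bytes of this packet */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* data */
	if (si->saved)
		dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->smb2_class, si->saved->infolevel);

	/*
	 * setinfo_size is a 32-bit on-wire value. Adding it to the offset in
	 * unsigned arithmetic and storing the sum in an int could yield a
	 * negative or rewound offset, so reject sums that do not fit.
	 */
	if (setinfo_size > (uint32_t)(G_MAXINT - setinfo_offset))
		THROW(ReportedBoundsError);
	offset = (int)(setinfo_offset + setinfo_size);

	return offset;
}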
/*
 * Dissect an SMB2 SET_INFO response body starting at offset.
 *
 * Shows the class/info level and the generated file-id hash, then either
 * the buffer code (status 0) or the error response.
 *
 * Returns the offset after the dissected data.
 */
static int
dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	proto_item *hash_item;
	bool        continue_dissection;

	/* class/infolevel; the returned offset is deliberately not used */
	dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	/* fid hash: a generated item, not backed by bytes of this packet */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		/* nothing follows either way, so continue_dissection does not change the result */
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
	}

	return offset;
}
/*
 * Dissect an SMB2 OPLOCK_BREAK request body starting at offset.
 *
 * The structure size at the start of the body tells an oplock break apart
 * from a lease break acknowledgment. Any other size leaves the rest of the
 * body undissected.
 *
 * Returns the offset after the dissected fields.
 */
static int
dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint16_t struct_size;

	/* buffer code: read first, because its value selects the layout */
	struct_size = tvb_get_letohs(tvb, offset);
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	if (struct_size == OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE) {
		/* OPLOCK Break */

		/* oplock */
		offset = dissect_smb2_oplock(tree, tvb, offset);

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;

		/* fid */
		offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
	} else if (struct_size == OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE) {
		/* Lease Break Acknowledgment */

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* lease state */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
				       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease duration */
		proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	return offset;
}
/*
 * Dissect an SMB2 OPLOCK_BREAK response or notification body starting at
 * offset.
 *
 * The structure size at the start of the body selects one of three
 * layouts: oplock break notification, lease break notification or lease
 * break response. Any other size leaves the rest of the body undissected.
 * A non-zero status goes through dissect_smb2_error_response() first.
 *
 * Returns the offset after the dissected fields.
 */
static int
dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint16_t struct_size;
	bool     continue_dissection;

	/* buffer code: read before the status check, because its value selects the layout */
	struct_size = tvb_get_letohs(tvb, offset);
	if (si->status == 0x00000000) {
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection)
			return offset;
	}

	if (struct_size == OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE) {
		/* OPLOCK Break Notification */

		/* oplock */
		offset = dissect_smb2_oplock(tree, tvb, offset);

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;

		/* fid */
		offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

		/* in break requests from server to client here're 24 byte zero bytes
		 * which are likely a bug in windows (they may use 2* 24 bytes instead of just
		 * 1 *24 bytes
		 */
	} else if (struct_size == OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE) {
		proto_item *state_item;

		/* Lease Break Notification */

		/* new lease epoch */
		proto_tree_add_item(tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* current lease state; same field as the new state, so the label is prefixed */
		state_item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
						    ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		if (state_item) {
			proto_item_prepend_text(state_item, "Current ");
		}
		offset += 4;

		/* new lease state */
		state_item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
						    ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		if (state_item) {
			proto_item_prepend_text(state_item, "New ");
		}
		offset += 4;

		/* break reason - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* access mask hint - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* share mask hint - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;
	} else if (struct_size == OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE) {
		/* Lease Break Response */

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* lease state */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
				       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease duration */
		proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	return offset;
}
/*
 * Dissect the body of a "session closed" server notification.
 *
 * Adds a "Notification" subtree under parent_tree that extends to the end of
 * tvb (length -1) and shows the 4 reserved bytes found at offset.
 * pinfo and si are accepted for signature compatibility and are not used.
 *
 * Returns the offset just past the reserved field.
 */
static int
dissect_smb2_notify_session_closed(tvbuff_t *tvb, proto_tree *parent_tree, packet_info *pinfo _U_, int offset, smb2_info_t *si _U_)
{
	proto_tree *notif_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1,
							ett_smb2_server_notification, NULL,
							"Notification");

	/* reserved */
	proto_tree_add_item(notif_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);

	return offset + 4;
}
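/*
 * Dissect an SMB2 server-to-client notification.
 *
 * Layout handled here: buffer code, 2 reserved bytes, a 4-byte notification
 * type, then the type-specific body.
 *
 * Returns the offset after the notification body.
 */
static int
dissect_smb2_server_to_client_notification(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint32_t notification_type;

	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/*
	 * notification type
	 *
	 * This is a 4-byte integer, so it needs an explicit byte order; ENC_NA
	 * carries none. The other multi-byte integers in this dissector are
	 * read with ENC_LITTLE_ENDIAN, and the same is used here so that the
	 * displayed and returned value matches the wire encoding.
	 */
	proto_tree_add_item_ret_uint(tree, hf_smb2_notification_type, tvb, offset, 4, ENC_LITTLE_ENDIAN, &notification_type);
	offset += 4;

	/*
	 * The type comes straight from the packet. Every value, known or not,
	 * is currently dissected as a session-closed notification.
	 */
	switch (notification_type) {
	case NOTIFY_SESSION_CLOSED:
	default:
		offset = dissect_smb2_notify_session_closed(tvb, tree, pinfo, offset, si);
		break;
	}

	return offset;
}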
/*
 * SMB2 command code -> display name.
 *
 * names here are just until we find better names for these functions
 *
 * The table is deliberately dense: it holds one entry for every value
 * 0x00..0xFF, in order, followed by the terminator. decode_smb2_name()
 * indexes it directly with the command byte, so removing or reordering an
 * entry would make that lookup return the wrong name or read past the data.
 */
static const value_string smb2_cmd_vals[] = {
	{ 0x00, "Negotiate Protocol" },
	{ 0x01, "Session Setup" },
	{ 0x02, "Session Logoff" },
	{ 0x03, "Tree Connect" },
	{ 0x04, "Tree Disconnect" },
	{ 0x05, "Create" },
	{ 0x06, "Close" },
	{ 0x07, "Flush" },
	{ 0x08, "Read" },
	{ 0x09, "Write" },
	{ 0x0A, "Lock" },
	{ 0x0B, "Ioctl" },
	{ 0x0C, "Cancel" },
	{ 0x0D, "KeepAlive" },
	{ 0x0E, "Find" },
	{ 0x0F, "Notify" },
	{ 0x10, "GetInfo" },
	{ 0x11, "SetInfo" },
	{ 0x12, "Break" },
	{ 0x13, "Server notification" },

	/* 0x14 .. 0xFF: no name assigned, placeholders keep the table dense */
	{ 0x14, "unknown-0x14" }, { 0x15, "unknown-0x15" }, { 0x16, "unknown-0x16" }, { 0x17, "unknown-0x17" },
	{ 0x18, "unknown-0x18" }, { 0x19, "unknown-0x19" }, { 0x1A, "unknown-0x1A" }, { 0x1B, "unknown-0x1B" },
	{ 0x1C, "unknown-0x1C" }, { 0x1D, "unknown-0x1D" }, { 0x1E, "unknown-0x1E" }, { 0x1F, "unknown-0x1F" },
	{ 0x20, "unknown-0x20" }, { 0x21, "unknown-0x21" }, { 0x22, "unknown-0x22" }, { 0x23, "unknown-0x23" },
	{ 0x24, "unknown-0x24" }, { 0x25, "unknown-0x25" }, { 0x26, "unknown-0x26" }, { 0x27, "unknown-0x27" },
	{ 0x28, "unknown-0x28" }, { 0x29, "unknown-0x29" }, { 0x2A, "unknown-0x2A" }, { 0x2B, "unknown-0x2B" },
	{ 0x2C, "unknown-0x2C" }, { 0x2D, "unknown-0x2D" }, { 0x2E, "unknown-0x2E" }, { 0x2F, "unknown-0x2F" },
	{ 0x30, "unknown-0x30" }, { 0x31, "unknown-0x31" }, { 0x32, "unknown-0x32" }, { 0x33, "unknown-0x33" },
	{ 0x34, "unknown-0x34" }, { 0x35, "unknown-0x35" }, { 0x36, "unknown-0x36" }, { 0x37, "unknown-0x37" },
	{ 0x38, "unknown-0x38" }, { 0x39, "unknown-0x39" }, { 0x3A, "unknown-0x3A" }, { 0x3B, "unknown-0x3B" },
	{ 0x3C, "unknown-0x3C" }, { 0x3D, "unknown-0x3D" }, { 0x3E, "unknown-0x3E" }, { 0x3F, "unknown-0x3F" },
	{ 0x40, "unknown-0x40" }, { 0x41, "unknown-0x41" }, { 0x42, "unknown-0x42" }, { 0x43, "unknown-0x43" },
	{ 0x44, "unknown-0x44" }, { 0x45, "unknown-0x45" }, { 0x46, "unknown-0x46" }, { 0x47, "unknown-0x47" },
	{ 0x48, "unknown-0x48" }, { 0x49, "unknown-0x49" }, { 0x4A, "unknown-0x4A" }, { 0x4B, "unknown-0x4B" },
	{ 0x4C, "unknown-0x4C" }, { 0x4D, "unknown-0x4D" }, { 0x4E, "unknown-0x4E" }, { 0x4F, "unknown-0x4F" },
	{ 0x50, "unknown-0x50" }, { 0x51, "unknown-0x51" }, { 0x52, "unknown-0x52" }, { 0x53, "unknown-0x53" },
	{ 0x54, "unknown-0x54" }, { 0x55, "unknown-0x55" }, { 0x56, "unknown-0x56" }, { 0x57, "unknown-0x57" },
	{ 0x58, "unknown-0x58" }, { 0x59, "unknown-0x59" }, { 0x5A, "unknown-0x5A" }, { 0x5B, "unknown-0x5B" },
	{ 0x5C, "unknown-0x5C" }, { 0x5D, "unknown-0x5D" }, { 0x5E, "unknown-0x5E" }, { 0x5F, "unknown-0x5F" },
	{ 0x60, "unknown-0x60" }, { 0x61, "unknown-0x61" }, { 0x62, "unknown-0x62" }, { 0x63, "unknown-0x63" },
	{ 0x64, "unknown-0x64" }, { 0x65, "unknown-0x65" }, { 0x66, "unknown-0x66" }, { 0x67, "unknown-0x67" },
	{ 0x68, "unknown-0x68" }, { 0x69, "unknown-0x69" }, { 0x6A, "unknown-0x6A" }, { 0x6B, "unknown-0x6B" },
	{ 0x6C, "unknown-0x6C" }, { 0x6D, "unknown-0x6D" }, { 0x6E, "unknown-0x6E" }, { 0x6F, "unknown-0x6F" },
	{ 0x70, "unknown-0x70" }, { 0x71, "unknown-0x71" }, { 0x72, "unknown-0x72" }, { 0x73, "unknown-0x73" },
	{ 0x74, "unknown-0x74" }, { 0x75, "unknown-0x75" }, { 0x76, "unknown-0x76" }, { 0x77, "unknown-0x77" },
	{ 0x78, "unknown-0x78" }, { 0x79, "unknown-0x79" }, { 0x7A, "unknown-0x7A" }, { 0x7B, "unknown-0x7B" },
	{ 0x7C, "unknown-0x7C" }, { 0x7D, "unknown-0x7D" }, { 0x7E, "unknown-0x7E" }, { 0x7F, "unknown-0x7F" },
	{ 0x80, "unknown-0x80" }, { 0x81, "unknown-0x81" }, { 0x82, "unknown-0x82" }, { 0x83, "unknown-0x83" },
	{ 0x84, "unknown-0x84" }, { 0x85, "unknown-0x85" }, { 0x86, "unknown-0x86" }, { 0x87, "unknown-0x87" },
	{ 0x88, "unknown-0x88" }, { 0x89, "unknown-0x89" }, { 0x8A, "unknown-0x8A" }, { 0x8B, "unknown-0x8B" },
	{ 0x8C, "unknown-0x8C" }, { 0x8D, "unknown-0x8D" }, { 0x8E, "unknown-0x8E" }, { 0x8F, "unknown-0x8F" },
	{ 0x90, "unknown-0x90" }, { 0x91, "unknown-0x91" }, { 0x92, "unknown-0x92" }, { 0x93, "unknown-0x93" },
	{ 0x94, "unknown-0x94" }, { 0x95, "unknown-0x95" }, { 0x96, "unknown-0x96" }, { 0x97, "unknown-0x97" },
	{ 0x98, "unknown-0x98" }, { 0x99, "unknown-0x99" }, { 0x9A, "unknown-0x9A" }, { 0x9B, "unknown-0x9B" },
	{ 0x9C, "unknown-0x9C" }, { 0x9D, "unknown-0x9D" }, { 0x9E, "unknown-0x9E" }, { 0x9F, "unknown-0x9F" },
	{ 0xA0, "unknown-0xA0" }, { 0xA1, "unknown-0xA1" }, { 0xA2, "unknown-0xA2" }, { 0xA3, "unknown-0xA3" },
	{ 0xA4, "unknown-0xA4" }, { 0xA5, "unknown-0xA5" }, { 0xA6, "unknown-0xA6" }, { 0xA7, "unknown-0xA7" },
	{ 0xA8, "unknown-0xA8" }, { 0xA9, "unknown-0xA9" }, { 0xAA, "unknown-0xAA" }, { 0xAB, "unknown-0xAB" },
	{ 0xAC, "unknown-0xAC" }, { 0xAD, "unknown-0xAD" }, { 0xAE, "unknown-0xAE" }, { 0xAF, "unknown-0xAF" },
	{ 0xB0, "unknown-0xB0" }, { 0xB1, "unknown-0xB1" }, { 0xB2, "unknown-0xB2" }, { 0xB3, "unknown-0xB3" },
	{ 0xB4, "unknown-0xB4" }, { 0xB5, "unknown-0xB5" }, { 0xB6, "unknown-0xB6" }, { 0xB7, "unknown-0xB7" },
	{ 0xB8, "unknown-0xB8" }, { 0xB9, "unknown-0xB9" }, { 0xBA, "unknown-0xBA" }, { 0xBB, "unknown-0xBB" },
	{ 0xBC, "unknown-0xBC" }, { 0xBD, "unknown-0xBD" }, { 0xBE, "unknown-0xBE" }, { 0xBF, "unknown-0xBF" },
	{ 0xC0, "unknown-0xC0" }, { 0xC1, "unknown-0xC1" }, { 0xC2, "unknown-0xC2" }, { 0xC3, "unknown-0xC3" },
	{ 0xC4, "unknown-0xC4" }, { 0xC5, "unknown-0xC5" }, { 0xC6, "unknown-0xC6" }, { 0xC7, "unknown-0xC7" },
	{ 0xC8, "unknown-0xC8" }, { 0xC9, "unknown-0xC9" }, { 0xCA, "unknown-0xCA" }, { 0xCB, "unknown-0xCB" },
	{ 0xCC, "unknown-0xCC" }, { 0xCD, "unknown-0xCD" }, { 0xCE, "unknown-0xCE" }, { 0xCF, "unknown-0xCF" },
	{ 0xD0, "unknown-0xD0" }, { 0xD1, "unknown-0xD1" }, { 0xD2, "unknown-0xD2" }, { 0xD3, "unknown-0xD3" },
	{ 0xD4, "unknown-0xD4" }, { 0xD5, "unknown-0xD5" }, { 0xD6, "unknown-0xD6" }, { 0xD7, "unknown-0xD7" },
	{ 0xD8, "unknown-0xD8" }, { 0xD9, "unknown-0xD9" }, { 0xDA, "unknown-0xDA" }, { 0xDB, "unknown-0xDB" },
	{ 0xDC, "unknown-0xDC" }, { 0xDD, "unknown-0xDD" }, { 0xDE, "unknown-0xDE" }, { 0xDF, "unknown-0xDF" },
	{ 0xE0, "unknown-0xE0" }, { 0xE1, "unknown-0xE1" }, { 0xE2, "unknown-0xE2" }, { 0xE3, "unknown-0xE3" },
	{ 0xE4, "unknown-0xE4" }, { 0xE5, "unknown-0xE5" }, { 0xE6, "unknown-0xE6" }, { 0xE7, "unknown-0xE7" },
	{ 0xE8, "unknown-0xE8" }, { 0xE9, "unknown-0xE9" }, { 0xEA, "unknown-0xEA" }, { 0xEB, "unknown-0xEB" },
	{ 0xEC, "unknown-0xEC" }, { 0xED, "unknown-0xED" }, { 0xEE, "unknown-0xEE" }, { 0xEF, "unknown-0xEF" },
	{ 0xF0, "unknown-0xF0" }, { 0xF1, "unknown-0xF1" }, { 0xF2, "unknown-0xF2" }, { 0xF3, "unknown-0xF3" },
	{ 0xF4, "unknown-0xF4" }, { 0xF5, "unknown-0xF5" }, { 0xF6, "unknown-0xF6" }, { 0xF7, "unknown-0xF7" },
	{ 0xF8, "unknown-0xF8" }, { 0xF9, "unknown-0xF9" }, { 0xFA, "unknown-0xFA" }, { 0xFB, "unknown-0xFB" },
	{ 0xFC, "unknown-0xFC" }, { 0xFD, "unknown-0xFD" }, { 0xFE, "unknown-0xFE" }, { 0xFF, "unknown-0xFF" },

	/* terminator */
	{ 0x00, NULL },
};
value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Return the display name for an SMB2 command code.
 *
 * Values above 0xFF yield the literal "unknown". Anything else is used as a
 * direct index into smb2_cmd_vals, which therefore has to keep one entry for
 * every value 0x00..0xFF; the mask keeps the index inside that range.
 */
static const char *decode_smb2_name(uint16_t cmd)
{
	return (cmd <= 0xFF) ? smb2_cmd_vals[cmd & 0xFF].strptr : "unknown";
}
/*
 * Per-command dissector pairs, one slot per SMB2 command code (0x00..0xff).
 * Each entry is { request dissector, response dissector }; NULL means there
 * is no dissector for that direction.
 *
 * Only the assigned commands are spelled out. Slots 0x14..0xff are left to
 * static zero-initialisation, which makes both pointers NULL, the same as
 * listing {NULL, NULL} for each of them.
 */
static const smb2_function smb2_dissector[256] = {
	/* NegotiateProtocol */
	[0x00] = {dissect_smb2_negotiate_protocol_request,
		  dissect_smb2_negotiate_protocol_response},
	/* SessionSetup */
	[0x01] = {dissect_smb2_session_setup_request,
		  dissect_smb2_session_setup_response},
	/* SessionLogoff */
	[0x02] = {dissect_smb2_sessionlogoff_request,
		  dissect_smb2_sessionlogoff_response},
	/* TreeConnect */
	[0x03] = {dissect_smb2_tree_connect_request,
		  dissect_smb2_tree_connect_response},
	/* TreeDisconnect */
	[0x04] = {dissect_smb2_tree_disconnect_request,
		  dissect_smb2_tree_disconnect_response},
	/* Create */
	[0x05] = {dissect_smb2_create_request,
		  dissect_smb2_create_response},
	/* Close */
	[0x06] = {dissect_smb2_close_request,
		  dissect_smb2_close_response},
	/* Flush */
	[0x07] = {dissect_smb2_flush_request,
		  dissect_smb2_flush_response},
	/* Read */
	[0x08] = {dissect_smb2_read_request,
		  dissect_smb2_read_response},
	/* Write */
	[0x09] = {dissect_smb2_write_request,
		  dissect_smb2_write_response},
	/* Lock */
	[0x0a] = {dissect_smb2_lock_request,
		  dissect_smb2_lock_response},
	/* Ioctl */
	[0x0b] = {dissect_smb2_ioctl_request,
		  dissect_smb2_ioctl_response},
	/* Cancel: request only */
	[0x0c] = {dissect_smb2_cancel_request,
		  NULL},
	/* KeepAlive */
	[0x0d] = {dissect_smb2_keepalive_request,
		  dissect_smb2_keepalive_response},
	/* Find */
	[0x0e] = {dissect_smb2_find_request,
		  dissect_smb2_find_response},
	/* Notify */
	[0x0f] = {dissect_smb2_notify_request,
		  dissect_smb2_notify_response},
	/* GetInfo */
	[0x10] = {dissect_smb2_getinfo_request,
		  dissect_smb2_getinfo_response},
	/* SetInfo */
	[0x11] = {dissect_smb2_setinfo_request,
		  dissect_smb2_setinfo_response},
	/* Break */
	[0x12] = {dissect_smb2_break_request,
		  dissect_smb2_break_response},
	/* Server to client notification: response slot only */
	[0x13] = {NULL,
		  dissect_smb2_server_to_client_notification},
	/* 0x14 .. 0xff: implicitly {NULL, NULL} */
};
/*
 * Nonce lengths, in bytes, that do_decrypt() hands to gcry_cipher_setiv().
 * Despite the AES128 in the names, do_decrypt() uses the same two lengths
 * for the AES-256 CCM and GCM ciphers.
 */
#define SMB3_AES128CCM_NONCE	11
#define SMB3_AES128GCM_NONCE	12
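/*
 * Plausibility check on a freshly decrypted buffer: does it start with an
 * SMB2 header signature?
 *
 * @param p     decrypted bytes
 * @param size  number of bytes available at p
 * @return true when the first four bytes are SMB2_COMP_HEADER or
 *         SMB2_NORM_HEADER followed by 'S', 'M', 'B'; false otherwise,
 *         including when fewer than four bytes are available.
 *
 * do_decrypt() returns this result as its verdict, so this test is what
 * decides whether a key/cipher guess is accepted. All three signature letters
 * must match: accepting the buffer when only one of them matches lets the
 * output of a wrong key or cipher pass far more often, while a correctly
 * decrypted message always carries the complete signature.
 */
static bool is_decrypted_header_ok(uint8_t *p, size_t size)
{
	if (size < 4)
		return false;

	if ((p[0] == SMB2_COMP_HEADER || p[0] == SMB2_NORM_HEADER)
	    && p[1] == 'S' && p[2] == 'M' && p[3] == 'B') {
		return true;
	}

	DEBUG("decrypt: bad SMB header");
	return false;
}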
/*
 * Decrypt data in place with one specific SMB3 cipher.
 *
 * @param data       ciphertext on entry; overwritten by the decryption
 * @param data_size  number of bytes at data
 * @param key        cipher key; AES_KEY_SIZE bytes are used for the AES-128
 *                   ciphers and AES_KEY_SIZE*2 for the AES-256 ones
 * @param aad        additional authenticated data fed to the cipher
 * @param aad_size   number of bytes at aad
 * @param nonce      nonce; SMB3_AES128CCM_NONCE or SMB3_AES128GCM_NONCE bytes
 *                   are used depending on the mode
 * @param alg        one of the SMB2_CIPHER_AES_* values
 * @return true when every libgcrypt call succeeded and the output starts with
 *         an SMB2 header signature; false for an unknown alg, a libgcrypt
 *         error, or output that fails the header check.
 *
 * No authentication tag is checked here: the only test applied to the result
 * is is_decrypted_header_ok(). data has been modified whenever the decrypt
 * call itself ran, whatever this function returns, so a caller that wants to
 * retry with another key or cipher has to restore the ciphertext first.
 */
static bool
do_decrypt(uint8_t *data,
	   size_t data_size,
	   const uint8_t *key,
	   const uint8_t *aad,
	   int aad_size,
	   const uint8_t *nonce,
	   int alg)
{
	gcry_cipher_hd_t hd = NULL;
	gcry_error_t rc;
	bool is_aes256;
	int cipher;
	int mode;
	int nonce_len;
	size_t key_len;

	/* The mode, and with it the nonce length, follows from the cipher id. */
	switch (alg) {
	case SMB2_CIPHER_AES_128_CCM:
	case SMB2_CIPHER_AES_256_CCM:
		mode = GCRY_CIPHER_MODE_CCM;
		nonce_len = SMB3_AES128CCM_NONCE;
		break;
	case SMB2_CIPHER_AES_128_GCM:
	case SMB2_CIPHER_AES_256_GCM:
		mode = GCRY_CIPHER_MODE_GCM;
		nonce_len = SMB3_AES128GCM_NONCE;
		break;
	default:
		return false;
	}

	is_aes256 = (alg == SMB2_CIPHER_AES_256_CCM || alg == SMB2_CIPHER_AES_256_GCM);
	cipher = is_aes256 ? GCRY_CIPHER_AES256 : GCRY_CIPHER_AES128;
	key_len = is_aes256 ? AES_KEY_SIZE*2 : AES_KEY_SIZE;

	/* Open the cipher; nothing to release if this fails */
	rc = gcry_cipher_open(&hd, cipher, mode, 0);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: open %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		return false;
	}

	/* Set the key */
	rc = gcry_cipher_setkey(hd, key, key_len);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: setkey %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		goto fail;
	}

	/* Set the initial value */
	rc = gcry_cipher_setiv(hd, nonce, nonce_len);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: setiv %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		goto fail;
	}

	/* CCM is told all lengths up front, before any data is processed */
	if (mode == GCRY_CIPHER_MODE_CCM) {
		uint64_t lengths[3];

		lengths[0] = data_size; /* encrypted length */
		lengths[1] = aad_size;  /* AAD length */
		lengths[2] = 16;        /* tag length (signature size) */

		rc = gcry_cipher_ctl(hd, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
		if (rc != GPG_ERR_NO_ERROR) {
			DEBUG("GCRY: ctl %s/%s", gcry_strsource(rc), gcry_strerror(rc));
			goto fail;
		}
	}

	rc = gcry_cipher_authenticate(hd, aad, aad_size);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: auth %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		goto fail;
	}

	/* In-place decryption: a NULL input buffer makes data both source and destination */
	rc = gcry_cipher_decrypt(hd, data, data_size, NULL, 0);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: decrypt %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		goto fail;
	}

	/* Done with the cipher */
	gcry_cipher_close(hd);
	return is_decrypted_header_ok(data, data_size);

fail:
	gcry_cipher_close(hd);
	return false;
}
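/*
 * Decrypt the encrypted payload of an SMB3 transform message.
 *
 * @param pinfo       packet info; its pool owns the returned buffer and its
 *                    ports are used to tell client and server apart
 * @param tvb         buffer holding the transform header and the ciphertext
 * @param offset      start of the ciphertext in tvb (sti->size bytes)
 * @param offset_aad  start of the 32 bytes of additional authenticated data
 * @param sti         transform info: size, nonce, session keys, conversation
 * @return the decrypted payload (sti->size bytes allocated from pinfo->pool),
 *         or NULL when the captured data is too short or no key/cipher
 *         combination produced a buffer that do_decrypt() accepts.
 *
 * Side effects on success: the cipher that worked is stored in
 * sti->conv->enc_alg and sti->session->server_port is set from the key that
 * worked.
 *
 * do_decrypt() decrypts in place, so the ciphertext is copied back from tvb
 * before every attempt. Without that, an attempt that follows a failed one
 * would run on the output of the failed attempt instead of on the ciphertext
 * and could not succeed.
 *
 * Acceptance of a guess rests on do_decrypt()'s verdict, which is a check of
 * the decrypted header signature; a wrong guess that passes it would also be
 * remembered in the conversation and session state.
 */
static uint8_t*
decrypt_smb_payload(packet_info *pinfo,
		    tvbuff_t *tvb, int offset,
		    int offset_aad,
		    smb2_transform_info_t *sti)
{
	const uint8_t *aad = NULL;
	uint8_t *data = NULL;
	uint8_t *key16 = NULL;
	uint8_t *keys16[2];
	uint8_t *key32 = NULL;
	uint8_t *keys32[2];
	bool ok = false;
	int aad_size;
	int alg = 0;	/* only read after a successful attempt has set it */

	/* AAD is the rest of transform header after the ProtocolID and Signature */
	aad_size = 32;

	/* Both the ciphertext and the AAD must be fully present in the capture */
	if ((unsigned)tvb_captured_length_remaining(tvb, offset) < sti->size)
		return NULL;

	if (tvb_captured_length_remaining(tvb, offset_aad) < aad_size)
		return NULL;

	/* Index 0 is the first guess for this direction, index 1 the swapped one */
	if (pinfo->destport == sti->session->server_port) {
		keys16[0] = sti->session->server_decryption_key16;
		keys16[1] = sti->session->client_decryption_key16;
		keys32[0] = sti->session->server_decryption_key32;
		keys32[1] = sti->session->client_decryption_key32;
	} else {
		keys16[1] = sti->session->server_decryption_key16;
		keys16[0] = sti->session->client_decryption_key16;
		keys32[1] = sti->session->server_decryption_key32;
		keys32[0] = sti->session->client_decryption_key32;
	}

	aad = tvb_get_ptr(tvb, offset_aad, aad_size);
	data = (uint8_t *)tvb_memdup(pinfo->pool, tvb, offset, sti->size);

	/*
	 * In SMB3.0 the transform header had a Algorithm field to
	 * know which type of encryption was used but only CCM was
	 * supported.
	 *
	 * SMB3.1.1 turned that field into a generic "Encrypted" flag
	 * which cannot be used to determine the encryption
	 * type. Instead the type is decided in the NegProt response,
	 * within the Encryption Capability context which should only
	 * have one element. That element is saved in the conversation
	 * struct (si->conv) and checked here.
	 *
	 * If the trace didn't contain NegProt packets, we have to
	 * guess the encryption type by trying them all.
	 *
	 * Similarly, if we don't have unencrypted packets telling us
	 * which host is the server and which host is the client, we
	 * have to guess by trying both keys.
	 */

	DEBUG("dialect 0x%x alg 0x%x conv alg 0x%x", sti->conv->dialect, sti->flags, sti->conv->enc_alg);

	for (unsigned i = 0; i < G_N_ELEMENTS(keys16); i++) {
		bool try_ccm16, try_gcm16;
		bool try_ccm32, try_gcm32;
		try_ccm16 = try_gcm16 = false;
		try_ccm32 = try_gcm32 = false;
		ok = false;

		key16 = keys16[i];
		key32 = keys32[i];

		switch (sti->conv->enc_alg) {
		case SMB2_CIPHER_AES_128_CCM:
			try_ccm16 = true;
			break;
		case SMB2_CIPHER_AES_128_GCM:
			try_gcm16 = true;
			break;
		case SMB2_CIPHER_AES_256_CCM:
			try_ccm32 = true;
			break;
		case SMB2_CIPHER_AES_256_GCM:
			try_gcm32 = true;
			break;
		default:
			/* we don't know, try all */
			try_gcm16 = true;
			try_ccm16 = true;
			try_gcm32 = true;
			try_ccm32 = true;
		}

		if (try_gcm16) {
			uint8_t *key = key16;
			DEBUG("trying AES-128-GCM decryption");
			alg = SMB2_CIPHER_AES_128_GCM;
			tvb_memcpy(tvb, data, offset, sti->size);
			ok = do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
			if (ok)
				break;
			DEBUG("bad decrypted buffer with AES-128-GCM");
		}
		if (try_ccm16) {
			uint8_t *key = key16;
			DEBUG("trying AES-128-CCM decryption");
			alg = SMB2_CIPHER_AES_128_CCM;
			/* restore the ciphertext a previous attempt may have overwritten */
			tvb_memcpy(tvb, data, offset, sti->size);
			ok = do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
			if (ok)
				break;
			DEBUG("bad decrypted buffer with AES-128-CCM");
		}
		if (try_gcm32) {
			uint8_t *key = key32;
			DEBUG("trying AES-256-GCM decryption");
			alg = SMB2_CIPHER_AES_256_GCM;
			tvb_memcpy(tvb, data, offset, sti->size);
			ok = do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
			if (ok)
				break;
			DEBUG("bad decrypted buffer with AES-256-GCM");
		}
		if (try_ccm32) {
			uint8_t *key = key32;
			DEBUG("trying AES-256-CCM decryption");
			alg = SMB2_CIPHER_AES_256_CCM;
			/* restore the ciphertext a previous attempt may have overwritten */
			tvb_memcpy(tvb, data, offset, sti->size);
			ok = do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
			if (ok)
				break;
			DEBUG("bad decrypted buffer with AES-256-CCM");
		}
		DEBUG("trying to decrypt with swapped client/server keys");
		tvb_memcpy(tvb, data, offset, sti->size);
	}

	if (!ok)
		return NULL;

	/* Remember what worked */
	sti->conv->enc_alg = alg;
	/* key16 and key32 were taken from the same index, so key16 identifies the side */
	if (key16 == sti->session->server_decryption_key16)
		sti->session->server_port = pinfo->destport;
	else
		sti->session->server_port = pinfo->srcport;
	return data;
}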
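/*
 * Append tvb[offset:offset+length] to out.
 *
 * Nothing is appended when tvb_get_ptr() returns NULL. The pointer obtained
 * for that check is the one handed to wmem_array_append(), so the range is
 * looked up once instead of twice.
 */
static void
append_uncompress_data(wmem_array_t *out, tvbuff_t *tvb, int offset, unsigned length)
{
	const uint8_t *ptr = tvb_get_ptr(tvb, offset, length);

	if (ptr)
		wmem_array_append(out, ptr, length);
}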
/*
 * Dissect a Pattern_V1 compression payload: a 1-byte pattern, 1 + 2 reserved
 * bytes and a 4-byte repetition count.
 *
 * @param tree    parent tree for the "Pattern" subtree
 * @param tvb     buffer being dissected
 * @param offset  start of the payload in tvb
 * @param length  length given to the subtree item
 * @param out     when non-NULL, receives the expanded bytes
 * @return the offset after the 8 bytes read here.
 *
 * The repetition count comes from the packet. Expansion is skipped when it is
 * not below MAX_UNCOMPRESSED_SIZE.
 * NOTE(review): that limit applies to this one payload only; this function
 * does not look at how much out already holds, so any overall cap on the
 * uncompressed size across several chained payloads has to be enforced by
 * the caller. Confirm that it is.
 */
static int
dissect_smb2_compression_pattern_v1(proto_tree *tree,
				    tvbuff_t *tvb, int offset, int length,
				    wmem_array_t *out)
{
	proto_item *pattern_item;
	proto_tree *pattern_tree;
	unsigned pattern, times;

	pattern_tree = proto_tree_add_subtree_format(tree, tvb, offset, length,
						     ett_smb2_comp_pattern_v1, &pattern_item,
						     "Pattern");

	/* byte to repeat */
	proto_tree_add_item_ret_uint(pattern_tree, hf_smb2_comp_pattern_v1_pattern, tvb, offset, 1, ENC_LITTLE_ENDIAN, &pattern);
	offset += 1;

	/* two reserved fields: 1 byte, then 2 bytes */
	proto_tree_add_item(pattern_tree, hf_smb2_comp_pattern_v1_reserved1, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;
	proto_tree_add_item(pattern_tree, hf_smb2_comp_pattern_v1_reserved2, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* how many times the byte is repeated */
	proto_tree_add_item_ret_uint(pattern_tree, hf_smb2_comp_pattern_v1_repetitions, tvb, offset, 4, ENC_LITTLE_ENDIAN, &times);
	offset += 4;

	proto_item_append_text(pattern_item, " 0x%02x repeated %u times", pattern, times);

	if (out && times < MAX_UNCOMPRESSED_SIZE) {
		uint8_t fill = (uint8_t)pattern;
		unsigned remaining = times;

		while (remaining-- > 0)
			wmem_array_append(out, &fill, 1);
	}

	return offset;
}
/*
 * Dissect one COMPRESSION_PAYLOAD_HEADER and its payload from a chained
 * compressed message, appending the uncompressed bytes to out.
 *
 * @param pinfo   packet info; the info column gets a marker on errors
 * @param tree    parent tree
 * @param tvb     buffer being dissected
 * @param offset  start of the payload header in tvb
 * @param out     array receiving the uncompressed data
 * @param ok      set to true on entry and to false when the payload is
 *                oversized or an LZ payload fails to decompress to the
 *                announced size
 * @return the offset after this payload's data.
 *
 * All of alg, flags, length and the original size are read from the packet.
 * NOTE(review): for the LZ algorithms the 4-byte original-size field is
 * subtracted from length without first checking length >= 4, so a smaller
 * value wraps around. The size check that follows is what would catch the
 * wrapped value, assuming MAX_UNCOMPRESSED_SIZE is well below UINT_MAX;
 * TODO confirm.
 * NOTE(review): the size check covers this payload's input length only; no
 * total for out is enforced here.
 */
static int
dissect_smb2_chained_comp_payload(packet_info *pinfo, proto_tree *tree,
				  tvbuff_t *tvb, int offset,
				  wmem_array_t *out,
				  bool *ok)
{
	proto_tree *hdr_tree;
	proto_item *hdr_item;
	unsigned alg, length, flags;
	unsigned orig_size = 0;
	tvbuff_t *uncomp_tvb = NULL;
	bool lz_based;
	bool invalid = false;

	*ok = true;

	hdr_tree = proto_tree_add_subtree_format(tree, tvb, offset, 0, ett_smb2_comp_payload, &hdr_item, "COMPRESSION_PAYLOAD_HEADER");

	/* algorithm, flags, payload length */
	proto_tree_add_item_ret_uint(hdr_tree, hf_smb2_comp_transform_comp_alg, tvb, offset, 2, ENC_LITTLE_ENDIAN, &alg);
	offset += 2;

	proto_tree_add_item_ret_uint(hdr_tree, hf_smb2_comp_transform_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN, &flags);
	offset += 2;

	proto_tree_add_item_ret_uint(hdr_tree, hf_smb2_comp_transform_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
	offset += 4;

	proto_item_set_len(hdr_item, length);

	/* LZ payloads start with the expected uncompressed size, counted in length */
	lz_based = (alg >= SMB2_COMP_ALG_LZNT1 && alg <= SMB2_COMP_ALG_LZ77HUFF);
	if (lz_based) {
		proto_tree_add_item_ret_uint(hdr_tree, hf_smb2_comp_transform_orig_payload_size,
					     tvb, offset, 4, ENC_LITTLE_ENDIAN, &orig_size);
		offset += 4;
		length -= 4;
	}

	if (length > MAX_UNCOMPRESSED_SIZE) {
		invalid = true;
	} else {
		switch (alg) {
		case SMB2_COMP_ALG_NONE:
			append_uncompress_data(out, tvb, offset, length);
			break;
		case SMB2_COMP_ALG_LZ77:
			uncomp_tvb = tvb_uncompress_lz77(tvb, offset, length);
			break;
		case SMB2_COMP_ALG_LZ77HUFF:
			uncomp_tvb = tvb_uncompress_lz77huff(tvb, offset, length);
			break;
		case SMB2_COMP_ALG_LZNT1:
			uncomp_tvb = tvb_uncompress_lznt1(tvb, offset, length);
			break;
		case SMB2_COMP_ALG_PATTERN_V1:
			dissect_smb2_compression_pattern_v1(hdr_tree, tvb, offset, length, out);
			break;
		default:
			col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (unknown)");
			uncomp_tvb = NULL;
			break;
		}

		if (lz_based) {
			/* the decompressor must deliver exactly the announced size */
			if (!uncomp_tvb || tvb_reported_length(uncomp_tvb) != orig_size)
				invalid = true;
			else
				append_uncompress_data(out, uncomp_tvb, 0, tvb_reported_length(uncomp_tvb));
		}
	}

	if (invalid) {
		/* decompression error */
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (invalid)");
		*ok = false;
	}

	/* Common exit: release the temporary tvb, show the raw payload, skip it */
	if (uncomp_tvb)
		tvb_free(uncomp_tvb);
	proto_tree_add_item(hdr_tree, hf_smb2_comp_transform_data, tvb, offset, length, ENC_NA);
	offset += length;

	return offset;
}
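/*
 * Dissect an SMB2 COMPRESSION_TRANSFORM_HEADER and try to rebuild the
 * uncompressed message from it.
 *
 * pinfo     - packet info; its pool backs the reassembly buffer
 * tree      - tree the header fields are added to
 * tvb       - buffer that starts at the compression transform marker
 * offset    - offset of the marker inside tvb
 * scti      - receives orig_size, plus alg and comp_offset for the
 *             unchained form
 * comp_tvb  - set to the remainder of tvb that follows the fixed header
 *             fields; NULL until that point is reached
 * plain_tvb - set to a new data source holding the uncompressed bytes when
 *             every segment decompressed cleanly, otherwise left NULL
 *
 * Returns the offset after the fixed header (unchained form) or after the
 * last chained payload that was parsed.
 *
 * Every size and offset read here comes from the wire and is untrusted.
 */
static int
dissect_smb2_comp_transform_header(packet_info *pinfo, proto_tree *tree,
				   tvbuff_t *tvb, int offset,
				   smb2_comp_transform_info_t *scti,
				   tvbuff_t **comp_tvb,
				   tvbuff_t **plain_tvb)
{
	int in_size;
	tvbuff_t *uncomp_tvb = NULL;
	unsigned flags;
	wmem_array_t *uncomp_data;

	*comp_tvb = NULL;
	*plain_tvb = NULL;

	/*
	  "old" compressed method:

	  [COMPRESS_TRANSFORM_HEADER with Flags=0]
	    [OPTIONAL UNCOMPRESSED DATA]
	    [COMPRESSED DATA]

	  new "chained" compressed method:

	  [first 8 bytes of COMPRESS_TRANSFORM_HEADER with Flags=CHAINED]
	  [ sequence of
	    [ COMPRESSION_PAYLOAD_HEADER ]
	    [ COMPRESSED PAYLOAD ]
	  ]
	 */

	/* SMB2_COMPRESSION_TRANSFORM marker */
	proto_tree_add_item(tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
	offset += 4;

	proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_orig_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &scti->orig_size);
	offset += 4;

	uncomp_data = wmem_array_sized_new(pinfo->pool, 1, 1024);

	/* peek at the flags (2 bytes past the algorithm field) to pick the layout */
	flags = tvb_get_letohs(tvb, offset+2);
	if (flags & SMB2_COMP_FLAG_CHAINED) {
		bool all_ok = true;

		*comp_tvb = tvb_new_subset_length(tvb, offset, tvb_reported_length_remaining(tvb, offset));
		/*
		 * NOTE(review): the bytes accumulated in uncomp_data are not
		 * compared with scti->orig_size on this path, and orig_size is
		 * not range-checked here as it is for the unchained form.
		 * Confirm whether a cumulative output cap is wanted.
		 */
		do {
			bool ok = false;
			int payload_start = offset;

			offset = dissect_smb2_chained_comp_payload(pinfo, tree, tvb, offset, uncomp_data, &ok);
			if (!ok)
				all_ok = false;

			/*
			 * The callee adds a wire-supplied 32-bit length to the
			 * signed offset. Stop unless the cursor moved forward,
			 * so termination of this loop never depends on that
			 * addition behaving.
			 */
			if (offset <= payload_start) {
				offset = payload_start;
				all_ok = false;
				break;
			}
		} while (tvb_reported_length_remaining(tvb, offset) > 8);
		if (all_ok)
			goto decompression_ok;
		else
			goto out;
	}

	proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_comp_alg, tvb, offset, 2, ENC_LITTLE_ENDIAN, &scti->alg);
	offset += 2;

	proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN, &flags);
	offset += 2;

	proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &scti->comp_offset);
	offset += 4;

	*comp_tvb = tvb_new_subset_length(tvb, offset, tvb_reported_length_remaining(tvb, offset));

	/* refuse sizes above the dissector's limit before buffering anything */
	if (scti->orig_size > MAX_UNCOMPRESSED_SIZE || scti->comp_offset > MAX_UNCOMPRESSED_SIZE) {
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (too big)");
		goto out;
	}

	/*
	 * final uncompressed size is the partial normal packet + uncompressed segment
	 * final_size = scti->orig_size + scti->comp_offset
	 */

	append_uncompress_data(uncomp_data, tvb, offset, scti->comp_offset);
	in_size = tvb_reported_length_remaining(tvb, offset + scti->comp_offset);

	/* decompress compressed segment */
	switch (scti->alg) {
	case SMB2_COMP_ALG_LZ77:
		uncomp_tvb = tvb_uncompress_lz77(tvb, offset + scti->comp_offset, in_size);
		break;
	case SMB2_COMP_ALG_LZ77HUFF:
		uncomp_tvb = tvb_uncompress_lz77huff(tvb, offset + scti->comp_offset, in_size);
		break;
	case SMB2_COMP_ALG_LZNT1:
		uncomp_tvb = tvb_uncompress_lznt1(tvb, offset + scti->comp_offset, in_size);
		break;
	default:
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (unknown)");
		uncomp_tvb = NULL;
		goto out;
	}

	/* the decompressor output must match the size announced in the header */
	if (!uncomp_tvb || tvb_reported_length(uncomp_tvb) != scti->orig_size) {
		/* decompression error */
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (invalid)");
		goto out;
	}

	/* write decompressed segment at the end of partial packet */
	append_uncompress_data(uncomp_data, uncomp_tvb, 0, scti->orig_size);

decompression_ok:
	col_append_str(pinfo->cinfo, COL_INFO, "Decomp. SMB3");
	*plain_tvb = tvb_new_child_real_data(tvb,
					     (uint8_t *)wmem_array_get_raw(uncomp_data),
					     wmem_array_get_count(uncomp_data),
					     wmem_array_get_count(uncomp_data));
	add_new_data_source(pinfo, *plain_tvb, "Decomp. SMB3");

out:
	/* the bytes were copied into uncomp_data, so the temporary tvb can go */
	if (uncomp_tvb)
		tvb_free(uncomp_tvb);
	return offset;
}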
/*
 * Dissect the SMB2 TRANSFORM_HEADER fields that follow the protocol marker
 * and, when the header is flagged as encrypted, attempt decryption.
 *
 * tree      - tree the header fields are added to
 * tvb       - buffer holding the transform header
 * offset    - offset of the 16-byte signature field
 * sti       - receives nonce, size, flags, sesid and session; sti->conv must
 *             already be set by the caller
 * enc_tvb   - set to the subset of tvb holding the sti->size payload bytes
 * plain_tvb - set to a new data source with the decrypted payload, or left
 *             NULL when no plaintext was produced
 *
 * Returns the offset just past the payload.
 */
static int
dissect_smb2_transform_header(packet_info *pinfo, proto_tree *tree,
			      tvbuff_t *tvb, int offset,
			      smb2_transform_info_t *sti,
			      tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
{
	proto_item *sid_item = NULL;
	proto_tree *sid_tree = NULL;
	uint8_t    *cleartext = NULL;
	int         sid_start;
	int         aad_start;

	*plain_tvb = NULL;
	*enc_tvb = NULL;

	/* signature */
	proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
	offset += 16;

	/* everything after the signature is passed on as the AAD offset */
	aad_start = offset;

	/* nonce */
	proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
	tvb_memcpy(tvb, sti->nonce, offset, 16);
	offset += 16;

	/* size (wire-supplied, not yet validated against the buffer) */
	proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	sti->size = tvb_get_letohl(tvb, offset);
	offset += 4;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* flags */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_flags,
			       ett_smb2_transform_flags,
			       smb2_transform_flags, ENC_LITTLE_ENDIAN);
	sti->flags = tvb_get_letohs(tvb, offset);
	offset += 2;

	/* session ID */
	sid_start = offset;
	sti->sesid = tvb_get_letoh64(tvb, offset);
	sid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	sid_tree = proto_item_add_subtree(sid_item, ett_smb2_sesid_tree);
	offset += 8;

	/* the session has to be looked up before anything can be decrypted */
	sti->session = smb2_get_session(sti->conv, sti->sesid, NULL, NULL);
	smb2_add_session_info(sid_tree, sid_item, tvb, sid_start, sti->session);

	/*
	 * NOTE(review): decrypt_smb_payload() receives sti->size before the
	 * subset below has checked it against tvb - confirm the callee
	 * bounds-checks the size itself.
	 */
	if ((sti->flags & SMB2_TRANSFORM_FLAGS_ENCRYPTED) != 0) {
		cleartext = decrypt_smb_payload(pinfo, tvb, offset, aad_start, sti);
	}
	*enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);

	if (cleartext) {
		*plain_tvb = tvb_new_child_real_data(*enc_tvb, cleartext, sti->size, sti->size);
		add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
	}

	return offset + sti->size;
}
/*
 * Return a display title for packets that do not follow the plain
 * "<command> Request/Response" naming, or NULL to keep the standard naming.
 *
 * Only SMB2_COM_BREAK is handled: the 16-bit structure size at offset,
 * together with the response flag, selects the oplock/lease break variant.
 */
static const char *
get_special_packet_title(uint16_t cmd, uint32_t flags, uint64_t msg_id, tvbuff_t *tvb, int offset)
{
	uint16_t structure_size;

	/* only oplock/lease break packets get a special title */
	if (cmd != SMB2_COM_BREAK)
		return NULL;

	structure_size = tvb_get_letohs(tvb, offset);

	if (!(flags & SMB2_FLAGS_RESPONSE)) {
		if (structure_size == OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE)
			return "Oplock Break Acknowledgment";
		if (structure_size == OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE)
			return "Lease Break Acknowledgment";
		/* unrecognised break request: fall back to standard naming */
		return NULL;
	}

	if (structure_size == OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE) {
		/* Notification and Response packets for Oplock Break share one
		 * layout; only the msg_id tells them apart, see [MS-SMB2]
		 * 3.3.4.6 Object Store Indicates an Oplock Break */
		return (msg_id == 0xFFFFFFFFFFFFFFFF)
			? "Oplock Break Notification"
			: "Oplock Break Response";
	}
	if (structure_size == OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE)
		return "Lease Break Notification";
	if (structure_size == OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE)
		return "Lease Break Response";

	/* unrecognised break response: fall back to standard naming */
	return NULL;
}
/*
 * Add the command subtree for one SMB2 message and hand the payload to the
 * per-opcode request or response dissector.
 *
 * offset points at the first payload byte after the SMB2 header; si carries
 * the opcode, flags and msg_id parsed from that header.
 *
 * Returns the offset reached by the command dissector, or the captured
 * length of tvb when no dissector is registered for the opcode.
 */
static int
dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
{
	int (*handler)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
	proto_item *command_item;
	proto_tree *command_tree;
	const int   start = offset;
	const char *special_title = get_special_packet_title(si->opcode, si->flags, si->msg_id, tvb, offset);

	if (!special_title) {
		command_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
				ett_smb2_command, &command_item, "%s %s (0x%02x)",
				decode_smb2_name(si->opcode),
				(si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
				si->opcode);
	} else {
		command_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
				ett_smb2_command, &command_item, "%s (0x%02x)",
				special_title,
				si->opcode);
	}

	/* the opcode is masked to 8 bits before it indexes the dispatch table */
	if (si->flags & SMB2_FLAGS_RESPONSE) {
		handler = smb2_dissector[si->opcode&0xff].response;
	} else {
		handler = smb2_dissector[si->opcode&0xff].request;
	}

	if (!handler) {
		/* no dissector for this opcode: show the rest as unknown data */
		proto_tree_add_item(command_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
		offset = tvb_captured_length(tvb);
	} else {
		offset = (*handler)(tvb, pinfo, command_tree, offset, si);
	}

	proto_item_set_len(command_item, offset-start);

	return offset;
}
/*
 * Dissect the 16 header bytes holding either the Async Id or the
 * Reserved + Tree Id pair, followed by the Session Id, and attach what is
 * known about the session and tree.
 *
 * Sets si->tid (sync commands only), si->sesid, si->session and, when the
 * tree id is found in the session's table, si->tree.
 *
 * Returns the offset after the Session Id.
 */
static int
dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
{
	const bool         is_async = (si->flags&SMB2_FLAGS_ASYNC_CMD) != 0;
	proto_item        *tree_id_item = NULL;
	proto_tree        *tree_id_tree = NULL;
	int                tree_id_start = 0;
	proto_item        *session_item = NULL;
	proto_tree        *session_tree = NULL;
	int                session_start;
	smb2_tid_info_t    tid_lookup;
	smb2_sesid_info_t  sesid_lookup;
	proto_item        *generated;

	if (!is_async) {
		/* Reserved */
		proto_tree_add_item(tree, hf_smb2_header_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* Tree ID */
		tree_id_start = offset;
		si->tid = tvb_get_letohl(tvb, offset);
		tree_id_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		tree_id_tree = proto_item_add_subtree(tree_id_item, ett_smb2_tid_tree);
		offset += 4;
	} else {
		/* async commands carry an 8-byte Async Id instead */
		proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	/* Session ID */
	session_start = offset;
	si->sesid = tvb_get_letoh64(tvb, offset);
	session_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	session_tree = proto_item_add_subtree(session_item, ett_smb2_sesid_tree);
	offset += 8;

	/* look the session up first; only the sesid member of the key is set */
	sesid_lookup.sesid = si->sesid;
	si->session = (smb2_sesid_info_t *)wmem_map_lookup(smb2_sessions, &sesid_lookup);
	if (!si->session) {
		/* unknown session: ask smb2_get_session() for one and add no details */
		si->session = smb2_get_session(si->conv, si->sesid, pinfo, si);
		return offset;
	}

	smb2_add_session_info(session_tree, session_item, tvb, session_start, si->session);

	/* async commands have no tree id to resolve */
	if (is_async)
		return offset;

	/* see if we can find the name for this tid */
	tid_lookup.tid = si->tid;
	si->tree = (smb2_tid_info_t *)wmem_map_lookup(si->session->tids, &tid_lookup);
	if (!si->tree)
		return offset;

	generated = proto_tree_add_string(tid_tree_or(tree_id_tree), hf_smb2_tree, tvb, tree_id_start, 4, si->tree->name);
	proto_item_set_generated(generated);
	proto_item_append_text(tree_id_item, " %s", si->tree->name);

	generated = proto_tree_add_uint(tree_id_tree, hf_smb2_share_type, tvb, tree_id_start, 0, si->tree->share_type);
	proto_item_set_generated(generated);

	generated = proto_tree_add_uint(tree_id_tree, hf_smb2_tcon_frame, tvb, tree_id_start, 0, si->tree->connect_frame);
	proto_item_set_generated(generated);

	generated = proto_tree_add_uint(tree_id_tree, hf_smb2_tdcon_frame, tvb, tree_id_start, 0, si->tree->disconnect_frame);
	proto_item_set_generated(generated);

	return offset;
}
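/*
 * Add the 16-byte SMB2 signature field and, when verification is enabled and
 * a signing key is known for the session, recompute the MAC and mark the
 * signature as good or bad.
 *
 * The MAC covers the first 48 header bytes, 16 zero bytes standing in for
 * the signature field, and everything after the signature.
 *
 * Nothing is verified when: si, its session or its conversation is missing;
 * the smb2_verify_signatures preference is off; the packet is not flagged as
 * signed; the session signing key is all zeros; or the frame was truncated
 * at capture time.
 *
 * A good/bad verdict is only emitted when a MAC was actually computed. With
 * a signing algorithm other than HMAC-SHA256 or AES-CMAC, or after a
 * libgcrypt error, mac[] would still hold its zero initialiser, and comparing
 * that with the packet would flag every such packet as badly signed (or
 * accept an all-zero signature), so those cases return without a verdict.
 */
static void
dissect_smb2_signature(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
{
	proto_item *item = NULL;
	proto_tree *stree = NULL;
	gcry_mac_hd_t md;
	uint8_t mac[NTLMSSP_KEY_LEN] = { 0, };
	size_t len = NTLMSSP_KEY_LEN;
	int i, remaining;
	int mac_algo;
	const uint8_t *hdr_bytes;
	const uint8_t *body_bytes;
	bool mac_ok;

	item = proto_tree_add_item(tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);

	if (!si || !si->session ||!si->conv)
		return;

	if (!smb2_verify_signatures || !(si->flags & SMB2_FLAGS_SIGNATURE))
		return;

	/* an all-zero key means no signing key is known for this session */
	if (memcmp(si->session->signing_key, zeros, NTLMSSP_KEY_LEN) == 0) {
		return;
	}

	/* a truncated capture cannot be verified */
	if (tvb_reported_length(tvb) > tvb_captured_length(tvb))
		return;

	if (si->conv->sign_alg == SMB2_SIGNING_ALG_HMAC_SHA256) {
		mac_algo = GCRY_MAC_HMAC_SHA256;
	} else if (si->conv->sign_alg == SMB2_SIGNING_ALG_AES_CMAC) {
		mac_algo = GCRY_MAC_CMAC_AES;
	} else {
		/* signing algorithm not handled here: give no verdict */
		return;
	}

	remaining = tvb_reported_length_remaining(tvb, offset + NTLMSSP_KEY_LEN);

	/* fetch the input before opening the MAC handle, so a bounds
	 * exception from the tvb cannot leave the handle open */
	hdr_bytes = tvb_get_ptr(tvb, 0, 48);
	body_bytes = tvb_get_ptr(tvb, offset + NTLMSSP_KEY_LEN, remaining);

	if (gcry_mac_open(&md, mac_algo, 0, NULL))
		return;

	mac_ok = !gcry_mac_setkey(md, si->session->signing_key, len)
	      && !gcry_mac_write(md, hdr_bytes, 48)
	      && !gcry_mac_write(md, zeros, NTLMSSP_KEY_LEN)
	      && !gcry_mac_write(md, body_bytes, remaining)
	      && !gcry_mac_read(md, &mac[0], &len);
	gcry_mac_close(md);

	if (!mac_ok)
		return;

	stree = proto_item_add_subtree(item, ett_smb2_signature);

	if (memcmp(&mac[0], tvb_get_ptr(tvb, offset, NTLMSSP_KEY_LEN), NTLMSSP_KEY_LEN) == 0) {
		proto_tree_add_item(stree, hf_smb2_good_signature, tvb, offset, 16, ENC_NA);
		return; /* signature matched */
	}

	/* mismatch: show the MAC that was computed and raise expert info */
	item = proto_tree_add_item(stree, hf_smb2_bad_signature, tvb, offset, 16, ENC_NA);
	proto_item_append_text(item, " ");
	for (i = 0; i < NTLMSSP_KEY_LEN; i++)
		proto_item_append_text(item, "%02x", mac[i]);
	proto_item_set_generated(item);
	expert_add_info(pinfo, item, &ei_smb2_invalid_signature);

	return;
}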
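/*
 * Dissect one SMB2 message. The first byte of tvb selects the framing:
 * a plain SMB2 header, an encryption TRANSFORM_HEADER or a
 * COMPRESSION_TRANSFORM_HEADER.
 *
 * tvb            - buffer starting at the protocol marker
 * pinfo          - packet info
 * parent_tree    - tree the SMB2 protocol item is added to
 * first_in_chain - true for the first message of a frame (clears COL_INFO);
 *                  false for chained, decrypted or decompressed messages
 *                  (appends to COL_INFO)
 *
 * Returns the offset reached in tvb.
 *
 * The function calls itself for decrypted payloads, decompressed payloads
 * and chained messages. Each level is bracketed by
 * increment_dissection_depth()/decrement_dissection_depth(), which
 * presumably enforce a nesting limit (not visible here).
 */
static int
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, bool first_in_chain)
{
	int msg_type;
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	proto_item *header_item = NULL;
	proto_tree *header_tree = NULL;
	int offset = 0;
	int chain_offset = 0;
	const char *label = smb_header_label;
	conversation_t *conversation;
	smb2_saved_info_t *ssi = NULL, ssi_key;
	smb2_info_t *si;
	smb2_transform_info_t *sti;
	smb2_comp_transform_info_t *scti;
	char *fid_name;
	uint32_t open_frame,close_frame;
	smb2_eo_file_info_t *eo_file_info;
	e_ctx_hnd *policy_hnd_hashtablekey;
	const char *packet_title;

	/* zero-initialised like si, so members that a given header layout
	 * never fills in do not hold stale pool contents */
	sti = wmem_new0(pinfo->pool, smb2_transform_info_t);
	scti = wmem_new0(pinfo->pool, smb2_comp_transform_info_t);
	si = wmem_new0(pinfo->pool, smb2_info_t);
	si->top_tree = parent_tree;

	msg_type = tvb_get_uint8(tvb, 0);

	switch (msg_type) {
	case SMB2_COMP_HEADER:
		label = smb_comp_transform_header_label;
		break;
	case SMB2_ENCR_HEADER:
		label = smb_transform_header_label;
		break;
	case SMB2_NORM_HEADER:
		label = smb_header_label;
		break;
	default:
		label = smb_bad_header_label;
		break;
	}

	increment_dissection_depth(pinfo);

	/* find which conversation we are part of and get the data for that
	 * conversation
	 */
	conversation = find_or_create_conversation(pinfo);
	si->conv = (smb2_conv_info_t *)conversation_get_proto_data(conversation, proto_smb2);
	if (!si->conv) {
		/* no smb2_into_t structure for this conversation yet,
		 * create it.
		 */
		si->conv = wmem_new0(wmem_file_scope(), smb2_conv_info_t);
		/* qqq this leaks memory for now since we never free
		   the hashtables */
		si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
			smb2_saved_info_equal_matched);
		si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
			smb2_saved_info_equal_unmatched);
		si->conv->preauth_hash_current = si->conv->preauth_hash_con;

		/* Bit of a hack to avoid leaking the hash tables - register a
		 * callback to free them. Ideally wmem would implement a simple
		 * hash table so we wouldn't have to do this. */
		wmem_register_callback(wmem_file_scope(), smb2_conv_destroy,
			si->conv);

		conversation_add_proto_data(conversation, proto_smb2, si->conv);
	}

	sti->conv = si->conv;
	scti->conv = si->conv;

	col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
	if (first_in_chain) {
		/* first packet */
		col_clear(pinfo->cinfo, COL_INFO);
	} else {
		col_append_str(pinfo->cinfo, COL_INFO, "; ");
	}

	item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset, -1, ENC_NA);
	tree = proto_item_add_subtree(item, ett_smb2);

	header_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_header, &header_item, label);

	/* Decode the header */

	if (msg_type == SMB2_NORM_HEADER) {
		/* SMB2 marker */
		proto_tree_add_item(header_tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
		offset += 4;

		/* we need the flags before we know how to parse the credits field */
		si->flags = tvb_get_letohl(tvb, offset+12);

		/* header length */
		proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		/* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
		proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		/* Status Code */
		if (si->flags & SMB2_FLAGS_RESPONSE) {
			si->status = tvb_get_letohl(tvb, offset);
			proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
			offset += 4;
		} else {
			si->status = 0;
			proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
			offset += 2;
			proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
			offset += 2;
		}

		/* opcode */
		si->opcode = tvb_get_letohs(tvb, offset);
		proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		/* credits */
		if (si->flags & SMB2_FLAGS_RESPONSE) {
			proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		} else {
			proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		}
		offset += 2;

		/* flags */
		if (header_tree) {
			static int * const flags[] = {
				&hf_smb2_flags_response,
				&hf_smb2_flags_async_cmd,
				&hf_smb2_flags_chained,
				&hf_smb2_flags_signature,
				&hf_smb2_flags_priority_mask,
				&hf_smb2_flags_dfs_op,
				&hf_smb2_flags_replay_operation,
				NULL
			};

			proto_tree_add_bitmask(header_tree, tvb, offset, hf_smb2_flags,
					       ett_smb2_flags, flags, ENC_LITTLE_ENDIAN);
		}

		offset += 4;

		/* Next Command: wire-supplied 32-bit value kept in an int; only
		 * a positive value triggers the chained dissection below */
		chain_offset = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* Message ID */
		si->msg_id = tvb_get_letoh64(tvb, offset);
		ssi_key.msg_id = si->msg_id;
		proto_tree_add_item(header_tree, hf_smb2_msg_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* Tree ID and Session ID */
		offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);

		/* Signature */
		dissect_smb2_signature(pinfo, tvb, offset, header_tree, si);
		offset += 16;
		proto_item_set_len(header_item, offset);

		/* Check if this is a special packet type and it has non-regular title */
		packet_title = get_special_packet_title(si->opcode, si->flags, si->msg_id, tvb, offset);
		if (packet_title) {
			col_append_str(pinfo->cinfo, COL_INFO, packet_title);
		} else {
			/* Regular packets have standard title */
			col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
					decode_smb2_name(si->opcode),
					(si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
		}
		if (si->status) {
			col_append_fstr(
					pinfo->cinfo, COL_INFO, ", Error: %s",
					val_to_str_ext(si->status, &NT_errors_ext,
						       "Unknown (0x%08X)"));
		}


		if (!pinfo->fd->visited) {
			/* see if we can find this msg_id in the unmatched table */
			ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);

			if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
				/* This is a request */
				if (ssi) {
					/* this is a request and we already found
					 * an older ssi so just delete the previous
					 * one
					 */
					g_hash_table_remove(si->conv->unmatched, ssi);
					ssi = NULL;
				}

				if (!ssi) {
					/* no we couldn't find it, so just add it then
					 * if was a request we are decoding
					 */
					ssi                  = wmem_new0(wmem_file_scope(), smb2_saved_info_t);
					ssi->msg_id          = ssi_key.msg_id;
					ssi->frame_req       = pinfo->num;
					ssi->frame_res       = UINT32_MAX;
					ssi->req_time        = pinfo->abs_ts;
					ssi->extra_info_type = SMB2_EI_NONE;
					g_hash_table_insert(si->conv->unmatched, ssi, ssi);
				}
			} else {
				/* This is a response */
				if (!((si->flags & SMB2_FLAGS_ASYNC_CMD)
					&& si->status == NT_STATUS_PENDING)
					&& ssi) {
					/* just set the response frame and move it to the matched table */
					ssi->frame_res = pinfo->num;
					g_hash_table_remove(si->conv->unmatched, ssi);
					g_hash_table_insert(si->conv->matched, ssi, ssi);
				}
			}
		} else {
			/* see if we can find this msg_id in the matched table */
			ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
			/* if we couldn't find it in the matched table, it might still
			 * be in the unmatched table
			 */
			if (!ssi) {
				ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
			}
		}

		if (ssi) {
			if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
				/* If needed, create the file entry and save the policy hnd */
				if (!si->eo_file_info) {
					/* the block below dereferences si->session, so it
					 * is checked as well; dissect_smb2_signature()
					 * likewise treats a missing session as possible */
					if (si->conv && si->session) {
						eo_file_info = (smb2_eo_file_info_t *)wmem_map_lookup(si->session->files,&ssi->policy_hnd);
						if (!eo_file_info) { /* XXX This should never happen */
							/* assert(1==0); */
							eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
							policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
							memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
							eo_file_info->end_of_file=0;
							wmem_map_insert(si->session->files,policy_hnd_hashtablekey,eo_file_info);
						}
						si->eo_file_info=eo_file_info;
					}
				}
			}

			if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
				/* request: link to the response frame when it is known */
				if (ssi->frame_res != UINT32_MAX) {
					proto_item *tmp_item;
					tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
					proto_item_set_generated(tmp_item);
				}
			} else {
				/* response: link back to the request and show the delta time */
				if (ssi->frame_req != UINT32_MAX) {
					proto_item *tmp_item;
					nstime_t    t, deltat;

					tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
					proto_item_set_generated(tmp_item);
					t = pinfo->abs_ts;
					nstime_delta(&deltat, &t, &ssi->req_time);
					tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
					0, 0, &deltat);
					proto_item_set_generated(tmp_item);
				}
			}
			if (si->file != NULL) {
				ssi->file = si->file;
			} else {
				si->file = ssi->file;
			}
		}
		/* if we don't have ssi yet we must fake it */
		/*qqq*/
		si->saved = ssi;

		tap_queue_packet(smb2_tap, pinfo, si);

		/* Decode the payload */
		offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
	} else if (msg_type == SMB2_ENCR_HEADER) {
		proto_tree *enc_tree;
		tvbuff_t   *enc_tvb   = NULL;
		tvbuff_t   *plain_tvb = NULL;

		/* SMB2_TRANSFORM marker */
		proto_tree_add_item(header_tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
		offset += 4;

		offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
						       &enc_tvb, &plain_tvb);

		enc_tree = proto_tree_add_subtree(tree, enc_tvb, 0, sti->size, ett_smb2_encrypted, NULL, "Encrypted SMB3 data");
		if (plain_tvb != NULL) {
			col_append_str(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
			dissect_smb2(plain_tvb, pinfo, enc_tree, false);
		} else {
			col_append_str(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
			proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
					    enc_tvb, 0, sti->size, ENC_NA);
		}

		/* bytes after the encrypted payload are dissected as a further message */
		if (tvb_reported_length_remaining(tvb, offset) > 0) {
			chain_offset = offset;
		}
	} else if (msg_type == SMB2_COMP_HEADER) {
		proto_tree *comp_tree;
		proto_item *decomp_item;
		tvbuff_t   *plain_tvb = NULL;
		tvbuff_t   *comp_tvb = NULL;

		offset = dissect_smb2_comp_transform_header(pinfo, header_tree, tvb, offset,
							    scti, &comp_tvb, &plain_tvb);

		comp_tree = proto_tree_add_subtree(header_tree, tvb, offset,
						   tvb_reported_length_remaining(tvb, offset),
						   ett_smb2_compressed, NULL,
						   "Compressed SMB3 data");
		proto_tree_add_item(comp_tree, hf_smb2_comp_transform_data,
				    tvb, offset,
				    tvb_reported_length_remaining(tvb, offset),
				    ENC_NA);

		if (plain_tvb) {
			proto_tree *decomp_tree;

			decomp_tree = proto_tree_add_subtree(header_tree, plain_tvb, 0,
							     tvb_reported_length_remaining(plain_tvb, 0),
							     ett_smb2_decompressed, &decomp_item,
							     "Decompressed SMB3 data");
			proto_item_set_generated(decomp_item);
			dissect_smb2(plain_tvb, pinfo, decomp_tree, false);
		}

		offset += tvb_reported_length_remaining(tvb, offset);
	} else {
		col_append_str(pinfo->cinfo, COL_INFO, "Invalid header");

		/* bad packet after decompressing/decrypting */
		offset += tvb_reported_length_remaining(tvb, offset);
	}

	if (chain_offset > 0) {
		tvbuff_t *next_tvb;

		proto_item_set_len(item, chain_offset);

		next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
		offset = dissect_smb2(next_tvb, pinfo, parent_tree, false);
	}

	decrement_dissection_depth(pinfo);
	return offset;
}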
/*
 * Heuristic entry point: accept the buffer as SMB2 only when it starts with
 * one of the three known marker bytes followed by "SMB", then dissect it as
 * the first message of the frame.
 *
 * Returns true when the buffer was claimed and dissected, false otherwise.
 */
static bool
dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
{
	uint8_t marker;

	/* the four marker bytes must be present before they are examined */
	if (tvb_captured_length(tvb) < 4)
		return false;

	marker = tvb_get_uint8(tvb, 0);
	switch (marker) {
	case SMB2_COMP_HEADER:
	case SMB2_ENCR_HEADER:
	case SMB2_NORM_HEADER:
		break;
	default:
		return false;
	}

	if (tvb_get_uint8(tvb, 1) != 'S')
		return false;
	if (tvb_get_uint8(tvb, 2) != 'M')
		return false;
	if (tvb_get_uint8(tvb, 3) != 'B')
		return false;

	dissect_smb2(tvb, pinfo, parent_tree, true);

	return true;
}
12173 void
12174 proto_register_smb2(void)
12176 module_t *smb2_module;
12177 static hf_register_info hf[] = {
12178 { &hf_smb2_cmd,
12179 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
12180 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }
12183 { &hf_smb2_response_to,
12184 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
12185 FRAMENUM_TYPE(FT_FRAMENUM_REQUEST), 0, "This packet is a response to the packet in this frame", HFILL }
12188 { &hf_smb2_response_in,
12189 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
12190 FRAMENUM_TYPE(FT_FRAMENUM_RESPONSE), 0, "The response to this packet is in this packet", HFILL }
12193 { &hf_smb2_time,
12194 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
12195 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }
12198 { &hf_smb2_preauth_hash,
12199 { "Preauth Hash", "smb2.preauth_hash", FT_BYTES, BASE_NONE,
12200 NULL, 0, "SMB3.1.1 pre-authentication SHA512 hash after hashing the packet", HFILL }
12203 { &hf_smb2_header_len,
12204 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
12205 NULL, 0, "SMB2 Size of Header", HFILL }
12208 { &hf_smb2_nt_status,
12209 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
12210 &NT_errors_ext, 0, "NT Status code", HFILL }
12213 { &hf_smb2_msg_id,
12214 { "Message ID", "smb2.msg_id", FT_UINT64, BASE_DEC|BASE_VAL64_STRING|BASE_SPECIAL_VALS,
12215 VALS64(unique_unsolicited_response), 0, NULL, HFILL }
12218 { &hf_smb2_tid,
12219 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
12220 NULL, 0, NULL, HFILL }
12223 { &hf_smb2_aid,
12224 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
12225 NULL, 0, NULL, HFILL }
12228 { &hf_smb2_sesid,
12229 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
12230 NULL, 0, NULL, HFILL }
12233 { &hf_smb2_previous_sesid,
12234 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
12235 NULL, 0, NULL, HFILL }
12238 { &hf_smb2_chain_offset,
12239 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
12240 NULL, 0, NULL, HFILL }
12243 { &hf_smb2_end_of_file,
12244 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
12245 NULL, 0, "SMB2 End Of File/File size", HFILL }
12248 { &hf_smb2_nlinks,
12249 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
12250 NULL, 0, "Number of links to this object", HFILL }
12253 { &hf_smb2_file_id,
12254 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
12255 NULL, 0, NULL, HFILL }
12258 { &hf_smb2_allocation_size,
12259 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
12260 NULL, 0, NULL, HFILL }
12263 { &hf_smb2_max_response_size,
12264 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
12265 NULL, 0, NULL, HFILL }
12268 { &hf_smb2_getinfo_input_size,
12269 { "Getinfo Input Size", "smb2.getinfo_input_size", FT_UINT32, BASE_DEC,
12270 NULL, 0, NULL, HFILL }
12273 { &hf_smb2_getinfo_input_offset,
12274 { "Getinfo Input Offset", "smb2.getinfo_input_offset", FT_UINT16, BASE_HEX,
12275 NULL, 0, NULL, HFILL }
12278 { &hf_smb2_getsetinfo_additional,
12279 { "Additional Info", "smb2.getsetinfo_additional", FT_UINT32, BASE_HEX,
12280 NULL, 0, NULL, HFILL }
12283 { &hf_smb2_getsetinfo_additionals,
12284 { "Additional Info", "smb2.getsetinfo_additionals", FT_UINT32, BASE_HEX,
12285 NULL, 0, NULL, HFILL }
12288 { &hf_smb2_getsetinfo_additional_owner,
12289 { "Owner", "smb2.getsetinfo_additional_secinfo.owner", FT_BOOLEAN, 32,
12290 TFS(&tfs_additional_owner), OWNER_SECURITY_INFORMATION, "Is owner security information being queried?", HFILL }},
12292 { &hf_smb2_getsetinfo_additional_group,
12293 { "Group", "smb2.getsetinfo_additional_secinfo.group", FT_BOOLEAN, 32,
12294 TFS(&tfs_additional_group), GROUP_SECURITY_INFORMATION, "Is group security information being queried?", HFILL }},
12296 { &hf_smb2_getsetinfo_additional_dacl,
12297 { "DACL", "smb2.getsetinfo_additional_secinfo.dacl", FT_BOOLEAN, 32,
12298 TFS(&tfs_additional_dacl), DACL_SECURITY_INFORMATION, "Is DACL security information being queried?", HFILL }},
12300 { &hf_smb2_getsetinfo_additional_sacl,
12301 { "SACL", "smb2.getsetinfo_additional_secinfo.sacl", FT_BOOLEAN, 32,
12302 TFS(&tfs_additional_sacl), SACL_SECURITY_INFORMATION, "Is SACL security information being queried?", HFILL }},
12304 { &hf_smb2_getsetinfo_additional_label,
12305 { "Integrity label", "smb2.getsetinfo_additional_secinfo.label", FT_BOOLEAN, 32,
12306 TFS(&tfs_additional_label), LABEL_SECURITY_INFORMATION, "Is integrity label security information being queried?", HFILL }},
12308 { &hf_smb2_getsetinfo_additional_attribute,
12309 { "Resource attribute", "smb2.getsetinfo_additional_secinfo.attribute", FT_BOOLEAN, 32,
12310 TFS(&tfs_additional_attribute), ATTRIBUTE_SECURITY_INFORMATION, "Is resource attribute security information being queried?", HFILL }},
12312 { &hf_smb2_getsetinfo_additional_scope,
12313 { "Central access policy", "smb2.getsetinfo_additional_secinfo.scope", FT_BOOLEAN, 32,
12314 TFS(&tfs_additional_scope), SCOPE_SECURITY_INFORMATION, "Is central access policy security information being queried?", HFILL }},
12316 { &hf_smb2_getsetinfo_additional_backup,
12317 { "Backup operation", "smb2.getsetinfo_additional_secinfo.backup", FT_BOOLEAN, 32,
12318 TFS(&tfs_additional_backup), BACKUP_SECURITY_INFORMATION, "Is backup operation security information being queried?", HFILL }},
12320 { &hf_smb2_getinfo_flags,
12321 { "Flags", "smb2.getinfo_flags", FT_UINT32, BASE_HEX,
12322 NULL, 0, NULL, HFILL }
12325 { &hf_smb2_setinfo_size,
12326 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
12327 NULL, 0, NULL, HFILL }
12330 { &hf_smb2_setinfo_offset,
12331 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
12332 NULL, 0, NULL, HFILL }
12335 { &hf_smb2_setinfo_reserved,
12336 { "Reserved", "smb2.setinfo_reserved", FT_UINT16, BASE_DEC,
12337 NULL, 0, NULL, HFILL }
12340 { &hf_smb2_max_ioctl_out_size,
12341 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
12342 NULL, 0, NULL, HFILL }
12345 { &hf_smb2_max_ioctl_in_size,
12346 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
12347 NULL, 0, NULL, HFILL }
12350 { &hf_smb2_required_buffer_size,
12351 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
12352 NULL, 0, NULL, HFILL }
12355 { &hf_smb2_header_reserved,
12356 { "Reserved", "smb2.header_reserved", FT_UINT32, BASE_HEX,
12357 NULL, 0, NULL, HFILL }
12361 /* SMB2 header flags */
12362 { &hf_smb2_flags,
12363 { "Flags", "smb2.flags", FT_UINT32, BASE_HEX,
12364 NULL, 0, "SMB2 flags", HFILL }
12367 { &hf_smb2_flags_response,
12368 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
12369 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }
12372 { &hf_smb2_flags_async_cmd,
12373 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
12374 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }
12377 { &hf_smb2_flags_dfs_op,
12378 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
12379 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }
12382 { &hf_smb2_flags_chained,
12383 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
12384 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }
12386 { &hf_smb2_flags_signature,
12387 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
12388 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }
12391 { &hf_smb2_flags_replay_operation,
12392 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
12393 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }
12396 { &hf_smb2_flags_priority_mask,
12397 { "Priority", "smb2.flags.priority_mask", FT_BOOLEAN, 32,
12398 TFS(&tfs_flags_priority_mask), SMB2_FLAGS_PRIORITY_MASK, "Priority Mask", HFILL }
12401 { &hf_smb2_tree,
12402 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
12403 NULL, 0, "Name of the Tree/Share", HFILL }
12406 { &hf_smb2_filename,
12407 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
12408 NULL, 0, NULL, HFILL }
12411 { &hf_smb2_filename_len,
12412 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
12413 NULL, 0, NULL, HFILL }
12416 { &hf_smb2_file_id_hash,
12417 { "FileId Hash", "smb2.fid_hash", FT_UINT32, BASE_HEX,
12418 NULL, 0, "Used to find all instances of a File ID", HFILL }
12421 { &hf_smb2_num_matched,
12422 { "Matched pattern", "smb2.num_matched", FT_UINT16, BASE_DEC,
12423 NULL, 0, "Number of files matching the find pattern", HFILL }
12427 { &hf_smb2_replace_if,
12428 { "Replace If", "smb2.rename.replace_if", FT_BOOLEAN, 8,
12429 TFS(&tfs_replace_if_exists), 0xFF, "Whether to replace if the target exists", HFILL }
12432 { &hf_smb2_data_offset,
12433 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
12434 NULL, 0, "Offset to data", HFILL }
12437 { &hf_smb2_find_info_level,
12438 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
12439 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }
12441 { &hf_smb2_find_flags,
12442 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
12443 NULL, 0, NULL, HFILL }
12446 { &hf_smb2_find_pattern,
12447 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
12448 NULL, 0, "Find pattern", HFILL }
12451 { &hf_smb2_find_info_blob,
12452 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
12453 NULL, 0, "Find Info", HFILL }
12456 { &hf_smb2_ea_size,
12457 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
12458 NULL, 0, "Size of EA data", HFILL }
12461 { &hf_smb2_position_information,
12462 { "Position Information", "smb2.position_info", FT_UINT64, BASE_DEC,
12463 NULL, 0, "Current file position", HFILL }
12466 { &hf_smb2_mode_information,
12467 { "Mode Information", "smb2.mode_info", FT_UINT32, BASE_HEX,
12468 NULL, 0, "File mode information", HFILL }
12471 { &hf_smb2_mode_file_write_through,
12472 { "FILE_WRITE_THROUGH", "smb2.mode.file_write_through", FT_UINT32, BASE_HEX,
12473 NULL, 0x02, NULL, HFILL }
12476 { &hf_smb2_mode_file_sequential_only,
12477 { "FILE_SEQUENTIAL_ONLY", "smb2.mode.file_sequential_only", FT_UINT32, BASE_HEX,
12478 NULL, 0x04, NULL, HFILL }
12481 { &hf_smb2_mode_file_no_intermediate_buffering,
12482 { "FILE_NO_INTERMEDIATE_BUFFERING", "smb2.mode.file_no_intermediate_buffering", FT_UINT32, BASE_HEX,
12483 NULL, 0x08, NULL, HFILL }
12486 { &hf_smb2_mode_file_synchronous_io_alert,
12487 { "FILE_SYNCHRONOUS_IO_ALERT", "smb2.mode.file_synchronous_io_alert", FT_UINT32, BASE_HEX,
12488 NULL, 0x10, NULL, HFILL }
12491 { &hf_smb2_mode_file_synchronous_io_nonalert,
12492 { "FILE_SYNCHRONOUS_IO_NONALERT", "smb2.mode.file_synchronous_io_nonalert", FT_UINT32, BASE_HEX,
12493 NULL, 0x20, NULL, HFILL }
12496 { &hf_smb2_mode_file_delete_on_close,
12497 { "FILE_DELETE_ON_CLOSE", "smb2.mode.file_delete_on_close", FT_UINT32, BASE_HEX,
12498 NULL, 0x1000, NULL, HFILL }
12501 { &hf_smb2_alignment_information,
12502 { "Alignment Information", "smb2.alignment_info", FT_UINT32, BASE_HEX,
12503 VALS(smb2_alignment_vals), 0, "File alignment", HFILL}
12506 { &hf_smb2_class,
12507 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
12508 VALS(smb2_class_vals), 0, "Info class", HFILL }
12511 { &hf_smb2_infolevel,
12512 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
12513 NULL, 0, NULL, HFILL }
12516 { &hf_smb2_infolevel_file_info,
12517 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
12518 &smb2_file_info_levels_ext, 0, "File_Info Infolevel", HFILL }
12521 { &hf_smb2_infolevel_fs_info,
12522 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
12523 &smb2_fs_info_levels_ext, 0, "Fs_Info Infolevel", HFILL }
12526 { &hf_smb2_infolevel_sec_info,
12527 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
12528 &smb2_sec_info_levels_ext, 0, "Sec_Info Infolevel", HFILL }
12531 { &hf_smb2_write_length,
12532 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
12533 NULL, 0, "Amount of data to write", HFILL }
12536 { &hf_smb2_read_blob,
12537 { "Info", "smb2.read.blob", FT_BYTES, BASE_NONE,
12538 NULL, 0, "Read Blob", HFILL }
12541 { &hf_smb2_read_length,
12542 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
12543 NULL, 0, "Amount of data to read", HFILL }
12546 { &hf_smb2_read_remaining,
12547 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
12548 NULL, 0, NULL, HFILL }
12551 { &hf_smb2_read_padding,
12552 { "Padding", "smb2.read_padding", FT_UINT8, BASE_HEX,
12553 NULL, 0, NULL, HFILL }
12556 { &hf_smb2_read_flags,
12557 { "Flags", "smb2.read_flags", FT_UINT8, BASE_HEX,
12558 NULL, 0, NULL, HFILL }
12561 { &hf_smb2_read_flags_unbuffered,
12562 { "Unbuffered", "smb2.read_flags.unbuffered", FT_BOOLEAN, 8,
12563 TFS(&tfs_read_unbuffered), SMB2_READFLAG_READ_UNBUFFERED, "If client requests unbuffered read", HFILL }
12566 { &hf_smb2_read_flags_compressed,
12567 { "Compressed", "smb2.read_flags.compressed", FT_BOOLEAN, 8,
12568 TFS(&tfs_read_compressed), SMB2_READFLAG_READ_COMPRESSED, "If client requests compressed response", HFILL }
12571 { &hf_smb2_create_flags,
12572 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
12573 NULL, 0, NULL, HFILL }
12576 { &hf_smb2_file_offset,
12577 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
12578 NULL, 0, NULL, HFILL }
12581 { &hf_smb2_fsctl_range_offset,
12582 { "File Offset", "smb2.fsctl.range_offset", FT_UINT64, BASE_DEC,
12583 NULL, 0, NULL, HFILL }
12586 { &hf_smb2_fsctl_range_length,
12587 { "Length", "smb2.fsctl.range_length", FT_UINT64, BASE_DEC,
12588 NULL, 0, NULL, HFILL }
12591 { &hf_smb2_qfr_length,
12592 { "Length", "smb2.qfr_length", FT_UINT64, BASE_DEC,
12593 NULL, 0, NULL, HFILL }
12596 { &hf_smb2_qfr_usage,
12597 { "Desired Usage", "smb2.qfr_usage", FT_UINT32, BASE_HEX,
12598 VALS(file_region_usage_vals), 0, NULL, HFILL }
12601 { &hf_smb2_qfr_flags,
12602 { "Flags", "smb2.qfr_flags", FT_UINT32, BASE_HEX,
12603 NULL, 0, NULL, HFILL }
12606 { &hf_smb2_qfr_total_region_entry_count,
12607 { "Total Region Entry Count", "smb2.qfr_tot_region_entry_count", FT_UINT32, BASE_HEX,
12608 NULL, 0, NULL, HFILL }
12611 { &hf_smb2_qfr_region_entry_count,
12612 { "Region Entry Count", "smb2.qfr_region_entry_count", FT_UINT32, BASE_HEX,
12613 NULL, 0, NULL, HFILL }
12616 { &hf_smb2_security_blob,
12617 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
12618 NULL, 0, NULL, HFILL }
12621 { &hf_smb2_ioctl_out_data,
12622 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
12623 NULL, 0, "Ioctl Out", HFILL }
12626 { &hf_smb2_ioctl_in_data,
12627 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
12628 NULL, 0, "Ioctl In", HFILL }
12631 { &hf_smb2_server_guid,
12632 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
12633 NULL, 0, NULL, HFILL }
12636 { &hf_smb2_client_guid,
12637 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
12638 NULL, 0, NULL, HFILL }
12641 { &hf_smb2_object_id,
12642 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
12643 NULL, 0, "ObjectID for this FID", HFILL }
12646 { &hf_smb2_birth_volume_id,
12647 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
12648 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }
12651 { &hf_smb2_birth_object_id,
12652 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
12653 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }
12656 { &hf_smb2_domain_id,
12657 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
12658 NULL, 0, NULL, HFILL }
12661 { &hf_smb2_create_timestamp,
12662 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
12663 NULL, 0, "Time when this object was created", HFILL }
12666 { &hf_smb2_fid,
12667 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
12668 NULL, 0, "SMB2 File Id", HFILL }
12671 { &hf_smb2_write_data,
12672 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
12673 NULL, 0, "SMB2 Data to be written", HFILL }
12676 { &hf_smb2_write_flags,
12677 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
12678 NULL, 0, NULL, HFILL }
12681 { &hf_smb2_write_flags_write_through,
12682 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
12683 TFS(&tfs_write_through), SMB2_WRITE_FLAG_WRITE_THROUGH, "If the client requests WRITE_THROUGH", HFILL }
12686 { &hf_smb2_write_flags_write_unbuffered,
12687 { "Unbuffered", "smb2.write.flags.unbuffered", FT_BOOLEAN, 32,
12688 TFS(&tfs_write_unbuffered), SMB2_WRITE_FLAG_WRITE_UNBUFFERED, "If client requests UNBUFFERED read", HFILL }
12691 { &hf_smb2_write_count,
12692 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
12693 NULL, 0, NULL, HFILL }
12696 { &hf_smb2_write_remaining,
12697 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
12698 NULL, 0, NULL, HFILL }
12701 { &hf_smb2_read_data,
12702 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
12703 NULL, 0, "SMB2 Data that is read", HFILL }
12706 { &hf_smb2_last_access_timestamp,
12707 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
12708 NULL, 0, "Time when this object was last accessed", HFILL }
12711 { &hf_smb2_last_write_timestamp,
12712 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
12713 NULL, 0, "Time when this object was last written to", HFILL }
12716 { &hf_smb2_last_change_timestamp,
12717 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
12718 NULL, 0, "Time when this object was last changed", HFILL }
12721 { &hf_smb2_file_all_info,
12722 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
12723 NULL, 0, NULL, HFILL }
12726 { &hf_smb2_file_allocation_info,
12727 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
12728 NULL, 0, NULL, HFILL }
12731 { &hf_smb2_file_endoffile_info,
12732 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
12733 NULL, 0, NULL, HFILL }
12736 { &hf_smb2_good_signature,
12737 { "Good signature", "smb2.good_signature", FT_NONE, BASE_NONE,
12738 NULL, 0, NULL, HFILL }
12741 { &hf_smb2_bad_signature,
12742 { "Bad signature. Should be", "smb2.bad_signature", FT_NONE, BASE_NONE,
12743 NULL, 0, NULL, HFILL }
12746 { &hf_smb2_file_alternate_name_info,
12747 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
12748 NULL, 0, NULL, HFILL }
12751 { &hf_smb2_file_normalized_name_info,
12752 { "SMB2_FILE_NORMALIZED_NAME_INFO", "smb2.file_normalized_name_info", FT_NONE, BASE_NONE,
12753 NULL, 0, NULL, HFILL }
12756 { &hf_smb2_file_stream_info,
12757 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
12758 NULL, 0, NULL, HFILL }
12761 { &hf_smb2_file_pipe_info,
12762 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
12763 NULL, 0, NULL, HFILL }
12766 { &hf_smb2_file_compression_info,
12767 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
12768 NULL, 0, NULL, HFILL }
12771 { &hf_smb2_file_basic_info,
12772 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
12773 NULL, 0, NULL, HFILL }
12776 { &hf_smb2_file_standard_info,
12777 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
12778 NULL, 0, NULL, HFILL }
12781 { &hf_smb2_file_internal_info,
12782 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
12783 NULL, 0, NULL, HFILL }
12786 { &hf_smb2_file_mode_info,
12787 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
12788 NULL, 0, NULL, HFILL }
12791 { &hf_smb2_file_alignment_info,
12792 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
12793 NULL, 0, NULL, HFILL }
12796 { &hf_smb2_file_position_info,
12797 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
12798 NULL, 0, NULL, HFILL }
12801 { &hf_smb2_file_access_info,
12802 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
12803 NULL, 0, NULL, HFILL }
12806 { &hf_smb2_file_ea_info,
12807 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
12808 NULL, 0, NULL, HFILL }
12811 { &hf_smb2_file_network_open_info,
12812 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
12813 NULL, 0, NULL, HFILL }
12816 { &hf_smb2_file_attribute_tag_info,
12817 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
12818 NULL, 0, NULL, HFILL }
12821 { &hf_smb2_file_disposition_info,
12822 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
12823 NULL, 0, NULL, HFILL }
12826 { &hf_smb2_file_full_ea_info,
12827 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE, BASE_NONE,
12828 NULL, 0, NULL, HFILL }
12831 { &hf_smb2_file_rename_info,
12832 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
12833 NULL, 0, NULL, HFILL }
12836 { &hf_smb2_file_link_info,
12837 { "SMB2_FILE_LINK_INFO", "smb2.file_link_info", FT_NONE, BASE_NONE,
12838 NULL, 0, NULL, HFILL }
12841 { &hf_smb2_fs_info_01,
12842 { "FileFsVolumeInformation", "smb2.fs_volume_info", FT_NONE, BASE_NONE,
12843 NULL, 0, NULL, HFILL }
12846 { &hf_smb2_fs_info_03,
12847 { "FileFsSizeInformation", "smb2.fs_size_info", FT_NONE, BASE_NONE,
12848 NULL, 0, NULL, HFILL }
12851 { &hf_smb2_fs_info_04,
12852 { "FileFsDeviceInformation", "smb2.fs_device_info", FT_NONE, BASE_NONE,
12853 NULL, 0, NULL, HFILL }
12856 { &hf_smb2_fs_info_05,
12857 { "FileFsAttributeInformation", "smb2.fs_attribute_info", FT_NONE, BASE_NONE,
12858 NULL, 0, NULL, HFILL }
12861 { &hf_smb2_fs_info_06,
12862 { "FileFsControlInformation", "smb2.fs_control_info", FT_NONE, BASE_NONE,
12863 NULL, 0, NULL, HFILL }
12866 { &hf_smb2_fs_info_07,
12867 { "FileFsFullSizeInformation", "smb2.fs_full_size_info", FT_NONE, BASE_NONE,
12868 NULL, 0, NULL, HFILL }
12871 { &hf_smb2_fs_objectid_info,
12872 { "FileFsObjectIdInformation", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
12873 NULL, 0, NULL, HFILL }
12876 { &hf_smb2_fs_posix_info,
12877 { "FileFsPOSIXInformation", "smb2.fs_posix_info", FT_NONE, BASE_NONE,
12878 NULL, 0, NULL, HFILL }
12881 { &hf_smb2_fs_posix_optimal_transfer_size,
12882 { "Optimal Transfer Size", "smb2.fs_posix_optimal_transfer_size", FT_UINT32, BASE_DEC,
12883 NULL, 0, NULL, HFILL }
12886 { &hf_smb2_fs_posix_block_size,
12887 { "Block Size", "smb2.fs_posix_block_size", FT_UINT32, BASE_DEC,
12888 NULL, 0, NULL, HFILL }
12891 { &hf_smb2_fs_posix_total_blocks,
12892 { "Total Blocks", "smb2.fs_posix_total_blocks", FT_UINT64, BASE_DEC,
12893 NULL, 0, NULL, HFILL }
12896 { &hf_smb2_fs_posix_blocks_available,
12897 { "Blocks Available", "smb2.fs_posix_blocks_available", FT_UINT64, BASE_DEC,
12898 NULL, 0, NULL, HFILL }
12901 { &hf_smb2_fs_posix_user_blocks_available,
12902 { "User Blocks Available", "smb2.fs_posix_user_blocks_available", FT_UINT64, BASE_DEC,
12903 NULL, 0, NULL, HFILL }
12906 { &hf_smb2_fs_posix_total_file_nodes,
12907 { "Total File Nodes", "smb2.fs_posix_total_file_nodes", FT_UINT64, BASE_DEC,
12908 NULL, 0, NULL, HFILL }
12911 { &hf_smb2_fs_posix_free_file_nodes,
12912 { "Free File Nodes", "smb2.fs_posix_free_file_nodes", FT_UINT64, BASE_DEC,
12913 NULL, 0, NULL, HFILL }
12916 { &hf_smb2_fs_posix_fs_identifier,
12917 { "Fs-Identifier", "smb2.fs_posix_fs_identifier", FT_UINT64, BASE_HEX,
12918 NULL, 0, NULL, HFILL }
12921 { &hf_smb2_sec_info_00,
12922 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
12923 NULL, 0, NULL, HFILL }
12926 { &hf_smb2_quota_info,
12927 { "SMB2_QUOTA_INFO", "smb2.quota_info", FT_NONE, BASE_NONE,
12928 NULL, 0, NULL, HFILL }
12931 { &hf_smb2_query_quota_info,
12932 { "SMB2_QUERY_QUOTA_INFO", "smb2.query_quota_info", FT_NONE, BASE_NONE,
12933 NULL, 0, NULL, HFILL }
12936 { &hf_smb2_qq_single,
12937 { "ReturnSingle", "smb2.query_quota_info.single", FT_BOOLEAN, 8,
12938 NULL, 0xff, NULL, HFILL }
12941 { &hf_smb2_qq_restart,
12942 { "RestartScan", "smb2.query_quota_info.restart", FT_BOOLEAN, 8,
12943 NULL, 0xff, NULL, HFILL }
12946 { &hf_smb2_qq_sidlist_len,
12947 { "SidListLength", "smb2.query_quota_info.sidlistlen", FT_UINT32, BASE_DEC,
12948 NULL, 0, NULL, HFILL }
12951 { &hf_smb2_qq_start_sid_len,
12952 { "StartSidLength", "smb2.query_quota_info.startsidlen", FT_UINT32, BASE_DEC,
12953 NULL, 0, NULL, HFILL }
12956 { &hf_smb2_qq_start_sid_offset,
12957 { "StartSidOffset", "smb2.query_quota_info.startsidoffset", FT_UINT32, BASE_DEC,
12958 NULL, 0, NULL, HFILL }
12961 { &hf_smb2_disposition_delete_on_close,
12962 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
12963 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }
12967 { &hf_smb2_create_disposition,
12968 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
12969 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }
12972 { &hf_smb2_create_action,
12973 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
12974 VALS(oa_open_vals), 0, NULL, HFILL }
12977 { &hf_smb2_create_rep_flags,
12978 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
12979 NULL, 0, NULL, HFILL }
12982 { &hf_smb2_create_rep_flags_reparse_point,
12983 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
12984 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }
12987 { &hf_smb2_extrainfo,
12988 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
12989 NULL, 0, "Create ExtraInfo", HFILL }
12992 { &hf_smb2_create_chain_offset,
12993 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
12994 NULL, 0, "Offset to next entry in chain or 0", HFILL }
12997 { &hf_smb2_create_chain_data,
12998 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
12999 NULL, 0, "Chain Data", HFILL }
13002 { &hf_smb2_FILE_OBJECTID_BUFFER,
13003 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
13004 NULL, 0, NULL, HFILL }
13007 { &hf_smb2_lease_key,
13008 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
13009 NULL, 0, NULL, HFILL }
13012 { &hf_smb2_lease_state,
13013 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
13014 NULL, 0, NULL, HFILL }
13017 { &hf_smb2_lease_state_read_caching,
13018 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
13019 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }
13022 { &hf_smb2_lease_state_handle_caching,
13023 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
13024 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }
13027 { &hf_smb2_lease_state_write_caching,
13028 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
13029 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }
13032 { &hf_smb2_lease_flags,
13033 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
13034 NULL, 0, NULL, HFILL }
13037 { &hf_smb2_lease_flags_break_ack_required,
13038 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
13039 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }
13042 { &hf_smb2_lease_flags_break_in_progress,
13043 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
13044 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }
13047 { &hf_smb2_lease_flags_parent_lease_key_set,
13048 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
13049 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }
13052 { &hf_smb2_lease_duration,
13053 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
13054 NULL, 0, NULL, HFILL }
13057 { &hf_smb2_parent_lease_key,
13058 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
13059 NULL, 0, NULL, HFILL }
13062 { &hf_smb2_lease_epoch,
13063 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT16, BASE_HEX,
13064 NULL, 0, NULL, HFILL }
13067 { &hf_smb2_lease_reserved,
13068 { "Lease Reserved", "smb2.lease.lease_reserved", FT_UINT16, BASE_HEX,
13069 NULL, 0, NULL, HFILL }
13072 { &hf_smb2_lease_break_reason,
13073 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
13074 NULL, 0, NULL, HFILL }
13077 { &hf_smb2_lease_access_mask_hint,
13078 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
13079 NULL, 0, NULL, HFILL }
13082 { &hf_smb2_lease_share_mask_hint,
13083 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
13084 NULL, 0, NULL, HFILL }
13087 { &hf_smb2_next_offset,
13088 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
13089 NULL, 0, "Offset to next buffer or 0", HFILL }
13092 { &hf_smb2_negotiate_context_type,
13093 { "Type", "smb2.negotiate_context.type", FT_UINT16, BASE_HEX,
13094 VALS(smb2_negotiate_context_types), 0, NULL, HFILL }
13097 { &hf_smb2_negotiate_context_data_length,
13098 { "DataLength", "smb2.negotiate_context.data_length", FT_UINT16, BASE_DEC,
13099 NULL, 0, NULL, HFILL }
13102 { &hf_smb2_negotiate_context_offset,
13103 { "NegotiateContextOffset", "smb2.negotiate_context.offset", FT_UINT32, BASE_HEX,
13104 NULL, 0, NULL, HFILL }
13107 { &hf_smb2_negotiate_context_reserved2,
13108 { "Reserved2", "smb2.negotiate_context.reserved2", FT_UINT32, BASE_HEX,
13109 NULL, 0, NULL, HFILL }
13112 { &hf_smb2_negotiate_context_count,
13113 { "NegotiateContextCount", "smb2.negotiate_context.count", FT_UINT16, BASE_DEC,
13114 NULL, 0, NULL, HFILL }
13117 { &hf_smb2_negotiate_context_reserved,
13118 { "Reserved", "smb2.negotiate_context.reserved", FT_UINT16, BASE_DEC,
13119 NULL, 0, NULL, HFILL }
13122 { &hf_smb2_hash_alg_count,
13123 { "HashAlgorithmCount", "smb2.negotiate_context.hash_alg_count", FT_UINT16, BASE_DEC,
13124 NULL, 0, NULL, HFILL }},
13126 { &hf_smb2_hash_algorithm,
13127 { "HashAlgorithm", "smb2.negotiate_context.hash_algorithm", FT_UINT16, BASE_HEX,
13128 VALS(smb2_hash_algorithm_types), 0, NULL, HFILL }},
13130 { &hf_smb2_salt_length,
13131 { "SaltLength", "smb2.negotiate_context.salt_length", FT_UINT16, BASE_DEC,
13132 NULL, 0, NULL, HFILL }},
13134 { &hf_smb2_salt,
13135 { "Salt", "smb2.negotiate_context.salt", FT_BYTES, BASE_NONE,
13136 NULL, 0, NULL, HFILL }},
13138 { &hf_smb2_signing_alg_count,
13139 { "SigningAlgorithmCount", "smb2.negotiate_context.signing_alg_count", FT_UINT16, BASE_DEC,
13140 NULL, 0, NULL, HFILL }},
13142 { &hf_smb2_signing_alg_id,
13143 { "SigningAlgorithmId", "smb2.negotiate_context.signing_id", FT_UINT16, BASE_HEX,
13144 VALS(smb2_signing_alg_types), 0, NULL, HFILL }},
13146 { &hf_smb2_cipher_count,
13147 { "CipherCount", "smb2.negotiate_context.cipher_count", FT_UINT16, BASE_DEC,
13148 NULL, 0, NULL, HFILL }},
13150 { &hf_smb2_cipher_id,
13151 { "CipherId", "smb2.negotiate_context.cipher_id", FT_UINT16, BASE_HEX,
13152 VALS(smb2_cipher_types), 0, NULL, HFILL }},
13154 { &hf_smb2_posix_reserved,
13155 { "POSIX Reserved", "smb2.negotiate_context.posix_reserved", FT_BYTES, BASE_NONE,
13156 NULL, 0, NULL, HFILL }
13159 { &hf_smb2_dev,
13160 { "Device", "smb2.dev", FT_UINT32, BASE_HEX,
13161 NULL, 0, NULL, HFILL }
13164 { &hf_smb2_inode,
13165 { "Inode", "smb2.inode", FT_UINT64, BASE_HEX,
13166 NULL, 0, NULL, HFILL }
13169 { &hf_smb2_comp_alg_count,
13170 { "CompressionAlgorithmCount", "smb2.negotiate_context.comp_alg_count", FT_UINT16, BASE_DEC,
13171 NULL, 0, NULL, HFILL }},
13173 { &hf_smb2_comp_alg_id,
13174 { "CompressionAlgorithmId", "smb2.negotiate_context.comp_alg_id", FT_UINT16, BASE_HEX,
13175 VALS(smb2_comp_alg_types), 0, NULL, HFILL }},
13177 { &hf_smb2_comp_alg_flags,
13178 { "Flags", "smb2.negotiate_context.comp_alg_flags", FT_UINT32, BASE_HEX,
13179 NULL, 0, NULL, HFILL }
13182 { &hf_smb2_comp_alg_flags_chained,
13183 { "Chained", "smb2.negotiate_context.comp_alg_flags.chained", FT_BOOLEAN, 32,
13184 NULL, SMB2_COMP_ALG_FLAGS_CHAINED, "Chained compression is supported on this connection", HFILL }
13187 { &hf_smb2_comp_alg_flags_reserved,
13188 { "Reserved", "smb2.negotiate_context.comp_alg_flags.reserved", FT_UINT32, BASE_HEX,
13189 NULL, 0xFFFFFFFE, "Must be zero", HFILL }
13192 { &hf_smb2_netname_neg_id,
13193 { "Netname", "smb2.negotiate_context.netname", FT_STRING,
13194 BASE_NONE, NULL, 0x0, NULL, HFILL }
13197 { &hf_smb2_transport_ctx_flags,
13198 { "Flags", "smb2.negotiate_context.transport_flags", FT_UINT32, BASE_HEX,
13199 VALS(smb2_transport_ctx_flags_vals), 0, NULL, HFILL }
13202 { &hf_smb2_rdma_transform_count,
13203 { "TransformCount", "smb2.negotiate_context.rdma_transform_count", FT_UINT16, BASE_DEC,
13204 NULL, 0, NULL, HFILL }
13207 { &hf_smb2_rdma_transform_reserved1,
13208 { "Reserved1", "smb2.negotiate_context.rdma_transform_reserved1", FT_UINT16, BASE_HEX,
13209 NULL, 0, NULL, HFILL }
13212 { &hf_smb2_rdma_transform_reserved2,
13213 { "Reserved2", "smb2.negotiate_context.rdma_transform_reserved2", FT_UINT32, BASE_HEX,
13214 NULL, 0, NULL, HFILL }
13217 { &hf_smb2_rdma_transform_id,
13218 { "RDMATransformId", "smb2.negotiate_context.rdma_transform_id", FT_UINT16, BASE_HEX,
13219 VALS(smb2_rdma_transform_types), 0, NULL, HFILL }
13222 { &hf_smb2_current_time,
13223 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
13224 NULL, 0, "Current Time at server", HFILL }
13227 { &hf_smb2_boot_time,
13228 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
13229 NULL, 0, "Boot Time at server", HFILL }
13232 { &hf_smb2_ea_flags,
13233 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
13234 VALS(file_full_ea_information_flags), 0, NULL, HFILL }
13237 { &hf_smb2_ea_name_len,
13238 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
13239 NULL, 0, NULL, HFILL }
13242 { &hf_smb2_ea_data_len,
13243 { "EA Data Length", "smb2.ea.data_len", FT_UINT16, BASE_DEC,
13244 NULL, 0, NULL, HFILL }
13247 { &hf_smb2_delete_pending,
13248 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
13249 NULL, 0, NULL, HFILL }
13252 { &hf_smb2_is_directory,
13253 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
13254 NULL, 0, "Is this a directory?", HFILL }
13257 { &hf_smb2_oplock,
13258 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
13259 VALS(oplock_vals), 0, "Oplock type", HFILL }
13262 { &hf_smb2_close_flags,
13263 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
13264 NULL, 0, NULL, HFILL }
13267 { &hf_smb2_notify_flags,
13268 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
13269 NULL, 0, NULL, HFILL }
13272 { &hf_smb2_buffer_code,
13273 { "StructureSize", "smb2.buffer_code", FT_UINT16, BASE_HEX,
13274 NULL, 0, NULL, HFILL }
13277 { &hf_smb2_buffer_code_len,
13278 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
13279 NULL, 0xFFFE, "Length of fixed portion of PDU", HFILL }
13282 { &hf_smb2_olb_length,
13283 { "Blob Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
13284 NULL, 0, "Length of the buffer", HFILL }
13287 { &hf_smb2_olb_offset,
13288 { "Blob Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
13289 NULL, 0, "Offset to the buffer", HFILL }
13292 { &hf_smb2_buffer_code_flags_dyn,
13293 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
13294 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }
13297 { &hf_smb2_ea_data,
13298 { "EA Data", "smb2.ea.data", FT_BYTES, BASE_NONE|BASE_SHOW_ASCII_PRINTABLE,
13299 NULL, 0, NULL, HFILL }
13302 { &hf_smb2_ea_name,
13303 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
13304 NULL, 0, NULL, HFILL }
13307 { &hf_smb2_impersonation_level,
13308 { "Impersonation level", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
13309 VALS(impersonation_level_vals), 0, NULL, HFILL }
13312 { &hf_smb2_ioctl_function,
13313 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
13314 &smb2_ioctl_vals_ext, 0, "Ioctl function", HFILL }
13317 { &hf_smb2_ioctl_function_device,
13318 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
13319 &smb2_ioctl_device_vals_ext, 0xffff0000, "Device for Ioctl", HFILL }
13322 { &hf_smb2_ioctl_function_access,
13323 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
13324 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }
13327 { &hf_smb2_ioctl_function_function,
13328 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
13329 NULL, 0x00003ffc, "Function for Ioctl", HFILL }
13332 { &hf_smb2_ioctl_function_method,
13333 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
13334 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }
13337 { &hf_smb2_fsctl_pipe_wait_timeout,
13338 { "Timeout", "smb2.fsctl.wait.timeout", FT_INT64, BASE_DEC,
13339 NULL, 0, "Wait timeout", HFILL }
13342 { &hf_smb2_fsctl_pipe_wait_name,
13343 { "Name", "smb2.fsctl.wait.name", FT_STRING, BASE_NONE,
13344 NULL, 0, "Pipe name", HFILL }
13347 { &hf_smb2_fsctl_odx_token_type,
13348 { "TokenType", "smb2.fsctl.odx.token.type", FT_UINT32, BASE_HEX,
13349 NULL, 0, NULL, HFILL }
13352 { &hf_smb2_fsctl_odx_token_idlen,
13353 { "TokenIdLength", "smb2.fsctl.odx.token.idlen", FT_UINT16, BASE_DEC,
13354 NULL, 0, NULL, HFILL }
13357 { &hf_smb2_fsctl_odx_token_idraw,
13358 { "TokenId", "smb2.fsctl.odx.token.id", FT_BYTES, BASE_NONE,
13359 NULL, 0, "Token ID (opaque)", HFILL }
13362 { &hf_smb2_fsctl_odx_token_ttl,
13363 { "TokenTimeToLive", "smb2.fsctl.odx.token_ttl", FT_UINT32, BASE_DEC,
13364 NULL, 0, "TTL requested for the token (in milliseconds)", HFILL }
13367 { &hf_smb2_fsctl_odx_size,
13368 { "Size", "smb2.fsctl.odx.size", FT_UINT32, BASE_DEC,
13369 NULL, 0, "Size of this data element", HFILL }
13372 { &hf_smb2_fsctl_odx_flags,
13373 { "Flags", "smb2.fsctl.odx.flags", FT_UINT32, BASE_HEX,
13374 NULL, 0, "Flags for this operation", HFILL }
13377 { &hf_smb2_fsctl_odx_file_offset,
13378 { "FileOffset", "smb2.fsctl.odx.file_offset", FT_UINT64, BASE_DEC,
13379 NULL, 0, NULL, HFILL }
13382 { &hf_smb2_fsctl_odx_copy_length,
13383 { "CopyLength", "smb2.fsctl.odx.copy_length", FT_UINT64, BASE_DEC,
13384 NULL, 0, NULL, HFILL }
13387 { &hf_smb2_fsctl_odx_xfer_length,
13388 { "TransferLength", "smb2.fsctl.odx.xfer_length", FT_UINT64, BASE_DEC,
13389 NULL, 0, NULL, HFILL }
13392 { &hf_smb2_fsctl_odx_token_offset,
13393 { "TokenOffset", "smb2.fsctl.odx.token_offset", FT_UINT64, BASE_DEC,
13394 NULL, 0, "Token Offset (relative to start of token)", HFILL }
13397 { &hf_smb2_fsctl_sparse_flag,
13398 { "SetSparse", "smb2.fsctl.set_sparse", FT_BOOLEAN, 8,
13399 NULL, 0xFF, NULL, HFILL }
13402 { &hf_smb2_ioctl_resiliency_timeout,
13403 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
13404 NULL, 0, "Resiliency timeout", HFILL }
13407 { &hf_smb2_ioctl_resiliency_reserved,
13408 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
13409 NULL, 0, "Resiliency reserved", HFILL }
13412 { &hf_smb2_ioctl_shared_virtual_disk_support,
13413 { "SharedVirtualDiskSupport", "smb2.ioctl.shared_virtual_disk.support", FT_UINT32, BASE_HEX,
13414 VALS(smb2_ioctl_shared_virtual_disk_vals), 0, "Supported shared capabilities", HFILL }
13417 { &hf_smb2_ioctl_shared_virtual_disk_handle_state,
13418 { "SharedVirtualDiskHandleState", "smb2.ioctl.shared_virtual_disk.handle_state", FT_UINT32, BASE_HEX,
13419 VALS(smb2_ioctl_shared_virtual_disk_hstate_vals), 0, NULL, HFILL }
13422 { &hf_smb2_ioctl_sqos_protocol_version,
13423 { "ProtocolVersion", "smb2.ioctl.sqos.protocol_version", FT_UINT16, BASE_HEX,
13424 VALS(smb2_ioctl_sqos_protocol_version_vals), 0, NULL, HFILL }
13427 { &hf_smb2_ioctl_sqos_reserved,
13428 { "Reserved", "smb2.ioctl.sqos.reserved", FT_UINT16, BASE_DEC,
13429 NULL, 0, NULL, HFILL }
13432 { &hf_smb2_ioctl_sqos_options,
13433 { "Operations", "smb2.ioctl.sqos.operations", FT_UINT32, BASE_HEX,
13434 NULL, 0, "SQOS operations", HFILL }
13437 { &hf_smb2_ioctl_sqos_op_set_logical_flow_id,
13438 { "Set Logical Flow ID", "smb2.ioctl.sqos.operations.set_logical_flow_id", FT_BOOLEAN, 32,
13439 NULL, STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID, "Whether Set Logical Flow ID operation is performed", HFILL }
13442 { &hf_smb2_ioctl_sqos_op_set_policy,
13443 { "Set Policy", "smb2.ioctl.sqos.operations.set_policy", FT_BOOLEAN, 32,
13444 NULL, STORAGE_QOS_CONTROL_FLAG_SET_POLICY, "Whether Set Policy operation is performed", HFILL }
13447 { &hf_smb2_ioctl_sqos_op_probe_policy,
13448 { "Probe Policy", "smb2.ioctl.sqos.operations.probe_policy", FT_BOOLEAN, 32,
13449 NULL, STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY, "Whether Probe Policy operation is performed", HFILL }
13452 { &hf_smb2_ioctl_sqos_op_get_status,
13453 { "Get Status", "smb2.ioctl.sqos.operations.get_status", FT_BOOLEAN, 32,
13454 NULL, STORAGE_QOS_CONTROL_FLAG_GET_STATUS, "Whether Get Status operation is performed", HFILL }
13457 { &hf_smb2_ioctl_sqos_op_update_counters,
13458 { "Update Counters", "smb2.ioctl.sqos.operations.update_counters", FT_BOOLEAN, 32,
13459 NULL, STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS, "Whether Update Counters operation is performed", HFILL }
13462 { &hf_smb2_ioctl_sqos_logical_flow_id,
13463 { "LogicalFlowID", "smb2.ioctl.sqos.logical_flow_id", FT_GUID, BASE_NONE,
13464 NULL, 0, NULL, HFILL }
13467 { &hf_smb2_ioctl_sqos_policy_id,
13468 { "PolicyID", "smb2.ioctl.sqos.policy_id", FT_GUID, BASE_NONE,
13469 NULL, 0, NULL, HFILL }
13472 { &hf_smb2_ioctl_sqos_initiator_id,
13473 { "InitiatorID", "smb2.ioctl.sqos.initiator_id", FT_GUID, BASE_NONE,
13474 NULL, 0, NULL, HFILL }
13477 { &hf_smb2_ioctl_sqos_limit,
13478 { "Limit", "smb2.ioctl.sqos.limit", FT_UINT64, BASE_DEC,
13479 NULL, 0, "Desired maximum throughput for the logical flow, in normalized IOPS", HFILL }
13482 { &hf_smb2_ioctl_sqos_reservation,
13483 { "Reservation", "smb2.ioctl.sqos.reservation", FT_UINT64, BASE_DEC,
13484 NULL, 0, "Desired minimum throughput for the logical flow, in normalized 8KB IOPS", HFILL }
13487 { &hf_smb2_ioctl_sqos_initiator_name,
13488 { "InitiatorName", "smb2.ioctl.sqos.initiator_name", FT_STRING, BASE_NONE,
13489 NULL, 0x0, NULL, HFILL }
13492 { &hf_smb2_ioctl_sqos_initiator_node_name,
13493 { "InitiatorNodeName", "smb2.ioctl.sqos.initiator_node_name", FT_STRING, BASE_NONE,
13494 NULL, 0x0, NULL, HFILL }
13497 { &hf_smb2_ioctl_sqos_io_count_increment,
13498 { "IoCountIncrement", "smb2.ioctl.sqos.io_count_increment", FT_UINT64, BASE_DEC,
13499 NULL, 0, "The total number of I/O requests issued by the initiator on the logical flow", HFILL }
13502 { &hf_smb2_ioctl_sqos_normalized_io_count_increment,
13503 { "NormalizedIoCountIncrement", "smb2.ioctl.sqos.normalized_io_count_increment", FT_UINT64, BASE_DEC,
13504 NULL, 0, "The total number of normalized 8-KB I/O requests issued by the initiator on the logical flow", HFILL }
13507 { &hf_smb2_ioctl_sqos_latency_increment,
13508 { "LatencyIncrement", "smb2.ioctl.sqos.latency_increment", FT_UINT64, BASE_DEC,
13509 NULL, 0, "The total latency (including initiator's queues delays) measured by the initiator", HFILL }
13512 { &hf_smb2_ioctl_sqos_lower_latency_increment,
13513 { "LowerLatencyIncrement", "smb2.ioctl.sqos.lower_latency_increment", FT_UINT64, BASE_DEC,
13514 NULL, 0, "The total latency (excluding initiator's queues delays) measured by the initiator", HFILL }
13517 { &hf_smb2_ioctl_sqos_bandwidth_limit,
13518 { "BandwidthLimit", "smb2.ioctl.sqos.bandwidth_limit", FT_UINT64, BASE_DEC,
13519 NULL, 0, "Desired maximum bandwidth for the logical flow, in kilobytes per second", HFILL }
13522 { &hf_smb2_ioctl_sqos_kilobyte_count_increment,
13523 { "KilobyteCountIncrement", "smb2.ioctl.sqos.kilobyte_count_increment", FT_UINT64, BASE_DEC,
13524 NULL, 0, "The total data transfer length of all I/O requests, in kilobyte units, issued by the initiator on the logical flow", HFILL }
13527 { &hf_smb2_ioctl_sqos_time_to_live,
13528 { "TimeToLive", "smb2.ioctl.sqos.time_to_live", FT_UINT32, BASE_DEC,
13529 NULL, 0, "The expected period of validity of the Status, MaximumIoRate and MinimumIoRate fields, expressed in milliseconds", HFILL }
13532 { &hf_smb2_ioctl_sqos_status,
13533 { "Status", "smb2.ioctl.sqos.status", FT_UINT32, BASE_HEX,
13534 VALS(smb2_ioctl_sqos_status_vals), 0, "The current status of the logical flow", HFILL }
13537 { &hf_smb2_ioctl_sqos_maximum_io_rate,
13538 { "MaximumIoRate", "smb2.ioctl.sqos.maximum_io_rate", FT_UINT64, BASE_DEC,
13539 NULL, 0, "The maximum I/O initiation rate currently assigned to the logical flow, expressed in normalized input/output operations per second (normalized IOPS)", HFILL }
13542 { &hf_smb2_ioctl_sqos_minimum_io_rate,
13543 { "MinimumIoRate", "smb2.ioctl.sqos.minimum_io_rate", FT_UINT64, BASE_DEC,
13544 NULL, 0, "The minimum I/O completion rate currently assigned to the logical flow, expressed in normalized IOPS", HFILL }
13547 { &hf_smb2_ioctl_sqos_base_io_size,
13548 { "BaseIoSize", "smb2.ioctl.sqos.base_io_size", FT_UINT32, BASE_DEC,
13549 NULL, 0, "The base I/O size used to compute the normalized size of an I/O request for the logical flow", HFILL }
13552 { &hf_smb2_ioctl_sqos_reserved2,
13553 { "Reserved", "smb2.ioctl.sqos.reserved2", FT_UINT32, BASE_DEC,
13554 NULL, 0, NULL, HFILL }
13557 { &hf_smb2_ioctl_sqos_maximum_bandwidth,
13558 { "MaximumBandwidth", "smb2.ioctl.sqos.maximum_bandwidth", FT_UINT64, BASE_DEC,
13559 NULL, 0, "The maximum bandwidth currently assigned to the logical flow, expressed in kilobytes per second", HFILL }
13563 { &hf_windows_sockaddr_family,
13564 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
13565 NULL, 0, "The socket address family (on windows)", HFILL }
13568 { &hf_windows_sockaddr_port,
13569 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
13570 NULL, 0, "The socket address port", HFILL }
13573 { &hf_windows_sockaddr_in_addr,
13574 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
13575 NULL, 0, "The IPv4 address", HFILL }
13578 { &hf_windows_sockaddr_in6_flowinfo,
13579 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
13580 NULL, 0, "The socket IPv6 flow info", HFILL }
13583 { &hf_windows_sockaddr_in6_addr,
13584 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
13585 NULL, 0, "The IPv6 address", HFILL }
13588 { &hf_windows_sockaddr_in6_scope_id,
13589 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
13590 NULL, 0, "The socket IPv6 scope id", HFILL }
13593 { &hf_smb2_ioctl_network_interface_next_offset,
13594 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
13595 NULL, 0, "Offset to next entry in chain or 0", HFILL }
13598 { &hf_smb2_ioctl_network_interface_index,
13599 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
13600 NULL, 0, "The index of the interface", HFILL }
13603 { &hf_smb2_ioctl_network_interface_reserved,
13604 { "Reserved", "smb2.ioctl.network_interfaces.reserved", FT_UINT32, BASE_DEC,
13605 NULL, 0, "Was RSS Queue Count", HFILL }
13608 { &hf_smb2_ioctl_network_interface_capabilities,
13609 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
13610 NULL, 0, "The capabilities of the network interface", HFILL }
13613 { &hf_smb2_ioctl_network_interface_capability_rss,
13614 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
13615 TFS(&tfs_smb2_ioctl_network_interface_capability_rss), NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }
13618 { &hf_smb2_ioctl_network_interface_capability_rdma,
13619 { "RDMA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
13620 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma), NETWORK_INTERFACE_CAP_RDMA, "If the host supports RDMA", HFILL }
13623 { &hf_smb2_ioctl_network_interface_link_speed,
13624 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
13625 NULL, 0, "The link speed of the interface", HFILL }
13628 { &hf_smb2_ioctl_enumerate_snapshots_num_snapshots,
13629 { "Number of snapshots", "smb2.ioctl.enumerate_snapshots.num_snapshots", FT_UINT32, BASE_DEC,
13630 NULL, 0, "Number of previous versions associated with the volume", HFILL }
13633 { &hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned,
13634 { "Number of snapshots returned", "smb2.ioctl.enumerate_snapshots.num_snapshots_returned", FT_UINT32, BASE_DEC,
13635 NULL, 0, "Number of previous version time stamps returned", HFILL }
13638 { &hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size,
13639 { "Array size", "smb2.ioctl.enumerate_snapshots.array_size", FT_UINT32, BASE_DEC,
13640 NULL, 0, "Number of bytes for snapshot time stamp strings", HFILL }
13643 { &hf_smb2_ioctl_enumerate_snapshots_snapshot,
13644 { "Snapshot", "smb2.ioctl.enumerate_snapshots.snapshot", FT_STRINGZ, BASE_NONE,
13645 NULL, 0, "Time stamp of previous version", HFILL }
13648 { &hf_smb2_ioctl_get_ntfs_volume_data_volume_serial, {
13649 "VolumeSerialNumber",
13650 "smb2.ioctl.get_ntfs_volume_data.volume_serial_number",
13651 FT_UINT64, BASE_DEC,
13652 NULL, 0, "Volume Serial Number", HFILL },
13655 { &hf_smb2_ioctl_get_ntfs_volume_data_num_sectors, {
13656 "NumberSectors",
13657 "smb2.ioctl.get_ntfs_volume_data.num_sectors",
13658 FT_UINT64, BASE_DEC,
13659 NULL, 0, "Number Sectors", HFILL },
13662 { &hf_smb2_ioctl_get_ntfs_volume_data_total_clusters, {
13663 "TotalClusters",
13664 "smb2.ioctl.get_ntfs_volume_data.total_clusters",
13665 FT_UINT64, BASE_DEC,
13666 NULL, 0, "Total Clusters", HFILL },
13669 { &hf_smb2_ioctl_get_ntfs_volume_data_free_clusters, {
13670 "FreeClusters",
13671 "smb2.ioctl.get_ntfs_volume_data.free_clusters",
13672 FT_UINT64, BASE_DEC,
13673 NULL, 0, "Free Clusters", HFILL },
13676 { &hf_smb2_ioctl_get_ntfs_volume_data_total_reserved, {
13677 "TotalReserved",
13678 "smb2.ioctl.get_ntfs_volume_data.total_reserved",
13679 FT_UINT64, BASE_DEC,
13680 NULL, 0, "Total Reserved", HFILL },
13683 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector, {
13684 "BytesPerSector",
13685 "smb2.ioctl.get_ntfs_volume_data.bytes_per_sector",
13686 FT_UINT32, BASE_DEC,
13687 NULL, 0, "Bytes Per Sector", HFILL },
13690 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster, {
13691 "BytesPerCluster",
13692 "smb2.ioctl.get_ntfs_volume_data.bytes_per_cluster",
13693 FT_UINT32, BASE_DEC,
13694 NULL, 0, "Bytes Per Cluster", HFILL },
13697 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment, {
13698 "BytesPerFileRecordSegment",
13699 "smb2.ioctl.get_ntfs_volume_data.bytes_per_file_record_segment",
13700 FT_UINT32, BASE_DEC,
13701 NULL, 0, "Bytes Per File Record Segment", HFILL },
13704 { &hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment, {
13705 "ClustersPerFileRecordSegment",
13706 "smb2.ioctl.get_ntfs_volume_data.clusters_per_file_record_segment",
13707 FT_UINT32, BASE_DEC,
13708 NULL, 0, "Clusters Per File Record Segment", HFILL },
13711 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length, {
13712 "MftValidDataLength",
13713 "smb2.ioctl.get_ntfs_volume_data.mft_valid_data_length",
13714 FT_UINT64, BASE_DEC,
13715 NULL, 0, "Mft Valid Data Length", HFILL },
13718 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn, {
13719 "MftStartLcn",
13720 "smb2.ioctl.get_ntfs_volume_data.mft_start_lcn",
13721 FT_UINT64, BASE_DEC,
13722 NULL, 0, "Mft Start Lcn", HFILL },
13725 { &hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn, {
13726 "Mft2StartLcn",
13727 "smb2.ioctl.get_ntfs_volume_data.mft2_start_lcn",
13728 FT_UINT64, BASE_DEC,
13729 NULL, 0, "Mft2 Start Lcn", HFILL },
13732 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start, {
13733 "MftZoneStart",
13734 "smb2.ioctl.get_ntfs_volume_data.mft_zone_start",
13735 FT_UINT64, BASE_DEC,
13736 NULL, 0, "Mft Zone Start", HFILL },
13739 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end, {
13740 "MftZoneEnd",
13741 "smb2.ioctl.get_ntfs_volume_data.mft_zone_end",
13742 FT_UINT64, BASE_DEC,
13743 NULL, 0, "Mft Zone End", HFILL },
13746 { &hf_smb2_tree_connect_flags,
13747 { "Flags", "smb2.tc.flags", FT_UINT16, BASE_HEX,
13748 NULL, 0, "Tree Connect flags", HFILL }
13751 { &hf_smb2_tc_cluster_reconnect,
13752 { "Cluster Reconnect", "smb2.tc.cluster_reconnect", FT_BOOLEAN, 16,
13753 TFS(&tfs_set_notset), 0x0001, "If this is a Cluster Reconnect", HFILL }
13756 { &hf_smb2_tc_redirect_to_owner,
13757 { "Redirect To Owner", "smb2.tc.redirect_to_owner", FT_BOOLEAN, 16,
13758 TFS(&tfs_set_notset), 0x0002, "Set if the client can handle Share Redirects", HFILL }
13761 { &hf_smb2_tc_extension_present,
13762 { "Extension Present", "smb2.tc.extension_present", FT_BOOLEAN, 16,
13763 TFS(&tfs_set_notset), 0x0004, "Set if an extension structure is present", HFILL }
13766 { &hf_smb2_tc_reserved,
13767 { "Reserved", "smb2.tc.reserved", FT_UINT16, BASE_HEX,
13768 NULL, 0xFFF8, "Must be zero", HFILL }
13771 { &hf_smb2_compression_format,
13772 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
13773 VALS(compression_format_vals), 0, NULL, HFILL }
13776 { &hf_smb2_checksum_algorithm,
13777 { "Checksum Algorithm", "smb2.checksum_algorithm", FT_UINT16, BASE_HEX,
13778 VALS(checksum_algorithm_vals), 0, NULL, HFILL }
13781 { &hf_smb2_integrity_reserved,
13782 { "Reserved", "smb2.integrity_reserved", FT_UINT16, BASE_DEC,
13783 NULL, 0, NULL, HFILL }
13786 { &hf_smb2_integrity_flags,
13787 { "Flags", "smb2.integrity_flags", FT_UINT32, BASE_HEX,
13788 NULL, 0, NULL, HFILL }
13791 { &hf_smb2_integrity_flags_enforcement_off,
13792 { "FSCTL_INTEGRITY_FLAG_CHECKSUM_ENFORCEMENT_OFF", "smb2.integrity_flags_enforcement", FT_BOOLEAN, 32,
13793 NULL, 0x1, "If checksum error enforcement is off", HFILL }
13796 { &hf_smb2_share_type,
13797 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
13798 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }
13801 { &hf_smb2_credit_charge,
13802 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
13803 NULL, 0, NULL, HFILL }
13806 { &hf_smb2_credits_requested,
13807 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
13808 NULL, 0, NULL, HFILL }
13811 { &hf_smb2_credits_granted,
13812 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
13813 NULL, 0, NULL, HFILL }
13816 { &hf_smb2_channel_sequence,
13817 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
13818 NULL, 0, NULL, HFILL }
13821 { &hf_smb2_dialect_count,
13822 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
13823 NULL, 0, NULL, HFILL }
13826 { &hf_smb2_dialect,
13827 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
13828 VALS(smb2_dialect_vals), 0, NULL, HFILL }
13831 { &hf_smb2_security_mode,
13832 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
13833 NULL, 0, NULL, HFILL }
13836 { &hf_smb2_session_flags,
13837 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
13838 NULL, 0, NULL, HFILL }
13841 { &hf_smb2_lock_count,
13842 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
13843 NULL, 0, NULL, HFILL }
13846 { &hf_smb2_lock_sequence_number,
13847 { "Lock Sequence Number", "smb2.lock_sequence_number", FT_UINT32, BASE_DEC,
13848 NULL, 0x0000000F, NULL, HFILL }
13851 { &hf_smb2_lock_sequence_index,
13852 { "Lock Sequence Index", "smb2.lock_sequence_index", FT_UINT32, BASE_DEC,
13853 NULL, 0xFFFFFFF0, NULL, HFILL }
13856 { &hf_smb2_capabilities,
13857 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
13858 NULL, 0, NULL, HFILL }
13861 { &hf_smb2_auth_frame,
13862 { "Authenticated in Frame", "smb2.auth_frame", FT_FRAMENUM, BASE_NONE,
13863 NULL, 0, "Which frame this user was authenticated in", HFILL }
13866 { &hf_smb2_tcon_frame,
13867 { "Connected in Frame", "smb2.tcon_frame", FT_FRAMENUM, BASE_NONE,
13868 NULL, 0, "Which frame this share was connected in", HFILL }
13871 { &hf_smb2_tdcon_frame,
13872 { "Disconnected in Frame", "smb2.tdcon_frame", FT_FRAMENUM, BASE_NONE,
13873 NULL, 0, "Which frame this share was disconnected in", HFILL }
13876 { &hf_smb2_tag,
13877 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
13878 NULL, 0, "Tag of chain entry", HFILL }
13881 { &hf_smb2_acct_name,
13882 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
13883 NULL, 0, "Account Name", HFILL }
13886 { &hf_smb2_domain_name,
13887 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
13888 NULL, 0, "Domain Name", HFILL }
13891 { &hf_smb2_host_name,
13892 { "Host", "smb2.host", FT_STRING, BASE_NONE,
13893 NULL, 0, "Host Name", HFILL }
13896 { &hf_smb2_signature,
13897 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
13898 NULL, 0, NULL, HFILL }
13901 { &hf_smb2_unknown,
13902 { "Unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
13903 NULL, 0, NULL, HFILL }
13906 { &hf_smb2_twrp_timestamp,
13907 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
13908 NULL, 0, "TWrp timestamp", HFILL }
13911 { &hf_smb2_mxac_timestamp,
13912 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
13913 NULL, 0, "MxAc timestamp", HFILL }
13916 { &hf_smb2_mxac_status,
13917 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
13918 &NT_errors_ext, 0, "NT Status code", HFILL }
13921 { &hf_smb2_qfid_fid,
13922 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
13923 NULL, 0, NULL, HFILL }
13926 { &hf_smb2_ses_flags_guest,
13927 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
13928 NULL, SES_FLAGS_GUEST, NULL, HFILL }
13931 { &hf_smb2_ses_flags_null,
13932 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
13933 NULL, SES_FLAGS_NULL, NULL, HFILL }
13936 { &hf_smb2_ses_flags_encrypt,
13937 { "Encrypt", "smb2.ses_flags.encrypt", FT_BOOLEAN, 16,
13938 NULL, SES_FLAGS_ENCRYPT, NULL, HFILL }},
13940 { &hf_smb2_secmode_flags_sign_required,
13941 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
13942 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }
13945 { &hf_smb2_secmode_flags_sign_enabled,
13946 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
13947 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }
13950 { &hf_smb2_ses_req_flags,
13951 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
13952 NULL, 0, NULL, HFILL }
13955 { &hf_smb2_ses_req_flags_session_binding,
13956 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
13957 NULL, SES_REQ_FLAGS_SESSION_BINDING, "The client wants to bind to an existing session", HFILL }
13960 { &hf_smb2_cap_dfs,
13961 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
13962 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }
13965 { &hf_smb2_cap_leasing,
13966 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
13967 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING, "If the host supports leasing", HFILL }
13970 { &hf_smb2_cap_large_mtu,
13971 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
13972 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU, "If the host supports LARGE MTU", HFILL }
13975 { &hf_smb2_cap_multi_channel,
13976 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
13977 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL, "If the host supports MULTI CHANNEL", HFILL }
13980 { &hf_smb2_cap_persistent_handles,
13981 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
13982 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES, "If the host supports PERSISTENT HANDLES", HFILL }
13985 { &hf_smb2_cap_directory_leasing,
13986 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
13987 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING, "If the host supports DIRECTORY LEASING", HFILL }
13990 { &hf_smb2_cap_encryption,
13991 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
13992 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION, "If the host supports ENCRYPTION", HFILL }
13995 { &hf_smb2_cap_notifications,
13996 { "NOTIFICATIONS", "smb2.capabilities.notifications", FT_BOOLEAN, 32,
13997 TFS(&tfs_cap_notifications), NEGPROT_CAP_NOTIFICATIONS, "If the host supports receiving notifications from server", HFILL }
14000 { &hf_smb2_max_trans_size,
14001 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
14002 NULL, 0, NULL, HFILL }
14005 { &hf_smb2_max_read_size,
14006 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
14007 NULL, 0, NULL, HFILL }
14010 { &hf_smb2_max_write_size,
14011 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
14012 NULL, 0, NULL, HFILL }
14015 { &hf_smb2_channel,
14016 { "Channel", "smb2.channel", FT_UINT32, BASE_HEX,
14017 VALS(smb2_channel_vals), 0, NULL, HFILL }
14020 { &hf_smb2_rdma_v1_offset,
14021 { "Offset", "smb2.buffer_descriptor.offset", FT_UINT64, BASE_DEC,
14022 NULL, 0, NULL, HFILL }
14025 { &hf_smb2_rdma_v1_token,
14026 { "Token", "smb2.buffer_descriptor.token", FT_UINT32, BASE_HEX,
14027 NULL, 0, NULL, HFILL }
14030 { &hf_smb2_rdma_v1_length,
14031 { "Length", "smb2.buffer_descriptor.length", FT_UINT32, BASE_DEC,
14032 NULL, 0, NULL, HFILL }
14035 { &hf_smb2_share_flags,
14036 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
14037 NULL, 0, NULL, HFILL }
14040 { &hf_smb2_share_flags_dfs,
14041 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
14042 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
14045 { &hf_smb2_share_flags_dfs_root,
14046 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
14047 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
14050 { &hf_smb2_share_flags_restrict_exclusive_opens,
14051 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
14052 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }
14055 { &hf_smb2_share_flags_force_shared_delete,
14056 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
14057 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }
14060 { &hf_smb2_share_flags_allow_namespace_caching,
14061 { "Allow namespace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
14062 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }
14065 { &hf_smb2_share_flags_access_based_dir_enum,
14066 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
14067 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }
14070 { &hf_smb2_share_flags_force_levelii_oplock,
14071 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
14072 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }
14075 { &hf_smb2_share_flags_enable_hash_v1,
14076 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
14077 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
14080 { &hf_smb2_share_flags_enable_hash_v2,
14081 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
14082 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
14085 { &hf_smb2_share_flags_encrypt_data,
14086 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
14087 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }
14090 { &hf_smb2_share_flags_identity_remoting,
14091 { "Identity Remoting", "smb2.share_flags.identity_remoting", FT_BOOLEAN, 32,
14092 NULL, SHARE_FLAGS_identity_remoting, "The specified share supports Identity Remoting", HFILL }
14095 { &hf_smb2_share_flags_compress_data,
14096 { "Compressed IO", "smb2.share_flags.compress_data", FT_BOOLEAN, 32,
14097 NULL, SHARE_FLAGS_compress_data, "The share supports compression of read/write messages", HFILL }
14100 { &hf_smb2_share_flags_isolated_transport,
14101 { "Isolated Transport", "smb2.share_flags.isolated_transport", FT_BOOLEAN, 32,
14102 NULL, SHARE_FLAGS_isolated_transport, "The server indicates that administrator set share property telling client that it is preferable to isolate communication to that share on a separate set of connections.", HFILL }
14105 { &hf_smb2_share_caching,
14106 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
14107 VALS(share_cache_vals), 0, NULL, HFILL }
14110 { &hf_smb2_share_caps,
14111 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
14112 NULL, 0, NULL, HFILL }
14115 { &hf_smb2_share_caps_dfs,
14116 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
14117 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }
14120 { &hf_smb2_share_caps_continuous_availability,
14121 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
14122 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY, "The specified share is continuously available", HFILL }
14125 { &hf_smb2_share_caps_scaleout,
14126 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
14127 NULL, SHARE_CAPS_SCALEOUT, "The specified share is a scaleout share", HFILL }
14130 { &hf_smb2_share_caps_cluster,
14131 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
14132 NULL, SHARE_CAPS_CLUSTER, "The specified share is a cluster share", HFILL }
14135 { &hf_smb2_share_caps_asymmetric,
14136 { "ASYMMETRIC", "smb2.share_caps.asymmetric", FT_BOOLEAN, 32,
14137 NULL, SHARE_CAPS_ASYMMETRIC, "The specified share allows dynamic changes in ownership of the share", HFILL }
14140 { &hf_smb2_share_caps_redirect_to_owner,
14141 { "REDIRECT_TO_OWNER", "smb2.share_caps.redirect_to_owner", FT_BOOLEAN, 32,
14142 NULL, SHARE_CAPS_REDIRECT_TO_OWNER, "The specified share supports synchronous share level redirection", HFILL }
14145 { &hf_smb2_ioctl_flags,
14146 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
14147 NULL, 0, NULL, HFILL }
14150 { &hf_smb2_min_count,
14151 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
14152 NULL, 0, NULL, HFILL }
14155 { &hf_smb2_remaining_bytes,
14156 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC,
14157 NULL, 0, NULL, HFILL }
14160 { &hf_smb2_channel_info_offset,
14161 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
14162 NULL, 0, NULL, HFILL }
14165 { &hf_smb2_channel_info_length,
14166 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
14167 NULL, 0, NULL, HFILL }
14170 { &hf_smb2_channel_info_blob,
14171 { "Channel Info Blob", "smb2.channel_info_blob", FT_NONE, BASE_NONE,
14172 NULL, 0, NULL, HFILL }
14175 { &hf_smb2_ioctl_is_fsctl,
14176 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
14177 NULL, 0x00000001, NULL, HFILL }
14180 { &hf_smb2_output_buffer_len,
14181 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT32, BASE_DEC,
14182 NULL, 0, NULL, HFILL }
14185 { &hf_smb2_close_pq_attrib,
14186 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
14187 NULL, 0x0001, NULL, HFILL }
14190 { &hf_smb2_notify_watch_tree,
14191 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
14192 NULL, 0x0001, NULL, HFILL }
14195 { &hf_smb2_notify_out_data,
14196 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
14197 NULL, 0, NULL, HFILL }
14200 { &hf_smb2_notify_info,
14201 { "Notify Info", "smb2.notify.info", FT_NONE, BASE_NONE,
14202 NULL, 0, NULL, HFILL }
14205 { &hf_smb2_notify_next_offset,
14206 { "Next Offset", "smb2.notify.next_offset", FT_UINT32, BASE_HEX,
14207 NULL, 0, "Offset to next entry in chain or 0", HFILL }
14210 { &hf_smb2_notify_action,
14211 { "Action", "smb2.notify.action", FT_UINT32, BASE_HEX,
14212 VALS(notify_action_vals), 0, "Notify Action", HFILL }
14216 { &hf_smb2_find_flags_restart_scans,
14217 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
14218 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }
14221 { &hf_smb2_find_flags_single_entry,
14222 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
14223 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }
14226 { &hf_smb2_find_flags_index_specified,
14227 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
14228 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }
14231 { &hf_smb2_find_flags_reopen,
14232 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
14233 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }
14236 { &hf_smb2_file_index,
14237 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
14238 NULL, 0, NULL, HFILL }
14241 { &hf_smb2_file_directory_info,
14242 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
14243 NULL, 0, NULL, HFILL }
14246 { &hf_smb2_full_directory_info,
14247 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
14248 NULL, 0, NULL, HFILL }
14251 { &hf_smb2_both_directory_info,
14252 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
14253 NULL, 0, NULL, HFILL }
14256 { &hf_smb2_id_both_directory_info,
14257 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
14258 NULL, 0, NULL, HFILL }
14261 { &hf_smb2_posix_info,
14262 { "FilePosixInfo", "smb2.find.posix_info", FT_NONE, BASE_NONE,
14263 NULL, 0, NULL, HFILL }
14266 { &hf_smb2_short_name_len,
14267 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
14268 NULL, 0, NULL, HFILL }
14271 { &hf_smb2_short_name,
14272 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
14273 NULL, 0, NULL, HFILL }
14276 { &hf_smb2_lock_info,
14277 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
14278 NULL, 0, NULL, HFILL }
14281 { &hf_smb2_lock_length,
14282 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
14283 NULL, 0, NULL, HFILL }
14286 { &hf_smb2_lock_flags,
14287 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
14288 NULL, 0, NULL, HFILL }
14291 { &hf_smb2_lock_flags_shared,
14292 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
14293 NULL, 0x00000001, NULL, HFILL }
14296 { &hf_smb2_lock_flags_exclusive,
14297 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
14298 NULL, 0x00000002, NULL, HFILL }
14301 { &hf_smb2_lock_flags_unlock,
14302 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
14303 NULL, 0x00000004, NULL, HFILL }
14306 { &hf_smb2_lock_flags_fail_immediately,
14307 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
14308 NULL, 0x00000010, NULL, HFILL }
14311 { &hf_smb2_error_context_count,
14312 { "Error Context Count", "smb2.error.context_count", FT_UINT8, BASE_DEC,
14313 NULL, 0, NULL, HFILL }
14316 { &hf_smb2_error_reserved,
14317 { "Reserved", "smb2.error.reserved", FT_UINT8, BASE_HEX,
14318 NULL, 0, NULL, HFILL }
14321 { &hf_smb2_error_byte_count,
14322 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
14323 NULL, 0, NULL, HFILL }
14326 { &hf_smb2_error_data,
14327 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
14328 NULL, 0, NULL, HFILL }
14331 { &hf_smb2_error_context,
14332 { "Error Context", "smb2.error.context", FT_BYTES, BASE_NONE,
14333 NULL, 0, NULL, HFILL }
14336 { &hf_smb2_error_context_id,
14337 { "Type", "smb2.error.context.id", FT_UINT32, BASE_HEX,
14338 VALS(smb2_error_id_vals), 0, NULL, HFILL }
14341 { &hf_smb2_error_context_length,
14342 { "Type", "smb2.error.context.length", FT_UINT32, BASE_DEC,
14343 NULL, 0, NULL, HFILL }
14346 { &hf_smb2_error_min_buf_length,
14347 { "Minimum required buffer length", "smb2.error.min_buf_length", FT_UINT32, BASE_DEC,
14348 NULL, 0, NULL, HFILL }
14351 { &hf_smb2_error_redir_context,
14352 { "Share Redirect", "smb2.error.share_redirect", FT_NONE, BASE_NONE,
14353 NULL, 0, NULL, HFILL }
14356 { &hf_smb2_error_redir_struct_size,
14357 { "Struct Size", "smb2.error.share_redirect.struct_size", FT_UINT32, BASE_DEC,
14358 NULL, 0, NULL, HFILL }
14361 { &hf_smb2_error_redir_notif_type,
14362 { "Notification Type", "smb2.error.share_redirect.notif_type", FT_UINT32, BASE_DEC,
14363 NULL, 0, NULL, HFILL }
14366 { &hf_smb2_error_redir_flags,
14367 { "Flags", "smb2.error.share_redirect.flags", FT_UINT16, BASE_HEX,
14368 NULL, 0, NULL, HFILL }
14371 { &hf_smb2_error_redir_target_type,
14372 { "Target Type", "smb2.error.share_redirect.target_type", FT_UINT16, BASE_HEX,
14373 NULL, 0, NULL, HFILL }
14376 { &hf_smb2_error_redir_ip_count,
14377 { "IP Addr Count", "smb2.error.share_redirect.ip_count", FT_UINT32, BASE_DEC,
14378 NULL, 0, NULL, HFILL }
14381 { &hf_smb2_error_redir_ip_list,
14382 { "IP Addr List", "smb2.error.share_redirect.ip_list", FT_NONE, BASE_NONE,
14383 NULL, 0, NULL, HFILL }
14386 { &hf_smb2_error_redir_res_name,
14387 { "Resource Name", "smb2.error.share_redirect.res_name", FT_STRING, BASE_NONE,
14388 NULL, 0, NULL, HFILL }
14391 { &hf_smb2_reserved,
14392 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
14393 NULL, 0, NULL, HFILL }
14396 { &hf_smb2_reserved_random,
14397 { "Reserved (Random)", "smb2.reserved.random", FT_BYTES, BASE_NONE,
14398 NULL, 0, "Reserved bytes, random data", HFILL }
14401 { &hf_smb2_root_directory_mbz,
14402 { "Root Dir Handle (MBZ)", "smb2.root_directory", FT_BYTES, BASE_NONE,
14403 NULL, 0, NULL, HFILL }
14406 { &hf_smb2_dhnq_buffer_reserved,
14407 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
14408 NULL, 0, NULL, HFILL }
14411 { &hf_smb2_dh2x_buffer_timeout,
14412 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
14413 NULL, 0, NULL, HFILL }
14416 { &hf_smb2_dh2x_buffer_flags,
14417 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
14418 NULL, 0, NULL, HFILL }
14421 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
14422 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
14423 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL }
14426 { &hf_smb2_dh2x_buffer_reserved,
14427 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
14428 NULL, 0, NULL, HFILL }
14431 { &hf_smb2_dh2x_buffer_create_guid,
14432 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
14433 NULL, 0, NULL, HFILL }
14436 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
14437 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
14438 NULL, 0, NULL, HFILL }
14441 { &hf_smb2_APP_INSTANCE_buffer_reserved,
14442 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
14443 NULL, 0, NULL, HFILL }
14446 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
14447 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
14448 NULL, 0, NULL, HFILL }
14451 { &hf_smb2_svhdx_open_device_context_version,
14452 { "Version", "smb2.svhdx_open_device_context.version", FT_UINT32, BASE_DEC,
14453 NULL, 0, NULL, HFILL }
14456 { &hf_smb2_svhdx_open_device_context_has_initiator_id,
14457 { "HasInitiatorId", "smb2.svhdx_open_device_context.initiator_has_id", FT_BOOLEAN, BASE_NONE,
14458 TFS(&tfs_smb2_svhdx_has_initiator_id), 0, "Whether the host has an initiator", HFILL }
14461 { &hf_smb2_svhdx_open_device_context_reserved,
14462 { "Reserved", "smb2.svhdx_open_device_context.reserved", FT_BYTES, BASE_NONE,
14463 NULL, 0, NULL, HFILL }
14466 { &hf_smb2_svhdx_open_device_context_initiator_id,
14467 { "InitiatorId", "smb2.svhdx_open_device_context.initiator_id", FT_GUID, BASE_NONE,
14468 NULL, 0, NULL, HFILL }
14471 { &hf_smb2_svhdx_open_device_context_flags,
14472 { "Flags", "smb2.svhdx_open_device_context.flags", FT_UINT32, BASE_HEX,
14473 NULL, 0, NULL, HFILL }
14476 { &hf_smb2_svhdx_open_device_context_originator_flags,
14477 { "OriginatorFlags", "smb2.svhdx_open_device_context.originator_flags", FT_UINT32, BASE_HEX,
14478 VALS(originator_flags_vals), 0, NULL, HFILL }
14481 { &hf_smb2_svhdx_open_device_context_open_request_id,
14482 { "OpenRequestId","smb2.svhxd_open_device_context.open_request_id", FT_UINT64, BASE_HEX,
14483 NULL, 0, NULL, HFILL }
14486 { &hf_smb2_svhdx_open_device_context_initiator_host_name_len,
14487 { "HostNameLength", "smb2.svhxd_open_device_context.initiator_host_name_len", FT_UINT16, BASE_DEC,
14488 NULL, 0, NULL, HFILL }
14491 { &hf_smb2_svhdx_open_device_context_initiator_host_name,
14492 { "HostName", "smb2.svhdx_open_device_context.host_name", FT_STRING, BASE_NONE,
14493 NULL, 0, NULL, HFILL }
14496 { &hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized,
14497 { "VirtualDiskPropertiesInitialized", "smb2.svhdx_open_device_context.virtual_disk_properties_initialized", FT_BOOLEAN, BASE_NONE,
14498 NULL, 0, "Whether VirtualSectorSize, PhysicalSectorSize, and VirtualSize fields are filled", HFILL }
14501 { &hf_smb2_svhdx_open_device_context_server_service_version,
14502 { "ServerServiceVersion", "smb2.svhdx_open_device_context.server_service_version", FT_UINT32, BASE_DEC,
14503 NULL, 0, "The current version of the protocol running on the server", HFILL }
14506 { &hf_smb2_svhdx_open_device_context_virtual_sector_size,
14507 { "VirtualSectorSize", "smb2.svhdx_open_device_context.virtual_sector_size", FT_UINT32, BASE_DEC,
14508 NULL, 0, "The virtual sector size of the virtual disk", HFILL }
14511 { &hf_smb2_svhdx_open_device_context_physical_sector_size,
14512 { "PhysicalSectorSize", "smb2.svhdx_open_device_context.physical_sector_size", FT_UINT32, BASE_DEC,
14513 NULL, 0, "The physical sector size of the virtual disk", HFILL }
14516 { &hf_smb2_svhdx_open_device_context_virtual_size,
14517 { "VirtualSize", "smb2.svhdx_open_device_context.virtual_size", FT_UINT64, BASE_DEC,
14518 NULL, 0, "The current length of the virtual disk, in bytes", HFILL }
14521 { &hf_smb2_app_instance_version_struct_size,
14522 { "Struct Size", "smb2.app_instance_version.struct_size", FT_UINT16, BASE_DEC,
14523 NULL, 0, NULL, HFILL }
14526 { &hf_smb2_app_instance_version_reserved,
14527 { "Reserved", "smb2.app_instance_version.reserved", FT_UINT16, BASE_DEC,
14528 NULL, 0, NULL, HFILL }
14531 { &hf_smb2_app_instance_version_padding,
14532 { "Padding", "smb2.app_instance_version.padding", FT_UINT32, BASE_HEX,
14533 NULL, 0, NULL, HFILL }
14536 { &hf_smb2_app_instance_version_high,
14537 { "AppInstanceVersionHigh", "smb2.app_instance_version.version.high", FT_UINT64, BASE_DEC,
14538 NULL, 0, NULL, HFILL }
14541 { &hf_smb2_app_instance_version_low,
14542 { "AppInstanceVersionLow", "smb2.app_instance_version.version.low", FT_UINT64, BASE_DEC,
14543 NULL, 0, NULL, HFILL }
14546 { &hf_smb2_posix_perms,
14547 { "POSIX perms", "smb2.posix_perms", FT_UINT32, BASE_OCT,
14548 NULL, 0, NULL, HFILL }
14551 { &hf_smb2_aapl_command_code,
14552 { "Command code", "smb2.aapl.command_code", FT_UINT32, BASE_DEC,
14553 VALS(aapl_command_code_vals), 0, NULL, HFILL }
14556 { &hf_smb2_aapl_reserved,
14557 { "Reserved", "smb2.aapl.reserved", FT_UINT32, BASE_HEX,
14558 NULL, 0, NULL, HFILL }
14561 { &hf_smb2_aapl_server_query_bitmask,
14562 { "Query bitmask", "smb2.aapl.query_bitmask", FT_UINT64, BASE_HEX,
14563 NULL, 0, NULL, HFILL }
14566 { &hf_smb2_aapl_server_query_bitmask_server_caps,
14567 { "Server capabilities", "smb2.aapl.bitmask.server_caps", FT_BOOLEAN, 64,
14568 NULL, SMB2_AAPL_SERVER_CAPS, NULL, HFILL }
14571 { &hf_smb2_aapl_server_query_bitmask_volume_caps,
14572 { "Volume capabilities", "smb2.aapl.bitmask.volume_caps", FT_BOOLEAN, 64,
14573 NULL, SMB2_AAPL_VOLUME_CAPS, NULL, HFILL }
14576 { &hf_smb2_aapl_server_query_bitmask_model_info,
14577 { "Model information", "smb2.aapl.bitmask.model_info", FT_BOOLEAN, 64,
14578 NULL, SMB2_AAPL_MODEL_INFO, NULL, HFILL }
14581 { &hf_smb2_aapl_server_query_caps,
14582 { "Client/Server capabilities", "smb2.aapl.caps", FT_UINT64, BASE_HEX,
14583 NULL, 0, NULL, HFILL }
14586 { &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
14587 { "Supports READDIRATTR", "smb2.aapl.caps.supports_read_dir_addr", FT_BOOLEAN, 64,
14588 NULL, SMB2_AAPL_SUPPORTS_READ_DIR_ATTR, NULL, HFILL }
14591 { &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
14592 { "Supports macOS copyfile", "smb2.aapl.caps.supports_osx_copyfile", FT_BOOLEAN, 64,
14593 NULL, SMB2_AAPL_SUPPORTS_OSX_COPYFILE, NULL, HFILL }
14596 { &hf_smb2_aapl_server_query_caps_unix_based,
14597 { "UNIX-based", "smb2.aapl.caps.unix_based", FT_BOOLEAN, 64,
14598 NULL, SMB2_AAPL_UNIX_BASED, NULL, HFILL }
14601 { &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
14602 { "Supports NFS ACE", "smb2.aapl.supports_nfs_ace", FT_BOOLEAN, 64,
14603 NULL, SMB2_AAPL_SUPPORTS_NFS_ACE, NULL, HFILL }
14606 { &hf_smb2_aapl_server_query_volume_caps,
14607 { "Volume capabilities", "smb2.aapl.volume_caps", FT_UINT64, BASE_HEX,
14608 NULL, 0, NULL, HFILL }
14611 { &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
14612 { "Supports Resolve ID", "smb2.aapl.volume_caps.supports_resolve_id", FT_BOOLEAN, 64,
14613 NULL, SMB2_AAPL_SUPPORTS_RESOLVE_ID, NULL, HFILL }
14616 { &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
14617 { "Case sensitive", "smb2.aapl.volume_caps.case_sensitive", FT_BOOLEAN, 64,
14618 NULL, SMB2_AAPL_CASE_SENSITIVE, NULL, HFILL }
14621 { &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
14622 { "Supports full sync", "smb2.aapl.volume_caps.supports_full_sync", FT_BOOLEAN, 64,
14623 NULL, SMB2_AAPL_SUPPORTS_FULL_SYNC, NULL, HFILL }
14626 { &hf_smb2_aapl_server_query_model_string,
14627 { "Model string", "smb2.aapl.model_string", FT_UINT_STRING, BASE_NONE,
14628 NULL, 0, NULL, HFILL }
14631 { &hf_smb2_aapl_server_query_server_path,
14632 { "Server path", "smb2.aapl.server_path", FT_UINT_STRING, BASE_NONE,
14633 NULL, 0, NULL, HFILL }
14636 { &hf_smb2_transform_signature,
14637 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
14638 NULL, 0, NULL, HFILL }
14641 { &hf_smb2_transform_nonce,
14642 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
14643 NULL, 0, NULL, HFILL }
14646 { &hf_smb2_transform_msg_size,
14647 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
14648 NULL, 0, NULL, HFILL }
14651 { &hf_smb2_transform_reserved,
14652 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
14653 NULL, 0, NULL, HFILL }
14656 /* SMB2 transform header flags */
14657 { &hf_smb2_transform_flags,
14658 { "Flags", "smb2.header.transform.flags", FT_UINT16, BASE_HEX,
14659 NULL, 0, "SMB2 transform flags", HFILL }
14662 { &hf_smb2_transform_flags_encrypted,
14663 { "Encrypted", "smb2.header.transform.flags.encrypted", FT_BOOLEAN, 16,
14664 NULL, SMB2_TRANSFORM_FLAGS_ENCRYPTED,
14665 "Whether the payload is encrypted", HFILL }
14668 { &hf_smb2_transform_encrypted_data,
14669 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
14670 NULL, 0, NULL, HFILL }
14673 { &hf_smb2_comp_transform_orig_size,
14674 { "OriginalSize", "smb2.header.comp_transform.original_size", FT_UINT32, BASE_DEC,
14675 NULL, 0, NULL, HFILL }
14678 { &hf_smb2_comp_transform_comp_alg,
14679 { "CompressionAlgorithm", "smb2.header.comp_transform.comp_alg", FT_UINT16, BASE_HEX,
14680 VALS(smb2_comp_alg_types), 0, NULL, HFILL }
14683 { &hf_smb2_comp_transform_flags,
14684 { "Flags", "smb2.header.comp_transform.flags", FT_UINT16, BASE_HEX,
14685 VALS(smb2_comp_transform_flags_vals), 0, NULL, HFILL }
14688 { &hf_smb2_comp_transform_offset,
14689 { "Offset", "smb2.header.comp_transform.offset", FT_UINT32, BASE_HEX,
14690 NULL, 0, NULL, HFILL }
14693 { &hf_smb2_comp_transform_length,
14694 { "Length", "smb2.header.comp_transform.length", FT_UINT32, BASE_HEX,
14695 NULL, 0, NULL, HFILL }
14698 { &hf_smb2_comp_transform_data,
14699 { "CompressedData", "smb2.header.comp_transform.data", FT_BYTES, BASE_NONE,
14700 NULL, 0, NULL, HFILL }
14703 { &hf_smb2_comp_transform_orig_payload_size,
14704 { "OriginalPayloadSize", "smb2.header.comp_transform.orig_payload_size", FT_UINT32, BASE_DEC,
14705 NULL, 0, NULL, HFILL }
14708 { &hf_smb2_comp_pattern_v1_pattern,
14709 { "Pattern", "smb2.pattern_v1.pattern", FT_UINT8, BASE_HEX,
14710 NULL, 0, NULL, HFILL }
14713 { &hf_smb2_comp_pattern_v1_reserved1,
14714 { "Reserved1", "smb2.pattern_v1.reserved1", FT_UINT8, BASE_HEX,
14715 NULL, 0, NULL, HFILL }
14718 { &hf_smb2_comp_pattern_v1_reserved2,
14719 { "Reserved2", "smb2.pattern_v1.reserved2", FT_UINT16, BASE_HEX,
14720 NULL, 0, NULL, HFILL }
14723 { &hf_smb2_comp_pattern_v1_repetitions,
14724 { "Repetitions", "smb2.pattern_v1.repetitions", FT_UINT32, BASE_DEC,
14725 NULL, 0, NULL, HFILL }
14728 { &hf_smb2_protocol_id,
14729 { "ProtocolId", "smb2.protocol_id", FT_UINT32, BASE_HEX,
14730 NULL, 0, NULL, HFILL }
14733 { &hf_smb2_truncated,
14734 { "Truncated...", "smb2.truncated", FT_NONE, BASE_NONE,
14735 NULL, 0, NULL, HFILL }
14738 { &hf_smb2_pipe_fragment_overlap,
14739 { "Fragment overlap", "smb2.pipe.fragment.overlap", FT_BOOLEAN, BASE_NONE,
14740 NULL, 0x0, "Fragment overlaps with other fragments", HFILL }
14743 { &hf_smb2_pipe_fragment_overlap_conflict,
14744 { "Conflicting data in fragment overlap", "smb2.pipe.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE,
14745 NULL, 0x0, NULL, HFILL }
14748 { &hf_smb2_pipe_fragment_multiple_tails,
14749 { "Multiple tail fragments found", "smb2.pipe.fragment.multipletails", FT_BOOLEAN, BASE_NONE,
14750 NULL, 0x0, "Several tails were found when defragmenting the packet", HFILL }
14753 { &hf_smb2_pipe_fragment_too_long_fragment,
14754 { "Fragment too long", "smb2.pipe.fragment.toolongfragment", FT_BOOLEAN, BASE_NONE,
14755 NULL, 0x0, "Fragment contained data past end of packet", HFILL }
14758 { &hf_smb2_pipe_fragment_error,
14759 { "Defragmentation error", "smb2.pipe.fragment.error", FT_FRAMENUM, BASE_NONE,
14760 NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }
14763 { &hf_smb2_pipe_fragment_count,
14764 { "Fragment count", "smb2.pipe.fragment.count", FT_UINT32, BASE_DEC,
14765 NULL, 0x0, NULL, HFILL }
14768 { &hf_smb2_pipe_fragment,
14769 { "Fragment SMB2 Named Pipe", "smb2.pipe.fragment", FT_FRAMENUM, BASE_NONE,
14770 NULL, 0x0, NULL, HFILL }
14773 { &hf_smb2_pipe_fragments,
14774 { "Reassembled SMB2 Named Pipe fragments", "smb2.pipe.fragments", FT_NONE, BASE_NONE,
14775 NULL, 0x0, NULL, HFILL }
14778 { &hf_smb2_pipe_reassembled_in,
14779 { "This SMB2 Named Pipe payload is reassembled in frame", "smb2.pipe.reassembled_in", FT_FRAMENUM, BASE_NONE,
14780 NULL, 0x0, "The Named Pipe PDU is completely reassembled in this frame", HFILL }
14783 { &hf_smb2_pipe_reassembled_length,
14784 { "Reassembled SMB2 Named Pipe length", "smb2.pipe.reassembled.length", FT_UINT32, BASE_DEC,
14785 NULL, 0x0, "The total length of the reassembled payload", HFILL }
14788 { &hf_smb2_pipe_reassembled_data,
14789 { "Reassembled SMB2 Named Pipe Data", "smb2.pipe.reassembled.data", FT_BYTES, BASE_NONE,
14790 NULL, 0x0, "The reassembled payload", HFILL }
14793 { &hf_smb2_cchunk_resume_key,
14794 { "ResumeKey", "smb2.fsctl.cchunk.resume_key", FT_BYTES, BASE_NONE,
14795 NULL, 0x0, "Opaque data representing source of copy", HFILL }
14798 { &hf_smb2_cchunk_count,
14799 { "Chunk Count", "smb2.fsctl.cchunk.count", FT_UINT32, BASE_DEC,
14800 NULL, 0x0, NULL, HFILL }
14803 { &hf_smb2_cchunk_src_offset,
14804 { "Source Offset", "smb2.fsctl.cchunk.src_offset", FT_UINT64, BASE_DEC,
14805 NULL, 0x0, NULL, HFILL }
14808 { &hf_smb2_cchunk_dst_offset,
14809 { "Target Offset", "smb2.fsctl.cchunk.dst_offset", FT_UINT64, BASE_DEC,
14810 NULL, 0x0, NULL, HFILL }
14813 { &hf_smb2_cchunk_xfer_len,
14814 { "Transfer Length", "smb2.fsctl.cchunk.xfer_len", FT_UINT32, BASE_DEC,
14815 NULL, 0x0, NULL, HFILL }
14818 { &hf_smb2_cchunk_chunks_written,
14819 { "Chunks Written", "smb2.fsctl.cchunk.chunks_written", FT_UINT32, BASE_DEC,
14820 NULL, 0x0, NULL, HFILL }
14823 { &hf_smb2_cchunk_bytes_written,
14824 { "Chunk Bytes Written", "smb2.fsctl.cchunk.bytes_written", FT_UINT32, BASE_DEC,
14825 NULL, 0x0, NULL, HFILL }
14828 { &hf_smb2_cchunk_total_written,
14829 { "Total Bytes Written", "smb2.fsctl.cchunk.total_written", FT_UINT32, BASE_DEC,
14830 NULL, 0x0, NULL, HFILL }
14832 { &hf_smb2_reparse_tag,
14833 { "Reparse Tag", "smb2.reparse_tag", FT_UINT32, BASE_HEX,
14834 VALS(reparse_tag_vals), 0x0, NULL, HFILL }
14836 { &hf_smb2_reparse_guid,
14837 { "Reparse GUID", "smb2.reparse_guid", FT_NONE, BASE_NONE,
14838 NULL, 0, NULL, HFILL }
14840 { &hf_smb2_reparse_data_length,
14841 { "Reparse Data Length", "smb2.reparse_data_length", FT_UINT16, BASE_DEC,
14842 NULL, 0x0, NULL, HFILL }
14844 { &hf_smb2_reparse_data_buffer,
14845 { "Reparse Data Buffer", "smb2.reparse_data_buffer", FT_NONE, BASE_NONE,
14846 NULL, 0, NULL, HFILL }
14848 { &hf_smb2_nfs_type,
14849 { "NFS file type", "smb2.nfs.type", FT_UINT64, BASE_HEX|BASE_VAL64_STRING,
14850 VALS64(nfs_type_vals), 0x0, NULL, HFILL }
14852 { &hf_smb2_nfs_symlink_target,
14853 { "Symlink Target", "smb2.nfs.symlink.target", FT_STRING,
14854 BASE_NONE, NULL, 0x0, NULL, HFILL }
14856 { &hf_smb2_nfs_chr_major,
14857 { "Major", "smb2.nfs.char.major", FT_UINT32,
14858 BASE_HEX, NULL, 0x0, NULL, HFILL }
14860 { &hf_smb2_nfs_chr_minor,
14861 { "Minor", "smb2.nfs.char.minor", FT_UINT32,
14862 BASE_HEX, NULL, 0x0, NULL, HFILL }
14864 { &hf_smb2_nfs_blk_major,
14865 { "Major", "smb2.nfs.block.major", FT_UINT32,
14866 BASE_HEX, NULL, 0x0, NULL, HFILL }
14868 { &hf_smb2_nfs_blk_minor,
14869 { "Minor", "smb2.nfs.block.minor", FT_UINT32,
14870 BASE_HEX, NULL, 0x0, NULL, HFILL }
14872 { &hf_smb2_symlink_error_response,
14873 { "Symbolic Link Error Response", "smb2.symlink_error_response", FT_NONE, BASE_NONE,
14874 NULL, 0, NULL, HFILL }
14876 { &hf_smb2_symlink_length,
14877 { "SymLink Length", "smb2.symlink.length", FT_UINT32,
14878 BASE_DEC, NULL, 0x0, NULL, HFILL }
14880 { &hf_smb2_symlink_error_tag,
14881 { "SymLink Error Tag", "smb2.symlink.error_tag", FT_UINT32,
14882 BASE_HEX, NULL, 0x0, NULL, HFILL }
14884 { &hf_smb2_unparsed_path_length,
14885 { "Unparsed Path Length", "smb2.symlink.unparsed_path_length", FT_UINT16, BASE_DEC,
14886 NULL, 0x0, NULL, HFILL }
14888 { &hf_smb2_symlink_substitute_name,
14889 { "Substitute Name", "smb2.symlink.substitute_name", FT_STRING, BASE_NONE,
14890 NULL, 0x0, NULL, HFILL }
14892 { &hf_smb2_symlink_print_name,
14893 { "Print Name", "smb2.symlink.print_name", FT_STRING, BASE_NONE,
14894 NULL, 0x0, NULL, HFILL }
14896 { &hf_smb2_symlink_flags,
14897 { "Flags", "smb2.symlink.flags", FT_UINT32, BASE_DEC,
14898 NULL, 0x0, NULL, HFILL }
14900 { &hf_smb2_fscc_file_attr,
14901 { "File Attributes", "smb2.file_attribute", FT_UINT32, BASE_HEX,
14902 NULL, 0x0, NULL, HFILL }
14904 { &hf_smb2_fscc_file_attr_read_only,
14905 { "Read Only", "smb2.file_attribute.read_only", FT_BOOLEAN, 32,
14906 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL } },
14908 { &hf_smb2_fscc_file_attr_hidden,
14909 { "Hidden", "smb2.file_attribute.hidden", FT_BOOLEAN, 32,
14910 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL } },
14912 { &hf_smb2_fscc_file_attr_system,
14913 { "System", "smb2.file_attribute.system", FT_BOOLEAN, 32,
14914 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL } },
14916 { &hf_smb2_fscc_file_attr_directory,
14917 { "Directory", "smb2.file_attribute.directory", FT_BOOLEAN, 32,
14918 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL } },
14920 { &hf_smb2_fscc_file_attr_archive,
14921 { "Requires archived", "smb2.file_attribute.archive", FT_BOOLEAN, 32,
14922 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL } },
14924 { &hf_smb2_fscc_file_attr_normal,
14925 { "Normal", "smb2.file_attribute.normal", FT_BOOLEAN, 32,
14926 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL } },
14928 { &hf_smb2_fscc_file_attr_temporary,
14929 { "Temporary", "smb2.file_attribute.temporary", FT_BOOLEAN, 32,
14930 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL } },
14932 { &hf_smb2_fscc_file_attr_sparse_file,
14933 { "Sparse", "smb2.file_attribute.sparse", FT_BOOLEAN, 32,
14934 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_SPARSE_FILE, "Is this a sparse file?", HFILL } },
14936 { &hf_smb2_fscc_file_attr_reparse_point,
14937 { "Reparse Point", "smb2.file_attribute.reparse", FT_BOOLEAN, 32,
14938 TFS(&tfs_fscc_file_attribute_reparse), SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT, "Does this file have an associated reparse point?", HFILL } },
14940 { &hf_smb2_fscc_file_attr_compressed,
14941 { "Compressed", "smb2.file_attribute.compressed", FT_BOOLEAN, 32,
14942 TFS(&tfs_fscc_file_attribute_compressed), SMB2_FSCC_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL } },
14944 { &hf_smb2_fscc_file_attr_offline,
14945 { "Offline", "smb2.file_attribute.offline", FT_BOOLEAN, 32,
14946 TFS(&tfs_fscc_file_attribute_offline), SMB2_FSCC_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL } },
14948 { &hf_smb2_fscc_file_attr_not_content_indexed,
14949 { "Not Content Indexed", "smb2.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
14950 TFS(&tfs_fscc_file_attribute_not_content_indexed), SMB2_FSCC_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL } },
14952 { &hf_smb2_fscc_file_attr_encrypted,
14953 { "Encrypted", "smb2.file_attribute.encrypted", FT_BOOLEAN, 32,
14954 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL } },
14956 { &hf_smb2_fscc_file_attr_integrity_stream,
14957 { "Integrity Stream", "smb2.file_attribute.integrity_stream", FT_BOOLEAN, 32,
14958 TFS(&tfs_fscc_file_attribute_integrity_stream), SMB2_FSCC_FILE_ATTRIBUTE_INTEGRITY_STREAM, "Is this file configured with integrity support?", HFILL } },
14960 { &hf_smb2_fscc_file_attr_no_scrub_data,
14961 { "No Scrub Data", "smb2.file_attribute.no_scrub_data", FT_BOOLEAN, 32,
14962 TFS(&tfs_fscc_file_attribute_no_scrub_data), SMB2_FSCC_FILE_ATTRIBUTE_NO_SCRUB_DATA, "Is this file configured to be excluded from the data integrity scan?", HFILL } },
14964 { &hf_smb2_fsctl_infoex_enable_integrity,
14965 {"Enable Integrity", "smb2.fsctl.infoex.enable_integrity", FT_UINT8, BASE_HEX,
14966 VALS(smb2_fsctl_infoex_integrity_modes), 0, NULL, HFILL } },
14968 { &hf_smb2_fsctl_infoex_keep_integrity_state,
14969 {"Integrity State", "smb2.fsctl.infoex.keep_integrity_state", FT_UINT8, BASE_HEX,
14970 VALS(smb2_fsctl_infoex_integrity_state), 0, NULL, HFILL } },
14972 { &hf_smb2_fsctl_infoex_reserved,
14973 {"Reserved", "smb2.fsctl.infoex.reserved", FT_UINT16, BASE_HEX,
14974 NULL, 0, NULL, HFILL } },
14976 { &hf_smb2_fsctl_infoex_flags,
14977 { "Flags", "smb2.fsctl.infoex.flags", FT_UINT32, BASE_HEX,
14978 NULL, 0, NULL, HFILL } },
14980 { &hf_smb2_fsctl_infoex_version,
14981 { "Version", "smb2.fsctl.infoex.version", FT_UINT8, BASE_DEC,
14982 NULL, 0, NULL, HFILL } },
14984 { &hf_smb2_fsctl_infoex_reserved2,
14985 { "Reserved", "smb2.fsctl.infoex.reserved2", FT_UINT56, BASE_HEX,
14986 NULL, 0, NULL, HFILL } },
14988 { &hf_smb2_query_info_flags,
14989 {"Flags", "smb2.query_info.flags", FT_UINT32, BASE_HEX,
14990 NULL, 0, NULL, HFILL }},
14992 { &hf_smb2_query_info_flag_restart_scan,
14993 {"SL Restart Scan", "smb2.query_info.flags.restart_scan", FT_BOOLEAN, 32,
14994 NULL, SMB2_SL_RESTART_SCAN, "Restart the scan for EAs from the beginning", HFILL } },
14996 { &hf_smb2_query_info_flag_return_single_entry,
14997 {"SL Return Single Entry", "smb2.query_info.flags.return_single_entry", FT_BOOLEAN, 32,
14998 NULL, SMB2_SL_RETURN_SINGLE_ENTRY, "Return a single EA entry in the response buffer.", HFILL } },
15000 { &hf_smb2_query_info_flag_index_specified,
15001 {"SL Index Specified", "smb2.query_info.flags.index_specified", FT_BOOLEAN, 32,
15002 NULL, SL_INDEX_SPECIFIED, "The caller has specified an EA index.", HFILL } },
15004 { &hf_smb2_notification_type,
15005 { "Notification Type", "smb2.notification.type", FT_UINT32, BASE_HEX,
15006 VALS(server_notification_types), 0, NULL, HFILL } },
15009 &hf_smb2_fscc_refs_snapshot_mgmt_operation,
15010 { "Operation", "smb2.refs.snapshot.mgmt.op", FT_UINT32, BASE_HEX,
15011 VALS(refs_stream_snapshot_operation_types), 0, NULL, HFILL }},
15014 &hf_smb2_fscc_refs_snapshot_mgmt_namelen,
15015 { "Name Length", "smb2.refs.snapshot.mgmt.namelen", FT_UINT16, BASE_DEC,
15016 NULL, 0, NULL, HFILL }},
15019 &hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len,
15020 { "Input Buffer Length", "smb2.refs.snapshot.mgmt.input_buffer_len", FT_UINT16, BASE_DEC,
15021 NULL, 0, NULL, HFILL }},
15024 &hf_smb2_fscc_refs_snapshot_mgmt_reserved,
15025 { "Reserved", "smb2.refs.snapshot.mgmt.reserved", FT_BYTES, BASE_NONE,
15026 NULL, 0, NULL, HFILL }},
15029 &hf_smb2_fscc_refs_snapshot_mgmt_name,
15030 { "Name", "smb2.refs.snapshot.mgmt.name", FT_STRING, BASE_NONE,
15031 NULL, 0x0, NULL, HFILL }},
15034 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn,
15035 { "Starting VCN", "smb2.refs.snapshot.query.delta_buffer.startvcn", FT_UINT64, BASE_DEC,
15036 NULL, 0, NULL, HFILL }},
15039 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags,
15040 { "Flags", "smb2.refs.snapshot.query.delta_buffer.flags", FT_UINT32, BASE_DEC,
15041 NULL, 0, NULL, HFILL }},
15044 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved,
15045 { "Reserved", "smb2.refs.snapshot.query.delta_buffer.reserved", FT_UINT32, BASE_DEC,
15046 NULL, 0, NULL, HFILL }},
15048 { &hf_smb2_flush_reserved2,
15049 { "Reserved2", "smb2.flush.reserved2", FT_BYTES, BASE_NONE,
15050 NULL, 0, NULL, HFILL }},
15054 static int *ett[] = {
15055 &ett_smb2,
15056 &ett_smb2_ea,
15057 &ett_smb2_olb,
15058 &ett_smb2_header,
15059 &ett_smb2_encrypted,
15060 &ett_smb2_compressed,
15061 &ett_smb2_decompressed,
15062 &ett_smb2_command,
15063 &ett_smb2_secblob,
15064 &ett_smb2_negotiate_context_element,
15065 &ett_smb2_file_basic_info,
15066 &ett_smb2_file_standard_info,
15067 &ett_smb2_file_internal_info,
15068 &ett_smb2_file_ea_info,
15069 &ett_smb2_file_access_info,
15070 &ett_smb2_file_rename_info,
15071 &ett_smb2_file_link_info,
15072 &ett_smb2_file_disposition_info,
15073 &ett_smb2_file_position_info,
15074 &ett_smb2_file_full_ea_info,
15075 &ett_smb2_file_mode_info,
15076 &ett_smb2_file_alignment_info,
15077 &ett_smb2_file_all_info,
15078 &ett_smb2_file_allocation_info,
15079 &ett_smb2_file_endoffile_info,
15080 &ett_smb2_file_alternate_name_info,
15081 &ett_smb2_file_stream_info,
15082 &ett_smb2_file_pipe_info,
15083 &ett_smb2_file_compression_info,
15084 &ett_smb2_file_network_open_info,
15085 &ett_smb2_file_attribute_tag_info,
15086 &ett_smb2_file_normalized_name_info,
15087 &ett_smb2_fs_info_01,
15088 &ett_smb2_fs_info_03,
15089 &ett_smb2_fs_info_04,
15090 &ett_smb2_fs_info_05,
15091 &ett_smb2_fs_info_06,
15092 &ett_smb2_fs_info_07,
15093 &ett_smb2_fs_objectid_info,
15094 &ett_smb2_fs_posix_info,
15095 &ett_smb2_sec_info_00,
15096 &ett_smb2_additional_information_sec_mask,
15097 &ett_smb2_quota_info,
15098 &ett_smb2_query_quota_info,
15099 &ett_smb2_tid_tree,
15100 &ett_smb2_sesid_tree,
15101 &ett_smb2_create_chain_element,
15102 &ett_smb2_MxAc_buffer,
15103 &ett_smb2_QFid_buffer,
15104 &ett_smb2_RqLs_buffer,
15105 &ett_smb2_ioctl_function,
15106 &ett_smb2_FILE_OBJECTID_BUFFER,
15107 &ett_smb2_flags,
15108 &ett_smb2_sec_mode,
15109 &ett_smb2_capabilities,
15110 &ett_smb2_ses_req_flags,
15111 &ett_smb2_ses_flags,
15112 &ett_smb2_create_rep_flags,
15113 &ett_smb2_lease_state,
15114 &ett_smb2_lease_flags,
15115 &ett_smb2_share_flags,
15116 &ett_smb2_share_caps,
15117 &ett_smb2_comp_alg_flags,
15118 &ett_smb2_ioctl_flags,
15119 &ett_smb2_ioctl_network_interface,
15120 &ett_smb2_ioctl_sqos_opeations,
15121 &ett_smb2_fsctl_range_data,
15122 &ett_windows_sockaddr,
15123 &ett_smb2_close_flags,
15124 &ett_smb2_notify_info,
15125 &ett_smb2_notify_flags,
15126 &ett_smb2_rdma_v1,
15127 &ett_smb2_write_flags,
15128 &ett_smb2_find_flags,
15129 &ett_smb2_file_directory_info,
15130 &ett_smb2_both_directory_info,
15131 &ett_smb2_id_both_directory_info,
15132 &ett_smb2_full_directory_info,
15133 &ett_smb2_posix_info,
15134 &ett_smb2_file_name_info,
15135 &ett_smb2_lock_info,
15136 &ett_smb2_lock_flags,
15137 &ett_smb2_DH2Q_buffer,
15138 &ett_smb2_DH2C_buffer,
15139 &ett_smb2_dh2x_flags,
15140 &ett_smb2_APP_INSTANCE_buffer,
15141 &ett_smb2_svhdx_open_device_context,
15142 &ett_smb2_app_instance_version_buffer,
15143 &ett_smb2_app_instance_version_buffer_version,
15144 &ett_smb2_aapl_create_context_request,
15145 &ett_smb2_aapl_server_query_bitmask,
15146 &ett_smb2_aapl_server_query_caps,
15147 &ett_smb2_aapl_create_context_response,
15148 &ett_smb2_aapl_server_query_volume_caps,
15149 &ett_smb2_integrity_flags,
15150 &ett_smb2_buffercode,
15151 &ett_smb2_ioctl_network_interface_capabilities,
15152 &ett_smb2_tree_connect_flags,
15153 &ett_qfr_entry,
15154 &ett_smb2_pipe_fragment,
15155 &ett_smb2_pipe_fragments,
15156 &ett_smb2_cchunk_entry,
15157 &ett_smb2_fsctl_odx_token,
15158 &ett_smb2_symlink_error_response,
15159 &ett_smb2_reparse_data_buffer,
15160 &ett_smb2_error_data,
15161 &ett_smb2_error_context,
15162 &ett_smb2_error_redir_context,
15163 &ett_smb2_error_redir_ip_list,
15164 &ett_smb2_read_flags,
15165 &ett_smb2_signature,
15166 &ett_smb2_transform_flags,
15167 &ett_smb2_fscc_file_attributes,
15168 &ett_smb2_comp_pattern_v1,
15169 &ett_smb2_comp_payload,
15170 &ett_smb2_query_info_flags,
15171 &ett_smb2_server_notification,
15172 &ett_smb2_fscc_refs_snapshot_query_delta_buffer,
15175 static ei_register_info ei[] = {
15176 { &ei_smb2_invalid_length, { "smb2.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }},
15177 { &ei_smb2_bad_response, { "smb2.bad_response", PI_MALFORMED, PI_ERROR, "Bad response", EXPFILL }},
15178 { &ei_smb2_bad_negprot_negotiate_context_count, { "smb2.bad_negprot_negotiate_context_count", PI_MALFORMED, PI_ERROR, "Negotiate Protocol request NegotiateContextCount is nonzero without SMB 3.11 support", EXPFILL }},
15179 { &ei_smb2_bad_negprot_negotiate_context_offset, { "smb2.bad_negprot_negotiate_context_offset", PI_MALFORMED, PI_ERROR, "Negotiate Protocol request NegotiateContextOffset is nonzero without SMB 3.11 support", EXPFILL }},
15180 { &ei_smb2_bad_negprot_reserved, { "smb2.bad_negprot_reserved", PI_MALFORMED, PI_ERROR, "Negotiate Protocol response Reserved is nonzero", EXPFILL }},
15181 { &ei_smb2_bad_negprot_reserved2, { "smb2.bad_negprot_reserved2", PI_MALFORMED, PI_ERROR, "Negotiate Protocol response Reserved2 is nonzero", EXPFILL }},
15182 { &ei_smb2_invalid_getinfo_offset, { "smb2.invalid_getinfo_offset", PI_MALFORMED, PI_ERROR, "Input buffer offset isn't past the fixed data in the message", EXPFILL }},
15183 { &ei_smb2_invalid_getinfo_size, { "smb2.invalid_getinfo_size", PI_MALFORMED, PI_ERROR, "Input buffer length goes past the end of the message", EXPFILL }},
15184 { &ei_smb2_empty_getinfo_buffer, { "smb2.empty_getinfo_buffer", PI_PROTOCOL, PI_WARN, "Input buffer length is empty for a quota request", EXPFILL }},
15185 { &ei_smb2_invalid_signature, { "smb2.invalid_signature", PI_MALFORMED, PI_ERROR, "Invalid Signature", EXPFILL }},
15188 expert_module_t* expert_smb2;
15190 /* SessionID <=> SessionKey mappings for decryption */
15191 uat_t *seskey_uat;
15193 static uat_field_t seskey_uat_fields[] = {
15194 UAT_FLD_BUFFER(seskey_list, id, "Session ID", "The session ID buffer, coded as hex string, as it appears on the wire (LE)."),
15195 UAT_FLD_BUFFER(seskey_list, seskey, "Session Key", "The secret session key buffer, coded as 16-byte hex string."),
15196 UAT_FLD_BUFFER(seskey_list, s2ckey, "Server-to-Client", "The AES-128 key used by the client to decrypt server messages, coded as 16-byte hex string."),
15197 UAT_FLD_BUFFER(seskey_list, c2skey, "Client-to-Server", "The AES-128 key used by the server to decrypt client messages, coded as 16-byte hex string."),
15198 UAT_END_FIELDS
15201 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
15202 "SMB2", "smb2");
15203 proto_register_subtree_array(ett, array_length(ett));
15204 proto_register_field_array(proto_smb2, hf, array_length(hf));
15205 expert_smb2 = expert_register_protocol(proto_smb2);
15206 expert_register_field_array(expert_smb2, ei, array_length(ei));
15208 smb2_module = prefs_register_protocol(proto_smb2, NULL);
15209 prefs_register_bool_preference(smb2_module, "eosmb2_take_name_as_fid",
15210 "Use the full file name as File ID when exporting an SMB2 object",
15211 "Whether the export object functionality will take the full path file name as file identifier",
15212 &eosmb2_take_name_as_fid);
15214 prefs_register_bool_preference(smb2_module, "pipe_reassembly",
15215 "Reassemble Named Pipes over SMB2",
15216 "Whether the dissector should reassemble Named Pipes over SMB2 commands",
15217 &smb2_pipe_reassembly);
15219 prefs_register_bool_preference(smb2_module, "verify_signatures",
15220 "Verify SMB2 Signatures",
15221 "Whether the dissector should try to verify SMB2 signatures",
15222 &smb2_verify_signatures);
15224 seskey_uat = uat_new("Secret session key to use for decryption",
15225 sizeof(smb2_seskey_field_t),
15226 "smb2_seskey_list",
15227 true,
15228 &seskey_list,
15229 &num_seskey_list,
15230 (UAT_AFFECTS_DISSECTION | UAT_AFFECTS_FIELDS),
15231 NULL,
15232 seskey_list_copy_cb,
15233 seskey_list_update_cb,
15234 seskey_list_free_cb,
15235 NULL,
15236 NULL,
15237 seskey_uat_fields);
15239 prefs_register_uat_preference(smb2_module,
15240 "seskey_list",
15241 "Secret session keys for decryption",
15242 "A table of Session ID to Session keys mappings used to decrypt traffic.",
15243 seskey_uat);
15245 smb2_pipe_subdissector_list = register_heur_dissector_list_with_description("smb2_pipe_subdissectors", "SMB2 Pipe data", proto_smb2);
15247 * XXX - addresses_ports_reassembly_table_functions?
15248 * Probably correct for SMB-over-NBT and SMB-over-TCP,
15249 * as stuff from two different connections should
15250 * probably not be combined, but what about other
15251 * transports for SMB, e.g. NBF or Netware?
15253 reassembly_table_register(&smb2_pipe_reassembly_table,
15254 &addresses_reassembly_table_functions);
15256 smb2_tap = register_tap("smb2");
15257 smb2_eo_tap = register_tap("smb_eo"); /* SMB Export Object tap */
15259 register_srt_table(proto_smb2, NULL, 1, smb2stat_packet, smb2stat_init, NULL);
15260 smb2_sessions = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), smb2_sesid_info_hash, smb2_sesid_info_equal);
/*
 * Handoff routine for the SMB2 dissector.
 *
 * Looks up the "gssapi", "ntlmssp" and "rsvd" dissectors by name, recording
 * each as a dependency of SMB2, and stores the returned handles in the
 * file-level gssapi_handle, ntlmssp_handle and rsvd_handle.  It then adds
 * dissect_smb2_heur to the "netbios" and "smb_direct" heuristic lists.
 *
 * Both heuristic entries are registered with HEURISTIC_ENABLE, so they are
 * active by default and dissect_smb2_heur is offered payloads from those
 * transports without any user opt-in.
 * NOTE(review): dissect_smb2_heur is defined outside this view - confirm it
 * rejects non-SMB2 input before handing data to the full dissector.
 */
void
proto_reg_handoff_smb2(void)
{
	/*
	 * Handles for the dissectors SMB2 hands embedded payloads to.
	 * NOTE(review): a lookup by name yields NULL when no such dissector is
	 * registered - verify the users of these handles tolerate that.
	 */
	gssapi_handle =
		find_dissector_add_dependency("gssapi", proto_smb2);
	ntlmssp_handle =
		find_dissector_add_dependency("ntlmssp", proto_smb2);
	rsvd_handle =
		find_dissector_add_dependency("rsvd", proto_smb2);

	/* Heuristic detection of SMB2 carried over NetBIOS. */
	heur_dissector_add("netbios",
			   dissect_smb2_heur,
			   "SMB2 over Netbios",
			   "smb2_netbios",
			   proto_smb2,
			   HEURISTIC_ENABLE);

	/* Heuristic detection of SMB2 carried over SMB Direct. */
	heur_dissector_add("smb_direct",
			   dissect_smb2_heur,
			   "SMB2 over SMB Direct",
			   "smb2_smb_direct",
			   proto_smb2,
			   HEURISTIC_ENABLE);
}
15274 * Editor modelines - https://www.wireshark.org/tools/modelines.html
15276 * Local variables:
15277 * c-basic-offset: 8
15278 * tab-width: 8
15279 * indent-tabs-mode: t
15280 * End:
15282 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
15283 * :indentSize=8:tabSize=8:noTabs=false: