epan/dissectors/packet-homepna.c

   1 /* packet-homepna.c
   2  *
   3  * ITU-T Rec. G.9954 (renumbered from G.989.2)
   4  * https://www.itu.int/rec/T-REC-G.9954/en
   5  *
   6  * Wireshark - Network traffic analyzer
   7  * By Gerald Combs <gerald@wireshark.org>
   8  * Copyright 1998 Gerald Combs
   9  *
  10  * SPDX-License-Identifier: GPL-2.0-or-later
  11  */
  12
  13 #include "config.h"
  14
  15 #include <epan/packet.h>
  16 #include <epan/etypes.h>
  17
  18 void proto_register_homepna(void);
  19 void proto_reg_handoff_homepna(void);
  20
  21 static dissector_handle_t homepna_handle;
  22
  23 static int proto_homepna;
  24
  25 static int hf_homepna_type;
  26 static int hf_homepna_length;
  27 static int hf_homepna_version;
  28 static int hf_homepna_data;
  29 static int hf_homepna_etype;
  30 static int hf_homepna_trailer;
  31
  32 static int ett_homepna;
  33
  34 static dissector_handle_t ethertype_handle;
  35
  36 static const range_string homepna_type_rvals[] = {
  37     { 0,     0,     "Non-standard" },
  38     { 1,     1,     "Rate Request Control Frame" },
  39     { 2,     2,     "Link Integrity Short Frame" },
  40     { 3,     3,     "Capabilities Announcement" },
  41     { 4,     4,     "LARQ" },
  42     { 5,     5,     "Vendor-specific short format type" },
  43     { 6,     127,   "Reserved for future use by the ITU-T" },
  44     { 128,   32767, "Reserved for future use by the ITU-T" },
  45     { 32768, 32768, "Reserved for future use by the ITU-T" },
  46     { 32769, 32769, "Vendor-specific long-format" },
  47     { 32770, 65535, "Reserved for future use by the ITU-T" },
  48     { 0, 0, NULL }
  49 };
  50
  51 typedef enum
  52 {
  53     HOMEPNA_FORMAT_SHORT,
  54     HOMEPNA_FORMAT_LONG
  55 } homepna_format_e;
  56
  57 static int
  58 dissect_homepna(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
  59 {
  60     /*
  61      * XXX: Ethertype 0x886C is assigned by IEEE to HomePNA, which was
  62      * originally developed by Epigram and bought by Broadcom.
  63      * Broadcom *also* uses 0x886C in their Wi-Fi firmware for certain
  64      * event frames with an entirely different unregistered protocol,
  65      * and at least up to certain firmware versions, there was an
  66      * exploit based on these so people might want to dissect them.
  67      * https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html
  68      * https://github.com/kanstrup/bcmdhd-dissector/
  69      * https://android.googlesource.com/kernel/common.git/+/bcmdhd-3.10/drivers/net/wireless/bcmdhd/include/proto/ethernet.h
  70      * There's an example at
  71      * https://gitlab.com/wireshark/wireshark/-/issues/12759
  72      * We could eventually have a dissector for that; right now this
  73      * dissectors will incorrectly dissect such packets and probably call
  74      * them malformed.
  75      */
  76
  77     proto_tree *ti;
  78     proto_tree *homepna_tree;
  79     int offset = 0;
  80     uint32_t control_length;
  81     homepna_format_e homepna_format = HOMEPNA_FORMAT_SHORT;
  82     uint16_t protocol;
  83     ethertype_data_t ethertype_data;
  84
  85     if (tvb_captured_length(tvb) < 4)
  86         return 0;
  87
  88     col_set_str(pinfo->cinfo, COL_PROTOCOL, "HomePNA");
  89     col_clear(pinfo->cinfo, COL_INFO);
  90
  91     ti = proto_tree_add_item(tree, proto_homepna, tvb, 0, -1, ENC_NA);
  92     homepna_tree = proto_item_add_subtree(ti, ett_homepna);
  93
  94     if (tvb_get_uint8(tvb, offset) > 127)
  95         homepna_format = HOMEPNA_FORMAT_LONG;
  96
  97     if (homepna_format == HOMEPNA_FORMAT_SHORT)
  98     {
  99         proto_tree_add_item(homepna_tree, hf_homepna_type, tvb, offset, 1, ENC_BIG_ENDIAN);
 100         offset += 1;
 101         proto_tree_add_item_ret_uint(homepna_tree, hf_homepna_length, tvb, offset, 1, ENC_BIG_ENDIAN, &control_length);
 102         offset += 1;
 103     }
 104     else
 105     {
 106         proto_tree_add_item(homepna_tree, hf_homepna_type, tvb, offset, 2, ENC_BIG_ENDIAN);
 107         offset += 2;
 108         proto_tree_add_item_ret_uint(homepna_tree, hf_homepna_length, tvb, offset, 2, ENC_BIG_ENDIAN, &control_length);
 109         offset += 2;
 110     }
 111
 112     proto_tree_add_item(homepna_tree, hf_homepna_version, tvb, offset, 1, ENC_BIG_ENDIAN);
 113     offset += 1;
 114
 115     proto_tree_add_item(homepna_tree, hf_homepna_data, tvb, offset, control_length-3, ENC_NA);
 116     offset += (control_length-2);
 117
 118     protocol = tvb_get_ntohs(tvb, offset);
 119     proto_tree_add_uint(homepna_tree, hf_homepna_etype, tvb, offset, 2, protocol);
 120
 121     offset += 2;
 122     if (protocol == 0) {
 123         /* No next layer protocol. Set our length here so the previous
 124          * dissector can find any padding, trailer, and FCS.
 125          */
 126         proto_item_set_len(ti, offset);
 127         set_actual_length(tvb, offset);
 128     } else {
 129         ethertype_data.etype = protocol;
 130         ethertype_data.payload_offset = offset;
 131         ethertype_data.fh_tree = homepna_tree;
 132         ethertype_data.trailer_id = hf_homepna_trailer;
 133         ethertype_data.fcs_len = 0;
 134
 135         call_dissector_with_data(ethertype_handle, tvb, pinfo, tree, &ethertype_data);
 136     }
 137
 138     return tvb_captured_length(tvb);
 139 }
 140
 141 void
 142 proto_register_homepna(void)
 143 {
 144     static hf_register_info hf[] = {
 145         { &hf_homepna_type,
 146         { "Type", "hpna.type", FT_UINT16, BASE_DEC|BASE_RANGE_STRING, RVALS(homepna_type_rvals), 0x0,
 147             NULL, HFILL}},
 148         { &hf_homepna_length,
 149         { "Length", "hpna.length", FT_UINT16, BASE_DEC, NULL, 0x0,
 150             NULL, HFILL}},
 151         { &hf_homepna_version,
 152         { "Version", "hpna.version", FT_UINT8, BASE_DEC, NULL, 0x0,
 153             NULL, HFILL}},
 154         { &hf_homepna_data,
 155         { "Data", "hpna.data", FT_BYTES, BASE_NONE, NULL, 0x0,
 156             NULL, HFILL}},
 157         { &hf_homepna_etype,
 158         { "Ethertype", "hpna.etype", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
 159             NULL, HFILL}},
 160         { &hf_homepna_trailer,
 161         { "Trailer", "hpna.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
 162             NULL, HFILL}},
 163
 164     };
 165
 166     static int *ett[] = {
 167         &ett_homepna,
 168     };
 169
 170     proto_homepna = proto_register_protocol("HomePNA, wlan link local tunnel", "HomePNA", "hpna");
 171     proto_register_field_array(proto_homepna, hf, array_length(hf));
 172     proto_register_subtree_array(ett, array_length(ett));
 173
 174     homepna_handle = register_dissector("hpna", dissect_homepna, proto_homepna);
 175 }
 176
 177
 178 void
 179 proto_reg_handoff_homepna(void)
 180 {
 181     dissector_add_uint("ethertype", ETHERTYPE_LINK_CTL, homepna_handle);
 182
 183     ethertype_handle = find_dissector_add_dependency("ethertype", proto_homepna);
 184 }
 185
 186 /*
 187  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
 188  *
 189  * Local variables:
 190  * c-basic-offset: 4
 191  * tab-width: 8
 192  * indent-tabs-mode: nil
 193  * End:
 194  *
 195  * vi: set shiftwidth=4 tabstop=8 expandtab:
 196  * :indentSize=4:tabSize=8:noTabs=true:
 197  */