| blob | 65ff9b9adf619b13f8b25c2bb3047b1c5eab3c18 |
1 /* packet-rpc.c
2 * Routines for rpc dissection
3 * Copyright 1999, Uwe Girlich <Uwe.Girlich@philosys.de>
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
8 *
9 * Copied from packet-smb.c
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 */
17 #include <epan/packet.h>
18 #include <epan/expert.h>
19 #include <epan/exceptions.h>
20 #include <wsutil/pint.h>
21 #include <wsutil/str_util.h>
22 #include <epan/prefs.h>
23 #include <epan/reassemble.h>
24 #include <epan/tap.h>
25 #include <epan/stat_tap_ui.h>
26 #include <epan/srt_table.h>
27 #include <epan/show_exception.h>
28 #include <epan/tfs.h>
29 #include <wsutil/array.h>
37 /*
38 * See:
39 *
40 * RFC 1831, "RPC: Remote Procedure Call Protocol Specification
41 * Version 2";
42 *
43 * RFC 1832, "XDR: External Data Representation Standard";
44 *
45 * RFC 2203, "RPCSEC_GSS Protocol Specification".
46 *
47 * See also
48 *
49 * RFC 2695, "Authentication Mechanisms for ONC RPC"
50 *
51 * although we don't currently dissect AUTH_DES or AUTH_KERB.
52 *
53 * RFC 5531, "Appendix C: Current Number Assignments" defines AUTH_RSA.
54 * AUTH_RSA is not implemented for any known RPC-protocols. The Gluster
55 * protocols (ab)use AUTH_RSA for their own AUTH-flavor. AUTH_RSA is
56 * therefore dissected as the unofficial AUTH_GLUSTER.
57 */
61 #define RPC_TCP_PORT 111
63 #define RPC_UDP 0
64 #define RPC_TCP 1
65 #define RPC_TLS 2
67 /* desegmentation of RPC over TCP */
70 /* defragmentation of fragmented RPC over TCP records */
73 /* try to dissect RPC packets for programs that are not known
74 * (proprietary ones) by wireshark.
75 */
78 /* try to find RPC fragment start if normal decode fails
79 * (good when starting decode of mid-stream capture)
80 */
91 };
97 };
120 };
128 };
137 };
144 };
154 };
160 };
171 };
177 };
179 /* the protocol number */
256 /* Generated from convert_proto_tree_add_text.pl */
307 NULL,
309 /* Reassembled data field */
310 NULL,
311 "fragments"
312 };
314 /* Hash table with info on RPC program numbers */
329 static void
330 rpcstat_find_procs(const char *table_name _U_, ftenum_t selector_type _U_, void *key, void *value _U_, void *user_data _U_)
331 {
336 }
339 }
343 }
346 }
349 }
350 }
352 static void
354 {
367 rpc_srt_table = init_srt_table(table_name, NULL, srt_array, tap_data->num_procedures, NULL, hfi->abbrev, tap_data);
369 {
373 }
374 }
376 static tap_packet_status
377 rpcstat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv, tap_flags_t flags _U_)
378 {
388 /* don't handle this since its outside of known table */
390 }
391 /* we are only interested in reply packets */
394 }
395 /* we are only interested in certain program/versions */
398 }
403 }
405 static unsigned
407 {
413 {
426 /* Need to run over both dissector tables */
433 }
434 }
435 else
436 {
438 }
441 }
447 /***********************************/
448 /* Hash array with procedure names */
449 /***********************************/
451 /* compare 2 keys */
452 static int
454 {
462 }
464 /* calculate a hash key */
465 static unsigned
467 {
471 }
474 /* return the name associated with a previously registered procedure. */
477 {
478 rpc_proc_info_key key;
479 dissector_handle_t dissect_function;
486 /* Look at both tables for possible procedure names */
487 if ((dissect_function = dissector_get_custom_table_handle(subdissector_call_table, &key)) != NULL)
489 else if ((dissect_function = dissector_get_custom_table_handle(subdissector_reply_table, &key)) != NULL)
492 /* happens only with strange program versions or
493 non-existing dissectors */
495 }
497 }
499 /*----------------------------------------*/
500 /* end of Hash array with procedure names */
501 /*----------------------------------------*/
504 /*********************************/
505 /* Hash array with program names */
506 /*********************************/
508 static void
510 {
515 }
517 void
520 {
534 /*
535 * Now register each of the versions of the program.
536 */
538 /*
539 * Add the operation number hfinfo value for this version.
540 */
547 proc++) {
548 rpc_proc_info_key key;
560 /* Abort out if desired - but don't throw an exception here! */
565 }
567 create_dissector_handle_with_name_and_description(proc->dissect_call, value->proto_id, NULL, proc->strptr));
575 /* Abort out if desired - but don't throw an exception here! */
580 }
582 create_dissector_handle_with_name_and_description(proc->dissect_reply, value->proto_id, NULL, proc->strptr));
583 }
584 }
585 }
589 /* return the hf_field associated with a previously registered program.
590 */
591 int
593 {
596 if ((rpc_prog = (rpc_prog_info_value *)g_hash_table_lookup(rpc_progs,GUINT_TO_POINTER(prog)))) {
598 }
600 }
602 /* return the name associated with a previously registered program. This
603 should probably eventually be expanded to use the rpc YP/NIS map
604 so that it can give names for programs not handled by wireshark */
607 {
611 if ((rpc_prog = (rpc_prog_info_value *)g_hash_table_lookup(rpc_progs,GUINT_TO_POINTER(prog))) == NULL) {
613 }
616 }
618 }
621 /*--------------------------------------*/
622 /* end of Hash array with program names */
623 /*--------------------------------------*/
625 /* One of these structures are created for each conversation that contains
626 * RPC and contains the state we need to maintain for the conversation.
627 */
633 /* we can not hang this off the conversation structure above since the context
634 will be reused across all tcp connections between the client and the server.
635 a global tree for all contexts should still be unlikely to have collissions
636 here.
637 */
640 unsigned int
642 {
646 /* Check for overflow */
650 }
653 int
656 {
659 }
662 int
665 {
668 }
671 int
674 {
682 }
684 /*
685 * We want to make this function available outside this file and
686 * allow callers to pass a dissection function for the opaque data
687 */
688 int
696 {
714 /* int string_item_offset; */
723 }
727 }
732 /* truncated string */
739 else
741 }
743 /* full string data */
751 /* truncated fill bytes */
756 else
758 }
760 /* full fill bytes */
763 }
764 }
766 /*
767 * If we were passed a dissection routine, make a TVB of the data
768 * and call the dissection routine
769 */
775 string_length);
779 }
782 string_buffer = tvb_get_string_enc(wmem_packet_scope(), tvb, data_offset, string_length_copy, ENC_ASCII);
784 bytes_buffer = tvb_memcpy(tvb, wmem_alloc(wmem_packet_scope(), string_length_copy), data_offset, string_length_copy);
785 }
787 /* calculate a nice printable string */
794 /* copy over the data and append <TRUNCATED> */
795 formatted_text=wmem_strdup_printf(wmem_packet_scope(), "%s%s", formatted, RPC_STRING_TRUNCATED);
798 }
804 }
805 }
808 }
810 /* string_item_offset = offset; */
813 formatted_text);
818 }
824 string_buffer,
829 bytes_buffer,
831 }
832 }
840 }
844 }
846 }
853 /*
854 * If the data was truncated, throw the appropriate exception,
855 * so that dissection stops and the frame is properly marked.
856 */
860 }
863 int
866 {
870 }
873 int
876 {
880 }
883 int
887 {
891 }
894 int
897 {
907 data);
908 }
911 }
912 }
915 }
917 int
921 {
939 }
946 }
950 }
952 static int
954 {
966 /* first, open with [ */
975 }
977 /* add at most 16 GIDs to the text */
985 }
987 }
989 /* finally, close with ] */
994 }
996 static int
998 {
1024 }
1032 static int
1036 {
1060 /* we only track contexts up to 16 bytes in size */
1062 }
1082 }
1085 }
1088 }
1092 it = proto_tree_add_uint(context_tree, hf_rpc_authgss_ctx_create_frame, tvb, 0, 0, context_info->create_frame);
1094 }
1098 it = proto_tree_add_uint(context_tree, hf_rpc_authgss_ctx_destroy_frame, tvb, 0, 0, context_info->destroy_frame);
1100 }
1105 }
1107 static int
1110 {
1136 offset = dissect_rpc_authgss_context(tree, tvb, offset, pinfo, rpc_conv_info, false, agc_proc == RPCSEC_GSS_DESTROY ? true : false);
1139 }
1141 static int
1144 {
1148 }
1150 static int
1152 {
1163 {
1171 window);
1178 nickname);
1181 }
1184 }
1186 static int
1188 {
1199 }
1201 static int
1203 {
1219 }
1221 static int
1223 {
1225 nstime_t timestamp;
1248 }
1250 static int
1252 {
1260 offset);
1263 }
1265 static int
1268 {
1290 /*
1291 case AUTH_SHORT:
1293 break;
1294 */
1300 /* AUTH_RSA is (ab)used by Gluster */
1324 }
1325 }
1329 }
1331 int
1334 {
1343 proto_rpc);
1346 }
1348 /*
1349 * XDR opaque object, the contents of which are interpreted as a GSS-API
1350 * token.
1351 */
1352 static int
1355 {
1384 }
1387 }
1389 /* AUTH_DES verifiers are asymmetrical, so we need to know what type of
1390 * verifier we're decoding (CALL or REPLY).
1391 */
1392 static int
1395 {
1422 {
1430 }
1431 else
1432 {
1433 /* must be an RPC_REPLY */
1441 }
1452 }
1453 }
1457 }
1459 static int
1462 {
1464 }
1466 static int
1469 {
1492 }
1494 static int
1497 {
1512 }
1514 static int
1517 {
1531 offset);
1548 }
1550 static int
1552 {
1554 offset);
1556 }
1558 static int
1562 {
1567 /* set the current protocol name */
1572 /* call the dissector for the next level */
1576 /* restore the protocol name */
1578 }
1581 }
1584 static int
1587 dissector_handle_t dissect_function,
1589 {
1602 /* Set rounded length so it does not croak while setting up the
1603 * GSS Data subtree when the packet has been truncated so at
1604 * least the rest of the packet could be partially dissected */
1606 }
1615 /* offset = */
1622 }
1624 static int
1627 {
1629 /* int return_offset; */
1637 ENC_NA);
1640 /* can't decrypt if we don't have SPNEGO */
1644 }
1652 }
1656 /*
1657 * Attempt to find a conversation for a call and, if we don't find one,
1658 * create a new one.
1659 */
1662 {
1665 /*
1666 * If the transport is connection-oriented (TCP or Infiniband),
1667 * we use the addresses and ports of both endpoints, because
1668 * the addresses and ports of the two endpoints should be
1669 * the same for a call and its matching reply. (XXX - what
1670 * if the connection is broken and re-established between
1671 * the call and the reply? Or will the call be re-made on
1672 * the new connection?)
1673 *
1674 * If the transport is connectionless, we don't worry
1675 * about the address to which the call was sent, because
1676 * there's no guarantee that the reply will come from the
1677 * address to which the call was sent. We also don't
1678 * worry about the port *from* which the call was sent,
1679 * because some clients (*cough* macOS NFS client *cough*)
1680 * might send retransmissions from a different port from
1681 * the original request.
1682 */
1686 /*
1687 * XXX - you currently still have to pass a non-null
1688 * pointer for the second address argument even
1689 * if you use NO_ADDR_B.
1690 */
1694 }
1705 }
1706 }
1708 }
1712 {
1715 /*
1716 * If the transport is connection-oriented (TCP or Infiniband),
1717 * we use the addresses and ports of both endpoints, because
1718 * the addresses and ports of the two endpoints should be
1719 * the same for a call and its matching reply. (XXX - what
1720 * if the connection is broken and re-established between
1721 * the call and the reply? Or will the call be re-made on
1722 * the new connection?)
1723 *
1724 * If the transport is connectionless, we don't worry
1725 * about the address from which the reply was sent,
1726 * because there's no guarantee that the call was sent
1727 * to the address from which the reply came. We also
1728 * don't worry about the port *to* which the reply was
1729 * sent, because some clients (*cough* macOS NFS client
1730 * *cough*) might send call retransmissions from a
1731 * different port from the original request, so replies
1732 * to the original call and a retransmission of the call
1733 * might be sent to different ports.
1734 */
1738 /*
1739 * XXX - you currently still have to pass a non-null
1740 * pointer for the second address argument even
1741 * if you use NO_ADDR_B.
1742 */
1746 }
1748 }
1752 {
1756 {
1777 }
1779 }
1781 /*
1782 * Dissect the arguments to an indirect call; used by the portmapper/RPCBIND
1783 * dissector for the CALLIT procedure.
1784 *
1785 * Record these in the same table as the direct calls
1786 * so we can find it when dissecting an indirect call reply.
1787 * (There should not be collissions between xid between direct and
1788 * indirect calls.)
1789 */
1790 int
1793 {
1795 rpc_proc_info_key key;
1804 if ((dissect_function = dissector_get_custom_table_handle(subdissector_call_table, &key)) != NULL) {
1805 /*
1806 * Establish a conversation for the call, for use when
1807 * matching calls with replies.
1808 */
1811 /*
1812 * Do we already have a state structure for this conv
1813 */
1816 /* No. Attach that information to the conversation, and add
1817 * it to the list of information structures.
1818 */
1823 }
1825 /* Make the dissector for this conversation the non-heuristic
1826 RPC dissector. */
1830 /* Dissectors for RPC procedure calls and replies shouldn't
1831 create new tvbuffs, and we don't create one ourselves,
1832 so we should have been handed the tvbuff for this RPC call;
1833 as such, the XID is at offset 0 in this tvbuff. */
1834 /* look up the request */
1838 /* We didn't find it; create a new entry.
1839 Prepare the value data.
1840 Not all of it is needed for handling indirect
1841 calls, so we set a bunch of items to 0. */
1850 /*
1851 * XXX - what about RPCSEC_GSS?
1852 * Do we have to worry about it?
1853 */
1857 /* store it */
1859 }
1860 }
1862 /* We don't know the procedure.
1863 Happens only with strange program versions or
1864 non-existing dissectors.
1865 Just show the arguments as opaque data. */
1867 offset);
1869 }
1874 /* Dissect the arguments */
1878 }
1880 /*
1881 * Dissect the results in an indirect reply; used by the portmapper/RPCBIND
1882 * dissector.
1883 */
1884 int
1887 {
1893 rpc_proc_info_key key;
1896 /*
1897 * Look for the matching call in the xid table.
1898 * A reply must match a call that we've seen, and the
1899 * reply must be sent to the same address that the call came
1900 * from, and must come from the port to which the call was sent.
1901 */
1904 /* We haven't seen an RPC call for that conversation,
1905 so we can't check for a reply to that call.
1906 Just show the reply stuff as opaque data. */
1908 offset);
1910 }
1911 /*
1912 * Do we already have a state structure for this conv
1913 */
1916 /* No. Attach that information to the conversation, and add
1917 * it to the list of information structures.
1918 */
1922 }
1924 /* The XIDs of the call and reply must match. */
1928 /* The XID doesn't match a call from that
1929 conversation, so it's probably not an RPC reply.
1930 Just show the reply stuff as opaque data. */
1932 offset);
1934 }
1943 }
1946 }
1949 {
1952 /* Put the program, version, and procedure into the tree. */
1965 }
1968 /* We don't know how to dissect the reply procedure.
1969 Just show the reply stuff as opaque data. */
1971 offset);
1973 }
1975 /* Put the length of the reply value into the tree. */
1979 /* Dissect the return value */
1983 }
1985 /*
1986 * Just mark this as a continuation of an earlier packet.
1987 */
1988 static void
1990 {
2000 }
2003 int
2004 dissect_rpc_void(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_)
2005 {
2007 }
2009 int
2010 dissect_rpc_unknown(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_)
2011 {
2016 }
2020 {
2025 /* Captured data in packet isn't enough to let us
2026 tell. */
2028 }
2030 /* XID can be anything, so don't check it.
2031 We already have the message type.
2032 Check whether an RPC version number of 2 is in the
2033 location where it would be, and that an RPC program
2034 number we know about is in the location where it would be.
2036 Sun's snoop just checks for a message direction of RPC_CALL
2037 and a version number of 2, which is a bit of a weak heuristic.
2039 We could conceivably check for any of the program numbers
2040 in the list at
2042 ftp://ftp.tau.ac.il/pub/users/eilon/rpc/rpc
2044 and report it as RPC (but not dissect the payload if
2045 we don't have a subdissector) if it matches. */
2048 /* we only dissect RPC version 2 */
2052 /* Do we know this program? */
2053 rpc_prog = (rpc_prog_info_value *)g_hash_table_lookup(rpc_progs, GUINT_TO_POINTER(rpc_prog_key));
2057 /*
2058 * No.
2059 * If the user has specified that he wants to try to
2060 * dissect even completely unknown RPC program numbers,
2061 * then let him do that.
2062 */
2064 /* They didn't, so just fail. */
2066 }
2068 /*
2069 * The user wants us to try to dissect even
2070 * unknown program numbers.
2071 *
2072 * Use some heuristics to keep from matching any
2073 * packet with a 2 in the appropriate location.
2074 * We check that the program number is neither
2075 * 0 nor -1, and that the version is <= 10, which
2076 * is better than nothing.
2077 */
2087 rpc_prog->progname = wmem_strdup_printf(wmem_packet_scope(), "Unknown RPC program %u", rpc_prog_key);
2088 }
2091 }
2095 {
2101 /* A reply must match a call that we've seen, and the reply
2102 must be sent to the same address that the call came from,
2103 and must come from the port to which the call was sent.
2105 If the transport is connection-oriented (we check, for
2106 now, only for "pinfo->ptype" of PT_TCP), we take
2107 into account the port from which the call was sent
2108 and the address to which the call was sent, because
2109 the addresses and ports of the two endpoints should be
2110 the same for all calls and replies.
2112 If the transport is connectionless, we don't worry
2113 about the address from which the reply was sent,
2114 because there's no guarantee that the call was sent
2115 to the address from which the reply came. We also
2116 don't worry about the port *to* which the reply was
2117 sent, because some clients (*cough* macOS NFS client
2118 *cough*) might send retransmissions from a
2119 different port from the original request, so replies
2120 to the original call and a retransmission of the call
2121 might be sent to different ports.
2123 Sun's snoop just checks for a message direction of RPC_REPLY
2124 and a status of MSG_ACCEPTED or MSG_DENIED, which is a bit
2125 of a weak heuristic. */
2129 /*
2130 * We have a conversation; try to find an RPC
2131 * state structure for the conversation.
2132 */
2136 else
2139 /*
2140 * We don't have a conversation, so we obviously
2141 * don't have an RPC state structure for it.
2142 */
2145 }
2148 /*
2149 * We don't have a conversation, or we have one but
2150 * there's no RPC state information for it, or
2151 * we have RPC state information but the XID doesn't
2152 * match a call from the conversation, so it's
2153 * probably not an RPC reply.
2154 *
2155 * Unless we're permitted to scan for embedded records
2156 * and this is a connection-oriented transport,
2157 * give up.
2158 */
2159 if (((! rpc_find_fragment_start) || (pinfo->ptype != PT_TCP)) && (pinfo->ptype != PT_IBQP) && (pinfo->ptype != PT_IWARP_MPA)) {
2161 }
2163 /*
2164 * Do we have a conversation to which to attach
2165 * that information?
2166 */
2168 /*
2169 * It's not part of any conversation - create
2170 * a new one.
2171 */
2173 }
2175 /*
2176 * Do we have RPC information for that conversation?
2177 */
2179 /*
2180 * No. Create a new RPC information structure,
2181 * and attach it to the conversation.
2182 */
2187 }
2189 /*
2190 * Define a dummy call for this reply.
2191 */
2198 /* store it */
2200 }
2202 /* pass rpc_info to subdissectors */
2205 }
2207 static bool
2211 {
2251 rpc_proc_info_key key;
2253 nstime_t ns;
2255 dissector_handle_t dissect_function;
2259 gssapi_encrypt_info_t gssapi_encrypt;
2261 /*
2262 * Check to see whether this looks like an RPC call or reply.
2263 */
2265 /* Captured data in packet isn't enough to let us tell. */
2267 }
2269 /* both directions need at least this */
2275 /* Check for RPC call. */
2283 /* Check for RPC reply. */
2291 /* The putative message type field contains neither
2292 RPC_CALL nor RPC_REPLY, so it's not an RPC call or
2293 reply. */
2295 }
2298 /*
2299 * This is RPC-over-TCP; check if this is the last
2300 * fragment.
2301 */
2303 /*
2304 * This isn't the last fragment.
2305 * If we're doing reassembly, just return
2306 * true to indicate that this looks like
2307 * the beginning of an RPC message,
2308 * and let them do fragment reassembly.
2309 */
2312 }
2313 }
2318 ENC_NA);
2324 }
2335 }
2351 }
2359 }
2361 /* Set the protocol name to the underlying
2362 program name. */
2369 }
2377 if ((dissect_function = dissector_get_custom_table_handle(subdissector_call_table, &key)) != NULL) {
2379 }
2381 /* happens only with unknown program or version
2382 * numbers
2383 */
2386 }
2388 /* Check for RPCSEC_GSS and AUTH_GSSAPI */
2394 /*
2395 * It's GSS-API authentication...
2396 */
2398 /*
2399 * ...and we have the procedure
2400 * and service information for it.
2401 */
2406 /*
2407 * ...but the procedure and service
2408 * information isn't available.
2409 */
2411 }
2415 /*
2416 * AUTH_GSSAPI flavor. If auth_msg is true,
2417 * then this is an AUTH_GSSAPI message and
2418 * not an application level message.
2419 */
2428 }
2429 }
2433 /*
2434 * It's not GSS-API authentication.
2435 */
2438 }
2439 }
2445 /* Print the program version, procedure name, and message type (call or reply). */
2448 else
2450 /* Special case for NFSv4 - if the type is COMPOUND, do not print the procedure name */
2453 msg_type_name);
2454 else
2458 /*
2459 * Establish a conversation for the call, for use when
2460 * matching calls with replies.
2461 */
2464 /*
2465 * Do we already have a state structure for this conv
2466 */
2469 /* No. Attach that information to the conversation, and add
2470 * it to the list of information structures.
2471 */
2475 }
2478 /* Make the dissector for this conversation the non-heuristic
2479 RPC dissector. */
2483 }
2485 /* look up the request */
2488 /* We've seen a request with this XID, with the same
2489 source and destination, before - but was it
2490 *this* request? */
2492 /* No, so it's a duplicate request.
2493 Mark it as such. */
2501 }
2504 }
2506 /* Prepare the value data.
2507 "req_num" and "rep_num" are frame numbers;
2508 frame numbers are 1-origin, so we use 0
2509 to mean "we don't yet know in which frame
2510 the reply for this call appears". */
2524 /* store it */
2526 }
2536 }
2543 /* pass rpc_info to subdissectors */
2546 /* go to the next dissector */
2551 /* we know already the type from the calling routine,
2552 and we already have "rpc_call" set above. */
2563 }
2565 /* happens only with unknown program or version
2566 * numbers
2567 */
2570 }
2572 /*
2573 * If this is an AUTH_GSSAPI message, then the RPC procedure
2574 * is not an application procedure, but rather an auth level
2575 * procedure, so it would be misleading to print the RPC
2576 * procname. Replace the RPC procname with the corresponding
2577 * AUTH_GSSAPI procname.
2578 */
2581 }
2584 if ((rpc_prog = (rpc_prog_info_value *)g_hash_table_lookup(rpc_progs,GUINT_TO_POINTER(rpc_prog_key))) == NULL) {
2589 }
2596 /* Set the protocol name to the underlying
2597 program name. */
2599 }
2601 /* Print the program version, procedure name, and message type (call or reply). */
2604 else
2606 /* Special case for NFSv4 - if the type is COMPOUND, do not print the procedure name */
2610 else
2627 }
2634 /* Indicate the frame to which this is a reply. */
2650 }
2654 /* We have not yet seen a reply to that call, so
2655 this must be the first reply; remember its
2656 frame number. */
2659 /* We have seen a reply to this call - but was it
2660 *this* reply? */
2664 /* No, so it's a duplicate reply.
2665 Mark it as such. */
2675 }
2676 }
2686 }
2691 /* go to the next dissector */
2699 hf_rpc_programversion_min,
2702 hf_rpc_programversion_max,
2704 }
2707 /*
2708 * There's no protocol reply, so don't
2709 * try to dissect it.
2710 */
2715 /*
2716 * There's no protocol reply, so don't
2717 * try to dissect it.
2718 */
2721 }
2729 reject_state);
2730 }
2738 hf_rpc_version_min,
2741 hf_rpc_version_max,
2743 }
2750 auth_state);
2751 }
2753 }
2755 /*
2756 * There's no protocol reply, so don't
2757 * try to dissect it.
2758 */
2763 /*
2764 * This isn't a valid reply state, so we have
2765 * no clue what's going on; don't try to dissect
2766 * the protocol reply.
2767 */
2770 }
2774 /*
2775 * The switch statement at the top returned if
2776 * this was neither an RPC call nor a reply.
2777 */
2779 }
2781 /* now we know, that RPC was shorter */
2787 }
2790 /*
2791 * There's no RPC call or reply here; just dissect
2792 * whatever's left as data.
2793 */
2797 }
2799 /* we must queue this packet to the tap system before we actually
2800 call the subdissectors since short packets (i.e. nfs read reply)
2801 will cause an exception and execution would never reach the call
2802 to tap_queue_packet() in that case
2803 */
2807 /* If this is encrypted data we have to try to decrypt the data first before we
2808 * we create a tree.
2809 * the reason for this is because if we can decrypt the data we must create the
2810 * item/tree for the next protocol using the decrypted tvb and not the current
2811 * tvb.
2812 */
2816 if (flavor == FLAVOR_GSSAPI && gss_proc == RPCSEC_GSS_DATA && gss_svc == RPCSEC_GSS_SVC_PRIVACY) {
2823 proto_tree_add_item(gss_tree, hf_rpc_authgss_seq, gssapi_encrypt.gssapi_decrypted_tvb, 0, 4, ENC_BIG_ENDIAN);
2825 /* Switcheroo to the new tvb that contains the decrypted payload */
2828 }
2829 }
2832 /* create here the program specific sub-tree */
2836 pitem = proto_tree_add_item(tree, proto_id, tvb, offset, tvb_reported_length_remaining(tvb, offset), ENC_NA);
2845 /*
2846 * No such element in the GArray.
2847 */
2849 }
2859 }
2860 }
2862 /* proto==0 if this is an unknown program */
2865 }
2867 /*
2868 * Don't call any subdissector if we have no more date to dissect.
2869 */
2872 }
2874 /*
2875 * Handle RPCSEC_GSS and AUTH_GSSAPI specially.
2876 */
2880 /*
2881 * We don't know the authentication flavor, so we can't
2882 * dissect the payload.
2883 */
2889 /*
2890 * It's not GSS-API authentication. Just dissect the
2891 * payload.
2892 */
2898 /*
2899 * It's GSS-API authentication, but we don't have the
2900 * procedure and service information, so we can't dissect
2901 * the payload.
2902 */
2908 /*
2909 * It's GSS-API authentication, and we have the procedure
2910 * and service information; process the GSS-API stuff,
2911 * and process the payload if there is any.
2912 */
2920 }
2924 }
2931 dissect_function,
2933 }
2937 dissect_function,
2939 }
2945 dissect_function,
2948 }
2949 }
2954 }
2958 /*
2959 * This is an AUTH_GSSAPI message. It contains data
2960 * only for the authentication procedure and not for the
2961 * application level RPC procedure. Reset the column
2962 * protocol and info fields to indicate that this is
2963 * an RPC auth level message, then process the args.
2964 */
2982 }
2992 }
2994 /* Adjust the length to account for the auth message. */
2997 }
3001 /*
3002 * An RPC with AUTH_GSSAPI authentication. The data
3003 * portion is always private, so don't call the dissector.
3004 */
3007 }
3010 /*
3011 * dissect any remaining bytes (incomplete dissection) as pure
3012 * data in the ptree
3013 */
3017 }
3019 /* XXX this should really loop over all fhandles registered for the frame */
3026 }
3032 }
3034 }
3035 }
3038 }
3040 static bool
3042 {
3045 }
3047 static int
3049 {
3054 }
3056 }
3059 /* Defragmentation of RPC-over-TCP records */
3060 /* table to hold defragmented RPC records */
3063 /*
3064 * XXX - can we eliminate this by defining our own key-handling functions
3065 * for rpc_fragment_table? (Note that those functions must look at
3066 * not only the addresses of the endpoints, but the ports of the endpoints,
3067 * so that they don't try to combine fragments from different TCP
3068 * connections.)
3069 */
3077 /* xxx */
3081 static unsigned
3083 {
3087 }
3089 static int
3091 {
3097 }
3099 static void
3101 {
3114 rpc_rm);
3116 rpc_rm);
3117 }
3118 }
3120 static void
3122 {
3124 /*
3125 * Show the fragment header and the data for the fragment.
3126 */
3129 }
3130 }
3132 static void
3135 {
3146 }
3148 void
3151 {
3158 /*
3159 * This message was not all in one fragment,
3160 * so show the fragment header *and* the data
3161 * for the fragment (which is the last fragment),
3162 * and a tree with information about all fragments.
3163 */
3166 /*
3167 * Show a tree with information about all fragments.
3168 */
3171 /*
3172 * This message was all in one fragment, so just show
3173 * the fragment header.
3174 */
3176 }
3177 }
3179 static bool
3184 {
3190 TRY {
3193 can_defragment);
3194 }
3195 CATCH_NONFATAL_ERRORS {
3196 /*
3197 * Somebody threw an exception that means that there
3198 * was a problem dissecting the payload; that means
3199 * that a dissector was found, so we don't need to
3200 * dissect the payload as data or update the protocol
3201 * or info columns.
3202 *
3203 * Just show the exception and then continue dissecting.
3204 */
3208 /*
3209 * We treat this as a "successful" dissection of
3210 * an RPC packet, as "dissect_rpc_message()"
3211 * *did* decide it was an RPC packet, throwing
3212 * an exception while dissecting it as such.
3213 */
3215 }
3216 ENDTRY;
3218 }
3220 static int
3224 {
3241 }
3246 /*
3247 * Get the record mark.
3248 */
3250 /*
3251 * XXX - we should somehow arrange to handle
3252 * a record mark split across TCP segments.
3253 */
3255 }
3260 /*
3261 * Do TCP desegmentation, if enabled.
3262 *
3263 * reject fragments bigger than this preference setting.
3264 * This is arbitrary, but should at least prevent
3265 * some crashes from either packets with really
3266 * large RPC-over-TCP fragments or from stuff that's
3267 * not really valid for this protocol.
3268 */
3277 /* This frame doesn't have all the data for this message.
3278 *
3279 * If this is a heuristic dissector, check whether it looks
3280 * like the beginning of an RPC call or reply.
3281 */
3286 /*
3287 * Captured data in packet isn't
3288 * enough to let us tell.
3289 */
3291 }
3293 /* both directions need at least this */
3299 /* Check for RPC call. */
3302 /* Doesn't look like a call. */
3304 }
3308 /* Check for RPC reply. */
3311 /* Doesn't look like a reply. */
3313 }
3317 /* The putative message type field
3318 contains neither RPC_CALL nor
3319 RPC_REPLY, so it's not an RPC
3320 call or reply. */
3322 }
3324 /* Get this conversation, creating it if
3325 it doesn't already exist, and make the
3326 dissector for it the non-heuristic RPC
3327 dissector for RPC-over-TCP. */
3331 }
3332 }
3334 /* OK, we think it is RPC. Can we desegment? */
3336 /* Yes, so tell the TCP dissector how much
3337 * more data we need. */
3343 /* No. */
3346 }
3349 }
3353 /* We don't have all the data for this fragment. */
3357 }
3360 tvb_reported_len);
3362 /*
3363 * If we're not defragmenting, just hand this to the
3364 * disssector.
3365 *
3366 * We defragment only if we should (rpc_defragment true) *and* we
3367 * can (tvb_len <= len, so that we have all the data in the fragment).
3368 */
3370 /*
3371 * We can't defragment. Hand the dissector the tvbuff for the
3372 * fragment as the tvbuff for the record.
3373 */
3377 /*
3378 * Mark this as fragmented, so if somebody throws an
3379 * exception, we don't report it as a malformed frame.
3380 */
3390 }
3392 /*
3393 * First, we check to see if this fragment is part of a record
3394 * that we're in the process of defragmenting.
3395 *
3396 * The key is the conversation ID for the conversation to which
3397 * the packet belongs and the current sequence number.
3398 *
3399 * We must first find the conversation and, if we don't find
3400 * one, create it.
3401 */
3409 /*
3410 * This fragment was not found in our table, so it doesn't
3411 * contain a continuation of a higher-level PDU.
3412 * Is it the last fragment?
3413 */
3415 /*
3416 * This isn't the last fragment, so we don't
3417 * have the complete record.
3418 *
3419 * It's the first fragment we've seen, so if
3420 * it's truly the first fragment of the record,
3421 * and it has enough data, the dissector can at
3422 * least check whether it looks like a valid
3423 * message, as it contains the start of the
3424 * message.
3425 *
3426 * The dissector should not dissect anything
3427 * if the "last fragment" flag isn't set in
3428 * the record marker, so it shouldn't throw
3429 * an exception.
3430 */
3435 /*
3436 * OK, now start defragmentation with that
3437 * fragment. Add this fragment, and set up
3438 * next packet/sequence number as well.
3439 *
3440 * We must remember this fragment.
3441 */
3451 /*
3452 * Start defragmentation.
3453 */
3459 /*
3460 * Make sure that defragmentation isn't complete;
3461 * it shouldn't be, as this is the first fragment
3462 * we've seen, and the "last fragment" bit wasn't
3463 * set on it.
3464 */
3473 new_rfk);
3475 /*
3476 * This is part of a fragmented record,
3477 * but it's not the first part.
3478 * Show it as a record marker plus data, under
3479 * a top-level tree for this protocol.
3480 */
3485 /*
3486 * No more processing need be done, as we don't
3487 * have a complete record.
3488 */
3491 /* oddly, we have a first fragment, not marked as last,
3492 * but which the defragmenter thinks is complete.
3493 * So rather than creating a fragment reassembly tree,
3494 * we simply throw away the partial fragment structure
3495 * and fall though to our "sole fragment" processing below.
3496 */
3497 }
3498 }
3500 /*
3501 * This is the first fragment we've seen, and it's also
3502 * the last fragment; that means the record wasn't
3503 * fragmented. Hand the dissector the tvbuff for the
3504 * fragment as the tvbuff for the record.
3505 */
3509 /*
3510 * OK, this fragment was found, which means it continues
3511 * a record. This means we must defragment it.
3512 * Add it to the defragmentation lists.
3513 */
3519 /*
3520 * fragment_add_multiple_ok() returned NULL.
3521 * This means that defragmentation is not
3522 * completed yet.
3523 *
3524 * We must add an entry to the hash table with
3525 * the sequence number following this fragment
3526 * as the starting sequence number, so that when
3527 * we see that fragment we'll find that entry.
3528 *
3529 * XXX - as TCP stream data is not currently
3530 * guaranteed to be provided in order to dissectors,
3531 * RPC fragments aren't guaranteed to be provided
3532 * in order, either.
3533 */
3541 new_rfk);
3543 /*
3544 * This is part of a fragmented record,
3545 * but it's not the first part.
3546 * Show it as a record marker plus data, under
3547 * a top-level tree for this protocol,
3548 * but don't hand it to the dissector
3549 */
3554 /*
3555 * No more processing need be done, as we don't
3556 * have a complete record.
3557 */
3559 }
3561 /*
3562 * It's completely defragmented.
3563 *
3564 * We only call subdissector for the last fragment.
3565 * XXX - this assumes in-order delivery of RPC
3566 * fragments, which requires in-order delivery of TCP
3567 * segments.
3568 */
3570 /*
3571 * Well, it's defragmented, but this isn't
3572 * the last fragment; this probably means
3573 * this isn't the first pass, so we don't
3574 * need to start defragmentation.
3575 *
3576 * This is part of a fragmented record,
3577 * but it's not the first part.
3578 * Show it as a record marker plus data, under
3579 * a top-level tree for this protocol,
3580 * but don't show it to the dissector.
3581 */
3586 /*
3587 * No more processing need be done, as we
3588 * only disssect the data with the last
3589 * fragment.
3590 */
3592 }
3594 /*
3595 * OK, this is the last segment.
3596 * Create a tvbuff for the defragmented
3597 * record.
3598 */
3600 /*
3601 * Create a new TVB structure for
3602 * defragmented data.
3603 */
3606 /*
3607 * Add defragmented data to the data source list.
3608 */
3610 }
3612 /*
3613 * We have something to hand to the RPC message
3614 * dissector.
3615 */
3623 /**
3624 * Scans tvb, starting at given offset, to see if we can find
3625 * what looks like a valid RPC-over-TCP reply header.
3626 *
3627 * @param tvb Buffer to inspect for RPC reply header.
3628 * @param offset Offset to begin search of tvb at.
3629 *
3630 * @return -1 if no reply header found, else offset to start of header
3631 * (i.e., to the RPC record mark field).
3632 */
3634 static int
3636 {
3638 /*
3639 * Looking for partial header sequence. From beginning of
3640 * stream-style header, including "record mark", full ONC-RPC
3641 * looks like:
3642 * BE int32 record mark (rfc 1831 sec. 10)
3643 * ? int32 XID (rfc 1831 sec. 8)
3644 * BE int32 msg_type (ibid sec. 8, call = 0, reply = 1)
3645 *
3646 * -------------------------------------------------------------
3647 * Then reply-specific fields are
3648 * BE int32 reply_stat (ibid, accept = 0, deny = 1)
3649 *
3650 * Then, assuming accepted,
3651 * opaque_auth
3652 * BE int32 auth_flavor (ibid, none = 0)
3653 * BE int32 ? auth_len (ibid, none = 0)
3654 *
3655 * BE int32 accept_stat (ibid, success = 0, errs are 1..5 in rpc v2)
3656 *
3657 * -------------------------------------------------------------
3658 * Or, call-specific fields are
3659 * BE int32 rpc_vers (rfc 1831 sec 8, always == 2)
3660 * BE int32 prog (NFS == 000186A3)
3661 * BE int32 prog_ver (NFS v2/3 == 2 or 3)
3662 * BE int32 proc_id (NFS, <= 256 ???)
3663 * opaque_auth
3664 * ...
3665 */
3667 /* Initially, we search only for something matching the template
3668 * of a successful reply with no auth verifier.
3669 * Our first qualification test is search for a string of zero bytes,
3670 * corresponding the four uint32_t values
3671 * reply_stat
3672 * auth_flavor
3673 * auth_len
3674 * accept_stat
3675 *
3676 * If this string of zeros matches, then we go back and check the
3677 * preceding msg_type and record_mark fields.
3678 */
3699 /* start search at first possible location */
3703 /* nothing to search, so claim no RPC */
3705 }
3709 /* probably never take this, as get_ptr seems to assert */
3711 }
3714 /* First test for long tail of zeros, starting at the back.
3715 * A failure lets us skip the maximum possible buffer amount.
3716 */
3719 {
3721 {
3722 /* match failure. Since we need N contiguous zeros,
3723 * we can increment next match start so zero testing
3724 * begins right after this failure spot.
3725 */
3729 }
3731 pbBuf --;
3732 }
3736 }
3738 /* got a match in zero-fill region, verify reply ID and
3739 * record mark fields */
3745 /* looks ok, try dissect */
3747 }
3749 /* no match yet, nor egregious miss either. Inch along to next try */
3750 ibSearchStart ++;
3751 }
3757 /**
3758 * Scans tvb for what looks like a valid RPC call / reply header.
3759 * If found, calls standard dissect_rpc_fragment() logic to digest
3760 * the (hopefully valid) fragment.
3761 *
3762 * With any luck, one invocation of this will be sufficient to get
3763 * us back in alignment with the stream, and no further calls to
3764 * this routine will be needed for a given conversation. As if. :-)
3765 *
3766 * Can return:
3767 * Same as dissect_rpc_fragment(). Will return zero (no frame)
3768 * if no valid RPC header is found.
3769 */
3771 static int
3776 {
3783 /* could search for request, but not needed (or testable) thus far */
3785 }
3792 /* misses are reported as-is */
3794 {
3796 }
3798 /* returning a non-zero length, correct it to reflect the extra offset
3799 * we found necessary
3800 */
3803 }
3805 /* negative length seems to only be used as a flag,
3806 * don't mess it up until found necessary
3807 */
3808 /* len -= offReply - offset; */
3809 }
3816 /*
3817 * Returns true if it looks like ONC RPC, false otherwise.
3818 */
3819 static bool
3822 {
3829 /*
3830 * Process this fragment.
3831 */
3837 /*
3838 * Try discarding some leading bytes from tvb, on assumption
3839 * that we are looking at the middle of a stream-based transfer
3840 */
3844 }
3848 /*
3849 * dissect_rpc_fragment() thinks this is ONC RPC,
3850 * but we need more data from the TCP stream for
3851 * this fragment.
3852 */
3854 }
3856 /*
3857 * It's not RPC. Stop processing.
3858 */
3860 }
3862 /* Set fence so whatever the subdissector put in the
3863 * Info column stays there.
3864 *
3865 * This is useful when some ONC RPC protocol is
3866 * carrying another protocol that can also run atop
3867 * other protocols, so that the other protocol's
3868 * dissector has to clear the Info column to add
3869 * its own material, and there are multiple PDUs
3870 * in one frame. If the fence isn't set, the Info
3871 * column will only reflect the information from
3872 * the first PDU in the frame.
3873 */
3876 /* PDU tracking
3877 If the length indicates that the PDU continues beyond
3878 the end of this tvb, then tell TCP about it so that it
3879 knows where the next PDU starts.
3880 This is to help TCP detect when PDUs are not aligned to
3881 segment boundaries and allow it to find RPC headers
3882 that starts in the middle of a TCP segment.
3883 */
3888 }
3889 }
3892 }
3894 }
3896 static bool
3898 {
3902 }
3904 static int
3906 {
3913 }
3915 static bool
3917 {
3923 }
3925 }
3927 }
3929 static int
3931 {
3940 }
3943 }
3945 /* Tap statistics */
3947 {
3948 PROGRAM_NAME_COLUMN,
3949 PROGRAM_NUM_COLUMN,
3950 VERSION_COLUMN,
3951 CALLS_COLUMN,
3952 MIN_SRT_COLUMN,
3953 MAX_SRT_COLUMN,
3954 AVG_SRT_COLUMN
3965 };
3968 {
3977 }
3979 }
3983 }
3985 static tap_packet_status
3986 rpc_prog_stat_packet(void *tapdata, packet_info *pinfo _U_, epan_dissect_t *edt _U_, const void *rciv_ptr, tap_flags_t flags _U_)
3987 {
3991 nstime_t delta;
4002 {
4007 if ((ri->prog == program_data->value.uint_value) && (ri->vers == version_data->value.uint_value)) {
4010 }
4011 }
4014 /* Add a new row */
4030 }
4032 /* we are only interested in reply packets */
4035 }
4042 /* calculate time delta between request and reply */
4050 }
4056 }
4064 }
4066 static void
4068 {
4073 {
4086 }
4087 }
4089 static void
4090 rpc_prog_stat_free_table_item(stat_tap_table* table _U_, unsigned row _U_, unsigned column, stat_tap_table_item_type* field_data)
4091 {
4094 }
4096 static void
4098 {
4100 }
4102 /* will be called once from register.c at startup time */
4103 void
4105 {
4239 HFILL }},
4243 HFILL }},
4247 HFILL }},
4297 /* Generated from convert_proto_tree_add_text.pl */
4298 { &hf_rpc_opaque_length, { "length", "rpc.opaque_length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
4299 { &hf_rpc_fill_bytes, { "fill bytes", "rpc.fill_bytes", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
4300 { &hf_rpc_no_values, { "no values", "rpc.array_no_values", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
4301 { &hf_rpc_opaque_data, { "opaque data", "rpc.opaque_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
4302 { &hf_rpc_argument_length, { "Argument length", "rpc.argument_length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
4303 { &hf_rpc_continuation_data, { "Continuation data", "rpc.continuation_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
4304 { &hf_rpc_fragment_data, { "Fragment Data", "rpc.fragment_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
4315 { "Conflicting data in fragment overlap", "rpc.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4319 { "Multiple tail fragments found", "rpc.fragment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4349 };
4366 };
4368 { &ei_rpc_cannot_dissect, { "rpc.cannot_dissect", PI_UNDECODED, PI_WARN, "Cannot dissect", EXPFILL }},
4369 { &ei_rpc_segment_needed, { "rpc.segment_needed", PI_REASSEMBLE, PI_NOTE, "Need another TCP segment but cannot desegment or not enabled (check RPC and TCP preferences)", EXPFILL }},
4370 };
4377 };
4380 REGISTER_PACKET_STAT_GROUP_UNSORTED,
4384 rpc_prog_stat_init,
4385 rpc_prog_stat_packet,
4386 rpc_prog_stat_reset,
4387 rpc_prog_stat_free_table_item,
4388 NULL,
4391 NULL,
4392 0
4393 };
4396 proto_rpc_unknown = proto_register_protocol("Unknown RPC protocol", "Unknown RPC", "rpc-unknown");
4398 subdissector_call_table = register_custom_dissector_table("rpc.call", "RPC Call Functions", proto_rpc, rpc_proc_hash, rpc_proc_equal, g_free);
4399 subdissector_reply_table = register_custom_dissector_table("rpc.reply", "RPC Reply Functions", proto_rpc, rpc_proc_hash, rpc_proc_equal, g_free);
4401 /* this is a dummy dissector for all those unknown rpc programs */
4407 rpc_reassembly_table = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), rpc_fragment_hash, rpc_fragment_equal);
4414 "Whether the RPC dissector should reassemble messages spanning multiple TCP segments."
4415 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
4422 prefs_register_uint_preference(rpc_module, "max_tcp_pdu_size", "Maximum size of a RPC-over-TCP PDU",
4423 "Set the maximum size of RPCoverTCP PDUs. "
4424 " If the size field of the record marker is larger "
4430 "Whether the RPC dissector should attempt to dissect RPC PDUs containing programs that are not known to Wireshark. This will make the heuristics significantly weaker and elevate the risk for falsely identifying and misdissecting packets significantly.",
4435 "Whether the RPC dissector should attempt to locate RPC PDU boundaries when initial fragment alignment is not known. This may cause false positives, or slow operation.",
4446 /*
4447 * Init the hash tables. Dissectors for RPC protocols must
4448 * have a "handoff registration" routine that registers the
4449 * protocol with RPC; they must not do it in their protocol
4450 * registration routine, as their protocol registration
4451 * routine might be called before this routine is called and
4452 * thus might be called before the hash tables are initialized,
4453 * but it's guaranteed that all protocol registration routines
4454 * will be called before any handoff registration routines
4455 * are called.
4456 */
4463 }
4465 void
4467 {
4468 /* tcp/udp port 111 is used by portmapper which is an onc-rpc service.
4469 we register onc-rpc on this port so that we can choose RPC in
4470 the list offered by DecodeAs, and so that traffic to or from
4471 port 111 from or to a higher-numbered port is dissected as RPC
4472 even if there's a dissector registered on the other port (it's
4473 probably RPC traffic from some randomly-chosen port that happens
4474 to match some port for which we have a dissector)
4475 */
4480 heur_dissector_add("tcp", dissect_rpc_tcp_heur, "RPC over TCP", "rpc_tcp", proto_rpc, HEURISTIC_ENABLE);
4481 heur_dissector_add("udp", dissect_rpc_heur, "RPC over UDP", "rpc_udp", proto_rpc, HEURISTIC_ENABLE);
4482 heur_dissector_add("tls", dissect_rpc_tls_heur, "RPC with TLS", "rpc_tls", proto_rpc, HEURISTIC_ENABLE);
4486 }
4488 /*
4489 * Editor modelines
4490 *
4491 * Local Variables:
4492 * c-basic-offset: 8
4493 * tab-width: 8
4494 * indent-tabs-mode: t
4495 * End:
4496 *
4497 * ex: set shiftwidth=8 tabstop=8 noexpandtab:
4498 * :indentSize=8:tabSize=8:noTabs=false:
4499 */