search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-smb.c
blobb7dac61a8819f52743cf659711ed9358f2d92c41
1 /* packet-smb.c
2 * Routines for smb packet dissection
3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4 * 2001 Rewrite by Ronnie Sahlberg and Guy Harris
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * Copied from packet-pop.c
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15 #include "config.h"
16
17 #include <epan/packet.h>
18 #include <epan/exceptions.h>
19 #include <epan/strutil.h>
20 #include <epan/prefs.h>
21 #include <epan/reassemble.h>
22 #include <epan/tap.h>
23 #include <epan/srt_table.h>
24 #include <epan/expert.h>
25 #include <epan/to_str.h>
26 #include <epan/export_object.h>
27 #include <epan/tfs.h>
28 #include <wsutil/array.h>
29
30 #include "packet-windows-common.h"
31 #include "packet-smb.h"
32 #include "packet-ipx.h"
33 #include "packet-idp.h"
34 #include "packet-smb-common.h"
35 #include "packet-smb-mailslot.h"
36 #include "packet-smb-pipe.h"
37 #include "packet-ntlmssp.h"
38 #include "packet-smb2.h"
39
40 void proto_register_smb(void);
41 void proto_reg_handoff_smb(void);
42
43 /*
44 * Various specifications and documents about SMB can be found in
45 *
46 * ftp://ftp.microsoft.com/developr/drg/CIFS/
47 *
48 * and a CIFS specification from the Storage Networking Industry Association
49 * can be found on a link from the page at
50 *
51 * http://www.snia.org/tech_activities/CIFS
52 *
53 * (it supercedes the document at
54 *
55 * ftp://ftp.microsoft.com/developr/drg/CIFS/draft-leach-cifs-v1-spec-01.txt
56 *
57 * ).
58 *
59 * There are also some Open Group publications documenting CIFS available
60 * for download; catalog entries for them are at:
61 *
62 * http://www.opengroup.org/products/publications/catalog/c209.htm
63 *
64 * http://www.opengroup.org/products/publications/catalog/c195.htm
65 *
66 * The document "NT LAN Manager SMB File Sharing Protocol Extensions"
67 * can be found at
68 *
69 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
70 *
71 * (or, presumably a similar path under the Samba mirrors). As the
72 * ".doc" indicates, it's a Word document. Some of the specs from the
73 * Microsoft FTP site can be found in the
74 *
75 * http://www.samba.org/samba/ftp/specs/
76 *
77 * directory as well.
78 *
79 * Beware - these specs may have errors.
80 *
81 * Microsoft's public protocol specifications, including MS-CIFS and
82 * other SMB-related specifications, can be found at
83 *
84 * http://msdn.microsoft.com/en-us/library/cc216513.aspx
85 *
86 * See also
87 *
88 * https://wiki.samba.org/index.php/UNIX_Extensions
89 */
90
91 /* DFS referral entry flags */
92 #define REFENT_FLAGS_NAME_LIST_REFERRAL 0x0002
93 #define REFENT_FLAGS_TARGET_SET_BOUNDARY 0x0004
94
95
96 static int proto_smb;
97 static int hf_smb_cmd;
98 static int hf_smb_andxcmd;
99 static int hf_smb_mapped_in;
100 static int hf_smb_unmapped_in;
101 static int hf_smb_opened_in;
102 static int hf_smb_closed_in;
103 static int hf_smb_key;
104 static int hf_smb_session_id;
105 static int hf_smb_sequence_num;
106 static int hf_smb_group_id;
107 static int hf_smb_pid;
108 static int hf_smb_tid;
109 static int hf_smb_uid;
110 static int hf_smb_mid;
111 static int hf_smb_pid_high;
112 static int hf_smb_sig;
113 static int hf_smb_response_to;
114 static int hf_smb_time;
115 static int hf_smb_response_in;
116 static int hf_smb_continuation_of;
117 static int hf_smb_nt_status;
118 static int hf_smb_error_class;
119 static int hf_smb_error_code;
120 static int hf_smb_reserved;
121 static int hf_smb_create_flags;
122 static int hf_smb_create_options;
123 static int hf_smb_share_access;
124 static int hf_smb_access_mask;
125 static int hf_smb_flags;
126 static int hf_smb_flags_lock;
127 static int hf_smb_flags_receive_buffer;
128 static int hf_smb_flags_caseless;
129 static int hf_smb_flags_canon;
130 static int hf_smb_flags_oplock;
131 static int hf_smb_flags_notify;
132 static int hf_smb_flags_response;
133 static int hf_smb_flags2;
134 static int hf_smb_flags2_long_names_allowed;
135 static int hf_smb_flags2_ea;
136 static int hf_smb_flags2_sec_sig;
137 static int hf_smb_flags2_compressed;
138 static int hf_smb_flags2_sec_sig_required;
139 static int hf_smb_flags2_long_names_used;
140 static int hf_smb_flags2_reparse_path;
141 static int hf_smb_flags2_esn;
142 static int hf_smb_flags2_dfs;
143 static int hf_smb_flags2_roe;
144 static int hf_smb_flags2_nt_error;
145 static int hf_smb_flags2_string;
146 static int hf_smb_word_count;
147 static int hf_smb_byte_count;
148 static int hf_smb_buffer_format;
149 static int hf_smb_dialect;
150 static int hf_smb_dialect_name;
151 static int hf_smb_dialect_index;
152 static int hf_smb_max_trans_buf_size;
153 static int hf_smb_max_mpx_count;
154 static int hf_smb_max_vcs_num;
155 static int hf_smb_session_key;
156 static int hf_smb_server_timezone;
157 static int hf_smb_challenge_length;
158 static int hf_smb_challenge;
159 static int hf_smb_primary_domain;
160 static int hf_smb_server;
161 static int hf_smb_max_raw_buf_size;
162 static int hf_smb_server_guid;
163 static int hf_smb_volume_guid;
164 static int hf_smb_security_blob_len;
165 static int hf_smb_security_blob;
166 static int hf_smb_sm16;
167 static int hf_smb_sm_mode16;
168 static int hf_smb_sm_password16;
169 static int hf_smb_sm;
170 static int hf_smb_sm_mode;
171 static int hf_smb_sm_password;
172 static int hf_smb_sm_signatures;
173 static int hf_smb_sm_sig_required;
174 static int hf_smb_rm;
175 static int hf_smb_rm_read;
176 static int hf_smb_rm_write;
177 static int hf_smb_server_date_time;
178 static int hf_smb_server_smb_date;
179 static int hf_smb_server_smb_time;
180 static int hf_smb_server_cap;
181 static int hf_smb_server_cap_raw_mode;
182 static int hf_smb_server_cap_mpx_mode;
183 static int hf_smb_server_cap_unicode;
184 static int hf_smb_server_cap_large_files;
185 static int hf_smb_server_cap_nt_smbs;
186 static int hf_smb_server_cap_rpc_remote_apis;
187 static int hf_smb_server_cap_nt_status;
188 static int hf_smb_server_cap_level_ii_oplocks;
189 static int hf_smb_server_cap_lock_and_read;
190 static int hf_smb_server_cap_nt_find;
191 static int hf_smb_server_cap_dfs;
192 static int hf_smb_server_cap_infolevel_passthru;
193 static int hf_smb_server_cap_large_readx;
194 static int hf_smb_server_cap_large_writex;
195 static int hf_smb_server_cap_lwio;
196 static int hf_smb_server_cap_unix;
197 static int hf_smb_server_cap_compressed_data;
198 static int hf_smb_server_cap_dynamic_reauth;
199 static int hf_smb_server_cap_extended_security;
200 static int hf_smb_system_time;
201 static int hf_smb_secondaries_will_follow;
202 static int hf_smb_unknown;
203 static int hf_smb_dir_name;
204 static int hf_smb_echo_count;
205 static int hf_smb_echo_data;
206 static int hf_smb_echo_seq_num;
207 static int hf_smb_max_buf_size;
208 static int hf_smb_password;
209 static int hf_smb_password_len;
210 static int hf_smb_ansi_password;
211 static int hf_smb_ansi_password_len;
212 static int hf_smb_unicode_password;
213 static int hf_smb_unicode_password_len;
214 static int hf_smb_path;
215 static int hf_smb_service;
216 static int hf_smb_move_flags;
217 static int hf_smb_move_flags_file;
218 static int hf_smb_move_flags_dir;
219 static int hf_smb_move_flags_verify;
220 static int hf_smb_files_moved;
221 static int hf_smb_file_access_mask_read_data;
222 static int hf_smb_file_access_mask_write_data;
223 static int hf_smb_file_access_mask_append_data;
224 static int hf_smb_file_access_mask_read_ea;
225 static int hf_smb_file_access_mask_write_ea;
226 static int hf_smb_file_access_mask_execute;
227 static int hf_smb_file_access_mask_read_attribute;
228 static int hf_smb_file_access_mask_write_attribute;
229 static int hf_smb_dir_access_mask_list;
230 static int hf_smb_dir_access_mask_add_file;
231 static int hf_smb_dir_access_mask_add_subdir;
232 static int hf_smb_dir_access_mask_read_ea;
233 static int hf_smb_dir_access_mask_write_ea;
234 static int hf_smb_dir_access_mask_traverse;
235 static int hf_smb_dir_access_mask_delete_child;
236 static int hf_smb_dir_access_mask_read_attribute;
237 static int hf_smb_dir_access_mask_write_attribute;
238 static int hf_smb_copy_flags;
239 static int hf_smb_copy_flags_file;
240 static int hf_smb_copy_flags_dir;
241 static int hf_smb_copy_flags_dest_mode;
242 static int hf_smb_copy_flags_source_mode;
243 static int hf_smb_copy_flags_verify;
244 static int hf_smb_copy_flags_tree_copy;
245 static int hf_smb_copy_flags_ea_action;
246 static int hf_smb_count;
247 static int hf_smb_count_low;
248 static int hf_smb_count_high;
249 static int hf_smb_file_name;
250 static int hf_smb_open_function;
251 static int hf_smb_open_function_open;
252 static int hf_smb_open_function_create;
253 static int hf_smb_fid;
254 static int hf_smb_file_attr_16bit;
255 static int hf_smb_file_attr_8bit;
256 static int hf_smb_file_attr_read_only_16bit;
257 static int hf_smb_file_attr_read_only_8bit;
258 static int hf_smb_file_attr_hidden_16bit;
259 static int hf_smb_file_attr_hidden_8bit;
260 static int hf_smb_file_attr_system_16bit;
261 static int hf_smb_file_attr_system_8bit;
262 static int hf_smb_file_attr_volume_16bit;
263 static int hf_smb_file_attr_volume_8bit;
264 static int hf_smb_file_attr_directory_16bit;
265 static int hf_smb_file_attr_directory_8bit;
266 static int hf_smb_file_attr_archive_16bit;
267 static int hf_smb_file_attr_archive_8bit;
268 #if 0
269 static int hf_smb_file_attr_device;
270 static int hf_smb_file_attr_normal;
271 static int hf_smb_file_attr_temporary;
272 static int hf_smb_file_attr_sparse;
273 static int hf_smb_file_attr_reparse;
274 static int hf_smb_file_attr_compressed;
275 static int hf_smb_file_attr_offline;
276 static int hf_smb_file_attr_not_content_indexed;
277 static int hf_smb_file_attr_encrypted;
278 #endif
279 static int hf_smb_file_size;
280 static int hf_smb_search_attribute;
281 static int hf_smb_search_attribute_read_only;
282 static int hf_smb_search_attribute_hidden;
283 static int hf_smb_search_attribute_system;
284 static int hf_smb_search_attribute_volume;
285 static int hf_smb_search_attribute_directory;
286 static int hf_smb_search_attribute_archive;
287 static int hf_smb_access_mode;
288 static int hf_smb_access_sharing;
289 static int hf_smb_access_locality;
290 static int hf_smb_access_caching;
291 static int hf_smb_access_writetru;
292 static int hf_smb_desired_access;
293 static int hf_smb_granted_access;
294 static int hf_smb_create_time;
295 static int hf_smb_modify_time;
296 static int hf_smb_backup_time;
297 static int hf_smb_mac_alloc_block_count;
298 static int hf_smb_mac_alloc_block_size;
299 static int hf_smb_mac_free_block_count;
300 static int hf_smb_mac_fndrinfo;
301 static int hf_smb_mac_root_file_count;
302 static int hf_smb_mac_root_dir_count;
303 static int hf_smb_mac_file_count;
304 static int hf_smb_mac_dir_count;
305 static int hf_smb_mac_sup;
306 static int hf_smb_mac_sup_access_ctrl;
307 static int hf_smb_mac_sup_getset_comments;
308 static int hf_smb_mac_sup_desktopdb_calls;
309 static int hf_smb_mac_sup_unique_ids;
310 static int hf_smb_mac_sup_streams;
311 static int hf_smb_create_dos_date;
312 static int hf_smb_create_dos_time;
313 static int hf_smb_last_write_time;
314 static int hf_smb_last_write_dos_date;
315 static int hf_smb_last_write_dos_time;
316 static int hf_smb_access_time;
317 static int hf_smb_access_dos_date;
318 static int hf_smb_access_dos_time;
319 static int hf_smb_old_file_name;
320 static int hf_smb_offset;
321 static int hf_smb_remaining;
322 static int hf_smb_padding;
323 static int hf_smb_file_data;
324 /* static int hf_smb_raw_ea_data; */
325 static int hf_smb_total_data_len;
326 static int hf_smb_data_len;
327 static int hf_smb_data_len_low;
328 static int hf_smb_data_len_high;
329 static int hf_bytes_until_total_data_count;
330 static int hf_smb_seek_mode;
331 static int hf_smb_data_size;
332 static int hf_smb_alloc_size;
333 static int hf_smb_alloc_size64;
334 static int hf_smb_max_count;
335 static int hf_smb_max_count_low;
336 static int hf_smb_max_count_high;
337 static int hf_smb_min_count;
338 static int hf_smb_timeout;
339 static int hf_smb_high_offset;
340 static int hf_smb_units;
341 static int hf_smb_bpu;
342 static int hf_smb_blocksize;
343 static int hf_smb_freeunits;
344 static int hf_smb_data_offset;
345 static int hf_smb_dcm;
346 static int hf_smb_request_mask;
347 static int hf_smb_response_mask;
348 static int hf_smb_search_id;
349 static int hf_smb_write_mode;
350 static int hf_smb_write_mode_write_through;
351 static int hf_smb_write_mode_return_remaining;
352 static int hf_smb_write_mode_raw;
353 static int hf_smb_write_mode_message_start;
354 static int hf_smb_write_mode_connectionless;
355 static int hf_smb_resume_key_len;
356 static int hf_smb_resume_find_id;
357 static int hf_smb_resume_server_cookie;
358 static int hf_smb_resume_client_cookie;
359 static int hf_smb_andxoffset;
360 static int hf_smb_lock_type;
361 static int hf_smb_lock_type_large;
362 static int hf_smb_lock_type_cancel;
363 static int hf_smb_lock_type_change;
364 static int hf_smb_lock_type_oplock;
365 static int hf_smb_lock_type_shared;
366 static int hf_smb_locking_ol;
367 static int hf_smb_number_of_locks;
368 static int hf_smb_number_of_unlocks;
369 static int hf_smb_lock_long_offset;
370 static int hf_smb_lock_long_length;
371 static int hf_smb_file_type;
372 static int hf_smb_ipc_state;
373 static int hf_smb_ipc_state_nonblocking;
374 static int hf_smb_ipc_state_endpoint;
375 static int hf_smb_ipc_state_pipe_type;
376 static int hf_smb_ipc_state_read_mode;
377 static int hf_smb_ipc_state_icount;
378 static int hf_smb_server_fid;
379 static int hf_smb_open_flags;
380 static int hf_smb_open_flags_add_info;
381 static int hf_smb_open_flags_ex_oplock;
382 static int hf_smb_open_flags_batch_oplock;
383 static int hf_smb_open_flags_ealen;
384 static int hf_smb_open_action;
385 static int hf_smb_open_action_open;
386 static int hf_smb_open_action_lock;
387 static int hf_smb_vc_num;
388 static int hf_smb_account;
389 static int hf_smb_os;
390 static int hf_smb_lanman;
391 static int hf_smb_setup_action;
392 static int hf_smb_setup_action_guest;
393 static int hf_smb_fs;
394 static int hf_smb_connect_flags;
395 static int hf_smb_connect_flags_dtid;
396 static int hf_smb_connect_flags_ext_sig;
397 static int hf_smb_connect_flags_ext_resp;
398 static int hf_smb_connect_support;
399 static int hf_smb_connect_support_search;
400 static int hf_smb_connect_support_in_dfs;
401 static int hf_smb_connect_support_csc_mask_vals;
402 static int hf_smb_connect_support_uniquefilename;
403 static int hf_smb_connect_support_extended_signature;
404 static int hf_smb_max_setup_count;
405 static int hf_smb_total_param_count;
406 static int hf_smb_total_data_count;
407 static int hf_smb_max_param_count;
408 static int hf_smb_max_data_count;
409 static int hf_smb_param_disp16;
410 static int hf_smb_param_count16;
411 static int hf_smb_param_offset16;
412 static int hf_smb_param_disp32;
413 static int hf_smb_param_count32;
414 static int hf_smb_param_offset32;
415 static int hf_smb_data_disp16;
416 static int hf_smb_data_count16;
417 static int hf_smb_data_offset16;
418 static int hf_smb_data_disp32;
419 static int hf_smb_data_count32;
420 static int hf_smb_data_offset32;
421 static int hf_smb_setup_count;
422 static int hf_smb_nt_trans_subcmd;
423 static int hf_smb_nt_ioctl_isfsctl;
424 static int hf_smb_nt_ioctl_flags_completion_filter;
425 static int hf_smb_nt_ioctl_flags_root_handle;
426 static int hf_smb_nt_notify_action;
427 static int hf_smb_nt_notify_watch_tree;
428 static int hf_smb_nt_notify_completion_filter;
429 static int hf_smb_nt_notify_stream_write;
430 static int hf_smb_nt_notify_stream_size;
431 static int hf_smb_nt_notify_stream_name;
432 static int hf_smb_nt_notify_security;
433 static int hf_smb_nt_notify_ea;
434 static int hf_smb_nt_notify_creation;
435 static int hf_smb_nt_notify_last_access;
436 static int hf_smb_nt_notify_last_write;
437 static int hf_smb_nt_notify_size;
438 static int hf_smb_nt_notify_attributes;
439 static int hf_smb_nt_notify_dir_name;
440 static int hf_smb_nt_notify_file_name;
441 static int hf_smb_root_dir_fid;
442 static int hf_smb_nt_create_disposition;
443 static int hf_smb_sd_length;
444 static int hf_smb_ea_list_length;
445 static int hf_smb_ea_flags;
446 static int hf_smb_ea_name_length;
447 static int hf_smb_ea_data_length;
448 static int hf_smb_ea_name;
449 static int hf_smb_ea_data;
450 static int hf_smb_file_name_len;
451 static int hf_smb_nt_impersonation_level;
452 static int hf_smb_nt_security_flags;
453 static int hf_smb_nt_security_flags_context_tracking;
454 static int hf_smb_nt_security_flags_effective_only;
455 static int hf_smb_nt_access_mask_generic_read;
456 static int hf_smb_nt_access_mask_generic_write;
457 static int hf_smb_nt_access_mask_generic_execute;
458 static int hf_smb_nt_access_mask_generic_all;
459 static int hf_smb_nt_access_mask_maximum_allowed;
460 static int hf_smb_nt_access_mask_system_security;
461 static int hf_smb_nt_access_mask_synchronize;
462 static int hf_smb_nt_access_mask_write_owner;
463 static int hf_smb_nt_access_mask_write_dac;
464 static int hf_smb_nt_access_mask_read_control;
465 static int hf_smb_nt_access_mask_delete;
466 static int hf_smb_nt_access_mask_write_attributes;
467 static int hf_smb_nt_access_mask_read_attributes;
468 static int hf_smb_nt_access_mask_delete_child;
469 static int hf_smb_nt_access_mask_execute;
470 static int hf_smb_nt_access_mask_write_ea;
471 static int hf_smb_nt_access_mask_read_ea;
472 static int hf_smb_nt_access_mask_append;
473 static int hf_smb_nt_access_mask_write;
474 static int hf_smb_nt_access_mask_read;
475 static int hf_smb_nt_create_bits_oplock;
476 static int hf_smb_nt_create_bits_boplock;
477 static int hf_smb_nt_create_bits_dir;
478 static int hf_smb_nt_create_bits_ext_resp;
479 static int hf_smb_nt_create_options_directory_file;
480 static int hf_smb_nt_create_options_write_through;
481 static int hf_smb_nt_create_options_sequential_only;
482 static int hf_smb_nt_create_options_no_intermediate_buffering;
483 static int hf_smb_nt_create_options_sync_io_alert;
484 static int hf_smb_nt_create_options_sync_io_nonalert;
485 static int hf_smb_nt_create_options_non_directory_file;
486 static int hf_smb_nt_create_options_create_tree_connection;
487 static int hf_smb_nt_create_options_complete_if_oplocked;
488 static int hf_smb_nt_create_options_no_ea_knowledge;
489 static int hf_smb_nt_create_options_file_open_for_recovery;
490 static int hf_smb_nt_create_options_random_access;
491 static int hf_smb_nt_create_options_delete_on_close;
492 static int hf_smb_nt_create_options_open_by_fileid;
493 static int hf_smb_nt_create_options_backup_intent;
494 static int hf_smb_nt_create_options_no_compression;
495 static int hf_smb_nt_create_options_reserve_opfilter;
496 static int hf_smb_nt_create_options_open_reparse_point;
497 static int hf_smb_nt_create_options_open_no_recall;
498 static int hf_smb_nt_create_options_open_for_free_space_query;
499 static int hf_smb_nt_share_access_read;
500 static int hf_smb_nt_share_access_write;
501 static int hf_smb_nt_share_access_delete;
502 static int hf_smb_file_eattr;
503 static int hf_smb_file_eattr_read_only;
504 static int hf_smb_file_eattr_hidden;
505 static int hf_smb_file_eattr_system;
506 static int hf_smb_file_eattr_volume;
507 static int hf_smb_file_eattr_directory;
508 static int hf_smb_file_eattr_archive;
509 static int hf_smb_file_eattr_device;
510 static int hf_smb_file_eattr_normal;
511 static int hf_smb_file_eattr_temporary;
512 static int hf_smb_file_eattr_sparse;
513 static int hf_smb_file_eattr_reparse;
514 static int hf_smb_file_eattr_compressed;
515 static int hf_smb_file_eattr_offline;
516 static int hf_smb_file_eattr_not_content_indexed;
517 static int hf_smb_file_eattr_encrypted;
518 static int hf_smb_size_returned_quota_data;
519 static int hf_smb_sec_desc_len;
520 static int hf_smb_nt_qsd;
521 static int hf_smb_nt_qsd_owner;
522 static int hf_smb_nt_qsd_group;
523 static int hf_smb_nt_qsd_dacl;
524 static int hf_smb_nt_qsd_sacl;
525 static int hf_smb_extended_attributes;
526 static int hf_smb_oplock_level;
527 static int hf_smb_response_type;
528 static int hf_smb_create_action;
529 static int hf_smb_file_id;
530 static int hf_smb_file_id_64bit;
531 static int hf_smb_ea_error_offset;
532 static int hf_smb_end_of_file;
533 static int hf_smb_replace;
534 static int hf_smb_root_dir_handle;
535 static int hf_smb_target_name_len;
536 static int hf_smb_target_name;
537 static int hf_smb_device_type;
538 static int hf_smb_is_directory;
539 static int hf_smb_next_entry_offset;
540 static int hf_smb_change_time;
541 static int hf_smb_setup_len;
542 static int hf_smb_print_mode;
543 static int hf_smb_print_identifier;
544 static int hf_smb_restart_index;
545 static int hf_smb_print_queue_date;
546 static int hf_smb_print_queue_dos_date;
547 static int hf_smb_print_queue_dos_time;
548 static int hf_smb_print_status;
549 static int hf_smb_print_spool_file_number;
550 static int hf_smb_print_spool_file_size;
551 static int hf_smb_print_spool_file_name;
552 static int hf_smb_start_index;
553 static int hf_smb_originator_name;
554 static int hf_smb_destination_name;
555 static int hf_smb_message_len;
556 static int hf_smb_message;
557 static int hf_smb_mgid;
558 static int hf_smb_forwarded_name;
559 static int hf_smb_machine_name;
560 static int hf_smb_cancel_to;
561 static int hf_smb_trans2_subcmd;
562 static int hf_smb_trans_name;
563 static int hf_smb_transaction_flags;
564 static int hf_smb_transaction_flags_dtid;
565 static int hf_smb_transaction_flags_owt;
566 static int hf_smb_search_count_max;
567 static int hf_smb_search_count_found;
568 static int hf_smb_search_pattern;
569 static int hf_smb_ff2;
570 static int hf_smb_ff2_backup;
571 static int hf_smb_ff2_continue;
572 static int hf_smb_ff2_resume;
573 static int hf_smb_ff2_close_eos;
574 static int hf_smb_ff2_close;
575 static int hf_smb_ff2_information_level;
576 static int hf_smb_qpi_loi;
577 static int hf_smb_spi_loi;
578 #if 0
579 static int hf_smb_sfi;
580 static int hf_smb_sfi_writetru;
581 static int hf_smb_sfi_caching;
582 #endif
583 static int hf_smb_storage_type;
584 static int hf_smb_resume;
585 static int hf_smb_max_referral_level;
586 static int hf_smb_qfsi_information_level;
587 static int hf_smb_sfsi_information_level;
588 static int hf_smb_number_of_links;
589 static int hf_smb_delete_pending;
590 static int hf_smb_index_number;
591 static int hf_smb_position;
592 /* static int hf_smb_current_offset; */
593 static int hf_smb_t2_alignment;
594 static int hf_smb_t2_stream_name_length;
595 static int hf_smb_t2_stream_size;
596 static int hf_smb_t2_stream_name;
597 static int hf_smb_t2_compressed_file_size;
598 static int hf_smb_t2_compressed_format;
599 static int hf_smb_t2_compressed_unit_shift;
600 static int hf_smb_t2_compressed_chunk_shift;
601 static int hf_smb_t2_compressed_cluster_shift;
602 static int hf_smb_t2_marked_for_deletion;
603 static int hf_smb_dfs_path_consumed;
604 static int hf_smb_dfs_num_referrals;
605 static int hf_smb_get_dfs_flags;
606 static int hf_smb_get_dfs_server_hold_storage;
607 static int hf_smb_get_dfs_fielding;
608 static int hf_smb_dfs_referral_version;
609 static int hf_smb_dfs_referral_size;
610 static int hf_smb_dfs_referral_server_type;
611 static int hf_smb_dfs_referral_flags;
612 static int hf_smb_dfs_referral_flags_name_list_referral;
613 static int hf_smb_dfs_referral_flags_target_set_boundary;
614 static int hf_smb_dfs_referral_node_offset;
615 static int hf_smb_dfs_referral_node;
616 static int hf_smb_dfs_referral_proximity;
617 static int hf_smb_dfs_referral_ttl;
618 static int hf_smb_dfs_referral_path_offset;
619 static int hf_smb_dfs_referral_path;
620 static int hf_smb_dfs_referral_alt_path_offset;
621 static int hf_smb_dfs_referral_alt_path;
622 static int hf_smb_dfs_referral_domain_offset;
623 static int hf_smb_dfs_referral_number_of_expnames;
624 static int hf_smb_dfs_referral_expnames_offset;
625 static int hf_smb_dfs_referral_domain_name;
626 static int hf_smb_dfs_referral_expname;
627 static int hf_smb_dfs_referral_server_guid;
628 static int hf_smb_end_of_search;
629 static int hf_smb_last_name_offset;
630 static int hf_smb_fn_information_level;
631 static int hf_smb_monitor_handle;
632 static int hf_smb_change_count;
633 static int hf_smb_file_index;
634 static int hf_smb_short_file_name;
635 static int hf_smb_short_file_name_len;
636 static int hf_smb_fs_id;
637 static int hf_smb_sector_unit;
638 static int hf_smb_fs_units;
639 static int hf_smb_fs_sector;
640 static int hf_smb_avail_units;
641 static int hf_smb_volume_serial_num;
642 static int hf_smb_volume_label_len;
643 static int hf_smb_volume_label;
644 static int hf_smb_free_alloc_units64;
645 static int hf_smb_caller_free_alloc_units64;
646 static int hf_smb_actual_free_alloc_units64;
647 static int hf_smb_max_name_len;
648 static int hf_smb_fs_name_len;
649 static int hf_smb_fs_name;
650 static int hf_smb_device_char;
651 static int hf_smb_device_char_removable;
652 static int hf_smb_device_char_read_only;
653 static int hf_smb_device_char_floppy;
654 static int hf_smb_device_char_write_once;
655 static int hf_smb_device_char_remote;
656 static int hf_smb_device_char_mounted;
657 static int hf_smb_device_char_virtual;
658 static int hf_smb_device_char_secure_open;
659 static int hf_smb_device_char_ts;
660 static int hf_smb_device_char_webdav;
661 static int hf_smb_device_char_aat;
662 static int hf_smb_device_char_portable;
663 static int hf_smb_fs_attr;
664 static int hf_smb_fs_attr_css;
665 static int hf_smb_fs_attr_cpn;
666 static int hf_smb_fs_attr_uod;
667 static int hf_smb_fs_attr_pacls;
668 static int hf_smb_fs_attr_fc;
669 static int hf_smb_fs_attr_vq;
670 static int hf_smb_fs_attr_ssf;
671 static int hf_smb_fs_attr_srp;
672 static int hf_smb_fs_attr_srs;
673 static int hf_smb_fs_attr_sla;
674 static int hf_smb_fs_attr_vic;
675 static int hf_smb_fs_attr_soids;
676 static int hf_smb_fs_attr_se;
677 static int hf_smb_fs_attr_ns;
678 static int hf_smb_fs_attr_rov;
679 static int hf_smb_fs_attr_swo;
680 static int hf_smb_fs_attr_st;
681 static int hf_smb_fs_attr_shl;
682 static int hf_smb_fs_attr_sis;
683 static int hf_smb_fs_attr_sbr;
684 static int hf_smb_fs_attr_ssv;
685 static int hf_smb_quota_flags;
686 static int hf_smb_quota_flags_enabled;
687 static int hf_smb_quota_flags_deny_disk;
688 static int hf_smb_quota_flags_log_limit;
689 static int hf_smb_quota_flags_log_warning;
690 static int hf_smb_soft_quota_limit;
691 static int hf_smb_hard_quota_limit;
692 static int hf_smb_user_quota_used;
693 static int hf_smb_user_quota_change_time;
694 static int hf_smb_length_of_sid;
695 static int hf_smb_user_quota_offset;
696 static int hf_smb_nt_rename_level;
697 static int hf_smb_cluster_count;
698 static int hf_smb_segments;
699 static int hf_smb_segment;
700 static int hf_smb_segment_overlap;
701 static int hf_smb_segment_overlap_conflict;
702 static int hf_smb_segment_multiple_tails;
703 static int hf_smb_segment_too_long_fragment;
704 static int hf_smb_segment_error;
705 static int hf_smb_segment_count;
706 static int hf_smb_reassembled_length;
707 static int hf_smb_pipe_write_len;
708 static int hf_smb_unix_major_version;
709 static int hf_smb_unix_minor_version;
710 static int hf_smb_unix_capability;
711 static int hf_smb_unix_capability_fcntl;
712 static int hf_smb_unix_capability_posix_acl;
713 static int hf_smb_unix_capability_xattr;
714 static int hf_smb_unix_capability_attr;
715 static int hf_smb_unix_capability_posix_paths;
716 static int hf_smb_unix_capability_posix_path_ops;
717 static int hf_smb_unix_capability_large_read;
718 static int hf_smb_unix_capability_large_write;
719 static int hf_smb_unix_capability_encryption;
720 static int hf_smb_unix_capability_mandatory_crypto;
721 static int hf_smb_unix_capability_proxy;
722 static int hf_smb_unix_file_link_dest;
723 static int hf_smb_unix_file_size;
724 static int hf_smb_unix_file_num_bytes;
725 static int hf_smb_unix_file_last_status;
726 static int hf_smb_unix_file_last_access;
727 static int hf_smb_unix_file_last_change;
728 static int hf_smb_unix_file_creation_time;
729 static int hf_smb_unix_file_uid;
730 static int hf_smb_unix_file_gid;
731 static int hf_smb_unix_file_type;
732 static int hf_smb_unix_file_dev_major;
733 static int hf_smb_unix_file_dev_minor;
734 static int hf_smb_unix_file_unique_id;
735 static int hf_smb_unix_file_permissions;
736 static int hf_smb_unix_file_nlinks;
737 static int hf_smb_unix_info2_file_flags;
738 static int hf_smb_unix_info2_file_flags_mask;
739 static int hf_smb_unix_info2_file_flags_secure_delete;
740 static int hf_smb_unix_info2_file_flags_enable_undelete;
741 static int hf_smb_unix_info2_file_flags_synchronous;
742 static int hf_smb_unix_info2_file_flags_immutable;
743 static int hf_smb_unix_info2_file_flags_append_only;
744 static int hf_smb_unix_info2_file_flags_do_not_backup;
745 static int hf_smb_unix_info2_file_flags_no_update_atime;
746 static int hf_smb_unix_info2_file_flags_hidden;
747 static int hf_smb_unix_file_name_length;
748 static int hf_smb_unix_file_name;
749 static int hf_smb_unix_find_file_nextoffset;
750 static int hf_smb_unix_find_file_resumekey;
751 static int hf_smb_unix_whoami_mapflags;
752 static int hf_smb_unix_whoami_mapflags_mask;
753 static int hf_smb_unix_whoami_num_supl_gids;
754 static int hf_smb_unix_whoami_num_supl_sids;
755 static int hf_smb_unix_whoami_sids_buflen;
756 static int hf_smb_disposition_delete_on_close;
757 static int hf_smb_pipe_info_flag;
758 static int hf_smb_mode;
759 static int hf_smb_attribute;
760 static int hf_smb_reparse_tag;
761 static int hf_smb_logged_in;
762 static int hf_smb_logged_out;
763 static int hf_smb_file_rw_offset;
764 static int hf_smb_file_rw_length;
765 static int hf_smb_posix_acl_version;
766 static int hf_smb_posix_num_file_aces;
767 static int hf_smb_posix_num_def_aces;
768 static int hf_smb_posix_ace_type;
769 static int hf_smb_posix_ace_flags;
770 static int hf_smb_posix_ace_perm_read;
771 static int hf_smb_posix_ace_perm_write;
772 static int hf_smb_posix_ace_perm_execute;
773 static int hf_smb_posix_ace_perm_owner_uid;
774 static int hf_smb_posix_ace_perm_owner_gid;
775 static int hf_smb_posix_ace_perm_uid;
776 static int hf_smb_posix_ace_perm_gid;
777 static int hf_smb_trans_data_setup_word;
778 static int hf_smb_trans_data_parameters;
779 static int hf_smb_trans_data;
780 static int hf_smb_extra_byte_parameters;
781 static int hf_smb_file_access_mask_full_control;
782 static int hf_smb_dir_access_mask_full_control;
783 static int hf_smb_word_unk_response_format;
784 static int hf_smb_nt_transaction_setup;
785 static int hf_smb_server_component;
786 static int hf_smb_byte_parameters;
787 static int hf_smb_word_parameters;
788
789 static int ett_smb;
790 static int ett_smb_fid;
791 static int ett_smb_tid;
792 static int ett_smb_uid;
793 static int ett_smb_hdr;
794 static int ett_smb_command;
795 static int ett_smb_fileattributes;
796 static int ett_smb_capabilities;
797 static int ett_smb_aflags;
798 static int ett_smb_dialect;
799 static int ett_smb_dialects;
800 static int ett_smb_mode;
801 static int ett_smb_rawmode;
802 static int ett_smb_flags;
803 static int ett_smb_flags2;
804 static int ett_smb_desiredaccess;
805 static int ett_smb_search;
806 static int ett_smb_file;
807 static int ett_smb_openfunction;
808 static int ett_smb_filetype;
809 static int ett_smb_openaction;
810 static int ett_smb_writemode;
811 static int ett_smb_lock_type;
812 static int ett_smb_ssetupandxaction;
813 static int ett_smb_optionsup;
814 static int ett_smb_time_date;
815 static int ett_smb_move_copy_flags;
816 static int ett_smb_file_attributes;
817 static int ett_smb_search_resume_key;
818 static int ett_smb_search_dir_info;
819 static int ett_smb_unlocks;
820 static int ett_smb_unlock;
821 static int ett_smb_locks;
822 static int ett_smb_lock;
823 static int ett_smb_open_flags;
824 static int ett_smb_ipc_state;
825 static int ett_smb_open_action;
826 static int ett_smb_setup_action;
827 static int ett_smb_connect_flags;
828 static int ett_smb_connect_support_bits;
829 static int ett_smb_nt_access_mask;
830 static int ett_smb_nt_create_bits;
831 static int ett_smb_nt_create_options;
832 static int ett_smb_nt_share_access;
833 static int ett_smb_nt_security_flags;
834 static int ett_smb_nt_trans_setup;
835 static int ett_smb_nt_trans_data;
836 static int ett_smb_nt_trans_param;
837 static int ett_smb_nt_notify_completion_filter;
838 static int ett_smb_nt_ioctl_flags;
839 static int ett_smb_security_information_mask;
840 static int ett_smb_print_queue_entry;
841 static int ett_smb_transaction_flags;
842 static int ett_smb_transaction_params;
843 static int ett_smb_find_first2_flags;
844 static int ett_smb_mac_support_flags;
845 #if 0
846 static int ett_smb_ioflag;
847 #endif
848 static int ett_smb_transaction_data;
849 static int ett_smb_stream_info;
850 static int ett_smb_dfs_referrals;
851 static int ett_smb_dfs_referral;
852 static int ett_smb_dfs_referral_flags;
853 static int ett_smb_dfs_referral_expnames;
854 static int ett_smb_get_dfs_flags;
855 static int ett_smb_ff2_data;
856 static int ett_smb_device_characteristics;
857 static int ett_smb_fs_attributes;
858 static int ett_smb_segments;
859 static int ett_smb_segment;
860 static int ett_smb_quotaflags;
861 static int ett_smb_secblob;
862 static int ett_smb_unicode_password;
863 static int ett_smb_ea;
864 static int ett_smb_unix_capabilities;
865 static int ett_smb_unix_whoami_gids;
866 static int ett_smb_unix_whoami_sids;
867 static int ett_smb_posix_ace;
868 static int ett_smb_posix_ace_perms;
869 static int ett_smb_info2_file_flags;
870
871 static expert_field ei_smb_missing_word_parameters;
872 static expert_field ei_smb_mal_information_level;
873 static expert_field ei_smb_not_implemented;
874 static expert_field ei_smb_nt_transaction_setup;
875 static expert_field ei_smb_posix_ace_type;
876 static expert_field ei_smb_info_level_unknown;
877 static expert_field ei_smb_info_level_not_understood;
878
879 static int smb_tap;
880 static int smb_eo_tap;
881
882 static dissector_handle_t smb_handle;
883 static dissector_handle_t gssapi_handle;
884 static dissector_handle_t ntlmssp_handle;
885
886 static const fragment_items smb_frag_items = {
887 &ett_smb_segment,
888 &ett_smb_segments,
889
890 &hf_smb_segments,
891 &hf_smb_segment,
892 &hf_smb_segment_overlap,
893 &hf_smb_segment_overlap_conflict,
894 &hf_smb_segment_multiple_tails,
895 &hf_smb_segment_too_long_fragment,
896 &hf_smb_segment_error,
897 &hf_smb_segment_count,
898 NULL,
899 &hf_smb_reassembled_length,
900 /* Reassembled data field */
901 NULL,
902 "segments"
903 };
904
905 static proto_tree *top_tree_global; /* ugly */
906
907 static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, uint8_t cmd, bool first_pdu, smb_info_t *si);
908
909 #define SMB_NUM_PROCEDURES 256
910 #define SMB_SRT_TABLE_INDEX 0
911 #define TRANS2_SRT_TABLE_INDEX 1
912 #define NT_SRT_TABLE_INDEX 2
913
914 static void
915 smbstat_init(struct register_srt* srt _U_, GArray* srt_array)
916 {
917 srt_stat_table *smb_srt_table;
918 srt_stat_table *trans2_srt_table;
919 srt_stat_table *nt_srt_table;
920 uint32_t i;
921
922 smb_srt_table = init_srt_table("SMB Commands", NULL, srt_array, SMB_NUM_PROCEDURES, "Commands", "smb.cmd", NULL);
923 trans2_srt_table = init_srt_table("Transaction2 Sub-Commands", NULL, srt_array, SMB_NUM_PROCEDURES, "Transaction2 Commands", "smb.trans2.cmd", NULL);
924 nt_srt_table = init_srt_table("NT Transaction Sub-Commands", NULL, srt_array, SMB_NUM_PROCEDURES, "NT Transaction Sub-Commands", "smb.nt.function", NULL);
925 for (i = 0; i < SMB_NUM_PROCEDURES; i++)
926 {
927 init_srt_table_row(smb_srt_table, i, val_to_str_ext_const(i, &smb_cmd_vals_ext, "<unknown>"));
928 init_srt_table_row(trans2_srt_table, i, val_to_str_ext_const(i, &trans2_cmd_vals_ext, "<unknown>"));
929 init_srt_table_row(nt_srt_table, i, val_to_str_ext_const(i, &nt_cmd_vals_ext, "<unknown>"));
930 }
931 }
932
933 static tap_packet_status
934 smbstat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv, tap_flags_t flags _U_)
935 {
936 unsigned i = 0;
937 srt_stat_table *smb_srt_table;
938 srt_data_t *data = (srt_data_t *)pss;
939 const smb_info_t *si = (const smb_info_t *)prv;
940
941 /* we are only interested in reply packets */
942 if (si->request) {
943 return TAP_PACKET_DONT_REDRAW;
944 }
945 /* if we haven't seen the request, just ignore it */
946 if (!si->sip) {
947 return TAP_PACKET_DONT_REDRAW;
948 }
949
950 if (si->cmd == 0xA0 && si->sip->extra_info_type == SMB_EI_NTI) {
951 smb_nt_transact_info_t *sti = (smb_nt_transact_info_t *)si->sip->extra_info;
952
953 /*nt transaction*/
954 if (sti) {
955 i = NT_SRT_TABLE_INDEX;
956 smb_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
957 add_srt_table_data(smb_srt_table, sti->subcmd, &si->sip->req_time, pinfo);
958 }
959 } else if (si->cmd == 0x32 && si->sip->extra_info_type == SMB_EI_T2I) {
960 smb_transact2_info_t *st2i = (smb_transact2_info_t *)si->sip->extra_info;
961
962 /*transaction2*/
963 if (st2i) {
964 i = TRANS2_SRT_TABLE_INDEX;
965 smb_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
966 add_srt_table_data(smb_srt_table, st2i->subcmd, &si->sip->req_time, pinfo);
967 }
968 } else {
969 i = SMB_SRT_TABLE_INDEX;
970 smb_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
971 add_srt_table_data(smb_srt_table, si->cmd, &si->sip->req_time, pinfo);
972 }
973
974 return TAP_PACKET_REDRAW;
975
976 }
977
978 /*
979 * Export object functionality
980 */
981 /* These flags show what kind of data the object contains
982 (designed to be or'ed) */
983 #define SMB_EO_CONTAINS_NOTHING 0x00
984 #define SMB_EO_CONTAINS_READS 0x01
985 #define SMB_EO_CONTAINS_WRITES 0x02
986 #define SMB_EO_CONTAINS_READSANDWRITES 0x03
987
988 static const value_string smb_eo_contains_string[] = {
989 {SMB_EO_CONTAINS_NOTHING, "" },
990 {SMB_EO_CONTAINS_READS, "R" },
991 {SMB_EO_CONTAINS_WRITES, "W" },
992 {SMB_EO_CONTAINS_READSANDWRITES, "R&W"},
993 {0, NULL}
994 };
995
996 /* Strings that describes the SMB object type */
997 static const value_string smb_fid_types[] = {
998 {SMB_FID_TYPE_UNKNOWN,"UNKNOWN"},
999 {SMB_FID_TYPE_FILE,"FILE"},
1000 {SMB_FID_TYPE_DIR,"DIRECTORY (Not Implemented)"},
1001 {SMB_FID_TYPE_PIPE,"PIPE (Not Implemented)"},
1002 {0, NULL}
1003 };
1004
1005 static const value_string smb2_fid_types[] = {
1006 {SMB2_FID_TYPE_UNKNOWN,"UNKNOWN"},
1007 {SMB2_FID_TYPE_FILE,"FILE"},
1008 {SMB2_FID_TYPE_DIR,"DIRECTORY (Not Implemented)"},
1009 {SMB2_FID_TYPE_PIPE,"PIPE (Not Implemented)"},
1010 {SMB2_FID_TYPE_OTHER,"OTHER (Not Implemented)"},
1011 {0, NULL}
1012 };
1013
1014
1015 /* This struct contains the relationship between
1016 the row# in the export_object window and the file being captured;
1017 the row# in this GSList will match the row# in the entry list */
1018
1019 typedef struct _active_file {
1020 uint16_t tid, uid;
1021 uint32_t fid; /* 16-bit fid (smb) or 32-bit compressed fid (smb2) */
1022 uint64_t file_length; /* The last free reported offset. We treat it as the file length */
1023 uint64_t data_gathered; /* The actual total of data gathered */
1024 uint8_t flag_contains; /* What kind of data it contains */
1025 GSList *free_chunk_list; /* A list of virtual "holes" in the file stream stored in memory */
1026 bool is_out_of_memory; /* true if we cannot allocate memory for this file */
1027 } active_file ;
1028
1029 /* This is the GSList that will contain all the files that we are tracking */
1030 static GSList *GSL_active_files;
1031
1032 /* We define a free chunk in a file as an start offset and end offset
1033 Consider a free chunk as a "hole" in a file that we are capturing */
1034 typedef struct _free_chunk {
1035 uint64_t start_offset;
1036 uint64_t end_offset;
1037 } free_chunk;
1038
1039 /* insert_chunk function will recalculate the free_chunk_list, the data_size,
1040 the end_of_file, and the data_gathered as appropriate.
1041 It will also insert the data chunk that is coming in the right
1042 place of the file in memory.
1043 HINTS:
1044 file->data_gathered contains the real data gathered independently from the file length
1045 file->file_length contains the length of the file in memory, i.e.,
1046 the last offset captured. In most cases, the real
1047 file length would be different.
1048 */
1049 static void
1050 insert_chunk(active_file *file, export_object_entry_t *entry, const smb_eo_t *eo_info)
1051 {
1052 int nfreechunks = g_slist_length(file->free_chunk_list);
1053 int i;
1054 free_chunk *current_free_chunk;
1055 free_chunk *new_free_chunk;
1056 uint64_t chunk_offset = eo_info->smb_file_offset;
1057 uint64_t chunk_length = eo_info->payload_len;
1058 uint64_t chunk_end_offset = chunk_offset + chunk_length-1;
1059 /* Size of file in memory */
1060 uint64_t calculated_size = chunk_offset + chunk_length;
1061 void * dest_memory_addr;
1062
1063 /* Let's recalculate the file length and data gathered */
1064 if ((file->data_gathered == 0) && (nfreechunks == 0)) {
1065 /* If this is the first entry for this file, we first create an initial free chunk */
1066 new_free_chunk = g_new(free_chunk, 1);
1067 new_free_chunk->start_offset = 0;
1068 new_free_chunk->end_offset = MAX(file->file_length, chunk_end_offset+1) - 1;
1069 file->free_chunk_list = NULL;
1070 file->free_chunk_list = g_slist_append(file->free_chunk_list, new_free_chunk);
1071 nfreechunks += 1;
1072 } else {
1073 if (chunk_end_offset > file->file_length-1) {
1074 new_free_chunk = g_new(free_chunk, 1);
1075 new_free_chunk->start_offset = file->file_length;
1076 new_free_chunk->end_offset = chunk_end_offset;
1077 file->free_chunk_list = g_slist_append(file->free_chunk_list, new_free_chunk);
1078 nfreechunks += 1;
1079 }
1080 }
1081 file->file_length = MAX(file->file_length, chunk_end_offset+1);
1082
1083 /* Recalculate each free chunk according with the incoming data chunk */
1084 for (i=0; i<nfreechunks; i++) {
1085 current_free_chunk = (free_chunk *)g_slist_nth_data(file->free_chunk_list, i);
1086 /* 1. data chunk before the free chunk? */
1087 /* -> free chunk is not altered and no new data gathered */
1088 if (chunk_end_offset<current_free_chunk->start_offset) {
1089 continue;
1090 }
1091 /* 2. data chunk overlaps the first part of free_chunk */
1092 /* -> free chunk shrinks from the beginning */
1093 if (chunk_offset<=current_free_chunk->start_offset && chunk_end_offset>=current_free_chunk->start_offset && chunk_end_offset<current_free_chunk->end_offset) {
1094 file->data_gathered += chunk_end_offset-current_free_chunk->start_offset+1;
1095 current_free_chunk->start_offset=chunk_end_offset+1;
1096 continue;
1097 }
1098 /* 3. data chunk overlaps completely the free chunk */
1099 /* -> free chunk is removed */
1100 if (chunk_offset<=current_free_chunk->start_offset && chunk_end_offset>=current_free_chunk->end_offset) {
1101 file->data_gathered += current_free_chunk->end_offset-current_free_chunk->start_offset+1;
1102 file->free_chunk_list = g_slist_remove(file->free_chunk_list, current_free_chunk);
1103 g_free(current_free_chunk);
1104 nfreechunks -= 1;
1105 if (nfreechunks == 0) { /* The free chunk list is empty */
1106 g_slist_free(file->free_chunk_list);
1107 file->free_chunk_list = NULL;
1108 break;
1109 }
1110 i--;
1111 continue;
1112 }
1113 /* 4. data chunk is inside the free chunk */
1114 /* -> free chunk is split into two */
1115 if (chunk_offset>current_free_chunk->start_offset && chunk_end_offset<current_free_chunk->end_offset) {
1116 new_free_chunk = g_new(free_chunk, 1);
1117 new_free_chunk->start_offset = chunk_end_offset + 1;
1118 new_free_chunk->end_offset = current_free_chunk->end_offset;
1119 current_free_chunk->end_offset = chunk_offset-1;
1120 file->free_chunk_list = g_slist_insert(file->free_chunk_list, new_free_chunk, i + 1);
1121 file->data_gathered += chunk_length;
1122 continue;
1123 }
1124 /* 5.- data chunk overlaps the end part of free chunk */
1125 /* -> free chunk shrinks from the end */
1126 if (chunk_offset>current_free_chunk->start_offset && chunk_offset<=current_free_chunk->end_offset && chunk_end_offset>=current_free_chunk->end_offset) {
1127 file->data_gathered += current_free_chunk->end_offset-chunk_offset+1;
1128 current_free_chunk->end_offset = chunk_offset-1;
1129 continue;
1130 }
1131 /* 6.- data chunk is after the free chunk */
1132 /* -> free chunk is not altered and no new data gathered */
1133 if (chunk_offset>current_free_chunk->end_offset) {
1134 continue;
1135 }
1136 }
1137
1138 /* Now, let's insert the data chunk into memory
1139 ...first, we shall be able to allocate the memory */
1140 if (!entry->payload_data) {
1141 /* This is a New file */
1142 if (calculated_size > UINT32_MAX) {
1143 /*
1144 * The argument to g_try_malloc() is
1145 * a size_t, however the maximum size of a file
1146 * is 32-bit. If the calculated size is
1147 * bigger than that, we just say the attempt
1148 * to allocate memory failed.
1149 */
1150 entry->payload_data = NULL;
1151 } else {
1152 entry->payload_data = (uint8_t *)g_try_malloc((size_t)calculated_size);
1153 entry->payload_len = (size_t)calculated_size;
1154 }
1155 if (!entry->payload_data) {
1156 /* Memory error */
1157 file->is_out_of_memory = true;
1158 }
1159 } else {
1160 /* This is an existing file in memory */
1161 if (calculated_size > (uint64_t) entry->payload_len &&
1162 !file->is_out_of_memory) {
1163 /* We need more memory */
1164 if (calculated_size > UINT32_MAX) {
1165 /*
1166 * As for g_try_malloc(), so for
1167 * g_try_realloc().
1168 */
1169 dest_memory_addr = NULL;
1170 } else {
1171 dest_memory_addr = g_try_realloc(
1172 entry->payload_data,
1173 (size_t)calculated_size);
1174 }
1175 if (!dest_memory_addr) {
1176 /* Memory error */
1177 file->is_out_of_memory = true;
1178 /* We don't have memory for this file.
1179 Free the current file content from memory */
1180 g_free(entry->payload_data);
1181 entry->payload_data = NULL;
1182 entry->payload_len = 0;
1183 } else {
1184 entry->payload_data = (uint8_t *)dest_memory_addr;
1185 entry->payload_len = (size_t)calculated_size;
1186 }
1187 }
1188 }
1189 /* ...then, put the chunk of the file in the right place */
1190 if (!file->is_out_of_memory) {
1191 dest_memory_addr = entry->payload_data + chunk_offset;
1192 memmove(dest_memory_addr, eo_info->payload_data, eo_info->payload_len);
1193 }
1194 }
1195
1196 /* We use this function to obtain the index in the GSL of a given file */
1197 static int
1198 find_incoming_file(GSList *GSL_active_files_p, active_file *incoming_file)
1199 {
1200 int i, row, last;
1201 active_file *in_list_file;
1202
1203 row = -1;
1204 last = g_slist_length(GSL_active_files_p) - 1;
1205
1206 /* We lookup in reverse order because it is more likely that the file
1207 is one of the latest */
1208 for (i=last; i>=0; i--) {
1209 in_list_file = (active_file *)g_slist_nth_data(GSL_active_files_p, i);
1210 /* The best-working criteria of two identical files is that the file
1211 that is the same of the file that we are analyzing is the last one
1212 in the list that has the same tid and the same fid */
1213 /* note that we have excluded in_list_file->uid == incoming_file->uid
1214 from the comparison, because a file can be opened by different
1215 SMB users and it is still the same file */
1216 if (in_list_file->tid == incoming_file->tid &&
1217 in_list_file->fid == incoming_file->fid) {
1218 row = i;
1219 break;
1220 }
1221 }
1222
1223 return row;
1224 }
1225
1226 static tap_packet_status
1227 smb_eo_packet(void *tapdata, packet_info *pinfo, epan_dissect_t *edt _U_, const void *data, tap_flags_t flags _U_)
1228 {
1229 export_object_list_t *object_list = (export_object_list_t *)tapdata;
1230 const smb_eo_t *eo_info = (const smb_eo_t *)data;
1231
1232 export_object_entry_t *entry;
1233 export_object_entry_t *current_entry;
1234 active_file incoming_file;
1235 int active_row;
1236 active_file *new_file;
1237 active_file *current_file;
1238 uint8_t contains;
1239 bool is_supported_filetype;
1240 float percent;
1241
1242 const char *aux_smb_fid_type_string;
1243
1244 if (eo_info->smbversion==1) {
1245 /* Is this an eo_smb supported file_type? (right now we only support FILE) */
1246 is_supported_filetype = (eo_info->fid_type == SMB_FID_TYPE_FILE);
1247 aux_smb_fid_type_string = val_to_str_const(eo_info->fid_type, smb_fid_types, "?");
1248
1249 /* What kind of data this packet contains? */
1250 switch(eo_info->cmd) {
1251 case SMB_COM_READ_ANDX:
1252 case SMB_COM_READ:
1253 contains = SMB_EO_CONTAINS_READS;
1254 break;
1255 case SMB_COM_WRITE_ANDX:
1256 case SMB_COM_WRITE:
1257 contains = SMB_EO_CONTAINS_WRITES;
1258 break;
1259 default:
1260 contains = SMB_EO_CONTAINS_NOTHING;
1261 break;
1262 }
1263 } else {
1264 /* Is this an eo_smb supported file_type? (right now we only support FILE) */
1265 is_supported_filetype = (eo_info->fid_type == SMB2_FID_TYPE_FILE );
1266 aux_smb_fid_type_string = val_to_str_const(eo_info->fid_type, smb2_fid_types, "?");
1267
1268 /* What kind of data this packet contains? */
1269 switch(eo_info->cmd) {
1270 case SMB2_COM_READ:
1271 contains = SMB_EO_CONTAINS_READS;
1272 break;
1273 case SMB2_COM_WRITE:
1274 contains = SMB_EO_CONTAINS_WRITES;
1275 break;
1276 default:
1277 contains = SMB_EO_CONTAINS_NOTHING;
1278 break;
1279 }
1280 }
1281
1282
1283 /* Is this data from an already tracked file or not? */
1284 incoming_file.tid = eo_info->tid;
1285 incoming_file.uid = eo_info->uid;
1286 incoming_file.fid = eo_info->fid;
1287 active_row = find_incoming_file(GSL_active_files, &incoming_file);
1288
1289 if (active_row == -1) { /* This is a new-tracked file */
1290 /* Construct the entry in the list of active files */
1291 entry = g_new(export_object_entry_t, 1);
1292 entry->payload_data = NULL;
1293 entry->payload_len = 0;
1294 new_file = g_new(active_file, 1);
1295 new_file->tid = incoming_file.tid;
1296 new_file->uid = incoming_file.uid;
1297 new_file->fid = incoming_file.fid;
1298 new_file->file_length = eo_info->end_of_file;
1299 new_file->flag_contains = contains;
1300 new_file->free_chunk_list = NULL;
1301 new_file->data_gathered = 0;
1302 new_file->is_out_of_memory = false;
1303 entry->pkt_num = pinfo->num;
1304
1305 entry->hostname=g_filename_display_name(eo_info->hostname);
1306 entry->filename=g_filename_display_name(eo_info->filename);
1307
1308 /* Insert the first chunk in the chunk list of this file */
1309 if (is_supported_filetype) {
1310 insert_chunk(new_file, entry, eo_info);
1311 }
1312
1313 if (new_file->is_out_of_memory) {
1314 entry->content_type =
1315 ws_strdup_printf("%s (%"PRIu64"?/%"PRIu64") %s [mem!!]",
1316 aux_smb_fid_type_string,
1317 new_file->data_gathered,
1318 new_file->file_length,
1319 try_val_to_str(contains, smb_eo_contains_string));
1320 } else {
1321 if (new_file->file_length > 0) {
1322 percent = (float) (100*new_file->data_gathered/new_file->file_length);
1323 } else {
1324 percent = 0.0f;
1325 }
1326
1327 entry->content_type =
1328 ws_strdup_printf("%s (%"PRIu64"/%"PRIu64") %s [%5.2f%%]",
1329 aux_smb_fid_type_string,
1330 new_file->data_gathered,
1331 new_file->file_length,
1332 try_val_to_str(contains, smb_eo_contains_string),
1333 percent);
1334 }
1335
1336 object_list->add_entry(object_list->gui_data, entry);
1337 GSL_active_files = g_slist_append(GSL_active_files, new_file);
1338 }
1339 else if (is_supported_filetype) {
1340 current_file = (active_file *)g_slist_nth_data(GSL_active_files, active_row);
1341 /* Recalculate the current file flags */
1342 current_file->flag_contains = current_file->flag_contains|contains;
1343 current_entry = object_list->get_entry(object_list->gui_data, active_row);
1344
1345 insert_chunk(current_file, current_entry, eo_info);
1346
1347 /* Modify the current_entry object_type string */
1348 if (current_file->is_out_of_memory) {
1349 current_entry->content_type =
1350 ws_strdup_printf("%s (%"PRIu64"?/%"PRIu64") %s [mem!!]",
1351 aux_smb_fid_type_string,
1352 current_file->data_gathered,
1353 current_file->file_length,
1354 try_val_to_str(current_file->flag_contains, smb_eo_contains_string));
1355 } else {
1356 percent = (float) (100*current_file->data_gathered/current_file->file_length);
1357 current_entry->content_type =
1358 ws_strdup_printf("%s (%"PRIu64"/%"PRIu64") %s [%5.2f%%]",
1359 aux_smb_fid_type_string,
1360 current_file->data_gathered,
1361 current_file->file_length,
1362 try_val_to_str(current_file->flag_contains, smb_eo_contains_string),
1363 percent);
1364 }
1365 }
1366
1367 return TAP_PACKET_REDRAW; /* State changed - window should be redrawn */
1368 }
1369
1370 /* This is the eo_reset_cb function that is used in the export_object module
1371 to cleanup any previous private data of the export object functionality before perform
1372 the eo_reset function or when the window closes */
1373 static void
1374 smb_eo_cleanup(void)
1375 {
1376 int i, last;
1377 active_file *in_list_file;
1378
1379 /* Free any previous data structures used in previous invocation to the
1380 export_object_smb function */
1381 last = g_slist_length(GSL_active_files);
1382 if (GSL_active_files) {
1383 for (i=last-1; i>=0; i--) {
1384 in_list_file = (active_file *)g_slist_nth_data(GSL_active_files, i);
1385 if (in_list_file->free_chunk_list) {
1386 g_slist_free(in_list_file->free_chunk_list);
1387 in_list_file->free_chunk_list = NULL;
1388 }
1389 g_free(in_list_file);
1390 }
1391 g_slist_free(GSL_active_files);
1392 GSL_active_files = NULL;
1393 }
1394 }
1395
1396 /*
1397 * Macros for use in the main dissector routines for an SMB.
1398 */
1399
1400 #define WORD_COUNT \
1401 /* Word Count */ \
1402 wc = tvb_get_uint8(tvb, offset); \
1403 proto_tree_add_uint(tree, hf_smb_word_count, \
1404 tvb, offset, 1, wc); \
1405 offset += 1; \
1406 if (wc == 0) goto bytecount;
1407
1408 #define BYTE_COUNT \
1409 bytecount: \
1410 bc = tvb_get_letohs(tvb, offset); \
1411 proto_tree_add_uint(tree, hf_smb_byte_count, \
1412 tvb, offset, 2, bc); \
1413 offset += 2; \
1414 if (bc == 0) goto endofcommand;
1415
1416 #define CHECK_BYTE_COUNT(len) \
1417 if (bc < len) goto endofcommand;
1418
1419 #define COUNT_BYTES(len) {\
1420 int tmp; \
1421 tmp = len; \
1422 offset += tmp; \
1423 bc -= tmp; \
1424 }
1425
1426 #define END_OF_SMB \
1427 if (bc != 0) { \
1428 int bc_remaining; \
1429 bc_remaining = tvb_reported_length_remaining(tvb, offset); \
1430 if ( ((int)bc) > bc_remaining) { \
1431 bc = bc_remaining; \
1432 } \
1433 if (bc) { \
1434 proto_tree_add_item(tree, hf_smb_extra_byte_parameters, tvb, offset, bc, ENC_NA); \
1435 } \
1436 offset += bc; \
1437 } \
1438 endofcommand:
1439
1440 /*
1441 * Macros for use in routines called by them.
1442 */
1443 #define CHECK_BYTE_COUNT_SUBR(len) \
1444 if (*bcp < len) { \
1445 *trunc = true; \
1446 return offset; \
1447 }
1448
1449 #define CHECK_STRING_SUBR(fn) \
1450 if (fn == NULL) { \
1451 *trunc = true; \
1452 return offset; \
1453 }
1454
1455 #define COUNT_BYTES_SUBR(len) \
1456 offset += len; \
1457 *bcp -= len;
1458
1459 /*
1460 * Macros for use when dissecting transaction parameters and data
1461 */
1462 #define CHECK_BYTE_COUNT_TRANS(len) \
1463 if (bc < len) return offset;
1464
1465 #define CHECK_STRING_TRANS(fn) \
1466 if (fn == NULL) return offset;
1467
1468 #define COUNT_BYTES_TRANS(len) \
1469 offset += len; \
1470 bc -= len;
1471
1472 /*
1473 * Macros for use in subrroutines dissecting transaction parameters or data
1474 */
1475 #define CHECK_BYTE_COUNT_TRANS_SUBR(len) \
1476 if (*bcp < len) return offset;
1477
1478 #define CHECK_STRING_TRANS_SUBR(fn) \
1479 if (fn == NULL) return offset;
1480
1481 #define COUNT_BYTES_TRANS_SUBR(len) \
1482 offset += len; \
1483 *bcp -= len;
1484
1485 bool sid_display_hex;
1486 bool sid_name_snooping;
1487
1488 /* ExportObject preferences variable */
1489 bool eosmb_take_name_as_fid = false ;
1490 /* Utility to get an str representing ipv4 or ipv6 address */
1491 const char *tree_ip_str(packet_info *pinfo, uint16_t cmd) {
1492 const char *buf;
1493
1494 if ( cmd == SMB_COM_READ_ANDX ||
1495 cmd == SMB_COM_READ ||
1496 cmd == SMB2_COM_READ) {
1497 buf = address_to_str(pinfo->pool, &pinfo->src);
1498 } else {
1499 buf = address_to_str(pinfo->pool, &pinfo->dst);
1500 }
1501
1502 return buf;
1503 }
1504
1505
1506 /* ExportObject feed function*/
1507 static void
1508 feed_eo_smb(uint16_t cmd, uint16_t fid, tvbuff_t * tvb, packet_info *pinfo, uint16_t dataoffset, uint32_t datalen, uint32_t chunk_len,
1509 uint64_t file_offset, smb_info_t *si) {
1510
1511 smb_eo_t *eo_info; /* eo_info variable to pass info. to
1512 export object and aux */
1513 smb_tid_info_t *tid_info = NULL;
1514 smb_fid_info_t *fid_info = NULL;
1515 smb_fid_info_t *suspect_fid_info = NULL;
1516 tvbuff_t *data_tvb;
1517 GSList *GSL_iterator;
1518
1519 /* Create a new tvb to point to the payload data */
1520 data_tvb = tvb_new_subset_length(tvb, dataoffset, datalen);
1521 /* Create the eo_info to pass to the listener */
1522 eo_info = wmem_new(pinfo->pool, smb_eo_t);
1523
1524 /* Try to get fid_info and tid_info */
1525 if (fid_info == NULL) {
1526 GSL_iterator = si->ct->GSL_fid_info;
1527 while (GSL_iterator) {
1528 suspect_fid_info = (smb_fid_info_t *)GSL_iterator->data;
1529 if (suspect_fid_info->opened_in > pinfo->num) break;
1530 if ((suspect_fid_info->tid == si->tid) && (suspect_fid_info->fid == fid))
1531 fid_info = suspect_fid_info;
1532 GSL_iterator = g_slist_next(GSL_iterator);
1533 }
1534 }
1535
1536
1537 tid_info = (smb_tid_info_t *)wmem_tree_lookup32(si->ct->tid_tree, si->tid);
1538
1539 /* Construct the eo_info structure */
1540 eo_info->smbversion = 1;
1541 if (tid_info) {
1542 if (tid_info->filename) {
1543 eo_info->hostname = tid_info->filename;
1544 } else {
1545 eo_info->hostname = wmem_strdup_printf(pinfo->pool, "\\\\%s\\TREEID_UNKNOWN", tree_ip_str(pinfo, cmd));
1546 }
1547 }
1548 else eo_info->hostname = wmem_strdup_printf(pinfo->pool, "\\\\%s\\TREEID_%i", tree_ip_str(pinfo, cmd), si->tid);
1549 if (fid_info) {
1550 eo_info->filename = NULL;
1551 if (fid_info->fsi)
1552 if (fid_info->fsi->filename)
1553 eo_info->filename = (char *) fid_info->fsi->filename;
1554 if (!eo_info->filename) eo_info->filename = wmem_strdup_printf(pinfo->pool, "\\FILEID_%i", fid);
1555 eo_info->fid_type = fid_info->type;
1556 eo_info->end_of_file = fid_info->end_of_file;
1557 } else {
1558 eo_info->fid_type = SMB_FID_TYPE_UNKNOWN;
1559 eo_info->filename = wmem_strdup_printf(pinfo->pool, "\\FILEID_%i", fid);
1560 eo_info->end_of_file = 0;
1561 }
1562 if (eosmb_take_name_as_fid) {
1563 eo_info->fid = g_str_hash(eo_info->filename);
1564 } else {
1565 eo_info->fid = fid;
1566 }
1567 eo_info->tid = si->tid;
1568 eo_info->uid = si->uid;
1569 eo_info->payload_len = datalen;
1570 eo_info->payload_data = tvb_get_ptr(data_tvb, 0, datalen);
1571 eo_info->smb_file_offset = file_offset;
1572 eo_info->smb_chunk_len = chunk_len;
1573 eo_info->cmd = cmd;
1574 /* Queue data to the listener */
1575
1576 tap_queue_packet(smb_eo_tap, pinfo, eo_info);
1577 } /* feed_eo_smb */
1578
1579 /* Compare function to maintain the GSL_fid_info ordered
1580 Order criteria: packet where the fid was opened */
1581 static int
1582 fid_cmp(smb_fid_info_t *fida, smb_fid_info_t *fidb)
1583 {
1584 return (fida->opened_in - fidb->opened_in);
1585 }
1586
1587 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
1588 These are needed by the reassembly of SMB Transaction payload and DCERPC over SMB
1589 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
1590 static bool smb_trans_reassembly = true;
1591 bool smb_dcerpc_reassembly = true;
1592
1593 static reassembly_table smb_trans_reassembly_table;
1594
1595 static fragment_head *
1596 smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
1597 int offset, unsigned count, unsigned pos, unsigned totlen, smb_info_t *si)
1598 {
1599 fragment_head *fd_head = NULL;
1600 int more_frags;
1601
1602 /* Don't pass the reassembly code data that doesn't exist */
1603 /* Fail if some or all of the fragment is located beyond the total length */
1604 if ( !tvb_bytes_exist(tvb, offset, count) || (pos > totlen) || (count > totlen) || ((pos + count) > totlen)) {
1605 THROW(ReportedBoundsError);
1606 }
1607
1608 more_frags = totlen > (pos + count);
1609
1610 DISSECTOR_ASSERT(si);
1611
1612 if (si->sip == NULL) {
1613 /*
1614 * We don't have the frame number of the request.
1615 */
1616 return NULL;
1617 }
1618
1619 if (!pinfo->fd->visited) {
1620 fd_head = fragment_add(&smb_trans_reassembly_table, tvb, offset,
1621 pinfo, si->sip->frame_req, NULL,
1622 pos, count, more_frags);
1623 } else {
1624 fd_head = fragment_get(&smb_trans_reassembly_table,
1625 pinfo, si->sip->frame_req, NULL);
1626 }
1627
1628 if (!fd_head || !(fd_head->flags & FD_DEFRAGMENTED)) {
1629 /* This is continued - mark it as such, so we recognize
1630 continuation responses.
1631 */
1632 si->sip->flags |= SMB_SIF_IS_CONTINUED;
1633 } else {
1634 /* We've finished reassembling, so there are no more
1635 continuation responses.
1636 */
1637 si->sip->flags &= ~SMB_SIF_IS_CONTINUED;
1638 }
1639
1640 /* we only show the defragmented packet for the first fragment,
1641 or else we might end up with dissecting one HUGE transaction PDU
1642 a LOT of times. (first fragment is the only one containing the setup
1643 bytes)
1644 I have seen ONE Transaction PDU that is ~60kb, spanning many Transaction
1645 SMBs. Takes a LOT of time dissecting and is not fun.
1646 */
1647 if ( (pos == 0) && fd_head && (fd_head->flags & FD_DEFRAGMENTED)) {
1648 return fd_head;
1649 } else {
1650 return NULL;
1651 }
1652 }
1653
1654
1655
1656
1657
1658 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
1659 These variables and functions are used to match
1660 responses with calls
1661 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
1662 /*
1663 * The information we need to save about a request in order to show the
1664 * frame number of the request in the dissection of the reply.
1665 */
1666 typedef struct {
1667 uint32_t frame;
1668 uint32_t pid_mid;
1669 } smb_saved_info_key_t;
1670
1671 /* unmatched smb_saved_info structures.
1672 For unmatched smb_saved_info structures we store the smb_saved_info
1673 structure using the MID and the PID as the key.
1674
1675 Oh, yes, the key is really a pointer, but we use it as if it was an integer.
1676 Ugly, yes. Not portable to DEC-20 Yes. But it saves a few bytes.
1677 The key is the PID in the upper 16 bits and the MID in the lower 16 bits.
1678 */
1679 static int
1680 smb_saved_info_equal_unmatched(const void *k1, const void *k2)
1681 {
1682 register uint32_t key1 = GPOINTER_TO_UINT(k1);
1683 register uint32_t key2 = GPOINTER_TO_UINT(k2);
1684 return key1 == key2;
1685 }
1686 static unsigned
1687 smb_saved_info_hash_unmatched(const void *k)
1688 {
1689 register uint32_t key = GPOINTER_TO_UINT(k);
1690 return key;
1691 }
1692
1693 /* matched smb_saved_info structures.
1694 For matched smb_saved_info structures we store the smb_saved_info
1695 structure twice in the table using the frame number, and a combination
1696 of the MID and the PID, as the key.
1697 The frame number is guaranteed to be unique but if ever someone makes
1698 some change that will renumber the frames in a capture we are in BIG trouble.
1699 This is not likely though since that would break (among other things) all the
1700 reassembly routines as well.
1701
1702 We also need the MID as there may be more than one SMB request or reply
1703 in a single frame, and we also need the PID as there may be more than
1704 one outstanding request with the same MID and different PIDs.
1705 */
1706 static int
1707 smb_saved_info_equal_matched(const void *k1, const void *k2)
1708 {
1709 const smb_saved_info_key_t *key1 = (const smb_saved_info_key_t *)k1;
1710 const smb_saved_info_key_t *key2 = (const smb_saved_info_key_t *)k2;
1711 return (key1->frame == key2->frame) && (key1->pid_mid == key2->pid_mid);
1712 }
1713 static unsigned
1714 smb_saved_info_hash_matched(const void *k)
1715 {
1716 const smb_saved_info_key_t *key = (const smb_saved_info_key_t *)k;
1717 return key->frame + key->pid_mid;
1718 }
1719
1720 static GSList *conv_tables;
1721
1722 static int
1723 smb_find_unicode_null_offset(tvbuff_t *tvb, int offset, const int maxlength, const uint16_t needle, const unsigned encoding)
1724 {
1725 unsigned captured_length = tvb_captured_length(tvb);
1726 if (G_LIKELY((unsigned) offset > captured_length)) {
1727 return -1;
1728 }
1729
1730 unsigned limit = captured_length - offset;
1731
1732 /* Only search to end of tvbuff, w/o throwing exception. */
1733 if (maxlength >= 0 && limit > (unsigned) maxlength) {
1734 /* Maximum length doesn't go past end of tvbuff; search
1735 to that value. */
1736 limit = (unsigned) maxlength;
1737 }
1738
1739 limit = limit & ~1;
1740
1741 while(limit){
1742 if (needle == tvb_get_uint16(tvb, offset, encoding)){
1743 return offset;
1744 }
1745 offset += 2;
1746 limit -= 2;
1747 }
1748 return -1;
1749 }
1750
1751 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
1752 End of request/response matching functions
1753 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
1754
1755 /* Turn a little-endian Unicode '\0'-terminated string into a string we
1756 can display.
1757 If exactlen==true then us_lenp contains the exact len of the string in
1758 bytes. It might not be null terminated !
1759 bc specifies the number of bytes in the byte parameters; Windows 2000,
1760 at least, appears, in some cases, to put only 1 byte of 0 at the end
1761 of a Unicode string if the byte count
1762 */
1763 static char *
1764 unicode_to_str(wmem_allocator_t *scope, tvbuff_t *tvb, int offset, int *us_lenp, bool exactlen,
1765 uint16_t bc)
1766 {
1767 int len;
1768 if (exactlen) {
1769 return tvb_get_string_enc(scope, tvb, offset, *us_lenp, ENC_UTF_16|ENC_LITTLE_ENDIAN);
1770 } else {
1771 /* Handle the odd cases where Windows 2000 has a Unicode
1772 * string followed by a single NUL byte when the string
1773 * takes up the entire byte count.
1774 */
1775 len = smb_find_unicode_null_offset(tvb, offset, bc, 0, ENC_LITTLE_ENDIAN);
1776 if (len == -1) {
1777 if (bc % 2 == 1 && tvb_get_uint8(tvb, offset + bc - 1) == 0) {
1778 *us_lenp = bc;
1779 return tvb_get_string_enc(scope, tvb, offset, bc - 1, ENC_UTF_16|ENC_LITTLE_ENDIAN);
1780 }
1781 }
1782 return tvb_get_stringz_enc(scope, tvb, offset, us_lenp, ENC_UTF_16|ENC_LITTLE_ENDIAN);
1783 }
1784 }
1785
1786 /* nopad == true : Do not add any padding before this string
1787 * exactlen == true : len contains the exact len of the string in bytes.
1788 * bc: pointer to variable with amount of data left in the byte parameters
1789 * region
1790 */
1791 static const char *
1792 get_unicode_or_ascii_string(wmem_allocator_t *scope, tvbuff_t *tvb, int *offsetp,
1793 bool useunicode, int *len, bool nopad, bool exactlen,
1794 uint16_t *bcp)
1795 {
1796 const char *string;
1797 int string_len = 0;
1798 int copylen;
1799
1800 if (*bcp == 0) {
1801 /* Not enough data in buffer */
1802 return NULL;
1803 }
1804
1805 if (useunicode) {
1806 if ((!nopad) && (*offsetp % 2)) {
1807 (*offsetp)++; /* Looks like a pad byte there sometimes */
1808 (*bcp)--;
1809
1810 if (*bcp == 0) {
1811 /* Not enough data in buffer */
1812 return NULL;
1813 }
1814 }
1815
1816 if(exactlen){
1817 string_len = *len;
1818 if (string_len < 0) {
1819 /* This probably means it's a very large unsigned number; just set
1820 it to the largest signed number, so that we throw the appropriate
1821 exception. */
1822 string_len = INT_MAX;
1823 } else if (string_len > *bcp){
1824 string_len = *bcp;
1825 }
1826 }
1827
1828 string = unicode_to_str(scope, tvb, *offsetp, &string_len, exactlen, *bcp);
1829 } else {
1830 /* XXX: Use the local OEM (extended ASCII DOS) code page.
1831 * On US English machines that means ENC_CP437, but it
1832 * could be CP850 (which contains the characters of
1833 * ISO-8859-1, arranged differently), CP866, etc.
1834 * Using ENC_ASCII is safest.
1835 *
1836 * There could be a preference for local code page.
1837 * (The same should apply in packet-smb-browser.c too)
1838 */
1839 if(exactlen){
1840 copylen = *len;
1841
1842 if (copylen < 0) {
1843 /* This probably means it's a very large unsigned number; just set
1844 it to the largest signed number, so that we throw the appropriate
1845 exception. */
1846 copylen = INT_MAX;
1847 }
1848
1849 return tvb_get_string_enc(scope, tvb, *offsetp, copylen, ENC_ASCII);
1850 } else {
1851 return tvb_get_stringz_enc(scope, tvb, *offsetp, len, ENC_ASCII);
1852 }
1853 }
1854
1855 *len = string_len;
1856 return string;
1857 }
1858
1859 typedef struct _smb_uid_t {
1860 char *domain;
1861 char *account;
1862 int logged_in;
1863 int logged_out;
1864 } smb_uid_t;
1865
1866 static void
1867 smb_file_specific_rights(tvbuff_t *tvb, int offset, proto_tree *tree, uint32_t mask)
1868 {
1869 static int * const mask_flags[] = {
1870 &hf_smb_file_access_mask_write_attribute,
1871 &hf_smb_file_access_mask_read_attribute,
1872 &hf_smb_file_access_mask_execute,
1873 &hf_smb_file_access_mask_write_ea,
1874 &hf_smb_file_access_mask_read_ea,
1875 &hf_smb_file_access_mask_append_data,
1876 &hf_smb_file_access_mask_write_data,
1877 &hf_smb_file_access_mask_read_data,
1878 NULL
1879 };
1880
1881 mask &= 0x0000ffff;
1882 if (mask == 0x000001ff) {
1883 proto_tree_add_uint(tree, hf_smb_file_access_mask_full_control, tvb, offset, 4, mask);
1884 }
1885
1886 proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, mask_flags, mask);
1887 }
1888 static struct access_mask_info smb_file_access_mask_info = {
1889 "FILE", /* Name of specific rights */
1890 smb_file_specific_rights, /* Dissection function */
1891 NULL, /* Generic mapping table */
1892 NULL /* Standard mapping table */
1893 };
1894
1895
1896 static void
1897 smb_dir_specific_rights(tvbuff_t *tvb, int offset, proto_tree *tree, uint32_t mask)
1898 {
1899 static int * const mask_flags[] = {
1900 &hf_smb_dir_access_mask_write_attribute,
1901 &hf_smb_dir_access_mask_read_attribute,
1902 &hf_smb_dir_access_mask_delete_child,
1903 &hf_smb_dir_access_mask_traverse,
1904 &hf_smb_dir_access_mask_write_ea,
1905 &hf_smb_dir_access_mask_read_ea,
1906 &hf_smb_dir_access_mask_add_subdir,
1907 &hf_smb_dir_access_mask_add_file,
1908 &hf_smb_dir_access_mask_list,
1909 NULL
1910 };
1911
1912 mask &= 0x0000ffff;
1913 if (mask == 0x000001ff) {
1914 proto_tree_add_uint(tree, hf_smb_dir_access_mask_full_control, tvb, offset, 4, mask);
1915 }
1916
1917 proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, mask_flags, mask);
1918 }
1919 static struct access_mask_info smb_dir_access_mask_info = {
1920 "DIR", /* Name of specific rights */
1921 smb_dir_specific_rights, /* Dissection function */
1922 NULL, /* Generic mapping table */
1923 NULL /* Standard mapping table */
1924 };
1925
1926
1927
1928 static const value_string buffer_format_vals[] = {
1929 {1, "Data Block"},
1930 {2, "Dialect"},
1931 {3, "Pathname"},
1932 {4, "ASCII"},
1933 {5, "Variable Block"},
1934 {0, NULL}
1935 };
1936
1937 #define POSIX_ACE_TYPE_USER_OBJ 0x01
1938 #define POSIX_ACE_TYPE_USER 0x02
1939 #define POSIX_ACE_TYPE_GROUP_OBJ 0x04
1940 #define POSIX_ACE_TYPE_GROUP 0x08
1941 #define POSIX_ACE_TYPE_MASK 0x10
1942 #define POSIX_ACE_TYPE_OTHER 0x20
1943 static const value_string ace_type_vals[] = {
1944 {POSIX_ACE_TYPE_USER_OBJ, "User Obj"},
1945 {POSIX_ACE_TYPE_USER, "User"},
1946 {POSIX_ACE_TYPE_GROUP_OBJ, "Group Obj"},
1947 {POSIX_ACE_TYPE_GROUP, "Group"},
1948 {POSIX_ACE_TYPE_MASK, "Mask"},
1949 {POSIX_ACE_TYPE_OTHER, "Other"},
1950 {0, NULL}
1951 };
1952
1953 /*
1954 * UTIME - this is *almost* like a UNIX time stamp, except that it's
1955 * in seconds since January 1, 1970, 00:00:00 *local* time, not since
1956 * January 1, 1970, 00:00:00 GMT.
1957 *
1958 * This means we have to do some extra work to convert it. This code is
1959 * based on the Samba code:
1960 *
1961 * Unix SMB/Netbios implementation.
1962 * Version 1.9.
1963 * time handling functions
1964 * Copyright (C) Andrew Tridgell 1992-1998
1965 */
1966
1967 /*
1968 * Yield the difference between *A and *B, in seconds, ignoring leap
1969 * seconds.
1970 */
1971 #define TM_YEAR_BASE 1900
1972
1973 static int
1974 tm_diff(struct tm *a, struct tm *b)
1975 {
1976 int ay = a->tm_year + (TM_YEAR_BASE - 1);
1977 int by = b->tm_year + (TM_YEAR_BASE - 1);
1978 int intervening_leap_days =
1979 (ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
1980 int years = ay - by;
1981 int days =
1982 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
1983 int hours = 24*days + (a->tm_hour - b->tm_hour);
1984 int minutes = 60*hours + (a->tm_min - b->tm_min);
1985 int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
1986
1987 return seconds;
1988 }
1989
1990 /*
1991 * Return the UTC offset in seconds west of UTC, or 0 if it cannot be
1992 * determined.
1993 */
1994 static int
1995 TimeZone(time_t t)
1996 {
1997 struct tm *tm = gmtime(&t);
1998 struct tm tm_utc;
1999
2000 if (tm == NULL)
2001 return 0;
2002 tm_utc = *tm;
2003 tm = localtime(&t);
2004 if (tm == NULL)
2005 return 0;
2006 return tm_diff(&tm_utc, tm);
2007 }
2008
2009 /*
2010 * Return the same value as TimeZone, but it should be more efficient.
2011 *
2012 * We keep a table of DST offsets to prevent calling localtime() on each
2013 * call of this function. This saves a LOT of time on many unixes.
2014 *
2015 * Updated by Paul Eggert <eggert@twinsun.com>
2016 */
2017 #ifndef CHAR_BIT
2018 #define CHAR_BIT 8
2019 #endif
2020
2021 #ifndef TIME_T_MIN
2022 #define TIME_T_MIN ((time_t) ((time_t)0 < (time_t) -1 ? (time_t) 0 \
2023 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1)))
2024 #endif
2025 #ifndef TIME_T_MAX
2026 #define TIME_T_MAX ((time_t) (~ (time_t) 0 - TIME_T_MIN))
2027 #endif
2028
2029 static int
2030 TimeZoneFaster(time_t t)
2031 {
2032 static struct dst_table {time_t start, end; int zone;} *tdt;
2033 static struct dst_table *dst_table = NULL;
2034 static int table_size = 0;
2035 int i;
2036 int zone = 0;
2037
2038 if (t == 0)
2039 t = time(NULL);
2040
2041 /* Tunis has a 8 day DST region, we need to be careful ... */
2042 #define MAX_DST_WIDTH (365*24*60*60)
2043 #define MAX_DST_SKIP (7*24*60*60)
2044
2045 for (i = 0; i < table_size; i++) {
2046 if ((t >= dst_table[i].start) && (t <= dst_table[i].end))
2047 break;
2048 }
2049
2050 if (i < table_size) {
2051 zone = dst_table[i].zone;
2052 } else {
2053 time_t low, high;
2054
2055 zone = TimeZone(t);
2056 if (dst_table == NULL)
2057 tdt = (struct dst_table *)g_malloc(sizeof(dst_table[0])*(i+1));
2058 else
2059 tdt = (struct dst_table *)g_realloc(dst_table, sizeof(dst_table[0])*(i+1));
2060 if (tdt == NULL) {
2061 g_free(dst_table);
2062 table_size = 0;
2063 } else {
2064 dst_table = tdt;
2065 table_size++;
2066
2067 dst_table[i].zone = zone;
2068 dst_table[i].start = dst_table[i].end = t;
2069
2070 /* no entry will cover more than 6 months */
2071 low = t - MAX_DST_WIDTH/2;
2072 /* XXX - what if t < MAX_DST_WIDTH/2? */
2073
2074 high = t + MAX_DST_WIDTH/2;
2075 /* XXX - what if this overflows? */
2076
2077 /*
2078 * Widen the new entry using two bisection searches.
2079 */
2080 while (low+60*60 < dst_table[i].start) {
2081 if (dst_table[i].start - low > MAX_DST_SKIP*2)
2082 t = dst_table[i].start - MAX_DST_SKIP;
2083 else
2084 t = low + (dst_table[i].start-low)/2;
2085 if (TimeZone(t) == zone)
2086 dst_table[i].start = t;
2087 else
2088 low = t;
2089 }
2090
2091 while (high-60*60 > dst_table[i].end) {
2092 if (high - dst_table[i].end > MAX_DST_SKIP*2)
2093 t = dst_table[i].end + MAX_DST_SKIP;
2094 else
2095 t = high - (high-dst_table[i].end)/2;
2096 if (TimeZone(t) == zone)
2097 dst_table[i].end = t;
2098 else
2099 high = t;
2100 }
2101 }
2102 }
2103 return zone;
2104 }
2105
2106 /*
2107 * Return the UTC offset in seconds west of UTC, adjusted for extra time
2108 * offset, for a local time value. If ut = lt + LocTimeDiff(lt), then
2109 * lt = ut - TimeDiff(ut), but the converse does not necessarily hold near
2110 * daylight savings transitions because some local times are ambiguous.
2111 * LocTimeDiff(t) equals TimeDiff(t) except near daylight savings transitions.
2112 */
2113 static int
2114 LocTimeDiff(time_t lt)
2115 {
2116 int d = TimeZoneFaster(lt);
2117 time_t t = lt + d;
2118
2119 /* if overflow occurred, ignore all the adjustments so far */
2120 if (((t < lt) ^ (d < 0)))
2121 t = lt;
2122
2123 /*
2124 * Now t should be close enough to the true UTC to yield the
2125 * right answer.
2126 */
2127 return TimeZoneFaster(t);
2128 }
2129
2130 static int
2131 dissect_smb_UTIME(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
2132 {
2133 uint32_t timeval;
2134 nstime_t ts;
2135
2136 ts.secs = timeval = tvb_get_letohl(tvb, offset);
2137 ts.nsecs = 0;
2138 if (timeval == 0xffffffff) {
2139 proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 4, &ts,
2140 "No time specified (0xffffffff)");
2141 offset += 4;
2142 return offset;
2143 }
2144
2145 /*
2146 * We add the local time offset.
2147 */
2148 ts.secs = timeval + LocTimeDiff(timeval);
2149
2150 proto_tree_add_time(tree, hf_date, tvb, offset, 4, &ts);
2151 offset += 4;
2152
2153 return offset;
2154 }
2155
2156 static int
2157 dissect_smb_datetime(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
2158 int hf_date, int hf_dos_date, int hf_dos_time, bool time_first)
2159 {
2160 uint16_t dos_time, dos_date;
2161 proto_item *item = NULL;
2162 proto_tree *tree = NULL;
2163 struct tm tm;
2164 time_t t;
2165 nstime_t tv;
2166
2167 static const int mday_noleap[12] = {
2168 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
2169 };
2170 static const int mday_leap[12] = {
2171 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
2172 };
2173
2174 #define ISLEAP(y) ((((y) % 4) == 0) && ((((y) % 100) != 0) || (((y) % 400) == 0)))
2175
2176 if (time_first) {
2177 dos_time = tvb_get_letohs(tvb, offset);
2178 dos_date = tvb_get_letohs(tvb, offset+2);
2179 } else {
2180 dos_date = tvb_get_letohs(tvb, offset);
2181 dos_time = tvb_get_letohs(tvb, offset+2);
2182 }
2183
2184 if (((dos_date == 0xffff) && (dos_time == 0xffff)) ||
2185 ((dos_date == 0) && (dos_time == 0))) {
2186 /*
2187 * No date/time specified.
2188 */
2189 if (parent_tree) {
2190 tv.secs = 0;
2191 tv.nsecs = 0;
2192 proto_tree_add_time_format_value(parent_tree, hf_date, tvb, offset, 4,
2193 &tv, "No time specified (0x%08x)",
2194 ((dos_date << 16) | dos_time));
2195 }
2196 offset += 4;
2197 return offset;
2198 }
2199
2200 tm.tm_sec = (dos_time & 0x1f) * 2;
2201 tm.tm_min = (dos_time>>5) & 0x3f;
2202 tm.tm_hour = (dos_time>>11) & 0x1f;
2203 tm.tm_mday = dos_date & 0x1f;
2204 tm.tm_mon = ((dos_date>>5) & 0x0f) - 1;
2205 tm.tm_year = ((dos_date>>9) & 0x7f) + 1980 - 1900;
2206 tm.tm_isdst = -1;
2207
2208 /*
2209 * Do some sanity checks before calling "mktime()";
2210 * "mktime()" doesn't do them, it "normalizes" out-of-range
2211 * values.
2212 */
2213 if ((tm.tm_sec > 59) || (tm.tm_min > 59) || (tm.tm_hour > 23) ||
2214 (tm.tm_mon < 0) || (tm.tm_mon > 11) ||
2215 (ISLEAP(tm.tm_year + 1900) ?
2216 (tm.tm_mday > mday_leap[tm.tm_mon]) :
2217 (tm.tm_mday > mday_noleap[tm.tm_mon])) ||
2218 ((t = mktime(&tm)) == -1)) {
2219 /*
2220 * Invalid date/time.
2221 */
2222 if (parent_tree) {
2223 tv.secs = 0;
2224 tv.nsecs = 0;
2225 item = proto_tree_add_time_format_value(parent_tree, hf_date, tvb, offset, 4,
2226 &tv, "Invalid time (0x%08x)", ((dos_date << 16) | dos_time));
2227 tree = proto_item_add_subtree(item, ett_smb_time_date);
2228 if (time_first) {
2229 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
2230 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
2231 } else {
2232 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
2233 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
2234 }
2235 }
2236 offset += 4;
2237 return offset;
2238 }
2239
2240 tv.secs = t;
2241 tv.nsecs = 0;
2242
2243 if (parent_tree) {
2244 item = proto_tree_add_time(parent_tree, hf_date, tvb, offset, 4, &tv);
2245 tree = proto_item_add_subtree(item, ett_smb_time_date);
2246 if (time_first) {
2247 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
2248 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset+2, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
2249 } else {
2250 proto_tree_add_uint_format(tree, hf_dos_date, tvb, offset, 2, dos_date, "DOS Date: %04d-%02d-%02d (0x%04x)", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, dos_date);
2251 proto_tree_add_uint_format(tree, hf_dos_time, tvb, offset+2, 2, dos_time, "DOS Time: %02d:%02d:%02d (0x%04x)", tm.tm_hour, tm.tm_min, tm.tm_sec, dos_time);
2252 }
2253 }
2254
2255 offset += 4;
2256
2257 return offset;
2258 }
2259
2260 static const true_false_string tfs_disposition_delete_on_close = {
2261 "DELETE this file when closed",
2262 "Normal access, do not delete on close"
2263 };
2264
2265 static const true_false_string tfs_pipe_info_flag = {
2266 "SET NAMED PIPE mode",
2267 "Clear NAMED PIPE mode"
2268 };
2269
2270
2271 static const value_string da_access_vals[] = {
2272 { 0, "Open for reading"},
2273 { 1, "Open for writing"},
2274 { 2, "Open for reading and writing"},
2275 { 3, "Open for execute"},
2276 {0, NULL}
2277 };
2278 static const value_string da_sharing_vals[] = {
2279 { 0, "Compatibility mode"},
2280 { 1, "Deny read/write/execute (exclusive)"},
2281 { 2, "Deny write"},
2282 { 3, "Deny read/execute"},
2283 { 4, "Deny none"},
2284 {0, NULL}
2285 };
2286 static const value_string da_locality_vals[] = {
2287 { 0, "Locality of reference unknown"},
2288 { 1, "Mainly sequential access"},
2289 { 2, "Mainly random access"},
2290 { 3, "Random access with some locality"},
2291 {0, NULL}
2292 };
2293 static const true_false_string tfs_da_caching = {
2294 "Do not cache this file",
2295 "Caching permitted on this file"
2296 };
2297 static const true_false_string tfs_da_writetru = {
2298 "Write through enabled",
2299 "Write through disabled"
2300 };
2301 static int
2302 dissect_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int hf_access)
2303 {
2304 static int * const flags[] = {
2305 &hf_smb_access_writetru,
2306 &hf_smb_access_caching,
2307 &hf_smb_access_locality,
2308 &hf_smb_access_sharing,
2309 &hf_smb_access_mode,
2310 NULL
2311 };
2312
2313 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_access, ett_smb_desiredaccess, flags, ENC_LITTLE_ENDIAN);
2314 offset += 2;
2315
2316 return offset;
2317 }
2318
2319 #define SMB_FILE_ATTRIBUTE_READ_ONLY 0x00000001
2320 #define SMB_FILE_ATTRIBUTE_HIDDEN 0x00000002
2321 #define SMB_FILE_ATTRIBUTE_SYSTEM 0x00000004
2322 #define SMB_FILE_ATTRIBUTE_VOLUME 0x00000008
2323 #define SMB_FILE_ATTRIBUTE_DIRECTORY 0x00000010
2324 #define SMB_FILE_ATTRIBUTE_ARCHIVE 0x00000020
2325 #define SMB_FILE_ATTRIBUTE_DEVICE 0x00000040
2326 #define SMB_FILE_ATTRIBUTE_NORMAL 0x00000080
2327 #define SMB_FILE_ATTRIBUTE_TEMPORARY 0x00000100
2328 #define SMB_FILE_ATTRIBUTE_SPARSE 0x00000200
2329 #define SMB_FILE_ATTRIBUTE_REPARSE 0x00000400
2330 #define SMB_FILE_ATTRIBUTE_COMPRESSED 0x00000800
2331 #define SMB_FILE_ATTRIBUTE_OFFLINE 0x00001000
2332 #define SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
2333 #define SMB_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
2334
2335 static const true_false_string tfs_file_attribute_read_only = {
2336 "READ ONLY",
2337 "NOT read only",
2338 };
2339 static const true_false_string tfs_file_attribute_hidden = {
2340 "HIDDEN",
2341 "NOT hidden"
2342 };
2343 static const true_false_string tfs_file_attribute_system = {
2344 "SYSTEM file/dir",
2345 "NOT a system file/dir"
2346 };
2347 static const true_false_string tfs_file_attribute_volume = {
2348 "VOLUME ID",
2349 "NOT a volume ID"
2350 };
2351 static const true_false_string tfs_file_attribute_directory = {
2352 "DIRECTORY",
2353 "NOT a directory"
2354 };
2355 static const true_false_string tfs_file_attribute_archive = {
2356 "Modified since last ARCHIVE",
2357 "Has NOT been modified since last archive"
2358 };
2359 static const true_false_string tfs_file_attribute_device = {
2360 "A DEVICE",
2361 "NOT a device"
2362 };
2363 static const true_false_string tfs_file_attribute_normal = {
2364 "An ordinary file/dir",
2365 "Has some attribute set"
2366 };
2367 static const true_false_string tfs_file_attribute_temporary = {
2368 "A TEMPORARY file",
2369 "NOT a temporary file"
2370 };
2371 static const true_false_string tfs_file_attribute_sparse = {
2372 "A SPARSE file",
2373 "NOT a sparse file"
2374 };
2375 static const true_false_string tfs_file_attribute_reparse = {
2376 "Has an associated REPARSE POINT",
2377 "Does NOT have an associated reparse point"
2378 };
2379 static const true_false_string tfs_file_attribute_compressed = {
2380 "COMPRESSED",
2381 "Uncompressed"
2382 };
2383 static const true_false_string tfs_file_attribute_offline = {
2384 "OFFLINE",
2385 "Online"
2386 };
2387 static const true_false_string tfs_file_attribute_not_content_indexed = {
2388 "CONTENT INDEXED",
2389 "NOT content indexed"
2390 };
2391 static const true_false_string tfs_file_attribute_encrypted = {
2392 "This is an ENCRYPTED file",
2393 "This is NOT an encrypted file"
2394 };
2395
2396 /*
2397 * Dissects an SMB_FILE_ATTRIBUTES, to use the term given to it by
2398 * section 2.2.1.2.4 of [MS-CIFS], in cases where it's just file attributes,
2399 * not search attributes.
2400 */
2401 static int
2402 dissect_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2403 {
2404 static int * const flags[] = {
2405 &hf_smb_file_attr_archive_16bit,
2406 &hf_smb_file_attr_directory_16bit,
2407 &hf_smb_file_attr_volume_16bit,
2408 &hf_smb_file_attr_system_16bit,
2409 &hf_smb_file_attr_hidden_16bit,
2410 &hf_smb_file_attr_read_only_16bit,
2411 NULL
2412 };
2413
2414 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_file_attr_16bit, ett_smb_file_attributes, flags, ENC_LITTLE_ENDIAN);
2415 offset += 2;
2416
2417 return offset;
2418 }
2419
2420 /*
2421 * 3.11 in the SNIA CIFS spec
2422 * SMB_EXT_FILE_ATTR, section 2.2.1.2.3 in the [MS-CIFS] spec
2423 */
2424 static int
2425 dissect_file_ext_attr_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
2426 int len, uint32_t mask)
2427 {
2428 proto_item *item;
2429 /*
2430 * XXX - Network Monitor disagrees on some of the
2431 * bits, e.g. the bits above temporary are "atomic write"
2432 * and "transaction write", and it says nothing about the
2433 * bits above that.
2434 *
2435 * Does the Win32 API documentation, or the NT Native API book,
2436 * suggest anything?
2437 */
2438 static int * const mask_fields[] = {
2439 &hf_smb_file_eattr_read_only,
2440 &hf_smb_file_eattr_hidden,
2441 &hf_smb_file_eattr_system,
2442 &hf_smb_file_eattr_volume,
2443 &hf_smb_file_eattr_directory,
2444 &hf_smb_file_eattr_archive,
2445 &hf_smb_file_eattr_device,
2446 &hf_smb_file_eattr_normal,
2447 &hf_smb_file_eattr_temporary,
2448 &hf_smb_file_eattr_sparse,
2449 &hf_smb_file_eattr_reparse,
2450 &hf_smb_file_eattr_compressed,
2451 &hf_smb_file_eattr_offline,
2452 &hf_smb_file_eattr_not_content_indexed,
2453 &hf_smb_file_eattr_encrypted,
2454 NULL
2455 };
2456
2457 item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset,
2458 hf_smb_file_eattr, ett_smb_file_attributes, mask_fields, mask, BMT_NO_APPEND);
2459 if (len == 0)
2460 proto_item_set_generated(item);
2461
2462 offset += len;
2463
2464 return offset;
2465 }
2466
2467 /* 3.11 */
2468 static int
2469 dissect_file_ext_attr(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2470 {
2471 uint32_t mask;
2472
2473 mask = tvb_get_letohl(tvb, offset);
2474
2475 offset = dissect_file_ext_attr_bits(tvb, parent_tree, offset, 4, mask);
2476
2477 return offset;
2478 }
2479
2480 static int
2481 dissect_dir_info_file_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2482 {
2483 static int * const flags[] = {
2484 &hf_smb_file_attr_read_only_8bit,
2485 &hf_smb_file_attr_hidden_8bit,
2486 &hf_smb_file_attr_system_8bit,
2487 &hf_smb_file_attr_volume_8bit,
2488 &hf_smb_file_attr_directory_8bit,
2489 &hf_smb_file_attr_archive_8bit,
2490 NULL
2491 };
2492
2493 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_file_attr_8bit, ett_smb_file_attributes, flags, ENC_NA);
2494 offset += 1;
2495
2496 return offset;
2497 }
2498
2499 static const true_false_string tfs_search_attribute_read_only = {
2500 "Include READ ONLY files in search results",
2501 "Do NOT include read only files in search results",
2502 };
2503 static const true_false_string tfs_search_attribute_hidden = {
2504 "Include HIDDEN files in search results",
2505 "Do NOT include hidden files in search results"
2506 };
2507 static const true_false_string tfs_search_attribute_system = {
2508 "Include SYSTEM files in search results",
2509 "Do NOT include system files in search results"
2510 };
2511 static const true_false_string tfs_search_attribute_volume = {
2512 "Include VOLUME IDs in search results",
2513 "Do NOT include volume IDs in search results"
2514 };
2515 static const true_false_string tfs_search_attribute_directory = {
2516 "Include DIRECTORIES in search results",
2517 "Do NOT include directories in search results"
2518 };
2519 static const true_false_string tfs_search_attribute_archive = {
2520 "Include ARCHIVE files in search results",
2521 "Do NOT include archive files in search results"
2522 };
2523
2524 /*
2525 * Dissects an SMB_FILE_ATTRIBUTES, to use the term given to it by
2526 * section 2.2.1.2.4 of [MS-CIFS], in cases where it's search attributes.
2527 */
2528 static int
2529 dissect_search_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2530 {
2531 static int * const flags[] = {
2532 &hf_smb_search_attribute_read_only,
2533 &hf_smb_search_attribute_hidden,
2534 &hf_smb_search_attribute_system,
2535 &hf_smb_search_attribute_volume,
2536 &hf_smb_search_attribute_directory,
2537 &hf_smb_search_attribute_archive,
2538 NULL
2539 };
2540
2541 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_search_attribute, ett_smb_search, flags, ENC_LITTLE_ENDIAN);
2542 offset += 2;
2543
2544 return offset;
2545 }
2546
2547 #if 0
2548 /*
2549 * XXX - this isn't used.
2550 * Is this used for anything? NT Create AndX doesn't use it.
2551 * Is there some 16-bit attribute field with more bits than Read Only,
2552 * Hidden, System, Volume ID, Directory, and Archive?
2553 */
2554 static int
2555 dissect_extended_file_attributes(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset)
2556 {
2557 static int * const flags[] = {
2558 &hf_smb_file_attr_read_only_16bit,
2559 &hf_smb_file_attr_hidden_16bit,
2560 &hf_smb_file_attr_system_16bit,
2561 &hf_smb_file_attr_volume_16bit,
2562 &hf_smb_file_attr_directory_16bit,
2563 &hf_smb_file_attr_archive_16bit,
2564 &hf_smb_file_attr_device,
2565 &hf_smb_file_attr_normal,
2566 &hf_smb_file_attr_temporary,
2567 &hf_smb_file_attr_sparse,
2568 &hf_smb_file_attr_reparse,
2569 &hf_smb_file_attr_compressed,
2570 &hf_smb_file_attr_offline,
2571 &hf_smb_file_attr_not_content_indexed,
2572 &hf_smb_file_attr_encrypted,
2573 NULL
2574 };
2575
2576 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_file_eattr, ett_smb_file_attributes, flags, ENC_LITTLE_ENDIAN);
2577 offset += 2;
2578
2579 return offset;
2580 }
2581 #endif
2582
2583
2584 #define SERVER_CAP_RAW_MODE 0x00000001
2585 #define SERVER_CAP_MPX_MODE 0x00000002
2586 #define SERVER_CAP_UNICODE 0x00000004
2587 #define SERVER_CAP_LARGE_FILES 0x00000008
2588 #define SERVER_CAP_NT_SMBS 0x00000010
2589 #define SERVER_CAP_RPC_REMOTE_APIS 0x00000020
2590 #define SERVER_CAP_STATUS32 0x00000040
2591 #define SERVER_CAP_LEVEL_II_OPLOCKS 0x00000080
2592 #define SERVER_CAP_LOCK_AND_READ 0x00000100
2593 #define SERVER_CAP_NT_FIND 0x00000200
2594 #define SERVER_CAP_DFS 0x00001000
2595 #define SERVER_CAP_INFOLEVEL_PASSTHRU 0x00002000
2596 #define SERVER_CAP_LARGE_READX 0x00004000
2597 #define SERVER_CAP_LARGE_WRITEX 0x00008000
2598 #define SERVER_CAP_LWIO 0x00010000
2599 #define SERVER_CAP_UNIX 0x00800000
2600 #define SERVER_CAP_COMPRESSED_DATA 0x02000000
2601 #define SERVER_CAP_DYNAMIC_REAUTH 0x20000000
2602 #define SERVER_CAP_EXTENDED_SECURITY 0x80000000
2603
2604 static const true_false_string tfs_server_cap_raw_mode = {
2605 "Read Raw and Write Raw are supported",
2606 "Read Raw and Write Raw are not supported"
2607 };
2608 static const true_false_string tfs_server_cap_mpx_mode = {
2609 "Read Mpx and Write Mpx are supported",
2610 "Read Mpx and Write Mpx are not supported"
2611 };
2612 static const true_false_string tfs_server_cap_unicode = {
2613 "Unicode strings are supported",
2614 "Unicode strings are not supported"
2615 };
2616 static const true_false_string tfs_server_cap_large_files = {
2617 "Large files are supported",
2618 "Large files are not supported",
2619 };
2620 static const true_false_string tfs_server_cap_nt_smbs = {
2621 "NT SMBs are supported",
2622 "NT SMBs are not supported"
2623 };
2624 static const true_false_string tfs_server_cap_rpc_remote_apis = {
2625 "RPC remote APIs are supported",
2626 "RPC remote APIs are not supported"
2627 };
2628 static const true_false_string tfs_server_cap_nt_status = {
2629 "NT status codes are supported",
2630 "NT status codes are not supported"
2631 };
2632 static const true_false_string tfs_server_cap_level_ii_oplocks = {
2633 "Level 2 oplocks are supported",
2634 "Level 2 oplocks are not supported"
2635 };
2636 static const true_false_string tfs_server_cap_lock_and_read = {
2637 "Lock and Read is supported",
2638 "Lock and Read is not supported"
2639 };
2640 static const true_false_string tfs_server_cap_nt_find = {
2641 "NT Find is supported",
2642 "NT Find is not supported"
2643 };
2644 static const true_false_string tfs_server_cap_dfs = {
2645 "Dfs is supported",
2646 "Dfs is not supported"
2647 };
2648 static const true_false_string tfs_server_cap_infolevel_passthru = {
2649 "NT information level request passthrough is supported",
2650 "NT information level request passthrough is not supported"
2651 };
2652 static const true_false_string tfs_server_cap_large_readx = {
2653 "Large Read andX is supported",
2654 "Large Read andX is not supported"
2655 };
2656 static const true_false_string tfs_server_cap_large_writex = {
2657 "Large Write andX is supported",
2658 "Large Write andX is not supported"
2659 };
2660 static const true_false_string tfs_server_cap_lwio = {
2661 "LWIO ioctl/fsctl is supported",
2662 "LWIO ioctl/fsctl is not supported"
2663 };
2664 static const true_false_string tfs_server_cap_unix = {
2665 "UNIX extensions are supported",
2666 "UNIX extensions are not supported"
2667 };
2668 static const true_false_string tfs_server_cap_compressed_data = {
2669 "Compressed data transfer is supported",
2670 "Compressed data transfer is not supported"
2671 };
2672 static const true_false_string tfs_server_cap_dynamic_reauth = {
2673 "Dynamic Reauth is supported",
2674 "Dynamic Reauth is not supported"
2675 };
2676 static const true_false_string tfs_server_cap_extended_security = {
2677 "Extended security exchanges are supported",
2678 "Extended security exchanges are not supported"
2679 };
2680 static int
2681 dissect_negprot_capabilities(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2682 {
2683 uint32_t mask;
2684
2685 static int * const flags[] = {
2686 &hf_smb_server_cap_raw_mode,
2687 &hf_smb_server_cap_mpx_mode,
2688 &hf_smb_server_cap_unicode,
2689 &hf_smb_server_cap_large_files,
2690 &hf_smb_server_cap_nt_smbs,
2691 &hf_smb_server_cap_rpc_remote_apis,
2692 &hf_smb_server_cap_nt_status,
2693 &hf_smb_server_cap_level_ii_oplocks,
2694 &hf_smb_server_cap_lock_and_read,
2695 &hf_smb_server_cap_nt_find,
2696 &hf_smb_server_cap_dfs,
2697 &hf_smb_server_cap_infolevel_passthru,
2698 &hf_smb_server_cap_large_readx,
2699 &hf_smb_server_cap_large_writex,
2700 &hf_smb_server_cap_lwio,
2701 &hf_smb_server_cap_unix,
2702 &hf_smb_server_cap_compressed_data,
2703 &hf_smb_server_cap_dynamic_reauth,
2704 &hf_smb_server_cap_extended_security,
2705 NULL
2706 };
2707
2708 mask = tvb_get_letohl(tvb, offset);
2709 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_server_cap, ett_smb_capabilities, flags, ENC_LITTLE_ENDIAN);
2710
2711 return mask;
2712 }
2713
2714 #define RAWMODE_READ 0x0001
2715 #define RAWMODE_WRITE 0x0002
2716 static const true_false_string tfs_rm_read = {
2717 "Read Raw is supported",
2718 "Read Raw is not supported"
2719 };
2720 static const true_false_string tfs_rm_write = {
2721 "Write Raw is supported",
2722 "Write Raw is not supported"
2723 };
2724
2725 static int
2726 dissect_negprot_rawmode(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
2727 {
2728 static int * const flags[] = {
2729 &hf_smb_rm_read,
2730 &hf_smb_rm_write,
2731 NULL
2732 };
2733
2734 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_rm, ett_smb_rawmode, flags, ENC_LITTLE_ENDIAN);
2735
2736 offset += 2;
2737
2738 return offset;
2739 }
2740
2741 #define SECURITY_MODE_MODE 0x01
2742 #define SECURITY_MODE_PASSWORD 0x02
2743 #define SECURITY_MODE_SIGNATURES 0x04
2744 #define SECURITY_MODE_SIG_REQUIRED 0x08
2745 static const true_false_string tfs_sm_mode = {
2746 "USER security mode",
2747 "SHARE security mode"
2748 };
2749 static const true_false_string tfs_sm_password = {
2750 "ENCRYPTED password. Use challenge/response",
2751 "PLAINTEXT password"
2752 };
2753 static const true_false_string tfs_sm_signatures = {
2754 "Security signatures ENABLED",
2755 "Security signatures NOT enabled"
2756 };
2757 static const true_false_string tfs_sm_sig_required = {
2758 "Security signatures REQUIRED",
2759 "Security signatures NOT required"
2760 };
2761
2762 static int
2763 dissect_negprot_security_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int wc)
2764 {
2765 static int * const flags13[] = {
2766 &hf_smb_sm_mode16,
2767 &hf_smb_sm_password16,
2768 NULL
2769 };
2770 static int * const flags17[] = {
2771 &hf_smb_sm_mode,
2772 &hf_smb_sm_password,
2773 &hf_smb_sm_signatures,
2774 &hf_smb_sm_sig_required,
2775 NULL
2776 };
2777
2778 switch(wc) {
2779 case 13:
2780 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_sm16, ett_smb_mode, flags13, ENC_LITTLE_ENDIAN);
2781 offset += 2;
2782 break;
2783
2784 case 17:
2785 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_sm, ett_smb_mode, flags17, ENC_LITTLE_ENDIAN);
2786 offset += 1;
2787 break;
2788 }
2789
2790 return offset;
2791 }
2792
2793 #define MAX_DIALECTS 20
2794 struct negprot_dialects {
2795 int num;
2796 char *name[MAX_DIALECTS+1];
2797 };
2798
2799 static int
2800 dissect_negprot_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
2801 {
2802 proto_tree *tr = NULL;
2803 proto_item *ti;
2804 uint16_t bc;
2805 uint8_t wc;
2806 struct negprot_dialects *dialects = NULL;
2807
2808 DISSECTOR_ASSERT(si);
2809
2810 WORD_COUNT;
2811
2812 BYTE_COUNT;
2813
2814 tr = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb_dialects, &ti, "Requested Dialects");
2815
2816 if (!pinfo->fd->visited && si->sip) {
2817 dialects = wmem_new(wmem_file_scope(), struct negprot_dialects);
2818 dialects->num = 0;
2819 si->sip->extra_info_type = SMB_EI_DIALECTS;
2820 si->sip->extra_info = dialects;
2821 }
2822
2823 while (bc) {
2824 int len;
2825 const uint8_t *str;
2826 proto_item *dit = NULL;
2827 proto_tree *dtr = NULL;
2828
2829 /* XXX - what if this runs past bc? */
2830 tvb_ensure_bytes_exist(tvb, offset+1, 1);
2831
2832 /* XXX: This is an OEM String according to MS-CIFS and
2833 * should use the local OEM (extended ASCII DOS) code page,
2834 * It doesn't appear than any known dialect strings use
2835 * anything outside ASCII, though.
2836 *
2837 * There could be a dissector preference for local code page.
2838 */
2839 str = tvb_get_stringz_enc(pinfo->pool, tvb, offset+1, &len, ENC_ASCII);
2840
2841 if (tr) {
2842 dit = proto_tree_add_string(tr, hf_smb_dialect, tvb, offset, len+1, str);
2843 dtr = proto_item_add_subtree(dit, ett_smb_dialect);
2844 }
2845
2846 /* Buffer Format */
2847 CHECK_BYTE_COUNT(1);
2848 proto_tree_add_item(dtr, hf_smb_buffer_format, tvb, offset, 1,
2849 ENC_LITTLE_ENDIAN);
2850 COUNT_BYTES(1);
2851
2852 /*Dialect Name */
2853 CHECK_BYTE_COUNT(len);
2854 proto_tree_add_item(dtr, hf_smb_dialect_name, tvb,
2855 offset, len, ENC_ASCII);
2856 COUNT_BYTES(len);
2857
2858 if (!pinfo->fd->visited && dialects && (dialects->num < MAX_DIALECTS)) {
2859 dialects->name[dialects->num++] = wmem_strdup(wmem_file_scope(), str);
2860 }
2861 }
2862 proto_item_set_len(ti, bc);
2863
2864 END_OF_SMB
2865
2866 return offset;
2867 }
2868
2869 static int
2870 dissect_negprot_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
2871 {
2872 uint8_t wc;
2873 uint16_t dialect;
2874 const char *dn;
2875 int dn_len;
2876 uint16_t bc;
2877 uint16_t chl = 0;
2878 uint32_t caps = 0;
2879 int16_t tz;
2880 const char *dialect_name = NULL;
2881 struct negprot_dialects *dialects = NULL;
2882
2883 DISSECTOR_ASSERT(si);
2884
2885 WORD_COUNT;
2886
2887 /* Dialect Index */
2888 dialect = tvb_get_letohs(tvb, offset);
2889
2890 if (si->sip && (si->sip->extra_info_type == SMB_EI_DIALECTS)) {
2891 dialects = (struct negprot_dialects *)si->sip->extra_info;
2892 if (dialect < dialects->num) {
2893 dialect_name = dialects->name[dialect];
2894 }
2895 }
2896 if (!dialect_name) {
2897 dialect_name = "unknown";
2898 }
2899
2900 switch(wc) {
2901 case 1:
2902 if (dialect == 0xffff) {
2903 /*
2904 * Server doesn't support any of the dialects the
2905 * client listed.
2906 */
2907 proto_tree_add_uint_format_value(tree, hf_smb_dialect_index,
2908 tvb, offset, 2, dialect,
2909 "-1, server does not support any of the listed dialects");
2910 } else {
2911 /*
2912 * A dialect was selected; this should be
2913 * Core Protocol.
2914 */
2915 proto_tree_add_uint(tree, hf_smb_dialect_index,
2916 tvb, offset, 2, dialect);
2917 }
2918 break;
2919 case 13:
2920 /*
2921 * Server selected a dialect from LAN Manager 1.0 through
2922 * LAN Manager 2.1.
2923 */
2924 proto_tree_add_uint_format_value(tree, hf_smb_dialect_index,
2925 tvb, offset, 2, dialect,
2926 "%u, Greater than CORE PROTOCOL and up to LANMAN2.1", dialect);
2927 break;
2928 case 17:
2929 /*
2930 * Server selected NT LAN Manager.
2931 */
2932 proto_tree_add_uint_format_value(tree, hf_smb_dialect_index,
2933 tvb, offset, 2, dialect,
2934 "%u: %s", dialect, dialect_name);
2935 break;
2936 default:
2937 proto_tree_add_item(tree, hf_smb_word_unk_response_format, tvb, offset, wc*2, ENC_NA);
2938 offset += wc*2;
2939 goto bytecount;
2940 }
2941 offset += 2;
2942
2943 switch(wc) {
2944 case 13:
2945 /*
2946 * Server selected a dialect from LAN Manager 1.0 through
2947 * LAN Manager 2.1.
2948 */
2949
2950 /* Security Mode */
2951 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
2952
2953 /* Maximum Transmit Buffer Size */
2954 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
2955 tvb, offset, 2, ENC_LITTLE_ENDIAN);
2956 offset += 2;
2957
2958 /* Maximum Multiplex Count */
2959 proto_tree_add_item(tree, hf_smb_max_mpx_count,
2960 tvb, offset, 2, ENC_LITTLE_ENDIAN);
2961 offset += 2;
2962
2963 /* Maximum Vcs Number */
2964 proto_tree_add_item(tree, hf_smb_max_vcs_num,
2965 tvb, offset, 2, ENC_LITTLE_ENDIAN);
2966 offset += 2;
2967
2968 /* raw mode */
2969 offset = dissect_negprot_rawmode(tvb, tree, offset);
2970
2971 /* session key */
2972 proto_tree_add_item(tree, hf_smb_session_key,
2973 tvb, offset, 4, ENC_LITTLE_ENDIAN);
2974 offset += 4;
2975
2976 /* current time and date at server */
2977 offset = dissect_smb_datetime(tvb, tree, offset, hf_smb_server_date_time, hf_smb_server_smb_date, hf_smb_server_smb_time,
2978 true);
2979
2980 /* time zone */
2981 tz = tvb_get_letohs(tvb, offset);
2982 proto_tree_add_int_format_value(tree, hf_smb_server_timezone, tvb, offset, 2, tz, "%d min from UTC", tz);
2983 offset += 2;
2984
2985 /*
2986 * The LAN Manager 1 and 2.0 specs say these are the
2987 * first 2 of 4 reserved bytes; the LAN Manager 2.1
2988 * spec says it's a 2-byte encryption key (challenge)
2989 * length.
2990 */
2991 chl = tvb_get_letohs(tvb, offset);
2992 proto_tree_add_uint(tree, hf_smb_challenge_length, tvb, offset, 2, chl);
2993 offset += 2;
2994
2995 /* 2 reserved bytes */
2996 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
2997 offset += 2;
2998
2999 break;
3000
3001 case 17:
3002 /*
3003 * Server selected NT LAN Manager.
3004 */
3005
3006 /* Security Mode */
3007 offset = dissect_negprot_security_mode(tvb, tree, offset, wc);
3008
3009 /* Maximum Multiplex Count */
3010 proto_tree_add_item(tree, hf_smb_max_mpx_count,
3011 tvb, offset, 2, ENC_LITTLE_ENDIAN);
3012 offset += 2;
3013
3014 /* Maximum Vcs Number */
3015 proto_tree_add_item(tree, hf_smb_max_vcs_num,
3016 tvb, offset, 2, ENC_LITTLE_ENDIAN);
3017 offset += 2;
3018
3019 /* Maximum Transmit Buffer Size */
3020 proto_tree_add_item(tree, hf_smb_max_trans_buf_size,
3021 tvb, offset, 4, ENC_LITTLE_ENDIAN);
3022 offset += 4;
3023
3024 /* maximum raw buffer size */
3025 proto_tree_add_item(tree, hf_smb_max_raw_buf_size,
3026 tvb, offset, 4, ENC_LITTLE_ENDIAN);
3027 offset += 4;
3028
3029 /* session key */
3030 proto_tree_add_item(tree, hf_smb_session_key,
3031 tvb, offset, 4, ENC_LITTLE_ENDIAN);
3032 offset += 4;
3033
3034 /* server capabilities */
3035 caps = dissect_negprot_capabilities(tvb, tree, offset);
3036 offset += 4;
3037
3038 /* system time */
3039 dissect_nttime(tvb, tree, offset,
3040 hf_smb_system_time, ENC_LITTLE_ENDIAN);
3041 offset += 8;
3042
3043 /* time zone */
3044 tz = tvb_get_letohs(tvb, offset);
3045 proto_tree_add_int_format_value(tree, hf_smb_server_timezone,
3046 tvb, offset, 2, tz,
3047 "%d min from UTC", tz);
3048 offset += 2;
3049
3050 /* challenge length */
3051 chl = tvb_get_uint8(tvb, offset);
3052 proto_tree_add_uint(tree, hf_smb_challenge_length,
3053 tvb, offset, 1, chl);
3054 offset += 1;
3055
3056 break;
3057 }
3058
3059 BYTE_COUNT;
3060
3061 switch(wc) {
3062 case 13:
3063 /*
3064 * Server selected a dialect from LAN Manager 1.0 through
3065 * LAN Manager 2.1.
3066 */
3067
3068 /* encrypted challenge/response data */
3069 if (chl) {
3070 CHECK_BYTE_COUNT(chl);
3071 proto_tree_add_item(tree, hf_smb_challenge, tvb, offset, chl, ENC_NA);
3072 COUNT_BYTES(chl);
3073 }
3074
3075 /*
3076 * Primary domain.
3077 *
3078 * XXX - not present if negotiated dialect isn't
3079 * "DOS LANMAN 2.1" or "LANMAN2.1", but we'd either
3080 * have to see the request, or assume what dialect strings
3081 * were sent, to determine that.
3082 *
3083 * Is this something other than a primary domain if the
3084 * negotiated dialect is Windows for Workgroups 3.1a?
3085 * It appears to be 8 bytes of binary data in at least
3086 * one capture - is that an encryption key or something
3087 * such as that?
3088 */
3089 dn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
3090 si->unicode, &dn_len, false, false, &bc);
3091 if (dn == NULL)
3092 goto endofcommand;
3093 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
3094 offset, dn_len, dn);
3095 COUNT_BYTES(dn_len);
3096 break;
3097
3098 case 17:
3099 /*
3100 * Server selected NT LAN Manager.
3101 */
3102 if (!(caps & SERVER_CAP_EXTENDED_SECURITY)) {
3103 /* encrypted challenge/response data */
3104 /* XXX - is this aligned on an even boundary? */
3105 if (chl) {
3106 CHECK_BYTE_COUNT(chl);
3107 proto_tree_add_item(tree, hf_smb_challenge,
3108 tvb, offset, chl, ENC_NA);
3109 COUNT_BYTES(chl);
3110 }
3111
3112 /* domain */
3113 /*
3114 * This string is special; at least in some captures,
3115 * it's in Unicode, even if "Unicode strings" isn't
3116 * set in the flags2 field. If the "Unicode support"
3117 * flag is set in the server capabilities field,
3118 * that seems to indicate that it's in Unicode for
3119 * those captures.
3120 *
3121 * So fetch it in Unicode either if it's set in the
3122 * flags2 field *or* in the capabilities field.
3123 *
3124 * XXX - I've seen captures where "Unicode strings"
3125 * isn't set, "Unicode support" is set in the server
3126 * capabilities field, and the primary domain string
3127 * is in the local code page; that may just have
3128 * a buggy server, though.
3129 *
3130 * Clients tend, at least according to the
3131 * footnote in MS-CIFS for the DomainName field
3132 * in the Negotiate response, to ignore that
3133 * field, so maybe servers put extra bytes in
3134 * there without clients noticing.
3135 */
3136 si->unicode = (caps & SERVER_CAP_UNICODE) || si->unicode;
3137
3138 /*
3139 * If we're fetching Unicode strings:
3140 *
3141 * This string is NOT padded to be 16-bit
3142 * aligned; it's unaligned in some captures.
3143 *
3144 * However, it sometimes has an extra byte
3145 * before it. If the byte count is not a
3146 * multiple of 2, there must be an extra byte
3147 * somewhere; it appears to be the byte just
3148 * before this string, so check for an odd
3149 * byte count, and skip that byte.
3150 *
3151 * If we're fetching local code page strings:
3152 *
3153 * In some cases there appears to be an extra
3154 * byte before it. It's not clear what
3155 * indicates its presence, if anything.
3156 *
3157 * However, at least one of those cases
3158 * was one of the "the server set the
3159 * Unicode support flag in capabilities,
3160 * but sent the domain name in the local
3161 * code page" captures mentioned above,
3162 * so maybe it was just a buggy server.
3163 *
3164 * Again, as noted above, clients may just
3165 * ignore that field, leaving servers "free"
3166 * to mess it up.
3167 */
3168 if (si->unicode && (bc % 2) != 0) {
3169 /* Skip the padding */
3170 CHECK_BYTE_COUNT(1);
3171 COUNT_BYTES(1);
3172 }
3173 dn = get_unicode_or_ascii_string(pinfo->pool, tvb,
3174 &offset, si->unicode, &dn_len, true, false,
3175 &bc);
3176 if (dn == NULL)
3177 goto endofcommand;
3178 proto_tree_add_string(tree, hf_smb_primary_domain,
3179 tvb, offset, dn_len, dn);
3180 COUNT_BYTES(dn_len);
3181
3182 /* server name, seen in w2k pro capture */
3183 dn = get_unicode_or_ascii_string(pinfo->pool, tvb,
3184 &offset, si->unicode, &dn_len, true, false,
3185 &bc);
3186 if (dn == NULL)
3187 goto endofcommand;
3188 proto_tree_add_string(tree, hf_smb_server,
3189 tvb, offset, dn_len, dn);
3190 COUNT_BYTES(dn_len);
3191
3192 } else {
3193 proto_item *blob_item;
3194 uint16_t sbloblen;
3195
3196 /* guid */
3197 /* XXX - show it in the standard Microsoft format
3198 for GUIDs? */
3199 CHECK_BYTE_COUNT(16);
3200 proto_tree_add_item(tree, hf_smb_server_guid,
3201 tvb, offset, 16, ENC_NA);
3202 COUNT_BYTES(16);
3203
3204 /* security blob */
3205 /* If it runs past the end of the captured data, don't
3206 * try to put all of it into the protocol tree as the
3207 * raw security blob; we might get an exception on
3208 * short frames and then we will not see anything at all
3209 * of the security blob.
3210 */
3211 sbloblen = bc;
3212 if (sbloblen > tvb_reported_length_remaining(tvb, offset)) {
3213 sbloblen = tvb_reported_length_remaining(tvb, offset);
3214 }
3215 blob_item = proto_tree_add_item(
3216 tree, hf_smb_security_blob,
3217 tvb, offset, sbloblen, ENC_NA);
3218
3219 /*
3220 * If Extended security and BCC == 16, then raw
3221 * NTLMSSP is in use. We need to save this info
3222 */
3223
3224 if (bc) {
3225 tvbuff_t *gssapi_tvb;
3226 proto_tree *gssapi_tree;
3227
3228 gssapi_tree = proto_item_add_subtree(
3229 blob_item, ett_smb_secblob);
3230
3231 /*
3232 * Set the reported length of this to
3233 * the reported length of the blob,
3234 * rather than the amount of data
3235 * available from the blob, so that
3236 * we'll throw the right exception if
3237 * it's too short.
3238 */
3239 gssapi_tvb = tvb_new_subset_length_caplen(
3240 tvb, offset, sbloblen, bc);
3241
3242 call_dissector(
3243 gssapi_handle, gssapi_tvb, pinfo,
3244 gssapi_tree);
3245
3246 if (si->ct)
3247 si->ct->raw_ntlmssp = 0;
3248
3249 COUNT_BYTES(bc);
3250 }
3251 else {
3252
3253 /*
3254 * There is no blob. We just have to make sure
3255 * that subsequent routines know to call the
3256 * right things ...
3257 */
3258
3259 if (si->ct)
3260 si->ct->raw_ntlmssp = 1;
3261
3262 }
3263 }
3264 break;
3265 }
3266
3267 END_OF_SMB
3268
3269 return offset;
3270 }
3271
3272
3273 static int
3274 dissect_old_dir_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3275 {
3276 int dn_len;
3277 const char *dn;
3278 uint8_t wc;
3279 uint16_t bc;
3280
3281 DISSECTOR_ASSERT(si);
3282
3283 WORD_COUNT;
3284
3285 BYTE_COUNT;
3286
3287 /* buffer format */
3288 CHECK_BYTE_COUNT(1);
3289 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3290 COUNT_BYTES(1);
3291
3292 /* dir name */
3293 dn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &dn_len,
3294 false, false, &bc);
3295
3296 if ((!pinfo->fd->visited) && si->sip) {
3297 si->sip->extra_info_type = SMB_EI_FILENAME;
3298 si->sip->extra_info = wmem_strdup(wmem_file_scope(), dn);
3299 }
3300
3301 if (dn == NULL)
3302 goto endofcommand;
3303 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, dn_len,
3304 dn);
3305 COUNT_BYTES(dn_len);
3306
3307 col_append_fstr(pinfo->cinfo, COL_INFO, ", Directory: %s",
3308 format_text(pinfo->pool, (const unsigned char *)dn, strlen(dn)));
3309
3310 END_OF_SMB
3311
3312 return offset;
3313 }
3314
3315 static int
3316 dissect_empty(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3317 {
3318 uint8_t wc;
3319 uint16_t bc;
3320 proto_item *item = NULL;
3321
3322 DISSECTOR_ASSERT(si);
3323
3324 if (si->sip && (si->sip->extra_info_type == SMB_EI_FILENAME)) {
3325 item = proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, (const char *)si->sip->extra_info);
3326 proto_item_set_generated(item);
3327 }
3328
3329
3330 WORD_COUNT;
3331
3332 BYTE_COUNT;
3333
3334 END_OF_SMB
3335
3336 return offset;
3337 }
3338
3339 static int
3340 dissect_rename_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3341 {
3342 uint8_t wc;
3343 uint16_t bc;
3344 proto_item *item = NULL;
3345
3346 DISSECTOR_ASSERT(si);
3347
3348 if (si->sip && (si->sip->extra_info_type == SMB_EI_RENAMEDATA)) {
3349 smb_rename_saved_info_t *rni = (smb_rename_saved_info_t *)si->sip->extra_info;
3350
3351 item = proto_tree_add_string(tree, hf_smb_old_file_name, tvb, 0, 0, rni->old_name);
3352 proto_item_set_generated(item);
3353 item = proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, rni->new_name);
3354 proto_item_set_generated(item);
3355 }
3356
3357
3358 WORD_COUNT;
3359
3360 BYTE_COUNT;
3361
3362 END_OF_SMB
3363
3364 return offset;
3365 }
3366
3367 static int
3368 dissect_echo_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
3369 {
3370 uint16_t ec, bc;
3371 uint8_t wc;
3372
3373 WORD_COUNT;
3374
3375 /* echo count */
3376 ec = tvb_get_letohs(tvb, offset);
3377 proto_tree_add_uint(tree, hf_smb_echo_count, tvb, offset, 2, ec);
3378 offset += 2;
3379
3380 BYTE_COUNT;
3381
3382 if (bc != 0) {
3383 /* echo data */
3384 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, ENC_NA);
3385 COUNT_BYTES(bc);
3386 }
3387
3388 END_OF_SMB
3389
3390 return offset;
3391 }
3392
3393 static int
3394 dissect_echo_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
3395 {
3396 uint16_t bc;
3397 uint8_t wc;
3398
3399 WORD_COUNT;
3400
3401 /* echo sequence number */
3402 proto_tree_add_item(tree, hf_smb_echo_seq_num, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3403 offset += 2;
3404
3405 BYTE_COUNT;
3406
3407 if (bc != 0) {
3408 /* echo data */
3409 proto_tree_add_item(tree, hf_smb_echo_data, tvb, offset, bc, ENC_NA);
3410 COUNT_BYTES(bc);
3411 }
3412
3413 END_OF_SMB
3414
3415 return offset;
3416 }
3417
3418 static int
3419 dissect_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3420 {
3421 int an_len, pwlen;
3422 const char *an;
3423 uint8_t wc;
3424 uint16_t bc;
3425
3426 DISSECTOR_ASSERT(si);
3427
3428 WORD_COUNT;
3429
3430 BYTE_COUNT;
3431
3432 /* buffer format */
3433 CHECK_BYTE_COUNT(1);
3434 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3435 COUNT_BYTES(1);
3436
3437 /* Path */
3438 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
3439 si->unicode, &an_len, false, false, &bc);
3440 if (an == NULL)
3441 goto endofcommand;
3442 proto_tree_add_string(tree, hf_smb_path, tvb,
3443 offset, an_len, an);
3444 COUNT_BYTES(an_len);
3445
3446 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3447 format_text(pinfo->pool, (const unsigned char*)an, strlen(an)));
3448
3449 /* buffer format */
3450 CHECK_BYTE_COUNT(1);
3451 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3452 COUNT_BYTES(1);
3453
3454 /* password, ANSI */
3455 /* XXX - what if this runs past bc? */
3456 pwlen = tvb_strsize(tvb, offset);
3457 CHECK_BYTE_COUNT(pwlen);
3458 proto_tree_add_item(tree, hf_smb_password,
3459 tvb, offset, pwlen, ENC_NA);
3460 COUNT_BYTES(pwlen);
3461
3462 /* buffer format */
3463 CHECK_BYTE_COUNT(1);
3464 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3465 COUNT_BYTES(1);
3466
3467 /* Service */
3468 /*
3469 * XXX - the SNIA CIFS spec "Strings that are never passed in
3470 * Unicode are: ... The service name string in the
3471 * Tree_Connect_AndX SMB". Is that claim false?
3472 */
3473 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
3474 si->unicode, &an_len, false, false, &bc);
3475 if (an == NULL)
3476 goto endofcommand;
3477 proto_tree_add_string(tree, hf_smb_service, tvb,
3478 offset, an_len, an);
3479 COUNT_BYTES(an_len);
3480
3481 END_OF_SMB
3482
3483 return offset;
3484 }
3485
3486 static int
3487 dissect_smb_uid(tvbuff_t *tvb, proto_tree *parent_tree, int offset, smb_info_t *si)
3488 {
3489 proto_item *item, *subitem;
3490 proto_tree *tree;
3491 smb_uid_t *smb_uid = NULL;
3492
3493 item = proto_tree_add_uint(parent_tree, hf_smb_uid, tvb, offset, 2, si->uid);
3494 tree = proto_item_add_subtree(item, ett_smb_uid);
3495
3496 smb_uid = (smb_uid_t *)wmem_tree_lookup32(si->ct->uid_tree, si->uid);
3497 if (smb_uid) {
3498 if (smb_uid->domain && smb_uid->account)
3499 proto_item_append_text(item, " (");
3500 if (smb_uid->domain) {
3501 proto_item_append_text(item, "%s", smb_uid->domain);
3502 subitem = proto_tree_add_string(tree, hf_smb_primary_domain, tvb, 0, 0, smb_uid->domain);
3503 proto_item_set_generated(subitem);
3504 }
3505 if (smb_uid->account) {
3506 proto_item_append_text(item, "\\%s", smb_uid->account);
3507 subitem = proto_tree_add_string(tree, hf_smb_account, tvb, 0, 0, smb_uid->account);
3508 proto_item_set_generated(subitem);
3509 }
3510 if (smb_uid->domain && smb_uid->account)
3511 proto_item_append_text(item, ")");
3512 if (smb_uid->logged_in > 0) {
3513 subitem = proto_tree_add_uint(tree, hf_smb_logged_in, tvb, 0, 0, smb_uid->logged_in);
3514 proto_item_set_generated(subitem);
3515 }
3516 if (smb_uid->logged_out > 0) {
3517 subitem = proto_tree_add_uint(tree, hf_smb_logged_out, tvb, 0, 0, smb_uid->logged_out);
3518 proto_item_set_generated(subitem);
3519 }
3520 }
3521 offset += 2;
3522
3523 return offset;
3524 }
3525
3526 static int
3527 dissect_smb_tid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, uint16_t tid, bool is_created, bool is_closed, smb_info_t *si)
3528 {
3529 proto_item *it;
3530 proto_tree *tr;
3531 smb_tid_info_t *tid_info = NULL;
3532
3533 DISSECTOR_ASSERT(si);
3534
3535 /* tid */
3536 it = proto_tree_add_uint(tree, hf_smb_tid, tvb, offset, 2, tid);
3537 tr = proto_item_add_subtree(it, ett_smb_tid);
3538 offset += 2;
3539
3540 if ((!pinfo->fd->visited) && is_created) {
3541 tid_info = wmem_new(wmem_file_scope(), smb_tid_info_t);
3542 tid_info->opened_in = pinfo->num;
3543 tid_info->closed_in = 0;
3544 tid_info->type = SMB_FID_TYPE_UNKNOWN;
3545 if (si->sip && (si->sip->extra_info_type == SMB_EI_TIDNAME)) {
3546 tid_info->filename = (char *)si->sip->extra_info;
3547 } else {
3548 tid_info->filename = NULL;
3549 }
3550 wmem_tree_insert32(si->ct->tid_tree, tid, tid_info);
3551 }
3552
3553 if (!tid_info) {
3554 tid_info = (smb_tid_info_t *)wmem_tree_lookup32_le(si->ct->tid_tree, tid);
3555 }
3556 if (!tid_info) {
3557 return offset;
3558 }
3559
3560 if ((!pinfo->fd->visited) && is_closed) {
3561 tid_info->closed_in = pinfo->num;
3562 }
3563
3564 if (tid_info->opened_in) {
3565 if (tid_info->filename) {
3566 proto_item_append_text(it, " (%s)", tid_info->filename);
3567
3568 it = proto_tree_add_string(tr, hf_smb_path, tvb, 0, 0, tid_info->filename);
3569 proto_item_set_generated(it);
3570 }
3571
3572 it = proto_tree_add_uint(tr, hf_smb_mapped_in, tvb, 0, 0, tid_info->opened_in);
3573 proto_item_set_generated(it);
3574 }
3575 if (tid_info->closed_in) {
3576 it = proto_tree_add_uint(tr, hf_smb_unmapped_in, tvb, 0, 0, tid_info->closed_in);
3577 proto_item_set_generated(it);
3578 }
3579
3580
3581 return offset;
3582 }
3583
3584 static int
3585 dissect_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3586 {
3587 uint8_t wc;
3588 uint16_t bc;
3589
3590 WORD_COUNT;
3591
3592 /* Maximum Buffer Size */
3593 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3594 offset += 2;
3595
3596 /* tid */
3597 offset = dissect_smb_tid(tvb, pinfo, tree, offset, tvb_get_letohs(tvb, offset), true, false, si);
3598
3599 BYTE_COUNT;
3600
3601 END_OF_SMB
3602
3603 return offset;
3604 }
3605
3606
3607 static const true_false_string tfs_of_create = {
3608 "Create file if it does not exist",
3609 "Fail if file does not exist"
3610 };
3611 static const value_string of_open[] = {
3612 { 0, "Fail if file exists"},
3613 { 1, "Open file if it exists"},
3614 { 2, "Truncate file if it exists"},
3615 {0, NULL}
3616 };
3617 static int
3618 dissect_open_function(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3619 {
3620 static int * const flags[] = {
3621 &hf_smb_open_function_create,
3622 &hf_smb_open_function_open,
3623 NULL
3624 };
3625
3626 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_open_function, ett_smb_openfunction, flags, ENC_LITTLE_ENDIAN);
3627 offset += 2;
3628
3629 return offset;
3630 }
3631
3632
3633 static const true_false_string tfs_mf_file = {
3634 "Target must be a file",
3635 "Target needn't be a file"
3636 };
3637 static const true_false_string tfs_mf_dir = {
3638 "Target must be a directory",
3639 "Target needn't be a directory"
3640 };
3641 static const true_false_string tfs_mf_verify = {
3642 "MUST verify all writes",
3643 "Don't have to verify writes"
3644 };
3645 static int
3646 dissect_move_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3647 {
3648 static int * const flags[] = {
3649 &hf_smb_move_flags_verify,
3650 &hf_smb_move_flags_dir,
3651 &hf_smb_move_flags_file,
3652 NULL
3653 };
3654
3655 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_move_flags, ett_smb_move_copy_flags, flags, ENC_LITTLE_ENDIAN);
3656 offset += 2;
3657
3658 return offset;
3659 }
3660
3661 static const true_false_string tfs_cf_mode = {
3662 "ASCII",
3663 "Binary"
3664 };
3665 static const true_false_string tfs_cf_tree_copy = {
3666 "Copy is a tree copy",
3667 "Copy is a file copy"
3668 };
3669 static const true_false_string tfs_cf_ea_action = {
3670 "Fail copy",
3671 "Discard EAs"
3672 };
3673 static int
3674 dissect_copy_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
3675 {
3676 static int * const flags[] = {
3677 &hf_smb_copy_flags_ea_action,
3678 &hf_smb_copy_flags_tree_copy,
3679 &hf_smb_copy_flags_verify,
3680 &hf_smb_copy_flags_source_mode,
3681 &hf_smb_copy_flags_dest_mode,
3682 &hf_smb_copy_flags_dir,
3683 &hf_smb_copy_flags_file,
3684 NULL
3685 };
3686
3687 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_copy_flags, ett_smb_move_copy_flags, flags, ENC_LITTLE_ENDIAN);
3688 offset += 2;
3689
3690 return offset;
3691 }
3692
3693 static int
3694 dissect_move_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3695 {
3696 int fn_len;
3697 uint16_t tid;
3698 uint16_t bc;
3699 uint8_t wc;
3700 const char *fn;
3701
3702 DISSECTOR_ASSERT(si);
3703
3704 WORD_COUNT;
3705
3706 /* tid */
3707 tid = tvb_get_letohs(tvb, offset);
3708 offset = dissect_smb_tid(tvb, pinfo, tree, offset, tid, false, false, si);
3709
3710 /* open function */
3711 offset = dissect_open_function(tvb, tree, offset);
3712
3713 /* move flags */
3714 offset = dissect_move_flags(tvb, tree, offset);
3715
3716 BYTE_COUNT;
3717
3718 /* buffer format */
3719 CHECK_BYTE_COUNT(1);
3720 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3721 COUNT_BYTES(1);
3722
3723 /* file name */
3724 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
3725 false, false, &bc);
3726 if (fn == NULL)
3727 goto endofcommand;
3728 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3729 fn_len, fn, "Old File Name: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3730 COUNT_BYTES(fn_len);
3731
3732 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
3733 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3734
3735 /* buffer format */
3736 CHECK_BYTE_COUNT(1);
3737 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3738 COUNT_BYTES(1);
3739
3740 /* file name */
3741 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
3742 false, false, &bc);
3743 if (fn == NULL)
3744 goto endofcommand;
3745 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3746 fn_len, fn, "New File Name: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3747 COUNT_BYTES(fn_len);
3748
3749 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
3750 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3751
3752 END_OF_SMB
3753
3754 return offset;
3755 }
3756
3757 static int
3758 dissect_copy_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3759 {
3760 int fn_len;
3761 uint16_t tid;
3762 uint16_t bc;
3763 uint8_t wc;
3764 const char *fn;
3765
3766 DISSECTOR_ASSERT(si);
3767
3768 WORD_COUNT;
3769
3770 /* tid */
3771 tid = tvb_get_letohs(tvb, offset);
3772 offset = dissect_smb_tid(tvb, pinfo, tree, offset, tid, false, false, si);
3773
3774 /* open function */
3775 offset = dissect_open_function(tvb, tree, offset);
3776
3777 /* copy flags */
3778 offset = dissect_copy_flags(tvb, tree, offset);
3779
3780 BYTE_COUNT;
3781
3782 /* buffer format */
3783 CHECK_BYTE_COUNT(1);
3784 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3785 COUNT_BYTES(1);
3786
3787 /* file name */
3788 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
3789 false, false, &bc);
3790 if (fn == NULL)
3791 goto endofcommand;
3792 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3793 fn_len, fn, "Source File Name: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3794 COUNT_BYTES(fn_len);
3795
3796 col_append_fstr(pinfo->cinfo, COL_INFO, ", Source Name: %s",
3797 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3798
3799 /* buffer format */
3800 CHECK_BYTE_COUNT(1);
3801 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3802 COUNT_BYTES(1);
3803
3804 /* file name */
3805 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
3806 false, false, &bc);
3807 if (fn == NULL)
3808 goto endofcommand;
3809 proto_tree_add_string_format(tree, hf_smb_file_name, tvb, offset,
3810 fn_len, fn, "Destination File Name: %s",
3811 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3812 COUNT_BYTES(fn_len);
3813
3814 col_append_fstr(pinfo->cinfo, COL_INFO, ", Destination Name: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3815
3816 END_OF_SMB
3817
3818 return offset;
3819 }
3820
3821 static int
3822 dissect_move_copy_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3823 {
3824 int fn_len;
3825 const char *fn;
3826 uint8_t wc;
3827 uint16_t bc;
3828
3829 DISSECTOR_ASSERT(si);
3830
3831 WORD_COUNT;
3832
3833 /* # of files moved */
3834 proto_tree_add_item(tree, hf_smb_files_moved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3835 offset += 2;
3836
3837 BYTE_COUNT;
3838
3839 /* buffer format */
3840 CHECK_BYTE_COUNT(1);
3841 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3842 COUNT_BYTES(1);
3843
3844 /* file name */
3845 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
3846 false, false, &bc);
3847 if (fn == NULL)
3848 goto endofcommand;
3849 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3850 fn);
3851 COUNT_BYTES(fn_len);
3852
3853 END_OF_SMB
3854
3855 return offset;
3856 }
3857
3858 static int
3859 dissect_open_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
3860 {
3861 int fn_len;
3862 const char *fn;
3863 uint8_t wc;
3864 uint16_t bc;
3865 smb_fid_saved_info_t *fsi; /* eo_smb needs to track this info */
3866
3867 DISSECTOR_ASSERT(si);
3868
3869 WORD_COUNT;
3870
3871 /* desired access */
3872 offset = dissect_access(tvb, tree, offset, hf_smb_desired_access);
3873
3874 /* Search Attributes */
3875 offset = dissect_search_attributes(tvb, tree, offset);
3876
3877 BYTE_COUNT;
3878
3879 /* buffer format */
3880 CHECK_BYTE_COUNT(1);
3881 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3882 COUNT_BYTES(1);
3883
3884 /* file name */
3885 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
3886 false, false, &bc);
3887 if (fn == NULL)
3888 goto endofcommand;
3889 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
3890 fn);
3891 COUNT_BYTES(fn_len);
3892
3893 /* store it for the fid->name/openframe/closeframe matching in
3894 * dissect_smb_fid() called from the response.
3895 */
3896 if ((!pinfo->fd->visited) && si->sip && fn) {
3897 fsi = wmem_new0(wmem_file_scope(), smb_fid_saved_info_t);
3898 fsi->filename = wmem_strdup(wmem_file_scope(), fn);
3899
3900 si->sip->extra_info_type = SMB_EI_FILEDATA;
3901 si->sip->extra_info = fsi;
3902 }
3903
3904 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
3905 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
3906
3907 END_OF_SMB
3908
3909 return offset;
3910 }
3911
3912
3913
3914 static int
3915 dissect_nt_create_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset,
3916 int len, uint32_t mask)
3917 {
3918 proto_item *item = NULL;
3919 /*
3920 * XXX - it's 0x00000016 in at least one capture, but
3921 * Network Monitor doesn't say what the 0x00000010 bit is.
3922 * Does the Win32 API documentation, or NT Native API book,
3923 * suggest anything?
3924 *
3925 * That is the extended response desired bit ... RJS, from Samba
3926 * Well, maybe. Samba thinks it is, and uses it to encode
3927 * OpLock granted as the high order bit of the Action field
3928 * in the response. However, Windows does not do that. Or at least
3929 * Win2K doesn't.
3930 */
3931 static int * const fields[] = {
3932 &hf_smb_nt_create_bits_oplock,
3933 &hf_smb_nt_create_bits_boplock,
3934 &hf_smb_nt_create_bits_dir,
3935 &hf_smb_nt_create_bits_ext_resp,
3936 NULL
3937 };
3938
3939 item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset, hf_smb_create_flags, ett_smb_nt_create_bits,
3940 fields, mask, BMT_NO_APPEND);
3941
3942 if (len == 0)
3943 proto_item_set_generated(item);
3944
3945 offset += len;
3946
3947 return offset;
3948 }
3949
3950 /* FIXME: need to call dissect_nt_access_mask() instead */
3951 static int
3952 dissect_smb_access_mask_bits(tvbuff_t *tvb, proto_tree *parent_tree,
3953 int offset, int len, uint32_t mask)
3954 {
3955 proto_item *item;
3956 /*
3957 * Some of these bits come from
3958 *
3959 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
3960 *
3961 * and others come from the section on ZwOpenFile in "Windows(R)
3962 * NT(R)/2000 Native API Reference".
3963 */
3964 static int * const fields[] = {
3965 &hf_smb_nt_access_mask_read,
3966 &hf_smb_nt_access_mask_write,
3967 &hf_smb_nt_access_mask_append,
3968 &hf_smb_nt_access_mask_read_ea,
3969 &hf_smb_nt_access_mask_write_ea,
3970 &hf_smb_nt_access_mask_execute,
3971 &hf_smb_nt_access_mask_delete_child,
3972 &hf_smb_nt_access_mask_read_attributes,
3973 &hf_smb_nt_access_mask_write_attributes,
3974 &hf_smb_nt_access_mask_delete,
3975 &hf_smb_nt_access_mask_read_control,
3976 &hf_smb_nt_access_mask_write_dac,
3977 &hf_smb_nt_access_mask_write_owner,
3978 &hf_smb_nt_access_mask_synchronize,
3979 &hf_smb_nt_access_mask_system_security,
3980 &hf_smb_nt_access_mask_maximum_allowed,
3981 &hf_smb_nt_access_mask_generic_all,
3982 &hf_smb_nt_access_mask_generic_execute,
3983 &hf_smb_nt_access_mask_generic_write,
3984 &hf_smb_nt_access_mask_generic_read,
3985 NULL
3986 };
3987
3988 item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset, hf_smb_access_mask, ett_smb_nt_access_mask,
3989 fields, mask, BMT_NO_APPEND);
3990
3991 if (len == 0)
3992 proto_item_set_generated(item);
3993 offset += len;
3994
3995 return offset;
3996 }
3997
3998 int
3999 dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4000 {
4001 uint32_t mask;
4002
4003 mask = tvb_get_letohl(tvb, offset);
4004
4005 offset = dissect_smb_access_mask_bits(tvb, parent_tree, offset, 4, mask);
4006
4007 return offset;
4008 }
4009
4010 #define SHARE_ACCESS_READ 0x00000001
4011 #define SHARE_ACCESS_WRITE 0x00000002
4012 #define SHARE_ACCESS_DELETE 0x00000004
4013
4014 static int
4015 dissect_nt_share_access_bits(tvbuff_t *tvb, proto_tree *parent_tree,
4016 int offset, int len, uint32_t mask)
4017 {
4018 proto_item *item;
4019 static int * const fields[] = {
4020 &hf_smb_nt_share_access_read,
4021 &hf_smb_nt_share_access_write,
4022 &hf_smb_nt_share_access_delete,
4023 NULL
4024 };
4025
4026 item = proto_tree_add_bitmask_value(parent_tree, tvb, offset, hf_smb_share_access, ett_smb_nt_share_access, fields, mask);
4027
4028 if (len == 0)
4029 proto_item_set_generated(item);
4030
4031 offset += len;
4032
4033 return offset;
4034 }
4035
4036 int
4037 dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4038 {
4039 uint32_t mask;
4040
4041 mask = tvb_get_letohl(tvb, offset);
4042
4043 offset = dissect_nt_share_access_bits(tvb, parent_tree, offset, 4, mask);
4044
4045 return offset;
4046 }
4047
4048
4049 static int
4050 dissect_nt_create_options_bits(tvbuff_t *tvb, proto_tree *parent_tree,
4051 int offset, int len, uint32_t mask)
4052 {
4053 proto_item *item;
4054 /*
4055 * From
4056 *
4057 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
4058 */
4059 static int * const fields[] = {
4060 &hf_smb_nt_create_options_directory_file,
4061 &hf_smb_nt_create_options_write_through,
4062 &hf_smb_nt_create_options_sequential_only,
4063 &hf_smb_nt_create_options_no_intermediate_buffering,
4064 &hf_smb_nt_create_options_sync_io_alert,
4065 &hf_smb_nt_create_options_sync_io_nonalert,
4066 &hf_smb_nt_create_options_non_directory_file,
4067 &hf_smb_nt_create_options_create_tree_connection,
4068 &hf_smb_nt_create_options_complete_if_oplocked,
4069 &hf_smb_nt_create_options_no_ea_knowledge,
4070 &hf_smb_nt_create_options_file_open_for_recovery,
4071 &hf_smb_nt_create_options_random_access,
4072 &hf_smb_nt_create_options_delete_on_close,
4073 &hf_smb_nt_create_options_open_by_fileid,
4074 &hf_smb_nt_create_options_backup_intent,
4075 &hf_smb_nt_create_options_no_compression,
4076 &hf_smb_nt_create_options_reserve_opfilter,
4077 &hf_smb_nt_create_options_open_reparse_point,
4078 &hf_smb_nt_create_options_open_no_recall,
4079 &hf_smb_nt_create_options_open_for_free_space_query,
4080 NULL
4081 };
4082
4083 item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset, hf_smb_create_options, ett_smb_nt_create_options, fields, mask, BMT_NO_APPEND);
4084 if (len == 0)
4085 proto_item_set_generated(item);
4086
4087 offset += len;
4088
4089 return offset;
4090 }
4091
4092 int
4093 dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
4094 {
4095 uint32_t mask;
4096
4097 mask = tvb_get_letohl(tvb, offset);
4098
4099 offset = dissect_nt_create_options_bits(tvb, parent_tree, offset, 4, mask);
4100
4101 return offset;
4102 }
4103
4104
4105 /* fids are scoped by tcp session */
4106 smb_fid_info_t *
4107 dissect_smb_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
4108 int len, uint16_t fid, bool is_created, bool is_closed, bool is_generated, smb_info_t* si)
4109 {
4110 smb_saved_info_t *sip;
4111 proto_item *it;
4112 proto_tree *tr;
4113 smb_fid_info_t *fid_info = NULL;
4114 smb_fid_info_t *suspect_fid_info = NULL;
4115 /* We need this to use an array-accessed tree */
4116 GSList *GSL_iterator;
4117
4118 DISSECTOR_ASSERT(si);
4119
4120 sip = si->sip;
4121
4122 it = proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, len, fid);
4123 if (is_generated) {
4124 proto_item_set_generated(it);
4125 }
4126 tr = proto_item_add_subtree(it, ett_smb_fid);
4127 col_append_fstr(pinfo->cinfo, COL_INFO, ", FID: 0x%04x", fid);
4128
4129 if ((!pinfo->fd->visited) && is_created) {
4130 fid_info = wmem_new(wmem_file_scope(), smb_fid_info_t);
4131 fid_info->opened_in = pinfo->num;
4132 fid_info->closed_in = 0;
4133 fid_info->type = SMB_FID_TYPE_UNKNOWN;
4134 fid_info->fid = fid;
4135 fid_info->tid = si->tid;
4136 if (si->sip && (si->sip->extra_info_type == SMB_EI_FILEDATA)) {
4137 fid_info->fsi = (smb_fid_saved_info_t *)si->sip->extra_info;
4138 } else {
4139 fid_info->fsi = NULL;
4140 }
4141 /* We don't use the fid_tree anymore to access and
4142 maintain the fid information of analyzed files.
4143 (was wmem_tree_insert32(si->ct->fid_tree, fid, fid_info);)
4144 We'll use a single list instead to keep track of the
4145 files (fid) opened.
4146 Note that the insert_sorted function allows to insert duplicates
4147 but being inside this if section should prevent it */
4148 si->ct->GSL_fid_info = g_slist_insert_sorted(
4149 si->ct->GSL_fid_info,
4150 fid_info,
4151 (GCompareFunc)fid_cmp);
4152 }
4153
4154 if (!fid_info) {
4155 /* we use the single linked list to access this fid_info
4156 (was fid_info = wmem_tree_lookup32(si->ct->fid_tree, fid);) */
4157 GSL_iterator = si->ct->GSL_fid_info;
4158 while (GSL_iterator) {
4159 suspect_fid_info = (smb_fid_info_t *)GSL_iterator->data;
4160 if (suspect_fid_info->opened_in > pinfo->num) break;
4161 if ((suspect_fid_info->tid == si->tid) && (suspect_fid_info->fid == fid))
4162 fid_info = (smb_fid_info_t *)suspect_fid_info;
4163 GSL_iterator = g_slist_next(GSL_iterator);
4164 }
4165 }
4166 if (!fid_info) {
4167 return NULL;
4168 }
4169
4170 /* Store the fid in the transaction structure and remember if
4171 it was in the request or in the reply we saw it
4172 */
4173 if (sip && (!is_generated) && (!pinfo->fd->visited)) {
4174 sip->fid = fid;
4175 if (si->request) {
4176 sip->fid_seen_in_request = true;
4177 } else {
4178 sip->fid_seen_in_request = false;
4179 }
4180 }
4181
4182 if ((!pinfo->fd->visited) && is_closed) {
4183 fid_info->closed_in = pinfo->num;
4184 }
4185
4186 if (fid_info->opened_in) {
4187 it = proto_tree_add_uint(tr, hf_smb_opened_in, tvb, 0, 0, fid_info->opened_in);
4188 proto_item_set_generated(it);
4189 }
4190
4191 if (fid_info->closed_in) {
4192 it = proto_tree_add_uint(tr, hf_smb_closed_in, tvb, 0, 0, fid_info->closed_in);
4193 proto_item_set_generated(it);
4194 }
4195
4196
4197 if (fid_info->opened_in) {
4198 if (fid_info->fsi && fid_info->fsi->filename) {
4199 it = proto_tree_add_string(tr, hf_smb_file_name, tvb, 0, 0, fid_info->fsi->filename);
4200 proto_item_set_generated(it);
4201 proto_item_append_text(tr, " (%s)", fid_info->fsi->filename);
4202 dissect_nt_create_bits(tvb, tr, 0, 0, fid_info->fsi->create_flags);
4203 dissect_smb_access_mask_bits(tvb, tr, 0, 0, fid_info->fsi->access_mask);
4204 dissect_file_ext_attr_bits(tvb, tr, 0, 0, fid_info->fsi->file_attributes);
4205 dissect_nt_share_access_bits(tvb, tr, 0, 0, fid_info->fsi->share_access);
4206 dissect_nt_create_options_bits(tvb, tr, 0, 0, fid_info->fsi->create_options);
4207 it = proto_tree_add_uint(tr, hf_smb_nt_create_disposition, tvb, 0, 0, fid_info->fsi->create_disposition);
4208 proto_item_set_generated(it);
4209 }
4210 }
4211
4212 return fid_info;
4213 }
4214
4215 static int
4216 dissect_open_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4217 {
4218 uint8_t wc;
4219 uint16_t bc;
4220 uint16_t fid;
4221 smb_fid_info_t *fid_info = NULL; /* eo_smb needs to track this info */
4222 uint16_t fattr;
4223 bool isdir = false;
4224
4225 WORD_COUNT;
4226
4227 /* fid */
4228 fid = tvb_get_letohs(tvb, offset);
4229
4230 fid_info = dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, true, false, false, si);
4231 if (fid_info) {
4232 /* This command is used to create and open a new file or open
4233 and truncate an existing file to zero length */
4234 fid_info->end_of_file = 0;
4235 if (fid_info->fsi) {
4236 /* File Type */
4237 fattr = fid_info->fsi->file_attributes;
4238 /* XXX Volumes considered as directories */
4239 isdir = (fattr & SMB_FILE_ATTRIBUTE_DIRECTORY) || (fattr & SMB_FILE_ATTRIBUTE_VOLUME);
4240 if (isdir == 0) {
4241 fid_info->type = SMB_FID_TYPE_FILE;
4242 } else {
4243 fid_info->type = SMB_FID_TYPE_DIR;
4244 }
4245 }
4246 }
4247
4248 offset += 2;
4249
4250 /* File Attributes */
4251 offset = dissect_file_attributes(tvb, tree, offset);
4252
4253 /* last write time */
4254 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
4255
4256 /* File Size */
4257 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4258 offset += 4;
4259
4260 /* granted access */
4261 offset = dissect_access(tvb, tree, offset, hf_smb_granted_access);
4262
4263 BYTE_COUNT;
4264
4265 END_OF_SMB
4266
4267 return offset;
4268 }
4269
4270 static int
4271 dissect_query_information2_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4272 {
4273 uint8_t wc;
4274 uint16_t bc;
4275 uint16_t fid;
4276
4277 WORD_COUNT;
4278
4279 /* fid */
4280 fid = tvb_get_letohs(tvb, offset);
4281 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
4282 offset += 2;
4283
4284 BYTE_COUNT;
4285
4286 END_OF_SMB
4287
4288 return offset;
4289 }
4290
4291 static int
4292 dissect_close_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4293 {
4294 uint8_t wc;
4295 uint16_t bc;
4296 uint16_t fid;
4297
4298 WORD_COUNT;
4299
4300 /* fid */
4301 fid = tvb_get_letohs(tvb, offset);
4302 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, true, false, si);
4303 offset += 2;
4304
4305 BYTE_COUNT;
4306
4307 END_OF_SMB
4308
4309 return offset;
4310 }
4311
4312 static int
4313 dissect_open_print_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4314 {
4315 uint8_t wc;
4316 uint16_t bc;
4317 uint16_t fid;
4318
4319 WORD_COUNT;
4320
4321 /* fid */
4322 fid = tvb_get_letohs(tvb, offset);
4323 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
4324 offset += 2;
4325
4326 BYTE_COUNT;
4327
4328 END_OF_SMB
4329
4330 return offset;
4331 }
4332
4333 static int
4334 dissect_create_new_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4335 {
4336 uint8_t wc;
4337 uint16_t bc;
4338 uint16_t fid;
4339
4340 WORD_COUNT;
4341
4342 /* fid */
4343 fid = tvb_get_letohs(tvb, offset);
4344 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, true, false, false, si);
4345 offset += 2;
4346
4347 BYTE_COUNT;
4348
4349 END_OF_SMB
4350
4351 return offset;
4352 }
4353
4354 static int
4355 dissect_flush_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4356 {
4357 uint8_t wc;
4358 uint16_t bc;
4359 uint16_t fid;
4360
4361 WORD_COUNT;
4362
4363 /* fid */
4364 fid = tvb_get_letohs(tvb, offset);
4365 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
4366 offset += 2;
4367
4368 BYTE_COUNT;
4369
4370 END_OF_SMB
4371
4372 return offset;
4373 }
4374
4375 static int
4376 dissect_create_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4377 {
4378 uint8_t wc;
4379 uint16_t bc;
4380 uint16_t fid;
4381 smb_fid_info_t *fid_info = NULL; /* eo_smb needs to track this info */
4382 uint16_t fattr;
4383 bool isdir = false;
4384
4385 WORD_COUNT;
4386
4387 /* fid */
4388 fid = tvb_get_letohs(tvb, offset);
4389 fid_info = dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, true, false, false, si);
4390 if (fid_info) {
4391 /* This command is used to create and open a new file or open
4392 and truncate an existing file to zero length */
4393 fid_info->end_of_file = 0;
4394 if (fid_info->fsi) {
4395 /* File Type */
4396 fattr = fid_info->fsi->file_attributes;
4397 /* XXX Volumes considered as directories */
4398 isdir = (fattr & SMB_FILE_ATTRIBUTE_DIRECTORY) || (fattr & SMB_FILE_ATTRIBUTE_VOLUME);
4399 if (isdir == 0) {
4400 fid_info->type = SMB_FID_TYPE_FILE;
4401 } else {
4402 fid_info->type = SMB_FID_TYPE_DIR;
4403 }
4404 }
4405 }
4406
4407 offset += 2;
4408
4409 BYTE_COUNT;
4410
4411 END_OF_SMB
4412
4413 return offset;
4414 }
4415
4416 static int
4417 dissect_create_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4418 {
4419 int fn_len;
4420 const char *fn;
4421 uint8_t wc;
4422 uint16_t bc;
4423 smb_fid_saved_info_t *fsi; /* eo_smb needs to track this info */
4424 uint32_t file_attributes = 0;
4425
4426 DISSECTOR_ASSERT(si);
4427
4428 WORD_COUNT;
4429
4430 /* file attributes */
4431 /* We read the two lower bytes into the four-bytes file-attributes, because they are compatible */
4432 file_attributes = tvb_get_letohs(tvb, offset);
4433 offset = dissect_file_attributes(tvb, tree, offset);
4434
4435 /* creation time */
4436 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
4437
4438 BYTE_COUNT;
4439
4440 /* buffer format */
4441 CHECK_BYTE_COUNT(1);
4442 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4443 COUNT_BYTES(1);
4444
4445 /* File Name */
4446 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
4447 false, false, &bc);
4448 if (fn == NULL)
4449 goto endofcommand;
4450 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4451 fn);
4452 COUNT_BYTES(fn_len);
4453
4454 /* store it for the fid->name/openframe/closeframe matching in
4455 * dissect_smb_fid() called from the response.
4456 */
4457 if ((!pinfo->fd->visited) && si->sip && fn) {
4458 fsi = wmem_new0(wmem_file_scope(), smb_fid_saved_info_t);
4459 fsi->filename = wmem_strdup(wmem_file_scope(), fn);
4460 fsi->file_attributes = file_attributes;
4461
4462 si->sip->extra_info_type = SMB_EI_FILEDATA;
4463 si->sip->extra_info = fsi;
4464 }
4465
4466
4467 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
4468 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
4469
4470 END_OF_SMB
4471
4472 return offset;
4473 }
4474
4475 static int
4476 dissect_close_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4477 {
4478 uint8_t wc;
4479 uint16_t bc, fid;
4480
4481 WORD_COUNT;
4482
4483 /* fid */
4484 fid = tvb_get_letohs(tvb, offset);
4485 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, true, false, si);
4486 offset += 2;
4487
4488 /* last write time */
4489 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
4490
4491 BYTE_COUNT;
4492
4493 END_OF_SMB
4494
4495 return offset;
4496 }
4497
4498 static int
4499 dissect_delete_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4500 {
4501 int fn_len;
4502 const char *fn;
4503 uint8_t wc;
4504 uint16_t bc;
4505
4506 DISSECTOR_ASSERT(si);
4507
4508 WORD_COUNT;
4509
4510 /* search attributes */
4511 offset = dissect_search_attributes(tvb, tree, offset);
4512
4513 BYTE_COUNT;
4514
4515 /* buffer format */
4516 CHECK_BYTE_COUNT(1);
4517 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4518 COUNT_BYTES(1);
4519
4520 /* file name */
4521 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
4522 false, false, &bc);
4523
4524 if ((!pinfo->fd->visited) && si->sip) {
4525 si->sip->extra_info_type = SMB_EI_FILENAME;
4526 si->sip->extra_info = wmem_strdup(wmem_file_scope(), fn);
4527 }
4528
4529 if (fn == NULL)
4530 goto endofcommand;
4531 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4532 fn);
4533 COUNT_BYTES(fn_len);
4534
4535 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
4536 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
4537
4538 END_OF_SMB
4539
4540 return offset;
4541 }
4542
4543 static int
4544 dissect_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4545 {
4546 int fn_len;
4547 const char *fn, *old_name = NULL, *new_name = NULL;
4548 uint8_t wc;
4549 uint16_t bc;
4550 smb_rename_saved_info_t *rni = NULL;
4551
4552 DISSECTOR_ASSERT(si);
4553
4554 WORD_COUNT;
4555
4556 /* search attributes */
4557 offset = dissect_search_attributes(tvb, tree, offset);
4558
4559 BYTE_COUNT;
4560
4561 /* buffer format */
4562 CHECK_BYTE_COUNT(1);
4563 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4564 COUNT_BYTES(1);
4565
4566 /* old file name */
4567 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
4568 false, false, &bc);
4569 if (fn == NULL)
4570 goto endofcommand;
4571 old_name = fn;
4572 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
4573 fn);
4574 COUNT_BYTES(fn_len);
4575
4576 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
4577 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
4578
4579 /* buffer format */
4580 CHECK_BYTE_COUNT(1);
4581 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4582 COUNT_BYTES(1);
4583
4584 /* file name */
4585 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
4586 false, false, &bc);
4587 if (fn == NULL)
4588 goto endofcommand;
4589 new_name = fn;
4590 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4591 fn);
4592 COUNT_BYTES(fn_len);
4593
4594 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
4595 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
4596
4597 END_OF_SMB
4598
4599 /* save the offset/len for this transaction */
4600 if (si->sip && !pinfo->fd->visited) {
4601 rni = wmem_new(wmem_file_scope(), smb_rename_saved_info_t);
4602 rni->old_name = wmem_strdup(wmem_file_scope(), old_name);
4603 rni->new_name = wmem_strdup(wmem_file_scope(), new_name);
4604
4605 si->sip->extra_info_type = SMB_EI_RENAMEDATA;
4606 si->sip->extra_info = rni;
4607 }
4608
4609 return offset;
4610 }
4611
4612 static int
4613 dissect_nt_rename_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4614 {
4615 int fn_len;
4616 const char *fn;
4617 uint8_t wc;
4618 uint16_t bc;
4619
4620 DISSECTOR_ASSERT(si);
4621
4622 WORD_COUNT;
4623
4624 /* search attributes */
4625 offset = dissect_search_attributes(tvb, tree, offset);
4626
4627 proto_tree_add_item(tree, hf_smb_nt_rename_level, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4628 offset += 2;
4629
4630 proto_tree_add_item(tree, hf_smb_cluster_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4631 offset += 4;
4632
4633 BYTE_COUNT;
4634
4635 /* buffer format */
4636 CHECK_BYTE_COUNT(1);
4637 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4638 COUNT_BYTES(1);
4639
4640 /* old file name */
4641 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
4642 false, false, &bc);
4643 if (fn == NULL)
4644 goto endofcommand;
4645 proto_tree_add_string(tree, hf_smb_old_file_name, tvb, offset, fn_len,
4646 fn);
4647 COUNT_BYTES(fn_len);
4648
4649 col_append_fstr(pinfo->cinfo, COL_INFO, ", Old Name: %s",
4650 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
4651
4652 /* buffer format */
4653 CHECK_BYTE_COUNT(1);
4654 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4655 COUNT_BYTES(1);
4656
4657 /* file name */
4658 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
4659 false, false, &bc);
4660 if (fn == NULL)
4661 goto endofcommand;
4662 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4663 fn);
4664 COUNT_BYTES(fn_len);
4665
4666 col_append_fstr(pinfo->cinfo, COL_INFO, ", New Name: %s",
4667 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
4668
4669 END_OF_SMB
4670
4671 return offset;
4672 }
4673
4674
4675 static int
4676 dissect_query_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4677 {
4678 uint16_t bc;
4679 uint8_t wc;
4680 const char *fn;
4681 int fn_len;
4682
4683 DISSECTOR_ASSERT(si);
4684
4685 WORD_COUNT;
4686
4687 BYTE_COUNT;
4688
4689 /* Buffer Format */
4690 CHECK_BYTE_COUNT(1);
4691 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4692 COUNT_BYTES(1);
4693
4694 /* File Name */
4695 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
4696 false, false, &bc);
4697 if (fn == NULL)
4698 goto endofcommand;
4699 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4700 fn);
4701 COUNT_BYTES(fn_len);
4702
4703 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
4704 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
4705
4706 END_OF_SMB
4707
4708 return offset;
4709 }
4710
4711 static int
4712 dissect_query_information_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
4713 {
4714 uint16_t bc;
4715 uint8_t wc;
4716
4717 WORD_COUNT;
4718
4719 /* File Attributes */
4720 offset = dissect_file_attributes(tvb, tree, offset);
4721
4722 /* Last Write Time */
4723 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
4724
4725 /* File Size */
4726 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4727 offset += 4;
4728
4729 /* 10 reserved bytes */
4730 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, ENC_NA);
4731 offset += 10;
4732
4733 BYTE_COUNT;
4734
4735 END_OF_SMB
4736
4737 return offset;
4738 }
4739
4740 static int
4741 dissect_set_information_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4742 {
4743 int fn_len;
4744 const char *fn;
4745 uint8_t wc;
4746 uint16_t bc;
4747
4748 DISSECTOR_ASSERT(si);
4749
4750 WORD_COUNT;
4751
4752 /* file attributes */
4753 offset = dissect_file_attributes(tvb, tree, offset);
4754
4755 /* last write time */
4756 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
4757
4758 /* 10 reserved bytes */
4759 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, ENC_NA);
4760 offset += 10;
4761
4762 BYTE_COUNT;
4763
4764 /* buffer format */
4765 CHECK_BYTE_COUNT(1);
4766 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4767 COUNT_BYTES(1);
4768
4769 /* file name */
4770 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
4771 false, false, &bc);
4772 if (fn == NULL)
4773 goto endofcommand;
4774 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
4775 fn);
4776 COUNT_BYTES(fn_len);
4777
4778 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
4779 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
4780
4781 END_OF_SMB
4782
4783 return offset;
4784 }
4785
4786 typedef struct _rw_info_t {
4787 uint64_t offset;
4788 uint32_t len;
4789 uint16_t fid;
4790 } rw_info_t;
4791
4792 static int
4793 dissect_read_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4794 {
4795 uint8_t wc;
4796 uint16_t cnt = 0, bc;
4797 uint32_t ofs = 0;
4798 unsigned int fid;
4799 rw_info_t *rwi = NULL;
4800
4801 WORD_COUNT;
4802
4803 /* fid */
4804 fid = tvb_get_letohs(tvb, offset);
4805 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (uint16_t) fid, false, false, false, si);
4806 offset += 2;
4807
4808 /* read count */
4809 cnt = tvb_get_letohs(tvb, offset);
4810 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4811 offset += 2;
4812
4813 /* offset */
4814 ofs = tvb_get_letohl(tvb, offset);
4815 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4816 offset += 4;
4817
4818 col_append_fstr(pinfo->cinfo, COL_INFO,
4819 ", %u byte%s at offset %u", cnt,
4820 (cnt == 1) ? "" : "s", ofs);
4821
4822 /* remaining */
4823 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4824 offset += 2;
4825
4826 /* save the offset/len for this transaction */
4827 if (si->sip && !pinfo->fd->visited) {
4828 rwi = wmem_new(wmem_file_scope(), rw_info_t);
4829 rwi->offset = ofs;
4830 rwi->len = cnt;
4831 rwi->fid = fid;
4832 si->sip->extra_info_type = SMB_EI_RWINFO;
4833 si->sip->extra_info = rwi;
4834 }
4835
4836 BYTE_COUNT;
4837
4838 END_OF_SMB
4839
4840 return offset;
4841 }
4842
4843 int
4844 dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset, uint16_t bc, int dataoffset, uint16_t datalen)
4845 {
4846 int tvblen;
4847
4848 if (bc > datalen) {
4849 /* We have some initial padding bytes. */
4850 /* XXX - use the data offset here instead? */
4851 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
4852 ENC_NA);
4853 offset += bc-datalen;
4854 bc = datalen;
4855 }
4856 tvblen = tvb_reported_length_remaining(tvb, dataoffset > 0 ? dataoffset : offset );
4857 if (bc > tvblen) {
4858 proto_tree_add_bytes_format_value(tree, hf_smb_file_data, tvb, dataoffset > 0 ? dataoffset : offset, tvblen, NULL, "Incomplete. Only %d of %u bytes", tvblen, bc);
4859 if (dataoffset == -1 || dataoffset == offset)
4860 offset += tvblen;
4861 } else {
4862 proto_tree_add_item(tree, hf_smb_file_data, tvb, dataoffset > 0 ? dataoffset : offset, bc, ENC_NA);
4863 if (dataoffset == -1 || dataoffset == offset)
4864 offset += bc;
4865 }
4866 return offset;
4867 }
4868
4869 static int
4870 dissect_file_data_dcerpc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
4871 proto_tree *top_tree, int offset, uint16_t bc, uint16_t datalen, uint16_t fid,
4872 void *data)
4873 {
4874 int tvblen;
4875 tvbuff_t *dcerpc_tvb;
4876
4877 if (bc > datalen) {
4878 /* We have some initial padding bytes. */
4879 /* XXX - use the data offset here instead? */
4880 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, bc-datalen,
4881 ENC_NA);
4882 offset += bc-datalen;
4883 bc = datalen;
4884 }
4885 tvblen = tvb_reported_length_remaining(tvb, offset);
4886 dcerpc_tvb = tvb_new_subset_length_caplen(tvb, offset, tvblen, bc);
4887 dissect_pipe_dcerpc(dcerpc_tvb, pinfo, top_tree, tree, fid, data);
4888 if (bc > tvblen)
4889 offset += tvblen;
4890 else
4891 offset += bc;
4892 return offset;
4893 }
4894
4895 /*
4896 * transporting DCERPC over SMB seems to be implemented in various
4897 * ways. We might just assume it can be done by an almost random
4898 * mix of Trans/Read/Write calls
4899 *
4900 * if we suspect dcerpc, just send them all down to packet-smb-pipe.c
4901 * and let him sort them out
4902 */
4903 static int
4904 dissect_file_data_maybe_dcerpc(tvbuff_t *tvb, packet_info *pinfo,
4905 proto_tree *tree, proto_tree *top_tree, int offset, uint16_t bc,
4906 int dataoffset, uint16_t datalen, uint32_t ofs, uint16_t fid, smb_info_t *si)
4907 {
4908 DISSECTOR_ASSERT(si);
4909
4910 if ( (si->sip && (si->sip->flags & SMB_SIF_TID_IS_IPC)) && (ofs == 0) ) {
4911 /* dcerpc call */
4912 /* XXX - use the data offset to determine where the data starts? */
4913 return dissect_file_data_dcerpc(tvb, pinfo, tree,
4914 top_tree, offset, bc, datalen, fid, si);
4915 } else {
4916 /* ordinary file data */
4917 return dissect_file_data(tvb, tree, offset, bc, dataoffset, datalen);
4918 }
4919 }
4920
4921 static int
4922 dissect_read_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
4923 {
4924 uint16_t cnt = 0, bc;
4925 uint8_t wc;
4926 int fid = 0;
4927 uint32_t datalen = 0, dataoffset = 0;
4928 uint32_t tvblen;
4929 rw_info_t *rwi = NULL;
4930
4931 DISSECTOR_ASSERT(si);
4932
4933 WORD_COUNT;
4934
4935 /* read count */
4936 cnt = tvb_get_letohs(tvb, offset);
4937 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
4938 offset += 2;
4939
4940 /* 8 reserved bytes */
4941 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, ENC_NA);
4942 offset += 8;
4943 BYTE_COUNT;
4944
4945 /* buffer format */
4946 CHECK_BYTE_COUNT(1);
4947 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4948 COUNT_BYTES(1);
4949
4950 /* data len */
4951 CHECK_BYTE_COUNT(2);
4952 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4953 datalen = tvb_get_letohs(tvb, offset);
4954 COUNT_BYTES(2);
4955 dataoffset = offset;
4956
4957 /* file data, might be DCERPC on a pipe */
4958 if (bc) {
4959 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
4960 top_tree_global, offset, bc, -1, bc, 0, (uint16_t) fid, si);
4961 bc = 0;
4962 }
4963
4964 /* If we have seen the request, then print which FID this refers to */
4965 if ((si->sip != NULL) && (si->sip->frame_req > 0) && (si->sip->extra_info_type == SMB_EI_FID)) {
4966 fid = GPOINTER_TO_INT(si->sip->extra_info);
4967 }
4968
4969 if (si->sip && (si->sip->extra_info_type == SMB_EI_RWINFO)) {
4970 rwi = (rw_info_t *)si->sip->extra_info;
4971 }
4972 if (rwi) {
4973 proto_item *it;
4974
4975 it = proto_tree_add_uint64(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
4976
4977 proto_item_set_generated(it);
4978 it = proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
4979 proto_item_set_generated(it);
4980
4981 /* we need the fid for the call to dcerpc below */
4982 fid = rwi->fid;
4983 }
4984
4985 /* feed the export object tap listener */
4986 tvblen = tvb_reported_length_remaining(tvb, dataoffset);
4987 if (have_tap_listener(smb_eo_tap) && (datalen == tvblen) && rwi) {
4988 feed_eo_smb(SMB_COM_READ, fid, tvb, pinfo, dataoffset, datalen, rwi->len, rwi->offset, si);
4989 }
4990
4991 END_OF_SMB
4992
4993 return offset;
4994 }
4995
4996 static int
4997 dissect_lock_and_read_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
4998 {
4999 uint16_t cnt, bc;
5000 uint8_t wc;
5001
5002 WORD_COUNT;
5003
5004 /* read count */
5005 cnt = tvb_get_letohs(tvb, offset);
5006 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
5007 offset += 2;
5008
5009 /* 8 reserved bytes */
5010 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 8, ENC_NA);
5011 offset += 8;
5012
5013 BYTE_COUNT;
5014
5015 /* buffer format */
5016 CHECK_BYTE_COUNT(1);
5017 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
5018 COUNT_BYTES(1);
5019
5020 /* data len */
5021 CHECK_BYTE_COUNT(2);
5022 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5023 COUNT_BYTES(2);
5024
5025 END_OF_SMB
5026
5027 return offset;
5028 }
5029
5030
5031
5032 static int
5033 dissect_write_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5034 {
5035 uint32_t ofs = 0;
5036 uint16_t cnt = 0, bc, fid = 0;
5037 uint8_t wc;
5038 rw_info_t *rwi = NULL;
5039 uint32_t datalen = 0, dataoffset = 0;
5040 uint32_t tvblen;
5041
5042 DISSECTOR_ASSERT(si);
5043
5044 WORD_COUNT;
5045
5046 /* fid */
5047 fid = tvb_get_letohs(tvb, offset);
5048 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
5049 offset += 2;
5050
5051 /* write count */
5052 cnt = tvb_get_letohs(tvb, offset);
5053 datalen = cnt;
5054 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
5055 offset += 2;
5056
5057 /* offset */
5058 ofs = tvb_get_letohl(tvb, offset);
5059 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5060 offset += 4;
5061
5062 col_append_fstr(pinfo->cinfo, COL_INFO,
5063 ", %u byte%s at offset %u", cnt,
5064 (cnt == 1) ? "" : "s", ofs);
5065
5066 /* save the offset/len for this transaction */
5067 if (si->sip && !pinfo->fd->visited) {
5068 rwi = wmem_new(wmem_file_scope(), rw_info_t);
5069 rwi->offset = ofs;
5070 rwi->len = cnt;
5071 rwi->fid = fid;
5072
5073 si->sip->extra_info_type = SMB_EI_RWINFO;
5074 si->sip->extra_info = rwi;
5075 }
5076 if (si->sip && (si->sip->extra_info_type == SMB_EI_RWINFO)) {
5077 rwi = (rw_info_t *)si->sip->extra_info;
5078 }
5079 if (rwi) {
5080 proto_item *it;
5081
5082 it = proto_tree_add_uint64(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
5083
5084 proto_item_set_generated(it);
5085 it = proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
5086 proto_item_set_generated(it);
5087 }
5088
5089 /* remaining */
5090 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5091 offset += 2;
5092
5093 BYTE_COUNT;
5094
5095 /* buffer format */
5096 CHECK_BYTE_COUNT(1);
5097 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
5098 COUNT_BYTES(1);
5099
5100 /* data len */
5101 CHECK_BYTE_COUNT(2);
5102 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5103 COUNT_BYTES(2);
5104 dataoffset = offset;
5105
5106 /* file data, might be DCERPC on a pipe */
5107 if (bc != 0) {
5108 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
5109 top_tree_global, offset, bc, -1, bc, ofs, fid, si);
5110 bc = 0;
5111 }
5112
5113 /* feed the export object tap listener */
5114 tvblen = tvb_reported_length_remaining(tvb, dataoffset);
5115 if (have_tap_listener(smb_eo_tap) && (datalen == tvblen) && rwi) {
5116 feed_eo_smb(SMB_COM_WRITE, fid, tvb, pinfo, dataoffset, datalen, rwi->len, rwi->offset, si);
5117 }
5118
5119 END_OF_SMB
5120
5121 return offset;
5122 }
5123
5124 static int
5125 dissect_write_file_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5126 {
5127 uint8_t wc;
5128 uint16_t bc, cnt;
5129 rw_info_t *rwi = NULL;
5130
5131 DISSECTOR_ASSERT(si);
5132
5133 WORD_COUNT;
5134
5135 /* write count */
5136 cnt = tvb_get_letohs(tvb, offset);
5137 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5138 offset += 2;
5139
5140 col_append_fstr(pinfo->cinfo, COL_INFO,
5141 ", %u byte%s", cnt, (cnt == 1) ? "" : "s");
5142
5143 if (si->sip && (si->sip->extra_info_type == SMB_EI_RWINFO)) {
5144 rwi = (rw_info_t *)si->sip->extra_info;
5145 }
5146 if (rwi) {
5147 proto_item *it;
5148
5149 it = proto_tree_add_uint64(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
5150
5151 proto_item_set_generated(it);
5152 it = proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
5153 proto_item_set_generated(it);
5154 }
5155
5156 BYTE_COUNT;
5157
5158 END_OF_SMB
5159
5160 return offset;
5161 }
5162
5163 static int
5164 dissect_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5165 {
5166 uint8_t wc;
5167 uint16_t bc, fid;
5168
5169 WORD_COUNT;
5170
5171 /* fid */
5172 fid = tvb_get_letohs(tvb, offset);
5173 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
5174 offset += 2;
5175
5176 /* lock count */
5177 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5178 offset += 4;
5179
5180 /* offset */
5181 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5182 offset += 4;
5183
5184 BYTE_COUNT;
5185
5186 END_OF_SMB
5187
5188 return offset;
5189 }
5190
5191 static int
5192 dissect_create_temporary_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5193 {
5194 int fn_len;
5195 const char *fn;
5196 uint8_t wc;
5197 uint16_t bc;
5198
5199 DISSECTOR_ASSERT(si);
5200
5201 WORD_COUNT;
5202
5203 /* 2 reserved bytes */
5204 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
5205 offset += 2;
5206
5207 /* Creation time */
5208 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
5209
5210 BYTE_COUNT;
5211
5212 /* buffer format */
5213 CHECK_BYTE_COUNT(1);
5214 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
5215 COUNT_BYTES(1);
5216
5217 /*
5218 * Directory name.
5219 *
5220 * MS-CIFS says this is a "null-terminated string", without saying
5221 * it's always ASCII, so we honor the "Unicode strings" flag.
5222 */
5223 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
5224 false, false, &bc);
5225 if (fn == NULL)
5226 goto endofcommand;
5227 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
5228 fn);
5229 COUNT_BYTES(fn_len);
5230
5231 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
5232 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
5233
5234 END_OF_SMB
5235
5236 return offset;
5237 }
5238
5239 static int
5240 dissect_create_temporary_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5241 {
5242 int fn_len;
5243 const char *fn;
5244 uint8_t wc;
5245 uint16_t bc, fid;
5246
5247 DISSECTOR_ASSERT(si);
5248
5249 WORD_COUNT;
5250
5251 /* fid */
5252 fid = tvb_get_letohs(tvb, offset);
5253 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, true, false, false, si);
5254 offset += 2;
5255
5256 BYTE_COUNT;
5257
5258 /*
5259 * File name.
5260 *
5261 * MS-CIFS says "The string SHOULD be a null-terminated array of
5262 * ASCII characters.", so we ignore the "Unicode strings" flag.
5263 */
5264 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, false, &fn_len,
5265 true, false, &bc);
5266 if (fn == NULL)
5267 goto endofcommand;
5268 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
5269 fn);
5270 COUNT_BYTES(fn_len);
5271
5272 END_OF_SMB
5273
5274 return offset;
5275 }
5276
5277 static const value_string seek_mode_vals[] = {
5278 {0, "From Start Of File"},
5279 {1, "From Current Position"},
5280 {2, "From End Of File"},
5281 {0, NULL}
5282 };
5283
5284 static int
5285 dissect_seek_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5286 {
5287 uint8_t wc;
5288 uint16_t bc, fid;
5289
5290 WORD_COUNT;
5291
5292 /* fid */
5293 fid = tvb_get_letohs(tvb, offset);
5294 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
5295 offset += 2;
5296
5297 /* Seek Mode */
5298 proto_tree_add_item(tree, hf_smb_seek_mode, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5299 offset += 2;
5300
5301 /* offset */
5302 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5303 offset += 4;
5304
5305 BYTE_COUNT;
5306
5307 END_OF_SMB
5308
5309 return offset;
5310 }
5311
5312 static int
5313 dissect_seek_file_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
5314 {
5315 uint8_t wc;
5316 uint16_t bc;
5317
5318 WORD_COUNT;
5319
5320 /* offset */
5321 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5322 offset += 4;
5323
5324 BYTE_COUNT;
5325
5326 END_OF_SMB
5327
5328 return offset;
5329 }
5330
5331 static int
5332 dissect_set_information2_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5333 {
5334 uint8_t wc;
5335 uint16_t bc, fid;
5336
5337 WORD_COUNT;
5338
5339 /* fid */
5340 fid = tvb_get_letohs(tvb, offset);
5341 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
5342 offset += 2;
5343
5344 /* create time */
5345 offset = dissect_smb_datetime(tvb, tree, offset,
5346 hf_smb_create_time,
5347 hf_smb_create_dos_date, hf_smb_create_dos_time, false);
5348
5349 /* access time */
5350 offset = dissect_smb_datetime(tvb, tree, offset,
5351 hf_smb_access_time,
5352 hf_smb_access_dos_date, hf_smb_access_dos_time, false);
5353
5354 /* last write time */
5355 offset = dissect_smb_datetime(tvb, tree, offset,
5356 hf_smb_last_write_time,
5357 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, false);
5358
5359 BYTE_COUNT;
5360
5361 END_OF_SMB
5362
5363 return offset;
5364 }
5365
5366 static int
5367 dissect_query_information2_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
5368 {
5369 uint8_t wc;
5370 uint16_t bc;
5371
5372 WORD_COUNT;
5373
5374 /* create time */
5375 offset = dissect_smb_datetime(tvb, tree, offset,
5376 hf_smb_create_time,
5377 hf_smb_create_dos_date, hf_smb_create_dos_time, false);
5378
5379 /* access time */
5380 offset = dissect_smb_datetime(tvb, tree, offset,
5381 hf_smb_access_time,
5382 hf_smb_access_dos_date, hf_smb_access_dos_time, false);
5383
5384 /* last write time */
5385 offset = dissect_smb_datetime(tvb, tree, offset,
5386 hf_smb_last_write_time,
5387 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, false);
5388
5389 /* data size */
5390 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5391 offset += 4;
5392
5393 /* allocation size */
5394 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5395 offset += 4;
5396
5397 /* File Attributes */
5398 offset = dissect_file_attributes(tvb, tree, offset);
5399
5400 BYTE_COUNT;
5401
5402 END_OF_SMB
5403
5404 return offset;
5405 }
5406
5407 static int
5408 dissect_write_and_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5409 {
5410 uint8_t wc;
5411 uint16_t cnt = 0;
5412 uint16_t bc, fid;
5413
5414 WORD_COUNT;
5415
5416 /* fid */
5417 fid = tvb_get_letohs(tvb, offset);
5418 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, true, false, si);
5419 offset += 2;
5420
5421 /* write count */
5422 cnt = tvb_get_letohs(tvb, offset);
5423 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
5424 offset += 2;
5425
5426 /* offset */
5427 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5428 offset += 4;
5429
5430 /* last write time */
5431 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
5432
5433 if (wc == 12) {
5434 /* 12 reserved bytes */
5435 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 12, ENC_NA);
5436 offset += 12;
5437 }
5438
5439 BYTE_COUNT;
5440
5441 /* 1 pad byte */
5442 CHECK_BYTE_COUNT(1);
5443 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, ENC_NA);
5444 COUNT_BYTES(1);
5445
5446 offset = dissect_file_data(tvb, tree, offset, cnt, -1, cnt);
5447 bc = 0; /* XXX */
5448
5449 END_OF_SMB
5450
5451 return offset;
5452 }
5453
5454 static int
5455 dissect_write_and_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
5456 {
5457 uint8_t wc;
5458 uint16_t bc;
5459
5460 WORD_COUNT;
5461
5462 /* write count */
5463 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5464 offset += 2;
5465
5466 BYTE_COUNT;
5467
5468 END_OF_SMB
5469
5470 return offset;
5471 }
5472
5473 /* Timeout is defined on page 117 of SMB Protocol Extensions version 2.0
5474 available at http://us1.samba.org/samba/ftp/SMB-info/DOSEXTP.TXT
5475 */
5476 static char *
5477 smbext20_timeout_msecs_to_str(wmem_allocator_t *scope, int32_t timeout)
5478 {
5479 char *buf;
5480 #define SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN 60
5481
5482 if (timeout <= 0) {
5483 buf = (char *)wmem_alloc(scope, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1);
5484 if (timeout == 0) {
5485 snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Return immediately (0)");
5486 } else if (timeout == -1) {
5487 snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Wait indefinitely (-1)");
5488 } else if (timeout == -2) {
5489 snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Use default timeout (-2)");
5490 } else {
5491 snprintf(buf, SMBEXT20_TIMEOUT_MSECS_TO_STR_MAXLEN+1, "Unknown reserved value (%d)", timeout);
5492 }
5493 return buf;
5494 }
5495
5496 return signed_time_msecs_to_str(scope, timeout);
5497 }
5498
5499 static int
5500 dissect_read_raw_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5501 {
5502 uint8_t wc;
5503 uint16_t bc, fid;
5504 uint32_t to;
5505
5506 WORD_COUNT;
5507
5508 /* fid */
5509 fid = tvb_get_letohs(tvb, offset);
5510 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
5511 offset += 2;
5512
5513 /* offset */
5514 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5515 offset += 4;
5516
5517 /* max count */
5518 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5519 offset += 2;
5520
5521 /* min count */
5522 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5523 offset += 2;
5524
5525 /* timeout */
5526 to = tvb_get_letohl(tvb, offset);
5527 proto_tree_add_uint_format_value(tree, hf_smb_timeout, tvb, offset, 4, to, "%s", smbext20_timeout_msecs_to_str(pinfo->pool, to));
5528 offset += 4;
5529
5530 /* 2 reserved bytes */
5531 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
5532 offset += 2;
5533
5534 if (wc == 10) {
5535 /* high offset */
5536 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5537 offset += 4;
5538 }
5539
5540 BYTE_COUNT;
5541
5542 END_OF_SMB
5543
5544 return offset;
5545 }
5546
5547 static int
5548 dissect_query_information_disk_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
5549 {
5550 uint8_t wc;
5551 uint16_t bc;
5552
5553 WORD_COUNT;
5554
5555 /* units */
5556 proto_tree_add_item(tree, hf_smb_units, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5557 offset += 2;
5558
5559 /* bpu */
5560 proto_tree_add_item(tree, hf_smb_bpu, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5561 offset += 2;
5562
5563 /* block size */
5564 proto_tree_add_item(tree, hf_smb_blocksize, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5565 offset += 2;
5566
5567 /* free units */
5568 proto_tree_add_item(tree, hf_smb_freeunits, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5569 offset += 2;
5570
5571 /* 2 reserved bytes */
5572 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
5573 offset += 2;
5574
5575 BYTE_COUNT;
5576
5577 END_OF_SMB
5578
5579 return offset;
5580 }
5581
5582 static int
5583 dissect_read_mpx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5584 {
5585 uint8_t wc;
5586 uint16_t bc, fid;
5587
5588 WORD_COUNT;
5589
5590 /* fid */
5591 fid = tvb_get_letohs(tvb, offset);
5592 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
5593 offset += 2;
5594
5595 /* offset */
5596 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5597 offset += 4;
5598
5599 /* max count */
5600 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5601 offset += 2;
5602
5603 /* min count */
5604 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5605 offset += 2;
5606
5607 /* 6 reserved bytes */
5608 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, ENC_NA);
5609 offset += 6;
5610
5611 BYTE_COUNT;
5612
5613 END_OF_SMB
5614
5615 return offset;
5616 }
5617
5618 static int
5619 dissect_read_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
5620 {
5621 uint16_t datalen = 0, bc;
5622 uint8_t wc;
5623
5624 WORD_COUNT;
5625
5626 /* offset */
5627 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5628 offset += 4;
5629
5630 /* count */
5631 proto_tree_add_item(tree, hf_smb_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5632 offset += 2;
5633
5634 /* 2 reserved bytes */
5635 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
5636 offset += 2;
5637
5638 /* data compaction mode */
5639 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5640 offset += 2;
5641
5642 /* 2 reserved bytes */
5643 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
5644 offset += 2;
5645
5646 /* data len */
5647 datalen = tvb_get_letohs(tvb, offset);
5648 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5649 offset += 2;
5650
5651 /* data offset */
5652 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5653 offset += 2;
5654
5655 BYTE_COUNT;
5656
5657 /* file data */
5658 /* XXX - use the data offset to determine where the data starts? */
5659 offset = dissect_file_data(tvb, tree, offset, bc, -1, datalen);
5660 bc = 0;
5661
5662 END_OF_SMB
5663
5664 return offset;
5665 }
5666
5667
5668 static const true_false_string tfs_write_mode_write_through = {
5669 "WRITE THROUGH requested",
5670 "Write through not requested"
5671 };
5672 static const true_false_string tfs_write_mode_return_remaining = {
5673 "RETURN REMAINING (pipe/dev) requested",
5674 "DON'T return remaining (pipe/dev)"
5675 };
5676 static const true_false_string tfs_write_mode_raw = {
5677 "Use WriteRawNamedPipe (pipe)",
5678 "DON'T use WriteRawNamedPipe (pipe)"
5679 };
5680 static const true_false_string tfs_write_mode_message_start = {
5681 "This is the START of a MESSAGE (pipe)",
5682 "This is NOT the start of a message (pipe)"
5683 };
5684 static const true_false_string tfs_write_mode_connectionless = {
5685 "CONNECTIONLESS mode requested",
5686 "Connectionless mode NOT requested"
5687 };
5688
5689 #define WRITE_MODE_CONNECTIONLESS 0x0080
5690 #define WRITE_MODE_MESSAGE_START 0x0008
5691 #define WRITE_MODE_RAW 0x0004
5692 #define WRITE_MODE_RETURN_REMAINING 0x0002
5693 #define WRITE_MODE_WRITE_THROUGH 0x0001
5694
5695 static int
5696 dissect_write_mode(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
5697 {
5698 uint16_t mask;
5699 proto_item *item;
5700 proto_tree *tree;
5701
5702 mask = tvb_get_letohs(tvb, offset);
5703
5704 if (parent_tree) {
5705 item = proto_tree_add_item(parent_tree, hf_smb_write_mode, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5706 tree = proto_item_add_subtree(item, ett_smb_rawmode);
5707
5708 if (bm&WRITE_MODE_CONNECTIONLESS) {
5709 proto_tree_add_boolean(tree, hf_smb_write_mode_connectionless,
5710 tvb, offset, 2, mask);
5711 }
5712 if (bm&WRITE_MODE_MESSAGE_START) {
5713 proto_tree_add_boolean(tree, hf_smb_write_mode_message_start,
5714 tvb, offset, 2, mask);
5715 }
5716 if (bm&WRITE_MODE_RAW) {
5717 proto_tree_add_boolean(tree, hf_smb_write_mode_raw,
5718 tvb, offset, 2, mask);
5719 }
5720 if (bm&WRITE_MODE_RETURN_REMAINING) {
5721 proto_tree_add_boolean(tree, hf_smb_write_mode_return_remaining,
5722 tvb, offset, 2, mask);
5723 }
5724 if (bm&WRITE_MODE_WRITE_THROUGH) {
5725 proto_tree_add_boolean(tree, hf_smb_write_mode_write_through,
5726 tvb, offset, 2, mask);
5727 }
5728 }
5729
5730 offset += 2;
5731 return offset;
5732 }
5733
5734 static int
5735 dissect_write_raw_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5736 {
5737 uint32_t to;
5738 uint16_t datalen = 0, bc, fid;
5739 uint8_t wc;
5740
5741 WORD_COUNT;
5742
5743 /* fid */
5744 fid = tvb_get_letohs(tvb, offset);
5745 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
5746 offset += 2;
5747
5748 /* total data length */
5749 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5750 offset += 2;
5751
5752 /* 2 reserved bytes */
5753 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
5754 offset += 2;
5755
5756 /* offset */
5757 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5758 offset += 4;
5759
5760 /* timeout */
5761 to = tvb_get_letohl(tvb, offset);
5762 proto_tree_add_uint_format_value(tree, hf_smb_timeout, tvb, offset, 4, to, "%s", smbext20_timeout_msecs_to_str(pinfo->pool, to));
5763 offset += 4;
5764
5765 /* mode */
5766 offset = dissect_write_mode(tvb, tree, offset, 0x0003);
5767
5768 /* 4 reserved bytes */
5769 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
5770 offset += 4;
5771
5772 /* data len */
5773 datalen = tvb_get_letohs(tvb, offset);
5774 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5775 offset += 2;
5776
5777 /* data offset */
5778 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5779 offset += 2;
5780
5781 BYTE_COUNT;
5782
5783 /* file data */
5784 /* XXX - use the data offset to determine where the data starts? */
5785 offset = dissect_file_data(tvb, tree, offset, bc, -1, datalen);
5786 bc = 0;
5787
5788 END_OF_SMB
5789
5790 return offset;
5791 }
5792
5793 static int
5794 dissect_write_raw_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
5795 {
5796 uint8_t wc;
5797 uint16_t bc;
5798
5799 WORD_COUNT;
5800
5801 /* remaining */
5802 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5803 offset += 2;
5804
5805 BYTE_COUNT;
5806
5807 END_OF_SMB
5808
5809 return offset;
5810 }
5811
5812 static int
5813 dissect_write_mpx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
5814 {
5815 uint32_t to;
5816 uint16_t datalen = 0, bc, fid;
5817 uint8_t wc;
5818
5819 WORD_COUNT;
5820
5821 /* fid */
5822 fid = tvb_get_letohs(tvb, offset);
5823 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
5824 offset += 2;
5825
5826 /* total data length */
5827 proto_tree_add_item(tree, hf_smb_total_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5828 offset += 2;
5829
5830 /* 2 reserved bytes */
5831 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
5832 offset += 2;
5833
5834 /* offset */
5835 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5836 offset += 4;
5837
5838 /* timeout */
5839 to = tvb_get_letohl(tvb, offset);
5840 proto_tree_add_uint_format_value(tree, hf_smb_timeout, tvb, offset, 4, to, "%s", smbext20_timeout_msecs_to_str(pinfo->pool, to));
5841 offset += 4;
5842
5843 /* mode */
5844 offset = dissect_write_mode(tvb, tree, offset, 0x0083);
5845
5846 /* request mask */
5847 proto_tree_add_item(tree, hf_smb_request_mask, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5848 offset += 4;
5849
5850 /* data len */
5851 datalen = tvb_get_letohs(tvb, offset);
5852 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, datalen);
5853 offset += 2;
5854
5855 /* data offset */
5856 proto_tree_add_item(tree, hf_smb_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5857 offset += 2;
5858
5859 BYTE_COUNT;
5860
5861 /* file data */
5862 /* XXX - use the data offset to determine where the data starts? */
5863 offset = dissect_file_data(tvb, tree, offset, bc, -1,datalen);
5864 bc = 0;
5865
5866 END_OF_SMB
5867
5868 return offset;
5869 }
5870
5871 static int
5872 dissect_write_mpx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
5873 {
5874 uint8_t wc;
5875 uint16_t bc;
5876
5877 WORD_COUNT;
5878
5879 /* response mask */
5880 proto_tree_add_item(tree, hf_smb_response_mask, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5881 offset += 4;
5882
5883 BYTE_COUNT;
5884
5885 END_OF_SMB
5886
5887 return offset;
5888 }
5889
5890 static int
5891 dissect_search_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
5892 {
5893 uint8_t wc;
5894 uint16_t bc;
5895 uint32_t search_id;
5896
5897 WORD_COUNT;
5898
5899 /* search ID */
5900 proto_tree_add_item_ret_uint(tree, hf_smb_search_id, tvb, offset, 2,
5901 ENC_LITTLE_ENDIAN, &search_id);
5902 col_append_fstr(pinfo->cinfo, COL_INFO, ", Search ID: %u", (uint16_t)search_id);
5903 offset += 2;
5904
5905 BYTE_COUNT;
5906
5907 END_OF_SMB
5908
5909 return offset;
5910 }
5911
5912 static int
5913 dissect_search_resume_key(tvbuff_t *tvb, packet_info *pinfo,
5914 proto_tree *parent_tree, int offset, uint16_t *bcp, bool *trunc,
5915 bool has_find_id, smb_info_t *si)
5916 {
5917 proto_tree *tree;
5918 int fn_len;
5919 const char *fn;
5920
5921 DISSECTOR_ASSERT(si);
5922
5923 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 21,
5924 ett_smb_search_resume_key, NULL, "Resume Key");
5925
5926 /* reserved byte */
5927 CHECK_BYTE_COUNT_SUBR(1);
5928 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
5929 COUNT_BYTES_SUBR(1);
5930
5931 /* file name */
5932 fn_len = 11;
5933 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, false/*never Unicode*/, &fn_len,
5934 true, true, bcp);
5935 CHECK_STRING_SUBR(fn);
5936 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, 11, fn);
5937 COUNT_BYTES_SUBR(fn_len);
5938
5939 if (has_find_id) {
5940 CHECK_BYTE_COUNT_SUBR(1);
5941 proto_tree_add_item(tree, hf_smb_resume_find_id, tvb, offset, 1, ENC_LITTLE_ENDIAN);
5942 COUNT_BYTES_SUBR(1);
5943
5944 /* server cookie */
5945 CHECK_BYTE_COUNT_SUBR(4);
5946 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 4, ENC_NA);
5947 COUNT_BYTES_SUBR(4);
5948 } else {
5949 /* server cookie */
5950 CHECK_BYTE_COUNT_SUBR(5);
5951 proto_tree_add_item(tree, hf_smb_resume_server_cookie, tvb, offset, 5, ENC_NA);
5952 COUNT_BYTES_SUBR(5);
5953 }
5954
5955 /* client cookie */
5956 CHECK_BYTE_COUNT_SUBR(4);
5957 proto_tree_add_item(tree, hf_smb_resume_client_cookie, tvb, offset, 4, ENC_NA);
5958 COUNT_BYTES_SUBR(4);
5959
5960 *trunc = false;
5961 return offset;
5962 }
5963
5964 static int
5965 dissect_search_dir_info(tvbuff_t *tvb, packet_info *pinfo,
5966 proto_tree *parent_tree, int offset, uint16_t *bcp, bool *trunc,
5967 bool has_find_id, smb_info_t *si)
5968 {
5969 proto_tree *tree;
5970 int fn_len;
5971 const char *fn;
5972
5973 DISSECTOR_ASSERT(si);
5974
5975 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 43,
5976 ett_smb_search_dir_info, NULL, "Directory Information");
5977
5978 /* resume key */
5979 offset = dissect_search_resume_key(tvb, pinfo, tree, offset, bcp,
5980 trunc, has_find_id, si);
5981 if (*trunc)
5982 return offset;
5983
5984 /* File Attributes */
5985 CHECK_BYTE_COUNT_SUBR(1);
5986 offset = dissect_dir_info_file_attributes(tvb, tree, offset);
5987 *bcp -= 1;
5988
5989 /* last write time */
5990 CHECK_BYTE_COUNT_SUBR(4);
5991 offset = dissect_smb_datetime(tvb, tree, offset,
5992 hf_smb_last_write_time,
5993 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
5994 true);
5995 *bcp -= 4;
5996
5997 /* File Size */
5998 CHECK_BYTE_COUNT_SUBR(4);
5999 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6000 COUNT_BYTES_SUBR(4);
6001
6002 /* file name */
6003 /* [MS-CIFS] says this is 13 *bytes*, and also says "Unicode is
6004 not supported; names are returned in the extended ASCII
6005 (OEM) character set only." */
6006 fn_len = 13;
6007 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, false/*Never Unicode*/, &fn_len,
6008 true, true, bcp);
6009 CHECK_STRING_SUBR(fn);
6010 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len, fn);
6011 COUNT_BYTES_SUBR(fn_len);
6012
6013 *trunc = false;
6014 return offset;
6015 }
6016
6017
6018 static int
6019 dissect_search_find_request(tvbuff_t *tvb, packet_info *pinfo,
6020 proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si,
6021 bool has_find_id)
6022 {
6023 int fn_len;
6024 const char *fn;
6025 uint16_t rkl;
6026 uint8_t wc;
6027 uint16_t bc;
6028 bool trunc;
6029
6030 DISSECTOR_ASSERT(si);
6031
6032 WORD_COUNT;
6033
6034 /* max count */
6035 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6036 offset += 2;
6037
6038 /* Search Attributes */
6039 offset = dissect_search_attributes(tvb, tree, offset);
6040
6041 BYTE_COUNT;
6042
6043 /* buffer format */
6044 CHECK_BYTE_COUNT(1);
6045 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
6046 COUNT_BYTES(1);
6047
6048 /* file name */
6049 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
6050 true, false, &bc);
6051 if (fn == NULL)
6052 goto endofcommand;
6053 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
6054 fn);
6055 COUNT_BYTES(fn_len);
6056
6057 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
6058 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
6059
6060 /* buffer format */
6061 CHECK_BYTE_COUNT(1);
6062 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
6063 COUNT_BYTES(1);
6064
6065 /* resume key length */
6066 CHECK_BYTE_COUNT(2);
6067 rkl = tvb_get_letohs(tvb, offset);
6068 proto_tree_add_uint(tree, hf_smb_resume_key_len, tvb, offset, 2, rkl);
6069 COUNT_BYTES(2);
6070
6071 /* resume key */
6072 if (rkl) {
6073 offset = dissect_search_resume_key(tvb, pinfo, tree, offset,
6074 &bc, &trunc, has_find_id, si);
6075 if (trunc)
6076 goto endofcommand;
6077 }
6078
6079 END_OF_SMB
6080
6081 return offset;
6082 }
6083
6084 static int
6085 dissect_search_dir_request(tvbuff_t *tvb, packet_info *pinfo,
6086 proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6087 {
6088 return dissect_search_find_request(tvb, pinfo, tree, offset,
6089 smb_tree, si, false);
6090 }
6091
6092 static int
6093 dissect_find_request(tvbuff_t *tvb, packet_info *pinfo,
6094 proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6095 {
6096 return dissect_search_find_request(tvb, pinfo, tree, offset,
6097 smb_tree, si, true);
6098 }
6099
6100 static int
6101 dissect_find_close_request(tvbuff_t *tvb, packet_info *pinfo,
6102 proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6103 {
6104 return dissect_search_find_request(tvb, pinfo, tree, offset,
6105 smb_tree, si, true);
6106 }
6107
6108 static int
6109 dissect_search_find_response(tvbuff_t *tvb, packet_info *pinfo,
6110 proto_tree *tree, int offset, proto_tree *smb_tree _U_,
6111 bool has_find_id, smb_info_t *si)
6112 {
6113 uint16_t count = 0;
6114 uint8_t wc;
6115 uint16_t bc;
6116 bool trunc;
6117
6118 WORD_COUNT;
6119
6120 /* count */
6121 count = tvb_get_letohs(tvb, offset);
6122 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, count);
6123 offset += 2;
6124
6125 BYTE_COUNT;
6126
6127 /* buffer format */
6128 CHECK_BYTE_COUNT(1);
6129 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
6130 COUNT_BYTES(1);
6131
6132 /* data len */
6133 CHECK_BYTE_COUNT(2);
6134 proto_tree_add_item(tree, hf_smb_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6135 COUNT_BYTES(2);
6136
6137 while (count--) {
6138 offset = dissect_search_dir_info(tvb, pinfo, tree, offset,
6139 &bc, &trunc, has_find_id, si);
6140 if (trunc)
6141 goto endofcommand;
6142 }
6143
6144 END_OF_SMB
6145
6146 return offset;
6147 }
6148
6149 static int
6150 dissect_search_dir_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6151 {
6152 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
6153 false, si);
6154 }
6155
6156 static int
6157 dissect_find_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6158 {
6159 return dissect_search_find_response(tvb, pinfo, tree, offset, smb_tree,
6160 true, si);
6161 }
6162
6163 static int
6164 dissect_find_close_response(tvbuff_t *tvb, packet_info *pinfo _U_,
6165 proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
6166 {
6167 uint8_t wc;
6168 uint16_t bc;
6169 uint16_t data_len;
6170
6171 WORD_COUNT;
6172
6173 /* reserved */
6174 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
6175 offset += 2;
6176
6177 BYTE_COUNT;
6178
6179 /* buffer format */
6180 CHECK_BYTE_COUNT(1);
6181 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
6182 COUNT_BYTES(1);
6183
6184 /* data len */
6185 CHECK_BYTE_COUNT(2);
6186 data_len = tvb_get_ntohs(tvb, offset);
6187 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, data_len);
6188 COUNT_BYTES(2);
6189
6190 if (data_len != 0) {
6191 CHECK_BYTE_COUNT(data_len);
6192 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset,
6193 data_len, ENC_NA);
6194 COUNT_BYTES(data_len);
6195 }
6196
6197 END_OF_SMB
6198
6199 return offset;
6200 }
6201
6202 static const value_string locking_ol_vals[] = {
6203 {0, "Client is not holding oplock on this file"},
6204 {1, "Level 2 oplock currently held by client"},
6205 {0, NULL}
6206 };
6207
6208 static const true_false_string tfs_lock_type_large = {
6209 "Large file locking format requested",
6210 "Large file locking format not requested"
6211 };
6212 static const true_false_string tfs_lock_type_cancel = {
6213 "Cancel outstanding lock request",
6214 "Don't cancel outstanding lock request"
6215 };
6216 static const true_false_string tfs_lock_type_change = {
6217 "Change lock type",
6218 "Don't change lock type"
6219 };
6220 static const true_false_string tfs_lock_type_oplock = {
6221 "This is an oplock break notification/response",
6222 "This is not an oplock break notification/response"
6223 };
6224 static const true_false_string tfs_lock_type_shared = {
6225 "This is a shared lock",
6226 "This is an exclusive lock"
6227 };
6228 static int
6229 dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6230 {
6231 uint8_t wc, cmd = 0xff, lt = 0, ol = 0;
6232 uint16_t andxoffset = 0, un = 0, ln = 0, bc, fid, num_lock = 0, num_unlock = 0;
6233 uint32_t to;
6234 proto_item *it = NULL;
6235 proto_tree *tr = NULL;
6236 int old_offset = offset;
6237 smb_locking_saved_info_t *ld = NULL;
6238 static int * const locks[] = {
6239 &hf_smb_lock_type_large,
6240 &hf_smb_lock_type_cancel,
6241 &hf_smb_lock_type_change,
6242 &hf_smb_lock_type_oplock,
6243 &hf_smb_lock_type_shared,
6244 NULL
6245 };
6246
6247 DISSECTOR_ASSERT(si);
6248
6249 WORD_COUNT;
6250
6251 /* next smb command */
6252 cmd = tvb_get_uint8(tvb, offset);
6253 if (cmd != 0xff) {
6254 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
6255 } else {
6256 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
6257 }
6258 offset += 1;
6259
6260 /* reserved byte */
6261 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
6262 offset += 1;
6263
6264 /* andxoffset */
6265 andxoffset = tvb_get_letohs(tvb, offset);
6266 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6267 offset += 2;
6268
6269 /* fid */
6270 fid = tvb_get_letohs(tvb, offset);
6271 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
6272 offset += 2;
6273
6274 /* lock type */
6275 lt = tvb_get_uint8(tvb, offset);
6276 proto_tree_add_bitmask(tree, tvb, offset, hf_smb_lock_type, ett_smb_lock_type, locks, ENC_NA);
6277 offset += 1;
6278
6279 /* oplock level */
6280 ol = tvb_get_uint8(tvb, offset);
6281 proto_tree_add_item(tree, hf_smb_locking_ol, tvb, offset, 1, ENC_LITTLE_ENDIAN);
6282 offset += 1;
6283
6284 /* timeout */
6285 to = tvb_get_letohl(tvb, offset);
6286 proto_tree_add_uint_format_value(tree, hf_smb_timeout, tvb, offset, 4, to, "%s", smbext20_timeout_msecs_to_str(pinfo->pool, to));
6287 offset += 4;
6288
6289 /* number of unlocks */
6290 un = tvb_get_letohs(tvb, offset);
6291 num_unlock = un;
6292 proto_tree_add_uint(tree, hf_smb_number_of_unlocks, tvb, offset, 2, un);
6293 offset += 2;
6294
6295 /* number of locks */
6296 ln = tvb_get_letohs(tvb, offset);
6297 num_lock = ln;
6298 proto_tree_add_uint(tree, hf_smb_number_of_locks, tvb, offset, 2, ln);
6299 offset += 2;
6300
6301 BYTE_COUNT;
6302
6303 /* store the locking data for the response */
6304 if ((!pinfo->fd->visited) && si->sip) {
6305 ld = wmem_new(wmem_file_scope(), smb_locking_saved_info_t);
6306 ld->type = lt;
6307 ld->oplock_level = ol;
6308 ld->num_lock = num_lock;
6309 ld->num_unlock = num_unlock;
6310 ld->locks = NULL;
6311 ld->unlocks = NULL;
6312 si->sip->extra_info_type = SMB_EI_LOCKDATA;
6313 si->sip->extra_info = ld;
6314 }
6315
6316 /* unlocks */
6317 if (un) {
6318 old_offset = offset;
6319
6320 tr = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb_unlocks, &it, "Unlocks");
6321 while (un--) {
6322 proto_tree *ltree_2;
6323 if (lt&0x10) {
6324 uint64_t val;
6325 uint16_t lock_pid;
6326 uint64_t lock_offset;
6327 uint64_t lock_length;
6328
6329 /* large lock format */
6330 ltree_2 = proto_tree_add_subtree(tr, tvb, offset, 20, ett_smb_unlock, NULL, "Unlock");
6331
6332 /* PID */
6333 CHECK_BYTE_COUNT(2);
6334 lock_pid = tvb_get_letohs(tvb, offset);
6335 proto_tree_add_item(ltree_2, hf_smb_pid, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6336 COUNT_BYTES(2);
6337
6338 /* 2 reserved bytes */
6339 CHECK_BYTE_COUNT(2);
6340 proto_tree_add_item(ltree_2, hf_smb_reserved, tvb, offset, 2, ENC_NA);
6341 COUNT_BYTES(2);
6342
6343 /* offset */
6344 CHECK_BYTE_COUNT(8);
6345 val = ((uint64_t)tvb_get_letohl(tvb, offset)) << 32
6346 | tvb_get_letohl(tvb, offset+4);
6347 lock_offset = val;
6348 proto_tree_add_uint64(ltree_2, hf_smb_lock_long_offset, tvb, offset, 8, val);
6349 COUNT_BYTES(8);
6350
6351 /* length */
6352 CHECK_BYTE_COUNT(8);
6353 val = ((uint64_t)tvb_get_letohl(tvb, offset)) << 32
6354 | tvb_get_letohl(tvb, offset+4);
6355 lock_length = val;
6356 proto_tree_add_uint64(ltree_2, hf_smb_lock_long_length, tvb, offset, 8, val);
6357 COUNT_BYTES(8);
6358
6359 /* remember the unlock for the reply */
6360 if (ld) {
6361 smb_lock_info_t *li;
6362 li = wmem_new(wmem_file_scope(), smb_lock_info_t);
6363 li->next = ld->unlocks;
6364 ld->unlocks = li;
6365 li->pid = lock_pid;
6366 li->offset = lock_offset;
6367 li->length = lock_length;
6368 }
6369 } else {
6370 /* normal lock format */
6371 ltree_2 = proto_tree_add_subtree(tr, tvb, offset, 10, ett_smb_unlock, NULL, "Unlock");
6372
6373 /* PID */
6374 CHECK_BYTE_COUNT(2);
6375 proto_tree_add_item(ltree_2, hf_smb_pid, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6376 COUNT_BYTES(2);
6377
6378 /* offset */
6379 CHECK_BYTE_COUNT(4);
6380 proto_tree_add_item(ltree_2, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6381 COUNT_BYTES(4);
6382
6383 /* lock count */
6384 CHECK_BYTE_COUNT(4);
6385 proto_tree_add_item(ltree_2, hf_smb_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6386 COUNT_BYTES(4);
6387 }
6388 }
6389 proto_item_set_len(it, offset-old_offset);
6390 it = NULL;
6391 }
6392
6393 /* locks */
6394 if (ln) {
6395 old_offset = offset;
6396
6397 tr = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb_locks, &it, "Locks");
6398 while (ln--) {
6399 proto_tree *ltree_2;
6400 if (lt&0x10) {
6401 uint64_t val;
6402 uint16_t lock_pid;
6403 uint64_t lock_offset;
6404 uint64_t lock_length;
6405
6406 /* large lock format */
6407 ltree_2 = proto_tree_add_subtree(tr, tvb, offset, 20, ett_smb_lock, NULL, "Lock");
6408
6409 /* PID */
6410 CHECK_BYTE_COUNT(2);
6411 lock_pid = tvb_get_letohs(tvb, offset);
6412 proto_tree_add_item(ltree_2, hf_smb_pid, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6413 COUNT_BYTES(2);
6414
6415 /* 2 reserved bytes */
6416 CHECK_BYTE_COUNT(2);
6417 proto_tree_add_item(ltree_2, hf_smb_reserved, tvb, offset, 2, ENC_NA);
6418 COUNT_BYTES(2);
6419
6420 /* offset */
6421 CHECK_BYTE_COUNT(8);
6422 val = ((uint64_t)tvb_get_letohl(tvb, offset)) << 32
6423 | tvb_get_letohl(tvb, offset+4);
6424 lock_offset = val;
6425 proto_tree_add_uint64(ltree_2, hf_smb_lock_long_offset, tvb, offset, 8, val);
6426 COUNT_BYTES(8);
6427
6428 /* length */
6429 CHECK_BYTE_COUNT(8);
6430 val = ((uint64_t)tvb_get_letohl(tvb, offset)) << 32
6431 | tvb_get_letohl(tvb, offset+4);
6432 lock_length = val;
6433 proto_tree_add_uint64(ltree_2, hf_smb_lock_long_length, tvb, offset, 8, val);
6434 COUNT_BYTES(8);
6435
6436 /* remember the lock for the reply */
6437 if (ld) {
6438 smb_lock_info_t *li;
6439 li = wmem_new(wmem_file_scope(), smb_lock_info_t);
6440 li->next = ld->locks;
6441 ld->locks = li;
6442 li->pid = lock_pid;
6443 li->offset = lock_offset;
6444 li->length = lock_length;
6445 }
6446 } else {
6447 /* normal lock format */
6448 ltree_2 = proto_tree_add_subtree(tr, tvb, offset, 10, ett_smb_lock, NULL, "Lock");
6449
6450 /* PID */
6451 CHECK_BYTE_COUNT(2);
6452 proto_tree_add_item(ltree_2, hf_smb_pid, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6453 COUNT_BYTES(2);
6454
6455 /* offset */
6456 CHECK_BYTE_COUNT(4);
6457 proto_tree_add_item(ltree_2, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6458 COUNT_BYTES(4);
6459
6460 /* lock count */
6461 CHECK_BYTE_COUNT(4);
6462 proto_tree_add_item(ltree_2, hf_smb_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6463 COUNT_BYTES(4);
6464 }
6465 }
6466 proto_item_set_len(it, offset-old_offset);
6467 it = NULL;
6468 }
6469
6470 END_OF_SMB
6471
6472 if (it != NULL) {
6473 /*
6474 * We ran out of byte count in the middle of dissecting
6475 * the locks or the unlocks; set the site of the item
6476 * we were dissecting.
6477 */
6478 proto_item_set_len(it, offset-old_offset);
6479 }
6480
6481 if (cmd != 0xff) { /* there is an andX command */
6482 if (andxoffset < offset) {
6483 THROW(ReportedBoundsError);
6484 }
6485 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
6486 }
6487
6488 return offset;
6489 }
6490
6491 static int
6492 dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6493 {
6494 uint8_t wc, cmd = 0xff;
6495 uint16_t andxoffset = 0;
6496 uint16_t bc;
6497
6498 DISSECTOR_ASSERT(si);
6499
6500 /* print the lock info from the request */
6501 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_LOCKDATA)) {
6502 smb_locking_saved_info_t *ld;
6503 proto_item *litem = NULL;
6504 proto_tree *ltree = NULL;
6505
6506 ld = (smb_locking_saved_info_t *)si->sip->extra_info;
6507 if (ld != NULL) {
6508 proto_tree *ltr;
6509 smb_lock_info_t *li;
6510 if (tree) {
6511 litem = proto_tree_add_uint(tree, hf_smb_lock_type, tvb, 0, 0, ld->type);
6512 proto_item_set_generated(litem);
6513 ltree = proto_item_add_subtree(litem, ett_smb_lock_type);
6514
6515 proto_tree_add_boolean(ltree, hf_smb_lock_type_large, tvb, 0, 0, ld->type);
6516 proto_tree_add_boolean(ltree, hf_smb_lock_type_cancel, tvb, 0, 0, ld->type);
6517 proto_tree_add_boolean(ltree, hf_smb_lock_type_change, tvb, 0, 0, ld->type);
6518 proto_tree_add_boolean(ltree, hf_smb_lock_type_oplock, tvb, 0, 0, ld->type);
6519 proto_tree_add_boolean(ltree, hf_smb_lock_type_shared, tvb, 0, 0, ld->type);
6520 proto_tree_add_uint(ltree, hf_smb_locking_ol, tvb, 0, 0, ld->oplock_level);
6521 proto_tree_add_uint(ltree, hf_smb_number_of_unlocks, tvb, 0, 0, ld->num_unlock);
6522 proto_tree_add_uint(ltree, hf_smb_number_of_locks, tvb, 0, 0, ld->num_lock);
6523
6524 ltr = proto_tree_add_subtree(ltree, tvb, 0, 0, ett_smb_lock, NULL, "Locks");
6525 li = ld->locks;
6526 while (li) {
6527 proto_tree_add_uint(ltr, hf_smb_pid, tvb, 0, 0, li->pid);
6528 proto_tree_add_uint64(ltr, hf_smb_lock_long_offset, tvb, 0, 0, li->offset);
6529 proto_tree_add_uint64(ltr, hf_smb_lock_long_length, tvb, 0, 0, li->length);
6530 li = li->next;
6531 }
6532 ltr = proto_tree_add_subtree(ltree, tvb, 0, 0, ett_smb_unlock, NULL, "Unlocks");
6533 li = ld->unlocks;
6534 while (li) {
6535 proto_tree_add_uint(ltr, hf_smb_pid, tvb, 0, 0, li->pid);
6536 proto_tree_add_uint64(ltr, hf_smb_lock_long_offset, tvb, 0, 0, li->offset);
6537 proto_tree_add_uint64(ltr, hf_smb_lock_long_length, tvb, 0, 0, li->length);
6538 li = li->next;
6539 }
6540 }
6541 }
6542 }
6543
6544 WORD_COUNT;
6545
6546 /* next smb command */
6547 cmd = tvb_get_uint8(tvb, offset);
6548 if (cmd != 0xff) {
6549 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
6550 } else {
6551 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
6552 }
6553 offset += 1;
6554
6555 /* reserved byte */
6556 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
6557 offset += 1;
6558
6559 /* andxoffset */
6560 andxoffset = tvb_get_letohs(tvb, offset);
6561 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6562 offset += 2;
6563
6564 BYTE_COUNT;
6565
6566 END_OF_SMB
6567
6568 if (cmd != 0xff) { /* there is an andX command */
6569 if (andxoffset < offset) {
6570 THROW(ReportedBoundsError);
6571 }
6572 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
6573 }
6574
6575 return offset;
6576 }
6577
6578
6579 const value_string oa_open_vals[] = {
6580 { 0, "No action taken?"},
6581 { 1, "The file existed and was opened"},
6582 { 2, "The file did not exist but was created"},
6583 { 3, "The file existed and was truncated"},
6584 { 0x8001, "The file existed and was opened, and an OpLock was granted"},
6585 { 0x8002, "The file did not exist but was created, and an OpLock was granted"},
6586 { 0x8003, "The file existed and was truncated, and an OpLock was granted"},
6587 {0, NULL}
6588 };
6589 static const true_false_string tfs_oa_lock = {
6590 "File is currently opened only by this user",
6591 "File is opened by another user (or mode not supported by server)"
6592 };
6593 static int
6594 dissect_open_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6595 {
6596 static int * const flags[] = {
6597 &hf_smb_open_action_lock,
6598 &hf_smb_open_action_open,
6599 NULL
6600 };
6601
6602 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_open_action, ett_smb_open_action, flags, ENC_LITTLE_ENDIAN);
6603 offset += 2;
6604
6605 return offset;
6606 }
6607
6608 static const true_false_string tfs_open_flags_add_info = {
6609 "Additional information requested",
6610 "Additional information not requested"
6611 };
6612 static const true_false_string tfs_open_flags_ex_oplock = {
6613 "Exclusive oplock requested",
6614 "Exclusive oplock not requested"
6615 };
6616 static const true_false_string tfs_open_flags_batch_oplock = {
6617 "Batch oplock requested",
6618 "Batch oplock not requested"
6619 };
6620 static const true_false_string tfs_open_flags_ealen = {
6621 "Total length of EAs requested",
6622 "Total length of EAs not requested"
6623 };
6624 static int
6625 dissect_open_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int bm)
6626 {
6627 uint16_t mask;
6628 proto_item *item;
6629 proto_tree *tree;
6630
6631 mask = tvb_get_letohs(tvb, offset);
6632
6633 if (parent_tree) {
6634 item = proto_tree_add_item(parent_tree, hf_smb_open_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6635 tree = proto_item_add_subtree(item, ett_smb_open_flags);
6636
6637 if (bm&0x0001) {
6638 proto_tree_add_boolean(tree, hf_smb_open_flags_add_info,
6639 tvb, offset, 2, mask);
6640 }
6641 if (bm&0x0002) {
6642 proto_tree_add_boolean(tree, hf_smb_open_flags_ex_oplock,
6643 tvb, offset, 2, mask);
6644 }
6645 if (bm&0x0004) {
6646 proto_tree_add_boolean(tree, hf_smb_open_flags_batch_oplock,
6647 tvb, offset, 2, mask);
6648 }
6649 if (bm&0x0008) {
6650 proto_tree_add_boolean(tree, hf_smb_open_flags_ealen,
6651 tvb, offset, 2, mask);
6652 }
6653 }
6654
6655 offset += 2;
6656
6657 return offset;
6658 }
6659
6660 /* [MS-CIFS].pdf 2.2.4.64.2 provides the last two file types, however
6661 [MS-SMB].PDF 2.2.4.9.2 elides value 4, Character mode device. */
6662 static const value_string filetype_vals[] = {
6663 { 0, "Disk file or directory"},
6664 { 1, "Named pipe in byte mode"},
6665 { 2, "Named pipe in message mode"},
6666 { 3, "Spooled printer"},
6667 { 4, "Character mode device"},
6668 { 0xFFFF, "Unknown file type"},
6669 {0, NULL}
6670 };
6671 static int
6672 dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6673 {
6674 uint8_t wc, cmd = 0xff;
6675 uint16_t andxoffset = 0, bc;
6676 uint32_t to;
6677 int fn_len;
6678 const char *fn;
6679
6680 DISSECTOR_ASSERT(si);
6681
6682 WORD_COUNT;
6683
6684 /* next smb command */
6685 cmd = tvb_get_uint8(tvb, offset);
6686 if (cmd != 0xff) {
6687 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
6688 } else {
6689 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
6690 }
6691 offset += 1;
6692
6693 /* reserved byte */
6694 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
6695 offset += 1;
6696
6697 /* andxoffset */
6698 andxoffset = tvb_get_letohs(tvb, offset);
6699 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6700 offset += 2;
6701
6702 /* open flags */
6703 offset = dissect_open_flags(tvb, tree, offset, 0x0007);
6704
6705 /* desired access */
6706 offset = dissect_access(tvb, tree, offset, hf_smb_desired_access);
6707
6708 /* Search Attributes */
6709 offset = dissect_search_attributes(tvb, tree, offset);
6710
6711 /* File Attributes */
6712 offset = dissect_file_attributes(tvb, tree, offset);
6713
6714 /* creation time */
6715 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_create_time);
6716
6717 /* open function */
6718 offset = dissect_open_function(tvb, tree, offset);
6719
6720 /* allocation size */
6721 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6722 offset += 4;
6723
6724 /* timeout, described at http://us1.samba.org/samba/ftp/SMB-info/DOSEXTP.TXT */
6725 to = tvb_get_letohl(tvb, offset);
6726 proto_tree_add_uint_format_value(tree, hf_smb_timeout, tvb, offset, 4, to, "%s", smbext20_timeout_msecs_to_str(pinfo->pool, to));
6727 offset += 4;
6728
6729 /* 4 reserved bytes */
6730 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
6731 offset += 4;
6732
6733 BYTE_COUNT;
6734
6735 /* file name */
6736 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
6737 false, false, &bc);
6738 if (fn == NULL)
6739 goto endofcommand;
6740 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
6741 fn);
6742 COUNT_BYTES(fn_len);
6743
6744 /* Copied this portion of code from create_andx_request
6745 to guarantee that fsi and si->sip are always correctly filled out */
6746 if ((!pinfo->fd->visited) && si->sip && fn) {
6747 smb_fid_saved_info_t *fsi;
6748
6749 fsi = wmem_new0(wmem_file_scope(), smb_fid_saved_info_t);
6750 fsi->filename = wmem_strdup(wmem_file_scope(), fn);
6751
6752 si->sip->extra_info_type = SMB_EI_FILEDATA;
6753 si->sip->extra_info = fsi;
6754 }
6755
6756 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
6757 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
6758
6759 END_OF_SMB
6760
6761 if (cmd != 0xff) { /* there is an andX command */
6762 if (andxoffset < offset) {
6763 THROW(ReportedBoundsError);
6764 }
6765 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
6766 }
6767
6768 return offset;
6769 }
6770
6771 static const true_false_string tfs_ipc_state_nonblocking = {
6772 "Reads/writes return immediately if no data available",
6773 "Reads/writes block if no data available"
6774 };
6775 static const value_string ipc_state_endpoint_vals[] = {
6776 { 0, "Consumer end of pipe"},
6777 { 1, "Server end of pipe"},
6778 {0, NULL}
6779 };
6780 static const value_string ipc_state_pipe_type_vals[] = {
6781 { 0, "Byte stream pipe"},
6782 { 1, "Message pipe"},
6783 {0, NULL}
6784 };
6785 static const value_string ipc_state_read_mode_vals[] = {
6786 { 0, "Read pipe as a byte stream"},
6787 { 1, "Read messages from pipe"},
6788 {0, NULL}
6789 };
6790
6791 int
6792 dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree, int offset, bool setstate_flag)
6793 {
6794 static int * const setstate_flags[] = {
6795 &hf_smb_ipc_state_nonblocking,
6796 &hf_smb_ipc_state_read_mode,
6797 NULL
6798 };
6799 static int * const not_setstate_flags[] = {
6800 &hf_smb_ipc_state_nonblocking,
6801 &hf_smb_ipc_state_endpoint,
6802 &hf_smb_ipc_state_pipe_type,
6803 &hf_smb_ipc_state_read_mode,
6804 &hf_smb_ipc_state_icount,
6805 NULL
6806 };
6807
6808 if (!setstate_flag) {
6809 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_ipc_state, ett_smb_ipc_state, not_setstate_flags, ENC_LITTLE_ENDIAN);
6810 } else {
6811 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_ipc_state, ett_smb_ipc_state, setstate_flags, ENC_LITTLE_ENDIAN);
6812 }
6813 offset += 2;
6814
6815 return offset;
6816 }
6817
6818 static int
6819 dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6820 {
6821 uint8_t wc, cmd = 0xff;
6822 uint16_t andxoffset = 0, bc;
6823 uint16_t fid;
6824 uint16_t ftype;
6825 uint16_t fattr;
6826 smb_fid_info_t *fid_info = NULL;
6827 bool isdir = false;
6828
6829 WORD_COUNT;
6830
6831 /* next smb command */
6832 cmd = tvb_get_uint8(tvb, offset);
6833 if (cmd != 0xff) {
6834 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
6835 } else {
6836 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
6837 }
6838 offset += 1;
6839
6840 /* reserved byte */
6841 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
6842 offset += 1;
6843
6844 /* andxoffset */
6845 andxoffset = tvb_get_letohs(tvb, offset);
6846 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6847 offset += 2;
6848
6849 /* fid */
6850 fid = tvb_get_letohs(tvb, offset);
6851 /* we add fid_info= to this call so that we save the result */
6852 fid_info = dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, true, false, false, si);
6853
6854 offset += 2;
6855
6856 /* File Attributes */
6857 fattr = tvb_get_letohs(tvb, offset);
6858 isdir = fattr & SMB_FILE_ATTRIBUTE_DIRECTORY;
6859 offset = dissect_file_attributes(tvb, tree, offset);
6860
6861 /* last write time */
6862 offset = dissect_smb_UTIME(tvb, tree, offset, hf_smb_last_write_time);
6863
6864 /* File Size */
6865 /* We store the file_size in the fid_info */
6866 if (fid_info) {
6867 fid_info->end_of_file = (uint64_t) tvb_get_letohl(tvb, offset);
6868 }
6869 proto_tree_add_item(tree, hf_smb_file_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6870 offset += 4;
6871
6872 /* granted access */
6873 offset = dissect_access(tvb, tree, offset, hf_smb_granted_access);
6874
6875 /* File Type */
6876 ftype = tvb_get_letohs(tvb, offset);
6877 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6878 offset += 2;
6879 /* Copied from dissect_nt_create_andx_response
6880 Try to remember the type of this fid so that we can dissect
6881 any future security descriptor (access mask) properly
6882 */
6883 if (fid_info) {
6884 fid_info->type = SMB_FID_TYPE_UNKNOWN;
6885 }
6886 if (ftype == 0) {
6887 if (isdir == 0) {
6888 if (fid_info) {
6889 fid_info->type = SMB_FID_TYPE_FILE;
6890 }
6891 } else {
6892 if (fid_info) {
6893 fid_info->type = SMB_FID_TYPE_DIR;
6894 }
6895 }
6896 }
6897 if ((ftype == 2) || (ftype == 1)) {
6898 if (fid_info) {
6899 fid_info->type = SMB_FID_TYPE_PIPE;
6900 }
6901 }
6902
6903 /* IPC State */
6904 offset = dissect_ipc_state(tvb, tree, offset, false);
6905
6906 /* open_action */
6907 offset = dissect_open_action(tvb, tree, offset);
6908
6909 /* server fid */
6910 proto_tree_add_item(tree, hf_smb_server_fid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6911 offset += 4;
6912
6913 /* 2 reserved bytes */
6914 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
6915 offset += 2;
6916
6917 /* [MS-SMB] 2.2.4.1.2 Server Response Extensions */
6918 if (wc == 19) {
6919 proto_tree *tr = NULL;
6920
6921 tr = proto_tree_add_subtree(tree, tvb, offset, 4,
6922 ett_smb_nt_access_mask, NULL, "Maximal Access Rights");
6923 offset = dissect_smb_access_mask(tvb, tr, offset);
6924
6925 tr = proto_tree_add_subtree(tree, tvb, offset, 4,
6926 ett_smb_nt_access_mask, NULL, "Guest Maximal Access Rights");
6927 offset = dissect_smb_access_mask(tvb, tr, offset);
6928 }
6929
6930 BYTE_COUNT;
6931
6932 END_OF_SMB
6933
6934 if (cmd != 0xff) { /* there is an andX command */
6935 if (andxoffset < offset) {
6936 THROW(ReportedBoundsError);
6937 }
6938 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
6939 }
6940
6941 return offset;
6942 }
6943
6944 static int
6945 dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
6946 {
6947 uint8_t wc, cmd = 0xff;
6948 uint16_t andxoffset = 0, bc, maxcnt_low;
6949 uint32_t maxcnt_high;
6950 uint32_t maxcnt = 0;
6951 uint32_t offsetlow, offsethigh = 0;
6952 uint64_t ofs;
6953 unsigned int fid;
6954 rw_info_t *rwi = NULL;
6955
6956
6957 DISSECTOR_ASSERT(si);
6958
6959 WORD_COUNT;
6960
6961 /* next smb command */
6962 cmd = tvb_get_uint8(tvb, offset);
6963 if (cmd != 0xff) {
6964 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
6965 } else {
6966 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
6967 }
6968 offset += 1;
6969
6970 /* reserved byte */
6971 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
6972 offset += 1;
6973
6974 /* andxoffset */
6975 andxoffset = tvb_get_letohs(tvb, offset);
6976 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
6977 offset += 2;
6978
6979 /* fid */
6980 fid = tvb_get_letohs(tvb, offset);
6981 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (uint16_t) fid, false, false, false, si);
6982 offset += 2;
6983
6984 /* offset */
6985 offsetlow = tvb_get_letohl(tvb, offset);
6986 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6987 offset += 4;
6988
6989 /* max count low */
6990 maxcnt_low = tvb_get_letohs(tvb, offset);
6991 proto_tree_add_uint(tree, hf_smb_max_count_low, tvb, offset, 2, maxcnt_low);
6992 offset += 2;
6993
6994 /* min count */
6995 proto_tree_add_item(tree, hf_smb_min_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6996 offset += 2;
6997
6998 /*
6999 * max count high
7000 *
7001 * XXX - we should really only do this in case we have seen
7002 * LARGE FILE being negotiated. Unfortunately, we might not
7003 * have seen the negotiation phase in the capture....
7004 *
7005 * XXX - this is shown as a ULONG in the SNIA SMB spec, i.e.
7006 * it's 32 bits, but the description says "High 16 bits of
7007 * MaxCount if CAP_LARGE_READX".
7008 *
7009 * The SMB File Sharing Protocol Extensions Version 2.0,
7010 * Document Version 3.3 spec doesn't speak of an extra 16
7011 * bits in max count, but it does show a 32-bit timeout
7012 * after the min count field.
7013 *
7014 * The Microsoft [MS-SMB] spec shows it as a ULONG named
7015 * Timeout_or_MaxCountHigh, which is
7016 *
7017 * ...extended to be treated as a union of a 32-bit
7018 * Timeout field and a 16-bit MaxCountHigh field.
7019 * When reading from a regular file, the field
7020 * MUST be interpreted as MaxCountHigh and the
7021 * two unused bytes MUST be zero. When reading from
7022 * a name[sic] pipe or I/O device, the field MUST
7023 * be interpreted as Timeout.
7024 *
7025 * Timeout is a timeout in milliseconds, with 0xffffffff
7026 * and 0xfffffffe having special meaning.
7027 *
7028 * MaxCountHigh is 16 bits of the MaxCountHigh value
7029 * followed by 16 bits of Reserved.
7030 *
7031 * We fetch and display it as 32 bits for now.
7032 *
7033 * XXX if maxcount high is 0xFFFFFFFF we assume it is just padding
7034 * bytes and we just ignore it.
7035 */
7036 maxcnt_high = tvb_get_letohl(tvb, offset);
7037 if (maxcnt_high == 0xffffffff) {
7038 maxcnt_high = 0;
7039 } else {
7040 proto_tree_add_uint(tree, hf_smb_max_count_high, tvb, offset, 4, maxcnt_high);
7041 }
7042
7043 offset += 4;
7044
7045 maxcnt = maxcnt_high;
7046 maxcnt = (maxcnt<<16) | maxcnt_low;
7047
7048 /* remaining */
7049 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7050 offset += 2;
7051
7052 if (wc == 12) {
7053 /* high offset */
7054 offsethigh = tvb_get_letohl(tvb, offset);
7055 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7056 offset += 4;
7057 }
7058
7059 ofs = offsethigh;
7060 ofs = (ofs<<32) | offsetlow;
7061
7062 col_append_fstr(pinfo->cinfo, COL_INFO,
7063 ", %u byte%s at offset %" PRIu64,
7064 maxcnt, (maxcnt == 1) ? "" : "s", ofs);
7065
7066 /* save the offset/len for this transaction */
7067 if (si->sip && !pinfo->fd->visited) {
7068 rwi = wmem_new(wmem_file_scope(), rw_info_t);
7069 rwi->offset = ofs;
7070 rwi->len = maxcnt;
7071 rwi->fid = fid;
7072
7073 si->sip->extra_info_type = SMB_EI_RWINFO;
7074 si->sip->extra_info = rwi;
7075 }
7076 if (si->sip && (si->sip->extra_info_type == SMB_EI_RWINFO)) {
7077 rwi = (rw_info_t *)si->sip->extra_info;
7078 }
7079 if (rwi) {
7080 proto_item *it;
7081
7082 it = proto_tree_add_uint64(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
7083
7084 proto_item_set_generated(it);
7085 it = proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
7086 proto_item_set_generated(it);
7087 }
7088
7089 BYTE_COUNT;
7090
7091 END_OF_SMB
7092
7093 if (cmd != 0xff) { /* there is an andX command */
7094 if (andxoffset < offset) {
7095 THROW(ReportedBoundsError);
7096 }
7097 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
7098 }
7099
7100 return offset;
7101 }
7102
7103 static int
7104 dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
7105 {
7106 uint8_t wc, cmd = 0xff;
7107 uint16_t andxoffset = 0, bc, datalen_low, dataoffset = 0;
7108 uint32_t datalen = 0, datalen_high;
7109 rw_info_t *rwi = NULL;
7110 uint16_t fid = 0; /* was int fid = 0; */
7111
7112 uint32_t tvblen;
7113
7114 DISSECTOR_ASSERT(si);
7115
7116 WORD_COUNT;
7117
7118 /* next smb command */
7119 cmd = tvb_get_uint8(tvb, offset);
7120 if (cmd != 0xff) {
7121 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
7122 } else {
7123 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
7124 }
7125 offset += 1;
7126
7127 /* reserved byte */
7128 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
7129 offset += 1;
7130
7131 /* andxoffset */
7132 andxoffset = tvb_get_letohs(tvb, offset);
7133 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7134 offset += 2;
7135
7136 /* If we have seen the request, then print which FID this refers to */
7137 /* first check if we have seen the request */
7138 if ((si->sip != NULL) && (si->sip->frame_req > 0) && (si->sip->extra_info_type == SMB_EI_FID)) {
7139 fid = GPOINTER_TO_INT(si->sip->extra_info);
7140 dissect_smb_fid(tvb, pinfo, tree, 0, 0, (uint16_t) fid, false, false, false, si);
7141 }
7142
7143 if (si->sip && (si->sip->extra_info_type == SMB_EI_RWINFO)) {
7144 rwi = (rw_info_t *)si->sip->extra_info;
7145 }
7146 if (rwi) {
7147 proto_item *it;
7148
7149 it = proto_tree_add_uint64(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
7150
7151 proto_item_set_generated(it);
7152 it = proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
7153 proto_item_set_generated(it);
7154
7155 /* we need the fid for the call to dcerpc below */
7156 fid = rwi->fid;
7157 }
7158
7159 /* remaining */
7160 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7161 offset += 2;
7162
7163 /* data compaction mode */
7164 proto_tree_add_item(tree, hf_smb_dcm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7165 offset += 2;
7166
7167 /* 2 reserved bytes */
7168 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
7169 offset += 2;
7170
7171 /* data len low */
7172 datalen_low = tvb_get_letohs(tvb, offset);
7173 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
7174 offset += 2;
7175
7176 /* data offset */
7177 dataoffset = tvb_get_letohs(tvb, offset);
7178 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
7179 offset += 2;
7180
7181 /*
7182 * XXX - the SNIA SMB spec says this is a USHORT, not a
7183 * ULONG.
7184 *
7185 * XXX - we should really only do this in case we have seen
7186 * LARGE FILE being negotiated. Unfortunately, we might not
7187 * have seen the negotiation phase in the capture....
7188 */
7189 /* data length high */
7190 datalen_high = tvb_get_letohl(tvb, offset);
7191 if (datalen_high == 0xffffffff) {
7192 datalen_high = 0;
7193 } else {
7194 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 4, datalen_high);
7195 }
7196 offset += 4;
7197
7198 datalen = datalen_high;
7199 datalen = (datalen<<16) | datalen_low;
7200
7201
7202 col_append_fstr(pinfo->cinfo, COL_INFO,
7203 ", %u byte%s", datalen,
7204 (datalen == 1) ? "" : "s");
7205
7206
7207 /* 6 reserved bytes */
7208 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 6, ENC_NA);
7209 offset += 6;
7210
7211 BYTE_COUNT;
7212
7213 /* file data, might be DCERPC on a pipe */
7214 if (bc) {
7215 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
7216 top_tree_global, offset, bc, -1, (uint16_t) datalen, 0, (uint16_t) fid, si);
7217 bc = 0;
7218 }
7219
7220 /* feed the export object tap listener */
7221 tvblen = tvb_reported_length_remaining(tvb, dataoffset);
7222 if (have_tap_listener(smb_eo_tap) && (datalen == tvblen) && rwi) {
7223 feed_eo_smb(SMB_COM_READ_ANDX, fid, tvb, pinfo, dataoffset, datalen, rwi->len, rwi->offset, si);
7224 }
7225
7226 END_OF_SMB
7227
7228 if (cmd != 0xff) { /* there is an andX command */
7229 if (andxoffset < offset) {
7230 THROW(ReportedBoundsError);
7231 }
7232 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
7233 }
7234
7235 return offset;
7236 }
7237
7238 /* SMB_COM_WRITE_ANDX(0x2F)
7239 https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/a66126d2-a1db-446b-8736-b9f5559c49bd
7240 */
7241 static int
7242 dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
7243 {
7244 uint8_t wc, cmd = 0xff;
7245 uint16_t andxoffset = 0, bc, dataoffset = 0, datalen_low, datalen_high;
7246 uint32_t offsetlow, offsethigh = 0;
7247 uint64_t ofs;
7248 uint32_t datalen = 0;
7249 uint16_t fid = 0; /* was unsigned int fid = 0; */
7250 uint16_t mode = 0;
7251 rw_info_t *rwi = NULL;
7252
7253 uint32_t tvblen;
7254
7255 DISSECTOR_ASSERT(si);
7256
7257 WORD_COUNT;
7258
7259 /* next smb command */
7260 cmd = tvb_get_uint8(tvb, offset);
7261 if (cmd != 0xff) {
7262 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
7263 } else {
7264 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
7265 }
7266 offset += 1;
7267
7268 /* reserved byte */
7269 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
7270 offset += 1;
7271
7272 /* andxoffset */
7273 andxoffset = tvb_get_letohs(tvb, offset);
7274 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7275 offset += 2;
7276
7277 /* fid */
7278 fid = tvb_get_letohs(tvb, offset);
7279 dissect_smb_fid(tvb, pinfo, tree, offset, 2, (uint16_t) fid, false, false, false, si);
7280 offset += 2;
7281
7282 /* offset */
7283 offsetlow = tvb_get_letohl(tvb, offset);
7284 proto_tree_add_item(tree, hf_smb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7285 offset += 4;
7286
7287 /* reserved */
7288 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
7289 offset += 4;
7290
7291 /* mode */
7292 mode = tvb_get_letohs(tvb, offset);
7293 offset = dissect_write_mode(tvb, tree, offset, 0x000f);
7294
7295 /* remaining */
7296 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7297 offset += 2;
7298
7299 /*
7300 * XXX - we should really only do this in case we have seen
7301 * LARGE FILE being negotiated. Unfortunately, we might not
7302 * have seen the negotiation phase in the capture....
7303 */
7304 /* data length high */
7305 datalen_high = tvb_get_letohs(tvb, offset);
7306 proto_tree_add_uint(tree, hf_smb_data_len_high, tvb, offset, 2, datalen_high);
7307 offset += 2;
7308
7309 /* data len low */
7310 datalen_low = tvb_get_letohs(tvb, offset);
7311 proto_tree_add_uint(tree, hf_smb_data_len_low, tvb, offset, 2, datalen_low);
7312 offset += 2;
7313
7314 datalen = datalen_high;
7315 datalen = (datalen<<16) | datalen_low;
7316
7317 /* data offset */
7318 dataoffset = tvb_get_letohs(tvb, offset);
7319 proto_tree_add_uint(tree, hf_smb_data_offset, tvb, offset, 2, dataoffset);
7320 offset += 2;
7321
7322 if (wc == 14) {
7323 /* high offset */
7324 offsethigh = tvb_get_letohl(tvb, offset);
7325 proto_tree_add_item(tree, hf_smb_high_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7326 offset += 4;
7327 }
7328
7329 ofs = offsethigh;
7330 ofs = (ofs<<32) | offsetlow;
7331
7332 col_append_fstr(pinfo->cinfo, COL_INFO,
7333 ", %u byte%s at offset %" PRIu64,
7334 datalen, (datalen == 1) ? "" : "s", ofs);
7335
7336 /* save the offset/len for this transaction */
7337 if (si->sip && !pinfo->fd->visited) {
7338 rwi = wmem_new(wmem_file_scope(), rw_info_t);
7339 rwi->offset = ofs;
7340 rwi->len = datalen;
7341 rwi->fid = fid;
7342
7343 si->sip->extra_info_type = SMB_EI_RWINFO;
7344 si->sip->extra_info = rwi;
7345 }
7346 if (si->sip && (si->sip->extra_info_type == SMB_EI_RWINFO)) {
7347 rwi = (rw_info_t *)si->sip->extra_info;
7348 }
7349 if (rwi) {
7350 proto_item *it;
7351
7352 it = proto_tree_add_uint64(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
7353
7354 proto_item_set_generated(it);
7355 it = proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
7356 proto_item_set_generated(it);
7357 }
7358
7359
7360 BYTE_COUNT;
7361
7362 /* if both the MessageStart and the WriteRawNamedPipe flags are set
7363 the first two bytes of the payload is the length of the data.
7364 Assume that all WriteAndX PDUs that have MESSAGE_START set to
7365 be over the IPC$ share and thus they all transport DCERPC.
7366 (if we didn't already know that from the TreeConnect call)
7367 */
7368 if (mode&WRITE_MODE_MESSAGE_START) {
7369 if (mode&WRITE_MODE_RAW) {
7370 proto_tree_add_item(tree, hf_smb_pipe_write_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7371 offset += 2;
7372 dataoffset += 2;
7373 bc -= 2;
7374 datalen -= 2;
7375 }
7376 if (!pinfo->fd->visited) {
7377 /* In case we did not see the TreeConnect call,
7378 store this TID here as well as a IPC TID
7379 so we know that future Read/Writes to this
7380 TID is (probably) DCERPC.
7381 */
7382 if (g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))) {
7383 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
7384 }
7385 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
7386 }
7387 if (si->sip) {
7388 si->sip->flags |= SMB_SIF_TID_IS_IPC;
7389 }
7390 }
7391
7392 /* file data, might be DCERPC on a pipe */
7393 if (bc != 0) {
7394 /* https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/a66126d2-a1db-446b-8736-b9f5559c49bd
7395 The DataOffset field can be used to relocate the SMB_Data.Bytes.Data
7396 block to the end of the message,even if the message is a multi-part AndX
7397 chain. If the SMB_Data.Bytes.Data block is relocated, the contents of
7398 SMB_Data.Bytes will not be contiguous.
7399 */
7400 offset = dissect_file_data_maybe_dcerpc(tvb, pinfo, tree,
7401 top_tree_global, offset, bc, dataoffset, (uint16_t) datalen, 0, (uint16_t) fid, si);
7402 bc = 0;
7403 }
7404
7405 /* feed the export object tap listener */
7406 tvblen = tvb_reported_length_remaining(tvb, dataoffset);
7407 if (have_tap_listener(smb_eo_tap) && (datalen == tvblen) && rwi) {
7408 feed_eo_smb(SMB_COM_WRITE_ANDX, fid, tvb, pinfo, dataoffset, datalen, rwi->len, rwi->offset, si);
7409 }
7410
7411 END_OF_SMB
7412
7413 if (cmd != 0xff) { /* there is an andX command */
7414 if (andxoffset < offset) {
7415 THROW(ReportedBoundsError);
7416 }
7417 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
7418 }
7419
7420 return offset;
7421 }
7422
7423 static int
7424 dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
7425 {
7426 uint8_t wc, cmd = 0xff;
7427 uint16_t andxoffset = 0, bc, count_low, count_high;
7428 uint32_t count = 0;
7429 rw_info_t *rwi = NULL;
7430
7431 DISSECTOR_ASSERT(si);
7432
7433 WORD_COUNT;
7434
7435 /* next smb command */
7436 cmd = tvb_get_uint8(tvb, offset);
7437 if (cmd != 0xff) {
7438 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
7439 } else {
7440 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
7441 }
7442 offset += 1;
7443
7444 /* reserved byte */
7445 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
7446 offset += 1;
7447
7448 /* andxoffset */
7449 andxoffset = tvb_get_letohs(tvb, offset);
7450 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7451 offset += 2;
7452
7453
7454 if (si->sip && (si->sip->extra_info_type == SMB_EI_RWINFO)) {
7455 rwi = (rw_info_t *)si->sip->extra_info;
7456 }
7457 if (rwi) {
7458 proto_item *it;
7459
7460 it = proto_tree_add_uint64(tree, hf_smb_file_rw_offset, tvb, 0, 0, rwi->offset);
7461
7462 proto_item_set_generated(it);
7463 it = proto_tree_add_uint(tree, hf_smb_file_rw_length, tvb, 0, 0, rwi->len);
7464 proto_item_set_generated(it);
7465 }
7466
7467
7468 /* write count low */
7469 count_low = tvb_get_letohs(tvb, offset);
7470 proto_tree_add_uint(tree, hf_smb_count_low, tvb, offset, 2, count_low);
7471 offset += 2;
7472
7473 /* remaining */
7474 proto_tree_add_item(tree, hf_smb_remaining, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7475 offset += 2;
7476
7477 /* XXX we should really only do this in case we have seen LARGE FILE being negotiated */
7478 /* write count high */
7479 count_high = tvb_get_letohs(tvb, offset);
7480 proto_tree_add_uint(tree, hf_smb_count_high, tvb, offset, 2, count_high);
7481 offset += 2;
7482
7483 count = count_high;
7484 count = (count<<16) | count_low;
7485
7486 col_append_fstr(pinfo->cinfo, COL_INFO,
7487 ", %u byte%s", count,
7488 (count == 1) ? "" : "s");
7489
7490 /* 2 reserved bytes */
7491 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
7492 offset += 2;
7493
7494 BYTE_COUNT;
7495
7496 END_OF_SMB
7497
7498 if (cmd != 0xff) { /* there is an andX command */
7499 if (andxoffset < offset) {
7500 THROW(ReportedBoundsError);
7501 }
7502 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
7503 }
7504
7505 return offset;
7506 }
7507
7508
7509 static const true_false_string tfs_setup_action_guest = {
7510 "Logged in as GUEST",
7511 "Not logged in as GUEST"
7512 };
7513 static int
7514 dissect_setup_action(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
7515 {
7516 static int * const flags[] = {
7517 &hf_smb_setup_action_guest,
7518 NULL
7519 };
7520
7521 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_setup_action, ett_smb_setup_action, flags, ENC_LITTLE_ENDIAN);
7522 offset += 2;
7523
7524 return offset;
7525 }
7526
7527
7528 static int
7529 dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
7530 {
7531 uint8_t wc, cmd = 0xff;
7532 uint16_t bc;
7533 uint16_t andxoffset = 0;
7534 int an_len;
7535 const char *an;
7536 int dn_len;
7537 const char *dn;
7538 uint16_t pwlen = 0;
7539 uint16_t sbloblen = 0, sbloblen_short;
7540 uint16_t apwlen = 0, upwlen = 0;
7541 bool unicodeflag;
7542 static int ntlmssp_tap_id = 0;
7543 const ntlmssp_header_t *ntlmssph;
7544
7545 if (!ntlmssp_tap_id) {
7546 GString *error_string;
7547 /* We don't specify any callbacks at all.
7548 * Instead we manually fetch the tapped data after the
7549 * security blob has been fully dissected and before
7550 * we exit from this dissector.
7551 */
7552 error_string = register_tap_listener("ntlmssp", NULL, NULL,
7553 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL, NULL);
7554 if (!error_string) {
7555 ntlmssp_tap_id = find_tap_id("ntlmssp");
7556 } else {
7557 g_string_free(error_string, true);
7558 }
7559 }
7560
7561 DISSECTOR_ASSERT(si);
7562
7563 WORD_COUNT;
7564
7565 /* next smb command */
7566 cmd = tvb_get_uint8(tvb, offset);
7567 if (cmd != 0xff) {
7568 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
7569 } else {
7570 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
7571 }
7572 offset += 1;
7573
7574 /* reserved byte */
7575 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
7576 offset += 1;
7577
7578 /* andxoffset */
7579 andxoffset = tvb_get_letohs(tvb, offset);
7580 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7581 offset += 2;
7582
7583 /* Maximum Buffer Size */
7584 proto_tree_add_item(tree, hf_smb_max_buf_size, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7585 offset += 2;
7586
7587 /* Maximum Multiplex Count */
7588 proto_tree_add_item(tree, hf_smb_max_mpx_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7589 offset += 2;
7590
7591 /* VC Number */
7592 proto_tree_add_item(tree, hf_smb_vc_num, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7593 offset += 2;
7594
7595 /* session key */
7596 proto_tree_add_item(tree, hf_smb_session_key, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7597 offset += 4;
7598
7599 switch (wc) {
7600 case 10:
7601 /* password length, ASCII*/
7602 pwlen = tvb_get_letohs(tvb, offset);
7603 proto_tree_add_uint(tree, hf_smb_password_len,
7604 tvb, offset, 2, pwlen);
7605 offset += 2;
7606
7607 /* 4 reserved bytes */
7608 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
7609 offset += 4;
7610
7611 break;
7612
7613 case 12:
7614 /* security blob length */
7615 sbloblen = tvb_get_letohs(tvb, offset);
7616 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
7617 offset += 2;
7618
7619 /* 4 reserved bytes */
7620 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
7621 offset += 4;
7622
7623 /* capabilities */
7624 dissect_negprot_capabilities(tvb, tree, offset);
7625 offset += 4;
7626
7627 break;
7628
7629 case 13:
7630 /* password length, ANSI*/
7631 apwlen = tvb_get_letohs(tvb, offset);
7632 proto_tree_add_uint(tree, hf_smb_ansi_password_len,
7633 tvb, offset, 2, apwlen);
7634 offset += 2;
7635
7636 /* password length, Unicode*/
7637 upwlen = tvb_get_letohs(tvb, offset);
7638 proto_tree_add_uint(tree, hf_smb_unicode_password_len,
7639 tvb, offset, 2, upwlen);
7640 offset += 2;
7641
7642 /* 4 reserved bytes */
7643 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
7644 offset += 4;
7645
7646 /* capabilities */
7647 dissect_negprot_capabilities(tvb, tree, offset);
7648 offset += 4;
7649
7650 break;
7651 }
7652
7653 BYTE_COUNT;
7654
7655 if (wc == 12) {
7656 proto_item *blob_item;
7657
7658 /* security blob */
7659 /* If it runs past the end of the captured data, don't
7660 * try to put all of it into the protocol tree as the
7661 * raw security blob; we might get an exception on
7662 * short frames and then we will not see anything at all
7663 * of the security blob.
7664 */
7665 sbloblen_short = sbloblen;
7666 if (sbloblen_short > tvb_reported_length_remaining(tvb, offset)) {
7667 sbloblen_short = tvb_reported_length_remaining(tvb, offset);
7668 }
7669 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
7670 tvb, offset, sbloblen_short,
7671 ENC_NA);
7672
7673 /* As an optimization, because Windows is perverse,
7674 we check to see if NTLMSSP is the first part of the
7675 blob, and if so, call the NTLMSSP dissector,
7676 otherwise we call the GSS-API dissector. This is because
7677 Windows can request RAW NTLMSSP, but will happily handle
7678 a client that wraps NTLMSSP in SPNEGO
7679 */
7680
7681 if (sbloblen) {
7682 tvbuff_t *blob_tvb;
7683 proto_tree *blob_tree;
7684
7685 blob_tree = proto_item_add_subtree(blob_item,
7686 ett_smb_secblob);
7687 CHECK_BYTE_COUNT(sbloblen);
7688
7689 /*
7690 * Set the reported length of this to the reported
7691 * length of the blob, rather than the amount of
7692 * data available from the blob, so that we'll
7693 * throw the right exception if it's too short.
7694 */
7695 blob_tvb = tvb_new_subset_length_caplen(tvb, offset, sbloblen_short,
7696 sbloblen);
7697
7698 if (si && si->ct && si->ct->raw_ntlmssp &&
7699 (tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0)) {
7700 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
7701 blob_tree);
7702
7703 }
7704 else {
7705 call_dissector(gssapi_handle, blob_tvb,
7706 pinfo, blob_tree);
7707 }
7708
7709 /* If we have found a uid->acct_name mapping, store it */
7710 if (!pinfo->fd->visited && si->sip) {
7711 int idx = 0;
7712 if ((ntlmssph = (const ntlmssp_header_t *)fetch_tapped_data(ntlmssp_tap_id, idx + 1 )) != NULL) {
7713 if (ntlmssph && (ntlmssph->type == 3)) {
7714 smb_uid_t *smb_uid;
7715
7716 smb_uid = wmem_new(wmem_file_scope(), smb_uid_t);
7717 smb_uid->logged_in = -1;
7718 smb_uid->logged_out = -1;
7719 smb_uid->domain = wmem_strdup(wmem_file_scope(), ntlmssph->domain_name);
7720 smb_uid->account = wmem_strdup(wmem_file_scope(), ntlmssph->acct_name);
7721
7722 si->sip->extra_info = smb_uid;
7723 si->sip->extra_info_type = SMB_EI_UID;
7724 }
7725 }
7726 }
7727
7728 COUNT_BYTES(sbloblen);
7729 }
7730
7731 /* OS
7732 * Even though this field should honour the unicode flag
7733 * some ms clients gets this wrong.
7734 * At least XP SP1 sends this in ASCII
7735 * even when the unicode flag is on.
7736 * Test if the first three bytes are "Win"
7737 * and if so just override the flag.
7738 */
7739 unicodeflag = si->unicode;
7740 if ( tvb_strneql(tvb, offset, "Win", 3) == 0 ) {
7741 unicodeflag = false;
7742 }
7743 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
7744 unicodeflag, &an_len, false, false, &bc);
7745 if (an == NULL)
7746 goto endofcommand;
7747 proto_tree_add_string(tree, hf_smb_os, tvb,
7748 offset, an_len, an);
7749 COUNT_BYTES(an_len);
7750
7751 /* LANMAN */
7752 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
7753 * padding/null string/whatever in front of this. W2K doesn't
7754 * appear to. I suspect that's a bug that got fixed; I also
7755 * suspect that, in practice, nobody ever looks at that field
7756 * because the bug didn't appear to get fixed until NT 5.0....
7757 *
7758 * Even though this field should honour the unicode flag
7759 * some ms clients gets this wrong.
7760 * At least XP SP1 sends this in ASCII
7761 * even when the unicode flag is on.
7762 * Test if the first three bytes are "Win"
7763 * and if so just override the flag.
7764 */
7765 unicodeflag = si->unicode;
7766 if ( tvb_strneql(tvb, offset, "Win", 3) == 0 ) {
7767 unicodeflag = false;
7768 }
7769 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
7770 unicodeflag, &an_len, false, false, &bc);
7771 if (an == NULL)
7772 goto endofcommand;
7773 proto_tree_add_string(tree, hf_smb_lanman, tvb,
7774 offset, an_len, an);
7775 COUNT_BYTES(an_len);
7776
7777 /* Primary domain */
7778 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
7779 * byte in front of this, at least if all the strings are
7780 * ASCII and the account name is empty. Another bug?
7781 */
7782 dn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
7783 si->unicode, &dn_len, false, false, &bc);
7784 if (dn == NULL)
7785 goto endofcommand;
7786 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
7787 offset, dn_len, dn);
7788 COUNT_BYTES(dn_len);
7789 } else {
7790 switch (wc) {
7791
7792 case 10:
7793 if (pwlen) {
7794 /* password, ASCII */
7795 CHECK_BYTE_COUNT(pwlen);
7796 proto_tree_add_item(tree, hf_smb_password,
7797 tvb, offset, pwlen, ENC_NA);
7798 COUNT_BYTES(pwlen);
7799 }
7800
7801 break;
7802
7803 case 13:
7804 if (apwlen) {
7805 /* password, ANSI */
7806 CHECK_BYTE_COUNT(apwlen);
7807 proto_tree_add_item(tree, hf_smb_ansi_password,
7808 tvb, offset, apwlen, ENC_NA);
7809 COUNT_BYTES(apwlen);
7810 }
7811
7812 if (upwlen) {
7813 proto_item *item;
7814
7815 /* password, Unicode */
7816 CHECK_BYTE_COUNT(upwlen);
7817 item = proto_tree_add_item(tree, hf_smb_unicode_password,
7818 tvb, offset, upwlen, ENC_NA);
7819
7820 if (upwlen > 24) {
7821 proto_tree *subtree;
7822 subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
7823 dissect_ntlmv2_response(tvb, pinfo, subtree, offset, upwlen);
7824 }
7825
7826 COUNT_BYTES(upwlen);
7827 }
7828
7829 break;
7830 }
7831
7832 /* Account Name */
7833 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
7834 si->unicode, &an_len, false, false, &bc);
7835 if (an == NULL)
7836 goto endofcommand;
7837 proto_tree_add_string(tree, hf_smb_account, tvb, offset, an_len,
7838 an);
7839 COUNT_BYTES(an_len);
7840
7841 /* Primary domain */
7842 /* XXX - pre-W2K NT systems sometimes appear to stick an extra
7843 * byte in front of this, at least if all the strings are
7844 * ASCII and the account name is empty. Another bug?
7845 */
7846 dn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
7847 si->unicode, &dn_len, false, false, &bc);
7848 if (dn == NULL)
7849 goto endofcommand;
7850 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
7851 offset, dn_len, dn);
7852 COUNT_BYTES(dn_len);
7853
7854 col_append_str(pinfo->cinfo, COL_INFO, ", User: ");
7855
7856 if (!dn[0] && !an[0])
7857 col_append_str(pinfo->cinfo, COL_INFO, "anonymous");
7858 else
7859 col_append_fstr(pinfo->cinfo, COL_INFO,
7860 "%s\\%s",
7861 format_text(pinfo->pool, (const unsigned char*)dn, strlen(dn)),
7862 format_text(pinfo->pool, (const unsigned char*)an, strlen(an)));
7863
7864 /* OS */
7865 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
7866 si->unicode, &an_len, false, false, &bc);
7867 if (an == NULL)
7868 goto endofcommand;
7869 proto_tree_add_string(tree, hf_smb_os, tvb,
7870 offset, an_len, an);
7871 COUNT_BYTES(an_len);
7872
7873 /* LANMAN */
7874 /* XXX - pre-W2K NT systems appear to stick an extra 2 bytes of
7875 * padding/null string/whatever in front of this. W2K doesn't
7876 * appear to. I suspect that's a bug that got fixed; I also
7877 * suspect that, in practice, nobody ever looks at that field
7878 * because the bug didn't appear to get fixed until NT 5.0....
7879 */
7880 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
7881 si->unicode, &an_len, false, false, &bc);
7882 if (an == NULL)
7883 goto endofcommand;
7884 proto_tree_add_string(tree, hf_smb_lanman, tvb,
7885 offset, an_len, an);
7886 COUNT_BYTES(an_len);
7887 }
7888
7889 END_OF_SMB
7890
7891 if (cmd != 0xff) { /* there is an andX command */
7892 if (andxoffset < offset) {
7893 THROW(ReportedBoundsError);
7894 }
7895 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
7896 }
7897
7898 return offset;
7899 }
7900
7901 static int
7902 dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
7903 {
7904 uint8_t wc, cmd = 0xff;
7905 uint16_t andxoffset = 0, bc;
7906 uint16_t sbloblen = 0;
7907 int an_len;
7908 const char *an;
7909
7910 DISSECTOR_ASSERT(si);
7911
7912 WORD_COUNT;
7913
7914 if (!pinfo->fd->visited && si->sip && si->sip->extra_info &&
7915 (si->sip->extra_info_type == SMB_EI_UID)) {
7916 smb_uid_t *smb_uid;
7917
7918 smb_uid = (smb_uid_t *)si->sip->extra_info;
7919 smb_uid->logged_in = pinfo->num;
7920 wmem_tree_insert32(si->ct->uid_tree, si->uid, smb_uid);
7921 }
7922
7923 /* next smb command */
7924 cmd = tvb_get_uint8(tvb, offset);
7925 if (cmd != 0xff) {
7926 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
7927 } else {
7928 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
7929 }
7930 offset += 1;
7931
7932 /* reserved byte */
7933 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
7934 offset += 1;
7935
7936 /* andxoffset */
7937 andxoffset = tvb_get_letohs(tvb, offset);
7938 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
7939 offset += 2;
7940
7941 /* flags */
7942 offset = dissect_setup_action(tvb, tree, offset);
7943
7944 if (wc == 4) {
7945 /* security blob length */
7946 sbloblen = tvb_get_letohs(tvb, offset);
7947 proto_tree_add_uint(tree, hf_smb_security_blob_len, tvb, offset, 2, sbloblen);
7948 offset += 2;
7949 }
7950
7951 BYTE_COUNT;
7952
7953 if (wc == 4) {
7954 proto_item *blob_item;
7955
7956 /* security blob */
7957 /* don't try to eat too much of we might get an exception on
7958 * short frames and then we will not see anything at all
7959 * of the security blob.
7960 */
7961 if (sbloblen > tvb_reported_length_remaining(tvb, offset)) {
7962 sbloblen = tvb_reported_length_remaining(tvb, offset);
7963 }
7964 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
7965 tvb, offset, sbloblen, ENC_NA);
7966
7967 if (sbloblen) {
7968 tvbuff_t *blob_tvb;
7969 proto_tree *blob_tree;
7970
7971 blob_tree = proto_item_add_subtree(blob_item,
7972 ett_smb_secblob);
7973 CHECK_BYTE_COUNT(sbloblen);
7974
7975 blob_tvb = tvb_new_subset_length(tvb, offset, sbloblen);
7976
7977 if (si && si->ct && si->ct->raw_ntlmssp &&
7978 (tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0)) {
7979 call_dissector(ntlmssp_handle, blob_tvb, pinfo,
7980 blob_tree);
7981
7982 }
7983 else {
7984 call_dissector(gssapi_handle, blob_tvb, pinfo,
7985 blob_tree);
7986
7987 }
7988
7989 COUNT_BYTES(sbloblen);
7990 }
7991 }
7992
7993 /* OS */
7994 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
7995 si->unicode, &an_len, false, false, &bc);
7996 if (an == NULL)
7997 goto endofcommand;
7998 proto_tree_add_string(tree, hf_smb_os, tvb,
7999 offset, an_len, an);
8000 COUNT_BYTES(an_len);
8001
8002 /* LANMAN */
8003 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
8004 si->unicode, &an_len, false, false, &bc);
8005 if (an == NULL)
8006 goto endofcommand;
8007 proto_tree_add_string(tree, hf_smb_lanman, tvb,
8008 offset, an_len, an);
8009 COUNT_BYTES(an_len);
8010
8011 if ((wc == 3) || (wc == 4)) {
8012 /* Primary domain */
8013 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
8014 si->unicode, &an_len, false, false, &bc);
8015 if (an == NULL)
8016 goto endofcommand;
8017 proto_tree_add_string(tree, hf_smb_primary_domain, tvb,
8018 offset, an_len, an);
8019 COUNT_BYTES(an_len);
8020 }
8021
8022 END_OF_SMB
8023
8024 if (cmd != 0xff) { /* there is an andX command */
8025 if (andxoffset < offset) {
8026 THROW(ReportedBoundsError);
8027 }
8028 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
8029 }
8030
8031 return offset;
8032 }
8033
8034
8035 static int
8036 dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si _U_)
8037 {
8038 uint8_t wc, cmd = 0xff;
8039 uint16_t andxoffset = 0;
8040 uint16_t bc;
8041
8042 WORD_COUNT;
8043
8044 /* next smb command */
8045 cmd = tvb_get_uint8(tvb, offset);
8046 if (cmd != 0xff) {
8047 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
8048 } else {
8049 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
8050 }
8051 offset += 1;
8052
8053 /* reserved byte */
8054 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
8055 offset += 1;
8056
8057 /* andxoffset */
8058 andxoffset = tvb_get_letohs(tvb, offset);
8059 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8060 offset += 2;
8061
8062 BYTE_COUNT;
8063
8064 END_OF_SMB
8065
8066 if (cmd != 0xff) { /* there is an andX command */
8067 if (andxoffset < offset) {
8068 THROW(ReportedBoundsError);
8069 }
8070 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
8071 }
8072
8073 return offset;
8074 }
8075
8076 /*
8077 * From [MS-SMB] - v20100711 Server Message Block (SMB) Protocol Specification
8078 * http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-SMB%5D.pdf
8079 * 2.2.4.7 SMB_COM_TREE_CONNECT_ANDX (0x75)
8080 */
8081
8082 static const true_false_string tfs_connect_support_search = {
8083 "Exclusive search bits supported",
8084 "Exclusive search bits not supported"
8085 };
8086 static const true_false_string tfs_connect_support_in_dfs = {
8087 "Share is in Dfs",
8088 "Share isn't in Dfs"
8089 };
8090 static const value_string connect_support_csc_mask_vals[] = {
8091 { 0, "Automatic file-to-file reintegration NOT permitted"},
8092 { 1, "Automatic file-to-file reintegration permitted"},
8093 { 2, "Offline caching allow for the share"},
8094 { 3, "Offline caching NOT allow for the share"},
8095 {0, NULL}
8096 };
8097 static const true_false_string tfs_connect_support_uniquefilename = {
8098 "Client allowed to cache share namespaces",
8099 "Client NOT allowed to cache share namespaces"
8100 };
8101 static const true_false_string tfs_connect_support_extended_signature = {
8102 "Extended signature",
8103 "NOT extended signature"
8104 };
8105
8106 static int
8107 dissect_connect_support_bits(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8108 {
8109 static int * const flags[] = {
8110 &hf_smb_connect_support_search,
8111 &hf_smb_connect_support_in_dfs,
8112 &hf_smb_connect_support_csc_mask_vals,
8113 &hf_smb_connect_support_uniquefilename,
8114 &hf_smb_connect_support_extended_signature,
8115 NULL
8116 };
8117
8118 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_connect_support, ett_smb_connect_support_bits, flags, ENC_LITTLE_ENDIAN);
8119 offset += 2;
8120
8121 return offset;
8122 }
8123
8124 static const true_false_string tfs_disconnect_tid = {
8125 "DISCONNECT TID",
8126 "Do NOT disconnect TID"
8127 };
8128
8129 static const true_false_string tfs_extended_signature = {
8130 "Extended Signature",
8131 "NOT Extended Signature"
8132 };
8133
8134 static const true_false_string tfs_extended_response = {
8135 "Extended Response",
8136 "NOT Extended Response"
8137 };
8138
8139 static int
8140 dissect_connect_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8141 {
8142 static int * const flags[] = {
8143 &hf_smb_connect_flags_dtid,
8144 &hf_smb_connect_flags_ext_sig,
8145 &hf_smb_connect_flags_ext_resp,
8146 NULL
8147 };
8148
8149 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_connect_flags, ett_smb_connect_flags, flags, ENC_LITTLE_ENDIAN);
8150 offset += 2;
8151
8152 return offset;
8153 }
8154
8155 static int
8156 dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
8157 {
8158 uint8_t wc, cmd = 0xff;
8159 uint16_t bc;
8160 uint16_t andxoffset = 0, pwlen = 0;
8161 int an_len;
8162 const uint8_t *an;
8163
8164 DISSECTOR_ASSERT(si);
8165
8166 WORD_COUNT;
8167
8168 /* next smb command */
8169 cmd = tvb_get_uint8(tvb, offset);
8170 if (cmd != 0xff) {
8171 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
8172 } else {
8173 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
8174 }
8175 offset += 1;
8176
8177 /* reserved byte */
8178 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
8179 offset += 1;
8180
8181 /* andxoffset */
8182 andxoffset = tvb_get_letohs(tvb, offset);
8183 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8184 offset += 2;
8185
8186 /* flags */
8187 offset = dissect_connect_flags(tvb, tree, offset);
8188
8189 /* password length*/
8190 pwlen = tvb_get_letohs(tvb, offset);
8191 proto_tree_add_uint(tree, hf_smb_password_len, tvb, offset, 2, pwlen);
8192 offset += 2;
8193
8194 BYTE_COUNT;
8195
8196 /* password */
8197 CHECK_BYTE_COUNT(pwlen);
8198 proto_tree_add_item(tree, hf_smb_password,
8199 tvb, offset, pwlen, ENC_NA);
8200 COUNT_BYTES(pwlen);
8201
8202 /* Path */
8203 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
8204 si->unicode, &an_len, false, false, &bc);
8205 if (an == NULL)
8206 goto endofcommand;
8207 proto_tree_add_string(tree, hf_smb_path, tvb,
8208 offset, an_len, an);
8209 COUNT_BYTES(an_len);
8210
8211 /* store it for the tid->name/openframe/closeframe matching in
8212 * dissect_smb_tid() called from the response.
8213 */
8214 if ((!pinfo->fd->visited) && si->sip && an) {
8215 si->sip->extra_info_type = SMB_EI_TIDNAME;
8216 si->sip->extra_info = wmem_strdup(wmem_file_scope(), an);
8217 }
8218
8219 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
8220 format_text(pinfo->pool, (const unsigned char*)an, strlen(an)));
8221
8222 /*
8223 * NOTE: the Service string is always ASCII, even if the
8224 * "strings are Unicode" bit is set in the flags2 field
8225 * of the SMB.
8226 */
8227
8228 /* Service */
8229 /* XXX - what if this runs past bc? */
8230 an_len = tvb_strsize(tvb, offset);
8231 CHECK_BYTE_COUNT(an_len);
8232 proto_tree_add_item_ret_string(tree, hf_smb_service, tvb,
8233 offset, an_len, ENC_ASCII|ENC_NA, pinfo->pool, &an);
8234 COUNT_BYTES(an_len);
8235
8236 END_OF_SMB
8237
8238 if (cmd != 0xff) { /* there is an andX command */
8239 if (andxoffset < offset) {
8240 THROW(ReportedBoundsError);
8241 }
8242 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
8243 }
8244
8245 return offset;
8246 }
8247
8248
8249 static int
8250 dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
8251 {
8252 uint8_t wc, cmd = 0xff;
8253 uint16_t andxoffset = 0;
8254 uint16_t bc;
8255 int an_len;
8256 const uint8_t *an;
8257
8258 DISSECTOR_ASSERT(si);
8259
8260 WORD_COUNT;
8261
8262 /* next smb command */
8263 cmd = tvb_get_uint8(tvb, offset);
8264 if (cmd != 0xff) {
8265 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
8266 } else {
8267 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
8268 }
8269 offset += 1;
8270
8271 /* reserved byte */
8272 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
8273 offset += 1;
8274
8275 /* andxoffset */
8276 andxoffset = tvb_get_letohs(tvb, offset);
8277 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
8278 offset += 2;
8279
8280 /* There are three valid formats of tree connect response.
8281 All have the first two words: andx_cmd, andx_off,
8282 and then have additional words as follows:
8283 wc=2: (ancient LanMan -- no more words)
8284 wc=3: (NT, non-ext) opt_support
8285 wc=7: (NT, extended) opt_support,
8286 tree_access(2w), guest_access(2w)
8287 byte_count follows those words as usual */
8288
8289 if (wc >= 3) {
8290 /* flags */
8291 offset = dissect_connect_support_bits(tvb, tree, offset);
8292 }
8293
8294 if (wc == 7) {
8295 /*
8296 * Refer to [MS-SMB] - v20100711
8297 * When a server returns extended information, the response
8298 * takes the following format, with WordCount = 7.
8299 * MaximalShareAccessRights, and GuestMaximalShareAccessRights fields
8300 * has added.
8301 */
8302 proto_tree *tr;
8303 tr = proto_tree_add_subtree(tree, tvb, offset, 4,
8304 ett_smb_nt_access_mask, NULL, "Maximal Share Access Rights");
8305 offset = dissect_smb_access_mask(tvb, tr, offset);
8306
8307 tr = proto_tree_add_subtree(tree, tvb, offset, 4,
8308 ett_smb_nt_access_mask, NULL, "Guest Maximal Share Access Rights");
8309 offset = dissect_smb_access_mask(tvb, tr, offset);
8310 }
8311
8312 BYTE_COUNT;
8313
8314 /*
8315 * NOTE: even though the SNIA CIFS spec doesn't say there's
8316 * a "Service" string if there's a word count of 2, the
8317 * document at
8318 *
8319 * ftp://ftp.microsoft.com/developr/drg/CIFS/dosextp.txt
8320 *
8321 * (it's in an ugly format - text intended to be sent to a
8322 * printer, with backspaces and overstrikes used for boldfacing
8323 * and underlining; UNIX "col -b" can be used to strip the
8324 * overstrikes out) says there's a "Service" string there, and
8325 * some network traffic has it.
8326 */
8327
8328 /*
8329 * NOTE: the Service string is always ASCII, even if the
8330 * "strings are Unicode" bit is set in the flags2 field
8331 * of the SMB.
8332 */
8333
8334 /* Service */
8335 /* XXX - what if this runs past bc? */
8336 an_len = tvb_strsize(tvb, offset);
8337 CHECK_BYTE_COUNT(an_len);
8338 proto_tree_add_item_ret_string(tree, hf_smb_service, tvb,
8339 offset, an_len, ENC_ASCII|ENC_NA, pinfo->pool, &an);
8340 COUNT_BYTES(an_len);
8341
8342 /* Now when we know the service type, store it so that we know it for later commands down
8343 this tree */
8344 if (!pinfo->fd->visited) {
8345 /* Remove any previous entry for this TID */
8346 if (g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))) {
8347 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
8348 }
8349 if (strcmp(an, "IPC") == 0) {
8350 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
8351 } else {
8352 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_NORMAL);
8353 }
8354 }
8355
8356 if (bc != 0) {
8357 /*
8358 * Sometimes this isn't present.
8359 */
8360
8361 /* Native FS */
8362 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
8363 si->unicode, &an_len, /*true*/false, false,
8364 &bc);
8365 if (an == NULL)
8366 goto endofcommand;
8367 proto_tree_add_string(tree, hf_smb_fs, tvb,
8368 offset, an_len, an);
8369 COUNT_BYTES(an_len);
8370 }
8371
8372 END_OF_SMB
8373
8374 if (cmd != 0xff) { /* there is an andX command */
8375 if (andxoffset < offset) {
8376 THROW(ReportedBoundsError);
8377 }
8378 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
8379 }
8380
8381 return offset;
8382 }
8383
8384
8385
8386 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8387 NT Transaction command begins here
8388 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
8389 #define NT_TRANS_CREATE 1
8390 #define NT_TRANS_IOCTL 2
8391 #define NT_TRANS_SSD 3
8392 #define NT_TRANS_NOTIFY 4
8393 #define NT_TRANS_RENAME 5
8394 #define NT_TRANS_QSD 6
8395 #define NT_TRANS_GET_USER_QUOTA 7
8396 #define NT_TRANS_SET_USER_QUOTA 8
8397 static const value_string nt_cmd_vals[] = {
8398 {NT_TRANS_CREATE, "NT CREATE"},
8399 {NT_TRANS_IOCTL, "NT IOCTL"},
8400 {NT_TRANS_SSD, "NT SET SECURITY DESC"},
8401 {NT_TRANS_NOTIFY, "NT NOTIFY"},
8402 {NT_TRANS_RENAME, "NT RENAME"},
8403 {NT_TRANS_QSD, "NT QUERY SECURITY DESC"},
8404 {NT_TRANS_GET_USER_QUOTA, "NT GET USER QUOTA"},
8405 {NT_TRANS_SET_USER_QUOTA, "NT SET USER QUOTA"},
8406 {0, NULL}
8407 };
8408 value_string_ext nt_cmd_vals_ext = VALUE_STRING_EXT_INIT(nt_cmd_vals);
8409
8410 static const value_string nt_ioctl_isfsctl_vals[] = {
8411 {0, "Device IOCTL"},
8412 {1, "FS control : FSCTL"},
8413 {0, NULL}
8414 };
8415
8416 #define NT_IOCTL_FLAGS_ROOT_HANDLE 0x01
8417 static const true_false_string tfs_nt_ioctl_flags_root_handle = {
8418 "Apply the command to share root handle (MUST BE Dfs)",
8419 "Apply to this share",
8420 };
8421
8422 static const value_string nt_notify_action_vals[] = {
8423 {1, "ADDED (object was added"},
8424 {2, "REMOVED (object was removed)"},
8425 {3, "MODIFIED (object was modified)"},
8426 {4, "RENAMED_OLD_NAME (this is the old name of object)"},
8427 {5, "RENAMED_NEW_NAME (this is the new name of object)"},
8428 {6, "ADDED_STREAM (a stream was added)"},
8429 {7, "REMOVED_STREAM (a stream was removed)"},
8430 {8, "MODIFIED_STREAM (a stream was modified)"},
8431 {0, NULL}
8432 };
8433
8434 static const value_string watch_tree_vals[] = {
8435 {0, "Current directory only"},
8436 {1, "Subdirectories also"},
8437 {0, NULL}
8438 };
8439
8440 #define NT_NOTIFY_STREAM_WRITE 0x00000800
8441 #define NT_NOTIFY_STREAM_SIZE 0x00000400
8442 #define NT_NOTIFY_STREAM_NAME 0x00000200
8443 #define NT_NOTIFY_SECURITY 0x00000100
8444 #define NT_NOTIFY_EA 0x00000080
8445 #define NT_NOTIFY_CREATION 0x00000040
8446 #define NT_NOTIFY_LAST_ACCESS 0x00000020
8447 #define NT_NOTIFY_LAST_WRITE 0x00000010
8448 #define NT_NOTIFY_SIZE 0x00000008
8449 #define NT_NOTIFY_ATTRIBUTES 0x00000004
8450 #define NT_NOTIFY_DIR_NAME 0x00000002
8451 #define NT_NOTIFY_FILE_NAME 0x00000001
8452 static const true_false_string tfs_nt_notify_stream_write = {
8453 "Notify on changes to STREAM WRITE",
8454 "Do NOT notify on changes to stream write",
8455 };
8456 static const true_false_string tfs_nt_notify_stream_size = {
8457 "Notify on changes to STREAM SIZE",
8458 "Do NOT notify on changes to stream size",
8459 };
8460 static const true_false_string tfs_nt_notify_stream_name = {
8461 "Notify on changes to STREAM NAME",
8462 "Do NOT notify on changes to stream name",
8463 };
8464 static const true_false_string tfs_nt_notify_security = {
8465 "Notify on changes to SECURITY",
8466 "Do NOT notify on changes to security",
8467 };
8468 static const true_false_string tfs_nt_notify_ea = {
8469 "Notify on changes to EA",
8470 "Do NOT notify on changes to EA",
8471 };
8472 static const true_false_string tfs_nt_notify_creation = {
8473 "Notify on changes to CREATION TIME",
8474 "Do NOT notify on changes to creation time",
8475 };
8476 static const true_false_string tfs_nt_notify_last_access = {
8477 "Notify on changes to LAST ACCESS TIME",
8478 "Do NOT notify on changes to last access time",
8479 };
8480 static const true_false_string tfs_nt_notify_last_write = {
8481 "Notify on changes to LAST WRITE TIME",
8482 "Do NOT notify on changes to last write time",
8483 };
8484 static const true_false_string tfs_nt_notify_size = {
8485 "Notify on changes to SIZE",
8486 "Do NOT notify on changes to size",
8487 };
8488 static const true_false_string tfs_nt_notify_attributes = {
8489 "Notify on changes to ATTRIBUTES",
8490 "Do NOT notify on changes to attributes",
8491 };
8492 static const true_false_string tfs_nt_notify_dir_name = {
8493 "Notify on changes to DIR NAME",
8494 "Do NOT notify on changes to dir name",
8495 };
8496 static const true_false_string tfs_nt_notify_file_name = {
8497 "Notify on changes to FILE NAME",
8498 "Do NOT notify on changes to file name",
8499 };
8500
8501 const value_string create_disposition_vals[] = {
8502 {0, "Supersede (supersede existing file (if it exists))"},
8503 {1, "Open (if file exists open it, else fail)"},
8504 {2, "Create (if file exists fail, else create it)"},
8505 {3, "Open If (if file exists open it, else create it)"},
8506 {4, "Overwrite (if file exists overwrite, else fail)"},
8507 {5, "Overwrite If (if file exists overwrite, else create it)"},
8508 {0, NULL}
8509 };
8510
8511 const value_string impersonation_level_vals[] = {
8512 {0, "Anonymous"},
8513 {1, "Identification"},
8514 {2, "Impersonation"},
8515 {3, "Delegation"},
8516 {0, NULL}
8517 };
8518
8519 static const true_false_string tfs_nt_security_flags_context_tracking = {
8520 "Security tracking mode is DYNAMIC",
8521 "Security tracking mode is STATIC",
8522 };
8523
8524 static const true_false_string tfs_nt_security_flags_effective_only = {
8525 "ONLY ENABLED aspects of the client's security context are available",
8526 "ALL aspects of the client's security context are available",
8527 };
8528
8529 static const true_false_string tfs_nt_create_bits_oplock = {
8530 "Requesting OPLOCK",
8531 "Does NOT request oplock"
8532 };
8533
8534 static const true_false_string tfs_nt_create_bits_boplock = {
8535 "Requesting BATCH OPLOCK",
8536 "Does NOT request batch oplock"
8537 };
8538
8539 /*
8540 * XXX - must be a directory, and can be a file, or can be a directory,
8541 * and must be a file?
8542 */
8543 static const true_false_string tfs_nt_create_bits_dir = {
8544 "Target of open MUST be a DIRECTORY",
8545 "Target of open can be a file"
8546 };
8547
8548 static const true_false_string tfs_nt_create_bits_ext_resp = {
8549 "Extended responses required",
8550 "Extended responses NOT required"
8551 };
8552
8553 static const true_false_string tfs_nt_access_mask_generic_read = {
8554 "GENERIC READ is set",
8555 "Generic read is NOT set"
8556 };
8557 static const true_false_string tfs_nt_access_mask_generic_write = {
8558 "GENERIC WRITE is set",
8559 "Generic write is NOT set"
8560 };
8561 static const true_false_string tfs_nt_access_mask_generic_execute = {
8562 "GENERIC EXECUTE is set",
8563 "Generic execute is NOT set"
8564 };
8565 static const true_false_string tfs_nt_access_mask_generic_all = {
8566 "GENERIC ALL is set",
8567 "Generic all is NOT set"
8568 };
8569 static const true_false_string tfs_nt_access_mask_maximum_allowed = {
8570 "MAXIMUM ALLOWED is set",
8571 "Maximum allowed is NOT set"
8572 };
8573 static const true_false_string tfs_nt_access_mask_system_security = {
8574 "SYSTEM SECURITY is set",
8575 "System security is NOT set"
8576 };
8577 static const true_false_string tfs_nt_access_mask_synchronize = {
8578 "Can wait on handle to SYNCHRONIZE on completion of I/O",
8579 "Can NOT wait on handle to synchronize on completion of I/O"
8580 };
8581 static const true_false_string tfs_nt_access_mask_write_owner = {
8582 "Can WRITE OWNER (take ownership)",
8583 "Can NOT write owner (take ownership)"
8584 };
8585 static const true_false_string tfs_nt_access_mask_write_dac = {
8586 "OWNER may WRITE the DAC",
8587 "Owner may NOT write to the DAC"
8588 };
8589 static const true_false_string tfs_nt_access_mask_read_control = {
8590 "READ ACCESS to owner, group and ACL of the SID",
8591 "Read access is NOT granted to owner, group and ACL of the SID"
8592 };
8593 static const true_false_string tfs_nt_access_mask_delete = {
8594 "DELETE access",
8595 "NO delete access"
8596 };
8597 static const true_false_string tfs_nt_access_mask_write_attributes = {
8598 "WRITE ATTRIBUTES access",
8599 "NO write attributes access"
8600 };
8601 static const true_false_string tfs_nt_access_mask_read_attributes = {
8602 "READ ATTRIBUTES access",
8603 "NO read attributes access"
8604 };
8605 static const true_false_string tfs_nt_access_mask_delete_child = {
8606 "DELETE CHILD access",
8607 "NO delete child access"
8608 };
8609 static const true_false_string tfs_nt_access_mask_execute = {
8610 "EXECUTE access",
8611 "NO execute access"
8612 };
8613 static const true_false_string tfs_nt_access_mask_write_ea = {
8614 "WRITE EXTENDED ATTRIBUTES access",
8615 "NO write extended attributes access"
8616 };
8617 static const true_false_string tfs_nt_access_mask_read_ea = {
8618 "READ EXTENDED ATTRIBUTES access",
8619 "NO read extended attributes access"
8620 };
8621 static const true_false_string tfs_nt_access_mask_append = {
8622 "APPEND access",
8623 "NO append access"
8624 };
8625 static const true_false_string tfs_nt_access_mask_write = {
8626 "WRITE access",
8627 "NO write access"
8628 };
8629 static const true_false_string tfs_nt_access_mask_read = {
8630 "READ access",
8631 "NO read access"
8632 };
8633
8634 static const true_false_string tfs_nt_share_access_delete = {
8635 "Object can be shared for DELETE",
8636 "Object can NOT be shared for delete"
8637 };
8638 static const true_false_string tfs_nt_share_access_write = {
8639 "Object can be shared for WRITE",
8640 "Object can NOT be shared for write"
8641 };
8642 static const true_false_string tfs_nt_share_access_read = {
8643 "Object can be shared for READ",
8644 "Object can NOT be shared for read"
8645 };
8646
8647 static const value_string oplock_level_vals[] = {
8648 {0, "No oplock granted"},
8649 {1, "Exclusive oplock granted"},
8650 {2, "Batch oplock granted"},
8651 {3, "Level II oplock granted"},
8652 {0, NULL}
8653 };
8654
8655 static const value_string response_type_vals[] = {
8656 {0x00, "Non-extended response"},
8657 {0x01, "Extended response"},
8658 {0, NULL}
8659 };
8660
8661 static const value_string device_type_vals[] = {
8662 {0x00000001, "Beep"},
8663 {0x00000002, "CDROM"},
8664 {0x00000003, "CDROM Filesystem"},
8665 {0x00000004, "Controller"},
8666 {0x00000005, "Datalink"},
8667 {0x00000006, "Dfs"},
8668 {0x00000007, "Disk"},
8669 {0x00000008, "Disk Filesystem"},
8670 {0x00000009, "Filesystem"},
8671 {0x0000000a, "Inport Port"},
8672 {0x0000000b, "Keyboard"},
8673 {0x0000000c, "Mailslot"},
8674 {0x0000000d, "MIDI-In"},
8675 {0x0000000e, "MIDI-Out"},
8676 {0x0000000f, "Mouse"},
8677 {0x00000010, "Multi UNC Provider"},
8678 {0x00000011, "Named Pipe"},
8679 {0x00000012, "Network"},
8680 {0x00000013, "Network Browser"},
8681 {0x00000014, "Network Filesystem"},
8682 {0x00000015, "NULL"},
8683 {0x00000016, "Parallel Port"},
8684 {0x00000017, "Physical card"},
8685 {0x00000018, "Printer"},
8686 {0x00000019, "Scanner"},
8687 {0x0000001a, "Serial Mouse port"},
8688 {0x0000001b, "Serial port"},
8689 {0x0000001c, "Screen"},
8690 {0x0000001d, "Sound"},
8691 {0x0000001e, "Streams"},
8692 {0x0000001f, "Tape"},
8693 {0x00000020, "Tape Filesystem"},
8694 {0x00000021, "Transport"},
8695 {0x00000022, "Unknown"},
8696 {0x00000023, "Video"},
8697 {0x00000024, "Virtual Disk"},
8698 {0x00000025, "WAVE-In"},
8699 {0x00000026, "WAVE-Out"},
8700 {0x00000027, "8042 Port"},
8701 {0x00000028, "Network Redirector"},
8702 {0x00000029, "Battery"},
8703 {0x0000002a, "Bus Extender"},
8704 {0x0000002b, "Modem"},
8705 {0x0000002c, "VDM"},
8706 {0, NULL}
8707 };
8708 static value_string_ext device_type_vals_ext = VALUE_STRING_EXT_INIT(device_type_vals);
8709
8710 static const value_string is_directory_vals[] = {
8711 {0, "This is NOT a directory"},
8712 {1, "This is a DIRECTORY"},
8713 {0, NULL}
8714 };
8715
8716 static int
8717 dissect_nt_security_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8718 {
8719 static int * const flags[] = {
8720 &hf_smb_nt_security_flags_context_tracking,
8721 &hf_smb_nt_security_flags_effective_only,
8722 NULL
8723 };
8724
8725 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_nt_security_flags, ett_smb_nt_security_flags, flags, ENC_NA);
8726 offset += 1;
8727
8728 return offset;
8729 }
8730
8731 /*
8732 * XXX - there are some more flags in the description of "ZwOpenFile()"
8733 * in "Windows(R) NT(R)/2000 Native API Reference"; do those go over
8734 * the wire as well? (The spec at
8735 *
8736 * http://www.samba.org/samba/ftp/specs/smb-nt01.doc
8737 *
8738 * says that "the FILE_NO_INTERMEDIATE_BUFFERING option is not exported
8739 * via the SMB protocol. The NT redirector should convert this option
8740 * to FILE_WRITE_THROUGH."
8741 *
8742 * The "Sync I/O Alert" and "Sync I/O Nonalert" are given the bit
8743 * values one would infer from their position in the list of flags for
8744 * "ZwOpenFile()". Most of the others probably have those values
8745 * as well, although "8.3 only" has been replaced by option FILE_OPEN_FOR_RECOVERY
8746 * which the server must ignore.).
8747 */
8748 static const true_false_string tfs_nt_create_options_directory = {
8749 "File being created/opened must be a directory",
8750 "File being created/opened must not be a directory"
8751 };
8752 static const true_false_string tfs_nt_create_options_write_through = {
8753 "Writes should flush buffered data before completing",
8754 "Writes need not flush buffered data before completing"
8755 };
8756 static const true_false_string tfs_nt_create_options_sequential_only = {
8757 "The file will only be accessed sequentially",
8758 "The file might not only be accessed sequentially"
8759 };
8760 static const true_false_string tfs_nt_create_options_no_intermediate_buffering = {
8761 "NO intermediate buffering is allowed",
8762 "Intermediate buffering is allowed"
8763 };
8764 static const true_false_string tfs_nt_create_options_sync_io_alert = {
8765 "All operations SYNCHRONOUS, waits subject to termination from alert",
8766 "Operations NOT necessarily synchronous"
8767 };
8768 static const true_false_string tfs_nt_create_options_sync_io_nonalert = {
8769 "All operations SYNCHRONOUS, waits not subject to alert",
8770 "Operations NOT necessarily synchronous"
8771 };
8772 static const true_false_string tfs_nt_create_options_non_directory = {
8773 "File being created/opened must not be a directory",
8774 "File being created/opened must be a directory"
8775 };
8776 static const true_false_string tfs_nt_create_options_create_tree_connection = {
8777 "Create Tree Connections is SET",
8778 "Create Tree Connections is NOT set"
8779 };
8780 static const true_false_string tfs_nt_create_options_complete_if_oplocked = {
8781 "Complete if oplocked is SET",
8782 "Complete if oplocked is NOT set"
8783 };
8784 static const true_false_string tfs_nt_create_options_no_ea_knowledge = {
8785 "The client does not understand extended attributes",
8786 "The client understands extended attributes"
8787 };
8788 static const true_false_string tfs_nt_create_options_file_open_for_recovery = {
8789 "The file is being opened for recovery",
8790 "The file is not being opened for recovery"
8791 };
8792 static const true_false_string tfs_nt_create_options_random_access = {
8793 "The file will be accessed randomly",
8794 "The file will not be accessed randomly"
8795 };
8796 static const true_false_string tfs_nt_create_options_delete_on_close = {
8797 "The file should be deleted when it is closed",
8798 "The file should not be deleted when it is closed"
8799 };
8800 static const true_false_string tfs_nt_create_options_open_by_fileid = {
8801 "OpenByFileID bit is SET",
8802 "OpenByFileID is NOT set"
8803 };
8804 static const true_false_string tfs_nt_create_options_backup_intent = {
8805 "This is a create with BACKUP INTENT",
8806 "This is a normal create"
8807 };
8808 static const true_false_string tfs_nt_create_options_no_compression = {
8809 "Open/Create with NO Compression",
8810 "Compression is allowed for Open/Create"
8811 };
8812 static const true_false_string tfs_nt_create_options_reserve_opfilter = {
8813 "Reserve Opfilter is SET",
8814 "Reserve Opfilter is NOT set"
8815 };
8816 static const true_false_string tfs_nt_create_options_open_reparse_point = {
8817 "Open a Reparse Point",
8818 "Normal open"
8819 };
8820 static const true_false_string tfs_nt_create_options_open_no_recall = {
8821 "Open No Recall is SET",
8822 "Open no recall is NOT set"
8823 };
8824 static const true_false_string tfs_nt_create_options_open_for_free_space_query = {
8825 "This is an OPEN FOR FREE SPACE QUERY",
8826 "This is NOT an open for free space query"
8827 };
8828
8829 int
8830 dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8831 {
8832 static int * const flags[] = {
8833 &hf_smb_nt_notify_file_name,
8834 &hf_smb_nt_notify_dir_name,
8835 &hf_smb_nt_notify_attributes,
8836 &hf_smb_nt_notify_size,
8837 &hf_smb_nt_notify_last_write,
8838 &hf_smb_nt_notify_last_access,
8839 &hf_smb_nt_notify_creation,
8840 &hf_smb_nt_notify_ea,
8841 &hf_smb_nt_notify_security,
8842 &hf_smb_nt_notify_stream_name,
8843 &hf_smb_nt_notify_stream_size,
8844 &hf_smb_nt_notify_stream_write,
8845 NULL
8846 };
8847
8848 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_nt_notify_completion_filter, ett_smb_nt_notify_completion_filter, flags, ENC_LITTLE_ENDIAN);
8849 offset += 4;
8850
8851 return offset;
8852 }
8853
8854 static int
8855 dissect_nt_ioctl_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8856 {
8857 static int * const flags[] = {
8858 &hf_smb_nt_ioctl_flags_root_handle,
8859 NULL
8860 };
8861
8862 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_nt_ioctl_flags_completion_filter, ett_smb_nt_ioctl_flags, flags, ENC_NA);
8863 offset += 1;
8864
8865 return offset;
8866 }
8867
8868 /*
8869 * From the section on ZwQuerySecurityObject in "Windows(R) NT(R)/2000
8870 * Native API Reference".
8871 */
8872 static const true_false_string tfs_nt_qsd_owner = {
8873 "Requesting OWNER security information",
8874 "NOT requesting owner security information",
8875 };
8876
8877 static const true_false_string tfs_nt_qsd_group = {
8878 "Requesting GROUP security information",
8879 "NOT requesting group security information",
8880 };
8881
8882 static const true_false_string tfs_nt_qsd_dacl = {
8883 "Requesting DACL security information",
8884 "NOT requesting DACL security information",
8885 };
8886
8887 static const true_false_string tfs_nt_qsd_sacl = {
8888 "Requesting SACL security information",
8889 "NOT requesting SACL security information",
8890 };
8891
8892 #define NT_QSD_OWNER 0x00000001
8893 #define NT_QSD_GROUP 0x00000002
8894 #define NT_QSD_DACL 0x00000004
8895 #define NT_QSD_SACL 0x00000008
8896
8897 int
8898 dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
8899 {
8900 static int * const flags[] = {
8901 &hf_smb_nt_qsd_owner,
8902 &hf_smb_nt_qsd_group,
8903 &hf_smb_nt_qsd_dacl,
8904 &hf_smb_nt_qsd_sacl,
8905 NULL
8906 };
8907
8908 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_nt_qsd, ett_smb_security_information_mask, flags, ENC_LITTLE_ENDIAN);
8909 offset += 4;
8910
8911 return offset;
8912 }
8913
8914 int
8915 dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, uint16_t *bcp)
8916 {
8917 int old_offset, old_sid_offset;
8918 uint32_t qsize;
8919
8920 do {
8921 old_offset = offset;
8922
8923 CHECK_BYTE_COUNT_TRANS_SUBR(4);
8924 qsize = tvb_get_letohl(tvb, offset);
8925 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
8926 COUNT_BYTES_TRANS_SUBR(4);
8927
8928 CHECK_BYTE_COUNT_TRANS_SUBR(4);
8929 /* length of SID */
8930 proto_tree_add_item(tree, hf_smb_length_of_sid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8931 COUNT_BYTES_TRANS_SUBR(4);
8932
8933 /* change time */
8934 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8935 dissect_nttime(tvb, tree, offset,
8936 hf_smb_user_quota_change_time, ENC_LITTLE_ENDIAN);
8937 COUNT_BYTES_TRANS_SUBR(8);
8938
8939 /* number of bytes for used quota */
8940 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8941 proto_tree_add_item(tree, hf_smb_user_quota_used, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8942 COUNT_BYTES_TRANS_SUBR(8);
8943
8944 /* number of bytes for quota warning */
8945 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8946 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8947 COUNT_BYTES_TRANS_SUBR(8);
8948
8949 /* number of bytes for quota limit */
8950 CHECK_BYTE_COUNT_TRANS_SUBR(8);
8951 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8952 COUNT_BYTES_TRANS_SUBR(8);
8953
8954 /* SID of the user */
8955 old_sid_offset = offset;
8956 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
8957 *bcp -= (offset-old_sid_offset);
8958
8959 if (qsize) {
8960 offset = old_offset+qsize;
8961 }
8962 }while (qsize);
8963
8964
8965 return offset;
8966 }
8967
8968
8969 int
8970 dissect_nt_get_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, uint32_t *bcp)
8971 {
8972 int old_offset, old_sid_offset;
8973 uint32_t qsize;
8974
8975 do {
8976 old_offset = offset;
8977
8978 CHECK_BYTE_COUNT_TRANS_SUBR(4);
8979 qsize = tvb_get_letohl(tvb, offset);
8980 proto_tree_add_uint(tree, hf_smb_user_quota_offset, tvb, offset, 4, qsize);
8981 COUNT_BYTES_TRANS_SUBR(4);
8982
8983 CHECK_BYTE_COUNT_TRANS_SUBR(4);
8984 /* length of SID */
8985 proto_tree_add_item(tree, hf_smb_length_of_sid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8986 COUNT_BYTES_TRANS_SUBR(4);
8987
8988 /* SID of the user */
8989 old_sid_offset = offset;
8990 offset = dissect_nt_sid(tvb, offset, tree, "SID", NULL, -1);
8991 *bcp -= (offset-old_sid_offset);
8992
8993 if (qsize) {
8994 offset = old_offset+qsize;
8995 }
8996 }while (qsize);
8997
8998
8999 return offset;
9000 }
9001
9002
9003 static int
9004 dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int bc, smb_nt_transact_info_t *nti, smb_info_t *si, int subcmd, uint32_t sd_len, uint32_t ea_len)
9005 {
9006 proto_tree *tree;
9007 int old_offset = offset;
9008 uint16_t bcp = bc; /* XXX fixme */
9009 struct access_mask_info *ami = NULL;
9010 tvbuff_t *ioctl_tvb;
9011
9012 DISSECTOR_ASSERT(si);
9013
9014 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, -1,
9015 ett_smb_nt_trans_data, NULL, "%s Data",
9016 val_to_str_ext(subcmd, &nt_cmd_vals_ext, "Unknown NT transaction (%u)"));
9017
9018 switch(subcmd) {
9019 case NT_TRANS_CREATE:
9020 /* security descriptor */
9021 if (sd_len) {
9022 offset = dissect_nt_sec_desc(
9023 tvb, offset, pinfo, tree, NULL, true,
9024 sd_len, NULL);
9025 }
9026
9027 /* extended attributes */
9028 if (ea_len) {
9029 proto_tree_add_item(tree, hf_smb_extended_attributes, tvb, offset, ea_len, ENC_NA);
9030 offset += ea_len;
9031 }
9032
9033 break;
9034 case NT_TRANS_IOCTL:
9035 /* ioctl data */
9036 ioctl_tvb = tvb_new_subset_length_caplen(tvb, offset, MIN((int)bc, tvb_reported_length_remaining(tvb, offset)), bc);
9037 if (nti) {
9038 dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree_global, nti->ioctl_function, true, NULL);
9039 }
9040
9041 offset += bc;
9042
9043 break;
9044 case NT_TRANS_SSD:
9045 if (nti) {
9046 switch(nti->fid_type) {
9047 case SMB_FID_TYPE_FILE:
9048 ami = &smb_file_access_mask_info;
9049 break;
9050 case SMB_FID_TYPE_DIR:
9051 ami = &smb_dir_access_mask_info;
9052 break;
9053 }
9054 }
9055
9056 offset = dissect_nt_sec_desc(
9057 tvb, offset, pinfo, tree, NULL, true, bc, ami);
9058
9059 if (offset < (old_offset + bc)) {
9060 offset = old_offset + bc;
9061 }
9062
9063 break;
9064 case NT_TRANS_NOTIFY:
9065 break;
9066 case NT_TRANS_RENAME:
9067 /* XXX not documented */
9068 break;
9069 case NT_TRANS_QSD:
9070 break;
9071 case NT_TRANS_GET_USER_QUOTA:
9072 /* unknown 4 bytes */
9073 proto_tree_add_item(tree, hf_smb_unknown, tvb,
9074 offset, 4, ENC_NA);
9075 offset += 4;
9076
9077 /* length of SID */
9078 proto_tree_add_item(tree, hf_smb_length_of_sid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9079 offset +=4;
9080
9081 offset = dissect_nt_sid(tvb, offset, tree, "Quota", NULL, -1);
9082 break;
9083 case NT_TRANS_SET_USER_QUOTA:
9084 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
9085 break;
9086 }
9087
9088 /* ooops there were data we didn't know how to process */
9089 if ((offset-old_offset) < bc) {
9090 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset,
9091 bc - (offset-old_offset), ENC_NA);
9092 offset += bc - (offset-old_offset);
9093 }
9094
9095 return offset;
9096 }
9097
9098 static int
9099 dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, uint16_t bc, smb_nt_transact_info_t *nti, smb_info_t *si, int subcmd, uint32_t *sd_len, uint32_t *ea_len)
9100 {
9101 proto_tree *tree;
9102 uint32_t fn_len, create_flags, access_mask, share_access, create_options;
9103 const char *fn;
9104
9105 DISSECTOR_ASSERT(si);
9106
9107 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, len,
9108 ett_smb_nt_trans_param, NULL, "%s Parameters",
9109 val_to_str_ext(subcmd, &nt_cmd_vals_ext, "Unknown NT transaction (%u)"));
9110
9111 switch(subcmd) {
9112 case NT_TRANS_CREATE:
9113 /* Create flags */
9114 create_flags = tvb_get_letohl(tvb, offset);
9115 offset = dissect_nt_create_bits(tvb, tree, offset, 4, create_flags);
9116 bc -= 4;
9117
9118 /* root directory fid */
9119 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9120 COUNT_BYTES(4);
9121
9122 /* nt access mask */
9123 access_mask = tvb_get_letohl(tvb, offset);
9124 offset = dissect_smb_access_mask_bits(tvb, tree, offset, 4, access_mask);
9125 bc -= 4;
9126
9127 /* allocation size */
9128 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9129 COUNT_BYTES(8);
9130
9131 /* Extended File Attributes */
9132 offset = dissect_file_ext_attr(tvb, tree, offset);
9133 bc -= 4;
9134
9135 /* share access */
9136 share_access = tvb_get_letohl(tvb, offset);
9137 offset = dissect_nt_share_access_bits(tvb, tree, offset, 4, share_access);
9138 bc -= 4;
9139
9140 /* create disposition */
9141 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9142 COUNT_BYTES(4);
9143
9144 /* create options */
9145 create_options = tvb_get_letohl(tvb, offset);
9146 offset = dissect_nt_create_options_bits(tvb, tree, offset, 4, create_options);
9147 bc -= 4;
9148
9149 /* sd length */
9150 proto_tree_add_item_ret_uint(tree, hf_smb_sd_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, sd_len);
9151 COUNT_BYTES(4);
9152
9153 /* ea length */
9154 proto_tree_add_item_ret_uint(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, ea_len);
9155 COUNT_BYTES(4);
9156
9157 /* file name len */
9158 fn_len = (uint32_t)tvb_get_letohl(tvb, offset);
9159 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
9160 COUNT_BYTES(4);
9161
9162 /* impersonation level */
9163 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9164 COUNT_BYTES(4);
9165
9166 /* security flags */
9167 offset = dissect_nt_security_flags(tvb, tree, offset);
9168 bc -= 1;
9169
9170 /* May need to skip alignment padding. */
9171 if (offset&1) {
9172 /* pad byte */
9173 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, ENC_NA);
9174 offset += 1;
9175 }
9176
9177 /* file name */
9178 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, true, true, &bc);
9179 if (fn != NULL) {
9180 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9181 fn);
9182 COUNT_BYTES(fn_len);
9183 }
9184
9185 break;
9186 case NT_TRANS_IOCTL:
9187 break;
9188 case NT_TRANS_SSD: {
9189 uint16_t fid;
9190 smb_fid_info_t *fid_info;
9191
9192 /* fid */
9193 fid = tvb_get_letohs(tvb, offset);
9194 fid_info = dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
9195 offset += 2;
9196 if (nti) {
9197 if (fid_info) {
9198 nti->fid_type = fid_info->type;
9199 } else {
9200 nti->fid_type = SMB_FID_TYPE_UNKNOWN;
9201 }
9202 }
9203
9204 /* 2 reserved bytes */
9205 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
9206 offset += 2;
9207
9208 /* security information */
9209 offset = dissect_security_information_mask(tvb, tree, offset);
9210 break;
9211 }
9212 case NT_TRANS_NOTIFY:
9213 break;
9214 case NT_TRANS_RENAME:
9215 /* XXX not documented */
9216 break;
9217 case NT_TRANS_QSD: {
9218 uint16_t fid;
9219 smb_fid_info_t *fid_info;
9220
9221 /* fid */
9222 fid = tvb_get_letohs(tvb, offset);
9223 fid_info = dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
9224 offset += 2;
9225 if (nti) {
9226 if (fid_info) {
9227 nti->fid_type = fid_info->type;
9228 } else {
9229 nti->fid_type = SMB_FID_TYPE_UNKNOWN;
9230 }
9231 }
9232
9233 /* 2 reserved bytes */
9234 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
9235 offset += 2;
9236
9237 /* security information */
9238 offset = dissect_security_information_mask(tvb, tree, offset);
9239 break;
9240 }
9241 case NT_TRANS_GET_USER_QUOTA:
9242 /* not decoded yet */
9243 break;
9244 case NT_TRANS_SET_USER_QUOTA:
9245 /* not decoded yet */
9246 break;
9247 }
9248
9249 return offset;
9250 }
9251
9252 static int
9253 dissect_nt_trans_setup_request(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len, smb_info_t *si, int subcmd)
9254 {
9255 proto_tree *tree;
9256 smb_nt_transact_info_t *nti = NULL;
9257 smb_saved_info_t *sip;
9258
9259 DISSECTOR_ASSERT(si);
9260 sip = si->sip;
9261 if (sip && (sip->extra_info_type == SMB_EI_NTI)) {
9262 nti = (smb_nt_transact_info_t *)sip->extra_info;
9263 }
9264
9265 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, len,
9266 ett_smb_nt_trans_setup, NULL, "%s Setup",
9267 val_to_str_ext(subcmd, &nt_cmd_vals_ext, "Unknown NT transaction (%u)"));
9268
9269 switch(subcmd) {
9270 case NT_TRANS_CREATE:
9271 offset += len;
9272 break;
9273 case NT_TRANS_IOCTL: {
9274 uint16_t fid;
9275
9276 /* function code */
9277 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, nti ? &nti->ioctl_function : NULL);
9278
9279 /* fid */
9280 fid = tvb_get_letohs(tvb, offset);
9281 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
9282 offset += 2;
9283
9284 /* isfsctl */
9285 proto_tree_add_item(tree, hf_smb_nt_ioctl_isfsctl, tvb, offset, 1, ENC_LITTLE_ENDIAN);
9286 offset += 1;
9287
9288 /* isflags */
9289 offset = dissect_nt_ioctl_flags(tvb, tree, offset);
9290
9291 break;
9292 }
9293 case NT_TRANS_SSD:
9294 offset += len;
9295 break;
9296 case NT_TRANS_NOTIFY: {
9297 uint16_t fid;
9298
9299 /* completion filter */
9300 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
9301
9302 /* fid */
9303 fid = tvb_get_letohs(tvb, offset);
9304 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
9305 offset += 2;
9306
9307 /* watch tree */
9308 proto_tree_add_item(tree, hf_smb_nt_notify_watch_tree, tvb, offset, 1, ENC_LITTLE_ENDIAN);
9309 offset += 1;
9310
9311 /* reserved byte */
9312 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
9313 offset += 1;
9314
9315 break;
9316 }
9317 case NT_TRANS_RENAME:
9318 /* XXX not documented */
9319 offset += len;
9320 break;
9321 case NT_TRANS_QSD:
9322 break;
9323 case NT_TRANS_GET_USER_QUOTA:
9324 /* not decoded yet */
9325 offset += len;
9326 break;
9327 case NT_TRANS_SET_USER_QUOTA:
9328 /* not decoded yet */
9329 offset += len;
9330 break;
9331 }
9332
9333 return offset;
9334 }
9335
9336
9337 static int
9338 dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
9339 {
9340 uint8_t wc, sc;
9341 uint32_t pc = 0, pd = 0, po = 0, dc = 0, od = 0, dd = 0;
9342 uint32_t td = 0, tp = 0;
9343 smb_saved_info_t *sip;
9344 int subcmd;
9345 uint32_t sd_len, ea_len;
9346 uint16_t bc;
9347 uint32_t padcnt;
9348 smb_nt_transact_info_t *nti = NULL;
9349 fragment_head *r_fd = NULL;
9350 tvbuff_t *pd_tvb = NULL;
9351 bool save_fragmented;
9352
9353 save_fragmented = pinfo->fragmented;
9354
9355 subcmd = 0;
9356 sd_len = 0;
9357 ea_len = 0;
9358
9359 DISSECTOR_ASSERT(si);
9360 sip = si->sip;
9361
9362 WORD_COUNT;
9363
9364 if (wc >= 19) {
9365 /* primary request */
9366 /* max setup count */
9367 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, ENC_LITTLE_ENDIAN);
9368 offset += 1;
9369
9370 /* 2 reserved bytes */
9371 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
9372 offset += 2;
9373 } else {
9374 /* secondary request */
9375 /* 3 reserved bytes */
9376 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, ENC_NA);
9377 offset += 3;
9378 }
9379
9380
9381 /* total param count */
9382 tp = tvb_get_letohl(tvb, offset);
9383 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
9384 offset += 4;
9385
9386 /* total data count */
9387 td = tvb_get_letohl(tvb, offset);
9388 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
9389 offset += 4;
9390
9391 if (wc >= 19) {
9392 /* primary request */
9393 /* max param count */
9394 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9395 offset += 4;
9396
9397 /* max data count */
9398 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9399 offset += 4;
9400 }
9401
9402 /* param count */
9403 pc = tvb_get_letohl(tvb, offset);
9404 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
9405 offset += 4;
9406
9407 /* param offset */
9408 po = tvb_get_letohl(tvb, offset);
9409 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
9410 offset += 4;
9411
9412 /* param displacement */
9413 if (wc >= 19) {
9414 /* primary request*/
9415 } else {
9416 /* secondary request */
9417
9418 proto_tree_add_item(tree, hf_smb_param_disp32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9419 offset += 4;
9420 }
9421
9422 /* data count */
9423 dc = tvb_get_letohl(tvb, offset);
9424 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
9425 offset += 4;
9426
9427 /* data offset */
9428 od = tvb_get_letohl(tvb, offset);
9429 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
9430 offset += 4;
9431
9432 /* data displacement */
9433 if (wc >= 19) {
9434 /* primary request */
9435 } else {
9436 /* secondary request */
9437 dd = tvb_get_letohl(tvb, offset);
9438 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
9439 offset += 4;
9440 }
9441
9442 /* setup count */
9443 if (wc >= 19) {
9444 /* primary request */
9445 sc = tvb_get_uint8(tvb, offset);
9446 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
9447 offset += 1;
9448 } else {
9449 /* secondary request */
9450 sc = 0;
9451 }
9452
9453 /* function */
9454 if (wc >= 19) {
9455 /* primary request */
9456 subcmd = tvb_get_letohs(tvb, offset);
9457 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, offset, 2, subcmd);
9458 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
9459 val_to_str_ext_const(subcmd, &nt_cmd_vals_ext, "<unknown>"));
9460
9461 if (!si->unidir && sip) {
9462 if (!pinfo->fd->visited) {
9463 /*
9464 * Allocate a new smb_nt_transact_info_t
9465 * structure.
9466 */
9467 nti = wmem_new(wmem_file_scope(), smb_nt_transact_info_t);
9468 nti->subcmd = subcmd;
9469 nti->fid_type = SMB_FID_TYPE_UNKNOWN;
9470 nti->ioctl_function = 0;
9471 sip->extra_info = nti;
9472 sip->extra_info_type = SMB_EI_NTI;
9473 } else {
9474 if (sip->extra_info_type == SMB_EI_NTI) {
9475 nti = (smb_nt_transact_info_t *)sip->extra_info;
9476 }
9477 }
9478 }
9479 } else {
9480 /* secondary request */
9481 col_append_str(pinfo->cinfo, COL_INFO, " (secondary request)");
9482 }
9483 offset += 2;
9484
9485 #if 0 /* XXX this is a padding byte? I don't think so. -gwr */
9486 if (offset&1) {
9487 /* pad byte */
9488 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, ENC_NA);
9489 offset += 1;
9490 }
9491 #endif
9492
9493 /* if there were any setup bytes, decode them */
9494 if (sc) {
9495 dissect_nt_trans_setup_request(tvb, pinfo, offset, tree, sc*2, si, subcmd);
9496 offset += sc*2;
9497 }
9498
9499 /*
9500 * Do we really need to even look at the byte count here?
9501 * Servers normally use byte_count only when assembling the
9502 * setup, parameters, and data segments. Once we know
9503 * how long each of those are, we should dissect them
9504 * using the lengths determined during assembly.
9505 */
9506 BYTE_COUNT;
9507
9508 /* reassembly of SMB NT Transaction data payload.
9509 In this section we do reassembly of both the data and parameters
9510 blocks of the SMB transaction command.
9511 */
9512 /* do we need reassembly? */
9513 if ( (td && (td != dc)) || (tp && (tp != pc)) ) {
9514 /* oh yeah, either data or parameter section needs
9515 reassembly...
9516 */
9517 pinfo->fragmented = true;
9518 if (smb_trans_reassembly) {
9519 /* ...and we were told to do reassembly */
9520 if (pc) {
9521 r_fd = smb_trans_defragment(tree, pinfo, tvb,
9522 po, pc, pd, td+tp, si);
9523 }
9524 if ((r_fd == NULL) && dc) {
9525 r_fd = smb_trans_defragment(tree, pinfo, tvb,
9526 od, dc, dd+tp, td+tp, si);
9527 }
9528 }
9529 }
9530
9531 /* if we got a reassembled fd structure from the reassembly routine we
9532 must create pd_tvb from it
9533 */
9534 if (r_fd) {
9535 proto_item *frag_tree_item;
9536
9537 pd_tvb = tvb_new_chain(tvb, r_fd->tvb_data);
9538 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
9539
9540 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
9541 }
9542
9543 if (pd_tvb) {
9544 /* we have reassembled data, grab param and data from there */
9545 dissect_nt_trans_param_request(pd_tvb, pinfo, 0, tree, tp,
9546 (uint16_t) tvb_reported_length(pd_tvb),
9547 nti, si, subcmd, &sd_len, &ea_len);
9548 dissect_nt_trans_data_request(pd_tvb, pinfo, tp, tree, td, nti, si,
9549 subcmd, sd_len, ea_len);
9550 COUNT_BYTES(bc); /* We are done */
9551 } else {
9552 /* we do not have reassembled data, just use what we have in the
9553 packet as well as we can */
9554 /* parameters */
9555 if (po > (uint32_t)offset) {
9556 /* We have some initial padding bytes.
9557 */
9558 padcnt = po-offset;
9559 if (padcnt > bc)
9560 padcnt = bc;
9561 CHECK_BYTE_COUNT(padcnt);
9562 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, ENC_NA);
9563 COUNT_BYTES(padcnt);
9564 }
9565 if (pc) {
9566 CHECK_BYTE_COUNT(pc);
9567 dissect_nt_trans_param_request(tvb, pinfo, offset, tree, pc, bc,
9568 nti, si, subcmd, &sd_len, &ea_len);
9569 COUNT_BYTES(pc);
9570 }
9571
9572 /* data */
9573 if (od > (uint32_t)offset) {
9574 /* We have some initial padding bytes.
9575 */
9576 padcnt = od-offset;
9577 if (padcnt > bc)
9578 padcnt = bc;
9579 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, ENC_NA);
9580 COUNT_BYTES(padcnt);
9581 }
9582 if (dc) {
9583 CHECK_BYTE_COUNT(dc);
9584 dissect_nt_trans_data_request(tvb, pinfo, offset, tree, dc,
9585 nti, si, subcmd, sd_len, ea_len);
9586 COUNT_BYTES(dc);
9587 }
9588 }
9589
9590 END_OF_SMB
9591
9592 pinfo->fragmented = save_fragmented;
9593 return offset;
9594 }
9595
9596
9597
9598 static int
9599 dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo,
9600 int offset, proto_tree *parent_tree, int len,
9601 smb_nt_transact_info_t *nti, smb_info_t *si)
9602 {
9603 proto_tree *tree = NULL;
9604 uint16_t bcp;
9605 struct access_mask_info *ami = NULL;
9606 tvbuff_t *ioctl_tvb;
9607
9608 DISSECTOR_ASSERT(si);
9609
9610 if (parent_tree) {
9611 if (nti != NULL) {
9612 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, len,
9613 ett_smb_nt_trans_data, NULL, "%s Data",
9614 val_to_str_ext(nti->subcmd, &nt_cmd_vals_ext, "Unknown NT Transaction (%u)"));
9615 } else {
9616 /*
9617 * We never saw the request to which this is a
9618 * response.
9619 */
9620 tree = proto_tree_add_subtree(parent_tree, tvb, offset, len,
9621 ett_smb_nt_trans_data, NULL, "Unknown NT Transaction Data (matching request not seen)");
9622 }
9623 }
9624
9625 if (nti == NULL) {
9626 offset += len;
9627 return offset;
9628 }
9629 switch(nti->subcmd) {
9630 case NT_TRANS_CREATE:
9631 break;
9632 case NT_TRANS_IOCTL:
9633 /* ioctl data */
9634 ioctl_tvb = tvb_new_subset_length_caplen(tvb, offset, MIN((int)len, tvb_reported_length_remaining(tvb, offset)), len);
9635 dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree_global, nti->ioctl_function, false, NULL);
9636
9637 offset += len;
9638
9639 break;
9640 case NT_TRANS_SSD:
9641 break;
9642 case NT_TRANS_NOTIFY:
9643 break;
9644 case NT_TRANS_RENAME:
9645 /* XXX not documented */
9646 break;
9647 case NT_TRANS_QSD:
9648 if (nti) {
9649 switch(nti->fid_type) {
9650 case SMB_FID_TYPE_FILE:
9651 ami = &smb_file_access_mask_info;
9652 break;
9653 case SMB_FID_TYPE_DIR:
9654 ami = &smb_dir_access_mask_info;
9655 break;
9656 }
9657 }
9658 offset = dissect_nt_sec_desc(
9659 tvb, offset, pinfo, tree, NULL, true, len, ami);
9660 break;
9661 case NT_TRANS_GET_USER_QUOTA:
9662 bcp = len;
9663 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
9664 break;
9665 case NT_TRANS_SET_USER_QUOTA:
9666 /* not decoded yet */
9667 break;
9668 }
9669
9670 return offset;
9671 }
9672
9673 static int
9674 dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
9675 int offset, proto_tree *parent_tree,
9676 int len, uint16_t bc, smb_info_t *si)
9677 {
9678 proto_tree *tree = NULL;
9679 uint32_t fn_len;
9680 const char *fn;
9681 smb_nt_transact_info_t *nti;
9682 uint16_t fid;
9683 int old_offset;
9684 uint32_t neo;
9685 int padcnt;
9686 smb_fid_info_t *fid_info = NULL;
9687 uint16_t ftype;
9688 uint8_t isdir;
9689 uint8_t ext_resp = 0;
9690
9691 DISSECTOR_ASSERT(si);
9692
9693 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_NTI))
9694 nti = (smb_nt_transact_info_t *)si->sip->extra_info;
9695 else
9696 nti = NULL;
9697
9698 if (parent_tree) {
9699 if (nti != NULL) {
9700 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, len,
9701 ett_smb_nt_trans_param, NULL, "%s Parameters",
9702 val_to_str_ext(nti->subcmd, &nt_cmd_vals_ext, "Unknown NT Transaction (%u)"));
9703 } else {
9704 /*
9705 * We never saw the request to which this is a
9706 * response.
9707 */
9708 tree = proto_tree_add_subtree(parent_tree, tvb, offset, len,
9709 ett_smb_nt_trans_param, NULL, "Unknown NT Transaction Parameters (matching request not seen)");
9710 }
9711 }
9712
9713 if (nti == NULL) {
9714 offset += len;
9715 return offset;
9716 }
9717 switch(nti->subcmd) {
9718 case NT_TRANS_CREATE:
9719 /* oplock level */
9720 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, ENC_LITTLE_ENDIAN);
9721 offset += 1;
9722
9723 /* response type, as per MS-SMB 2.2.7.1.2 */
9724 ext_resp = tvb_get_uint8(tvb, offset);
9725 proto_tree_add_item(tree, hf_smb_response_type, tvb, offset, 1, ENC_NA);
9726 offset += 1;
9727
9728 /* fid */
9729 fid = tvb_get_letohs(tvb, offset);
9730 fid_info = dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, true, false, false, si);
9731 offset += 2;
9732
9733 /* create action */
9734 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9735 offset += 4;
9736
9737 /* ea error offset */
9738 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9739 offset += 4;
9740
9741 /* create time */
9742 dissect_nttime(tvb, tree, offset,
9743 hf_smb_create_time, ENC_LITTLE_ENDIAN);
9744 offset += 8;
9745
9746 /* access time */
9747 dissect_nttime(tvb, tree, offset,
9748 hf_smb_access_time, ENC_LITTLE_ENDIAN);
9749 offset += 8;
9750
9751 /* last write time */
9752 dissect_nttime(tvb, tree, offset,
9753 hf_smb_last_write_time, ENC_LITTLE_ENDIAN);
9754 offset += 8;
9755
9756 /* last change time */
9757 dissect_nttime(tvb, tree, offset,
9758 hf_smb_change_time, ENC_LITTLE_ENDIAN);
9759 offset += 8;
9760
9761 /* Extended File Attributes */
9762 offset = dissect_file_ext_attr(tvb, tree, offset);
9763
9764 /* allocation size */
9765 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9766 offset += 8;
9767
9768 /* end of file */
9769 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9770 offset += 8;
9771
9772 /* File Type */
9773 ftype = tvb_get_letohs(tvb, offset);
9774 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9775 offset += 2;
9776
9777 /* device state */
9778 offset = dissect_ipc_state(tvb, tree, offset, false);
9779
9780 /* is directory */
9781 isdir = tvb_get_uint8(tvb, offset);
9782 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
9783 offset += 1;
9784
9785 /* decode extended response per [MS-SMB] 2.2.7.1.2
9786 (volume_guid, file_id, max_acc, guest_acc)
9787 Just like dissect_nt_create_andx_response */
9788 if (ext_resp != 0) {
9789 proto_tree *tr = NULL;
9790
9791 /* The first field is a Volume GUID ... */
9792 proto_tree_add_item(tree, hf_smb_volume_guid,
9793 tvb, offset, 16, ENC_NA);
9794 offset += 16;
9795
9796 /* The file ID comes next */
9797 proto_tree_add_item(tree, hf_smb_file_id_64bit,
9798 tvb, offset, 8, ENC_LITTLE_ENDIAN);
9799 offset += 8;
9800
9801 tr = proto_tree_add_subtree(tree, tvb, offset, 4,
9802 ett_smb_nt_access_mask, NULL, "Maximal Access Rights");
9803 offset = dissect_smb_access_mask(tvb, tr, offset);
9804
9805 tr = proto_tree_add_subtree(tree, tvb, offset, 4,
9806 ett_smb_nt_access_mask, NULL, "Guest Maximal Access Rights");
9807 offset = dissect_smb_access_mask(tvb, tr, offset);
9808 }
9809
9810 /* Try to remember the type of this fid so that we can dissect
9811 * any future security descriptor (access mask) properly
9812 */
9813 if (ftype == 0) {
9814 if (isdir == 0) {
9815 if (fid_info) {
9816 fid_info->type = SMB_FID_TYPE_FILE;
9817 }
9818 } else {
9819 if (fid_info) {
9820 fid_info->type = SMB_FID_TYPE_DIR;
9821 }
9822 }
9823 }
9824 if (ftype == 2) {
9825 if (fid_info) {
9826 fid_info->type = SMB_FID_TYPE_PIPE;
9827 }
9828 }
9829 break;
9830 case NT_TRANS_IOCTL:
9831 break;
9832 case NT_TRANS_SSD:
9833 break;
9834 case NT_TRANS_NOTIFY:
9835 while (len) {
9836 old_offset = offset;
9837
9838 /* next entry offset */
9839 neo = tvb_get_letohl(tvb, offset);
9840 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
9841 COUNT_BYTES(4);
9842 len -= 4;
9843 /* broken implementations */
9844 if (len < 0) break;
9845
9846 /* action */
9847 proto_tree_add_item(tree, hf_smb_nt_notify_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9848 COUNT_BYTES(4);
9849 len -= 4;
9850 /* broken implementations */
9851 if (len < 0) break;
9852
9853 /* file name len */
9854 fn_len = (uint32_t)tvb_get_letohl(tvb, offset);
9855 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
9856 COUNT_BYTES(4);
9857 len -= 4;
9858 /* broken implementations */
9859 if (len < 0) break;
9860
9861 /* file name */
9862 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, true, true, &bc);
9863 if (fn == NULL)
9864 break;
9865 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
9866 fn);
9867 COUNT_BYTES(fn_len);
9868 len -= fn_len;
9869 /* broken implementations */
9870 if (len < 0) break;
9871
9872 if (neo == 0)
9873 break; /* no more structures */
9874
9875 /* skip to next structure */
9876 padcnt = (old_offset + neo) - offset;
9877 if (padcnt < 0) {
9878 /*
9879 * XXX - this is bogus; flag it?
9880 */
9881 padcnt = 0;
9882 }
9883 if (padcnt != 0) {
9884 COUNT_BYTES(padcnt);
9885 len -= padcnt;
9886 /* broken implementations */
9887 if (len < 0) break;
9888 }
9889 }
9890 break;
9891 case NT_TRANS_RENAME:
9892 /* XXX not documented */
9893 break;
9894 case NT_TRANS_QSD:
9895 /*
9896 * This appears to be the size of the security
9897 * descriptor; the calling sequence of
9898 * "ZwQuerySecurityObject()" suggests that it would
9899 * be. The actual security descriptor wouldn't
9900 * follow if the max data count in the request
9901 * was smaller; this lets the client know how
9902 * big a buffer it needs to provide.
9903 */
9904 proto_tree_add_item(tree, hf_smb_sec_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9905 offset += 4;
9906 break;
9907 case NT_TRANS_GET_USER_QUOTA:
9908 proto_tree_add_item(tree, hf_smb_size_returned_quota_data, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9909 offset += 4;
9910 break;
9911 case NT_TRANS_SET_USER_QUOTA:
9912 /* not decoded yet */
9913 break;
9914 }
9915
9916 return offset;
9917 }
9918
9919 static int
9920 dissect_nt_trans_setup_response(tvbuff_t *tvb, packet_info *pinfo,
9921 int offset, proto_tree *parent_tree,
9922 int len, smb_info_t *si)
9923 {
9924 smb_nt_transact_info_t *nti;
9925
9926 DISSECTOR_ASSERT(si);
9927
9928 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_NTI))
9929 nti = (smb_nt_transact_info_t *)si->sip->extra_info;
9930 else
9931 nti = NULL;
9932
9933 if (parent_tree) {
9934 if (nti != NULL) {
9935 proto_tree_add_bytes_format(parent_tree, hf_smb_nt_transaction_setup, tvb, offset, len,
9936 NULL, "%s Setup",
9937 val_to_str_ext(nti->subcmd, &nt_cmd_vals_ext, "Unknown NT Transaction (%u)"));
9938 } else {
9939 /*
9940 * We never saw the request to which this is a
9941 * response.
9942 */
9943 proto_tree_add_expert(parent_tree, pinfo, &ei_smb_nt_transaction_setup, tvb, offset, len);
9944 }
9945 }
9946
9947 if (nti == NULL) {
9948 offset += len;
9949 return offset;
9950 }
9951 switch(nti->subcmd) {
9952 case NT_TRANS_CREATE:
9953 break;
9954 case NT_TRANS_IOCTL:
9955 break;
9956 case NT_TRANS_SSD:
9957 break;
9958 case NT_TRANS_NOTIFY:
9959 break;
9960 case NT_TRANS_RENAME:
9961 /* XXX not documented */
9962 break;
9963 case NT_TRANS_QSD:
9964 break;
9965 case NT_TRANS_GET_USER_QUOTA:
9966 /* not decoded yet */
9967 break;
9968 case NT_TRANS_SET_USER_QUOTA:
9969 /* not decoded yet */
9970 break;
9971 }
9972
9973 return offset;
9974 }
9975
9976 static int
9977 dissect_nt_transaction_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
9978 {
9979 uint8_t wc, sc;
9980 uint32_t pc = 0, po = 0, pd = 0, dc = 0, od = 0, dd = 0;
9981 uint32_t td = 0, tp = 0;
9982 smb_nt_transact_info_t *nti = NULL;
9983 uint16_t bc;
9984 int32_t padcnt;
9985 fragment_head *r_fd = NULL;
9986 tvbuff_t *pd_tvb = NULL;
9987 bool save_fragmented;
9988
9989 DISSECTOR_ASSERT(si);
9990
9991 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_NTI))
9992 nti = (smb_nt_transact_info_t *)si->sip->extra_info;
9993 else
9994 nti = NULL;
9995
9996 /* primary request */
9997 if (nti != NULL) {
9998 proto_tree_add_uint(tree, hf_smb_nt_trans_subcmd, tvb, 0, 0, nti->subcmd);
9999 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
10000 val_to_str_ext(nti->subcmd, &nt_cmd_vals_ext, "<unknown (%u)>"));
10001 } else {
10002 proto_tree_add_uint_format_value(tree, hf_smb_nt_trans_subcmd, tvb, offset, 0, -1,
10003 "<unknown function - could not find matching request>");
10004 col_append_str(pinfo->cinfo, COL_INFO, ", <unknown>");
10005 }
10006
10007 WORD_COUNT;
10008
10009 /* 3 reserved bytes */
10010 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, ENC_NA);
10011 offset += 3;
10012
10013 /* total param count */
10014 tp = tvb_get_letohl(tvb, offset);
10015 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 4, tp);
10016 offset += 4;
10017
10018 /* total data count */
10019 td = tvb_get_letohl(tvb, offset);
10020 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 4, td);
10021 offset += 4;
10022
10023 /* param count */
10024 pc = tvb_get_letohl(tvb, offset);
10025 proto_tree_add_uint(tree, hf_smb_param_count32, tvb, offset, 4, pc);
10026 offset += 4;
10027
10028 /* param offset */
10029 po = tvb_get_letohl(tvb, offset);
10030 proto_tree_add_uint(tree, hf_smb_param_offset32, tvb, offset, 4, po);
10031 offset += 4;
10032
10033 /* param displacement */
10034 pd = tvb_get_letohl(tvb, offset);
10035 proto_tree_add_uint(tree, hf_smb_param_disp32, tvb, offset, 4, pd);
10036 offset += 4;
10037
10038 /* data count */
10039 dc = tvb_get_letohl(tvb, offset);
10040 proto_tree_add_uint(tree, hf_smb_data_count32, tvb, offset, 4, dc);
10041 offset += 4;
10042
10043 /* data offset */
10044 od = tvb_get_letohl(tvb, offset);
10045 proto_tree_add_uint(tree, hf_smb_data_offset32, tvb, offset, 4, od);
10046 offset += 4;
10047
10048 /* data displacement */
10049 dd = tvb_get_letohl(tvb, offset);
10050 proto_tree_add_uint(tree, hf_smb_data_disp32, tvb, offset, 4, dd);
10051 offset += 4;
10052
10053 /* setup count */
10054 sc = tvb_get_uint8(tvb, offset);
10055 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
10056 offset += 1;
10057
10058 /* setup data */
10059 if (sc) {
10060 dissect_nt_trans_setup_response(tvb, pinfo, offset, tree, sc*2, si);
10061 offset += sc*2;
10062 }
10063
10064 BYTE_COUNT;
10065
10066 /* reassembly of SMB NT Transaction data payload.
10067 In this section we do reassembly of both the data and parameters
10068 blocks of the SMB transaction command.
10069 */
10070 save_fragmented = pinfo->fragmented;
10071 /* do we need reassembly? */
10072 if ( (td && (td != dc)) || (tp && (tp != pc)) ) {
10073 /* oh yeah, either data or parameter section needs
10074 reassembly...
10075 */
10076 pinfo->fragmented = true;
10077 if (smb_trans_reassembly) {
10078 /* ...and we were told to do reassembly */
10079 if (pc) {
10080 r_fd = smb_trans_defragment(tree, pinfo, tvb,
10081 po, pc, pd, td+tp, si);
10082
10083 }
10084 if ((r_fd == NULL) && dc) {
10085 r_fd = smb_trans_defragment(tree, pinfo, tvb,
10086 od, dc, dd+tp, td+tp, si);
10087 }
10088 }
10089 }
10090
10091 /* if we got a reassembled fd structure from the reassembly routine we
10092 must create pd_tvb from it
10093 */
10094 if (r_fd) {
10095 proto_item *frag_tree_item;
10096
10097 pd_tvb = tvb_new_chain(tvb, r_fd->tvb_data);
10098 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
10099
10100 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
10101 }
10102
10103
10104 if (pd_tvb) {
10105 /* we have reassembled data, grab param and data from there */
10106 dissect_nt_trans_param_response(pd_tvb, pinfo, 0, tree, tp,
10107 (uint16_t) tvb_reported_length(pd_tvb), si);
10108 dissect_nt_trans_data_response(pd_tvb, pinfo, tp, tree, td, nti, si);
10109 COUNT_BYTES(bc); /* We are done */
10110 } else {
10111 /* we do not have reassembled data, just use what we have in the
10112 packet as well as we can */
10113 /* parameters */
10114 if (po > (uint32_t)offset) {
10115 /* We have some initial padding bytes.
10116 */
10117 padcnt = po-offset;
10118 if (padcnt > bc)
10119 padcnt = bc;
10120 CHECK_BYTE_COUNT(padcnt);
10121 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, ENC_NA);
10122 COUNT_BYTES(padcnt);
10123 }
10124 if (pc) {
10125 CHECK_BYTE_COUNT(pc);
10126 dissect_nt_trans_param_response(tvb, pinfo, offset, tree, pc, bc, si);
10127 COUNT_BYTES(pc);
10128 }
10129
10130 /* data */
10131 if (od > (uint32_t)offset) {
10132 /* We have some initial padding bytes.
10133 */
10134 padcnt = od-offset;
10135 if (padcnt > bc)
10136 padcnt = bc;
10137 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, ENC_NA);
10138 COUNT_BYTES(padcnt);
10139 }
10140 if (dc) {
10141 CHECK_BYTE_COUNT(dc);
10142 dissect_nt_trans_data_response(tvb, pinfo, offset, tree, dc, nti, si);
10143 COUNT_BYTES(dc);
10144 }
10145 }
10146 pinfo->fragmented = save_fragmented;
10147
10148 END_OF_SMB
10149
10150 return offset;
10151 }
10152
10153 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10154 NT Transaction command ends here
10155 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
10156
10157 static const value_string print_mode_vals[] = {
10158 {0, "Text Mode"},
10159 {1, "Graphics Mode"},
10160 {0, NULL}
10161 };
10162
10163 static int
10164 dissect_open_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
10165 {
10166 int fn_len;
10167 const char *fn;
10168 uint8_t wc;
10169 uint16_t bc;
10170
10171 DISSECTOR_ASSERT(si);
10172
10173 WORD_COUNT;
10174
10175 /* setup len */
10176 proto_tree_add_item(tree, hf_smb_setup_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10177 offset += 2;
10178
10179 /* print mode */
10180 proto_tree_add_item(tree, hf_smb_print_mode, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10181 offset += 2;
10182
10183 BYTE_COUNT;
10184
10185 /* buffer format */
10186 CHECK_BYTE_COUNT(1);
10187 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10188 COUNT_BYTES(1);
10189
10190 /* print identifier */
10191 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, true, false, &bc);
10192 if (fn == NULL)
10193 goto endofcommand;
10194 proto_tree_add_string(tree, hf_smb_print_identifier, tvb, offset, fn_len,
10195 fn);
10196 COUNT_BYTES(fn_len);
10197
10198 END_OF_SMB
10199
10200 return offset;
10201 }
10202
10203
10204 static int
10205 dissect_write_print_file_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
10206 {
10207 int cnt;
10208 uint8_t wc;
10209 uint16_t bc, fid;
10210
10211 WORD_COUNT;
10212
10213 /* fid */
10214 fid = tvb_get_letohs(tvb, offset);
10215 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
10216 offset += 2;
10217
10218 BYTE_COUNT;
10219
10220 /* buffer format */
10221 CHECK_BYTE_COUNT(1);
10222 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10223 COUNT_BYTES(1);
10224
10225 /* data len */
10226 CHECK_BYTE_COUNT(2);
10227 cnt = tvb_get_letohs(tvb, offset);
10228 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, cnt);
10229 COUNT_BYTES(2);
10230
10231 /* file data */
10232 offset = dissect_file_data(tvb, tree, offset, (uint16_t) cnt, -1, (uint16_t) cnt);
10233
10234 END_OF_SMB
10235
10236 return offset;
10237 }
10238
10239
10240 static const value_string print_status_vals[] = {
10241 {1, "Held or Stopped"},
10242 {2, "Printing"},
10243 {3, "Awaiting print"},
10244 {4, "In intercept"},
10245 {5, "File had error"},
10246 {6, "Printer error"},
10247 {0, NULL}
10248 };
10249
10250 static int
10251 dissect_get_print_queue_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10252 {
10253 uint8_t wc;
10254 uint16_t bc;
10255
10256 WORD_COUNT;
10257
10258 /* max count */
10259 proto_tree_add_item(tree, hf_smb_max_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10260 offset += 2;
10261
10262 /* start index */
10263 proto_tree_add_item(tree, hf_smb_start_index, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10264 offset += 2;
10265
10266 BYTE_COUNT;
10267
10268 END_OF_SMB
10269
10270 return offset;
10271 }
10272
10273 static int
10274 dissect_print_queue_element(tvbuff_t *tvb, packet_info *pinfo,
10275 proto_tree *parent_tree, int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
10276 {
10277 proto_tree *tree;
10278 int fn_len;
10279 const char *fn;
10280
10281 DISSECTOR_ASSERT(si);
10282
10283 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 28,
10284 ett_smb_print_queue_entry, NULL, "Queue entry");
10285
10286 /* queued time */
10287 CHECK_BYTE_COUNT_SUBR(4);
10288 offset = dissect_smb_datetime(tvb, tree, offset,
10289 hf_smb_print_queue_date,
10290 hf_smb_print_queue_dos_date, hf_smb_print_queue_dos_time, false);
10291 *bcp -= 4;
10292
10293 /* status */
10294 CHECK_BYTE_COUNT_SUBR(1);
10295 proto_tree_add_item(tree, hf_smb_print_status, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10296 COUNT_BYTES_SUBR(1);
10297
10298 /* spool file number */
10299 CHECK_BYTE_COUNT_SUBR(2);
10300 proto_tree_add_item(tree, hf_smb_print_spool_file_number, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10301 COUNT_BYTES_SUBR(2);
10302
10303 /* spool file size */
10304 CHECK_BYTE_COUNT_SUBR(4);
10305 proto_tree_add_item(tree, hf_smb_print_spool_file_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10306 COUNT_BYTES_SUBR(4);
10307
10308 /* reserved byte */
10309 CHECK_BYTE_COUNT_SUBR(1);
10310 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
10311 COUNT_BYTES_SUBR(1);
10312
10313 /* file name */
10314 fn_len = 16;
10315 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, true, true, bcp);
10316 CHECK_STRING_SUBR(fn);
10317 proto_tree_add_string(tree, hf_smb_print_spool_file_name, tvb, offset, 16,
10318 fn);
10319 COUNT_BYTES_SUBR(fn_len);
10320
10321 *trunc = false;
10322 return offset;
10323 }
10324
10325 static int
10326 dissect_get_print_queue_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10327 {
10328 uint16_t cnt = 0, len;
10329 uint8_t wc;
10330 uint16_t bc;
10331 bool trunc;
10332
10333 WORD_COUNT;
10334
10335 /* count */
10336 cnt = tvb_get_letohs(tvb, offset);
10337 proto_tree_add_uint(tree, hf_smb_count, tvb, offset, 2, cnt);
10338 offset += 2;
10339
10340 /* restart index */
10341 proto_tree_add_item(tree, hf_smb_restart_index, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10342 offset += 2;
10343
10344 BYTE_COUNT;
10345
10346 /* buffer format */
10347 CHECK_BYTE_COUNT(1);
10348 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10349 COUNT_BYTES(1);
10350
10351 /* data len */
10352 CHECK_BYTE_COUNT(2);
10353 len = tvb_get_letohs(tvb, offset);
10354 proto_tree_add_uint(tree, hf_smb_data_len, tvb, offset, 2, len);
10355 COUNT_BYTES(2);
10356
10357 /* queue elements */
10358 while (cnt--) {
10359 offset = dissect_print_queue_element(tvb, pinfo, tree, offset,
10360 &bc, &trunc, si);
10361 if (trunc)
10362 goto endofcommand;
10363 }
10364
10365 END_OF_SMB
10366
10367 return offset;
10368 }
10369
10370
10371 static int
10372 dissect_send_single_block_message_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10373 {
10374 int name_len;
10375 uint16_t bc;
10376 uint8_t wc;
10377 uint16_t message_len;
10378
10379 WORD_COUNT;
10380
10381 BYTE_COUNT;
10382
10383 /* buffer format */
10384 CHECK_BYTE_COUNT(1);
10385 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10386 COUNT_BYTES(1);
10387
10388 /* originator name */
10389 /* XXX - what if this runs past bc? */
10390 name_len = tvb_strsize(tvb, offset);
10391 CHECK_BYTE_COUNT(name_len);
10392 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
10393 name_len, ENC_ASCII);
10394 COUNT_BYTES(name_len);
10395
10396 /* buffer format */
10397 CHECK_BYTE_COUNT(1);
10398 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10399 COUNT_BYTES(1);
10400
10401 /* destination name */
10402 /* XXX - what if this runs past bc? */
10403 name_len = tvb_strsize(tvb, offset);
10404 CHECK_BYTE_COUNT(name_len);
10405 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
10406 name_len, ENC_ASCII);
10407 COUNT_BYTES(name_len);
10408
10409 /* buffer format */
10410 CHECK_BYTE_COUNT(1);
10411 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10412 COUNT_BYTES(1);
10413
10414 /* message len */
10415 CHECK_BYTE_COUNT(2);
10416 message_len = tvb_get_letohs(tvb, offset);
10417 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
10418 message_len);
10419 COUNT_BYTES(2);
10420
10421 /* message */
10422 CHECK_BYTE_COUNT(message_len);
10423 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
10424 ENC_ASCII);
10425 COUNT_BYTES(message_len);
10426
10427 END_OF_SMB
10428
10429 return offset;
10430 }
10431
10432 static int
10433 dissect_send_multi_block_message_start_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10434 {
10435 int name_len;
10436 uint16_t bc;
10437 uint8_t wc;
10438
10439 WORD_COUNT;
10440
10441 BYTE_COUNT;
10442
10443 /* buffer format */
10444 CHECK_BYTE_COUNT(1);
10445 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10446 COUNT_BYTES(1);
10447
10448 /* originator name */
10449 /* XXX - what if this runs past bc? */
10450 name_len = tvb_strsize(tvb, offset);
10451 CHECK_BYTE_COUNT(name_len);
10452 proto_tree_add_item(tree, hf_smb_originator_name, tvb, offset,
10453 name_len, ENC_ASCII);
10454 COUNT_BYTES(name_len);
10455
10456 /* buffer format */
10457 CHECK_BYTE_COUNT(1);
10458 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10459 COUNT_BYTES(1);
10460
10461 /* destination name */
10462 /* XXX - what if this runs past bc? */
10463 name_len = tvb_strsize(tvb, offset);
10464 CHECK_BYTE_COUNT(name_len);
10465 proto_tree_add_item(tree, hf_smb_destination_name, tvb, offset,
10466 name_len, ENC_ASCII);
10467 COUNT_BYTES(name_len);
10468
10469 END_OF_SMB
10470
10471 return offset;
10472 }
10473
10474 static int
10475 dissect_message_group_id(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10476 {
10477 uint16_t bc;
10478 uint8_t wc;
10479
10480 WORD_COUNT;
10481
10482 /* message group ID */
10483 proto_tree_add_item(tree, hf_smb_mgid, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10484 offset += 2;
10485
10486 BYTE_COUNT;
10487
10488 END_OF_SMB
10489
10490 return offset;
10491 }
10492
10493 static int
10494 dissect_send_multi_block_message_text_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10495 {
10496 uint16_t bc;
10497 uint8_t wc;
10498 uint16_t message_len;
10499
10500 WORD_COUNT;
10501
10502 BYTE_COUNT;
10503
10504 /* buffer format */
10505 CHECK_BYTE_COUNT(1);
10506 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10507 COUNT_BYTES(1);
10508
10509 /* message len */
10510 CHECK_BYTE_COUNT(2);
10511 message_len = tvb_get_letohs(tvb, offset);
10512 proto_tree_add_uint(tree, hf_smb_message_len, tvb, offset, 2,
10513 message_len);
10514 COUNT_BYTES(2);
10515
10516 /* message */
10517 CHECK_BYTE_COUNT(message_len);
10518 proto_tree_add_item(tree, hf_smb_message, tvb, offset, message_len,
10519 ENC_ASCII);
10520 COUNT_BYTES(message_len);
10521
10522 END_OF_SMB
10523
10524 return offset;
10525 }
10526
10527 static int
10528 dissect_forwarded_name(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10529 {
10530 int name_len;
10531 uint16_t bc;
10532 uint8_t wc;
10533
10534 WORD_COUNT;
10535
10536 BYTE_COUNT;
10537
10538 /* buffer format */
10539 CHECK_BYTE_COUNT(1);
10540 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10541 COUNT_BYTES(1);
10542
10543 /* forwarded name */
10544 /* XXX - what if this runs past bc? */
10545 name_len = tvb_strsize(tvb, offset);
10546 CHECK_BYTE_COUNT(name_len);
10547 proto_tree_add_item(tree, hf_smb_forwarded_name, tvb, offset,
10548 name_len, ENC_ASCII);
10549 COUNT_BYTES(name_len);
10550
10551 END_OF_SMB
10552
10553 return offset;
10554 }
10555
10556 static int
10557 dissect_get_machine_name_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10558 {
10559 int name_len;
10560 uint16_t bc;
10561 uint8_t wc;
10562
10563 WORD_COUNT;
10564
10565 BYTE_COUNT;
10566
10567 /* buffer format */
10568 CHECK_BYTE_COUNT(1);
10569 proto_tree_add_item(tree, hf_smb_buffer_format, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10570 COUNT_BYTES(1);
10571
10572 /* machine name */
10573 /* XXX - what if this runs past bc? */
10574 name_len = tvb_strsize(tvb, offset);
10575 CHECK_BYTE_COUNT(name_len);
10576 proto_tree_add_item(tree, hf_smb_machine_name, tvb, offset,
10577 name_len, ENC_ASCII);
10578 COUNT_BYTES(name_len);
10579
10580 END_OF_SMB
10581
10582 return offset;
10583 }
10584
10585
10586 static int
10587 dissect_nt_create_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si _U_)
10588 {
10589 uint8_t wc, cmd = 0xff;
10590 uint16_t andxoffset = 0;
10591 uint16_t bc;
10592 int fn_len = -1;
10593 const char *fn;
10594 uint32_t create_flags = 0, access_mask = 0, file_attributes = 0;
10595 uint32_t share_access = 0, create_options = 0, create_disposition = 0;
10596
10597 DISSECTOR_ASSERT(si);
10598
10599 WORD_COUNT;
10600
10601 /* next smb command */
10602 cmd = tvb_get_uint8(tvb, offset);
10603 if (cmd != 0xff) {
10604 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
10605 } else {
10606 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
10607 }
10608 offset += 1;
10609
10610 /* reserved byte */
10611 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
10612 offset += 1;
10613
10614 /* andxoffset */
10615 andxoffset = tvb_get_letohs(tvb, offset);
10616 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
10617 offset += 2;
10618
10619 /* reserved byte */
10620 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
10621 offset += 1;
10622
10623 /* file name len */
10624 fn_len = tvb_get_letohs(tvb, offset);
10625 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 2, fn_len);
10626 offset += 2;
10627
10628 /* Create flags */
10629 create_flags = tvb_get_letohl(tvb, offset);
10630 offset = dissect_nt_create_bits(tvb, tree, offset, 4, create_flags);
10631
10632 /* root directory fid */
10633 proto_tree_add_item(tree, hf_smb_root_dir_fid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10634 offset += 4;
10635
10636 /* nt access mask */
10637 access_mask = tvb_get_letohl(tvb, offset);
10638 offset = dissect_smb_access_mask_bits(tvb, tree, offset, 4, access_mask);
10639
10640 /* allocation size */
10641 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
10642 offset += 8;
10643
10644 /* Extended File Attributes */
10645 file_attributes = tvb_get_letohl(tvb, offset);
10646 offset = dissect_file_ext_attr_bits(tvb, tree, offset, 4, file_attributes);
10647
10648 /* share access */
10649 share_access = tvb_get_letohl(tvb, offset);
10650 offset = dissect_nt_share_access_bits(tvb, tree, offset, 4, share_access);
10651
10652 /* create disposition */
10653 create_disposition = tvb_get_letohl(tvb, offset);
10654 proto_tree_add_item(tree, hf_smb_nt_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10655 offset += 4;
10656
10657 /* create options */
10658 create_options = tvb_get_letohl(tvb, offset);
10659 offset = dissect_nt_create_options_bits(tvb, tree, offset, 4, create_options);
10660
10661 /* impersonation level */
10662 proto_tree_add_item(tree, hf_smb_nt_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10663 offset += 4;
10664
10665 /* security flags */
10666 offset = dissect_nt_security_flags(tvb, tree, offset);
10667
10668 BYTE_COUNT;
10669
10670 /* file name */
10671 if (fn_len == -1) {
10672 /*
10673 * We never set the file name length, perhaps because
10674 * the word count was zero. This is not a valid
10675 * packet.
10676 */
10677 proto_tree_add_expert(tree, pinfo, &ei_smb_missing_word_parameters,
10678 tvb, 0, 0);
10679 goto endofcommand;
10680 }
10681 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, &bc);
10682 if (fn == NULL)
10683 goto endofcommand;
10684 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
10685 fn);
10686 COUNT_BYTES(fn_len);
10687
10688 /* store it for the fid->name/openframe/closeframe matching in
10689 * dissect_smb_fid() called from the response.
10690 */
10691 if ((!pinfo->fd->visited) && si->sip && fn) {
10692 smb_fid_saved_info_t *fsi;
10693
10694 fsi = wmem_new(wmem_file_scope(), smb_fid_saved_info_t);
10695 fsi->filename = wmem_strdup(wmem_file_scope(), fn);
10696 fsi->create_flags = create_flags;
10697 fsi->access_mask = access_mask;
10698 fsi->file_attributes = file_attributes;
10699 fsi->share_access = share_access;
10700 fsi->create_options = create_options;
10701 fsi->create_disposition = create_disposition;
10702
10703 si->sip->extra_info_type = SMB_EI_FILEDATA;
10704 si->sip->extra_info = fsi;
10705 }
10706
10707 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
10708 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
10709
10710 END_OF_SMB
10711
10712 if (cmd != 0xff) { /* there is an andX command */
10713 if (andxoffset < offset)
10714 THROW(ReportedBoundsError);
10715 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
10716 }
10717
10718 return offset;
10719 }
10720
10721
10722 static int
10723 dissect_nt_create_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si)
10724 {
10725 uint8_t wc, cmd = 0xff;
10726 uint16_t andxoffset = 0;
10727 uint16_t bc;
10728 uint16_t fid = 0;
10729 uint16_t ftype;
10730 uint8_t isdir;
10731 smb_fid_info_t *fid_info = NULL;
10732
10733 WORD_COUNT;
10734
10735 /* next smb command */
10736 cmd = tvb_get_uint8(tvb, offset);
10737 if (cmd != 0xff) {
10738 proto_tree_add_uint(tree, hf_smb_andxcmd, tvb, offset, 1, cmd);
10739 } else {
10740 proto_tree_add_uint_format_value(tree, hf_smb_andxcmd, tvb, offset, 1, cmd, "No further commands (0xff)");
10741 }
10742 offset += 1;
10743
10744 /* reserved byte */
10745 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
10746 offset += 1;
10747
10748 /* andxoffset */
10749 andxoffset = tvb_get_letohs(tvb, offset);
10750 proto_tree_add_uint(tree, hf_smb_andxoffset, tvb, offset, 2, andxoffset);
10751 offset += 2;
10752
10753 /* oplock level */
10754 proto_tree_add_item(tree, hf_smb_oplock_level, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10755 offset += 1;
10756
10757 /* fid */
10758 fid = tvb_get_letohs(tvb, offset);
10759 fid_info = dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, true, false, false, si);
10760 offset += 2;
10761
10762 /* create action */
10763 /*XXX is this really the same as create disposition in the request? it looks so*/
10764 /* No, it is not. It is the same as the create action from an Open&X request ... RJS */
10765 proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10766 offset += 4;
10767
10768 /* create time */
10769 dissect_nttime(tvb, tree, offset, hf_smb_create_time, ENC_LITTLE_ENDIAN);
10770 offset += 8;
10771
10772 /* access time */
10773 dissect_nttime(tvb, tree, offset, hf_smb_access_time, ENC_LITTLE_ENDIAN);
10774 offset += 8;
10775
10776 /* last write time */
10777 dissect_nttime(tvb, tree, offset,
10778 hf_smb_last_write_time, ENC_LITTLE_ENDIAN);
10779 offset += 8;
10780
10781 /* last change time */
10782 dissect_nttime(tvb, tree, offset, hf_smb_change_time, ENC_LITTLE_ENDIAN);
10783 offset += 8;
10784
10785 /* Extended File Attributes */
10786 offset = dissect_file_ext_attr(tvb, tree, offset);
10787
10788 /* allocation size */
10789 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
10790 offset += 8;
10791
10792 /* end of file */
10793 /* We store the end of file */
10794 if (fid_info) {
10795 fid_info->end_of_file = tvb_get_letoh64(tvb, offset);
10796 }
10797 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
10798 offset += 8;
10799
10800 /* File Type */
10801 ftype = tvb_get_letohs(tvb, offset);
10802 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10803 offset += 2;
10804
10805 /* IPC State */
10806 offset = dissect_ipc_state(tvb, tree, offset, false);
10807
10808 /* is directory */
10809 isdir = tvb_get_uint8(tvb, offset);
10810 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
10811 offset += 1;
10812
10813 /* Always use the word count to decide if this is an "extended" response.
10814 When the server doesn't support the 0x10 flag, it will send a normal
10815 34 word response, so the word count is the only way to tell which of
10816 the response formats we have. MS-SMB 2.2.4.9.2
10817 Also note that the extended format is actually 50 words, but in a
10818 "windows behavior note" they say Windows sets word count to 42.
10819 Handle anything 42 or larger as "extended" format. */
10820 if (wc >= 42) {
10821 proto_tree *tr = NULL;
10822
10823 /* The first field is a Volume GUID ... */
10824 proto_tree_add_item(tree, hf_smb_volume_guid,
10825 tvb, offset, 16, ENC_NA);
10826 offset += 16;
10827
10828 /* The file ID comes next */
10829 proto_tree_add_item(tree, hf_smb_file_id_64bit,
10830 tvb, offset, 8, ENC_LITTLE_ENDIAN);
10831 offset += 8;
10832
10833 tr = proto_tree_add_subtree(tree, tvb, offset, 4,
10834 ett_smb_nt_access_mask, NULL, "Maximal Access Rights");
10835
10836 offset = dissect_smb_access_mask(tvb, tr, offset);
10837
10838 tr = proto_tree_add_subtree(tree, tvb, offset, 4,
10839 ett_smb_nt_access_mask, NULL, "Guest Maximal Access Rights");
10840
10841 offset = dissect_smb_access_mask(tvb, tr, offset);
10842 }
10843
10844 /* Try to remember the type of this fid so that we can dissect
10845 * any future security descriptor (access mask) properly
10846 */
10847 if (ftype == 0) {
10848 if (isdir == 0) {
10849 if (fid_info) {
10850 fid_info->type = SMB_FID_TYPE_FILE;
10851 }
10852 } else {
10853 if (fid_info) {
10854 fid_info->type = SMB_FID_TYPE_DIR;
10855 }
10856 }
10857 }
10858 if (ftype == 2) {
10859 if (fid_info) {
10860 fid_info->type = SMB_FID_TYPE_PIPE;
10861 }
10862 }
10863
10864 BYTE_COUNT;
10865
10866 END_OF_SMB
10867
10868 if (cmd != 0xff) { /* there is an andX command */
10869 if (andxoffset < offset)
10870 THROW(ReportedBoundsError);
10871 dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, false, si);
10872 }
10873
10874 /* if there was an error, add a generated filename to the tree */
10875 if (si->nt_status) {
10876 dissect_smb_fid(tvb, pinfo, tree, 0, 0, fid, true, true, true, si);
10877 }
10878
10879 return offset;
10880 }
10881
10882
10883 static int
10884 dissect_nt_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
10885 {
10886 uint8_t wc;
10887 uint16_t bc;
10888
10889 WORD_COUNT;
10890
10891 BYTE_COUNT;
10892
10893 END_OF_SMB
10894
10895 return offset;
10896 }
10897
10898 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10899 BEGIN Transaction/Transaction2 Primary and secondary requests
10900 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
10901
10902
10903 static const value_string trans2_cmd_vals[] = {
10904 { 0x00, "OPEN2" },
10905 { 0x01, "FIND_FIRST2" },
10906 { 0x02, "FIND_NEXT2" },
10907 { 0x03, "QUERY_FS_INFO" },
10908 { 0x04, "SET_FS_INFO" },
10909 { 0x05, "QUERY_PATH_INFO" },
10910 { 0x06, "SET_PATH_INFO" },
10911 { 0x07, "QUERY_FILE_INFO" },
10912 { 0x08, "SET_FILE_INFO" },
10913 { 0x09, "FSCTL" },
10914 { 0x0A, "IOCTL2" },
10915 { 0x0B, "FIND_NOTIFY_FIRST" },
10916 { 0x0C, "FIND_NOTIFY_NEXT" },
10917 { 0x0D, "CREATE_DIRECTORY" },
10918 { 0x0E, "SESSION_SETUP" },
10919 { 0x0F, "Unknown (0x0f)" }, /* dummy so val_to_str_ext can do indexed lookup */
10920 { 0x10, "GET_DFS_REFERRAL" },
10921 { 0x11, "REPORT_DFS_INCONSISTENCY" },
10922 { 0, NULL }
10923 };
10924 value_string_ext trans2_cmd_vals_ext = VALUE_STRING_EXT_INIT(trans2_cmd_vals);
10925
10926 static const true_false_string tfs_tf_dtid = {
10927 "Also DISCONNECT TID",
10928 "Do NOT disconnect TID"
10929 };
10930 static const true_false_string tfs_tf_owt = {
10931 "One Way Transaction (NO RESPONSE)",
10932 "Two way transaction"
10933 };
10934
10935 static const true_false_string tfs_ff2_backup = {
10936 "Find WITH backup intent",
10937 "No backup intent"
10938 };
10939 static const true_false_string tfs_ff2_continue = {
10940 "CONTINUE search from previous position",
10941 "New search, do NOT continue from previous position"
10942 };
10943 static const true_false_string tfs_ff2_resume = {
10944 "Return RESUME keys",
10945 "Do NOT return resume keys"
10946 };
10947 static const true_false_string tfs_ff2_close_eos = {
10948 "CLOSE search if END OF SEARCH is reached",
10949 "Do NOT close search if end of search reached"
10950 };
10951 static const true_false_string tfs_ff2_close = {
10952 "CLOSE search after this request",
10953 "Do NOT close search after this request"
10954 };
10955
10956 /* used by
10957 TRANS2_FIND_FIRST2 and TRANS2_FIND_NEXT2
10958 */
10959 static const value_string ff2_il_vals[] = {
10960 { 1, "Info Standard"},
10961 { 2, "Info Query EA Size"},
10962 { 3, "Info Query EAs From List"},
10963 { 0x0101, "Find File Directory Info"},
10964 { 0x0102, "Find File Full Directory Info"},
10965 { 0x0103, "Find File Names Info"},
10966 { 0x0104, "Find File Both Directory Info"},
10967 { 0x0105, "Find File Full Directory Info"},
10968 { 0x0106, "Find File Id Both Directory Info"},
10969 { 0x0202, "Find File Unix"},
10970 { 0x020B, "Find File Unix Info2"},
10971 {0, NULL}
10972 };
10973
10974 /* values used by :
10975 TRANS2_QUERY_PATH_INFORMATION
10976 TRANS2_QUERY_FILE_INFORMATION
10977 */
10978 static const value_string qpi_loi_vals[] = {
10979 { 1, "Info Standard"},
10980 { 2, "Info Query EA Size"},
10981 { 3, "Info Query EAs From List"},
10982 { 4, "Info Query All EAs"},
10983 { 6, "Info Is Name Valid"},
10984 { 0x0101, "Query File Basic Info"},
10985 { 0x0102, "Query File Standard Info"},
10986 { 0x0103, "Query File EA Info"},
10987 { 0x0104, "Query File Name Info"},
10988 { 0x0107, "Query File All Info"},
10989 { 0x0108, "Query File Alt Name Info"},
10990 { 0x0109, "Query File Stream Info"},
10991 { 0x010b, "Query File Compression Info"},
10992 { 0x0200, "Query File Unix Basic"},
10993 { 0x0201, "Query File Unix Link"},
10994 { 0x0202, "Query File Unix Hardlink"},
10995 { 0x0204, "Query File Posix ACL"},
10996 { 0x0205, "Query File Posix XATTR"},
10997 { 0x0206, "Query File Posix Attr Flags"},
10998 { 0x0207, "Query File Posix Permissions"},
10999 { 0x0208, "Query File Posix Lock"},
11000 { 0x020b, "Query File Unix Info2"},
11001 { 1004, "Query File Basic Info"},
11002 { 1005, "Query File Standard Info"},
11003 { 1006, "Query File Internal Info"},
11004 { 1007, "Query File EA Info"},
11005 { 1009, "Query File Name Info"},
11006 { 1010, "Query File Rename Info"},
11007 { 1011, "Query File Link Info"},
11008 { 1012, "Query File Names Info"},
11009 { 1013, "Query File Disposition Info"},
11010 { 1014, "Query File Position Info"},
11011 { 1015, "Query File Full EA Info"},
11012 { 1016, "Query File Mode Info"},
11013 { 1017, "Query File Alignment Info"},
11014 { 1018, "Query File All Info"},
11015 { 1019, "Query File Allocation Info"},
11016 { 1020, "Query File End of File Info"},
11017 { 1021, "Query File Alt Name Info"},
11018 { 1022, "Query File Stream Info"},
11019 { 1023, "Query File Pipe Info"},
11020 { 1024, "Query File Pipe Local Info"},
11021 { 1025, "Query File Pipe Remote Info"},
11022 { 1026, "Query File Mailslot Query Info"},
11023 { 1027, "Query File Mailslot Set Info"},
11024 { 1028, "Query File Compression Info"},
11025 { 1029, "Query File ObjectID Info"},
11026 { 1030, "Query File Completion Info"},
11027 { 1031, "Query File Move Cluster Info"},
11028 { 1032, "Query File Quota Info"},
11029 { 1033, "Query File Reparsepoint Info"},
11030 { 1034, "Query File Network Open Info"},
11031 { 1035, "Query File Attribute Tag Info"},
11032 { 1036, "Query File Tracking Info"},
11033 { 1037, "Query File Maximum Info"},
11034 {0, NULL}
11035 };
11036 static value_string_ext qpi_loi_vals_ext = VALUE_STRING_EXT_INIT(qpi_loi_vals);
11037
11038 /* values used by :
11039 TRANS2_SET_PATH_INFORMATION
11040 TRANS2_SET_FILE_INFORMATION
11041 (the SNIA CIFS spec lists some only for TRANS2_SET_FILE_INFORMATION,
11042 but I'm assuming they apply to TRANS2_SET_PATH_INFORMATION as
11043 well; note that they're different from the QUERY_PATH_INFORMATION
11044 and QUERY_FILE_INFORMATION values!)
11045 */
11046 static const value_string spi_loi_vals[] = {
11047 { 1, "Info Standard"},
11048 { 2, "Info Set EAs"},
11049 { 4, "Info Query All EAs"},
11050 { 0x0101, "Set File Basic Info"},
11051 { 0x0102, "Set File Disposition Info"},
11052 { 0x0103, "Set File Allocation Info"},
11053 { 0x0104, "Set File End Of File Info"},
11054 { 0x0200, "Set File Unix Basic"},
11055 { 0x0201, "Set File Unix Link"},
11056 { 0x0202, "Set File Unix HardLink"},
11057 { 0x0204, "Set File Unix ACL"},
11058 { 0x0205, "Set File Unix XATTR"},
11059 { 0x0206, "Set File Unix Attr Flags"},
11060 { 0x0208, "Set File Posix Lock"},
11061 { 0x0209, "Set File Posix Open"},
11062 { 0x020a, "Set File Posix Unlink"},
11063 { 0x020b, "Set File Unix Info2"},
11064 { 1004, "Set File Basic Info"},
11065 { 1010, "Set Rename Information"},
11066 { 1013, "Set Disposition Information"},
11067 { 1014, "Set Position Information"},
11068 { 1016, "Set Mode Information"},
11069 { 1019, "Set Allocation Information"},
11070 { 1020, "Set EOF Information"},
11071 { 1023, "Set File Pipe Information"},
11072 { 1025, "Set File Pipe Remote Information"},
11073 { 1029, "Set Copy On Write Information"},
11074 { 1032, "Set OLE Class ID Information"},
11075 { 1039, "Set Inherit Context Index Information"},
11076 { 1040, "Set OLE Information (?)"},
11077 {0, NULL}
11078 };
11079 static value_string_ext spi_loi_vals_ext = VALUE_STRING_EXT_INIT(spi_loi_vals);
11080
11081 static const value_string qfsi_vals[] = {
11082 { 1, "Info Allocation"},
11083 { 2, "Info Volume"},
11084 { 0x0101, "Query FS Label Info"},
11085 { 0x0102, "Query FS Volume Info"},
11086 { 0x0103, "Query FS Size Info"},
11087 { 0x0104, "Query FS Device Info"},
11088 { 0x0105, "Query FS Attribute Info"},
11089 { 0x0200, "Unix Query FS Info"},
11090 { 0x0202, "Unix Query POSIX whoami"},
11091 { 0x0301, "Mac Query FS Info"},
11092 { 1001, "Query FS Label Info"},
11093 { 1002, "Query FS Volume Info"},
11094 { 1003, "Query FS Size Info"},
11095 { 1004, "Query FS Device Info"},
11096 { 1005, "Query FS Attribute Info"},
11097 { 1006, "Query FS Quota Info"},
11098 { 1007, "Query Full FS Size Info"},
11099 { 1008, "Object ID Information"},
11100 {0, NULL}
11101 };
11102 static value_string_ext qfsi_vals_ext = VALUE_STRING_EXT_INIT(qfsi_vals);
11103
11104 static const value_string sfsi_vals[] = {
11105 { 0x203, "Request Transport Encryption"},
11106 { 1006, "Set FS Quota Info"},
11107 {0, NULL}
11108 };
11109
11110 static const value_string nt_rename_vals[] = {
11111 { 0x0103, "Create Hard Link"},
11112 {0, NULL}
11113 };
11114
11115
11116 static const value_string delete_pending_vals[] = {
11117 {0, "Normal, no pending delete"},
11118 {1, "This object has DELETE PENDING"},
11119 {0, NULL}
11120 };
11121
11122 static const value_string alignment_vals[] = {
11123 {0, "Byte alignment"},
11124 {1, "Word (16bit) alignment"},
11125 {3, "Long (32bit) alignment"},
11126 {7, "8 byte boundary alignment"},
11127 {0x0f, "16 byte boundary alignment"},
11128 {0x1f, "32 byte boundary alignment"},
11129 {0x3f, "64 byte boundary alignment"},
11130 {0x7f, "128 byte boundary alignment"},
11131 {0xff, "256 byte boundary alignment"},
11132 {0x1ff, "512 byte boundary alignment"},
11133 {0, NULL}
11134 };
11135
11136 static const true_false_string tfs_marked_for_deletion = {
11137 "File is MARKED FOR DELETION",
11138 "File is NOT marked for deletion"
11139 };
11140
11141 static const true_false_string tfs_get_dfs_server_hold_storage = {
11142 "Referral SERVER HOLDS STORAGE for the file",
11143 "Referral server does NOT hold storage for the file"
11144 };
11145 static const true_false_string tfs_get_dfs_fielding = {
11146 "The server in referral is FIELDING CAPABLE",
11147 "The server in referrals is NOT fielding capable"
11148 };
11149
11150 static const true_false_string tfs_dfs_referral_flags_name_list_referral = {
11151 "A domain/DC referral response",
11152 "NOT a domain/DC referral response"
11153 };
11154
11155 static const true_false_string tfs_dfs_referral_flags_target_set_boundary = {
11156 "The first target in the target set",
11157 "NOT the first target in the target set"
11158 };
11159
11160 static const value_string dfs_referral_server_type_vals[] = {
11161 {0, "Non-root targets returned"},
11162 {1, "Root targets returns"},
11163 {0, NULL}
11164 };
11165
11166
11167 static const true_false_string tfs_device_char_removable = {
11168 "This is a REMOVABLE device",
11169 "This is NOT a removable device"
11170 };
11171 static const true_false_string tfs_device_char_read_only = {
11172 "This is a READ-ONLY device",
11173 "This is NOT a read-only device"
11174 };
11175 static const true_false_string tfs_device_char_floppy = {
11176 "This is a FLOPPY DISK device",
11177 "This is NOT a floppy disk device"
11178 };
11179 static const true_false_string tfs_device_char_write_once = {
11180 "This is a WRITE-ONCE device",
11181 "This is NOT a write-once device"
11182 };
11183 static const true_false_string tfs_device_char_remote = {
11184 "This is a REMOTE device",
11185 "This is NOT a remote device"
11186 };
11187 static const true_false_string tfs_device_char_mounted = {
11188 "This device is MOUNTED",
11189 "This device is NOT mounted"
11190 };
11191 static const true_false_string tfs_device_char_virtual = {
11192 "This is a VIRTUAL device",
11193 "This is NOT a virtual device"
11194 };
11195 static const true_false_string tfs_device_char_secure_open = {
11196 "This device supports SECURE OPEN",
11197 "This device does NOT support secure open"
11198 };
11199 static const true_false_string tfs_device_char_ts = {
11200 "This is a TERMINAL SERVICES device",
11201 "This is NOT a terminal services device"
11202 };
11203 static const true_false_string tfs_device_char_webdav = {
11204 "This is a WEBDAV device",
11205 "This is NOT a webdav device"
11206 };
11207 static const true_false_string tfs_device_char_portable = {
11208 "This is a PORTABLE device",
11209 "This is NOT a portable device"
11210 };
11211 static const true_false_string tfs_device_char_aat = {
11212 "This device ALLOWS APPCONTAINER TRAVERSAL",
11213 "This device does NOT allow appcontainer traversal"
11214 };
11215
11216 static const true_false_string tfs_fs_attr_css = {
11217 "This FS supports CASE SENSITIVE SEARCHes",
11218 "This FS does NOT support case sensitive searches"
11219 };
11220 static const true_false_string tfs_fs_attr_cpn = {
11221 "This FS supports CASE PRESERVED NAMES",
11222 "This FS does NOT support case preserved names"
11223 };
11224 static const true_false_string tfs_fs_attr_uod = {
11225 "This FS supports UNICODE NAMES",
11226 "This FS does NOT support unicode names"
11227 };
11228 static const true_false_string tfs_fs_attr_pacls = {
11229 "This FS supports PERSISTENT ACLs",
11230 "This FS does NOT support persistent acls"
11231 };
11232 static const true_false_string tfs_fs_attr_fc = {
11233 "This FS supports COMPRESSED FILES",
11234 "This FS does NOT support compressed files"
11235 };
11236 static const true_false_string tfs_fs_attr_vq = {
11237 "This FS supports VOLUME QUOTAS",
11238 "This FS does NOT support volume quotas"
11239 };
11240 static const true_false_string tfs_fs_attr_srp = {
11241 "This FS supports REPARSE POINTS",
11242 "This FS does NOT support reparse points"
11243 };
11244 static const true_false_string tfs_fs_attr_srs = {
11245 "This FS supports REMOTE STORAGE",
11246 "This FS does NOT support remote storage"
11247 };
11248 static const true_false_string tfs_fs_attr_ssf = {
11249 "This FS supports SPARSE FILES",
11250 "This FS does NOT support sparse files"
11251 };
11252 static const true_false_string tfs_fs_attr_sla = {
11253 "This FS supports LFN APIs",
11254 "This FS does NOT support lfn apis"
11255 };
11256 static const true_false_string tfs_fs_attr_vic = {
11257 "This FS VOLUME IS COMPRESSED",
11258 "This FS volume is NOT compressed"
11259 };
11260 static const true_false_string tfs_fs_attr_soids = {
11261 "This FS supports OIDs",
11262 "This FS does NOT support OIDs"
11263 };
11264 static const true_false_string tfs_fs_attr_se = {
11265 "This FS supports ENCRYPTION",
11266 "This FS does NOT support encryption"
11267 };
11268 static const true_false_string tfs_fs_attr_ns = {
11269 "This FS supports NAMED STREAMS",
11270 "This FS does NOT support named streams"
11271 };
11272 static const true_false_string tfs_fs_attr_rov = {
11273 "This is a READ ONLY VOLUME",
11274 "This is a read/write volume"
11275 };
11276 static const true_false_string tfs_fs_attr_swo = {
11277 "This is a SEQUENTIAL WRITE ONCE VOLUME",
11278 "This is NOT a sequential write once volume"
11279 };
11280 static const true_false_string tfs_fs_attr_st = {
11281 "This filesystem supports TRANSACTIONS",
11282 "This filesystem does NOT support transactions"
11283 };
11284 static const true_false_string tfs_fs_attr_shl = {
11285 "This filesystem supports HARD LINKS",
11286 "This filesystem does NOT support hard links"
11287 };
11288 static const true_false_string tfs_fs_attr_sis = {
11289 "This filesystem supports INTEGRITY STREAMS",
11290 "This filesystem does NOT support integrity streams"
11291 };
11292 static const true_false_string tfs_fs_attr_sbr = {
11293 "This filesystem supports BLOCK REFCOUNTING",
11294 "This filesystem does NOT support block refcounting"
11295 };
11296 static const true_false_string tfs_fs_attr_ssv = {
11297 "This filesystem supports SPARSE VDL",
11298 "This filesystem does NOT support sparse vdl"
11299 };
11300
11301 #define FF2_RESUME 0x0004
11302
11303 static int
11304 dissect_ff2_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb_info_t *si)
11305 {
11306 uint16_t mask;
11307 smb_transact2_info_t *t2i;
11308 static int * const flags[] = {
11309 &hf_smb_ff2_backup,
11310 &hf_smb_ff2_continue,
11311 &hf_smb_ff2_resume,
11312 &hf_smb_ff2_close_eos,
11313 &hf_smb_ff2_close,
11314 NULL
11315 };
11316
11317 mask = tvb_get_letohs(tvb, offset);
11318
11319 DISSECTOR_ASSERT(si);
11320
11321 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_T2I)) {
11322 t2i = (smb_transact2_info_t *)si->sip->extra_info;
11323 if (t2i != NULL) {
11324 if (!pinfo->fd->visited)
11325 t2i->resume_keys = (mask & FF2_RESUME);
11326 }
11327 }
11328
11329 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_ff2, ett_smb_find_first2_flags, flags, ENC_LITTLE_ENDIAN);
11330 offset += 2;
11331
11332 return offset;
11333 }
11334
11335 #if 0
11336 static int
11337 dissect_sfi_ioflag(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
11338 {
11339 static int * const flags[] = {
11340 &hf_smb_sfi_writetru,
11341 &hf_smb_sfi_caching,
11342 NULL
11343 };
11344
11345 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_sfi, ett_smb_ioflag, flags, ENC_LITTLE_ENDIAN);
11346 offset += 2;
11347
11348 return offset;
11349 }
11350 #endif
11351
11352 int
11353 dissect_get_dfs_request_data(tvbuff_t *tvb, packet_info *pinfo,
11354 proto_tree *tree, int offset, uint16_t *bcp, bool unicode)
11355 {
11356 int fn_len;
11357 const char *fn;
11358 uint16_t bc = *bcp;
11359
11360 /* referral level */
11361 CHECK_BYTE_COUNT_TRANS(2);
11362 proto_tree_add_item(tree, hf_smb_max_referral_level, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11363 COUNT_BYTES_TRANS(2);
11364
11365 /* file name */
11366 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, unicode, &fn_len, false, false, &bc);
11367 CHECK_STRING_TRANS(fn);
11368 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11369 fn);
11370 COUNT_BYTES_TRANS(fn_len);
11371
11372 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
11373 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11374
11375 *bcp = bc;
11376 return offset;
11377 }
11378
11379 static int
11380 dissect_transaction2_request_parameters(tvbuff_t *tvb, packet_info *pinfo,
11381 proto_tree *parent_tree, int offset, int subcmd, uint16_t bc, smb_info_t *si)
11382 {
11383 proto_tree *tree;
11384 smb_transact2_info_t *t2i;
11385 int fn_len;
11386 const char *fn;
11387 uint32_t search_id;
11388
11389 DISSECTOR_ASSERT(si);
11390
11391 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_T2I))
11392 t2i = (smb_transact2_info_t *)si->sip->extra_info;
11393 else
11394 t2i = NULL;
11395
11396 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, bc,
11397 ett_smb_transaction_params, NULL, "%s Parameters",
11398 val_to_str_ext(subcmd, &trans2_cmd_vals_ext,
11399 "Unknown (0x%02x)"));
11400
11401 switch(subcmd) {
11402 case 0x0000: /*TRANS2_OPEN2*/
11403 /* open flags */
11404 CHECK_BYTE_COUNT_TRANS(2);
11405 offset = dissect_open_flags(tvb, tree, offset, 0x000f);
11406 bc -= 2;
11407
11408 /* desired access */
11409 CHECK_BYTE_COUNT_TRANS(2);
11410 offset = dissect_access(tvb, tree, offset, hf_smb_desired_access);
11411 bc -= 2;
11412
11413 /* Search Attributes */
11414 CHECK_BYTE_COUNT_TRANS(2);
11415 offset = dissect_search_attributes(tvb, tree, offset);
11416 bc -= 2;
11417
11418 /* File Attributes */
11419 CHECK_BYTE_COUNT_TRANS(2);
11420 offset = dissect_file_attributes(tvb, tree, offset);
11421 bc -= 2;
11422
11423 /* create time */
11424 CHECK_BYTE_COUNT_TRANS(4);
11425 offset = dissect_smb_datetime(tvb, tree, offset,
11426 hf_smb_create_time,
11427 hf_smb_create_dos_date, hf_smb_create_dos_time,
11428 true);
11429 bc -= 4;
11430
11431 /* open function */
11432 CHECK_BYTE_COUNT_TRANS(2);
11433 offset = dissect_open_function(tvb, tree, offset);
11434 bc -= 2;
11435
11436 /* allocation size */
11437 CHECK_BYTE_COUNT_TRANS(4);
11438 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11439 COUNT_BYTES_TRANS(4);
11440
11441 /* 10 reserved bytes */
11442 CHECK_BYTE_COUNT_TRANS(10);
11443 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 10, ENC_NA);
11444 COUNT_BYTES_TRANS(10);
11445
11446 /* file name */
11447 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, &bc);
11448 CHECK_STRING_TRANS(fn);
11449 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11450 fn);
11451 COUNT_BYTES_TRANS(fn_len);
11452
11453 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
11454 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11455 break;
11456 case 0x0001: /*TRANS2_FIND_FIRST2*/
11457 /* Search Attributes */
11458 CHECK_BYTE_COUNT_TRANS(2);
11459 offset = dissect_search_attributes(tvb, tree, offset);
11460 bc -= 2;
11461
11462 /* search count */
11463 CHECK_BYTE_COUNT_TRANS(2);
11464 proto_tree_add_item(tree, hf_smb_search_count_max, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11465 COUNT_BYTES_TRANS(2);
11466
11467 /* Find First2 flags */
11468 CHECK_BYTE_COUNT_TRANS(2);
11469 offset = dissect_ff2_flags(tvb, pinfo, tree, offset, si);
11470 bc -= 2;
11471
11472 /* Find First2 information level */
11473 CHECK_BYTE_COUNT_TRANS(2);
11474 si->info_level = tvb_get_letohs(tvb, offset);
11475 if ((t2i != NULL) && !pinfo->fd->visited)
11476 t2i->info_level = si->info_level;
11477 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
11478 COUNT_BYTES_TRANS(2);
11479
11480 /* storage type */
11481 CHECK_BYTE_COUNT_TRANS(4);
11482 proto_tree_add_item(tree, hf_smb_storage_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11483 COUNT_BYTES_TRANS(4);
11484
11485 /* search pattern */
11486 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, &bc);
11487 CHECK_STRING_TRANS(fn);
11488 if (t2i && !t2i->name) {
11489 t2i->name = wmem_strdup(wmem_file_scope(), fn);
11490 }
11491 proto_tree_add_string(tree, hf_smb_search_pattern, tvb, offset, fn_len,
11492 fn);
11493 COUNT_BYTES_TRANS(fn_len);
11494
11495 col_append_fstr(pinfo->cinfo, COL_INFO, ", Pattern: %s",
11496 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11497 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
11498 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11499
11500 break;
11501 case 0x0002: /*TRANS2_FIND_NEXT2*/
11502 /* sid */
11503 CHECK_BYTE_COUNT_TRANS(2);
11504 proto_tree_add_item_ret_uint(tree, hf_smb_search_id, tvb, offset, 2,
11505 ENC_LITTLE_ENDIAN, &search_id);
11506 col_append_fstr(pinfo->cinfo, COL_INFO, ", Search ID: %u", (uint16_t)search_id);
11507 COUNT_BYTES_TRANS(2);
11508
11509 /* search count */
11510 CHECK_BYTE_COUNT_TRANS(2);
11511 proto_tree_add_item(tree, hf_smb_search_count_max, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11512 COUNT_BYTES_TRANS(2);
11513
11514 /* Find First2 information level */
11515 CHECK_BYTE_COUNT_TRANS(2);
11516 si->info_level = tvb_get_letohs(tvb, offset);
11517 if ((t2i != NULL) && !pinfo->fd->visited)
11518 t2i->info_level = si->info_level;
11519 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, offset, 2, si->info_level);
11520 COUNT_BYTES_TRANS(2);
11521
11522 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
11523 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
11524
11525 /* resume key */
11526 CHECK_BYTE_COUNT_TRANS(4);
11527 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11528 COUNT_BYTES_TRANS(4);
11529
11530 /* Find First2 flags */
11531 CHECK_BYTE_COUNT_TRANS(2);
11532 offset = dissect_ff2_flags(tvb, pinfo, tree, offset, si);
11533 bc -= 2;
11534
11535 /* file name */
11536 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, &bc);
11537 CHECK_STRING_TRANS(fn);
11538 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11539 fn);
11540 COUNT_BYTES_TRANS(fn_len);
11541
11542 if (strlen(fn)) {
11543 col_append_fstr(pinfo->cinfo, COL_INFO, ", Continue after: %s",
11544 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11545 } else {
11546 col_append_str(pinfo->cinfo, COL_INFO, ", Continue after previous file");
11547 }
11548 break;
11549 case 0x0003: /*TRANS2_QUERY_FS_INFORMATION*/
11550 /* level of interest */
11551 CHECK_BYTE_COUNT_TRANS(2);
11552 si->info_level = tvb_get_letohs(tvb, offset);
11553 if ((t2i != NULL) && !pinfo->fd->visited)
11554 t2i->info_level = si->info_level;
11555 proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, offset, 2, si->info_level);
11556 COUNT_BYTES_TRANS(2);
11557
11558 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
11559 val_to_str_ext(si->info_level, &qfsi_vals_ext,
11560 "Unknown (0x%02x)"));
11561
11562 break;
11563 case 0x0004: /*TRANS2_SET_FS_INFORMATION*/
11564 /* level of interest */
11565 CHECK_BYTE_COUNT_TRANS(4);
11566 si->info_level = tvb_get_letohs(tvb, offset+2);
11567 if ((t2i != NULL) && !pinfo->fd->visited)
11568 t2i->info_level = si->info_level;
11569 proto_tree_add_uint(tree, hf_smb_sfsi_information_level, tvb, offset+2, 2, si->info_level);
11570 COUNT_BYTES_TRANS(4);
11571
11572 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
11573 val_to_str(si->info_level, sfsi_vals,
11574 "Unknown (0x%02x)"));
11575
11576 break;
11577 case 0x0005: /*TRANS2_QUERY_PATH_INFORMATION*/
11578 /* level of interest */
11579 CHECK_BYTE_COUNT_TRANS(2);
11580 si->info_level = tvb_get_letohs(tvb, offset);
11581 if ((t2i != NULL) && !pinfo->fd->visited)
11582 t2i->info_level = si->info_level;
11583 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
11584 COUNT_BYTES_TRANS(2);
11585
11586 col_append_fstr(
11587 pinfo->cinfo, COL_INFO, ", %s",
11588 val_to_str_ext(si->info_level, &qpi_loi_vals_ext,
11589 "Unknown (%u)"));
11590
11591 /* 4 reserved bytes */
11592 CHECK_BYTE_COUNT_TRANS(4);
11593 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
11594 COUNT_BYTES_TRANS(4);
11595
11596 /* file name */
11597 fn = tvb_get_stringz_enc(pinfo->pool, tvb, offset, &fn_len, (si->unicode ? ENC_UTF_16|ENC_LITTLE_ENDIAN : ENC_ASCII|ENC_NA));
11598
11599 CHECK_STRING_TRANS(fn);
11600 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11601 fn);
11602 COUNT_BYTES_TRANS(fn_len);
11603 if (t2i && !t2i->name) {
11604 t2i->name = wmem_strdup(wmem_file_scope(), fn);
11605 }
11606
11607 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
11608 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11609
11610 break;
11611 case 0x0006: /*TRANS2_SET_PATH_INFORMATION*/
11612 /* level of interest */
11613 CHECK_BYTE_COUNT_TRANS(2);
11614 si->info_level = tvb_get_letohs(tvb, offset);
11615 if ((t2i != NULL) && !pinfo->fd->visited)
11616 t2i->info_level = si->info_level;
11617 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
11618 COUNT_BYTES_TRANS(2);
11619
11620 /* 4 reserved bytes */
11621 CHECK_BYTE_COUNT_TRANS(4);
11622 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
11623 COUNT_BYTES_TRANS(4);
11624
11625 /* file name */
11626 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, &bc);
11627 CHECK_STRING_TRANS(fn);
11628 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11629 fn);
11630 COUNT_BYTES_TRANS(fn_len);
11631
11632 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
11633 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11634
11635 break;
11636 case 0x0007: { /*TRANS2_QUERY_FILE_INFORMATION*/
11637 uint16_t fid;
11638
11639 /* fid */
11640 CHECK_BYTE_COUNT_TRANS(2);
11641 fid = tvb_get_letohs(tvb, offset);
11642 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
11643 COUNT_BYTES_TRANS(2);
11644
11645 /* level of interest */
11646 CHECK_BYTE_COUNT_TRANS(2);
11647 si->info_level = tvb_get_letohs(tvb, offset);
11648 if ((t2i != NULL) && !pinfo->fd->visited)
11649 t2i->info_level = si->info_level;
11650 proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, offset, 2, si->info_level);
11651 COUNT_BYTES_TRANS(2);
11652
11653 col_append_fstr(
11654 pinfo->cinfo, COL_INFO, ", %s",
11655 val_to_str_ext(si->info_level, &qpi_loi_vals_ext,
11656 "Unknown (%u)"));
11657
11658 break;
11659 }
11660 case 0x0008: { /*TRANS2_SET_FILE_INFORMATION*/
11661 uint16_t fid;
11662
11663 /* fid */
11664 CHECK_BYTE_COUNT_TRANS(2);
11665 fid = tvb_get_letohs(tvb, offset);
11666 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
11667 COUNT_BYTES_TRANS(2);
11668
11669 /* level of interest */
11670 CHECK_BYTE_COUNT_TRANS(2);
11671 si->info_level = tvb_get_letohs(tvb, offset);
11672 if ((t2i != NULL) && !pinfo->fd->visited)
11673 t2i->info_level = si->info_level;
11674 proto_tree_add_uint(tree, hf_smb_spi_loi, tvb, offset, 2, si->info_level);
11675 COUNT_BYTES_TRANS(2);
11676
11677 #if 0
11678 /*
11679 * XXX - "Microsoft Networks SMB File Sharing Protocol
11680 * Extensions Version 3.0, Document Version 1.11,
11681 * July 19, 1990" says this is I/O flags, but it's
11682 * reserved in the SNIA spec, and some clients appear
11683 * to leave junk in it.
11684 *
11685 * Is this some field used only if a particular
11686 * dialect was negotiated, so that clients can feel
11687 * safe not setting it if they haven't negotiated that
11688 * dialect? Or do the (non-OS/2) clients simply not care
11689 * about that particular OS/2-oriented dialect?
11690 */
11691
11692 /* IO Flag */
11693 CHECK_BYTE_COUNT_TRANS(2);
11694 offset = dissect_sfi_ioflag(tvb, tree, offset);
11695 bc -= 2;
11696 #else
11697 /* 2 reserved bytes */
11698 CHECK_BYTE_COUNT_TRANS(2);
11699 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
11700 COUNT_BYTES_TRANS(2);
11701 #endif
11702
11703 break;
11704 }
11705 case 0x0009: /*TRANS2_FSCTL*/
11706 /* this call has no parameter block in the request */
11707
11708 /*
11709 * XXX - "Microsoft Networks SMB File Sharing Protocol
11710 * Extensions Version 3.0, Document Version 1.11,
11711 * July 19, 1990" says this contains a
11712 * "File system specific parameter block". (That means
11713 * we may not be able to dissect it in any case.)
11714 */
11715 break;
11716 case 0x000a: /*TRANS2_IOCTL2*/
11717 /* this call has no parameter block in the request */
11718
11719 /*
11720 * XXX - "Microsoft Networks SMB File Sharing Protocol
11721 * Extensions Version 3.0, Document Version 1.11,
11722 * July 19, 1990" says this contains a
11723 * "Device/function specific parameter block". (That
11724 * means we may not be able to dissect it in any case.)
11725 */
11726 break;
11727 case 0x000b: /*TRANS2_FIND_NOTIFY_FIRST*/
11728 /* Search Attributes */
11729 CHECK_BYTE_COUNT_TRANS(2);
11730 offset = dissect_search_attributes(tvb, tree, offset);
11731 bc -= 2;
11732
11733 /* Number of changes to wait for */
11734 CHECK_BYTE_COUNT_TRANS(2);
11735 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11736 COUNT_BYTES_TRANS(2);
11737
11738 /* Find Notify information level */
11739 CHECK_BYTE_COUNT_TRANS(2);
11740 si->info_level = tvb_get_letohs(tvb, offset);
11741 if ((t2i != NULL) && !pinfo->fd->visited)
11742 t2i->info_level = si->info_level;
11743 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, offset, 2, si->info_level);
11744 COUNT_BYTES_TRANS(2);
11745
11746 /* 4 reserved bytes */
11747 CHECK_BYTE_COUNT_TRANS(4);
11748 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
11749 COUNT_BYTES_TRANS(4);
11750
11751 /* file name */
11752 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, &bc);
11753 CHECK_STRING_TRANS(fn);
11754 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11755 fn);
11756 COUNT_BYTES_TRANS(fn_len);
11757
11758 col_append_fstr(pinfo->cinfo, COL_INFO, ", Path: %s",
11759 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11760
11761 break;
11762 case 0x000c: /*TRANS2_FIND_NOTIFY_NEXT*/
11763 /* Monitor handle */
11764 CHECK_BYTE_COUNT_TRANS(2);
11765 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11766 COUNT_BYTES_TRANS(2);
11767
11768 /* Number of changes to wait for */
11769 CHECK_BYTE_COUNT_TRANS(2);
11770 proto_tree_add_item(tree, hf_smb_change_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11771 COUNT_BYTES_TRANS(2);
11772
11773 break;
11774 case 0x000d: /*TRANS2_CREATE_DIRECTORY*/
11775 /* 4 reserved bytes */
11776 CHECK_BYTE_COUNT_TRANS(4);
11777 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
11778 COUNT_BYTES_TRANS(4);
11779
11780 /* dir name */
11781 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len,
11782 false, false, &bc);
11783 CHECK_STRING_TRANS(fn);
11784 proto_tree_add_string(tree, hf_smb_dir_name, tvb, offset, fn_len,
11785 fn);
11786 COUNT_BYTES_TRANS(fn_len);
11787
11788 col_append_fstr(pinfo->cinfo, COL_INFO, ", Dir: %s",
11789 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11790 break;
11791 case 0x000e: /*TRANS2_SESSION_SETUP*/
11792 /* XXX unknown structure*/
11793 break;
11794 case 0x0010: /*TRANS2_GET_DFS_REFERRAL*/
11795 offset = dissect_get_dfs_request_data(tvb, pinfo, tree, offset, &bc, si->unicode);
11796 break;
11797 case 0x0011: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
11798 /* file name */
11799 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, &bc);
11800 CHECK_STRING_TRANS(fn);
11801 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
11802 fn);
11803 COUNT_BYTES_TRANS(fn_len);
11804
11805 col_append_fstr(pinfo->cinfo, COL_INFO, ", File: %s",
11806 format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
11807 break;
11808 }
11809
11810 /* ooops there were data we didn't know how to process */
11811 if (bc != 0) {
11812 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, bc, ENC_NA);
11813 offset += bc;
11814 }
11815
11816 return offset;
11817 }
11818
11819 /*
11820 * XXX - just use "dissect_connect_flags()" here?
11821 */
11822 static uint16_t
11823 dissect_transaction_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
11824 {
11825 uint16_t mask;
11826 static int * const flags[] = {
11827 &hf_smb_transaction_flags_owt,
11828 &hf_smb_transaction_flags_dtid,
11829 NULL
11830 };
11831
11832 mask = tvb_get_letohs(tvb, offset);
11833 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_transaction_flags, ett_smb_transaction_flags, flags, ENC_LITTLE_ENDIAN);
11834
11835 return mask;
11836 }
11837
11838
11839 static int
11840 dissect_get_dfs_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
11841 {
11842 static int * const flags[] = {
11843 &hf_smb_get_dfs_server_hold_storage,
11844 &hf_smb_get_dfs_fielding,
11845 NULL
11846 };
11847
11848 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_get_dfs_flags, ett_smb_get_dfs_flags, flags, ENC_LITTLE_ENDIAN);
11849
11850 offset += 2;
11851 return offset;
11852 }
11853
11854 static int
11855 dissect_dfs_referral_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
11856 {
11857 static int * const flags[] = {
11858 &hf_smb_dfs_referral_flags_name_list_referral,
11859 &hf_smb_dfs_referral_flags_target_set_boundary,
11860 NULL
11861 };
11862
11863 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_dfs_referral_flags, ett_smb_dfs_referral_flags, flags, ENC_LITTLE_ENDIAN);
11864 offset += 2;
11865
11866 return offset;
11867 }
11868
11869
11870 /* dfs inconsistency data (4.4.2)
11871 */
11872 static int
11873 dissect_dfs_inconsistency_data(tvbuff_t *tvb, packet_info *pinfo,
11874 proto_tree *tree, int offset, uint16_t *bcp, smb_info_t *si)
11875 {
11876 int fn_len;
11877 const char *fn;
11878
11879 DISSECTOR_ASSERT(si);
11880
11881 /*XXX should this data hold version and size? unclear from doc*/
11882 /* referral version */
11883 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11884 proto_tree_add_item(tree, hf_smb_dfs_referral_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11885 COUNT_BYTES_TRANS_SUBR(2);
11886
11887 /* referral size */
11888 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11889 proto_tree_add_item(tree, hf_smb_dfs_referral_size, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11890 COUNT_BYTES_TRANS_SUBR(2);
11891
11892 /* referral server type */
11893 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11894 proto_tree_add_item(tree, hf_smb_dfs_referral_server_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11895 COUNT_BYTES_TRANS_SUBR(2);
11896
11897 /* referral flags */
11898 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11899 offset = dissect_dfs_referral_flags(tvb, tree, offset);
11900 *bcp -= 2;
11901
11902 /* node name */
11903 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, bcp);
11904 CHECK_STRING_TRANS_SUBR(fn);
11905 proto_tree_add_string(tree, hf_smb_dfs_referral_node, tvb, offset, fn_len,
11906 fn);
11907 COUNT_BYTES_TRANS_SUBR(fn_len);
11908
11909 return offset;
11910 }
11911
11912 static int
11913 dissect_dfs_referral_strings(tvbuff_t *tvb, proto_tree *tree, int hfindex,
11914 int nstring, int stroffset, int oldoffset, int offset,
11915 uint16_t bc, bool unicode, int *end)
11916 {
11917 int istring;
11918 const char *str;
11919 int str_len; /* string length including the terminating NULL. */
11920
11921 if (stroffset <= oldoffset)
11922 return oldoffset;
11923
11924 bc -= (stroffset - offset);
11925 for (istring = 0; istring < nstring; istring++) {
11926 if ((int16_t)bc > 0) {
11927 str = get_unicode_or_ascii_string(wmem_packet_scope(), tvb, &stroffset, unicode, &str_len, false, false, &bc);
11928 CHECK_STRING_TRANS_SUBR(str);
11929 proto_tree_add_string(tree, hfindex, tvb, stroffset, str_len, str);
11930 stroffset += str_len;
11931 bc -= str_len;
11932 if (end && (*end < stroffset))
11933 *end = stroffset;
11934 }
11935 }
11936
11937 return offset;
11938 }
11939
11940
11941 static int
11942 dissect_dfs_referral_string(tvbuff_t *tvb, proto_tree *tree, int hfindex,
11943 int stroffset, int oldoffset, int offset,
11944 uint16_t bc, bool unicode, int *end)
11945 {
11946 return dissect_dfs_referral_strings(tvb, tree, hfindex,
11947 1, stroffset, oldoffset, offset,
11948 bc, unicode, end);
11949 }
11950
11951 static int
11952 dissect_dfs_referral_entry_v2(tvbuff_t *tvb, proto_tree *tree, int oldoffset, int offset,
11953 uint16_t refflags _U_, uint16_t *bcp, bool unicode, int *ucstring_end)
11954 {
11955
11956 uint16_t pathoffset;
11957 uint16_t altpathoffset;
11958 uint16_t nodeoffset;
11959
11960 /* proximity */
11961 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11962 proto_tree_add_item(tree, hf_smb_dfs_referral_proximity, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11963 COUNT_BYTES_TRANS_SUBR(4);
11964
11965 /* ttl */
11966 CHECK_BYTE_COUNT_TRANS_SUBR(4);
11967 proto_tree_add_item(tree, hf_smb_dfs_referral_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11968 COUNT_BYTES_TRANS_SUBR(4);
11969
11970 /* path offset */
11971 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11972 pathoffset = tvb_get_letohs(tvb, offset);
11973 proto_tree_add_uint(tree, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
11974 COUNT_BYTES_TRANS_SUBR(2);
11975
11976 /* alt path offset */
11977 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11978 altpathoffset = tvb_get_letohs(tvb, offset);
11979 proto_tree_add_uint(tree, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
11980 COUNT_BYTES_TRANS_SUBR(2);
11981
11982 /* node offset */
11983 CHECK_BYTE_COUNT_TRANS_SUBR(2);
11984 nodeoffset = tvb_get_letohs(tvb, offset);
11985 proto_tree_add_uint(tree, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
11986 COUNT_BYTES_TRANS_SUBR(2);
11987
11988 /* path */
11989 if (pathoffset) {
11990 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_path,
11991 pathoffset+oldoffset, oldoffset, offset,
11992 *bcp, unicode, ucstring_end);
11993 }
11994
11995 /* alt path */
11996 if (altpathoffset) {
11997 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_alt_path,
11998 altpathoffset+oldoffset, oldoffset, offset,
11999 *bcp, unicode, ucstring_end);
12000 }
12001
12002 /* node */
12003 if (nodeoffset) {
12004 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_node,
12005 nodeoffset+oldoffset, oldoffset, offset,
12006 *bcp, unicode, ucstring_end);
12007 }
12008
12009 return offset;
12010
12011 }
12012
12013
12014 static int
12015 dissect_dfs_referral_entry_v3(tvbuff_t *tvb, proto_tree *tree, int oldoffset, int offset,
12016 uint16_t refflags, uint16_t *bcp, bool unicode, int *ucstring_end)
12017 {
12018 uint16_t domoffset;
12019 uint16_t nexpnames;
12020 uint16_t expoffset;
12021 uint16_t pathoffset;
12022 uint16_t altpathoffset;
12023 uint16_t nodeoffset;
12024
12025 /* ttl */
12026 CHECK_BYTE_COUNT_TRANS_SUBR(4);
12027 proto_tree_add_item(tree, hf_smb_dfs_referral_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12028 COUNT_BYTES_TRANS_SUBR(4);
12029
12030 if (refflags & REFENT_FLAGS_NAME_LIST_REFERRAL) {
12031 /* domain name offset */
12032 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12033 domoffset = tvb_get_letohs(tvb, offset);
12034 proto_tree_add_uint(tree, hf_smb_dfs_referral_domain_offset, tvb, offset, 2, domoffset);
12035 COUNT_BYTES_TRANS_SUBR(2);
12036
12037 /* number of expanded names*/
12038 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12039 nexpnames = tvb_get_letohs(tvb, offset);
12040 proto_tree_add_uint(tree, hf_smb_dfs_referral_number_of_expnames, tvb, offset, 2, nexpnames);
12041 COUNT_BYTES_TRANS_SUBR(2);
12042
12043 /* expanded names offset */
12044 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12045 expoffset = tvb_get_letohs(tvb, offset);
12046 proto_tree_add_uint(tree, hf_smb_dfs_referral_expnames_offset, tvb, offset, 2, expoffset);
12047 COUNT_BYTES_TRANS_SUBR(2);
12048
12049 /* padding: zero or 16 bytes, which should be ignored by clients.
12050 * we ignore them too.
12051 */
12052
12053 /* domain name */
12054 if (domoffset) {
12055 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_domain_name,
12056 domoffset+oldoffset, oldoffset, offset,
12057 *bcp, unicode, ucstring_end);
12058 }
12059 /* expanded names */
12060 if (expoffset) {
12061 proto_tree *exptree;
12062
12063 exptree = proto_tree_add_subtree(tree, tvb, offset, *bcp, ett_smb_dfs_referral_expnames, NULL, "Expanded Names");
12064
12065 dissect_dfs_referral_strings(tvb, exptree, hf_smb_dfs_referral_expname,
12066 nexpnames, expoffset+oldoffset, oldoffset, offset,
12067 *bcp, unicode, ucstring_end);
12068 }
12069 } else {
12070 /* path offset */
12071 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12072 pathoffset = tvb_get_letohs(tvb, offset);
12073 proto_tree_add_uint(tree, hf_smb_dfs_referral_path_offset, tvb, offset, 2, pathoffset);
12074 COUNT_BYTES_TRANS_SUBR(2);
12075
12076 /* alt path offset */
12077 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12078 altpathoffset = tvb_get_letohs(tvb, offset);
12079 proto_tree_add_uint(tree, hf_smb_dfs_referral_alt_path_offset, tvb, offset, 2, altpathoffset);
12080 COUNT_BYTES_TRANS_SUBR(2);
12081
12082 /* node offset */
12083 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12084 nodeoffset = tvb_get_letohs(tvb, offset);
12085 proto_tree_add_uint(tree, hf_smb_dfs_referral_node_offset, tvb, offset, 2, nodeoffset);
12086 COUNT_BYTES_TRANS_SUBR(2);
12087
12088 /* service site guid */
12089 CHECK_BYTE_COUNT_TRANS_SUBR(16);
12090 proto_tree_add_item(tree, hf_smb_dfs_referral_server_guid, tvb, offset, 16, ENC_NA);
12091 COUNT_BYTES_TRANS_SUBR(16);
12092
12093 /* path */
12094 if (pathoffset) {
12095 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_path,
12096 pathoffset+oldoffset, oldoffset, offset,
12097 *bcp, unicode, ucstring_end);
12098 }
12099
12100 /* alt path */
12101 if (altpathoffset) {
12102 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_alt_path,
12103 altpathoffset+oldoffset, oldoffset, offset,
12104 *bcp, unicode, ucstring_end);
12105 }
12106
12107 /* node */
12108 if (nodeoffset) {
12109 dissect_dfs_referral_string(tvb, tree, hf_smb_dfs_referral_node,
12110 nodeoffset+oldoffset, oldoffset, offset,
12111 *bcp, unicode, ucstring_end);
12112 }
12113 }
12114
12115 return offset;
12116
12117 }
12118
12119 /* get dfs referral data (4.4.1)
12120 */
12121 int
12122 dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo,
12123 proto_tree *tree, int offset, uint16_t *bcp, bool unicode)
12124 {
12125 uint16_t numref;
12126 uint16_t refsize;
12127 uint16_t refflags;
12128 int fn_len;
12129 const char *fn;
12130 int unklen;
12131 int ucstring_end;
12132 int ucstring_len;
12133
12134 /* path consumed */
12135 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12136 proto_tree_add_item(tree, hf_smb_dfs_path_consumed, tvb, offset, 2, ENC_LITTLE_ENDIAN);
12137 COUNT_BYTES_TRANS_SUBR(2);
12138
12139 /* num referrals */
12140 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12141 numref = tvb_get_letohs(tvb, offset);
12142 proto_tree_add_uint(tree, hf_smb_dfs_num_referrals, tvb, offset, 2, numref);
12143 COUNT_BYTES_TRANS_SUBR(2);
12144
12145 /* get dfs flags */
12146 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12147 offset = dissect_get_dfs_flags(tvb, tree, offset);
12148 *bcp -= 2;
12149
12150 /* XXX - in at least one capture there appears to be 2 bytes
12151 of stuff after the Dfs flags, perhaps so that the header
12152 in front of the referral list is a multiple of 4 bytes long. */
12153 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12154 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 2, ENC_NA);
12155 COUNT_BYTES_TRANS_SUBR(2);
12156
12157 /* if there are any referrals */
12158 if (numref) {
12159 proto_item *ref_item;
12160 proto_tree *ref_tree;
12161 int old_offset = offset;
12162
12163 ref_tree = proto_tree_add_subtree(tree,
12164 tvb, offset, *bcp, ett_smb_dfs_referrals, &ref_item, "Referrals");
12165 ucstring_end = -1;
12166
12167 while (numref--) {
12168 proto_item *ri;
12169 proto_tree *rt;
12170 int old_offset_2 = offset;
12171 uint16_t version;
12172
12173 rt = proto_tree_add_subtree(ref_tree,
12174 tvb, offset, *bcp, ett_smb_dfs_referral, &ri, "Referral");
12175
12176 /* referral version */
12177 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12178 version = tvb_get_letohs(tvb, offset);
12179 proto_tree_add_uint(rt, hf_smb_dfs_referral_version,
12180 tvb, offset, 2, version);
12181 COUNT_BYTES_TRANS_SUBR(2);
12182
12183 /* referral size */
12184 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12185 refsize = tvb_get_letohs(tvb, offset);
12186 proto_tree_add_uint(rt, hf_smb_dfs_referral_size, tvb, offset, 2, refsize);
12187 COUNT_BYTES_TRANS_SUBR(2);
12188
12189 /* referral server type */
12190 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12191 proto_tree_add_item(rt, hf_smb_dfs_referral_server_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
12192 COUNT_BYTES_TRANS_SUBR(2);
12193
12194 /* referral flags */
12195 CHECK_BYTE_COUNT_TRANS_SUBR(2);
12196 refflags = tvb_get_letohs(tvb, offset);
12197 offset = dissect_dfs_referral_flags(tvb, rt, offset);
12198 *bcp -= 2;
12199
12200 switch(version) {
12201
12202 case 1:
12203 /* node name */
12204 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, unicode, &fn_len, false, false, bcp);
12205 CHECK_STRING_TRANS_SUBR(fn);
12206 proto_tree_add_string(rt, hf_smb_dfs_referral_node, tvb, offset, fn_len,
12207 fn);
12208 COUNT_BYTES_TRANS_SUBR(fn_len);
12209 break;
12210
12211 case 2:
12212 offset = dissect_dfs_referral_entry_v2(tvb, rt, old_offset_2, offset,
12213 refflags, bcp, unicode, &ucstring_end);
12214 break;
12215 case 3:
12216 offset = dissect_dfs_referral_entry_v3(tvb, rt, old_offset_2, offset,
12217 refflags, bcp, unicode, &ucstring_end);
12218 break;
12219 case 4:
12220 /* V4 is extactly same as V3, except the version number and
12221 * one more ReferralEntryFlags */
12222 offset = dissect_dfs_referral_entry_v3(tvb, rt, old_offset_2, offset,
12223 refflags, bcp, unicode, &ucstring_end);
12224 break;
12225 }
12226
12227 /*
12228 * Show anything beyond the length of the referral
12229 * as unknown data.
12230 */
12231 unklen = (old_offset_2 + refsize) - offset;
12232 if (unklen < 0) {
12233 /*
12234 * XXX - the length is bogus.
12235 */
12236 unklen = 0;
12237 }
12238 if (unklen != 0) {
12239 CHECK_BYTE_COUNT_TRANS_SUBR(unklen);
12240 proto_tree_add_item(rt, hf_smb_unknown, tvb,
12241 offset, unklen, ENC_NA);
12242 COUNT_BYTES_TRANS_SUBR(unklen);
12243 }
12244
12245 proto_item_set_len(ri, offset-old_offset_2);
12246 }
12247
12248 /*
12249 * Treat the offset past the end of the last Unicode
12250 * string after the referrals (if any) as the last
12251 * offset.
12252 */
12253 if (ucstring_end > offset) {
12254 ucstring_len = ucstring_end - offset;
12255 if (*bcp < ucstring_len)
12256 ucstring_len = *bcp;
12257 offset += ucstring_len;
12258 *bcp -= ucstring_len;
12259 }
12260 proto_item_set_len(ref_item, offset-old_offset);
12261 }
12262
12263 return offset;
12264 }
12265
12266 /* This dissects the standard four 8-byte Windows timestamps ...
12267 */
12268 static int
12269 dissect_smb_standard_8byte_timestamps(tvbuff_t *tvb,
12270 packet_info *pinfo _U_, proto_tree *tree,
12271 int offset, uint16_t *bcp, bool *trunc)
12272 {
12273 /* create time */
12274 CHECK_BYTE_COUNT_SUBR(8);
12275 dissect_nttime(tvb, tree, offset, hf_smb_create_time, ENC_LITTLE_ENDIAN);
12276 COUNT_BYTES_SUBR(8);
12277
12278 /* access time */
12279 CHECK_BYTE_COUNT_SUBR(8);
12280 dissect_nttime(tvb, tree, offset, hf_smb_access_time, ENC_LITTLE_ENDIAN);
12281 COUNT_BYTES_SUBR(8);
12282
12283 /* last write time */
12284 CHECK_BYTE_COUNT_SUBR(8);
12285 dissect_nttime(tvb, tree, offset,
12286 hf_smb_last_write_time, ENC_LITTLE_ENDIAN);
12287 COUNT_BYTES_SUBR(8);
12288
12289 /* last change time */
12290 CHECK_BYTE_COUNT_SUBR(8);
12291 dissect_nttime(tvb, tree, offset, hf_smb_change_time, ENC_LITTLE_ENDIAN);
12292 COUNT_BYTES_SUBR(8);
12293
12294 *trunc = false;
12295 return offset;
12296 }
12297
12298 /* this dissects the SMB_INFO_STANDARD
12299 as described in 4.2.16.1 of the CIFS 1.0 specification
12300 or as described in 2.2.8.3.1 of the MS-CIFS specification for query
12301 section 2.2.8.4.1 of the MS-CIFS specification describes it for set;
12302 it says that everything past the last write time is "reserved",
12303 presumably meaning that you can fetch it but not set it
12304 for now we just use it for both query and set
12305 */
12306 static int
12307 dissect_qsfi_SMB_INFO_STANDARD(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12308 int offset, uint16_t *bcp, bool *trunc)
12309 {
12310 /* create time */
12311 CHECK_BYTE_COUNT_SUBR(4);
12312 offset = dissect_smb_datetime(tvb, tree, offset,
12313 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
12314 false);
12315 *bcp -= 4;
12316
12317 /* access time */
12318 CHECK_BYTE_COUNT_SUBR(4);
12319 offset = dissect_smb_datetime(tvb, tree, offset,
12320 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
12321 false);
12322 *bcp -= 4;
12323
12324 /* last write time */
12325 CHECK_BYTE_COUNT_SUBR(4);
12326 offset = dissect_smb_datetime(tvb, tree, offset,
12327 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
12328 false);
12329 *bcp -= 4;
12330
12331 /* data size */
12332 CHECK_BYTE_COUNT_SUBR(4);
12333 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12334 COUNT_BYTES_SUBR(4);
12335
12336 /* allocation size */
12337 CHECK_BYTE_COUNT_SUBR(4);
12338 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12339 COUNT_BYTES_SUBR(4);
12340
12341 /* File Attributes */
12342 CHECK_BYTE_COUNT_SUBR(2);
12343 offset = dissect_file_attributes(tvb, tree, offset);
12344 *bcp -= 2;
12345
12346 /*
12347 * The MS-CIFS spec says this doesn't have an EA length field;
12348 * the SNIA CIFS spec says it does, as does the 1996
12349 * "Microsoft Networks SMB FILE SHARING PROTOCOL Document
12350 * Version 6.0p" document.
12351 *
12352 * Some older SMB documents point to the documentation
12353 * for the OS/2 DosQFileInfo() API; the page at
12354 *
12355 * http://cyberkinetica.homeunix.net/os2tk45/prcp/111_L2_DosQFileInfo.html
12356 *
12357 * says that, for level 1 (SMB_INFO_STANDARD), there is no EA
12358 * length - that's just for level 2 (SMB_INFO_QUERY_EA_SIZE).
12359 *
12360 * I've seen captures with it and without it; given the mixed
12361 * messages sent by different documents, this is not surprising.
12362 *
12363 * We display it if it's there; we don't set *trunc if it's
12364 * not.
12365 *
12366 * Note: in FIND_FIRST2/FIND_NEXT2, the EA length is *not*
12367 * present.
12368 */
12369 if (*bcp != 0) {
12370 CHECK_BYTE_COUNT_SUBR(4);
12371 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset,
12372 4, ENC_LITTLE_ENDIAN);
12373 COUNT_BYTES_SUBR(4);
12374 }
12375
12376 *trunc = false;
12377 return offset;
12378 }
12379
12380 /* this dissects the SMB_INFO_QUERY_EA_SIZE
12381 as described in 4.2.16.1 of the CIFS 1.0 specification
12382 and as described in 2.2.8.3.2 of the MS-CIFS specification
12383 */
12384 static int
12385 dissect_qfi_SMB_INFO_QUERY_EA_SIZE(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12386 int offset, uint16_t *bcp, bool *trunc)
12387 {
12388 /* create time */
12389 CHECK_BYTE_COUNT_SUBR(4);
12390 offset = dissect_smb_datetime(tvb, tree, offset,
12391 hf_smb_create_time, hf_smb_create_dos_date, hf_smb_create_dos_time,
12392 false);
12393 *bcp -= 4;
12394
12395 /* access time */
12396 CHECK_BYTE_COUNT_SUBR(4);
12397 offset = dissect_smb_datetime(tvb, tree, offset,
12398 hf_smb_access_time, hf_smb_access_dos_date, hf_smb_access_dos_time,
12399 false);
12400 *bcp -= 4;
12401
12402 /* last write time */
12403 CHECK_BYTE_COUNT_SUBR(4);
12404 offset = dissect_smb_datetime(tvb, tree, offset,
12405 hf_smb_last_write_time, hf_smb_last_write_dos_date, hf_smb_last_write_dos_time,
12406 false);
12407 *bcp -= 4;
12408
12409 /* data size */
12410 CHECK_BYTE_COUNT_SUBR(4);
12411 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12412 COUNT_BYTES_SUBR(4);
12413
12414 /* allocation size */
12415 CHECK_BYTE_COUNT_SUBR(4);
12416 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12417 COUNT_BYTES_SUBR(4);
12418
12419 /* File Attributes */
12420 CHECK_BYTE_COUNT_SUBR(2);
12421 offset = dissect_file_attributes(tvb, tree, offset);
12422 *bcp -= 2;
12423
12424 /* ea length */
12425 CHECK_BYTE_COUNT_SUBR(4);
12426 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12427 COUNT_BYTES_SUBR(4);
12428
12429 *trunc = false;
12430 return offset;
12431 }
12432
12433 /* this dissects the SMB_INFO_QUERY_EAS_FROM_LIST, SMB_INFO_QUERY_ALL_EAS,
12434 * and TRANS2_SET_FILE_INFORMATION as described in 4.2.16.2 and
12435 * [MS-CIFS] 2.2.6.9. This the "EA (Extended Attribute) subtree.
12436 */
12437 static int
12438 dissect_4_2_16_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
12439 int offset, uint16_t *bcp, bool *trunc)
12440 {
12441 uint8_t name_len;
12442 uint32_t data_len;
12443 /* EA size */
12444
12445 CHECK_BYTE_COUNT_SUBR(4);
12446 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12447 COUNT_BYTES_SUBR(4);
12448
12449 while (*bcp > 0) {
12450 proto_item *item;
12451 proto_tree *subtree;
12452 char *display_string;
12453 int start_offset = offset;
12454
12455 subtree = proto_tree_add_subtree(
12456 tree, tvb, offset, 0, ett_smb_ea, &item, "Extended Attribute");
12457
12458 /* EA flags */
12459
12460 CHECK_BYTE_COUNT_SUBR(1);
12461 proto_tree_add_item(
12462 subtree, hf_smb_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12463 COUNT_BYTES_SUBR(1);
12464
12465 /* EA name length */
12466
12467 name_len = tvb_get_uint8(tvb, offset);
12468
12469 CHECK_BYTE_COUNT_SUBR(1);
12470 proto_tree_add_item(
12471 subtree, hf_smb_ea_name_length, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12472 COUNT_BYTES_SUBR(1);
12473
12474 /* EA data length */
12475
12476 data_len = tvb_get_letohs(tvb, offset);
12477
12478 CHECK_BYTE_COUNT_SUBR(2);
12479 proto_tree_add_item(
12480 subtree, hf_smb_ea_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
12481 COUNT_BYTES_SUBR(2);
12482
12483 /* EA name */
12484
12485 CHECK_BYTE_COUNT_SUBR(name_len + 1);
12486 proto_tree_add_item_ret_display_string(
12487 subtree, hf_smb_ea_name, tvb, offset, name_len + 1,
12488 ENC_ASCII|ENC_NA,
12489 pinfo->pool, &display_string);
12490 proto_item_append_text(item, ": %s", display_string);
12491 COUNT_BYTES_SUBR(name_len + 1);
12492
12493 /* EA data */
12494
12495 /* If the data length is greater than the buffer size then SECONDARY requests will follow.
12496 * This often occurs with LOI "Info Set EAs". */
12497 if (data_len > *bcp)
12498 break;
12499
12500 proto_tree_add_item(
12501 subtree, hf_smb_ea_data, tvb, offset, data_len, ENC_NA);
12502
12503 COUNT_BYTES_SUBR(data_len);
12504 proto_item_set_len(item, offset - start_offset);
12505 }
12506
12507 *trunc = false;
12508 return offset;
12509 }
12510
12511 /* this dissects the SMB_INFO_IS_NAME_VALID
12512 as described in 4.2.16.3
12513 */
12514 static int
12515 dissect_4_2_16_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
12516 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
12517 {
12518 int fn_len;
12519 const char *fn;
12520
12521 DISSECTOR_ASSERT(si);
12522
12523 /* file name */
12524 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, false, bcp);
12525 CHECK_STRING_SUBR(fn);
12526 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12527 fn);
12528 COUNT_BYTES_SUBR(fn_len);
12529
12530 *trunc = false;
12531 return offset;
12532 }
12533
12534 /* this dissects the SMB_QUERY_FILE_BASIC_INFO
12535 as described in 4.2.16.4
12536 */
12537 static int
12538 dissect_4_2_16_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
12539 int offset, uint16_t *bcp, bool *trunc)
12540 {
12541
12542 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
12543 if (*trunc) {
12544 return offset;
12545 }
12546
12547 /* File Attributes */
12548 CHECK_BYTE_COUNT_SUBR(4);
12549 offset = dissect_file_ext_attr(tvb, tree, offset);
12550 *bcp -= 4;
12551
12552 *trunc = false;
12553 return offset;
12554 }
12555
12556 /* this dissects the SMB_QUERY_FILE_STANDARD_INFO
12557 as described in 4.2.16.5 of the SNIA CIFS spec
12558 and section 2.2.8.3.7 of the MS-CIFS spec
12559 */
12560 int
12561 dissect_qfi_SMB_FILE_STANDARD_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12562 int offset, uint16_t *bcp, bool *trunc)
12563 {
12564 /* allocation size */
12565 CHECK_BYTE_COUNT_SUBR(8);
12566 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12567 COUNT_BYTES_SUBR(8);
12568
12569 /* end of file */
12570 CHECK_BYTE_COUNT_SUBR(8);
12571 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12572 COUNT_BYTES_SUBR(8);
12573
12574 /* number of links */
12575 CHECK_BYTE_COUNT_SUBR(4);
12576 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12577 COUNT_BYTES_SUBR(4);
12578
12579 /* delete pending */
12580 CHECK_BYTE_COUNT_SUBR(1);
12581 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12582 COUNT_BYTES_SUBR(1);
12583
12584 /* is directory */
12585 CHECK_BYTE_COUNT_SUBR(1);
12586 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12587 COUNT_BYTES_SUBR(1);
12588
12589 *trunc = false;
12590 return offset;
12591 }
12592
12593 /* this dissects the SMB_QUERY_FILE_INTERNAL_INFO
12594 */
12595 int
12596 dissect_qfi_SMB_FILE_INTERNAL_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12597 int offset, uint16_t *bcp, bool *trunc)
12598 {
12599 /* file id */
12600 CHECK_BYTE_COUNT_SUBR(8);
12601 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12602 COUNT_BYTES_SUBR(8);
12603
12604 *trunc = false;
12605 return offset;
12606 }
12607
12608 /* this dissects the SMB_QUERY_FILE_POSITION_INFO
12609 */
12610 int
12611 dissect_qsfi_SMB_FILE_POSITION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12612 int offset, uint16_t *bcp, bool *trunc)
12613 {
12614 /* file position */
12615 CHECK_BYTE_COUNT_SUBR(8);
12616 proto_tree_add_item(tree, hf_smb_position, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12617 COUNT_BYTES_SUBR(8);
12618
12619 *trunc = false;
12620 return offset;
12621 }
12622
12623 /* this dissects the SMB_QUERY_FILE_MODE_INFO
12624 */
12625 int
12626 dissect_qsfi_SMB_FILE_MODE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12627 int offset, uint16_t *bcp, bool *trunc)
12628 {
12629 /* mode */
12630 CHECK_BYTE_COUNT_SUBR(4);
12631 proto_tree_add_item(tree, hf_smb_mode, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12632 COUNT_BYTES_SUBR(4);
12633
12634 *trunc = false;
12635 return offset;
12636 }
12637
12638 /* this dissects the SMB_QUERY_FILE_ALIGNMENT_INFO
12639 */
12640 int
12641 dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12642 int offset, uint16_t *bcp, bool *trunc)
12643 {
12644 /* alignment */
12645 CHECK_BYTE_COUNT_SUBR(4);
12646 proto_tree_add_item(tree, hf_smb_t2_alignment, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12647 COUNT_BYTES_SUBR(4);
12648
12649 *trunc = false;
12650 return offset;
12651 }
12652
12653 /* this dissects the SMB_QUERY_FILE_EA_INFO
12654 as described in 4.2.16.6 of the SNIA CIFS spec
12655 and 2.2.8.3.8 of the MS-CIFS spec
12656 */
12657 int
12658 dissect_qfi_SMB_FILE_EA_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12659 int offset, uint16_t *bcp, bool *trunc)
12660 {
12661 /* ea length */
12662 CHECK_BYTE_COUNT_SUBR(4);
12663 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12664 COUNT_BYTES_SUBR(4);
12665
12666 *trunc = false;
12667 return offset;
12668 }
12669
12670 /* this dissects the SMB_FILE_ALLOCATION_INFO
12671 as described in 4.2.19.3 in the SNIA CIFS spec
12672 and the SMB_SET_FILE_ALLOCATION_INFO
12673 as described in 2.2.8.4.5 in the MS-CIFS spec for set (MS-CIFS doesn't
12674 say it can be queried)
12675 */
12676 int
12677 dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12678 int offset, uint16_t *bcp, bool *trunc)
12679 {
12680 /* allocation size */
12681 CHECK_BYTE_COUNT_SUBR(8);
12682 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12683 COUNT_BYTES_SUBR(8);
12684
12685 *trunc = false;
12686 return offset;
12687 }
12688
12689 /* this dissects the SMB_FILE_ENDOFFILE_INFO
12690 as described in 4.2.19.4 in the SNIA CIFS spec
12691 and the SMB_SET_FILE_END_OF_FILE_INFO
12692 as described in 2.2.8.4.6 in the MS-CIFS spec for set (MS-CIFS doesn't
12693 say it can be queried)
12694 */
12695 int
12696 dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12697 int offset, uint16_t *bcp, bool *trunc)
12698 {
12699 /* offset of end of file */
12700 CHECK_BYTE_COUNT_SUBR(8);
12701 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12702 COUNT_BYTES_SUBR(8);
12703
12704 *trunc = false;
12705 return offset;
12706 }
12707
12708 /* this dissects the SMB_QUERY_FILE_NAME_INFO
12709 as described in 4.2.16.7 of the SNIA CIFS spec
12710 and in 2.2.8.3.9 of the MS-CIFS spec
12711 this is the same as SMB_QUERY_FILE_ALT_NAME_INFO
12712 as described in 4.2.16.9 of the SNIA CIFS spec
12713 and 2.2.8.3.11 of the MS-CIFS spec
12714 although the latter two are used to fetch the 8.3 name
12715 rather than the long name
12716
12717 https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/4718fc40-e539-4014-8e33-b675af74e3e1
12718
12719 FileNormalizedNameInformation:
12720 https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/20bcadba-808c-4880-b757-4af93e41edf6
12721 */
12722 int
12723 dissect_qfi_SMB_FILE_NAME_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
12724 int offset, uint16_t *bcp, bool *trunc, bool unicode)
12725 {
12726 int fn_len;
12727 const char *fn;
12728
12729 /* file name len */
12730 CHECK_BYTE_COUNT_SUBR(4);
12731 proto_tree_add_item_ret_uint(tree, hf_smb_file_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &fn_len);
12732 COUNT_BYTES_SUBR(4);
12733
12734 /* file name */
12735 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, unicode, &fn_len, true, true, bcp);
12736
12737 CHECK_STRING_SUBR(fn);
12738
12739 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12740 fn);
12741 COUNT_BYTES_SUBR(fn_len);
12742
12743 *trunc = false;
12744 return offset;
12745 }
12746
12747 /* this dissects the SMB_QUERY_FILE_ALL_INFO
12748 as described in 2.2.8.3.8 of the MS-CIFS spec
12749 but not as described in 4.2.16.8 since SNIA spec is wrong
12750 */
12751 static int
12752 dissect_qfi_SMB_FILE_ALL_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
12753 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
12754 {
12755 uint32_t fn_len;
12756 const char *fn;
12757
12758 DISSECTOR_ASSERT(si);
12759
12760 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
12761 if (*trunc) {
12762 return offset;
12763 }
12764
12765 /* File Attributes */
12766 CHECK_BYTE_COUNT_SUBR(4);
12767 offset = dissect_file_ext_attr(tvb, tree, offset);
12768 *bcp -= 4;
12769
12770 /* 4 pad bytes */
12771 offset += 4;
12772 *bcp -= 4;
12773
12774 /* allocation size */
12775 CHECK_BYTE_COUNT_SUBR(8);
12776 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12777 COUNT_BYTES_SUBR(8);
12778
12779 /* end of file */
12780 CHECK_BYTE_COUNT_SUBR(8);
12781 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12782 COUNT_BYTES_SUBR(8);
12783
12784 /* number of links */
12785 CHECK_BYTE_COUNT_SUBR(4);
12786 proto_tree_add_item(tree, hf_smb_number_of_links, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12787 COUNT_BYTES_SUBR(4);
12788
12789 /* delete pending */
12790 CHECK_BYTE_COUNT_SUBR(1);
12791 proto_tree_add_item(tree, hf_smb_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12792 COUNT_BYTES_SUBR(1);
12793
12794 /* is directory */
12795 CHECK_BYTE_COUNT_SUBR(1);
12796 proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12797 COUNT_BYTES_SUBR(1);
12798
12799 /* 2 pad bytes */
12800 offset += 2;
12801 *bcp -= 2;
12802
12803 /* ea length */
12804 CHECK_BYTE_COUNT_SUBR(4);
12805 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
12806 COUNT_BYTES_SUBR(4);
12807
12808 /* file name len */
12809 CHECK_BYTE_COUNT_SUBR(4);
12810 fn_len = (uint32_t)tvb_get_letohl(tvb, offset);
12811 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
12812 COUNT_BYTES_SUBR(4);
12813
12814
12815 /* file name */
12816 CHECK_BYTE_COUNT_SUBR(fn_len);
12817 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, true, true, bcp);
12818 if (fn != NULL) {
12819 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
12820 fn);
12821 COUNT_BYTES_SUBR(fn_len);
12822 }
12823
12824
12825 if (*trunc)
12826 return offset;
12827
12828 return offset;
12829 }
12830
12831 /* this dissects the SMB_QUERY_FILE_STREAM_INFO
12832 as described in 4.2.16.10 of the SNIA CIFS spec
12833 and 2.2.8.3.12 of the MS-CIFS spec
12834 */
12835 int
12836 dissect_qfi_SMB_FILE_STREAM_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
12837 int offset, uint16_t *bcp, bool *trunc, int unicode)
12838 {
12839 proto_item *item;
12840 proto_tree *tree;
12841 int old_offset;
12842 uint32_t neo;
12843 int fn_len;
12844 const char *fn;
12845 int padcnt;
12846
12847
12848 for (;;) {
12849 old_offset = offset;
12850
12851 /* next entry offset */
12852 CHECK_BYTE_COUNT_SUBR(4);
12853 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item, "Stream Info");
12854
12855 neo = tvb_get_letohl(tvb, offset);
12856 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
12857 COUNT_BYTES_SUBR(4);
12858
12859 /* stream name len */
12860 CHECK_BYTE_COUNT_SUBR(4);
12861 fn_len = tvb_get_letohl(tvb, offset);
12862 proto_tree_add_uint(tree, hf_smb_t2_stream_name_length, tvb, offset, 4, fn_len);
12863 COUNT_BYTES_SUBR(4);
12864
12865 /* stream size */
12866 CHECK_BYTE_COUNT_SUBR(8);
12867 proto_tree_add_item(tree, hf_smb_t2_stream_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12868 COUNT_BYTES_SUBR(8);
12869
12870 /* allocation size */
12871 CHECK_BYTE_COUNT_SUBR(8);
12872 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12873 COUNT_BYTES_SUBR(8);
12874
12875 /* stream name */
12876 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, unicode, &fn_len, false, true, bcp);
12877 CHECK_STRING_SUBR(fn);
12878 proto_tree_add_string(tree, hf_smb_t2_stream_name, tvb, offset, fn_len,
12879 fn);
12880 COUNT_BYTES_SUBR(fn_len);
12881
12882 proto_item_append_text(item, ": %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
12883 proto_item_set_len(item, offset-old_offset);
12884
12885 if (neo == 0)
12886 break; /* no more structures */
12887
12888 /* skip to next structure */
12889 padcnt = (old_offset + neo) - offset;
12890 if (padcnt < 0) {
12891 /*
12892 * XXX - this is bogus; flag it?
12893 */
12894 padcnt = 0;
12895 }
12896 if (padcnt != 0) {
12897 CHECK_BYTE_COUNT_SUBR(padcnt);
12898 COUNT_BYTES_SUBR(padcnt);
12899 }
12900 }
12901
12902 *trunc = false;
12903 return offset;
12904 }
12905
12906 /* this dissects the SMB_QUERY_FILE_COMPRESSION_INFO
12907 as described in 4.2.16.11 of the SNIA CIFS spec
12908 and 2.2.8.3.13 of the MS-CIFS spec
12909 */
12910 int
12911 dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12912 int offset, uint16_t *bcp, bool *trunc)
12913 {
12914 /* compressed file size */
12915 CHECK_BYTE_COUNT_SUBR(8);
12916 proto_tree_add_item(tree, hf_smb_t2_compressed_file_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12917 COUNT_BYTES_SUBR(8);
12918
12919 /* compression format */
12920 CHECK_BYTE_COUNT_SUBR(2);
12921 proto_tree_add_item(tree, hf_smb_t2_compressed_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
12922 COUNT_BYTES_SUBR(2);
12923
12924 /* compression unit shift */
12925 CHECK_BYTE_COUNT_SUBR(1);
12926 proto_tree_add_item(tree, hf_smb_t2_compressed_unit_shift, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12927 COUNT_BYTES_SUBR(1);
12928
12929 /* compression chunk shift */
12930 CHECK_BYTE_COUNT_SUBR(1);
12931 proto_tree_add_item(tree, hf_smb_t2_compressed_chunk_shift, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12932 COUNT_BYTES_SUBR(1);
12933
12934 /* compression cluster shift */
12935 CHECK_BYTE_COUNT_SUBR(1);
12936 proto_tree_add_item(tree, hf_smb_t2_compressed_cluster_shift, tvb, offset, 1, ENC_LITTLE_ENDIAN);
12937 COUNT_BYTES_SUBR(1);
12938
12939 /* 3 reserved bytes */
12940 CHECK_BYTE_COUNT_SUBR(3);
12941 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 3, ENC_NA);
12942 COUNT_BYTES_SUBR(3);
12943
12944 *trunc = false;
12945 return offset;
12946 }
12947
12948 /* 4.2.16.12 - SMB_QUERY_FILE_UNIX_BASIC */
12949
12950 static const value_string unix_file_type_vals[] = {
12951 { 0, "File" },
12952 { 1, "Directory" },
12953 { 2, "Symbolic link" },
12954 { 3, "Character device" },
12955 { 4, "Block device" },
12956 { 5, "FIFO" },
12957 { 6, "Socket" },
12958 { 0, NULL }
12959 };
12960
12961 static int
12962 dissect_4_2_16_12(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
12963 int offset, uint16_t *bcp, bool *trunc)
12964 {
12965 /* End of file (file size) */
12966 CHECK_BYTE_COUNT_SUBR(8);
12967 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12968 COUNT_BYTES_SUBR(8);
12969
12970 /* Number of bytes */
12971 CHECK_BYTE_COUNT_SUBR(8);
12972 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12973 COUNT_BYTES_SUBR(8);
12974
12975 /* Last status change */
12976 CHECK_BYTE_COUNT_SUBR(8);
12977 dissect_nttime(tvb, tree, offset, hf_smb_unix_file_last_status, ENC_LITTLE_ENDIAN);
12978 COUNT_BYTES_SUBR(8);
12979
12980 /* Last access time */
12981 CHECK_BYTE_COUNT_SUBR(8);
12982 dissect_nttime(tvb, tree, offset, hf_smb_unix_file_last_access, ENC_LITTLE_ENDIAN);
12983 COUNT_BYTES_SUBR(8);
12984
12985 /* Last modification time */
12986 CHECK_BYTE_COUNT_SUBR(8);
12987 dissect_nttime(tvb, tree, offset, hf_smb_unix_file_last_change, ENC_LITTLE_ENDIAN);
12988 COUNT_BYTES_SUBR(8);
12989
12990 /* File owner uid */
12991 CHECK_BYTE_COUNT_SUBR(8);
12992 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12993 COUNT_BYTES_SUBR(8);
12994
12995 /* File group gid */
12996 CHECK_BYTE_COUNT_SUBR(8);
12997 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
12998 COUNT_BYTES_SUBR(8);
12999
13000 /* File type */
13001 CHECK_BYTE_COUNT_SUBR(4);
13002 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13003 COUNT_BYTES_SUBR(4);
13004
13005 /* Major device number */
13006 CHECK_BYTE_COUNT_SUBR(8);
13007 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13008 COUNT_BYTES_SUBR(8);
13009
13010 /* Minor device number */
13011 CHECK_BYTE_COUNT_SUBR(8);
13012 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13013 COUNT_BYTES_SUBR(8);
13014
13015 /* Unique id */
13016 CHECK_BYTE_COUNT_SUBR(8);
13017 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13018 COUNT_BYTES_SUBR(8);
13019
13020 /* Permissions */
13021 CHECK_BYTE_COUNT_SUBR(8);
13022 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13023 COUNT_BYTES_SUBR(8);
13024
13025 /* Nlinks */
13026 CHECK_BYTE_COUNT_SUBR(8);
13027 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13028 COUNT_BYTES_SUBR(8);
13029
13030 /* Sometimes there is one extra byte in the data field which I
13031 guess could be padding, but we are only using 4 or 8 byte
13032 data types so this is a bit confusing. -tpot */
13033
13034 *trunc = false;
13035 return offset;
13036 }
13037
13038 /* 4.2.16.13 - SMB_QUERY_FILE_UNIX_LINK */
13039
13040 static int
13041 dissect_4_2_16_13(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
13042 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
13043 {
13044 const char *fn;
13045 int fn_len = 0;
13046
13047 DISSECTOR_ASSERT(si);
13048
13049 /* Link destination */
13050
13051 fn = get_unicode_or_ascii_string(pinfo->pool,
13052 tvb, &offset, si->unicode, &fn_len, false, true, bcp);
13053
13054 CHECK_STRING_SUBR(fn);
13055 proto_tree_add_string(
13056 tree, hf_smb_unix_file_link_dest, tvb, offset, fn_len, fn);
13057 COUNT_BYTES_SUBR(fn_len);
13058
13059 *trunc = false;
13060 return offset;
13061 }
13062
13063 /* unix ACL
13064 */
13065 static int
13066 dissect_qspi_unix_acl(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
13067 int offset, uint16_t *bcp, bool *trunc)
13068 {
13069 uint16_t num_file_aces;
13070 static int * const perm_fields[] = {
13071 &hf_smb_posix_ace_perm_read,
13072 &hf_smb_posix_ace_perm_write,
13073 &hf_smb_posix_ace_perm_execute,
13074 NULL
13075 };
13076
13077 /* version */
13078 CHECK_BYTE_COUNT_SUBR(2);
13079 proto_tree_add_item(tree, hf_smb_posix_acl_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
13080 COUNT_BYTES_SUBR(2);
13081
13082 /* num file acls */
13083 CHECK_BYTE_COUNT_SUBR(2);
13084 num_file_aces = tvb_get_letohs(tvb, offset);
13085 proto_tree_add_item(tree, hf_smb_posix_num_file_aces, tvb, offset, 2, ENC_LITTLE_ENDIAN);
13086 COUNT_BYTES_SUBR(2);
13087
13088 /* num default acls */
13089 CHECK_BYTE_COUNT_SUBR(2);
13090 proto_tree_add_item(tree, hf_smb_posix_num_def_aces, tvb, offset, 2, ENC_LITTLE_ENDIAN);
13091 COUNT_BYTES_SUBR(2);
13092
13093 while (num_file_aces--) {
13094 proto_item *it, *type_item;
13095 proto_tree *tr;
13096 int old_offset = offset;
13097 uint8_t ace_type;
13098
13099 tr = proto_tree_add_subtree(tree, tvb, offset, 0, ett_smb_posix_ace, &it, "ACE");
13100
13101 /* ace type */
13102 CHECK_BYTE_COUNT_SUBR(1);
13103 ace_type = tvb_get_uint8(tvb, offset);
13104 type_item = proto_tree_add_item(tr, hf_smb_posix_ace_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
13105 COUNT_BYTES_SUBR(1);
13106
13107 CHECK_BYTE_COUNT_SUBR(1);
13108 proto_tree_add_bitmask(tr, tvb, offset, hf_smb_posix_ace_flags, ett_smb_posix_ace_perms, perm_fields, ENC_BIG_ENDIAN);
13109 COUNT_BYTES_SUBR(1);
13110
13111 switch(ace_type) {
13112 case POSIX_ACE_TYPE_USER_OBJ:
13113 CHECK_BYTE_COUNT_SUBR(4);
13114 proto_tree_add_item(tr, hf_smb_posix_ace_perm_owner_uid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13115 COUNT_BYTES_SUBR(4);
13116
13117 CHECK_BYTE_COUNT_SUBR(4);
13118 /* 4 reserved bytes */
13119 COUNT_BYTES_SUBR(4);
13120 break;
13121 case POSIX_ACE_TYPE_GROUP_OBJ:
13122 CHECK_BYTE_COUNT_SUBR(4);
13123 proto_tree_add_item(tr, hf_smb_posix_ace_perm_owner_gid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13124 COUNT_BYTES_SUBR(4);
13125
13126 CHECK_BYTE_COUNT_SUBR(4);
13127 /* 4 reserved bytes */
13128 COUNT_BYTES_SUBR(4);
13129 break;
13130
13131 case POSIX_ACE_TYPE_MASK:
13132 case POSIX_ACE_TYPE_OTHER:
13133 CHECK_BYTE_COUNT_SUBR(8);
13134 /* 8 reserved bytes */
13135 COUNT_BYTES_SUBR(8);
13136 break;
13137
13138 case POSIX_ACE_TYPE_USER:
13139 CHECK_BYTE_COUNT_SUBR(4);
13140 proto_tree_add_item(tr, hf_smb_posix_ace_perm_uid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13141 COUNT_BYTES_SUBR(4);
13142
13143 CHECK_BYTE_COUNT_SUBR(4);
13144 /* 4 reserved bytes */
13145 COUNT_BYTES_SUBR(4);
13146 break;
13147
13148 case POSIX_ACE_TYPE_GROUP:
13149 CHECK_BYTE_COUNT_SUBR(4);
13150 proto_tree_add_item(tr, hf_smb_posix_ace_perm_gid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13151 COUNT_BYTES_SUBR(4);
13152
13153 CHECK_BYTE_COUNT_SUBR(4);
13154 /* 4 reserved bytes */
13155 COUNT_BYTES_SUBR(4);
13156 break;
13157 default:
13158 expert_add_info(pinfo, type_item, &ei_smb_posix_ace_type);
13159 CHECK_BYTE_COUNT_SUBR(8);
13160 /* skip 8 bytes */
13161 COUNT_BYTES_SUBR(8);
13162 }
13163
13164 proto_item_set_len(it, offset-old_offset);
13165 }
13166
13167 *trunc = false;
13168 return offset;
13169 }
13170
13171 static int
13172 dissect_qspi_unix_xattr(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
13173 int offset, uint16_t *bcp _U_, bool *trunc)
13174 {
13175 proto_tree_add_expert(tree, pinfo, &ei_smb_not_implemented, tvb, offset, 0);
13176
13177 *trunc = false;
13178 return offset;
13179 }
13180
13181 static int
13182 dissect_qspi_unix_attr_flags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
13183 int offset, uint16_t *bcp _U_, bool *trunc)
13184 {
13185 proto_tree_add_expert(tree, pinfo, &ei_smb_not_implemented, tvb, offset, 0);
13186
13187 *trunc = false;
13188 return offset;
13189 }
13190
13191 static int
13192 dissect_qpi_unix_permissions(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
13193 int offset, uint16_t *bcp _U_, bool *trunc)
13194 {
13195 proto_tree_add_expert(tree, pinfo, &ei_smb_not_implemented, tvb, offset, 0);
13196
13197 *trunc = false;
13198 return offset;
13199 }
13200
13201 static int
13202 dissect_qspi_unix_lock(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
13203 int offset, uint16_t *bcp _U_, bool *trunc)
13204 {
13205 proto_tree_add_expert(tree, pinfo, &ei_smb_not_implemented, tvb, offset, 0);
13206
13207 *trunc = false;
13208 return offset;
13209 }
13210
13211 static int
13212 dissect_qspi_unix_open(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
13213 int offset, uint16_t *bcp _U_, bool *trunc)
13214 {
13215 proto_tree_add_expert(tree, pinfo, &ei_smb_not_implemented, tvb, offset, 0);
13216
13217 *trunc = false;
13218 return offset;
13219 }
13220
13221 static int
13222 dissect_qspi_unix_unlink(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
13223 int offset, uint16_t *bcp _U_, bool *trunc)
13224 {
13225 proto_tree_add_expert(tree, pinfo, &ei_smb_not_implemented, tvb, offset, 0);
13226
13227 *trunc = false;
13228 return offset;
13229 }
13230
13231 /* SMB_FIND_FILE_UNIX_INFO2 */
13232
13233 #if 0
13234 static const true_false_string tfs_i2f_secure_delete = {
13235 "File should be erased such that the data is not recoverable",
13236 "File need not be erased such that the data is not recoverable"
13237 };
13238 static const true_false_string tfs_i2f_enable_undelete = {
13239 "File should opt-in to a server-specific deletion recovery scheme",
13240 "File should not opt-in to a server-specific deletion recovery scheme"
13241 };
13242 static const true_false_string tfs_i2f_synchronous = {
13243 "I/O to this file should be performed synchronously",
13244 "I/O to this file need not be performed synchronously"
13245 };
13246 static const true_false_string tfs_i2f_immutable = {
13247 "NO changes can be made to this file",
13248 "Changes can be made to this file if permissions allow it"
13249 };
13250 static const true_false_string tfs_i2f_append_only = {
13251 "Only appends can be made to this file",
13252 "Writes can be made atop existing data in this file"
13253 };
13254 static const true_false_string tfs_i2f_do_not_backup = {
13255 "Backup programs should ignore this file",
13256 "Backup programs should not ignore this file"
13257 };
13258 static const true_false_string tfs_i2f_no_update_atime = {
13259 "The server is not required to update the last access time on this file",
13260 "The server is required to update the last access time on this file"
13261 };
13262 static const true_false_string tfs_i2f_hidden = {
13263 "User interface programs may ignore this file",
13264 "User interface programs should not ignore this file based solely on this flag"
13265 };
13266 #endif
13267
13268 static int
13269 dissect_unix_info2_file_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset, int hf)
13270 {
13271 static int * const flags[] = {
13272 &hf_smb_unix_info2_file_flags_secure_delete,
13273 &hf_smb_unix_info2_file_flags_enable_undelete,
13274 &hf_smb_unix_info2_file_flags_synchronous,
13275 &hf_smb_unix_info2_file_flags_immutable,
13276 &hf_smb_unix_info2_file_flags_append_only,
13277 &hf_smb_unix_info2_file_flags_do_not_backup,
13278 &hf_smb_unix_info2_file_flags_no_update_atime,
13279 &hf_smb_unix_info2_file_flags_hidden,
13280 NULL
13281 };
13282
13283 proto_tree_add_bitmask(parent_tree, tvb, offset, hf, ett_smb_info2_file_flags, flags, ENC_LITTLE_ENDIAN);
13284 offset += 4;
13285
13286 return offset;
13287 }
13288
13289 static int
13290 dissect_qspi_unix_info2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
13291 int offset, uint16_t *bcp, bool *trunc)
13292 {
13293 /* End of file (file size) */
13294 CHECK_BYTE_COUNT_SUBR(8);
13295 proto_tree_add_item(tree, hf_smb_unix_file_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13296 COUNT_BYTES_SUBR(8);
13297
13298 /* Number of bytes (or blocks? The SNIA spec for UNIX basic
13299 info says "bytes", the Samba page for this says "blocks") */
13300 CHECK_BYTE_COUNT_SUBR(8);
13301 proto_tree_add_item(tree, hf_smb_unix_file_num_bytes, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13302 COUNT_BYTES_SUBR(8);
13303
13304 /* Last status change */
13305 CHECK_BYTE_COUNT_SUBR(8);
13306 dissect_nttime(tvb, tree, offset, hf_smb_unix_file_last_status, ENC_LITTLE_ENDIAN);
13307 COUNT_BYTES_SUBR(8);
13308
13309 /* Last access time */
13310 CHECK_BYTE_COUNT_SUBR(8);
13311 dissect_nttime(tvb, tree, offset, hf_smb_unix_file_last_access, ENC_LITTLE_ENDIAN);
13312 COUNT_BYTES_SUBR(8);
13313
13314 /* Last modification time */
13315 CHECK_BYTE_COUNT_SUBR(8);
13316 dissect_nttime(tvb, tree, offset, hf_smb_unix_file_last_change, ENC_LITTLE_ENDIAN);
13317 COUNT_BYTES_SUBR(8);
13318
13319 /* File owner uid */
13320 CHECK_BYTE_COUNT_SUBR(8);
13321 proto_tree_add_item(tree, hf_smb_unix_file_uid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13322 COUNT_BYTES_SUBR(8);
13323
13324 /* File group gid */
13325 CHECK_BYTE_COUNT_SUBR(8);
13326 proto_tree_add_item(tree, hf_smb_unix_file_gid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13327 COUNT_BYTES_SUBR(8);
13328
13329 /* File type */
13330 CHECK_BYTE_COUNT_SUBR(4);
13331 proto_tree_add_item(tree, hf_smb_unix_file_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13332 COUNT_BYTES_SUBR(4);
13333
13334 /* Major device number */
13335 CHECK_BYTE_COUNT_SUBR(8);
13336 proto_tree_add_item(tree, hf_smb_unix_file_dev_major, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13337 COUNT_BYTES_SUBR(8);
13338
13339 /* Minor device number */
13340 CHECK_BYTE_COUNT_SUBR(8);
13341 proto_tree_add_item(tree, hf_smb_unix_file_dev_minor, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13342 COUNT_BYTES_SUBR(8);
13343
13344 /* Unique id */
13345 CHECK_BYTE_COUNT_SUBR(8);
13346 proto_tree_add_item(tree, hf_smb_unix_file_unique_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13347 COUNT_BYTES_SUBR(8);
13348
13349 /* Permissions */
13350 CHECK_BYTE_COUNT_SUBR(8);
13351 proto_tree_add_item(tree, hf_smb_unix_file_permissions, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13352 COUNT_BYTES_SUBR(8);
13353
13354 /* Nlinks */
13355 CHECK_BYTE_COUNT_SUBR(8);
13356 proto_tree_add_item(tree, hf_smb_unix_file_nlinks, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13357 COUNT_BYTES_SUBR(8);
13358
13359 /* Creation time */
13360 CHECK_BYTE_COUNT_SUBR(8);
13361 dissect_nttime(tvb, tree, offset, hf_smb_unix_file_creation_time, ENC_LITTLE_ENDIAN);
13362 COUNT_BYTES_SUBR(8);
13363
13364 /* File flags */
13365 CHECK_BYTE_COUNT_SUBR(4);
13366 offset = dissect_unix_info2_file_flags(tvb, tree, offset, hf_smb_unix_info2_file_flags);
13367 *bcp -= 4;
13368
13369 /* File flags mask */
13370 CHECK_BYTE_COUNT_SUBR(4);
13371 offset = dissect_unix_info2_file_flags(tvb, tree, offset, hf_smb_unix_info2_file_flags_mask);
13372 *bcp -= 4;
13373
13374 *trunc = false;
13375 return offset;
13376 }
13377
13378 /* this dissects the SMB_QUERY_FILE_NETWORK_OPEN_INFO
13379 */
13380 int
13381 dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvbuff_t *tvb,
13382 packet_info *pinfo, proto_tree *tree,
13383 int offset, uint16_t *bcp, bool *trunc)
13384 {
13385
13386 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
13387 if (*trunc) {
13388 return offset;
13389 }
13390
13391 /* allocation size */
13392 CHECK_BYTE_COUNT_SUBR(8);
13393 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13394 COUNT_BYTES_SUBR(8);
13395
13396 /* end of file */
13397 CHECK_BYTE_COUNT_SUBR(8);
13398 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13399 COUNT_BYTES_SUBR(8);
13400
13401 /* File Attributes */
13402 CHECK_BYTE_COUNT_SUBR(4);
13403 offset = dissect_file_ext_attr(tvb, tree, offset);
13404 *bcp -= 4;
13405
13406 /* 4 reserved bytes */
13407 CHECK_BYTE_COUNT_SUBR(4);
13408 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
13409 COUNT_BYTES_SUBR(4);
13410
13411 *trunc = false;
13412 return offset;
13413 }
13414
13415 /* this dissects the SMB_FILE_ATTRIBUTE_TAG_INFO
13416 */
13417 int
13418 dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvbuff_t *tvb,
13419 packet_info *pinfo _U_, proto_tree *tree,
13420 int offset, uint16_t *bcp, bool *trunc)
13421 {
13422 /* attribute */
13423 CHECK_BYTE_COUNT_SUBR(4);
13424 proto_tree_add_item(tree, hf_smb_attribute, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13425 COUNT_BYTES_SUBR(4);
13426
13427 /* reparse tag */
13428 CHECK_BYTE_COUNT_SUBR(4);
13429 proto_tree_add_item(tree, hf_smb_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13430 COUNT_BYTES_SUBR(4);
13431
13432 *trunc = false;
13433 return offset;
13434 }
13435
13436 /* this dissects the SMB_SET_FILE_DISPOSITION_INFO
13437 as described in 4.2.19.2
13438 */
13439 static int
13440 dissect_4_2_19_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
13441 int offset, uint16_t *bcp, bool *trunc)
13442 {
13443 /* marked for deletion? */
13444 CHECK_BYTE_COUNT_SUBR(1);
13445 proto_tree_add_item(tree, hf_smb_t2_marked_for_deletion, tvb, offset, 1, ENC_LITTLE_ENDIAN);
13446 COUNT_BYTES_SUBR(1);
13447
13448 *trunc = false;
13449 return offset;
13450 }
13451
13452 /* Set File Rename Info */
13453
13454 static const true_false_string tfs_smb_replace = {
13455 "Remove target file if it exists",
13456 "Do NOT remove target file if it exists",
13457 };
13458
13459 static int
13460 dissect_rename_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
13461 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
13462 {
13463 const char *fn;
13464 uint32_t target_name_len;
13465 int fn_len;
13466
13467 DISSECTOR_ASSERT(si);
13468
13469 /* Replace flag */
13470 CHECK_BYTE_COUNT_SUBR(4);
13471 proto_tree_add_item(tree, hf_smb_replace, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13472 COUNT_BYTES_SUBR(4);
13473
13474 /* Root directory handle */
13475 CHECK_BYTE_COUNT_SUBR(4);
13476 proto_tree_add_item(tree, hf_smb_root_dir_handle, tvb, offset, 4, ENC_LITTLE_ENDIAN);
13477 COUNT_BYTES_SUBR(4);
13478
13479 /* Target name length */
13480 CHECK_BYTE_COUNT_SUBR(4);
13481 target_name_len = tvb_get_letohl(tvb, offset);
13482 proto_tree_add_uint(tree, hf_smb_target_name_len, tvb, offset, 4, target_name_len);
13483 COUNT_BYTES_SUBR(4);
13484
13485 /* Target name */
13486 fn_len = target_name_len;
13487 fn = get_unicode_or_ascii_string(pinfo->pool,
13488 tvb, &offset, si->unicode, &fn_len, false, true, bcp);
13489
13490 CHECK_STRING_SUBR(fn);
13491 proto_tree_add_string(
13492 tree, hf_smb_target_name, tvb, offset, fn_len, fn);
13493 COUNT_BYTES_SUBR(fn_len);
13494
13495 *trunc = false;
13496 return offset;
13497 }
13498
13499 static int
13500 dissect_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
13501 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
13502 {
13503 #if 0
13504 const char *fn;
13505 uint32_t target_name_len;*/
13506 int fn_len;
13507 #endif
13508
13509 DISSECTOR_ASSERT(si);
13510
13511 /* Disposition flags */
13512 CHECK_BYTE_COUNT_SUBR(1);
13513 proto_tree_add_item(tree, hf_smb_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
13514 COUNT_BYTES_SUBR(1);
13515
13516 *trunc = false;
13517 return offset;
13518 }
13519
13520 int
13521 dissect_sfi_SMB_FILE_PIPE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
13522 int offset, uint16_t *bcp, bool *trunc)
13523 {
13524 /* pipe info flag */
13525 CHECK_BYTE_COUNT_SUBR(1);
13526 proto_tree_add_item(tree, hf_smb_pipe_info_flag, tvb, offset, 1, ENC_LITTLE_ENDIAN);
13527 COUNT_BYTES_SUBR(1);
13528
13529 *trunc = false;
13530 return offset;
13531 }
13532
13533 /*dissect the data block for TRANS2_QUERY_PATH_INFORMATION and
13534 TRANS2_QUERY_FILE_INFORMATION*/
13535 static int
13536 dissect_qpi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
13537 proto_item *item _U_, int offset, uint16_t *bcp, smb_info_t *si)
13538 {
13539 bool trunc = false;
13540
13541 if (!*bcp) {
13542 return offset;
13543 }
13544
13545 DISSECTOR_ASSERT(si);
13546
13547 switch(si->info_level) {
13548 case 1: /*Info Standard*/
13549 offset = dissect_qsfi_SMB_INFO_STANDARD(tvb, pinfo, tree, offset, bcp,
13550 &trunc);
13551 break;
13552
13553 case 2: /*Info Query EA Size*/
13554 offset = dissect_qfi_SMB_INFO_QUERY_EA_SIZE(tvb, pinfo, tree, offset, bcp,
13555 &trunc);
13556 break;
13557 case 3: /*Info Query EAs From List*/
13558 case 4: /*Info Query All EAs*/
13559 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
13560 &trunc);
13561 break;
13562 case 6: /*Info Is Name Valid*/
13563 offset = dissect_4_2_16_3(tvb, pinfo, tree, offset, bcp,
13564 &trunc, si);
13565 break;
13566 case 0x0101: /*Query File Basic Info*/
13567 case 1004: /* SMB_FILE_BASIC_INFORMATION */
13568 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
13569 &trunc);
13570 break;
13571 case 0x0102: /*Query File Standard Info*/
13572 case 1005: /* SMB_FILE_STANDARD_INFORMATION */
13573 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, bcp,
13574 &trunc);
13575 break;
13576 case 1006: /* SMB_FILE_INTERNAL_INFORMATION */
13577 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, bcp,
13578 &trunc);
13579 break;
13580 case 0x0103: /*Query File EA Info*/
13581 case 1007: /* SMB_FILE_EA_INFORMATION */
13582 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, bcp,
13583 &trunc);
13584 break;
13585 case 0x0104: /*Query File Name Info*/
13586 case 1009: /* SMB_FILE_NAME_INFORMATION */
13587 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, bcp,
13588 &trunc, si->unicode);
13589 break;
13590 case 1014: /* SMB_FILE_POSITION_INFORMATION */
13591 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, bcp,
13592 &trunc);
13593 break;
13594 case 1016: /* SMB_FILE_MODE_INFORMATION */
13595 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, bcp,
13596 &trunc);
13597 break;
13598 case 1017: /* SMB_FILE_ALIGNMENT_INFORMATION */
13599 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, bcp,
13600 &trunc);
13601 break;
13602 case 0x0107: /*Query File All Info*/
13603 case 1018: /* SMB_FILE_ALL_INFORMATION */
13604 offset = dissect_qfi_SMB_FILE_ALL_INFO(tvb, pinfo, tree, offset, bcp,
13605 &trunc, si);
13606 break;
13607 case 1019: /* SMB_FILE_ALLOCATION_INFORMATION */
13608 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, bcp,
13609 &trunc);
13610 break;
13611 case 1020: /* SMB_FILE_ENDOFFILE_INFORMATION */
13612 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, bcp,
13613 &trunc);
13614 break;
13615 case 0x0108: /*Query File Alt File Info*/
13616 case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */
13617 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, bcp,
13618 &trunc, si->unicode);
13619 break;
13620 case 1022: /* SMB_FILE_STREAM_INFORMATION */
13621 si->unicode = true;
13622 /* FALLTHRU */
13623 case 0x0109: /*Query File Stream Info*/
13624 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, bcp,
13625 &trunc, si->unicode);
13626 break;
13627 case 0x010b: /*Query File Compression Info*/
13628 case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */
13629 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, bcp,
13630 &trunc);
13631 break;
13632 case 1034: /* SMB_FILE_NETWORK_OPEN_INFO */
13633 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, bcp, &trunc);
13634 break;
13635 case 1035: /* SMB_FILE_ATTRIBUTE_TAG_INFO */
13636 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, bcp, &trunc);
13637 break;
13638 case 0x0200: /* Query File Unix Basic*/
13639 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
13640 &trunc);
13641 break;
13642 case 0x0201: /* Query File Unix Link*/
13643 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
13644 &trunc, si);
13645 break;
13646 case 0x0202: /* Query File Unix HardLink*/
13647 /* XXX add this from the SNIA doc */
13648 break;
13649 case 0x0204: /* Query File Unix ACL*/
13650 offset = dissect_qspi_unix_acl(tvb, pinfo, tree, offset, bcp,
13651 &trunc);
13652 break;
13653 case 0x0205: /* Query File Unix XATTR*/
13654 offset = dissect_qspi_unix_xattr(tvb, pinfo, tree, offset, bcp,
13655 &trunc);
13656 break;
13657 case 0x0206: /* Query File Unix Attr Flags*/
13658 offset = dissect_qspi_unix_attr_flags(tvb, pinfo, tree, offset, bcp,
13659 &trunc);
13660 break;
13661 case 0x0207: /* Query File Unix Permissions*/
13662 offset = dissect_qpi_unix_permissions(tvb, pinfo, tree, offset, bcp,
13663 &trunc);
13664 break;
13665 case 0x0208: /* Query File Unix Lock*/
13666 offset = dissect_qspi_unix_lock(tvb, pinfo, tree, offset, bcp,
13667 &trunc);
13668 break;
13669 case 0x020b: /* Query File Unix Info2*/
13670 offset = dissect_qspi_unix_info2(tvb, pinfo, tree, offset, bcp,
13671 &trunc);
13672 break;
13673
13674 default:
13675 proto_tree_add_expert(tree, pinfo, &ei_smb_info_level_unknown, tvb, offset, *bcp);
13676 offset += *bcp;
13677 *bcp = 0;
13678 trunc = false;
13679 break;
13680 }
13681
13682 return offset;
13683 }
13684
13685 /*dissect the data block for TRANS2_SET_PATH_INFORMATION and
13686 TRANS2_SET_FILE_INFORMATION*/
13687 static int
13688 dissect_spi_loi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
13689 proto_item *item, int offset, uint16_t *bcp, smb_info_t *si)
13690 {
13691 bool trunc;
13692
13693 if (!*bcp) {
13694 return offset;
13695 }
13696
13697 DISSECTOR_ASSERT(si);
13698
13699 switch(si->info_level) {
13700 case 1: /*Info Standard*/
13701 offset = dissect_qsfi_SMB_INFO_STANDARD(tvb, pinfo, tree, offset, bcp,
13702 &trunc);
13703 break;
13704 case 2: /*Info Set EAs*/
13705 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
13706 &trunc);
13707 break;
13708 case 4: /*Info Query All EAs - not in [MS-CIFS]*/
13709 offset = dissect_4_2_16_2(tvb, pinfo, tree, offset, bcp,
13710 &trunc);
13711 break;
13712 case 0x0101: /*Set File Basic Info*/
13713 case 1004: /* SMB_FILE_BASIC_INFORMATION */
13714 offset = dissect_4_2_16_4(tvb, pinfo, tree, offset, bcp,
13715 &trunc);
13716 break;
13717 case 0x0102: /*Set File Disposition Info*/
13718 offset = dissect_4_2_19_2(tvb, pinfo, tree, offset, bcp,
13719 &trunc);
13720 break;
13721 case 0x0103: /*Set File Allocation Info*/
13722 case 1019: /* Set File Allocation Information */
13723 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, bcp,
13724 &trunc);
13725 break;
13726 case 0x0104: /*Set End Of File Info*/
13727 case 1020: /* SMB_FILE_ENDOFFILE_INFORMATION */
13728 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, bcp,
13729 &trunc);
13730 break;
13731 case 0x0200: /*Set File Unix Basic. Same as query. */
13732 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp,
13733 &trunc);
13734 break;
13735 case 0x0201: /*Set File Unix Link. Same as query. */
13736 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
13737 &trunc, si);
13738 break;
13739 case 0x0202: /*Set File Unix HardLink. Same as link query. */
13740 offset = dissect_4_2_16_13(tvb, pinfo, tree, offset, bcp,
13741 &trunc, si);
13742 break;
13743 case 0x0204: /* Set File Unix ACL*/
13744 offset = dissect_qspi_unix_acl(tvb, pinfo, tree, offset, bcp,
13745 &trunc);
13746 break;
13747 case 0x0205: /* Set File Unix XATTR*/
13748 offset = dissect_qspi_unix_xattr(tvb, pinfo, tree, offset, bcp,
13749 &trunc);
13750 break;
13751 case 0x0206: /* Set File Unix Attr Flags*/
13752 offset = dissect_qspi_unix_attr_flags(tvb, pinfo, tree, offset, bcp,
13753 &trunc);
13754 break;
13755 case 0x0208: /* Set File Unix Lock*/
13756 offset = dissect_qspi_unix_lock(tvb, pinfo, tree, offset, bcp,
13757 &trunc);
13758 break;
13759 case 0x0209: /* Set File Unix Open*/
13760 offset = dissect_qspi_unix_open(tvb, pinfo, tree, offset, bcp,
13761 &trunc);
13762 break;
13763 case 0x020a: /* Set File Unix Unlink*/
13764 offset = dissect_qspi_unix_unlink(tvb, pinfo, tree, offset, bcp,
13765 &trunc);
13766 break;
13767 case 0x020b: /* Set File Unix Info2*/
13768 offset = dissect_qspi_unix_info2(tvb, pinfo, tree, offset, bcp,
13769 &trunc);
13770 break;
13771 case 1010: /* Set File Rename */
13772 offset = dissect_rename_info(tvb, pinfo, tree, offset, bcp,
13773 &trunc, si);
13774 break;
13775 case 1013: /* Set Disposition Information */
13776 offset = dissect_disposition_info(tvb, pinfo, tree, offset, bcp,
13777 &trunc, si);
13778 break;
13779 case 1014: /* SMB_FILE_POSITION_INFORMATION */
13780 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, bcp,
13781 &trunc);
13782 break;
13783 case 1016: /* SMB_FILE_MODE_INFORMATION */
13784 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, bcp,
13785 &trunc);
13786 break;
13787 case 1023: /* Set Pipe Info */
13788 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, bcp,
13789 &trunc);
13790 break;
13791 case 1025:
13792 case 1029:
13793 case 1032:
13794 case 1039:
13795 case 1040:
13796 /* XXX: TODO, extra levels discovered by tridge */
13797 proto_tree_add_expert(tree, pinfo, &ei_smb_info_level_not_understood, tvb, offset, *bcp);
13798 offset += *bcp;
13799 *bcp = 0;
13800 trunc = false;
13801 break;
13802
13803 default:
13804 proto_tree_add_expert(tree, pinfo, &ei_smb_info_level_unknown, tvb, offset, *bcp);
13805 offset += *bcp;
13806 *bcp = 0;
13807 trunc = false;
13808 break;
13809 }
13810
13811 if (trunc) {
13812 expert_add_info(pinfo, item, &ei_smb_mal_information_level);
13813 }
13814 return offset;
13815 }
13816
13817
13818 static const true_false_string tfs_quota_flags_deny_disk = {
13819 "DENY DISK SPACE for users exceeding quota limit",
13820 "Do NOT deny disk space for users exceeding quota limit"
13821 };
13822 static const true_false_string tfs_quota_flags_log_limit = {
13823 "LOG EVENT when a user exceeds their QUOTA LIMIT",
13824 "Do NOT log event when a user exceeds their quota limit"
13825 };
13826 static const true_false_string tfs_quota_flags_log_warning = {
13827 "LOG EVENT when a user exceeds their WARNING LEVEL",
13828 "Do NOT log event when a user exceeds their warning level"
13829 };
13830 static const true_false_string tfs_quota_flags_enabled = {
13831 "Quotas are ENABLED of this fs",
13832 "Quotas are NOT enabled on this fs"
13833 };
13834 static void
13835 dissect_quota_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
13836 {
13837 static int * const mask[] = {
13838 &hf_smb_quota_flags_deny_disk,
13839 &hf_smb_quota_flags_log_warning,
13840 &hf_smb_quota_flags_log_limit,
13841 &hf_smb_quota_flags_enabled,
13842 NULL
13843 };
13844
13845 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_quota_flags,
13846 ett_smb_quotaflags, mask, ENC_NA);
13847 }
13848
13849 int
13850 dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, uint16_t *bcp)
13851 {
13852 /* first 24 bytes are unknown */
13853 CHECK_BYTE_COUNT_TRANS_SUBR(24);
13854 proto_tree_add_item(tree, hf_smb_unknown, tvb,
13855 offset, 24, ENC_NA);
13856 COUNT_BYTES_TRANS_SUBR(24);
13857
13858 /* number of bytes for quota warning */
13859 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13860 proto_tree_add_item(tree, hf_smb_soft_quota_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13861 COUNT_BYTES_TRANS_SUBR(8);
13862
13863 /* number of bytes for quota limit */
13864 CHECK_BYTE_COUNT_TRANS_SUBR(8);
13865 proto_tree_add_item(tree, hf_smb_hard_quota_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
13866 COUNT_BYTES_TRANS_SUBR(8);
13867
13868 /* one byte of quota flags */
13869 CHECK_BYTE_COUNT_TRANS_SUBR(1);
13870 dissect_quota_flags(tvb, tree, offset);
13871 COUNT_BYTES_TRANS_SUBR(1);
13872
13873 /* these 7 bytes are unknown */
13874 CHECK_BYTE_COUNT_TRANS_SUBR(7);
13875 proto_tree_add_item(tree, hf_smb_unknown, tvb,
13876 offset, 7, ENC_NA);
13877 COUNT_BYTES_TRANS_SUBR(7);
13878
13879 return offset;
13880 }
13881
13882 static int
13883 dissect_sfsi_request(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
13884 int offset, uint16_t *bcp, smb_info_t *si)
13885 {
13886 if (!*bcp) {
13887 return offset;
13888 }
13889
13890 DISSECTOR_ASSERT(si);
13891
13892 switch(si->info_level) {
13893 case 0x203: /* REQUEST_TRANSPORT_ENCRYPTION */ {
13894 proto_item *blob_item;
13895 tvbuff_t *blob_tvb;
13896 proto_tree *blob_tree;
13897
13898 /* security blob */
13899 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
13900 tvb, offset,
13901 tvb_reported_length_remaining(tvb, offset),
13902 ENC_NA);
13903
13904 /* As an optimization, because Windows is perverse,
13905 we check to see if NTLMSSP is the first part of the
13906 blob, and if so, call the NTLMSSP dissector,
13907 otherwise we call the GSS-API dissector. This is because
13908 Windows can request RAW NTLMSSP, but will happily handle
13909 a client that wraps NTLMSSP in SPNEGO
13910 */
13911
13912 blob_tree = proto_item_add_subtree(blob_item,
13913 ett_smb_secblob);
13914
13915 blob_tvb = tvb_new_subset_remaining(tvb, offset);
13916
13917 if (tvb_strneql(blob_tvb, 0, "NTLMSSP", 7) == 0) {
13918 call_dissector(ntlmssp_handle, blob_tvb, pinfo, blob_tree);
13919 } else {
13920 call_dissector(gssapi_handle, blob_tvb, pinfo, blob_tree);
13921 }
13922
13923 offset += tvb_reported_length_remaining(tvb, offset);
13924 *bcp = 0;
13925 break;
13926 }
13927 case 1006: /* QUERY_FS_QUOTA_INFO */
13928 offset = dissect_nt_quota(tvb, tree, offset, bcp);
13929 break;
13930 }
13931
13932 return offset;
13933 }
13934
13935 static int
13936 dissect_sfsi_response(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
13937 int offset, uint16_t *bcp, smb_info_t *si)
13938 {
13939 if (!*bcp) {
13940 return offset;
13941 }
13942
13943 DISSECTOR_ASSERT(si);
13944
13945 switch(si->info_level) {
13946 case 0x203: /* REQUEST_TRANSPORT_ENCRYPTION */ {
13947 proto_item *blob_item;
13948 tvbuff_t *blob_tvb;
13949 proto_tree *blob_tree;
13950
13951 /* security blob */
13952 blob_item = proto_tree_add_item(tree, hf_smb_security_blob,
13953 tvb, offset,
13954 tvb_reported_length_remaining(tvb, offset),
13955 ENC_NA);
13956
13957 /* As an optimization, because Windows is perverse,
13958 we check to see if NTLMSSP is the first part of the
13959 blob, and if so, call the NTLMSSP dissector,
13960 otherwise we call the GSS-API dissector. This is because
13961 Windows can request RAW NTLMSSP, but will happily handle
13962 a client that wraps NTLMSSP in SPNEGO
13963 */
13964
13965 blob_tree = proto_item_add_subtree(blob_item,
13966 ett_smb_secblob);
13967
13968 blob_tvb = tvb_new_subset_remaining(tvb, offset);
13969
13970 if (tvb_strneql(blob_tvb, 0, "NTLMSSP", 7) == 0) {
13971 call_dissector(ntlmssp_handle, blob_tvb, pinfo, blob_tree);
13972 } else {
13973 call_dissector(gssapi_handle, blob_tvb, pinfo, blob_tree);
13974 }
13975
13976 offset += tvb_reported_length_remaining(tvb, offset);
13977 *bcp = 0;
13978 break;
13979 }
13980 case 1006: /* QUERY_FS_QUOTA_INFO */
13981 /* nothing */
13982 break;
13983 }
13984
13985 return offset;
13986 }
13987
13988 static int
13989 dissect_transaction2_request_data(tvbuff_t *tvb, packet_info *pinfo,
13990 proto_tree *parent_tree, int offset, int subcmd, uint16_t dc, smb_info_t *si)
13991 {
13992 proto_item *item;
13993 proto_tree *tree;
13994
13995 DISSECTOR_ASSERT(si);
13996
13997 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, dc,
13998 ett_smb_transaction_data, &item, "%s Data",
13999 val_to_str_ext(subcmd, &trans2_cmd_vals_ext,
14000 "Unknown (0x%02x)"));
14001
14002 switch(subcmd) {
14003 case 0x0000: /*TRANS2_OPEN2*/
14004 /* XXX don't know how to decode FEAList */
14005 break;
14006 case 0x0001: /*TRANS2_FIND_FIRST2*/
14007 /* XXX don't know how to decode FEAList */
14008 break;
14009 case 0x0002: /*TRANS2_FIND_NEXT2*/
14010 /* XXX don't know how to decode FEAList */
14011 break;
14012 case 0x0003: /*TRANS2_QUERY_FS_INFORMATION*/
14013 /* no data field in this request */
14014 break;
14015 case 0x0004: /* TRANS2_SET_FS_INFORMATION */
14016 offset = dissect_sfsi_request(tvb, pinfo, tree, offset, &dc, si);
14017 break;
14018 case 0x0005: /*TRANS2_QUERY_PATH_INFORMATION*/
14019 /* no data field in this request */
14020 /*
14021 * XXX - "Microsoft Networks SMB File Sharing Protocol
14022 * Extensions Version 3.0, Document Version 1.11,
14023 * July 19, 1990" says there may be "Additional
14024 * FileInfoLevel dependent information" here.
14025 *
14026 * Was that just a cut-and-pasteo?
14027 * TRANS2_SET_PATH_INFORMATION *does* have that information
14028 * here.
14029 */
14030 break;
14031 case 0x0006: /*TRANS2_SET_PATH_INFORMATION*/
14032 offset = dissect_spi_loi_vals(tvb, pinfo, tree, item, offset, &dc, si);
14033 break;
14034 case 0x0007: /*TRANS2_QUERY_FILE_INFORMATION*/
14035 /* no data field in this request */
14036 /*
14037 * XXX - "Microsoft Networks SMB File Sharing Protocol
14038 * Extensions Version 3.0, Document Version 1.11,
14039 * July 19, 1990" says there may be "Additional
14040 * FileInfoLevel dependent information" here.
14041 *
14042 * Was that just a cut-and-pasteo?
14043 * TRANS2_SET_FILE_INFORMATION *does* have that information
14044 * here.
14045 */
14046 break;
14047 case 0x0008: /*TRANS2_SET_FILE_INFORMATION*/
14048 offset = dissect_spi_loi_vals(tvb, pinfo, tree, item, offset, &dc, si);
14049 break;
14050 case 0x0009: /*TRANS2_FSCTL*/
14051 /*XXX don't know how to decode this yet */
14052
14053 /*
14054 * XXX - "Microsoft Networks SMB File Sharing Protocol
14055 * Extensions Version 3.0, Document Version 1.11,
14056 * July 19, 1990" says this contains a
14057 * "File system specific data block". (That means we
14058 * may not be able to dissect it in any case.)
14059 */
14060 break;
14061 case 0x000a: /*TRANS2_IOCTL2*/
14062 /*XXX don't know how to decode this yet */
14063
14064 /*
14065 * XXX - "Microsoft Networks SMB File Sharing Protocol
14066 * Extensions Version 3.0, Document Version 1.11,
14067 * July 19, 1990" says this contains a
14068 * "Device/function specific data block". (That
14069 * means we may not be able to dissect it in any case.)
14070 */
14071 break;
14072 case 0x000b: /*TRANS2_FIND_NOTIFY_FIRST*/
14073 /*XXX don't know how to decode this yet */
14074
14075 /*
14076 * XXX - "Microsoft Networks SMB File Sharing Protocol
14077 * Extensions Version 3.0, Document Version 1.11,
14078 * July 19, 1990" says this contains "additional
14079 * level dependent match data".
14080 */
14081 break;
14082 case 0x000c: /*TRANS2_FIND_NOTIFY_NEXT*/
14083 /*XXX don't know how to decode this yet */
14084
14085 /*
14086 * XXX - "Microsoft Networks SMB File Sharing Protocol
14087 * Extensions Version 3.0, Document Version 1.11,
14088 * July 19, 1990" says this contains "additional
14089 * level dependent monitor information".
14090 */
14091 break;
14092 case 0x000d: /*TRANS2_CREATE_DIRECTORY*/
14093 /* XXX optional FEAList, unknown what FEAList looks like*/
14094 break;
14095 case 0x000e: /*TRANS2_SESSION_SETUP*/
14096 /*XXX don't know how to decode this yet */
14097 break;
14098 case 0x0010: /*TRANS2_GET_DFS_REFERRAL*/
14099 /* no data field in this request */
14100 break;
14101 case 0x0011: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
14102 offset = dissect_dfs_inconsistency_data(tvb, pinfo, tree, offset, &dc, si);
14103 break;
14104 }
14105
14106 if (dc > 0) {
14107 if (si->info_level == 2) {
14108 /* The LOI is "Info Set EAs (2), and dc is greater than zero, thus
14109 * SECONDARY requests will follow carrying the remainder of the data. */
14110 proto_tree_add_item(tree, hf_smb_secondaries_will_follow, tvb, offset, dc, ENC_NA);
14111 dc = 0;
14112 } else {
14113 /* ooops there were data we didn't know how to process */
14114 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, ENC_NA);
14115 offset += dc;
14116 }
14117 }
14118
14119 return offset;
14120 }
14121
14122
14123 static void
14124 dissect_trans_data(tvbuff_t *s_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb,
14125 proto_tree *tree)
14126 {
14127 int i;
14128 int offset;
14129 unsigned length;
14130
14131 /*
14132 * Show the setup words.
14133 */
14134 if (s_tvb != NULL) {
14135 length = tvb_reported_length(s_tvb);
14136 for (i = 0, offset = 0; length >= 2;
14137 i++, offset += 2, length -= 2) {
14138 /*
14139 * XXX - add a setup word filterable field?
14140 */
14141 proto_tree_add_uint_format(tree, hf_smb_trans_data_setup_word, s_tvb, offset, 2,
14142 tvb_get_letohs(s_tvb, offset), "Setup Word %d: 0x%04x", i, tvb_get_letohs(s_tvb, offset));
14143 }
14144 }
14145
14146 /*
14147 * Show the parameters, if any.
14148 */
14149 if (p_tvb != NULL) {
14150 length = tvb_reported_length(p_tvb);
14151 if (length != 0) {
14152 proto_tree_add_item(tree, hf_smb_trans_data_parameters, p_tvb, 0, length, ENC_NA);
14153 }
14154 }
14155
14156 /*
14157 * Show the data, if any.
14158 */
14159 if (d_tvb != NULL) {
14160 length = tvb_reported_length(d_tvb);
14161 if (length != 0) {
14162 proto_tree_add_item(tree, hf_smb_trans_data, d_tvb, 0, length, ENC_NA);
14163 }
14164 }
14165 }
14166
14167 /* This routine handles the following 4 calls
14168 Transaction 0x25
14169 Transaction Secondary 0x26
14170 Transaction2 0x32
14171 Transaction2 Secondary 0x33
14172 */
14173 static int
14174 dissect_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
14175 {
14176 uint8_t wc, sc = 0;
14177 int so = offset;
14178 int sl = 0;
14179 int spo = offset;
14180 int spc = 0;
14181 uint16_t od = 0, po = 0, pc = 0, dc = 0, pd, dd = 0;
14182 uint16_t tdc = 0;
14183 int subcmd = -1;
14184 uint32_t to;
14185 int an_len;
14186 const char *an = NULL;
14187 smb_transact2_info_t *t2i;
14188 smb_transact_info_t *tri;
14189 uint16_t bc;
14190 int padcnt;
14191 bool dissected_trans;
14192 proto_item *it;
14193
14194 DISSECTOR_ASSERT(si);
14195
14196 WORD_COUNT;
14197
14198 if (wc == 8 || (wc == 9 && si->cmd == SMB_COM_TRANSACTION2_SECONDARY)) {
14199 /*secondary client request*/
14200
14201 /* total param count, only a 16bit integer here*/
14202 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
14203 offset += 2;
14204
14205 /* total data count , only 16bit integer here*/
14206 tdc = tvb_get_letohs(tvb, offset);
14207 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
14208 offset += 2;
14209
14210 /* param count */
14211 pc = tvb_get_letohs(tvb, offset);
14212 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
14213 offset += 2;
14214
14215 /* param offset */
14216 po = tvb_get_letohs(tvb, offset);
14217 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
14218 offset += 2;
14219
14220 /* param disp */
14221 pd = tvb_get_letohs(tvb, offset);
14222 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
14223 offset += 2;
14224
14225 /* data count */
14226 dc = tvb_get_letohs(tvb, offset);
14227 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
14228 offset += 2;
14229
14230 /* data offset */
14231 od = tvb_get_letohs(tvb, offset);
14232 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
14233 offset += 2;
14234
14235 /* data displacement (dd)
14236 * The amount of data sent NOT including the data in this packet. If there are more
14237 * data to send per "Total Data Count" (tdc) [MS-CIFS] 2.2.4.46.1, additional
14238 * "TRANS2 Secondary Requests" ([MS-CIFS] 2.2.4.46.2) will follow, each increasing dd
14239 * until the tdc is reached (dd + dc = tdc).
14240 */
14241 dd = tvb_get_letohs(tvb, offset);
14242 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
14243 offset += 2;
14244
14245 if (tdc && tdc >= dc ) {
14246 uint16_t diff = tdc - (dc + dd);
14247 it = proto_tree_add_uint(tree, hf_bytes_until_total_data_count, tvb, 0, 0, diff);
14248 proto_item_set_generated(it);
14249 }
14250 if (tdc)
14251 col_append_fstr(pinfo->cinfo, COL_INFO, ", Data: %u of %u", dd + dc, tdc);
14252
14253 if (si->cmd == SMB_COM_TRANSACTION2 || si->cmd == SMB_COM_TRANSACTION2_SECONDARY) {
14254 uint16_t fid;
14255
14256 /* fid */
14257 fid = tvb_get_letohs(tvb, offset);
14258 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, false, false, false, si);
14259
14260 offset += 2;
14261 }
14262
14263 /* There are no setup words. */
14264 so = offset;
14265 sl = 0;
14266 } else {
14267 /* it is NOT a secondary request */
14268
14269 /* total param count , only a 16 bit integer here*/
14270 proto_tree_add_item(tree, hf_smb_total_param_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
14271 offset += 2;
14272
14273 /* total data count , only 16bit integer here*/
14274 tdc = tvb_get_letohs(tvb, offset);
14275 proto_tree_add_item(tree, hf_smb_total_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
14276 offset += 2;
14277
14278 /* max param count , only 16bit integer here*/
14279 proto_tree_add_item(tree, hf_smb_max_param_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
14280 offset += 2;
14281
14282 /* max data count, only 16bit integer here*/
14283 proto_tree_add_item(tree, hf_smb_max_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
14284 offset += 2;
14285
14286 /* max setup count, only 16bit integer here*/
14287 proto_tree_add_item(tree, hf_smb_max_setup_count, tvb, offset, 1, ENC_NA);
14288 offset += 1;
14289
14290 /* reserved byte */
14291 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
14292 offset += 1;
14293
14294 /* transaction flags */
14295 dissect_transaction_flags(tvb, tree, offset);
14296 offset += 2;
14297
14298 /* timeout */
14299 to = tvb_get_letohl(tvb, offset);
14300 proto_tree_add_uint_format_value(tree, hf_smb_timeout, tvb, offset, 4, to, "%s", smbext20_timeout_msecs_to_str(pinfo->pool, to));
14301 offset += 4;
14302
14303 /* 2 reserved bytes */
14304 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
14305 offset += 2;
14306
14307 /* param count */
14308 pc = tvb_get_letohs(tvb, offset);
14309 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
14310 offset += 2;
14311
14312 /* param offset */
14313 po = tvb_get_letohs(tvb, offset);
14314 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
14315 offset += 2;
14316
14317 /* Data_Count (dc)
14318 * The amount of data carried in this request. If there are more data to send per
14319 * Total Data Count (tdc) [MS-CIFS] 2.2.4.46.1, TRANS2 Secondary Requests
14320 * ([MS-CIFS] 2.2.4.46.2) will follow, each increasing Data displacement (dd)until
14321 * tdc is reached (dd + dc = tdc).
14322 */
14323 dc = tvb_get_letohs(tvb, offset);
14324 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
14325 offset += 2;
14326
14327 if (tdc && tdc >= dc) {
14328 uint16_t diff = tdc - dc;
14329 it = proto_tree_add_uint(tree, hf_bytes_until_total_data_count, tvb, 0, 0, diff);
14330 proto_item_set_generated(it);
14331 }
14332
14333 /* data offset */
14334 od = tvb_get_letohs(tvb, offset);
14335 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
14336 offset += 2;
14337
14338 /* data displacement is zero here */
14339 dd = 0;
14340
14341 /* setup count */
14342 sc = tvb_get_uint8(tvb, offset);
14343 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
14344 offset += 1;
14345
14346 /* reserved byte */
14347 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
14348 offset += 1;
14349
14350 /* this is where the setup bytes, if any start */
14351 so = offset;
14352 sl = sc*2;
14353
14354 /* if there were any setup bytes, decode them */
14355 if (sc) {
14356 switch(si->cmd) {
14357
14358 case SMB_COM_TRANSACTION2:
14359 /* TRANSACTION2 only has one setup word and
14360 that is the subcommand code.
14361
14362 XXX - except for TRANS2_FSCTL
14363 and TRANS2_IOCTL. */
14364 subcmd = tvb_get_letohs(tvb, offset);
14365 proto_tree_add_uint(tree, hf_smb_trans2_subcmd,
14366 tvb, offset, 2, subcmd);
14367 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
14368 val_to_str_ext(subcmd, &trans2_cmd_vals_ext,
14369 "Unknown (0x%02x)"));
14370 if (tdc)
14371 col_append_fstr(pinfo->cinfo, COL_INFO, ", Data: %u of %u", dc, tdc);
14372
14373 if (!si->unidir) {
14374 if (!pinfo->fd->visited && si->sip) {
14375 /*
14376 * Allocate a new
14377 * smb_transact2_info_t
14378 * structure.
14379 */
14380 t2i = wmem_new(wmem_file_scope(), smb_transact2_info_t);
14381 t2i->subcmd = subcmd;
14382 t2i->info_level = -1;
14383 t2i->resume_keys = false;
14384 t2i->name = NULL;
14385 si->sip->extra_info = t2i;
14386 si->sip->extra_info_type = SMB_EI_T2I;
14387 }
14388 }
14389
14390 /*
14391 * XXX - process TRANS2_FSCTL and
14392 * TRANS2_IOCTL setup words here.
14393 */
14394 break;
14395
14396 case SMB_COM_TRANSACTION:
14397 /* TRANSACTION setup words processed below */
14398 break;
14399 }
14400
14401 offset += sl;
14402 }
14403 }
14404
14405 BYTE_COUNT;
14406
14407 if (wc != 8) {
14408 /* primary request */
14409 /* name is NULL if transaction2 */
14410 if (si->cmd == SMB_COM_TRANSACTION) {
14411 /* Transaction Name */
14412 an = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset,
14413 si->unicode, &an_len, false, false, &bc);
14414 if (an == NULL)
14415 goto endofcommand;
14416 proto_tree_add_string(tree, hf_smb_trans_name, tvb,
14417 offset, an_len, an);
14418 COUNT_BYTES(an_len);
14419 }
14420 }
14421
14422 /*
14423 * The pipe or mailslot arguments for Transaction start with
14424 * the first setup word (or where the first setup word would
14425 * be if there were any setup words), and run to the current
14426 * offset (which could mean that there aren't any).
14427 */
14428 spo = so;
14429 spc = offset - spo;
14430
14431 /* parameters */
14432 if (po > offset) {
14433 /* We have some initial padding bytes.
14434 */
14435 padcnt = po-offset;
14436 if (padcnt > bc)
14437 padcnt = bc;
14438 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, ENC_NA);
14439 COUNT_BYTES(padcnt);
14440 }
14441 if (pc) {
14442 CHECK_BYTE_COUNT(pc);
14443 switch(si->cmd) {
14444
14445 case SMB_COM_TRANSACTION2:
14446 /* TRANSACTION2 parameters*/
14447 offset = dissect_transaction2_request_parameters(tvb,
14448 pinfo, tree, offset, subcmd, pc, si);
14449 bc -= pc;
14450 break;
14451
14452 case SMB_COM_TRANSACTION:
14453 /* TRANSACTION parameters processed below */
14454 COUNT_BYTES(pc);
14455 break;
14456 }
14457 }
14458
14459 /* data */
14460 if (od > offset) {
14461 /* We have some initial padding bytes.
14462 */
14463 padcnt = od-offset;
14464 if (padcnt > bc)
14465 padcnt = bc;
14466 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, ENC_NA);
14467 COUNT_BYTES(padcnt);
14468 }
14469 if (dc) {
14470 CHECK_BYTE_COUNT(dc);
14471 switch(si->cmd) {
14472
14473 case SMB_COM_TRANSACTION2:
14474 /* TRANSACTION2 data*/
14475 offset = dissect_transaction2_request_data(tvb, pinfo,
14476 tree, offset, subcmd, dc, si);
14477 bc -= dc;
14478 break;
14479
14480 case SMB_COM_TRANSACTION:
14481 /* TRANSACTION data processed below */
14482 COUNT_BYTES(dc);
14483 break;
14484 }
14485 }
14486
14487 /*TRANSACTION request parameters */
14488 if (si->cmd == SMB_COM_TRANSACTION) {
14489 /*XXX replace this block with a function and use that one
14490 for both requests/responses*/
14491 if (dd == 0) {
14492 tvbuff_t *p_tvb, *d_tvb, *s_tvb;
14493 tvbuff_t *sp_tvb, *pd_tvb;
14494
14495 if (pc > 0) {
14496 if (pc>tvb_reported_length_remaining(tvb, po)) {
14497 p_tvb = tvb_new_subset_length_caplen(tvb, po, tvb_reported_length_remaining(tvb, po), pc);
14498 } else {
14499 p_tvb = tvb_new_subset_length(tvb, po, pc);
14500 }
14501 } else {
14502 p_tvb = NULL;
14503 }
14504 if (dc > 0) {
14505 if (dc>tvb_reported_length_remaining(tvb, od)) {
14506 d_tvb = tvb_new_subset_length_caplen(tvb, od, tvb_reported_length_remaining(tvb, od), dc);
14507 } else {
14508 d_tvb = tvb_new_subset_length(tvb, od, dc);
14509 }
14510 } else {
14511 d_tvb = NULL;
14512 }
14513 if (sl) {
14514 if (sl>tvb_reported_length_remaining(tvb, so)) {
14515 s_tvb = tvb_new_subset_length_caplen(tvb, so, tvb_reported_length_remaining(tvb, so), sl);
14516 } else {
14517 s_tvb = tvb_new_subset_length(tvb, so, sl);
14518 }
14519 } else {
14520 s_tvb = NULL;
14521 }
14522
14523 if (!si->unidir) {
14524 if (!pinfo->fd->visited && si->sip) {
14525 /*
14526 * Allocate a new smb_transact_info_t
14527 * structure.
14528 */
14529 tri = wmem_new(wmem_file_scope(), smb_transact_info_t);
14530 tri->subcmd = -1;
14531 tri->trans_subcmd = -1;
14532 tri->function = -1;
14533 tri->fid = -1;
14534 tri->lanman_cmd = 0;
14535 tri->param_descrip = NULL;
14536 tri->data_descrip = NULL;
14537 tri->aux_data_descrip = NULL;
14538 tri->info_level = -1;
14539 si->sip->extra_info = tri;
14540 si->sip->extra_info_type = SMB_EI_TRI;
14541 } else {
14542 /*
14543 * We already filled the structure
14544 * in; don't bother doing so again.
14545 */
14546 tri = NULL;
14547 }
14548 } else {
14549 /*
14550 * This is a unidirectional message, for
14551 * which there will be no reply; don't
14552 * bother allocating an "smb_transact_info_t"
14553 * structure for it.
14554 */
14555 tri = NULL;
14556 }
14557 dissected_trans = false;
14558 if (an == NULL)
14559 goto endofcommand;
14560 if (strncmp("\\PIPE\\", an, 6) == 0) {
14561 if (tri != NULL)
14562 tri->subcmd = TRANSACTION_PIPE;
14563
14564 /*
14565 * A tvbuff containing the setup words and
14566 * the pipe path.
14567 */
14568 sp_tvb = tvb_new_subset_length(tvb, spo, spc);
14569
14570 /*
14571 * A tvbuff containing the parameters and the
14572 * data.
14573 */
14574 pd_tvb = tvb_new_subset_remaining(tvb, po);
14575
14576 dissected_trans = dissect_pipe_smb(sp_tvb,
14577 s_tvb, pd_tvb, p_tvb, d_tvb, an+6, pinfo,
14578 top_tree_global, si);
14579
14580 /* In case we did not see the TreeConnect call,
14581 store this TID here as well as a IPC TID
14582 so we know that future Read/Writes to this
14583 TID is (probably) DCERPC.
14584 */
14585 if (g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))) {
14586 g_hash_table_remove(si->ct->tid_service, GUINT_TO_POINTER(si->tid));
14587 }
14588 g_hash_table_insert(si->ct->tid_service, GUINT_TO_POINTER(si->tid), (void *)TID_IPC);
14589 } else if (strncmp("\\MAILSLOT\\", an, 10) == 0) {
14590 if (tri != NULL)
14591 tri->subcmd = TRANSACTION_MAILSLOT;
14592
14593 /*
14594 * A tvbuff containing the setup words and
14595 * the mailslot path.
14596 */
14597 sp_tvb = tvb_new_subset_length(tvb, spo, spc);
14598 dissected_trans = dissect_mailslot_smb(sp_tvb,
14599 s_tvb, d_tvb, an+10, pinfo, top_tree_global, si);
14600 }
14601 if (!dissected_trans)
14602 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
14603
14604 } else if (tdc) {
14605 col_append_fstr(pinfo->cinfo, COL_INFO, ", Data: %u of %u", dc + dd, tdc);
14606 }
14607 }
14608
14609 END_OF_SMB
14610
14611 return offset;
14612 }
14613
14614
14615
14616 static int
14617 dissect_4_3_4_1(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
14618 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
14619 {
14620 int fn_len;
14621 const char *fn;
14622 int old_offset = offset;
14623 proto_item *item;
14624 proto_tree *tree;
14625 smb_transact2_info_t *t2i;
14626 bool resume_keys = false;
14627 uint32_t bytes_needed = 0;
14628
14629 DISSECTOR_ASSERT(si);
14630
14631 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_T2I)) {
14632 t2i = (smb_transact2_info_t *)si->sip->extra_info;
14633 if (t2i != NULL)
14634 resume_keys = t2i->resume_keys;
14635 }
14636
14637 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
14638 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
14639
14640 /*
14641 * Figure out of there are enough bytes to display the whole entry.
14642 * This consistes of 22 bytes or 26 bytes if resume_keys, followed
14643 * by a length byte and that many chars.
14644 */
14645 bytes_needed = 23 + (resume_keys ? 4 : 0);
14646 tvb_ensure_bytes_exist(tvb, offset, bytes_needed);
14647
14648 /* Now, get the length */
14649 fn_len = tvb_get_uint8(tvb, offset + bytes_needed - 1);
14650 tvb_ensure_bytes_exist(tvb, offset, bytes_needed + fn_len);
14651
14652 if (resume_keys) {
14653 /* resume key */
14654 CHECK_BYTE_COUNT_SUBR(4);
14655 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14656 COUNT_BYTES_SUBR(4);
14657 }
14658
14659 /* create time */
14660 CHECK_BYTE_COUNT_SUBR(4);
14661 offset = dissect_smb_datetime(tvb, tree, offset,
14662 hf_smb_create_time,
14663 hf_smb_create_dos_date, hf_smb_create_dos_time, false);
14664 *bcp -= 4;
14665
14666 /* access time */
14667 CHECK_BYTE_COUNT_SUBR(4);
14668 offset = dissect_smb_datetime(tvb, tree, offset,
14669 hf_smb_access_time,
14670 hf_smb_access_dos_date, hf_smb_access_dos_time, false);
14671 *bcp -= 4;
14672
14673 /* last write time */
14674 CHECK_BYTE_COUNT_SUBR(4);
14675 offset = dissect_smb_datetime(tvb, tree, offset,
14676 hf_smb_last_write_time,
14677 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, false);
14678 *bcp -= 4;
14679
14680 /* data size */
14681 CHECK_BYTE_COUNT_SUBR(4);
14682 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14683 COUNT_BYTES_SUBR(4);
14684
14685 /* allocation size */
14686 CHECK_BYTE_COUNT_SUBR(4);
14687 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14688 COUNT_BYTES_SUBR(4);
14689
14690 /* File Attributes */
14691 CHECK_BYTE_COUNT_SUBR(2);
14692 offset = dissect_file_attributes(tvb, tree, offset);
14693 *bcp -= 2;
14694
14695 /* file name len */
14696 CHECK_BYTE_COUNT_SUBR(1);
14697 fn_len = tvb_get_uint8(tvb, offset);
14698 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
14699 COUNT_BYTES_SUBR(1);
14700 if (si->unicode)
14701 fn_len += 2; /* include terminating '\0' */
14702 else
14703 fn_len++; /* include terminating '\0' */
14704
14705 /* file name */
14706 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
14707 CHECK_STRING_SUBR(fn);
14708 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
14709 fn);
14710 COUNT_BYTES_SUBR(fn_len);
14711
14712 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
14713 proto_item_set_len(item, offset-old_offset);
14714
14715 *trunc = false;
14716 return offset;
14717 }
14718
14719 static int
14720 dissect_4_3_4_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
14721 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
14722 {
14723 int fn_len;
14724 const char *fn;
14725 int old_offset = offset;
14726 proto_item *item;
14727 proto_tree *tree;
14728 smb_transact2_info_t *t2i;
14729 bool resume_keys = false;
14730 uint32_t bytes_needed = 0;
14731
14732 DISSECTOR_ASSERT(si);
14733
14734 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_T2I)) {
14735 t2i = (smb_transact2_info_t *)si->sip->extra_info;
14736 if (t2i != NULL)
14737 resume_keys = t2i->resume_keys;
14738 }
14739
14740 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
14741 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
14742
14743 /*
14744 * Figure out of there are enough bytes to display the whole entry.
14745 * This consistes of 26 bytes or 30 bytes if resume_keys, followed
14746 * by a length byte and that many chars.
14747 */
14748 bytes_needed = 27 + (resume_keys ? 4 : 0);
14749 tvb_ensure_bytes_exist(tvb, offset, bytes_needed);
14750
14751 /* Now, get the length */
14752 fn_len = tvb_get_uint8(tvb, offset + bytes_needed - 1);
14753 tvb_ensure_bytes_exist(tvb, offset, bytes_needed + fn_len);
14754
14755 if (resume_keys) {
14756 /* resume key */
14757 CHECK_BYTE_COUNT_SUBR(4);
14758 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14759 COUNT_BYTES_SUBR(4);
14760 }
14761
14762 /* create time */
14763 CHECK_BYTE_COUNT_SUBR(4);
14764 offset = dissect_smb_datetime(tvb, tree, offset,
14765 hf_smb_create_time,
14766 hf_smb_create_dos_date, hf_smb_create_dos_time, false);
14767 *bcp -= 4;
14768
14769 /* access time */
14770 CHECK_BYTE_COUNT_SUBR(4);
14771 offset = dissect_smb_datetime(tvb, tree, offset,
14772 hf_smb_access_time,
14773 hf_smb_access_dos_date, hf_smb_access_dos_time, false);
14774 *bcp -= 4;
14775
14776 /* last write time */
14777 CHECK_BYTE_COUNT_SUBR(4);
14778 offset = dissect_smb_datetime(tvb, tree, offset,
14779 hf_smb_last_write_time,
14780 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, false);
14781 *bcp -= 4;
14782
14783 /* data size */
14784 CHECK_BYTE_COUNT_SUBR(4);
14785 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14786 COUNT_BYTES_SUBR(4);
14787
14788 /* allocation size */
14789 CHECK_BYTE_COUNT_SUBR(4);
14790 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14791 COUNT_BYTES_SUBR(4);
14792
14793 /* File Attributes */
14794 CHECK_BYTE_COUNT_SUBR(2);
14795 offset = dissect_file_attributes(tvb, tree, offset);
14796 *bcp -= 2;
14797
14798 /* ea length */
14799 CHECK_BYTE_COUNT_SUBR(4);
14800 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14801 COUNT_BYTES_SUBR(4);
14802
14803 /* file name len */
14804 CHECK_BYTE_COUNT_SUBR(1);
14805 fn_len = tvb_get_uint8(tvb, offset);
14806 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
14807 COUNT_BYTES_SUBR(1);
14808
14809 /* file name */
14810 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, true, true, bcp);
14811 CHECK_STRING_SUBR(fn);
14812 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
14813 fn);
14814 COUNT_BYTES_SUBR(fn_len);
14815 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
14816
14817 /*
14818 * To quote the footnote for FileName in Section 2.2.8.1.2:
14819 *
14820 * Windows NT servers always append a single NULL padding byte
14821 * to the FileName field. The length of this additional byte
14822 * is not included in the value of the FileNameLength field.
14823 *
14824 * That's "single byte", not "UTF-16 null character".
14825 *
14826 * XXX - what about other servers? Do we need to somehow
14827 * determine whether the server is a "Windows NT server" or
14828 * not?
14829 */
14830 CHECK_BYTE_COUNT_SUBR(1);
14831 COUNT_BYTES_SUBR(1);
14832
14833 proto_item_set_len(item, offset-old_offset);
14834
14835 *trunc = false;
14836 return offset;
14837 }
14838
14839 /*
14840 * According to MS-CIFS 2.2.8.1.3 this is like the function above with the
14841 * addition of the list of EA name value pairs before the file name.
14842 *
14843 * The EAs are formatted as an SMB_FEA as in 2.2.1.2.2. We will deal with
14844 * this soon.
14845 */
14846 static int
14847 dissect_4_3_4_3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
14848 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
14849 {
14850 int fn_len;
14851 const char *fn;
14852 int old_offset = offset;
14853 int ea_size = 0;
14854 proto_item *item;
14855 proto_tree *tree;
14856 smb_transact2_info_t *t2i;
14857 bool resume_keys = false;
14858
14859
14860 DISSECTOR_ASSERT(si);
14861
14862 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_T2I)) {
14863 t2i = (smb_transact2_info_t *)si->sip->extra_info;
14864 if (t2i != NULL)
14865 resume_keys = t2i->resume_keys;
14866 }
14867
14868 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
14869 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
14870
14871 if (resume_keys) {
14872 /* resume key */
14873 CHECK_BYTE_COUNT_SUBR(4);
14874 proto_tree_add_item(tree, hf_smb_resume, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14875 COUNT_BYTES_SUBR(4);
14876 }
14877
14878 /* create time */
14879 CHECK_BYTE_COUNT_SUBR(4);
14880 offset = dissect_smb_datetime(tvb, tree, offset,
14881 hf_smb_create_time,
14882 hf_smb_create_dos_date, hf_smb_create_dos_time, false);
14883 *bcp -= 4;
14884
14885 /* access time */
14886 CHECK_BYTE_COUNT_SUBR(4);
14887 offset = dissect_smb_datetime(tvb, tree, offset,
14888 hf_smb_access_time,
14889 hf_smb_access_dos_date, hf_smb_access_dos_time, false);
14890 *bcp -= 4;
14891
14892 /* last write time */
14893 CHECK_BYTE_COUNT_SUBR(4);
14894 offset = dissect_smb_datetime(tvb, tree, offset,
14895 hf_smb_last_write_time,
14896 hf_smb_last_write_dos_date, hf_smb_last_write_dos_time, false);
14897 *bcp -= 4;
14898
14899 /* data size */
14900 CHECK_BYTE_COUNT_SUBR(4);
14901 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14902 COUNT_BYTES_SUBR(4);
14903
14904 /* allocation size */
14905 CHECK_BYTE_COUNT_SUBR(4);
14906 proto_tree_add_item(tree, hf_smb_alloc_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14907 COUNT_BYTES_SUBR(4);
14908
14909 /* File Attributes */
14910 CHECK_BYTE_COUNT_SUBR(2);
14911 offset = dissect_file_attributes(tvb, tree, offset);
14912 *bcp -= 2;
14913
14914 /* ea length */
14915 CHECK_BYTE_COUNT_SUBR(4);
14916 ea_size = tvb_get_letohl(tvb, offset);
14917 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14918 COUNT_BYTES_SUBR(4);
14919
14920 /* The EAs ... they are formatted as in MS-CIFS 2.2.1.2.2 */
14921 proto_tree_add_bytes_format(tree, hf_smb_file_data, tvb, offset, ea_size, NULL, "EAs");
14922 COUNT_BYTES_SUBR(ea_size);
14923 *bcp -= ea_size;
14924
14925 /* file name len */
14926 CHECK_BYTE_COUNT_SUBR(1);
14927 fn_len = tvb_get_uint8(tvb, offset);
14928 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 1, fn_len);
14929 COUNT_BYTES_SUBR(1);
14930 if (si->unicode)
14931 fn_len += 2; /* include terminating '\0' */
14932 else
14933 fn_len++; /* include terminating '\0' */
14934
14935 /* file name */
14936 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
14937 CHECK_STRING_SUBR(fn);
14938 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
14939 fn);
14940 COUNT_BYTES_SUBR(fn_len);
14941
14942 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
14943 proto_item_set_len(item, offset-old_offset);
14944
14945 return offset;
14946 }
14947
14948 static int
14949 dissect_4_3_4_4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
14950 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
14951 {
14952 int fn_len;
14953 const char *fn;
14954 int old_offset = offset;
14955 proto_item *item;
14956 proto_tree *tree;
14957 uint32_t neo;
14958 int padcnt;
14959
14960 DISSECTOR_ASSERT(si);
14961
14962 /*
14963 * We check this first before adding the sub-tree so things do not
14964 * get ugly.
14965 */
14966
14967 /* next entry offset */
14968 CHECK_BYTE_COUNT_SUBR(4);
14969 neo = tvb_get_letohl(tvb, offset);
14970
14971 /* Ensure we have the bytes we need, which is up to neo */
14972 tvb_ensure_bytes_exist(tvb, offset, neo ? neo : *bcp);
14973
14974 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
14975 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
14976
14977 /*
14978 * We assume that the presence of a next entry offset implies the
14979 * absence of a resume key, as appears to be the case for 4.3.4.6.
14980 */
14981
14982 CHECK_BYTE_COUNT_SUBR(4);
14983 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
14984 COUNT_BYTES_SUBR(4);
14985
14986 /* file index */
14987 CHECK_BYTE_COUNT_SUBR(4);
14988 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
14989 COUNT_BYTES_SUBR(4);
14990
14991 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
14992 if (*trunc) {
14993 return offset;
14994 }
14995
14996 /* end of file */
14997 CHECK_BYTE_COUNT_SUBR(8);
14998 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
14999 COUNT_BYTES_SUBR(8);
15000
15001 /* allocation size */
15002 CHECK_BYTE_COUNT_SUBR(8);
15003 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15004 COUNT_BYTES_SUBR(8);
15005
15006 /* Extended File Attributes */
15007 CHECK_BYTE_COUNT_SUBR(4);
15008 offset = dissect_file_ext_attr(tvb, tree, offset);
15009 *bcp -= 4;
15010
15011 /* file name len */
15012 CHECK_BYTE_COUNT_SUBR(4);
15013 fn_len = tvb_get_letohl(tvb, offset);
15014 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
15015 COUNT_BYTES_SUBR(4);
15016
15017 /* file name */
15018 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
15019 CHECK_STRING_SUBR(fn);
15020 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
15021 fn);
15022 COUNT_BYTES_SUBR(fn_len);
15023
15024 /* skip to next structure */
15025 if (neo) {
15026 padcnt = (old_offset + neo) - offset;
15027 if (padcnt < 0) {
15028 /*
15029 * XXX - this is bogus; flag it?
15030 */
15031 padcnt = 0;
15032 }
15033 if (padcnt != 0) {
15034 CHECK_BYTE_COUNT_SUBR(padcnt);
15035 COUNT_BYTES_SUBR(padcnt);
15036 }
15037 }
15038
15039 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
15040 proto_item_set_len(item, offset-old_offset);
15041
15042 *trunc = false;
15043 return offset;
15044 }
15045
15046 static int
15047 dissect_4_3_4_5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
15048 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
15049 {
15050 int fn_len;
15051 const char *fn;
15052 int old_offset = offset;
15053 proto_item *item;
15054 proto_tree *tree;
15055 uint32_t neo;
15056 int padcnt;
15057
15058 DISSECTOR_ASSERT(si);
15059
15060 /*
15061 * We check this first before adding the sub-tree so things do not
15062 * get ugly.
15063 */
15064
15065 /* next entry offset */
15066 CHECK_BYTE_COUNT_SUBR(4);
15067 neo = tvb_get_letohl(tvb, offset);
15068
15069 /* Ensure we have the bytes we need, which is up to neo */
15070 tvb_ensure_bytes_exist(tvb, offset, neo ? neo : *bcp);
15071
15072 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
15073 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
15074
15075 /*
15076 * We assume that the presence of a next entry offset implies the
15077 * absence of a resume key, as appears to be the case for 4.3.4.6.
15078 */
15079
15080 CHECK_BYTE_COUNT_SUBR(4);
15081 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
15082 COUNT_BYTES_SUBR(4);
15083
15084 /* file index */
15085 CHECK_BYTE_COUNT_SUBR(4);
15086 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15087 COUNT_BYTES_SUBR(4);
15088
15089 /* standard 8-byte timestamps */
15090 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
15091 if (*trunc) {
15092 return offset;
15093 }
15094
15095 /* end of file */
15096 CHECK_BYTE_COUNT_SUBR(8);
15097 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15098 COUNT_BYTES_SUBR(8);
15099
15100 /* allocation size */
15101 CHECK_BYTE_COUNT_SUBR(8);
15102 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15103 COUNT_BYTES_SUBR(8);
15104
15105 /* Extended File Attributes */
15106 CHECK_BYTE_COUNT_SUBR(4);
15107 offset = dissect_file_ext_attr(tvb, tree, offset);
15108 *bcp -= 4;
15109
15110 /* file name len */
15111 CHECK_BYTE_COUNT_SUBR(4);
15112 fn_len = tvb_get_letohl(tvb, offset);
15113 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
15114 COUNT_BYTES_SUBR(4);
15115
15116 /* ea length */
15117 CHECK_BYTE_COUNT_SUBR(4);
15118 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15119 COUNT_BYTES_SUBR(4);
15120
15121 /* file name */
15122 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
15123 CHECK_STRING_SUBR(fn);
15124 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
15125 fn);
15126 COUNT_BYTES_SUBR(fn_len);
15127
15128 /* skip to next structure */
15129 if (neo) {
15130 padcnt = (old_offset + neo) - offset;
15131 if (padcnt < 0) {
15132 /*
15133 * XXX - this is bogus; flag it?
15134 */
15135 padcnt = 0;
15136 }
15137 if (padcnt != 0) {
15138 CHECK_BYTE_COUNT_SUBR(padcnt);
15139 COUNT_BYTES_SUBR(padcnt);
15140 }
15141 }
15142
15143 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
15144 proto_item_set_len(item, offset-old_offset);
15145
15146 *trunc = false;
15147 return offset;
15148 }
15149
15150 static int
15151 dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
15152 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
15153 {
15154 int fn_len, sfn_len;
15155 const char *fn, *sfn;
15156 int old_offset = offset;
15157 proto_item *item;
15158 proto_tree *tree;
15159 uint32_t neo;
15160 int padcnt;
15161
15162 DISSECTOR_ASSERT(si);
15163
15164 /*
15165 * We check this first before adding the sub-tree so things do not
15166 * get ugly.
15167 */
15168
15169 /* next entry offset */
15170 CHECK_BYTE_COUNT_SUBR(4);
15171 neo = tvb_get_letohl(tvb, offset);
15172
15173 /* Ensure we have the bytes we need, which is up to neo */
15174 tvb_ensure_bytes_exist(tvb, offset, neo ? neo : *bcp);
15175
15176 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
15177 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
15178
15179 /*
15180 * XXX - I have not seen any of these that contain a resume
15181 * key, even though some of the requests had the "return resume
15182 * key" flag set.
15183 */
15184
15185 CHECK_BYTE_COUNT_SUBR(4);
15186 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
15187 COUNT_BYTES_SUBR(4);
15188
15189 /* file index */
15190 CHECK_BYTE_COUNT_SUBR(4);
15191 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15192 COUNT_BYTES_SUBR(4);
15193
15194 /* dissect standard 8-byte timestamps */
15195 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
15196 if (*trunc) {
15197 return offset;
15198 }
15199
15200 /* end of file */
15201 CHECK_BYTE_COUNT_SUBR(8);
15202 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15203 COUNT_BYTES_SUBR(8);
15204
15205 /* allocation size */
15206 CHECK_BYTE_COUNT_SUBR(8);
15207 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15208 COUNT_BYTES_SUBR(8);
15209
15210 /* Extended File Attributes */
15211 CHECK_BYTE_COUNT_SUBR(4);
15212 offset = dissect_file_ext_attr(tvb, tree, offset);
15213 *bcp -= 4;
15214
15215 /* file name len */
15216 CHECK_BYTE_COUNT_SUBR(4);
15217 fn_len = tvb_get_letohl(tvb, offset);
15218 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
15219 COUNT_BYTES_SUBR(4);
15220
15221 /*
15222 * EA length.
15223 *
15224 * XXX - in one captures, this has the topmost bit set, and the
15225 * rest of the bits have the value 7. Is the topmost bit being
15226 * set some indication that the value *isn't* the length of
15227 * the EAs?
15228 */
15229 CHECK_BYTE_COUNT_SUBR(4);
15230 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15231 COUNT_BYTES_SUBR(4);
15232
15233 /* short file name len */
15234 CHECK_BYTE_COUNT_SUBR(1);
15235 sfn_len = tvb_get_uint8(tvb, offset);
15236 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
15237 COUNT_BYTES_SUBR(1);
15238
15239 /* reserved byte */
15240 CHECK_BYTE_COUNT_SUBR(1);
15241 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
15242 COUNT_BYTES_SUBR(1);
15243
15244 /* short file name - it's not always in Unicode */
15245 sfn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &sfn_len, false, true, bcp);
15246 CHECK_STRING_SUBR(sfn);
15247 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
15248 sfn);
15249 COUNT_BYTES_SUBR(24);
15250
15251 /* file name */
15252 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
15253 CHECK_STRING_SUBR(fn);
15254 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
15255 fn);
15256 COUNT_BYTES_SUBR(fn_len);
15257
15258 /* skip to next structure */
15259 if (neo) {
15260 padcnt = (old_offset + neo) - offset;
15261 if (padcnt < 0) {
15262 /*
15263 * XXX - this is bogus; flag it?
15264 */
15265 padcnt = 0;
15266 }
15267 if (padcnt != 0) {
15268 CHECK_BYTE_COUNT_SUBR(padcnt);
15269 COUNT_BYTES_SUBR(padcnt);
15270 }
15271 }
15272
15273 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
15274 proto_item_set_len(item, offset-old_offset);
15275
15276 *trunc = false;
15277 return offset;
15278 }
15279
15280 static int
15281 dissect_4_3_4_6full(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
15282 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
15283 {
15284 int fn_len;
15285 const char *fn;
15286 int old_offset = offset;
15287 proto_item *item;
15288 proto_tree *tree;
15289 uint32_t neo;
15290 int padcnt;
15291
15292 DISSECTOR_ASSERT(si);
15293
15294 /*
15295 * We check this first before adding the sub-tree so things do not
15296 * get ugly.
15297 */
15298
15299 /* next entry offset */
15300 CHECK_BYTE_COUNT_SUBR(4);
15301 neo = tvb_get_letohl(tvb, offset);
15302
15303 /* Ensure we have the bytes we need, which is up to neo */
15304 tvb_ensure_bytes_exist(tvb, offset, neo ? neo : *bcp);
15305
15306 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
15307 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
15308
15309 /*
15310 * XXX - I have not seen any of these that contain a resume
15311 * key, even though some of the requests had the "return resume
15312 * key" flag set.
15313 */
15314
15315 CHECK_BYTE_COUNT_SUBR(4);
15316 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
15317 COUNT_BYTES_SUBR(4);
15318
15319 /* file index */
15320 CHECK_BYTE_COUNT_SUBR(4);
15321 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15322 COUNT_BYTES_SUBR(4);
15323
15324 /* dissect standard 8-byte timestamps */
15325 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
15326 if (*trunc) {
15327 return offset;
15328 }
15329
15330 /* end of file */
15331 CHECK_BYTE_COUNT_SUBR(8);
15332 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15333 COUNT_BYTES_SUBR(8);
15334
15335 /* allocation size */
15336 CHECK_BYTE_COUNT_SUBR(8);
15337 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15338 COUNT_BYTES_SUBR(8);
15339
15340 /* Extended File Attributes */
15341 CHECK_BYTE_COUNT_SUBR(4);
15342 offset = dissect_file_ext_attr(tvb, tree, offset);
15343 *bcp -= 4;
15344
15345 /* file name len */
15346 CHECK_BYTE_COUNT_SUBR(4);
15347 fn_len = tvb_get_letohl(tvb, offset);
15348 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
15349 COUNT_BYTES_SUBR(4);
15350
15351 /*
15352 * EA length.
15353 *
15354 * XXX - in one captures, this has the topmost bit set, and the
15355 * rest of the bits have the value 7. Is the topmost bit being
15356 * set some indication that the value *isn't* the length of
15357 * the EAs?
15358 */
15359 CHECK_BYTE_COUNT_SUBR(4);
15360 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15361 COUNT_BYTES_SUBR(4);
15362
15363 /* skip 4 bytes */
15364 COUNT_BYTES_SUBR(4);
15365
15366 CHECK_BYTE_COUNT_SUBR(8);
15367 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15368 COUNT_BYTES_SUBR(8);
15369
15370 /* file name */
15371 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
15372 CHECK_STRING_SUBR(fn);
15373 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
15374 fn);
15375 COUNT_BYTES_SUBR(fn_len);
15376
15377 /* skip to next structure */
15378 if (neo) {
15379 padcnt = (old_offset + neo) - offset;
15380 if (padcnt < 0) {
15381 /*
15382 * XXX - this is bogus; flag it?
15383 */
15384 padcnt = 0;
15385 }
15386 if (padcnt != 0) {
15387 CHECK_BYTE_COUNT_SUBR(padcnt);
15388 COUNT_BYTES_SUBR(padcnt);
15389 }
15390 }
15391
15392 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
15393 proto_item_set_len(item, offset-old_offset);
15394
15395 *trunc = false;
15396 return offset;
15397 }
15398
15399 static int
15400 dissect_4_3_4_6_id_both(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
15401 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
15402 {
15403 int fn_len, sfn_len;
15404 const char *fn, *sfn;
15405 int old_offset = offset;
15406 proto_item *item;
15407 proto_tree *tree;
15408 uint32_t neo;
15409 int padcnt;
15410
15411 DISSECTOR_ASSERT(si);
15412
15413 /*
15414 * We check this first before adding the sub-tree so things do not
15415 * get ugly.
15416 */
15417
15418 /* next entry offset */
15419 CHECK_BYTE_COUNT_SUBR(4);
15420 neo = tvb_get_letohl(tvb, offset);
15421
15422 /* Ensure we have the bytes we need, which is up to neo */
15423 tvb_ensure_bytes_exist(tvb, offset, neo ? neo : *bcp);
15424
15425 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
15426 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
15427
15428 /*
15429 * XXX - I have not seen any of these that contain a resume
15430 * key, even though some of the requests had the "return resume
15431 * key" flag set.
15432 */
15433
15434 CHECK_BYTE_COUNT_SUBR(4);
15435 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
15436 COUNT_BYTES_SUBR(4);
15437
15438 /* file index */
15439 CHECK_BYTE_COUNT_SUBR(4);
15440 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15441 COUNT_BYTES_SUBR(4);
15442
15443 /* dissect standard 8-byte timestamps */
15444 offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
15445 if (*trunc) {
15446 return offset;
15447 }
15448
15449 /* end of file */
15450 CHECK_BYTE_COUNT_SUBR(8);
15451 proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15452 COUNT_BYTES_SUBR(8);
15453
15454 /* allocation size */
15455 CHECK_BYTE_COUNT_SUBR(8);
15456 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15457 COUNT_BYTES_SUBR(8);
15458
15459 /* Extended File Attributes */
15460 CHECK_BYTE_COUNT_SUBR(4);
15461 offset = dissect_file_ext_attr(tvb, tree, offset);
15462 *bcp -= 4;
15463
15464 /* file name len */
15465 CHECK_BYTE_COUNT_SUBR(4);
15466 fn_len = tvb_get_letohl(tvb, offset);
15467 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
15468 COUNT_BYTES_SUBR(4);
15469
15470 /*
15471 * EA length.
15472 *
15473 * XXX - in one captures, this has the topmost bit set, and the
15474 * rest of the bits have the value 7. Is the topmost bit being
15475 * set some indication that the value *isn't* the length of
15476 * the EAs?
15477 */
15478 CHECK_BYTE_COUNT_SUBR(4);
15479 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15480 COUNT_BYTES_SUBR(4);
15481
15482 /* short file name len */
15483 CHECK_BYTE_COUNT_SUBR(1);
15484 sfn_len = tvb_get_uint8(tvb, offset);
15485 proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
15486 COUNT_BYTES_SUBR(1);
15487
15488 /* reserved byte */
15489 CHECK_BYTE_COUNT_SUBR(1);
15490 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
15491 COUNT_BYTES_SUBR(1);
15492
15493 /* short file name - it's not always in Unicode */
15494 sfn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &sfn_len, false, true, bcp);
15495 CHECK_STRING_SUBR(sfn);
15496 proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
15497 sfn);
15498 COUNT_BYTES_SUBR(24);
15499
15500 /* reserved bytes */
15501 CHECK_BYTE_COUNT_SUBR(2);
15502 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
15503 COUNT_BYTES_SUBR(2);
15504
15505 /* file id */
15506 CHECK_BYTE_COUNT_SUBR(8);
15507 proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15508 COUNT_BYTES_SUBR(8);
15509
15510 /* file name */
15511 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
15512 CHECK_STRING_SUBR(fn);
15513 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
15514 fn);
15515 COUNT_BYTES_SUBR(fn_len);
15516
15517 /* skip to next structure */
15518 if (neo) {
15519 padcnt = (old_offset + neo) - offset;
15520 if (padcnt < 0) {
15521 /*
15522 * XXX - this is bogus; flag it?
15523 */
15524 padcnt = 0;
15525 }
15526 if (padcnt != 0) {
15527 CHECK_BYTE_COUNT_SUBR(padcnt);
15528 COUNT_BYTES_SUBR(padcnt);
15529 }
15530 }
15531
15532 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
15533 proto_item_set_len(item, offset-old_offset);
15534
15535 *trunc = false;
15536 return offset;
15537 }
15538
15539 static int
15540 dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
15541 int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
15542 {
15543 int fn_len;
15544 const char *fn;
15545 int old_offset = offset;
15546 proto_item *item;
15547 proto_tree *tree;
15548 uint32_t neo;
15549 int padcnt;
15550
15551 DISSECTOR_ASSERT(si);
15552
15553 /*
15554 * We check this first before adding the sub-tree so things do not
15555 * get ugly.
15556 */
15557
15558 /* next entry offset */
15559 CHECK_BYTE_COUNT_SUBR(4);
15560 neo = tvb_get_letohl(tvb, offset);
15561
15562 /* Ensure we have the bytes we need, which is up to neo */
15563 tvb_ensure_bytes_exist(tvb, offset, neo ? neo : *bcp);
15564
15565 tree = proto_tree_add_subtree(parent_tree, tvb, offset, *bcp, ett_smb_ff2_data, &item,
15566 val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
15567
15568 /*
15569 * We assume that the presence of a next entry offset implies the
15570 * absence of a resume key, as appears to be the case for 4.3.4.6.
15571 */
15572
15573 CHECK_BYTE_COUNT_SUBR(4);
15574 proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
15575 COUNT_BYTES_SUBR(4);
15576
15577 /* file index */
15578 CHECK_BYTE_COUNT_SUBR(4);
15579 proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15580 COUNT_BYTES_SUBR(4);
15581
15582 /* file name len */
15583 CHECK_BYTE_COUNT_SUBR(4);
15584 fn_len = tvb_get_letohl(tvb, offset);
15585 proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
15586 COUNT_BYTES_SUBR(4);
15587
15588 /* file name */
15589 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
15590 CHECK_STRING_SUBR(fn);
15591 proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
15592 fn);
15593 COUNT_BYTES_SUBR(fn_len);
15594
15595 /* skip to next structure */
15596 if (neo) {
15597 padcnt = (old_offset + neo) - offset;
15598 if (padcnt < 0) {
15599 /*
15600 * XXX - this is bogus; flag it?
15601 */
15602 padcnt = 0;
15603 }
15604 if (padcnt != 0) {
15605 CHECK_BYTE_COUNT_SUBR(padcnt);
15606 COUNT_BYTES_SUBR(padcnt);
15607 }
15608 }
15609
15610 proto_item_append_text(item, " File: %s", format_text(pinfo->pool, (const unsigned char*)fn, strlen(fn)));
15611 proto_item_set_len(item, offset-old_offset);
15612
15613 *trunc = false;
15614 return offset;
15615 }
15616
15617 /* 4.3.4.8 - SMB_FIND_FILE_UNIX */
15618
15619 static int
15620 dissect_4_3_4_8(tvbuff_t *tvb, packet_info *pinfo,
15621 proto_tree *tree, int offset, uint16_t *bcp,
15622 bool *trunc, smb_info_t *si)
15623 {
15624 const char *fn;
15625 int fn_len;
15626 int pad;
15627
15628 DISSECTOR_ASSERT(si);
15629
15630 /* NextEntryOffset */
15631 CHECK_BYTE_COUNT_SUBR(4);
15632 proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15633 COUNT_BYTES_SUBR(4);
15634
15635 /* ResumeKey */
15636 CHECK_BYTE_COUNT_SUBR(4);
15637 proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15638 COUNT_BYTES_SUBR(4);
15639
15640 /* Unix basic info */
15641 offset = dissect_4_2_16_12(tvb, pinfo, tree, offset, bcp, trunc);
15642 if (*trunc)
15643 return offset;
15644
15645 /* Name */
15646
15647 fn = get_unicode_or_ascii_string(pinfo->pool,
15648 tvb, &offset, si->unicode, &fn_len, false, false, bcp);
15649
15650 CHECK_STRING_SUBR(fn);
15651 proto_tree_add_string(
15652 tree, hf_smb_unix_file_name, tvb, offset, fn_len, fn);
15653 COUNT_BYTES_SUBR(fn_len);
15654
15655 /* Pad to 4 bytes */
15656
15657 if (offset % 4) {
15658 pad = 4 - (offset % 4);
15659 COUNT_BYTES_SUBR(pad);
15660 }
15661
15662 *trunc = false;
15663 return offset;
15664 }
15665
15666 static int
15667 dissect_find_file_unix_info2(tvbuff_t *tvb, packet_info *pinfo,
15668 proto_tree *tree, int offset, uint16_t *bcp,
15669 bool *trunc, smb_info_t *si)
15670 {
15671 const char *fn;
15672 uint32_t namelen;
15673 int fn_len;
15674 int pad;
15675
15676 DISSECTOR_ASSERT(si);
15677
15678 /* NextEntryOffset */
15679 CHECK_BYTE_COUNT_SUBR(4);
15680 proto_tree_add_item(tree, hf_smb_unix_find_file_nextoffset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15681 COUNT_BYTES_SUBR(4);
15682
15683 /* ResumeKey */
15684 CHECK_BYTE_COUNT_SUBR(4);
15685 proto_tree_add_item(tree, hf_smb_unix_find_file_resumekey, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15686 COUNT_BYTES_SUBR(4);
15687
15688 /* Unix Info2 */
15689 offset = dissect_qspi_unix_info2(tvb, pinfo, tree, offset, bcp, trunc);
15690 if (*trunc)
15691 return offset;
15692
15693 /* Name length */
15694 CHECK_BYTE_COUNT_SUBR(4);
15695 namelen = tvb_get_letohl(tvb, offset);
15696 proto_tree_add_uint(tree, hf_smb_unix_file_name_length, tvb, offset, 4, namelen);
15697 COUNT_BYTES_SUBR(4);
15698
15699 /* Name */
15700
15701 /*
15702 * namelen could be > 2^31-1; this will catch that.
15703 * The length argument to get_unicode_or_ascii_string() is an
15704 * int, not an unsigned int, so we have to worry about that.
15705 */
15706 tvb_ensure_bytes_exist(tvb, offset, namelen);
15707 fn_len = namelen;
15708 fn = get_unicode_or_ascii_string(pinfo->pool,
15709 tvb, &offset, si->unicode, &fn_len, true, true, bcp);
15710
15711 CHECK_STRING_SUBR(fn);
15712 proto_tree_add_string(
15713 tree, hf_smb_unix_file_name, tvb, offset, fn_len, fn);
15714 COUNT_BYTES_SUBR(fn_len);
15715
15716 /* Pad to 4 bytes */
15717
15718 if (offset % 4) {
15719 pad = 4 - (offset % 4);
15720 CHECK_BYTE_COUNT_SUBR(pad);
15721 COUNT_BYTES_SUBR(pad);
15722 }
15723
15724 *trunc = false;
15725 return offset;
15726 }
15727
15728 /*dissect the data block for TRANS2_FIND_FIRST2*/
15729 static int
15730 dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
15731 proto_tree * tree, int offset, uint16_t *bcp, bool *trunc, smb_info_t *si)
15732 {
15733 if (!*bcp) {
15734 *trunc = false;
15735 return offset;
15736 }
15737
15738 DISSECTOR_ASSERT(si);
15739
15740 switch(si->info_level) {
15741 case 1: /*Info Standard*/
15742 offset = dissect_4_3_4_1(tvb, pinfo, tree, offset, bcp,
15743 trunc, si);
15744 break;
15745 case 2: /*Info Query EA Size*/
15746 offset = dissect_4_3_4_2(tvb, pinfo, tree, offset, bcp,
15747 trunc, si);
15748 break;
15749 case 3: /* Info Query EAs From List same as
15750 * InfoQueryEASize.
15751 * Not according to MS-CIFS 2.2.8.1.3. RJS
15752 */
15753 offset = dissect_4_3_4_3(tvb, pinfo, tree, offset, bcp,
15754 trunc, si);
15755 break;
15756 case 0x0101: /*Find File Directory Info*/
15757 offset = dissect_4_3_4_4(tvb, pinfo, tree, offset, bcp,
15758 trunc, si);
15759 break;
15760 case 0x0102: /*Find File Full Directory Info*/
15761 offset = dissect_4_3_4_5(tvb, pinfo, tree, offset, bcp,
15762 trunc, si);
15763 break;
15764 case 0x0103: /*Find File Names Info*/
15765 offset = dissect_4_3_4_7(tvb, pinfo, tree, offset, bcp,
15766 trunc, si);
15767 break;
15768 case 0x0104: /*Find File Both Directory Info*/
15769 offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
15770 trunc, si);
15771 break;
15772 case 0x0105: /*Find File Full Directory Info*/
15773 offset = dissect_4_3_4_6full(tvb, pinfo, tree, offset, bcp,
15774 trunc, si);
15775 break;
15776 case 0x0106: /*Find File Id Both Directory Info*/
15777 offset = dissect_4_3_4_6_id_both(tvb, pinfo, tree, offset, bcp,
15778 trunc, si);
15779 break;
15780 case 0x0202: /*Find File Unix*/
15781 offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
15782 trunc, si);
15783 break;
15784 case 0x020B: /*Find File Unix Info2*/
15785 offset = dissect_find_file_unix_info2(tvb, pinfo, tree, offset, bcp,
15786 trunc, si);
15787 break;
15788 default: /* unknown info level */
15789 *trunc = false;
15790 break;
15791 }
15792 return offset;
15793 }
15794
15795
15796 /* is this one just wrong and should be dissect_fs0105_attributes above ? */
15797 static int
15798 dissect_fs_attributes(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
15799 {
15800 static int * const flags[] = {
15801 /* case sensitive search */
15802 &hf_smb_fs_attr_css,
15803 /* case preserved names */
15804 &hf_smb_fs_attr_cpn,
15805 /* unicode on disk */
15806 &hf_smb_fs_attr_uod,
15807 /* persistent acls */
15808 &hf_smb_fs_attr_pacls,
15809 /* file compression */
15810 &hf_smb_fs_attr_fc,
15811 /* volume quotas */
15812 &hf_smb_fs_attr_vq,
15813 /* sparse files */
15814 &hf_smb_fs_attr_ssf,
15815 /* reparse points */
15816 &hf_smb_fs_attr_srp,
15817 /* remote storage */
15818 &hf_smb_fs_attr_srs,
15819 /* lfn apis */
15820 &hf_smb_fs_attr_sla,
15821 /* volume is compressed */
15822 &hf_smb_fs_attr_vic,
15823 /* support oids */
15824 &hf_smb_fs_attr_soids,
15825 /* encryption */
15826 &hf_smb_fs_attr_se,
15827 /* named streams */
15828 &hf_smb_fs_attr_ns,
15829 /* read only volume */
15830 &hf_smb_fs_attr_rov,
15831 /* sequential write once */
15832 &hf_smb_fs_attr_swo,
15833 /* supports transactions */
15834 &hf_smb_fs_attr_st,
15835 /* supports hard links */
15836 &hf_smb_fs_attr_shl,
15837 /* supports integrity streams */
15838 &hf_smb_fs_attr_sis,
15839 /* supports block refcounting */
15840 &hf_smb_fs_attr_sbr,
15841 /* supports sparse vdl */
15842 &hf_smb_fs_attr_ssv,
15843 NULL
15844 };
15845
15846 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_fs_attr, ett_smb_fs_attributes, flags, ENC_LITTLE_ENDIAN);
15847 offset += 4;
15848
15849 return offset;
15850 }
15851
15852
15853 static int
15854 dissect_device_characteristics(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
15855 {
15856 static int * const mask[] = {
15857 &hf_smb_device_char_removable,
15858 &hf_smb_device_char_read_only,
15859 &hf_smb_device_char_floppy,
15860 &hf_smb_device_char_write_once,
15861 &hf_smb_device_char_remote,
15862 &hf_smb_device_char_mounted,
15863 &hf_smb_device_char_virtual,
15864 &hf_smb_device_char_secure_open,
15865 &hf_smb_device_char_ts,
15866 &hf_smb_device_char_webdav,
15867 &hf_smb_device_char_portable,
15868 &hf_smb_device_char_aat,
15869 NULL
15870 };
15871
15872 proto_tree_add_bitmask_with_flags(parent_tree, tvb, offset, hf_smb_device_char,
15873 ett_smb_device_characteristics, mask, ENC_LITTLE_ENDIAN, BMT_NO_APPEND);
15874
15875 offset += 4;
15876 return offset;
15877 }
15878
15879 /*dissect the data block for TRANS2_QUERY_FS_INFORMATION*/
15880
15881 static const true_false_string tfs_smb_mac_access_ctrl = {
15882 "Macintosh Access Control Supported",
15883 "Macintosh Access Control Not Supported"
15884 };
15885
15886 static const true_false_string tfs_smb_mac_getset_comments = {
15887 "Macintosh Get & Set Comments Supported",
15888 "Macintosh Get & Set Comments Not Supported"
15889 };
15890
15891 static const true_false_string tfs_smb_mac_desktopdb_calls = {
15892 "Macintosh Get & Set Desktop Database Info Supported",
15893 "Macintosh Get & Set Desktop Database Info Not Supported"
15894 };
15895
15896 static const true_false_string tfs_smb_mac_unique_ids = {
15897 "Macintosh Unique IDs Supported",
15898 "Macintosh Unique IDs Not Supported"
15899 };
15900
15901 static const true_false_string tfs_smb_mac_streams = {
15902 "Macintosh and Streams Extensions Not Supported",
15903 "Macintosh and Streams Extensions Supported"
15904 };
15905
15906 int
15907 dissect_qfsi_FS_VOLUME_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, uint16_t *bcp, int unicode)
15908 {
15909 int fn_len, vll;
15910 const char *fn;
15911
15912 /* create time */
15913 CHECK_BYTE_COUNT_TRANS_SUBR(8);
15914 dissect_nttime(tvb, tree, offset,
15915 hf_smb_create_time, ENC_LITTLE_ENDIAN);
15916 COUNT_BYTES_TRANS_SUBR(8);
15917
15918 /* volume serial number */
15919 CHECK_BYTE_COUNT_TRANS_SUBR(4);
15920 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15921 COUNT_BYTES_TRANS_SUBR(4);
15922
15923 /* volume label length */
15924 CHECK_BYTE_COUNT_TRANS_SUBR(4);
15925 vll = tvb_get_letohl(tvb, offset);
15926 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
15927 COUNT_BYTES_TRANS_SUBR(4);
15928
15929 /* 2 reserved bytes */
15930 CHECK_BYTE_COUNT_TRANS_SUBR(2);
15931 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
15932 COUNT_BYTES_TRANS_SUBR(2);
15933
15934 /* label */
15935 fn_len = vll;
15936 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, unicode, &fn_len, false, true, bcp);
15937 CHECK_STRING_TRANS_SUBR(fn);
15938 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len,
15939 fn);
15940 COUNT_BYTES_TRANS_SUBR(fn_len);
15941
15942 return offset;
15943 }
15944
15945 int
15946 dissect_qfsi_FS_SIZE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, uint16_t *bcp)
15947 {
15948 /* allocation size */
15949 CHECK_BYTE_COUNT_TRANS_SUBR(8);
15950 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15951 COUNT_BYTES_TRANS_SUBR(8);
15952
15953 /* free allocation units */
15954 CHECK_BYTE_COUNT_TRANS_SUBR(8);
15955 proto_tree_add_item(tree, hf_smb_free_alloc_units64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
15956 COUNT_BYTES_TRANS_SUBR(8);
15957
15958 /* sectors per unit */
15959 CHECK_BYTE_COUNT_TRANS_SUBR(4);
15960 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15961 COUNT_BYTES_TRANS_SUBR(4);
15962
15963 /* bytes per sector */
15964 CHECK_BYTE_COUNT_TRANS_SUBR(4);
15965 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15966 COUNT_BYTES_TRANS_SUBR(4);
15967
15968 return offset;
15969 }
15970
15971 int
15972 dissect_qfsi_FS_DEVICE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, uint16_t *bcp)
15973 {
15974 /* device type */
15975 CHECK_BYTE_COUNT_TRANS_SUBR(4);
15976 proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
15977 COUNT_BYTES_TRANS_SUBR(4);
15978
15979 /* device characteristics */
15980 CHECK_BYTE_COUNT_TRANS_SUBR(4);
15981 offset = dissect_device_characteristics(tvb, tree, offset);
15982 *bcp -= 4;
15983
15984 return offset;
15985 }
15986
15987 int
15988 dissect_qfsi_FS_ATTRIBUTE_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, uint16_t *bcp)
15989 {
15990 int fn_len, fnl;
15991 const char *fn;
15992
15993 /* FS attributes */
15994 CHECK_BYTE_COUNT_TRANS_SUBR(4);
15995 offset = dissect_fs_attributes(tvb, tree, offset);
15996 *bcp -= 4;
15997
15998 /* max name len */
15999 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16000 proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16001 COUNT_BYTES_TRANS_SUBR(4);
16002
16003 /* fs name length */
16004 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16005 fnl = tvb_get_letohl(tvb, offset);
16006 proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
16007 COUNT_BYTES_TRANS_SUBR(4);
16008
16009 /* label */
16010 fn_len = fnl;
16011 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, true, &fn_len, false, true, bcp);
16012 CHECK_STRING_TRANS_SUBR(fn);
16013 proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
16014 fn);
16015 COUNT_BYTES_TRANS_SUBR(fn_len);
16016
16017 return offset;
16018 }
16019
16020 int
16021 dissect_qfsi_FS_OBJECTID_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, uint16_t *bcp)
16022 {
16023 CHECK_BYTE_COUNT_TRANS_SUBR(64);
16024
16025 dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
16026
16027 COUNT_BYTES_TRANS_SUBR(64);
16028
16029 return offset;
16030 }
16031
16032 int
16033 dissect_qfsi_FS_FULL_SIZE_INFO(tvbuff_t * tvb, packet_info * pinfo _U_, proto_tree * tree, int offset, uint16_t *bcp)
16034 {
16035 /* allocation size */
16036 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16037 proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
16038 COUNT_BYTES_TRANS_SUBR(8);
16039
16040 /* caller free allocation units */
16041 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16042 proto_tree_add_item(tree, hf_smb_caller_free_alloc_units64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
16043 COUNT_BYTES_TRANS_SUBR(8);
16044
16045 /* actual free allocation units */
16046 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16047 proto_tree_add_item(tree, hf_smb_actual_free_alloc_units64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
16048 COUNT_BYTES_TRANS_SUBR(8);
16049
16050 /* sectors per unit */
16051 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16052 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16053 COUNT_BYTES_TRANS_SUBR(4);
16054
16055 /* bytes per sector */
16056 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16057 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16058 COUNT_BYTES_TRANS_SUBR(4);
16059
16060 return offset;
16061 }
16062
16063 static int
16064 dissect_qfsi_vals(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree,
16065 int offset, uint16_t *bcp, smb_info_t *si)
16066 {
16067 int fn_len, vll;
16068 const char *fn;
16069
16070 if (!*bcp) {
16071 return offset;
16072 }
16073
16074 DISSECTOR_ASSERT(si);
16075
16076 switch(si->info_level) {
16077 case 1: /* SMB_INFO_ALLOCATION */
16078 /* filesystem id */
16079 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16080 proto_tree_add_item(tree, hf_smb_fs_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16081 COUNT_BYTES_TRANS_SUBR(4);
16082
16083 /* sectors per unit */
16084 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16085 proto_tree_add_item(tree, hf_smb_sector_unit, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16086 COUNT_BYTES_TRANS_SUBR(4);
16087
16088 /* units */
16089 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16090 proto_tree_add_item(tree, hf_smb_fs_units, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16091 COUNT_BYTES_TRANS_SUBR(4);
16092
16093 /* avail units */
16094 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16095 proto_tree_add_item(tree, hf_smb_avail_units, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16096 COUNT_BYTES_TRANS_SUBR(4);
16097
16098 /* bytes per sector, only 16bit integer here */
16099 CHECK_BYTE_COUNT_TRANS_SUBR(2);
16100 proto_tree_add_item(tree, hf_smb_fs_sector, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16101 COUNT_BYTES_TRANS_SUBR(2);
16102
16103 break;
16104 case 2: /* SMB_INFO_VOLUME */
16105 /* volume serial number */
16106 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16107 proto_tree_add_item(tree, hf_smb_volume_serial_num, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16108 COUNT_BYTES_TRANS_SUBR(4);
16109
16110 /* volume label length, only one byte here */
16111 CHECK_BYTE_COUNT_TRANS_SUBR(1);
16112 proto_tree_add_item_ret_uint(tree, hf_smb_volume_label_len, tvb, offset, 1, ENC_NA, &fn_len);
16113 COUNT_BYTES_TRANS_SUBR(1);
16114
16115 /* label - not aligned! */
16116 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, true, true, bcp);
16117 CHECK_STRING_TRANS_SUBR(fn);
16118 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len, fn);
16119 COUNT_BYTES_TRANS_SUBR(fn_len);
16120
16121 break;
16122 case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */
16123 case 1002: /* SMB_FS_LABEL_INFORMATION */
16124 /* volume label length */
16125 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16126 vll = tvb_get_letohl(tvb, offset);
16127 proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll);
16128 COUNT_BYTES_TRANS_SUBR(4);
16129
16130 /* label */
16131 fn_len = vll;
16132 fn = get_unicode_or_ascii_string(pinfo->pool, tvb, &offset, si->unicode, &fn_len, false, true, bcp);
16133 CHECK_STRING_TRANS_SUBR(fn);
16134 proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len, fn);
16135 COUNT_BYTES_TRANS_SUBR(fn_len);
16136
16137 break;
16138 case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */
16139 case 1001: /* SMB_FS_VOLUME_INFORMATION */
16140 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, bcp, si->unicode);
16141 break;
16142 case 0x0103: /* SMB_QUERY_FS_SIZE_INFO */
16143 case 1003: /* SMB_FS_SIZE_INFORMATION */
16144 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, bcp);
16145 break;
16146 case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */
16147 case 1004: /* SMB_FS_DEVICE_INFORMATION */
16148 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, bcp);
16149 break;
16150 case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */
16151 case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */
16152 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, bcp);
16153 break;
16154 case 0x200: { /* SMB_QUERY_CIFS_UNIX_INFO */
16155 proto_item *item_2 = NULL;
16156 proto_tree *subtree = NULL;
16157
16158 /* MajorVersionNumber */
16159 CHECK_BYTE_COUNT_TRANS_SUBR(2);
16160 proto_tree_add_item(tree, hf_smb_unix_major_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16161 COUNT_BYTES_TRANS_SUBR(2);
16162
16163 /* MinorVersionNumber */
16164 CHECK_BYTE_COUNT_TRANS_SUBR(2);
16165 proto_tree_add_item(tree, hf_smb_unix_minor_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16166 COUNT_BYTES_TRANS_SUBR(2);
16167
16168 /* Capability */
16169
16170 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16171
16172 if (tree) {
16173 item_2 = proto_tree_add_item(tree, hf_smb_unix_capability, tvb, offset, 8, ENC_LITTLE_ENDIAN);
16174 subtree = proto_item_add_subtree(
16175 item_2, ett_smb_unix_capabilities);
16176 }
16177
16178 proto_tree_add_item(
16179 subtree, hf_smb_unix_capability_fcntl, tvb, offset, 4,
16180 ENC_LITTLE_ENDIAN);
16181
16182 proto_tree_add_item(
16183 subtree, hf_smb_unix_capability_posix_acl, tvb, offset, 4,
16184 ENC_LITTLE_ENDIAN);
16185
16186 proto_tree_add_item(
16187 subtree, hf_smb_unix_capability_xattr, tvb, offset, 4,
16188 ENC_LITTLE_ENDIAN);
16189
16190 proto_tree_add_item(
16191 subtree, hf_smb_unix_capability_attr, tvb, offset, 4,
16192 ENC_LITTLE_ENDIAN);
16193
16194 proto_tree_add_item(
16195 subtree, hf_smb_unix_capability_posix_paths, tvb, offset, 4,
16196 ENC_LITTLE_ENDIAN);
16197
16198 proto_tree_add_item(
16199 subtree, hf_smb_unix_capability_posix_path_ops, tvb, offset, 4,
16200 ENC_LITTLE_ENDIAN);
16201
16202 proto_tree_add_item(
16203 subtree, hf_smb_unix_capability_large_read, tvb, offset, 4,
16204 ENC_LITTLE_ENDIAN);
16205
16206 proto_tree_add_item(
16207 subtree, hf_smb_unix_capability_large_write, tvb, offset, 4,
16208 ENC_LITTLE_ENDIAN);
16209
16210 proto_tree_add_item(
16211 subtree, hf_smb_unix_capability_encryption, tvb, offset, 4,
16212 ENC_LITTLE_ENDIAN);
16213
16214 proto_tree_add_item(
16215 subtree, hf_smb_unix_capability_mandatory_crypto, tvb, offset, 4,
16216 ENC_LITTLE_ENDIAN);
16217
16218 proto_tree_add_item(
16219 subtree, hf_smb_unix_capability_proxy, tvb, offset, 4,
16220 ENC_LITTLE_ENDIAN);
16221
16222 COUNT_BYTES_TRANS_SUBR(8);
16223
16224 break;
16225 }
16226
16227 case 0x202: { /* SMB_QUERY_POSIX_WHOAMI */
16228 proto_tree *st_gids;
16229 uint32_t num_gids;
16230 unsigned i;
16231 proto_tree *st_sids;
16232 int old_sid_offset;
16233 uint32_t num_sids;
16234 uint32_t sids_buflen;
16235
16236 /* Mapping flags */
16237 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16238 proto_tree_add_item(tree, hf_smb_unix_whoami_mapflags,
16239 tvb, offset, 4, ENC_LITTLE_ENDIAN);
16240 COUNT_BYTES_TRANS_SUBR(4);
16241
16242 /* Mapping flags mask */
16243 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16244 proto_tree_add_item(tree, hf_smb_unix_whoami_mapflags_mask,
16245 tvb, offset, 4, ENC_LITTLE_ENDIAN);
16246 COUNT_BYTES_TRANS_SUBR(4);
16247
16248 /* primary UID */
16249 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16250 proto_tree_add_item(tree, hf_smb_unix_file_uid,
16251 tvb, offset, 8, ENC_LITTLE_ENDIAN);
16252 COUNT_BYTES_TRANS_SUBR(8);
16253
16254 /* primary GID */
16255 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16256 proto_tree_add_item(tree, hf_smb_unix_file_gid,
16257 tvb, offset, 8, ENC_LITTLE_ENDIAN);
16258 COUNT_BYTES_TRANS_SUBR(8);
16259
16260 /* number of supplementary GIDs */
16261 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16262 num_gids = tvb_get_letohl(tvb, offset);
16263 proto_tree_add_item(tree, hf_smb_unix_whoami_num_supl_gids,
16264 tvb, offset, 4, ENC_LITTLE_ENDIAN);
16265 COUNT_BYTES_TRANS_SUBR(4);
16266
16267 /* number of supplementary SIDs */
16268 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16269 num_sids = tvb_get_letohl(tvb, offset);
16270 proto_tree_add_item(tree, hf_smb_unix_whoami_num_supl_sids,
16271 tvb, offset, 4, ENC_LITTLE_ENDIAN);
16272 COUNT_BYTES_TRANS_SUBR(4);
16273
16274 /* supplementary SIDs buffer length */
16275 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16276 sids_buflen = tvb_get_letohl(tvb, offset);
16277 proto_tree_add_item(tree, hf_smb_unix_whoami_sids_buflen,
16278 tvb, offset, 4, ENC_LITTLE_ENDIAN);
16279 COUNT_BYTES_TRANS_SUBR(4);
16280
16281 /* pad / reserved (must be zero) */
16282 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16283 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 4, ENC_NA);
16284 COUNT_BYTES_TRANS_SUBR(4);
16285
16286
16287 /* GIDs */
16288 st_gids = proto_tree_add_subtree(tree, tvb, offset, num_gids * 8,
16289 ett_smb_unix_whoami_gids, NULL, "Supplementary UNIX GIDs");
16290
16291 for (i = 0; i < num_gids; i++) {
16292 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16293 proto_tree_add_item(st_gids, hf_smb_unix_file_gid,
16294 tvb, offset, 8, ENC_LITTLE_ENDIAN);
16295 COUNT_BYTES_TRANS_SUBR(8);
16296 }
16297
16298 /* SIDs */
16299 st_sids = proto_tree_add_subtree(tree, tvb, offset, sids_buflen,
16300 ett_smb_unix_whoami_sids, NULL, "List of SIDs");
16301
16302 for (i = 0; i < num_sids; i++) {
16303 old_sid_offset = offset;
16304 offset = dissect_nt_sid(tvb, offset, st_sids, "SID", NULL, -1);
16305 CHECK_BYTE_COUNT_TRANS_SUBR(offset-old_sid_offset);
16306 *bcp -= (offset - old_sid_offset);
16307 }
16308
16309 break;
16310 }
16311
16312 case 0x301: { /* MAC_QUERY_FS_INFO */
16313 static int * const support_flags[] = {
16314 &hf_smb_mac_sup_access_ctrl,
16315 &hf_smb_mac_sup_getset_comments,
16316 &hf_smb_mac_sup_desktopdb_calls,
16317 &hf_smb_mac_sup_unique_ids,
16318 &hf_smb_mac_sup_streams,
16319 NULL
16320 };
16321
16322 /* Create time */
16323 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16324 dissect_nttime(tvb, tree, offset, hf_smb_create_time, ENC_LITTLE_ENDIAN);
16325 COUNT_BYTES_TRANS_SUBR(8);
16326 /* Modify Time */
16327 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16328 dissect_nttime(tvb, tree, offset, hf_smb_modify_time, ENC_LITTLE_ENDIAN);
16329 COUNT_BYTES_TRANS_SUBR(8);
16330 /* Backup Time */
16331 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16332 dissect_nttime(tvb, tree, offset, hf_smb_backup_time, ENC_LITTLE_ENDIAN);
16333 CHECK_BYTE_COUNT_TRANS_SUBR(8);
16334 /* Allocation blocks */
16335 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16336 proto_tree_add_item(tree, hf_smb_mac_alloc_block_count, tvb,
16337 offset,
16338 4, ENC_LITTLE_ENDIAN);
16339 COUNT_BYTES_TRANS_SUBR(4);
16340 /* Allocation Block Size */
16341 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16342 proto_tree_add_item(tree, hf_smb_mac_alloc_block_size, tvb,
16343 offset, 4, ENC_LITTLE_ENDIAN);
16344 COUNT_BYTES_TRANS_SUBR(4);
16345 /* Free Block Count */
16346 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16347 proto_tree_add_item(tree, hf_smb_mac_free_block_count, tvb,
16348 offset, 4, ENC_LITTLE_ENDIAN);
16349 COUNT_BYTES_TRANS_SUBR(4);
16350 /* Finder Info ... */
16351 CHECK_BYTE_COUNT_TRANS_SUBR(32);
16352 proto_tree_add_bytes_format_value(tree, hf_smb_mac_fndrinfo, tvb,
16353 offset, 32, NULL,
16354 "%s",
16355 tvb_format_text(pinfo->pool, tvb, offset, 32));
16356 COUNT_BYTES_TRANS_SUBR(32);
16357 /* Number Files */
16358 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16359 proto_tree_add_item(tree, hf_smb_mac_root_file_count, tvb,
16360 offset, 4, ENC_LITTLE_ENDIAN);
16361 COUNT_BYTES_TRANS_SUBR(4);
16362 /* Number of Root Directories */
16363 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16364 proto_tree_add_item(tree, hf_smb_mac_root_dir_count, tvb,
16365 offset, 4, ENC_LITTLE_ENDIAN);
16366 COUNT_BYTES_TRANS_SUBR(4);
16367 /* Number of files */
16368 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16369 proto_tree_add_item(tree, hf_smb_mac_file_count, tvb,
16370 offset, 4, ENC_LITTLE_ENDIAN);
16371 COUNT_BYTES_TRANS_SUBR(4);
16372 /* Dir Count */
16373 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16374 proto_tree_add_item(tree, hf_smb_mac_dir_count, tvb,
16375 offset, 4, ENC_LITTLE_ENDIAN);
16376 COUNT_BYTES_TRANS_SUBR(4);
16377 /* Mac Support Flags */
16378 CHECK_BYTE_COUNT_TRANS_SUBR(4);
16379 proto_tree_add_bitmask(tree, tvb, offset, hf_smb_mac_sup, ett_smb_mac_support_flags, support_flags, ENC_LITTLE_ENDIAN);
16380 COUNT_BYTES_TRANS_SUBR(4);
16381 break;
16382 }
16383 case 1006: /* QUERY_FS_QUOTA_INFO */
16384 offset = dissect_nt_quota(tvb, tree, offset, bcp);
16385 break;
16386 case 1007: /* SMB_FS_FULL_SIZE_INFORMATION */
16387 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, bcp);
16388 break;
16389 case 1008: /* Query Object ID */ {
16390 offset = dissect_qfsi_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, bcp);
16391 break;
16392 }
16393 }
16394
16395 return offset;
16396 }
16397
16398 static int
16399 dissect_transaction2_response_data(tvbuff_t *tvb, packet_info *pinfo,
16400 proto_tree *parent_tree, smb_info_t *si)
16401 {
16402 proto_item *item = NULL;
16403 proto_tree *tree = NULL;
16404 smb_transact2_info_t *t2i;
16405 int count;
16406 bool trunc = false;
16407 int offset = 0;
16408 uint16_t dc;
16409
16410 dc = tvb_reported_length(tvb);
16411
16412 DISSECTOR_ASSERT(si);
16413
16414 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_T2I))
16415 t2i = (smb_transact2_info_t *)si->sip->extra_info;
16416 else
16417 t2i = NULL;
16418
16419 if (parent_tree) {
16420 if ((t2i != NULL) && (t2i->subcmd != -1)) {
16421 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, dc,
16422 ett_smb_transaction_data, &item, "%s Data",
16423 val_to_str_ext(t2i->subcmd, &trans2_cmd_vals_ext,
16424 "Unknown (0x%02x)"));
16425 } else {
16426 tree = proto_tree_add_subtree(parent_tree, tvb, offset, dc,
16427 ett_smb_transaction_data, &item, "Unknown Transaction2 Data");
16428 }
16429 }
16430
16431 if (t2i == NULL) {
16432 offset += dc;
16433 return offset;
16434 }
16435 switch(t2i->subcmd) {
16436 case 0x0000: /*TRANS2_OPEN2*/
16437 /* XXX not implemented yet. See SNIA doc */
16438 break;
16439 case 0x0001: /*TRANS2_FIND_FIRST2*/
16440 /* returned data */
16441 count = si->info_count;
16442
16443 if (count == -1) {
16444 break;
16445 }
16446 col_append_fstr(pinfo->cinfo, COL_INFO,
16447 ", Files found: %u", count);
16448 if (count) {
16449 while (count--) {
16450 offset = dissect_ff2_response_data(tvb, pinfo, tree,
16451 offset, &dc, &trunc, si);
16452 if (trunc)
16453 break;
16454 }
16455 } else {
16456 col_append_str(pinfo->cinfo, COL_INFO,
16457 ", No files found");
16458 }
16459 break;
16460 case 0x0002: /*TRANS2_FIND_NEXT2*/
16461 /* returned data */
16462 count = si->info_count;
16463
16464 if (count == -1) {
16465 break;
16466 }
16467 if (count) {
16468 col_append_fstr(pinfo->cinfo, COL_INFO,
16469 ", Files found: %u", count);
16470 while (count--) {
16471 offset = dissect_ff2_response_data(tvb, pinfo, tree,
16472 offset, &dc, &trunc, si);
16473 if (trunc)
16474 break;
16475 }
16476 } else {
16477 col_append_str(pinfo->cinfo, COL_INFO,
16478 ", No files found");
16479 }
16480 break;
16481 case 0x0003: /*TRANS2_QUERY_FS_INFORMATION*/
16482 offset = dissect_qfsi_vals(tvb, pinfo, tree, offset, &dc, si);
16483 break;
16484 case 0x0004: /*TRANS2_SET_FS_INFORMATION*/
16485 offset = dissect_sfsi_response(tvb, pinfo, tree, offset, &dc, si);
16486 break;
16487 case 0x0005: /*TRANS2_QUERY_PATH_INFORMATION*/
16488 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, item, offset, &dc, si);
16489 break;
16490 case 0x0006: /*TRANS2_SET_PATH_INFORMATION*/
16491 /* no data in this response */
16492 break;
16493 case 0x0007: /*TRANS2_QUERY_FILE_INFORMATION*/
16494 /* identical to QUERY_PATH_INFO */
16495 offset = dissect_qpi_loi_vals(tvb, pinfo, tree, item, offset, &dc, si);
16496 break;
16497 case 0x0008: /*TRANS2_SET_FILE_INFORMATION*/
16498 /* no data in this response */
16499 break;
16500 case 0x0009: /*TRANS2_FSCTL*/
16501 /* XXX don't know how to dissect this one (yet)*/
16502
16503 /*
16504 * XXX - "Microsoft Networks SMB File Sharing Protocol
16505 * Extensions Version 3.0, Document Version 1.11,
16506 * July 19, 1990" says this contains a
16507 * "File system specific return data block".
16508 * (That means we may not be able to dissect it in any
16509 * case.)
16510 */
16511 break;
16512 case 0x000a: /*TRANS2_IOCTL2*/
16513 /* XXX don't know how to dissect this one (yet)*/
16514
16515 /*
16516 * XXX - "Microsoft Networks SMB File Sharing Protocol
16517 * Extensions Version 3.0, Document Version 1.11,
16518 * July 19, 1990" says this contains a
16519 * "Device/function specific return data block".
16520 * (That means we may not be able to dissect it in any
16521 * case.)
16522 */
16523 break;
16524 case 0x000b: /*TRANS2_FIND_NOTIFY_FIRST*/
16525 /* XXX don't know how to dissect this one (yet)*/
16526
16527 /*
16528 * XXX - "Microsoft Networks SMB File Sharing Protocol
16529 * Extensions Version 3.0, Document Version 1.11,
16530 * July 19, 1990" says this contains "the level
16531 * dependent information about the changes which
16532 * occurred".
16533 */
16534 break;
16535 case 0x000c: /*TRANS2_FIND_NOTIFY_NEXT*/
16536 /* XXX don't know how to dissect this one (yet)*/
16537
16538 /*
16539 * XXX - "Microsoft Networks SMB File Sharing Protocol
16540 * Extensions Version 3.0, Document Version 1.11,
16541 * July 19, 1990" says this contains "the level
16542 * dependent information about the changes which
16543 * occurred".
16544 */
16545 break;
16546 case 0x000d: /*TRANS2_CREATE_DIRECTORY*/
16547 /* no data in this response */
16548 break;
16549 case 0x000e: /*TRANS2_SESSION_SETUP*/
16550 /* XXX don't know how to dissect this one (yet)*/
16551 break;
16552 case 0x0010: /*TRANS2_GET_DFS_REFERRAL*/
16553 offset = dissect_get_dfs_referral_data(tvb, pinfo, tree, offset, &dc, si->unicode);
16554 break;
16555 case 0x0011: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
16556 /* the SNIA spec appears to say the response has no data */
16557 break;
16558 case -1:
16559 /*
16560 * We don't know what the matching request was; don't
16561 * bother putting anything else into the tree for the data.
16562 */
16563 offset += dc;
16564 dc = 0;
16565 break;
16566 }
16567
16568 /* ooops there were data we didn't know how to process */
16569 if (dc != 0) {
16570 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, dc, ENC_NA);
16571 offset += dc;
16572 }
16573
16574 return offset;
16575 }
16576
16577
16578 static int
16579 dissect_transaction2_response_parameters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb_info_t *si)
16580 {
16581 proto_item *item = NULL;
16582 proto_tree *tree = NULL;
16583 smb_transact2_info_t *t2i;
16584 uint16_t fid;
16585 int lno;
16586 int offset = 0;
16587 int pc;
16588 uint32_t search_id;
16589
16590 pc = tvb_reported_length(tvb);
16591
16592 DISSECTOR_ASSERT(si);
16593
16594 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_T2I))
16595 t2i = (smb_transact2_info_t *)si->sip->extra_info;
16596 else
16597 t2i = NULL;
16598
16599 if (parent_tree) {
16600 if ((t2i != NULL) && (t2i->subcmd != -1)) {
16601 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, pc,
16602 ett_smb_transaction_params, &item, "%s Parameters",
16603 val_to_str_ext(t2i->subcmd, &trans2_cmd_vals_ext,
16604 "Unknown (0x%02x)"));
16605 } else {
16606 tree = proto_tree_add_subtree(parent_tree, tvb, offset, pc,
16607 ett_smb_transaction_params, &item, "Unknown Transaction2 Parameters");
16608 }
16609 }
16610
16611 if (t2i == NULL) {
16612 offset += pc;
16613 return offset;
16614 }
16615 switch(t2i->subcmd) {
16616 case 0x00: /*TRANS2_OPEN2*/
16617 /* fid */
16618 fid = tvb_get_letohs(tvb, offset);
16619 dissect_smb_fid(tvb, pinfo, tree, offset, 2, fid, true, false, false, si);
16620 offset += 2;
16621
16622 /*
16623 * XXX - Microsoft Networks SMB File Sharing Protocol
16624 * Extensions Version 3.0, Document Version 1.11,
16625 * July 19, 1990 says that the file attributes, create
16626 * time (which it says is the last modification time),
16627 * data size, granted access, file type, and IPC state
16628 * are returned only if bit 0 is set in the open flags,
16629 * and that the EA length is returned only if bit 3
16630 * is set in the open flags. Does that mean that,
16631 * at least in that SMB dialect, those fields are not
16632 * present in the reply parameters if the bits in
16633 * question aren't set?
16634 */
16635
16636 /* File Attributes */
16637 offset = dissect_file_attributes(tvb, tree, offset);
16638
16639 /* create time */
16640 offset = dissect_smb_datetime(tvb, tree, offset,
16641 hf_smb_create_time,
16642 hf_smb_create_dos_date, hf_smb_create_dos_time, true);
16643
16644 /* data size */
16645 proto_tree_add_item(tree, hf_smb_data_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16646 offset += 4;
16647
16648 /* granted access */
16649 offset = dissect_access(tvb, tree, offset, hf_smb_granted_access);
16650
16651 /* File Type */
16652 proto_tree_add_item(tree, hf_smb_file_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16653 offset += 2;
16654
16655 /* IPC State */
16656 offset = dissect_ipc_state(tvb, tree, offset, false);
16657
16658 /* open_action */
16659 offset = dissect_open_action(tvb, tree, offset);
16660
16661 /* server unique file ID */
16662 proto_tree_add_item(tree, hf_smb_file_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16663 offset += 4;
16664
16665 /* ea error offset, only a 16 bit integer here */
16666 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16667 offset += 2;
16668
16669 /* ea length */
16670 proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
16671 offset += 4;
16672
16673 break;
16674 case 0x01: /*TRANS2_FIND_FIRST2*/
16675 /* Find First2 information level */
16676 proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, si->info_level);
16677
16678 /* sid */
16679
16680 proto_tree_add_item_ret_uint(tree, hf_smb_search_id, tvb, offset, 2,
16681 ENC_LITTLE_ENDIAN, &search_id);
16682 offset += 2;
16683
16684 col_append_fstr(pinfo->cinfo, COL_INFO, ", Search ID: %u", (uint16_t)search_id);
16685
16686 /* search count */
16687 si->info_count = tvb_get_letohs(tvb, offset);
16688 proto_tree_add_uint(tree, hf_smb_search_count_found, tvb, offset, 2, si->info_count);
16689 offset += 2;
16690
16691 /* end of search */
16692 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16693 offset += 2;
16694
16695 /* ea error offset, only a 16 bit integer here */
16696 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16697 offset += 2;
16698
16699 /* last name offset */
16700 lno = tvb_get_letohs(tvb, offset);
16701 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
16702 offset += 2;
16703
16704 break;
16705 case 0x02: /*TRANS2_FIND_NEXT2*/
16706 /* search count */
16707 si->info_count = tvb_get_letohs(tvb, offset);
16708 proto_tree_add_uint(tree, hf_smb_search_count_found, tvb, offset, 2, si->info_count);
16709 offset += 2;
16710
16711 /* end of search */
16712 proto_tree_add_item(tree, hf_smb_end_of_search, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16713 offset += 2;
16714
16715 /* ea_error_offset, only a 16 bit integer here*/
16716 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16717 offset += 2;
16718
16719 /* last name offset */
16720 lno = tvb_get_letohs(tvb, offset);
16721 proto_tree_add_uint(tree, hf_smb_last_name_offset, tvb, offset, 2, lno);
16722 offset += 2;
16723
16724 break;
16725 case 0x03: /*TRANS2_QUERY_FS_INFORMATION*/
16726 /* no parameter block here */
16727 break;
16728 case 0x05: /*TRANS2_QUERY_PATH_INFORMATION*/
16729 /* ea_error_offset, only a 16 bit integer here*/
16730 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16731 offset += 2;
16732
16733 break;
16734 case 0x06: /*TRANS2_SET_PATH_INFORMATION*/
16735 /* ea_error_offset, only a 16 bit integer here*/
16736 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16737 offset += 2;
16738
16739 break;
16740 case 0x07: /*TRANS2_QUERY_FILE_INFORMATION*/
16741 /* ea_error_offset, only a 16 bit integer here*/
16742 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16743 offset += 2;
16744
16745 break;
16746 case 0x08: /*TRANS2_SET_FILE_INFORMATION*/
16747 /* ea_error_offset, only a 16 bit integer here*/
16748 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16749 offset += 2;
16750
16751 break;
16752 case 0x09: /*TRANS2_FSCTL*/
16753 /* XXX don't know how to dissect this one (yet)*/
16754
16755 /*
16756 * XXX - "Microsoft Networks SMB File Sharing Protocol
16757 * Extensions Version 3.0, Document Version 1.11,
16758 * July 19, 1990" says this contains a
16759 * "File system specific return parameter block".
16760 * (That means we may not be able to dissect it in any
16761 * case.)
16762 */
16763 break;
16764 case 0x0a: /*TRANS2_IOCTL2*/
16765 /* XXX don't know how to dissect this one (yet)*/
16766
16767 /*
16768 * XXX - "Microsoft Networks SMB File Sharing Protocol
16769 * Extensions Version 3.0, Document Version 1.11,
16770 * July 19, 1990" says this contains a
16771 * "Device/function specific return parameter block".
16772 * (That means we may not be able to dissect it in any
16773 * case.)
16774 */
16775 break;
16776 case 0x0b: /*TRANS2_FIND_NOTIFY_FIRST*/
16777 /* Find Notify information level */
16778 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
16779
16780 /* Monitor handle */
16781 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16782 offset += 2;
16783
16784 /* Change count */
16785 si->info_count = tvb_get_letohs(tvb, offset);
16786 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
16787 offset += 2;
16788
16789 /* ea_error_offset, only a 16 bit integer here*/
16790 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16791 offset += 2;
16792
16793 break;
16794 case 0x0c: /*TRANS2_FIND_NOTIFY_NEXT*/
16795 /* Find Notify information level */
16796 proto_tree_add_uint(tree, hf_smb_fn_information_level, tvb, 0, 0, si->info_level);
16797
16798 /* Change count */
16799 si->info_count = tvb_get_letohs(tvb, offset);
16800 proto_tree_add_uint(tree, hf_smb_change_count, tvb, offset, 2, si->info_count);
16801 offset += 2;
16802
16803 /* ea_error_offset, only a 16 bit integer here*/
16804 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16805 offset += 2;
16806
16807 break;
16808 case 0x0d: /*TRANS2_CREATE_DIRECTORY*/
16809 /* ea error offset, only a 16 bit integer here */
16810 proto_tree_add_item(tree, hf_smb_ea_error_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
16811 offset += 2;
16812
16813 break;
16814 case 0x0e: /*TRANS2_SESSION_SETUP*/
16815 /* XXX don't know how to dissect this one (yet)*/
16816 break;
16817 case 0x10: /*TRANS2_GET_DFS_REFERRAL*/
16818 /* XXX don't know how to dissect this one (yet) see SNIA doc*/
16819 break;
16820 case 0x11: /*TRANS2_REPORT_DFS_INCONSISTENCY*/
16821 /* XXX don't know how to dissect this one (yet) see SNIA doc*/
16822 break;
16823 case -1:
16824 /*
16825 * We don't know what the matching request was; don't
16826 * bother putting anything else into the tree for the data.
16827 */
16828 offset += pc;
16829 break;
16830 }
16831
16832 /* ooops there were data we didn't know how to process */
16833 if (offset < pc) {
16834 proto_tree_add_item(tree, hf_smb_unknown, tvb, offset, pc-offset, ENC_NA);
16835 offset += pc-offset;
16836 }
16837 return offset;
16838 }
16839
16840
16841 static int
16842 dissect_transaction_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si)
16843 {
16844 uint8_t sc, wc;
16845 uint16_t od = 0, po = 0, pc = 0, pd = 0, dc = 0, dd = 0, td = 0, tp = 0;
16846 smb_transact2_info_t *t2i = NULL;
16847 uint32_t pid_mid = 0;
16848 uint16_t bc;
16849 int padcnt;
16850 bool dissected_trans;
16851 fragment_head *r_fd = NULL;
16852 tvbuff_t *pd_tvb = NULL, *d_tvb = NULL, *p_tvb = NULL;
16853 tvbuff_t *s_tvb = NULL, *sp_tvb = NULL;
16854 bool save_fragmented;
16855 proto_item *item;
16856
16857 DISSECTOR_ASSERT(si);
16858
16859 switch(si->cmd) {
16860 case SMB_COM_TRANSACTION2:
16861 /* transaction2 */
16862 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_T2I)) {
16863 t2i = (smb_transact2_info_t *)si->sip->extra_info;
16864 } else
16865 t2i = NULL;
16866 if (t2i == NULL) {
16867 /*
16868 * We didn't see the matching request, so we don't
16869 * know what type of transaction this is.
16870 */
16871 proto_tree_add_uint_format_value(tree, hf_smb_trans2_subcmd, tvb, 0, 0, -1,
16872 "<UNKNOWN> since request packet wasn't seen");
16873 col_append_str(pinfo->cinfo, COL_INFO, "<unknown>");
16874 } else {
16875 si->info_level = t2i->info_level;
16876 if (t2i->subcmd == -1) {
16877 /*
16878 * We didn't manage to extract the subcommand
16879 * from the matching request (perhaps because
16880 * the frame was short), so we don't know what
16881 * type of transaction this is.
16882 */
16883 proto_tree_add_uint_format_value(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd,
16884 "<UNKNOWN> since transaction code wasn't found in request packet");
16885 col_append_str(pinfo->cinfo, COL_INFO, "<unknown>");
16886 } else {
16887 proto_tree_add_uint(tree, hf_smb_trans2_subcmd, tvb, 0, 0, t2i->subcmd);
16888 switch (t2i->subcmd) {
16889
16890 case 0x0001: /* FIND_FIRST2 */
16891 if (t2i->info_level == -1)
16892 item = proto_tree_add_uint_format_value(tree, hf_smb_ff2_information_level, tvb, 0, 0, t2i->info_level,
16893 "<UNKNOWN> since information level wasn't found in request packet");
16894 else
16895 item = proto_tree_add_uint(tree, hf_smb_ff2_information_level, tvb, 0, 0, t2i->info_level);
16896 proto_item_set_generated(item);
16897 if (t2i->name) {
16898 item = proto_tree_add_string(tree, hf_smb_search_pattern, tvb, 0, 0, t2i->name);
16899 proto_item_set_generated(item);
16900 }
16901 break;
16902
16903 case 0x0005: /* QUERY_PATH_INFORMATION */
16904 if (t2i->info_level == -1)
16905 item = proto_tree_add_uint_format_value(tree, hf_smb_qpi_loi, tvb, 0, 0, t2i->info_level,
16906 "<UNKNOWN> since information level wasn't found in request packet");
16907 else
16908 item = proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, 0, 0, t2i->info_level);
16909 proto_item_set_generated(item);
16910 if (t2i->name) {
16911 item = proto_tree_add_string(tree, hf_smb_file_name, tvb, 0, 0, t2i->name);
16912 proto_item_set_generated(item);
16913 }
16914 break;
16915
16916 case 0x0007: /* QUERY_FILE_INFORMATION */
16917 if (t2i->info_level == -1)
16918 item = proto_tree_add_uint_format_value(tree, hf_smb_qpi_loi, tvb, 0, 0, t2i->info_level,
16919 "<UNKNOWN> since information level wasn't found in request packet");
16920 else
16921 item = proto_tree_add_uint(tree, hf_smb_qpi_loi, tvb, 0, 0, t2i->info_level);
16922 proto_item_set_generated(item);
16923 break;
16924
16925 case 0x0003: /* QUERY_FS_INFORMATION */
16926 if (t2i->info_level == -1)
16927 item = proto_tree_add_uint_format_value(tree, hf_smb_qfsi_information_level, tvb, 0, 0, si->info_level,
16928 "<UNKNOWN> since information level wasn't found in request packet");
16929 else
16930 item = proto_tree_add_uint(tree, hf_smb_qfsi_information_level, tvb, 0, 0, si->info_level);
16931 proto_item_set_generated(item);
16932 break;
16933
16934 case 0x0004: /* SET_FS_INFORMATION */
16935 if (t2i->info_level == -1)
16936 item = proto_tree_add_uint_format_value(tree, hf_smb_sfsi_information_level, tvb, 0, 0, si->info_level,
16937 "<UNKNOWN> since information level wasn't found in request packet");
16938 else
16939 item = proto_tree_add_uint(tree, hf_smb_sfsi_information_level, tvb, 0, 0, si->info_level);
16940 proto_item_set_generated(item);
16941 break;
16942 }
16943
16944 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
16945 val_to_str_ext(t2i->subcmd,
16946 &trans2_cmd_vals_ext,
16947 "<unknown (0x%02x)>"));
16948 }
16949 }
16950 break;
16951 }
16952
16953 WORD_COUNT;
16954
16955 /* total param count, only a 16bit integer here */
16956 tp = tvb_get_letohs(tvb, offset);
16957 proto_tree_add_uint(tree, hf_smb_total_param_count, tvb, offset, 2, tp);
16958 offset += 2;
16959
16960 /* total data count, only a 16 bit integer here */
16961 td = tvb_get_letohs(tvb, offset);
16962 proto_tree_add_uint(tree, hf_smb_total_data_count, tvb, offset, 2, td);
16963 offset += 2;
16964
16965 /* 2 reserved bytes */
16966 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
16967 offset += 2;
16968
16969 /* param count */
16970 pc = tvb_get_letohs(tvb, offset);
16971 proto_tree_add_uint(tree, hf_smb_param_count16, tvb, offset, 2, pc);
16972 offset += 2;
16973
16974 /* param offset */
16975 po = tvb_get_letohs(tvb, offset);
16976 proto_tree_add_uint(tree, hf_smb_param_offset16, tvb, offset, 2, po);
16977 offset += 2;
16978
16979 /* param disp */
16980 pd = tvb_get_letohs(tvb, offset);
16981 proto_tree_add_uint(tree, hf_smb_param_disp16, tvb, offset, 2, pd);
16982 offset += 2;
16983
16984 /* data count */
16985 dc = tvb_get_letohs(tvb, offset);
16986 proto_tree_add_uint(tree, hf_smb_data_count16, tvb, offset, 2, dc);
16987 offset += 2;
16988
16989 /* data offset */
16990 od = tvb_get_letohs(tvb, offset);
16991 proto_tree_add_uint(tree, hf_smb_data_offset16, tvb, offset, 2, od);
16992 offset += 2;
16993
16994 /* data displacement
16995 * The amount of data sent NOT including the data in this packet. If there are more
16996 * data to send per "Total Data Count", transact continuation packets will follow
16997 * until the td is reached (dd + dc = td).
16998 */
16999 dd = tvb_get_letohs(tvb, offset);
17000 proto_tree_add_uint(tree, hf_smb_data_disp16, tvb, offset, 2, dd);
17001 offset += 2;
17002
17003 /* Now that an FF2 FIND_NEXT2 or SET_FILE_INFO, or a SET_PATH_INFO response has been fully decoded,
17004 * we can remove it from the unmatched table. They were left in there to prevent
17005 * "response<unknown>" errors whenever there are multiple responses to the same request,
17006 * or requests with "Subcommand: <UNKNOWN>" errors, respectively.
17007 */
17008 if (pinfo->fd->visited && t2i) {
17009 if (t2i->subcmd == 0x0001 || t2i->subcmd == 0x0002 ||
17010 t2i->subcmd == 0x0006 || t2i->subcmd == 0x0008 ||
17011 si->cmd == SMB_COM_TRANSACTION2_SECONDARY ||
17012 si->cmd == SMB_COM_TRANSACTION_SECONDARY ||
17013 si->cmd == SMB_COM_NT_TRANSACT_SECONDARY) {
17014
17015 pid_mid = (si->pid << 16) | si->mid;
17016 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
17017 }
17018 }
17019
17020 if (td && td >= dc + dd ) {
17021 uint16_t diff = td - (dc + dd);
17022 item = proto_tree_add_uint(tree, hf_bytes_until_total_data_count, tvb, 0, 0, diff);
17023 proto_item_set_generated(item);
17024 }
17025 if (td && t2i) {
17026 col_append_fstr(pinfo->cinfo, COL_INFO,
17027 ", Data: %u of %u", dc + dd, td);
17028 }
17029
17030 /* setup count */
17031 sc = tvb_get_uint8(tvb, offset);
17032 proto_tree_add_uint(tree, hf_smb_setup_count, tvb, offset, 1, sc);
17033 offset += 1;
17034
17035 /* reserved byte */
17036 proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
17037 offset += 1;
17038
17039
17040 /* if there were any setup bytes, put them in a tvb for later */
17041 if (sc) {
17042 if ((2*sc) > tvb_reported_length_remaining(tvb, offset)) {
17043 s_tvb = tvb_new_subset_length_caplen(tvb, offset, tvb_reported_length_remaining(tvb, offset), 2*sc);
17044 } else {
17045 s_tvb = tvb_new_subset_length(tvb, offset, 2*sc);
17046 }
17047 sp_tvb = tvb_new_subset_remaining(tvb, offset);
17048 } else {
17049 s_tvb = NULL;
17050 sp_tvb = NULL;
17051 }
17052 offset += 2*sc;
17053
17054
17055 BYTE_COUNT;
17056
17057
17058 /* reassembly of SMB Transaction data payload.
17059 In this section we do reassembly of both the data and parameters
17060 blocks of the SMB transaction command.
17061 */
17062 save_fragmented = pinfo->fragmented;
17063 /* do we need reassembly? */
17064 if ( (td != dc) || (tp != pc) ) {
17065 /* oh yeah, either data or parameter section needs
17066 reassembly
17067 */
17068 pinfo->fragmented = true;
17069 if (smb_trans_reassembly) {
17070 /* ...and we were told to do reassembly */
17071 if (pc) {
17072 r_fd = smb_trans_defragment(tree, pinfo, tvb,
17073 po, pc, pd, td+tp, si);
17074
17075 }
17076 if ((r_fd == NULL) && dc) {
17077 r_fd = smb_trans_defragment(tree, pinfo, tvb,
17078 od, dc, dd+tp, td+tp, si);
17079 }
17080 }
17081 }
17082
17083 /* if we got a reassembled fd structure from the reassembly routine we must
17084 create pd_tvb from it
17085 */
17086 if (r_fd) {
17087 proto_item *frag_tree_item;
17088
17089 pd_tvb = tvb_new_chain(tvb, r_fd->tvb_data);
17090 add_new_data_source(pinfo, pd_tvb, "Reassembled SMB");
17091 show_fragment_tree(r_fd, &smb_frag_items, tree, pinfo, pd_tvb, &frag_tree_item);
17092 }
17093
17094
17095 if (pd_tvb) {
17096 /* OK we have reassembled data, extract d_tvb and p_tvb from it */
17097 if (tp) {
17098 p_tvb = tvb_new_subset_length(pd_tvb, 0, tp);
17099 }
17100 if (td) {
17101 d_tvb = tvb_new_subset_length(pd_tvb, tp, td);
17102 }
17103 } else {
17104 /* It was not reassembled. Do as best as we can.
17105 * in this case we always try to dissect the stuff if
17106 * data and param displacement is 0. i.e. for the first
17107 * (and maybe only) packet.
17108 */
17109 if ( (pd == 0) && (dd == 0) ) {
17110 int min;
17111 int reported_min;
17112 min = MIN(pc, tvb_reported_length_remaining(tvb, po));
17113 reported_min = MIN(pc, tvb_reported_length_remaining(tvb, po));
17114 if (min && reported_min) {
17115 p_tvb = tvb_new_subset_length_caplen(tvb, po, min, reported_min);
17116 }
17117 min = MIN(dc, tvb_reported_length_remaining(tvb, od));
17118 reported_min = MIN(dc, tvb_reported_length_remaining(tvb, od));
17119 if (min && reported_min) {
17120 d_tvb = tvb_new_subset_length_caplen(tvb, od, min, reported_min);
17121 }
17122 /*
17123 * A tvbuff containing the parameters
17124 * and the data.
17125 * XXX - check pc and dc as well?
17126 */
17127 if (tvb_reported_length_remaining(tvb, po)) {
17128 pd_tvb = tvb_new_subset_remaining(tvb, po);
17129 }
17130 }
17131 }
17132
17133
17134
17135 /* parameters */
17136 if (po > offset) {
17137 /* We have some padding bytes.
17138 */
17139 padcnt = po-offset;
17140 if (padcnt > bc)
17141 padcnt = bc;
17142 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, ENC_NA);
17143 COUNT_BYTES(padcnt);
17144 }
17145 if ((si->cmd == SMB_COM_TRANSACTION2) && p_tvb) {
17146 /* TRANSACTION2 parameters*/
17147 dissect_transaction2_response_parameters(p_tvb, pinfo, tree, si);
17148 }
17149 COUNT_BYTES(pc);
17150
17151
17152 /* data */
17153 if (od > offset) {
17154 /* We have some initial padding bytes.
17155 */
17156 padcnt = od-offset;
17157 if (padcnt > bc)
17158 padcnt = bc;
17159 proto_tree_add_item(tree, hf_smb_padding, tvb, offset, padcnt, ENC_NA);
17160 COUNT_BYTES(padcnt);
17161 }
17162 /*
17163 * If the data count is bigger than the count of bytes
17164 * remaining, clamp it so that the count of bytes remaining
17165 * doesn't go negative.
17166 */
17167 if (dc > bc)
17168 dc = bc;
17169 COUNT_BYTES(dc);
17170
17171
17172
17173 /* from now on, everything is in separate tvbuffs so we don't count
17174 the bytes with COUNT_BYTES any more.
17175 neither do we reference offset any more (which by now points to the
17176 first byte AFTER this PDU */
17177
17178
17179 if ((si->cmd == SMB_COM_TRANSACTION2) && d_tvb) {
17180 /* TRANSACTION2 parameters*/
17181 dissect_transaction2_response_data(d_tvb, pinfo, tree, si);
17182 }
17183
17184
17185 if (si->cmd == SMB_COM_TRANSACTION) {
17186 smb_transact_info_t *tri;
17187
17188 dissected_trans = false;
17189 if ((si->sip != NULL) && (si->sip->extra_info_type == SMB_EI_TRI))
17190 tri = (smb_transact_info_t *)si->sip->extra_info;
17191 else
17192 tri = NULL;
17193 if (tri != NULL) {
17194 switch(tri->subcmd) {
17195
17196 case TRANSACTION_PIPE:
17197 /* This function is safe to call for
17198 s_tvb == sp_tvb == NULL, i.e. if we don't
17199 know them at this point.
17200 It's also safe to call if "p_tvb"
17201 or "d_tvb" are null.
17202 */
17203 if ( pd_tvb) {
17204 dissected_trans = dissect_pipe_smb(
17205 sp_tvb, s_tvb, pd_tvb, p_tvb,
17206 d_tvb, NULL, pinfo, top_tree_global, si);
17207 }
17208 break;
17209
17210 case TRANSACTION_MAILSLOT:
17211 /* This one should be safe to call
17212 even if s_tvb and sp_tvb is NULL
17213 */
17214 if (d_tvb) {
17215 dissected_trans = dissect_mailslot_smb(
17216 sp_tvb, s_tvb, d_tvb, NULL, pinfo,
17217 top_tree_global, si);
17218 }
17219 break;
17220 }
17221 }
17222 if (!dissected_trans) {
17223 /* This one is safe to call for s_tvb == p_tvb == d_tvb == NULL */
17224 dissect_trans_data(s_tvb, p_tvb, d_tvb, tree);
17225 }
17226 }
17227
17228 pinfo->fragmented = save_fragmented;
17229 END_OF_SMB
17230
17231 return offset;
17232 }
17233
17234
17235 static int
17236 dissect_find_notify_close(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
17237 {
17238 uint8_t wc;
17239 uint16_t bc;
17240
17241 WORD_COUNT;
17242
17243 /* Monitor handle */
17244 proto_tree_add_item(tree, hf_smb_monitor_handle, tvb, offset, 2, ENC_LITTLE_ENDIAN);
17245 offset += 2;
17246
17247 BYTE_COUNT;
17248
17249 END_OF_SMB
17250
17251 return offset;
17252 }
17253
17254 /* XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
17255 END Transaction/Transaction2 Primary and secondary requests
17256 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX */
17257
17258
17259 static int
17260 dissect_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, proto_tree *smb_tree _U_, smb_info_t *si _U_)
17261 {
17262 uint8_t wc;
17263 uint16_t bc;
17264
17265 WORD_COUNT;
17266
17267 if (wc != 0) {
17268 proto_tree_add_item(tree, hf_smb_word_parameters, tvb, offset, wc*2, ENC_NA);
17269 offset += wc*2;
17270 }
17271
17272 BYTE_COUNT;
17273
17274 if (bc != 0) {
17275 proto_tree_add_item(tree, hf_smb_byte_parameters, tvb, offset, bc, ENC_NA);
17276 offset += bc;
17277 bc = 0;
17278 }
17279
17280 END_OF_SMB
17281
17282 return offset;
17283 }
17284
17285 typedef struct _smb_function {
17286 int (*request)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si);
17287 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si);
17288 } smb_function;
17289
17290 static const smb_function smb_dissector[256] = {
17291 /* 0x00 Create Dir*/ {dissect_old_dir_request , dissect_empty},
17292 /* 0x01 Delete Dir*/ {dissect_old_dir_request , dissect_empty},
17293 /* 0x02 Open File*/ {dissect_open_file_request , dissect_open_file_response},
17294 /* 0x03 Create File*/ {dissect_create_file_request , dissect_create_file_response},
17295 /* 0x04 Close File*/ {dissect_close_file_request , dissect_empty},
17296 /* 0x05 Flush File*/ {dissect_flush_file_request , dissect_empty},
17297 /* 0x06 Delete File*/ {dissect_delete_file_request , dissect_empty},
17298 /* 0x07 Rename File*/ {dissect_rename_file_request , dissect_rename_file_response},
17299 /* 0x08 Query Info*/ {dissect_query_information_request , dissect_query_information_response},
17300 /* 0x09 Set Info*/ {dissect_set_information_request , dissect_empty},
17301 /* 0x0a Read File*/ {dissect_read_file_request , dissect_read_file_response},
17302 /* 0x0b Write File*/ {dissect_write_file_request , dissect_write_file_response},
17303 /* 0x0c Lock Byte Range*/ {dissect_lock_request , dissect_empty},
17304 /* 0x0d Unlock Byte Range*/ {dissect_lock_request , dissect_empty},
17305 /* 0x0e Create Temp*/ {dissect_create_temporary_request , dissect_create_temporary_response},
17306 /* 0x0f Create New*/ {dissect_create_file_request , dissect_create_new_response},
17307
17308 /* 0x10 Check Dir*/ {dissect_old_dir_request , dissect_empty},
17309 /* 0x11 Process Exit*/ {dissect_empty , dissect_empty},
17310 /* 0x12 Seek File*/ {dissect_seek_file_request , dissect_seek_file_response},
17311 /* 0x13 Lock And Read*/ {dissect_read_file_request , dissect_lock_and_read_response},
17312 /* 0x14 Write And Unlock*/ {dissect_write_file_request , dissect_write_file_response},
17313 /* 0x15 */ {dissect_unknown , dissect_unknown},
17314 /* 0x16 */ {dissect_unknown , dissect_unknown},
17315 /* 0x17 */ {dissect_unknown , dissect_unknown},
17316 /* 0x18 */ {dissect_unknown , dissect_unknown},
17317 /* 0x19 */ {dissect_unknown , dissect_unknown},
17318 /* 0x1a Read Raw*/ {dissect_read_raw_request , dissect_unknown},
17319 /* 0x1b Read MPX*/ {dissect_read_mpx_request , dissect_read_mpx_response},
17320 /* 0x1c Read MPX Secondary*/ {dissect_unknown , dissect_unknown},
17321 /* 0x1d Write Raw*/ {dissect_write_raw_request , dissect_write_raw_response},
17322 /* 0x1e Write MPX*/ {dissect_write_mpx_request , dissect_write_mpx_response},
17323 /* 0x1f Write MPX Secondary*/ {dissect_unknown , dissect_unknown},
17324
17325 /* 0x20 Write Complete*/ {dissect_unknown , dissect_write_and_close_response},
17326 /* 0x21 */ {dissect_unknown , dissect_unknown},
17327 /* 0x22 Set Info2*/ {dissect_set_information2_request , dissect_empty},
17328 /* 0x23 Query Info2*/ {dissect_query_information2_request , dissect_query_information2_response},
17329 /* 0x24 Locking And X*/ {dissect_locking_andx_request , dissect_locking_andx_response},
17330 /* 0x25 Transaction*/ {dissect_transaction_request , dissect_transaction_response},
17331 /* 0x26 Transaction Secondary*/ {dissect_transaction_request , dissect_unknown}, /*This SMB has no response */
17332 /* 0x27 IOCTL*/ {dissect_unknown , dissect_unknown},
17333 /* 0x28 IOCTL Secondary*/ {dissect_unknown , dissect_unknown},
17334 /* 0x29 Copy File*/ {dissect_copy_request , dissect_move_copy_response},
17335 /* 0x2a Move File*/ {dissect_move_request , dissect_move_copy_response},
17336 /* 0x2b Echo*/ {dissect_echo_request , dissect_echo_response},
17337 /* 0x2c Write And Close*/ {dissect_write_and_close_request , dissect_write_and_close_response},
17338 /* 0x2d Open And X*/ {dissect_open_andx_request , dissect_open_andx_response},
17339 /* 0x2e Read And X*/ {dissect_read_andx_request , dissect_read_andx_response},
17340 /* 0x2f Write And X*/ {dissect_write_andx_request , dissect_write_andx_response},
17341
17342 /* 0x30 */ {dissect_unknown , dissect_unknown},
17343 /* 0x31 Close And Tree Disconnect */ {dissect_close_file_request , dissect_empty},
17344 /* 0x32 Transaction2*/ {dissect_transaction_request , dissect_transaction_response},
17345 /* 0x33 Transaction2 Secondary*/ {dissect_transaction_request , dissect_unknown}, /*This SMB has no response */
17346 /* 0x34 Find Close2*/ {dissect_search_id , dissect_empty},
17347 /* 0x35 Find Notify Close*/ {dissect_find_notify_close , dissect_empty},
17348 /* 0x36 */ {dissect_unknown, dissect_unknown},
17349 /* 0x37 */ {dissect_unknown, dissect_unknown},
17350 /* 0x38 */ {dissect_unknown, dissect_unknown},
17351 /* 0x39 */ {dissect_unknown, dissect_unknown},
17352 /* 0x3a */ {dissect_unknown, dissect_unknown},
17353 /* 0x3b */ {dissect_unknown, dissect_unknown},
17354 /* 0x3c */ {dissect_unknown, dissect_unknown},
17355 /* 0x3d */ {dissect_unknown, dissect_unknown},
17356 /* 0x3e */ {dissect_unknown, dissect_unknown},
17357 /* 0x3f */ {dissect_unknown, dissect_unknown},
17358
17359 /* 0x40 */ {dissect_unknown, dissect_unknown},
17360 /* 0x41 */ {dissect_unknown, dissect_unknown},
17361 /* 0x42 */ {dissect_unknown, dissect_unknown},
17362 /* 0x43 */ {dissect_unknown, dissect_unknown},
17363 /* 0x44 */ {dissect_unknown, dissect_unknown},
17364 /* 0x45 */ {dissect_unknown, dissect_unknown},
17365 /* 0x46 */ {dissect_unknown, dissect_unknown},
17366 /* 0x47 */ {dissect_unknown, dissect_unknown},
17367 /* 0x48 */ {dissect_unknown, dissect_unknown},
17368 /* 0x49 */ {dissect_unknown, dissect_unknown},
17369 /* 0x4a */ {dissect_unknown, dissect_unknown},
17370 /* 0x4b */ {dissect_unknown, dissect_unknown},
17371 /* 0x4c */ {dissect_unknown, dissect_unknown},
17372 /* 0x4d */ {dissect_unknown, dissect_unknown},
17373 /* 0x4e */ {dissect_unknown, dissect_unknown},
17374 /* 0x4f */ {dissect_unknown, dissect_unknown},
17375
17376 /* 0x50 */ {dissect_unknown, dissect_unknown},
17377 /* 0x51 */ {dissect_unknown, dissect_unknown},
17378 /* 0x52 */ {dissect_unknown, dissect_unknown},
17379 /* 0x53 */ {dissect_unknown, dissect_unknown},
17380 /* 0x54 */ {dissect_unknown, dissect_unknown},
17381 /* 0x55 */ {dissect_unknown, dissect_unknown},
17382 /* 0x56 */ {dissect_unknown, dissect_unknown},
17383 /* 0x57 */ {dissect_unknown, dissect_unknown},
17384 /* 0x58 */ {dissect_unknown, dissect_unknown},
17385 /* 0x59 */ {dissect_unknown, dissect_unknown},
17386 /* 0x5a */ {dissect_unknown, dissect_unknown},
17387 /* 0x5b */ {dissect_unknown, dissect_unknown},
17388 /* 0x5c */ {dissect_unknown, dissect_unknown},
17389 /* 0x5d */ {dissect_unknown, dissect_unknown},
17390 /* 0x5e */ {dissect_unknown, dissect_unknown},
17391 /* 0x5f */ {dissect_unknown, dissect_unknown},
17392
17393 /* 0x60 */ {dissect_unknown, dissect_unknown},
17394 /* 0x61 */ {dissect_unknown, dissect_unknown},
17395 /* 0x62 */ {dissect_unknown, dissect_unknown},
17396 /* 0x63 */ {dissect_unknown, dissect_unknown},
17397 /* 0x64 */ {dissect_unknown, dissect_unknown},
17398 /* 0x65 */ {dissect_unknown, dissect_unknown},
17399 /* 0x66 */ {dissect_unknown, dissect_unknown},
17400 /* 0x67 */ {dissect_unknown, dissect_unknown},
17401 /* 0x68 */ {dissect_unknown, dissect_unknown},
17402 /* 0x69 */ {dissect_unknown, dissect_unknown},
17403 /* 0x6a */ {dissect_unknown, dissect_unknown},
17404 /* 0x6b */ {dissect_unknown, dissect_unknown},
17405 /* 0x6c */ {dissect_unknown, dissect_unknown},
17406 /* 0x6d */ {dissect_unknown, dissect_unknown},
17407 /* 0x6e */ {dissect_unknown, dissect_unknown},
17408 /* 0x6f */ {dissect_unknown, dissect_unknown},
17409
17410 /* 0x70 Tree Connect*/ {dissect_tree_connect_request , dissect_tree_connect_response},
17411 /* 0x71 Tree Disconnect*/ {dissect_empty , dissect_empty},
17412 /* 0x72 Negotiate Protocol*/ {dissect_negprot_request , dissect_negprot_response},
17413 /* 0x73 Session Setup And X*/ {dissect_session_setup_andx_request , dissect_session_setup_andx_response},
17414 /* 0x74 Logoff And X*/ {dissect_empty_andx , dissect_empty_andx},
17415 /* 0x75 Tree Connect And X*/ {dissect_tree_connect_andx_request , dissect_tree_connect_andx_response},
17416 /* 0x76 */ {dissect_unknown, dissect_unknown},
17417 /* 0x77 */ {dissect_unknown, dissect_unknown},
17418 /* 0x78 */ {dissect_unknown, dissect_unknown},
17419 /* 0x79 */ {dissect_unknown, dissect_unknown},
17420 /* 0x7a */ {dissect_unknown, dissect_unknown},
17421 /* 0x7b */ {dissect_unknown, dissect_unknown},
17422 /* 0x7c */ {dissect_unknown, dissect_unknown},
17423 /* 0x7d */ {dissect_unknown, dissect_unknown},
17424 /* 0x7e */ {dissect_unknown, dissect_unknown},
17425 /* 0x7f */ {dissect_unknown, dissect_unknown},
17426
17427 /* 0x80 Query Info Disk*/ {dissect_empty , dissect_query_information_disk_response},
17428 /* 0x81 Search Dir*/ {dissect_search_dir_request , dissect_search_dir_response},
17429 /* 0x82 Find*/ {dissect_find_request , dissect_find_response},
17430 /* 0x83 Find Unique*/ {dissect_find_request , dissect_find_response},
17431 /* 0x84 Find Close*/ {dissect_find_close_request , dissect_find_close_response},
17432 /* 0x85 */ {dissect_unknown, dissect_unknown},
17433 /* 0x86 */ {dissect_unknown, dissect_unknown},
17434 /* 0x87 */ {dissect_unknown, dissect_unknown},
17435 /* 0x88 */ {dissect_unknown, dissect_unknown},
17436 /* 0x89 */ {dissect_unknown, dissect_unknown},
17437 /* 0x8a */ {dissect_unknown, dissect_unknown},
17438 /* 0x8b */ {dissect_unknown, dissect_unknown},
17439 /* 0x8c */ {dissect_unknown, dissect_unknown},
17440 /* 0x8d */ {dissect_unknown, dissect_unknown},
17441 /* 0x8e */ {dissect_unknown, dissect_unknown},
17442 /* 0x8f */ {dissect_unknown, dissect_unknown},
17443
17444 /* 0x90 */ {dissect_unknown, dissect_unknown},
17445 /* 0x91 */ {dissect_unknown, dissect_unknown},
17446 /* 0x92 */ {dissect_unknown, dissect_unknown},
17447 /* 0x93 */ {dissect_unknown, dissect_unknown},
17448 /* 0x94 */ {dissect_unknown, dissect_unknown},
17449 /* 0x95 */ {dissect_unknown, dissect_unknown},
17450 /* 0x96 */ {dissect_unknown, dissect_unknown},
17451 /* 0x97 */ {dissect_unknown, dissect_unknown},
17452 /* 0x98 */ {dissect_unknown, dissect_unknown},
17453 /* 0x99 */ {dissect_unknown, dissect_unknown},
17454 /* 0x9a */ {dissect_unknown, dissect_unknown},
17455 /* 0x9b */ {dissect_unknown, dissect_unknown},
17456 /* 0x9c */ {dissect_unknown, dissect_unknown},
17457 /* 0x9d */ {dissect_unknown, dissect_unknown},
17458 /* 0x9e */ {dissect_unknown, dissect_unknown},
17459 /* 0x9f */ {dissect_unknown, dissect_unknown},
17460
17461 /* 0xa0 NT Transaction*/ {dissect_nt_transaction_request , dissect_nt_transaction_response},
17462 /* 0xa1 NT Trans secondary*/ {dissect_nt_transaction_request , dissect_nt_transaction_response},
17463 /* 0xa2 NT CreateAndX*/ {dissect_nt_create_andx_request , dissect_nt_create_andx_response},
17464 /* 0xa3 */ {dissect_unknown, dissect_unknown},
17465 /* 0xa4 NT Cancel*/ {dissect_nt_cancel_request , dissect_unknown}, /*no response to this one*/
17466 /* 0xa5 NT Rename*/ {dissect_nt_rename_file_request , dissect_empty},
17467 /* 0xa6 */ {dissect_unknown, dissect_unknown},
17468 /* 0xa7 */ {dissect_unknown, dissect_unknown},
17469 /* 0xa8 */ {dissect_unknown, dissect_unknown},
17470 /* 0xa9 */ {dissect_unknown, dissect_unknown},
17471 /* 0xaa */ {dissect_unknown, dissect_unknown},
17472 /* 0xab */ {dissect_unknown, dissect_unknown},
17473 /* 0xac */ {dissect_unknown, dissect_unknown},
17474 /* 0xad */ {dissect_unknown, dissect_unknown},
17475 /* 0xae */ {dissect_unknown, dissect_unknown},
17476 /* 0xaf */ {dissect_unknown, dissect_unknown},
17477
17478 /* 0xb0 */ {dissect_unknown, dissect_unknown},
17479 /* 0xb1 */ {dissect_unknown, dissect_unknown},
17480 /* 0xb2 */ {dissect_unknown, dissect_unknown},
17481 /* 0xb3 */ {dissect_unknown, dissect_unknown},
17482 /* 0xb4 */ {dissect_unknown, dissect_unknown},
17483 /* 0xb5 */ {dissect_unknown, dissect_unknown},
17484 /* 0xb6 */ {dissect_unknown, dissect_unknown},
17485 /* 0xb7 */ {dissect_unknown, dissect_unknown},
17486 /* 0xb8 */ {dissect_unknown, dissect_unknown},
17487 /* 0xb9 */ {dissect_unknown, dissect_unknown},
17488 /* 0xba */ {dissect_unknown, dissect_unknown},
17489 /* 0xbb */ {dissect_unknown, dissect_unknown},
17490 /* 0xbc */ {dissect_unknown, dissect_unknown},
17491 /* 0xbd */ {dissect_unknown, dissect_unknown},
17492 /* 0xbe */ {dissect_unknown, dissect_unknown},
17493 /* 0xbf */ {dissect_unknown, dissect_unknown},
17494
17495 /* 0xc0 Open Print File*/ {dissect_open_print_file_request , dissect_open_print_file_response},
17496 /* 0xc1 Write Print File*/ {dissect_write_print_file_request , dissect_empty},
17497 /* 0xc2 Close Print File*/ {dissect_close_print_file_request , dissect_empty},
17498 /* 0xc3 Get Print Queue*/ {dissect_get_print_queue_request , dissect_get_print_queue_response},
17499 /* 0xc4 */ {dissect_unknown, dissect_unknown},
17500 /* 0xc5 */ {dissect_unknown, dissect_unknown},
17501 /* 0xc6 */ {dissect_unknown, dissect_unknown},
17502 /* 0xc7 */ {dissect_unknown, dissect_unknown},
17503 /* 0xc8 */ {dissect_unknown, dissect_unknown},
17504 /* 0xc9 */ {dissect_unknown, dissect_unknown},
17505 /* 0xca */ {dissect_unknown, dissect_unknown},
17506 /* 0xcb */ {dissect_unknown, dissect_unknown},
17507 /* 0xcc */ {dissect_unknown, dissect_unknown},
17508 /* 0xcd */ {dissect_unknown, dissect_unknown},
17509 /* 0xce */ {dissect_unknown, dissect_unknown},
17510 /* 0xcf */ {dissect_unknown, dissect_unknown},
17511
17512 /* 0xd0 Send Single Block Message*/ {dissect_send_single_block_message_request , dissect_empty},
17513 /* 0xd1 Send Broadcast Message*/ {dissect_send_single_block_message_request , dissect_empty},
17514 /* 0xd2 Forward User Name*/ {dissect_forwarded_name , dissect_empty},
17515 /* 0xd3 Cancel Forward*/ {dissect_forwarded_name , dissect_empty},
17516 /* 0xd4 Get Machine Name*/ {dissect_empty , dissect_get_machine_name_response},
17517 /* 0xd5 Send Start of Multi-block Message*/ {dissect_send_multi_block_message_start_request , dissect_message_group_id},
17518 /* 0xd6 Send End of Multi-block Message*/ {dissect_message_group_id , dissect_empty},
17519 /* 0xd7 Send Text of Multi-block Message*/ {dissect_send_multi_block_message_text_request , dissect_empty},
17520 /* 0xd8 SMBreadbulk*/ {dissect_unknown , dissect_unknown},
17521 /* 0xd9 SMBwritebulk*/ {dissect_unknown , dissect_unknown},
17522 /* 0xda SMBwritebulkdata*/ {dissect_unknown , dissect_unknown},
17523 /* 0xdb */ {dissect_unknown, dissect_unknown},
17524 /* 0xdc */ {dissect_unknown, dissect_unknown},
17525 /* 0xdd */ {dissect_unknown, dissect_unknown},
17526 /* 0xde */ {dissect_unknown, dissect_unknown},
17527 /* 0xdf */ {dissect_unknown, dissect_unknown},
17528
17529 /* 0xe0 */ {dissect_unknown, dissect_unknown},
17530 /* 0xe1 */ {dissect_unknown, dissect_unknown},
17531 /* 0xe2 */ {dissect_unknown, dissect_unknown},
17532 /* 0xe3 */ {dissect_unknown, dissect_unknown},
17533 /* 0xe4 */ {dissect_unknown, dissect_unknown},
17534 /* 0xe5 */ {dissect_unknown, dissect_unknown},
17535 /* 0xe6 */ {dissect_unknown, dissect_unknown},
17536 /* 0xe7 */ {dissect_unknown, dissect_unknown},
17537 /* 0xe8 */ {dissect_unknown, dissect_unknown},
17538 /* 0xe9 */ {dissect_unknown, dissect_unknown},
17539 /* 0xea */ {dissect_unknown, dissect_unknown},
17540 /* 0xeb */ {dissect_unknown, dissect_unknown},
17541 /* 0xec */ {dissect_unknown, dissect_unknown},
17542 /* 0xed */ {dissect_unknown, dissect_unknown},
17543 /* 0xee */ {dissect_unknown, dissect_unknown},
17544 /* 0xef */ {dissect_unknown, dissect_unknown},
17545
17546 /* 0xf0 */ {dissect_unknown, dissect_unknown},
17547 /* 0xf1 */ {dissect_unknown, dissect_unknown},
17548 /* 0xf2 */ {dissect_unknown, dissect_unknown},
17549 /* 0xf3 */ {dissect_unknown, dissect_unknown},
17550 /* 0xf4 */ {dissect_unknown, dissect_unknown},
17551 /* 0xf5 */ {dissect_unknown, dissect_unknown},
17552 /* 0xf6 */ {dissect_unknown, dissect_unknown},
17553 /* 0xf7 */ {dissect_unknown, dissect_unknown},
17554 /* 0xf8 */ {dissect_unknown, dissect_unknown},
17555 /* 0xf9 */ {dissect_unknown, dissect_unknown},
17556 /* 0xfa */ {dissect_unknown, dissect_unknown},
17557 /* 0xfb */ {dissect_unknown, dissect_unknown},
17558 /* 0xfc */ {dissect_unknown, dissect_unknown},
17559 /* 0xfd */ {dissect_unknown, dissect_unknown},
17560 /* 0xfe */ {dissect_unknown, dissect_unknown},
17561 /* 0xff */ {dissect_unknown, dissect_unknown},
17562 };
17563
17564 static int
17565 dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *smb_tree, uint8_t cmd, bool first_pdu, smb_info_t *si)
17566 {
17567 smb_saved_info_t *sip;
17568
17569 DISSECTOR_ASSERT(si);
17570
17571 if (cmd != 0xff) {
17572 proto_item *cmd_item;
17573 proto_tree *cmd_tree;
17574 int (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *smb_tree, smb_info_t *si);
17575
17576 if (first_pdu) {
17577 col_append_fstr(pinfo->cinfo, COL_INFO,
17578 "%s %s",
17579 val_to_str_ext(cmd, &smb_cmd_vals_ext, "Unknown (0x%02x)"),
17580 (si->request)? "Request" : "Response");
17581 } else {
17582 col_append_fstr(pinfo->cinfo, COL_INFO,
17583 "; %s",
17584 val_to_str_ext(cmd, &smb_cmd_vals_ext, "Unknown (0x%02x)"));
17585 }
17586
17587 cmd_tree = proto_tree_add_subtree_format(smb_tree, tvb, offset, -1,
17588 ett_smb_command, &cmd_item, "%s %s (0x%02x)",
17589 val_to_str_ext_const(cmd, &smb_cmd_vals_ext, "Unknown"),
17590 (si->request)?"Request":"Response",
17591 cmd);
17592
17593 /* we track FIDs on a per transaction basis.
17594 if this was a request and the fid was seen in a reply
17595 we add a "generated" fid tree for this pdu and v.v.
17596 */
17597 sip = si->sip;
17598 if (sip && sip->fid) {
17599 if ( (si->request && (!sip->fid_seen_in_request))
17600 || ((!si->request) && sip->fid_seen_in_request) ) {
17601 dissect_smb_fid(tvb, pinfo, cmd_tree, offset, 0, sip->fid, false, false, true, si);
17602 }
17603 }
17604
17605 dissector = (si->request) ?
17606 smb_dissector[cmd].request : smb_dissector[cmd].response;
17607
17608 offset = (*dissector)(tvb, pinfo, cmd_tree, offset, smb_tree, si);
17609
17610 if (!tvb_offset_exists(tvb, offset-1)) {
17611 THROW(ReportedBoundsError);
17612 }
17613 proto_item_set_end(cmd_item, tvb, offset);
17614 }
17615 return offset;
17616 }
17617
17618 static const value_string smb_cmd_vals[] = {
17619 { 0x00, "Create Directory" },
17620 { 0x01, "Delete Directory" },
17621 { 0x02, "Open" },
17622 { 0x03, "Create" },
17623 { 0x04, "Close" },
17624 { 0x05, "Flush" },
17625 { 0x06, "Delete" },
17626 { 0x07, "Rename" },
17627 { 0x08, "Query Information" },
17628 { 0x09, "Set Information" },
17629 { 0x0A, "Read" },
17630 { 0x0B, "Write" },
17631 { 0x0C, "Lock Byte Range" },
17632 { 0x0D, "Unlock Byte Range" },
17633 { 0x0E, "Create Temp" },
17634 { 0x0F, "Create New" },
17635 { 0x10, "Check Directory" },
17636 { 0x11, "Process Exit" },
17637 { 0x12, "Seek" },
17638 { 0x13, "Lock And Read" },
17639 { 0x14, "Write And Unlock" },
17640 { 0x15, "unknown-0x15" },
17641 { 0x16, "unknown-0x16" },
17642 { 0x17, "unknown-0x17" },
17643 { 0x18, "unknown-0x18" },
17644 { 0x19, "unknown-0x19" },
17645 { 0x1A, "Read Raw" },
17646 { 0x1B, "Read MPX" },
17647 { 0x1C, "Read MPX Secondary" },
17648 { 0x1D, "Write Raw" },
17649 { 0x1E, "Write MPX" },
17650 { 0x1F, "Write MPX Secondary" },
17651 { 0x20, "Write Complete" },
17652
17653 /*
17654 * To quote
17655 *
17656 * http://msdn.microsoft.com/en-us/library/ee442098.aspx
17657 *
17658 * "This command was introduced in the NT LAN Manager dialect, and
17659 * was reserved but not implemented.
17660 *
17661 * Clients SHOULD NOT send requests using this command code, and
17662 * servers receiving requests with this command code SHOULD return
17663 * STATUS_NOT_IMPLEMENTED (ERRDOS/ERRbadfunc)."
17664 */
17665 { 0x21, "Query Server (reserved)" },
17666
17667 { 0x22, "Set Information2" },
17668 { 0x23, "Query Information2" },
17669 { 0x24, "Locking AndX" },
17670 { 0x25, "Trans" },
17671 { 0x26, "Trans Secondary" },
17672 { 0x27, "IOCTL" },
17673 { 0x28, "IOCTL Secondary" },
17674 { 0x29, "Copy" },
17675 { 0x2A, "Move" },
17676 { 0x2B, "Echo" },
17677 { 0x2C, "Write And Close" },
17678 { 0x2D, "Open AndX" },
17679 { 0x2E, "Read AndX" },
17680 { 0x2F, "Write AndX" },
17681
17682 /*
17683 * To quote
17684 *
17685 * http://msdn.microsoft.com/en-us/library/ee442127.aspx
17686 *
17687 * "This command was reserved but not implemented. It was also never
17688 * defined. It is listed in [SNIA], but it is not defined in that
17689 * document and does not appear in any other references.
17690 *
17691 * Clients SHOULD NOT send requests using this command code, and
17692 * servers receiving requests with this command code SHOULD return
17693 * STATUS_NOT_IMPLEMENTED (ERRDOC/ERRbadfunc)."
17694 */
17695 { 0x30, "New File Size (reserved)" },
17696
17697 { 0x31, "Close And Tree Disconnect" },
17698 { 0x32, "Trans2" },
17699 { 0x33, "Trans2 Secondary" },
17700 { 0x34, "Find Close2" },
17701 { 0x35, "Find Notify Close" },
17702 { 0x70, "Tree Connect" },
17703 { 0x71, "Tree Disconnect" },
17704 { 0x72, "Negotiate Protocol" },
17705 { 0x73, "Session Setup AndX" },
17706 { 0x74, "Logoff AndX" },
17707 { 0x75, "Tree Connect AndX" },
17708 { 0x80, "Query Information Disk" },
17709 { 0x81, "Search" },
17710 { 0x82, "Find" },
17711 { 0x83, "Find Unique" },
17712 { 0x84, "Find Close" },
17713 { 0xA0, "NT Trans" },
17714 { 0xA1, "NT Trans Secondary" },
17715 { 0xA2, "NT Create AndX" },
17716 { 0xA3, "unknown-0xA3" },
17717 { 0xA4, "NT Cancel" },
17718 { 0xA5, "NT Rename" },
17719 { 0xC0, "Open Print File" },
17720 { 0xC1, "Write Print File" },
17721 { 0xC2, "Close Print File" },
17722 { 0xC3, "Get Print Queue" },
17723 { 0xD0, "Send Single Block Message" },
17724 { 0xD1, "Send Broadcast Message" },
17725 { 0xD2, "Forward User Name" },
17726 { 0xD3, "Cancel Forward" },
17727 { 0xD4, "Get Machine Name" },
17728 { 0xD5, "Send Start of Multi-block Message" },
17729 { 0xD6, "Send End of Multi-block Message" },
17730 { 0xD7, "Send Text of Multi-block Message" },
17731 { 0xD8, "SMBreadbulk" },
17732 { 0xD9, "SMBwritebulk" },
17733 { 0xDA, "SMBwritebulkdata" },
17734 { 0xFE, "SMBinvalid" },
17735 { 0x00, NULL },
17736 };
17737 value_string_ext smb_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb_cmd_vals);
17738
17739
17740 static void
17741 free_hash_tables(void *ctarg, void *user_data _U_)
17742 {
17743 conv_tables_t *ct = (conv_tables_t *)ctarg;
17744
17745 if (ct->unmatched)
17746 g_hash_table_destroy(ct->unmatched);
17747 if (ct->matched)
17748 g_hash_table_destroy(ct->matched);
17749 if (ct->primaries)
17750 g_hash_table_destroy(ct->primaries);
17751 if (ct->tid_service)
17752 g_hash_table_destroy(ct->tid_service);
17753 g_slist_free(ct->GSL_fid_info);
17754 g_free(ct);
17755 }
17756
17757 static void
17758 smb_cleanup(void)
17759 {
17760 if (conv_tables) {
17761 g_slist_foreach(conv_tables, free_hash_tables, NULL);
17762 g_slist_free(conv_tables);
17763 conv_tables = NULL;
17764 }
17765 }
17766
17767 static const value_string errcls_types[] = {
17768 { SMB_SUCCESS, "Success"},
17769 { SMB_ERRDOS, "DOS Error"},
17770 { SMB_ERRSRV, "Server Error"},
17771 { SMB_ERRHRD, "Hardware Error"},
17772 { SMB_ERRCMD, "Command Error - Not an SMB format command"},
17773 { 0, NULL }
17774 };
17775
17776 /* Error codes for the ERRSRV class */
17777
17778 #define SRV_errors_VALUE_STRING_LIST(XXX) \
17779 XXX( SMBE_SRV_error, 1, "Non specific error code") \
17780 XXX( SMBE_SRV_badpw, 2, "Bad password") \
17781 XXX( SMBE_SRV_badtype, 3, "Reserved") \
17782 XXX( SMBE_SRV_access, 4, "No permissions to perform the requested operation") \
17783 XXX( SMBE_SRV_invnid, 5, "TID invalid") \
17784 XXX( SMBE_SRV_invnetname, 6, "Invalid network name. Service not found") \
17785 XXX( SMBE_SRV_invdevice, 7, "Invalid device") \
17786 XXX( SMBE_SRV_unknownsmb, 22, "Unknown SMB, from NT 3.5 response") \
17787 XXX( SMBE_SRV_qfull, 49, "Print queue full") \
17788 XXX( SMBE_SRV_qtoobig, 50, "Queued item too big") \
17789 XXX( SMBE_SRV_qeof, 51, "EOF in print queue dump") \
17790 XXX( SMBE_SRV_invpfid, 52, "Invalid print file in smb_fid") \
17791 XXX( SMBE_SRV_smbcmd, 64, "Unrecognised command") \
17792 XXX( SMBE_SRV_srverror, 65, "SMB server internal error") \
17793 XXX( SMBE_SRV_filespecs, 67, "Fid and pathname invalid combination") \
17794 XXX( SMBE_SRV_badlink, 68, "Bad link in request ???") \
17795 XXX( SMBE_SRV_badpermits, 69, "Access specified for a file is not valid") \
17796 XXX( SMBE_SRV_badpid, 70, "Bad process id in request") \
17797 XXX( SMBE_SRV_setattrmode, 71, "Attribute mode invalid") \
17798 XXX( SMBE_SRV_paused, 81, "Message server paused") \
17799 XXX( SMBE_SRV_msgoff, 82, "Not receiving messages") \
17800 XXX( SMBE_SRV_noroom, 83, "No room for message") \
17801 XXX( SMBE_SRV_rmuns, 87, "Too many remote usernames") \
17802 XXX( SMBE_SRV_timeout, 88, "Operation timed out") \
17803 XXX( SMBE_SRV_noresource, 89, "No resources currently available for request.") \
17804 XXX( SMBE_SRV_toomanyuids, 90, "Too many userids") \
17805 XXX( SMBE_SRV_baduid, 91, "Bad userid") \
17806 XXX( SMBE_SRV_useMPX, 250, "Temporarily unable to use raw mode, use MPX mode") \
17807 XXX( SMBE_SRV_useSTD, 251, "Temporarily unable to use raw mode, use standard mode") \
17808 XXX( SMBE_SRV_contMPX, 252, "Resume MPX mode") \
17809 XXX( SMBE_SRV_badPW, 253, "Bad Password???") \
17810 XXX( SMBE_SRV_nosupport, 0xFFFF, "Operation not supported")
17811
17812 #if 0 /* Values not needed */
17813 VALUE_STRING_ENUM(SRV_errors);
17814 #endif
17815 VALUE_STRING_ARRAY(SRV_errors);
17816 static value_string_ext SRV_errors_ext = VALUE_STRING_EXT_INIT(SRV_errors);
17817
17818
17819 /* Error codes for the ERRHRD class */
17820
17821 #define HRD_errors_VALUE_STRING_LIST(XXX) \
17822 XXX( SMBE_HRD_nowrite, 19, "Read only media") \
17823 XXX( SMBE_HRD_badunit, 20, "Unknown device") \
17824 XXX( SMBE_HRD_notready, 21, "Drive not ready") \
17825 XXX( SMBE_HRD_badcmd, 22, "Unknown command") \
17826 XXX( SMBE_HRD_data, 23, "Data (CRC) error") \
17827 XXX( SMBE_HRD_badreq, 24, "Bad request structure length") \
17828 XXX( SMBE_HRD_seek, 25, "Seek error") \
17829 XXX( SMBE_HRD_badmedia, 26, "Unknown media type") \
17830 XXX( SMBE_HRD_badsector, 27, "Sector not found") \
17831 XXX( SMBE_HRD_nopaper, 28, "Printer out of paper") \
17832 XXX( SMBE_HRD_write, 29, "Write fault") \
17833 XXX( SMBE_HRD_read, 30, "Read fault") \
17834 XXX( SMBE_HRD_general, 31, "General failure") \
17835 /* -- (really part of ERRDOS class ??) -- */ \
17836 XXX( SMBE_HRD_badshare, 32, "An open conflicts with an existing open") \
17837 XXX( SMBE_HRD_lock, 33, "Lock conflict/invalid mode, or unlock of another process's lock") \
17838 /* -- --*/ \
17839 XXX( SMBE_HRD_wrongdisk, 34, "The wrong disk was found in a drive") \
17840 XXX( SMBE_HRD_FCBunavail, 35, "No FCBs are available to process request") \
17841 XXX( SMBE_HRD_sharebufexc, 36, "A sharing buffer has been exceeded") \
17842 XXX( SMBE_HRD_diskfull, 39, "Disk full???")
17843
17844 #if 0 /* Values not needed */
17845 VALUE_STRING_ENUM(HRD_errors);
17846 #endif
17847 VALUE_STRING_ARRAY(HRD_errors);
17848 static value_string_ext HRD_errors_ext = VALUE_STRING_EXT_INIT(HRD_errors);
17849
17850 static const char *decode_smb_error(uint8_t errcls, uint16_t errcode)
17851 {
17852
17853 switch (errcls) {
17854
17855 case SMB_SUCCESS:
17856 return "No Error"; /* No error ??? */
17857
17858 case SMB_ERRDOS:
17859 return val_to_str_ext(errcode, &DOS_errors_ext, "Unknown DOS error (%x)");
17860
17861 case SMB_ERRSRV:
17862 return val_to_str_ext(errcode, &SRV_errors_ext, "Unknown SRV error (%x)");
17863
17864 case SMB_ERRHRD:
17865 return val_to_str_ext(errcode, &HRD_errors_ext, "Unknown HRD error (%x)");
17866
17867 default:
17868 return "Unknown error class!";
17869 }
17870
17871 }
17872
17873 static const true_false_string tfs_smb_flags_lock = {
17874 "Lock&Read, Write&Unlock are supported",
17875 "Lock&Read, Write&Unlock are not supported"
17876 };
17877 static const true_false_string tfs_smb_flags_receive_buffer = {
17878 "Receive buffer has been posted",
17879 "Receive buffer has not been posted"
17880 };
17881 static const true_false_string tfs_smb_flags_caseless = {
17882 "Path names are caseless",
17883 "Path names are case sensitive"
17884 };
17885 static const true_false_string tfs_smb_flags_canon = {
17886 "Pathnames are canonicalized",
17887 "Pathnames are not canonicalized"
17888 };
17889 static const true_false_string tfs_smb_flags_oplock = {
17890 "OpLock requested/granted",
17891 "OpLock not requested/granted"
17892 };
17893 static const true_false_string tfs_smb_flags_notify = {
17894 "Notify client on all modifications",
17895 "Notify client only on open"
17896 };
17897 static const true_false_string tfs_smb_flags_response = {
17898 "Message is a response to the client/redirector",
17899 "Message is a request to the server"
17900 };
17901
17902 static int
17903 dissect_smb_flags(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
17904 {
17905 static int * const flags[] = {
17906 &hf_smb_flags_response,
17907 &hf_smb_flags_notify,
17908 &hf_smb_flags_oplock,
17909 &hf_smb_flags_canon,
17910 &hf_smb_flags_caseless,
17911 &hf_smb_flags_receive_buffer,
17912 &hf_smb_flags_lock,
17913 NULL
17914 };
17915
17916 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_flags, ett_smb_flags, flags, ENC_NA);
17917 offset += 1;
17918
17919 return offset;
17920 }
17921
17922
17923
17924 static const true_false_string tfs_smb_flags2_long_names_allowed = {
17925 "Long file names are allowed in the response",
17926 "Long file names are not allowed in the response"
17927 };
17928 static const true_false_string tfs_smb_flags2_ea = {
17929 "Extended attributes are supported",
17930 "Extended attributes are not supported"
17931 };
17932 static const true_false_string tfs_smb_flags2_sec_sig = {
17933 "Security signatures are supported",
17934 "Security signatures are not supported"
17935 };
17936 static const true_false_string tfs_smb_flags2_compressed = {
17937 "Compression is requested",
17938 "Compression is not requested"
17939 };
17940 static const true_false_string tfs_smb_flags2_sec_sig_required = {
17941 "Security signatures are required",
17942 "Security signatures are not required"
17943 };
17944 static const true_false_string tfs_smb_flags2_long_names_used = {
17945 "Path names in request are long file names",
17946 "Path names in request are not long file names"
17947 };
17948 static const true_false_string tfs_smb_flags2_reparse_path = {
17949 "The request uses a @GMT reparse path",
17950 "The request does not use a @GMT reparse path"
17951 };
17952 static const true_false_string tfs_smb_flags2_esn = {
17953 "Extended security negotiation is supported",
17954 "Extended security negotiation is not supported"
17955 };
17956 static const true_false_string tfs_smb_flags2_dfs = {
17957 "Resolve pathnames with Dfs",
17958 "Don't resolve pathnames with Dfs"
17959 };
17960 static const true_false_string tfs_smb_flags2_roe = {
17961 "Permit reads if execute-only",
17962 "Don't permit reads if execute-only"
17963 };
17964 static const true_false_string tfs_smb_flags2_nt_error = {
17965 "Error codes are NT error codes",
17966 "Error codes are DOS error codes"
17967 };
17968 static const true_false_string tfs_smb_flags2_string = {
17969 "Strings are Unicode",
17970 "Strings are ASCII"
17971 };
17972 static int
17973 dissect_smb_flags2(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
17974 {
17975 static int * const flags[] = {
17976 &hf_smb_flags2_string,
17977 &hf_smb_flags2_nt_error,
17978 &hf_smb_flags2_roe,
17979 &hf_smb_flags2_dfs,
17980 &hf_smb_flags2_esn,
17981 &hf_smb_flags2_reparse_path,
17982 &hf_smb_flags2_long_names_used,
17983 &hf_smb_flags2_sec_sig_required,
17984 &hf_smb_flags2_compressed,
17985 &hf_smb_flags2_sec_sig,
17986 &hf_smb_flags2_ea,
17987 &hf_smb_flags2_long_names_allowed,
17988 NULL
17989 };
17990
17991 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb_flags2, ett_smb_flags2, flags, ENC_LITTLE_ENDIAN);
17992 offset += 2;
17993
17994 return offset;
17995 }
17996
17997
17998
17999 #define SMB_FLAGS_DIRN 0x80
18000
18001
18002 static int
18003 dissect_smb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data _U_)
18004 {
18005 int offset = 0;
18006 proto_item *item;
18007 proto_tree *tree, *htree;
18008 proto_item *tmp_item = NULL;
18009 uint8_t flags;
18010 uint16_t flags2;
18011 smb_info_t *si;
18012 smb_saved_info_t *sip = NULL;
18013 smb_saved_info_key_t key;
18014 smb_saved_info_key_t *new_key;
18015 uint8_t errclass = 0;
18016 uint16_t errcode = 0;
18017 uint32_t pid_mid;
18018 conversation_t *conversation;
18019 nstime_t t, deltat;
18020 smb_transact2_info_t *t2i = NULL;
18021 bool remove = true;
18022
18023 si = wmem_new0(pinfo->pool, smb_info_t);
18024 top_tree_global = parent_tree;
18025
18026 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB");
18027 col_clear(pinfo->cinfo, COL_INFO);
18028
18029 /* start off using the local variable, we will allocate a new one if we
18030 need to*/
18031 si->cmd = tvb_get_uint8(tvb, offset+4);
18032 flags = tvb_get_uint8(tvb, offset+9);
18033 /*
18034 * XXX - in some SMB-over-OSI-transport and SMB-over-Vines traffic,
18035 * the direction flag appears never to be set, even for what appear
18036 * to be replies. Do some SMB servers fail to set that flag,
18037 * under the assumption that the client knows it's a reply because
18038 * it received it?
18039 */
18040 si->request = !(flags&SMB_FLAGS_DIRN);
18041 flags2 = tvb_get_letohs(tvb, offset+10);
18042 if (flags2 & 0x8000) {
18043 si->unicode = true; /* Mark them as Unicode */
18044 } else {
18045 si->unicode = false;
18046 }
18047 si->tid = tvb_get_letohs(tvb, offset+24);
18048 si->pid = tvb_get_letohs(tvb, offset+26);
18049 si->uid = tvb_get_letohs(tvb, offset+28);
18050 si->mid = tvb_get_letohs(tvb, offset+30);
18051 pid_mid = (si->pid << 16) | si->mid;
18052 si->info_level = -1;
18053 si->info_count = -1;
18054
18055 item = proto_tree_add_item(parent_tree, proto_smb, tvb, offset,
18056 -1, ENC_NA);
18057 tree = proto_item_add_subtree(item, ett_smb);
18058
18059 htree = proto_tree_add_subtree(tree, tvb, offset, 32,
18060 ett_smb_hdr, NULL, "SMB Header");
18061
18062
18063 proto_tree_add_uint_format_value(htree, hf_smb_server_component, tvb, offset, 4, tvb_get_letohl(tvb, offset), "SMB");
18064 offset += 4; /* Skip the marker */
18065
18066 /* find which conversation we are part of and get the tables for that
18067 conversation*/
18068 conversation = find_or_create_conversation(pinfo);
18069 /* see if we already have the smb data for this conversation */
18070 si->ct = (conv_tables_t *)conversation_get_proto_data(conversation, proto_smb);
18071 if (!si->ct) {
18072 /* No, not yet. create it and attach it to the conversation */
18073 si->ct = g_new(conv_tables_t, 1);
18074
18075 conv_tables = g_slist_prepend(conv_tables, si->ct);
18076 si->ct->matched = g_hash_table_new(smb_saved_info_hash_matched,
18077 smb_saved_info_equal_matched);
18078 si->ct->unmatched = g_hash_table_new(smb_saved_info_hash_unmatched,
18079 smb_saved_info_equal_unmatched);
18080 /* We used the same key format as the unmatched entries */
18081 si->ct->primaries = g_hash_table_new(
18082 smb_saved_info_hash_unmatched,
18083 smb_saved_info_equal_unmatched);
18084 si->ct->tid_service = g_hash_table_new(
18085 smb_saved_info_hash_unmatched,
18086 smb_saved_info_equal_unmatched);
18087 si->ct->raw_ntlmssp = 0;
18088
18089 si->ct->fid_tree = wmem_tree_new(wmem_file_scope());
18090 si->ct->tid_tree = wmem_tree_new(wmem_file_scope());
18091 si->ct->uid_tree = wmem_tree_new(wmem_file_scope());
18092 /* Initialize the GSL_fid_info for this ct */
18093 si->ct->GSL_fid_info = NULL;
18094 conversation_add_proto_data(conversation, proto_smb, si->ct);
18095 }
18096
18097 if ( (si->request)
18098 && (si->mid == 0)
18099 && (si->uid == 0)
18100 && (si->pid == 0)
18101 && (si->tid == 0) ) {
18102 /* this is a broadcast SMB packet, there will not be a reply.
18103 We don't need to do anything
18104 */
18105 si->unidir = true;
18106 } else if (si->cmd == SMB_COM_NT_CANCEL) /* NT Cancel */
18107 /* Ok, we got a special request type. This request is an
18108 an NT Cancel. We don't expect any responses to this packet.
18109 Anyway, we want to remembe0 this packet somehow and
18110 remember which original request it is associated with so
18111 we can say nice things such as "This is a Cancellation to
18112 the request in frame x", but we don't want the
18113 request/response matching to get messed up.
18114
18115 The only thing we do in this case is trying to find which original
18116 request we match with and insert an entry for this "special"
18117 request for later reference. We continue to reference the original
18118 requests smb_saved_info_t but we don't touch it or change anything
18119 in it.
18120 */
18121 si->unidir = true; /*we don't expect an answer to this one*/
18122
18123 else if ((si->cmd == SMB_COM_TRANSACTION_SECONDARY) /* Transaction Secondary */
18124 || (si->cmd == SMB_COM_TRANSACTION2_SECONDARY) /* Transaction2 Secondary */
18125 || (si->cmd == SMB_COM_NT_TRANSACT_SECONDARY)) { /* NT Transaction Secondary */
18126 /* In the case of secondariy requests there is response to the initial request
18127 followed by one or more secondary *requests* then another response. Each
18128 of the secondaries should point to the second response as the response
18129 and have "Response in: <second response's frame number>".
18130 */
18131 si->unidir = false;
18132
18133 if (!pinfo->fd->visited) {
18134 /* try to find which original call we match and if we
18135 find it add us to the matched table. Don't touch
18136 anything else since we don't want this one to mess
18137 up the request/response matching. We still consider
18138 the initial call the real request and this is only
18139 some sort of continuation.
18140 */
18141 /* we only check the unmatched table and assume that the
18142 last seen MID matching ours is the right one.
18143 This can fail but is better than nothing
18144 */
18145 sip = (smb_saved_info_t *)g_hash_table_lookup(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
18146 if (sip != NULL) {
18147 new_key = wmem_new(wmem_file_scope(), smb_saved_info_key_t);
18148 new_key->frame = pinfo->num;
18149 new_key->pid_mid = pid_mid;
18150 /*
18151 * With secondary requests there is a command such as
18152 * SET_FILE_INFO, an immediate response, one or more
18153 * secondaries containing the remaining data, followed by
18154 * another response. Each secondary shows command as the
18155 * request, and the *second* response as the response.
18156 * The second request shows the command as the request.
18157 * Finally the command request shows the second response
18158 * as the response frame. We need to set sip->frame_res = 0
18159 * so that the second response will be matched to each
18160 * secondary request.
18161 */
18162 if ((si->cmd == SMB_COM_TRANSACTION_SECONDARY) ||
18163 (si->cmd == SMB_COM_TRANSACTION2_SECONDARY) ||
18164 (si->cmd == SMB_COM_NT_TRANSACT_SECONDARY)) {
18165 sip->frame_res = 0;
18166 }
18167 g_hash_table_insert(si->ct->matched, new_key, sip);
18168 } else {
18169 if ((si->cmd == SMB_COM_TRANSACTION_SECONDARY) ||
18170 (si->cmd == SMB_COM_TRANSACTION2_SECONDARY) ||
18171 (si->cmd == SMB_COM_NT_TRANSACT_SECONDARY)) {
18172 sip = (smb_saved_info_t *)g_hash_table_lookup(si->ct->primaries, GUINT_TO_POINTER(pid_mid));
18173 }
18174 }
18175 } else {
18176 /* we have seen this packet before; check the
18177 matching table
18178 */
18179 key.frame = pinfo->num;
18180 key.pid_mid = pid_mid;
18181 sip = (smb_saved_info_t *)g_hash_table_lookup(si->ct->matched, &key);
18182 if (sip == NULL) {
18183 /*
18184 We didn't find it.
18185 Too bad, unfortunately there is not really much we can
18186 do now since this means that we never saw the initial
18187 request.
18188 */
18189 }
18190 }
18191
18192
18193 if (sip && sip->frame_req) {
18194 switch(si->cmd) {
18195 case SMB_COM_NT_CANCEL:
18196 tmp_item = proto_tree_add_uint(htree, hf_smb_cancel_to,
18197 tvb, 0, 0, sip->frame_req);
18198 proto_item_set_generated(tmp_item);
18199 break;
18200 case SMB_COM_TRANSACTION_SECONDARY:
18201 case SMB_COM_TRANSACTION2_SECONDARY:
18202 case SMB_COM_NT_TRANSACT_SECONDARY:
18203 tmp_item = proto_tree_add_uint(htree, hf_smb_continuation_of,
18204 tvb, 0, 0, sip->frame_req);
18205 proto_item_set_generated(tmp_item);
18206 break;
18207 }
18208 } else {
18209 switch(si->cmd) {
18210 case SMB_COM_NT_CANCEL:
18211 proto_tree_add_uint_format_value(htree, hf_smb_cancel_to, tvb, 0, 0, 0, "<unknown frame>");
18212 break;
18213 case SMB_COM_TRANSACTION_SECONDARY:
18214 case SMB_COM_TRANSACTION2_SECONDARY:
18215 case SMB_COM_NT_TRANSACT_SECONDARY:
18216 proto_tree_add_uint_format_value(htree, hf_smb_continuation_of, tvb, 0, 0, 0, "<unknown frame>");
18217 break;
18218 }
18219 }
18220 } else { /* normal bidirectional request or response */
18221 si->unidir = false;
18222
18223 if (!pinfo->fd->visited) {
18224 /* first see if we find an unmatched smb "equal" to
18225 the current one
18226 */
18227 sip = (smb_saved_info_t *)g_hash_table_lookup(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
18228 if (sip != NULL) {
18229 bool cmd_match = false;
18230
18231 /*
18232 * Make sure the SMB we found was the
18233 * same command, or a different command
18234 * that's another valid type of reply
18235 * to that command.
18236 */
18237 if (si->cmd == sip->cmd) {
18238 cmd_match = true;
18239 }
18240 else if (si->cmd == SMB_COM_NT_CANCEL) {
18241 cmd_match = true;
18242 }
18243 else if ((si->cmd == SMB_COM_TRANSACTION_SECONDARY)
18244 && (sip->cmd == SMB_COM_TRANSACTION)) {
18245 cmd_match = true;
18246 }
18247 else if ((si->cmd == SMB_COM_TRANSACTION2_SECONDARY)
18248 && (sip->cmd == SMB_COM_TRANSACTION2)) {
18249 cmd_match = true;
18250 }
18251 else if ((si->cmd == SMB_COM_NT_TRANSACT_SECONDARY)
18252 && (sip->cmd == SMB_COM_NT_TRANSACT)) {
18253 cmd_match = true;
18254 }
18255
18256 if ( (si->request) || (!cmd_match) ) {
18257 /* We are processing an SMB request but there was already
18258 another "identical" smb request we had not matched yet.
18259 This must mean that either we have a retransmission or that the
18260 response to the previous one was lost and the client has reused
18261 the MID for this conversation. In either case it's not much more
18262 we can do than forget the old request and concentrate on the
18263 present one instead.
18264
18265 We also do this cleanup if we see that the cmd in the original
18266 request in sip->cmd is not compatible with the current cmd.
18267 This is to prevent matching errors such as if there were two
18268 SMBs of different cmds but with identical MID and PID values and
18269 if wireshark lost the first reply and the second request.
18270 */
18271 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
18272 sip = NULL; /* XXX should free it as well */
18273 } else {
18274 /* we have found a response to some
18275 request we have seen earlier.
18276 What we do now depends on whether
18277 this is the first response to that
18278 request we see (id frame_res == 0) or
18279 if it's a response to a request
18280 for which we've seen an earlier
18281 response that's continued.
18282 */
18283 if ((sip->frame_res == 0) ||
18284 (sip->flags & SMB_SIF_IS_CONTINUED)) {
18285 /* OK, it is the first response
18286 we have seen to this packet,
18287 or it's a continuation of
18288 a response we've seen. */
18289 sip->frame_res = pinfo->num;
18290 new_key = wmem_new(wmem_file_scope(), smb_saved_info_key_t);
18291 new_key->frame = sip->frame_res;
18292 new_key->pid_mid = pid_mid;
18293 g_hash_table_insert(si->ct->matched, new_key, sip);
18294 /* We remove the entry for unmatched since we have found a match.
18295 * We have to do this since the MID value wraps so quickly
18296 * and if there is packetloss in the trace (maybe due to large holes
18297 * created by a sniffer device not being able to keep up
18298 * with the line rate.
18299 * There is a real possibility that the following would occur which is painful :
18300 * 1, -> Request MID:5
18301 * 2, <- Response MID:5
18302 * 3, -> Request MID:5 (missing from capture)
18303 * 4, <- Response MID:5
18304 * We DON'T want #4 to be presented as a response to #1
18305 */
18306 /* Prevent "FIND_FIRST2 <unknown>", "FIND_NEXT2 <unknown>"
18307 * "SET_FILE_INFO <unknown>" INFO and "SET_PATH_INFO <unknown>" responses
18308 * when there are multiple responses to the same request. And prevent
18309 * "Continuation of: <unknown frame>" in Trans2 Secondary requests.
18310 * We leave the pid_mid of these responses and requests in the unmatched
18311 * table until all of them have been fully processed.
18312 */
18313 if (sip->extra_info_type == SMB_EI_T2I) {
18314 t2i = (smb_transact2_info_t *)sip->extra_info;
18315 if (t2i) {
18316 /* FIND_FIRST2 or FIND_NEXT2 or
18317 * SET_FILE INFO or SET_PATH_INFO
18318 */
18319 if (t2i->subcmd == 0x0001 || t2i->subcmd == 0x0002 ||
18320 t2i->subcmd == 0x0006 || t2i->subcmd == 0x0008) {
18321 remove = false;
18322 }
18323 }
18324 }
18325 if (si->cmd == SMB_COM_TRANSACTION2_SECONDARY ||
18326 si->cmd == SMB_COM_TRANSACTION_SECONDARY ||
18327 si->cmd == SMB_COM_NT_TRANSACT_SECONDARY) {
18328 remove = false;
18329 }
18330 if (remove) {
18331 g_hash_table_remove(si->ct->unmatched, GUINT_TO_POINTER(pid_mid));
18332 }
18333
18334 } else {
18335 /* We have already seen another response to this MID.
18336 */
18337 sip = NULL;
18338 }
18339 }
18340 } else {
18341 if ((si->cmd == SMB_COM_TRANSACTION) ||
18342 (si->cmd == SMB_COM_TRANSACTION2) ||
18343 (si->cmd == SMB_COM_NT_TRANSACT)) {
18344 sip = (smb_saved_info_t *)g_hash_table_lookup(si->ct->primaries, GUINT_TO_POINTER(pid_mid));
18345 }
18346 }
18347
18348 if (si->request) {
18349 sip = wmem_new(wmem_file_scope(), smb_saved_info_t);
18350 sip->frame_req = pinfo->num;
18351 sip->frame_res = 0;
18352 sip->req_time = pinfo->abs_ts;
18353 sip->flags = 0;
18354 if (g_hash_table_lookup(si->ct->tid_service, GUINT_TO_POINTER(si->tid))
18355 == (void *)TID_IPC) {
18356 sip->flags |= SMB_SIF_TID_IS_IPC;
18357 }
18358 sip->cmd = si->cmd;
18359 sip->extra_info = NULL;
18360 sip->extra_info_type = SMB_EI_NONE;
18361 sip->fid = 0;
18362 sip->fid_seen_in_request = 0;
18363 g_hash_table_insert(si->ct->unmatched, GUINT_TO_POINTER(pid_mid), sip);
18364 new_key = wmem_new(wmem_file_scope(), smb_saved_info_key_t);
18365 new_key->frame = sip->frame_req;
18366 new_key->pid_mid = pid_mid;
18367 g_hash_table_insert(si->ct->matched, new_key, sip);
18368
18369 /* If it is a TRANSACT cmd, insert in hash */
18370 if ((si->cmd == SMB_COM_TRANSACTION) ||
18371 (si->cmd == SMB_COM_TRANSACTION2) ||
18372 (si->cmd == SMB_COM_NT_TRANSACT)) {
18373 g_hash_table_insert(si->ct->primaries, GUINT_TO_POINTER(pid_mid), sip);
18374 }
18375 }
18376 } else {
18377 /* we have seen this packet before; check the
18378 matching table.
18379 If we haven't yet seen the reply, we won't
18380 find the info for it; we don't need it, as
18381 we only use it to save information, and, as
18382 we've seen this packet before, we've already
18383 saved the information.
18384 */
18385 key.frame = pinfo->num;
18386 key.pid_mid = pid_mid;
18387 sip = (smb_saved_info_t *)g_hash_table_lookup(si->ct->matched, &key);
18388 }
18389 }
18390
18391 /*
18392 * Pass the "sip" on to subdissectors through "si".
18393 */
18394 si->sip = sip;
18395
18396 if (sip != NULL) {
18397 /*
18398 * Put in fields for the frame number of the frame to which
18399 * this is a response or the frame with the response to this
18400 * frame - if we know the frame number (i.e., it's not 0).
18401 */
18402 if (si->request) {
18403 if (sip->frame_res != 0) {
18404 tmp_item = proto_tree_add_uint(htree, hf_smb_response_in, tvb, 0, 0, sip->frame_res);
18405 proto_item_set_generated(tmp_item);
18406 }
18407 } else {
18408 if (sip->frame_req != 0) {
18409 tmp_item = proto_tree_add_uint(htree, hf_smb_response_to, tvb, 0, 0, sip->frame_req);
18410 proto_item_set_generated(tmp_item);
18411 t = pinfo->abs_ts;
18412 nstime_delta(&deltat, &t, &sip->req_time);
18413 tmp_item = proto_tree_add_time(htree, hf_smb_time, tvb,
18414 0, 0, &deltat);
18415 proto_item_set_generated(tmp_item);
18416 }
18417 }
18418 }
18419
18420 /* smb command */
18421 proto_tree_add_uint(htree, hf_smb_cmd, tvb, offset, 1, si->cmd);
18422 offset += 1;
18423
18424 if (flags2 & 0x4000) {
18425 /* handle NT 32 bit error code */
18426
18427 si->nt_status = tvb_get_letohl(tvb, offset);
18428
18429 proto_tree_add_item(htree, hf_smb_nt_status, tvb, offset, 4,
18430 ENC_LITTLE_ENDIAN);
18431 offset += 4;
18432
18433 } else {
18434 /* handle DOS error code & class */
18435 errclass = tvb_get_uint8(tvb, offset);
18436 proto_tree_add_uint(htree, hf_smb_error_class, tvb, offset, 1,
18437 errclass);
18438 offset += 1;
18439
18440 /* reserved byte */
18441 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
18442 offset += 1;
18443
18444 /* error code */
18445 /* XXX - the type of this field depends on the value of
18446 * "errcls", so there is isn't a single value_string array
18447 * fo it, so there can't be a single field for it.
18448 */
18449 errcode = tvb_get_letohs(tvb, offset);
18450 proto_tree_add_uint_format_value(htree, hf_smb_error_code, tvb,
18451 offset, 2, errcode, "%s",
18452 decode_smb_error(errclass, errcode));
18453 offset += 2;
18454 }
18455
18456 /* flags */
18457 offset = dissect_smb_flags(tvb, htree, offset);
18458
18459 /* flags2 */
18460 offset = dissect_smb_flags2(tvb, htree, offset);
18461
18462 /*
18463 * The document at
18464 *
18465 * http://www.samba.org/samba/ftp/specs/smbpub.txt
18466 *
18467 * (a text version of "Microsoft Networks SMB FILE SHARING
18468 * PROTOCOL, Document Version 6.0p") says that:
18469 *
18470 * the first 2 bytes of these 12 bytes are, for NT Create and X,
18471 * the "High Part of PID";
18472 *
18473 * the next four bytes are reserved;
18474 *
18475 * the next four bytes are, for SMB-over-IPX (with no
18476 * NetBIOS involved) two bytes of Session ID and two bytes
18477 * of SequenceNumber.
18478 *
18479 * Network Monitor 2.x dissects the four bytes before the Session ID
18480 * as a "Key", and the two bytes after the SequenceNumber as
18481 * a "Group ID".
18482 *
18483 * The "High Part of PID" has been seen in calls other than NT
18484 * Create and X, although most of them appear to be I/O on DCE RPC
18485 * pipes opened with the NT Create and X in question.
18486 */
18487 proto_tree_add_item(htree, hf_smb_pid_high, tvb, offset, 2, ENC_LITTLE_ENDIAN);
18488 offset += 2;
18489
18490 if ((pinfo->ptype == PT_IPX) &&
18491 ((pinfo->match_uint == IPX_SOCKET_NWLINK_SMB_SERVER) ||
18492 (pinfo->match_uint == IPX_SOCKET_NWLINK_SMB_REDIR) ||
18493 (pinfo->match_uint == IPX_SOCKET_NWLINK_SMB_MESSENGER))) {
18494 /*
18495 * This is SMB-over-IPX.
18496 * XXX - do we have to worry about "sequenced commands",
18497 * as per the Samba document? They say that for
18498 * "unsequenced commands" (with a sequence number of 0),
18499 * the Mid must be unique, but perhaps the Mid doesn't
18500 * have to be unique for sequenced commands. In at least
18501 * one capture with SMB-over-IPX, however, the Mids
18502 * are unique even for sequenced commands.
18503 */
18504 /* Key */
18505 proto_tree_add_item(htree, hf_smb_key, tvb, offset, 4,
18506 ENC_LITTLE_ENDIAN);
18507 offset += 4;
18508
18509 /* Session ID */
18510 proto_tree_add_item(htree, hf_smb_session_id, tvb, offset, 2,
18511 ENC_LITTLE_ENDIAN);
18512 offset += 2;
18513
18514 /* Sequence number */
18515 proto_tree_add_item(htree, hf_smb_sequence_num, tvb, offset, 2,
18516 ENC_LITTLE_ENDIAN);
18517 offset += 2;
18518
18519 /* Group ID */
18520 proto_tree_add_item(htree, hf_smb_group_id, tvb, offset, 2,
18521 ENC_LITTLE_ENDIAN);
18522 offset += 2;
18523 } else {
18524 /*
18525 * According to http://ubiqx.org/cifs/SMB.html#SMB.4.2.1
18526 * and http://ubiqx.org/cifs/SMB.html#SMB.5.5.1 the 8
18527 * bytes after the "High part of PID" are an 8-byte
18528 * signature ...
18529 */
18530 proto_tree_add_item(htree, hf_smb_sig, tvb, offset, 8, ENC_NA);
18531 offset += 8;
18532
18533 proto_tree_add_item(htree, hf_smb_reserved, tvb, offset, 2, ENC_NA);
18534 offset += 2;
18535 }
18536
18537 /* TID
18538 * TreeConnectAndX(0x75) is special, here it is the mere fact of
18539 * having a response that means that the share was mapped and we
18540 * need to track it
18541 */
18542 if (!pinfo->fd->visited && (si->cmd == 0x75) && !si->request) {
18543 offset = dissect_smb_tid(tvb, pinfo, htree, offset, (uint16_t)si->tid, true, false, si);
18544 } else {
18545 offset = dissect_smb_tid(tvb, pinfo, htree, offset, (uint16_t)si->tid, false, false, si);
18546 }
18547
18548 /* PID */
18549 proto_tree_add_uint(htree, hf_smb_pid, tvb, offset, 2, si->pid);
18550 offset += 2;
18551
18552 /* UID */
18553 offset = dissect_smb_uid(tvb, htree, offset, si);
18554
18555 /* MID */
18556 proto_tree_add_uint(htree, hf_smb_mid, tvb, offset, 2, si->mid);
18557 offset += 2;
18558
18559 /* tap the packet before the dissectors are called so we still get
18560 the tap listener called even if there is an exception.
18561 */
18562 tap_queue_packet(smb_tap, pinfo, si);
18563 dissect_smb_command(tvb, pinfo, offset, tree, si->cmd, true, si);
18564
18565 /* Append error info from this packet to info string. */
18566 if (!si->request) {
18567 if (flags2 & 0x4000) {
18568 /*
18569 * The status is an NT status code; was there
18570 * an error?
18571 */
18572 if ((si->nt_status & 0xC0000000) == 0xC0000000) {
18573 /*
18574 * Yes.
18575 */
18576 col_append_fstr(
18577 pinfo->cinfo, COL_INFO, ", Error: %s",
18578 val_to_str_ext(si->nt_status, &NT_errors_ext,
18579 "Unknown (0x%08X)"));
18580 }
18581 } else {
18582 /*
18583 * The status is a DOS error class and code; was
18584 * there an error?
18585 */
18586 if (errclass != SMB_SUCCESS) {
18587 /*
18588 * Yes.
18589 */
18590 col_append_fstr(
18591 pinfo->cinfo, COL_INFO, ", Error: %s",
18592 decode_smb_error(errclass, errcode));
18593 }
18594 }
18595 }
18596 return tvb_captured_length(tvb);
18597 }
18598
18599 static bool
18600 dissect_smb_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data)
18601 {
18602 /* must check that this really is a smb packet */
18603 if (tvb_reported_length(tvb) < 4)
18604 return false;
18605
18606 if ( (tvb_get_uint8(tvb, 0) != 0xff)
18607 || (tvb_get_uint8(tvb, 1) != 'S')
18608 || (tvb_get_uint8(tvb, 2) != 'M')
18609 || (tvb_get_uint8(tvb, 3) != 'B') ) {
18610 return false;
18611 }
18612
18613 dissect_smb(tvb, pinfo, parent_tree, data);
18614 return true;
18615 }
18616
18617 void
18618 proto_register_smb(void)
18619 {
18620 static hf_register_info hf[] = {
18621 { &hf_smb_cmd,
18622 { "SMB Command", "smb.cmd", FT_UINT8, BASE_HEX|BASE_EXT_STRING,
18623 &smb_cmd_vals_ext, 0x0, NULL, HFILL }},
18624
18625 { &hf_smb_andxcmd,
18626 { "AndXCommand", "smb.cmd", FT_UINT8, BASE_HEX|BASE_EXT_STRING,
18627 &smb_cmd_vals_ext, 0x0, NULL, HFILL }},
18628
18629 { &hf_smb_trans2_subcmd,
18630 { "Subcommand", "smb.trans2.cmd", FT_UINT16, BASE_HEX|BASE_EXT_STRING,
18631 &trans2_cmd_vals_ext, 0, "Subcommand for TRANSACTION2", HFILL }},
18632
18633 { &hf_smb_nt_trans_subcmd,
18634 { "Function", "smb.nt.function", FT_UINT16, BASE_DEC|BASE_EXT_STRING,
18635 &nt_cmd_vals_ext, 0, "Function for NT Transaction", HFILL }},
18636
18637 { &hf_smb_word_count,
18638 { "Word Count (WCT)", "smb.wct", FT_UINT8, BASE_DEC,
18639 NULL, 0x0, "Word Count, count of parameter words", HFILL }},
18640
18641 { &hf_smb_byte_count,
18642 { "Byte Count (BCC)", "smb.bcc", FT_UINT16, BASE_DEC,
18643 NULL, 0x0, "Byte Count, count of data bytes", HFILL }},
18644
18645 { &hf_smb_response_to,
18646 { "Response to", "smb.response_to", FT_FRAMENUM, BASE_NONE,
18647 FRAMENUM_TYPE(FT_FRAMENUM_REQUEST), 0, "This packet is a response to the packet in this frame", HFILL }},
18648
18649 { &hf_smb_time,
18650 { "Time from request", "smb.time", FT_RELATIVE_TIME, BASE_NONE,
18651 NULL, 0, "Time between Request and Response for SMB cmds", HFILL }},
18652
18653 { &hf_smb_response_in,
18654 { "Response in", "smb.response_in", FT_FRAMENUM, BASE_NONE,
18655 FRAMENUM_TYPE(FT_FRAMENUM_RESPONSE), 0, "The response to this packet is in this packet", HFILL }},
18656
18657 { &hf_smb_continuation_of,
18658 { "Continuation of", "smb.continuation_of", FT_FRAMENUM, BASE_NONE,
18659 NULL, 0, "This packet is a continuation of the packet in this frame", HFILL }},
18660
18661 { &hf_smb_nt_status,
18662 { "NT Status", "smb.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
18663 &NT_errors_ext, 0, "NT Status code", HFILL }},
18664
18665 { &hf_smb_error_class,
18666 { "Error Class", "smb.error_class", FT_UINT8, BASE_HEX,
18667 VALS(errcls_types), 0, "DOS Error Class", HFILL }},
18668
18669 { &hf_smb_error_code,
18670 { "Error Code", "smb.error_code", FT_UINT16, BASE_HEX,
18671 NULL, 0, "DOS Error Code", HFILL }},
18672
18673 { &hf_smb_reserved,
18674 { "Reserved", "smb.reserved", FT_BYTES, BASE_NONE,
18675 NULL, 0, "Reserved bytes, must be zero", HFILL }},
18676
18677 { &hf_smb_sig,
18678 { "Signature", "smb.signature", FT_BYTES, BASE_NONE,
18679 NULL, 0, "Signature bytes", HFILL }},
18680
18681 { &hf_smb_key,
18682 { "Key", "smb.key", FT_UINT32, BASE_HEX,
18683 NULL, 0, "SMB-over-IPX Key", HFILL }},
18684
18685 { &hf_smb_session_id,
18686 { "Session ID", "smb.sessid", FT_UINT16, BASE_DEC,
18687 NULL, 0, "SMB-over-IPX Session ID", HFILL }},
18688
18689 { &hf_smb_sequence_num,
18690 { "Sequence Number", "smb.sequence_num", FT_UINT16, BASE_DEC,
18691 NULL, 0, "SMB-over-IPX Sequence Number", HFILL }},
18692
18693 { &hf_smb_group_id,
18694 { "Group ID", "smb.group_id", FT_UINT16, BASE_DEC,
18695 NULL, 0, "SMB-over-IPX Group ID", HFILL }},
18696
18697 { &hf_smb_pid,
18698 { "Process ID", "smb.pid", FT_UINT16, BASE_DEC,
18699 NULL, 0, NULL, HFILL }},
18700
18701 { &hf_smb_pid_high,
18702 { "Process ID High", "smb.pid.high", FT_UINT16, BASE_DEC,
18703 NULL, 0, "Process ID High Bytes", HFILL }},
18704
18705 { &hf_smb_tid,
18706 { "Tree ID", "smb.tid", FT_UINT16, BASE_DEC,
18707 NULL, 0, NULL, HFILL }},
18708
18709 { &hf_smb_uid,
18710 { "User ID", "smb.uid", FT_UINT16, BASE_DEC,
18711 NULL, 0, NULL, HFILL }},
18712
18713 { &hf_smb_mid,
18714 { "Multiplex ID", "smb.mid", FT_UINT16, BASE_DEC,
18715 NULL, 0, NULL, HFILL }},
18716
18717 { &hf_smb_flags,
18718 { "Flags", "smb.flags", FT_UINT8, BASE_HEX,
18719 NULL, 0x0, NULL, HFILL }},
18720
18721 { &hf_smb_flags_lock,
18722 { "Lock and Read", "smb.flags.lock", FT_BOOLEAN, 8,
18723 TFS(&tfs_smb_flags_lock), 0x01, "Are Lock&Read and Write&Unlock operations supported?", HFILL }},
18724
18725 { &hf_smb_flags_receive_buffer,
18726 { "Receive Buffer Posted", "smb.flags.receive_buffer", FT_BOOLEAN, 8,
18727 TFS(&tfs_smb_flags_receive_buffer), 0x02, "Have receive buffers been reported?", HFILL }},
18728
18729 { &hf_smb_flags_caseless,
18730 { "Case Sensitivity", "smb.flags.caseless", FT_BOOLEAN, 8,
18731 TFS(&tfs_smb_flags_caseless), 0x08, "Are pathnames caseless or casesensitive?", HFILL }},
18732
18733 { &hf_smb_flags_canon,
18734 { "Canonicalized Pathnames", "smb.flags.canon", FT_BOOLEAN, 8,
18735 TFS(&tfs_smb_flags_canon), 0x10, "Are pathnames canonicalized?", HFILL }},
18736
18737 { &hf_smb_flags_oplock,
18738 { "Oplocks", "smb.flags.oplock", FT_BOOLEAN, 8,
18739 TFS(&tfs_smb_flags_oplock), 0x20, "Is an oplock requested/granted?", HFILL }},
18740
18741 { &hf_smb_flags_notify,
18742 { "Notify", "smb.flags.notify", FT_BOOLEAN, 8,
18743 TFS(&tfs_smb_flags_notify), 0x40, "Notify on open or all?", HFILL }},
18744
18745 { &hf_smb_flags_response,
18746 { "Request/Response", "smb.flags.response", FT_BOOLEAN, 8,
18747 TFS(&tfs_smb_flags_response), 0x80, "Is this a request or a response?", HFILL }},
18748
18749 { &hf_smb_flags2,
18750 { "Flags2", "smb.flags2", FT_UINT16, BASE_HEX,
18751 NULL, 0x0, NULL, HFILL }},
18752
18753 { &hf_smb_flags2_long_names_allowed,
18754 { "Long Names Allowed", "smb.flags2.long_names_allowed", FT_BOOLEAN, 16,
18755 TFS(&tfs_smb_flags2_long_names_allowed), 0x0001, "Are long file names allowed in the response?", HFILL }},
18756
18757 { &hf_smb_flags2_ea,
18758 { "Extended Attributes", "smb.flags2.ea", FT_BOOLEAN, 16,
18759 TFS(&tfs_smb_flags2_ea), 0x0002, "Are extended attributes supported?", HFILL }},
18760
18761 { &hf_smb_flags2_sec_sig,
18762 { "Security Signatures", "smb.flags2.sec_sig", FT_BOOLEAN, 16,
18763 TFS(&tfs_smb_flags2_sec_sig), 0x0004, "Are security signatures supported?", HFILL }},
18764
18765 { &hf_smb_flags2_compressed,
18766 { "Compressed", "smb.flags2.compressed", FT_BOOLEAN, 16,
18767 TFS(&tfs_smb_flags2_compressed), 0x0008, "Is compression requested?", HFILL }},
18768
18769 { &hf_smb_flags2_sec_sig_required,
18770 { "Security Signatures Required", "smb.flags2.sec_sig_required", FT_BOOLEAN, 16,
18771 TFS(&tfs_smb_flags2_sec_sig_required), 0x0010, "Are security signatures required?", HFILL }},
18772
18773 { &hf_smb_flags2_long_names_used,
18774 { "Long Names Used", "smb.flags2.long_names_used", FT_BOOLEAN, 16,
18775 TFS(&tfs_smb_flags2_long_names_used), 0x0040, "Are pathnames in this request long file names?", HFILL }},
18776
18777 { &hf_smb_flags2_reparse_path,
18778 { "Reparse Path", "smb.flags2.reparse_path", FT_BOOLEAN, 16,
18779 TFS(&tfs_smb_flags2_reparse_path), 0x0400, "The request uses a @GMT reparse path", HFILL }},
18780
18781 { &hf_smb_flags2_esn,
18782 { "Extended Security Negotiation", "smb.flags2.esn", FT_BOOLEAN, 16,
18783 TFS(&tfs_smb_flags2_esn), 0x0800, "Is extended security negotiation supported?", HFILL }},
18784
18785 { &hf_smb_flags2_dfs,
18786 { "Dfs", "smb.flags2.dfs", FT_BOOLEAN, 16,
18787 TFS(&tfs_smb_flags2_dfs), 0x1000, "Can pathnames be resolved using Dfs?", HFILL }},
18788
18789 { &hf_smb_flags2_roe,
18790 { "Execute-only Reads", "smb.flags2.roe", FT_BOOLEAN, 16,
18791 TFS(&tfs_smb_flags2_roe), 0x2000, "Will reads be allowed for execute-only files?", HFILL }},
18792
18793 { &hf_smb_flags2_nt_error,
18794 { "Error Code Type", "smb.flags2.nt_error", FT_BOOLEAN, 16,
18795 TFS(&tfs_smb_flags2_nt_error), 0x4000, "Are error codes NT or DOS format?", HFILL }},
18796
18797 { &hf_smb_flags2_string,
18798 { "Unicode Strings", "smb.flags2.string", FT_BOOLEAN, 16,
18799 TFS(&tfs_smb_flags2_string), 0x8000, "Are strings ASCII or Unicode?", HFILL }},
18800
18801 { &hf_smb_buffer_format,
18802 { "Buffer Format", "smb.buffer_format", FT_UINT8, BASE_DEC,
18803 VALS(buffer_format_vals), 0x0, "Buffer Format, type of buffer", HFILL }},
18804
18805 { &hf_smb_dialect,
18806 { "Dialect", "smb.dialect", FT_STRING, BASE_NONE,
18807 NULL, 0x0, NULL, HFILL }},
18808
18809 { &hf_smb_dialect_name,
18810 { "Name", "smb.dialect.name", FT_STRING, BASE_NONE,
18811 NULL, 0, "Name of dialect", HFILL }},
18812
18813 { &hf_smb_dialect_index,
18814 { "Selected Index", "smb.dialect.index", FT_UINT16, BASE_DEC,
18815 NULL, 0, "Index of selected dialect", HFILL }},
18816
18817 { &hf_smb_max_trans_buf_size,
18818 { "Max Buffer Size", "smb.max_bufsize", FT_UINT32, BASE_DEC,
18819 NULL, 0, "Maximum transmit buffer size", HFILL }},
18820
18821 { &hf_smb_max_mpx_count,
18822 { "Max Mpx Count", "smb.max_mpx_count", FT_UINT16, BASE_DEC,
18823 NULL, 0, "Maximum pending multiplexed requests", HFILL }},
18824
18825 { &hf_smb_max_vcs_num,
18826 { "Max VCs", "smb.max_vcs", FT_UINT16, BASE_DEC,
18827 NULL, 0, "Maximum VCs between client and server", HFILL }},
18828
18829 { &hf_smb_session_key,
18830 { "Session Key", "smb.session_key", FT_UINT32, BASE_HEX,
18831 NULL, 0, "Unique token identifying this session", HFILL }},
18832
18833 { &hf_smb_server_timezone,
18834 { "Server Time Zone", "smb.server_timezone", FT_INT16, BASE_DEC,
18835 NULL, 0, "Current timezone at server.", HFILL }},
18836
18837 { &hf_smb_challenge_length,
18838 { "Challenge Length", "smb.challenge_length", FT_UINT16, BASE_DEC,
18839 NULL, 0, "Challenge_length (must be 0 if not LM2.1 dialect)", HFILL }},
18840
18841 { &hf_smb_challenge,
18842 { "Challenge", "smb.challenge", FT_BYTES, BASE_NONE,
18843 NULL, 0, "Challenge Data (for LM2.1 dialect)", HFILL }},
18844
18845 { &hf_smb_primary_domain,
18846 { "Primary Domain", "smb.primary_domain", FT_STRING, BASE_NONE,
18847 NULL, 0, "The server's primary domain", HFILL }},
18848
18849 { &hf_smb_server,
18850 { "Server", "smb.server", FT_STRING, BASE_NONE,
18851 NULL, 0, "The name of the DC/server", HFILL }},
18852
18853 { &hf_smb_max_raw_buf_size,
18854 { "Max Raw Buffer", "smb.max_raw", FT_UINT32, BASE_DEC,
18855 NULL, 0, "Maximum raw buffer size", HFILL }},
18856
18857 { &hf_smb_server_guid,
18858 { "Server GUID", "smb.server_guid", FT_GUID, BASE_NONE,
18859 NULL, 0, "Globally unique identifier for this server", HFILL }},
18860
18861 { &hf_smb_volume_guid,
18862 { "Volume GUID", "smb.volume_guid", FT_GUID, BASE_NONE,
18863 NULL, 0, "Globally unique identifier for this volume", HFILL }},
18864
18865 { &hf_smb_security_blob_len,
18866 { "Security Blob Length", "smb.security_blob_len", FT_UINT16, BASE_DEC,
18867 NULL, 0, NULL, HFILL }},
18868
18869 { &hf_smb_security_blob,
18870 { "Security Blob", "smb.security_blob", FT_BYTES, BASE_NONE,
18871 NULL, 0, NULL, HFILL }},
18872
18873 { &hf_smb_sm16,
18874 { "Security Mode", "smb.sm", FT_UINT16, BASE_HEX,
18875 NULL, 0x0, NULL, HFILL }},
18876
18877 { &hf_smb_sm_mode16,
18878 { "Mode", "smb.sm.mode", FT_BOOLEAN, 16,
18879 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
18880
18881 { &hf_smb_sm_password16,
18882 { "Password", "smb.sm.password", FT_BOOLEAN, 16,
18883 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
18884
18885 { &hf_smb_sm,
18886 { "Security Mode", "smb.sm", FT_UINT8, BASE_HEX,
18887 NULL, 0x0, NULL, HFILL }},
18888
18889 { &hf_smb_sm_mode,
18890 { "Mode", "smb.sm.mode", FT_BOOLEAN, 8,
18891 TFS(&tfs_sm_mode), SECURITY_MODE_MODE, "User or Share security mode?", HFILL }},
18892
18893 { &hf_smb_sm_password,
18894 { "Password", "smb.sm.password", FT_BOOLEAN, 8,
18895 TFS(&tfs_sm_password), SECURITY_MODE_PASSWORD, "Encrypted or plaintext passwords?", HFILL }},
18896
18897 { &hf_smb_sm_signatures,
18898 { "Signatures", "smb.sm.signatures", FT_BOOLEAN, 8,
18899 TFS(&tfs_sm_signatures), SECURITY_MODE_SIGNATURES, "Are security signatures enabled?", HFILL }},
18900
18901 { &hf_smb_sm_sig_required,
18902 { "Sig Req", "smb.sm.sig_required", FT_BOOLEAN, 8,
18903 TFS(&tfs_sm_sig_required), SECURITY_MODE_SIG_REQUIRED, "Are security signatures required?", HFILL }},
18904
18905 { &hf_smb_rm,
18906 { "Raw Mode", "smb.rm", FT_UINT16, BASE_HEX,
18907 NULL, 0x0, NULL, HFILL }},
18908
18909 { &hf_smb_rm_read,
18910 { "Read Raw", "smb.rm.read", FT_BOOLEAN, 16,
18911 TFS(&tfs_rm_read), RAWMODE_READ, "Is Read Raw supported?", HFILL }},
18912
18913 { &hf_smb_rm_write,
18914 { "Write Raw", "smb.rm.write", FT_BOOLEAN, 16,
18915 TFS(&tfs_rm_write), RAWMODE_WRITE, "Is Write Raw supported?", HFILL }},
18916
18917 { &hf_smb_server_date_time,
18918 { "Server Date and Time", "smb.server_date_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
18919 NULL, 0, "Current date and time at server", HFILL }},
18920
18921 { &hf_smb_server_smb_date,
18922 { "Server Date", "smb.server_date_time.smb_date", FT_UINT16, BASE_HEX,
18923 NULL, 0, "Current date at server, SMB_DATE format", HFILL }},
18924
18925 { &hf_smb_server_smb_time,
18926 { "Server Time", "smb.server_date_time.smb_time", FT_UINT16, BASE_HEX,
18927 NULL, 0, "Current time at server, SMB_TIME format", HFILL }},
18928
18929 { &hf_smb_server_cap,
18930 { "Capabilities", "smb.server_cap", FT_UINT32, BASE_HEX,
18931 NULL, 0x0, NULL, HFILL }},
18932
18933 { &hf_smb_server_cap_raw_mode,
18934 { "Raw Mode", "smb.server_cap.raw_mode", FT_BOOLEAN, 32,
18935 TFS(&tfs_server_cap_raw_mode), SERVER_CAP_RAW_MODE, "Are Raw Read and Raw Write supported?", HFILL }},
18936
18937 { &hf_smb_server_cap_mpx_mode,
18938 { "MPX Mode", "smb.server_cap.mpx_mode", FT_BOOLEAN, 32,
18939 TFS(&tfs_server_cap_mpx_mode), SERVER_CAP_MPX_MODE, "Are Read Mpx and Write Mpx supported?", HFILL }},
18940
18941 { &hf_smb_server_cap_unicode,
18942 { "Unicode", "smb.server_cap.unicode", FT_BOOLEAN, 32,
18943 TFS(&tfs_server_cap_unicode), SERVER_CAP_UNICODE, "Are Unicode strings supported?", HFILL }},
18944
18945 { &hf_smb_server_cap_large_files,
18946 { "Large Files", "smb.server_cap.large_files", FT_BOOLEAN, 32,
18947 TFS(&tfs_server_cap_large_files), SERVER_CAP_LARGE_FILES, "Are large files (>4GB) supported?", HFILL }},
18948
18949 { &hf_smb_server_cap_nt_smbs,
18950 { "NT SMBs", "smb.server_cap.nt_smbs", FT_BOOLEAN, 32,
18951 TFS(&tfs_server_cap_nt_smbs), SERVER_CAP_NT_SMBS, "Are NT SMBs supported?", HFILL }},
18952
18953 { &hf_smb_server_cap_rpc_remote_apis,
18954 { "RPC Remote APIs", "smb.server_cap.rpc_remote_apis", FT_BOOLEAN, 32,
18955 TFS(&tfs_server_cap_rpc_remote_apis), SERVER_CAP_RPC_REMOTE_APIS, "Are RPC Remote APIs supported?", HFILL }},
18956
18957 { &hf_smb_server_cap_nt_status,
18958 { "NT Status Codes", "smb.server_cap.nt_status", FT_BOOLEAN, 32,
18959 TFS(&tfs_server_cap_nt_status), SERVER_CAP_STATUS32, "Are NT Status Codes supported?", HFILL }},
18960
18961 { &hf_smb_server_cap_level_ii_oplocks,
18962 { "Level 2 Oplocks", "smb.server_cap.level_2_oplocks", FT_BOOLEAN, 32,
18963 TFS(&tfs_server_cap_level_ii_oplocks), SERVER_CAP_LEVEL_II_OPLOCKS, "Are Level 2 oplocks supported?", HFILL }},
18964
18965 { &hf_smb_server_cap_lock_and_read,
18966 { "Lock and Read", "smb.server_cap.lock_and_read", FT_BOOLEAN, 32,
18967 TFS(&tfs_server_cap_lock_and_read), SERVER_CAP_LOCK_AND_READ, "Is Lock and Read supported?", HFILL }},
18968
18969 { &hf_smb_server_cap_nt_find,
18970 { "NT Find", "smb.server_cap.nt_find", FT_BOOLEAN, 32,
18971 TFS(&tfs_server_cap_nt_find), SERVER_CAP_NT_FIND, "Is NT Find supported?", HFILL }},
18972
18973 { &hf_smb_server_cap_dfs,
18974 { "Dfs", "smb.server_cap.dfs", FT_BOOLEAN, 32,
18975 TFS(&tfs_server_cap_dfs), SERVER_CAP_DFS, "Is Dfs supported?", HFILL }},
18976
18977 { &hf_smb_server_cap_infolevel_passthru,
18978 { "Infolevel Passthru", "smb.server_cap.infolevel_passthru", FT_BOOLEAN, 32,
18979 TFS(&tfs_server_cap_infolevel_passthru), SERVER_CAP_INFOLEVEL_PASSTHRU, "Is NT information level request passthrough supported?", HFILL }},
18980
18981 { &hf_smb_server_cap_large_readx,
18982 { "Large ReadX", "smb.server_cap.large_readx", FT_BOOLEAN, 32,
18983 TFS(&tfs_server_cap_large_readx), SERVER_CAP_LARGE_READX, "Is Large Read andX supported?", HFILL }},
18984
18985 { &hf_smb_server_cap_large_writex,
18986 { "Large WriteX", "smb.server_cap.large_writex", FT_BOOLEAN, 32,
18987 TFS(&tfs_server_cap_large_writex), SERVER_CAP_LARGE_WRITEX, "Is Large Write andX supported?", HFILL }},
18988
18989 { &hf_smb_server_cap_lwio,
18990 { "LWIO", "smb.server_cap.lwio", FT_BOOLEAN, 32,
18991 TFS(&tfs_server_cap_lwio), SERVER_CAP_LWIO,
18992 "Is IOCTL/FSCTL supported", HFILL }},
18993
18994 { &hf_smb_server_cap_unix,
18995 { "UNIX", "smb.server_cap.unix", FT_BOOLEAN, 32,
18996 TFS(&tfs_server_cap_unix), SERVER_CAP_UNIX , "Are UNIX extensions supported?", HFILL }},
18997
18998 { &hf_smb_server_cap_compressed_data,
18999 { "Compressed Data", "smb.server_cap.compressed_data", FT_BOOLEAN, 32,
19000 TFS(&tfs_server_cap_compressed_data), SERVER_CAP_COMPRESSED_DATA, "Is compressed data transfer supported?", HFILL }},
19001
19002 { &hf_smb_server_cap_dynamic_reauth,
19003 { "Dynamic Reauth", "smb.server_cap.dynamic_reauth", FT_BOOLEAN, 32,
19004 TFS(&tfs_server_cap_dynamic_reauth), SERVER_CAP_DYNAMIC_REAUTH,
19005 "Is dynamic reauth supported?", HFILL }},
19006
19007 { &hf_smb_server_cap_extended_security,
19008 { "Extended Security", "smb.server_cap.extended_security", FT_BOOLEAN, 32,
19009 TFS(&tfs_server_cap_extended_security), SERVER_CAP_EXTENDED_SECURITY, "Are Extended security exchanges supported?", HFILL }},
19010
19011 { &hf_smb_system_time,
19012 { "System Time", "smb.system.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
19013 NULL, 0, NULL, HFILL }},
19014
19015 { &hf_smb_secondaries_will_follow,
19016 { "Secondaries will follow", "smb.secondaries_will_follow", FT_BYTES, BASE_NONE,
19017 NULL, 0, "Level of interest is Info Set EAs and TDC > DC so SECONDARY reqs will follow", HFILL }},
19018
19019 { &hf_smb_unknown,
19020 { "Unknown Data", "smb.unknown_data", FT_BYTES, BASE_NONE,
19021 NULL, 0, "Unknown Data. Should be implemented by someone", HFILL }},
19022
19023 { &hf_smb_dir_name,
19024 { "Directory", "smb.dir_name", FT_STRING, BASE_NONE,
19025 NULL, 0, "SMB Directory Name", HFILL }},
19026
19027 { &hf_smb_echo_count,
19028 { "Echo Count", "smb.echo.count", FT_UINT16, BASE_DEC,
19029 NULL, 0, "Number of times to echo data back", HFILL }},
19030
19031 { &hf_smb_echo_data,
19032 { "Echo Data", "smb.echo.data", FT_BYTES, BASE_NONE,
19033 NULL, 0, "Data for SMB Echo Request/Response", HFILL }},
19034
19035 { &hf_smb_echo_seq_num,
19036 { "Echo Seq Num", "smb.echo.seq_num", FT_UINT16, BASE_DEC,
19037 NULL, 0, "Sequence number for this echo response", HFILL }},
19038
19039 { &hf_smb_max_buf_size,
19040 { "Max Buffer", "smb.max_buf", FT_UINT16, BASE_DEC,
19041 NULL, 0, "Max client buffer size", HFILL }},
19042
19043 { &hf_smb_path,
19044 { "Path", "smb.path", FT_STRING, BASE_NONE,
19045 NULL, 0, "Path. Server name and share name", HFILL }},
19046
19047 { &hf_smb_service,
19048 { "Service", "smb.service", FT_STRING, BASE_NONE,
19049 NULL, 0, "Service name", HFILL }},
19050
19051 { &hf_smb_password,
19052 { "Password", "smb.password", FT_BYTES, BASE_NONE,
19053 NULL, 0, NULL, HFILL }},
19054
19055 { &hf_smb_ansi_password,
19056 { "ANSI Password", "smb.ansi_password", FT_BYTES, BASE_NONE,
19057 NULL, 0, NULL, HFILL }},
19058
19059 { &hf_smb_unicode_password,
19060 { "Unicode Password", "smb.unicode_password", FT_BYTES, BASE_NONE,
19061 NULL, 0, NULL, HFILL }},
19062
19063 { &hf_smb_move_flags,
19064 { "Flags", "smb.move.flags", FT_UINT16, BASE_HEX,
19065 NULL, 0x0, NULL, HFILL }},
19066
19067 { &hf_smb_move_flags_file,
19068 { "Must be file", "smb.move.flags.file", FT_BOOLEAN, 16,
19069 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
19070
19071 { &hf_smb_move_flags_dir,
19072 { "Must be directory", "smb.move.flags.dir", FT_BOOLEAN, 16,
19073 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
19074
19075 { &hf_smb_move_flags_verify,
19076 { "Verify writes", "smb.move.flags.verify", FT_BOOLEAN, 16,
19077 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
19078
19079 { &hf_smb_files_moved,
19080 { "Files Moved", "smb.files_moved", FT_UINT16, BASE_DEC,
19081 NULL, 0, "Number of files moved", HFILL }},
19082
19083 { &hf_smb_copy_flags,
19084 { "Flags", "smb.copy.flags", FT_UINT16, BASE_HEX,
19085 NULL, 0x0, NULL, HFILL }},
19086
19087 { &hf_smb_copy_flags_file,
19088 { "Must be file", "smb.copy.flags.file", FT_BOOLEAN, 16,
19089 TFS(&tfs_mf_file), 0x0001, "Must target be a file?", HFILL }},
19090
19091 { &hf_smb_copy_flags_dir,
19092 { "Must be directory", "smb.copy.flags.dir", FT_BOOLEAN, 16,
19093 TFS(&tfs_mf_dir), 0x0002, "Must target be a directory?", HFILL }},
19094
19095 { &hf_smb_copy_flags_dest_mode,
19096 { "Destination mode", "smb.copy.flags.dest_mode", FT_BOOLEAN, 16,
19097 TFS(&tfs_cf_mode), 0x0004, "Is destination in ASCII?", HFILL }},
19098
19099 { &hf_smb_copy_flags_source_mode,
19100 { "Source mode", "smb.copy.flags.source_mode", FT_BOOLEAN, 16,
19101 TFS(&tfs_cf_mode), 0x0008, "Is source in ASCII?", HFILL }},
19102
19103 { &hf_smb_copy_flags_verify,
19104 { "Verify writes", "smb.copy.flags.verify", FT_BOOLEAN, 16,
19105 TFS(&tfs_mf_verify), 0x0010, "Verify all writes?", HFILL }},
19106
19107 { &hf_smb_copy_flags_tree_copy,
19108 { "Tree copy", "smb.copy.flags.tree_copy", FT_BOOLEAN, 16,
19109 TFS(&tfs_cf_tree_copy), 0x0020, "Is copy a tree copy?", HFILL }},
19110
19111 { &hf_smb_copy_flags_ea_action,
19112 { "EA action if EAs not supported on dest", "smb.copy.flags.ea_action", FT_BOOLEAN, 16,
19113 TFS(&tfs_cf_ea_action), 0x0040, "Fail copy if source file has EAs and dest doesn't support EAs?", HFILL }},
19114
19115 { &hf_smb_count,
19116 { "Count", "smb.count", FT_UINT32, BASE_DEC,
19117 NULL, 0, "Count number of items/bytes", HFILL }},
19118
19119 { &hf_smb_count_low,
19120 { "Count Low", "smb.count_low", FT_UINT16, BASE_DEC,
19121 NULL, 0, "Count number of items/bytes, Low 16 bits", HFILL }},
19122
19123 { &hf_smb_count_high,
19124 { "Count High (multiply with 64K)", "smb.count_high", FT_UINT16, BASE_DEC,
19125 NULL, 0, "Count number of items/bytes, High 16 bits", HFILL }},
19126
19127 { &hf_smb_file_name,
19128 { "File Name", "smb.file", FT_STRING, BASE_NONE,
19129 NULL, 0, NULL, HFILL }},
19130
19131 { &hf_smb_open_function,
19132 { "Open Function", "smb.open.function", FT_UINT16, BASE_HEX,
19133 NULL, 0x0, NULL, HFILL }},
19134
19135 { &hf_smb_open_function_create,
19136 { "Create", "smb.open.function.create", FT_BOOLEAN, 16,
19137 TFS(&tfs_of_create), 0x0010, "Create file if it doesn't exist?", HFILL }},
19138
19139 { &hf_smb_open_function_open,
19140 { "Open", "smb.open.function.open", FT_UINT16, BASE_DEC,
19141 VALS(of_open), 0x0003, "Action to be taken on open if file exists", HFILL }},
19142
19143 { &hf_smb_fid,
19144 { "FID", "smb.fid", FT_UINT16, BASE_HEX,
19145 NULL, 0, "FID: File ID", HFILL }},
19146
19147 { &hf_smb_file_attr_16bit,
19148 { "File Attributes", "smb.file_attribute", FT_UINT16, BASE_HEX,
19149 NULL, 0x0, NULL, HFILL }},
19150
19151 { &hf_smb_file_attr_8bit,
19152 { "File Attributes", "smb.file_attribute", FT_UINT8, BASE_HEX,
19153 NULL, 0x0, NULL, HFILL }},
19154
19155 { &hf_smb_file_attr_read_only_16bit,
19156 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 16,
19157 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
19158
19159 { &hf_smb_file_attr_read_only_8bit,
19160 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 8,
19161 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
19162
19163 { &hf_smb_file_attr_hidden_16bit,
19164 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 16,
19165 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
19166
19167 { &hf_smb_file_attr_hidden_8bit,
19168 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 8,
19169 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
19170
19171 { &hf_smb_file_attr_system_16bit,
19172 { "System", "smb.file_attribute.system", FT_BOOLEAN, 16,
19173 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
19174
19175 { &hf_smb_file_attr_system_8bit,
19176 { "System", "smb.file_attribute.system", FT_BOOLEAN, 8,
19177 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
19178
19179 { &hf_smb_file_attr_volume_16bit,
19180 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 16,
19181 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
19182
19183 { &hf_smb_file_attr_volume_8bit,
19184 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 8,
19185 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID file attribute", HFILL }},
19186
19187 { &hf_smb_file_attr_directory_16bit,
19188 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 16,
19189 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
19190
19191 { &hf_smb_file_attr_directory_8bit,
19192 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 8,
19193 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
19194
19195 { &hf_smb_file_attr_archive_16bit,
19196 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 16,
19197 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
19198
19199 { &hf_smb_file_attr_archive_8bit,
19200 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 8,
19201 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
19202
19203 #if 0
19204 { &hf_smb_file_attr_device,
19205 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 16,
19206 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
19207
19208 { &hf_smb_file_attr_normal,
19209 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 16,
19210 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
19211
19212 { &hf_smb_file_attr_temporary,
19213 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 16,
19214 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
19215
19216 { &hf_smb_file_attr_sparse,
19217 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 16,
19218 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
19219
19220 { &hf_smb_file_attr_reparse,
19221 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 16,
19222 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
19223
19224 { &hf_smb_file_attr_compressed,
19225 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 16,
19226 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
19227
19228 { &hf_smb_file_attr_offline,
19229 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 16,
19230 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
19231
19232 { &hf_smb_file_attr_not_content_indexed,
19233 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 16,
19234 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
19235
19236 { &hf_smb_file_attr_encrypted,
19237 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 16,
19238 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
19239 #endif
19240
19241 { &hf_smb_file_size,
19242 { "File Size", "smb.file_size", FT_UINT32, BASE_DEC,
19243 NULL, 0, NULL, HFILL }},
19244
19245 { &hf_smb_search_attribute,
19246 { "Search Attributes", "smb.search.attribute", FT_UINT16, BASE_HEX,
19247 NULL, 0x0, NULL, HFILL }},
19248
19249 { &hf_smb_search_attribute_read_only,
19250 { "Read Only", "smb.search.attribute.read_only", FT_BOOLEAN, 16,
19251 TFS(&tfs_search_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY search attribute", HFILL }},
19252
19253 { &hf_smb_search_attribute_hidden,
19254 { "Hidden", "smb.search.attribute.hidden", FT_BOOLEAN, 16,
19255 TFS(&tfs_search_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN search attribute", HFILL }},
19256
19257 { &hf_smb_search_attribute_system,
19258 { "System", "smb.search.attribute.system", FT_BOOLEAN, 16,
19259 TFS(&tfs_search_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM search attribute", HFILL }},
19260
19261 { &hf_smb_search_attribute_volume,
19262 { "Volume ID", "smb.search.attribute.volume", FT_BOOLEAN, 16,
19263 TFS(&tfs_search_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME ID search attribute", HFILL }},
19264
19265 { &hf_smb_search_attribute_directory,
19266 { "Directory", "smb.search.attribute.directory", FT_BOOLEAN, 16,
19267 TFS(&tfs_search_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY search attribute", HFILL }},
19268
19269 { &hf_smb_search_attribute_archive,
19270 { "Archive", "smb.search.attribute.archive", FT_BOOLEAN, 16,
19271 TFS(&tfs_search_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE search attribute", HFILL }},
19272
19273 { &hf_smb_access_mode,
19274 { "Access Mode", "smb.access.mode", FT_UINT16, BASE_DEC,
19275 VALS(da_access_vals), 0x0007, NULL, HFILL }},
19276
19277 { &hf_smb_access_sharing,
19278 { "Sharing Mode", "smb.access.sharing", FT_UINT16, BASE_DEC,
19279 VALS(da_sharing_vals), 0x0070, NULL, HFILL }},
19280
19281 { &hf_smb_access_locality,
19282 { "Locality", "smb.access.locality", FT_UINT16, BASE_DEC,
19283 VALS(da_locality_vals), 0x0700, "Locality of reference", HFILL }},
19284
19285 { &hf_smb_access_caching,
19286 { "Caching", "smb.access.caching", FT_BOOLEAN, 16,
19287 TFS(&tfs_da_caching), 0x1000, "Caching mode?", HFILL }},
19288
19289 { &hf_smb_desired_access,
19290 { "Desired Access", "smb.access.desired", FT_UINT16, BASE_HEX,
19291 NULL, 0x0, NULL, HFILL }},
19292
19293 { &hf_smb_granted_access,
19294 { "Granted Access", "smb.access.granted", FT_UINT16, BASE_HEX,
19295 NULL, 0x0, NULL, HFILL }},
19296
19297 { &hf_smb_access_writetru,
19298 { "Writethrough", "smb.access.writethrough", FT_BOOLEAN, 16,
19299 TFS(&tfs_da_writetru), 0x4000, "Writethrough mode?", HFILL }},
19300
19301 { &hf_smb_create_time,
19302 { "Created", "smb.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
19303 NULL, 0, "Creation Time", HFILL }},
19304
19305 { &hf_smb_modify_time,
19306 { "Modified", "smb.modify.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
19307 NULL, 0, "Modification Time", HFILL }},
19308
19309 { &hf_smb_backup_time,
19310 { "Backed-up", "smb.backup.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
19311 NULL, 0, "Backup time", HFILL}},
19312
19313 { &hf_smb_mac_alloc_block_count,
19314 { "Allocation Block Count", "smb.alloc.count", FT_UINT32, BASE_DEC,
19315 NULL, 0, NULL, HFILL}},
19316
19317 { &hf_smb_mac_alloc_block_size,
19318 { "Allocation Block Count", "smb.alloc.size", FT_UINT32, BASE_DEC,
19319 NULL, 0, "Allocation Block Size", HFILL}},
19320
19321 { &hf_smb_mac_free_block_count,
19322 { "Free Block Count", "smb.free_block.count", FT_UINT32, BASE_DEC,
19323 NULL, 0, NULL, HFILL}},
19324
19325 { &hf_smb_mac_root_file_count,
19326 { "Root File Count", "smb.root.file.count", FT_UINT32, BASE_DEC,
19327 NULL, 0, NULL, HFILL}},
19328
19329 { &hf_smb_mac_root_dir_count,
19330 { "Root Directory Count", "smb.root.dir.count", FT_UINT32, BASE_DEC,
19331 NULL, 0, NULL, HFILL}},
19332
19333 { &hf_smb_mac_file_count,
19334 { "Root File Count", "smb.file.count", FT_UINT32, BASE_DEC,
19335 NULL, 0, NULL, HFILL}},
19336
19337 { &hf_smb_mac_dir_count,
19338 { "Root Directory Count", "smb.dir.count", FT_UINT32, BASE_DEC,
19339 NULL, 0, NULL, HFILL}},
19340
19341 { &hf_smb_mac_sup,
19342 { "Mac Support Flags", "smb.mac", FT_UINT32, BASE_HEX,
19343 NULL, 0x0, NULL, HFILL }},
19344
19345 { &hf_smb_mac_sup_access_ctrl,
19346 { "Mac Access Control", "smb.mac.access_control", FT_BOOLEAN, 32,
19347 TFS(&tfs_smb_mac_access_ctrl), 0x00000010, "Are Mac Access Control Supported", HFILL }},
19348
19349 { &hf_smb_mac_sup_getset_comments,
19350 { "Get Set Comments", "smb.mac.get_set_comments", FT_BOOLEAN, 32,
19351 TFS(&tfs_smb_mac_getset_comments), 0x00000020, "Are Mac Get Set Comments supported?", HFILL }},
19352
19353 { &hf_smb_mac_sup_desktopdb_calls,
19354 { "Desktop DB Calls", "smb.mac.desktop_db_calls", FT_BOOLEAN, 32,
19355 TFS(&tfs_smb_mac_desktopdb_calls), 0x00000040, "Are Macintosh Desktop DB Calls Supported?", HFILL }},
19356
19357 { &hf_smb_mac_sup_unique_ids,
19358 { "Macintosh Unique IDs", "smb.mac.uids", FT_BOOLEAN, 32,
19359 TFS(&tfs_smb_mac_unique_ids), 0x00000080, "Are Unique IDs supported", HFILL }},
19360
19361 { &hf_smb_mac_sup_streams,
19362 { "Mac Streams", "smb.mac.streams_support", FT_BOOLEAN, 32,
19363 TFS(&tfs_smb_mac_streams), 0x00000100, "Are Mac Extensions and streams supported?", HFILL }},
19364
19365 { &hf_smb_create_dos_date,
19366 { "Create Date", "smb.create.smb.date", FT_UINT16, BASE_HEX,
19367 NULL, 0, "Create Date, SMB_DATE format", HFILL }},
19368
19369 { &hf_smb_create_dos_time,
19370 { "Create Time", "smb.create.smb.time", FT_UINT16, BASE_HEX,
19371 NULL, 0, "Create Time, SMB_TIME format", HFILL }},
19372
19373 { &hf_smb_last_write_time,
19374 { "Last Write", "smb.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
19375 NULL, 0, "Time this file was last written to", HFILL }},
19376
19377 { &hf_smb_last_write_dos_date,
19378 { "Last Write Date", "smb.last_write.smb.date", FT_UINT16, BASE_HEX,
19379 NULL, 0, "Last Write Date, SMB_DATE format", HFILL }},
19380
19381 { &hf_smb_last_write_dos_time,
19382 { "Last Write Time", "smb.last_write.smb.time", FT_UINT16, BASE_HEX,
19383 NULL, 0, "Last Write Time, SMB_TIME format", HFILL }},
19384
19385 { &hf_smb_old_file_name,
19386 { "Old File Name", "smb.old_file", FT_STRING, BASE_NONE,
19387 NULL, 0, "Old File Name (When renaming a file)", HFILL }},
19388
19389 { &hf_smb_offset,
19390 { "Offset", "smb.offset", FT_UINT32, BASE_DEC,
19391 NULL, 0, "Offset in file", HFILL }},
19392
19393 { &hf_smb_remaining,
19394 { "Remaining", "smb.remaining", FT_UINT32, BASE_DEC,
19395 NULL, 0, "Remaining number of bytes", HFILL }},
19396
19397 { &hf_smb_padding,
19398 { "Padding", "smb.padding", FT_BYTES, BASE_NONE,
19399 NULL, 0, "Padding or unknown data", HFILL }},
19400
19401 { &hf_smb_file_data,
19402 { "File Data", "smb.file_data", FT_BYTES, BASE_NONE,
19403 NULL, 0, "Data read/written to the file", HFILL }},
19404
19405 #if 0
19406 { &hf_smb_raw_ea_data,
19407 { "EA Data", "smb.ea_data", FT_BYTES, BASE_NONE,
19408 NULL, 0, "Data in EA list", HFILL }},
19409 #endif
19410
19411 { &hf_smb_mac_fndrinfo,
19412 { "Finder Info", "smb.mac.finderinfo", FT_BYTES, BASE_NONE,
19413 NULL, 0, NULL, HFILL}},
19414
19415 { &hf_smb_total_data_len,
19416 { "Total Data Length", "smb.total_data_len", FT_UINT16, BASE_DEC,
19417 NULL, 0, "Total length of data", HFILL }},
19418
19419 { &hf_smb_data_len,
19420 { "Data Length", "smb.data_len", FT_UINT16, BASE_DEC,
19421 NULL, 0, "Length of data", HFILL }},
19422
19423 { &hf_smb_data_len_low,
19424 { "Data Length Low", "smb.data_len_low", FT_UINT16, BASE_DEC,
19425 NULL, 0, "Length of data, Low 16 bits", HFILL }},
19426
19427 { &hf_smb_data_len_high,
19428 { "Data Length High (multiply with 64K)", "smb.data_len_high", FT_UINT16, BASE_DEC,
19429 NULL, 0, "Length of data, High 16 bits", HFILL }},
19430
19431 { &hf_bytes_until_total_data_count,
19432 { "Bytes remaining until TDC", "smb.bytes_until_tdc", FT_UINT16, BASE_DEC,
19433 NULL, 0, "Bytes remaining until the total data length is reached", HFILL }},
19434
19435 { &hf_smb_seek_mode,
19436 { "Seek Mode", "smb.seek_mode", FT_UINT16, BASE_DEC,
19437 VALS(seek_mode_vals), 0, "Seek Mode, what type of seek", HFILL }},
19438
19439 { &hf_smb_access_time,
19440 { "Last Access", "smb.access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
19441 NULL, 0, "Last Access Time", HFILL }},
19442
19443 { &hf_smb_access_dos_date,
19444 { "Last Access Date", "smb.access.smb.date", FT_UINT16, BASE_HEX,
19445 NULL, 0, "Last Access Date, SMB_DATE format", HFILL }},
19446
19447 { &hf_smb_access_dos_time,
19448 { "Last Access Time", "smb.access.smb.time", FT_UINT16, BASE_HEX,
19449 NULL, 0, "Last Access Time, SMB_TIME format", HFILL }},
19450
19451 { &hf_smb_data_size,
19452 { "Data Size", "smb.data_size", FT_UINT32, BASE_DEC,
19453 NULL, 0, NULL, HFILL }},
19454
19455 { &hf_smb_alloc_size,
19456 { "Allocation Size", "smb.alloc_size", FT_UINT32, BASE_DEC,
19457 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
19458
19459 { &hf_smb_max_count,
19460 { "Max Count", "smb.maxcount", FT_UINT16, BASE_DEC,
19461 NULL, 0, "Maximum Count", HFILL }},
19462
19463 { &hf_smb_max_count_low,
19464 { "Max Count Low", "smb.maxcount_low", FT_UINT16, BASE_DEC,
19465 NULL, 0, "Maximum Count, Low 16 bits", HFILL }},
19466
19467 { &hf_smb_max_count_high,
19468 { "Max Count High (multiply with 64K)", "smb.maxcount_high", FT_UINT16, BASE_DEC,
19469 NULL, 0, "Maximum Count, High 16 bits", HFILL }},
19470
19471 { &hf_smb_min_count,
19472 { "Min Count", "smb.mincount", FT_UINT16, BASE_DEC,
19473 NULL, 0, "Minimum Count", HFILL }},
19474
19475 { &hf_smb_timeout,
19476 { "Timeout", "smb.timeout", FT_UINT32, BASE_DEC,
19477 NULL, 0, "Timeout in milliseconds", HFILL }},
19478
19479 { &hf_smb_high_offset,
19480 { "High Offset", "smb.offset_high", FT_UINT32, BASE_DEC,
19481 NULL, 0, "High 32 Bits Of File Offset", HFILL }},
19482
19483 { &hf_smb_units,
19484 { "Total Units", "smb.units", FT_UINT16, BASE_DEC,
19485 NULL, 0, "Total number of units at server", HFILL }},
19486
19487 { &hf_smb_bpu,
19488 { "Blocks Per Unit", "smb.bpu", FT_UINT16, BASE_DEC,
19489 NULL, 0, "Blocks per unit at server", HFILL }},
19490
19491 { &hf_smb_blocksize,
19492 { "Block Size", "smb.blocksize", FT_UINT16, BASE_DEC,
19493 NULL, 0, "Block size (in bytes) at server", HFILL }},
19494
19495 { &hf_smb_freeunits,
19496 { "Free Units", "smb.free_units", FT_UINT16, BASE_DEC,
19497 NULL, 0, "Number of free units at server", HFILL }},
19498
19499 { &hf_smb_data_offset,
19500 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
19501 NULL, 0, NULL, HFILL }},
19502
19503 { &hf_smb_dcm,
19504 { "Data Compaction Mode", "smb.dcm", FT_UINT16, BASE_DEC,
19505 NULL, 0, NULL, HFILL }},
19506
19507 { &hf_smb_request_mask,
19508 { "Request Mask", "smb.request.mask", FT_UINT32, BASE_HEX,
19509 NULL, 0, "Connectionless mode mask", HFILL }},
19510
19511 { &hf_smb_response_mask,
19512 { "Response Mask", "smb.response.mask", FT_UINT32, BASE_HEX,
19513 NULL, 0, "Connectionless mode mask", HFILL }},
19514
19515 { &hf_smb_search_id,
19516 { "Search ID", "smb.search_id", FT_UINT16, BASE_HEX,
19517 NULL, 0, "Search ID, handle for find operations", HFILL }},
19518
19519 { &hf_smb_write_mode,
19520 { "Write Mode", "smb.write.mode", FT_UINT16, BASE_HEX,
19521 NULL, 0x0, NULL, HFILL }},
19522
19523 { &hf_smb_write_mode_write_through,
19524 { "Write Through", "smb.write.mode.write_through", FT_BOOLEAN, 16,
19525 TFS(&tfs_write_mode_write_through), WRITE_MODE_WRITE_THROUGH, "Write through mode requested?", HFILL }},
19526
19527 { &hf_smb_write_mode_return_remaining,
19528 { "Return Remaining", "smb.write.mode.return_remaining", FT_BOOLEAN, 16,
19529 TFS(&tfs_write_mode_return_remaining), WRITE_MODE_RETURN_REMAINING, "Return remaining data responses?", HFILL }},
19530
19531 { &hf_smb_write_mode_raw,
19532 { "Write Raw", "smb.write.mode.raw", FT_BOOLEAN, 16,
19533 TFS(&tfs_write_mode_raw), WRITE_MODE_RAW, "Use WriteRawNamedPipe?", HFILL }},
19534
19535 { &hf_smb_write_mode_message_start,
19536 { "Message Start", "smb.write.mode.message_start", FT_BOOLEAN, 16,
19537 TFS(&tfs_write_mode_message_start), WRITE_MODE_MESSAGE_START, "Is this the start of a message?", HFILL }},
19538
19539 { &hf_smb_write_mode_connectionless,
19540 { "Connectionless", "smb.write.mode.connectionless", FT_BOOLEAN, 16,
19541 TFS(&tfs_write_mode_connectionless), WRITE_MODE_CONNECTIONLESS, "Connectionless mode requested?", HFILL }},
19542
19543 { &hf_smb_resume_key_len,
19544 { "Resume Key Length", "smb.resume.key_len", FT_UINT16, BASE_DEC,
19545 NULL, 0, NULL, HFILL }},
19546
19547 { &hf_smb_resume_find_id,
19548 { "Find ID", "smb.resume.find_id", FT_UINT8, BASE_HEX,
19549 NULL, 0, "Handle for Find operation", HFILL }},
19550
19551 { &hf_smb_resume_server_cookie,
19552 { "Server Cookie", "smb.resume.server.cookie", FT_BYTES, BASE_NONE,
19553 NULL, 0, "Cookie, must not be modified by the client", HFILL }},
19554
19555 { &hf_smb_resume_client_cookie,
19556 { "Client Cookie", "smb.resume.client.cookie", FT_BYTES, BASE_NONE,
19557 NULL, 0, "Cookie, must not be modified by the server", HFILL }},
19558
19559 { &hf_smb_andxoffset,
19560 { "AndXOffset", "smb.andxoffset", FT_UINT16, BASE_DEC,
19561 NULL, 0, "Offset to next command in this SMB packet", HFILL }},
19562
19563 { &hf_smb_lock_type,
19564 { "Lock Type", "smb.lock.type", FT_UINT8, BASE_HEX,
19565 NULL, 0x0, NULL, HFILL }},
19566
19567 { &hf_smb_lock_type_large,
19568 { "Large Files", "smb.lock.type.large", FT_BOOLEAN, 8,
19569 TFS(&tfs_lock_type_large), 0x10, "Large file locking requested?", HFILL }},
19570
19571 { &hf_smb_lock_type_cancel,
19572 { "Cancel", "smb.lock.type.cancel", FT_BOOLEAN, 8,
19573 TFS(&tfs_lock_type_cancel), 0x08, "Cancel outstanding lock requests?", HFILL }},
19574
19575 { &hf_smb_lock_type_change,
19576 { "Change", "smb.lock.type.change", FT_BOOLEAN, 8,
19577 TFS(&tfs_lock_type_change), 0x04, "Change type of lock?", HFILL }},
19578
19579 { &hf_smb_lock_type_oplock,
19580 { "Oplock Break", "smb.lock.type.oplock_release", FT_BOOLEAN, 8,
19581 TFS(&tfs_lock_type_oplock), 0x02, "Is this a notification of, or a response to, an oplock break?", HFILL }},
19582
19583 { &hf_smb_lock_type_shared,
19584 { "Shared", "smb.lock.type.shared", FT_BOOLEAN, 8,
19585 TFS(&tfs_lock_type_shared), 0x01, "Shared or exclusive lock requested?", HFILL }},
19586
19587 { &hf_smb_locking_ol,
19588 { "Oplock Level", "smb.locking.oplock.level", FT_UINT8, BASE_DEC,
19589 VALS(locking_ol_vals), 0, "Level of existing oplock at client (if any)", HFILL }},
19590
19591 { &hf_smb_number_of_locks,
19592 { "Number of Locks", "smb.locking.num_locks", FT_UINT16, BASE_DEC,
19593 NULL, 0, "Number of lock requests in this request", HFILL }},
19594
19595 { &hf_smb_number_of_unlocks,
19596 { "Number of Unlocks", "smb.locking.num_unlocks", FT_UINT16, BASE_DEC,
19597 NULL, 0, "Number of unlock requests in this request", HFILL }},
19598
19599 { &hf_smb_lock_long_length,
19600 { "Length", "smb.lock.length", FT_UINT64, BASE_DEC,
19601 NULL, 0, "Length of lock/unlock region", HFILL }},
19602
19603 { &hf_smb_lock_long_offset,
19604 { "Offset", "smb.lock.offset", FT_UINT64, BASE_DEC,
19605 NULL, 0, "Offset in the file of lock/unlock region", HFILL }},
19606
19607 { &hf_smb_file_type,
19608 { "File Type", "smb.file_type", FT_UINT16, BASE_DEC,
19609 VALS(filetype_vals), 0, "Type of file", HFILL }},
19610
19611 { &hf_smb_ipc_state,
19612 { "IPC State", "smb.ipc_state", FT_UINT16, BASE_HEX,
19613 NULL, 0x0, NULL, HFILL }},
19614
19615 { &hf_smb_ipc_state_nonblocking,
19616 { "Nonblocking", "smb.ipc_state.nonblocking", FT_BOOLEAN, 16,
19617 TFS(&tfs_ipc_state_nonblocking), 0x8000, "Is I/O to this pipe nonblocking?", HFILL }},
19618
19619 { &hf_smb_ipc_state_endpoint,
19620 { "Endpoint", "smb.ipc_state.endpoint", FT_UINT16, BASE_DEC,
19621 VALS(ipc_state_endpoint_vals), 0x4000, "Which end of the pipe this is", HFILL }},
19622
19623 { &hf_smb_ipc_state_pipe_type,
19624 { "Pipe Type", "smb.ipc_state.pipe_type", FT_UINT16, BASE_DEC,
19625 VALS(ipc_state_pipe_type_vals), 0x0c00, "What type of pipe this is", HFILL }},
19626
19627 { &hf_smb_ipc_state_read_mode,
19628 { "Read Mode", "smb.ipc_state.read_mode", FT_UINT16, BASE_DEC,
19629 VALS(ipc_state_read_mode_vals), 0x0300, "How this pipe should be read", HFILL }},
19630
19631 { &hf_smb_ipc_state_icount,
19632 { "Icount", "smb.ipc_state.icount", FT_UINT16, BASE_DEC,
19633 NULL, 0x00FF, "Count to control pipe instancing", HFILL }},
19634
19635 { &hf_smb_server_fid,
19636 { "Server FID", "smb.server_fid", FT_UINT32, BASE_HEX,
19637 NULL, 0, "Server unique File ID", HFILL }},
19638
19639 { &hf_smb_open_flags,
19640 { "Flags", "smb.open.flags", FT_UINT16, BASE_HEX,
19641 NULL, 0x0, NULL, HFILL }},
19642
19643 { &hf_smb_open_flags_add_info,
19644 { "Additional Info", "smb.open.flags.add_info", FT_BOOLEAN, 16,
19645 TFS(&tfs_open_flags_add_info), 0x0001, "Additional Information Requested?", HFILL }},
19646
19647 { &hf_smb_open_flags_ex_oplock,
19648 { "Exclusive Oplock", "smb.open.flags.ex_oplock", FT_BOOLEAN, 16,
19649 TFS(&tfs_open_flags_ex_oplock), 0x0002, "Exclusive Oplock Requested?", HFILL }},
19650
19651 { &hf_smb_open_flags_batch_oplock,
19652 { "Batch Oplock", "smb.open.flags.batch_oplock", FT_BOOLEAN, 16,
19653 TFS(&tfs_open_flags_batch_oplock), 0x0004, "Batch Oplock Requested?", HFILL }},
19654
19655 { &hf_smb_open_flags_ealen,
19656 { "Total EA Len", "smb.open.flags.ealen", FT_BOOLEAN, 16,
19657 TFS(&tfs_open_flags_ealen), 0x0008, "Total EA Len Requested?", HFILL }},
19658
19659 { &hf_smb_open_action,
19660 { "Action", "smb.open.action", FT_UINT16, BASE_HEX,
19661 NULL, 0x0, NULL, HFILL }},
19662
19663 { &hf_smb_open_action_open,
19664 { "Open Action", "smb.open.action.open", FT_UINT16, BASE_DEC,
19665 VALS(oa_open_vals), 0x0003, "Open Action, how the file was opened", HFILL }},
19666
19667 { &hf_smb_open_action_lock,
19668 { "Exclusive Open", "smb.open.action.lock", FT_BOOLEAN, 16,
19669 TFS(&tfs_oa_lock), 0x8000, "Is this file opened by another user?", HFILL }},
19670
19671 { &hf_smb_vc_num,
19672 { "VC Number", "smb.vc", FT_UINT16, BASE_DEC,
19673 NULL, 0, NULL, HFILL }},
19674
19675 { &hf_smb_password_len,
19676 { "Password Length", "smb.pwlen", FT_UINT16, BASE_DEC,
19677 NULL, 0, "Length of password", HFILL }},
19678
19679 { &hf_smb_ansi_password_len,
19680 { "ANSI Password Length", "smb.ansi_pwlen", FT_UINT16, BASE_DEC,
19681 NULL, 0, "Length of ANSI password", HFILL }},
19682
19683 { &hf_smb_unicode_password_len,
19684 { "Unicode Password Length", "smb.unicode_pwlen", FT_UINT16, BASE_DEC,
19685 NULL, 0, "Length of Unicode password", HFILL }},
19686
19687 { &hf_smb_account,
19688 { "Account", "smb.account", FT_STRING, BASE_NONE,
19689 NULL, 0, "Account, username", HFILL }},
19690
19691 { &hf_smb_os,
19692 { "Native OS", "smb.native_os", FT_STRING, BASE_NONE,
19693 NULL, 0, "Which OS we are running", HFILL }},
19694
19695 { &hf_smb_lanman,
19696 { "Native LAN Manager", "smb.native_lanman", FT_STRING, BASE_NONE,
19697 NULL, 0, "Which LANMAN protocol we are running", HFILL }},
19698
19699 { &hf_smb_setup_action,
19700 { "Action", "smb.setup.action", FT_UINT16, BASE_HEX,
19701 NULL, 0x0, NULL, HFILL }},
19702
19703 { &hf_smb_setup_action_guest,
19704 { "Guest", "smb.setup.action.guest", FT_BOOLEAN, 16,
19705 TFS(&tfs_setup_action_guest), 0x0001, "Client logged in as GUEST?", HFILL }},
19706
19707 { &hf_smb_fs,
19708 { "Native File System", "smb.native_fs", FT_STRING, BASE_NONE,
19709 NULL, 0, NULL, HFILL }},
19710
19711 { &hf_smb_connect_flags,
19712 { "Flags", "smb.connect.flags", FT_UINT16, BASE_HEX,
19713 NULL, 0x0, NULL, HFILL }},
19714
19715 { &hf_smb_connect_flags_dtid,
19716 { "Disconnect TID", "smb.connect.flags.dtid", FT_BOOLEAN, 16,
19717 TFS(&tfs_disconnect_tid), 0x0001, "Disconnect TID?", HFILL }},
19718
19719 { &hf_smb_connect_flags_ext_sig,
19720 { "Extended Signature", "smb.connect.flags.extendedsig", FT_BOOLEAN, 16,
19721 TFS(&tfs_extended_signature), 0x0004, "Extended signature?", HFILL }},
19722
19723 { &hf_smb_connect_flags_ext_resp,
19724 { "Extended Response", "smb.connect.flags.extendedresp", FT_BOOLEAN, 16,
19725 TFS(&tfs_extended_response), 0x0008, "Extended response?", HFILL }},
19726
19727 { &hf_smb_connect_support,
19728 { "Optional Support", "smb.connect.support", FT_UINT16, BASE_HEX,
19729 NULL, 0x0, NULL, HFILL }},
19730
19731 { &hf_smb_connect_support_search,
19732 { "Search Bits", "smb.connect.support.search", FT_BOOLEAN, 16,
19733 TFS(&tfs_connect_support_search), 0x0001, "Exclusive Search Bits supported?", HFILL }},
19734
19735 { &hf_smb_connect_support_in_dfs,
19736 { "In Dfs", "smb.connect.support.dfs", FT_BOOLEAN, 16,
19737 TFS(&tfs_connect_support_in_dfs), 0x0002, "Is this in a Dfs tree?", HFILL }},
19738
19739 { &hf_smb_connect_support_csc_mask_vals,
19740 { "CSC Mask", "smb.connect.support.cscmask", FT_UINT16, BASE_DEC,
19741 VALS(connect_support_csc_mask_vals), 0x000c, "CSC mask?", HFILL }},
19742
19743 { &hf_smb_connect_support_uniquefilename,
19744 { "Unique File Name", "smb.connect.support.uniqfilename", FT_BOOLEAN, 16,
19745 TFS(&tfs_connect_support_uniquefilename), 0x0010, "Unique file name supported?", HFILL }},
19746
19747 { &hf_smb_connect_support_extended_signature,
19748 { "Extended Signatures", "smb.connect.support.extendedsig", FT_BOOLEAN, 16,
19749 TFS(&tfs_connect_support_extended_signature), 0x0020, "Extended signatures?", HFILL }},
19750
19751 { &hf_smb_max_setup_count,
19752 { "Max Setup Count", "smb.msc", FT_UINT8, BASE_DEC,
19753 NULL, 0, "Maximum number of setup words to return", HFILL }},
19754
19755 { &hf_smb_total_param_count,
19756 { "Total Parameter Count", "smb.tpc", FT_UINT32, BASE_DEC,
19757 NULL, 0, "Total number of parameter bytes", HFILL }},
19758
19759 { &hf_smb_total_data_count,
19760 { "Total Data Count", "smb.tdc", FT_UINT16, BASE_DEC,
19761 NULL, 0, "Total number of data bytes", HFILL }},
19762
19763 { &hf_smb_max_param_count,
19764 { "Max Parameter Count", "smb.mpc", FT_UINT32, BASE_DEC,
19765 NULL, 0, "Maximum number of parameter bytes to return", HFILL }},
19766
19767 { &hf_smb_max_data_count,
19768 { "Max Data Count", "smb.mdc", FT_UINT32, BASE_DEC,
19769 NULL, 0, "Maximum number of data bytes to return", HFILL }},
19770
19771 { &hf_smb_param_disp16,
19772 { "Parameter Displacement", "smb.pd", FT_UINT16, BASE_DEC,
19773 NULL, 0, "Displacement of these parameter bytes", HFILL }},
19774
19775 { &hf_smb_param_count16,
19776 { "Parameter Count", "smb.pc", FT_UINT16, BASE_DEC,
19777 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
19778
19779 { &hf_smb_param_offset16,
19780 { "Parameter Offset", "smb.po", FT_UINT16, BASE_DEC,
19781 NULL, 0, "Offset (from header start) to parameters", HFILL }},
19782
19783 { &hf_smb_param_disp32,
19784 { "Parameter Displacement", "smb.pd", FT_UINT32, BASE_DEC,
19785 NULL, 0, "Displacement of these parameter bytes", HFILL }},
19786
19787 { &hf_smb_param_count32,
19788 { "Parameter Count", "smb.pc", FT_UINT32, BASE_DEC,
19789 NULL, 0, "Number of parameter bytes in this buffer", HFILL }},
19790
19791 { &hf_smb_param_offset32,
19792 { "Parameter Offset", "smb.po", FT_UINT32, BASE_DEC,
19793 NULL, 0, "Offset (from header start) to parameters", HFILL }},
19794
19795 { &hf_smb_data_count16,
19796 { "Data Count", "smb.dc", FT_UINT16, BASE_DEC,
19797 NULL, 0, "Number of data bytes in this buffer", HFILL }},
19798
19799 { &hf_smb_data_disp16,
19800 { "Data Displacement", "smb.data_disp", FT_UINT16, BASE_DEC,
19801 NULL, 0, NULL, HFILL }},
19802
19803 { &hf_smb_data_offset16,
19804 { "Data Offset", "smb.data_offset", FT_UINT16, BASE_DEC,
19805 NULL, 0, NULL, HFILL }},
19806
19807 { &hf_smb_data_count32,
19808 { "Data Count", "smb.dc", FT_UINT32, BASE_DEC,
19809 NULL, 0, "Number of data bytes in this buffer", HFILL }},
19810
19811 { &hf_smb_data_disp32,
19812 { "Data Displacement", "smb.data_disp", FT_UINT32, BASE_DEC,
19813 NULL, 0, NULL, HFILL }},
19814
19815 { &hf_smb_data_offset32,
19816 { "Data Offset", "smb.data_offset", FT_UINT32, BASE_DEC,
19817 NULL, 0, NULL, HFILL }},
19818
19819 { &hf_smb_setup_count,
19820 { "Setup Count", "smb.sc", FT_UINT8, BASE_DEC,
19821 NULL, 0, "Number of setup words in this buffer", HFILL }},
19822
19823 { &hf_smb_nt_ioctl_isfsctl,
19824 { "IsFSctl", "smb.nt.ioctl.isfsctl", FT_UINT8, BASE_DEC,
19825 VALS(nt_ioctl_isfsctl_vals), 0, "Is this a device IOCTL (false) or FS Control (true)", HFILL }},
19826
19827 { &hf_smb_nt_ioctl_flags_completion_filter,
19828 { "Completion Filter", "smb.nt.ioctl.completion_filter", FT_UINT8, BASE_HEX,
19829 NULL, 0x0, NULL, HFILL }},
19830
19831 { &hf_smb_nt_ioctl_flags_root_handle,
19832 { "Root Handle", "smb.nt.ioctl.flags.root_handle", FT_BOOLEAN, 8,
19833 TFS(&tfs_nt_ioctl_flags_root_handle), NT_IOCTL_FLAGS_ROOT_HANDLE, "Apply to this share or root Dfs share", HFILL }},
19834
19835 { &hf_smb_nt_notify_action,
19836 { "Action", "smb.nt.notify.action", FT_UINT32, BASE_DEC,
19837 VALS(nt_notify_action_vals), 0, "Which action caused this notify response", HFILL }},
19838
19839 { &hf_smb_nt_notify_watch_tree,
19840 { "Watch Tree", "smb.nt.notify.watch_tree", FT_UINT8, BASE_DEC,
19841 VALS(watch_tree_vals), 0, "Should Notify watch subdirectories also?", HFILL }},
19842
19843
19844 { &hf_smb_nt_notify_completion_filter,
19845 { "Completion Filter", "smb.nt.notify.completion_filter", FT_UINT32, BASE_HEX,
19846 NULL, 0x0, NULL, HFILL }},
19847 { &hf_smb_nt_notify_file_name,
19848 { "File Name Change", "smb.nt.notify.file_name", FT_BOOLEAN, 32,
19849 TFS(&tfs_nt_notify_file_name), NT_NOTIFY_FILE_NAME, "Notify on changes to file name", HFILL }},
19850
19851 { &hf_smb_nt_notify_dir_name,
19852 { "Directory Name Change", "smb.nt.notify.dir_name", FT_BOOLEAN, 32,
19853 TFS(&tfs_nt_notify_dir_name), NT_NOTIFY_DIR_NAME, "Notify on changes to directory name", HFILL }},
19854
19855 { &hf_smb_nt_notify_attributes,
19856 { "Attribute Change", "smb.nt.notify.attributes", FT_BOOLEAN, 32,
19857 TFS(&tfs_nt_notify_attributes), NT_NOTIFY_ATTRIBUTES, "Notify on changes to attributes", HFILL }},
19858
19859 { &hf_smb_nt_notify_size,
19860 { "Size Change", "smb.nt.notify.size", FT_BOOLEAN, 32,
19861 TFS(&tfs_nt_notify_size), NT_NOTIFY_SIZE, "Notify on changes to size", HFILL }},
19862
19863 { &hf_smb_nt_notify_last_write,
19864 { "Last Write Change", "smb.nt.notify.last_write", FT_BOOLEAN, 32,
19865 TFS(&tfs_nt_notify_last_write), NT_NOTIFY_LAST_WRITE, "Notify on changes to last write", HFILL }},
19866
19867 { &hf_smb_nt_notify_last_access,
19868 { "Last Access Change", "smb.nt.notify.last_access", FT_BOOLEAN, 32,
19869 TFS(&tfs_nt_notify_last_access), NT_NOTIFY_LAST_ACCESS, "Notify on changes to last access", HFILL }},
19870
19871 { &hf_smb_nt_notify_creation,
19872 { "Created Change", "smb.nt.notify.creation", FT_BOOLEAN, 32,
19873 TFS(&tfs_nt_notify_creation), NT_NOTIFY_CREATION, "Notify on changes to creation time", HFILL }},
19874
19875 { &hf_smb_nt_notify_ea,
19876 { "EA Change", "smb.nt.notify.ea", FT_BOOLEAN, 32,
19877 TFS(&tfs_nt_notify_ea), NT_NOTIFY_EA, "Notify on changes to Extended Attributes", HFILL }},
19878
19879 { &hf_smb_nt_notify_security,
19880 { "Security Change", "smb.nt.notify.security", FT_BOOLEAN, 32,
19881 TFS(&tfs_nt_notify_security), NT_NOTIFY_SECURITY, "Notify on changes to security settings", HFILL }},
19882
19883 { &hf_smb_nt_notify_stream_name,
19884 { "Stream Name Change", "smb.nt.notify.stream_name", FT_BOOLEAN, 32,
19885 TFS(&tfs_nt_notify_stream_name), NT_NOTIFY_STREAM_NAME, "Notify on changes to stream name?", HFILL }},
19886
19887 { &hf_smb_nt_notify_stream_size,
19888 { "Stream Size Change", "smb.nt.notify.stream_size", FT_BOOLEAN, 32,
19889 TFS(&tfs_nt_notify_stream_size), NT_NOTIFY_STREAM_SIZE, "Notify on changes of stream size", HFILL }},
19890
19891 { &hf_smb_nt_notify_stream_write,
19892 { "Stream Write", "smb.nt.notify.stream_write", FT_BOOLEAN, 32,
19893 TFS(&tfs_nt_notify_stream_write), NT_NOTIFY_STREAM_WRITE, "Notify on stream write?", HFILL }},
19894
19895
19896 { &hf_smb_root_dir_fid,
19897 { "Root FID", "smb.rfid", FT_UINT32, BASE_HEX,
19898 NULL, 0, "Open is relative to this FID (if nonzero)", HFILL }},
19899
19900 { &hf_smb_alloc_size64,
19901 { "Allocation Size", "smb.alloc_size64", FT_UINT64, BASE_DEC,
19902 NULL, 0, "Number of bytes to reserve on create or truncate", HFILL }},
19903
19904 { &hf_smb_nt_create_disposition,
19905 { "Disposition", "smb.create.disposition", FT_UINT32, BASE_DEC,
19906 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }},
19907
19908 { &hf_smb_sd_length,
19909 { "SD Length", "smb.sd.length", FT_UINT32, BASE_DEC,
19910 NULL, 0, "Total length of security descriptor", HFILL }},
19911
19912 { &hf_smb_ea_list_length,
19913 { "EA List Length", "smb.ea.list_length", FT_UINT32, BASE_DEC,
19914 NULL, 0, "Total length of extended attributes", HFILL }},
19915
19916 { &hf_smb_ea_flags,
19917 { "EA Flags", "smb.ea.flags", FT_UINT8, BASE_HEX,
19918 NULL, 0, NULL, HFILL }},
19919
19920 { &hf_smb_ea_name_length,
19921 { "EA Name Length", "smb.ea.name_length", FT_UINT8, BASE_DEC,
19922 NULL, 0, NULL, HFILL }},
19923
19924 { &hf_smb_ea_data_length,
19925 { "EA Data Length", "smb.ea.data_length", FT_UINT16, BASE_DEC,
19926 NULL, 0, NULL, HFILL }},
19927
19928 { &hf_smb_ea_name,
19929 { "EA Name", "smb.ea.name", FT_STRING, BASE_NONE,
19930 NULL, 0, NULL, HFILL }},
19931
19932 { &hf_smb_ea_data,
19933 { "EA Data", "smb.ea.data", FT_BYTES, BASE_NONE|BASE_SHOW_ASCII_PRINTABLE,
19934 NULL, 0, NULL, HFILL }},
19935
19936 { &hf_smb_file_name_len,
19937 { "File Name Len", "smb.file_name_len", FT_UINT32, BASE_DEC,
19938 NULL, 0, "Length of File Name", HFILL }},
19939
19940 { &hf_smb_nt_impersonation_level,
19941 { "Impersonation", "smb.impersonation.level", FT_UINT32, BASE_DEC,
19942 VALS(impersonation_level_vals), 0, "Impersonation level", HFILL }},
19943
19944 { &hf_smb_nt_security_flags,
19945 { "Security Flags", "smb.security.flags", FT_UINT8, BASE_HEX,
19946 NULL, 0x0, NULL, HFILL }},
19947
19948 { &hf_smb_nt_security_flags_context_tracking,
19949 { "Context Tracking", "smb.security.flags.context_tracking", FT_BOOLEAN, 8,
19950 TFS(&tfs_nt_security_flags_context_tracking), 0x01, "Is security tracking static or dynamic?", HFILL }},
19951
19952 { &hf_smb_nt_security_flags_effective_only,
19953 { "Effective Only", "smb.security.flags.effective_only", FT_BOOLEAN, 8,
19954 TFS(&tfs_nt_security_flags_effective_only), 0x02, "Are only enabled or all aspects uf the users SID available?", HFILL }},
19955
19956 { &hf_smb_nt_access_mask_generic_read,
19957 { "Generic Read", "smb.access.generic_read", FT_BOOLEAN, 32,
19958 TFS(&tfs_nt_access_mask_generic_read), 0x80000000, "Is generic read allowed for this object?", HFILL }},
19959
19960 { &hf_smb_nt_access_mask_generic_write,
19961 { "Generic Write", "smb.access.generic_write", FT_BOOLEAN, 32,
19962 TFS(&tfs_nt_access_mask_generic_write), 0x40000000, "Is generic write allowed for this object?", HFILL }},
19963
19964 { &hf_smb_nt_access_mask_generic_execute,
19965 { "Generic Execute", "smb.access.generic_execute", FT_BOOLEAN, 32,
19966 TFS(&tfs_nt_access_mask_generic_execute), 0x20000000, "Is generic execute allowed for this object?", HFILL }},
19967
19968 { &hf_smb_nt_access_mask_generic_all,
19969 { "Generic All", "smb.access.generic_all", FT_BOOLEAN, 32,
19970 TFS(&tfs_nt_access_mask_generic_all), 0x10000000, "Is generic all allowed for this attribute", HFILL }},
19971
19972 { &hf_smb_nt_access_mask_maximum_allowed,
19973 { "Maximum Allowed", "smb.access.maximum_allowed", FT_BOOLEAN, 32,
19974 TFS(&tfs_nt_access_mask_maximum_allowed), 0x02000000, "?", HFILL }},
19975
19976 { &hf_smb_nt_access_mask_system_security,
19977 { "System Security", "smb.access.system_security", FT_BOOLEAN, 32,
19978 TFS(&tfs_nt_access_mask_system_security), 0x01000000, "Access to a system ACL?", HFILL }},
19979
19980 { &hf_smb_nt_access_mask_synchronize,
19981 { "Synchronize", "smb.access.synchronize", FT_BOOLEAN, 32,
19982 TFS(&tfs_nt_access_mask_synchronize), 0x00100000, "Windows NT: synchronize access", HFILL }},
19983
19984 { &hf_smb_nt_access_mask_write_owner,
19985 { "Write Owner", "smb.access.write_owner", FT_BOOLEAN, 32,
19986 TFS(&tfs_nt_access_mask_write_owner), 0x00080000, "Can owner write to the object?", HFILL }},
19987
19988 { &hf_smb_nt_access_mask_write_dac,
19989 { "Write DAC", "smb.access.write_dac", FT_BOOLEAN, 32,
19990 TFS(&tfs_nt_access_mask_write_dac), 0x00040000, "Is write allowed to the owner group or ACLs?", HFILL }},
19991
19992 { &hf_smb_nt_access_mask_read_control,
19993 { "Read Control", "smb.access.read_control", FT_BOOLEAN, 32,
19994 TFS(&tfs_nt_access_mask_read_control), 0x00020000, "Are reads allowed of owner, group and ACL data of the SID?", HFILL }},
19995
19996 { &hf_smb_nt_access_mask_delete,
19997 { "Delete", "smb.access.delete", FT_BOOLEAN, 32,
19998 TFS(&tfs_nt_access_mask_delete), 0x00010000, "Can object be deleted", HFILL }},
19999
20000 { &hf_smb_nt_access_mask_write_attributes,
20001 { "Write Attributes", "smb.access.write_attributes", FT_BOOLEAN, 32,
20002 TFS(&tfs_nt_access_mask_write_attributes), 0x00000100, "Can object's attributes be written", HFILL }},
20003
20004 { &hf_smb_nt_access_mask_read_attributes,
20005 { "Read Attributes", "smb.access.read_attributes", FT_BOOLEAN, 32,
20006 TFS(&tfs_nt_access_mask_read_attributes), 0x00000080, "Can object's attributes be read", HFILL }},
20007
20008 { &hf_smb_nt_access_mask_delete_child,
20009 { "Delete Child", "smb.access.delete_child", FT_BOOLEAN, 32,
20010 TFS(&tfs_nt_access_mask_delete_child), 0x00000040, "Can object's subdirectories be deleted", HFILL }},
20011
20012 /*
20013 * "Execute" for files, "traverse" for directories.
20014 */
20015 { &hf_smb_nt_access_mask_execute,
20016 { "Execute", "smb.access.execute", FT_BOOLEAN, 32,
20017 TFS(&tfs_nt_access_mask_execute), 0x00000020, "Can object be executed (if file) or traversed (if directory)", HFILL }},
20018
20019 { &hf_smb_nt_access_mask_write_ea,
20020 { "Write EA", "smb.access.write_ea", FT_BOOLEAN, 32,
20021 TFS(&tfs_nt_access_mask_write_ea), 0x00000010, "Can object's extended attributes be written", HFILL }},
20022
20023 { &hf_smb_nt_access_mask_read_ea,
20024 { "Read EA", "smb.access.read_ea", FT_BOOLEAN, 32,
20025 TFS(&tfs_nt_access_mask_read_ea), 0x00000008, "Can object's extended attributes be read", HFILL }},
20026
20027 /*
20028 * "Append data" for files, "add subdirectory" for directories,
20029 * "create pipe instance" for named pipes.
20030 */
20031 { &hf_smb_nt_access_mask_append,
20032 { "Append", "smb.access.append", FT_BOOLEAN, 32,
20033 TFS(&tfs_nt_access_mask_append), 0x00000004, "Can object's contents be appended to", HFILL }},
20034
20035 /*
20036 * "Write data" for files and pipes, "add file" for directory.
20037 */
20038 { &hf_smb_nt_access_mask_write,
20039 { "Write", "smb.access.write", FT_BOOLEAN, 32,
20040 TFS(&tfs_nt_access_mask_write), 0x00000002, "Can object's contents be written", HFILL }},
20041
20042 /*
20043 * "Read data" for files and pipes, "list directory" for directory.
20044 */
20045 { &hf_smb_nt_access_mask_read,
20046 { "Read", "smb.access.read", FT_BOOLEAN, 32,
20047 TFS(&tfs_nt_access_mask_read), 0x00000001, "Can object's contents be read", HFILL }},
20048
20049 { &hf_smb_nt_create_bits_oplock,
20050 { "Exclusive Oplock", "smb.nt.create.oplock", FT_BOOLEAN, 32,
20051 TFS(&tfs_nt_create_bits_oplock), 0x00000002, "Is an oplock requested", HFILL }},
20052
20053 { &hf_smb_nt_create_bits_boplock,
20054 { "Batch Oplock", "smb.nt.create.batch_oplock", FT_BOOLEAN, 32,
20055 TFS(&tfs_nt_create_bits_boplock), 0x00000004, "Is a batch oplock requested?", HFILL }},
20056
20057 { &hf_smb_nt_create_bits_dir,
20058 { "Create Directory", "smb.nt.create.dir", FT_BOOLEAN, 32,
20059 TFS(&tfs_nt_create_bits_dir), 0x00000008, "Must target of open be a directory?", HFILL }},
20060
20061 { &hf_smb_nt_create_bits_ext_resp,
20062 { "Extended Response", "smb.nt.create.ext", FT_BOOLEAN, 32,
20063 TFS(&tfs_nt_create_bits_ext_resp), 0x00000010, "Extended response required?", HFILL }},
20064
20065 { &hf_smb_nt_create_options_directory_file,
20066 { "Directory", "smb.nt.create_options.directory", FT_BOOLEAN, 32,
20067 TFS(&tfs_nt_create_options_directory), 0x00000001, "Should file being opened/created be a directory?", HFILL }},
20068
20069 { &hf_smb_nt_create_options_write_through,
20070 { "Write Through", "smb.nt.create_options.write_through", FT_BOOLEAN, 32,
20071 TFS(&tfs_nt_create_options_write_through), 0x00000002, "Should writes to the file write buffered data out before completing?", HFILL }},
20072
20073 { &hf_smb_nt_create_options_sequential_only,
20074 { "Sequential Only", "smb.nt.create_options.sequential_only", FT_BOOLEAN, 32,
20075 TFS(&tfs_nt_create_options_sequential_only), 0x00000004, "Will access to this file only be sequential?", HFILL }},
20076
20077 { &hf_smb_nt_create_options_no_intermediate_buffering,
20078 { "Intermediate Buffering", "smb.nt.create_options.intermediate_buffering", FT_BOOLEAN, 32,
20079 TFS(&tfs_nt_create_options_no_intermediate_buffering), 0x00000008, "Is intermediate buffering allowed?", HFILL }},
20080
20081 { &hf_smb_nt_create_options_sync_io_alert,
20082 { "Sync I/O Alert", "smb.nt.create_options.sync_io_alert", FT_BOOLEAN, 32,
20083 TFS(&tfs_nt_create_options_sync_io_alert), 0x00000010, "All operations are performed synchronous", HFILL}},
20084
20085 { &hf_smb_nt_create_options_sync_io_nonalert,
20086 { "Sync I/O Nonalert", "smb.nt.create_options.sync_io_nonalert", FT_BOOLEAN, 32,
20087 TFS(&tfs_nt_create_options_sync_io_nonalert), 0x00000020, "All operations are synchronous and may block", HFILL}},
20088
20089 { &hf_smb_nt_create_options_non_directory_file,
20090 { "Non-Directory", "smb.nt.create_options.non_directory", FT_BOOLEAN, 32,
20091 TFS(&tfs_nt_create_options_non_directory), 0x00000040, "Should file being opened/created be a non-directory?", HFILL }},
20092
20093 { &hf_smb_nt_create_options_create_tree_connection,
20094 { "Create Tree Connection", "smb.nt.create_options.create_tree_connection", FT_BOOLEAN, 32,
20095 TFS(&tfs_nt_create_options_create_tree_connection), 0x00000080, "Create Tree Connection flag", HFILL }},
20096
20097 { &hf_smb_nt_create_options_complete_if_oplocked,
20098 { "Complete If Oplocked", "smb.nt.create_options.complete_if_oplocked", FT_BOOLEAN, 32,
20099 TFS(&tfs_nt_create_options_complete_if_oplocked), 0x00000100, "Complete if oplocked flag", HFILL }},
20100
20101 { &hf_smb_nt_create_options_no_ea_knowledge,
20102 { "No EA Knowledge", "smb.nt.create_options.no_ea_knowledge", FT_BOOLEAN, 32,
20103 TFS(&tfs_nt_create_options_no_ea_knowledge), 0x00000200, "Does the client not understand extended attributes?", HFILL }},
20104
20105 { &hf_smb_nt_create_options_file_open_for_recovery,
20106 { "Opened for recovery", "smb.nt.create_options.file_open_for_recovery", FT_BOOLEAN, 32,
20107 TFS(&tfs_nt_create_options_file_open_for_recovery), 0x00000400, "This option must be ignored by the server", HFILL }},
20108
20109 { &hf_smb_nt_create_options_random_access,
20110 { "Random Access", "smb.nt.create_options.random_access", FT_BOOLEAN, 32,
20111 TFS(&tfs_nt_create_options_random_access), 0x00000800, "Will the client be accessing the file randomly?", HFILL }},
20112
20113 { &hf_smb_nt_create_options_delete_on_close,
20114 { "Delete On Close", "smb.nt.create_options.delete_on_close", FT_BOOLEAN, 32,
20115 TFS(&tfs_nt_create_options_delete_on_close), 0x00001000, "Should the file be deleted when closed?", HFILL }},
20116 { &hf_smb_nt_create_options_open_by_fileid,
20117 { "Open By FileID", "smb.nt.create_options.open_by_fileid", FT_BOOLEAN, 32,
20118 TFS(&tfs_nt_create_options_open_by_fileid), 0x00002000, "Open file by inode", HFILL }},
20119
20120 { &hf_smb_nt_create_options_backup_intent,
20121 { "Backup Intent", "smb.nt.create_options.backup_intent", FT_BOOLEAN, 32,
20122 TFS(&tfs_nt_create_options_backup_intent), 0x00004000, "Is this opened by BACKUP ADMIN for backup intent?", HFILL }},
20123
20124 { &hf_smb_nt_create_options_no_compression,
20125 { "No Compression", "smb.nt.create_options.no_compression", FT_BOOLEAN, 32,
20126 TFS(&tfs_nt_create_options_no_compression), 0x00008000, "Is compression allowed?", HFILL }},
20127
20128 { &hf_smb_nt_create_options_reserve_opfilter,
20129 { "Reserve Opfilter", "smb.nt.create_options.reserve_opfilter", FT_BOOLEAN, 32,
20130 TFS(&tfs_nt_create_options_reserve_opfilter), 0x00100000, "Reserve Opfilter flag", HFILL }},
20131
20132 { &hf_smb_nt_create_options_open_reparse_point,
20133 { "Open Reparse Point", "smb.nt.create_options.open_reparse_point", FT_BOOLEAN, 32,
20134 TFS(&tfs_nt_create_options_open_reparse_point), 0x00200000, "Is this an open of a reparse point or of the normal file?", HFILL }},
20135
20136 { &hf_smb_nt_create_options_open_no_recall,
20137 { "Open No Recall", "smb.nt.create_options.open_no_recall", FT_BOOLEAN, 32,
20138 TFS(&tfs_nt_create_options_open_no_recall), 0x00400000, "Open no recall flag", HFILL }},
20139
20140 { &hf_smb_nt_create_options_open_for_free_space_query,
20141 { "Open For Free Space query", "smb.nt.create_options.open_for_free_space_query", FT_BOOLEAN, 32,
20142 TFS(&tfs_nt_create_options_open_for_free_space_query), 0x00800000, "Open For Free Space Query flag", HFILL }},
20143
20144 { &hf_smb_nt_share_access_read,
20145 { "Read", "smb.share.access.read", FT_BOOLEAN, 32,
20146 TFS(&tfs_nt_share_access_read), SHARE_ACCESS_READ, "Can the object be shared for reading?", HFILL }},
20147
20148 { &hf_smb_nt_share_access_write,
20149 { "Write", "smb.share.access.write", FT_BOOLEAN, 32,
20150 TFS(&tfs_nt_share_access_write), SHARE_ACCESS_WRITE, "Can the object be shared for write?", HFILL }},
20151
20152 { &hf_smb_nt_share_access_delete,
20153 { "Delete", "smb.share.access.delete", FT_BOOLEAN, 32,
20154 TFS(&tfs_nt_share_access_delete), SHARE_ACCESS_DELETE, NULL, HFILL }},
20155
20156 { &hf_smb_file_eattr,
20157 { "File Attributes", "smb.file_attribute", FT_UINT32, BASE_HEX,
20158 NULL, 0x0, NULL, HFILL }},
20159
20160 { &hf_smb_file_eattr_read_only,
20161 { "Read Only", "smb.file_attribute.read_only", FT_BOOLEAN, 32,
20162 TFS(&tfs_file_attribute_read_only), SMB_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL }},
20163
20164 { &hf_smb_file_eattr_hidden,
20165 { "Hidden", "smb.file_attribute.hidden", FT_BOOLEAN, 32,
20166 TFS(&tfs_file_attribute_hidden), SMB_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL }},
20167
20168 { &hf_smb_file_eattr_system,
20169 { "System", "smb.file_attribute.system", FT_BOOLEAN, 32,
20170 TFS(&tfs_file_attribute_system), SMB_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL }},
20171
20172 { &hf_smb_file_eattr_volume,
20173 { "Volume ID", "smb.file_attribute.volume", FT_BOOLEAN, 32,
20174 TFS(&tfs_file_attribute_volume), SMB_FILE_ATTRIBUTE_VOLUME, "VOLUME file attribute", HFILL }},
20175
20176 { &hf_smb_file_eattr_directory,
20177 { "Directory", "smb.file_attribute.directory", FT_BOOLEAN, 32,
20178 TFS(&tfs_file_attribute_directory), SMB_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL }},
20179
20180 { &hf_smb_file_eattr_archive,
20181 { "Archive", "smb.file_attribute.archive", FT_BOOLEAN, 32,
20182 TFS(&tfs_file_attribute_archive), SMB_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL }},
20183
20184 { &hf_smb_file_eattr_device,
20185 { "Device", "smb.file_attribute.device", FT_BOOLEAN, 32,
20186 TFS(&tfs_file_attribute_device), SMB_FILE_ATTRIBUTE_DEVICE, "Is this file a device?", HFILL }},
20187
20188 { &hf_smb_file_eattr_normal,
20189 { "Normal", "smb.file_attribute.normal", FT_BOOLEAN, 32,
20190 TFS(&tfs_file_attribute_normal), SMB_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL }},
20191
20192 { &hf_smb_file_eattr_temporary,
20193 { "Temporary", "smb.file_attribute.temporary", FT_BOOLEAN, 32,
20194 TFS(&tfs_file_attribute_temporary), SMB_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL }},
20195
20196 { &hf_smb_file_eattr_sparse,
20197 { "Sparse", "smb.file_attribute.sparse", FT_BOOLEAN, 32,
20198 TFS(&tfs_file_attribute_sparse), SMB_FILE_ATTRIBUTE_SPARSE, "Is this a sparse file?", HFILL }},
20199
20200 { &hf_smb_file_eattr_reparse,
20201 { "Reparse Point", "smb.file_attribute.reparse", FT_BOOLEAN, 32,
20202 TFS(&tfs_file_attribute_reparse), SMB_FILE_ATTRIBUTE_REPARSE, "Does this file have an associated reparse point?", HFILL }},
20203
20204 { &hf_smb_file_eattr_compressed,
20205 { "Compressed", "smb.file_attribute.compressed", FT_BOOLEAN, 32,
20206 TFS(&tfs_file_attribute_compressed), SMB_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL }},
20207
20208 { &hf_smb_file_eattr_offline,
20209 { "Offline", "smb.file_attribute.offline", FT_BOOLEAN, 32,
20210 TFS(&tfs_file_attribute_offline), SMB_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL }},
20211
20212 { &hf_smb_file_eattr_not_content_indexed,
20213 { "Content Indexed", "smb.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
20214 TFS(&tfs_file_attribute_not_content_indexed), SMB_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL }},
20215
20216 { &hf_smb_file_eattr_encrypted,
20217 { "Encrypted", "smb.file_attribute.encrypted", FT_BOOLEAN, 32,
20218 TFS(&tfs_file_attribute_encrypted), SMB_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL }},
20219
20220 { &hf_smb_size_returned_quota_data,
20221 { "Size of returned Quota data", "smb.size_returned_quota_data", FT_UINT32, BASE_DEC,
20222 NULL, 0x0, NULL, HFILL }},
20223
20224 { &hf_smb_sec_desc_len,
20225 { "NT Security Descriptor Length", "smb.sec_desc_len", FT_UINT32, BASE_DEC,
20226 NULL, 0, NULL, HFILL }},
20227
20228 { &hf_smb_nt_qsd,
20229 { "Security Information", "smb.nt_qsd", FT_UINT32, BASE_HEX,
20230 NULL, 0x0, NULL, HFILL }},
20231
20232 { &hf_smb_nt_qsd_owner,
20233 { "Owner", "smb.nt_qsd.owner", FT_BOOLEAN, 32,
20234 TFS(&tfs_nt_qsd_owner), NT_QSD_OWNER, "Is owner security information being queried?", HFILL }},
20235
20236 { &hf_smb_nt_qsd_group,
20237 { "Group", "smb.nt_qsd.group", FT_BOOLEAN, 32,
20238 TFS(&tfs_nt_qsd_group), NT_QSD_GROUP, "Is group security information being queried?", HFILL }},
20239
20240 { &hf_smb_nt_qsd_dacl,
20241 { "DACL", "smb.nt_qsd.dacl", FT_BOOLEAN, 32,
20242 TFS(&tfs_nt_qsd_dacl), NT_QSD_DACL, "Is DACL security information being queried?", HFILL }},
20243
20244 { &hf_smb_nt_qsd_sacl,
20245 { "SACL", "smb.nt_qsd.sacl", FT_BOOLEAN, 32,
20246 TFS(&tfs_nt_qsd_sacl), NT_QSD_SACL, "Is SACL security information being queried?", HFILL }},
20247
20248 { &hf_smb_extended_attributes,
20249 { "Extended Attributes", "smb.ext_attr", FT_BYTES, BASE_NONE,
20250 NULL, 0, NULL, HFILL }},
20251
20252 { &hf_smb_oplock_level,
20253 { "Oplock level", "smb.oplock.level", FT_UINT8, BASE_DEC,
20254 VALS(oplock_level_vals), 0, "Level of oplock granted", HFILL }},
20255
20256 { &hf_smb_response_type,
20257 { "Response type", "smb.response_type", FT_UINT8, BASE_HEX,
20258 VALS(response_type_vals), 0, "NT Transaction Create response type", HFILL }},
20259
20260 { &hf_smb_create_action,
20261 { "Create action", "smb.create.action", FT_UINT32, BASE_DEC,
20262 VALS(oa_open_vals), 0, "Type of action taken", HFILL }},
20263
20264 { &hf_smb_file_id,
20265 { "Server unique file ID", "smb.create.file_id", FT_UINT32, BASE_HEX,
20266 NULL, 0, NULL, HFILL }},
20267
20268 { &hf_smb_file_id_64bit,
20269 { "Server unique 64-bit file ID", "smb.create.file_id_64b", FT_UINT64, BASE_HEX,
20270 NULL, 0, NULL, HFILL }},
20271
20272 { &hf_smb_ea_error_offset,
20273 { "EA Error offset", "smb.ea.error_offset", FT_UINT32, BASE_DEC,
20274 NULL, 0, "Offset into EA list if EA error", HFILL }},
20275
20276 { &hf_smb_end_of_file,
20277 { "End Of File", "smb.end_of_file", FT_UINT64, BASE_DEC,
20278 NULL, 0, "Offset to the first free byte in the file", HFILL }},
20279
20280 { &hf_smb_replace,
20281 { "Replace", "smb.replace", FT_BOOLEAN, BASE_NONE,
20282 TFS(&tfs_smb_replace), 0x0, "Remove target if it exists?", HFILL }},
20283
20284 { &hf_smb_root_dir_handle,
20285 { "Root Directory Handle", "smb.root_dir_handle", FT_UINT32, BASE_HEX,
20286 NULL, 0, NULL, HFILL }},
20287
20288 { &hf_smb_target_name_len,
20289 { "Target name length", "smb.target_name_len", FT_UINT32, BASE_DEC,
20290 NULL, 0, "Length of target file name", HFILL }},
20291
20292 { &hf_smb_target_name,
20293 { "Target name", "smb.target_name", FT_STRING, BASE_NONE,
20294 NULL, 0, "Target file name", HFILL }},
20295
20296 { &hf_smb_device_type,
20297 { "Device Type", "smb.device.type", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
20298 &device_type_vals_ext, 0, "Type of device", HFILL }},
20299
20300 { &hf_smb_is_directory,
20301 { "Is Directory", "smb.is_directory", FT_UINT8, BASE_DEC,
20302 VALS(is_directory_vals), 0, "Is this object a directory?", HFILL }},
20303
20304 { &hf_smb_next_entry_offset,
20305 { "Next Entry Offset", "smb.next_entry_offset", FT_UINT32, BASE_DEC,
20306 NULL, 0, "Offset to next entry", HFILL }},
20307
20308 { &hf_smb_change_time,
20309 { "Change", "smb.change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
20310 NULL, 0, "Last Change Time", HFILL }},
20311
20312 { &hf_smb_setup_len,
20313 { "Setup Len", "smb.print.setup.len", FT_UINT16, BASE_DEC,
20314 NULL, 0, "Length of printer setup data", HFILL }},
20315
20316 { &hf_smb_print_mode,
20317 { "Mode", "smb.print.mode", FT_UINT16, BASE_DEC,
20318 VALS(print_mode_vals), 0, "Text or Graphics mode", HFILL }},
20319
20320 { &hf_smb_print_identifier,
20321 { "Identifier", "smb.print.identifier", FT_STRING, BASE_NONE,
20322 NULL, 0, "Identifier string for this print job", HFILL }},
20323
20324 { &hf_smb_restart_index,
20325 { "Restart Index", "smb.print.restart_index", FT_UINT16, BASE_DEC,
20326 NULL, 0, "Index of entry after last returned", HFILL }},
20327
20328 { &hf_smb_print_queue_date,
20329 { "Queued", "smb.print.queued.date", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
20330 NULL, 0, "Date when this entry was queued", HFILL }},
20331
20332 { &hf_smb_print_queue_dos_date,
20333 { "Queued Date", "smb.print.queued.smb.date", FT_UINT16, BASE_HEX,
20334 NULL, 0, "Date when this print job was queued, SMB_DATE format", HFILL }},
20335
20336 { &hf_smb_print_queue_dos_time,
20337 { "Queued Time", "smb.print.queued.smb.time", FT_UINT16, BASE_HEX,
20338 NULL, 0, "Time when this print job was queued, SMB_TIME format", HFILL }},
20339
20340 { &hf_smb_print_status,
20341 { "Status", "smb.print.status", FT_UINT8, BASE_HEX,
20342 VALS(print_status_vals), 0, "Status of this entry", HFILL }},
20343
20344 { &hf_smb_print_spool_file_number,
20345 { "Spool File Number", "smb.print.spool.file_number", FT_UINT16, BASE_DEC,
20346 NULL, 0, "Spool File Number, assigned by the spooler", HFILL }},
20347
20348 { &hf_smb_print_spool_file_size,
20349 { "Spool File Size", "smb.print.spool.file_size", FT_UINT32, BASE_DEC,
20350 NULL, 0, "Number of bytes in spool file", HFILL }},
20351
20352 { &hf_smb_print_spool_file_name,
20353 { "Name", "smb.print.spool.name", FT_STRINGZ, BASE_NONE,
20354 NULL, 0, "Name of client that submitted this job", HFILL }},
20355
20356 { &hf_smb_start_index,
20357 { "Start Index", "smb.print.start_index", FT_UINT16, BASE_DEC,
20358 NULL, 0, "First queue entry to return", HFILL }},
20359
20360 { &hf_smb_originator_name,
20361 { "Originator Name", "smb.originator_name", FT_STRINGZ, BASE_NONE,
20362 NULL, 0, "Name of sender of message", HFILL }},
20363
20364 { &hf_smb_destination_name,
20365 { "Destination Name", "smb.destination_name", FT_STRINGZ, BASE_NONE,
20366 NULL, 0, "Name of recipient of message", HFILL }},
20367
20368 { &hf_smb_message_len,
20369 { "Message Len", "smb.message.len", FT_UINT16, BASE_DEC,
20370 NULL, 0, "Length of message", HFILL }},
20371
20372 { &hf_smb_message,
20373 { "Message", "smb.message", FT_STRING, BASE_NONE,
20374 NULL, 0, "Message text", HFILL }},
20375
20376 { &hf_smb_mgid,
20377 { "Message Group ID", "smb.mgid", FT_UINT16, BASE_DEC,
20378 NULL, 0, "Message group ID for multi-block messages", HFILL }},
20379
20380 { &hf_smb_forwarded_name,
20381 { "Forwarded Name", "smb.forwarded_name", FT_STRINGZ, BASE_NONE,
20382 NULL, 0, "Recipient name being forwarded", HFILL }},
20383
20384 { &hf_smb_machine_name,
20385 { "Machine Name", "smb.machine_name", FT_STRINGZ, BASE_NONE,
20386 NULL, 0, "Name of target machine", HFILL }},
20387
20388 { &hf_smb_cancel_to,
20389 { "Cancel to", "smb.cancel_to", FT_FRAMENUM, BASE_NONE,
20390 NULL, 0, "This packet is a cancellation of the packet in this frame", HFILL }},
20391
20392 { &hf_smb_trans_name,
20393 { "Transaction Name", "smb.trans_name", FT_STRING, BASE_NONE,
20394 NULL, 0, "Name of transaction", HFILL }},
20395
20396 { &hf_smb_transaction_flags,
20397 { "Flags", "smb.transaction.flags", FT_UINT16, BASE_HEX,
20398 NULL, 0x0, NULL, HFILL }},
20399
20400 { &hf_smb_transaction_flags_dtid,
20401 { "Disconnect TID", "smb.transaction.flags.dtid", FT_BOOLEAN, 16,
20402 TFS(&tfs_tf_dtid), 0x0001, "Disconnect TID?", HFILL }},
20403
20404 { &hf_smb_transaction_flags_owt,
20405 { "One Way Transaction", "smb.transaction.flags.owt", FT_BOOLEAN, 16,
20406 TFS(&tfs_tf_owt), 0x0002, "One Way Transaction (no response)?", HFILL }},
20407
20408 { &hf_smb_search_count_max,
20409 { "Search Count Max", "smb.search_count_max", FT_UINT16, BASE_DEC,
20410 NULL, 0, "Maximum number of search entries to return", HFILL }},
20411
20412 { &hf_smb_search_count_found,
20413 { "Search Count Found", "smb.search_count_found", FT_UINT16, BASE_DEC,
20414 NULL, 0, "The number of files found", HFILL }},
20415
20416 { &hf_smb_search_pattern,
20417 { "Search Pattern", "smb.search_pattern", FT_STRING, BASE_NONE,
20418 NULL, 0, NULL, HFILL }},
20419
20420 { &hf_smb_ff2,
20421 { "Flags", "smb.find_first2.flags", FT_UINT16, BASE_HEX,
20422 NULL, 0x0, NULL, HFILL }},
20423
20424 { &hf_smb_ff2_backup,
20425 { "Backup Intent", "smb.find_first2.flags.backup", FT_BOOLEAN, 16,
20426 TFS(&tfs_ff2_backup), 0x0010, "Find with backup intent", HFILL }},
20427
20428 { &hf_smb_ff2_continue,
20429 { "Continue", "smb.find_first2.flags.continue", FT_BOOLEAN, 16,
20430 TFS(&tfs_ff2_continue), 0x0008, "Continue search from previous ending place", HFILL }},
20431
20432 { &hf_smb_ff2_resume,
20433 { "Resume", "smb.find_first2.flags.resume", FT_BOOLEAN, 16,
20434 TFS(&tfs_ff2_resume), FF2_RESUME, "Return resume keys for each entry found", HFILL }},
20435
20436 { &hf_smb_ff2_close_eos,
20437 { "Close on EOS", "smb.find_first2.flags.eos", FT_BOOLEAN, 16,
20438 TFS(&tfs_ff2_close_eos), 0x0002, "Close search if end of search reached", HFILL }},
20439
20440 { &hf_smb_ff2_close,
20441 { "Close", "smb.find_first2.flags.close", FT_BOOLEAN, 16,
20442 TFS(&tfs_ff2_close), 0x0001, "Close search after this request", HFILL }},
20443
20444 { &hf_smb_ff2_information_level,
20445 { "Level of Interest", "smb.ff2_loi", FT_UINT16, BASE_HEX,
20446 VALS(ff2_il_vals), 0, "Level of interest for FIND_FIRST2 command", HFILL }},
20447
20448 { &hf_smb_qpi_loi,
20449 { "Level of Interest", "smb.qpi_loi", FT_UINT16, BASE_HEX,
20450 VALS(qpi_loi_vals), 0, "Level of interest for TRANSACTION[2] QUERY_{FILE,PATH}_INFO commands", HFILL }},
20451
20452 { &hf_smb_spi_loi,
20453 { "Level of Interest", "smb.spi_loi", FT_UINT16, BASE_HEX | BASE_EXT_STRING,
20454 &spi_loi_vals_ext, 0, "Level of interest for TRANSACTION[2] SET_{FILE,PATH}_INFO commands", HFILL }},
20455
20456 #if 0
20457 { &hf_smb_sfi,
20458 { "IO Flag", "smb.sfi_flags", FT_UINT16, BASE_HEX,
20459 NULL, 0x0, NULL, HFILL }},
20460
20461 { &hf_smb_sfi_writetru,
20462 { "Writethrough", "smb.sfi_writethrough", FT_BOOLEAN, 16,
20463 TFS(&tfs_da_writetru), 0x0010, "Writethrough mode?", HFILL }},
20464
20465 { &hf_smb_sfi_caching,
20466 { "Caching", "smb.sfi_caching", FT_BOOLEAN, 16,
20467 TFS(&tfs_da_caching), 0x0020, "Caching mode?", HFILL }},
20468 #endif
20469
20470 { &hf_smb_storage_type,
20471 { "Storage Type", "smb.storage_type", FT_UINT32, BASE_DEC,
20472 NULL, 0, "Type of storage", HFILL }},
20473
20474 { &hf_smb_resume,
20475 { "Resume Key", "smb.resume", FT_UINT32, BASE_DEC,
20476 NULL, 0, NULL, HFILL }},
20477
20478 { &hf_smb_max_referral_level,
20479 { "Max Referral Level", "smb.max_referral_level", FT_UINT16, BASE_DEC,
20480 NULL, 0, "Latest referral version number understood", HFILL }},
20481
20482 { &hf_smb_qfsi_information_level,
20483 { "Level of Interest", "smb.qfsi_loi", FT_UINT16, BASE_HEX | BASE_EXT_STRING,
20484 &qfsi_vals_ext, 0, "Level of interest for QUERY_FS_INFORMATION2 command", HFILL }},
20485
20486 { &hf_smb_sfsi_information_level,
20487 { "Level of Interest", "smb.sfsi_loi", FT_UINT16, BASE_HEX,
20488 VALS(sfsi_vals), 0, "Level of interest for SET_FS_INFORMATION2 command", HFILL }},
20489
20490 { &hf_smb_nt_rename_level,
20491 { "Level of Interest", "smb.ntr_loi", FT_UINT16, BASE_DEC,
20492 VALS(nt_rename_vals), 0, "NT Rename level", HFILL }},
20493
20494 { &hf_smb_cluster_count,
20495 { "Cluster count", "smb.ntr_clu", FT_UINT32, BASE_DEC,
20496 NULL, 0, "Number of clusters", HFILL }},
20497
20498 { &hf_smb_number_of_links,
20499 { "Link Count", "smb.link_count", FT_UINT32, BASE_DEC,
20500 NULL, 0, "Number of hard links to the file", HFILL }},
20501
20502 { &hf_smb_delete_pending,
20503 { "Delete Pending", "smb.delete_pending", FT_UINT16, BASE_DEC,
20504 VALS(delete_pending_vals), 0, "Is this object about to be deleted?", HFILL }},
20505
20506 { &hf_smb_index_number,
20507 { "Index Number", "smb.index_number", FT_UINT64, BASE_HEX,
20508 NULL, 0, "File system unique identifier", HFILL }},
20509
20510 { &hf_smb_position,
20511 { "Position", "smb.position", FT_UINT64, BASE_DEC,
20512 NULL, 0, "File position", HFILL }},
20513
20514 #if 0
20515 { &hf_smb_current_offset,
20516 { "Current Offset", "smb.offset", FT_UINT64, BASE_DEC,
20517 NULL, 0, "Current offset in the file", HFILL }},
20518 #endif
20519
20520 { &hf_smb_t2_alignment,
20521 { "Alignment", "smb.alignment", FT_UINT32, BASE_DEC,
20522 VALS(alignment_vals), 0, "What alignment do we require for buffers", HFILL }},
20523
20524 { &hf_smb_t2_stream_name_length,
20525 { "Stream Name Length", "smb.stream_name_len", FT_UINT32, BASE_DEC,
20526 NULL, 0, "Length of stream name", HFILL }},
20527
20528 { &hf_smb_t2_stream_size,
20529 { "Stream Size", "smb.stream_size", FT_UINT64, BASE_DEC,
20530 NULL, 0, "Size of the stream in number of bytes", HFILL }},
20531
20532 { &hf_smb_t2_stream_name,
20533 { "Stream Name", "smb.stream_name", FT_STRING, BASE_NONE,
20534 NULL, 0, "Name of the stream", HFILL }},
20535
20536 { &hf_smb_t2_compressed_file_size,
20537 { "Compressed Size", "smb.compressed.file_size", FT_UINT64, BASE_DEC,
20538 NULL, 0, "Size of the compressed file", HFILL }},
20539
20540 { &hf_smb_t2_compressed_format,
20541 { "Compression Format", "smb.compressed.format", FT_UINT16, BASE_DEC,
20542 NULL, 0, "Compression algorithm used", HFILL }},
20543
20544 { &hf_smb_t2_compressed_unit_shift,
20545 { "Unit Shift", "smb.compressed.unit_shift", FT_UINT8, BASE_DEC,
20546 NULL, 0, "Size of the stream in number of bytes", HFILL }},
20547
20548 { &hf_smb_t2_compressed_chunk_shift,
20549 { "Chunk Shift", "smb.compressed.chunk_shift", FT_UINT8, BASE_DEC,
20550 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
20551
20552 { &hf_smb_t2_compressed_cluster_shift,
20553 { "Cluster Shift", "smb.compressed.cluster_shift", FT_UINT8, BASE_DEC,
20554 NULL, 0, "Allocated size of the stream in number of bytes", HFILL }},
20555
20556 { &hf_smb_t2_marked_for_deletion,
20557 { "Marked for Deletion", "smb.marked_for_deletion", FT_BOOLEAN, BASE_NONE,
20558 TFS(&tfs_marked_for_deletion), 0x0, "Marked for deletion?", HFILL }},
20559
20560 { &hf_smb_dfs_path_consumed,
20561 { "Path Consumed", "smb.dfs.path_consumed", FT_UINT16, BASE_DEC,
20562 NULL, 0, "Number of RequestFilename bytes client", HFILL }},
20563
20564 { &hf_smb_dfs_num_referrals,
20565 { "Num Referrals", "smb.dfs.num_referrals", FT_UINT16, BASE_DEC,
20566 NULL, 0, "Number of referrals in this pdu", HFILL }},
20567
20568 { &hf_smb_get_dfs_flags,
20569 { "Flags", "smb.dfs.flags", FT_UINT16, BASE_HEX,
20570 NULL, 0x0, NULL, HFILL }},
20571
20572 { &hf_smb_get_dfs_server_hold_storage,
20573 { "Hold Storage", "smb.dfs.flags.server_hold_storage", FT_BOOLEAN, 16,
20574 TFS(&tfs_get_dfs_server_hold_storage), 0x0002, "The servers in referrals should hold storage for the file", HFILL }},
20575
20576 { &hf_smb_get_dfs_fielding,
20577 { "Fielding", "smb.dfs.flags.fielding", FT_BOOLEAN, 16,
20578 TFS(&tfs_get_dfs_fielding), 0x0001, "The servers in referrals are capable of fielding", HFILL }},
20579
20580 { &hf_smb_dfs_referral_version,
20581 { "Version", "smb.dfs.referral.version", FT_UINT16, BASE_DEC,
20582 NULL, 0, "Version of referral element", HFILL }},
20583
20584 { &hf_smb_dfs_referral_size,
20585 { "Size", "smb.dfs.referral.size", FT_UINT16, BASE_DEC,
20586 NULL, 0, "Size of referral element", HFILL }},
20587
20588 { &hf_smb_dfs_referral_server_type,
20589 { "Server Type", "smb.dfs.referral.server.type", FT_UINT16, BASE_DEC,
20590 VALS(dfs_referral_server_type_vals), 0, "Type of referral server", HFILL }},
20591
20592 { &hf_smb_dfs_referral_flags,
20593 { "Flags", "smb.dfs.referral.flags", FT_UINT16, BASE_HEX,
20594 NULL, 0x0, NULL, HFILL }},
20595
20596 { &hf_smb_dfs_referral_flags_name_list_referral,
20597 { "NameListReferral", "smb.dfs.referral.flags.name_list_referral", FT_BOOLEAN, 16,
20598 TFS(&tfs_dfs_referral_flags_name_list_referral), REFENT_FLAGS_NAME_LIST_REFERRAL, "Is a domain/DC referral response?", HFILL }},
20599
20600 { &hf_smb_dfs_referral_flags_target_set_boundary,
20601 { "TargetSetBoundary", "smb.dfs.referral.flags.target_set_boundary", FT_BOOLEAN, 16,
20602 TFS(&tfs_dfs_referral_flags_target_set_boundary), REFENT_FLAGS_TARGET_SET_BOUNDARY, "Is this a first target in the target set?", HFILL }},
20603
20604 { &hf_smb_dfs_referral_node_offset,
20605 { "Node Offset", "smb.dfs.referral.node_offset", FT_UINT16, BASE_DEC,
20606 NULL, 0, "Offset of name of entity to visit next", HFILL }},
20607
20608 { &hf_smb_dfs_referral_node,
20609 { "Node", "smb.dfs.referral.node", FT_STRING, BASE_NONE,
20610 NULL, 0, "Name of entity to visit next", HFILL }},
20611
20612 { &hf_smb_dfs_referral_proximity,
20613 { "Proximity", "smb.dfs.referral.proximity", FT_UINT32, BASE_DEC,
20614 NULL, 0, "Hint describing proximity of this server to the client", HFILL }},
20615
20616 { &hf_smb_dfs_referral_ttl,
20617 { "TTL", "smb.dfs.referral.ttl", FT_UINT32, BASE_DEC,
20618 NULL, 0, "Number of seconds the client can cache this referral", HFILL }},
20619
20620 { &hf_smb_dfs_referral_path_offset,
20621 { "Path Offset", "smb.dfs.referral.path_offset", FT_UINT16, BASE_DEC,
20622 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
20623
20624 { &hf_smb_dfs_referral_path,
20625 { "Path", "smb.dfs.referral.path", FT_STRING, BASE_NONE,
20626 NULL, 0, "Dfs Path that matched pathconsumed", HFILL }},
20627
20628 { &hf_smb_dfs_referral_alt_path_offset,
20629 { "Alt Path Offset", "smb.dfs.referral.alt_path_offset", FT_UINT16, BASE_DEC,
20630 NULL, 0, "Offset of alternative(8.3) Path that matched pathconsumed", HFILL }},
20631
20632 { &hf_smb_dfs_referral_alt_path,
20633 { "Alt Path", "smb.dfs.referral.alt_path", FT_STRING, BASE_NONE,
20634 NULL, 0, "Alternative(8.3) Path that matched pathconsumed", HFILL }},
20635
20636 { &hf_smb_dfs_referral_domain_offset,
20637 { "Domain Offset", "smb.dfs.referral.domain_offset", FT_UINT16, BASE_DEC,
20638 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
20639
20640 { &hf_smb_dfs_referral_number_of_expnames,
20641 { "Number of Expanded Names", "smb.dfs.referral.number_of_expnames", FT_UINT16, BASE_DEC,
20642 NULL, 0, NULL, HFILL }},
20643
20644 { &hf_smb_dfs_referral_expnames_offset,
20645 { "Expanded Names Offset", "smb.dfs.referral.expnames_offset", FT_UINT16, BASE_DEC,
20646 NULL, 0, "Offset of Dfs Path that matched pathconsumed", HFILL }},
20647
20648 { &hf_smb_dfs_referral_domain_name,
20649 { "Domain Name", "smb.dfs.referral.domain_name", FT_STRING, BASE_NONE,
20650 NULL, 0, "Dfs referral domain name", HFILL }},
20651
20652 { &hf_smb_dfs_referral_expname,
20653 { "Expanded Name", "smb.dfs.referral.expname", FT_STRING, BASE_NONE,
20654 NULL, 0, "Dfs expanded name", HFILL }},
20655
20656 { &hf_smb_dfs_referral_server_guid,
20657 { "Server GUID", "smb.dfs.referral.server_guid", FT_GUID, BASE_NONE,
20658 NULL, 0, "Globally unique identifier for this server", HFILL }},
20659
20660 { &hf_smb_end_of_search,
20661 { "End Of Search", "smb.end_of_search", FT_UINT16, BASE_DEC,
20662 NULL, 0, "Was last entry returned?", HFILL }},
20663
20664 { &hf_smb_last_name_offset,
20665 { "Last Name Offset", "smb.last_name_offset", FT_UINT16, BASE_DEC,
20666 NULL, 0, "If non-0 this is the offset into the datablock for the file name of the last entry", HFILL }},
20667
20668 { &hf_smb_fn_information_level,
20669 { "Level of Interest", "smb.fn_loi", FT_UINT16, BASE_DEC,
20670 NULL, 0, "Level of interest for FIND_NOTIFY command", HFILL }},
20671
20672 { &hf_smb_monitor_handle,
20673 { "Monitor Handle", "smb.monitor_handle", FT_UINT16, BASE_HEX,
20674 NULL, 0, "Handle for Find Notify operations", HFILL }},
20675
20676 { &hf_smb_change_count,
20677 { "Change Count", "smb.change_count", FT_UINT16, BASE_DEC,
20678 NULL, 0, "Number of changes to wait for", HFILL }},
20679
20680 { &hf_smb_file_index,
20681 { "File Index", "smb.file_index", FT_UINT32, BASE_DEC,
20682 NULL, 0, NULL, HFILL }},
20683
20684 { &hf_smb_short_file_name,
20685 { "Short File Name", "smb.short_file", FT_STRING, BASE_NONE,
20686 NULL, 0, "Short (8.3) File Name", HFILL }},
20687
20688 { &hf_smb_short_file_name_len,
20689 { "Short File Name Len", "smb.short_file_name_len", FT_UINT32, BASE_DEC,
20690 NULL, 0, "Length of Short (8.3) File Name", HFILL }},
20691
20692 { &hf_smb_fs_id,
20693 { "FS Id", "smb.fs_id", FT_UINT32, BASE_DEC,
20694 NULL, 0, "File System ID (NT Server always returns 0)", HFILL }},
20695
20696 { &hf_smb_sector_unit,
20697 { "Sectors/Unit", "smb.fs_sector_per_unit", FT_UINT32, BASE_DEC,
20698 NULL, 0, "Sectors per allocation unit", HFILL }},
20699
20700 { &hf_smb_fs_units,
20701 { "Total Units", "smb.fs_units", FT_UINT32, BASE_DEC,
20702 NULL, 0, "Total number of units on this filesystem", HFILL }},
20703
20704 { &hf_smb_fs_sector,
20705 { "Bytes per Sector", "smb.fs_bytes_per_sector", FT_UINT32, BASE_DEC,
20706 NULL, 0, NULL, HFILL }},
20707
20708 { &hf_smb_avail_units,
20709 { "Available Units", "smb.avail.units", FT_UINT32, BASE_DEC,
20710 NULL, 0, "Total number of available units on this filesystem", HFILL }},
20711
20712 { &hf_smb_volume_serial_num,
20713 { "Volume Serial Number", "smb.volume.serial", FT_UINT32, BASE_HEX,
20714 NULL, 0, NULL, HFILL }},
20715
20716 { &hf_smb_volume_label_len,
20717 { "Label Length", "smb.volume.label.len", FT_UINT32, BASE_DEC,
20718 NULL, 0, "Length of volume label", HFILL }},
20719
20720 { &hf_smb_volume_label,
20721 { "Label", "smb.volume.label", FT_STRING, BASE_NONE,
20722 NULL, 0, "Volume label", HFILL }},
20723
20724 { &hf_smb_free_alloc_units64,
20725 { "Free Units", "smb.free_alloc_units", FT_UINT64, BASE_DEC,
20726 NULL, 0, "Number of free allocation units", HFILL }},
20727
20728 { &hf_smb_caller_free_alloc_units64,
20729 { "Caller Free Units", "smb.caller_free_alloc_units", FT_UINT64, BASE_DEC,
20730 NULL, 0, "Number of caller free allocation units", HFILL }},
20731
20732 { &hf_smb_actual_free_alloc_units64,
20733 { "Actual Free Units", "smb.actual_free_alloc_units", FT_UINT64, BASE_DEC,
20734 NULL, 0, "Number of actual free allocation units", HFILL }},
20735
20736 { &hf_smb_soft_quota_limit,
20737 { "(Soft) Quota Threshold", "smb.quota.soft.default", FT_UINT64, BASE_DEC,
20738 NULL, 0, "Soft Quota threshold", HFILL }},
20739
20740 { &hf_smb_hard_quota_limit,
20741 { "(Hard) Quota Limit", "smb.quota.hard.default", FT_UINT64, BASE_DEC,
20742 NULL, 0, "Hard Quota limit", HFILL }},
20743
20744 { &hf_smb_user_quota_used,
20745 { "Quota Used", "smb.quota.used", FT_UINT64, BASE_DEC,
20746 NULL, 0, "How much Quota is used by this user", HFILL }},
20747
20748 { &hf_smb_max_name_len,
20749 { "Max name length", "smb.fs_max_name_len", FT_UINT32, BASE_DEC,
20750 NULL, 0, "Maximum length of each file name component in number of bytes", HFILL }},
20751
20752 { &hf_smb_fs_name_len,
20753 { "Label Length", "smb.fs_name.len", FT_UINT32, BASE_DEC,
20754 NULL, 0, "Length of filesystem name in bytes", HFILL }},
20755
20756 { &hf_smb_fs_name,
20757 { "FS Name", "smb.fs_name", FT_STRING, BASE_NONE,
20758 NULL, 0, "Name of filesystem", HFILL }},
20759
20760 { &hf_smb_device_char,
20761 { "Device Characteristics", "smb.device", FT_UINT32, BASE_HEX,
20762 NULL, 0x0, NULL, HFILL }},
20763
20764 { &hf_smb_device_char_removable,
20765 { "Removable", "smb.device.removable", FT_BOOLEAN, 32,
20766 TFS(&tfs_device_char_removable), 0x00000001, "Is this a removable device", HFILL }},
20767
20768 { &hf_smb_device_char_read_only,
20769 { "Read Only", "smb.device.read_only", FT_BOOLEAN, 32,
20770 TFS(&tfs_device_char_read_only), 0x00000002, "Is this a read-only device", HFILL }},
20771
20772 { &hf_smb_device_char_floppy,
20773 { "Floppy", "smb.device.floppy", FT_BOOLEAN, 32,
20774 TFS(&tfs_device_char_floppy), 0x00000004, "Is this a floppy disk", HFILL }},
20775
20776 { &hf_smb_device_char_write_once,
20777 { "Write Once", "smb.device.write_once", FT_BOOLEAN, 32,
20778 TFS(&tfs_device_char_write_once), 0x00000008, "Is this a write-once device", HFILL }},
20779
20780 { &hf_smb_device_char_remote,
20781 { "Remote", "smb.device.remote", FT_BOOLEAN, 32,
20782 TFS(&tfs_device_char_remote), 0x00000010, "Is this a remote device", HFILL }},
20783
20784 { &hf_smb_device_char_mounted,
20785 { "Mounted", "smb.device.mounted", FT_BOOLEAN, 32,
20786 TFS(&tfs_device_char_mounted), 0x00000020, "Is this a mounted device", HFILL }},
20787
20788 { &hf_smb_device_char_virtual,
20789 { "Virtual", "smb.device.virtual", FT_BOOLEAN, 32,
20790 TFS(&tfs_device_char_virtual), 0x00000040, "Is this a virtual device", HFILL }},
20791
20792 { &hf_smb_device_char_secure_open,
20793 { "Secure Open", "smb.device.secure_open", FT_BOOLEAN, 32,
20794 TFS(&tfs_device_char_secure_open), 0x00000100, "Is this a secure open device", HFILL }},
20795
20796 { &hf_smb_device_char_ts,
20797 { "Terminal Services", "smb.device.ts", FT_BOOLEAN, 32,
20798 TFS(&tfs_device_char_ts), 0x00001000, "Is this a terminal services device", HFILL }},
20799
20800 { &hf_smb_device_char_webdav,
20801 { "Webdav", "smb.device.webdav", FT_BOOLEAN, 32,
20802 TFS(&tfs_device_char_webdav), 0x00002000, "Is this a WEBDAV device", HFILL }},
20803
20804 { &hf_smb_device_char_aat,
20805 { "Allow Appcontainer Traversal", "smb.device.aat", FT_BOOLEAN, 32,
20806 TFS(&tfs_device_char_aat), 0x00020000, "Does this device allow appcontainer traversal", HFILL }},
20807
20808 { &hf_smb_device_char_portable,
20809 { "Portable", "smb.device.portable", FT_BOOLEAN, 32,
20810 TFS(&tfs_device_char_portable), 0x00004000, "Is this a portable device", HFILL }},
20811
20812 { &hf_smb_fs_attr,
20813 { "FS Attributes", "smb.fs_attr", FT_UINT32, BASE_HEX,
20814 NULL, 0x0, NULL, HFILL }},
20815
20816 { &hf_smb_fs_attr_css,
20817 { "Case Sensitive Search", "smb.fs_attr.css", FT_BOOLEAN, 32,
20818 TFS(&tfs_fs_attr_css), 0x00000001, "Does this FS support Case Sensitive Search?", HFILL }},
20819
20820 { &hf_smb_fs_attr_cpn,
20821 { "Case Preserving", "smb.fs_attr.cpn", FT_BOOLEAN, 32,
20822 TFS(&tfs_fs_attr_cpn), 0x00000002, "Will this FS Preserve Name Case?", HFILL }},
20823
20824 { &hf_smb_fs_attr_uod,
20825 { "Unicode On Disk", "smb.fs_attr.uod", FT_BOOLEAN, 32,
20826 TFS(&tfs_fs_attr_uod), 0x00000004, "Does this FS support Unicode On Disk?", HFILL }},
20827
20828 { &hf_smb_fs_attr_pacls,
20829 { "Persistent ACLs", "smb.fs_attr.pacls", FT_BOOLEAN, 32,
20830 TFS(&tfs_fs_attr_pacls), 0x00000008, "Does this FS support Persistent ACLs?", HFILL }},
20831
20832 { &hf_smb_fs_attr_fc,
20833 { "Compression", "smb.fs_attr.fc", FT_BOOLEAN, 32,
20834 TFS(&tfs_fs_attr_fc), 0x00000010, "Does this FS support File Compression?", HFILL }},
20835
20836 { &hf_smb_fs_attr_vq,
20837 { "Volume Quotas", "smb.fs_attr.vq", FT_BOOLEAN, 32,
20838 TFS(&tfs_fs_attr_vq), 0x00000020, "Does this FS support Volume Quotas?", HFILL }},
20839
20840 { &hf_smb_fs_attr_ssf,
20841 { "Sparse Files", "smb.fs_attr.ssf", FT_BOOLEAN, 32,
20842 TFS(&tfs_fs_attr_ssf), 0x00000040, "Does this FS support SPARSE FILES?", HFILL }},
20843
20844 { &hf_smb_fs_attr_srp,
20845 { "Reparse Points", "smb.fs_attr.srp", FT_BOOLEAN, 32,
20846 TFS(&tfs_fs_attr_srp), 0x00000080, "Does this FS support REPARSE POINTS?", HFILL }},
20847
20848 { &hf_smb_fs_attr_srs,
20849 { "Remote Storage", "smb.fs_attr.srs", FT_BOOLEAN, 32,
20850 TFS(&tfs_fs_attr_srs), 0x00000100, "Does this FS support REMOTE STORAGE?", HFILL }},
20851
20852 { &hf_smb_fs_attr_sla,
20853 { "LFN APIs", "smb.fs_attr.sla", FT_BOOLEAN, 32,
20854 TFS(&tfs_fs_attr_sla), 0x00004000, "Does this FS support LFN APIs?", HFILL }},
20855
20856 { &hf_smb_fs_attr_vic,
20857 { "Volume Is Compressed", "smb.fs_attr.vis", FT_BOOLEAN, 32,
20858 TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS on a compressed volume?", HFILL }},
20859
20860 { &hf_smb_fs_attr_soids,
20861 { "Supports OIDs", "smb.fs_attr.soids", FT_BOOLEAN, 32,
20862 TFS(&tfs_fs_attr_soids), 0x00010000, "Does this FS support OIDs?", HFILL }},
20863
20864 { &hf_smb_fs_attr_se,
20865 { "Supports Encryption", "smb.fs_attr.se", FT_BOOLEAN, 32,
20866 TFS(&tfs_fs_attr_se), 0x00020000, "Does this FS support encryption?", HFILL }},
20867
20868 { &hf_smb_fs_attr_ns,
20869 { "Named Streams", "smb.fs_attr.ns", FT_BOOLEAN, 32,
20870 TFS(&tfs_fs_attr_ns), 0x00040000, "Does this FS support named streams?", HFILL }},
20871
20872 { &hf_smb_fs_attr_rov,
20873 { "Read Only Volume", "smb.fs_attr.rov", FT_BOOLEAN, 32,
20874 TFS(&tfs_fs_attr_rov), 0x00080000, "Is this FS on a read only volume?", HFILL }},
20875
20876 { &hf_smb_fs_attr_swo,
20877 { "Sequential Write Once", "smb.fs_attr.swo", FT_BOOLEAN, 32,
20878 TFS(&tfs_fs_attr_swo), 0x00100000, "Is this FS on a sequential write once volume?", HFILL }},
20879
20880 { &hf_smb_fs_attr_st,
20881 { "Transactions", "smb.fs_attr.st", FT_BOOLEAN, 32,
20882 TFS(&tfs_fs_attr_st), 0x00200000, "Does this FS support transactions?", HFILL }},
20883
20884 { &hf_smb_fs_attr_shl,
20885 { "Hard Links", "smb.fs_attr.shl", FT_BOOLEAN, 32,
20886 TFS(&tfs_fs_attr_shl), 0x00400000, "Does this FS support hard links?", HFILL }},
20887
20888 { &hf_smb_fs_attr_sis,
20889 { "Integrity Streams", "smb.fs_attr.sis", FT_BOOLEAN, 32,
20890 TFS(&tfs_fs_attr_sis), 0x04000000, "Does this FS support integrity streams?", HFILL }},
20891
20892 { &hf_smb_fs_attr_sbr,
20893 { "Block Refcounting", "smb.fs_attr.sbr", FT_BOOLEAN, 32,
20894 TFS(&tfs_fs_attr_sbr), 0x08000000, "Does this FS support block refcounting?", HFILL }},
20895
20896 { &hf_smb_fs_attr_ssv,
20897 { "Sparse VDL", "smb.fs_attr.ssv", FT_BOOLEAN, 32,
20898 TFS(&tfs_fs_attr_ssv), 0x10000000, "Does this FS support sparse VDL?", HFILL }},
20899
20900 { &hf_smb_user_quota_change_time,
20901 { "Change Time", "smb.quota.user.change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
20902 NULL, 0x0, "The last time the quota was changed", HFILL }},
20903
20904 { &hf_smb_length_of_sid,
20905 { "Length of SID", "smb.length_of_sid", FT_UINT32, BASE_DEC,
20906 NULL, 0x0, NULL, HFILL }},
20907
20908 { &hf_smb_user_quota_offset,
20909 { "Next Offset", "smb.quota.user.offset", FT_UINT32, BASE_DEC,
20910 NULL, 0, "Relative offset to next user quota structure", HFILL }},
20911
20912 { &hf_smb_pipe_write_len,
20913 { "Pipe Write Len", "smb.pipe.write_len", FT_UINT16, BASE_DEC,
20914 NULL, 0, "Number of bytes written to pipe", HFILL }},
20915
20916 { &hf_smb_quota_flags_deny_disk,
20917 { "Deny Disk", "smb.quota.flags.deny_disk", FT_BOOLEAN, 8,
20918 TFS(&tfs_quota_flags_deny_disk), 0x02, "Is the default quota limit enforced?", HFILL }},
20919
20920 { &hf_smb_quota_flags_log_limit,
20921 { "Log Limit", "smb.quota.flags.log_limit", FT_BOOLEAN, 8,
20922 TFS(&tfs_quota_flags_log_limit), 0x20, "Should the server log an event when the limit is exceeded?", HFILL }},
20923
20924 { &hf_smb_quota_flags_log_warning,
20925 { "Log Warning", "smb.quota.flags.log_warning", FT_BOOLEAN, 8,
20926 TFS(&tfs_quota_flags_log_warning), 0x10, "Should the server log an event when the warning level is exceeded?", HFILL }},
20927
20928 { &hf_smb_quota_flags,
20929 { "Quota Flags", "smb.quota.flags", FT_UINT8, BASE_HEX,
20930 NULL, 0x0, NULL, HFILL }},
20931
20932 { &hf_smb_quota_flags_enabled,
20933 { "Enabled", "smb.quota.flags.enabled", FT_BOOLEAN, 8,
20934 TFS(&tfs_quota_flags_enabled), 0x01, "Is quotas enabled of this FS?", HFILL }},
20935
20936 { &hf_smb_segment_overlap,
20937 { "Fragment overlap", "smb.segment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
20938 "Fragment overlaps with other fragments", HFILL }},
20939
20940 { &hf_smb_segment_overlap_conflict,
20941 { "Conflicting data in fragment overlap", "smb.segment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
20942 "Overlapping fragments contained conflicting data", HFILL }},
20943
20944 { &hf_smb_segment_multiple_tails,
20945 { "Multiple tail fragments found", "smb.segment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
20946 "Several tails were found when defragmenting the packet", HFILL }},
20947
20948 { &hf_smb_segment_too_long_fragment,
20949 { "Fragment too long", "smb.segment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
20950 "Fragment contained data past end of packet", HFILL }},
20951
20952 { &hf_smb_segment_error,
20953 { "Defragmentation error", "smb.segment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
20954 "Defragmentation error due to illegal fragments", HFILL }},
20955
20956 { &hf_smb_segment_count,
20957 { "Fragment count", "smb.fragment.count", FT_UINT32, BASE_DEC, NULL, 0x0,
20958 NULL, HFILL }},
20959
20960 { &hf_smb_reassembled_length,
20961 { "Reassembled SMB length", "smb.reassembled.length", FT_UINT32, BASE_DEC, NULL, 0x0,
20962 "The total length of the reassembled payload", HFILL }},
20963
20964 { &hf_smb_opened_in,
20965 { "Opened in", "smb.fid.opened_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
20966 "The frame this fid was opened", HFILL }},
20967
20968 { &hf_smb_closed_in,
20969 { "Closed in", "smb.fid.closed_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
20970 "The frame this fid was closed", HFILL }},
20971
20972 { &hf_smb_mapped_in,
20973 { "Mapped in", "smb.fid.mapped_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
20974 "The frame this share was mapped", HFILL }},
20975
20976 { &hf_smb_unmapped_in,
20977 { "Unmapped in", "smb.fid.unmapped_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
20978 "The frame this share was unmapped", HFILL }},
20979
20980 { &hf_smb_segment,
20981 { "SMB Segment", "smb.segment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
20982 NULL, HFILL }},
20983
20984 { &hf_smb_segments,
20985 { "SMB Segments", "smb.segment.segments", FT_NONE, BASE_NONE, NULL, 0x0,
20986 NULL, HFILL }},
20987
20988 { &hf_smb_unix_major_version,
20989 { "Major Version", "smb.unix.major_version", FT_UINT16, BASE_DEC,
20990 NULL, 0, "UNIX Major Version", HFILL }},
20991
20992 { &hf_smb_unix_minor_version,
20993 { "Minor Version", "smb.unix.minor_version", FT_UINT16, BASE_DEC,
20994 NULL, 0, "UNIX Minor Version", HFILL }},
20995
20996 { &hf_smb_unix_capability,
20997 { "Capabilities", "smb.unix.capability", FT_UINT64, BASE_HEX,
20998 NULL, 0x0, NULL, HFILL }},
20999
21000 { &hf_smb_unix_capability_fcntl,
21001 { "FCNTL Capability", "smb.unix.capability.fcntl", FT_BOOLEAN, 32,
21002 TFS(&tfs_set_notset), 0x00000001, NULL, HFILL }},
21003
21004 { &hf_smb_unix_capability_posix_acl,
21005 { "POSIX ACL Capability", "smb.unix.capability.posix_acl", FT_BOOLEAN, 32,
21006 TFS(&tfs_set_notset), 0x00000002, NULL, HFILL }},
21007
21008 { &hf_smb_unix_capability_xattr,
21009 { "EA Capability", "smb.unix.capability.ea", FT_BOOLEAN, 32,
21010 TFS(&tfs_set_notset), 0x00000004, NULL, HFILL }},
21011
21012 { &hf_smb_unix_capability_attr,
21013 { "Additional Attributes Capability", "smb.unix.capability.attr", FT_BOOLEAN, 32,
21014 TFS(&tfs_set_notset), 0x00000008, NULL, HFILL }},
21015
21016 { &hf_smb_unix_capability_posix_paths,
21017 { "POSIX Pathnames Capability", "smb.unix.capability.posix_paths", FT_BOOLEAN, 32,
21018 TFS(&tfs_set_notset), 0x00000010, NULL, HFILL }},
21019
21020 { &hf_smb_unix_capability_posix_path_ops,
21021 { "POSIX Path Operations Capability", "smb.unix.capability.posix_path_ops", FT_BOOLEAN, 32,
21022 TFS(&tfs_set_notset), 0x00000020, NULL, HFILL }},
21023
21024 { &hf_smb_unix_capability_large_read,
21025 { "Large Read Capability", "smb.unix.capability.large_read", FT_BOOLEAN, 32,
21026 TFS(&tfs_set_notset), 0x00000040, NULL, HFILL }},
21027
21028 { &hf_smb_unix_capability_large_write,
21029 { "Large Write Capability", "smb.unix.capability.large_write", FT_BOOLEAN, 32,
21030 TFS(&tfs_set_notset), 0x00000080, NULL, HFILL }},
21031
21032 { &hf_smb_unix_capability_encryption,
21033 { "Encryption Capability", "smb.unix.capability.encryption", FT_BOOLEAN, 32,
21034 TFS(&tfs_set_notset), 0x00000100, NULL, HFILL }},
21035
21036 { &hf_smb_unix_capability_mandatory_crypto,
21037 { "Mandatory Encryption Capability", "smb.unix.capability.mandatory_crypto", FT_BOOLEAN, 32,
21038 TFS(&tfs_set_notset), 0x00000200, NULL, HFILL }},
21039
21040 { &hf_smb_unix_capability_proxy,
21041 { "Proxy Capability", "smb.unix.capability.proxy", FT_BOOLEAN, 32,
21042 TFS(&tfs_set_notset), 0x00000400, NULL, HFILL }},
21043
21044 { &hf_smb_file_access_mask_read_data,
21045 { "Read Data", "smb.file.accessmask.read_data", FT_BOOLEAN, 32,
21046 TFS(&tfs_set_notset), 0x00000001, NULL, HFILL }},
21047
21048 { &hf_smb_file_access_mask_write_data,
21049 { "Write Data", "smb.file.accessmask.write_data", FT_BOOLEAN, 32,
21050 TFS(&tfs_set_notset), 0x00000002, NULL, HFILL }},
21051
21052 { &hf_smb_file_access_mask_append_data,
21053 { "Append Data", "smb.file.accessmask.append_data", FT_BOOLEAN, 32,
21054 TFS(&tfs_set_notset), 0x00000004, NULL, HFILL }},
21055
21056 { &hf_smb_file_access_mask_read_ea,
21057 { "Read EA", "smb.file.accessmask.read_ea", FT_BOOLEAN, 32,
21058 TFS(&tfs_set_notset), 0x00000008, NULL, HFILL }},
21059
21060 { &hf_smb_file_access_mask_write_ea,
21061 { "Write EA", "smb.file.accessmask.write_ea", FT_BOOLEAN, 32,
21062 TFS(&tfs_set_notset), 0x00000010, NULL, HFILL }},
21063
21064 { &hf_smb_file_access_mask_execute,
21065 { "Execute", "smb.file.accessmask.execute", FT_BOOLEAN, 32,
21066 TFS(&tfs_set_notset), 0x00000020, NULL, HFILL }},
21067
21068 { &hf_smb_file_access_mask_read_attribute,
21069 { "Read Attribute", "smb.file.accessmask.read_attribute", FT_BOOLEAN, 32,
21070 TFS(&tfs_set_notset), 0x00000080, NULL, HFILL }},
21071
21072 { &hf_smb_file_access_mask_write_attribute,
21073 { "Write Attribute", "smb.file.accessmask.write_attribute", FT_BOOLEAN, 32,
21074 TFS(&tfs_set_notset), 0x00000100, NULL, HFILL }},
21075
21076 { &hf_smb_dir_access_mask_list,
21077 { "List", "smb.dir.accessmask.list", FT_BOOLEAN, 32,
21078 TFS(&tfs_set_notset), 0x00000001, NULL, HFILL }},
21079
21080 { &hf_smb_dir_access_mask_add_file,
21081 { "Add File", "smb.dir.accessmask.add_file", FT_BOOLEAN, 32,
21082 TFS(&tfs_set_notset), 0x00000002, NULL, HFILL }},
21083
21084 { &hf_smb_dir_access_mask_add_subdir,
21085 { "Add Subdir", "smb.dir.accessmask.add_subdir", FT_BOOLEAN, 32,
21086 TFS(&tfs_set_notset), 0x00000004, NULL, HFILL }},
21087
21088 { &hf_smb_dir_access_mask_read_ea,
21089 { "Read EA", "smb.dir.accessmask.read_ea", FT_BOOLEAN, 32,
21090 TFS(&tfs_set_notset), 0x00000008, NULL, HFILL }},
21091
21092 { &hf_smb_dir_access_mask_write_ea,
21093 { "Write EA", "smb.dir.accessmask.write_ea", FT_BOOLEAN, 32,
21094 TFS(&tfs_set_notset), 0x00000010, NULL, HFILL }},
21095
21096 { &hf_smb_dir_access_mask_traverse,
21097 { "Traverse", "smb.dir.accessmask.traverse", FT_BOOLEAN, 32,
21098 TFS(&tfs_set_notset), 0x00000020, NULL, HFILL }},
21099
21100 { &hf_smb_dir_access_mask_delete_child,
21101 { "Delete Child", "smb.dir.accessmask.delete_child", FT_BOOLEAN, 32,
21102 TFS(&tfs_set_notset), 0x00000040, NULL, HFILL }},
21103
21104 { &hf_smb_dir_access_mask_read_attribute,
21105 { "Read Attribute", "smb.dir.accessmask.read_attribute", FT_BOOLEAN, 32,
21106 TFS(&tfs_set_notset), 0x00000080, NULL, HFILL }},
21107
21108 { &hf_smb_dir_access_mask_write_attribute,
21109 { "Write Attribute", "smb.dir.accessmask.write_attribute", FT_BOOLEAN, 32,
21110 TFS(&tfs_set_notset), 0x00000100, NULL, HFILL }},
21111
21112 { &hf_smb_unix_file_link_dest,
21113 { "Link destination", "smb.unix.file.link_dest", FT_STRING,
21114 BASE_NONE, NULL, 0, NULL, HFILL }},
21115
21116 { &hf_smb_unix_file_size,
21117 { "File size", "smb.unix.file.size", FT_UINT64, BASE_DEC,
21118 NULL, 0, NULL, HFILL }},
21119
21120 { &hf_smb_unix_file_num_bytes,
21121 { "Number of bytes", "smb.unix.file.num_bytes", FT_UINT64, BASE_DEC,
21122 NULL, 0, "Number of bytes used to store the file", HFILL }},
21123
21124 { &hf_smb_unix_file_last_status,
21125 { "Last status change", "smb.unix.file.stime", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
21126 NULL, 0, NULL, HFILL }},
21127
21128 { &hf_smb_unix_file_last_access,
21129 { "Last access", "smb.unix.file.atime", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
21130 NULL, 0, NULL, HFILL }},
21131
21132 { &hf_smb_unix_file_last_change,
21133 { "Last modification", "smb.unix.file.mtime", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
21134 NULL, 0, NULL, HFILL }},
21135
21136 { &hf_smb_unix_file_creation_time,
21137 { "Creation time", "smb.unix.file.crtime", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
21138 NULL, 0, NULL, HFILL }},
21139
21140 { &hf_smb_unix_file_uid,
21141 { "UID", "smb.unix.file.uid", FT_UINT64, BASE_DEC,
21142 NULL, 0, NULL, HFILL }},
21143
21144 { &hf_smb_unix_file_gid,
21145 { "GID", "smb.unix.file.gid", FT_UINT64, BASE_DEC,
21146 NULL, 0, NULL, HFILL }},
21147
21148 { &hf_smb_unix_file_type,
21149 { "File type", "smb.unix.file.file_type", FT_UINT32, BASE_DEC,
21150 VALS(unix_file_type_vals), 0, NULL, HFILL }},
21151
21152 { &hf_smb_unix_file_dev_major,
21153 { "Major device", "smb.unix.file.dev_major", FT_UINT64, BASE_HEX,
21154 NULL, 0, NULL, HFILL }},
21155
21156 { &hf_smb_unix_file_dev_minor,
21157 { "Minor device", "smb.unix.file.dev_minor", FT_UINT64, BASE_HEX,
21158 NULL, 0, NULL, HFILL }},
21159
21160 { &hf_smb_unix_file_unique_id,
21161 { "Unique ID", "smb.unix.file.unique_id", FT_UINT64, BASE_HEX,
21162 NULL, 0, NULL, HFILL }},
21163
21164 { &hf_smb_unix_file_permissions,
21165 { "File permissions", "smb.unix.file.perms", FT_UINT64, BASE_HEX,
21166 NULL, 0, NULL, HFILL }},
21167
21168 { &hf_smb_unix_file_nlinks,
21169 { "Num links", "smb.unix.file.num_links", FT_UINT64, BASE_DEC,
21170 NULL, 0, NULL, HFILL }},
21171
21172 { &hf_smb_unix_info2_file_flags,
21173 { "Flags", "smb.unix_info2.file.flags", FT_UINT32, BASE_HEX,
21174 NULL, 0, NULL, HFILL }},
21175
21176 { &hf_smb_unix_info2_file_flags_mask,
21177 { "Flags mask", "smb.unix_info2.file.flags_mask", FT_UINT32, BASE_HEX,
21178 NULL, 0, NULL, HFILL }},
21179
21180 { &hf_smb_unix_info2_file_flags_secure_delete,
21181 { "Secure delete", "smb.unix_info2.file.flags.secure_delete", FT_BOOLEAN, 32,
21182 NULL, 0x00000001, NULL, HFILL }},
21183
21184 { &hf_smb_unix_info2_file_flags_enable_undelete,
21185 { "Enable undelete", "smb.unix_info2.file.flags.enable_undelete", FT_BOOLEAN, 32,
21186 NULL, 0x00000002, NULL, HFILL }},
21187
21188 { &hf_smb_unix_info2_file_flags_synchronous,
21189 { "Synchronous", "smb.unix_info2.file.flags.synchronous", FT_BOOLEAN, 32,
21190 NULL, 0x00000004, NULL, HFILL }},
21191
21192 { &hf_smb_unix_info2_file_flags_immutable,
21193 { "Immutable", "smb.unix_info2.file.flags.immutable", FT_BOOLEAN, 32,
21194 NULL, 0x00000008, NULL, HFILL }},
21195
21196 { &hf_smb_unix_info2_file_flags_append_only,
21197 { "Append-only", "smb.unix_info2.file.flags.append_only", FT_BOOLEAN, 32,
21198 NULL, 0x00000010, NULL, HFILL }},
21199
21200 { &hf_smb_unix_info2_file_flags_do_not_backup,
21201 { "Do not backup", "smb.unix_info2.file.flags.do_not_backup", FT_BOOLEAN, 32,
21202 NULL, 0x00000020, NULL, HFILL }},
21203
21204 { &hf_smb_unix_info2_file_flags_no_update_atime,
21205 { "Don't update atime", "smb.unix_info2.file.flags.no_update_atime", FT_BOOLEAN, 32,
21206 NULL, 0x00000040, NULL, HFILL }},
21207
21208 { &hf_smb_unix_info2_file_flags_hidden,
21209 { "Hidden", "smb.unix_info2.file.flags.hidden", FT_BOOLEAN, 32,
21210 NULL, 0x00000080, NULL, HFILL }},
21211
21212 { &hf_smb_unix_file_name_length,
21213 { "File name length", "smb.unix.file.name_length", FT_UINT32, BASE_DEC,
21214 NULL, 0, NULL, HFILL }},
21215
21216 { &hf_smb_unix_file_name,
21217 { "File name", "smb.unix.file.name", FT_STRING,
21218 BASE_NONE, NULL, 0, NULL, HFILL }},
21219
21220 { &hf_smb_unix_find_file_nextoffset,
21221 { "Next entry offset", "smb.unix.find_file.next_offset", FT_UINT32, BASE_DEC,
21222 NULL, 0, NULL, HFILL }},
21223
21224 { &hf_smb_unix_find_file_resumekey,
21225 { "Resume key", "smb.unix.find_file.resume_key", FT_UINT32, BASE_DEC,
21226 NULL, 0, NULL, HFILL }},
21227
21228 { &hf_smb_unix_whoami_mapflags,
21229 { "UNIX whoami mapping flags", "smb.unix.whoami.mapflags", FT_UINT32, BASE_DEC,
21230 NULL, 0, NULL, HFILL }},
21231
21232 { &hf_smb_unix_whoami_mapflags_mask,
21233 { "UNIX whoami mapping flags mask", "smb.unix.whoami.mapflags_mask", FT_UINT32, BASE_DEC,
21234 NULL, 0, NULL, HFILL }},
21235
21236 { &hf_smb_unix_whoami_num_supl_gids,
21237 { "Number of supplementary UNIX GIDs", "smb.unix.whoami.num_gids", FT_UINT32, BASE_DEC,
21238 NULL, 0, NULL, HFILL }},
21239
21240 { &hf_smb_unix_whoami_num_supl_sids,
21241 { "Number of supplementary SIDs", "smb.unix.whoami.num_sids", FT_UINT32, BASE_DEC,
21242 NULL, 0, NULL, HFILL }},
21243
21244 { &hf_smb_unix_whoami_sids_buflen,
21245 { "Supplementary SIDs buffer length", "smb.unix.whoami.sids_buflen", FT_UINT32, BASE_DEC,
21246 NULL, 0, NULL, HFILL }},
21247
21248 { &hf_smb_create_flags,
21249 { "Create Flags", "smb.create_flags", FT_UINT32, BASE_HEX,
21250 NULL, 0, NULL, HFILL }},
21251
21252 { &hf_smb_create_options,
21253 { "Create Options", "smb.create_options", FT_UINT32, BASE_HEX,
21254 NULL, 0, NULL, HFILL }},
21255
21256 { &hf_smb_share_access,
21257 { "Share Access", "smb.share_access", FT_UINT32, BASE_HEX,
21258 NULL, 0, NULL, HFILL }},
21259
21260 { &hf_smb_access_mask,
21261 { "Access Mask", "smb.access_mask", FT_UINT32, BASE_HEX,
21262 NULL, 0, NULL, HFILL }},
21263
21264 { &hf_smb_mode,
21265 { "Mode", "smb.mode", FT_UINT32, BASE_HEX,
21266 NULL, 0, NULL, HFILL }},
21267
21268 { &hf_smb_attribute,
21269 { "Attribute", "smb.attribute", FT_UINT32, BASE_HEX,
21270 NULL, 0, NULL, HFILL }},
21271
21272 { &hf_smb_reparse_tag,
21273 { "Reparse Tag", "smb.reparse_tag", FT_UINT32, BASE_HEX,
21274 NULL, 0, NULL, HFILL }},
21275
21276 { &hf_smb_disposition_delete_on_close,
21277 { "Delete on close", "smb.disposition.delete_on_close", FT_BOOLEAN, 8,
21278 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }},
21279
21280 { &hf_smb_pipe_info_flag,
21281 { "Pipe Info", "smb.pipe_info_flag", FT_BOOLEAN, 8,
21282 TFS(&tfs_pipe_info_flag), 0x01, NULL, HFILL }},
21283
21284 { &hf_smb_logged_in,
21285 { "Logged In", "smb.logged_in", FT_FRAMENUM, BASE_NONE,
21286 NULL, 0, NULL, HFILL }},
21287
21288 { &hf_smb_logged_out,
21289 { "Logged Out", "smb.logged_out", FT_FRAMENUM, BASE_NONE,
21290 NULL, 0, NULL, HFILL }},
21291
21292 { &hf_smb_file_rw_offset,
21293 { "File Offset", "smb.file.rw.offset", FT_UINT64, BASE_DEC,
21294 NULL, 0, NULL, HFILL }},
21295
21296 { &hf_smb_file_rw_length,
21297 { "File RW Length", "smb.file.rw.length", FT_UINT32, BASE_DEC,
21298 NULL, 0, NULL, HFILL }},
21299
21300 { &hf_smb_posix_acl_version,
21301 { "Posix ACL version", "smb.posix_acl.version", FT_UINT16, BASE_DEC,
21302 NULL, 0, NULL, HFILL }},
21303
21304 { &hf_smb_posix_num_file_aces,
21305 { "Number of file ACEs", "smb.posix_acl.num_file_aces", FT_UINT16, BASE_DEC,
21306 NULL, 0, NULL, HFILL }},
21307
21308 { &hf_smb_posix_num_def_aces,
21309 { "Number of default ACEs", "smb.posix_acl.num_def_aces", FT_UINT16, BASE_DEC,
21310 NULL, 0, NULL, HFILL }},
21311
21312 { &hf_smb_posix_ace_type,
21313 { "ACE Type", "smb.posix_acl.ace_type", FT_UINT8, BASE_DEC,
21314 VALS(ace_type_vals), 0, NULL, HFILL }},
21315
21316 { &hf_smb_posix_ace_flags,
21317 { "Permissions", "smb.posix_acl.ace_perms", FT_UINT8, BASE_HEX,
21318 NULL, 0, NULL, HFILL }},
21319
21320 { &hf_smb_posix_ace_perm_read,
21321 {"READ", "smb.posix_acl.ace_perms.read", FT_BOOLEAN, 8,
21322 NULL, 0x04, NULL, HFILL}},
21323
21324 { &hf_smb_posix_ace_perm_write,
21325 {"WRITE", "smb.posix_acl.ace_perms.write", FT_BOOLEAN, 8,
21326 NULL, 0x02, NULL, HFILL}},
21327
21328 { &hf_smb_posix_ace_perm_execute,
21329 {"EXECUTE", "smb.posix_acl.ace_perms.execute", FT_BOOLEAN, 8,
21330 NULL, 0x01, NULL, HFILL}},
21331
21332 { &hf_smb_posix_ace_perm_owner_uid,
21333 { "Owner UID", "smb.posix_acl.ace_perms.owner_uid", FT_UINT32, BASE_DEC,
21334 NULL, 0, NULL, HFILL }},
21335
21336 { &hf_smb_posix_ace_perm_owner_gid,
21337 { "Owner GID", "smb.posix_acl.ace_perms.owner_gid", FT_UINT32, BASE_DEC,
21338 NULL, 0, NULL, HFILL }},
21339
21340 { &hf_smb_posix_ace_perm_uid,
21341 { "UID", "smb.posix_acl.ace_perms.uid", FT_UINT32, BASE_DEC,
21342 NULL, 0, NULL, HFILL }},
21343
21344 { &hf_smb_posix_ace_perm_gid,
21345 { "GID", "smb.posix_acl.ace_perms.gid", FT_UINT32, BASE_DEC,
21346 NULL, 0, NULL, HFILL }},
21347
21348 { &hf_smb_trans_data_setup_word,
21349 { "Setup Word", "smb.trans_data.setup_word", FT_UINT16, BASE_HEX,
21350 NULL, 0x0, NULL, HFILL }},
21351
21352 { &hf_smb_trans_data_parameters,
21353 { "Parameters", "smb.trans_data.parameters", FT_BYTES, BASE_NONE,
21354 NULL, 0x0, NULL, HFILL }},
21355
21356 { &hf_smb_trans_data,
21357 { "Data", "smb.trans_data", FT_BYTES, BASE_NONE,
21358 NULL, 0x0, NULL, HFILL }},
21359
21360 { &hf_smb_extra_byte_parameters,
21361 { "Extra byte parameters", "smb.extra_byte_parameters", FT_BYTES, BASE_NONE,
21362 NULL, 0x0, NULL, HFILL }},
21363
21364 { &hf_smb_file_access_mask_full_control,
21365 { "FULL CONTROL", "smb.file.accessmask.full_control", FT_UINT32, BASE_HEX,
21366 NULL, 0x000001ff, NULL, HFILL }},
21367
21368 { &hf_smb_dir_access_mask_full_control,
21369 { "FULL CONTROL", "smb.dir.accessmask.full_control", FT_UINT32, BASE_HEX,
21370 NULL, 0x000001ff, NULL, HFILL }},
21371
21372 { &hf_smb_word_unk_response_format,
21373 { "Words for unknown response format", "smb.word_unk_response_format", FT_BYTES, BASE_NONE,
21374 NULL, 0x0, NULL, HFILL }},
21375
21376 { &hf_smb_nt_transaction_setup,
21377 { "NT Transaction Setup", "smb.nt_transaction_setup", FT_BYTES, BASE_NONE,
21378 NULL, 0x0, NULL, HFILL }},
21379
21380 { &hf_smb_server_component,
21381 { "Server Component", "smb.server_component", FT_UINT32, BASE_HEX,
21382 NULL, 0x0, NULL, HFILL }},
21383
21384 { &hf_smb_byte_parameters,
21385 { "Byte parameters", "smb.byte_parameters", FT_BYTES, BASE_NONE,
21386 NULL, 0x0, NULL, HFILL }},
21387
21388 { &hf_smb_word_parameters,
21389 { "Word parameters", "smb.word_parameters", FT_BYTES, BASE_NONE,
21390 NULL, 0x0, NULL, HFILL }},
21391 };
21392
21393 static int *ett[] = {
21394 &ett_smb,
21395 &ett_smb_fid,
21396 &ett_smb_tid,
21397 &ett_smb_uid,
21398 &ett_smb_hdr,
21399 &ett_smb_command,
21400 &ett_smb_fileattributes,
21401 &ett_smb_capabilities,
21402 &ett_smb_aflags,
21403 &ett_smb_dialect,
21404 &ett_smb_dialects,
21405 &ett_smb_mode,
21406 &ett_smb_rawmode,
21407 &ett_smb_flags,
21408 &ett_smb_flags2,
21409 &ett_smb_desiredaccess,
21410 &ett_smb_search,
21411 &ett_smb_file,
21412 &ett_smb_openfunction,
21413 &ett_smb_filetype,
21414 &ett_smb_openaction,
21415 &ett_smb_writemode,
21416 &ett_smb_lock_type,
21417 &ett_smb_ssetupandxaction,
21418 &ett_smb_optionsup,
21419 &ett_smb_time_date,
21420 &ett_smb_move_copy_flags,
21421 &ett_smb_file_attributes,
21422 &ett_smb_search_resume_key,
21423 &ett_smb_search_dir_info,
21424 &ett_smb_unlocks,
21425 &ett_smb_unlock,
21426 &ett_smb_locks,
21427 &ett_smb_lock,
21428 &ett_smb_open_flags,
21429 &ett_smb_ipc_state,
21430 &ett_smb_open_action,
21431 &ett_smb_setup_action,
21432 &ett_smb_connect_flags,
21433 &ett_smb_connect_support_bits,
21434 &ett_smb_nt_access_mask,
21435 &ett_smb_nt_create_bits,
21436 &ett_smb_nt_create_options,
21437 &ett_smb_nt_share_access,
21438 &ett_smb_nt_security_flags,
21439 &ett_smb_nt_trans_setup,
21440 &ett_smb_nt_trans_data,
21441 &ett_smb_nt_trans_param,
21442 &ett_smb_nt_notify_completion_filter,
21443 &ett_smb_nt_ioctl_flags,
21444 &ett_smb_security_information_mask,
21445 &ett_smb_print_queue_entry,
21446 &ett_smb_transaction_flags,
21447 &ett_smb_transaction_params,
21448 &ett_smb_find_first2_flags,
21449 #if 0
21450 &ett_smb_ioflag,
21451 #endif
21452 &ett_smb_transaction_data,
21453 &ett_smb_stream_info,
21454 &ett_smb_dfs_referrals,
21455 &ett_smb_dfs_referral,
21456 &ett_smb_dfs_referral_flags,
21457 &ett_smb_dfs_referral_expnames,
21458 &ett_smb_get_dfs_flags,
21459 &ett_smb_ff2_data,
21460 &ett_smb_device_characteristics,
21461 &ett_smb_fs_attributes,
21462 &ett_smb_segments,
21463 &ett_smb_segment,
21464 &ett_smb_quotaflags,
21465 &ett_smb_secblob,
21466 &ett_smb_mac_support_flags,
21467 &ett_smb_unicode_password,
21468 &ett_smb_ea,
21469 &ett_smb_unix_capabilities,
21470 &ett_smb_unix_whoami_gids,
21471 &ett_smb_unix_whoami_sids,
21472 &ett_smb_posix_ace,
21473 &ett_smb_posix_ace_perms,
21474 &ett_smb_info2_file_flags
21475 };
21476
21477 static ei_register_info ei[] = {
21478 { &ei_smb_missing_word_parameters, {"smb.missing_word_parameters", PI_MALFORMED, PI_ERROR, "The word parameters are missing, so the byte parameters cannot be dissected.", EXPFILL }},
21479 { &ei_smb_mal_information_level, { "smb.information_level.malformed", PI_MALFORMED, PI_ERROR, "Information level structure goes past the end of the transaction data.", EXPFILL }},
21480 { &ei_smb_not_implemented, { "smb.not_implemented", PI_UNDECODED, PI_WARN, "Not Implemented yet", EXPFILL }},
21481 { &ei_smb_nt_transaction_setup, { "smb.nt_transaction_setup.unknown", PI_PROTOCOL, PI_NOTE, "Unknown NT Transaction Setup (matching request not seen)", EXPFILL }},
21482 { &ei_smb_posix_ace_type, { "smb.posix_acl.ace_type.unknown", PI_PROTOCOL, PI_WARN, "Unknown posix ace type", EXPFILL }},
21483 { &ei_smb_info_level_unknown, { "smb.info_level_unknown", PI_PROTOCOL, PI_WARN, "Information level unknown", EXPFILL }},
21484 { &ei_smb_info_level_not_understood, { "smb.info_level_not_understood", PI_PROTOCOL, PI_WARN, "Information level not understood", EXPFILL }},
21485 };
21486
21487 module_t *smb_module;
21488 expert_module_t* expert_smb;
21489
21490 proto_smb = proto_register_protocol("SMB (Server Message Block Protocol)",
21491 "SMB", "smb");
21492 proto_register_subtree_array(ett, array_length(ett));
21493 proto_register_field_array(proto_smb, hf, array_length(hf));
21494 expert_smb = expert_register_protocol(proto_smb);
21495 expert_register_field_array(expert_smb, ei, array_length(ei));
21496
21497 proto_do_register_windows_common(proto_smb);
21498
21499 register_cleanup_routine(&smb_cleanup);
21500 smb_module = prefs_register_protocol(proto_smb, NULL);
21501 prefs_register_bool_preference(smb_module, "trans_reassembly",
21502 "Reassemble SMB Transaction payload",
21503 "Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs",
21504 &smb_trans_reassembly);
21505 prefs_register_bool_preference(smb_module, "dcerpc_reassembly",
21506 "Reassemble DCERPC over SMB",
21507 "Whether the dissector should reassemble DCERPC over SMB commands",
21508 &smb_dcerpc_reassembly);
21509 prefs_register_bool_preference(smb_module, "sid_name_snooping",
21510 "Snoop SID to Name mappings",
21511 "Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs",
21512 &sid_name_snooping);
21513
21514 /* For display of SIDs and RIDs in Hex option */
21515 prefs_register_bool_preference(smb_module, "sid_display_hex",
21516 "Display SIDs in Hex",
21517 "Whether the dissector should display SIDs and RIDs in hexadecimal rather than decimal",
21518 &sid_display_hex);
21519
21520 /* Will Export Object take name as fid ? */
21521 prefs_register_bool_preference(smb_module, "eosmb_take_name_as_fid",
21522 "Use the full file name as File ID when exporting an SMB object",
21523 "Whether the export object functionality will take the full path file name as file identifier",
21524 &eosmb_take_name_as_fid);
21525
21526 /*
21527 * XXX - addresses_ports_reassembly_table_functions?
21528 * Probably correct for SMB-over-NBT and SMB-over-TCP,
21529 * as stuff from two different connections should
21530 * probably not be combined, but what about other
21531 * transports for SMB, e.g. NBF or Netware?
21532 */
21533 reassembly_table_register(&smb_trans_reassembly_table,
21534 &addresses_reassembly_table_functions);
21535
21536 smb_tap = register_tap("smb");
21537
21538 smb_handle = register_dissector("smb", dissect_smb, proto_smb);
21539
21540 register_srt_table(proto_smb, NULL, 3, smbstat_packet, smbstat_init, NULL);
21541 /* Register the tap for the "Export Object" function */
21542 smb_eo_tap = register_export_object(proto_smb, smb_eo_packet, smb_eo_cleanup);
21543 }
21544
21545 void
21546 proto_reg_handoff_smb(void)
21547 {
21548 gssapi_handle = find_dissector_add_dependency("gssapi", proto_smb);
21549 ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smb);
21550
21551 heur_dissector_add("netbios", dissect_smb_heur, "SMB over Netbios", "smb_netbios", proto_smb, HEURISTIC_ENABLE);
21552 heur_dissector_add("smb_direct", dissect_smb_heur, "SMB over SMB Direct", "smb_smb_direct", proto_smb, HEURISTIC_ENABLE);
21553 heur_dissector_add("cotp", dissect_smb_heur, "SMB over COTP", "smb_cotp", proto_smb, HEURISTIC_ENABLE);
21554 heur_dissector_add("vines_spp", dissect_smb_heur, "SMB over Vines", "smb_vines", proto_smb, HEURISTIC_ENABLE);
21555
21556 dissector_add_uint("ipx.socket", IPX_SOCKET_NWLINK_SMB_SERVER, smb_handle);
21557 dissector_add_uint("ipx.socket", IPX_SOCKET_NWLINK_SMB_REDIR, smb_handle);
21558 dissector_add_uint("ipx.socket", IPX_SOCKET_NWLINK_SMB_MESSENGER, smb_handle);
21559 dissector_add_uint("spp.socket", IDP_SOCKET_SMB, smb_handle);
21560 }
21561
21562 /*
21563 * Editor modelines - https://www.wireshark.org/tools/modelines.html
21564 *
21565 * Local variables:
21566 * c-basic-offset: 8
21567 * tab-width: 8
21568 * indent-tabs-mode: t
21569 * End:
21570 *
21571 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
21572 * :indentSize=8:tabSize=8:noTabs=false:
21573 */
Metzes wireshark repo