search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
epan/dissectors/pidl/ C99 drsuapi
[wireshark-sm.git] / epan / dissectors / packet-smb2.c
blob0c4c187b8a03890ce421d7f79f2a7c75aa89b016
1 /* packet-smb2.c
2 * Routines for smb2 packet dissection
3 * Ronnie Sahlberg 2005
4 *
5 * For documentation of this protocol, see:
6 *
7 * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/
8 * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/
9 * https://gitlab.com/wireshark/wireshark/-/wikis/SMB2
10 *
11 * If you edit this file, keep the wiki updated as well.
12 *
13 * Wireshark - Network traffic analyzer
14 * By Gerald Combs <gerald@wireshark.org>
15 * Copyright 1998 Gerald Combs
16 *
17 * SPDX-License-Identifier: GPL-2.0-or-later
18 */
19
20 #define WS_LOG_DOMAIN "packet-smb2"
21 #include "config.h"
22 #include <wireshark.h>
23
24
25 #include <epan/packet.h>
26 #include <epan/exceptions.h>
27 #include <epan/prefs.h>
28 #include <epan/expert.h>
29 #include <epan/tap.h>
30 #include <epan/srt_table.h>
31 #include <epan/aftypes.h>
32 #include <epan/to_str.h>
33 #include <epan/strutil.h>
34 #include <epan/asn1.h>
35 #include <epan/reassemble.h>
36 #include <epan/uat.h>
37 #include <epan/tfs.h>
38 #include <wsutil/array.h>
39
40 #include "packet-smb2.h"
41 #include "packet-ntlmssp.h"
42 #include "packet-kerberos.h"
43 #include "packet-windows-common.h"
44 #include "packet-dcerpc-nt.h"
45
46 #include "read_keytab_file.h"
47
48 #include <wsutil/wsgcrypt.h>
49 #include <wsutil/ws_roundup.h>
50 #include <wsutil/crc32.h>
51
52
53 #ifdef _WIN32
54 #include <windows.h>
55 #else
56 /* Defined in winnt.h */
57 #define OWNER_SECURITY_INFORMATION 0x00000001
58 #define GROUP_SECURITY_INFORMATION 0x00000002
59 #define DACL_SECURITY_INFORMATION 0x00000004
60 #define SACL_SECURITY_INFORMATION 0x00000008
61 #define LABEL_SECURITY_INFORMATION 0x00000010
62 #define ATTRIBUTE_SECURITY_INFORMATION 0x00000020
63 #define SCOPE_SECURITY_INFORMATION 0x00000040
64 #define BACKUP_SECURITY_INFORMATION 0x00010000
65 #endif
66
67 #define NT_STATUS_PENDING 0x00000103
68 #define NT_STATUS_BUFFER_TOO_SMALL 0xC0000023
69 #define NT_STATUS_STOPPED_ON_SYMLINK 0x8000002D
70 #define NT_STATUS_BAD_NETWORK_NAME 0xC00000CC
71
72 void proto_register_smb2(void);
73 void proto_reg_handoff_smb2(void);
74
75 #define SMB2_NORM_HEADER 0xFE
76 #define SMB2_ENCR_HEADER 0xFD
77 #define SMB2_COMP_HEADER 0xFC
78
79 static wmem_map_t *smb2_sessions;
80
81 static const char smb_header_label[] = "SMB2 Header";
82 static const char smb_transform_header_label[] = "SMB2 Transform Header";
83 static const char smb_comp_transform_header_label[] = "SMB2 Compression Transform Header";
84 static const char smb_bad_header_label[] = "Bad SMB2 Header";
85
86 static int proto_smb2;
87 static int hf_smb2_cmd;
88 static int hf_smb2_nt_status;
89 static int hf_smb2_response_to;
90 static int hf_smb2_response_in;
91 static int hf_smb2_time;
92 static int hf_smb2_preauth_hash;
93 static int hf_smb2_header_len;
94 static int hf_smb2_msg_id;
95 static int hf_smb2_header_reserved;
96 static int hf_smb2_tid;
97 static int hf_smb2_aid;
98 static int hf_smb2_sesid;
99 static int hf_smb2_previous_sesid;
100 static int hf_smb2_flags_response;
101 static int hf_smb2_flags_async_cmd;
102 static int hf_smb2_flags_dfs_op;
103 static int hf_smb2_flags_chained;
104 static int hf_smb2_flags_signature;
105 static int hf_smb2_flags_replay_operation;
106 static int hf_smb2_flags_priority_mask;
107 static int hf_smb2_chain_offset;
108 static int hf_smb2_security_blob;
109 static int hf_smb2_ioctl_in_data;
110 static int hf_smb2_ioctl_out_data;
111 static int hf_smb2_unknown;
112 static int hf_smb2_root_directory_mbz;
113 static int hf_smb2_twrp_timestamp;
114 static int hf_smb2_mxac_timestamp;
115 static int hf_smb2_mxac_status;
116 static int hf_smb2_qfid_fid;
117 static int hf_smb2_create_timestamp;
118 static int hf_smb2_oplock;
119 static int hf_smb2_close_flags;
120 static int hf_smb2_notify_flags;
121 static int hf_smb2_last_access_timestamp;
122 static int hf_smb2_last_write_timestamp;
123 static int hf_smb2_last_change_timestamp;
124 static int hf_smb2_current_time;
125 static int hf_smb2_boot_time;
126 static int hf_smb2_filename;
127 static int hf_smb2_filename_len;
128 static int hf_smb2_replace_if;
129 static int hf_smb2_nlinks;
130 static int hf_smb2_delete_pending;
131 static int hf_smb2_is_directory;
132 static int hf_smb2_file_id;
133 static int hf_smb2_allocation_size;
134 static int hf_smb2_end_of_file;
135 static int hf_smb2_tree;
136 static int hf_smb2_find_pattern;
137 static int hf_smb2_find_info_level;
138 static int hf_smb2_find_info_blob;
139 static int hf_smb2_client_guid;
140 static int hf_smb2_server_guid;
141 static int hf_smb2_object_id;
142 static int hf_smb2_birth_volume_id;
143 static int hf_smb2_birth_object_id;
144 static int hf_smb2_domain_id;
145 static int hf_smb2_class;
146 static int hf_smb2_infolevel;
147 static int hf_smb2_infolevel_file_info;
148 static int hf_smb2_infolevel_fs_info;
149 static int hf_smb2_infolevel_sec_info;
150 static int hf_smb2_max_response_size;
151 static int hf_smb2_max_ioctl_in_size;
152 static int hf_smb2_max_ioctl_out_size;
153 static int hf_smb2_flags;
154 static int hf_smb2_required_buffer_size;
155 static int hf_smb2_getinfo_input_size;
156 static int hf_smb2_getinfo_input_offset;
157 static int hf_smb2_getsetinfo_additional;
158 static int hf_smb2_getsetinfo_additionals;
159 static int hf_smb2_getsetinfo_additional_owner;
160 static int hf_smb2_getsetinfo_additional_group;
161 static int hf_smb2_getsetinfo_additional_dacl;
162 static int hf_smb2_getsetinfo_additional_sacl;
163 static int hf_smb2_getsetinfo_additional_label;
164 static int hf_smb2_getsetinfo_additional_attribute;
165 static int hf_smb2_getsetinfo_additional_scope;
166 static int hf_smb2_getsetinfo_additional_backup;
167 static int hf_smb2_getinfo_flags;
168 static int hf_smb2_setinfo_size;
169 static int hf_smb2_setinfo_offset;
170 static int hf_smb2_setinfo_reserved;
171 static int hf_smb2_file_basic_info;
172 static int hf_smb2_file_standard_info;
173 static int hf_smb2_file_internal_info;
174 static int hf_smb2_file_ea_info;
175 static int hf_smb2_file_access_info;
176 static int hf_smb2_file_rename_info;
177 static int hf_smb2_file_link_info;
178 static int hf_smb2_file_disposition_info;
179 static int hf_smb2_file_position_info;
180 static int hf_smb2_file_full_ea_info;
181 static int hf_smb2_file_mode_info;
182 static int hf_smb2_file_alignment_info;
183 static int hf_smb2_file_all_info;
184 static int hf_smb2_file_allocation_info;
185 static int hf_smb2_file_endoffile_info;
186 static int hf_smb2_file_alternate_name_info;
187 static int hf_smb2_file_stream_info;
188 static int hf_smb2_file_pipe_info;
189 static int hf_smb2_file_compression_info;
190 static int hf_smb2_file_network_open_info;
191 static int hf_smb2_file_attribute_tag_info;
192 static int hf_smb2_file_normalized_name_info;
193 static int hf_smb2_fs_info_01;
194 static int hf_smb2_fs_info_03;
195 static int hf_smb2_fs_info_04;
196 static int hf_smb2_fs_info_05;
197 static int hf_smb2_fs_info_06;
198 static int hf_smb2_fs_info_07;
199 static int hf_smb2_fs_objectid_info;
200 static int hf_smb2_fs_posix_info;
201 static int hf_smb2_fs_posix_optimal_transfer_size;
202 static int hf_smb2_fs_posix_block_size;
203 static int hf_smb2_fs_posix_total_blocks;
204 static int hf_smb2_fs_posix_blocks_available;
205 static int hf_smb2_fs_posix_user_blocks_available;
206 static int hf_smb2_fs_posix_total_file_nodes;
207 static int hf_smb2_fs_posix_free_file_nodes;
208 static int hf_smb2_fs_posix_fs_identifier;
209 static int hf_smb2_sec_info_00;
210 static int hf_smb2_quota_info;
211 static int hf_smb2_query_quota_info;
212 static int hf_smb2_qq_single;
213 static int hf_smb2_qq_restart;
214 static int hf_smb2_qq_sidlist_len;
215 static int hf_smb2_qq_start_sid_len;
216 static int hf_smb2_qq_start_sid_offset;
217 static int hf_smb2_fid;
218 static int hf_smb2_write_length;
219 static int hf_smb2_write_data;
220 static int hf_smb2_write_flags;
221 static int hf_smb2_write_flags_write_through;
222 static int hf_smb2_write_flags_write_unbuffered;
223 static int hf_smb2_write_count;
224 static int hf_smb2_write_remaining;
225 static int hf_smb2_read_blob;
226 static int hf_smb2_read_length;
227 static int hf_smb2_read_remaining;
228 static int hf_smb2_read_padding;
229 static int hf_smb2_read_flags;
230 static int hf_smb2_read_flags_unbuffered;
231 static int hf_smb2_read_flags_compressed;
232 static int hf_smb2_file_offset;
233 static int hf_smb2_qfr_length;
234 static int hf_smb2_qfr_usage;
235 static int hf_smb2_qfr_flags;
236 static int hf_smb2_qfr_total_region_entry_count;
237 static int hf_smb2_qfr_region_entry_count;
238 static int hf_smb2_read_data;
239 static int hf_smb2_disposition_delete_on_close;
240 static int hf_smb2_create_disposition;
241 static int hf_smb2_create_chain_offset;
242 static int hf_smb2_create_chain_data;
243 static int hf_smb2_data_offset;
244 static int hf_smb2_extrainfo;
245 static int hf_smb2_create_action;
246 static int hf_smb2_create_rep_flags;
247 static int hf_smb2_create_rep_flags_reparse_point;
248 static int hf_smb2_next_offset;
249 static int hf_smb2_negotiate_context_type;
250 static int hf_smb2_negotiate_context_data_length;
251 static int hf_smb2_negotiate_context_offset;
252 static int hf_smb2_negotiate_context_reserved;
253 static int hf_smb2_negotiate_context_reserved2;
254 static int hf_smb2_negotiate_context_count;
255 static int hf_smb2_hash_alg_count;
256 static int hf_smb2_hash_algorithm;
257 static int hf_smb2_salt_length;
258 static int hf_smb2_salt;
259 static int hf_smb2_cipher_count;
260 static int hf_smb2_cipher_id;
261 static int hf_smb2_signing_alg_count;
262 static int hf_smb2_signing_alg_id;
263 static int hf_smb2_comp_alg_count;
264 static int hf_smb2_comp_alg_id;
265 static int hf_smb2_comp_alg_flags;
266 static int hf_smb2_comp_alg_flags_chained;
267 static int hf_smb2_comp_alg_flags_reserved;
268 static int hf_smb2_netname_neg_id;
269 static int hf_smb2_transport_ctx_flags;
270 static int hf_smb2_rdma_transform_count;
271 static int hf_smb2_rdma_transform_reserved1;
272 static int hf_smb2_rdma_transform_reserved2;
273 static int hf_smb2_rdma_transform_id;
274 static int hf_smb2_posix_reserved;
275 static int hf_smb2_dev;
276 static int hf_smb2_inode;
277 static int hf_smb2_ea_size;
278 static int hf_smb2_ea_flags;
279 static int hf_smb2_ea_name_len;
280 static int hf_smb2_ea_data_len;
281 static int hf_smb2_ea_name;
282 static int hf_smb2_ea_data;
283 static int hf_smb2_position_information;
284 static int hf_smb2_mode_information;
285 static int hf_smb2_mode_file_write_through;
286 static int hf_smb2_mode_file_sequential_only;
287 static int hf_smb2_mode_file_no_intermediate_buffering;
288 static int hf_smb2_mode_file_synchronous_io_alert;
289 static int hf_smb2_mode_file_synchronous_io_nonalert;
290 static int hf_smb2_mode_file_delete_on_close;
291 static int hf_smb2_alignment_information;
292 static int hf_smb2_buffer_code;
293 static int hf_smb2_buffer_code_len;
294 static int hf_smb2_buffer_code_flags_dyn;
295 static int hf_smb2_olb_offset;
296 static int hf_smb2_olb_length;
297 static int hf_smb2_tag;
298 static int hf_smb2_impersonation_level;
299 static int hf_smb2_ioctl_function;
300 static int hf_smb2_ioctl_function_device;
301 static int hf_smb2_ioctl_function_access;
302 static int hf_smb2_ioctl_function_function;
303 static int hf_smb2_fsctl_pipe_wait_timeout;
304 static int hf_smb2_fsctl_pipe_wait_name;
305
306 static int hf_smb2_fsctl_odx_token_type;
307 static int hf_smb2_fsctl_odx_token_idlen;
308 static int hf_smb2_fsctl_odx_token_idraw;
309 static int hf_smb2_fsctl_odx_token_ttl;
310 static int hf_smb2_fsctl_odx_size;
311 static int hf_smb2_fsctl_odx_flags;
312 static int hf_smb2_fsctl_odx_file_offset;
313 static int hf_smb2_fsctl_odx_copy_length;
314 static int hf_smb2_fsctl_odx_xfer_length;
315 static int hf_smb2_fsctl_odx_token_offset;
316
317 static int hf_smb2_fsctl_infoex_enable_integrity;
318 static int hf_smb2_fsctl_infoex_keep_integrity_state;
319 static int hf_smb2_fsctl_infoex_reserved;
320 static int hf_smb2_fsctl_infoex_reserved2;
321 static int hf_smb2_fsctl_infoex_flags;
322 static int hf_smb2_fsctl_infoex_version;
323
324 static int hf_smb2_fsctl_sparse_flag;
325 static int hf_smb2_fsctl_range_offset;
326 static int hf_smb2_fsctl_range_length;
327 static int hf_smb2_ioctl_function_method;
328 static int hf_smb2_ioctl_resiliency_timeout;
329 static int hf_smb2_ioctl_resiliency_reserved;
330 static int hf_smb2_ioctl_shared_virtual_disk_support;
331 static int hf_smb2_ioctl_shared_virtual_disk_handle_state;
332 static int hf_smb2_ioctl_sqos_protocol_version;
333 static int hf_smb2_ioctl_sqos_reserved;
334 static int hf_smb2_ioctl_sqos_options;
335 static int hf_smb2_ioctl_sqos_op_set_logical_flow_id;
336 static int hf_smb2_ioctl_sqos_op_set_policy;
337 static int hf_smb2_ioctl_sqos_op_probe_policy;
338 static int hf_smb2_ioctl_sqos_op_get_status;
339 static int hf_smb2_ioctl_sqos_op_update_counters;
340 static int hf_smb2_ioctl_sqos_logical_flow_id;
341 static int hf_smb2_ioctl_sqos_policy_id;
342 static int hf_smb2_ioctl_sqos_initiator_id;
343 static int hf_smb2_ioctl_sqos_limit;
344 static int hf_smb2_ioctl_sqos_reservation;
345 static int hf_smb2_ioctl_sqos_initiator_name;
346 static int hf_smb2_ioctl_sqos_initiator_node_name;
347 static int hf_smb2_ioctl_sqos_io_count_increment;
348 static int hf_smb2_ioctl_sqos_normalized_io_count_increment;
349 static int hf_smb2_ioctl_sqos_latency_increment;
350 static int hf_smb2_ioctl_sqos_lower_latency_increment;
351 static int hf_smb2_ioctl_sqos_bandwidth_limit;
352 static int hf_smb2_ioctl_sqos_kilobyte_count_increment;
353 static int hf_smb2_ioctl_sqos_time_to_live;
354 static int hf_smb2_ioctl_sqos_status;
355 static int hf_smb2_ioctl_sqos_maximum_io_rate;
356 static int hf_smb2_ioctl_sqos_minimum_io_rate;
357 static int hf_smb2_ioctl_sqos_base_io_size;
358 static int hf_smb2_ioctl_sqos_reserved2;
359 static int hf_smb2_ioctl_sqos_maximum_bandwidth;
360 static int hf_windows_sockaddr_family;
361 static int hf_windows_sockaddr_port;
362 static int hf_windows_sockaddr_in_addr;
363 static int hf_windows_sockaddr_in6_flowinfo;
364 static int hf_windows_sockaddr_in6_addr;
365 static int hf_windows_sockaddr_in6_scope_id;
366 static int hf_smb2_ioctl_network_interface_next_offset;
367 static int hf_smb2_ioctl_network_interface_index;
368 static int hf_smb2_ioctl_network_interface_reserved;
369 static int hf_smb2_ioctl_network_interface_capabilities;
370 static int hf_smb2_ioctl_network_interface_capability_rss;
371 static int hf_smb2_ioctl_network_interface_capability_rdma;
372 static int hf_smb2_ioctl_network_interface_link_speed;
373 static int hf_smb2_ioctl_enumerate_snapshots_num_snapshots;
374 static int hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned;
375 static int hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size;
376 static int hf_smb2_ioctl_enumerate_snapshots_snapshot;
377 static int hf_smb2_ioctl_get_ntfs_volume_data_volume_serial;
378 static int hf_smb2_ioctl_get_ntfs_volume_data_num_sectors;
379 static int hf_smb2_ioctl_get_ntfs_volume_data_total_clusters;
380 static int hf_smb2_ioctl_get_ntfs_volume_data_free_clusters;
381 static int hf_smb2_ioctl_get_ntfs_volume_data_total_reserved;
382 static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector;
383 static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster;
384 static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment;
385 static int hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment;
386 static int hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length;
387 static int hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn;
388 static int hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn;
389 static int hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start;
390 static int hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end;
391 static int hf_smb2_compression_format;
392 static int hf_smb2_checksum_algorithm;
393 static int hf_smb2_integrity_reserved;
394 static int hf_smb2_integrity_flags;
395 static int hf_smb2_integrity_flags_enforcement_off;
396 static int hf_smb2_FILE_OBJECTID_BUFFER;
397 static int hf_smb2_lease_key;
398 static int hf_smb2_lease_state;
399 static int hf_smb2_lease_state_read_caching;
400 static int hf_smb2_lease_state_handle_caching;
401 static int hf_smb2_lease_state_write_caching;
402 static int hf_smb2_lease_flags;
403 static int hf_smb2_lease_flags_break_ack_required;
404 static int hf_smb2_lease_flags_parent_lease_key_set;
405 static int hf_smb2_lease_flags_break_in_progress;
406 static int hf_smb2_lease_duration;
407 static int hf_smb2_parent_lease_key;
408 static int hf_smb2_lease_epoch;
409 static int hf_smb2_lease_reserved;
410 static int hf_smb2_lease_break_reason;
411 static int hf_smb2_lease_access_mask_hint;
412 static int hf_smb2_lease_share_mask_hint;
413 static int hf_smb2_acct_name;
414 static int hf_smb2_domain_name;
415 static int hf_smb2_host_name;
416 static int hf_smb2_auth_frame;
417 static int hf_smb2_tcon_frame;
418 static int hf_smb2_tdcon_frame;
419 static int hf_smb2_share_type;
420 static int hf_smb2_signature;
421 static int hf_smb2_credit_charge;
422 static int hf_smb2_credits_requested;
423 static int hf_smb2_credits_granted;
424 static int hf_smb2_channel_sequence;
425 static int hf_smb2_dialect_count;
426 static int hf_smb2_security_mode;
427 static int hf_smb2_secmode_flags_sign_required;
428 static int hf_smb2_secmode_flags_sign_enabled;
429 static int hf_smb2_ses_req_flags;
430 static int hf_smb2_ses_req_flags_session_binding;
431 static int hf_smb2_capabilities;
432 static int hf_smb2_cap_dfs;
433 static int hf_smb2_cap_leasing;
434 static int hf_smb2_cap_large_mtu;
435 static int hf_smb2_cap_multi_channel;
436 static int hf_smb2_cap_persistent_handles;
437 static int hf_smb2_cap_directory_leasing;
438 static int hf_smb2_cap_encryption;
439 static int hf_smb2_cap_notifications;
440 static int hf_smb2_dialect;
441 static int hf_smb2_max_trans_size;
442 static int hf_smb2_max_read_size;
443 static int hf_smb2_max_write_size;
444 static int hf_smb2_channel;
445 static int hf_smb2_rdma_v1_offset;
446 static int hf_smb2_rdma_v1_token;
447 static int hf_smb2_rdma_v1_length;
448 static int hf_smb2_session_flags;
449 static int hf_smb2_ses_flags_guest;
450 static int hf_smb2_ses_flags_null;
451 static int hf_smb2_ses_flags_encrypt;
452 static int hf_smb2_share_flags;
453 static int hf_smb2_share_flags_dfs;
454 static int hf_smb2_share_flags_dfs_root;
455 static int hf_smb2_share_flags_restrict_exclusive_opens;
456 static int hf_smb2_share_flags_force_shared_delete;
457 static int hf_smb2_share_flags_allow_namespace_caching;
458 static int hf_smb2_share_flags_access_based_dir_enum;
459 static int hf_smb2_share_flags_force_levelii_oplock;
460 static int hf_smb2_share_flags_enable_hash_v1;
461 static int hf_smb2_share_flags_enable_hash_v2;
462 static int hf_smb2_share_flags_encrypt_data;
463 static int hf_smb2_share_flags_identity_remoting;
464 static int hf_smb2_share_flags_compress_data;
465 static int hf_smb2_share_flags_isolated_transport;
466 static int hf_smb2_share_caching;
467 static int hf_smb2_share_caps;
468 static int hf_smb2_share_caps_dfs;
469 static int hf_smb2_share_caps_continuous_availability;
470 static int hf_smb2_share_caps_scaleout;
471 static int hf_smb2_share_caps_cluster;
472 static int hf_smb2_share_caps_asymmetric;
473 static int hf_smb2_share_caps_redirect_to_owner;
474 static int hf_smb2_create_flags;
475 static int hf_smb2_lock_count;
476 static int hf_smb2_lock_sequence_number;
477 static int hf_smb2_lock_sequence_index;
478 static int hf_smb2_min_count;
479 static int hf_smb2_remaining_bytes;
480 static int hf_smb2_channel_info_offset;
481 static int hf_smb2_channel_info_length;
482 static int hf_smb2_channel_info_blob;
483 static int hf_smb2_ioctl_flags;
484 static int hf_smb2_ioctl_is_fsctl;
485 static int hf_smb2_close_pq_attrib;
486 static int hf_smb2_notify_watch_tree;
487 static int hf_smb2_output_buffer_len;
488 static int hf_smb2_notify_out_data;
489 static int hf_smb2_notify_info;
490 static int hf_smb2_notify_next_offset;
491 static int hf_smb2_notify_action;
492 static int hf_smb2_find_flags;
493 static int hf_smb2_find_flags_restart_scans;
494 static int hf_smb2_find_flags_single_entry;
495 static int hf_smb2_find_flags_index_specified;
496 static int hf_smb2_find_flags_reopen;
497 static int hf_smb2_file_index;
498 static int hf_smb2_file_directory_info;
499 static int hf_smb2_both_directory_info;
500 static int hf_smb2_posix_info;
501 static int hf_smb2_short_name_len;
502 static int hf_smb2_short_name;
503 static int hf_smb2_id_both_directory_info;
504 static int hf_smb2_full_directory_info;
505 static int hf_smb2_lock_info;
506 static int hf_smb2_lock_length;
507 static int hf_smb2_lock_flags;
508 static int hf_smb2_lock_flags_shared;
509 static int hf_smb2_lock_flags_exclusive;
510 static int hf_smb2_lock_flags_unlock;
511 static int hf_smb2_lock_flags_fail_immediately;
512 static int hf_smb2_dhnq_buffer_reserved;
513 static int hf_smb2_dh2x_buffer_timeout;
514 static int hf_smb2_dh2x_buffer_flags;
515 static int hf_smb2_dh2x_buffer_flags_persistent_handle;
516 static int hf_smb2_dh2x_buffer_reserved;
517 static int hf_smb2_dh2x_buffer_create_guid;
518 static int hf_smb2_APP_INSTANCE_buffer_struct_size;
519 static int hf_smb2_APP_INSTANCE_buffer_reserved;
520 static int hf_smb2_APP_INSTANCE_buffer_app_guid;
521 static int hf_smb2_svhdx_open_device_context_version;
522 static int hf_smb2_svhdx_open_device_context_has_initiator_id;
523 static int hf_smb2_svhdx_open_device_context_reserved;
524 static int hf_smb2_svhdx_open_device_context_initiator_id;
525 static int hf_smb2_svhdx_open_device_context_flags;
526 static int hf_smb2_svhdx_open_device_context_originator_flags;
527 static int hf_smb2_svhdx_open_device_context_open_request_id;
528 static int hf_smb2_svhdx_open_device_context_initiator_host_name_len;
529 static int hf_smb2_svhdx_open_device_context_initiator_host_name;
530 static int hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized;
531 static int hf_smb2_svhdx_open_device_context_server_service_version;
532 static int hf_smb2_svhdx_open_device_context_virtual_sector_size;
533 static int hf_smb2_svhdx_open_device_context_physical_sector_size;
534 static int hf_smb2_svhdx_open_device_context_virtual_size;
535 static int hf_smb2_app_instance_version_struct_size;
536 static int hf_smb2_app_instance_version_reserved;
537 static int hf_smb2_app_instance_version_padding;
538 static int hf_smb2_app_instance_version_high;
539 static int hf_smb2_app_instance_version_low;
540 static int hf_smb2_posix_perms;
541 static int hf_smb2_aapl_command_code;
542 static int hf_smb2_aapl_reserved;
543 static int hf_smb2_aapl_server_query_bitmask;
544 static int hf_smb2_aapl_server_query_bitmask_server_caps;
545 static int hf_smb2_aapl_server_query_bitmask_volume_caps;
546 static int hf_smb2_aapl_server_query_bitmask_model_info;
547 static int hf_smb2_aapl_server_query_caps;
548 static int hf_smb2_aapl_server_query_caps_supports_read_dir_attr;
549 static int hf_smb2_aapl_server_query_caps_supports_osx_copyfile;
550 static int hf_smb2_aapl_server_query_caps_unix_based;
551 static int hf_smb2_aapl_server_query_caps_supports_nfs_ace;
552 static int hf_smb2_aapl_server_query_volume_caps;
553 static int hf_smb2_aapl_server_query_volume_caps_support_resolve_id;
554 static int hf_smb2_aapl_server_query_volume_caps_case_sensitive;
555 static int hf_smb2_aapl_server_query_volume_caps_supports_full_sync;
556 static int hf_smb2_aapl_server_query_model_string;
557 static int hf_smb2_aapl_server_query_server_path;
558 static int hf_smb2_error_context_count;
559 static int hf_smb2_error_reserved;
560 static int hf_smb2_error_byte_count;
561 static int hf_smb2_error_data;
562 static int hf_smb2_error_context;
563 static int hf_smb2_error_context_length;
564 static int hf_smb2_error_context_id;
565 static int hf_smb2_error_min_buf_length;
566 static int hf_smb2_error_redir_context;
567 static int hf_smb2_error_redir_struct_size;
568 static int hf_smb2_error_redir_notif_type;
569 static int hf_smb2_error_redir_flags;
570 static int hf_smb2_error_redir_target_type;
571 static int hf_smb2_error_redir_ip_count;
572 static int hf_smb2_error_redir_ip_list;
573 static int hf_smb2_error_redir_res_name;
574 static int hf_smb2_reserved;
575 static int hf_smb2_reserved_random;
576 static int hf_smb2_transform_signature;
577 static int hf_smb2_transform_nonce;
578 static int hf_smb2_transform_msg_size;
579 static int hf_smb2_transform_reserved;
580 static int hf_smb2_transform_flags;
581 static int hf_smb2_transform_flags_encrypted;
582 static int hf_smb2_transform_encrypted_data;
583 static int hf_smb2_protocol_id;
584 static int hf_smb2_comp_transform_orig_size;
585 static int hf_smb2_comp_transform_comp_alg;
586 static int hf_smb2_comp_transform_flags;
587 static int hf_smb2_comp_transform_offset;
588 static int hf_smb2_comp_transform_length;
589 static int hf_smb2_comp_transform_data;
590 static int hf_smb2_comp_transform_orig_payload_size;
591 static int hf_smb2_comp_pattern_v1_pattern;
592 static int hf_smb2_comp_pattern_v1_reserved1;
593 static int hf_smb2_comp_pattern_v1_reserved2;
594 static int hf_smb2_comp_pattern_v1_repetitions;
595 static int hf_smb2_truncated;
596 static int hf_smb2_pipe_fragments;
597 static int hf_smb2_pipe_fragment;
598 static int hf_smb2_pipe_fragment_overlap;
599 static int hf_smb2_pipe_fragment_overlap_conflict;
600 static int hf_smb2_pipe_fragment_multiple_tails;
601 static int hf_smb2_pipe_fragment_too_long_fragment;
602 static int hf_smb2_pipe_fragment_error;
603 static int hf_smb2_pipe_fragment_count;
604 static int hf_smb2_pipe_reassembled_in;
605 static int hf_smb2_pipe_reassembled_length;
606 static int hf_smb2_pipe_reassembled_data;
607 static int hf_smb2_cchunk_resume_key;
608 static int hf_smb2_cchunk_count;
609 static int hf_smb2_cchunk_src_offset;
610 static int hf_smb2_cchunk_dst_offset;
611 static int hf_smb2_cchunk_xfer_len;
612 static int hf_smb2_cchunk_chunks_written;
613 static int hf_smb2_cchunk_bytes_written;
614 static int hf_smb2_cchunk_total_written;
615 static int hf_smb2_reparse_data_buffer;
616 static int hf_smb2_reparse_tag;
617 static int hf_smb2_reparse_guid;
618 static int hf_smb2_reparse_data_length;
619 static int hf_smb2_nfs_type;
620 static int hf_smb2_nfs_symlink_target;
621 static int hf_smb2_nfs_chr_major;
622 static int hf_smb2_nfs_chr_minor;
623 static int hf_smb2_nfs_blk_major;
624 static int hf_smb2_nfs_blk_minor;
625 static int hf_smb2_symlink_error_response;
626 static int hf_smb2_symlink_length;
627 static int hf_smb2_symlink_error_tag;
628 static int hf_smb2_unparsed_path_length;
629 static int hf_smb2_symlink_substitute_name;
630 static int hf_smb2_symlink_print_name;
631 static int hf_smb2_symlink_flags;
632 static int hf_smb2_bad_signature;
633 static int hf_smb2_good_signature;
634 static int hf_smb2_fscc_file_attr;
635 static int hf_smb2_fscc_file_attr_archive;
636 static int hf_smb2_fscc_file_attr_compressed;
637 static int hf_smb2_fscc_file_attr_directory;
638 static int hf_smb2_fscc_file_attr_encrypted;
639 static int hf_smb2_fscc_file_attr_hidden;
640 static int hf_smb2_fscc_file_attr_normal;
641 static int hf_smb2_fscc_file_attr_not_content_indexed;
642 static int hf_smb2_fscc_file_attr_offline;
643 static int hf_smb2_fscc_file_attr_read_only;
644 static int hf_smb2_fscc_file_attr_reparse_point;
645 static int hf_smb2_fscc_file_attr_sparse_file;
646 static int hf_smb2_fscc_file_attr_system;
647 static int hf_smb2_fscc_file_attr_temporary;
648 static int hf_smb2_fscc_file_attr_integrity_stream;
649 static int hf_smb2_fscc_file_attr_no_scrub_data;
650 static int hf_smb2_fscc_file_attr_recall_on_open;
651 static int hf_smb2_fscc_file_attr_pinned;
652 static int hf_smb2_fscc_file_attr_unpinned;
653 static int hf_smb2_fscc_file_attr_recall_on_data_access;
654 static int hf_smb2_tree_connect_flags;
655 static int hf_smb2_tc_cluster_reconnect;
656 static int hf_smb2_tc_redirect_to_owner;
657 static int hf_smb2_tc_extension_present;
658 static int hf_smb2_tc_reserved;
659 static int hf_smb2_notification_type;
660 static int hf_smb2_query_info_flags;
661 static int hf_smb2_query_info_flag_restart_scan;
662 static int hf_smb2_query_info_flag_return_single_entry;
663 static int hf_smb2_query_info_flag_index_specified;
664 static int hf_smb2_fscc_refs_snapshot_mgmt_operation;
665 static int hf_smb2_fscc_refs_snapshot_mgmt_namelen;
666 static int hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len;
667 static int hf_smb2_fscc_refs_snapshot_mgmt_reserved;
668 static int hf_smb2_fscc_refs_snapshot_mgmt_name;
669 static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn;
670 static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags;
671 static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved;
672 static int hf_smb2_flush_reserved2;
673 static int hf_smb2_file_id_hash;
674 static int hf_smb2_num_matched;
675
676 static int ett_smb2;
677 static int ett_smb2_olb;
678 static int ett_smb2_ea;
679 static int ett_smb2_header;
680 static int ett_smb2_encrypted;
681 static int ett_smb2_compressed;
682 static int ett_smb2_decompressed;
683 static int ett_smb2_command;
684 static int ett_smb2_secblob;
685 static int ett_smb2_negotiate_context_element;
686 static int ett_smb2_file_basic_info;
687 static int ett_smb2_file_standard_info;
688 static int ett_smb2_file_internal_info;
689 static int ett_smb2_file_ea_info;
690 static int ett_smb2_file_access_info;
691 static int ett_smb2_file_position_info;
692 static int ett_smb2_file_mode_info;
693 static int ett_smb2_file_alignment_info;
694 static int ett_smb2_file_all_info;
695 static int ett_smb2_file_allocation_info;
696 static int ett_smb2_file_endoffile_info;
697 static int ett_smb2_file_alternate_name_info;
698 static int ett_smb2_file_stream_info;
699 static int ett_smb2_file_pipe_info;
700 static int ett_smb2_file_compression_info;
701 static int ett_smb2_file_network_open_info;
702 static int ett_smb2_file_attribute_tag_info;
703 static int ett_smb2_file_rename_info;
704 static int ett_smb2_file_link_info;
705 static int ett_smb2_file_disposition_info;
706 static int ett_smb2_file_full_ea_info;
707 static int ett_smb2_file_normalized_name_info;
708 static int ett_smb2_fs_info_01;
709 static int ett_smb2_fs_info_03;
710 static int ett_smb2_fs_info_04;
711 static int ett_smb2_fs_info_05;
712 static int ett_smb2_fs_info_06;
713 static int ett_smb2_fs_info_07;
714 static int ett_smb2_fs_objectid_info;
715 static int ett_smb2_fs_posix_info;
716 static int ett_smb2_sec_info_00;
717 static int ett_smb2_additional_information_sec_mask;
718 static int ett_smb2_quota_info;
719 static int ett_smb2_query_quota_info;
720 static int ett_smb2_tid_tree;
721 static int ett_smb2_sesid_tree;
722 static int ett_smb2_create_chain_element;
723 static int ett_smb2_MxAc_buffer;
724 static int ett_smb2_QFid_buffer;
725 static int ett_smb2_RqLs_buffer;
726 static int ett_smb2_ioctl_function;
727 static int ett_smb2_FILE_OBJECTID_BUFFER;
728 static int ett_smb2_flags;
729 static int ett_smb2_sec_mode;
730 static int ett_smb2_capabilities;
731 static int ett_smb2_ses_req_flags;
732 static int ett_smb2_ses_flags;
733 static int ett_smb2_lease_state;
734 static int ett_smb2_lease_flags;
735 static int ett_smb2_share_flags;
736 static int ett_smb2_create_rep_flags;
737 static int ett_smb2_share_caps;
738 static int ett_smb2_comp_alg_flags;
739 static int ett_smb2_ioctl_flags;
740 static int ett_smb2_ioctl_network_interface;
741 static int ett_smb2_ioctl_sqos_opeations;
742 static int ett_smb2_fsctl_range_data;
743 static int ett_windows_sockaddr;
744 static int ett_smb2_close_flags;
745 static int ett_smb2_notify_info;
746 static int ett_smb2_notify_flags;
747 static int ett_smb2_write_flags;
748 static int ett_smb2_rdma_v1;
749 static int ett_smb2_DH2Q_buffer;
750 static int ett_smb2_DH2C_buffer;
751 static int ett_smb2_dh2x_flags;
752 static int ett_smb2_APP_INSTANCE_buffer;
753 static int ett_smb2_svhdx_open_device_context;
754 static int ett_smb2_app_instance_version_buffer;
755 static int ett_smb2_app_instance_version_buffer_version;
756 static int ett_smb2_aapl_create_context_request;
757 static int ett_smb2_aapl_server_query_bitmask;
758 static int ett_smb2_aapl_server_query_caps;
759 static int ett_smb2_aapl_create_context_response;
760 static int ett_smb2_aapl_server_query_volume_caps;
761 static int ett_smb2_integrity_flags;
762 static int ett_smb2_find_flags;
763 static int ett_smb2_file_directory_info;
764 static int ett_smb2_both_directory_info;
765 static int ett_smb2_id_both_directory_info;
766 static int ett_smb2_full_directory_info;
767 static int ett_smb2_posix_info;
768 static int ett_smb2_file_name_info;
769 static int ett_smb2_lock_info;
770 static int ett_smb2_lock_flags;
771 static int ett_smb2_buffercode;
772 static int ett_smb2_ioctl_network_interface_capabilities;
773 static int ett_smb2_tree_connect_flags;
774 static int ett_qfr_entry;
775 static int ett_smb2_pipe_fragment;
776 static int ett_smb2_pipe_fragments;
777 static int ett_smb2_cchunk_entry;
778 static int ett_smb2_fsctl_odx_token;
779 static int ett_smb2_symlink_error_response;
780 static int ett_smb2_reparse_data_buffer;
781 static int ett_smb2_error_data;
782 static int ett_smb2_error_context;
783 static int ett_smb2_error_redir_context;
784 static int ett_smb2_error_redir_ip_list;
785 static int ett_smb2_read_flags;
786 static int ett_smb2_signature;
787 static int ett_smb2_transform_flags;
788 static int ett_smb2_fscc_file_attributes;
789 static int ett_smb2_comp_payload;
790 static int ett_smb2_comp_pattern_v1;
791 static int ett_smb2_query_info_flags;
792 static int ett_smb2_server_notification;
793 static int ett_smb2_fscc_refs_snapshot_query_delta_buffer;
794
795 static expert_field ei_smb2_invalid_length;
796 static expert_field ei_smb2_bad_response;
797 static expert_field ei_smb2_bad_negprot_negotiate_context_count;
798 static expert_field ei_smb2_bad_negprot_negotiate_context_offset;
799 static expert_field ei_smb2_bad_negprot_reserved;
800 static expert_field ei_smb2_bad_negprot_reserved2;
801 static expert_field ei_smb2_invalid_getinfo_offset;
802 static expert_field ei_smb2_invalid_getinfo_size;
803 static expert_field ei_smb2_empty_getinfo_buffer;
804 static expert_field ei_smb2_invalid_signature;
805
806 static int smb2_tap;
807 static int smb2_eo_tap;
808
809 static dissector_handle_t gssapi_handle;
810 static dissector_handle_t ntlmssp_handle;
811 static dissector_handle_t rsvd_handle;
812
813 static heur_dissector_list_t smb2_pipe_subdissector_list;
814
815 static const fragment_items smb2_pipe_frag_items = {
816 &ett_smb2_pipe_fragment,
817 &ett_smb2_pipe_fragments,
818 &hf_smb2_pipe_fragments,
819 &hf_smb2_pipe_fragment,
820 &hf_smb2_pipe_fragment_overlap,
821 &hf_smb2_pipe_fragment_overlap_conflict,
822 &hf_smb2_pipe_fragment_multiple_tails,
823 &hf_smb2_pipe_fragment_too_long_fragment,
824 &hf_smb2_pipe_fragment_error,
825 &hf_smb2_pipe_fragment_count,
826 &hf_smb2_pipe_reassembled_in,
827 &hf_smb2_pipe_reassembled_length,
828 &hf_smb2_pipe_reassembled_data,
829 "Fragments"
830 };
831
832 #define FILE_BYTE_ALIGNMENT 0x00
833 #define FILE_WORD_ALIGNMENT 0x01
834 #define FILE_LONG_ALIGNMENT 0x03
835 #define FILE_QUAD_ALIGNMENT 0x07
836 #define FILE_OCTA_ALIGNMENT 0x0f
837 #define FILE_32_BYTE_ALIGNMENT 0x1f
838 #define FILE_64_BYTE_ALIGNMENT 0x3f
839 #define FILE_128_BYTE_ALIGNMENT 0x7f
840 #define FILE_256_BYTE_ALIGNMENT 0xff
841 #define FILE_512_BYTE_ALIGNMENT 0x1ff
842 static const value_string smb2_alignment_vals[] = {
843 { FILE_BYTE_ALIGNMENT, "FILE_BYTE_ALIGNMENT" },
844 { FILE_WORD_ALIGNMENT, "FILE_WORD_ALIGNMENT" },
845 { FILE_LONG_ALIGNMENT, "FILE_LONG_ALIGNMENT" },
846 { FILE_OCTA_ALIGNMENT, "FILE_OCTA_ALIGNMENT" },
847 { FILE_32_BYTE_ALIGNMENT, "FILE_32_BYTE_ALIGNMENT" },
848 { FILE_64_BYTE_ALIGNMENT, "FILE_64_BYTE_ALIGNMENT" },
849 { FILE_128_BYTE_ALIGNMENT, "FILE_128_BYTE_ALIGNMENT" },
850 { FILE_256_BYTE_ALIGNMENT, "FILE_256_BYTE_ALIGNMENT" },
851 { FILE_512_BYTE_ALIGNMENT, "FILE_512_BYTE_ALIGNMENT" },
852 { 0, NULL }
853 };
854
855
856 #define SMB2_CLASS_FILE_INFO 0x01
857 #define SMB2_CLASS_FS_INFO 0x02
858 #define SMB2_CLASS_SEC_INFO 0x03
859 #define SMB2_CLASS_QUOTA_INFO 0x04
860 static const value_string smb2_class_vals[] = {
861 { SMB2_CLASS_FILE_INFO, "FILE_INFO"},
862 { SMB2_CLASS_FS_INFO, "FS_INFO"},
863 { SMB2_CLASS_SEC_INFO, "SEC_INFO"},
864 { SMB2_CLASS_QUOTA_INFO, "QUOTA_INFO"},
865 { 0, NULL }
866 };
867
868 #define SMB2_SHARE_TYPE_DISK 0x01
869 #define SMB2_SHARE_TYPE_PIPE 0x02
870 #define SMB2_SHARE_TYPE_PRINT 0x03
871 static const value_string smb2_share_type_vals[] = {
872 { SMB2_SHARE_TYPE_DISK, "Physical disk" },
873 { SMB2_SHARE_TYPE_PIPE, "Named pipe" },
874 { SMB2_SHARE_TYPE_PRINT, "Printer" },
875 { 0, NULL }
876 };
877
878
879 #define SMB2_FILE_BASIC_INFO 0x04
880 #define SMB2_FILE_STANDARD_INFO 0x05
881 #define SMB2_FILE_INTERNAL_INFO 0x06
882 #define SMB2_FILE_EA_INFO 0x07
883 #define SMB2_FILE_ACCESS_INFO 0x08
884 #define SMB2_FILE_RENAME_INFO 0x0a
885 #define SMB2_FILE_LINK_INFO 0x0b
886 #define SMB2_FILE_DISPOSITION_INFO 0x0d
887 #define SMB2_FILE_POSITION_INFO 0x0e
888 #define SMB2_FILE_FULL_EA_INFO 0x0f
889 #define SMB2_FILE_MODE_INFO 0x10
890 #define SMB2_FILE_ALIGNMENT_INFO 0x11
891 #define SMB2_FILE_ALL_INFO 0x12
892 #define SMB2_FILE_ALLOCATION_INFO 0x13
893 #define SMB2_FILE_ENDOFFILE_INFO 0x14
894 #define SMB2_FILE_ALTERNATE_NAME_INFO 0x15
895 #define SMB2_FILE_STREAM_INFO 0x16
896 #define SMB2_FILE_PIPE_INFO 0x17
897 #define SMB2_FILE_COMPRESSION_INFO 0x1c
898 #define SMB2_FILE_NETWORK_OPEN_INFO 0x22
899 #define SMB2_FILE_ATTRIBUTE_TAG_INFO 0x23
900 #define SMB2_FILE_NORMALIZED_NAME_INFO 0x30
901 #define SMB2_FILE_POSIX_INFO 0x64
902 #define SMB2_FILE_ID_INFO 0x3b
903 #define SMB2_FILE_PIPE_LOCAL_INFO 0x18
904 #define SMB2_FILE_PIPE_REMOTE_INFO 0x19
905 #define SMB2_FILE_BOTH_DIRECTORY_INFO 0x03
906 #define SMB2_FILE_DIRECTORY_INFO 0x01
907 #define SMB2_FILE_FULL_DIRECTORY_INFO 0x02
908 #define SMB2_FILE_FULL_HARD_LINK_INFO 0x2e
909 #define SMB2_FILE_ID_BOTH_DIRECTORY_INFO 0x25
910 #define SMB2_FILE_ID_EXTD_DIRECTORY_INFO 0x3c
911 #define SMB2_FILE_ID_FULL_DIRECTORY_INFO 0x26
912 #define SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO 0x32
913 #define SMB2_FILE_LINK_INFO 0x0b
914 #define SMB2_FILE_MAIL_SLOT_SET_INFO 0x1b
915 #define SMB2_FILE_MOVE_CLUSTER_INFO 0x1f
916 #define SMB2_FILE_NAME_INFO 0x09
917 #define SMB2_FILE_NAMES_INFO 0x0c
918 #define SMB2_FILE_OBJECTID_INFO 0x1d
919 #define SMB2_FILE_QUOTA_INFO 0x20
920 #define SMB2_FILE_REPARSE_POINT_INFO 0x21
921 #define SMB2_FILE_SFIO_RESERVE_INFO 0x2c
922 #define SMB2_FILE_SFIO_VOLUME_INFO 0x2d
923 #define SMB2_FILE_SHORT_NAME_INFO 0x28
924 #define SMB2_FILE_STANDARD_LINK_INFO 0x36
925 #define SMB2_FILE_TRACKING_INFO 0x24
926 #define SMB2_VALID_DATA_LENGTH_INFO 0x27
927
928 static const value_string smb2_file_info_levels[] = {
929 {SMB2_FILE_DIRECTORY_INFO, "SMB2_FILE_DIRECTORY_INFO"},
930 {SMB2_FILE_FULL_DIRECTORY_INFO, "SMB2_FILE_FULL_DIRECTORY_INFO"},
931 {SMB2_FILE_BOTH_DIRECTORY_INFO, "SMB2_FILE_BOTH_DIRECTORY_INFO"},
932 {SMB2_FILE_BASIC_INFO, "SMB2_FILE_BASIC_INFO" },
933 {SMB2_FILE_STANDARD_INFO, "SMB2_FILE_STANDARD_INFO" },
934 {SMB2_FILE_INTERNAL_INFO, "SMB2_FILE_INTERNAL_INFO" },
935 {SMB2_FILE_EA_INFO, "SMB2_FILE_EA_INFO" },
936 {SMB2_FILE_ACCESS_INFO, "SMB2_FILE_ACCESS_INFO" },
937 {SMB2_FILE_NAME_INFO, "SMB2_FILE_NAME_INFO"},
938 {SMB2_FILE_RENAME_INFO, "SMB2_FILE_RENAME_INFO" },
939 {SMB2_FILE_LINK_INFO, "SMB2_FILE_LINK_INFO" },
940 {SMB2_FILE_NAMES_INFO, "SMB2_FILE_NAMES_INFO"},
941 {SMB2_FILE_DISPOSITION_INFO, "SMB2_FILE_DISPOSITION_INFO" },
942 {SMB2_FILE_POSITION_INFO, "SMB2_FILE_POSITION_INFO" },
943 {SMB2_FILE_FULL_EA_INFO, "SMB2_FILE_FULL_EA_INFO" },
944 {SMB2_FILE_MODE_INFO, "SMB2_FILE_MODE_INFO" },
945 {SMB2_FILE_ALIGNMENT_INFO, "SMB2_FILE_ALIGNMENT_INFO" },
946 {SMB2_FILE_ALL_INFO, "SMB2_FILE_ALL_INFO" },
947 {SMB2_FILE_ALLOCATION_INFO, "SMB2_FILE_ALLOCATION_INFO" },
948 {SMB2_FILE_ENDOFFILE_INFO, "SMB2_FILE_ENDOFFILE_INFO" },
949 {SMB2_FILE_ALTERNATE_NAME_INFO, "SMB2_FILE_ALTERNATE_NAME_INFO" },
950 {SMB2_FILE_STREAM_INFO, "SMB2_FILE_STREAM_INFO" },
951 {SMB2_FILE_PIPE_INFO, "SMB2_FILE_PIPE_INFO" },
952 {SMB2_FILE_PIPE_LOCAL_INFO, "SMB2_FILE_PIPE_LOCAL_INFO"},
953 {SMB2_FILE_PIPE_REMOTE_INFO, "SMB2_FILE_PIPE_REMOTE_INFO"},
954 {SMB2_FILE_MAIL_SLOT_SET_INFO, "SMB2_FILE_MAIL_SLOT_SET_INFO"},
955 {SMB2_FILE_COMPRESSION_INFO, "SMB2_FILE_COMPRESSION_INFO" },
956 {SMB2_FILE_OBJECTID_INFO, "SMB2_FILE_OBJECTID_INFO"},
957 {SMB2_FILE_MOVE_CLUSTER_INFO, "SMB2_FILE_MOVE_CLUSTER_INFO"},
958 {SMB2_FILE_QUOTA_INFO, "SMB2_FILE_QUOTA_INFO"},
959 {SMB2_FILE_REPARSE_POINT_INFO, "SMB2_FILE_REPARSE_POINT_INFO"},
960 {SMB2_FILE_NETWORK_OPEN_INFO, "SMB2_FILE_NETWORK_OPEN_INFO" },
961 {SMB2_FILE_ATTRIBUTE_TAG_INFO, "SMB2_FILE_ATTRIBUTE_TAG_INFO" },
962 {SMB2_FILE_TRACKING_INFO, "SMB2_FILE_TRACKING_INFO"},
963 {SMB2_FILE_ID_BOTH_DIRECTORY_INFO,"SMB2_FILE_ID_BOTH_DIRECTORY_INFO" },
964 {SMB2_FILE_ID_FULL_DIRECTORY_INFO, "SMB2_FILE_ID_FULL_DIRECTORY_INFO"},
965 {SMB2_VALID_DATA_LENGTH_INFO, "SMB2_VALID_DATA_LENGTH_INFO"},
966 {SMB2_FILE_SHORT_NAME_INFO, "SMB2_FILE_SHORT_NAME_INFO"},
967 {SMB2_FILE_SFIO_RESERVE_INFO, "SMB2_FILE_SFIO_RESERVE_INFO"},
968 {SMB2_FILE_SFIO_VOLUME_INFO, "SMB2_FILE_SFIO_VOLUME_INFO"},
969 {SMB2_FILE_FULL_HARD_LINK_INFO, "SMB2_FILE_FULL_HARD_LINK_INFO"},
970 {SMB2_FILE_NORMALIZED_NAME_INFO,"SMB2_FILE_NORMALIZED_NAME_INFO" },
971 {SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO, "SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO"},
972 {SMB2_FILE_STANDARD_LINK_INFO, "SMB2_FILE_STANDARD_LINK_INFO"},
973 {SMB2_FILE_ID_INFO, "SMB2_FILE_ID_INFO"},
974 {SMB2_FILE_ID_EXTD_DIRECTORY_INFO,"SMB2_FILE_ID_EXTD_DIRECTORY_INFO"},
975 {SMB2_FILE_POSIX_INFO, "SMB2_FILE_POSIX_INFO" },
976 { 0, NULL }
977 };
978 static value_string_ext smb2_file_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_file_info_levels);
979
980
981
982 #define SMB2_FS_INFO_01 0x01
983 #define SMB2_FS_LABEL_INFO 0x02
984 #define SMB2_FS_INFO_03 0x03
985 #define SMB2_FS_INFO_04 0x04
986 #define SMB2_FS_INFO_05 0x05
987 #define SMB2_FS_INFO_06 0x06
988 #define SMB2_FS_INFO_07 0x07
989 #define SMB2_FS_OBJECTID_INFO 0x08
990 #define SMB2_FS_DRIVER_PATH_INFO 0x09
991 #define SMB2_FS_VOLUME_FLAGS_INFO 0x0a
992 #define SMB2_FS_SECTOR_SIZE_INFO 0x0b
993 #define SMB2_FS_POSIX_INFO 0x64
994
995 static const value_string smb2_fs_info_levels[] = {
996 {SMB2_FS_INFO_01, "FileFsVolumeInformation" },
997 {SMB2_FS_LABEL_INFO, "FileFsLabelInformation" },
998 {SMB2_FS_INFO_03, "FileFsSizeInformation" },
999 {SMB2_FS_INFO_04, "FileFsDeviceInformation" },
1000 {SMB2_FS_INFO_05, "FileFsAttributeInformation" },
1001 {SMB2_FS_INFO_06, "FileFsControlInformation" },
1002 {SMB2_FS_INFO_07, "FileFsFullSizeInformation" },
1003 {SMB2_FS_OBJECTID_INFO, "FileFsObjectIdInformation" },
1004 {SMB2_FS_DRIVER_PATH_INFO, "FileFsDriverPathInformation" },
1005 {SMB2_FS_VOLUME_FLAGS_INFO, "FileFsVolumeFlagsInformation" },
1006 {SMB2_FS_SECTOR_SIZE_INFO, "FileFsSectorSizeInformation" },
1007 {SMB2_FS_POSIX_INFO, "FileFsPosixInformation" },
1008 { 0, NULL }
1009 };
1010 static value_string_ext smb2_fs_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_fs_info_levels);
1011
1012 #define SMB2_SEC_INFO_00 0x00
1013 static const value_string smb2_sec_info_levels[] = {
1014 {SMB2_SEC_INFO_00, "SMB2_SEC_INFO_00" },
1015 { 0, NULL }
1016 };
1017 static value_string_ext smb2_sec_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_sec_info_levels);
1018
1019 #define SMB2_FIND_DIRECTORY_INFO 0x01
1020 #define SMB2_FIND_FULL_DIRECTORY_INFO 0x02
1021 #define SMB2_FIND_BOTH_DIRECTORY_INFO 0x03
1022 #define SMB2_FIND_INDEX_SPECIFIED 0x04
1023 #define SMB2_FIND_NAME_INFO 0x0C
1024 #define SMB2_FIND_ID_BOTH_DIRECTORY_INFO 0x25
1025 #define SMB2_FIND_ID_FULL_DIRECTORY_INFO 0x26
1026 #define SMB2_FIND_POSIX_INFO 0x64
1027 static const value_string smb2_find_info_levels[] = {
1028 { SMB2_FIND_DIRECTORY_INFO, "SMB2_FIND_DIRECTORY_INFO" },
1029 { SMB2_FIND_FULL_DIRECTORY_INFO, "SMB2_FIND_FULL_DIRECTORY_INFO" },
1030 { SMB2_FIND_BOTH_DIRECTORY_INFO, "SMB2_FIND_BOTH_DIRECTORY_INFO" },
1031 { SMB2_FIND_INDEX_SPECIFIED, "SMB2_FIND_INDEX_SPECIFIED" },
1032 { SMB2_FIND_NAME_INFO, "SMB2_FIND_NAME_INFO" },
1033 { SMB2_FIND_ID_BOTH_DIRECTORY_INFO, "SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
1034 { SMB2_FIND_ID_FULL_DIRECTORY_INFO, "SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
1035 { SMB2_FIND_POSIX_INFO, "SMB2_FIND_POSIX_INFO" },
1036 { 0, NULL }
1037 };
1038
1039 #define SMB2_PREAUTH_INTEGRITY_CAPABILITIES 0x0001
1040 #define SMB2_ENCRYPTION_CAPABILITIES 0x0002
1041 #define SMB2_COMPRESSION_CAPABILITIES 0x0003
1042 #define SMB2_NETNAME_NEGOTIATE_CONTEXT_ID 0x0005
1043 #define SMB2_TRANSPORT_CAPABILITIES 0x0006
1044 #define SMB2_RDMA_TRANSFORM_CAPABILITIES 0x0007
1045 #define SMB2_SIGNING_CAPABILITIES 0x0008
1046 #define SMB2_POSIX_EXTENSIONS_CAPABILITIES 0x0100
1047 static const value_string smb2_negotiate_context_types[] = {
1048 { SMB2_PREAUTH_INTEGRITY_CAPABILITIES, "SMB2_PREAUTH_INTEGRITY_CAPABILITIES" },
1049 { SMB2_ENCRYPTION_CAPABILITIES, "SMB2_ENCRYPTION_CAPABILITIES" },
1050 { SMB2_COMPRESSION_CAPABILITIES, "SMB2_COMPRESSION_CAPABILITIES" },
1051 { SMB2_NETNAME_NEGOTIATE_CONTEXT_ID, "SMB2_NETNAME_NEGOTIATE_CONTEXT_ID" },
1052 { SMB2_TRANSPORT_CAPABILITIES, "SMB2_TRANSPORT_CAPABILITIES" },
1053 { SMB2_RDMA_TRANSFORM_CAPABILITIES, "SMB2_RDMA_TRANSFORM_CAPABILITIES" },
1054 { SMB2_SIGNING_CAPABILITIES, "SMB2_SIGNING_CAPABILITIES" },
1055 { SMB2_POSIX_EXTENSIONS_CAPABILITIES, "SMB2_POSIX_EXTENSIONS_CAPABILITIES" },
1056 { 0, NULL }
1057 };
1058
1059 #define SMB2_HASH_ALGORITHM_SHA_512 0x0001
1060 static const value_string smb2_hash_algorithm_types[] = {
1061 { SMB2_HASH_ALGORITHM_SHA_512, "SHA-512" },
1062 { 0, NULL }
1063 };
1064
1065 #define SMB2_SIGNING_ALG_HMAC_SHA256 0x0000
1066 #define SMB2_SIGNING_ALG_AES_CMAC 0x0001
1067 #define SMB2_SIGNING_ALG_AES_GMAC 0x0002
1068 static const value_string smb2_signing_alg_types[] = {
1069 { SMB2_SIGNING_ALG_HMAC_SHA256, "HMAC-SHA256" },
1070 { SMB2_SIGNING_ALG_AES_CMAC, "AES-CMAC" },
1071 { SMB2_SIGNING_ALG_AES_GMAC, "AES-GMAC" },
1072 { 0, NULL },
1073 };
1074
1075 #define SMB2_CIPHER_AES_128_CCM 0x0001
1076 #define SMB2_CIPHER_AES_128_GCM 0x0002
1077 #define SMB2_CIPHER_AES_256_CCM 0x0003
1078 #define SMB2_CIPHER_AES_256_GCM 0x0004
1079 static const value_string smb2_cipher_types[] = {
1080 { SMB2_CIPHER_AES_128_CCM, "AES-128-CCM" },
1081 { SMB2_CIPHER_AES_128_GCM, "AES-128-GCM" },
1082 { SMB2_CIPHER_AES_256_CCM, "AES-256-CCM" },
1083 { SMB2_CIPHER_AES_256_GCM, "AES-256-GCM" },
1084 { 0, NULL }
1085 };
1086
1087 #define SMB2_TRANSFORM_FLAGS_ENCRYPTED 0x0001
1088 static int * const smb2_transform_flags[] = {
1089 &hf_smb2_transform_flags_encrypted,
1090 NULL,
1091 };
1092
1093 #define SMB2_COMP_ALG_FLAGS_CHAINED 0x00000001
1094
1095 #define SMB2_COMP_ALG_NONE 0x0000
1096 #define SMB2_COMP_ALG_LZNT1 0x0001
1097 #define SMB2_COMP_ALG_LZ77 0x0002
1098 #define SMB2_COMP_ALG_LZ77HUFF 0x0003
1099 #define SMB2_COMP_ALG_PATTERN_V1 0x0004
1100 static const value_string smb2_comp_alg_types[] = {
1101 { SMB2_COMP_ALG_NONE, "None" },
1102 { SMB2_COMP_ALG_LZNT1, "LZNT1" },
1103 { SMB2_COMP_ALG_LZ77, "LZ77" },
1104 { SMB2_COMP_ALG_LZ77HUFF, "LZ77+Huffman" },
1105 { SMB2_COMP_ALG_PATTERN_V1, "Pattern_V1" },
1106 { 0, NULL }
1107 };
1108
1109 #define SMB2_COMP_FLAG_NONE 0x0000
1110 #define SMB2_COMP_FLAG_CHAINED 0x0001
1111 static const value_string smb2_comp_transform_flags_vals[] = {
1112 { SMB2_COMP_FLAG_NONE, "None" },
1113 { SMB2_COMP_FLAG_CHAINED, "Chained" },
1114 { 0, NULL }
1115 };
1116
1117 #define SMB2_RDMA_TRANSFORM_NONE 0x0000
1118 #define SMB2_RDMA_TRANSFORM_ENCRYPTION 0x0001
1119 #define SMB2_RDMA_TRANSFORM_SIGNING 0x0002
1120 static const value_string smb2_rdma_transform_types[] = {
1121 { SMB2_RDMA_TRANSFORM_NONE, "None" },
1122 { SMB2_RDMA_TRANSFORM_ENCRYPTION, "Encryption" },
1123 { SMB2_RDMA_TRANSFORM_SIGNING, "Signing" },
1124 { 0, NULL }
1125 };
1126
1127 #define OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE 24 /* [MS-SMB2] 2.2.23.1, 2.2.24.1 and 2.2.25.1 */
1128 #define OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE 44 /* [MS-SMB2] 2.2.23.2 Lease Break Notification */
1129 #define OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE 36 /* [MS-SMB2] 2.2.24.2 Lease Break Acknowledgment */
1130 #define OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE 36 /* [MS-SMB2] 2.2.25.2 Lease Break Response */
1131
1132 static const val64_string unique_unsolicited_response[] = {
1133 { 0xffffffffffffffff, "unsolicited response" },
1134 { 0, NULL }
1135 };
1136
1137 #define SMB2_ERROR_ID_DEFAULT 0x00000000
1138 #define SMB2_ERROR_ID_SHARE_REDIRECT 0x72645253
1139 static const value_string smb2_error_id_vals[] = {
1140 { SMB2_ERROR_ID_DEFAULT, "ERROR_ID_DEFAULT" },
1141 { SMB2_ERROR_ID_SHARE_REDIRECT, "ERROR_ID_SHARE_REDIRECT" },
1142 { 0, NULL }
1143 };
1144
1145 #define SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY 0x00000001
1146 static const value_string smb2_transport_ctx_flags_vals[] = {
1147 { SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY, "SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY" },
1148 { 0, NULL }
1149 };
1150
1151 #define REPARSE_TAG_RESERVED_ZERO 0x00000000 /* Reserved reparse tag value. */
1152 #define REPARSE_TAG_RESERVED_ONE 0x00000001 /* Reserved reparse tag value. */
1153 #define REPARSE_TAG_MOUNT_POINT 0xA0000003 /* Used for mount point */
1154 #define REPARSE_TAG_HSM 0xC0000004 /* Obsolete. Used by legacy Hierarchical Storage Manager Product. */
1155 #define REPARSE_TAG_DRIVER_EXTENDER 0x80000005 /* Home server drive extender. */
1156 #define REPARSE_TAG_HSM2 0x80000006 /* Obsolete. Used by legacy Hierarchical Storage Manager Product. */
1157 #define REPARSE_TAG_SIS 0x80000007 /* Used by single-instance storage (SIS) filter driver. */
1158 #define REPARSE_TAG_DFS 0x8000000A /* Used by the DFS filter. */
1159 #define REPARSE_TAG_FILTER_MANAGER 0x8000000B /* Used by filter manager test harness */
1160 #define REPARSE_TAG_SYMLINK 0xA000000C /* Used for symbolic link support. */
1161 #define REPARSE_TAG_DFSR 0x80000012 /* Used by the DFS filter. */
1162 #define REPARSE_TAG_NFS 0x80000014 /* Used by the Network File System (NFS) component. */
1163 #define REPARSE_TAG_LX_SYMLINK 0xA000001D /* WSL symbolic link */
1164 #define REPARSE_TAG_AF_UNIX 0x80000023 /* WSL unix socket */
1165 #define REPARSE_TAG_LX_FIFO 0x80000024 /* WSL fifo pipe */
1166 #define REPARSE_TAG_LX_CHR 0x80000025 /* WSL char device */
1167 #define REPARSE_TAG_LX_BLK 0x80000026 /* WSL block device */
1168 static const value_string reparse_tag_vals[] = {
1169 { REPARSE_TAG_RESERVED_ZERO, "REPARSE_TAG_RESERVED_ZERO"},
1170 { REPARSE_TAG_RESERVED_ONE, "REPARSE_TAG_RESERVED_ONE"},
1171 { REPARSE_TAG_MOUNT_POINT, "REPARSE_TAG_MOUNT_POINT"},
1172 { REPARSE_TAG_HSM, "REPARSE_TAG_HSM"},
1173 { REPARSE_TAG_DRIVER_EXTENDER, "REPARSE_TAG_DRIVER_EXTENDER"},
1174 { REPARSE_TAG_HSM2, "REPARSE_TAG_HSM2"},
1175 { REPARSE_TAG_SIS, "REPARSE_TAG_SIS"},
1176 { REPARSE_TAG_DFS, "REPARSE_TAG_DFS"},
1177 { REPARSE_TAG_FILTER_MANAGER, "REPARSE_TAG_FILTER_MANAGER"},
1178 { REPARSE_TAG_SYMLINK, "REPARSE_TAG_SYMLINK"},
1179 { REPARSE_TAG_DFSR, "REPARSE_TAG_DFSR"},
1180 { REPARSE_TAG_NFS, "REPARSE_TAG_NFS"},
1181 { REPARSE_TAG_LX_SYMLINK, "REPARSE_TAG_LX_SYMLINK"},
1182 { REPARSE_TAG_AF_UNIX, "REPARSE_TAG_AF_UNIX"},
1183 { REPARSE_TAG_LX_FIFO, "REPARSE_TAG_LX_FIFO"},
1184 { REPARSE_TAG_LX_CHR, "REPARSE_TAG_LX_CHR"},
1185 { REPARSE_TAG_LX_BLK, "REPARSE_TAG_LX_BLK"},
1186 { 0, NULL }
1187 };
1188
1189 #define NFS_SPECFILE_LNK 0x00000000014B4E4C
1190 #define NFS_SPECFILE_CHR 0x0000000000524843
1191 #define NFS_SPECFILE_BLK 0x00000000004B4C42
1192 #define NFS_SPECFILE_FIFO 0x000000004F464946
1193 #define NFS_SPECFILE_SOCK 0x000000004B434F53
1194 static const val64_string nfs_type_vals[] = {
1195 { NFS_SPECFILE_LNK, "Symbolic Link" },
1196 { NFS_SPECFILE_CHR, "Character Device" },
1197 { NFS_SPECFILE_BLK, "Block Device" },
1198 { NFS_SPECFILE_FIFO, "FIFO" },
1199 { NFS_SPECFILE_SOCK, "UNIX Socket" },
1200 { 0, NULL }
1201 };
1202
1203 #define SMB2_NUM_PROCEDURES 256
1204 #define MAX_UNCOMPRESSED_SIZE (1<<24) /* 16MB */
1205
1206 #define SMB2_DIALECT_202 0x0202
1207 #define SMB2_DIALECT_210 0x0210
1208 #define SMB2_DIALECT_2FF 0x02FF
1209 #define SMB2_DIALECT_222 0x0222
1210 #define SMB2_DIALECT_224 0x0224
1211 #define SMB2_DIALECT_300 0x0300
1212 #define SMB2_DIALECT_302 0x0302
1213 #define SMB2_DIALECT_310 0x0310
1214 #define SMB2_DIALECT_311 0x0311
1215
1216 static const value_string smb2_dialect_vals[] = {
1217 { SMB2_DIALECT_202, "SMB 2.0.2" },
1218 { SMB2_DIALECT_210, "SMB 2.1" },
1219 { SMB2_DIALECT_2FF, "SMB2 wildcard" },
1220 { SMB2_DIALECT_222, "SMB 2.2.2 (deprecated; should be 3.0)" },
1221 { SMB2_DIALECT_224, "SMB 2.2.4 (deprecated; should be 3.0)" },
1222 { SMB2_DIALECT_300, "SMB 3.0" },
1223 { SMB2_DIALECT_302, "SMB 3.0.2" },
1224 { SMB2_DIALECT_310, "SMB 3.1.0 (deprecated; should be 3.1.1)" },
1225 { SMB2_DIALECT_311, "SMB 3.1.1" },
1226 { 0, NULL }
1227 };
1228
1229 static const value_string smb2_fsctl_infoex_integrity_modes[] = {
1230 { 0x00, "CHECKSUM_TYPE_NONE" },
1231 { 0x01, "CHECKSUM_TYPE_CRC32_OR_CRC64" },
1232 { 0, NULL }
1233 };
1234
1235 static const value_string smb2_fsctl_infoex_integrity_state[] = {
1236 { 0x00, "Change state" },
1237 { 0x01, "No state change" },
1238 { 0, NULL }
1239 };
1240
1241 #define SMB2_SL_RESTART_SCAN 0x00000001
1242 #define SMB2_SL_RETURN_SINGLE_ENTRY 0x00000002
1243 #define SL_INDEX_SPECIFIED 0x00000004
1244
1245 #define NOTIFY_SESSION_CLOSED 0x0
1246 static const value_string server_notification_types[] = {
1247 { NOTIFY_SESSION_CLOSED, "SmbNotifySessionClosed" },
1248 { 0, NULL }
1249 };
1250
1251 #define REFS_STREAM_SNAPSHOT_OPERATION_INVALID 0x00000000
1252 #define REFS_STREAM_SNAPSHOT_OPERATION_CREATE 0x00000001
1253 #define REFS_STREAM_SNAPSHOT_OPERATION_LIST 0x00000002
1254 #define REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS 0x00000003
1255 #define REFS_STREAM_SNAPSHOT_OPERATION_REVERT 0x00000004
1256 #define REFS_STREAM_SNAPSHOT_OPERATION_SET_SHADOW_BTREE 0x00000005
1257 #define REFS_STREAM_SNAPSHOT_OPERATION_CLEAR_SHADOW_BTREE 0x00000006
1258
1259 static const value_string refs_stream_snapshot_operation_types[] = {
1260 { REFS_STREAM_SNAPSHOT_OPERATION_INVALID, "Invalid" },
1261 { REFS_STREAM_SNAPSHOT_OPERATION_CREATE, "Create" },
1262 { REFS_STREAM_SNAPSHOT_OPERATION_LIST, "List" },
1263 { REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS, "Query Deltas" },
1264 { REFS_STREAM_SNAPSHOT_OPERATION_REVERT, "Revert" },
1265 { REFS_STREAM_SNAPSHOT_OPERATION_SET_SHADOW_BTREE, "Set Shadow Btree" },
1266 { REFS_STREAM_SNAPSHOT_OPERATION_CLEAR_SHADOW_BTREE, "Clear Shadow Btree" },
1267 { 0, NULL }
1268 };
1269
1270 #define FILE_FULL_EA_INFORMATION_FLAG_NONE 0x00000000
1271 #define FILE_FULL_EA_INFORMATION_FLAG_NEED_EA 0x00000001
1272
1273 static const value_string file_full_ea_information_flags[] = {
1274 { FILE_FULL_EA_INFORMATION_FLAG_NONE, "None" },
1275 { FILE_FULL_EA_INFORMATION_FLAG_NEED_EA, "Need EA" },
1276 { 0, NULL }
1277 };
1278
1279 static int dissect_windows_sockaddr_storage(tvbuff_t *, packet_info *, proto_tree *, int, int);
1280 static void dissect_smb2_error_data(tvbuff_t *, packet_info *, proto_tree *, int, int, smb2_info_t *);
1281 static unsigned smb2_eo_files_hash(const void *k);
1282 static int smb2_eo_files_equal(const void *k1, const void *k2);
1283
1284 static void update_preauth_hash(void *buf, packet_info *pinfo, tvbuff_t *tvb)
1285 {
1286 gcry_error_t err;
1287 gcry_md_hd_t md;
1288 void *pkt;
1289
1290 err = gcry_md_open(&md, GCRY_MD_SHA512, 0);
1291 if (err)
1292 return;
1293
1294 /* we dup in case of non-contiguous packet */
1295 pkt = tvb_memdup(pinfo->pool, tvb, 0, tvb_captured_length(tvb));
1296 gcry_md_write(md, buf, SMB2_PREAUTH_HASH_SIZE);
1297 gcry_md_write(md, pkt, tvb_captured_length(tvb));
1298 gcry_md_final(md);
1299 memcpy(buf, gcry_md_read(md, 0), SMB2_PREAUTH_HASH_SIZE);
1300 gcry_md_close(md);
1301 }
1302
1303 static void
1304 smb2stat_init(struct register_srt* srt _U_, GArray* srt_array)
1305 {
1306 srt_stat_table *smb2_srt_table;
1307 uint32_t i;
1308
1309 smb2_srt_table = init_srt_table("SMB2", NULL, srt_array, SMB2_NUM_PROCEDURES, "Commands", "smb2.cmd", NULL);
1310 for (i = 0; i < SMB2_NUM_PROCEDURES; i++)
1311 {
1312 init_srt_table_row(smb2_srt_table, i, val_to_str_ext_const(i, &smb2_cmd_vals_ext, "<unknown>"));
1313 }
1314 }
1315
1316 static tap_packet_status
1317 smb2stat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv, tap_flags_t flags _U_)
1318 {
1319 unsigned i = 0;
1320 srt_stat_table *smb2_srt_table;
1321 srt_data_t *data = (srt_data_t *)pss;
1322 const smb2_info_t *si=(const smb2_info_t *)prv;
1323
1324 /* we are only interested in response packets */
1325 if(!(si->flags&SMB2_FLAGS_RESPONSE)){
1326 return TAP_PACKET_DONT_REDRAW;
1327 }
1328 /* We should not include cancel and oplock break requests either */
1329 if (si->opcode == SMB2_COM_CANCEL || si->opcode == SMB2_COM_BREAK) {
1330 return TAP_PACKET_DONT_REDRAW;
1331 }
1332
1333 /* if we haven't seen the request, just ignore it */
1334 if(!si->saved){
1335 return TAP_PACKET_DONT_REDRAW;
1336 }
1337
1338 /* SMB2 SRT can be very inaccurate in the presence of retransmissions. Retransmitted responses
1339 * not only add additional (bogus) transactions but also the latency associated with them.
1340 * This can greatly inflate the maximum and average SRT stats especially in the case of
1341 * retransmissions triggered by the expiry of the rexmit timer (RTOs). Only calculating SRT
1342 * for the last received response accomplishes this goal without requiring the TCP pref
1343 * "Do not call subdissectors for error packets" to be set. */
1344 if (si->saved->frame_res != pinfo->num)
1345 return TAP_PACKET_DONT_REDRAW;
1346
1347 smb2_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
1348 add_srt_table_data(smb2_srt_table, si->opcode, &si->saved->req_time, pinfo);
1349 return TAP_PACKET_REDRAW;
1350 }
1351
1352 /* Structure for SessionID <=> SessionKey mapping for decryption. */
1353 typedef struct _smb2_seskey_field_t {
1354 /* session id */
1355 unsigned char *id; /* *little-endian* - not necessarily host-endian! */
1356 unsigned id_len;
1357 /* session key */
1358 unsigned char *seskey;
1359 unsigned seskey_len;
1360 /* server to client key */
1361 unsigned char *s2ckey;
1362 unsigned s2ckey_len;
1363 /* client to server key */
1364 unsigned char *c2skey;
1365 unsigned c2skey_len;
1366 } smb2_seskey_field_t;
1367
1368 static smb2_seskey_field_t *seskey_list;
1369 static unsigned num_seskey_list;
1370
1371 static const int8_t zeros[NTLMSSP_KEY_LEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
1372
1373 /* Callbacks for SessionID <=> SessionKey mapping. */
1374 UAT_BUFFER_CB_DEF(seskey_list, id, smb2_seskey_field_t, id, id_len)
1375 UAT_BUFFER_CB_DEF(seskey_list, seskey, smb2_seskey_field_t, seskey, seskey_len)
1376 UAT_BUFFER_CB_DEF(seskey_list, s2ckey, smb2_seskey_field_t, s2ckey, s2ckey_len)
1377 UAT_BUFFER_CB_DEF(seskey_list, c2skey, smb2_seskey_field_t, c2skey, c2skey_len)
1378
1379 #define SMB_SESSION_ID_SIZE 8
1380
1381 static bool seskey_list_update_cb(void *r, char **err)
1382 {
1383 smb2_seskey_field_t *rec = (smb2_seskey_field_t *)r;
1384 bool has_seskey = rec->seskey_len != 0;
1385 bool has_s2ckey = rec->s2ckey_len != 0;
1386 bool has_c2skey = rec->c2skey_len != 0;
1387
1388 *err = NULL;
1389
1390 if (rec->id_len != SMB_SESSION_ID_SIZE) {
1391 *err = g_strdup("Session ID must be " G_STRINGIFY(SMB_SESSION_ID_SIZE) " bytes long and in hexadecimal");
1392 return false;
1393 }
1394
1395 if (!has_seskey && !(has_c2skey || has_s2ckey)) {
1396 *err = g_strdup("Decryption requires either the Session Key or at least one of the client-server AES keys");
1397 return false;
1398 }
1399
1400
1401 if (rec->seskey_len > NTLMSSP_KEY_LEN) {
1402 *err = g_strdup("Session Key must be a hexadecimal string representing at most " G_STRINGIFY(NTLMSSP_KEY_LEN) " bytes");
1403 return false;
1404 }
1405
1406 if (has_s2ckey && ((rec->s2ckey_len != AES_KEY_SIZE) && (rec->s2ckey_len != AES_KEY_SIZE*2))) {
1407 *err = g_strdup("Server-to-Client key must be a hexadecimal string representing "
1408 G_STRINGIFY(AES_KEY_SIZE) " or " G_STRINGIFY(AES_KEY_SIZE*2));
1409 return false;
1410 }
1411
1412 if (has_c2skey && ((rec->c2skey_len != AES_KEY_SIZE) && (rec->c2skey_len != AES_KEY_SIZE*2))) {
1413 *err = g_strdup("Client-to-Server key must be a hexadecimal string representing "
1414 G_STRINGIFY(AES_KEY_SIZE) " or " G_STRINGIFY(AES_KEY_SIZE*2));
1415 return false;
1416 }
1417
1418 return true;
1419 }
1420
1421 static void* seskey_list_copy_cb(void *n, const void *o, size_t siz _U_)
1422 {
1423 smb2_seskey_field_t *new_rec = (smb2_seskey_field_t *)n;
1424 const smb2_seskey_field_t *old_rec = (const smb2_seskey_field_t *)o;
1425
1426 new_rec->id_len = old_rec->id_len;
1427 new_rec->id = old_rec->id ? (unsigned char *)g_memdup2(old_rec->id, old_rec->id_len) : NULL;
1428 new_rec->seskey_len = old_rec->seskey_len;
1429 new_rec->seskey = old_rec->seskey ? (unsigned char *)g_memdup2(old_rec->seskey, old_rec->seskey_len) : NULL;
1430 new_rec->s2ckey_len = old_rec->s2ckey_len;
1431 new_rec->s2ckey = old_rec->s2ckey ? (unsigned char *)g_memdup2(old_rec->s2ckey, old_rec->s2ckey_len) : NULL;
1432 new_rec->c2skey_len = old_rec->c2skey_len;
1433 new_rec->c2skey = old_rec->c2skey ? (unsigned char *)g_memdup2(old_rec->c2skey, old_rec->c2skey_len) : NULL;
1434
1435 return new_rec;
1436 }
1437
1438 static void seskey_list_free_cb(void *r)
1439 {
1440 smb2_seskey_field_t *rec = (smb2_seskey_field_t *)r;
1441
1442 g_free(rec->id);
1443 g_free(rec->seskey);
1444 g_free(rec->s2ckey);
1445 g_free(rec->c2skey);
1446 }
1447
1448 static bool seskey_find_sid_key(uint64_t sesid, uint8_t *out_seskey,
1449 unsigned *out_seskey_len,
1450 uint8_t *out_s2ckey16,
1451 uint8_t *out_c2skey16,
1452 uint8_t *out_s2ckey32,
1453 uint8_t *out_c2skey32)
1454 {
1455 unsigned i;
1456 uint64_t sesid_le;
1457
1458 /*
1459 * The session IDs in the UAT are octet arrays, in little-endian
1460 * byte order (as it appears on the wire); they have been
1461 * checked to make sure they're 8 bytes (SMB_SESSION_ID_SIZE)
1462 * long. They're *probably* aligned on an appropriate boundary,
1463 * but let's not assume that - let's just use memcmp().
1464 *
1465 * The session ID passed to us, however, is in *host* byte order.
1466 * This is *NOT* necessarily little-endian; it's big-endian on,
1467 * for example, System/390 and z/Architecture ("s390" and "s390x"
1468 * in Linuxland), SPARC, and most PowerPC systems. We must,
1469 * therefore, put it into little-endian byte order before
1470 * comparing it with the IDs in the UAT values.
1471 */
1472 sesid_le = GUINT64_TO_LE(sesid);
1473
1474 for (i = 0; i < num_seskey_list; i++) {
1475 const smb2_seskey_field_t *p = &seskey_list[i];
1476 if (memcmp(&sesid_le, p->id, SMB_SESSION_ID_SIZE) == 0) {
1477 *out_seskey_len = 0;
1478 memset(out_seskey, 0, NTLMSSP_KEY_LEN*2);
1479 memset(out_s2ckey16, 0, AES_KEY_SIZE);
1480 memset(out_c2skey16, 0, AES_KEY_SIZE);
1481 memset(out_s2ckey32, 0, AES_KEY_SIZE*2);
1482 memset(out_c2skey32, 0, AES_KEY_SIZE*2);
1483
1484 if (p->seskey_len > 0 && p->seskey_len <= NTLMSSP_KEY_LEN*2) {
1485 memcpy(out_seskey, p->seskey, p->seskey_len);
1486 *out_seskey_len = p->seskey_len;
1487 }
1488 if (p->s2ckey_len == AES_KEY_SIZE)
1489 memcpy(out_s2ckey16, p->s2ckey, p->s2ckey_len);
1490 if (p->s2ckey_len == AES_KEY_SIZE*2)
1491 memcpy(out_s2ckey32, p->s2ckey, p->s2ckey_len);
1492 if (p->c2skey_len == AES_KEY_SIZE)
1493 memcpy(out_c2skey16, p->c2skey, p->c2skey_len);
1494 if (p->c2skey_len == AES_KEY_SIZE*2)
1495 memcpy(out_c2skey32, p->c2skey, p->c2skey_len);
1496
1497 return true;
1498 }
1499 }
1500
1501 return false;
1502 }
1503
1504 /* ExportObject preferences variable */
1505 bool eosmb2_take_name_as_fid = false ;
1506
1507 /* unmatched smb_saved_info structures.
1508 For unmatched smb_saved_info structures we store the smb_saved_info
1509 structure using the msg_id field.
1510 */
1511 static int
1512 smb2_saved_info_equal_unmatched(const void *k1, const void *k2)
1513 {
1514 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
1515 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
1516 return key1->msg_id == key2->msg_id;
1517 }
1518 static unsigned
1519 smb2_saved_info_hash_unmatched(const void *k)
1520 {
1521 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
1522 uint32_t hash;
1523
1524 hash = (uint32_t) (key->msg_id&0xffffffff);
1525 return hash;
1526 }
1527
1528 /* matched smb_saved_info structures.
1529 For matched smb_saved_info structures we store the smb_saved_info
1530 structure using the msg_id field.
1531 */
1532 static int
1533 smb2_saved_info_equal_matched(const void *k1, const void *k2)
1534 {
1535 const smb2_saved_info_t *key1 = (const smb2_saved_info_t *)k1;
1536 const smb2_saved_info_t *key2 = (const smb2_saved_info_t *)k2;
1537 return key1->msg_id == key2->msg_id;
1538 }
1539 static unsigned
1540 smb2_saved_info_hash_matched(const void *k)
1541 {
1542 const smb2_saved_info_t *key = (const smb2_saved_info_t *)k;
1543 uint32_t hash;
1544
1545 hash = (uint32_t) (key->msg_id&0xffffffff);
1546 return hash;
1547 }
1548
1549 /* For Tids of a specific conversation.
1550 This keeps track of tid->sharename mappings and other information about the
1551 tid.
1552 qqq
1553 We might need to refine this if it occurs that tids are reused on a single
1554 conversation. we don't worry about that yet for simplicity
1555 */
1556 static int
1557 smb2_tid_info_equal(const void *k1, const void *k2)
1558 {
1559 const smb2_tid_info_t *key1 = (const smb2_tid_info_t *)k1;
1560 const smb2_tid_info_t *key2 = (const smb2_tid_info_t *)k2;
1561 return key1->tid == key2->tid;
1562 }
1563 static unsigned
1564 smb2_tid_info_hash(const void *k)
1565 {
1566 const smb2_tid_info_t *key = (const smb2_tid_info_t *)k;
1567 uint32_t hash;
1568
1569 hash = key->tid;
1570 return hash;
1571 }
1572
1573 /* For Uids of a specific conversation.
1574 This keeps track of uid->acct_name mappings and other information about the
1575 uid.
1576 qqq
1577 We might need to refine this if it occurs that uids are reused on a single
1578 conversation. we don't worry about that yet for simplicity
1579 */
1580 static int
1581 smb2_sesid_info_equal(const void *k1, const void *k2)
1582 {
1583 const smb2_sesid_info_t *key1 = (const smb2_sesid_info_t *)k1;
1584 const smb2_sesid_info_t *key2 = (const smb2_sesid_info_t *)k2;
1585 return key1->sesid == key2->sesid;
1586 }
1587 static unsigned
1588 smb2_sesid_info_hash(const void *k)
1589 {
1590 const smb2_sesid_info_t *key = (const smb2_sesid_info_t *)k;
1591 uint32_t hash;
1592
1593 hash = (uint32_t)( ((key->sesid>>32)&0xffffffff)+((key->sesid)&0xffffffff) );
1594 return hash;
1595 }
1596
1597 /*
1598 * For File IDs of a specific conversation.
1599 * This keeps track of fid to name mapping and application level conversations
1600 * over named pipes.
1601 *
1602 * This handles implementation bugs, where the fid_persitent is 0 or
1603 * the fid_persitent/fid_volative is not unique per conversation.
1604 */
1605 static int
1606 smb2_fid_info_equal(const void *k1, const void *k2)
1607 {
1608 const smb2_fid_info_t *key = (const smb2_fid_info_t *)k1;
1609 const smb2_fid_info_t *val = (const smb2_fid_info_t *)k2;
1610
1611 if (!key->frame_key) {
1612 key = (const smb2_fid_info_t *)k2;
1613 val = (const smb2_fid_info_t *)k1;
1614 }
1615
1616 if (key->fid_persistent != val->fid_persistent) {
1617 return 0;
1618 }
1619
1620 if (key->fid_volatile != val->fid_volatile) {
1621 return 0;
1622 }
1623
1624 if (key->sesid != val->sesid) {
1625 return 0;
1626 }
1627
1628 if (key->tid != val->tid) {
1629 return 0;
1630 }
1631
1632 if (!(val->frame_beg <= key->frame_key && key->frame_key <= val->frame_end)) {
1633 return 0;
1634 }
1635
1636 return 1;
1637 }
1638
1639 static unsigned
1640 smb2_fid_info_hash(const void *k)
1641 {
1642 const smb2_fid_info_t *key = (const smb2_fid_info_t *)k;
1643 uint32_t hash;
1644
1645 if (key->fid_persistent != 0) {
1646 hash = (uint32_t)( ((key->fid_persistent>>32)&0xffffffff)+((key->fid_persistent)&0xffffffff) );
1647 } else {
1648 hash = (uint32_t)( ((key->fid_volatile>>32)&0xffffffff)+((key->fid_volatile)&0xffffffff) );
1649 }
1650
1651 return hash;
1652 }
1653
1654 /* Callback for destroying the glib hash tables associated with a conversation
1655 * struct. */
1656 static bool
1657 smb2_conv_destroy(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_,
1658 void *user_data)
1659 {
1660 smb2_conv_info_t *conv = (smb2_conv_info_t *)user_data;
1661
1662 g_hash_table_destroy(conv->matched);
1663 g_hash_table_destroy(conv->unmatched);
1664
1665 /* This conversation is gone, return false to indicate we don't
1666 * want to be called again for this conversation. */
1667 return false;
1668 }
1669
1670 static smb2_sesid_info_t *
1671 smb2_get_session(smb2_conv_info_t *conv _U_, uint64_t id, packet_info *pinfo, smb2_info_t *si)
1672 {
1673 smb2_sesid_info_t key = {.sesid = id};
1674 smb2_sesid_info_t *ses = (smb2_sesid_info_t *)wmem_map_lookup(smb2_sessions, &key);
1675
1676 if (!ses) {
1677 ses = wmem_new0(wmem_file_scope(), smb2_sesid_info_t);
1678 ses->sesid = id;
1679 ses->auth_frame = (uint32_t)-1;
1680 ses->tids = wmem_map_new(wmem_file_scope(), smb2_tid_info_hash, smb2_tid_info_equal);
1681 ses->fids = wmem_map_new(wmem_file_scope(), smb2_fid_info_hash, smb2_fid_info_equal);
1682 ses->files = wmem_map_new(wmem_file_scope(), smb2_eo_files_hash, smb2_eo_files_equal);
1683
1684 ses->session_key_frame = UINT32_MAX;
1685 seskey_find_sid_key(id,
1686 ses->session_key,
1687 &ses->session_key_len,
1688 ses->client_decryption_key16,
1689 ses->server_decryption_key16,
1690 ses->client_decryption_key32,
1691 ses->server_decryption_key32);
1692 if (pinfo && si) {
1693 if (ses->session_key_len != 0) {
1694 ses->session_key_frame = pinfo->num;
1695 }
1696 if (si->flags & SMB2_FLAGS_RESPONSE) {
1697 ses->server_port = pinfo->srcport;
1698 } else {
1699 ses->server_port = pinfo->destport;
1700 }
1701 }
1702 wmem_map_insert(smb2_sessions, ses, ses);
1703 }
1704
1705 return ses;
1706 }
1707
1708 static void
1709 smb2_add_session_info(proto_tree *ses_tree, proto_item *ses_item, tvbuff_t *tvb, int start, smb2_sesid_info_t *ses)
1710 {
1711 proto_item *new_item;
1712 if (!ses)
1713 return;
1714
1715 if (ses->acct_name) {
1716 new_item = proto_tree_add_string(ses_tree, hf_smb2_acct_name, tvb, start, 0, ses->acct_name);
1717 proto_item_set_generated(new_item);
1718 proto_item_append_text(ses_item, " Acct:%s", ses->acct_name);
1719 }
1720
1721 if (ses->domain_name) {
1722 new_item = proto_tree_add_string(ses_tree, hf_smb2_domain_name, tvb, start, 0, ses->domain_name);
1723 proto_item_set_generated(new_item);
1724 proto_item_append_text(ses_item, " Domain:%s", ses->domain_name);
1725 }
1726
1727 if (ses->host_name) {
1728 new_item = proto_tree_add_string(ses_tree, hf_smb2_host_name, tvb, start, 0, ses->host_name);
1729 proto_item_set_generated(new_item);
1730 proto_item_append_text(ses_item, " Host:%s", ses->host_name);
1731 }
1732
1733 if (ses->auth_frame != (uint32_t)-1) {
1734 new_item = proto_tree_add_uint(ses_tree, hf_smb2_auth_frame, tvb, start, 0, ses->auth_frame);
1735 proto_item_set_generated(new_item);
1736 }
1737 }
1738
1739 static void smb2_key_derivation(const uint8_t *KI, uint32_t KI_len,
1740 const uint8_t *Label, uint32_t Label_len,
1741 const uint8_t *Context, uint32_t Context_len,
1742 uint8_t *KO, uint32_t KO_len)
1743 {
1744 gcry_md_hd_t hd = NULL;
1745 uint8_t buf[4];
1746 uint8_t *digest = NULL;
1747 uint32_t L;
1748
1749 /*
1750 * a simplified version of
1751 * "NIST Special Publication 800-108" section 5.1
1752 * using hmac-sha256.
1753 */
1754 /* XXX This routine should indicate a success/failure indication, so that the failure of gcry_md_open()
1755 * can be reported to the caller.
1756 */
1757 if (gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC) != 0)
1758 return;
1759 gcry_md_setkey(hd, KI, KI_len);
1760
1761 memset(buf, 0, sizeof(buf));
1762 buf[3] = 1;
1763 gcry_md_write(hd, buf, sizeof(buf));
1764 gcry_md_write(hd, Label, Label_len);
1765 gcry_md_write(hd, buf, 1);
1766 gcry_md_write(hd, Context, Context_len);
1767 L = KO_len * 8;
1768 memset(buf, 0, sizeof(buf));
1769 buf[3] = ((L) >> (0)) & 0xff;
1770 buf[2] = ((L) >> (8)) & 0xff;
1771 gcry_md_write(hd, buf, sizeof(buf));
1772
1773 digest = gcry_md_read(hd, GCRY_MD_SHA256);
1774
1775 memcpy(KO, digest, KO_len);
1776
1777 gcry_md_close(hd);
1778 }
1779
1780 /* for export-object-smb2 */
1781 static char *policy_hnd_to_file_id(wmem_allocator_t *pool, const e_ctx_hnd *hnd) {
1782 return guid_to_str(pool, &hnd->uuid);
1783 }
1784 static unsigned smb2_eo_files_hash(const void *k) {
1785 return g_str_hash(policy_hnd_to_file_id(wmem_packet_scope(), (const e_ctx_hnd *)k));
1786 }
1787 static int smb2_eo_files_equal(const void *k1, const void *k2) {
1788 int are_equal;
1789 const e_ctx_hnd *key1 = (const e_ctx_hnd *)k1;
1790 const e_ctx_hnd *key2 = (const e_ctx_hnd *)k2;
1791
1792 are_equal = (key1->uuid.data1==key2->uuid.data1 &&
1793 key1->uuid.data2==key2->uuid.data2 &&
1794 key1->uuid.data3==key2->uuid.data3 &&
1795 key1->uuid.data4[0]==key2->uuid.data4[0] &&
1796 key1->uuid.data4[1]==key2->uuid.data4[1] &&
1797 key1->uuid.data4[2]==key2->uuid.data4[2] &&
1798 key1->uuid.data4[3]==key2->uuid.data4[3] &&
1799 key1->uuid.data4[4]==key2->uuid.data4[4] &&
1800 key1->uuid.data4[5]==key2->uuid.data4[5] &&
1801 key1->uuid.data4[6]==key2->uuid.data4[6] &&
1802 key1->uuid.data4[7]==key2->uuid.data4[7]);
1803
1804 return are_equal;
1805 }
1806
1807 static void
1808 feed_eo_smb2(tvbuff_t * tvb,packet_info *pinfo,smb2_info_t * si, uint16_t dataoffset,uint32_t length, uint64_t file_offset) {
1809
1810 char *fid_name = NULL;
1811 uint32_t open_frame = 0, close_frame = 0;
1812 tvbuff_t *data_tvb = NULL;
1813 smb_eo_t *eo_info;
1814 char *file_id;
1815 char *auxstring;
1816 char **aux_string_v;
1817
1818 /* Create a new tvb to point to the payload data */
1819 data_tvb = tvb_new_subset_length(tvb, dataoffset, length);
1820 /* Create the eo_info to pass to the listener */
1821 eo_info = wmem_new(pinfo->pool, smb_eo_t);
1822 /* Fill in eo_info */
1823 eo_info->smbversion=2;
1824 /* cmd == opcode */
1825 eo_info->cmd=si->opcode;
1826 /* We don't keep track of uid in SMB v2 */
1827 eo_info->uid=0;
1828
1829 /* Try to get file id and filename */
1830 file_id=policy_hnd_to_file_id(pinfo->pool, &si->saved->policy_hnd);
1831 dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num);
1832 if (fid_name && g_strcmp0(fid_name,"File: ")!=0) {
1833 auxstring=fid_name;
1834 /* Remove "File: " from filename */
1835 if (g_str_has_prefix(auxstring, "File: ")) {
1836 aux_string_v = g_strsplit(auxstring, "File: ", -1);
1837 eo_info->filename = wmem_strdup_printf(pinfo->pool, "\\%s",aux_string_v[g_strv_length(aux_string_v)-1]);
1838 g_strfreev(aux_string_v);
1839 } else {
1840 if (g_str_has_prefix(auxstring, "\\")) {
1841 eo_info->filename = wmem_strdup(pinfo->pool, auxstring);
1842 } else {
1843 eo_info->filename = wmem_strdup_printf(pinfo->pool, "\\%s",auxstring);
1844 }
1845 }
1846 } else {
1847 auxstring=wmem_strdup_printf(pinfo->pool, "File_Id_%s", file_id);
1848 eo_info->filename=auxstring;
1849 }
1850
1851
1852
1853 if (eosmb2_take_name_as_fid) {
1854 eo_info->fid = g_str_hash(eo_info->filename);
1855 } else {
1856 eo_info->fid = g_str_hash(file_id);
1857 }
1858
1859 /* tid, hostname, tree_id */
1860 if (si->tree) {
1861 eo_info->tid=si->tree->tid;
1862 if (strlen(si->tree->name)>0 && strlen(si->tree->name)<=256) {
1863 eo_info->hostname = wmem_strdup(pinfo->pool, si->tree->name);
1864 } else {
1865 eo_info->hostname = wmem_strdup_printf(pinfo->pool, "\\\\%s\\TREEID_%i",tree_ip_str(pinfo,si->opcode),si->tree->tid);
1866 }
1867 } else {
1868 eo_info->tid=0;
1869 eo_info->hostname = wmem_strdup_printf(pinfo->pool, "\\\\%s\\TREEID_UNKNOWN",tree_ip_str(pinfo,si->opcode));
1870 }
1871
1872 /* packet number */
1873 eo_info->pkt_num = pinfo->num;
1874
1875 /* fid type */
1876 if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
1877 eo_info->fid_type=SMB2_FID_TYPE_DIR;
1878 } else {
1879 if (si->eo_file_info->attr_mask &
1880 (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
1881 SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
1882 SMB2_FLAGS_ATTR_SYSTEM) ) {
1883 eo_info->fid_type=SMB2_FID_TYPE_FILE;
1884 } else {
1885 eo_info->fid_type=SMB2_FID_TYPE_OTHER;
1886 }
1887 }
1888
1889 /* end_of_file */
1890 eo_info->end_of_file=si->eo_file_info->end_of_file;
1891
1892 /* data offset and chunk length */
1893 eo_info->smb_file_offset=file_offset;
1894 eo_info->smb_chunk_len=length;
1895 /* XXX is this right? */
1896 if (length<si->saved->bytes_moved) {
1897 si->saved->file_offset=si->saved->file_offset+length;
1898 si->saved->bytes_moved=si->saved->bytes_moved-length;
1899 }
1900
1901 /* Payload */
1902 eo_info->payload_len = length;
1903 eo_info->payload_data = tvb_get_ptr(data_tvb, 0, length);
1904
1905 tap_queue_packet(smb2_eo_tap, pinfo, eo_info);
1906
1907 }
1908
1909 static int dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si);
1910
1911
1912 /* This is a helper to dissect the common string type
1913 * uint16 offset
1914 * uint16 length
1915 * ...
1916 * char *string
1917 *
1918 * This function is called twice, first to decode the offset/length and
1919 * second time to dissect the actual string.
1920 * It is done this way since there is no guarantee that we have the full packet and we don't
1921 * want to abort dissection too early if the packet ends somewhere between the
1922 * length/offset and the actual buffer.
1923 *
1924 */
1925 enum offset_length_buffer_offset_size {
1926 OLB_O_UINT16_S_UINT16,
1927 OLB_O_UINT16_S_UINT32,
1928 OLB_O_UINT8_P_UINT8_S_UINT32,
1929 OLB_O_UINT32_S_UINT32,
1930 OLB_S_UINT32_O_UINT32
1931 };
1932 typedef struct _offset_length_buffer_t {
1933 uint32_t off;
1934 uint32_t len;
1935 int off_offset;
1936 int len_offset;
1937 enum offset_length_buffer_offset_size offset_size;
1938 int hfindex;
1939 } offset_length_buffer_t;
1940 static int
1941 dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
1942 enum offset_length_buffer_offset_size offset_size, int hfindex)
1943 {
1944 olb->hfindex = hfindex;
1945 olb->offset_size = offset_size;
1946 switch (offset_size) {
1947 case OLB_O_UINT16_S_UINT16:
1948 olb->off = tvb_get_letohs(tvb, offset);
1949 olb->off_offset = offset;
1950 offset += 2;
1951 olb->len = tvb_get_letohs(tvb, offset);
1952 olb->len_offset = offset;
1953 offset += 2;
1954 break;
1955 case OLB_O_UINT16_S_UINT32:
1956 olb->off = tvb_get_letohs(tvb, offset);
1957 olb->off_offset = offset;
1958 offset += 2;
1959 olb->len = tvb_get_letohl(tvb, offset);
1960 olb->len_offset = offset;
1961 offset += 4;
1962 break;
1963 case OLB_O_UINT8_P_UINT8_S_UINT32:
1964 olb->off = tvb_get_uint8(tvb, offset);
1965 olb->off_offset = offset;
1966 offset += 1;
1967 /* 1 byte reserved */
1968 offset += 1;
1969 olb->len = tvb_get_letohl(tvb, offset);
1970 olb->len_offset = offset;
1971 offset += 4;
1972 break;
1973 case OLB_O_UINT32_S_UINT32:
1974 olb->off = tvb_get_letohl(tvb, offset);
1975 olb->off_offset = offset;
1976 offset += 4;
1977 olb->len = tvb_get_letohl(tvb, offset);
1978 olb->len_offset = offset;
1979 offset += 4;
1980 break;
1981 case OLB_S_UINT32_O_UINT32:
1982 olb->len = tvb_get_letohl(tvb, offset);
1983 olb->len_offset = offset;
1984 offset += 4;
1985 olb->off = tvb_get_letohl(tvb, offset);
1986 olb->off_offset = offset;
1987 offset += 4;
1988 break;
1989 }
1990
1991 return offset;
1992 }
1993
1994 #define OLB_TYPE_UNICODE_STRING 0x01
1995 #define OLB_TYPE_ASCII_STRING 0x02
1996 static const uint8_t *
1997 dissect_smb2_olb_off_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int base, int type)
1998 {
1999 int len, off;
2000 proto_item *item = NULL;
2001 proto_tree *tree = NULL;
2002 const uint8_t *name = NULL;
2003
2004 olb->off += base;
2005
2006 len = olb->len;
2007 off = olb->off;
2008
2009
2010 /* sanity check */
2011 tvb_ensure_bytes_exist(tvb, off, len);
2012 if (((off+len)<off)
2013 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
2014 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, off, -1,
2015 "Invalid offset/length. Malformed packet");
2016
2017 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
2018
2019 return NULL;
2020 }
2021
2022
2023 switch (type) {
2024 case OLB_TYPE_UNICODE_STRING:
2025 item = proto_tree_add_item_ret_string(parent_tree,
2026 olb->hfindex, tvb, off, len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
2027 pinfo->pool, &name);
2028 tree = proto_item_add_subtree(item, ett_smb2_olb);
2029 break;
2030 case OLB_TYPE_ASCII_STRING:
2031 item = proto_tree_add_item_ret_string(parent_tree,
2032 olb->hfindex, tvb, off, len, ENC_ASCII|ENC_NA,
2033 pinfo->pool, &name);
2034 tree = proto_item_add_subtree(item, ett_smb2_olb);
2035 break;
2036 }
2037
2038 switch (olb->offset_size) {
2039 case OLB_O_UINT16_S_UINT16:
2040 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
2041 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
2042 break;
2043 case OLB_O_UINT16_S_UINT32:
2044 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
2045 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
2046 break;
2047 case OLB_O_UINT8_P_UINT8_S_UINT32:
2048 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 1, ENC_NA);
2049 proto_tree_add_item(tree, hf_smb2_reserved, tvb, olb->off_offset+1, 1, ENC_NA);
2050 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
2051 break;
2052 case OLB_O_UINT32_S_UINT32:
2053 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
2054 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
2055 break;
2056 case OLB_S_UINT32_O_UINT32:
2057 proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
2058 proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
2059 break;
2060 }
2061
2062 return name;
2063 }
2064
2065 static const uint8_t *
2066 dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
2067 {
2068 return dissect_smb2_olb_off_string(pinfo, parent_tree, tvb, olb, 0, type);
2069 }
2070
2071 static void
2072 dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
2073 offset_length_buffer_t *olb, smb2_info_t *si,
2074 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
2075 {
2076 int len, off;
2077 proto_item *sub_item = NULL;
2078 proto_tree *sub_tree = NULL;
2079 tvbuff_t *sub_tvb = NULL;
2080 int offset;
2081
2082 offset = olb->off;
2083 len = olb->len;
2084 off = olb->off;
2085
2086 /* sanity check */
2087 tvb_ensure_bytes_exist(tvb, off, len);
2088 if (((off+len)<off)
2089 || ((off+len)>(off+tvb_reported_length_remaining(tvb, off)))) {
2090 proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
2091 "Invalid offset/length. Malformed packet");
2092
2093 col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");
2094
2095 return;
2096 }
2097
2098 switch (olb->offset_size) {
2099 case OLB_O_UINT16_S_UINT16:
2100 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
2101 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
2102 break;
2103 case OLB_O_UINT16_S_UINT32:
2104 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
2105 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
2106 break;
2107 case OLB_O_UINT8_P_UINT8_S_UINT32:
2108 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 1, ENC_NA);
2109 proto_tree_add_item(parent_tree, hf_smb2_reserved, tvb, olb->off_offset+1, 1, ENC_NA);
2110 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
2111 break;
2112 case OLB_O_UINT32_S_UINT32:
2113 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
2114 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
2115 break;
2116 case OLB_S_UINT32_O_UINT32:
2117 proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
2118 proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
2119 break;
2120 }
2121
2122 /* if we don't want/need a subtree */
2123 if (olb->hfindex == -1) {
2124 sub_item = parent_tree;
2125 sub_tree = parent_tree;
2126 } else {
2127 if (parent_tree) {
2128 sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
2129 sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
2130 }
2131 }
2132
2133 if (off == 0 || len == 0) {
2134 proto_item_append_text(sub_item, ": NO DATA");
2135 return;
2136 }
2137
2138 if (!dissector) {
2139 return;
2140 }
2141
2142 sub_tvb = tvb_new_subset_length_caplen(tvb, off, MIN((int)len, tvb_captured_length_remaining(tvb, off)), len);
2143
2144 dissector(sub_tvb, pinfo, sub_tree, si);
2145 }
2146
2147 static int
2148 dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
2149 {
2150 if (olb->off == 0) {
2151 return offset;
2152 }
2153 return MAX(offset, (int)(olb->off + olb->len));
2154 }
2155
2156 typedef struct _smb2_function {
2157 int (*request) (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
2158 int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
2159 } smb2_function;
2160
2161 static const true_false_string tfs_smb2_svhdx_has_initiator_id = {
2162 "Has an initiator id",
2163 "Does not have an initiator id"
2164 };
2165
2166 static const true_false_string tfs_flags_response = {
2167 "This is a RESPONSE",
2168 "This is a REQUEST"
2169 };
2170
2171 static const true_false_string tfs_flags_async_cmd = {
2172 "This is an ASYNC command",
2173 "This is a SYNC command"
2174 };
2175
2176 static const true_false_string tfs_flags_dfs_op = {
2177 "This is a DFS OPERATION",
2178 "This is a normal operation"
2179 };
2180
2181 static const true_false_string tfs_flags_chained = {
2182 "This pdu is a CHAINED command",
2183 "This pdu is NOT a chained command"
2184 };
2185
2186 static const true_false_string tfs_flags_signature = {
2187 "This pdu is SIGNED",
2188 "This pdu is NOT signed"
2189 };
2190
2191 static const true_false_string tfs_flags_replay_operation = {
2192 "This is a REPLAY OPERATION",
2193 "This is NOT a replay operation"
2194 };
2195
2196 static const true_false_string tfs_flags_priority_mask = {
2197 "This pdu contains a PRIORITY",
2198 "This pdu does NOT contain a PRIORITY"
2199 };
2200
2201 static const true_false_string tfs_cap_dfs = {
2202 "This host supports DFS",
2203 "This host does NOT support DFS"
2204 };
2205
2206 static const true_false_string tfs_cap_leasing = {
2207 "This host supports LEASING",
2208 "This host does NOT support LEASING"
2209 };
2210
2211 static const true_false_string tfs_cap_large_mtu = {
2212 "This host supports LARGE_MTU",
2213 "This host does NOT support LARGE_MTU"
2214 };
2215
2216 static const true_false_string tfs_cap_multi_channel = {
2217 "This host supports MULTI CHANNEL",
2218 "This host does NOT support MULTI CHANNEL"
2219 };
2220
2221 static const true_false_string tfs_cap_persistent_handles = {
2222 "This host supports PERSISTENT HANDLES",
2223 "This host does NOT support PERSISTENT HANDLES"
2224 };
2225
2226 static const true_false_string tfs_cap_directory_leasing = {
2227 "This host supports DIRECTORY LEASING",
2228 "This host does NOT support DIRECTORY LEASING"
2229 };
2230
2231 static const true_false_string tfs_cap_encryption = {
2232 "This host supports ENCRYPTION",
2233 "This host does NOT support ENCRYPTION"
2234 };
2235
2236 static const true_false_string tfs_cap_notifications = {
2237 "This host supports receiving NOTIFICATIONS",
2238 "This host does NOT support receiving NOTIFICATIONS"
2239 };
2240
2241 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
2242 "This interface supports RSS",
2243 "This interface does not support RSS"
2244 };
2245
2246 static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
2247 "This interface supports RDMA",
2248 "This interface does not support RDMA"
2249 };
2250
2251 static const value_string file_region_usage_vals[] = {
2252 { 0x00000001, "FILE_REGION_USAGE_VALID_CACHED_DATA" },
2253 { 0, NULL }
2254 };
2255
2256 static const value_string originator_flags_vals[] = {
2257 { 1, "SVHDX_ORIGINATOR_PVHDPARSER" },
2258 { 4, "SVHDX_ORIGINATOR_VHDMP" },
2259 { 0, NULL }
2260 };
2261
2262 static const value_string compression_format_vals[] = {
2263 { 0, "COMPRESSION_FORMAT_NONE" },
2264 { 1, "COMPRESSION_FORMAT_DEFAULT" },
2265 { 2, "COMPRESSION_FORMAT_LZNT1" },
2266 { 0, NULL }
2267 };
2268
2269 static const value_string checksum_algorithm_vals[] = {
2270 { 0x0000, "CHECKSUM_TYPE_NONE" },
2271 { 0x0002, "CHECKSUM_TYPE_CRC64" },
2272 { 0xFFFF, "CHECKSUM_TYPE_UNCHANGED" },
2273 { 0, NULL }
2274 };
2275
2276 /* Note: All uncommented are "dissector not implemented" */
2277 static const value_string smb2_ioctl_vals[] = {
2278 {0x00060194, "FSCTL_DFS_GET_REFERRALS"}, /* dissector implemented */
2279 {0x000601B0, "FSCTL_DFS_GET_REFERRALS_EX"},
2280 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
2281 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
2282 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
2283 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
2284 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
2285 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
2286 {0x00090018, "FSCTL_LOCK_VOLUME"},
2287 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
2288 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
2289 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
2290 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
2291 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
2292 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
2293 {0x0009003C, "FSCTL_GET_COMPRESSION"}, /* dissector implemented */
2294 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
2295 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
2296 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
2297 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
2298 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
2299 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
2300 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
2301 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
2302 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
2303 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
2304 {0x00090074, "FSCTL_MOVE_FILE"},
2305 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
2306 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
2307 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
2308 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
2309 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
2310 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
2311 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
2312 {0x0009009C, "FSCTL_GET_OBJECT_ID"}, /* dissector implemented */
2313 {0x000900A4, "FSCTL_SET_REPARSE_POINT"}, /* dissector implemented */
2314 {0x000900A8, "FSCTL_GET_REPARSE_POINT"}, /* dissector implemented */
2315 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"}, /* dissector implemented */
2316 {0x000900C4, "FSCTL_SET_SPARSE"}, /* dissector implemented */
2317 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
2318 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
2319 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
2320 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
2321 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
2322 {0x00090244, "FSCTL_CSV_TUNNEL_REQUEST"},
2323 {0x0009027C, "FSCTL_GET_INTEGRITY_INFORMATION"},
2324 {0x00090284, "FSCTL_QUERY_FILE_REGIONS"}, /* dissector implemented */
2325 {0x000902c8, "FSCTL_CSV_SYNC_TUNNEL_REQUEST"},
2326 {0x00090300, "FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT"}, /* dissector implemented */
2327 {0x00090304, "FSCTL_SVHDX_SYNC_TUNNEL_REQUEST"}, /* dissector implemented */
2328 {0x00090308, "FSCTL_SVHDX_SET_INITIATOR_INFORMATION"},
2329 {0x0009030C, "FSCTL_SET_EXTERNAL_BACKING"},
2330 {0x00090310, "FSCTL_GET_EXTERNAL_BACKING"},
2331 {0x00090314, "FSCTL_DELETE_EXTERNAL_BACKING"},
2332 {0x00090318, "FSCTL_ENUM_EXTERNAL_BACKING"},
2333 {0x0009031F, "FSCTL_ENUM_OVERLAY"},
2334 {0x00090350, "FSCTL_STORAGE_QOS_CONTROL"}, /* dissector implemented */
2335 {0x00090364, "FSCTL_SVHDX_ASYNC_TUNNEL_REQUEST"}, /* dissector implemented */
2336 {0x00090380, "FSCTL_SET_INTEGRITY_INFORMATION_EX"}, /* dissector implemented */
2337 {0x00090440, "FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT"}, /* dissector implemented */
2338 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
2339 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
2340 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
2341 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"}, /* dissector implemented */
2342 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
2343 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
2344 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
2345 {0x00094264, "FSCTL_OFFLOAD_READ"}, /* dissector implemented */
2346 {0x00098098, "FSCTL_SET_OBJECT_ID"}, /* dissector implemented */
2347 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */
2348 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
2349 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
2350 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"}, /* dissector implemented */
2351 {0x000980C8, "FSCTL_SET_ZERO_DATA"}, /* dissector implemented */
2352 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
2353 {0x00098208, "FSCTL_FILE_LEVEL_TRIM"},
2354 {0x00098268, "FSCTL_OFFLOAD_WRITE"}, /* dissector implemented */
2355 {0x0009C040, "FSCTL_SET_COMPRESSION"}, /* dissector implemented */
2356 {0x0009C280, "FSCTL_SET_INTEGRITY_INFORMATION"}, /* dissector implemented */
2357 {0x00110018, "FSCTL_PIPE_WAIT"}, /* dissector implemented */
2358 {0x0011400C, "FSCTL_PIPE_PEEK"},
2359 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"}, /* dissector implemented */
2360 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
2361 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"}, /* dissector implemented */
2362 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"}, /* dissector implemented */
2363 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"}, /* dissector implemented */
2364 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"}, /* dissector implemented */
2365 {0x00144064, "FSCTL_SRV_ENUMERATE_SNAPSHOTS"}, /* dissector implemented */
2366 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
2367 {0x001441bb, "FSCTL_SRV_READ_HASH"},
2368 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
2369 { 0, NULL }
2370 };
2371 static value_string_ext smb2_ioctl_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_vals);
2372
2373 static const value_string smb2_ioctl_device_vals[] = {
2374 { 0x0001, "BEEP" },
2375 { 0x0002, "CD_ROM" },
2376 { 0x0003, "CD_ROM_FILE_SYSTEM" },
2377 { 0x0004, "CONTROLLER" },
2378 { 0x0005, "DATALINK" },
2379 { 0x0006, "DFS" },
2380 { 0x0007, "DISK" },
2381 { 0x0008, "DISK_FILE_SYSTEM" },
2382 { 0x0009, "FILE_SYSTEM" },
2383 { 0x000a, "INPORT_PORT" },
2384 { 0x000b, "KEYBOARD" },
2385 { 0x000c, "MAILSLOT" },
2386 { 0x000d, "MIDI_IN" },
2387 { 0x000e, "MIDI_OUT" },
2388 { 0x000f, "MOUSE" },
2389 { 0x0010, "MULTI_UNC_PROVIDER" },
2390 { 0x0011, "NAMED_PIPE" },
2391 { 0x0012, "NETWORK" },
2392 { 0x0013, "NETWORK_BROWSER" },
2393 { 0x0014, "NETWORK_FILE_SYSTEM" },
2394 { 0x0015, "NULL" },
2395 { 0x0016, "PARALLEL_PORT" },
2396 { 0x0017, "PHYSICAL_NETCARD" },
2397 { 0x0018, "PRINTER" },
2398 { 0x0019, "SCANNER" },
2399 { 0x001a, "SERIAL_MOUSE_PORT" },
2400 { 0x001b, "SERIAL_PORT" },
2401 { 0x001c, "SCREEN" },
2402 { 0x001d, "SOUND" },
2403 { 0x001e, "STREAMS" },
2404 { 0x001f, "TAPE" },
2405 { 0x0020, "TAPE_FILE_SYSTEM" },
2406 { 0x0021, "TRANSPORT" },
2407 { 0x0022, "UNKNOWN" },
2408 { 0x0023, "VIDEO" },
2409 { 0x0024, "VIRTUAL_DISK" },
2410 { 0x0025, "WAVE_IN" },
2411 { 0x0026, "WAVE_OUT" },
2412 { 0x0027, "8042_PORT" },
2413 { 0x0028, "NETWORK_REDIRECTOR" },
2414 { 0x0029, "BATTERY" },
2415 { 0x002a, "BUS_EXTENDER" },
2416 { 0x002b, "MODEM" },
2417 { 0x002c, "VDM" },
2418 { 0x002d, "MASS_STORAGE" },
2419 { 0x002e, "SMB" },
2420 { 0x002f, "KS" },
2421 { 0x0030, "CHANGER" },
2422 { 0x0031, "SMARTCARD" },
2423 { 0x0032, "ACPI" },
2424 { 0x0033, "DVD" },
2425 { 0x0034, "FULLSCREEN_VIDEO" },
2426 { 0x0035, "DFS_FILE_SYSTEM" },
2427 { 0x0036, "DFS_VOLUME" },
2428 { 0x0037, "SERENUM" },
2429 { 0x0038, "TERMSRV" },
2430 { 0x0039, "KSEC" },
2431 { 0, NULL }
2432 };
2433 static value_string_ext smb2_ioctl_device_vals_ext = VALUE_STRING_EXT_INIT(smb2_ioctl_device_vals);
2434
2435 static const value_string smb2_ioctl_access_vals[] = {
2436 { 0x00, "FILE_ANY_ACCESS" },
2437 { 0x01, "FILE_READ_ACCESS" },
2438 { 0x02, "FILE_WRITE_ACCESS" },
2439 { 0x03, "FILE_READ_WRITE_ACCESS" },
2440 { 0, NULL }
2441 };
2442
2443 static const value_string smb2_ioctl_method_vals[] = {
2444 { 0x00, "METHOD_BUFFERED" },
2445 { 0x01, "METHOD_IN_DIRECT" },
2446 { 0x02, "METHOD_OUT_DIRECT" },
2447 { 0x03, "METHOD_NEITHER" },
2448 { 0, NULL }
2449 };
2450
2451 static const value_string smb2_ioctl_shared_virtual_disk_vals[] = {
2452 { 0x01, "SharedVirtualDisksSupported" },
2453 { 0x07, "SharedVirtualDiskCDPSnapshotsSupported" },
2454 { 0, NULL }
2455 };
2456
2457 static const value_string smb2_ioctl_shared_virtual_disk_hstate_vals[] = {
2458 { 0x00, "HandleStateNone" },
2459 { 0x01, "HandleStateFileShared" },
2460 { 0x03, "HandleStateShared" },
2461 { 0, NULL }
2462 };
2463
2464 /* this is called from both smb and smb2. */
2465 int
2466 dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, uint32_t *ioctlfunc)
2467 {
2468 proto_item *item = NULL;
2469 proto_tree *tree = NULL;
2470 uint32_t ioctl_function;
2471
2472 if (parent_tree) {
2473 item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2474 tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
2475 }
2476
2477 ioctl_function = tvb_get_letohl(tvb, offset);
2478 if (ioctlfunc)
2479 *ioctlfunc = ioctl_function;
2480 if (ioctl_function) {
2481 const char *unknown = "unknown";
2482 const char *ioctl_name = val_to_str_ext_const(ioctl_function,
2483 &smb2_ioctl_vals_ext,
2484 unknown);
2485
2486 /*
2487 * val_to_str_const() doesn't work with a unknown == NULL
2488 */
2489 if (ioctl_name == unknown) {
2490 ioctl_name = NULL;
2491 }
2492
2493 if (ioctl_name != NULL) {
2494 col_append_fstr(
2495 pinfo->cinfo, COL_INFO, " %s", ioctl_name);
2496 }
2497
2498 /* device */
2499 proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2500 if (ioctl_name == NULL) {
2501 col_append_fstr(
2502 pinfo->cinfo, COL_INFO, " %s",
2503 val_to_str_ext((ioctl_function>>16)&0xffff, &smb2_ioctl_device_vals_ext,
2504 "Unknown (0x%08X)"));
2505 }
2506
2507 /* access */
2508 proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2509
2510 /* function */
2511 proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2512 if (ioctl_name == NULL) {
2513 col_append_fstr(
2514 pinfo->cinfo, COL_INFO, " Function:0x%04x",
2515 (ioctl_function>>2)&0x0fff);
2516 }
2517
2518 /* method */
2519 proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2520 }
2521
2522 offset += 4;
2523
2524 return offset;
2525 }
2526
2527 /* fake the dce/rpc support structures so we can piggy back on
2528 * dissect_nt_policy_hnd() since this will allow us
2529 * a cheap way to track where FIDs are opened, closed
2530 * and fid->filename mappings
2531 * if we want to do those things in the future.
2532 */
2533 #define FID_MODE_OPEN 0
2534 #define FID_MODE_CLOSE 1
2535 #define FID_MODE_USE 2
2536 #define FID_MODE_DHNQ 3
2537 #define FID_MODE_DHNC 4
2538 static int
2539 dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si, int mode)
2540 {
2541 uint8_t drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
2542 static dcerpc_info di; /* fake dcerpc_info struct */
2543 static dcerpc_call_value call_data;
2544 e_ctx_hnd policy_hnd = {0, DCERPC_UUID_NULL};
2545 e_ctx_hnd *policy_hnd_hashtablekey;
2546 proto_item *hnd_item = NULL;
2547 char *fid_name;
2548 uint32_t open_frame = 0, close_frame = 0;
2549 smb2_eo_file_info_t *eo_file_info;
2550 smb2_fid_info_t sfi_key;
2551 smb2_fid_info_t *sfi = NULL;
2552 uint8_t buf[8];
2553 uint64_t pol_uuid;
2554
2555 memset(&sfi_key, 0, sizeof(sfi_key));
2556 sfi_key.fid_persistent = tvb_get_letoh64(tvb, offset);
2557 sfi_key.fid_volatile = tvb_get_letoh64(tvb, offset+8);
2558 sfi_key.sesid = si->sesid;
2559 sfi_key.tid = si->tid;
2560 sfi_key.frame_key = pinfo->num;
2561 sfi_key.name = NULL;
2562
2563 di.conformant_run = 0;
2564 /* we need di->call_data->flags.NDR64 == 0 */
2565 di.call_data = &call_data;
2566
2567 switch (mode) {
2568 case FID_MODE_OPEN:
2569 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, PIDL_POLHND_OPEN);
2570 if (!pinfo->fd->visited) {
2571 sfi = wmem_new(wmem_file_scope(), smb2_fid_info_t);
2572 *sfi = sfi_key;
2573 sfi->frame_key = 0;
2574 sfi->frame_beg = si->saved ? si->saved->frame_req : pinfo->num;
2575 sfi->frame_end = UINT32_MAX;
2576
2577 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
2578 sfi->name = wmem_strdup(wmem_file_scope(), (char *)si->saved->extra_info);
2579 } else {
2580 sfi->name = wmem_strdup_printf(wmem_file_scope(), "[unknown]");
2581 }
2582
2583 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
2584 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: %s", (char *)si->saved->extra_info);
2585 } else {
2586 fid_name = wmem_strdup_printf(wmem_file_scope(), "File: ");
2587 }
2588 dcerpc_store_polhnd_name(&policy_hnd, pinfo,
2589 fid_name);
2590
2591 wmem_map_insert(si->session->fids, sfi, sfi);
2592 si->file = sfi;
2593
2594 /* If needed, create the file entry and save the policy hnd */
2595 if (si->saved) {
2596 si->saved->file = sfi;
2597 si->saved->policy_hnd = policy_hnd;
2598 }
2599
2600 if (si->conv) {
2601 eo_file_info = (smb2_eo_file_info_t *)wmem_map_lookup(si->session->files,&policy_hnd);
2602 if (!eo_file_info) {
2603 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
2604 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
2605 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
2606 eo_file_info->end_of_file=0;
2607 wmem_map_insert(si->session->files,policy_hnd_hashtablekey,eo_file_info);
2608 }
2609 si->eo_file_info=eo_file_info;
2610 }
2611 }
2612 break;
2613 case FID_MODE_CLOSE:
2614 if (!pinfo->fd->visited) {
2615 smb2_fid_info_t *fid = (smb2_fid_info_t *)wmem_map_lookup(si->session->fids, &sfi_key);
2616 if (fid) {
2617 /* set last frame */
2618 fid->frame_end = pinfo->num;
2619 }
2620 }
2621 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, PIDL_POLHND_CLOSE);
2622 break;
2623 case FID_MODE_USE:
2624 case FID_MODE_DHNQ:
2625 case FID_MODE_DHNC:
2626 offset = dissect_nt_guid_hnd(tvb, offset, pinfo, tree, &di, drep, hf_smb2_fid, &policy_hnd, &hnd_item, PIDL_POLHND_USE);
2627 break;
2628 }
2629
2630 si->file = (smb2_fid_info_t *)wmem_map_lookup(si->session->fids, &sfi_key);
2631 if (si->file) {
2632 if (si->saved) {
2633 si->saved->file = si->file;
2634 }
2635 if (si->file->name) {
2636 if (hnd_item) {
2637 proto_item_append_text(hnd_item, " File: %s", si->file->name);
2638 }
2639 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s", si->file->name);
2640 }
2641 }
2642
2643 if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
2644 /* look for the eo_file_info */
2645 if (!si->eo_file_info) {
2646 if (si->saved) { si->saved->policy_hnd = policy_hnd; }
2647 if (si->conv) {
2648 eo_file_info = (smb2_eo_file_info_t *)wmem_map_lookup(si->session->files,&policy_hnd);
2649 if (eo_file_info) {
2650 si->eo_file_info=eo_file_info;
2651 } else { /* XXX This should never happen */
2652 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
2653 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
2654 memcpy(policy_hnd_hashtablekey, &policy_hnd, sizeof(e_ctx_hnd));
2655 eo_file_info->end_of_file=0;
2656 wmem_map_insert(si->session->files,policy_hnd_hashtablekey,eo_file_info);
2657 }
2658 }
2659 }
2660 }
2661 /* Calculate GUID (FID) hash
2662 * This provides hash that can be filtered on to provide the SMB2 requests and responses
2663 * associated with a given FID. Note that filtering instead on the FID only returns the CREATE
2664 * response, and SMB2 requests but not their responses.
2665 */
2666 if(!pinfo->fd->visited && si->saved
2667 && policy_hnd.uuid.data1 > 0
2668 && policy_hnd.uuid.data1 < 0xffffffff) {
2669 pol_uuid = policy_hnd.uuid.data1 + policy_hnd.uuid.data2 + policy_hnd.uuid.data3;
2670 for(int i = 0; i < 8; i++) {
2671 buf[i] = (pol_uuid >> (56 - i * 8)) & 0xFF;
2672 }
2673 si->saved->fid_hash = crc32_ccitt(buf, 8);
2674 }
2675
2676 return offset;
2677 }
2678
2679 #define SMB2_FSCC_FILE_ATTRIBUTE_READ_ONLY 0x00000001
2680 #define SMB2_FSCC_FILE_ATTRIBUTE_HIDDEN 0x00000002
2681 #define SMB2_FSCC_FILE_ATTRIBUTE_SYSTEM 0x00000004
2682 #define SMB2_FSCC_FILE_ATTRIBUTE_DIRECTORY 0x00000010
2683 #define SMB2_FSCC_FILE_ATTRIBUTE_ARCHIVE 0x00000020
2684 #define SMB2_FSCC_FILE_ATTRIBUTE_NORMAL 0x00000080
2685 #define SMB2_FSCC_FILE_ATTRIBUTE_TEMPORARY 0x00000100
2686 #define SMB2_FSCC_FILE_ATTRIBUTE_SPARSE_FILE 0x00000200
2687 #define SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT 0x00000400
2688 #define SMB2_FSCC_FILE_ATTRIBUTE_COMPRESSED 0x00000800
2689 #define SMB2_FSCC_FILE_ATTRIBUTE_OFFLINE 0x00001000
2690 #define SMB2_FSCC_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
2691 #define SMB2_FSCC_FILE_ATTRIBUTE_ENCRYPTED 0x00004000
2692 #define SMB2_FSCC_FILE_ATTRIBUTE_INTEGRITY_STREAM 0x00008000
2693 #define SMB2_FSCC_FILE_ATTRIBUTE_NO_SCRUB_DATA 0x00020000
2694 #define SMB2_FSCC_FILE_ATTRIBUTE_RECALL_ON_OPEN 0x00040000
2695 #define SMB2_FSCC_FILE_ATTRIBUTE_PINNED 0x00080000
2696 #define SMB2_FSCC_FILE_ATTRIBUTE_UNPINNED 0x00100000
2697 #define SMB2_FSCC_FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS 0x00400000
2698
2699
2700 static const true_false_string tfs_fscc_file_attribute_reparse = {
2701 "Has an associated REPARSE POINT",
2702 "Does NOT have an associated reparse point"
2703 };
2704 static const true_false_string tfs_fscc_file_attribute_compressed = {
2705 "COMPRESSED",
2706 "Uncompressed"
2707 };
2708 static const true_false_string tfs_fscc_file_attribute_offline = {
2709 "OFFLINE",
2710 "Online"
2711 };
2712 static const true_false_string tfs_fscc_file_attribute_not_content_indexed = {
2713 "Is not indexed by the content indexing service",
2714 "Is indexed by the content indexing service"
2715 };
2716 static const true_false_string tfs_fscc_file_attribute_integrity_stream = {
2717 "Has Integrity Support",
2718 "Does NOT have Integrity Support"
2719 };
2720 static const true_false_string tfs_fscc_file_attribute_no_scrub_data = {
2721 "Is excluded from the data integrity scan",
2722 "Is not excluded from the data integrity scan"
2723 };
2724 static const true_false_string tfs_fscc_file_attribute_recall_on_open = {
2725 "When OPENED, remote file should be fetched from remote storage",
2726 "When OPENED, remote file should NOT be fetched from remote storage"
2727 };
2728 static const true_false_string tfs_fscc_file_attribute_pinned = {
2729 "File/dir should be kept locally even when unused",
2730 "File/dir should NOT be kept locally when unused"
2731 };
2732 static const true_false_string tfs_fscc_file_attribute_unpinned = {
2733 "File/dir should NOT be fully kept locally except when accessed",
2734 "File/dir should be fully kept locally when accessed"
2735 };
2736 static const true_false_string tfs_fscc_file_attribute_recall_on_data_access = {
2737 "When accessed remote content of file/dir should be fetched",
2738 "When accessed remote content of file/dir should NOT be fetched"
2739 };
2740
2741 /*
2742 * File Attributes, section 2.6 in the [MS-FSCC] spec
2743 */
2744 static int
2745 dissect_fscc_file_attr(tvbuff_t* tvb, proto_tree* parent_tree, int offset, uint32_t* attr)
2746 {
2747 uint32_t mask = tvb_get_letohl(tvb, offset);
2748 static int* const mask_fields[] = {
2749 &hf_smb2_fscc_file_attr_read_only,
2750 &hf_smb2_fscc_file_attr_hidden,
2751 &hf_smb2_fscc_file_attr_system,
2752 &hf_smb2_fscc_file_attr_directory,
2753 &hf_smb2_fscc_file_attr_archive,
2754 &hf_smb2_fscc_file_attr_normal,
2755 &hf_smb2_fscc_file_attr_temporary,
2756 &hf_smb2_fscc_file_attr_sparse_file,
2757 &hf_smb2_fscc_file_attr_reparse_point,
2758 &hf_smb2_fscc_file_attr_compressed,
2759 &hf_smb2_fscc_file_attr_offline,
2760 &hf_smb2_fscc_file_attr_not_content_indexed,
2761 &hf_smb2_fscc_file_attr_encrypted,
2762 &hf_smb2_fscc_file_attr_integrity_stream,
2763 &hf_smb2_fscc_file_attr_no_scrub_data,
2764 &hf_smb2_fscc_file_attr_recall_on_open,
2765 &hf_smb2_fscc_file_attr_pinned,
2766 &hf_smb2_fscc_file_attr_unpinned,
2767 &hf_smb2_fscc_file_attr_recall_on_data_access,
2768 NULL
2769 };
2770
2771 proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset, hf_smb2_fscc_file_attr, ett_smb2_fscc_file_attributes, mask_fields, mask, BMT_NO_APPEND);
2772
2773 offset += 4;
2774
2775 if (attr)
2776 *attr = mask;
2777
2778 return offset;
2779 }
2780
2781 /* this info level is unique to SMB2 and differst from the corresponding
2782 * SMB_FILE_ALL_INFO in SMB
2783 */
2784 static int
2785 dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2786 {
2787 proto_item *item = NULL;
2788 proto_tree *tree = NULL;
2789 int length;
2790 static int * const mode_fields[] = {
2791 &hf_smb2_mode_file_write_through,
2792 &hf_smb2_mode_file_sequential_only,
2793 &hf_smb2_mode_file_no_intermediate_buffering,
2794 &hf_smb2_mode_file_synchronous_io_alert,
2795 &hf_smb2_mode_file_synchronous_io_nonalert,
2796 &hf_smb2_mode_file_delete_on_close,
2797 NULL,
2798 };
2799
2800 if (parent_tree) {
2801 item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
2802 tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
2803 }
2804
2805 /* create time */
2806 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
2807 offset += 8;
2808
2809 /* last access */
2810 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
2811 offset += 8;
2812
2813 /* last write */
2814 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
2815 offset += 8;
2816
2817 /* last change */
2818 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
2819 offset += 8;
2820
2821 /* File Attributes */
2822 offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);
2823
2824 /* some unknown bytes */
2825 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
2826 offset += 4;
2827
2828 /* allocation size */
2829 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2830 offset += 8;
2831
2832 /* end of file */
2833 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2834 offset += 8;
2835
2836 /* number of links */
2837 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2838 offset += 4;
2839
2840 /* delete pending */
2841 proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2842 offset += 1;
2843
2844 /* is directory */
2845 proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
2846 offset += 1;
2847
2848 /* padding */
2849 offset += 2;
2850
2851 /* file id */
2852 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
2853 offset += 8;
2854
2855 /* ea size */
2856 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2857 offset += 4;
2858
2859 /* access mask */
2860 offset = dissect_smb_access_mask(tvb, tree, offset);
2861
2862 /* Position Information */
2863 proto_tree_add_item(tree, hf_smb2_position_information, tvb, offset, 8, ENC_NA);
2864 offset += 8;
2865
2866 /* Mode Information */
2867 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_mode_information, ett_smb2_file_mode_info, mode_fields, ENC_LITTLE_ENDIAN);
2868 offset += 4;
2869
2870 /* Alignment Information */
2871 proto_tree_add_item(tree, hf_smb2_alignment_information, tvb, offset, 4, ENC_NA);
2872 offset +=4;
2873
2874 /* file name length */
2875 length = tvb_get_letohs(tvb, offset);
2876 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2877 offset += 4;
2878
2879 /* file name */
2880 if (length) {
2881 proto_tree_add_item(tree, hf_smb2_filename,
2882 tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
2883 offset += length;
2884 }
2885
2886 return offset;
2887 }
2888
2889
2890 static int
2891 dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2892 {
2893 proto_item *item = NULL;
2894 proto_tree *tree = NULL;
2895 uint16_t bc;
2896 bool trunc;
2897
2898 if (parent_tree) {
2899 item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
2900 tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
2901 }
2902
2903 bc = tvb_captured_length_remaining(tvb, offset);
2904 offset = dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2905
2906 return offset;
2907 }
2908
2909 static int
2910 dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2911 {
2912 proto_item *item = NULL;
2913 proto_tree *tree = NULL;
2914 uint16_t bc;
2915 bool trunc;
2916
2917 if (parent_tree) {
2918 item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
2919 tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
2920 }
2921
2922 bc = tvb_captured_length_remaining(tvb, offset);
2923 offset = dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
2924
2925 return offset;
2926 }
2927
2928 static int
2929 dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2930 {
2931 proto_item *item = NULL;
2932 proto_tree *tree = NULL;
2933 uint16_t bc;
2934 bool trunc;
2935
2936 if (parent_tree) {
2937 item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
2938 tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
2939 }
2940
2941 bc = tvb_captured_length_remaining(tvb, offset);
2942 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ true);
2943
2944 return offset;
2945 }
2946
2947 static int
2948 dissect_smb2_file_normalized_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2949 {
2950 proto_item *item = NULL;
2951 proto_tree *tree = NULL;
2952 uint16_t bc;
2953 bool trunc;
2954
2955 if (parent_tree) {
2956 item = proto_tree_add_item(parent_tree, hf_smb2_file_normalized_name_info, tvb, offset, -1, ENC_NA);
2957 tree = proto_item_add_subtree(item, ett_smb2_file_normalized_name_info);
2958 }
2959
2960 bc = tvb_captured_length_remaining(tvb, offset);
2961 offset = dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ true);
2962
2963 return offset;
2964 }
2965
2966 static int
2967 dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
2968 {
2969 proto_item *item = NULL;
2970 proto_tree *tree = NULL;
2971
2972 if (parent_tree) {
2973 item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
2974 tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
2975 }
2976
2977 /* create time */
2978 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
2979 offset += 8;
2980
2981 /* last access */
2982 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
2983 offset += 8;
2984
2985 /* last write */
2986 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
2987 offset += 8;
2988
2989 /* last change */
2990 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
2991 offset += 8;
2992
2993 /* File Attributes */
2994 offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);
2995
2996 /* some unknown bytes */
2997 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
2998 offset += 4;
2999
3000 return offset;
3001 }
3002
3003 static int
3004 dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3005 {
3006 proto_item *item = NULL;
3007 proto_tree *tree = NULL;
3008 uint16_t bc;
3009 bool trunc;
3010
3011 if (parent_tree) {
3012 item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
3013 tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
3014 }
3015
3016 bc = tvb_captured_length_remaining(tvb, offset);
3017 offset = dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3018
3019 return offset;
3020 }
3021 static int
3022 dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3023 {
3024 proto_item *item = NULL;
3025 proto_tree *tree = NULL;
3026 uint16_t bc;
3027 bool trunc;
3028
3029 if (parent_tree) {
3030 item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
3031 tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
3032 }
3033
3034 bc = tvb_captured_length_remaining(tvb, offset);
3035 offset = dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3036
3037 return offset;
3038 }
3039 static int
3040 dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3041 {
3042 proto_item *item = NULL;
3043 proto_tree *tree = NULL;
3044 uint16_t bc;
3045 bool trunc;
3046
3047 if (parent_tree) {
3048 item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
3049 tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
3050 }
3051
3052 bc = tvb_captured_length_remaining(tvb, offset);
3053 offset = dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3054
3055 return offset;
3056 }
3057 static int
3058 dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3059 {
3060 proto_item *item = NULL;
3061 proto_tree *tree = NULL;
3062 uint16_t bc;
3063 bool trunc;
3064
3065 if (parent_tree) {
3066 item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
3067 tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
3068 }
3069
3070 bc = tvb_captured_length_remaining(tvb, offset);
3071 offset = dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3072
3073 return offset;
3074 }
3075 static int
3076 dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3077 {
3078 proto_item *item = NULL;
3079 proto_tree *tree = NULL;
3080 uint16_t bc;
3081 bool trunc;
3082
3083 if (parent_tree) {
3084 item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
3085 tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
3086 }
3087
3088 bc = tvb_captured_length_remaining(tvb, offset);
3089 offset = dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3090
3091 return offset;
3092 }
3093
3094 static int
3095 dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3096 {
3097 proto_item *item = NULL;
3098 proto_tree *tree = NULL;
3099
3100 if (parent_tree) {
3101 item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
3102 tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
3103 }
3104
3105 /* access mask */
3106 offset = dissect_smb_access_mask(tvb, tree, offset);
3107
3108 return offset;
3109 }
3110
3111 static int
3112 dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3113 {
3114 proto_item *item = NULL;
3115 proto_tree *tree = NULL;
3116 uint16_t bc;
3117 bool trunc;
3118
3119 if (parent_tree) {
3120 item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
3121 tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
3122 }
3123
3124 bc = tvb_captured_length_remaining(tvb, offset);
3125 offset = dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3126
3127 return offset;
3128 }
3129
3130 static int
3131 dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3132 {
3133 proto_item *item = NULL;
3134 proto_tree *tree = NULL;
3135 uint16_t bc;
3136 bool trunc;
3137
3138 if (parent_tree) {
3139 item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
3140 tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
3141 }
3142
3143 bc = tvb_captured_length_remaining(tvb, offset);
3144 offset = dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, true);
3145
3146 return offset;
3147 }
3148
3149 static int
3150 dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3151 {
3152 proto_item *item = NULL;
3153 proto_tree *tree = NULL;
3154 uint16_t bc;
3155 bool trunc;
3156
3157 if (parent_tree) {
3158 item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
3159 tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
3160 }
3161
3162 bc = tvb_captured_length_remaining(tvb, offset);
3163 offset = dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3164
3165 return offset;
3166 }
3167
3168 static int
3169 dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3170 {
3171 proto_item *item = NULL;
3172 proto_tree *tree = NULL;
3173 uint16_t bc;
3174 bool trunc;
3175
3176 if (parent_tree) {
3177 item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
3178 tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
3179 }
3180
3181 bc = tvb_captured_length_remaining(tvb, offset);
3182 offset = dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3183
3184 return offset;
3185 }
3186
3187 static int
3188 dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3189 {
3190 proto_item *item = NULL;
3191 proto_tree *tree = NULL;
3192 uint16_t bc;
3193 bool trunc;
3194
3195 if (parent_tree) {
3196 item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
3197 tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
3198 }
3199
3200
3201 bc = tvb_captured_length_remaining(tvb, offset);
3202 offset = dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3203
3204 return offset;
3205 }
3206
3207 static int
3208 dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3209 {
3210 proto_item *item = NULL;
3211 proto_tree *tree = NULL;
3212 uint16_t bc;
3213 bool trunc;
3214
3215 if (parent_tree) {
3216 item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
3217 tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
3218 }
3219
3220
3221 bc = tvb_captured_length_remaining(tvb, offset);
3222 offset = dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
3223
3224 return offset;
3225 }
3226
3227 static const true_false_string tfs_disposition_delete_on_close = {
3228 "DELETE this file when closed",
3229 "Normal access, do not delete on close"
3230 };
3231
3232 static int
3233 dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3234 {
3235 proto_item *item = NULL;
3236 proto_tree *tree = NULL;
3237
3238 if (parent_tree) {
3239 item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
3240 tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
3241 }
3242
3243 /* file disposition */
3244 proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3245
3246 return offset;
3247 }
3248
3249 static int
3250 dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3251 {
3252 proto_item *item = NULL;
3253 proto_tree *tree = NULL;
3254 uint32_t next_offset;
3255 uint8_t ea_name_len;
3256 uint16_t ea_data_len;
3257
3258 if (parent_tree) {
3259 item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
3260 tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
3261 }
3262
3263 while (1) {
3264 char *name = NULL;
3265 char *data = NULL;
3266 int start_offset = offset;
3267 proto_item *ea_item;
3268 proto_tree *ea_tree;
3269
3270 ea_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_ea, &ea_item, "EA:");
3271
3272 /* next offset */
3273 next_offset = tvb_get_letohl(tvb, offset);
3274 proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3275 offset += 4;
3276
3277 /* EA flags */
3278 proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3279 offset += 1;
3280
3281 /* EA Name Length */
3282 ea_name_len = tvb_get_uint8(tvb, offset);
3283 proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3284 offset += 1;
3285
3286 /* EA Data Length */
3287 ea_data_len = tvb_get_letohs(tvb, offset);
3288 proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3289 offset += 2;
3290
3291 /* ea name */
3292 if (ea_name_len) {
3293 proto_tree_add_item_ret_display_string(ea_tree, hf_smb2_ea_name,
3294 tvb, offset, ea_name_len, ENC_ASCII|ENC_NA,
3295 pinfo->pool, &name);
3296 }
3297
3298 /* The name is terminated with a NULL */
3299 offset += ea_name_len + 1;
3300
3301 /* ea data */
3302 if (ea_data_len) {
3303 proto_tree_add_item_ret_display_string(ea_tree, hf_smb2_ea_data,
3304 tvb, offset, ea_data_len, ENC_NA,
3305 pinfo->pool, &data);
3306 }
3307 offset += ea_data_len;
3308
3309
3310 if (ea_item) {
3311 proto_item_append_text(ea_item, " %s := %s",
3312 name ? name : "",
3313 data ? data : "");
3314 }
3315 proto_item_set_len(ea_item, offset-start_offset);
3316
3317
3318 if (!next_offset) {
3319 break;
3320 }
3321
3322 offset = start_offset+next_offset;
3323 }
3324
3325 return offset;
3326 }
3327
3328 static const true_false_string tfs_replace_if_exists = {
3329 "Replace the target if it exists",
3330 "Fail if the target exists"
3331 };
3332
3333 static int
3334 dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3335 {
3336 proto_item *item = NULL;
3337 proto_tree *tree = NULL;
3338 int length;
3339
3340
3341 if (parent_tree) {
3342 item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
3343 tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
3344 }
3345
3346 /* ReplaceIfExists */
3347 proto_tree_add_item(tree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
3348 offset += 1;
3349
3350 /* reserved */
3351 proto_tree_add_item(tree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
3352 offset += 7;
3353
3354 /* Root Directory Handle, MBZ */
3355 proto_tree_add_item(tree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
3356 offset += 8;
3357
3358 /* file name length */
3359 length = tvb_get_letohs(tvb, offset);
3360 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3361 offset += 4;
3362
3363 /* file name */
3364 if (length) {
3365 char *display_string;
3366
3367 proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
3368 tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN,
3369 pinfo->pool, &display_string);
3370 col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s",
3371 display_string);
3372 offset += length;
3373 }
3374
3375 return offset;
3376 }
3377
3378 static int
3379 dissect_smb2_file_link_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3380 {
3381 proto_item *item = NULL;
3382 proto_tree *tree = NULL;
3383 int length;
3384 char *display_string = NULL;
3385
3386
3387 if (parent_tree) {
3388 item = proto_tree_add_item(parent_tree, hf_smb2_file_link_info, tvb, offset, -1, ENC_NA);
3389 tree = proto_item_add_subtree(item, ett_smb2_file_link_info);
3390 }
3391
3392 /* ReplaceIfExists */
3393 proto_tree_add_item(tree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
3394 offset += 1;
3395
3396 /* reserved */
3397 proto_tree_add_item(tree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
3398 offset += 7;
3399
3400 /* Root Directory Handle, MBZ */
3401 proto_tree_add_item(tree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
3402 offset += 8;
3403
3404 /* file name length */
3405 length = tvb_get_letohs(tvb, offset);
3406 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3407 offset += 4;
3408
3409 /* file name */
3410 if (length < 1) {
3411 return offset;
3412 }
3413
3414 proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
3415 tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN,
3416 pinfo->pool, &display_string);
3417 col_append_fstr(pinfo->cinfo, COL_INFO, " NewLink:%s",
3418 display_string);
3419 offset += length;
3420
3421 return offset;
3422 }
3423
3424 static int
3425 dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3426 {
3427 proto_item *item = NULL;
3428 proto_tree *tree = NULL;
3429
3430 if (parent_tree) {
3431 item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
3432 tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
3433 }
3434
3435 /* security descriptor */
3436 offset = dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, true, tvb_captured_length_remaining(tvb, offset), NULL);
3437
3438 return offset;
3439 }
3440
3441 static int
3442 dissect_smb2_quota_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3443 {
3444 proto_item *item = NULL;
3445 proto_tree *tree = NULL;
3446 uint16_t bcp;
3447
3448 if (parent_tree) {
3449 item = proto_tree_add_item(parent_tree, hf_smb2_quota_info, tvb, offset, -1, ENC_NA);
3450 tree = proto_item_add_subtree(item, ett_smb2_quota_info);
3451 }
3452
3453 bcp = tvb_captured_length_remaining(tvb, offset);
3454 offset = dissect_nt_user_quota(tvb, tree, offset, &bcp);
3455
3456 return offset;
3457 }
3458
3459 static int
3460 dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3461 {
3462 proto_item *item = NULL;
3463 proto_tree *tree = NULL;
3464 uint16_t bc;
3465
3466 if (parent_tree) {
3467 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
3468 tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
3469 }
3470
3471 bc = tvb_captured_length_remaining(tvb, offset);
3472 offset = dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc);
3473
3474 return offset;
3475 }
3476
3477 static int
3478 dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3479 {
3480 proto_item *item = NULL;
3481 proto_tree *tree = NULL;
3482 uint16_t bc;
3483
3484 if (parent_tree) {
3485 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
3486 tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
3487 }
3488
3489 bc = tvb_captured_length_remaining(tvb, offset);
3490 offset = dissect_nt_quota(tvb, tree, offset, &bc);
3491
3492 return offset;
3493 }
3494
3495 static int
3496 dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3497 {
3498 proto_item *item = NULL;
3499 proto_tree *tree = NULL;
3500
3501 if (parent_tree) {
3502 item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
3503 tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
3504 }
3505
3506 /* FILE_OBJECTID_BUFFER */
3507 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
3508
3509 return offset;
3510 }
3511
3512 static int
3513 dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3514 {
3515 proto_item *item = NULL;
3516 proto_tree *tree = NULL;
3517 uint16_t bc;
3518
3519 if (parent_tree) {
3520 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
3521 tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
3522 }
3523
3524 bc = tvb_captured_length_remaining(tvb, offset);
3525 offset = dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
3526
3527 return offset;
3528 }
3529
3530 static int
3531 dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3532 {
3533 proto_item *item = NULL;
3534 proto_tree *tree = NULL;
3535 uint16_t bc;
3536
3537 if (parent_tree) {
3538 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
3539 tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
3540 }
3541
3542
3543 bc = tvb_captured_length_remaining(tvb, offset);
3544 offset = dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, true);
3545
3546 return offset;
3547 }
3548
3549 static int
3550 dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3551 {
3552 proto_item *item = NULL;
3553 proto_tree *tree = NULL;
3554 uint16_t bc;
3555
3556 if (parent_tree) {
3557 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
3558 tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
3559 }
3560
3561
3562 bc = tvb_captured_length_remaining(tvb, offset);
3563 offset = dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
3564
3565 return offset;
3566 }
3567
3568 static int
3569 dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3570 {
3571 proto_item *item = NULL;
3572 proto_tree *tree = NULL;
3573 uint16_t bc;
3574
3575 if (parent_tree) {
3576 item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
3577 tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
3578 }
3579
3580
3581 bc = tvb_captured_length_remaining(tvb, offset);
3582 offset = dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
3583
3584 return offset;
3585 }
3586
3587 static int
3588 dissect_smb2_fs_posix_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
3589 {
3590 proto_item *item = NULL;
3591 proto_tree *tree = NULL;
3592
3593 if (parent_tree) {
3594 item = proto_tree_add_item(parent_tree, hf_smb2_fs_posix_info, tvb, offset, -1, ENC_NA);
3595 tree = proto_item_add_subtree(item, ett_smb2_fs_posix_info);
3596 }
3597
3598 proto_tree_add_item(tree, hf_smb2_fs_posix_optimal_transfer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3599 offset += 4;
3600
3601 proto_tree_add_item(tree, hf_smb2_fs_posix_block_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3602 offset += 4;
3603
3604 proto_tree_add_item(tree, hf_smb2_fs_posix_total_blocks, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3605 offset += 8;
3606
3607 proto_tree_add_item(tree, hf_smb2_fs_posix_blocks_available, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3608 offset += 8;
3609
3610 proto_tree_add_item(tree, hf_smb2_fs_posix_user_blocks_available, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3611 offset += 8;
3612
3613 proto_tree_add_item(tree, hf_smb2_fs_posix_total_file_nodes, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3614 offset += 8;
3615
3616 proto_tree_add_item(tree, hf_smb2_fs_posix_free_file_nodes, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3617 offset += 8;
3618
3619 proto_tree_add_item(tree, hf_smb2_fs_posix_fs_identifier, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3620 offset += 8;
3621
3622 return offset;
3623 }
3624
3625 static const value_string oplock_vals[] = {
3626 { 0x00, "No oplock" },
3627 { 0x01, "Level2 oplock" },
3628 { 0x08, "Exclusive oplock" },
3629 { 0x09, "Batch oplock" },
3630 { 0xff, "Lease" },
3631 { 0, NULL }
3632 };
3633
3634 static int
3635 dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
3636 {
3637 proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3638
3639 offset += 1;
3640 return offset;
3641 }
3642
3643 static int
3644 dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, uint16_t *length)
3645 {
3646 proto_tree *tree;
3647 proto_item *item;
3648 uint16_t buffer_code;
3649
3650 /* dissect the first 2 bytes of the command PDU */
3651 buffer_code = tvb_get_letohs(tvb, offset);
3652 item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, buffer_code);
3653 tree = proto_item_add_subtree(item, ett_smb2_buffercode);
3654 proto_tree_add_item(tree, hf_smb2_buffer_code_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3655 proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3656 offset += 2;
3657
3658 if (length) {
3659 *length = buffer_code; /*&0xfffe don't mask it here, mask it on caller side */
3660 }
3661
3662 return offset;
3663 }
3664
3665 #define NEGPROT_CAP_DFS 0x00000001
3666 #define NEGPROT_CAP_LEASING 0x00000002
3667 #define NEGPROT_CAP_LARGE_MTU 0x00000004
3668 #define NEGPROT_CAP_MULTI_CHANNEL 0x00000008
3669 #define NEGPROT_CAP_PERSISTENT_HANDLES 0x00000010
3670 #define NEGPROT_CAP_DIRECTORY_LEASING 0x00000020
3671 #define NEGPROT_CAP_ENCRYPTION 0x00000040
3672 #define NEGPROT_CAP_NOTIFICATIONS 0x00000080
3673 static int
3674 dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
3675 {
3676 static int * const flags[] = {
3677 &hf_smb2_cap_dfs,
3678 &hf_smb2_cap_leasing,
3679 &hf_smb2_cap_large_mtu,
3680 &hf_smb2_cap_multi_channel,
3681 &hf_smb2_cap_persistent_handles,
3682 &hf_smb2_cap_directory_leasing,
3683 &hf_smb2_cap_encryption,
3684 &hf_smb2_cap_notifications,
3685 NULL
3686 };
3687
3688 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_capabilities, ett_smb2_capabilities, flags, ENC_LITTLE_ENDIAN);
3689 offset += 4;
3690
3691 return offset;
3692 }
3693
3694
3695
3696 #define NEGPROT_SIGN_REQ 0x02
3697 #define NEGPROT_SIGN_ENABLED 0x01
3698
3699 static int
3700 dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
3701 {
3702 static int * const flags[] = {
3703 &hf_smb2_secmode_flags_sign_enabled,
3704 &hf_smb2_secmode_flags_sign_required,
3705 NULL
3706 };
3707
3708 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_security_mode, ett_smb2_sec_mode, flags, ENC_LITTLE_ENDIAN);
3709 offset += 1;
3710
3711 return offset;
3712 }
3713
3714 #define SES_REQ_FLAGS_SESSION_BINDING 0x01
3715
3716 static int
3717 dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
3718 {
3719 static int * const flags[] = {
3720 &hf_smb2_ses_req_flags_session_binding,
3721 NULL
3722 };
3723
3724 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_ses_req_flags, ett_smb2_ses_req_flags, flags, ENC_LITTLE_ENDIAN);
3725 offset += 1;
3726
3727 return offset;
3728 }
3729
3730 #define SES_FLAGS_GUEST 0x0001
3731 #define SES_FLAGS_NULL 0x0002
3732 #define SES_FLAGS_ENCRYPT 0x0004
3733
3734 static int
3735 dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
3736 {
3737 static int * const flags[] = {
3738 &hf_smb2_ses_flags_guest,
3739 &hf_smb2_ses_flags_null,
3740 &hf_smb2_ses_flags_encrypt,
3741 NULL
3742 };
3743
3744 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_session_flags, ett_smb2_ses_flags, flags, ENC_LITTLE_ENDIAN);
3745 offset += 2;
3746
3747 return offset;
3748 }
3749
3750 #define SHARE_FLAGS_manual_caching 0x00000000
3751 #define SHARE_FLAGS_auto_caching 0x00000010
3752 #define SHARE_FLAGS_vdo_caching 0x00000020
3753 #define SHARE_FLAGS_no_caching 0x00000030
3754
3755 static const value_string share_cache_vals[] = {
3756 { SHARE_FLAGS_manual_caching, "Manual caching" },
3757 { SHARE_FLAGS_auto_caching, "Auto caching" },
3758 { SHARE_FLAGS_vdo_caching, "VDO caching" },
3759 { SHARE_FLAGS_no_caching, "No caching" },
3760 { 0, NULL }
3761 };
3762
3763 #define SHARE_FLAGS_dfs 0x00000001
3764 #define SHARE_FLAGS_dfs_root 0x00000002
3765 #define SHARE_FLAGS_restrict_exclusive_opens 0x00000100
3766 #define SHARE_FLAGS_force_shared_delete 0x00000200
3767 #define SHARE_FLAGS_allow_namespace_caching 0x00000400
3768 #define SHARE_FLAGS_access_based_dir_enum 0x00000800
3769 #define SHARE_FLAGS_force_levelii_oplock 0x00001000
3770 #define SHARE_FLAGS_enable_hash_v1 0x00002000
3771 #define SHARE_FLAGS_enable_hash_v2 0x00004000
3772 #define SHARE_FLAGS_encryption_required 0x00008000
3773 #define SHARE_FLAGS_identity_remoting 0x00040000
3774 #define SHARE_FLAGS_compress_data 0x00100000
3775 #define SHARE_FLAGS_isolated_transport 0x00200000
3776
3777 static int
3778 dissect_smb2_share_flags(proto_tree *tree, tvbuff_t *tvb, int offset)
3779 {
3780 static int * const sf_fields[] = {
3781 &hf_smb2_share_flags_dfs,
3782 &hf_smb2_share_flags_dfs_root,
3783 &hf_smb2_share_flags_restrict_exclusive_opens,
3784 &hf_smb2_share_flags_force_shared_delete,
3785 &hf_smb2_share_flags_allow_namespace_caching,
3786 &hf_smb2_share_flags_access_based_dir_enum,
3787 &hf_smb2_share_flags_force_levelii_oplock,
3788 &hf_smb2_share_flags_enable_hash_v1,
3789 &hf_smb2_share_flags_enable_hash_v2,
3790 &hf_smb2_share_flags_encrypt_data,
3791 &hf_smb2_share_flags_identity_remoting,
3792 &hf_smb2_share_flags_compress_data,
3793 &hf_smb2_share_flags_isolated_transport,
3794 NULL
3795 };
3796 proto_item *item;
3797 uint32_t cp;
3798
3799 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_flags, ett_smb2_share_flags, sf_fields, ENC_LITTLE_ENDIAN);
3800
3801 cp = tvb_get_letohl(tvb, offset);
3802 cp &= 0x00000030;
3803 proto_tree_add_uint_format(item, hf_smb2_share_caching, tvb, offset, 4, cp, "Caching policy: %s (%08x)", val_to_str(cp, share_cache_vals, "Unknown:%u"), cp);
3804
3805
3806 offset += 4;
3807
3808 return offset;
3809 }
3810
3811 #define SHARE_CAPS_DFS 0x00000008
3812 #define SHARE_CAPS_CONTINUOUS_AVAILABILITY 0x00000010
3813 #define SHARE_CAPS_SCALEOUT 0x00000020
3814 #define SHARE_CAPS_CLUSTER 0x00000040
3815 #define SHARE_CAPS_ASYMMETRIC 0x00000080
3816 #define SHARE_CAPS_REDIRECT_TO_OWNER 0x00000100
3817
3818 static int
3819 dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
3820 {
3821 static int * const sc_fields[] = {
3822 &hf_smb2_share_caps_dfs,
3823 &hf_smb2_share_caps_continuous_availability,
3824 &hf_smb2_share_caps_scaleout,
3825 &hf_smb2_share_caps_cluster,
3826 &hf_smb2_share_caps_asymmetric,
3827 &hf_smb2_share_caps_redirect_to_owner,
3828 NULL
3829 };
3830
3831 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, sc_fields, ENC_LITTLE_ENDIAN);
3832
3833 offset += 4;
3834
3835 return offset;
3836 }
3837
3838 static void
3839 dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
3840 {
3841 if ((tvb_captured_length(tvb)>=7)
3842 && (!tvb_memeql(tvb, 0, (const uint8_t*)"NTLMSSP", 7))) {
3843 call_dissector(ntlmssp_handle, tvb, pinfo, tree);
3844 } else {
3845 call_dissector(gssapi_handle, tvb, pinfo, tree);
3846 }
3847 }
3848
3849 /*
3850 * Derive client and server decryption keys from the secret session key
3851 * and set them in the session object.
3852 */
3853 static void smb2_generate_decryption_keys(smb2_conv_info_t *conv, smb2_sesid_info_t *ses)
3854 {
3855 bool has_seskey = memcmp(ses->session_key, zeros, NTLMSSP_KEY_LEN) != 0;
3856 bool has_signkey = memcmp(ses->signing_key, zeros, NTLMSSP_KEY_LEN) != 0;
3857 bool has_client_key = memcmp(ses->client_decryption_key16, zeros, AES_KEY_SIZE) != 0;
3858 bool has_server_key = memcmp(ses->server_decryption_key16, zeros, AES_KEY_SIZE) != 0;
3859
3860 /* if all decryption keys are provided, nothing to do */
3861 if (has_client_key && has_server_key && has_signkey)
3862 return;
3863
3864 /* otherwise, generate them from session key, if it's there */
3865 if (!has_seskey || ses->session_key_len == 0)
3866 return;
3867
3868 /* generate decryption keys */
3869 if (conv->dialect <= SMB2_DIALECT_210) {
3870 if (!has_signkey)
3871 memcpy(ses->signing_key, ses->session_key,
3872 NTLMSSP_KEY_LEN);
3873 } else if (conv->dialect < SMB2_DIALECT_311) {
3874 if (!has_server_key)
3875 smb2_key_derivation(ses->session_key,
3876 NTLMSSP_KEY_LEN,
3877 "SMB2AESCCM", 11,
3878 "ServerIn ", 10,
3879 ses->server_decryption_key16, 16);
3880 if (!has_client_key)
3881 smb2_key_derivation(ses->session_key,
3882 NTLMSSP_KEY_LEN,
3883 "SMB2AESCCM", 11,
3884 "ServerOut", 10,
3885 ses->client_decryption_key16, 16);
3886 if (!has_signkey)
3887 smb2_key_derivation(ses->session_key,
3888 NTLMSSP_KEY_LEN,
3889 "SMB2AESCMAC", 12,
3890 "SmbSign", 8,
3891 ses->signing_key, 16);
3892 } else if (conv->dialect >= SMB2_DIALECT_311) {
3893 if (!has_server_key) {
3894 smb2_key_derivation(ses->session_key,
3895 NTLMSSP_KEY_LEN,
3896 "SMBC2SCipherKey", 16,
3897 ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
3898 ses->server_decryption_key16, 16);
3899 smb2_key_derivation(ses->session_key,
3900 ses->session_key_len,
3901 "SMBC2SCipherKey", 16,
3902 ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
3903 ses->server_decryption_key32, 32);
3904 }
3905 if (!has_client_key) {
3906 smb2_key_derivation(ses->session_key,
3907 NTLMSSP_KEY_LEN,
3908 "SMBS2CCipherKey", 16,
3909 ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
3910 ses->client_decryption_key16, 16);
3911 smb2_key_derivation(ses->session_key,
3912 ses->session_key_len,
3913 "SMBS2CCipherKey", 16,
3914 ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
3915 ses->client_decryption_key32, 32);
3916 }
3917 if (!has_signkey)
3918 smb2_key_derivation(ses->session_key,
3919 NTLMSSP_KEY_LEN,
3920 "SMBSigningKey", 14,
3921 ses->preauth_hash, SMB2_PREAUTH_HASH_SIZE,
3922 ses->signing_key, 16);
3923 }
3924
3925 ws_log_buffer(ses->signing_key, NTLMSSP_KEY_LEN, "Generated Sign key");
3926 ws_log_buffer(ses->client_decryption_key16, AES_KEY_SIZE, "Generated S2C key16");
3927 ws_log_buffer(ses->client_decryption_key32, AES_KEY_SIZE*2, "Generated S2C key32");
3928 ws_log_buffer(ses->server_decryption_key16, AES_KEY_SIZE, "Generated C2S key16");
3929 ws_log_buffer(ses->server_decryption_key32, AES_KEY_SIZE*2, "Generated C2S key32");
3930 }
3931
3932 static int
3933 dissect_smb2_session_setup_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
3934 {
3935 offset_length_buffer_t s_olb;
3936 const ntlmssp_header_t *ntlmssph;
3937 static int ntlmssp_tap_id = 0;
3938 smb2_saved_info_t *ssi = si->saved;
3939 proto_item *hash_item;
3940 int idx;
3941
3942 if (!ntlmssp_tap_id) {
3943 GString *error_string;
3944 /* We don't specify any callbacks at all.
3945 * Instead we manually fetch the tapped data after the
3946 * security blob has been fully dissected and before
3947 * we exit from this dissector.
3948 */
3949 error_string = register_tap_listener("ntlmssp", NULL, NULL,
3950 TL_IS_DISSECTOR_HELPER, NULL, NULL, NULL, NULL);
3951 if (!error_string) {
3952 ntlmssp_tap_id = find_tap_id("ntlmssp");
3953 } else {
3954 g_string_free(error_string, true);
3955 }
3956 }
3957
3958 if (!pinfo->fd->visited && ssi) {
3959 /* compute preauth hash on first pass */
3960
3961 /* start from last preauth hash of the connection if 1st request */
3962 if (si->sesid == 0)
3963 memcpy(si->conv->preauth_hash_ses, si->conv->preauth_hash_con, SMB2_PREAUTH_HASH_SIZE);
3964
3965 ssi->preauth_hash_req = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
3966 update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
3967 memcpy(ssi->preauth_hash_req, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
3968 }
3969
3970 if (ssi && ssi->preauth_hash_req) {
3971 hash_item = proto_tree_add_bytes_with_length(tree, hf_smb2_preauth_hash, tvb,
3972 0, tvb_captured_length(tvb),
3973 ssi->preauth_hash_req, SMB2_PREAUTH_HASH_SIZE);
3974 proto_item_set_generated(hash_item);
3975 }
3976
3977 /* buffer code */
3978 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
3979 /* some unknown bytes */
3980
3981 /* flags */
3982 offset = dissect_smb2_ses_req_flags(tree, tvb, offset);
3983
3984 /* security mode */
3985 offset = dissect_smb2_secmode(tree, tvb, offset);
3986
3987 /* capabilities */
3988 offset = dissect_smb2_capabilities(tree, tvb, offset);
3989
3990 /* channel */
3991 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3992 offset += 4;
3993
3994 /* security blob offset/length */
3995 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
3996
3997 /* previous session id */
3998 proto_tree_add_item(tree, hf_smb2_previous_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
3999 offset += 8;
4000
4001
4002 /* the security blob itself */
4003 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
4004
4005 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
4006
4007 /* If we have found a uid->acct_name mapping, store it */
4008 if (!pinfo->fd->visited) {
4009 idx = 0;
4010 while ((ntlmssph = (const ntlmssp_header_t *)fetch_tapped_data(ntlmssp_tap_id, idx++)) != NULL) {
4011 if (ntlmssph && ntlmssph->type == NTLMSSP_AUTH) {
4012 si->session = smb2_get_session(si->conv, si->sesid, pinfo, si);
4013 si->session->acct_name = wmem_strdup(wmem_file_scope(), ntlmssph->acct_name);
4014 si->session->domain_name = wmem_strdup(wmem_file_scope(), ntlmssph->domain_name);
4015 si->session->host_name = wmem_strdup(wmem_file_scope(), ntlmssph->host_name);
4016 /* don't overwrite session key from preferences */
4017 if (memcmp(si->session->session_key, zeros, NTLMSSP_KEY_LEN) == 0) {
4018 memcpy(si->session->session_key, ntlmssph->session_key, NTLMSSP_KEY_LEN);
4019 si->session->session_key_len = NTLMSSP_KEY_LEN;
4020 si->session->session_key_frame = pinfo->num;
4021 }
4022 si->session->auth_frame = pinfo->num;
4023 }
4024 }
4025 }
4026
4027 return offset;
4028 }
4029
4030 static void
4031 dissect_smb2_share_redirect_error(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4032 {
4033 proto_tree *tree;
4034 proto_item *item;
4035 proto_tree *ips_tree;
4036 proto_item *ips_item;
4037
4038 offset_length_buffer_t res_olb;
4039 uint32_t i, ip_count;
4040
4041 item = proto_tree_add_item(parent_tree, hf_smb2_error_redir_context, tvb, offset, 0, ENC_NA);
4042 tree = proto_item_add_subtree(item, ett_smb2_error_redir_context);
4043
4044 /* structure size */
4045 proto_tree_add_item(tree, hf_smb2_error_redir_struct_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4046 offset += 4;
4047
4048 /* notification type */
4049 proto_tree_add_item(tree, hf_smb2_error_redir_notif_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4050 offset += 4;
4051
4052 /* resource name offset/length */
4053 offset = dissect_smb2_olb_length_offset(tvb, offset, &res_olb, OLB_O_UINT32_S_UINT32, hf_smb2_error_redir_res_name);
4054
4055 /* flags */
4056 proto_tree_add_item(tree, hf_smb2_error_redir_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4057 offset += 2;
4058
4059 /* target type */
4060 proto_tree_add_item(tree, hf_smb2_error_redir_target_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4061 offset += 2;
4062
4063 /* ip addr count */
4064 proto_tree_add_item_ret_uint(tree, hf_smb2_error_redir_ip_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &ip_count);
4065 offset += 4;
4066
4067 /* ip addr list */
4068 ips_item = proto_tree_add_item(tree, hf_smb2_error_redir_ip_list, tvb, offset, 0, ENC_NA);
4069 ips_tree = proto_item_add_subtree(ips_item, ett_smb2_error_redir_ip_list);
4070 for (i = 0; i < ip_count; i++)
4071 offset += dissect_windows_sockaddr_storage(tvb, pinfo, ips_tree, offset, -1);
4072
4073 /* resource name */
4074 dissect_smb2_olb_off_string(pinfo, tree, tvb, &res_olb, offset, OLB_TYPE_UNICODE_STRING);
4075 }
4076
4077 static void
4078 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4079 {
4080 proto_tree *tree;
4081 proto_item *item;
4082
4083 offset_length_buffer_t s_olb, p_olb;
4084
4085 item = proto_tree_add_item(parent_tree, hf_smb2_symlink_error_response, tvb, offset, -1, ENC_NA);
4086 tree = proto_item_add_subtree(item, ett_smb2_symlink_error_response);
4087
4088 /* symlink length */
4089 proto_tree_add_item(tree, hf_smb2_symlink_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4090 offset += 4;
4091
4092 /* symlink error tag */
4093 proto_tree_add_item(tree, hf_smb2_symlink_error_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4094 offset += 4;
4095
4096 /* reparse tag */
4097 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4098 offset += 4;
4099
4100 proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4101 offset += 2;
4102
4103 proto_tree_add_item(tree, hf_smb2_unparsed_path_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4104 offset += 2;
4105
4106 /* substitute name offset/length */
4107 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
4108
4109 /* print name offset/length */
4110 offset = dissect_smb2_olb_length_offset(tvb, offset, &p_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);
4111
4112 /* flags */
4113 proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4114 offset += 4;
4115
4116 /* substitute name string */
4117 dissect_smb2_olb_off_string(pinfo, tree, tvb, &s_olb, offset, OLB_TYPE_UNICODE_STRING);
4118
4119 /* print name string */
4120 dissect_smb2_olb_off_string(pinfo, tree, tvb, &p_olb, offset, OLB_TYPE_UNICODE_STRING);
4121 }
4122
4123 static int
4124 // NOLINTNEXTLINE(misc-no-recursion)
4125 dissect_smb2_error_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
4126 {
4127 proto_tree *tree;
4128 proto_item *item;
4129 tvbuff_t *sub_tvb;
4130 uint32_t length;
4131 uint32_t id;
4132
4133 item = proto_tree_add_item(parent_tree, hf_smb2_error_context, tvb, offset, -1, ENC_NA);
4134 tree = proto_item_add_subtree(item, ett_smb2_error_context);
4135
4136 proto_tree_add_item_ret_uint(tree, hf_smb2_error_context_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
4137 offset += 4;
4138
4139 proto_tree_add_item_ret_uint(tree, hf_smb2_error_context_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &id);
4140 offset += 4;
4141
4142 sub_tvb = tvb_new_subset_length(tvb, offset, length);
4143 dissect_smb2_error_data(sub_tvb, pinfo, tree, 0, id, si);
4144 offset += length;
4145
4146 return offset;
4147 }
4148
4149 /*
4150 * Assumes it is being called with a sub-tvb (dissects at offsets 0)
4151 */
4152 static void
4153 // NOLINTNEXTLINE(misc-no-recursion)
4154 dissect_smb2_error_data(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree,
4155 int error_context_count, int error_id,
4156 smb2_info_t *si _U_)
4157 {
4158 proto_tree *tree;
4159 proto_item *item;
4160
4161 int offset = 0;
4162 int i;
4163
4164 item = proto_tree_add_item(parent_tree, hf_smb2_error_data, tvb, offset, -1, ENC_NA);
4165 tree = proto_item_add_subtree(item, ett_smb2_error_data);
4166
4167 if (error_context_count == 0) {
4168 if (tvb_captured_length_remaining(tvb, offset) <= 1)
4169 return;
4170 switch (si->status) {
4171 case NT_STATUS_STOPPED_ON_SYMLINK:
4172 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvb, pinfo, tree, offset, si);
4173 break;
4174 case NT_STATUS_BUFFER_TOO_SMALL:
4175 proto_tree_add_item(tree, hf_smb2_error_min_buf_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4176 break;
4177 case NT_STATUS_BAD_NETWORK_NAME:
4178 if (error_id == SMB2_ERROR_ID_SHARE_REDIRECT)
4179 dissect_smb2_share_redirect_error(tvb, pinfo, tree, offset, si);
4180 default:
4181 break;
4182 }
4183 } else {
4184 increment_dissection_depth(pinfo);
4185 for (i = 0; i < error_context_count; i++) {
4186 offset += dissect_smb2_error_context(tvb, pinfo, tree, offset, si);
4187 }
4188 decrement_dissection_depth(pinfo);
4189 }
4190 }
4191
4192 /*
4193 * SMB2 Error responses are a bit convoluted. Error data can be a list
4194 * of error contexts which themselves can hold an error data field.
4195 * See [MS-SMB2] 2.2.2.1.
4196 *
4197 * ERROR_RESP := ERROR_DATA
4198 *
4199 * ERROR_DATA := ( ERROR_CONTEXT + )
4200 * | ERROR_STATUS_STOPPED_ON_SYMLINK
4201 * | ERROR_ID_SHARE_REDIRECT
4202 * | ERROR_BUFFER_TOO_SMALL
4203 *
4204 * ERROR_CONTEXT := ... + ERROR_DATA
4205 * | ERROR_ID_SHARE_REDIRECT
4206 *
4207 * This needs more fixes for cases when the original header had also the constant value of 9.
4208 * This should be fixed on caller side where it decides if it has to call this or not.
4209 *
4210 */
4211 static int
4212 dissect_smb2_error_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si,
4213 bool* continue_dissection)
4214 {
4215 int byte_count;
4216 uint8_t error_context_count;
4217 uint16_t length;
4218 tvbuff_t *sub_tvb;
4219
4220 /* buffer code */
4221 offset = dissect_smb2_buffercode(tree, tvb, offset, &length);
4222
4223 /* FIX: error response uses this constant, if not then it is not an error response */
4224 if(length != 9)
4225 {
4226 if(continue_dissection)
4227 *continue_dissection = true;
4228 } else {
4229 if(continue_dissection)
4230 *continue_dissection = false;
4231
4232 /* ErrorContextCount (1 bytes) */
4233 error_context_count = tvb_get_uint8(tvb, offset);
4234 proto_tree_add_item(tree, hf_smb2_error_context_count, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4235 offset += 1;
4236
4237 /* Reserved (1 bytes) */
4238 proto_tree_add_item(tree, hf_smb2_error_reserved, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4239 offset += 1;
4240
4241 /* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
4242 byte_count = tvb_get_letohl(tvb, offset);
4243 proto_tree_add_item(tree, hf_smb2_error_byte_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4244 offset += 4;
4245
4246 /* If the ByteCount field is zero then the server MUST supply an ErrorData field
4247 that is one byte in length */
4248 if (byte_count == 0) byte_count = 1;
4249
4250 /* ErrorData (variable): A variable-length data field that contains extended
4251 error information.*/
4252 sub_tvb = tvb_new_subset_length(tvb, offset, byte_count);
4253 offset += byte_count;
4254
4255 dissect_smb2_error_data(sub_tvb, pinfo, tree, error_context_count, 0, si);
4256 }
4257
4258 return offset;
4259 }
4260
4261 static int
4262 dissect_smb2_session_setup_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4263 {
4264 offset_length_buffer_t s_olb;
4265 proto_item *hash_item;
4266 smb2_saved_info_t *ssi = si->saved;
4267
4268 si->session = smb2_get_session(si->conv, si->sesid, pinfo, si);
4269 if (si->status == 0) {
4270 si->session->auth_frame = pinfo->num;
4271 }
4272
4273 /* compute preauth hash on first pass */
4274 if (!pinfo->fd->visited && ssi) {
4275 ssi->preauth_hash_res = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
4276 /*
4277 * Preauth hash can only be used if the session is
4278 * established i.e. last session setup response has a
4279 * success status. As per the specification, the last
4280 * response is NOT hashed.
4281 */
4282 if (si->status != 0) {
4283 /*
4284 * Not successful means either more req/rsp
4285 * processing is required or we reached an
4286 * error, so update hash.
4287 */
4288 update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
4289 } else {
4290 /*
4291 * Session is established, remember the last preauth hash
4292 */
4293 memcpy(si->session->preauth_hash, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
4294 }
4295
4296 /* In all cases, stash the preauth hash */
4297 memcpy(ssi->preauth_hash_res, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
4298 }
4299
4300 if (ssi && ssi->preauth_hash_res) {
4301 hash_item = proto_tree_add_bytes_with_length(tree, hf_smb2_preauth_hash, tvb,
4302 0, tvb_captured_length(tvb),
4303 ssi->preauth_hash_res, SMB2_PREAUTH_HASH_SIZE);
4304 proto_item_set_generated(hash_item);
4305 }
4306
4307 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
4308
4309 /* buffer code */
4310 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4311
4312 /* session flags */
4313 offset = dissect_smb2_ses_flags(tree, tvb, offset);
4314
4315 /* security blob offset/length */
4316 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
4317
4318 /* the security blob itself */
4319 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
4320
4321 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
4322
4323 /* If we have found a uid->acct_name mapping, store it */
4324 #ifdef HAVE_KERBEROS
4325 if (!pinfo->fd->visited &&
4326 ((si->session->session_key_frame == UINT32_MAX) ||
4327 (si->session->session_key_frame < pinfo->num)))
4328 {
4329 enc_key_t *ek;
4330
4331 if (krb_decrypt) {
4332 read_keytab_file_from_preferences();
4333 }
4334
4335 for (ek=enc_key_list;ek;ek=ek->next) {
4336 if (!ek->is_ap_rep_key) {
4337 continue;
4338 }
4339 if (ek->fd_num == (int)pinfo->num) {
4340 break;
4341 }
4342 }
4343
4344 if (ek != NULL) {
4345 /*
4346 * If we remembered information from the PAC content
4347 * from GSSAPI AP exchange we use it, otherwise we
4348 * can only give a hint about the used session key.
4349 */
4350 if (ek->pac_names.account_name) {
4351 si->session->acct_name = wmem_strdup(wmem_file_scope(),
4352 ek->pac_names.account_name);
4353 si->session->domain_name = wmem_strdup(wmem_file_scope(),
4354 ek->pac_names.account_domain);
4355 if (ek->pac_names.device_sid) {
4356 si->session->host_name = wmem_strdup_printf(wmem_file_scope(),
4357 "DEVICE[%s]",
4358 ek->pac_names.device_sid);
4359 } else {
4360 si->session->host_name = NULL;
4361 }
4362 } else {
4363 si->session->acct_name = wmem_strdup_printf(wmem_file_scope(),
4364 "KERBEROS[%s]",
4365 ek->key_origin);
4366 si->session->domain_name = wmem_strdup_printf(wmem_file_scope(),
4367 "KERBEROS[%s]",
4368 ek->id_str);
4369 si->session->host_name = NULL;
4370 }
4371 /* don't overwrite session key from preferences */
4372 if (memcmp(si->session->session_key, zeros, NTLMSSP_KEY_LEN) == 0) {
4373 si->session->session_key_len = MIN(NTLMSSP_KEY_LEN*2, ek->keylength);
4374 memcpy(si->session->session_key,
4375 ek->keyvalue,
4376 si->session->session_key_len);
4377 si->session->session_key_frame = pinfo->num;
4378 }
4379 }
4380 }
4381 #endif
4382
4383 if (si->status == 0) {
4384 /*
4385 * Session is established, we can generate the keys
4386 */
4387 smb2_generate_decryption_keys(si->conv, si->session);
4388 }
4389
4390 return offset;
4391 }
4392
4393 static int
4394 dissect_smb2_tree_connect_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
4395 {
4396 offset_length_buffer_t olb;
4397 const uint8_t *buf;
4398 uint16_t flags;
4399 proto_item *item;
4400 static int * const connect_flags[] = {
4401 &hf_smb2_tc_cluster_reconnect,
4402 &hf_smb2_tc_redirect_to_owner,
4403 &hf_smb2_tc_extension_present,
4404 &hf_smb2_tc_reserved,
4405 NULL
4406 };
4407
4408 /* buffer code */
4409 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4410
4411 /* flags */
4412 item = proto_tree_get_parent(tree);
4413 flags = tvb_get_letohs(tvb, offset);
4414 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_tree_connect_flags, ett_smb2_tree_connect_flags, connect_flags, ENC_LITTLE_ENDIAN);
4415
4416 if (flags != 0) {
4417 proto_item_append_text(item, "%s%s%s",
4418 (flags & 0x0001)?", CLUSTER_RECONNECT":"",
4419 (flags & 0x0002)?", REDIRECT_TO_OWNER":"",
4420 (flags & 0x0004)?", EXTENSION_PRESENT":"");
4421 }
4422 offset += 2;
4423
4424 /* tree offset/length */
4425 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_tree);
4426
4427 /* tree string */
4428 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
4429
4430 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
4431
4432 if (!pinfo->fd->visited && si->saved && buf && olb.len) {
4433 si->saved->extra_info_type = SMB2_EI_TREENAME;
4434 si->saved->extra_info = wmem_strdup(wmem_file_scope(), buf);
4435 }
4436
4437 if (buf) {
4438 col_append_fstr(pinfo->cinfo, COL_INFO, ", Tree: '%s'",
4439 format_text(pinfo->pool, buf, strlen(buf)));
4440 }
4441
4442 return offset;
4443 }
4444 static int
4445 dissect_smb2_tree_connect_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
4446 {
4447 uint8_t share_type;
4448 bool continue_dissection;
4449
4450 switch (si->status) {
4451 /* buffer code */
4452 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4453 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4454 if (!continue_dissection) return offset;
4455 }
4456
4457 /* share type */
4458 share_type = tvb_get_uint8(tvb, offset);
4459 proto_tree_add_item(tree, hf_smb2_share_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4460 offset += 1;
4461
4462 /* byte is reserved and must be set to zero */
4463 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
4464 offset += 1;
4465
4466 if (!pinfo->fd->visited && si->saved && si->saved->extra_info_type == SMB2_EI_TREENAME && si->session) {
4467 smb2_tid_info_t *tid, tid_key;
4468
4469 tid_key.tid = si->tid;
4470 tid = (smb2_tid_info_t *)wmem_map_lookup(si->session->tids, &tid_key);
4471 if (tid) {
4472 wmem_map_remove(si->session->tids, &tid_key);
4473 }
4474 tid = wmem_new(wmem_file_scope(), smb2_tid_info_t);
4475 tid->tid = si->tid;
4476 tid->name = (char *)si->saved->extra_info;
4477 tid->connect_frame = pinfo->num;
4478 tid->disconnect_frame = 0;
4479 tid->share_type = share_type;
4480
4481 wmem_map_insert(si->session->tids, tid, tid);
4482
4483 si->saved->extra_info_type = SMB2_EI_NONE;
4484 si->saved->extra_info = NULL;
4485 }
4486
4487 if (si->tree)
4488 col_append_fstr(pinfo->cinfo, COL_INFO, ", Tree: '%s'", si->tree->name);
4489
4490 /* share flags */
4491 offset = dissect_smb2_share_flags(tree, tvb, offset);
4492
4493 /* share capabilities */
4494 offset = dissect_smb2_share_caps(tree, tvb, offset);
4495
4496 /* this is some sort of access mask */
4497 offset = dissect_smb_access_mask(tvb, tree, offset);
4498
4499 return offset;
4500 }
4501
4502 static int
4503 dissect_smb2_tree_disconnect_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4504 {
4505 /* buffer code */
4506 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4507
4508 if (si->tree)
4509 col_append_fstr(pinfo->cinfo, COL_INFO, ", Tree: '%s'", si->tree->name);
4510
4511 /* reserved */
4512 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4513 offset += 2;
4514
4515 return offset;
4516 }
4517
4518 static int
4519 dissect_smb2_tree_disconnect_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4520 {
4521 bool continue_dissection;
4522
4523 switch (si->status) {
4524 /* buffer code */
4525 case 0x00000000:
4526 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4527 break;
4528
4529 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4530 if (!continue_dissection) return offset;
4531 }
4532
4533 if (si->tree) {
4534 si->tree->disconnect_frame = pinfo->fd->num;
4535 col_append_fstr(pinfo->cinfo, COL_INFO, ", Tree: '%s'", si->tree->name);
4536 }
4537
4538 /* reserved */
4539 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4540 offset += 2;
4541
4542 return offset;
4543 }
4544
4545 static int
4546 dissect_smb2_sessionlogoff_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4547 {
4548 /* buffer code */
4549 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4550
4551 /* reserved bytes */
4552 offset += 2;
4553
4554 return offset;
4555 }
4556
4557 static int
4558 dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4559 {
4560 bool continue_dissection;
4561
4562 switch (si->status) {
4563 /* buffer code */
4564 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4565 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4566 if (!continue_dissection) return offset;
4567 }
4568
4569 /* reserved bytes */
4570 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
4571 offset += 2;
4572
4573 return offset;
4574 }
4575
4576 static int
4577 dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4578 {
4579 /* buffer code */
4580 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4581
4582 /* some unknown bytes */
4583 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
4584 offset += 2;
4585
4586 return offset;
4587 }
4588
4589 static int
4590 dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
4591 {
4592 bool continue_dissection;
4593
4594 switch (si->status) {
4595 /* buffer code */
4596 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4597 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4598 if (!continue_dissection) return offset;
4599 }
4600
4601 /* some unknown bytes */
4602 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
4603 offset += 2;
4604
4605 return offset;
4606 }
4607
4608 static int
4609 dissect_smb2_notify_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4610 {
4611 proto_tree *flags_tree = NULL;
4612 proto_item *flags_item = NULL;
4613 proto_item *item;
4614
4615 /* buffer code */
4616 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4617
4618 /* notify flags */
4619 if (tree) {
4620 flags_item = proto_tree_add_item(tree, hf_smb2_notify_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4621 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_notify_flags);
4622 }
4623 proto_tree_add_item(flags_tree, hf_smb2_notify_watch_tree, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4624 offset += 2;
4625
4626 /* output buffer length */
4627 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4628 offset += 4;
4629
4630 /* fid hash */
4631 if (si->saved && si->saved->fid_hash) {
4632 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
4633 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
4634 proto_item_set_generated(item);
4635 }
4636
4637 /* fid */
4638 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4639
4640 /* completion filter */
4641 offset = dissect_nt_notify_completion_filter(tvb, tree, offset);
4642
4643 /* reserved */
4644 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
4645 offset += 4;
4646
4647 return offset;
4648 }
4649
4650 static const value_string notify_action_vals[] = {
4651 {0x01, "FILE_ACTION_ADDED"},
4652 {0x02, "FILE_ACTION_REMOVED"},
4653 {0x03, "FILE_ACTION_MODIFIED"},
4654 {0x04, "FILE_ACTION_RENAMED_OLD_NAME"},
4655 {0x05, "FILE_ACTION_RENAMED_NEW_NAME"},
4656 {0x06, "FILE_ACTION_ADDED_STREAM"},
4657 {0x07, "FILE_ACTION_REMOVED_STREAM"},
4658 {0x08, "FILE_ACTION_MODIFIED_STREAM"},
4659 {0x09, "FILE_ACTION_REMOVED_BY_DELETE"},
4660 {0, NULL}
4661 };
4662
4663 static void
4664 dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
4665 {
4666 proto_tree *tree = NULL;
4667 proto_item *item = NULL;
4668 int offset = 0;
4669
4670 while (tvb_reported_length_remaining(tvb, offset) > 4) {
4671 uint32_t start_offset = offset;
4672 uint32_t next_offset;
4673 uint32_t length;
4674
4675 if (parent_tree) {
4676 item = proto_tree_add_item(parent_tree, hf_smb2_notify_info, tvb, offset, -1, ENC_NA);
4677 tree = proto_item_add_subtree(item, ett_smb2_notify_info);
4678 }
4679
4680 /* next offset */
4681 proto_tree_add_item_ret_uint(tree, hf_smb2_notify_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &next_offset);
4682 offset += 4;
4683
4684 proto_tree_add_item(tree, hf_smb2_notify_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4685 offset += 4;
4686
4687 /* file name length */
4688 proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
4689 offset += 4;
4690
4691 /* file name */
4692 if (length) {
4693 proto_tree_add_item(tree, hf_smb2_filename,
4694 tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
4695 }
4696
4697 if (!next_offset) {
4698 break;
4699 }
4700
4701 offset = start_offset+next_offset;
4702 }
4703 }
4704
4705 static int
4706 dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
4707 {
4708 offset_length_buffer_t olb;
4709 bool continue_dissection;
4710 proto_item *item;
4711
4712 switch (si->status) {
4713 /* MS-SMB2 3.3.4.4 says STATUS_NOTIFY_ENUM_DIR is not treated as an error */
4714 case 0x0000010c: /* STATUS_NOTIFY_ENUM_DIR */
4715 case 0x00000000: /* buffer code */
4716 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
4717 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
4718 if (!continue_dissection) return offset;
4719 }
4720
4721 /* fid hash */
4722 if (si->saved && si->saved->fid_hash) {
4723 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
4724 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
4725 proto_item_set_generated(item);
4726 }
4727
4728 /* out buffer offset/length */
4729 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);
4730
4731 /* out buffer */
4732 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);
4733 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
4734
4735 return offset;
4736 }
4737
4738 #define SMB2_FIND_FLAG_RESTART_SCANS 0x01
4739 #define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
4740 #define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
4741 #define SMB2_FIND_FLAG_REOPEN 0x10
4742
4743 static int
4744 dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
4745 {
4746 offset_length_buffer_t olb;
4747 const uint8_t *buf;
4748 uint8_t il;
4749 static int * const f_fields[] = {
4750 &hf_smb2_find_flags_restart_scans,
4751 &hf_smb2_find_flags_single_entry,
4752 &hf_smb2_find_flags_index_specified,
4753 &hf_smb2_find_flags_reopen,
4754 NULL
4755 };
4756 proto_item *item;
4757
4758
4759 /* buffer code */
4760 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
4761
4762 il = tvb_get_uint8(tvb, offset);
4763 if (si->saved) {
4764 si->saved->infolevel = il;
4765 }
4766
4767 /* infolevel */
4768 proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, il);
4769 offset += 1;
4770
4771 /* find flags */
4772 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
4773 offset += 1;
4774
4775 /* file index */
4776 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4777 offset += 4;
4778
4779 /* fid hash */
4780 if (si->saved && si->saved->fid_hash) {
4781 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
4782 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
4783 proto_item_set_generated(item);
4784 }
4785
4786 /* fid */
4787 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
4788
4789 /* search pattern offset/length */
4790 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);
4791
4792 /* output buffer length */
4793 proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4794 offset += 4;
4795
4796 /* search pattern */
4797 buf = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);
4798
4799 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
4800
4801 if (!pinfo->fd->visited && si->saved && olb.len) {
4802 si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
4803 si->saved->extra_info = wmem_strdup(wmem_file_scope(), buf);
4804 }
4805
4806 col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
4807 val_to_str(il, smb2_find_info_levels, "(Level:0x%02x)"),
4808 buf);
4809
4810 return offset;
4811 }
4812
4813 static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
4814 {
4815 int offset = 0;
4816 proto_item *item = NULL;
4817 proto_tree *tree = NULL;
4818
4819 while (tvb_reported_length_remaining(tvb, offset) > 4) {
4820 int old_offset = offset;
4821 int next_offset;
4822 int file_name_len;
4823
4824 if (parent_tree) {
4825 item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
4826 tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
4827 }
4828
4829 /* next offset */
4830 next_offset = tvb_get_letohl(tvb, offset);
4831 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4832 offset += 4;
4833
4834 /* file index */
4835 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4836 offset += 4;
4837
4838 /* create time */
4839 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
4840 offset += 8;
4841
4842 /* last access */
4843 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
4844 offset += 8;
4845
4846 /* last write */
4847 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
4848 offset += 8;
4849
4850 /* last change */
4851 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
4852 offset += 8;
4853
4854 /* end of file */
4855 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4856 offset += 8;
4857
4858 /* allocation size */
4859 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4860 offset += 8;
4861
4862 /* File Attributes */
4863 offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);
4864
4865 /* file name length */
4866 file_name_len = tvb_get_letohl(tvb, offset);
4867 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4868 offset += 4;
4869
4870 /* file name */
4871 if (file_name_len) {
4872 char *display_string;
4873
4874 proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
4875 tvb, offset, file_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
4876 pinfo->pool, &display_string);
4877 proto_item_append_text(item, ": %s", display_string);
4878 offset += file_name_len;
4879 }
4880
4881 proto_item_set_len(item, offset-old_offset);
4882
4883 if (si->saved)
4884 si->saved->num_matched++;
4885
4886 if (next_offset == 0) {
4887 return;
4888 }
4889
4890 offset = old_offset+next_offset;
4891 if (offset < old_offset) {
4892 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
4893 "Invalid offset/length. Malformed packet");
4894 return;
4895 }
4896 }
4897 }
4898
4899 static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
4900 {
4901 int offset = 0;
4902 proto_item *item = NULL;
4903 proto_tree *tree = NULL;
4904
4905 while (tvb_reported_length_remaining(tvb, offset) > 4) {
4906 int old_offset = offset;
4907 int next_offset;
4908 int file_name_len;
4909 uint32_t attr;
4910
4911 if (parent_tree) {
4912 item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
4913 tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
4914 }
4915
4916 /* next offset */
4917 next_offset = tvb_get_letohl(tvb, offset);
4918 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4919 offset += 4;
4920
4921 /* file index */
4922 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4923 offset += 4;
4924
4925 /* create time */
4926 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
4927 offset += 8;
4928
4929 /* last access */
4930 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
4931 offset += 8;
4932
4933 /* last write */
4934 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
4935 offset += 8;
4936
4937 /* last change */
4938 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
4939 offset += 8;
4940
4941 /* end of file */
4942 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4943 offset += 8;
4944
4945 /* allocation size */
4946 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4947 offset += 8;
4948
4949 /* File Attributes */
4950 offset = dissect_fscc_file_attr(tvb, tree, offset, &attr);
4951
4952 /* file name length */
4953 file_name_len = tvb_get_letohl(tvb, offset);
4954 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4955 offset += 4;
4956
4957 /* ea size or reparse tag */
4958 if (attr & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT)
4959 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4960 else
4961 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4962 offset += 4;
4963
4964 /* file name */
4965 if (file_name_len) {
4966 char *display_string;
4967
4968 proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
4969 tvb, offset, file_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
4970 pinfo->pool, &display_string);
4971 proto_item_append_text(item, ": %s", display_string);
4972 offset += file_name_len;
4973 }
4974
4975 proto_item_set_len(item, offset-old_offset);
4976
4977 if (si->saved)
4978 si->saved->num_matched++;
4979
4980 if (next_offset == 0) {
4981 return;
4982 }
4983
4984 offset = old_offset+next_offset;
4985 if (offset < old_offset) {
4986 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
4987 "Invalid offset/length. Malformed packet");
4988 return;
4989 }
4990 }
4991 }
4992
4993 static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
4994 {
4995 int offset = 0;
4996 proto_item *item = NULL;
4997 proto_tree *tree = NULL;
4998
4999 while (tvb_reported_length_remaining(tvb, offset) > 4) {
5000 int old_offset = offset;
5001 int next_offset;
5002 int file_name_len;
5003 int short_name_len;
5004 uint32_t attr;
5005
5006 if (parent_tree) {
5007 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
5008 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
5009 }
5010
5011 /* next offset */
5012 next_offset = tvb_get_letohl(tvb, offset);
5013 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5014 offset += 4;
5015
5016 /* file index */
5017 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5018 offset += 4;
5019
5020 /* create time */
5021 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
5022 offset += 8;
5023
5024 /* last access */
5025 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
5026 offset += 8;
5027
5028 /* last write */
5029 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
5030 offset += 8;
5031
5032 /* last change */
5033 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
5034 offset += 8;
5035
5036 /* end of file */
5037 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5038 offset += 8;
5039
5040 /* allocation size */
5041 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5042 offset += 8;
5043
5044 /* File Attributes */
5045 offset = dissect_fscc_file_attr(tvb, tree, offset, &attr);
5046
5047 /* file name length */
5048 file_name_len = tvb_get_letohl(tvb, offset);
5049 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5050 offset += 4;
5051
5052 /* ea size or reparse tag */
5053 if (attr & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT)
5054 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5055 else
5056 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5057 offset += 4;
5058
5059 /* short name length */
5060 short_name_len = tvb_get_uint8(tvb, offset);
5061 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
5062 offset += 1;
5063
5064 /* reserved */
5065 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
5066 offset += 1;
5067
5068 /* short name */
5069 if (short_name_len) {
5070 proto_tree_add_item(tree, hf_smb2_short_name,
5071 tvb, offset, short_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
5072 }
5073 offset += 24;
5074
5075 /* file name */
5076 if (file_name_len) {
5077 char *display_string;
5078
5079 proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
5080 tvb, offset, file_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
5081 pinfo->pool, &display_string);
5082 proto_item_append_text(item, ": %s", display_string);
5083 offset += file_name_len;
5084 }
5085
5086 proto_item_set_len(item, offset-old_offset);
5087
5088 if (si->saved)
5089 si->saved->num_matched++;
5090
5091 if (next_offset == 0) {
5092 return;
5093 }
5094
5095 offset = old_offset+next_offset;
5096 if (offset < old_offset) {
5097 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
5098 "Invalid offset/length. Malformed packet");
5099 return;
5100 }
5101 }
5102 }
5103
5104 static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
5105 {
5106 int offset = 0;
5107 proto_item *item = NULL;
5108 proto_tree *tree = NULL;
5109
5110 while (tvb_reported_length_remaining(tvb, offset) > 4) {
5111 int old_offset = offset;
5112 int next_offset;
5113 int file_name_len;
5114
5115 if (parent_tree) {
5116 item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
5117 tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
5118 }
5119
5120 /* next offset */
5121 next_offset = tvb_get_letohl(tvb, offset);
5122 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5123 offset += 4;
5124
5125 /* file index */
5126 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5127 offset += 4;
5128
5129 /* file name length */
5130 file_name_len = tvb_get_letohl(tvb, offset);
5131 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5132 offset += 4;
5133
5134 /* file name */
5135 if (file_name_len) {
5136 char *display_string;
5137
5138 proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
5139 tvb, offset, file_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
5140 pinfo->pool, &display_string);
5141 proto_item_append_text(item, ": %s", display_string);
5142 offset += file_name_len;
5143 }
5144
5145 if (si->saved)
5146 si->saved->num_matched++;
5147
5148 proto_item_set_len(item, offset-old_offset);
5149
5150 if (next_offset == 0) {
5151 return;
5152 }
5153
5154 offset = old_offset+next_offset;
5155 if (offset < old_offset) {
5156 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
5157 "Invalid offset/length. Malformed packet");
5158 return;
5159 }
5160 }
5161 }
5162
5163 static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
5164 {
5165 int offset = 0;
5166 proto_item *item = NULL;
5167 proto_tree *tree = NULL;
5168
5169 while (tvb_reported_length_remaining(tvb, offset) > 4) {
5170 int old_offset = offset;
5171 int next_offset;
5172 int file_name_len;
5173 int short_name_len;
5174 uint32_t attr;
5175
5176 if (parent_tree) {
5177 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
5178 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
5179 }
5180
5181 /* next offset */
5182 next_offset = tvb_get_letohl(tvb, offset);
5183 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5184 offset += 4;
5185
5186 /* file index */
5187 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5188 offset += 4;
5189
5190 /* create time */
5191 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
5192 offset += 8;
5193
5194 /* last access */
5195 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
5196 offset += 8;
5197
5198 /* last write */
5199 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
5200 offset += 8;
5201
5202 /* last change */
5203 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
5204 offset += 8;
5205
5206 /* end of file */
5207 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5208 offset += 8;
5209
5210 /* allocation size */
5211 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5212 offset += 8;
5213
5214 /* File Attributes */
5215 offset = dissect_fscc_file_attr(tvb, tree, offset, &attr);
5216
5217 /* file name length */
5218 file_name_len = tvb_get_letohl(tvb, offset);
5219 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5220 offset += 4;
5221
5222 /* ea size or reparse tag */
5223 if (attr & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT)
5224 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5225 else
5226 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5227 offset += 4;
5228
5229 /* short name length */
5230 short_name_len = tvb_get_uint8(tvb, offset);
5231 proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
5232 offset += 1;
5233
5234 /* reserved */
5235 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
5236 offset += 1;
5237
5238 /* short name */
5239 if (short_name_len) {
5240 proto_tree_add_item(tree, hf_smb2_short_name,
5241 tvb, offset, short_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
5242 }
5243 offset += 24;
5244
5245 /* reserved */
5246 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5247 offset += 2;
5248
5249 /* file id */
5250 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5251 offset += 8;
5252
5253 /* file name */
5254 if (file_name_len) {
5255 char *display_string;
5256
5257 proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
5258 tvb, offset, file_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
5259 pinfo->pool, &display_string);
5260 proto_item_append_text(item, ": %s", display_string);
5261 offset += file_name_len;
5262 }
5263
5264 proto_item_set_len(item, offset-old_offset);
5265
5266 if (si->saved)
5267 si->saved->num_matched++;
5268
5269 if (next_offset == 0) {
5270 return;
5271 }
5272
5273 offset = old_offset+next_offset;
5274 if (offset < old_offset) {
5275 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
5276 "Invalid offset/length. Malformed packet");
5277 return;
5278 }
5279 }
5280 }
5281
5282
5283 static void dissect_smb2_id_full_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
5284 {
5285 int offset = 0;
5286 proto_item *item = NULL;
5287 proto_tree *tree = NULL;
5288
5289 while (tvb_reported_length_remaining(tvb, offset) > 4) {
5290 int old_offset = offset;
5291 int next_offset;
5292 int file_name_len;
5293 uint32_t attr;
5294
5295 if (parent_tree) {
5296 item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
5297 tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
5298 }
5299
5300 /* next offset */
5301 next_offset = tvb_get_letohl(tvb, offset);
5302 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5303 offset += 4;
5304
5305 /* file index */
5306 proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5307 offset += 4;
5308
5309 /* create time */
5310 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
5311 offset += 8;
5312
5313 /* last access */
5314 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
5315 offset += 8;
5316
5317 /* last write */
5318 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
5319 offset += 8;
5320
5321 /* last change */
5322 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
5323 offset += 8;
5324
5325 /* end of file */
5326 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5327 offset += 8;
5328
5329 /* allocation size */
5330 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5331 offset += 8;
5332
5333 /* File Attributes */
5334 offset = dissect_fscc_file_attr(tvb, tree, offset, &attr);
5335
5336 /* file name length */
5337 file_name_len = tvb_get_letohl(tvb, offset);
5338 proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5339 offset += 4;
5340
5341 /* ea size or reparse tag */
5342 if (attr & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT)
5343 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5344 else
5345 proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5346 offset += 4;
5347
5348 /* reserved */
5349 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5350 offset += 4;
5351
5352 /* file id */
5353 proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5354 offset += 8;
5355
5356 /* file name */
5357 if (file_name_len) {
5358 char *display_string;
5359
5360 proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
5361 tvb, offset, file_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
5362 pinfo->pool, &display_string);
5363 proto_item_append_text(item, ": %s", display_string);
5364 offset += file_name_len;
5365 }
5366
5367 proto_item_set_len(item, offset-old_offset);
5368
5369 if (si->saved)
5370 si->saved->num_matched++;
5371
5372 if (next_offset == 0) {
5373 return;
5374 }
5375
5376 offset = old_offset+next_offset;
5377 if (offset < old_offset) {
5378 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
5379 "Invalid offset/length. Malformed packet");
5380 return;
5381 }
5382 }
5383 }
5384
5385 static int dissect_smb2_posix_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5386 {
5387 /* create time */
5388 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
5389 offset += 8;
5390
5391 /* last access */
5392 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
5393 offset += 8;
5394
5395 /* last write */
5396 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
5397 offset += 8;
5398
5399 /* last change */
5400 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
5401 offset += 8;
5402
5403 /* end of file */
5404 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5405 offset += 8;
5406
5407 /* allocation size */
5408 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5409 offset += 8;
5410
5411 /* File Attributes */
5412 offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);
5413
5414 /* file index */
5415 proto_tree_add_item(tree, hf_smb2_inode, tvb, offset, 8, ENC_LITTLE_ENDIAN);
5416 offset += 8;
5417
5418 /* dev id */
5419 proto_tree_add_item(tree, hf_smb2_dev, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5420 offset += 4;
5421
5422 /* zero */
5423 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5424 offset += 4;
5425
5426 /* Hardlinks */
5427 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5428 offset += 4;
5429
5430 /* Reparse tag */
5431 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5432 offset += 4;
5433
5434 /* POSIX mode bits */
5435 proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5436 offset += 4;
5437
5438 /* Owner and Group SID */
5439 offset = dissect_nt_sid(tvb, offset, tree, "Owner SID", NULL, -1);
5440 offset = dissect_nt_sid(tvb, offset, tree, "Group SID", NULL, -1);
5441
5442 if (si->saved)
5443 si->saved->num_matched++;
5444
5445 return offset;
5446 }
5447
5448 static void dissect_smb2_posix_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
5449 {
5450 int offset = 0;
5451 proto_item *item = NULL;
5452 proto_tree *tree = NULL;
5453
5454 while (tvb_reported_length_remaining(tvb, offset) > 4) {
5455 int old_offset = offset;
5456 int next_offset;
5457 int file_name_len;
5458
5459 if (parent_tree) {
5460 item = proto_tree_add_item(parent_tree, hf_smb2_posix_info, tvb, offset, -1, ENC_NA);
5461 tree = proto_item_add_subtree(item, ett_smb2_posix_info);
5462 }
5463
5464 /* next offset */
5465 next_offset = tvb_get_letohl(tvb, offset);
5466 proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5467 offset += 4;
5468 offset += 4;
5469
5470 offset = dissect_smb2_posix_info(tvb, pinfo, tree, offset, si);
5471
5472 /* file name length */
5473 proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &file_name_len);
5474 offset += 4;
5475
5476 /* file name */
5477 if (file_name_len) {
5478 proto_tree_add_item(tree, hf_smb2_filename, tvb, offset, file_name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
5479 offset += file_name_len;
5480 }
5481
5482 proto_item_set_len(item, offset-old_offset);
5483
5484 if (next_offset == 0) {
5485 return;
5486 }
5487
5488 offset = old_offset+next_offset;
5489 if (offset < old_offset) {
5490 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
5491 "Invalid offset/length. Malformed packet");
5492 return;
5493 }
5494 }
5495 }
5496
5497
5498 typedef struct _smb2_find_dissector_t {
5499 uint32_t level;
5500 void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
5501 } smb2_find_dissector_t;
5502
5503 static smb2_find_dissector_t smb2_find_dissectors[] = {
5504 {SMB2_FIND_DIRECTORY_INFO, dissect_smb2_file_directory_info},
5505 {SMB2_FIND_FULL_DIRECTORY_INFO, dissect_smb2_full_directory_info},
5506 {SMB2_FIND_BOTH_DIRECTORY_INFO, dissect_smb2_both_directory_info},
5507 {SMB2_FIND_NAME_INFO, dissect_smb2_file_name_info},
5508 {SMB2_FIND_ID_BOTH_DIRECTORY_INFO,dissect_smb2_id_both_directory_info},
5509 {SMB2_FIND_ID_FULL_DIRECTORY_INFO,dissect_smb2_id_full_directory_info},
5510 {SMB2_FIND_POSIX_INFO, dissect_smb2_posix_directory_info},
5511 {0, NULL}
5512 };
5513
5514 static void
5515 dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
5516 {
5517 smb2_find_dissector_t *dis = smb2_find_dissectors;
5518
5519 if (si->saved)
5520 si->saved->num_matched = 0;
5521
5522 while (dis->dissector) {
5523 if (si->saved) {
5524 if (dis->level == si->saved->infolevel) {
5525 dis->dissector(tvb, pinfo, tree, si);
5526 return;
5527 }
5528 }
5529 dis++;
5530 }
5531
5532
5533 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
5534 }
5535
5536 static int
5537 dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
5538 {
5539 offset_length_buffer_t olb;
5540 proto_item *item = NULL;
5541 bool continue_dissection;
5542
5543 /* fid hash */
5544 if (si->saved && si->saved->fid_hash) {
5545 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
5546 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
5547 proto_item_set_generated(item);
5548 }
5549
5550 if (si->saved) {
5551 /* infolevel */
5552 item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
5553 proto_item_set_generated(item);
5554 }
5555
5556 if (si->saved && si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
5557 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s Pattern: %s",
5558 val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
5559 (const char *)si->saved->extra_info);
5560 }
5561
5562 switch (si->status) {
5563 /* buffer code */
5564 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
5565 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5566 if (!continue_dissection) return offset;
5567 }
5568
5569 /* findinfo offset */
5570 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);
5571
5572 /* the buffer */
5573 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);
5574
5575 offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);
5576
5577 if (si->saved) {
5578 item = proto_tree_add_uint_format(tree, hf_smb2_num_matched, tvb, 0, 0,
5579 si->saved->num_matched, "Matched: %u names", si->saved->num_matched);
5580 proto_item_set_generated(item);
5581
5582 col_append_fstr(
5583 pinfo->cinfo, COL_INFO, ", %u matches", si->saved->num_matched);
5584 }
5585
5586 return offset;
5587 }
5588
5589 static int
5590 dissect_smb2_negotiate_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
5591 {
5592 uint16_t type;
5593 const char *type_str;
5594 uint32_t i, data_length, salt_length, hash_count, cipher_count, comp_count, transform_count;
5595 uint32_t signing_count;
5596 proto_item *sub_item;
5597 proto_tree *sub_tree;
5598 static int * const comp_alg_flags_fields[] = {
5599 &hf_smb2_comp_alg_flags_chained,
5600 &hf_smb2_comp_alg_flags_reserved,
5601 NULL
5602 };
5603
5604 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_negotiate_context_element, &sub_item, "Negotiate Context");
5605
5606 /* type */
5607 type = tvb_get_letohl(tvb, offset);
5608 type_str = val_to_str(type, smb2_negotiate_context_types, "Unknown Type: (0x%0x)");
5609 proto_item_append_text(sub_item, ": %s ", type_str);
5610 proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5611 offset += 2;
5612
5613 /* data length */
5614 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_negotiate_context_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &data_length);
5615 proto_item_set_len(sub_item, data_length + 8);
5616 offset += 2;
5617
5618 /* reserved */
5619 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
5620 offset += 4;
5621
5622 switch (type)
5623 {
5624 case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
5625 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_hash_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &hash_count);
5626 offset += 2;
5627 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_salt_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &salt_length);
5628 offset += 2;
5629
5630 for (i = 0; i < hash_count; i++)
5631 {
5632 proto_tree_add_item(sub_tree, hf_smb2_hash_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5633 offset += 2;
5634 }
5635
5636 if (salt_length)
5637 {
5638 proto_tree_add_item(sub_tree, hf_smb2_salt, tvb, offset, salt_length, ENC_NA);
5639 offset += salt_length;
5640 }
5641 break;
5642
5643 case SMB2_ENCRYPTION_CAPABILITIES:
5644 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_cipher_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &cipher_count);
5645 offset += 2;
5646
5647 for (i = 0; i < cipher_count; i ++)
5648 {
5649 /* in SMB3.1.1 the first cipher returned by the server session encryption algorithm */
5650 if (i == 0 && si && si->conv && (si->flags & SMB2_FLAGS_RESPONSE)) {
5651 uint16_t first_cipher = tvb_get_letohs(tvb, offset);
5652 si->conv->enc_alg = first_cipher;
5653 }
5654 proto_tree_add_item(sub_tree, hf_smb2_cipher_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5655 offset += 2;
5656 }
5657 break;
5658
5659 case SMB2_COMPRESSION_CAPABILITIES:
5660 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_comp_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &comp_count);
5661 offset += 2;
5662
5663 /* padding */
5664 offset += 2;
5665
5666 /* flags */
5667 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_comp_alg_flags, ett_smb2_comp_alg_flags, comp_alg_flags_fields, ENC_LITTLE_ENDIAN);
5668 offset += 4;
5669
5670 for (i = 0; i < comp_count; i ++) {
5671 proto_tree_add_item(sub_tree, hf_smb2_comp_alg_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5672 offset += 2;
5673 }
5674 break;
5675
5676 case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID:
5677 proto_tree_add_item(sub_tree, hf_smb2_netname_neg_id, tvb, offset,
5678 data_length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
5679 offset += data_length;
5680 break;
5681
5682 case SMB2_TRANSPORT_CAPABILITIES:
5683 proto_tree_add_item(sub_tree, hf_smb2_transport_ctx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5684 offset += 4;
5685 break;
5686
5687 case SMB2_RDMA_TRANSFORM_CAPABILITIES:
5688 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_rdma_transform_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &transform_count);
5689 offset += 2;
5690
5691 proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_reserved1, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5692 offset += 2;
5693 proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5694 offset += 4;
5695
5696 for (i = 0; i < transform_count; i++) {
5697 proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5698 offset += 2;
5699 }
5700 break;
5701
5702 case SMB2_SIGNING_CAPABILITIES:
5703 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_signing_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &signing_count);
5704 offset += 2;
5705
5706 for (i = 0; i < signing_count; i++) {
5707 /* in SMB3.1.1 the first cipher returned by the server session encryption algorithm */
5708 if (i == 0 && si && si->conv && (si->flags & SMB2_FLAGS_RESPONSE)) {
5709 uint16_t first_sign_alg = tvb_get_letohs(tvb, offset);
5710 si->conv->sign_alg = first_sign_alg;
5711 }
5712 proto_tree_add_item(sub_tree, hf_smb2_signing_alg_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5713 offset += 2;
5714 }
5715 break;
5716
5717 case SMB2_POSIX_EXTENSIONS_CAPABILITIES:
5718 proto_tree_add_item(sub_tree, hf_smb2_posix_reserved, tvb, offset, data_length, ENC_NA);
5719 offset += data_length;
5720 break;
5721
5722 default:
5723 proto_tree_add_item(sub_tree, hf_smb2_unknown, tvb, offset, data_length, ENC_NA);
5724 offset += data_length;
5725 break;
5726 }
5727
5728 return offset;
5729 }
5730
5731 static int
5732 dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5733 {
5734 uint16_t dc;
5735 uint16_t i;
5736 proto_item *nco_item, *ncc_item;
5737 bool supports_smb_3_10 = false;
5738 uint32_t nco;
5739 uint32_t ncc;
5740 proto_item *hash_item = NULL;
5741 smb2_saved_info_t *ssi = si->saved;
5742
5743 /* compute preauth hash on first pass */
5744 if (!pinfo->fd->visited && ssi) {
5745 ssi->preauth_hash_req = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
5746 memset(si->conv->preauth_hash_ses, 0, SMB2_PREAUTH_HASH_SIZE);
5747 memset(si->conv->preauth_hash_con, 0, SMB2_PREAUTH_HASH_SIZE);
5748 si->conv->preauth_hash_current = si->conv->preauth_hash_con;
5749 update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
5750 memcpy(ssi->preauth_hash_req, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
5751 }
5752
5753 if (ssi && ssi->preauth_hash_req) {
5754 hash_item = proto_tree_add_bytes_with_length(tree,
5755 hf_smb2_preauth_hash, tvb,
5756 0, tvb_captured_length(tvb),
5757 ssi->preauth_hash_req, SMB2_PREAUTH_HASH_SIZE);
5758 proto_item_set_generated(hash_item);
5759 }
5760
5761 /* buffer code */
5762 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5763
5764 /* dialect count */
5765 dc = tvb_get_letohs(tvb, offset);
5766 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5767 offset += 2;
5768
5769 /* security mode, skip second byte */
5770 offset = dissect_smb2_secmode(tree, tvb, offset);
5771 offset++;
5772
5773
5774 /* reserved */
5775 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5776 offset += 2;
5777
5778 /* capabilities */
5779 offset = dissect_smb2_capabilities(tree, tvb, offset);
5780
5781 /* client guid */
5782 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5783 offset += 16;
5784
5785 /* negotiate context offset */
5786 nco_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &nco);
5787 offset += 4;
5788
5789 /* negotiate context count */
5790 ncc_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ncc);
5791 offset += 2;
5792
5793 /* reserved */
5794 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
5795 offset += 2;
5796
5797 for (i = 0 ; i < dc; i++) {
5798 uint16_t d = tvb_get_letohs(tvb, offset);
5799 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5800 offset += 2;
5801
5802 if (d >= SMB2_DIALECT_310) {
5803 supports_smb_3_10 = true;
5804 }
5805 }
5806
5807 if (!supports_smb_3_10) {
5808 /*
5809 * XXX - if 3.10 or later isn't supported, those fields
5810 * should be dissected as an 8-byte ClientStartTime field...
5811 * ...which should always be set to zero by the
5812 * client and ignored by the server. Doing that would
5813 * require that we look ahead and scan the dialect list
5814 * but what if that's either cut off by a snapshot
5815 * length or missing due to the packet being malformed
5816 * or not reassembled or...?
5817 *
5818 * [MS-SMB2] says 3.11, but 3.10 is deprecated, and
5819 * it appears to work the same way in this regard
5820 * as 3.11.
5821 */
5822 if (ncc != 0) {
5823 expert_add_info(pinfo, ncc_item, &ei_smb2_bad_negprot_negotiate_context_count);
5824 ncc = 0;
5825 }
5826 if (nco != 0) {
5827 expert_add_info(pinfo, nco_item, &ei_smb2_bad_negprot_negotiate_context_offset);
5828 nco = 0;
5829 }
5830 }
5831
5832 if (nco != 0) {
5833 uint32_t tmp = 0x40 + 36 + dc * 2;
5834
5835 if (nco >= tmp) {
5836 offset += nco - tmp;
5837 } else {
5838 ncc = 0;
5839 }
5840 }
5841
5842 for (i = 0; i < ncc; i++) {
5843 offset = WS_ROUNDUP_8(offset);
5844 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
5845 }
5846
5847 return offset;
5848 }
5849
5850 static int
5851 dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
5852 {
5853 offset_length_buffer_t s_olb;
5854 uint16_t i;
5855 uint32_t nco;
5856 uint32_t ncc;
5857 bool continue_dissection;
5858 proto_item *hash_item = NULL;
5859 smb2_saved_info_t *ssi = si->saved;
5860
5861 /* compute preauth hash on first pass */
5862 if (!pinfo->fd->visited && ssi) {
5863 ssi->preauth_hash_res = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
5864 update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
5865 memcpy(ssi->preauth_hash_res, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
5866
5867 /*
5868 * All new sessions on this conversation must reuse
5869 * the preauth hash value at the time of the negprot
5870 * response, so we stash it and switch buffers
5871 */
5872 memcpy(si->conv->preauth_hash_ses, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
5873 si->conv->preauth_hash_current = si->conv->preauth_hash_ses;
5874 }
5875
5876 if (ssi && ssi->preauth_hash_res) {
5877 hash_item = proto_tree_add_bytes_with_length(tree,
5878 hf_smb2_preauth_hash, tvb,
5879 0, tvb_captured_length(tvb),
5880 ssi->preauth_hash_res, SMB2_PREAUTH_HASH_SIZE);
5881 proto_item_set_generated(hash_item);
5882 }
5883
5884 switch (si->status) {
5885 /* buffer code */
5886 case 0x00000000:
5887 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
5888 break;
5889
5890 default:
5891 offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
5892 if (!continue_dissection)
5893 return offset;
5894 }
5895
5896 /* security mode, skip second byte */
5897 offset = dissect_smb2_secmode(tree, tvb, offset);
5898 offset++;
5899
5900 /* dialect picked */
5901 si->conv->dialect = tvb_get_letohs(tvb, offset);
5902 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
5903 offset += 2;
5904
5905 /* negotiate context count/reserved */
5906 /*
5907 * If 3.10 or later isn't the chosen dialect, this field
5908 * should be dissected as a reserved field
5909 * ...which should always be set to zero by the
5910 * client and ignored by the server.
5911 *
5912 * [MS-SMB2] says 3.11, but 3.10 is deprecated, and
5913 * it appears to work the same way in this regard
5914 * as 3.11.
5915 */
5916 if (si->conv->dialect >= SMB2_DIALECT_310) {
5917 proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ncc);
5918 } else {
5919 proto_item *reserved_item;
5920
5921 reserved_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ncc);
5922 if (ncc != 0) {
5923 expert_add_info(pinfo, reserved_item, &ei_smb2_bad_negprot_reserved);
5924 ncc = 0;
5925 }
5926 }
5927 offset += 2;
5928
5929 /* server GUID */
5930 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
5931 offset += 16;
5932
5933 /* capabilities */
5934 offset = dissect_smb2_capabilities(tree, tvb, offset);
5935
5936 /* max trans size */
5937 proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5938 offset += 4;
5939
5940 /* max read size */
5941 proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5942 offset += 4;
5943
5944 /* max write size */
5945 proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
5946 offset += 4;
5947
5948 /* current time */
5949 dissect_nttime(tvb, tree, offset, hf_smb2_current_time, ENC_LITTLE_ENDIAN);
5950 offset += 8;
5951
5952 /* boot time */
5953 dissect_nttime(tvb, tree, offset, hf_smb2_boot_time, ENC_LITTLE_ENDIAN);
5954 offset += 8;
5955
5956 /* security blob offset/length */
5957 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);
5958
5959 /* the security blob itself */
5960 dissect_smb2_olb_buffer(pinfo, tree, tvb, &s_olb, si, dissect_smb2_secblob);
5961
5962 /* negotiate context offset/reserved2 */
5963 /*
5964 * If 3.10 or later isn't the chosen dialect, this field
5965 * should be dissected as a reserved field
5966 * ...which should always be set to zero by the
5967 * client and ignored by the server.
5968 *
5969 * [MS-SMB2] says 3.11, but 3.10 is deprecated, and
5970 * it appears to work the same way in this regard
5971 * as 3.11.
5972 */
5973 if (si->conv->dialect >= SMB2_DIALECT_310) {
5974 proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &nco);
5975 } else {
5976 proto_item *reserved2_item;
5977
5978 reserved2_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN, &nco);
5979 if (nco != 0) {
5980 expert_add_info(pinfo, reserved2_item, &ei_smb2_bad_negprot_reserved2);
5981 nco = 0;
5982 }
5983 }
5984 offset += 4;
5985
5986 offset = dissect_smb2_olb_tvb_max_offset(offset, &s_olb);
5987
5988 if (si->conv->dialect == SMB2_DIALECT_300 || si->conv->dialect == SMB2_DIALECT_302) {
5989 /* If we know we are decrypting SMB3.0, it must be CCM */
5990 si->conv->enc_alg = SMB2_CIPHER_AES_128_CCM;
5991 }
5992
5993 if (si->conv->dialect >= SMB2_DIALECT_300) {
5994 /* If we know we are decrypting SMB3.0, it's CMAC by default */
5995 si->conv->sign_alg = SMB2_SIGNING_ALG_AES_CMAC;
5996 } else {
5997 si->conv->sign_alg = SMB2_SIGNING_ALG_HMAC_SHA256;
5998 }
5999
6000 if (si->conv->dialect < SMB2_DIALECT_310) {
6001 ncc = 0;
6002 }
6003
6004 if (nco != 0) {
6005 uint32_t tmp = 0x40 + 64 + s_olb.len;
6006
6007 if (nco >= tmp) {
6008 offset += nco - tmp;
6009 } else {
6010 ncc = 0;
6011 }
6012 }
6013
6014 for (i = 0; i < ncc; i++) {
6015 offset = WS_ROUNDUP_8(offset);
6016 offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
6017 }
6018
6019 return offset;
6020 }
6021
6022 static const true_false_string tfs_additional_owner = {
6023 "Requesting OWNER security information",
6024 "NOT requesting owner security information",
6025 };
6026
6027 static const true_false_string tfs_additional_group = {
6028 "Requesting GROUP security information",
6029 "NOT requesting group security information",
6030 };
6031
6032 static const true_false_string tfs_additional_dacl = {
6033 "Requesting DACL security information",
6034 "NOT requesting DACL security information",
6035 };
6036
6037 static const true_false_string tfs_additional_sacl = {
6038 "Requesting SACL security information",
6039 "NOT requesting SACL security information",
6040 };
6041
6042 static const true_false_string tfs_additional_label = {
6043 "Requesting integrity label security information",
6044 "NOT requesting integrity label security information",
6045 };
6046
6047 static const true_false_string tfs_additional_attribute = {
6048 "Requesting resource attribute security information",
6049 "NOT requesting resource attribute security information",
6050 };
6051
6052 static const true_false_string tfs_additional_scope = {
6053 "Requesting central access policy security information",
6054 "NOT requesting central access policy security information",
6055 };
6056
6057 static const true_false_string tfs_additional_backup = {
6058 "Requesting backup operation security information",
6059 "NOT requesting backup operation security information",
6060 };
6061
6062 static int
6063 dissect_additional_information_sec_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
6064 {
6065 /* Note that in SMB1 protocol some security flags were not defined yet - see dissect_security_information_mask()
6066 So for SMB2 we have to use own dissector */
6067 static int * const flags[] = {
6068 &hf_smb2_getsetinfo_additional_owner,
6069 &hf_smb2_getsetinfo_additional_group,
6070 &hf_smb2_getsetinfo_additional_dacl,
6071 &hf_smb2_getsetinfo_additional_sacl,
6072 &hf_smb2_getsetinfo_additional_label,
6073 &hf_smb2_getsetinfo_additional_attribute,
6074 &hf_smb2_getsetinfo_additional_scope,
6075 &hf_smb2_getsetinfo_additional_backup,
6076 NULL
6077 };
6078
6079 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_getsetinfo_additionals,
6080 ett_smb2_additional_information_sec_mask, flags, ENC_LITTLE_ENDIAN);
6081 offset += 4;
6082
6083 return offset;
6084 }
6085
6086 static int
6087 dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
6088 {
6089 static int* const flag_entries[] = {
6090 &hf_smb2_query_info_flag_restart_scan,
6091 &hf_smb2_query_info_flag_return_single_entry,
6092 &hf_smb2_query_info_flag_index_specified,
6093 NULL
6094 };
6095
6096 /* Additional Info */
6097 switch (si->saved->smb2_class) {
6098 case SMB2_CLASS_SEC_INFO:
6099 dissect_additional_information_sec_mask(tvb, tree, offset);
6100 break;
6101 default:
6102 proto_tree_add_item(tree, hf_smb2_getsetinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6103 }
6104 offset += 4;
6105
6106 /* Flags */
6107 if (si->saved->infolevel == SMB2_FILE_FULL_EA_INFO) {
6108 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_query_info_flags, ett_smb2_query_info_flags, flag_entries, ENC_LITTLE_ENDIAN);
6109 } else {
6110 proto_tree_add_item(tree, hf_smb2_getinfo_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6111 }
6112 offset += 4;
6113
6114 return offset;
6115 }
6116
6117
6118 static int
6119 dissect_smb2_getinfo_buffer_quota(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
6120 {
6121 uint32_t sidlist_len = 0;
6122 uint32_t startsid_len = 0;
6123 uint32_t startsid_offset = 0;
6124
6125 proto_item *item = NULL;
6126 proto_tree *tree = NULL;
6127
6128 if (parent_tree) {
6129 item = proto_tree_add_item(parent_tree, hf_smb2_query_quota_info, tvb, offset, -1, ENC_NA);
6130 tree = proto_item_add_subtree(item, ett_smb2_query_quota_info);
6131 }
6132
6133 proto_tree_add_item(tree, hf_smb2_qq_single, tvb, offset, 1, ENC_LITTLE_ENDIAN);
6134 offset += 1;
6135
6136 proto_tree_add_item(tree, hf_smb2_qq_restart, tvb, offset, 1, ENC_LITTLE_ENDIAN);
6137 offset += 1;
6138
6139 /* reserved */
6140 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6141 offset += 2;
6142
6143 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_sidlist_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &sidlist_len);
6144 offset += 4;
6145
6146 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_start_sid_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_len);
6147 offset += 4;
6148
6149 proto_tree_add_item_ret_uint(tree, hf_smb2_qq_start_sid_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &startsid_offset);
6150 offset += 4;
6151
6152 if (sidlist_len != 0) {
6153 offset = dissect_nt_get_user_quota(tvb, tree, offset, &sidlist_len);
6154 } else if (startsid_len != 0) {
6155 offset = dissect_nt_sid(tvb, offset + startsid_offset, tree, "Start SID", NULL, -1);
6156 }
6157
6158 return offset;
6159 }
6160
6161 static int
6162 dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
6163 {
6164 uint8_t cl, il;
6165 proto_item *item;
6166 int hfindex;
6167 value_string_ext *vsx;
6168
6169 if (si->flags & SMB2_FLAGS_RESPONSE) {
6170 if (!si->saved) {
6171 return offset;
6172 }
6173 cl = si->saved->smb2_class;
6174 il = si->saved->infolevel;
6175 } else {
6176 cl = tvb_get_uint8(tvb, offset);
6177 il = tvb_get_uint8(tvb, offset+1);
6178 if (si->saved) {
6179 si->saved->smb2_class = cl;
6180 si->saved->infolevel = il;
6181 }
6182 }
6183
6184
6185 switch (cl) {
6186 case SMB2_CLASS_FILE_INFO:
6187 hfindex = hf_smb2_infolevel_file_info;
6188 vsx = &smb2_file_info_levels_ext;
6189 break;
6190 case SMB2_CLASS_FS_INFO:
6191 hfindex = hf_smb2_infolevel_fs_info;
6192 vsx = &smb2_fs_info_levels_ext;
6193 break;
6194 case SMB2_CLASS_SEC_INFO:
6195 hfindex = hf_smb2_infolevel_sec_info;
6196 vsx = &smb2_sec_info_levels_ext;
6197 break;
6198 case SMB2_CLASS_QUOTA_INFO:
6199 /* infolevel is not being used for quota */
6200 hfindex = hf_smb2_infolevel;
6201 vsx = NULL;
6202 break;
6203 default:
6204 hfindex = hf_smb2_infolevel;
6205 vsx = NULL; /* allowed arg to val_to_str_ext() */
6206 }
6207
6208
6209 /* class */
6210 item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
6211 if (si->flags & SMB2_FLAGS_RESPONSE) {
6212 proto_item_set_generated(item);
6213 }
6214 /* infolevel */
6215 item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
6216 if (si->flags & SMB2_FLAGS_RESPONSE) {
6217 proto_item_set_generated(item);
6218 }
6219 offset += 2;
6220
6221 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
6222 /* Only update COL_INFO for requests. It clutters the
6223 * display a bit too much if we do it for replies
6224 * as well.
6225 */
6226 col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
6227 val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
6228 val_to_str_ext(il, vsx, "(Level:0x%02x)"));
6229 }
6230
6231 return offset;
6232 }
6233
6234 static int
6235 dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6236 {
6237 uint32_t getinfo_size = 0;
6238 uint32_t getinfo_offset = 0;
6239 proto_item *offset_item;
6240 proto_item *item;
6241
6242 /* buffer code */
6243 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6244
6245 /* class and info level */
6246 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
6247
6248 /* max response size */
6249 proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6250 offset += 4;
6251
6252 /* offset */
6253 offset_item = proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN, &getinfo_offset);
6254 offset += 2;
6255
6256 /* reserved */
6257 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6258 offset += 2;
6259
6260 /* size */
6261 proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &getinfo_size);
6262 offset += 4;
6263
6264 /* parameters */
6265 if (si->saved) {
6266 offset = dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
6267 } else {
6268 /* some unknown bytes */
6269 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 8, ENC_NA);
6270 offset += 8;
6271 }
6272
6273 /* fid hash */
6274 if (si->saved && si->saved->fid_hash) {
6275 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
6276 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
6277 proto_item_set_generated(item);
6278 }
6279
6280 /* fid */
6281 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
6282
6283 /* buffer */
6284 if (si->saved) {
6285 if (getinfo_size != 0) {
6286 /*
6287 * 2.2.37 says "For quota requests, this MUST be
6288 * the length of the contained SMB2_QUERY_QUOTA_INFO
6289 * embedded in the request. For FileFullEaInformation
6290 * requests, this MUST be set to the length of the
6291 * user supplied EA list specified in [MS-FSCC]
6292 * section 2.4.15.1. For other information queries,
6293 * this field SHOULD be set to 0 and the server MUST
6294 * ignore it on receipt.
6295 *
6296 * This seems to imply that, for requests other
6297 * than those to types, we should either completely
6298 * ignore a non-zero getinfo_size or should, at
6299 * most, add a warning-level expert info at the
6300 * protocol level saying that it should be zero,
6301 * but not try and interpret it or check its
6302 * validity.
6303 */
6304 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO ||
6305 (si->saved->smb2_class == SMB2_CLASS_FILE_INFO &&
6306 si->saved->infolevel == SMB2_FILE_FULL_EA_INFO)) {
6307 /*
6308 * According to 2.2.37 SMB2 QUERY_INFO
6309 * Request in the current MS-SMB2 spec,
6310 * these are the only info requests that
6311 * have an input buffer.
6312 */
6313
6314 /*
6315 * Make sure that the input buffer is after
6316 * the fixed-length part of the message.
6317 */
6318 if (getinfo_offset < (unsigned)offset) {
6319 expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_offset);
6320 return offset;
6321 }
6322
6323 /*
6324 * Make sure the input buffer is within the
6325 * message, i.e. that it's within the tvbuff.
6326 *
6327 * We check for offset+length overflowing and
6328 * for offset+length being beyond the reported
6329 * length of the tvbuff.
6330 */
6331 if (getinfo_offset + getinfo_size < getinfo_offset ||
6332 getinfo_offset + getinfo_size > tvb_reported_length(tvb)) {
6333 expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_size);
6334 return offset;
6335 }
6336
6337 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO) {
6338 dissect_smb2_getinfo_buffer_quota(tvb, pinfo, tree, getinfo_offset, si);
6339 } else {
6340 /*
6341 * XXX - handle user supplied EA info.
6342 */
6343 proto_tree_add_item(tree, hf_smb2_unknown, tvb, getinfo_offset, getinfo_size, ENC_NA);
6344 }
6345 offset = getinfo_offset + getinfo_size;
6346 }
6347 } else {
6348 /*
6349 * The buffer size is 0, meaning it's not present.
6350 *
6351 * 2.2.37 says "For FileFullEaInformation requests,
6352 * the input buffer MUST contain the user supplied
6353 * EA list with zero or more FILE_GET_EA_INFORMATION
6354 * structures, specified in [MS-FSCC] section
6355 * 2.4.15.1.", so it seems that, for a "get full
6356 * EA information" request, the size can be zero -
6357 * there's no other obvious way for the list to
6358 * have zero structures.
6359 *
6360 * 2.2.37 also says "For quota requests, the input
6361 * buffer MUST contain an SMB2_QUERY_QUOTA_INFO,
6362 * as specified in section 2.2.37.1."; that seems
6363 * to imply that the input buffer must not be empty
6364 * in that case.
6365 */
6366 if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO)
6367 expert_add_info(pinfo, offset_item, &ei_smb2_empty_getinfo_buffer);
6368 }
6369 }
6370
6371 return offset;
6372 }
6373
6374 static int
6375 dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, uint8_t smb2_class, uint8_t infolevel)
6376 {
6377 int old_offset = offset;
6378
6379 switch (smb2_class) {
6380 case SMB2_CLASS_FILE_INFO:
6381 switch (infolevel) {
6382 case SMB2_FILE_BASIC_INFO:
6383 offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
6384 break;
6385 case SMB2_FILE_STANDARD_INFO:
6386 offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
6387 break;
6388 case SMB2_FILE_INTERNAL_INFO:
6389 offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
6390 break;
6391 case SMB2_FILE_EA_INFO:
6392 offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
6393 break;
6394 case SMB2_FILE_ACCESS_INFO:
6395 offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
6396 break;
6397 case SMB2_FILE_RENAME_INFO:
6398 offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
6399 break;
6400 case SMB2_FILE_LINK_INFO:
6401 offset = dissect_smb2_file_link_info(tvb, pinfo, tree, offset, si);
6402 break;
6403 case SMB2_FILE_DISPOSITION_INFO:
6404 offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
6405 break;
6406 case SMB2_FILE_POSITION_INFO:
6407 offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
6408 break;
6409 case SMB2_FILE_FULL_EA_INFO:
6410 offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
6411 break;
6412 case SMB2_FILE_MODE_INFO:
6413 offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
6414 break;
6415 case SMB2_FILE_ALIGNMENT_INFO:
6416 offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
6417 break;
6418 case SMB2_FILE_ALL_INFO:
6419 offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
6420 break;
6421 case SMB2_FILE_ALLOCATION_INFO:
6422 offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
6423 break;
6424 case SMB2_FILE_ENDOFFILE_INFO:
6425 dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
6426 break;
6427 case SMB2_FILE_ALTERNATE_NAME_INFO:
6428 offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
6429 break;
6430 case SMB2_FILE_STREAM_INFO:
6431 offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
6432 break;
6433 case SMB2_FILE_PIPE_INFO:
6434 offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
6435 break;
6436 case SMB2_FILE_COMPRESSION_INFO:
6437 offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
6438 break;
6439 case SMB2_FILE_NETWORK_OPEN_INFO:
6440 offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
6441 break;
6442 case SMB2_FILE_ATTRIBUTE_TAG_INFO:
6443 offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
6444 break;
6445 case SMB2_FILE_NORMALIZED_NAME_INFO:
6446 offset = dissect_smb2_file_normalized_name_info(tvb, pinfo, tree, offset, si);
6447 break;
6448 case SMB2_FILE_POSIX_INFO:
6449 offset = dissect_smb2_posix_info(tvb, pinfo, tree, offset, si);
6450 break;
6451 default:
6452 /* we don't handle this infolevel yet */
6453 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
6454 offset += tvb_captured_length_remaining(tvb, offset);
6455 }
6456 break;
6457 case SMB2_CLASS_FS_INFO:
6458 switch (infolevel) {
6459 case SMB2_FS_INFO_01:
6460 offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
6461 break;
6462 case SMB2_FS_INFO_03:
6463 offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
6464 break;
6465 case SMB2_FS_INFO_04:
6466 offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
6467 break;
6468 case SMB2_FS_INFO_05:
6469 offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
6470 break;
6471 case SMB2_FS_INFO_06:
6472 offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
6473 break;
6474 case SMB2_FS_INFO_07:
6475 offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
6476 break;
6477 case SMB2_FS_OBJECTID_INFO:
6478 offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
6479 break;
6480 case SMB2_FS_POSIX_INFO:
6481 offset = dissect_smb2_fs_posix_info(tvb, pinfo, tree, offset, si);
6482 break;
6483 default:
6484 /* we don't handle this infolevel yet */
6485 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
6486 offset += tvb_captured_length_remaining(tvb, offset);
6487 }
6488 break;
6489 case SMB2_CLASS_SEC_INFO:
6490 switch (infolevel) {
6491 case SMB2_SEC_INFO_00:
6492 offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
6493 break;
6494 default:
6495 /* we don't handle this infolevel yet */
6496 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
6497 offset += tvb_captured_length_remaining(tvb, offset);
6498 }
6499 break;
6500 case SMB2_CLASS_QUOTA_INFO:
6501 offset = dissect_smb2_quota_info(tvb, pinfo, tree, offset, si);
6502 break;
6503 default:
6504 /* we don't handle this class yet */
6505 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
6506 offset += tvb_captured_length_remaining(tvb, offset);
6507 }
6508
6509 /* if we get BUFFER_OVERFLOW there will be truncated data */
6510 if (si->status == 0x80000005) {
6511 proto_item *item;
6512 item = proto_tree_add_item(tree, hf_smb2_truncated, tvb, old_offset, 0, ENC_NA);
6513 proto_item_set_generated(item);
6514 }
6515 return offset;
6516 }
6517
6518 static void
6519 dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
6520 {
6521 /* data */
6522 if (si->saved) {
6523 dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->smb2_class, si->saved->infolevel);
6524 } else {
6525 /* some unknown bytes */
6526 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
6527 }
6528
6529 }
6530
6531
6532 static int
6533 dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6534 {
6535 offset_length_buffer_t olb;
6536 bool continue_dissection;
6537 proto_item *item;
6538
6539 /* class/infolevel */
6540 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
6541
6542 switch (si->status) {
6543 case 0x00000000:
6544 /* if we get BUFFER_OVERFLOW there will be truncated data */
6545 case 0x80000005:
6546 /* if we get BUFFER_TOO_SMALL there will not be any data there, only
6547 * a guin32 specifying how big the buffer needs to be
6548 */
6549 /* buffer code */
6550 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6551 break;
6552 case 0xc0000023:
6553 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6554 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
6555 proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6556 offset += 4;
6557
6558 return offset;
6559 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6560 if (!continue_dissection) return offset;
6561 }
6562
6563 /* response buffer offset and size */
6564 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
6565
6566 /* response data*/
6567 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);
6568
6569 /* fid hash */
6570 if (si->saved && si->saved->fid_hash) {
6571 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
6572 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
6573 proto_item_set_generated(item);
6574 }
6575
6576 return offset;
6577 }
6578
6579 static int
6580 dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6581 {
6582 proto_tree *flags_tree = NULL;
6583 proto_item *flags_item = NULL;
6584 proto_item *item;
6585
6586 /* buffer code */
6587 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6588
6589 /* close flags */
6590 if (tree) {
6591 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6592 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
6593 }
6594 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6595 offset += 2;
6596
6597 /* padding */
6598 offset += 4;
6599
6600 /* fid hash */
6601 if (si->saved && si->saved->fid_hash) {
6602 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
6603 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
6604 proto_item_set_generated(item);
6605 }
6606
6607 /* fid */
6608 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);
6609
6610 return offset;
6611 }
6612
6613 static int
6614 dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
6615 {
6616 proto_tree *flags_tree = NULL;
6617 proto_item *flags_item = NULL;
6618 proto_item *item;
6619 bool continue_dissection;
6620
6621 switch (si->status) {
6622 /* buffer code */
6623 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
6624 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6625 if (!continue_dissection) return offset;
6626 }
6627
6628 /* close flags */
6629 if (tree) {
6630 flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6631 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_close_flags);
6632 }
6633 proto_tree_add_item(flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6634 offset += 2;
6635
6636 /* reserved */
6637 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6638 offset += 4;
6639
6640 /* create time */
6641 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
6642 offset += 8;
6643
6644 /* last access */
6645 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
6646 offset += 8;
6647
6648 /* last write */
6649 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
6650 offset += 8;
6651
6652 /* last change */
6653 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
6654 offset += 8;
6655
6656 /* allocation size */
6657 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6658 offset += 8;
6659
6660 /* end of file */
6661 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6662 offset += 8;
6663
6664 /* File Attributes */
6665 offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);
6666
6667 /* fid hash */
6668 if (si->saved && si->saved->fid_hash) {
6669 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
6670 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
6671 proto_item_set_generated(item);
6672 }
6673
6674 return offset;
6675 }
6676
6677 static int
6678 dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6679 {
6680 proto_item *item;
6681
6682 /* buffer code */
6683 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6684
6685 /* reserved1 */
6686 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6687 offset += 2;
6688
6689 /* reserved2 */
6690 proto_tree_add_item(tree, hf_smb2_flush_reserved2, tvb, offset, 4, ENC_NA);
6691 offset += 4;
6692
6693 /* fid hash */
6694 if (si->saved && si->saved->fid_hash) {
6695 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
6696 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
6697 proto_item_set_generated(item);
6698 }
6699
6700 /* fid */
6701 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
6702
6703 return offset;
6704 }
6705
6706 static int
6707 dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
6708 {
6709 bool continue_dissection;
6710 proto_item *item;
6711
6712 switch (si->status) {
6713 /* buffer code */
6714 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
6715 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6716 if (!continue_dissection) return offset;
6717 }
6718
6719 /* fid hash */
6720 if (si->saved && si->saved->fid_hash) {
6721 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
6722 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
6723 proto_item_set_generated(item);
6724 }
6725
6726 /* reserved bytes */
6727 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6728 offset += 2;
6729
6730 return offset;
6731 }
6732
6733
6734 static int
6735 dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
6736 {
6737 uint16_t lock_count;
6738 proto_item *item;
6739
6740 /* buffer code */
6741 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6742
6743 /* lock count */
6744 lock_count = tvb_get_letohs(tvb, offset);
6745 proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
6746 offset += 2;
6747
6748 /* Lock Sequence Number/Index */
6749 proto_tree_add_item(tree, hf_smb2_lock_sequence_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6750 proto_tree_add_item(tree, hf_smb2_lock_sequence_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
6751 offset += 4;
6752
6753 /* fid hash */
6754 if (si->saved && si->saved->fid_hash) {
6755 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
6756 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
6757 proto_item_set_generated(item);
6758 }
6759
6760 /* fid */
6761 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
6762
6763 while (lock_count--) {
6764 proto_item *lock_item = NULL;
6765 proto_tree *lock_tree = NULL;
6766 static int * const lf_fields[] = {
6767 &hf_smb2_lock_flags_shared,
6768 &hf_smb2_lock_flags_exclusive,
6769 &hf_smb2_lock_flags_unlock,
6770 &hf_smb2_lock_flags_fail_immediately,
6771 NULL
6772 };
6773
6774 if (tree) {
6775 lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
6776 lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
6777 }
6778
6779 /* offset */
6780 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6781 offset += 8;
6782
6783 /* count */
6784 proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
6785 offset += 8;
6786
6787 /* flags */
6788 proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
6789 offset += 4;
6790
6791 /* reserved */
6792 proto_tree_add_item(lock_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
6793 offset += 4;
6794 }
6795
6796 return offset;
6797 }
6798
6799 static int
6800 dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
6801 {
6802 bool continue_dissection;
6803 proto_item *item;
6804
6805 switch (si->status) {
6806 /* buffer code */
6807 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
6808 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
6809 if (!continue_dissection) return offset;
6810 }
6811
6812 /* fid hash */
6813 if (si->saved && si->saved->fid_hash) {
6814 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
6815 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
6816 proto_item_set_generated(item);
6817 }
6818
6819 /* reserved */
6820 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
6821 offset += 2;
6822
6823 return offset;
6824 }
6825 static int
6826 dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
6827 {
6828 /* buffer code */
6829 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
6830
6831 /* some unknown bytes */
6832 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);
6833 offset += 2;
6834
6835 return offset;
6836 }
6837
6838 static const smb2_fid_info_t *
6839 smb2_pipe_get_fid_info(const smb2_info_t *si)
6840 {
6841 smb2_fid_info_t *file = NULL;
6842
6843 if (si == NULL) {
6844 return NULL;
6845 }
6846 if (si->file != NULL) {
6847 file = si->file;
6848 } else if (si->saved != NULL) {
6849 file = si->saved->file;
6850 }
6851 if (file == NULL) {
6852 return NULL;
6853 }
6854
6855 return file;
6856 }
6857
6858 static void
6859 smb2_pipe_set_file_id(packet_info *pinfo, smb2_info_t *si)
6860 {
6861 uint64_t persistent;
6862 const smb2_fid_info_t *file = NULL;
6863
6864 file = smb2_pipe_get_fid_info(si);
6865 if (file == NULL) {
6866 return;
6867 }
6868
6869 persistent = GPOINTER_TO_UINT(file);
6870
6871 dcerpc_set_transport_salt(persistent, pinfo);
6872 }
6873
6874 static bool smb2_pipe_reassembly = true;
6875 static bool smb2_verify_signatures;
6876 static reassembly_table smb2_pipe_reassembly_table;
6877
6878 static int
6879 dissect_file_data_smb2_pipe(tvbuff_t *raw_tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, uint32_t datalen, proto_tree *top_tree, void *data)
6880 {
6881 /*
6882 * Note: si is NULL for some callers from packet-smb.c
6883 */
6884 const smb2_info_t *si = (const smb2_info_t *)data;
6885 bool result=false;
6886 bool save_fragmented;
6887 int remaining;
6888 unsigned reported_len;
6889 const smb2_fid_info_t *file = NULL;
6890 uint32_t id;
6891 fragment_head *fd_head;
6892 fragment_item *fd_i;
6893 tvbuff_t *tvb;
6894 tvbuff_t *new_tvb;
6895 proto_item *frag_tree_item;
6896 heur_dtbl_entry_t *hdtbl_entry;
6897
6898 file = smb2_pipe_get_fid_info(si);
6899 id = (uint32_t)(GPOINTER_TO_UINT(file) & UINT32_MAX);
6900
6901 remaining = tvb_captured_length_remaining(raw_tvb, offset);
6902
6903 tvb = tvb_new_subset_length_caplen(raw_tvb, offset,
6904 MIN((int)datalen, remaining),
6905 datalen);
6906
6907 /*
6908 * Offer desegmentation service to Named Pipe subdissectors (e.g. DCERPC)
6909 * if we have all the data. Otherwise, reassembly is (probably) impossible.
6910 */
6911 pinfo->can_desegment = 0;
6912 pinfo->desegment_offset = 0;
6913 pinfo->desegment_len = 0;
6914 reported_len = tvb_reported_length(tvb);
6915 if (smb2_pipe_reassembly && tvb_captured_length(tvb) >= reported_len) {
6916 pinfo->can_desegment = 2;
6917 }
6918
6919 save_fragmented = pinfo->fragmented;
6920
6921 /*
6922 * if we are not offering desegmentation, just try the heuristics
6923 *and bail out
6924 */
6925 if (!pinfo->can_desegment) {
6926 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
6927 tvb, pinfo, top_tree,
6928 &hdtbl_entry, data);
6929 goto clean_up_and_exit;
6930 }
6931
6932 /* below this line, we know we are doing reassembly */
6933
6934 /*
6935 * this is a new packet, see if we are already reassembling this
6936 * pdu and if not, check if the dissector wants us
6937 * to reassemble it
6938 */
6939 if (!pinfo->fd->visited) {
6940 /*
6941 * This is the first pass.
6942 *
6943 * Check if we are already reassembling this PDU or not;
6944 * we check for an in-progress reassembly for this FID
6945 * in this direction, by searching for its reassembly
6946 * structure.
6947 */
6948 fd_head = fragment_get(&smb2_pipe_reassembly_table,
6949 pinfo, id, NULL);
6950 if (!fd_head) {
6951 /*
6952 * No reassembly, so this is a new pdu. check if the
6953 * dissector wants us to reassemble it or if we
6954 * already got the full pdu in this tvb.
6955 */
6956
6957 /*
6958 * Try the heuristic dissectors and see if we
6959 * find someone that recognizes this payload.
6960 */
6961 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
6962 tvb, pinfo, top_tree,
6963 &hdtbl_entry, data);
6964
6965 /* no this didn't look like something we know */
6966 if (!result) {
6967 goto clean_up_and_exit;
6968 }
6969
6970 /* did the subdissector want us to reassemble any
6971 more data ?
6972 */
6973 if (pinfo->desegment_len) {
6974 fragment_add_check(&smb2_pipe_reassembly_table,
6975 tvb, 0, pinfo, id, NULL,
6976 0, reported_len, true);
6977 fragment_set_tot_len(&smb2_pipe_reassembly_table,
6978 pinfo, id, NULL,
6979 pinfo->desegment_len+reported_len);
6980 }
6981 goto clean_up_and_exit;
6982 }
6983
6984 /* OK, we're already doing a reassembly for this FID.
6985 skip to last segment in the existing reassembly structure
6986 and add this fragment there
6987
6988 XXX we might add code here to use any offset values
6989 we might pick up from the Read/Write calls instead of
6990 assuming we always get them in the correct order
6991 */
6992 for (fd_i = fd_head->next; fd_i->next; fd_i = fd_i->next) {}
6993 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
6994 tvb, 0, pinfo, id, NULL,
6995 fd_i->offset+fd_i->len,
6996 reported_len, true);
6997
6998 /* if we completed reassembly */
6999 if (fd_head) {
7000 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
7001 add_new_data_source(pinfo, new_tvb,
7002 "Named Pipe over SMB2");
7003 pinfo->fragmented=false;
7004
7005 tvb = new_tvb;
7006
7007 /* list what segments we have */
7008 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
7009 tree, pinfo, tvb, &frag_tree_item);
7010
7011 /* dissect the full PDU */
7012 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
7013 tvb, pinfo, top_tree,
7014 &hdtbl_entry, data);
7015 }
7016 goto clean_up_and_exit;
7017 }
7018
7019 /*
7020 * This is not the first pass; see if it's in the table of
7021 * reassembled packets.
7022 *
7023 * XXX - we know that several of the arguments aren't going to
7024 * be used, so we pass bogus variables. Can we clean this
7025 * up so that we don't have to distinguish between the first
7026 * pass and subsequent passes?
7027 */
7028 fd_head = fragment_add_check(&smb2_pipe_reassembly_table,
7029 tvb, 0, pinfo, id, NULL, 0, 0, true);
7030 if (!fd_head) {
7031 /* we didn't find it, try any of the heuristic dissectors
7032 and bail out
7033 */
7034 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
7035 tvb, pinfo, top_tree,
7036 &hdtbl_entry, data);
7037 goto clean_up_and_exit;
7038 }
7039 if (!(fd_head->flags&FD_DEFRAGMENTED)) {
7040 /* we don't have a fully reassembled frame */
7041 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
7042 tvb, pinfo, top_tree,
7043 &hdtbl_entry, data);
7044 goto clean_up_and_exit;
7045 }
7046
7047 /* it is reassembled but it was reassembled in a different frame */
7048 if (pinfo->num != fd_head->reassembled_in) {
7049 proto_item *item;
7050 item = proto_tree_add_uint(top_tree, hf_smb2_pipe_reassembled_in,
7051 tvb, 0, 0, fd_head->reassembled_in);
7052 proto_item_set_generated(item);
7053 goto clean_up_and_exit;
7054 }
7055
7056 /* display the reassembled pdu */
7057 new_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
7058 add_new_data_source(pinfo, new_tvb,
7059 "Named Pipe over SMB2");
7060 pinfo->fragmented = false;
7061
7062 tvb = new_tvb;
7063
7064 /* list what segments we have */
7065 show_fragment_tree(fd_head, &smb2_pipe_frag_items,
7066 top_tree, pinfo, tvb, &frag_tree_item);
7067
7068 /* dissect the full PDU */
7069 result = dissector_try_heuristic(smb2_pipe_subdissector_list,
7070 tvb, pinfo, top_tree,
7071 &hdtbl_entry, data);
7072
7073 clean_up_and_exit:
7074 /* clear out the variables */
7075 pinfo->can_desegment=0;
7076 pinfo->desegment_offset = 0;
7077 pinfo->desegment_len = 0;
7078
7079 if (!result) {
7080 call_data_dissector(tvb, pinfo, top_tree);
7081 }
7082
7083 pinfo->fragmented = save_fragmented;
7084
7085 offset += datalen;
7086 return offset;
7087 }
7088
7089 #define SMB2_CHANNEL_NONE 0x00000000
7090 #define SMB2_CHANNEL_RDMA_V1 0x00000001
7091 #define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000002
7092 #define SMB2_CHANNEL_RDMA_TRANSFORM 0x00000003
7093
7094 static const value_string smb2_channel_vals[] = {
7095 { SMB2_CHANNEL_NONE, "None" },
7096 { SMB2_CHANNEL_RDMA_V1, "RDMA V1" },
7097 { SMB2_CHANNEL_RDMA_V1_INVALIDATE, "RDMA V1_INVALIDATE" },
7098 { SMB2_CHANNEL_RDMA_TRANSFORM, "RDMA TRANSFORM" },
7099 { 0, NULL }
7100 };
7101
7102 static void
7103 dissect_smb2_rdma_v1_blob(tvbuff_t *tvb, packet_info *pinfo _U_,
7104 proto_tree *parent_tree, smb2_info_t *si _U_)
7105 {
7106 int offset = 0;
7107 int len;
7108 int i;
7109 int num;
7110 proto_tree *sub_tree;
7111 proto_item *parent_item;
7112
7113 parent_item = proto_tree_get_parent(parent_tree);
7114
7115 len = tvb_reported_length(tvb);
7116
7117 num = len / 16;
7118
7119 if (parent_item) {
7120 proto_item_append_text(parent_item, ": SMBDirect Buffer Descriptor V1: (%d elements)", num);
7121 }
7122
7123 for (i = 0; i < num; i++) {
7124 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 8, ett_smb2_rdma_v1, NULL, "RDMA V1");
7125
7126 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7127 offset += 8;
7128
7129 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_token, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7130 offset += 4;
7131
7132 proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7133 offset += 4;
7134 }
7135 }
7136
7137 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
7138 #define SMB2_WRITE_FLAG_WRITE_UNBUFFERED 0x00000002
7139
7140 static const true_false_string tfs_write_through = {
7141 "Client is asking for WRITE_THROUGH",
7142 "Client is NOT asking for WRITE_THROUGH"
7143 };
7144
7145 static const true_false_string tfs_write_unbuffered = {
7146 "Client is asking for UNBUFFERED write",
7147 "Client is NOT asking for UNBUFFERED write"
7148 };
7149
7150 static int
7151 dissect_smb2_write_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
7152 {
7153 uint16_t dataoffset = 0;
7154 uint32_t data_tvb_len;
7155 offset_length_buffer_t c_olb;
7156 uint32_t channel;
7157 uint32_t length;
7158 uint64_t off;
7159 proto_item *item;
7160 static int * const f_fields[] = {
7161 &hf_smb2_write_flags_write_through,
7162 &hf_smb2_write_flags_write_unbuffered,
7163 NULL
7164 };
7165
7166 /* buffer code */
7167 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
7168
7169 /* data offset */
7170 dataoffset=tvb_get_letohs(tvb,offset);
7171 proto_tree_add_item(tree, hf_smb2_data_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7172 offset += 2;
7173
7174 /* length */
7175 length = tvb_get_letohl(tvb, offset);
7176 proto_tree_add_item(tree, hf_smb2_write_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7177 offset += 4;
7178
7179 /* offset */
7180 off = tvb_get_letoh64(tvb, offset);
7181 if (si->saved) si->saved->file_offset=off;
7182 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7183 offset += 8;
7184
7185 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" PRIu64, length, off);
7186
7187 /* fid hash */
7188 if (si->saved && si->saved->fid_hash) {
7189 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
7190 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
7191 proto_item_set_generated(item);
7192 }
7193
7194 /* fid */
7195 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
7196
7197 /* channel */
7198 channel = tvb_get_letohl(tvb, offset);
7199 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7200 offset += 4;
7201
7202 /* remaining bytes */
7203 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7204 offset += 4;
7205
7206 /* write channel info blob offset/length */
7207 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
7208
7209 /* flags */
7210 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_write_flags, ett_smb2_write_flags, f_fields, ENC_LITTLE_ENDIAN);
7211 offset += 4;
7212
7213 /* the write channel info blob itself */
7214 switch (channel) {
7215 case SMB2_CHANNEL_RDMA_V1:
7216 case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
7217 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
7218 break;
7219 case SMB2_CHANNEL_NONE:
7220 default:
7221 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
7222 break;
7223 }
7224
7225 data_tvb_len=(uint32_t)tvb_captured_length_remaining(tvb, offset);
7226
7227 /* data or namedpipe ?*/
7228 if (length) {
7229 int oldoffset = offset;
7230 smb2_pipe_set_file_id(pinfo, si);
7231 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
7232 if (offset != oldoffset) {
7233 /* managed to dissect pipe data */
7234 goto out;
7235 }
7236 }
7237
7238 /* just ordinary data */
7239 proto_tree_add_item(tree, hf_smb2_write_data, tvb, offset, length, ENC_NA);
7240
7241 offset += MIN(length,(uint32_t)tvb_captured_length_remaining(tvb, offset));
7242
7243 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
7244
7245 out:
7246 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == length)) {
7247 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
7248 feed_eo_smb2(tvb,pinfo,si,dataoffset,length,off);
7249 }
7250 }
7251
7252 return offset;
7253 }
7254
7255
7256 static int
7257 dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
7258 {
7259 bool continue_dissection;
7260 proto_item *item;
7261
7262 switch (si->status) {
7263 /* buffer code */
7264 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
7265 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
7266 if (!continue_dissection) return offset;
7267 }
7268
7269 /* reserved */
7270 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
7271 offset += 2;
7272
7273 /* fid hash */
7274 if (si->saved && si->saved->fid_hash) {
7275 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
7276 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
7277 proto_item_set_generated(item);
7278 }
7279
7280 /* count */
7281 proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7282 offset += 4;
7283
7284 /* remaining, must be set to 0 */
7285 proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7286 offset += 4;
7287
7288 /* write channel info offset */
7289 proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7290 offset += 2;
7291
7292 /* write channel info length */
7293 proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7294 offset += 2;
7295
7296 return offset;
7297 }
7298
7299 /* The STORAGE_OFFLOAD_TOKEN is used for "Offload Data Transfer" (ODX) operations,
7300 including FSCTL_OFFLOAD_READ, FSCTL_OFFLOAD_WRITE. Ref: MS-FSCC 2.3.79
7301 Note: Unlike most of SMB2, the token fields are BIG-endian! */
7302 static int
7303 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
7304 {
7305 proto_tree *sub_tree;
7306 proto_item *sub_item;
7307 uint32_t idlen = 0;
7308 uint32_t idtype = 0;
7309
7310 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 512, ett_smb2_fsctl_odx_token, &sub_item, "Token");
7311
7312 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_type, tvb, offset, 4, ENC_BIG_ENDIAN, &idtype);
7313 offset += 4;
7314
7315 proto_item_append_text(sub_item, " (IdType 0x%x)", idtype);
7316
7317 /* reserved */
7318 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
7319 offset += 2;
7320
7321 /* TokenIdLength */
7322 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_fsctl_odx_token_idlen, tvb, offset, 2, ENC_BIG_ENDIAN, &idlen);
7323 offset += 2;
7324
7325 /* idlen is what the server says is the "meaningful" part of the token.
7326 However, token ID is always 504 bytes */
7327 proto_tree_add_bytes_format_value(sub_tree, hf_smb2_fsctl_odx_token_idraw, tvb,
7328 offset, idlen, NULL, "Opaque Data");
7329 offset += 504;
7330
7331 return (offset);
7332 }
7333
7334 /* MS-FSCC 2.3.77, 2.3.78 */
7335 static void
7336 dissect_smb2_FSCTL_OFFLOAD_READ(tvbuff_t *tvb,
7337 packet_info *pinfo _U_,
7338 proto_tree *tree,
7339 int offset,
7340 bool in)
7341 {
7342 proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7343 offset += 4;
7344
7345 proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7346 offset += 4;
7347
7348 if (in) {
7349 proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7350 offset += 4;
7351
7352 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
7353 offset += 4;
7354
7355 proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7356 offset += 8;
7357
7358 proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7359 /* offset += 8; */
7360 } else {
7361 proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7362 offset += 8;
7363
7364 (void) dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
7365 }
7366 }
7367
7368 /* MS-FSCC 2.3.80, 2.3.81 */
7369 static void
7370 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvbuff_t *tvb,
7371 packet_info *pinfo _U_,
7372 proto_tree *tree,
7373 int offset,
7374 bool in)
7375 {
7376 proto_tree_add_item(tree, hf_smb2_fsctl_odx_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7377 offset += 4;
7378
7379 proto_tree_add_item(tree, hf_smb2_fsctl_odx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7380 offset += 4;
7381
7382 if (in) {
7383 proto_tree_add_item(tree, hf_smb2_fsctl_odx_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7384 offset += 8;
7385
7386 proto_tree_add_item(tree, hf_smb2_fsctl_odx_copy_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7387 offset += 8;
7388
7389 proto_tree_add_item(tree, hf_smb2_fsctl_odx_token_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7390 offset += 8;
7391
7392 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb, pinfo, tree, offset);
7393
7394 } else {
7395 proto_tree_add_item(tree, hf_smb2_fsctl_odx_xfer_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7396 /* offset += 8; */
7397 }
7398 }
7399
7400 static void
7401 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, bool data_in _U_, void *data)
7402 {
7403 dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, tvb_captured_length_remaining(tvb, offset), top_tree, data);
7404 }
7405
7406 static void
7407 dissect_smb2_FSCTL_PIPE_WAIT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, proto_tree *top_tree, bool data_in _U_)
7408 {
7409 int timeout_offset;
7410 uint32_t name_len;
7411 uint8_t timeout_specified;
7412 char *display_string;
7413
7414 /* Timeout */
7415 timeout_offset = offset;
7416 offset += 8;
7417
7418 /* Name length */
7419 /* XXX - put the name length into the tree */
7420 name_len = tvb_get_letohl(tvb, offset);
7421 offset += 4;
7422
7423 /* Timeout specified */
7424 timeout_specified = tvb_get_uint8(tvb, offset);
7425 if (timeout_specified) {
7426 proto_tree_add_item(top_tree, hf_smb2_fsctl_pipe_wait_timeout,
7427 tvb, timeout_offset, 8, ENC_LITTLE_ENDIAN);
7428 }
7429 offset += 1;
7430
7431 /* Padding */
7432 offset += 1;
7433
7434 /* Name */
7435 proto_tree_add_item_ret_display_string(top_tree, hf_smb2_fsctl_pipe_wait_name,
7436 tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
7437 pinfo->pool, &display_string);
7438
7439 col_append_fstr(pinfo->cinfo, COL_INFO, " Pipe: %s", display_string);
7440 }
7441
7442 static int
7443 dissect_smb2_FSCTL_SET_SPARSE(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
7444 {
7445
7446 /* There is no out data */
7447 if (!data_in) {
7448 return offset;
7449 }
7450
7451 /* sparse flag (optional) */
7452 if (tvb_reported_length_remaining(tvb, offset) >= 1) {
7453 proto_tree_add_item(tree, hf_smb2_fsctl_sparse_flag, tvb, offset, 1, ENC_NA);
7454 offset += 1;
7455 }
7456
7457 return offset;
7458 }
7459
7460 static int
7461 dissect_smb2_FSCTL_SET_ZERO_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
7462 {
7463 proto_tree *sub_tree;
7464 proto_item *sub_item;
7465
7466 /* There is no out data */
7467 if (!data_in) {
7468 return offset;
7469 }
7470
7471 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
7472
7473 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7474 offset += 8;
7475
7476 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7477 offset += 8;
7478
7479 return offset;
7480 }
7481
7482 static void
7483 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, bool data_in)
7484 {
7485 proto_tree *sub_tree;
7486 proto_item *sub_item;
7487
7488 if (data_in) {
7489 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
7490
7491 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7492 offset += 8;
7493
7494 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7495 offset += 8;
7496 } else {
7497 /* Zero or more allocated ranges may be reported. */
7498 while (tvb_reported_length_remaining(tvb, offset) >= 16) {
7499
7500 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &sub_item, "Range");
7501
7502 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7503 offset += 8;
7504
7505 proto_tree_add_item(sub_tree, hf_smb2_fsctl_range_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7506 offset += 8;
7507 }
7508 }
7509 }
7510
7511
7512 static void
7513 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, bool data_in)
7514 {
7515
7516 if (data_in) {
7517 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7518 offset += 8;
7519
7520 proto_tree_add_item(tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7521 offset += 8;
7522
7523 proto_tree_add_item(tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7524 offset += 4;
7525
7526 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
7527 offset += 4;
7528 } else {
7529 uint32_t entry_count = 0;
7530
7531 proto_tree_add_item(tree, hf_smb2_qfr_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7532 offset += 4;
7533
7534 proto_tree_add_item(tree, hf_smb2_qfr_total_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7535 offset += 4;
7536
7537 proto_tree_add_item_ret_uint(tree, hf_smb2_qfr_region_entry_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &entry_count);
7538 offset += 4;
7539
7540 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
7541 offset += 4;
7542
7543 while (entry_count && tvb_reported_length_remaining(tvb, offset)) {
7544 proto_tree *sub_tree;
7545 proto_item *sub_item;
7546
7547 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_qfr_entry, &sub_item, "Entry");
7548
7549 proto_tree_add_item(sub_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7550 offset += 8;
7551
7552 proto_tree_add_item(sub_tree, hf_smb2_qfr_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7553 offset += 8;
7554
7555 proto_tree_add_item(sub_tree, hf_smb2_qfr_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7556 offset += 4;
7557
7558 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
7559 offset += 4;
7560
7561 entry_count--;
7562 }
7563 }
7564 }
7565
7566 static void
7567 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
7568 {
7569 /* There is no out data */
7570 if (!data_in) {
7571 return;
7572 }
7573
7574 /* timeout */
7575 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7576 offset += 4;
7577
7578 /* reserved */
7579 proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7580 }
7581
7582 static void
7583 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
7584 {
7585 /* There is no in data */
7586 if (data_in) {
7587 return;
7588 }
7589
7590 proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_support, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7591 offset += 4;
7592
7593 proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_handle_state, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7594 }
7595
7596 #define STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID 0x00000001
7597 #define STORAGE_QOS_CONTROL_FLAG_SET_POLICY 0x00000002
7598 #define STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY 0x00000004
7599 #define STORAGE_QOS_CONTROL_FLAG_GET_STATUS 0x00000008
7600 #define STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS 0x00000010
7601
7602 static const value_string smb2_ioctl_sqos_protocol_version_vals[] = {
7603 { 0x0100, "Storage QoS Protocol Version 1.0" },
7604 { 0x0101, "Storage QoS Protocol Version 1.1" },
7605 { 0, NULL }
7606 };
7607
7608 static const value_string smb2_ioctl_sqos_status_vals[] = {
7609 { 0x00, "StorageQoSStatusOk" },
7610 { 0x01, "StorageQoSStatusInsufficientThroughput" },
7611 { 0x02, "StorageQoSUnknownPolicyId" },
7612 { 0x04, "StorageQoSStatusConfigurationMismatch" },
7613 { 0x05, "StorageQoSStatusNotAvailable" },
7614 { 0, NULL }
7615 };
7616
7617 static void
7618 dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, bool data_in)
7619 {
7620 static int * const operations[] = {
7621 &hf_smb2_ioctl_sqos_op_set_logical_flow_id,
7622 &hf_smb2_ioctl_sqos_op_set_policy,
7623 &hf_smb2_ioctl_sqos_op_probe_policy,
7624 &hf_smb2_ioctl_sqos_op_get_status,
7625 &hf_smb2_ioctl_sqos_op_update_counters,
7626 NULL
7627 };
7628
7629 int proto_ver;
7630
7631 /* Both request and reply have the same common header */
7632
7633 proto_ver = tvb_get_letohs(tvb, offset);
7634 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_protocol_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7635 offset += 2;
7636
7637 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7638 offset += 2;
7639
7640 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_ioctl_sqos_options,
7641 ett_smb2_ioctl_sqos_opeations, operations, ENC_LITTLE_ENDIAN);
7642 offset += 4;
7643
7644 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_logical_flow_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7645 offset += 16;
7646
7647 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_policy_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7648 offset += 16;
7649
7650 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_initiator_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7651 offset += 16;
7652
7653 if (data_in) {
7654 offset_length_buffer_t host_olb, node_olb;
7655
7656 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7657 offset += 8;
7658
7659 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reservation, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7660 offset += 8;
7661
7662 offset = dissect_smb2_olb_length_offset(tvb, offset, &host_olb, OLB_O_UINT16_S_UINT16, hf_smb2_ioctl_sqos_initiator_name);
7663
7664 offset = dissect_smb2_olb_length_offset(tvb, offset, &node_olb, OLB_O_UINT16_S_UINT16, hf_smb2_ioctl_sqos_initiator_node_name);
7665
7666 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_io_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7667 offset += 8;
7668
7669 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_normalized_io_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7670 offset += 8;
7671
7672 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_latency_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7673 offset += 8;
7674
7675 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_lower_latency_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7676 offset += 8;
7677
7678 if (proto_ver > 0x0100) {
7679 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_bandwidth_limit, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7680 offset += 8;
7681
7682 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_kilobyte_count_increment, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7683 /*offset += 8;*/
7684 }
7685
7686 dissect_smb2_olb_string(pinfo, tree, tvb, &host_olb, OLB_TYPE_UNICODE_STRING);
7687
7688 dissect_smb2_olb_string(pinfo, tree, tvb, &node_olb, OLB_TYPE_UNICODE_STRING);
7689 } else {
7690 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_time_to_live, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7691 offset += 4;
7692
7693 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7694 offset += 4;
7695
7696 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_maximum_io_rate, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7697 offset += 8;
7698
7699 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_minimum_io_rate, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7700 offset += 8;
7701
7702 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_base_io_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7703 offset += 4;
7704
7705 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7706
7707 if (proto_ver > 0x0100) {
7708 offset += 4;
7709 proto_tree_add_item(tree, hf_smb2_ioctl_sqos_maximum_bandwidth, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7710 }
7711 }
7712 }
7713
7714 static int
7715 dissect_windows_sockaddr_in(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
7716 {
7717 proto_item *sub_item;
7718 proto_tree *sub_tree;
7719 proto_item *parent_item;
7720
7721 if (len == -1) {
7722 len = 8;
7723 }
7724
7725 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
7726 parent_item = proto_tree_get_parent(parent_tree);
7727
7728 /* family */
7729 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7730 offset += 2;
7731
7732 /* port */
7733 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7734 offset += 2;
7735
7736 /* IPv4 address */
7737 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in_addr, tvb, offset, 4, ENC_BIG_ENDIAN);
7738 proto_item_append_text(sub_item, ", IPv4: %s", tvb_ip_to_str(pinfo->pool, tvb, offset));
7739 proto_item_append_text(parent_item, ", IPv4: %s", tvb_ip_to_str(pinfo->pool, tvb, offset));
7740 offset += 4;
7741 return offset;
7742 }
7743
7744 static int
7745 dissect_windows_sockaddr_in6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, int len)
7746 {
7747 proto_item *sub_item;
7748 proto_tree *sub_tree;
7749 proto_item *parent_item;
7750
7751 if (len == -1) {
7752 len = 26;
7753 }
7754
7755 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
7756 parent_item = proto_tree_get_parent(parent_tree);
7757
7758 /* family */
7759 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7760 offset += 2;
7761
7762 /* port */
7763 proto_tree_add_item(sub_tree, hf_windows_sockaddr_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7764 offset += 2;
7765
7766 /* sin6_flowinfo */
7767 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_flowinfo, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7768 offset += 4;
7769
7770 /* IPv6 address */
7771 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_addr, tvb, offset, 16, ENC_NA);
7772 proto_item_append_text(sub_item, ", IPv6: %s", tvb_ip6_to_str(pinfo->pool, tvb, offset));
7773 proto_item_append_text(parent_item, ", IPv6: %s", tvb_ip6_to_str(pinfo->pool, tvb, offset));
7774 offset += 16;
7775
7776 /* sin6_scope_id */
7777 proto_tree_add_item(sub_tree, hf_windows_sockaddr_in6_scope_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7778 offset += 2;
7779
7780 return offset;
7781 }
7782
7783 static int
7784 dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int len)
7785 {
7786 proto_item *sub_item;
7787 proto_tree *sub_tree;
7788 proto_item *parent_item;
7789 uint16_t family;
7790
7791 family = tvb_get_letohs(tvb, offset);
7792 switch (family) {
7793 case WINSOCK_AF_INET:
7794 return dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
7795 case WINSOCK_AF_INET6:
7796 return dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
7797 }
7798
7799 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
7800 parent_item = proto_tree_get_parent(parent_tree);
7801
7802 /* ss_family */
7803 proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7804 proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
7805 proto_item_append_text(parent_item, ", Family: %d (0x%04x)", family, family);
7806 return offset + len;
7807 }
7808
7809 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
7810 #define NETWORK_INTERFACE_CAP_RDMA 0x00000002
7811
7812 static void
7813 // NOLINTNEXTLINE(misc-no-recursion)
7814 dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
7815 {
7816 uint32_t next_offset;
7817 int offset = 0;
7818 int len = -1;
7819 proto_item *sub_item;
7820 proto_tree *sub_tree;
7821 proto_item *item;
7822 uint32_t capabilities;
7823 uint64_t link_speed;
7824 float val = 0;
7825 const char *unit = NULL;
7826 static int * const capability_flags[] = {
7827 &hf_smb2_ioctl_network_interface_capability_rdma,
7828 &hf_smb2_ioctl_network_interface_capability_rss,
7829 NULL
7830 };
7831
7832 next_offset = tvb_get_letohl(tvb, offset);
7833 if (next_offset) {
7834 len = next_offset;
7835 }
7836
7837 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_ioctl_network_interface, &sub_item, "Network Interface");
7838 item = proto_tree_get_parent(parent_tree);
7839
7840 /* next offset */
7841 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7842 offset += 4;
7843
7844 /* interface index */
7845 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7846 offset += 4;
7847
7848 /* capabilities */
7849 capabilities = tvb_get_letohl(tvb, offset);
7850 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_ioctl_network_interface_capabilities, ett_smb2_ioctl_network_interface_capabilities, capability_flags, ENC_LITTLE_ENDIAN);
7851
7852 if (capabilities != 0) {
7853 proto_item_append_text(item, "%s%s",
7854 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
7855 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
7856 proto_item_append_text(sub_item, "%s%s",
7857 (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
7858 (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
7859 }
7860 offset += 4;
7861
7862 /* reserved (was rss queue count for release 38 and 39) */
7863 proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
7864 offset += 4;
7865
7866 /* link speed */
7867 link_speed = tvb_get_letoh64(tvb, offset);
7868 item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
7869 if (link_speed >= (1000*1000*1000)) {
7870 val = (float)(link_speed / (1000*1000*1000));
7871 unit = "G";
7872 } else if (link_speed >= (1000*1000)) {
7873 val = (float)(link_speed / (1000*1000));
7874 unit = "M";
7875 } else if (link_speed >= (1000)) {
7876 val = (float)(link_speed / (1000));
7877 unit = "K";
7878 } else {
7879 val = (float)(link_speed);
7880 unit = "";
7881 }
7882 proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
7883 proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);
7884
7885 offset += 8;
7886
7887 /* socket address */
7888 dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset, -1);
7889
7890 if (next_offset) {
7891 tvbuff_t *next_tvb;
7892 next_tvb = tvb_new_subset_remaining(tvb, next_offset);
7893
7894 /* next extra info */
7895 increment_dissection_depth(pinfo);
7896 dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
7897 decrement_dissection_depth(pinfo);
7898 }
7899 }
7900
7901 static void
7902 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, bool data_in)
7903 {
7904 /* There is no in data */
7905 if (data_in) {
7906 return;
7907 }
7908
7909 dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
7910 }
7911
7912 static void
7913 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, bool data_in)
7914 {
7915 /*
7916 * This is only used by Windows 8 beta
7917 */
7918 if (data_in) {
7919 /* capabilities */
7920 offset = dissect_smb2_capabilities(tree, tvb, offset);
7921
7922 /* client guid */
7923 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7924 offset += 16;
7925
7926 /* security mode, skip second byte */
7927 offset = dissect_smb2_secmode(tree, tvb, offset);
7928 offset++;
7929
7930 /* dialect */
7931 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7932 offset += 2;
7933 } else {
7934 /* capabilities */
7935 offset = dissect_smb2_capabilities(tree, tvb, offset);
7936
7937 /* server guid */
7938 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7939 offset += 16;
7940
7941 /* security mode, skip second byte */
7942 offset = dissect_smb2_secmode(tree, tvb, offset);
7943 offset++;
7944
7945 /* dialect */
7946 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7947 offset += 2;
7948 }
7949 }
7950
7951 static void
7952 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, bool data_in)
7953 {
7954 if (data_in) {
7955 uint16_t dc;
7956
7957 /* capabilities */
7958 offset = dissect_smb2_capabilities(tree, tvb, offset);
7959
7960 /* client guid */
7961 proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7962 offset += 16;
7963
7964 /* security mode, skip second byte */
7965 offset = dissect_smb2_secmode(tree, tvb, offset);
7966 offset++;
7967
7968 /* dialect count */
7969 dc = tvb_get_letohs(tvb, offset);
7970 proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7971 offset += 2;
7972
7973 for ( ; dc>0; dc--) {
7974 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7975 offset += 2;
7976 }
7977 } else {
7978 /* capabilities */
7979 offset = dissect_smb2_capabilities(tree, tvb, offset);
7980
7981 /* server guid */
7982 proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
7983 offset += 16;
7984
7985 /* security mode, skip second byte */
7986 offset = dissect_smb2_secmode(tree, tvb, offset);
7987 offset++;
7988
7989 /* dialect */
7990 proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
7991 offset += 2;
7992 }
7993 }
7994
7995 static void
7996 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
7997 {
7998 uint32_t num_snapshots;
7999
8000 /* There is no in data */
8001 if (data_in) {
8002 return;
8003 }
8004
8005 /* NumberOfSnapShots */
8006 proto_tree_add_item(tree, hf_smb2_ioctl_enumerate_snapshots_num_snapshots, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8007 offset += 4;
8008
8009 /* NumberOfSnapshotsReturned */
8010 proto_tree_add_item_ret_uint(tree, hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned, tvb, offset, 4, ENC_LITTLE_ENDIAN, &num_snapshots);
8011 offset += 4;
8012
8013 /* SnapShotArraySize */
8014 proto_tree_add_item(tree, hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8015 offset += 4;
8016
8017 while (num_snapshots--) {
8018 int len;
8019 int old_offset = offset;
8020
8021 proto_tree_add_item_ret_length(tree, hf_smb2_ioctl_enumerate_snapshots_snapshot,
8022 tvb, offset, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN, &len);
8023
8024 offset = old_offset+len;
8025 }
8026 }
8027
8028 int
8029 dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
8030 {
8031 proto_item *item = NULL;
8032 proto_tree *tree = NULL;
8033
8034 /* FILE_OBJECTID_BUFFER */
8035 if (parent_tree) {
8036 item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
8037 tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
8038 }
8039
8040 /* Object ID */
8041 proto_tree_add_item(tree, hf_smb2_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8042 offset += 16;
8043
8044 /* Birth Volume ID */
8045 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8046 offset += 16;
8047
8048 /* Birth Object ID */
8049 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8050 offset += 16;
8051
8052 /* Domain ID */
8053 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8054 offset += 16;
8055
8056 return offset;
8057 }
8058
8059 static int
8060 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8061 {
8062
8063 /* There is no in data */
8064 if (data_in) {
8065 return offset;
8066 }
8067
8068 /* FILE_OBJECTID_BUFFER */
8069 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
8070
8071 return offset;
8072 }
8073
8074 static int
8075 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8076 {
8077
8078 /* There is no in data */
8079 if (data_in) {
8080 return offset;
8081 }
8082
8083 /* compression format */
8084 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8085 offset += 2;
8086
8087 return offset;
8088 }
8089
8090 static int
8091 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8092 {
8093
8094 /* There is no out data */
8095 if (!data_in) {
8096 return offset;
8097 }
8098
8099 /* compression format */
8100 proto_tree_add_item(tree, hf_smb2_compression_format, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8101 offset += 2;
8102
8103 return offset;
8104 }
8105
8106 static int
8107 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8108 {
8109 static int * const integrity_flags[] = {
8110 &hf_smb2_integrity_flags_enforcement_off,
8111 NULL
8112 };
8113
8114 /* There is no out data */
8115 if (!data_in) {
8116 return offset;
8117 }
8118
8119 proto_tree_add_item(tree, hf_smb2_checksum_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8120 offset += 2;
8121
8122 proto_tree_add_item(tree, hf_smb2_integrity_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8123 offset += 2;
8124
8125 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_integrity_flags, ett_smb2_integrity_flags, integrity_flags, ENC_LITTLE_ENDIAN);
8126 offset += 4;
8127
8128 return offset;
8129 }
8130
8131 static int
8132 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION_EX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8133 {
8134 static int * const integrity_flags[] = {
8135 &hf_smb2_integrity_flags_enforcement_off,
8136 NULL
8137 };
8138
8139 if (!data_in) {
8140 return offset;
8141 }
8142
8143 proto_tree_add_item(tree, hf_smb2_fsctl_infoex_enable_integrity, tvb, offset, 1, ENC_LITTLE_ENDIAN);
8144 offset += 1;
8145
8146 proto_tree_add_item(tree, hf_smb2_fsctl_infoex_keep_integrity_state, tvb, offset, 1, ENC_LITTLE_ENDIAN);
8147 offset += 1;
8148
8149 proto_tree_add_item(tree, hf_smb2_fsctl_infoex_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8150 offset += 2;
8151
8152 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_fsctl_infoex_flags, ett_smb2_integrity_flags, integrity_flags, ENC_LITTLE_ENDIAN);
8153 offset += 4;
8154
8155 proto_tree_add_item(tree, hf_smb2_fsctl_infoex_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
8156 offset += 1;
8157
8158 proto_tree_add_item(tree, hf_smb2_fsctl_infoex_reserved2, tvb, offset, 7, ENC_LITTLE_ENDIAN);
8159 offset += 7;
8160
8161 return offset;
8162 }
8163
8164 static int
8165 dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT_Query_Delta(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
8166 {
8167 proto_tree *sub_tree;
8168
8169 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_fscc_refs_snapshot_query_delta_buffer, NULL, "Query Delta Buffer");
8170
8171 proto_tree_add_item(sub_tree, hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8172 offset += 8;
8173
8174 proto_tree_add_item(sub_tree, hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8175 offset += 4;
8176
8177 proto_tree_add_item(sub_tree, hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8178 offset += 4;
8179
8180 return offset;
8181 }
8182
8183 static int
8184 dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, bool data_in)
8185 {
8186 uint32_t operation;
8187 uint32_t name_len;
8188 uint32_t input_buffer_len;
8189
8190 /* There is no in data */
8191 if (!data_in) {
8192 return offset;
8193 }
8194
8195 proto_tree_add_item_ret_uint(tree, hf_smb2_fscc_refs_snapshot_mgmt_operation, tvb, offset, 4, ENC_LITTLE_ENDIAN, &operation);
8196 offset += 4;
8197
8198 proto_tree_add_item_ret_uint(tree, hf_smb2_fscc_refs_snapshot_mgmt_namelen, tvb, offset, 2, ENC_LITTLE_ENDIAN, &name_len);
8199 offset += 2;
8200
8201 proto_tree_add_item_ret_uint(tree, hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len, tvb, offset, 2, ENC_LITTLE_ENDIAN, &input_buffer_len);
8202 offset += 2;
8203
8204 proto_tree_add_item(tree, hf_smb2_fscc_refs_snapshot_mgmt_reserved, tvb, offset, 16, ENC_NA);
8205 offset += 16;
8206
8207 if (name_len) {
8208 proto_tree_add_item(tree, hf_smb2_fscc_refs_snapshot_mgmt_name, tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
8209 offset += name_len;
8210 }
8211
8212 if (operation == REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS) {
8213 offset += dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT_Query_Delta(tvb, pinfo, tree, offset);
8214 }
8215
8216 return offset;
8217 }
8218
8219 static int
8220 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8221 {
8222
8223 /* There is no out data */
8224 if (!data_in) {
8225 return offset;
8226 }
8227
8228 /* FILE_OBJECTID_BUFFER */
8229 offset = dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
8230
8231 return offset;
8232 }
8233
8234 static int
8235 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8236 {
8237
8238 /* There is no out data */
8239 if (!data_in) {
8240 return offset;
8241 }
8242
8243 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
8244
8245 /* Birth Volume ID */
8246 proto_tree_add_item(tree, hf_smb2_birth_volume_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8247 offset += 16;
8248
8249 /* Birth Object ID */
8250 proto_tree_add_item(tree, hf_smb2_birth_object_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8251 offset += 16;
8252
8253 /* Domain ID */
8254 proto_tree_add_item(tree, hf_smb2_domain_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
8255 offset += 16;
8256
8257 return offset;
8258 }
8259
8260 static int
8261 dissect_smb2_cchunk_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
8262 {
8263
8264 proto_tree_add_bytes_format_value(tree, hf_smb2_cchunk_resume_key, tvb,
8265 offset, 24, NULL, "Opaque Data");
8266 offset += 24;
8267
8268 return (offset);
8269 }
8270
8271 static void
8272 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8273 {
8274
8275 /* There is no in data */
8276 if (data_in) {
8277 return;
8278 }
8279
8280 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
8281
8282 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8283 }
8284
8285 static void
8286 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8287 {
8288 proto_tree *sub_tree;
8289 proto_item *sub_item;
8290 uint32_t chunk_count = 0;
8291
8292 /* Output is simpler - handle that first. */
8293 if (!data_in) {
8294 proto_tree_add_item(tree, hf_smb2_cchunk_chunks_written, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8295 proto_tree_add_item(tree, hf_smb2_cchunk_bytes_written, tvb, offset+4, 4, ENC_LITTLE_ENDIAN);
8296 proto_tree_add_item(tree, hf_smb2_cchunk_total_written, tvb, offset+8, 4, ENC_LITTLE_ENDIAN);
8297 return;
8298 }
8299
8300 /* Input data, fixed part */
8301 offset = dissect_smb2_cchunk_RESUME_KEY(tvb, pinfo, tree, offset);
8302 proto_tree_add_item_ret_uint(tree, hf_smb2_cchunk_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &chunk_count);
8303 offset += 4;
8304
8305 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8306 offset += 4;
8307
8308 /* Zero or more allocated ranges may be reported. */
8309 while (chunk_count && tvb_reported_length_remaining(tvb, offset) >= 24) {
8310 sub_tree = proto_tree_add_subtree(tree, tvb, offset, 24, ett_smb2_cchunk_entry, &sub_item, "Chunk");
8311
8312 proto_tree_add_item(sub_tree, hf_smb2_cchunk_src_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8313 offset += 8;
8314
8315 proto_tree_add_item(sub_tree, hf_smb2_cchunk_dst_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8316 offset += 8;
8317
8318 proto_tree_add_item(sub_tree, hf_smb2_cchunk_xfer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8319 offset += 4;
8320
8321 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8322 offset += 4;
8323
8324 chunk_count--;
8325 }
8326 }
8327
8328 static void
8329 dissect_smb2_reparse_nfs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, uint32_t length)
8330 {
8331 uint64_t type;
8332 int symlink_length;
8333
8334 type = tvb_get_letoh64(tvb, offset);
8335 proto_tree_add_item(tree, hf_smb2_nfs_type, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8336 offset += 8;
8337
8338 switch (type) {
8339 case NFS_SPECFILE_LNK:
8340 /*
8341 * According to [MS-FSCC] 2.1.2.6 "length" contains
8342 * the 8-byte type plus the symlink target in Unicode
8343 * non-NULL terminated.
8344 */
8345 if (length < 8) {
8346 THROW(ReportedBoundsError);
8347 }
8348 symlink_length = length - 8;
8349 proto_tree_add_item(tree, hf_smb2_nfs_symlink_target, tvb, offset,
8350 symlink_length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
8351 break;
8352 case NFS_SPECFILE_CHR:
8353 proto_tree_add_item(tree, hf_smb2_nfs_chr_major, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8354 offset += 4;
8355 proto_tree_add_item(tree, hf_smb2_nfs_chr_minor, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8356 break;
8357 case NFS_SPECFILE_BLK:
8358 proto_tree_add_item(tree, hf_smb2_nfs_blk_major, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8359 offset += 4;
8360 proto_tree_add_item(tree, hf_smb2_nfs_blk_minor, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8361 break;
8362 case NFS_SPECFILE_FIFO:
8363 case NFS_SPECFILE_SOCK:
8364 /* no data */
8365 break;
8366 }
8367 }
8368
8369 static void
8370 dissect_smb2_FSCTL_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
8371 {
8372 proto_item *item = NULL;
8373 proto_tree *tree = NULL;
8374
8375 uint32_t tag;
8376 uint32_t length;
8377 offset_length_buffer_t s_olb, p_olb;
8378
8379 /* REPARSE_DATA_BUFFER */
8380 if (parent_tree) {
8381 item = proto_tree_add_item(parent_tree, hf_smb2_reparse_data_buffer, tvb, offset, -1, ENC_NA);
8382 tree = proto_item_add_subtree(item, ett_smb2_reparse_data_buffer);
8383 }
8384
8385 /* reparse tag */
8386 tag = tvb_get_letohl(tvb, offset);
8387 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8388 offset += 4;
8389
8390 /* reparse data length */
8391 length = tvb_get_letohs(tvb, offset);
8392 proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
8393 offset += 2;
8394
8395 /* reserved */
8396 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8397 offset += 2;
8398
8399 if (!(tag & 0x80000000)) {
8400 /* if high bit is not set, this buffer has a GUID field */
8401 /* reparse guid */
8402 proto_tree_add_item(tree, hf_smb2_reparse_guid, tvb, offset, 16, ENC_NA);
8403 offset += 16;
8404 }
8405
8406 switch (tag) {
8407 case REPARSE_TAG_SYMLINK:
8408 /* substitute name offset/length */
8409 offset = dissect_smb2_olb_length_offset(tvb, offset, &s_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);
8410
8411 /* print name offset/length */
8412 offset = dissect_smb2_olb_length_offset(tvb, offset, &p_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);
8413
8414 /* flags */
8415 proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8416 offset += 4;
8417
8418 /* substitute name string */
8419 dissect_smb2_olb_off_string(pinfo, tree, tvb, &s_olb, offset, OLB_TYPE_UNICODE_STRING);
8420
8421 /* print name string */
8422 dissect_smb2_olb_off_string(pinfo, tree, tvb, &p_olb, offset, OLB_TYPE_UNICODE_STRING);
8423 break;
8424 case REPARSE_TAG_NFS:
8425 dissect_smb2_reparse_nfs(tvb, pinfo, tree, offset, length);
8426 break;
8427 default:
8428 proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, length, ENC_NA);
8429 }
8430 }
8431
8432 static void
8433 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, bool data_in)
8434 {
8435 if (!data_in) {
8436 return;
8437 }
8438
8439 dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
8440 }
8441
8442 static void
8443 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, bool data_in)
8444 {
8445 if (data_in) {
8446 return;
8447 }
8448
8449 dissect_smb2_FSCTL_REPARSE_POINT(tvb, pinfo, parent_tree, offset);
8450 }
8451
8452 static void
8453 dissect_smb2_FSCTL_GET_NTFS_VOLUME_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
8454 {
8455 /* There is no in data */
8456 if (data_in) {
8457 return;
8458 }
8459
8460 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_volume_serial, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8461 offset += 8;
8462
8463 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_num_sectors, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8464 offset += 8;
8465
8466 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_total_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8467 offset += 8;
8468
8469 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_free_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8470 offset += 8;
8471
8472 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_total_reserved, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8473 offset += 8;
8474
8475 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8476 offset += 4;
8477
8478 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8479 offset += 4;
8480
8481 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8482 offset += 4;
8483
8484 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8485 offset += 4;
8486
8487 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8488 offset += 8;
8489
8490 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8491 offset += 8;
8492
8493 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8494 offset += 8;
8495
8496 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8497 offset += 8;
8498
8499 proto_tree_add_item(tree, hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8500 }
8501
8502 void
8503 dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, uint32_t ioctl_function, bool data_in, void *private_data _U_)
8504 {
8505 uint16_t dc;
8506
8507 dc = tvb_reported_length(tvb);
8508
8509 switch (ioctl_function) {
8510 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
8511 if (data_in) {
8512 dissect_get_dfs_request_data(tvb, pinfo, tree, 0, &dc, true);
8513 } else {
8514 dissect_get_dfs_referral_data(tvb, pinfo, tree, 0, &dc, true);
8515 }
8516 break;
8517 case 0x000940CF: /* FSCTL_QUERY_ALLOCATED_RANGES */
8518 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvb, pinfo, tree, 0, data_in);
8519 break;
8520 case 0x00094264: /* FSCTL_OFFLOAD_READ */
8521 dissect_smb2_FSCTL_OFFLOAD_READ(tvb, pinfo, tree, 0, data_in);
8522 break;
8523 case 0x00098268: /* FSCTL_OFFLOAD_WRITE */
8524 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvb, pinfo, tree, 0, data_in);
8525 break;
8526 case 0x0011c017: /* FSCTL_PIPE_TRANSCEIVE */
8527 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb, pinfo, tree, 0, top_tree, data_in, private_data);
8528 break;
8529 case 0x00110018: /* FSCTL_PIPE_WAIT */
8530 dissect_smb2_FSCTL_PIPE_WAIT(tvb, pinfo, tree, 0, top_tree, data_in);
8531 break;
8532 case 0x00140078: /* FSCTL_SRV_REQUEST_RESUME_KEY */
8533 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvb, pinfo, tree, 0, data_in);
8534 break;
8535 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
8536 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb, pinfo, tree, 0, data_in);
8537 break;
8538 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
8539 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb, pinfo, tree, 0, data_in);
8540 break;
8541 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
8542 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb, pinfo, tree, 0, data_in);
8543 break;
8544 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
8545 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb, pinfo, tree, 0, data_in);
8546 break;
8547 case 0x00144064: /* FSCTL_SRV_ENUMERATE_SNAPSHOTS */
8548 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvb, pinfo, tree, 0, data_in);
8549 break;
8550 case 0x001440F2: /* FSCTL_SRV_COPYCHUNK */
8551 case 0x001480F2: /* FSCTL_SRV_COPYCHUNK_WRITE */
8552 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvb, pinfo, tree, 0, data_in);
8553 break;
8554 case 0x000900A4: /* FSCTL_SET_REPARSE_POINT */
8555 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
8556 break;
8557 case 0x000900A8: /* FSCTL_GET_REPARSE_POINT */
8558 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvb, pinfo, tree, 0, data_in);
8559 break;
8560 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
8561 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
8562 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
8563 break;
8564 case 0x000900c4: /* FSCTL_SET_SPARSE */
8565 dissect_smb2_FSCTL_SET_SPARSE(tvb, pinfo, tree, 0, data_in);
8566 break;
8567 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
8568 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb, pinfo, tree, 0, data_in);
8569 break;
8570 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
8571 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb, pinfo, tree, 0, data_in);
8572 break;
8573 case 0x000980C8: /* FSCTL_SET_ZERO_DATA */
8574 dissect_smb2_FSCTL_SET_ZERO_DATA(tvb, pinfo, tree, 0, data_in);
8575 break;
8576 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
8577 dissect_smb2_FSCTL_GET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
8578 break;
8579 case 0x00090300: /* FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT */
8580 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvb, pinfo, tree, 0, data_in);
8581 break;
8582 case 0x00090304: /* FSCTL_SVHDX_SYNC_TUNNEL or response */
8583 case 0x00090364: /* FSCTL_SVHDX_ASYNC_TUNNEL or response */
8584 call_dissector_with_data(rsvd_handle, tvb, pinfo, top_tree, &data_in);
8585 break;
8586 case 0x00090350: /* FSCTL_STORAGE_QOS_CONTROL */
8587 dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvb, pinfo, tree, 0, data_in);
8588 break;
8589 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
8590 dissect_smb2_FSCTL_SET_COMPRESSION(tvb, pinfo, tree, 0, data_in);
8591 break;
8592 case 0x00090284: /* FSCTL_QUERY_FILE_REGIONS */
8593 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvb, pinfo, tree, 0, data_in);
8594 break;
8595 case 0x0009C280: /* FSCTL_SET_INTEGRITY_INFORMATION request or response */
8596 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvb, pinfo, tree, 0, data_in);
8597 break;
8598 case 0x00090064: /* FSCTL_GET_NTFS_VOLUME_DATA */
8599 dissect_smb2_FSCTL_GET_NTFS_VOLUME_DATA(tvb, pinfo, tree, 0, data_in);
8600 break;
8601 case 0x00090380:
8602 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION_EX(tvb, pinfo, tree, 0, data_in);
8603 break;
8604 case 0x00090440:
8605 dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT(tvb, pinfo, tree, 0, data_in);
8606 break;
8607 default:
8608 proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
8609 }
8610 }
8611
8612 static void
8613 dissect_smb2_ioctl_data_in(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
8614 {
8615 smb2_pipe_set_file_id(pinfo, si);
8616 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, true, si);
8617 }
8618
8619 static void
8620 dissect_smb2_ioctl_data_out(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
8621 {
8622 smb2_pipe_set_file_id(pinfo, si);
8623 dissect_smb2_ioctl_data(tvb, pinfo, tree, si->top_tree, si->ioctl_function, false, si);
8624 }
8625
8626 static int
8627 dissect_smb2_ioctl_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8628 {
8629 offset_length_buffer_t o_olb;
8630 offset_length_buffer_t i_olb;
8631 proto_tree *flags_tree = NULL;
8632 proto_item *flags_item = NULL;
8633 proto_item *item;
8634
8635 /* buffer code */
8636 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
8637
8638 /* reserved */
8639 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8640 offset += 2;
8641
8642 /* ioctl function */
8643 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
8644
8645 /* fid hash */
8646 if (si->saved && si->saved->fid_hash) {
8647 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
8648 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
8649 proto_item_set_generated(item);
8650 }
8651
8652 /* fid */
8653 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
8654
8655 /* in buffer offset/length */
8656 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
8657
8658 /* max ioctl in size */
8659 proto_tree_add_item(tree, hf_smb2_max_ioctl_in_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8660 offset += 4;
8661
8662 /* out buffer offset/length */
8663 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
8664
8665 /* max ioctl out size */
8666 proto_tree_add_item(tree, hf_smb2_max_ioctl_out_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8667 offset += 4;
8668
8669 /* flags */
8670 if (tree) {
8671 flags_item = proto_tree_add_item(tree, hf_smb2_ioctl_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8672 flags_tree = proto_item_add_subtree(flags_item, ett_smb2_ioctl_flags);
8673 }
8674 proto_tree_add_item(flags_tree, hf_smb2_ioctl_is_fsctl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8675 offset += 4;
8676
8677 /* reserved */
8678 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8679 offset += 4;
8680
8681 /* try to decode these blobs in the order they were encoded
8682 * so that for "short" packets we will dissect as much as possible
8683 * before aborting with "short packet"
8684 */
8685 if (i_olb.off>o_olb.off) {
8686 /* out buffer */
8687 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
8688 /* in buffer */
8689 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
8690 } else {
8691 /* in buffer */
8692 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
8693 /* out buffer */
8694 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
8695 }
8696
8697 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
8698 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
8699
8700 return offset;
8701 }
8702
8703 static int
8704 dissect_smb2_ioctl_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8705 {
8706 offset_length_buffer_t o_olb;
8707 offset_length_buffer_t i_olb;
8708 bool continue_dissection;
8709 proto_item *item;
8710
8711 switch (si->status) {
8712 /* buffer code */
8713 /* if we get BUFFER_OVERFLOW there will be truncated data */
8714 case 0x80000005:
8715 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
8716 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
8717 if (!continue_dissection) return offset;
8718 }
8719
8720 /* reserved */
8721 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
8722 offset += 2;
8723
8724 /* ioctl function */
8725 offset = dissect_smb2_ioctl_function(tvb, pinfo, tree, offset, &si->ioctl_function);
8726
8727 /* fid hash */
8728 if (si->saved && si->saved->fid_hash) {
8729 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
8730 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
8731 proto_item_set_generated(item);
8732 }
8733
8734 /* fid */
8735 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
8736
8737 /* in buffer offset/length */
8738 offset = dissect_smb2_olb_length_offset(tvb, offset, &i_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_in_data);
8739
8740 /* out buffer offset/length */
8741 offset = dissect_smb2_olb_length_offset(tvb, offset, &o_olb, OLB_O_UINT32_S_UINT32, hf_smb2_ioctl_out_data);
8742
8743
8744 /* flags: reserved: must be zero */
8745 proto_tree_add_item(tree, hf_smb2_flags, tvb, offset, 4, ENC_NA);
8746 offset += 4;
8747
8748 /* reserved */
8749 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8750 offset += 4;
8751
8752 /* try to decode these blobs in the order they were encoded
8753 * so that for "short" packets we will dissect as much as possible
8754 * before aborting with "short packet"
8755 */
8756 if (i_olb.off>o_olb.off) {
8757 /* out buffer */
8758 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
8759 /* in buffer */
8760 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
8761 } else {
8762 /* in buffer */
8763 dissect_smb2_olb_buffer(pinfo, tree, tvb, &i_olb, si, dissect_smb2_ioctl_data_in);
8764 /* out buffer */
8765 dissect_smb2_olb_buffer(pinfo, tree, tvb, &o_olb, si, dissect_smb2_ioctl_data_out);
8766 }
8767
8768 offset = dissect_smb2_olb_tvb_max_offset(offset, &i_olb);
8769 offset = dissect_smb2_olb_tvb_max_offset(offset, &o_olb);
8770
8771 return offset;
8772 }
8773
8774
8775 #define SMB2_READFLAG_READ_UNBUFFERED 0x01
8776 #define SMB2_READFLAG_READ_COMPRESSED 0x02
8777
8778 static const true_false_string tfs_read_unbuffered = {
8779 "Client is asking for UNBUFFERED read",
8780 "Client is NOT asking for UNBUFFERED read"
8781 };
8782
8783 static const true_false_string tfs_read_compressed = {
8784 "Client is asking for COMPRESSED data",
8785 "Client is NOT asking for COMPRESSED data"
8786 };
8787
8788 static int
8789 dissect_smb2_read_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
8790 {
8791 offset_length_buffer_t c_olb;
8792 uint32_t channel;
8793 uint32_t len;
8794 uint64_t off;
8795 proto_item *item;
8796
8797 static int * const flags[] = {
8798 &hf_smb2_read_flags_unbuffered,
8799 &hf_smb2_read_flags_compressed,
8800 NULL
8801 };
8802
8803 /* buffer code */
8804 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
8805
8806 /* padding */
8807 proto_tree_add_item(tree, hf_smb2_read_padding, tvb, offset, 1, ENC_LITTLE_ENDIAN);
8808 offset += 1;
8809
8810 /* flags */
8811 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_read_flags,
8812 ett_smb2_read_flags, flags, ENC_LITTLE_ENDIAN);
8813 offset += 1;
8814
8815 /* length */
8816 len = tvb_get_letohl(tvb, offset);
8817 proto_tree_add_item(tree, hf_smb2_read_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8818 offset += 4;
8819
8820 /* offset */
8821 off = tvb_get_letoh64(tvb, offset);
8822 proto_tree_add_item(tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
8823 offset += 8;
8824
8825 col_append_fstr(pinfo->cinfo, COL_INFO, " Len:%d Off:%" PRIu64, len, off);
8826
8827 /* fid hash */
8828 if (si->saved && si->saved->fid_hash) {
8829 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
8830 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
8831 proto_item_set_generated(item);
8832 }
8833
8834 /* fid */
8835 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
8836
8837 /* minimum count */
8838 proto_tree_add_item(tree, hf_smb2_min_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8839 offset += 4;
8840
8841 /* channel */
8842 channel = tvb_get_letohl(tvb, offset);
8843 proto_tree_add_item(tree, hf_smb2_channel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8844 offset += 4;
8845
8846 /* remaining bytes */
8847 proto_tree_add_item(tree, hf_smb2_remaining_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8848 offset += 4;
8849
8850 /* read channel info blob offset/length */
8851 offset = dissect_smb2_olb_length_offset(tvb, offset, &c_olb, OLB_O_UINT16_S_UINT16, hf_smb2_channel_info_blob);
8852
8853 /* the read channel info blob itself */
8854 switch (channel) {
8855 case SMB2_CHANNEL_RDMA_V1:
8856 case SMB2_CHANNEL_RDMA_V1_INVALIDATE:
8857 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, dissect_smb2_rdma_v1_blob);
8858 break;
8859 case SMB2_CHANNEL_NONE:
8860 default:
8861 dissect_smb2_olb_buffer(pinfo, tree, tvb, &c_olb, si, NULL);
8862 break;
8863 }
8864
8865 offset = dissect_smb2_olb_tvb_max_offset(offset, &c_olb);
8866
8867 /* Store len and offset */
8868 if (si->saved) {
8869 si->saved->file_offset=off;
8870 si->saved->bytes_moved=len;
8871 }
8872
8873 return offset;
8874 }
8875
8876 static void
8877 dissect_smb2_read_blob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
8878 {
8879 int offset = 0;
8880 int length = tvb_captured_length_remaining(tvb, offset);
8881
8882 smb2_pipe_set_file_id(pinfo, si);
8883
8884 offset = dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, length, si->top_tree, si);
8885 if (offset != 0) {
8886 /* managed to dissect pipe data */
8887 return;
8888 }
8889
8890 /* data */
8891 proto_tree_add_item(tree, hf_smb2_read_data, tvb, offset, length, ENC_NA);
8892 }
8893
8894 static int
8895 dissect_smb2_read_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si _U_)
8896 {
8897 offset_length_buffer_t olb;
8898 uint32_t data_tvb_len;
8899 bool continue_dissection;
8900 proto_item *item;
8901
8902 switch (si->status) {
8903 /* buffer code */
8904 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
8905 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
8906 if (!continue_dissection) return offset;
8907 }
8908
8909 /* data offset 8 bit, 8 bit reserved, length 32bit */
8910 offset = dissect_smb2_olb_length_offset(tvb, offset, &olb,
8911 OLB_O_UINT8_P_UINT8_S_UINT32,
8912 hf_smb2_read_blob);
8913
8914 /* remaining */
8915 proto_tree_add_item(tree, hf_smb2_read_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
8916 offset += 4;
8917
8918 /* fid hash */
8919 if (si->saved && si->saved->fid_hash) {
8920 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
8921 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
8922 proto_item_set_generated(item);
8923 }
8924
8925 /* reserved */
8926 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
8927 offset += 4;
8928
8929 data_tvb_len=(uint32_t)tvb_captured_length_remaining(tvb, offset);
8930
8931 dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_read_blob);
8932
8933 offset += MIN(olb.len, data_tvb_len);
8934
8935 if (have_tap_listener(smb2_eo_tap) && (data_tvb_len == olb.len)) {
8936 if (si->saved && si->eo_file_info) { /* without this data we don't know which file this belongs to */
8937 feed_eo_smb2(tvb,pinfo,si,olb.off,olb.len,si->saved->file_offset);
8938 }
8939 }
8940
8941 return offset;
8942 }
8943
8944 static void
8945 report_create_context_malformed_buffer(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, const char *buffer_desc)
8946 {
8947 proto_tree_add_expert_format(tree, pinfo, &ei_smb2_bad_response, tvb, 0, -1,
8948 "%s SHOULD NOT be generated", buffer_desc);
8949 }
8950 static void
8951 dissect_smb2_ExtA_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
8952 {
8953 proto_item *item = NULL;
8954 if (tree) {
8955 item = proto_tree_get_parent(tree);
8956 proto_item_append_text(item, ": SMB2_FILE_FULL_EA_INFO");
8957 }
8958 dissect_smb2_file_full_ea_info(tvb, pinfo, tree, 0, si);
8959 }
8960
8961 static void
8962 dissect_smb2_ExtA_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
8963 {
8964 report_create_context_malformed_buffer(tvb, pinfo, tree, "ExtA Response");
8965 }
8966
8967 static void
8968 dissect_smb2_SecD_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
8969 {
8970 proto_item *item = NULL;
8971 if (tree) {
8972 item = proto_tree_get_parent(tree);
8973 proto_item_append_text(item, ": SMB2_SEC_INFO_00");
8974 }
8975 dissect_smb2_sec_info_00(tvb, pinfo, tree, 0, si);
8976 }
8977
8978 static void
8979 dissect_smb2_SecD_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
8980 {
8981 report_create_context_malformed_buffer(tvb, pinfo, tree, "SecD Response");
8982 }
8983
8984 /*
8985 * Add the timestamp to the info column and to the name of the file if
8986 * we have not visited this packet before.
8987 */
8988 static void
8989 add_timestamp_to_info_col(tvbuff_t *tvb, packet_info *pinfo, smb2_info_t *si,
8990 int offset)
8991 {
8992 uint32_t filetime_high, filetime_low;
8993 uint64_t ft;
8994 nstime_t ts;
8995
8996 filetime_low = tvb_get_letohl(tvb, offset);
8997 filetime_high = tvb_get_letohl(tvb, offset + 4);
8998
8999 ft = ((uint64_t)filetime_high << 32) | filetime_low;
9000 if (!filetime_to_nstime(&ts, ft)) {
9001 return;
9002 }
9003
9004 col_append_fstr(pinfo->cinfo, COL_INFO, "@%s",
9005 abs_time_to_str(pinfo->pool, &ts, ABSOLUTE_TIME_UTC,
9006 false));
9007
9008 /* Append the timestamp */
9009 if (!pinfo->fd->visited) {
9010 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
9011 char *saved_name = (char *)si->saved->extra_info;
9012
9013 si->saved->extra_info = wmem_strdup_printf(wmem_file_scope(),
9014 "%s@%s", (char *)saved_name,
9015 abs_time_to_str(pinfo->pool, &ts,
9016 ABSOLUTE_TIME_UTC, false));
9017 wmem_free(wmem_file_scope(), saved_name);
9018 }
9019 }
9020 }
9021
9022 static void
9023 dissect_smb2_TWrp_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9024 {
9025 proto_item *item = NULL;
9026 if (tree) {
9027 item = proto_tree_get_parent(tree);
9028 proto_item_append_text(item, ": Timestamp");
9029 }
9030 add_timestamp_to_info_col(tvb, pinfo, si, 0);
9031 dissect_nttime(tvb, tree, 0, hf_smb2_twrp_timestamp, ENC_LITTLE_ENDIAN);
9032 }
9033
9034 static void
9035 dissect_smb2_TWrp_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9036 {
9037 report_create_context_malformed_buffer(tvb, pinfo, tree, "TWrp Response");
9038 }
9039
9040 static void
9041 dissect_smb2_QFid_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9042 {
9043 proto_item *item = NULL;
9044
9045 if (tree) {
9046 item = proto_tree_get_parent(tree);
9047 }
9048
9049 if (item) {
9050 if (tvb_reported_length(tvb) == 0) {
9051 proto_item_append_text(item, ": NO DATA");
9052 } else {
9053 proto_item_append_text(item, ": QFid request should have no data, malformed packet");
9054 }
9055 }
9056 }
9057
9058 static void
9059 dissect_smb2_QFid_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9060 {
9061 int offset = 0;
9062 proto_item *item;
9063 proto_item *sub_tree;
9064
9065 item = proto_tree_get_parent(tree);
9066
9067 proto_item_append_text(item, ": QFid INFO");
9068 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_QFid_buffer, NULL, "QFid INFO");
9069
9070 proto_tree_add_item(sub_tree, hf_smb2_qfid_fid, tvb, offset, 32, ENC_NA);
9071 }
9072
9073 static void
9074 dissect_smb2_AlSi_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9075 {
9076 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, 0, 8, ENC_LITTLE_ENDIAN);
9077 }
9078
9079 static void
9080 dissect_smb2_AlSi_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9081 {
9082 report_create_context_malformed_buffer(tvb, pinfo, tree, "AlSi Response");
9083 }
9084
9085 static void
9086 dissect_smb2_DHnQ_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
9087 {
9088 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNQ);
9089 }
9090
9091 static void
9092 dissect_smb2_DHnQ_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9093 {
9094 proto_tree_add_item(tree, hf_smb2_dhnq_buffer_reserved, tvb, 0, 8, ENC_LITTLE_ENDIAN);
9095 }
9096
9097 static void
9098 dissect_smb2_DHnC_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
9099 {
9100 dissect_smb2_fid(tvb, pinfo, tree, 0, si, FID_MODE_DHNC);
9101 }
9102
9103 static void
9104 dissect_smb2_DHnC_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
9105 {
9106 report_create_context_malformed_buffer(tvb, pinfo, tree, "DHnC Response");
9107 }
9108
9109 /*
9110 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
9111 * 4 - timeout
9112 * 4 - flags
9113 * 8 - reserved
9114 * 16 - create guid
9115 *
9116 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
9117 * 4 - timeout
9118 * 4 - flags
9119 *
9120 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
9121 * 16 - file id
9122 * 16 - create guid
9123 * 4 - flags
9124 *
9125 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
9126 * - nothing -
9127 */
9128 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
9129
9130 static void
9131 dissect_smb2_DH2Q_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9132 {
9133 static int * const dh2x_flags_fields[] = {
9134 &hf_smb2_dh2x_buffer_flags_persistent_handle,
9135 NULL
9136 };
9137 int offset = 0;
9138 proto_item *item;
9139 proto_item *sub_tree;
9140
9141 item = proto_tree_get_parent(tree);
9142
9143 proto_item_append_text(item, ": DH2Q Request");
9144 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Request");
9145
9146 /* timeout */
9147 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9148 offset += 4;
9149
9150 /* flags */
9151 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_dh2x_buffer_flags,
9152 ett_smb2_dh2x_flags, dh2x_flags_fields, ENC_LITTLE_ENDIAN);
9153 offset += 4;
9154
9155 /* reserved */
9156 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_reserved, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9157 offset += 8;
9158
9159 /* create guid */
9160 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
9161 }
9162
9163 static void
9164 dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9165 {
9166 int offset = 0;
9167 proto_item *item;
9168 proto_item *sub_tree;
9169
9170 item = proto_tree_get_parent(tree);
9171
9172 proto_item_append_text(item, ": DH2Q Response");
9173 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Response");
9174
9175 /* timeout */
9176 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9177 offset += 4;
9178
9179 /* flags */
9180 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9181 }
9182
9183 static void
9184 dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
9185 {
9186 int offset = 0;
9187 proto_item *item;
9188 proto_item *sub_tree;
9189
9190 item = proto_tree_get_parent(tree);
9191
9192 proto_item_append_text(item, ": DH2C Request");
9193 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_DH2C_buffer, NULL, "DH2C Request");
9194
9195 /* file id */
9196 dissect_smb2_fid(tvb, pinfo, sub_tree, offset, si, FID_MODE_DHNC);
9197 offset += 16;
9198
9199 /* create guid */
9200 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_create_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
9201 offset += 16;
9202
9203 /* flags */
9204 proto_tree_add_item(sub_tree, hf_smb2_dh2x_buffer_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9205 }
9206
9207 static void
9208 dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
9209 {
9210 report_create_context_malformed_buffer(tvb, pinfo, tree, "DH2C Response");
9211 }
9212
9213 static void
9214 dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9215 {
9216 int offset = 0;
9217 proto_item *item = NULL;
9218
9219 if (tree) {
9220 item = proto_tree_get_parent(tree);
9221 }
9222
9223 if (tvb_reported_length(tvb) == 0) {
9224 if (item) {
9225 proto_item_append_text(item, ": NO DATA");
9226 }
9227 return;
9228 }
9229
9230 if (item) {
9231 proto_item_append_text(item, ": Timestamp");
9232 }
9233
9234 dissect_nttime(tvb, tree, offset, hf_smb2_mxac_timestamp, ENC_LITTLE_ENDIAN);
9235 }
9236
9237 static void
9238 dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9239 {
9240 int offset = 0;
9241 proto_item *item;
9242 proto_tree *sub_tree;
9243
9244 item = proto_tree_get_parent(tree);
9245
9246 if (tvb_reported_length(tvb) == 0) {
9247 proto_item_append_text(item, ": NO DATA");
9248 return;
9249 }
9250
9251 proto_item_append_text(item, ": MxAc INFO");
9252 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_MxAc_buffer, NULL, "MxAc INFO");
9253
9254 proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_BIG_ENDIAN);
9255 offset += 4;
9256
9257 dissect_smb_access_mask(tvb, sub_tree, offset);
9258 }
9259
9260 /*
9261 * SMB2_CREATE_REQUEST_LEASE 32
9262 * 16 - lease key
9263 * 4 - lease state
9264 * 4 - lease flags
9265 * 8 - lease duration
9266 *
9267 * SMB2_CREATE_REQUEST_LEASE_V2 52
9268 * 16 - lease key
9269 * 4 - lease state
9270 * 4 - lease flags
9271 * 8 - lease duration
9272 * 16 - parent lease key
9273 * 2 - epoch
9274 * 2 - reserved
9275 */
9276 #define SMB2_LEASE_STATE_READ_CACHING 0x00000001
9277 #define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
9278 #define SMB2_LEASE_STATE_WRITE_CACHING 0x00000004
9279
9280 #define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED 0x00000001
9281 #define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS 0x00000002
9282 #define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004
9283
9284 static int * const lease_state_fields[] = {
9285 &hf_smb2_lease_state_read_caching,
9286 &hf_smb2_lease_state_handle_caching,
9287 &hf_smb2_lease_state_write_caching,
9288 NULL
9289 };
9290 static int * const lease_flags_fields[] = {
9291 &hf_smb2_lease_flags_break_ack_required,
9292 &hf_smb2_lease_flags_break_in_progress,
9293 &hf_smb2_lease_flags_parent_lease_key_set,
9294 NULL
9295 };
9296
9297 static void
9298 dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
9299 {
9300 int offset = 0;
9301 int len;
9302 proto_tree *sub_tree = NULL;
9303 proto_item *parent_item;
9304
9305 parent_item = proto_tree_get_parent(parent_tree);
9306
9307 len = tvb_reported_length(tvb);
9308
9309 switch (len) {
9310 case 32: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
9311 proto_item_append_text(parent_item, ": LEASE_V1");
9312 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V1");
9313 break;
9314 case 52: /* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
9315 proto_item_append_text(parent_item, ": LEASE_V2");
9316 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V2");
9317 break;
9318 default:
9319 report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
9320 break;
9321 }
9322
9323 proto_tree_add_item(sub_tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
9324 offset += 16;
9325
9326 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_state,
9327 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
9328 offset += 4;
9329
9330 proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_lease_flags,
9331 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
9332 offset += 4;
9333
9334 proto_tree_add_item(sub_tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9335 offset += 8;
9336
9337 if (len < 52) {
9338 return;
9339 }
9340
9341 proto_tree_add_item(sub_tree, hf_smb2_parent_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
9342 offset += 16;
9343
9344 proto_tree_add_item(sub_tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9345 offset += 2;
9346
9347 proto_tree_add_item(sub_tree, hf_smb2_lease_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
9348 }
9349
9350 static void
9351 dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9352 {
9353 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
9354 }
9355
9356 static void
9357 dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9358 {
9359 dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
9360 }
9361
9362 /*
9363 * SMB2_CREATE_APP_INSTANCE_ID
9364 * 2 - structure size - 20
9365 * 2 - reserved
9366 * 16 - application guid
9367 */
9368
9369 static void
9370 dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9371 {
9372 int offset = 0;
9373 proto_item *item;
9374 proto_item *sub_tree;
9375
9376 item = proto_tree_get_parent(tree);
9377
9378 proto_item_append_text(item, ": CREATE APP INSTANCE ID");
9379 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_APP_INSTANCE_buffer, NULL, "APP INSTANCE ID");
9380
9381 /* struct size */
9382 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
9383 tvb, offset, 2, ENC_LITTLE_ENDIAN);
9384 offset += 2;
9385
9386 /* reserved */
9387 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
9388 tvb, offset, 2, ENC_LITTLE_ENDIAN);
9389 offset += 2;
9390
9391 /* create guid */
9392 proto_tree_add_item(sub_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
9393 }
9394
9395 static void
9396 dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9397 {
9398 report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Response");
9399 }
9400
9401 /*
9402 * Dissect the MS-RSVD stuff that turns up when HyperV uses SMB3.x
9403 */
9404 static void
9405 dissect_smb2_svhdx_open_device_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9406 {
9407 int offset = 0;
9408 uint32_t version;
9409 proto_item *item;
9410 proto_item *sub_tree;
9411
9412 item = proto_tree_get_parent(tree);
9413
9414 proto_item_append_text(item, ": SVHDX OPEN DEVICE CONTEXT");
9415 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_svhdx_open_device_context, NULL, "SVHDX OPEN DEVICE CONTEXT");
9416
9417 /* Version */
9418 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_svhdx_open_device_context_version,
9419 tvb, offset, 4, ENC_LITTLE_ENDIAN, &version);
9420 offset += 4;
9421
9422 /* HasInitiatorId */
9423 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_has_initiator_id,
9424 tvb, offset, 1, ENC_LITTLE_ENDIAN);
9425 offset += 1;
9426
9427 /* Reserved */
9428 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_reserved,
9429 tvb, offset, 3, ENC_NA);
9430 offset += 3;
9431
9432 /* InitiatorId */
9433 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_id,
9434 tvb, offset, 16, ENC_LITTLE_ENDIAN);
9435 offset += 16;
9436
9437 /* Flags TODO: Dissect these*/
9438 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_flags,
9439 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9440 offset += 4;
9441
9442 /* OriginatorFlags */
9443 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_originator_flags,
9444 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9445 offset += 4;
9446
9447 /* OpenRequestId */
9448 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_open_request_id,
9449 tvb, offset, 8, ENC_LITTLE_ENDIAN);
9450 offset += 8;
9451
9452 /* InitiatorHostNameLength */
9453 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_host_name_len,
9454 tvb, offset, 2, ENC_LITTLE_ENDIAN);
9455 offset += 2;
9456
9457 /* InitiatorHostName */
9458 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_initiator_host_name,
9459 tvb, offset, 126, ENC_ASCII | ENC_NA);
9460 offset += 126;
9461
9462 if (version == 2) {
9463 /* VirtualDiskPropertiesInitialized */
9464 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized,
9465 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9466 offset += 4;
9467
9468 /* ServerServiceVersion */
9469 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_server_service_version,
9470 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9471 offset += 4;
9472
9473 /* VirtualSectorSize */
9474 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_sector_size,
9475 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9476 offset += 4;
9477
9478 /* PhysicalSectorSize */
9479 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_physical_sector_size,
9480 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9481 offset += 4;
9482
9483 /* VirtualSize */
9484 proto_tree_add_item(sub_tree, hf_smb2_svhdx_open_device_context_virtual_size,
9485 tvb, offset, 8, ENC_LITTLE_ENDIAN);
9486 }
9487 }
9488
9489 /*
9490 * SMB2_CREATE_APP_INSTANCE_VERSION
9491 * 2 - structure size - 24
9492 * 2 - reserved
9493 * 4 - padding
9494 * 8 - AppInstanceVersionHigh
9495 * 8 - AppInstanceVersionHigh
9496 */
9497
9498 static void
9499 dissect_smb2_app_instance_version_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9500 {
9501 int offset = 0;
9502 proto_item *item;
9503 proto_item *sub_tree;
9504 proto_item *version_sub_tree;
9505 uint64_t version_high;
9506 uint64_t version_low;
9507
9508 item = proto_tree_get_parent(tree);
9509
9510 proto_item_append_text(item, ": CREATE APP INSTANCE VERSION");
9511 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_app_instance_version_buffer, NULL, "APP INSTANCE VERSION");
9512
9513 /* struct size */
9514 proto_tree_add_item(sub_tree, hf_smb2_app_instance_version_struct_size,
9515 tvb, offset, 2, ENC_LITTLE_ENDIAN);
9516 offset += 2;
9517
9518 /* reserved */
9519 proto_tree_add_item(sub_tree, hf_smb2_app_instance_version_reserved,
9520 tvb, offset, 2, ENC_LITTLE_ENDIAN);
9521 offset += 2;
9522
9523 /* padding */
9524 proto_tree_add_item(sub_tree, hf_smb2_app_instance_version_padding,
9525 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9526 offset += 4;
9527
9528 version_sub_tree = proto_tree_add_subtree(sub_tree, tvb, offset, -1, ett_smb2_app_instance_version_buffer_version, NULL, "version");
9529
9530 /* version high */
9531 proto_tree_add_item_ret_uint64(version_sub_tree, hf_smb2_app_instance_version_high,
9532 tvb, offset, 8, ENC_LITTLE_ENDIAN, &version_high);
9533 offset += 8;
9534
9535 /* version low */
9536 proto_tree_add_item_ret_uint64(version_sub_tree, hf_smb2_app_instance_version_low,
9537 tvb, offset, 8, ENC_LITTLE_ENDIAN, &version_low);
9538
9539 proto_item_append_text(version_sub_tree, " : %" PRIu64 ".%" PRIu64, version_high, version_low);
9540 proto_item_append_text(sub_tree, ", version: %" PRIu64 ".%" PRIu64, version_high, version_low);
9541 }
9542
9543 static void
9544 dissect_smb2_app_instance_version_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
9545 {
9546 report_create_context_malformed_buffer(tvb, pinfo, tree, "APP INSTANCE Version Response");
9547 }
9548
9549 static void
9550 dissect_smb2_posix_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
9551 {
9552 int offset = 0;
9553 proto_item *item;
9554
9555 item = proto_tree_get_parent(tree);
9556 proto_item_append_text(item, ": POSIX Create Context request");
9557
9558 /* POSIX mode bits */
9559 proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9560 }
9561
9562 static void
9563 dissect_smb2_posix_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
9564 {
9565 int offset = 0;
9566 proto_item *item;
9567
9568 item = proto_tree_get_parent(tree);
9569 proto_item_append_text(item, ": POSIX Create Context response");
9570
9571 /* Hardlinks */
9572 proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9573 offset += 4;
9574
9575 /* Reparse tag */
9576 proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9577 offset += 4;
9578
9579 /* POSIX mode bits */
9580 proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9581 offset += 4;
9582
9583 /* Owner and Group SID */
9584 offset = dissect_nt_sid(tvb, offset, tree, "Owner SID", NULL, -1);
9585 dissect_nt_sid(tvb, offset, tree, "Group SID", NULL, -1);
9586 }
9587
9588 #define SMB2_AAPL_SERVER_QUERY 1
9589 #define SMB2_AAPL_RESOLVE_ID 2
9590
9591 static const value_string aapl_command_code_vals[] = {
9592 { SMB2_AAPL_SERVER_QUERY, "Server query"},
9593 { SMB2_AAPL_RESOLVE_ID, "Resolve ID"},
9594 { 0, NULL }
9595 };
9596
9597 #define SMB2_AAPL_SERVER_CAPS 0x00000001
9598 #define SMB2_AAPL_VOLUME_CAPS 0x00000002
9599 #define SMB2_AAPL_MODEL_INFO 0x00000004
9600
9601 static int * const aapl_server_query_bitmap_fields[] = {
9602 &hf_smb2_aapl_server_query_bitmask_server_caps,
9603 &hf_smb2_aapl_server_query_bitmask_volume_caps,
9604 &hf_smb2_aapl_server_query_bitmask_model_info,
9605 NULL
9606 };
9607
9608 #define SMB2_AAPL_SUPPORTS_READ_DIR_ATTR 0x00000001
9609 #define SMB2_AAPL_SUPPORTS_OSX_COPYFILE 0x00000002
9610 #define SMB2_AAPL_UNIX_BASED 0x00000004
9611 #define SMB2_AAPL_SUPPORTS_NFS_ACE 0x00000008
9612
9613 static int * const aapl_server_query_caps_fields[] = {
9614 &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
9615 &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
9616 &hf_smb2_aapl_server_query_caps_unix_based,
9617 &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
9618 NULL
9619 };
9620
9621 static void
9622 dissect_smb2_AAPL_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
9623 {
9624 int offset = 0;
9625 proto_item *item;
9626 proto_item *sub_tree;
9627 uint32_t command_code;
9628
9629 item = proto_tree_get_parent(tree);
9630
9631 proto_item_append_text(item, ": AAPL Create Context request");
9632 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_request, NULL, "AAPL Create Context request");
9633
9634 /* Command code */
9635 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
9636 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
9637 offset += 4;
9638
9639 /* Reserved */
9640 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
9641 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9642 offset += 4;
9643
9644 switch (command_code) {
9645
9646 case SMB2_AAPL_SERVER_QUERY:
9647 /* Request bitmap */
9648 proto_tree_add_bitmask(sub_tree, tvb, offset,
9649 hf_smb2_aapl_server_query_bitmask,
9650 ett_smb2_aapl_server_query_bitmask,
9651 aapl_server_query_bitmap_fields,
9652 ENC_LITTLE_ENDIAN);
9653 offset += 8;
9654
9655 /* Client capabilities */
9656 proto_tree_add_bitmask(sub_tree, tvb, offset,
9657 hf_smb2_aapl_server_query_caps,
9658 ett_smb2_aapl_server_query_caps,
9659 aapl_server_query_caps_fields,
9660 ENC_LITTLE_ENDIAN);
9661 break;
9662
9663 case SMB2_AAPL_RESOLVE_ID:
9664 /* file ID */
9665 proto_tree_add_item(sub_tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9666 break;
9667
9668 default:
9669 break;
9670 }
9671 }
9672
9673 #define SMB2_AAPL_SUPPORTS_RESOLVE_ID 0x00000001
9674 #define SMB2_AAPL_CASE_SENSITIVE 0x00000002
9675 #define SMB2_AAPL_SUPPORTS_FULL_SYNC 0x00000004
9676
9677 static int * const aapl_server_query_volume_caps_fields[] = {
9678 &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
9679 &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
9680 &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
9681 NULL
9682 };
9683
9684 static void
9685 dissect_smb2_AAPL_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
9686 {
9687 int offset = 0;
9688 proto_item *item;
9689 proto_item *sub_tree;
9690 uint32_t command_code;
9691 uint64_t server_query_bitmask;
9692
9693 item = proto_tree_get_parent(tree);
9694
9695 proto_item_append_text(item, ": AAPL Create Context response");
9696 sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_aapl_create_context_response, NULL, "AAPL Create Context response");
9697
9698 /* Command code */
9699 proto_tree_add_item_ret_uint(sub_tree, hf_smb2_aapl_command_code,
9700 tvb, offset, 4, ENC_LITTLE_ENDIAN, &command_code);
9701 offset += 4;
9702
9703 /* Reserved */
9704 proto_tree_add_item(sub_tree, hf_smb2_aapl_reserved,
9705 tvb, offset, 4, ENC_LITTLE_ENDIAN);
9706 offset += 4;
9707
9708 switch (command_code) {
9709
9710 case SMB2_AAPL_SERVER_QUERY:
9711 /* Reply bitmap */
9712 proto_tree_add_bitmask_ret_uint64(sub_tree, tvb, offset,
9713 hf_smb2_aapl_server_query_bitmask,
9714 ett_smb2_aapl_server_query_bitmask,
9715 aapl_server_query_bitmap_fields,
9716 ENC_LITTLE_ENDIAN,
9717 &server_query_bitmask);
9718 offset += 8;
9719
9720 if (server_query_bitmask & SMB2_AAPL_SERVER_CAPS) {
9721 /* Server capabilities */
9722 proto_tree_add_bitmask(sub_tree, tvb, offset,
9723 hf_smb2_aapl_server_query_caps,
9724 ett_smb2_aapl_server_query_caps,
9725 aapl_server_query_caps_fields,
9726 ENC_LITTLE_ENDIAN);
9727 offset += 8;
9728 }
9729 if (server_query_bitmask & SMB2_AAPL_VOLUME_CAPS) {
9730 /* Volume capabilities */
9731 proto_tree_add_bitmask(sub_tree, tvb, offset,
9732 hf_smb2_aapl_server_query_volume_caps,
9733 ett_smb2_aapl_server_query_volume_caps,
9734 aapl_server_query_volume_caps_fields,
9735 ENC_LITTLE_ENDIAN);
9736 offset += 8;
9737 }
9738 if (server_query_bitmask & SMB2_AAPL_MODEL_INFO) {
9739 /* Padding */
9740 offset += 4;
9741
9742 /* Model string */
9743 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_model_string,
9744 tvb, offset, 4,
9745 ENC_UTF_16|ENC_LITTLE_ENDIAN);
9746 }
9747 break;
9748
9749 case SMB2_AAPL_RESOLVE_ID:
9750 /* NT status */
9751 proto_tree_add_item(sub_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9752 offset += 4;
9753
9754 /* Server path */
9755 proto_tree_add_item(sub_tree, hf_smb2_aapl_server_query_server_path,
9756 tvb, offset, 4,
9757 ENC_UTF_16|ENC_LITTLE_ENDIAN);
9758 break;
9759
9760 default:
9761 break;
9762 }
9763 }
9764
9765 typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
9766
9767 typedef struct create_context_data_dissectors {
9768 create_context_data_dissector_t request;
9769 create_context_data_dissector_t response;
9770 } create_context_data_dissectors_t;
9771
9772 struct create_context_data_tag_dissectors {
9773 const char *tag;
9774 const char *val;
9775 create_context_data_dissectors_t dissectors;
9776 };
9777
9778 static struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
9779 { "ExtA", "SMB2_CREATE_EA_BUFFER",
9780 { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
9781 { "SecD", "SMB2_CREATE_SD_BUFFER",
9782 { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
9783 { "AlSi", "SMB2_CREATE_ALLOCATION_SIZE",
9784 { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
9785 { "MxAc", "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
9786 { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
9787 { "DHnQ", "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
9788 { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
9789 { "DHnC", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
9790 { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
9791 { "DH2Q", "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
9792 { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
9793 { "DH2C", "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
9794 { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
9795 { "TWrp", "SMB2_CREATE_TIMEWARP_TOKEN",
9796 { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
9797 { "QFid", "SMB2_CREATE_QUERY_ON_DISK_ID",
9798 { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
9799 { "RqLs", "SMB2_CREATE_REQUEST_LEASE",
9800 { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
9801 { "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", "SMB2_CREATE_APP_INSTANCE_ID",
9802 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
9803 { "6aa6bc45-a7ef-4af7-9008-fa462e144d74", "SMB2_CREATE_APP_INSTANCE_ID",
9804 { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
9805 { "9ecfcb9c-c104-43e6-980e-158da1f6ec83", "SVHDX_OPEN_DEVICE_CONTEXT",
9806 { dissect_smb2_svhdx_open_device_context, dissect_smb2_svhdx_open_device_context} },
9807 { "b7d082b9-563b-4f07-a07b-524a8116a010", "SMB2_CREATE_APP_INSTANCE_VERSION",
9808 { dissect_smb2_app_instance_version_buffer_request, dissect_smb2_app_instance_version_buffer_response } },
9809 { "5025ad93-b49c-e711-b423-83de968bcd7c", "SMB2_POSIX_CREATE_CONTEXT",
9810 { dissect_smb2_posix_buffer_request, dissect_smb2_posix_buffer_response } },
9811 { "AAPL", "SMB2_AAPL_CREATE_CONTEXT",
9812 { dissect_smb2_AAPL_buffer_request, dissect_smb2_AAPL_buffer_response } },
9813 };
9814
9815 static struct create_context_data_tag_dissectors*
9816 get_create_context_data_tag_dissectors(const char *tag)
9817 {
9818 static struct create_context_data_tag_dissectors INVALID = {
9819 NULL, "<invalid>", { NULL, NULL }
9820 };
9821
9822 size_t i;
9823
9824 for (i = 0; i<array_length(create_context_dissectors_array); i++) {
9825 if (!strcmp(tag, create_context_dissectors_array[i].tag))
9826 return &create_context_dissectors_array[i];
9827 }
9828 return &INVALID;
9829 }
9830
9831 static void
9832 // NOLINTNEXTLINE(misc-no-recursion)
9833 dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
9834 {
9835 offset_length_buffer_t tag_olb;
9836 offset_length_buffer_t data_olb;
9837 const uint8_t *tag;
9838 uint16_t chain_offset;
9839 int offset = 0;
9840 int len = -1;
9841 proto_item *sub_item;
9842 proto_tree *sub_tree;
9843 proto_item *parent_item = NULL;
9844 create_context_data_dissectors_t *dissectors = NULL;
9845 create_context_data_dissector_t dissector = NULL;
9846 struct create_context_data_tag_dissectors *tag_dissectors;
9847
9848 chain_offset = tvb_get_letohl(tvb, offset);
9849 if (chain_offset) {
9850 len = chain_offset;
9851 }
9852
9853 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_create_chain_element, &sub_item, "Chain Element");
9854 parent_item = proto_tree_get_parent(parent_tree);
9855
9856 /* chain offset */
9857 proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9858 offset += 4;
9859
9860 /* tag offset/length */
9861 offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);
9862
9863 /* data offset/length */
9864 dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);
9865
9866 /*
9867 * These things are all either 4-char strings, like DH2C, or GUIDs,
9868 * however, at least one of them appears to be a GUID as a string and
9869 * one appears to be a binary guid. So, check if the length is
9870 * 16, and if so, pull the GUID and convert it to a string. Otherwise
9871 * call dissect_smb2_olb_string.
9872 */
9873 if (tag_olb.len == 16) {
9874 e_guid_t tag_guid;
9875 proto_item *tag_item;
9876 proto_tree *tag_tree;
9877
9878 tvb_get_letohguid(tvb, tag_olb.off, &tag_guid);
9879 tag = guid_to_str(pinfo->pool, &tag_guid);
9880
9881 tag_item = proto_tree_add_string(sub_tree, tag_olb.hfindex, tvb, tag_olb.off, tag_olb.len, tag);
9882 tag_tree = proto_item_add_subtree(tag_item, ett_smb2_olb);
9883 proto_tree_add_item(tag_tree, hf_smb2_olb_offset, tvb, tag_olb.off_offset, 2, ENC_LITTLE_ENDIAN);
9884 proto_tree_add_item(tag_tree, hf_smb2_olb_length, tvb, tag_olb.len_offset, 2, ENC_LITTLE_ENDIAN);
9885
9886 } else {
9887 /* tag string */
9888 tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
9889 }
9890
9891 tag_dissectors = get_create_context_data_tag_dissectors(tag);
9892
9893 proto_item_append_text(parent_item, " %s", tag_dissectors->val);
9894 proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);
9895
9896 /* data */
9897 dissectors = &tag_dissectors->dissectors;
9898 if (dissectors)
9899 dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;
9900
9901 dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);
9902
9903 if (chain_offset) {
9904 tvbuff_t *chain_tvb;
9905 chain_tvb = tvb_new_subset_remaining(tvb, chain_offset);
9906
9907 /* next extra info */
9908 increment_dissection_depth(pinfo);
9909 dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
9910 decrement_dissection_depth(pinfo);
9911 }
9912 }
9913
9914 static int
9915 dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
9916 {
9917 offset_length_buffer_t f_olb, e_olb;
9918 const uint8_t *fname;
9919 proto_item *item;
9920
9921 /* buffer code */
9922 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
9923
9924 /* security flags */
9925 offset++;
9926
9927 /* oplock */
9928 offset = dissect_smb2_oplock(tree, tvb, offset);
9929
9930 /* impersonation level */
9931 proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9932 offset += 4;
9933
9934 /* create flags */
9935 proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
9936 offset += 8;
9937
9938 /* reserved */
9939 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 8, ENC_NA);
9940 offset += 8;
9941
9942 /* access mask */
9943 offset = dissect_smb_access_mask(tvb, tree, offset);
9944
9945 /* File Attributes */
9946 offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);
9947
9948 /* share access */
9949 offset = dissect_nt_share_access(tvb, tree, offset);
9950
9951 /* create disposition */
9952 proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
9953 offset += 4;
9954
9955 /* create options */
9956 offset = dissect_nt_create_options(tvb, tree, offset);
9957
9958 /* fid hash */
9959 if (si->saved && si->saved->fid_hash) {
9960 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
9961 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
9962 proto_item_set_generated(item);
9963 }
9964
9965 /* filename offset/length */
9966 offset = dissect_smb2_olb_length_offset(tvb, offset, &f_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);
9967
9968 /* extrainfo offset */
9969 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
9970
9971 /* filename string */
9972 fname = dissect_smb2_olb_string(pinfo, tree, tvb, &f_olb, OLB_TYPE_UNICODE_STRING);
9973 col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s",
9974 format_text(pinfo->pool, fname, strlen(fname)));
9975
9976 /* save the name if it looks sane */
9977 if (!pinfo->fd->visited) {
9978 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
9979 wmem_free(wmem_file_scope(), si->saved->extra_info);
9980 si->saved->extra_info = NULL;
9981 si->saved->extra_info_type = SMB2_EI_NONE;
9982 }
9983 if (si->saved && f_olb.len < 1024) {
9984 si->saved->extra_info_type = SMB2_EI_FILENAME;
9985 si->saved->extra_info = wmem_strdup(wmem_file_scope(), fname);
9986 }
9987 }
9988
9989 /* If extrainfo_offset is non-null then this points to another
9990 * buffer. The offset is relative to the start of the smb packet
9991 */
9992 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
9993
9994 offset = dissect_smb2_olb_tvb_max_offset(offset, &f_olb);
9995 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
9996
9997 return offset;
9998 }
9999
10000 #define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01
10001
10002 static int
10003 dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
10004 {
10005 uint64_t end_of_file;
10006 uint32_t attr_mask;
10007 offset_length_buffer_t e_olb;
10008 static int * const create_rep_flags_fields[] = {
10009 &hf_smb2_create_rep_flags_reparse_point,
10010 NULL
10011 };
10012 bool continue_dissection;
10013 proto_item *item;
10014
10015 switch (si->status) {
10016 /* buffer code */
10017 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
10018 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
10019 if (!continue_dissection) return offset;
10020 }
10021
10022 /* oplock */
10023 offset = dissect_smb2_oplock(tree, tvb, offset);
10024
10025 /* reserved */
10026 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
10027 ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
10028 offset += 1;
10029
10030 /* create action */
10031 proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10032 offset += 4;
10033
10034 /* create time */
10035 dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
10036 offset += 8;
10037
10038 /* last access */
10039 dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
10040 offset += 8;
10041
10042 /* last write */
10043 dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
10044 offset += 8;
10045
10046 /* last change */
10047 dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
10048 offset += 8;
10049
10050 /* allocation size */
10051 proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
10052 offset += 8;
10053
10054 /* end of file */
10055 end_of_file = tvb_get_letoh64(tvb, offset);
10056 if (si->eo_file_info) {
10057 si->eo_file_info->end_of_file = tvb_get_letoh64(tvb, offset);
10058 }
10059 proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
10060 offset += 8;
10061
10062 /* File Attributes */
10063 offset = dissect_fscc_file_attr(tvb, tree, offset, &attr_mask);
10064
10065 /* reserved */
10066 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
10067 offset += 4;
10068
10069 /* fid hash */
10070 if (si->saved && si->saved->fid_hash) {
10071 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
10072 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
10073 proto_item_set_generated(item);
10074 }
10075
10076 /* fid */
10077 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);
10078
10079 /* We save this after dissect_smb2_fid just because it would be
10080 possible to have this response without having the mathing request.
10081 In that case the entry in the file info hash table has been created
10082 in dissect_smb2_fid */
10083 if (si->eo_file_info) {
10084 si->eo_file_info->end_of_file = end_of_file;
10085 si->eo_file_info->attr_mask = attr_mask;
10086 }
10087
10088 /* extrainfo offset */
10089 offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);
10090
10091 /* If extrainfo_offset is non-null then this points to another
10092 * buffer. The offset is relative to the start of the smb packet
10093 */
10094 dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);
10095
10096 offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);
10097
10098 /* free si->saved->extra_info we don't need it any more */
10099 if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
10100 wmem_free(wmem_file_scope(), si->saved->extra_info);
10101 si->saved->extra_info = NULL;
10102 si->saved->extra_info_type = SMB2_EI_NONE;
10103 }
10104
10105 return offset;
10106 }
10107
10108
10109 static int
10110 dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
10111 {
10112 uint32_t setinfo_size;
10113 uint16_t setinfo_offset;
10114 proto_item *item;
10115
10116 /* buffer code */
10117 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
10118
10119 /* class and info level */
10120 offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
10121
10122 /* size */
10123 setinfo_size = tvb_get_letohl(tvb, offset);
10124 proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10125 offset += 4;
10126
10127 /* offset */
10128 setinfo_offset = tvb_get_letohs(tvb, offset);
10129 proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10130 offset += 2;
10131
10132 /* reserved */
10133 proto_tree_add_item(tree, hf_smb2_setinfo_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10134 offset += 2;
10135
10136 if (si->saved && si->saved->smb2_class == SMB2_CLASS_SEC_INFO) {
10137 /* AdditionalInformation (4 bytes): Provides additional information to the server.
10138 If security information is being set, this value MUST contain a 4-byte bit field
10139 of flags indicating what security attributes MUST be applied. */
10140 offset = dissect_additional_information_sec_mask(tvb, tree, offset);
10141 } else {
10142 /* For all other set requests, this field MUST be 0. */
10143 proto_tree_add_item(tree, hf_smb2_getsetinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10144 offset += 4;
10145 }
10146
10147 /* fid hash */
10148 if (si->saved && si->saved->fid_hash) {
10149 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
10150 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
10151 proto_item_set_generated(item);
10152 }
10153
10154 /* fid */
10155 dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
10156
10157 /* data */
10158 if (si->saved)
10159 dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->smb2_class, si->saved->infolevel);
10160 offset = setinfo_offset + setinfo_size;
10161
10162 return offset;
10163 }
10164
10165 static int
10166 dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
10167 {
10168 bool continue_dissection;
10169 proto_item *item;
10170
10171 /* class/infolevel */
10172 dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);
10173
10174 /* fid hash */
10175 if (si->saved && si->saved->fid_hash) {
10176 item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
10177 si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
10178 proto_item_set_generated(item);
10179 }
10180
10181 /* buffer code */
10182 switch (si->status) {
10183 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
10184 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
10185 if (!continue_dissection) return offset;
10186 }
10187
10188 return offset;
10189 }
10190
10191 static int
10192 dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
10193 {
10194 uint16_t buffer_code;
10195
10196 /* buffer code */
10197 buffer_code = tvb_get_letohs(tvb, offset);
10198 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
10199
10200 if (buffer_code == OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE) {
10201 /* OPLOCK Break */
10202
10203 /* oplock */
10204 offset = dissect_smb2_oplock(tree, tvb, offset);
10205
10206 /* reserved */
10207 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
10208 offset += 1;
10209
10210 /* reserved */
10211 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
10212 offset += 4;
10213
10214 /* fid */
10215 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
10216
10217 return offset;
10218 }
10219
10220 if (buffer_code == OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE) {
10221 /* Lease Break Acknowledgment */
10222
10223 /* reserved */
10224 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
10225 offset +=2;
10226
10227 /* lease flags */
10228 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
10229 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
10230 offset += 4;
10231
10232 /* lease key */
10233 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
10234 offset += 16;
10235
10236 /* lease state */
10237 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
10238 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
10239 offset += 4;
10240
10241 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
10242 offset += 8;
10243
10244 return offset;
10245 }
10246
10247 return offset;
10248 }
10249
10250 static int
10251 dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
10252 {
10253 uint16_t buffer_code;
10254 bool continue_dissection;
10255
10256 /* buffer code */
10257 buffer_code = tvb_get_letohs(tvb, offset);
10258 switch (si->status) {
10259 case 0x00000000: offset = dissect_smb2_buffercode(tree, tvb, offset, NULL); break;
10260 default: offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
10261 if (!continue_dissection) return offset;
10262 }
10263
10264 if (buffer_code == OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE) {
10265 /* OPLOCK Break Notification */
10266
10267 /* oplock */
10268 offset = dissect_smb2_oplock(tree, tvb, offset);
10269
10270 /* reserved */
10271 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
10272 offset += 1;
10273
10274 /* reserved */
10275 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
10276 offset += 4;
10277
10278 /* fid */
10279 offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
10280
10281 /* in break requests from server to client here're 24 byte zero bytes
10282 * which are likely a bug in windows (they may use 2* 24 bytes instead of just
10283 * 1 *24 bytes
10284 */
10285 return offset;
10286 }
10287
10288 if (buffer_code == OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE) {
10289 proto_item *item;
10290
10291 /* Lease Break Notification */
10292
10293 /* new lease epoch */
10294 proto_tree_add_item(tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
10295 offset += 2;
10296
10297 /* lease flags */
10298 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
10299 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
10300 offset += 4;
10301
10302 /* lease key */
10303 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
10304 offset += 16;
10305
10306 /* current lease state */
10307 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
10308 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
10309 if (item) {
10310 proto_item_prepend_text(item, "Current ");
10311 }
10312 offset += 4;
10313
10314 /* new lease state */
10315 item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
10316 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
10317 if (item) {
10318 proto_item_prepend_text(item, "New ");
10319 }
10320 offset += 4;
10321
10322 /* break reason - reserved */
10323 proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10324 offset += 4;
10325
10326 /* access mask hint - reserved */
10327 proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10328 offset += 4;
10329
10330 /* share mask hint - reserved */
10331 proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
10332 offset += 4;
10333
10334 return offset;
10335 }
10336
10337 if (buffer_code == OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE) {
10338 /* Lease Break Response */
10339
10340 /* reserved */
10341 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
10342 offset +=2;
10343
10344 /* lease flags */
10345 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
10346 ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
10347 offset += 4;
10348
10349 /* lease key */
10350 proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
10351 offset += 16;
10352
10353 /* lease state */
10354 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
10355 ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
10356 offset += 4;
10357
10358 proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
10359 offset += 8;
10360
10361 return offset;
10362 }
10363
10364 return offset;
10365 }
10366
10367 static int
10368 dissect_smb2_notify_session_closed(tvbuff_t *tvb, proto_tree *parent_tree, packet_info *pinfo _U_, int offset, smb2_info_t *si _U_)
10369 {
10370 proto_tree *sub_tree;
10371
10372 sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_server_notification, NULL, "Notification");
10373
10374 /* reserved */
10375 proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
10376 offset += 4;
10377
10378 return offset;
10379 }
10380
10381 static int
10382 dissect_smb2_server_to_client_notification(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
10383 {
10384 uint32_t notification_type;
10385
10386 offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
10387
10388 /* reserved */
10389 proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
10390 offset += 2;
10391
10392 /* notification type */
10393 proto_tree_add_item_ret_uint(tree, hf_smb2_notification_type, tvb, offset, 4, ENC_NA, &notification_type);
10394 offset += 4;
10395
10396 switch(notification_type) {
10397 case NOTIFY_SESSION_CLOSED:
10398 default:
10399 offset = dissect_smb2_notify_session_closed(tvb, tree, pinfo, offset, si);
10400 break;
10401 }
10402
10403 return offset;
10404 }
10405
10406 /* names here are just until we find better names for these functions */
10407 static const value_string smb2_cmd_vals[] = {
10408 { 0x00, "Negotiate Protocol" },
10409 { 0x01, "Session Setup" },
10410 { 0x02, "Session Logoff" },
10411 { 0x03, "Tree Connect" },
10412 { 0x04, "Tree Disconnect" },
10413 { 0x05, "Create" },
10414 { 0x06, "Close" },
10415 { 0x07, "Flush" },
10416 { 0x08, "Read" },
10417 { 0x09, "Write" },
10418 { 0x0A, "Lock" },
10419 { 0x0B, "Ioctl" },
10420 { 0x0C, "Cancel" },
10421 { 0x0D, "KeepAlive" },
10422 { 0x0E, "Find" },
10423 { 0x0F, "Notify" },
10424 { 0x10, "GetInfo" },
10425 { 0x11, "SetInfo" },
10426 { 0x12, "Break" },
10427 { 0x13, "Server notification" },
10428 { 0x14, "unknown-0x14" },
10429 { 0x15, "unknown-0x15" },
10430 { 0x16, "unknown-0x16" },
10431 { 0x17, "unknown-0x17" },
10432 { 0x18, "unknown-0x18" },
10433 { 0x19, "unknown-0x19" },
10434 { 0x1A, "unknown-0x1A" },
10435 { 0x1B, "unknown-0x1B" },
10436 { 0x1C, "unknown-0x1C" },
10437 { 0x1D, "unknown-0x1D" },
10438 { 0x1E, "unknown-0x1E" },
10439 { 0x1F, "unknown-0x1F" },
10440 { 0x20, "unknown-0x20" },
10441 { 0x21, "unknown-0x21" },
10442 { 0x22, "unknown-0x22" },
10443 { 0x23, "unknown-0x23" },
10444 { 0x24, "unknown-0x24" },
10445 { 0x25, "unknown-0x25" },
10446 { 0x26, "unknown-0x26" },
10447 { 0x27, "unknown-0x27" },
10448 { 0x28, "unknown-0x28" },
10449 { 0x29, "unknown-0x29" },
10450 { 0x2A, "unknown-0x2A" },
10451 { 0x2B, "unknown-0x2B" },
10452 { 0x2C, "unknown-0x2C" },
10453 { 0x2D, "unknown-0x2D" },
10454 { 0x2E, "unknown-0x2E" },
10455 { 0x2F, "unknown-0x2F" },
10456 { 0x30, "unknown-0x30" },
10457 { 0x31, "unknown-0x31" },
10458 { 0x32, "unknown-0x32" },
10459 { 0x33, "unknown-0x33" },
10460 { 0x34, "unknown-0x34" },
10461 { 0x35, "unknown-0x35" },
10462 { 0x36, "unknown-0x36" },
10463 { 0x37, "unknown-0x37" },
10464 { 0x38, "unknown-0x38" },
10465 { 0x39, "unknown-0x39" },
10466 { 0x3A, "unknown-0x3A" },
10467 { 0x3B, "unknown-0x3B" },
10468 { 0x3C, "unknown-0x3C" },
10469 { 0x3D, "unknown-0x3D" },
10470 { 0x3E, "unknown-0x3E" },
10471 { 0x3F, "unknown-0x3F" },
10472 { 0x40, "unknown-0x40" },
10473 { 0x41, "unknown-0x41" },
10474 { 0x42, "unknown-0x42" },
10475 { 0x43, "unknown-0x43" },
10476 { 0x44, "unknown-0x44" },
10477 { 0x45, "unknown-0x45" },
10478 { 0x46, "unknown-0x46" },
10479 { 0x47, "unknown-0x47" },
10480 { 0x48, "unknown-0x48" },
10481 { 0x49, "unknown-0x49" },
10482 { 0x4A, "unknown-0x4A" },
10483 { 0x4B, "unknown-0x4B" },
10484 { 0x4C, "unknown-0x4C" },
10485 { 0x4D, "unknown-0x4D" },
10486 { 0x4E, "unknown-0x4E" },
10487 { 0x4F, "unknown-0x4F" },
10488 { 0x50, "unknown-0x50" },
10489 { 0x51, "unknown-0x51" },
10490 { 0x52, "unknown-0x52" },
10491 { 0x53, "unknown-0x53" },
10492 { 0x54, "unknown-0x54" },
10493 { 0x55, "unknown-0x55" },
10494 { 0x56, "unknown-0x56" },
10495 { 0x57, "unknown-0x57" },
10496 { 0x58, "unknown-0x58" },
10497 { 0x59, "unknown-0x59" },
10498 { 0x5A, "unknown-0x5A" },
10499 { 0x5B, "unknown-0x5B" },
10500 { 0x5C, "unknown-0x5C" },
10501 { 0x5D, "unknown-0x5D" },
10502 { 0x5E, "unknown-0x5E" },
10503 { 0x5F, "unknown-0x5F" },
10504 { 0x60, "unknown-0x60" },
10505 { 0x61, "unknown-0x61" },
10506 { 0x62, "unknown-0x62" },
10507 { 0x63, "unknown-0x63" },
10508 { 0x64, "unknown-0x64" },
10509 { 0x65, "unknown-0x65" },
10510 { 0x66, "unknown-0x66" },
10511 { 0x67, "unknown-0x67" },
10512 { 0x68, "unknown-0x68" },
10513 { 0x69, "unknown-0x69" },
10514 { 0x6A, "unknown-0x6A" },
10515 { 0x6B, "unknown-0x6B" },
10516 { 0x6C, "unknown-0x6C" },
10517 { 0x6D, "unknown-0x6D" },
10518 { 0x6E, "unknown-0x6E" },
10519 { 0x6F, "unknown-0x6F" },
10520 { 0x70, "unknown-0x70" },
10521 { 0x71, "unknown-0x71" },
10522 { 0x72, "unknown-0x72" },
10523 { 0x73, "unknown-0x73" },
10524 { 0x74, "unknown-0x74" },
10525 { 0x75, "unknown-0x75" },
10526 { 0x76, "unknown-0x76" },
10527 { 0x77, "unknown-0x77" },
10528 { 0x78, "unknown-0x78" },
10529 { 0x79, "unknown-0x79" },
10530 { 0x7A, "unknown-0x7A" },
10531 { 0x7B, "unknown-0x7B" },
10532 { 0x7C, "unknown-0x7C" },
10533 { 0x7D, "unknown-0x7D" },
10534 { 0x7E, "unknown-0x7E" },
10535 { 0x7F, "unknown-0x7F" },
10536 { 0x80, "unknown-0x80" },
10537 { 0x81, "unknown-0x81" },
10538 { 0x82, "unknown-0x82" },
10539 { 0x83, "unknown-0x83" },
10540 { 0x84, "unknown-0x84" },
10541 { 0x85, "unknown-0x85" },
10542 { 0x86, "unknown-0x86" },
10543 { 0x87, "unknown-0x87" },
10544 { 0x88, "unknown-0x88" },
10545 { 0x89, "unknown-0x89" },
10546 { 0x8A, "unknown-0x8A" },
10547 { 0x8B, "unknown-0x8B" },
10548 { 0x8C, "unknown-0x8C" },
10549 { 0x8D, "unknown-0x8D" },
10550 { 0x8E, "unknown-0x8E" },
10551 { 0x8F, "unknown-0x8F" },
10552 { 0x90, "unknown-0x90" },
10553 { 0x91, "unknown-0x91" },
10554 { 0x92, "unknown-0x92" },
10555 { 0x93, "unknown-0x93" },
10556 { 0x94, "unknown-0x94" },
10557 { 0x95, "unknown-0x95" },
10558 { 0x96, "unknown-0x96" },
10559 { 0x97, "unknown-0x97" },
10560 { 0x98, "unknown-0x98" },
10561 { 0x99, "unknown-0x99" },
10562 { 0x9A, "unknown-0x9A" },
10563 { 0x9B, "unknown-0x9B" },
10564 { 0x9C, "unknown-0x9C" },
10565 { 0x9D, "unknown-0x9D" },
10566 { 0x9E, "unknown-0x9E" },
10567 { 0x9F, "unknown-0x9F" },
10568 { 0xA0, "unknown-0xA0" },
10569 { 0xA1, "unknown-0xA1" },
10570 { 0xA2, "unknown-0xA2" },
10571 { 0xA3, "unknown-0xA3" },
10572 { 0xA4, "unknown-0xA4" },
10573 { 0xA5, "unknown-0xA5" },
10574 { 0xA6, "unknown-0xA6" },
10575 { 0xA7, "unknown-0xA7" },
10576 { 0xA8, "unknown-0xA8" },
10577 { 0xA9, "unknown-0xA9" },
10578 { 0xAA, "unknown-0xAA" },
10579 { 0xAB, "unknown-0xAB" },
10580 { 0xAC, "unknown-0xAC" },
10581 { 0xAD, "unknown-0xAD" },
10582 { 0xAE, "unknown-0xAE" },
10583 { 0xAF, "unknown-0xAF" },
10584 { 0xB0, "unknown-0xB0" },
10585 { 0xB1, "unknown-0xB1" },
10586 { 0xB2, "unknown-0xB2" },
10587 { 0xB3, "unknown-0xB3" },
10588 { 0xB4, "unknown-0xB4" },
10589 { 0xB5, "unknown-0xB5" },
10590 { 0xB6, "unknown-0xB6" },
10591 { 0xB7, "unknown-0xB7" },
10592 { 0xB8, "unknown-0xB8" },
10593 { 0xB9, "unknown-0xB9" },
10594 { 0xBA, "unknown-0xBA" },
10595 { 0xBB, "unknown-0xBB" },
10596 { 0xBC, "unknown-0xBC" },
10597 { 0xBD, "unknown-0xBD" },
10598 { 0xBE, "unknown-0xBE" },
10599 { 0xBF, "unknown-0xBF" },
10600 { 0xC0, "unknown-0xC0" },
10601 { 0xC1, "unknown-0xC1" },
10602 { 0xC2, "unknown-0xC2" },
10603 { 0xC3, "unknown-0xC3" },
10604 { 0xC4, "unknown-0xC4" },
10605 { 0xC5, "unknown-0xC5" },
10606 { 0xC6, "unknown-0xC6" },
10607 { 0xC7, "unknown-0xC7" },
10608 { 0xC8, "unknown-0xC8" },
10609 { 0xC9, "unknown-0xC9" },
10610 { 0xCA, "unknown-0xCA" },
10611 { 0xCB, "unknown-0xCB" },
10612 { 0xCC, "unknown-0xCC" },
10613 { 0xCD, "unknown-0xCD" },
10614 { 0xCE, "unknown-0xCE" },
10615 { 0xCF, "unknown-0xCF" },
10616 { 0xD0, "unknown-0xD0" },
10617 { 0xD1, "unknown-0xD1" },
10618 { 0xD2, "unknown-0xD2" },
10619 { 0xD3, "unknown-0xD3" },
10620 { 0xD4, "unknown-0xD4" },
10621 { 0xD5, "unknown-0xD5" },
10622 { 0xD6, "unknown-0xD6" },
10623 { 0xD7, "unknown-0xD7" },
10624 { 0xD8, "unknown-0xD8" },
10625 { 0xD9, "unknown-0xD9" },
10626 { 0xDA, "unknown-0xDA" },
10627 { 0xDB, "unknown-0xDB" },
10628 { 0xDC, "unknown-0xDC" },
10629 { 0xDD, "unknown-0xDD" },
10630 { 0xDE, "unknown-0xDE" },
10631 { 0xDF, "unknown-0xDF" },
10632 { 0xE0, "unknown-0xE0" },
10633 { 0xE1, "unknown-0xE1" },
10634 { 0xE2, "unknown-0xE2" },
10635 { 0xE3, "unknown-0xE3" },
10636 { 0xE4, "unknown-0xE4" },
10637 { 0xE5, "unknown-0xE5" },
10638 { 0xE6, "unknown-0xE6" },
10639 { 0xE7, "unknown-0xE7" },
10640 { 0xE8, "unknown-0xE8" },
10641 { 0xE9, "unknown-0xE9" },
10642 { 0xEA, "unknown-0xEA" },
10643 { 0xEB, "unknown-0xEB" },
10644 { 0xEC, "unknown-0xEC" },
10645 { 0xED, "unknown-0xED" },
10646 { 0xEE, "unknown-0xEE" },
10647 { 0xEF, "unknown-0xEF" },
10648 { 0xF0, "unknown-0xF0" },
10649 { 0xF1, "unknown-0xF1" },
10650 { 0xF2, "unknown-0xF2" },
10651 { 0xF3, "unknown-0xF3" },
10652 { 0xF4, "unknown-0xF4" },
10653 { 0xF5, "unknown-0xF5" },
10654 { 0xF6, "unknown-0xF6" },
10655 { 0xF7, "unknown-0xF7" },
10656 { 0xF8, "unknown-0xF8" },
10657 { 0xF9, "unknown-0xF9" },
10658 { 0xFA, "unknown-0xFA" },
10659 { 0xFB, "unknown-0xFB" },
10660 { 0xFC, "unknown-0xFC" },
10661 { 0xFD, "unknown-0xFD" },
10662 { 0xFE, "unknown-0xFE" },
10663 { 0xFF, "unknown-0xFF" },
10664 { 0x00, NULL },
10665 };
10666 value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
10667
10668 static const char *decode_smb2_name(uint16_t cmd)
10669 {
10670 if (cmd > 0xFF) return "unknown";
10671 return smb2_cmd_vals[cmd & 0xFF].strptr;
10672 }
10673
10674 static const smb2_function smb2_dissector[256] = {
10675 /* 0x00 NegotiateProtocol*/
10676 {dissect_smb2_negotiate_protocol_request,
10677 dissect_smb2_negotiate_protocol_response},
10678 /* 0x01 SessionSetup*/
10679 {dissect_smb2_session_setup_request,
10680 dissect_smb2_session_setup_response},
10681 /* 0x02 SessionLogoff*/
10682 {dissect_smb2_sessionlogoff_request,
10683 dissect_smb2_sessionlogoff_response},
10684 /* 0x03 TreeConnect*/
10685 {dissect_smb2_tree_connect_request,
10686 dissect_smb2_tree_connect_response},
10687 /* 0x04 TreeDisconnect*/
10688 {dissect_smb2_tree_disconnect_request,
10689 dissect_smb2_tree_disconnect_response},
10690 /* 0x05 Create*/
10691 {dissect_smb2_create_request,
10692 dissect_smb2_create_response},
10693 /* 0x06 Close*/
10694 {dissect_smb2_close_request,
10695 dissect_smb2_close_response},
10696 /* 0x07 Flush*/
10697 {dissect_smb2_flush_request,
10698 dissect_smb2_flush_response},
10699 /* 0x08 Read*/
10700 {dissect_smb2_read_request,
10701 dissect_smb2_read_response},
10702 /* 0x09 Write*/
10703 {dissect_smb2_write_request,
10704 dissect_smb2_write_response},
10705 /* 0x0a Lock */
10706 {dissect_smb2_lock_request,
10707 dissect_smb2_lock_response},
10708 /* 0x0b Ioctl*/
10709 {dissect_smb2_ioctl_request,
10710 dissect_smb2_ioctl_response},
10711 /* 0x0c Cancel*/
10712 {dissect_smb2_cancel_request,
10713 NULL},
10714 /* 0x0d KeepAlive*/
10715 {dissect_smb2_keepalive_request,
10716 dissect_smb2_keepalive_response},
10717 /* 0x0e Find*/
10718 {dissect_smb2_find_request,
10719 dissect_smb2_find_response},
10720 /* 0x0f Notify*/
10721 {dissect_smb2_notify_request,
10722 dissect_smb2_notify_response},
10723 /* 0x10 GetInfo*/
10724 {dissect_smb2_getinfo_request,
10725 dissect_smb2_getinfo_response},
10726 /* 0x11 SetInfo*/
10727 {dissect_smb2_setinfo_request,
10728 dissect_smb2_setinfo_response},
10729 /* 0x12 Break */
10730 {dissect_smb2_break_request,
10731 dissect_smb2_break_response},
10732 /* 0x13 Server to client notification */
10733 {NULL,
10734 dissect_smb2_server_to_client_notification},
10735 /* 0x14 */ {NULL, NULL},
10736 /* 0x15 */ {NULL, NULL},
10737 /* 0x16 */ {NULL, NULL},
10738 /* 0x17 */ {NULL, NULL},
10739 /* 0x18 */ {NULL, NULL},
10740 /* 0x19 */ {NULL, NULL},
10741 /* 0x1a */ {NULL, NULL},
10742 /* 0x1b */ {NULL, NULL},
10743 /* 0x1c */ {NULL, NULL},
10744 /* 0x1d */ {NULL, NULL},
10745 /* 0x1e */ {NULL, NULL},
10746 /* 0x1f */ {NULL, NULL},
10747 /* 0x20 */ {NULL, NULL},
10748 /* 0x21 */ {NULL, NULL},
10749 /* 0x22 */ {NULL, NULL},
10750 /* 0x23 */ {NULL, NULL},
10751 /* 0x24 */ {NULL, NULL},
10752 /* 0x25 */ {NULL, NULL},
10753 /* 0x26 */ {NULL, NULL},
10754 /* 0x27 */ {NULL, NULL},
10755 /* 0x28 */ {NULL, NULL},
10756 /* 0x29 */ {NULL, NULL},
10757 /* 0x2a */ {NULL, NULL},
10758 /* 0x2b */ {NULL, NULL},
10759 /* 0x2c */ {NULL, NULL},
10760 /* 0x2d */ {NULL, NULL},
10761 /* 0x2e */ {NULL, NULL},
10762 /* 0x2f */ {NULL, NULL},
10763 /* 0x30 */ {NULL, NULL},
10764 /* 0x31 */ {NULL, NULL},
10765 /* 0x32 */ {NULL, NULL},
10766 /* 0x33 */ {NULL, NULL},
10767 /* 0x34 */ {NULL, NULL},
10768 /* 0x35 */ {NULL, NULL},
10769 /* 0x36 */ {NULL, NULL},
10770 /* 0x37 */ {NULL, NULL},
10771 /* 0x38 */ {NULL, NULL},
10772 /* 0x39 */ {NULL, NULL},
10773 /* 0x3a */ {NULL, NULL},
10774 /* 0x3b */ {NULL, NULL},
10775 /* 0x3c */ {NULL, NULL},
10776 /* 0x3d */ {NULL, NULL},
10777 /* 0x3e */ {NULL, NULL},
10778 /* 0x3f */ {NULL, NULL},
10779 /* 0x40 */ {NULL, NULL},
10780 /* 0x41 */ {NULL, NULL},
10781 /* 0x42 */ {NULL, NULL},
10782 /* 0x43 */ {NULL, NULL},
10783 /* 0x44 */ {NULL, NULL},
10784 /* 0x45 */ {NULL, NULL},
10785 /* 0x46 */ {NULL, NULL},
10786 /* 0x47 */ {NULL, NULL},
10787 /* 0x48 */ {NULL, NULL},
10788 /* 0x49 */ {NULL, NULL},
10789 /* 0x4a */ {NULL, NULL},
10790 /* 0x4b */ {NULL, NULL},
10791 /* 0x4c */ {NULL, NULL},
10792 /* 0x4d */ {NULL, NULL},
10793 /* 0x4e */ {NULL, NULL},
10794 /* 0x4f */ {NULL, NULL},
10795 /* 0x50 */ {NULL, NULL},
10796 /* 0x51 */ {NULL, NULL},
10797 /* 0x52 */ {NULL, NULL},
10798 /* 0x53 */ {NULL, NULL},
10799 /* 0x54 */ {NULL, NULL},
10800 /* 0x55 */ {NULL, NULL},
10801 /* 0x56 */ {NULL, NULL},
10802 /* 0x57 */ {NULL, NULL},
10803 /* 0x58 */ {NULL, NULL},
10804 /* 0x59 */ {NULL, NULL},
10805 /* 0x5a */ {NULL, NULL},
10806 /* 0x5b */ {NULL, NULL},
10807 /* 0x5c */ {NULL, NULL},
10808 /* 0x5d */ {NULL, NULL},
10809 /* 0x5e */ {NULL, NULL},
10810 /* 0x5f */ {NULL, NULL},
10811 /* 0x60 */ {NULL, NULL},
10812 /* 0x61 */ {NULL, NULL},
10813 /* 0x62 */ {NULL, NULL},
10814 /* 0x63 */ {NULL, NULL},
10815 /* 0x64 */ {NULL, NULL},
10816 /* 0x65 */ {NULL, NULL},
10817 /* 0x66 */ {NULL, NULL},
10818 /* 0x67 */ {NULL, NULL},
10819 /* 0x68 */ {NULL, NULL},
10820 /* 0x69 */ {NULL, NULL},
10821 /* 0x6a */ {NULL, NULL},
10822 /* 0x6b */ {NULL, NULL},
10823 /* 0x6c */ {NULL, NULL},
10824 /* 0x6d */ {NULL, NULL},
10825 /* 0x6e */ {NULL, NULL},
10826 /* 0x6f */ {NULL, NULL},
10827 /* 0x70 */ {NULL, NULL},
10828 /* 0x71 */ {NULL, NULL},
10829 /* 0x72 */ {NULL, NULL},
10830 /* 0x73 */ {NULL, NULL},
10831 /* 0x74 */ {NULL, NULL},
10832 /* 0x75 */ {NULL, NULL},
10833 /* 0x76 */ {NULL, NULL},
10834 /* 0x77 */ {NULL, NULL},
10835 /* 0x78 */ {NULL, NULL},
10836 /* 0x79 */ {NULL, NULL},
10837 /* 0x7a */ {NULL, NULL},
10838 /* 0x7b */ {NULL, NULL},
10839 /* 0x7c */ {NULL, NULL},
10840 /* 0x7d */ {NULL, NULL},
10841 /* 0x7e */ {NULL, NULL},
10842 /* 0x7f */ {NULL, NULL},
10843 /* 0x80 */ {NULL, NULL},
10844 /* 0x81 */ {NULL, NULL},
10845 /* 0x82 */ {NULL, NULL},
10846 /* 0x83 */ {NULL, NULL},
10847 /* 0x84 */ {NULL, NULL},
10848 /* 0x85 */ {NULL, NULL},
10849 /* 0x86 */ {NULL, NULL},
10850 /* 0x87 */ {NULL, NULL},
10851 /* 0x88 */ {NULL, NULL},
10852 /* 0x89 */ {NULL, NULL},
10853 /* 0x8a */ {NULL, NULL},
10854 /* 0x8b */ {NULL, NULL},
10855 /* 0x8c */ {NULL, NULL},
10856 /* 0x8d */ {NULL, NULL},
10857 /* 0x8e */ {NULL, NULL},
10858 /* 0x8f */ {NULL, NULL},
10859 /* 0x90 */ {NULL, NULL},
10860 /* 0x91 */ {NULL, NULL},
10861 /* 0x92 */ {NULL, NULL},
10862 /* 0x93 */ {NULL, NULL},
10863 /* 0x94 */ {NULL, NULL},
10864 /* 0x95 */ {NULL, NULL},
10865 /* 0x96 */ {NULL, NULL},
10866 /* 0x97 */ {NULL, NULL},
10867 /* 0x98 */ {NULL, NULL},
10868 /* 0x99 */ {NULL, NULL},
10869 /* 0x9a */ {NULL, NULL},
10870 /* 0x9b */ {NULL, NULL},
10871 /* 0x9c */ {NULL, NULL},
10872 /* 0x9d */ {NULL, NULL},
10873 /* 0x9e */ {NULL, NULL},
10874 /* 0x9f */ {NULL, NULL},
10875 /* 0xa0 */ {NULL, NULL},
10876 /* 0xa1 */ {NULL, NULL},
10877 /* 0xa2 */ {NULL, NULL},
10878 /* 0xa3 */ {NULL, NULL},
10879 /* 0xa4 */ {NULL, NULL},
10880 /* 0xa5 */ {NULL, NULL},
10881 /* 0xa6 */ {NULL, NULL},
10882 /* 0xa7 */ {NULL, NULL},
10883 /* 0xa8 */ {NULL, NULL},
10884 /* 0xa9 */ {NULL, NULL},
10885 /* 0xaa */ {NULL, NULL},
10886 /* 0xab */ {NULL, NULL},
10887 /* 0xac */ {NULL, NULL},
10888 /* 0xad */ {NULL, NULL},
10889 /* 0xae */ {NULL, NULL},
10890 /* 0xaf */ {NULL, NULL},
10891 /* 0xb0 */ {NULL, NULL},
10892 /* 0xb1 */ {NULL, NULL},
10893 /* 0xb2 */ {NULL, NULL},
10894 /* 0xb3 */ {NULL, NULL},
10895 /* 0xb4 */ {NULL, NULL},
10896 /* 0xb5 */ {NULL, NULL},
10897 /* 0xb6 */ {NULL, NULL},
10898 /* 0xb7 */ {NULL, NULL},
10899 /* 0xb8 */ {NULL, NULL},
10900 /* 0xb9 */ {NULL, NULL},
10901 /* 0xba */ {NULL, NULL},
10902 /* 0xbb */ {NULL, NULL},
10903 /* 0xbc */ {NULL, NULL},
10904 /* 0xbd */ {NULL, NULL},
10905 /* 0xbe */ {NULL, NULL},
10906 /* 0xbf */ {NULL, NULL},
10907 /* 0xc0 */ {NULL, NULL},
10908 /* 0xc1 */ {NULL, NULL},
10909 /* 0xc2 */ {NULL, NULL},
10910 /* 0xc3 */ {NULL, NULL},
10911 /* 0xc4 */ {NULL, NULL},
10912 /* 0xc5 */ {NULL, NULL},
10913 /* 0xc6 */ {NULL, NULL},
10914 /* 0xc7 */ {NULL, NULL},
10915 /* 0xc8 */ {NULL, NULL},
10916 /* 0xc9 */ {NULL, NULL},
10917 /* 0xca */ {NULL, NULL},
10918 /* 0xcb */ {NULL, NULL},
10919 /* 0xcc */ {NULL, NULL},
10920 /* 0xcd */ {NULL, NULL},
10921 /* 0xce */ {NULL, NULL},
10922 /* 0xcf */ {NULL, NULL},
10923 /* 0xd0 */ {NULL, NULL},
10924 /* 0xd1 */ {NULL, NULL},
10925 /* 0xd2 */ {NULL, NULL},
10926 /* 0xd3 */ {NULL, NULL},
10927 /* 0xd4 */ {NULL, NULL},
10928 /* 0xd5 */ {NULL, NULL},
10929 /* 0xd6 */ {NULL, NULL},
10930 /* 0xd7 */ {NULL, NULL},
10931 /* 0xd8 */ {NULL, NULL},
10932 /* 0xd9 */ {NULL, NULL},
10933 /* 0xda */ {NULL, NULL},
10934 /* 0xdb */ {NULL, NULL},
10935 /* 0xdc */ {NULL, NULL},
10936 /* 0xdd */ {NULL, NULL},
10937 /* 0xde */ {NULL, NULL},
10938 /* 0xdf */ {NULL, NULL},
10939 /* 0xe0 */ {NULL, NULL},
10940 /* 0xe1 */ {NULL, NULL},
10941 /* 0xe2 */ {NULL, NULL},
10942 /* 0xe3 */ {NULL, NULL},
10943 /* 0xe4 */ {NULL, NULL},
10944 /* 0xe5 */ {NULL, NULL},
10945 /* 0xe6 */ {NULL, NULL},
10946 /* 0xe7 */ {NULL, NULL},
10947 /* 0xe8 */ {NULL, NULL},
10948 /* 0xe9 */ {NULL, NULL},
10949 /* 0xea */ {NULL, NULL},
10950 /* 0xeb */ {NULL, NULL},
10951 /* 0xec */ {NULL, NULL},
10952 /* 0xed */ {NULL, NULL},
10953 /* 0xee */ {NULL, NULL},
10954 /* 0xef */ {NULL, NULL},
10955 /* 0xf0 */ {NULL, NULL},
10956 /* 0xf1 */ {NULL, NULL},
10957 /* 0xf2 */ {NULL, NULL},
10958 /* 0xf3 */ {NULL, NULL},
10959 /* 0xf4 */ {NULL, NULL},
10960 /* 0xf5 */ {NULL, NULL},
10961 /* 0xf6 */ {NULL, NULL},
10962 /* 0xf7 */ {NULL, NULL},
10963 /* 0xf8 */ {NULL, NULL},
10964 /* 0xf9 */ {NULL, NULL},
10965 /* 0xfa */ {NULL, NULL},
10966 /* 0xfb */ {NULL, NULL},
10967 /* 0xfc */ {NULL, NULL},
10968 /* 0xfd */ {NULL, NULL},
10969 /* 0xfe */ {NULL, NULL},
10970 /* 0xff */ {NULL, NULL},
10971 };
10972
10973
10974 #define SMB3_AES128CCM_NONCE 11
10975 #define SMB3_AES128GCM_NONCE 12
10976
10977 static bool is_decrypted_header_ok(uint8_t *p, size_t size)
10978 {
10979 if (size < 4)
10980 return false;
10981
10982 if ((p[0] == SMB2_COMP_HEADER || p[0] == SMB2_NORM_HEADER)
10983 && (p[1] == 'S' || p[2] == 'M' || p[3] == 'B')) {
10984 return true;
10985 }
10986
10987 ws_debug("decrypt: bad SMB header");
10988 return false;
10989 }
10990
10991 static bool
10992 do_decrypt(uint8_t *data,
10993 size_t data_size,
10994 const uint8_t *key,
10995 const uint8_t *aad,
10996 int aad_size,
10997 const uint8_t *nonce,
10998 int alg)
10999 {
11000 gcry_error_t err;
11001 gcry_cipher_hd_t cipher_hd = NULL;
11002 int algo;
11003 size_t keylen;
11004 int mode;
11005 int iv_size;
11006 uint64_t lengths[3];
11007
11008 switch (alg) {
11009 case SMB2_CIPHER_AES_128_CCM:
11010 algo = GCRY_CIPHER_AES128;
11011 keylen = AES_KEY_SIZE;
11012 mode = GCRY_CIPHER_MODE_CCM;
11013 iv_size = SMB3_AES128CCM_NONCE;
11014 break;
11015 case SMB2_CIPHER_AES_128_GCM:
11016 algo = GCRY_CIPHER_AES128;
11017 keylen = AES_KEY_SIZE;
11018 mode = GCRY_CIPHER_MODE_GCM;
11019 iv_size = SMB3_AES128GCM_NONCE;
11020 break;
11021 case SMB2_CIPHER_AES_256_CCM:
11022 algo = GCRY_CIPHER_AES256;
11023 keylen = AES_KEY_SIZE*2;
11024 mode = GCRY_CIPHER_MODE_CCM;
11025 iv_size = SMB3_AES128CCM_NONCE;
11026 break;
11027 case SMB2_CIPHER_AES_256_GCM:
11028 algo = GCRY_CIPHER_AES256;
11029 keylen = AES_KEY_SIZE*2;
11030 mode = GCRY_CIPHER_MODE_GCM;
11031 iv_size = SMB3_AES128GCM_NONCE;
11032 break;
11033 default:
11034 return false;
11035 }
11036
11037 /* Open the cipher */
11038 err = gcry_cipher_open(&cipher_hd, algo, mode, 0);
11039 if (err != GPG_ERR_NO_ERROR) {
11040 ws_debug("GCRY: open %s/%s", gcry_strsource(err), gcry_strerror(err));
11041 return false;
11042 }
11043
11044 /* Set the key */
11045 err = gcry_cipher_setkey(cipher_hd, key, keylen);
11046 if (err != GPG_ERR_NO_ERROR) {
11047 ws_debug("GCRY: setkey %s/%s", gcry_strsource(err), gcry_strerror(err));
11048 gcry_cipher_close(cipher_hd);
11049 return false;
11050 }
11051
11052 /* Set the initial value */
11053 err = gcry_cipher_setiv(cipher_hd, nonce, iv_size);
11054 if (err != GPG_ERR_NO_ERROR) {
11055 ws_debug("GCRY: setiv %s/%s", gcry_strsource(err), gcry_strerror(err));
11056 gcry_cipher_close(cipher_hd);
11057 return false;
11058 }
11059
11060 lengths[0] = data_size; /* encrypted length */
11061 lengths[1] = aad_size; /* AAD length */
11062 lengths[2] = 16; /* tag length (signature size) */
11063
11064 if (mode == GCRY_CIPHER_MODE_CCM) {
11065 err = gcry_cipher_ctl(cipher_hd, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
11066 if (err != GPG_ERR_NO_ERROR) {
11067 ws_debug("GCRY: ctl %s/%s", gcry_strsource(err), gcry_strerror(err));
11068 gcry_cipher_close(cipher_hd);
11069 return false;
11070 }
11071 }
11072
11073 err = gcry_cipher_authenticate(cipher_hd, aad, aad_size);
11074 if (err != GPG_ERR_NO_ERROR) {
11075 ws_debug("GCRY: auth %s/%s", gcry_strsource(err), gcry_strerror(err));
11076 gcry_cipher_close(cipher_hd);
11077 return false;
11078 }
11079
11080 err = gcry_cipher_decrypt(cipher_hd, data, data_size, NULL, 0);
11081 if (err != GPG_ERR_NO_ERROR) {
11082 ws_debug("GCRY: decrypt %s/%s", gcry_strsource(err), gcry_strerror(err));
11083 gcry_cipher_close(cipher_hd);
11084 return false;
11085 }
11086
11087 /* Done with the cipher */
11088 gcry_cipher_close(cipher_hd);
11089 return is_decrypted_header_ok(data, data_size);
11090 }
11091
11092 static uint8_t*
11093 decrypt_smb_payload(packet_info *pinfo,
11094 tvbuff_t *tvb, int offset,
11095 int offset_aad,
11096 smb2_transform_info_t *sti)
11097 {
11098 const uint8_t *aad = NULL;
11099 uint8_t *data = NULL;
11100 uint8_t *key16 = NULL;
11101 uint8_t *keys16[2];
11102 uint8_t *key32 = NULL;
11103 uint8_t *keys32[2];
11104 bool ok;
11105 int aad_size;
11106 int alg;
11107
11108 /* AAD is the rest of transform header after the ProtocolID and Signature */
11109 aad_size = 32;
11110
11111 if ((unsigned)tvb_captured_length_remaining(tvb, offset) < sti->size)
11112 return NULL;
11113
11114 if (tvb_captured_length_remaining(tvb, offset_aad) < aad_size)
11115 return NULL;
11116
11117 if (pinfo->destport == sti->session->server_port) {
11118 keys16[0] = sti->session->server_decryption_key16;
11119 keys16[1] = sti->session->client_decryption_key16;
11120 keys32[0] = sti->session->server_decryption_key32;
11121 keys32[1] = sti->session->client_decryption_key32;
11122 } else {
11123 keys16[1] = sti->session->server_decryption_key16;
11124 keys16[0] = sti->session->client_decryption_key16;
11125 keys32[1] = sti->session->server_decryption_key32;
11126 keys32[0] = sti->session->client_decryption_key32;
11127 }
11128
11129 aad = tvb_get_ptr(tvb, offset_aad, aad_size);
11130 data = (uint8_t *)tvb_memdup(pinfo->pool, tvb, offset, sti->size);
11131
11132 /*
11133 * In SMB3.0 the transform header had a Algorithm field to
11134 * know which type of encryption was used but only CCM was
11135 * supported.
11136 *
11137 * SMB3.1.1 turned that field into a generic "Encrypted" flag
11138 * which cannot be used to determine the encryption
11139 * type. Instead the type is decided in the NegProt response,
11140 * within the Encryption Capability context which should only
11141 * have one element. That element is saved in the conversation
11142 * struct (si->conv) and checked here.
11143 *
11144 * If the trace didn't contain NegProt packets, we have to
11145 * guess the encryption type by trying them all.
11146 *
11147 * Similarly, if we don't have unencrypted packets telling us
11148 * which host is the server and which host is the client, we
11149 * have to guess by trying both keys.
11150 */
11151
11152 ws_debug("dialect 0x%x alg 0x%x conv alg 0x%x", sti->conv->dialect, sti->flags, sti->conv->enc_alg);
11153
11154 for (unsigned i = 0; i < G_N_ELEMENTS(keys16); i++) {
11155 bool try_ccm16, try_gcm16;
11156 bool try_ccm32, try_gcm32;
11157 try_ccm16 = try_gcm16 = false;
11158 try_ccm32 = try_gcm32 = false;
11159 ok = false;
11160
11161 key16 = keys16[i];
11162 key32 = keys32[i];
11163
11164 switch (sti->conv->enc_alg) {
11165 case SMB2_CIPHER_AES_128_CCM:
11166 try_ccm16 = true;
11167 break;
11168 case SMB2_CIPHER_AES_128_GCM:
11169 try_gcm16 = true;
11170 break;
11171 case SMB2_CIPHER_AES_256_CCM:
11172 try_ccm32 = true;
11173 break;
11174 case SMB2_CIPHER_AES_256_GCM:
11175 try_gcm32 = true;
11176 break;
11177 default:
11178 /* we don't know, try all */
11179 try_gcm16 = true;
11180 try_ccm16 = true;
11181 try_gcm32 = true;
11182 try_ccm32 = true;
11183 }
11184
11185 if (try_gcm16) {
11186 uint8_t *key = key16;
11187 ws_debug("trying AES-128-GCM decryption");
11188 alg = SMB2_CIPHER_AES_128_GCM;
11189 tvb_memcpy(tvb, data, offset, sti->size);
11190 ok = do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
11191 if (ok)
11192 break;
11193 ws_debug("bad decrypted buffer with AES-128-GCM");
11194 }
11195 if (try_ccm16) {
11196 uint8_t *key = key16;
11197 ws_debug("trying AES-128-CCM decryption");
11198 alg = SMB2_CIPHER_AES_128_CCM;
11199 ok = do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
11200 if (ok)
11201 break;
11202 ws_debug("bad decrypted buffer with AES-128-CCM");
11203 }
11204 if (try_gcm32) {
11205 uint8_t *key = key32;
11206 ws_debug("trying AES-256-GCM decryption");
11207 alg = SMB2_CIPHER_AES_256_GCM;
11208 tvb_memcpy(tvb, data, offset, sti->size);
11209 ok = do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
11210 if (ok)
11211 break;
11212 ws_debug("bad decrypted buffer with AES-256-GCM");
11213 }
11214 if (try_ccm32) {
11215 uint8_t *key = key32;
11216 ws_debug("trying AES-256-CCM decryption");
11217 alg = SMB2_CIPHER_AES_256_CCM;
11218 ok = do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
11219 if (ok)
11220 break;
11221 ws_debug("bad decrypted buffer with AES-256-CCM");
11222 }
11223 ws_debug("trying to decrypt with swapped client/server keys");
11224 tvb_memcpy(tvb, data, offset, sti->size);
11225 }
11226
11227 if (!ok)
11228 return NULL;
11229
11230 /* Remember what worked */
11231 sti->conv->enc_alg = alg;
11232 if (key16 == sti->session->server_decryption_key16)
11233 sti->session->server_port = pinfo->destport;
11234 else
11235 sti->session->server_port = pinfo->srcport;
11236 return data;
11237 }
11238
11239 /*
11240 Append tvb[offset:offset+length] to out
11241 */
11242 static void
11243 append_uncompress_data(wmem_array_t *out, tvbuff_t *tvb, int offset, unsigned length)
11244 {
11245 const uint8_t *ptr = tvb_get_ptr(tvb, offset, length);
11246 if (ptr)
11247 wmem_array_append(out, tvb_get_ptr(tvb, offset, length), length);
11248 }
11249
11250 static int
11251 dissect_smb2_compression_pattern_v1(proto_tree *tree,
11252 tvbuff_t *tvb, int offset, int length,
11253 wmem_array_t *out)
11254 {
11255 proto_item *pat_item;
11256 proto_tree *pat_tree;
11257 unsigned pattern, times;
11258
11259 pat_tree = proto_tree_add_subtree_format(tree, tvb, offset, length,
11260 ett_smb2_comp_pattern_v1, &pat_item,
11261 "Pattern");
11262
11263 proto_tree_add_item_ret_uint(pat_tree, hf_smb2_comp_pattern_v1_pattern, tvb, offset, 1, ENC_LITTLE_ENDIAN, &pattern);
11264 offset += 1;
11265
11266 proto_tree_add_item(pat_tree, hf_smb2_comp_pattern_v1_reserved1, tvb, offset, 1, ENC_LITTLE_ENDIAN);
11267 offset += 1;
11268
11269 proto_tree_add_item(pat_tree, hf_smb2_comp_pattern_v1_reserved2, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11270 offset += 2;
11271
11272 proto_tree_add_item_ret_uint(pat_tree, hf_smb2_comp_pattern_v1_repetitions, tvb, offset, 4, ENC_LITTLE_ENDIAN, &times);
11273 offset += 4;
11274
11275 proto_item_append_text(pat_item, " 0x%02x repeated %u times", pattern, times);
11276
11277 if (out && times < MAX_UNCOMPRESSED_SIZE) {
11278 uint8_t v = (uint8_t)pattern;
11279
11280 for (unsigned i = 0; i < times; i++)
11281 wmem_array_append(out, &v, 1);
11282 }
11283
11284 return offset;
11285 }
11286
11287 static int
11288 dissect_smb2_chained_comp_payload(packet_info *pinfo, proto_tree *tree,
11289 tvbuff_t *tvb, int offset,
11290 wmem_array_t *out,
11291 bool *ok)
11292 {
11293 proto_tree *subtree;
11294 proto_item *subitem;
11295 unsigned alg, length, flags, orig_size = 0;
11296 tvbuff_t *uncomp_tvb = NULL;
11297 bool lz_based = false;
11298
11299 *ok = true;
11300
11301 subtree = proto_tree_add_subtree_format(tree, tvb, offset, 0, ett_smb2_comp_payload, &subitem, "COMPRESSION_PAYLOAD_HEADER");
11302 proto_tree_add_item_ret_uint(subtree, hf_smb2_comp_transform_comp_alg, tvb, offset, 2, ENC_LITTLE_ENDIAN, &alg);
11303 offset += 2;
11304
11305 proto_tree_add_item_ret_uint(subtree, hf_smb2_comp_transform_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN, &flags);
11306 offset += 2;
11307
11308 proto_tree_add_item_ret_uint(subtree, hf_smb2_comp_transform_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
11309 offset += 4;
11310
11311 proto_item_set_len(subitem, length);
11312
11313 lz_based = (SMB2_COMP_ALG_LZNT1 <= alg && alg <= SMB2_COMP_ALG_LZ77HUFF);
11314 if (lz_based) {
11315 proto_tree_add_item_ret_uint(subtree, hf_smb2_comp_transform_orig_payload_size,
11316 tvb, offset, 4, ENC_LITTLE_ENDIAN, &orig_size);
11317 offset += 4;
11318 length -= 4;
11319 }
11320
11321 if (length > MAX_UNCOMPRESSED_SIZE) {
11322 /* decompression error */
11323 col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (invalid)");
11324 *ok = false;
11325 goto out;
11326 }
11327
11328 switch (alg) {
11329 case SMB2_COMP_ALG_NONE:
11330 append_uncompress_data(out, tvb, offset, length);
11331 break;
11332 case SMB2_COMP_ALG_LZ77:
11333 uncomp_tvb = tvb_uncompress_lz77(tvb, offset, length);
11334 break;
11335 case SMB2_COMP_ALG_LZ77HUFF:
11336 uncomp_tvb = tvb_uncompress_lz77huff(tvb, offset, length);
11337 break;
11338 case SMB2_COMP_ALG_LZNT1:
11339 uncomp_tvb = tvb_uncompress_lznt1(tvb, offset, length);
11340 break;
11341 case SMB2_COMP_ALG_PATTERN_V1:
11342 dissect_smb2_compression_pattern_v1(subtree, tvb, offset, length, out);
11343 break;
11344 default:
11345 col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (unknown)");
11346 uncomp_tvb = NULL;
11347 break;
11348 }
11349
11350 if (lz_based) {
11351 if (!uncomp_tvb || tvb_reported_length(uncomp_tvb) != orig_size) {
11352 /* decompression error */
11353 col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (invalid)");
11354 *ok = false;
11355 goto out;
11356 }
11357 append_uncompress_data(out, uncomp_tvb, 0, tvb_reported_length(uncomp_tvb));
11358 }
11359
11360 out:
11361 if (uncomp_tvb)
11362 tvb_free(uncomp_tvb);
11363 proto_tree_add_item(subtree, hf_smb2_comp_transform_data, tvb, offset, length, ENC_NA);
11364 offset += length;
11365
11366 return offset;
11367 }
11368
11369 static int
11370 dissect_smb2_comp_transform_header(packet_info *pinfo, proto_tree *tree,
11371 tvbuff_t *tvb, int offset,
11372 smb2_comp_transform_info_t *scti,
11373 tvbuff_t **comp_tvb,
11374 tvbuff_t **plain_tvb)
11375 {
11376 int in_size;
11377 tvbuff_t *uncomp_tvb = NULL;
11378 unsigned flags;
11379 wmem_array_t *uncomp_data;
11380
11381 *comp_tvb = NULL;
11382 *plain_tvb = NULL;
11383
11384 /*
11385 "old" compressed method:
11386
11387 [COMPRESS_TRANSFORM_HEADER with Flags=0]
11388 [OPTIONAL UNCOMPRESSED DATA]
11389 [COMPRESSED DATA]
11390
11391 new "chained" compressed method:
11392
11393 [fist 8 bytes of COMPRESS_TRANSFORM_HEADER with Flags=CHAINED]
11394 [ sequence of
11395 [ COMPRESSION_PAYLOAD_HEADER ]
11396 [ COMPRESSED PAYLOAD ]
11397 ]
11398 */
11399
11400 /* SMB2_COMPRESSION_TRANSFORM marker */
11401 proto_tree_add_item(tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
11402 offset += 4;
11403
11404 proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_orig_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &scti->orig_size);
11405 offset += 4;
11406
11407 uncomp_data = wmem_array_sized_new(pinfo->pool, 1, 1024);
11408
11409 flags = tvb_get_letohs(tvb, offset+2);
11410 if (flags & SMB2_COMP_FLAG_CHAINED) {
11411 bool all_ok = true;
11412
11413 *comp_tvb = tvb_new_subset_length(tvb, offset, tvb_reported_length_remaining(tvb, offset));
11414 do {
11415 bool ok = false;
11416
11417 offset = dissect_smb2_chained_comp_payload(pinfo, tree, tvb, offset, uncomp_data, &ok);
11418 if (!ok)
11419 all_ok = false;
11420 } while (tvb_reported_length_remaining(tvb, offset) > 8);
11421 if (all_ok)
11422 goto decompression_ok;
11423 else
11424 goto out;
11425
11426 }
11427
11428 proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_comp_alg, tvb, offset, 2, ENC_LITTLE_ENDIAN, &scti->alg);
11429 offset += 2;
11430
11431 proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN, &flags);
11432 offset += 2;
11433
11434 proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &scti->comp_offset);
11435 offset += 4;
11436
11437 *comp_tvb = tvb_new_subset_length(tvb, offset, tvb_reported_length_remaining(tvb, offset));
11438
11439 if (scti->orig_size > MAX_UNCOMPRESSED_SIZE || scti->comp_offset > MAX_UNCOMPRESSED_SIZE) {
11440 col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (too big)");
11441 goto out;
11442 }
11443
11444 /*
11445 * final uncompressed size is the partial normal packet + uncompressed segment
11446 * final_size = scti->orig_size + scti->comp_offset
11447 */
11448
11449 append_uncompress_data(uncomp_data, tvb, offset, scti->comp_offset);
11450 in_size = tvb_reported_length_remaining(tvb, offset + scti->comp_offset);
11451
11452 /* decompress compressed segment */
11453 switch (scti->alg) {
11454 case SMB2_COMP_ALG_LZ77:
11455 uncomp_tvb = tvb_uncompress_lz77(tvb, offset + scti->comp_offset, in_size);
11456 break;
11457 case SMB2_COMP_ALG_LZ77HUFF:
11458 uncomp_tvb = tvb_uncompress_lz77huff(tvb, offset + scti->comp_offset, in_size);
11459 break;
11460 case SMB2_COMP_ALG_LZNT1:
11461 uncomp_tvb = tvb_uncompress_lznt1(tvb, offset + scti->comp_offset, in_size);
11462 break;
11463 default:
11464 col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (unknown)");
11465 uncomp_tvb = NULL;
11466 goto out;
11467 }
11468
11469 if (!uncomp_tvb || tvb_reported_length(uncomp_tvb) != scti->orig_size) {
11470 /* decompression error */
11471 col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (invalid)");
11472 goto out;
11473 }
11474
11475 /* write decompressed segment at the end of partial packet */
11476 append_uncompress_data(uncomp_data, uncomp_tvb, 0, scti->orig_size);
11477
11478 decompression_ok:
11479 col_append_str(pinfo->cinfo, COL_INFO, "Decomp. SMB3");
11480 *plain_tvb = tvb_new_child_real_data(tvb,
11481 (uint8_t *)wmem_array_get_raw(uncomp_data),
11482 wmem_array_get_count(uncomp_data),
11483 wmem_array_get_count(uncomp_data));
11484 add_new_data_source(pinfo, *plain_tvb, "Decomp. SMB3");
11485
11486 out:
11487 if (uncomp_tvb)
11488 tvb_free(uncomp_tvb);
11489 return offset;
11490 }
11491
11492 static int
11493 dissect_smb2_transform_header(packet_info *pinfo, proto_tree *tree,
11494 tvbuff_t *tvb, int offset,
11495 smb2_transform_info_t *sti,
11496 tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
11497 {
11498 proto_item *sesid_item = NULL;
11499 proto_tree *sesid_tree = NULL;
11500 int sesid_offset;
11501 uint8_t *plain_data = NULL;
11502 int offset_aad;
11503
11504 *enc_tvb = NULL;
11505 *plain_tvb = NULL;
11506
11507 /* signature */
11508 proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
11509 offset += 16;
11510
11511 offset_aad = offset;
11512
11513 /* nonce */
11514 proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
11515 tvb_memcpy(tvb, sti->nonce, offset, 16);
11516 offset += 16;
11517
11518 /* size */
11519 proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11520 sti->size = tvb_get_letohl(tvb, offset);
11521 offset += 4;
11522
11523 /* reserved */
11524 proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
11525 offset += 2;
11526
11527 /* flags */
11528 proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_flags,
11529 ett_smb2_transform_flags,
11530 smb2_transform_flags, ENC_LITTLE_ENDIAN);
11531 sti->flags = tvb_get_letohs(tvb, offset);
11532 offset += 2;
11533
11534 /* session ID */
11535 sesid_offset = offset;
11536 sti->sesid = tvb_get_letoh64(tvb, offset);
11537 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
11538 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
11539 offset += 8;
11540
11541 /* now we need to first lookup the uid session */
11542 sti->session = smb2_get_session(sti->conv, sti->sesid, NULL, NULL);
11543 smb2_add_session_info(sesid_tree, sesid_item, tvb, sesid_offset, sti->session);
11544
11545 if (sti->flags & SMB2_TRANSFORM_FLAGS_ENCRYPTED) {
11546 plain_data = decrypt_smb_payload(pinfo, tvb, offset, offset_aad, sti);
11547 }
11548 *enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);
11549
11550 if (plain_data != NULL) {
11551 *plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
11552 add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
11553 }
11554
11555 offset += sti->size;
11556 return offset;
11557 }
11558
11559 static const char *
11560 get_special_packet_title(uint16_t cmd, uint32_t flags, uint64_t msg_id, tvbuff_t *tvb, int offset)
11561 {
11562 /* for some types of packets we don't have request/response packets but something else
11563 * to show more correct names while displaying them we use this logic to override standard naming convention
11564 */
11565
11566 uint16_t buffer_code;
11567 /* detect oplock/lease break packets */
11568 if (cmd != SMB2_COM_BREAK) {
11569 return NULL;
11570 }
11571
11572 buffer_code = tvb_get_letohs(tvb, offset);
11573 if (flags & SMB2_FLAGS_RESPONSE) {
11574 switch (buffer_code) {
11575 case OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE:
11576 /* note - Notification and Response packets for Oplock Break are equivalent,
11577 * we can distinguish them only via msg_id value */
11578 if (msg_id == 0xFFFFFFFFFFFFFFFF) /* see [MS-SMB2] 3.3.4.6 Object Store Indicates an Oplock Break */
11579 return "Oplock Break Notification";
11580 else
11581 return "Oplock Break Response";
11582 case OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE:
11583 return "Lease Break Notification";
11584 case OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE:
11585 return "Lease Break Response";
11586 }
11587 } else {
11588 switch (buffer_code) {
11589 case OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE:
11590 return "Oplock Break Acknowledgment";
11591 case OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE:
11592 return "Lease Break Acknowledgment";
11593 }
11594 }
11595 /* return back to standard notation if we can't detect packet type of break packet */
11596 return NULL;
11597 }
11598
11599 static int
11600 dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
11601 {
11602 int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
11603 proto_item *cmd_item;
11604 proto_tree *cmd_tree;
11605 int old_offset = offset;
11606 const char *packet_title = get_special_packet_title(si->opcode, si->flags, si->msg_id, tvb, offset);
11607
11608 if (packet_title) {
11609 cmd_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
11610 ett_smb2_command, &cmd_item, "%s (0x%02x)",
11611 packet_title,
11612 si->opcode);
11613 } else {
11614 cmd_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
11615 ett_smb2_command, &cmd_item, "%s %s (0x%02x)",
11616 decode_smb2_name(si->opcode),
11617 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
11618 si->opcode);
11619 }
11620
11621 cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
11622 smb2_dissector[si->opcode&0xff].response:
11623 smb2_dissector[si->opcode&0xff].request;
11624 if (cmd_dissector) {
11625 offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
11626 } else {
11627 proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
11628 offset = tvb_captured_length(tvb);
11629 }
11630
11631 proto_item_set_len(cmd_item, offset-old_offset);
11632
11633 return offset;
11634 }
11635
11636 static int
11637 dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
11638 {
11639 proto_item *tid_item = NULL;
11640 proto_tree *tid_tree = NULL;
11641 smb2_tid_info_t tid_key;
11642 int tid_offset = 0;
11643 proto_item *sesid_item = NULL;
11644 proto_tree *sesid_tree = NULL;
11645 smb2_sesid_info_t sesid_key;
11646 int sesid_offset;
11647 proto_item *item;
11648
11649
11650 if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
11651 proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
11652 offset += 8;
11653 } else {
11654 /* Reserved */
11655 proto_tree_add_item(tree, hf_smb2_header_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11656 offset += 4;
11657
11658 /* Tree ID */
11659 tid_offset = offset;
11660 si->tid = tvb_get_letohl(tvb, offset);
11661 tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11662 tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
11663 offset += 4;
11664 }
11665
11666 /* Session ID */
11667 sesid_offset = offset;
11668 si->sesid = tvb_get_letoh64(tvb, offset);
11669 sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
11670 sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
11671 offset += 8;
11672
11673 /* now we need to first lookup the uid session */
11674 sesid_key.sesid = si->sesid;
11675 si->session = (smb2_sesid_info_t *)wmem_map_lookup(smb2_sessions, &sesid_key);
11676 if (!si->session) {
11677 si->session = smb2_get_session(si->conv, si->sesid, pinfo, si);
11678 return offset;
11679 }
11680
11681 smb2_add_session_info(sesid_tree, sesid_item, tvb, sesid_offset, si->session);
11682
11683 if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
11684 /* see if we can find the name for this tid */
11685 tid_key.tid = si->tid;
11686 si->tree = (smb2_tid_info_t *)wmem_map_lookup(si->session->tids, &tid_key);
11687 if (!si->tree) return offset;
11688
11689 item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
11690 proto_item_set_generated(item);
11691 proto_item_append_text(tid_item, " %s", si->tree->name);
11692
11693 item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
11694 proto_item_set_generated(item);
11695
11696 item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
11697 proto_item_set_generated(item);
11698
11699 item = proto_tree_add_uint(tid_tree, hf_smb2_tdcon_frame, tvb, tid_offset, 0, si->tree->disconnect_frame);
11700 proto_item_set_generated(item);
11701
11702 }
11703
11704 return offset;
11705 }
11706
11707 static void
11708 dissect_smb2_signature(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
11709 {
11710 proto_item *item = NULL;
11711 proto_tree *stree = NULL;
11712 gcry_error_t err;
11713 gcry_mac_hd_t md;
11714 uint8_t mac[NTLMSSP_KEY_LEN] = { 0, };
11715 size_t len = NTLMSSP_KEY_LEN;
11716 int i, remaining;
11717 bool use_mac = false;
11718
11719 item = proto_tree_add_item(tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
11720
11721 if (!si || !si->session ||!si->conv)
11722 return;
11723
11724 if (!smb2_verify_signatures || !(si->flags & SMB2_FLAGS_SIGNATURE))
11725 return;
11726
11727 if (memcmp(si->session->signing_key, zeros, NTLMSSP_KEY_LEN) == 0) {
11728 return;
11729 }
11730
11731 if (tvb_reported_length(tvb) > tvb_captured_length(tvb))
11732 return;
11733
11734 remaining = tvb_reported_length_remaining(tvb, offset + NTLMSSP_KEY_LEN);
11735
11736 if (si->conv->sign_alg == SMB2_SIGNING_ALG_HMAC_SHA256) {
11737 err = gcry_mac_open(&md, GCRY_MAC_HMAC_SHA256, 0, NULL);
11738 if (err)
11739 return;
11740 use_mac = true;
11741 } else if (si->conv->sign_alg == SMB2_SIGNING_ALG_AES_CMAC) {
11742 err = gcry_mac_open(&md, GCRY_MAC_CMAC_AES, 0, NULL);
11743 if (err)
11744 return;
11745 use_mac = true;
11746 }
11747
11748 if (use_mac) {
11749 gcry_mac_setkey(md, si->session->signing_key, len);
11750 gcry_mac_write(md, tvb_get_ptr(tvb, 0, 48), 48);
11751 gcry_mac_write(md, zeros, NTLMSSP_KEY_LEN);
11752 gcry_mac_write(md, tvb_get_ptr(tvb, offset + NTLMSSP_KEY_LEN, remaining), remaining);
11753 gcry_mac_read(md, &mac[0], &len);
11754 gcry_mac_close(md);
11755 }
11756
11757 stree = proto_item_add_subtree(item, ett_smb2_signature);
11758
11759 if (memcmp(&mac[0], tvb_get_ptr(tvb, offset, NTLMSSP_KEY_LEN), NTLMSSP_KEY_LEN) == 0) {
11760 proto_tree_add_item(stree, hf_smb2_good_signature, tvb, offset, 16, ENC_NA);
11761 return; /* signature matched */
11762 }
11763
11764 item = proto_tree_add_item(stree, hf_smb2_bad_signature, tvb, offset, 16, ENC_NA);
11765 proto_item_append_text(item, " ");
11766 for (i = 0; i < NTLMSSP_KEY_LEN; i++)
11767 proto_item_append_text(item, "%02x", mac[i]);
11768 proto_item_set_generated(item);
11769 expert_add_info(pinfo, item, &ei_smb2_invalid_signature);
11770
11771 return;
11772 }
11773
11774 static int
11775 // NOLINTNEXTLINE(misc-no-recursion)
11776 dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, bool first_in_chain)
11777 {
11778 int msg_type;
11779 proto_item *item = NULL;
11780 proto_tree *tree = NULL;
11781 proto_item *header_item = NULL;
11782 proto_tree *header_tree = NULL;
11783 int offset = 0;
11784 int chain_offset = 0;
11785 const char *label = smb_header_label;
11786 conversation_t *conversation;
11787 smb2_saved_info_t *ssi = NULL, ssi_key;
11788 smb2_info_t *si;
11789 smb2_transform_info_t *sti;
11790 smb2_comp_transform_info_t *scti;
11791 char *fid_name;
11792 uint32_t open_frame,close_frame;
11793 smb2_eo_file_info_t *eo_file_info;
11794 e_ctx_hnd *policy_hnd_hashtablekey;
11795 const char *packet_title;
11796
11797 sti = wmem_new(pinfo->pool, smb2_transform_info_t);
11798 scti = wmem_new(pinfo->pool, smb2_comp_transform_info_t);
11799 si = wmem_new0(pinfo->pool, smb2_info_t);
11800 si->top_tree = parent_tree;
11801
11802 msg_type = tvb_get_uint8(tvb, 0);
11803
11804 switch (msg_type) {
11805 case SMB2_COMP_HEADER:
11806 label = smb_comp_transform_header_label;
11807 break;
11808 case SMB2_ENCR_HEADER:
11809 label = smb_transform_header_label;
11810 break;
11811 case SMB2_NORM_HEADER:
11812 label = smb_header_label;
11813 break;
11814 default:
11815 label = smb_bad_header_label;
11816 break;
11817 }
11818
11819 increment_dissection_depth(pinfo);
11820
11821 /* find which conversation we are part of and get the data for that
11822 * conversation
11823 */
11824 conversation = find_or_create_conversation(pinfo);
11825 si->conv = (smb2_conv_info_t *)conversation_get_proto_data(conversation, proto_smb2);
11826 if (!si->conv) {
11827 /* no smb2_into_t structure for this conversation yet,
11828 * create it.
11829 */
11830 si->conv = wmem_new0(wmem_file_scope(), smb2_conv_info_t);
11831 /* qqq this leaks memory for now since we never free
11832 the hashtables */
11833 si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
11834 smb2_saved_info_equal_matched);
11835 si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
11836 smb2_saved_info_equal_unmatched);
11837 si->conv->preauth_hash_current = si->conv->preauth_hash_con;
11838
11839 /* Bit of a hack to avoid leaking the hash tables - register a
11840 * callback to free them. Ideally wmem would implement a simple
11841 * hash table so we wouldn't have to do this. */
11842 wmem_register_callback(wmem_file_scope(), smb2_conv_destroy,
11843 si->conv);
11844
11845 conversation_add_proto_data(conversation, proto_smb2, si->conv);
11846 }
11847
11848 sti->conv = si->conv;
11849 scti->conv = si->conv;
11850
11851 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
11852 if (first_in_chain) {
11853 /* first packet */
11854 col_clear(pinfo->cinfo, COL_INFO);
11855 } else {
11856 col_append_str(pinfo->cinfo, COL_INFO, "; ");
11857 }
11858
11859 item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset, -1, ENC_NA);
11860 tree = proto_item_add_subtree(item, ett_smb2);
11861
11862 header_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_header, &header_item, label);
11863
11864 /* Decode the header */
11865
11866 if (msg_type == SMB2_NORM_HEADER) {
11867 /* SMB2 marker */
11868 proto_tree_add_item(header_tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
11869 offset += 4;
11870
11871 /* we need the flags before we know how to parse the credits field */
11872 si->flags = tvb_get_letohl(tvb, offset+12);
11873
11874 /* header length */
11875 proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11876 offset += 2;
11877
11878 /* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
11879 proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11880 offset += 2;
11881
11882 /* Status Code */
11883 if (si->flags & SMB2_FLAGS_RESPONSE) {
11884 si->status = tvb_get_letohl(tvb, offset);
11885 proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11886 offset += 4;
11887 } else {
11888 si->status = 0;
11889 proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11890 offset += 2;
11891 proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
11892 offset += 2;
11893 }
11894
11895 /* opcode */
11896 si->opcode = tvb_get_letohs(tvb, offset);
11897 proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11898 offset += 2;
11899
11900 /* credits */
11901 if (si->flags & SMB2_FLAGS_RESPONSE) {
11902 proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11903 } else {
11904 proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
11905 }
11906 offset += 2;
11907
11908 /* flags */
11909 if (header_tree) {
11910 static int * const flags[] = {
11911 &hf_smb2_flags_response,
11912 &hf_smb2_flags_async_cmd,
11913 &hf_smb2_flags_chained,
11914 &hf_smb2_flags_signature,
11915 &hf_smb2_flags_priority_mask,
11916 &hf_smb2_flags_dfs_op,
11917 &hf_smb2_flags_replay_operation,
11918 NULL
11919 };
11920
11921 proto_tree_add_bitmask(header_tree, tvb, offset, hf_smb2_flags,
11922 ett_smb2_flags, flags, ENC_LITTLE_ENDIAN);
11923 }
11924
11925 offset += 4;
11926
11927 /* Next Command */
11928 chain_offset = tvb_get_letohl(tvb, offset);
11929 proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
11930 offset += 4;
11931
11932 /* Message ID */
11933 si->msg_id = tvb_get_letoh64(tvb, offset);
11934 ssi_key.msg_id = si->msg_id;
11935 proto_tree_add_item(header_tree, hf_smb2_msg_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
11936 offset += 8;
11937
11938 /* Tree ID and Session ID */
11939 offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
11940
11941 /* Signature */
11942 dissect_smb2_signature(pinfo, tvb, offset, header_tree, si);
11943 offset += 16;
11944 proto_item_set_len(header_item, offset);
11945
11946 /* Check if this is a special packet type and it has non-regular title */
11947 packet_title = get_special_packet_title(si->opcode, si->flags, si->msg_id, tvb, offset);
11948 if (packet_title) {
11949 col_append_str(pinfo->cinfo, COL_INFO, packet_title);
11950 } else {
11951 /* Regular packets have standard title */
11952 col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
11953 decode_smb2_name(si->opcode),
11954 (si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
11955 }
11956 if (si->status) {
11957 col_append_fstr(
11958 pinfo->cinfo, COL_INFO, ", Error: %s",
11959 val_to_str_ext(si->status, &NT_errors_ext,
11960 "Unknown (0x%08X)"));
11961 }
11962
11963
11964 if (!pinfo->fd->visited) {
11965 /* see if we can find this msg_id in the unmatched table */
11966 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
11967
11968 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
11969 /* This is a request */
11970 if (ssi) {
11971 /* this is a request and we already found
11972 * an older ssi so just delete the previous
11973 * one
11974 */
11975 g_hash_table_remove(si->conv->unmatched, ssi);
11976 ssi = NULL;
11977 }
11978
11979 if (!ssi) {
11980 /* no we couldn't find it, so just add it then
11981 * if was a request we are decoding
11982 */
11983 ssi = wmem_new0(wmem_file_scope(), smb2_saved_info_t);
11984 ssi->msg_id = ssi_key.msg_id;
11985 ssi->frame_req = pinfo->num;
11986 ssi->frame_res = UINT32_MAX;
11987 ssi->req_time = pinfo->abs_ts;
11988 ssi->extra_info_type = SMB2_EI_NONE;
11989 g_hash_table_insert(si->conv->unmatched, ssi, ssi);
11990 }
11991 } else {
11992 /* This is a response */
11993 if (!((si->flags & SMB2_FLAGS_ASYNC_CMD)
11994 && si->status == NT_STATUS_PENDING)
11995 && ssi) {
11996 /* just set the response frame and move it to the matched table */
11997 ssi->frame_res = pinfo->num;
11998 g_hash_table_remove(si->conv->unmatched, ssi);
11999 g_hash_table_insert(si->conv->matched, ssi, ssi);
12000 }
12001 }
12002 } else {
12003 /* see if we can find this msg_id in the matched table */
12004 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
12005 /* if we couldn't find it in the matched table, it might still
12006 * be in the unmatched table
12007 */
12008 if (!ssi) {
12009 ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
12010 }
12011 }
12012
12013 if (ssi) {
12014 if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
12015 /* If needed, create the file entry and save the policy hnd */
12016 if (!si->eo_file_info) {
12017 if (si->conv) {
12018 eo_file_info = (smb2_eo_file_info_t *)wmem_map_lookup(si->session->files,&ssi->policy_hnd);
12019 if (!eo_file_info) { /* XXX This should never happen */
12020 /* assert(1==0); */
12021 eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
12022 policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
12023 memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
12024 eo_file_info->end_of_file=0;
12025 wmem_map_insert(si->session->files,policy_hnd_hashtablekey,eo_file_info);
12026 }
12027 si->eo_file_info=eo_file_info;
12028 }
12029 }
12030
12031 }
12032
12033 if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
12034 if (ssi->frame_res != UINT32_MAX) {
12035 proto_item *tmp_item;
12036 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
12037 proto_item_set_generated(tmp_item);
12038 }
12039 } else {
12040 if (ssi->frame_req != UINT32_MAX) {
12041 proto_item *tmp_item;
12042 nstime_t t, deltat;
12043
12044 tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
12045 proto_item_set_generated(tmp_item);
12046 t = pinfo->abs_ts;
12047 nstime_delta(&deltat, &t, &ssi->req_time);
12048 tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
12049 0, 0, &deltat);
12050 proto_item_set_generated(tmp_item);
12051 }
12052 }
12053 if (si->file != NULL) {
12054 ssi->file = si->file;
12055 } else {
12056 si->file = ssi->file;
12057 }
12058 }
12059 /* if we don't have ssi yet we must fake it */
12060 /*qqq*/
12061 si->saved = ssi;
12062
12063 tap_queue_packet(smb2_tap, pinfo, si);
12064
12065 /* Decode the payload */
12066 offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
12067 } else if (msg_type == SMB2_ENCR_HEADER) {
12068 proto_tree *enc_tree;
12069 tvbuff_t *enc_tvb = NULL;
12070 tvbuff_t *plain_tvb = NULL;
12071
12072 /* SMB2_TRANSFORM marker */
12073 proto_tree_add_item(header_tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
12074 offset += 4;
12075
12076 offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
12077 &enc_tvb, &plain_tvb);
12078
12079 enc_tree = proto_tree_add_subtree(tree, enc_tvb, 0, sti->size, ett_smb2_encrypted, NULL, "Encrypted SMB3 data");
12080 if (plain_tvb != NULL) {
12081 col_append_str(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
12082 dissect_smb2(plain_tvb, pinfo, enc_tree, false);
12083 } else {
12084 col_append_str(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
12085 proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
12086 enc_tvb, 0, sti->size, ENC_NA);
12087 }
12088
12089 if (tvb_reported_length_remaining(tvb, offset) > 0) {
12090 chain_offset = offset;
12091 }
12092 } else if (msg_type == SMB2_COMP_HEADER) {
12093 proto_tree *comp_tree;
12094 proto_item *decomp_item;
12095 tvbuff_t *plain_tvb = NULL;
12096 tvbuff_t *comp_tvb = NULL;
12097
12098 offset = dissect_smb2_comp_transform_header(pinfo, header_tree, tvb, offset,
12099 scti, &comp_tvb, &plain_tvb);
12100
12101 comp_tree = proto_tree_add_subtree(header_tree, tvb, offset,
12102 tvb_reported_length_remaining(tvb, offset),
12103 ett_smb2_compressed, NULL,
12104 "Compressed SMB3 data");
12105 proto_tree_add_item(comp_tree, hf_smb2_comp_transform_data,
12106 tvb, offset,
12107 tvb_reported_length_remaining(tvb, offset),
12108 ENC_NA);
12109
12110 if (plain_tvb) {
12111 proto_tree *decomp_tree;
12112
12113 decomp_tree = proto_tree_add_subtree(header_tree, plain_tvb, 0,
12114 tvb_reported_length_remaining(plain_tvb, 0),
12115 ett_smb2_decompressed, &decomp_item,
12116 "Decompressed SMB3 data");
12117 proto_item_set_generated(decomp_item);
12118 dissect_smb2(plain_tvb, pinfo, decomp_tree, false);
12119 }
12120
12121 offset += tvb_reported_length_remaining(tvb, offset);
12122 } else {
12123 col_append_str(pinfo->cinfo, COL_INFO, "Invalid header");
12124
12125 /* bad packet after decompressing/decrypting */
12126 offset += tvb_reported_length_remaining(tvb, offset);
12127 }
12128
12129 if (chain_offset > 0) {
12130 tvbuff_t *next_tvb;
12131
12132 proto_item_set_len(item, chain_offset);
12133
12134 next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
12135 offset = dissect_smb2(next_tvb, pinfo, parent_tree, false);
12136 }
12137
12138 decrement_dissection_depth(pinfo);
12139 return offset;
12140 }
12141
12142 static bool
12143 dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
12144 {
12145 uint8_t b;
12146
12147 /* must check that this really is a smb2 packet */
12148 if (tvb_captured_length(tvb) < 4)
12149 return false;
12150
12151 b = tvb_get_uint8(tvb, 0);
12152 if (((b != SMB2_COMP_HEADER) && (b != SMB2_ENCR_HEADER) && (b != SMB2_NORM_HEADER))
12153 || (tvb_get_uint8(tvb, 1) != 'S')
12154 || (tvb_get_uint8(tvb, 2) != 'M')
12155 || (tvb_get_uint8(tvb, 3) != 'B') ) {
12156 return false;
12157 }
12158
12159 dissect_smb2(tvb, pinfo, parent_tree, true);
12160
12161 return true;
12162 }
12163
12164 void
12165 proto_register_smb2(void)
12166 {
12167 module_t *smb2_module;
12168 static hf_register_info hf[] = {
12169 { &hf_smb2_cmd,
12170 { "Command", "smb2.cmd", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
12171 &smb2_cmd_vals_ext, 0, "SMB2 Command Opcode", HFILL }
12172 },
12173
12174 { &hf_smb2_response_to,
12175 { "Response to", "smb2.response_to", FT_FRAMENUM, BASE_NONE,
12176 FRAMENUM_TYPE(FT_FRAMENUM_REQUEST), 0, "This packet is a response to the packet in this frame", HFILL }
12177 },
12178
12179 { &hf_smb2_response_in,
12180 { "Response in", "smb2.response_in", FT_FRAMENUM, BASE_NONE,
12181 FRAMENUM_TYPE(FT_FRAMENUM_RESPONSE), 0, "The response to this packet is in this packet", HFILL }
12182 },
12183
12184 { &hf_smb2_time,
12185 { "Time from request", "smb2.time", FT_RELATIVE_TIME, BASE_NONE,
12186 NULL, 0, "Time between Request and Response for SMB2 cmds", HFILL }
12187 },
12188
12189 { &hf_smb2_preauth_hash,
12190 { "Preauth Hash", "smb2.preauth_hash", FT_BYTES, BASE_NONE,
12191 NULL, 0, "SMB3.1.1 pre-authentication SHA512 hash after hashing the packet", HFILL }
12192 },
12193
12194 { &hf_smb2_header_len,
12195 { "Header Length", "smb2.header_len", FT_UINT16, BASE_DEC,
12196 NULL, 0, "SMB2 Size of Header", HFILL }
12197 },
12198
12199 { &hf_smb2_nt_status,
12200 { "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
12201 &NT_errors_ext, 0, "NT Status code", HFILL }
12202 },
12203
12204 { &hf_smb2_msg_id,
12205 { "Message ID", "smb2.msg_id", FT_UINT64, BASE_DEC|BASE_VAL64_STRING|BASE_SPECIAL_VALS,
12206 VALS64(unique_unsolicited_response), 0, NULL, HFILL }
12207 },
12208
12209 { &hf_smb2_tid,
12210 { "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
12211 NULL, 0, NULL, HFILL }
12212 },
12213
12214 { &hf_smb2_aid,
12215 { "Async Id", "smb2.aid", FT_UINT64, BASE_HEX,
12216 NULL, 0, NULL, HFILL }
12217 },
12218
12219 { &hf_smb2_sesid,
12220 { "Session Id", "smb2.sesid", FT_UINT64, BASE_HEX,
12221 NULL, 0, NULL, HFILL }
12222 },
12223
12224 { &hf_smb2_previous_sesid,
12225 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64, BASE_HEX,
12226 NULL, 0, NULL, HFILL }
12227 },
12228
12229 { &hf_smb2_chain_offset,
12230 { "Chain Offset", "smb2.chain_offset", FT_UINT32, BASE_HEX,
12231 NULL, 0, NULL, HFILL }
12232 },
12233
12234 { &hf_smb2_end_of_file,
12235 { "End Of File", "smb2.eof", FT_UINT64, BASE_DEC,
12236 NULL, 0, "SMB2 End Of File/File size", HFILL }
12237 },
12238
12239 { &hf_smb2_nlinks,
12240 { "Number of Links", "smb2.nlinks", FT_UINT32, BASE_DEC,
12241 NULL, 0, "Number of links to this object", HFILL }
12242 },
12243
12244 { &hf_smb2_file_id,
12245 { "File Id", "smb2.file_id", FT_UINT64, BASE_HEX,
12246 NULL, 0, NULL, HFILL }
12247 },
12248
12249 { &hf_smb2_allocation_size,
12250 { "Allocation Size", "smb2.allocation_size", FT_UINT64, BASE_DEC,
12251 NULL, 0, NULL, HFILL }
12252 },
12253
12254 { &hf_smb2_max_response_size,
12255 { "Max Response Size", "smb2.max_response_size", FT_UINT32, BASE_DEC,
12256 NULL, 0, NULL, HFILL }
12257 },
12258
12259 { &hf_smb2_getinfo_input_size,
12260 { "Getinfo Input Size", "smb2.getinfo_input_size", FT_UINT32, BASE_DEC,
12261 NULL, 0, NULL, HFILL }
12262 },
12263
12264 { &hf_smb2_getinfo_input_offset,
12265 { "Getinfo Input Offset", "smb2.getinfo_input_offset", FT_UINT16, BASE_HEX,
12266 NULL, 0, NULL, HFILL }
12267 },
12268
12269 { &hf_smb2_getsetinfo_additional,
12270 { "Additional Info", "smb2.getsetinfo_additional", FT_UINT32, BASE_HEX,
12271 NULL, 0, NULL, HFILL }
12272 },
12273
12274 { &hf_smb2_getsetinfo_additionals,
12275 { "Additional Info", "smb2.getsetinfo_additionals", FT_UINT32, BASE_HEX,
12276 NULL, 0, NULL, HFILL }
12277 },
12278
12279 { &hf_smb2_getsetinfo_additional_owner,
12280 { "Owner", "smb2.getsetinfo_additional_secinfo.owner", FT_BOOLEAN, 32,
12281 TFS(&tfs_additional_owner), OWNER_SECURITY_INFORMATION, "Is owner security information being queried?", HFILL }},
12282
12283 { &hf_smb2_getsetinfo_additional_group,
12284 { "Group", "smb2.getsetinfo_additional_secinfo.group", FT_BOOLEAN, 32,
12285 TFS(&tfs_additional_group), GROUP_SECURITY_INFORMATION, "Is group security information being queried?", HFILL }},
12286
12287 { &hf_smb2_getsetinfo_additional_dacl,
12288 { "DACL", "smb2.getsetinfo_additional_secinfo.dacl", FT_BOOLEAN, 32,
12289 TFS(&tfs_additional_dacl), DACL_SECURITY_INFORMATION, "Is DACL security information being queried?", HFILL }},
12290
12291 { &hf_smb2_getsetinfo_additional_sacl,
12292 { "SACL", "smb2.getsetinfo_additional_secinfo.sacl", FT_BOOLEAN, 32,
12293 TFS(&tfs_additional_sacl), SACL_SECURITY_INFORMATION, "Is SACL security information being queried?", HFILL }},
12294
12295 { &hf_smb2_getsetinfo_additional_label,
12296 { "Integrity label", "smb2.getsetinfo_additional_secinfo.label", FT_BOOLEAN, 32,
12297 TFS(&tfs_additional_label), LABEL_SECURITY_INFORMATION, "Is integrity label security information being queried?", HFILL }},
12298
12299 { &hf_smb2_getsetinfo_additional_attribute,
12300 { "Resource attribute", "smb2.getsetinfo_additional_secinfo.attribute", FT_BOOLEAN, 32,
12301 TFS(&tfs_additional_attribute), ATTRIBUTE_SECURITY_INFORMATION, "Is resource attribute security information being queried?", HFILL }},
12302
12303 { &hf_smb2_getsetinfo_additional_scope,
12304 { "Central access policy", "smb2.getsetinfo_additional_secinfo.scope", FT_BOOLEAN, 32,
12305 TFS(&tfs_additional_scope), SCOPE_SECURITY_INFORMATION, "Is central access policy security information being queried?", HFILL }},
12306
12307 { &hf_smb2_getsetinfo_additional_backup,
12308 { "Backup operation", "smb2.getsetinfo_additional_secinfo.backup", FT_BOOLEAN, 32,
12309 TFS(&tfs_additional_backup), BACKUP_SECURITY_INFORMATION, "Is backup operation security information being queried?", HFILL }},
12310
12311 { &hf_smb2_getinfo_flags,
12312 { "Flags", "smb2.getinfo_flags", FT_UINT32, BASE_HEX,
12313 NULL, 0, NULL, HFILL }
12314 },
12315
12316 { &hf_smb2_setinfo_size,
12317 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32, BASE_DEC,
12318 NULL, 0, NULL, HFILL }
12319 },
12320
12321 { &hf_smb2_setinfo_offset,
12322 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16, BASE_HEX,
12323 NULL, 0, NULL, HFILL }
12324 },
12325
12326 { &hf_smb2_setinfo_reserved,
12327 { "Reserved", "smb2.setinfo_reserved", FT_UINT16, BASE_DEC,
12328 NULL, 0, NULL, HFILL }
12329 },
12330
12331 { &hf_smb2_max_ioctl_out_size,
12332 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32, BASE_DEC,
12333 NULL, 0, NULL, HFILL }
12334 },
12335
12336 { &hf_smb2_max_ioctl_in_size,
12337 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32, BASE_DEC,
12338 NULL, 0, NULL, HFILL }
12339 },
12340
12341 { &hf_smb2_required_buffer_size,
12342 { "Required Buffer Size", "smb2.required_size", FT_UINT32, BASE_DEC,
12343 NULL, 0, NULL, HFILL }
12344 },
12345
12346 { &hf_smb2_header_reserved,
12347 { "Reserved", "smb2.header_reserved", FT_UINT32, BASE_HEX,
12348 NULL, 0, NULL, HFILL }
12349 },
12350
12351
12352 /* SMB2 header flags */
12353 { &hf_smb2_flags,
12354 { "Flags", "smb2.flags", FT_UINT32, BASE_HEX,
12355 NULL, 0, "SMB2 flags", HFILL }
12356 },
12357
12358 { &hf_smb2_flags_response,
12359 { "Response", "smb2.flags.response", FT_BOOLEAN, 32,
12360 TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }
12361 },
12362
12363 { &hf_smb2_flags_async_cmd,
12364 { "Async command", "smb2.flags.async", FT_BOOLEAN, 32,
12365 TFS(&tfs_flags_async_cmd), SMB2_FLAGS_ASYNC_CMD, NULL, HFILL }
12366 },
12367
12368 { &hf_smb2_flags_dfs_op,
12369 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN, 32,
12370 TFS(&tfs_flags_dfs_op), SMB2_FLAGS_DFS_OP, NULL, HFILL }
12371 },
12372
12373 { &hf_smb2_flags_chained,
12374 { "Chained", "smb2.flags.chained", FT_BOOLEAN, 32,
12375 TFS(&tfs_flags_chained), SMB2_FLAGS_CHAINED, "Whether the pdu continues a chain or not", HFILL }
12376 },
12377 { &hf_smb2_flags_signature,
12378 { "Signing", "smb2.flags.signature", FT_BOOLEAN, 32,
12379 TFS(&tfs_flags_signature), SMB2_FLAGS_SIGNATURE, "Whether the pdu is signed or not", HFILL }
12380 },
12381
12382 { &hf_smb2_flags_replay_operation,
12383 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN, 32,
12384 TFS(&tfs_flags_replay_operation), SMB2_FLAGS_REPLAY_OPERATION, "Whether this is a replay operation", HFILL }
12385 },
12386
12387 { &hf_smb2_flags_priority_mask,
12388 { "Priority", "smb2.flags.priority_mask", FT_BOOLEAN, 32,
12389 TFS(&tfs_flags_priority_mask), SMB2_FLAGS_PRIORITY_MASK, "Priority Mask", HFILL }
12390 },
12391
12392 { &hf_smb2_tree,
12393 { "Tree", "smb2.tree", FT_STRING, BASE_NONE,
12394 NULL, 0, "Name of the Tree/Share", HFILL }
12395 },
12396
12397 { &hf_smb2_filename,
12398 { "Filename", "smb2.filename", FT_STRING, BASE_NONE,
12399 NULL, 0, NULL, HFILL }
12400 },
12401
12402 { &hf_smb2_filename_len,
12403 { "Filename Length", "smb2.filename.len", FT_UINT32, BASE_DEC,
12404 NULL, 0, NULL, HFILL }
12405 },
12406
12407 { &hf_smb2_file_id_hash,
12408 { "FileId Hash", "smb2.fid_hash", FT_UINT32, BASE_HEX,
12409 NULL, 0, "Used to find all instances of a File ID", HFILL }
12410 },
12411
12412 { &hf_smb2_num_matched,
12413 { "Matched pattern", "smb2.num_matched", FT_UINT16, BASE_DEC,
12414 NULL, 0, "Number of files matching the find pattern", HFILL }
12415 },
12416
12417
12418 { &hf_smb2_replace_if,
12419 { "Replace If", "smb2.rename.replace_if", FT_BOOLEAN, 8,
12420 TFS(&tfs_replace_if_exists), 0xFF, "Whether to replace if the target exists", HFILL }
12421 },
12422
12423 { &hf_smb2_data_offset,
12424 { "Data Offset", "smb2.data_offset", FT_UINT16, BASE_HEX,
12425 NULL, 0, "Offset to data", HFILL }
12426 },
12427
12428 { &hf_smb2_find_info_level,
12429 { "Info Level", "smb2.find.infolevel", FT_UINT32, BASE_DEC,
12430 VALS(smb2_find_info_levels), 0, "Find_Info Infolevel", HFILL }
12431 },
12432 { &hf_smb2_find_flags,
12433 { "Find Flags", "smb2.find.flags", FT_UINT8, BASE_HEX,
12434 NULL, 0, NULL, HFILL }
12435 },
12436
12437 { &hf_smb2_find_pattern,
12438 { "Search Pattern", "smb2.find.pattern", FT_STRING, BASE_NONE,
12439 NULL, 0, "Find pattern", HFILL }
12440 },
12441
12442 { &hf_smb2_find_info_blob,
12443 { "Info", "smb2.find.info_blob", FT_BYTES, BASE_NONE,
12444 NULL, 0, "Find Info", HFILL }
12445 },
12446
12447 { &hf_smb2_ea_size,
12448 { "EA Size", "smb2.ea_size", FT_UINT32, BASE_DEC,
12449 NULL, 0, "Size of EA data", HFILL }
12450 },
12451
12452 { &hf_smb2_position_information,
12453 { "Position Information", "smb2.position_info", FT_UINT64, BASE_DEC,
12454 NULL, 0, "Current file position", HFILL }
12455 },
12456
12457 { &hf_smb2_mode_information,
12458 { "Mode Information", "smb2.mode_info", FT_UINT32, BASE_HEX,
12459 NULL, 0, "File mode information", HFILL }
12460 },
12461
12462 { &hf_smb2_mode_file_write_through,
12463 { "FILE_WRITE_THROUGH", "smb2.mode.file_write_through", FT_UINT32, BASE_HEX,
12464 NULL, 0x02, NULL, HFILL }
12465 },
12466
12467 { &hf_smb2_mode_file_sequential_only,
12468 { "FILE_SEQUENTIAL_ONLY", "smb2.mode.file_sequential_only", FT_UINT32, BASE_HEX,
12469 NULL, 0x04, NULL, HFILL }
12470 },
12471
12472 { &hf_smb2_mode_file_no_intermediate_buffering,
12473 { "FILE_NO_INTERMEDIATE_BUFFERING", "smb2.mode.file_no_intermediate_buffering", FT_UINT32, BASE_HEX,
12474 NULL, 0x08, NULL, HFILL }
12475 },
12476
12477 { &hf_smb2_mode_file_synchronous_io_alert,
12478 { "FILE_SYNCHRONOUS_IO_ALERT", "smb2.mode.file_synchronous_io_alert", FT_UINT32, BASE_HEX,
12479 NULL, 0x10, NULL, HFILL }
12480 },
12481
12482 { &hf_smb2_mode_file_synchronous_io_nonalert,
12483 { "FILE_SYNCHRONOUS_IO_NONALERT", "smb2.mode.file_synchronous_io_nonalert", FT_UINT32, BASE_HEX,
12484 NULL, 0x20, NULL, HFILL }
12485 },
12486
12487 { &hf_smb2_mode_file_delete_on_close,
12488 { "FILE_DELETE_ON_CLOSE", "smb2.mode.file_delete_on_close", FT_UINT32, BASE_HEX,
12489 NULL, 0x1000, NULL, HFILL }
12490 },
12491
12492 { &hf_smb2_alignment_information,
12493 { "Alignment Information", "smb2.alignment_info", FT_UINT32, BASE_HEX,
12494 VALS(smb2_alignment_vals), 0, "File alignment", HFILL}
12495 },
12496
12497 { &hf_smb2_class,
12498 { "Class", "smb2.class", FT_UINT8, BASE_HEX,
12499 VALS(smb2_class_vals), 0, "Info class", HFILL }
12500 },
12501
12502 { &hf_smb2_infolevel,
12503 { "InfoLevel", "smb2.infolevel", FT_UINT8, BASE_HEX,
12504 NULL, 0, NULL, HFILL }
12505 },
12506
12507 { &hf_smb2_infolevel_file_info,
12508 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
12509 &smb2_file_info_levels_ext, 0, "File_Info Infolevel", HFILL }
12510 },
12511
12512 { &hf_smb2_infolevel_fs_info,
12513 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
12514 &smb2_fs_info_levels_ext, 0, "Fs_Info Infolevel", HFILL }
12515 },
12516
12517 { &hf_smb2_infolevel_sec_info,
12518 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
12519 &smb2_sec_info_levels_ext, 0, "Sec_Info Infolevel", HFILL }
12520 },
12521
12522 { &hf_smb2_write_length,
12523 { "Write Length", "smb2.write_length", FT_UINT32, BASE_DEC,
12524 NULL, 0, "Amount of data to write", HFILL }
12525 },
12526
12527 { &hf_smb2_read_blob,
12528 { "Info", "smb2.read.blob", FT_BYTES, BASE_NONE,
12529 NULL, 0, "Read Blob", HFILL }
12530 },
12531
12532 { &hf_smb2_read_length,
12533 { "Read Length", "smb2.read_length", FT_UINT32, BASE_DEC,
12534 NULL, 0, "Amount of data to read", HFILL }
12535 },
12536
12537 { &hf_smb2_read_remaining,
12538 { "Read Remaining", "smb2.read_remaining", FT_UINT32, BASE_DEC,
12539 NULL, 0, NULL, HFILL }
12540 },
12541
12542 { &hf_smb2_read_padding,
12543 { "Padding", "smb2.read_padding", FT_UINT8, BASE_HEX,
12544 NULL, 0, NULL, HFILL }
12545 },
12546
12547 { &hf_smb2_read_flags,
12548 { "Flags", "smb2.read_flags", FT_UINT8, BASE_HEX,
12549 NULL, 0, NULL, HFILL }
12550 },
12551
12552 { &hf_smb2_read_flags_unbuffered,
12553 { "Unbuffered", "smb2.read_flags.unbuffered", FT_BOOLEAN, 8,
12554 TFS(&tfs_read_unbuffered), SMB2_READFLAG_READ_UNBUFFERED, "If client requests unbuffered read", HFILL }
12555 },
12556
12557 { &hf_smb2_read_flags_compressed,
12558 { "Compressed", "smb2.read_flags.compressed", FT_BOOLEAN, 8,
12559 TFS(&tfs_read_compressed), SMB2_READFLAG_READ_COMPRESSED, "If client requests compressed response", HFILL }
12560 },
12561
12562 { &hf_smb2_create_flags,
12563 { "Create Flags", "smb2.create_flags", FT_UINT64, BASE_HEX,
12564 NULL, 0, NULL, HFILL }
12565 },
12566
12567 { &hf_smb2_file_offset,
12568 { "File Offset", "smb2.file_offset", FT_UINT64, BASE_DEC,
12569 NULL, 0, NULL, HFILL }
12570 },
12571
12572 { &hf_smb2_fsctl_range_offset,
12573 { "File Offset", "smb2.fsctl.range_offset", FT_UINT64, BASE_DEC,
12574 NULL, 0, NULL, HFILL }
12575 },
12576
12577 { &hf_smb2_fsctl_range_length,
12578 { "Length", "smb2.fsctl.range_length", FT_UINT64, BASE_DEC,
12579 NULL, 0, NULL, HFILL }
12580 },
12581
12582 { &hf_smb2_qfr_length,
12583 { "Length", "smb2.qfr_length", FT_UINT64, BASE_DEC,
12584 NULL, 0, NULL, HFILL }
12585 },
12586
12587 { &hf_smb2_qfr_usage,
12588 { "Desired Usage", "smb2.qfr_usage", FT_UINT32, BASE_HEX,
12589 VALS(file_region_usage_vals), 0, NULL, HFILL }
12590 },
12591
12592 { &hf_smb2_qfr_flags,
12593 { "Flags", "smb2.qfr_flags", FT_UINT32, BASE_HEX,
12594 NULL, 0, NULL, HFILL }
12595 },
12596
12597 { &hf_smb2_qfr_total_region_entry_count,
12598 { "Total Region Entry Count", "smb2.qfr_tot_region_entry_count", FT_UINT32, BASE_HEX,
12599 NULL, 0, NULL, HFILL }
12600 },
12601
12602 { &hf_smb2_qfr_region_entry_count,
12603 { "Region Entry Count", "smb2.qfr_region_entry_count", FT_UINT32, BASE_HEX,
12604 NULL, 0, NULL, HFILL }
12605 },
12606
12607 { &hf_smb2_security_blob,
12608 { "Security Blob", "smb2.security_blob", FT_BYTES, BASE_NONE,
12609 NULL, 0, NULL, HFILL }
12610 },
12611
12612 { &hf_smb2_ioctl_out_data,
12613 { "Out Data", "smb2.ioctl.out", FT_NONE, BASE_NONE,
12614 NULL, 0, "Ioctl Out", HFILL }
12615 },
12616
12617 { &hf_smb2_ioctl_in_data,
12618 { "In Data", "smb2.ioctl.in", FT_NONE, BASE_NONE,
12619 NULL, 0, "Ioctl In", HFILL }
12620 },
12621
12622 { &hf_smb2_server_guid,
12623 { "Server Guid", "smb2.server_guid", FT_GUID, BASE_NONE,
12624 NULL, 0, NULL, HFILL }
12625 },
12626
12627 { &hf_smb2_client_guid,
12628 { "Client Guid", "smb2.client_guid", FT_GUID, BASE_NONE,
12629 NULL, 0, NULL, HFILL }
12630 },
12631
12632 { &hf_smb2_object_id,
12633 { "ObjectId", "smb2.object_id", FT_GUID, BASE_NONE,
12634 NULL, 0, "ObjectID for this FID", HFILL }
12635 },
12636
12637 { &hf_smb2_birth_volume_id,
12638 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID, BASE_NONE,
12639 NULL, 0, "ObjectID for the volume where this FID was originally created", HFILL }
12640 },
12641
12642 { &hf_smb2_birth_object_id,
12643 { "BirthObjectId", "smb2.birth_object_id", FT_GUID, BASE_NONE,
12644 NULL, 0, "ObjectID for this FID when it was originally created", HFILL }
12645 },
12646
12647 { &hf_smb2_domain_id,
12648 { "DomainId", "smb2.domain_id", FT_GUID, BASE_NONE,
12649 NULL, 0, NULL, HFILL }
12650 },
12651
12652 { &hf_smb2_create_timestamp,
12653 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
12654 NULL, 0, "Time when this object was created", HFILL }
12655 },
12656
12657 { &hf_smb2_fid,
12658 { "File Id", "smb2.fid", FT_GUID, BASE_NONE,
12659 NULL, 0, "SMB2 File Id", HFILL }
12660 },
12661
12662 { &hf_smb2_write_data,
12663 { "Write Data", "smb2.write_data", FT_BYTES, BASE_NONE,
12664 NULL, 0, "SMB2 Data to be written", HFILL }
12665 },
12666
12667 { &hf_smb2_write_flags,
12668 { "Write Flags", "smb2.write.flags", FT_UINT32, BASE_HEX,
12669 NULL, 0, NULL, HFILL }
12670 },
12671
12672 { &hf_smb2_write_flags_write_through,
12673 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN, 32,
12674 TFS(&tfs_write_through), SMB2_WRITE_FLAG_WRITE_THROUGH, "If the client requests WRITE_THROUGH", HFILL }
12675 },
12676
12677 { &hf_smb2_write_flags_write_unbuffered,
12678 { "Unbuffered", "smb2.write.flags.unbuffered", FT_BOOLEAN, 32,
12679 TFS(&tfs_write_unbuffered), SMB2_WRITE_FLAG_WRITE_UNBUFFERED, "If client requests UNBUFFERED read", HFILL }
12680 },
12681
12682 { &hf_smb2_write_count,
12683 { "Write Count", "smb2.write.count", FT_UINT32, BASE_DEC,
12684 NULL, 0, NULL, HFILL }
12685 },
12686
12687 { &hf_smb2_write_remaining,
12688 { "Write Remaining", "smb2.write.remaining", FT_UINT32, BASE_DEC,
12689 NULL, 0, NULL, HFILL }
12690 },
12691
12692 { &hf_smb2_read_data,
12693 { "Read Data", "smb2.read_data", FT_BYTES, BASE_NONE,
12694 NULL, 0, "SMB2 Data that is read", HFILL }
12695 },
12696
12697 { &hf_smb2_last_access_timestamp,
12698 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
12699 NULL, 0, "Time when this object was last accessed", HFILL }
12700 },
12701
12702 { &hf_smb2_last_write_timestamp,
12703 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
12704 NULL, 0, "Time when this object was last written to", HFILL }
12705 },
12706
12707 { &hf_smb2_last_change_timestamp,
12708 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
12709 NULL, 0, "Time when this object was last changed", HFILL }
12710 },
12711
12712 { &hf_smb2_file_all_info,
12713 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE, BASE_NONE,
12714 NULL, 0, NULL, HFILL }
12715 },
12716
12717 { &hf_smb2_file_allocation_info,
12718 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE, BASE_NONE,
12719 NULL, 0, NULL, HFILL }
12720 },
12721
12722 { &hf_smb2_file_endoffile_info,
12723 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE, BASE_NONE,
12724 NULL, 0, NULL, HFILL }
12725 },
12726
12727 { &hf_smb2_good_signature,
12728 { "Good signature", "smb2.good_signature", FT_NONE, BASE_NONE,
12729 NULL, 0, NULL, HFILL }
12730 },
12731
12732 { &hf_smb2_bad_signature,
12733 { "Bad signature. Should be", "smb2.bad_signature", FT_NONE, BASE_NONE,
12734 NULL, 0, NULL, HFILL }
12735 },
12736
12737 { &hf_smb2_file_alternate_name_info,
12738 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE, BASE_NONE,
12739 NULL, 0, NULL, HFILL }
12740 },
12741
12742 { &hf_smb2_file_normalized_name_info,
12743 { "SMB2_FILE_NORMALIZED_NAME_INFO", "smb2.file_normalized_name_info", FT_NONE, BASE_NONE,
12744 NULL, 0, NULL, HFILL }
12745 },
12746
12747 { &hf_smb2_file_stream_info,
12748 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE, BASE_NONE,
12749 NULL, 0, NULL, HFILL }
12750 },
12751
12752 { &hf_smb2_file_pipe_info,
12753 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE, BASE_NONE,
12754 NULL, 0, NULL, HFILL }
12755 },
12756
12757 { &hf_smb2_file_compression_info,
12758 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE, BASE_NONE,
12759 NULL, 0, NULL, HFILL }
12760 },
12761
12762 { &hf_smb2_file_basic_info,
12763 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE, BASE_NONE,
12764 NULL, 0, NULL, HFILL }
12765 },
12766
12767 { &hf_smb2_file_standard_info,
12768 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE, BASE_NONE,
12769 NULL, 0, NULL, HFILL }
12770 },
12771
12772 { &hf_smb2_file_internal_info,
12773 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE, BASE_NONE,
12774 NULL, 0, NULL, HFILL }
12775 },
12776
12777 { &hf_smb2_file_mode_info,
12778 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE, BASE_NONE,
12779 NULL, 0, NULL, HFILL }
12780 },
12781
12782 { &hf_smb2_file_alignment_info,
12783 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE, BASE_NONE,
12784 NULL, 0, NULL, HFILL }
12785 },
12786
12787 { &hf_smb2_file_position_info,
12788 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE, BASE_NONE,
12789 NULL, 0, NULL, HFILL }
12790 },
12791
12792 { &hf_smb2_file_access_info,
12793 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE, BASE_NONE,
12794 NULL, 0, NULL, HFILL }
12795 },
12796
12797 { &hf_smb2_file_ea_info,
12798 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE, BASE_NONE,
12799 NULL, 0, NULL, HFILL }
12800 },
12801
12802 { &hf_smb2_file_network_open_info,
12803 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE, BASE_NONE,
12804 NULL, 0, NULL, HFILL }
12805 },
12806
12807 { &hf_smb2_file_attribute_tag_info,
12808 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE, BASE_NONE,
12809 NULL, 0, NULL, HFILL }
12810 },
12811
12812 { &hf_smb2_file_disposition_info,
12813 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE, BASE_NONE,
12814 NULL, 0, NULL, HFILL }
12815 },
12816
12817 { &hf_smb2_file_full_ea_info,
12818 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE, BASE_NONE,
12819 NULL, 0, NULL, HFILL }
12820 },
12821
12822 { &hf_smb2_file_rename_info,
12823 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE, BASE_NONE,
12824 NULL, 0, NULL, HFILL }
12825 },
12826
12827 { &hf_smb2_file_link_info,
12828 { "SMB2_FILE_LINK_INFO", "smb2.file_link_info", FT_NONE, BASE_NONE,
12829 NULL, 0, NULL, HFILL }
12830 },
12831
12832 { &hf_smb2_fs_info_01,
12833 { "FileFsVolumeInformation", "smb2.fs_volume_info", FT_NONE, BASE_NONE,
12834 NULL, 0, NULL, HFILL }
12835 },
12836
12837 { &hf_smb2_fs_info_03,
12838 { "FileFsSizeInformation", "smb2.fs_size_info", FT_NONE, BASE_NONE,
12839 NULL, 0, NULL, HFILL }
12840 },
12841
12842 { &hf_smb2_fs_info_04,
12843 { "FileFsDeviceInformation", "smb2.fs_device_info", FT_NONE, BASE_NONE,
12844 NULL, 0, NULL, HFILL }
12845 },
12846
12847 { &hf_smb2_fs_info_05,
12848 { "FileFsAttributeInformation", "smb2.fs_attribute_info", FT_NONE, BASE_NONE,
12849 NULL, 0, NULL, HFILL }
12850 },
12851
12852 { &hf_smb2_fs_info_06,
12853 { "FileFsControlInformation", "smb2.fs_control_info", FT_NONE, BASE_NONE,
12854 NULL, 0, NULL, HFILL }
12855 },
12856
12857 { &hf_smb2_fs_info_07,
12858 { "FileFsFullSizeInformation", "smb2.fs_full_size_info", FT_NONE, BASE_NONE,
12859 NULL, 0, NULL, HFILL }
12860 },
12861
12862 { &hf_smb2_fs_objectid_info,
12863 { "FileFsObjectIdInformation", "smb2.fs_objectid_info", FT_NONE, BASE_NONE,
12864 NULL, 0, NULL, HFILL }
12865 },
12866
12867 { &hf_smb2_fs_posix_info,
12868 { "FileFsPOSIXInformation", "smb2.fs_posix_info", FT_NONE, BASE_NONE,
12869 NULL, 0, NULL, HFILL }
12870 },
12871
12872 { &hf_smb2_fs_posix_optimal_transfer_size,
12873 { "Optimal Transfer Size", "smb2.fs_posix_optimal_transfer_size", FT_UINT32, BASE_DEC,
12874 NULL, 0, NULL, HFILL }
12875 },
12876
12877 { &hf_smb2_fs_posix_block_size,
12878 { "Block Size", "smb2.fs_posix_block_size", FT_UINT32, BASE_DEC,
12879 NULL, 0, NULL, HFILL }
12880 },
12881
12882 { &hf_smb2_fs_posix_total_blocks,
12883 { "Total Blocks", "smb2.fs_posix_total_blocks", FT_UINT64, BASE_DEC,
12884 NULL, 0, NULL, HFILL }
12885 },
12886
12887 { &hf_smb2_fs_posix_blocks_available,
12888 { "Blocks Available", "smb2.fs_posix_blocks_available", FT_UINT64, BASE_DEC,
12889 NULL, 0, NULL, HFILL }
12890 },
12891
12892 { &hf_smb2_fs_posix_user_blocks_available,
12893 { "User Blocks Available", "smb2.fs_posix_user_blocks_available", FT_UINT64, BASE_DEC,
12894 NULL, 0, NULL, HFILL }
12895 },
12896
12897 { &hf_smb2_fs_posix_total_file_nodes,
12898 { "Total File Nodes", "smb2.fs_posix_total_file_nodes", FT_UINT64, BASE_DEC,
12899 NULL, 0, NULL, HFILL }
12900 },
12901
12902 { &hf_smb2_fs_posix_free_file_nodes,
12903 { "Free File Nodes", "smb2.fs_posix_free_file_nodes", FT_UINT64, BASE_DEC,
12904 NULL, 0, NULL, HFILL }
12905 },
12906
12907 { &hf_smb2_fs_posix_fs_identifier,
12908 { "Fs-Identifier", "smb2.fs_posix_fs_identifier", FT_UINT64, BASE_HEX,
12909 NULL, 0, NULL, HFILL }
12910 },
12911
12912 { &hf_smb2_sec_info_00,
12913 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE, BASE_NONE,
12914 NULL, 0, NULL, HFILL }
12915 },
12916
12917 { &hf_smb2_quota_info,
12918 { "SMB2_QUOTA_INFO", "smb2.quota_info", FT_NONE, BASE_NONE,
12919 NULL, 0, NULL, HFILL }
12920 },
12921
12922 { &hf_smb2_query_quota_info,
12923 { "SMB2_QUERY_QUOTA_INFO", "smb2.query_quota_info", FT_NONE, BASE_NONE,
12924 NULL, 0, NULL, HFILL }
12925 },
12926
12927 { &hf_smb2_qq_single,
12928 { "ReturnSingle", "smb2.query_quota_info.single", FT_BOOLEAN, 8,
12929 NULL, 0xff, NULL, HFILL }
12930 },
12931
12932 { &hf_smb2_qq_restart,
12933 { "RestartScan", "smb2.query_quota_info.restart", FT_BOOLEAN, 8,
12934 NULL, 0xff, NULL, HFILL }
12935 },
12936
12937 { &hf_smb2_qq_sidlist_len,
12938 { "SidListLength", "smb2.query_quota_info.sidlistlen", FT_UINT32, BASE_DEC,
12939 NULL, 0, NULL, HFILL }
12940 },
12941
12942 { &hf_smb2_qq_start_sid_len,
12943 { "StartSidLength", "smb2.query_quota_info.startsidlen", FT_UINT32, BASE_DEC,
12944 NULL, 0, NULL, HFILL }
12945 },
12946
12947 { &hf_smb2_qq_start_sid_offset,
12948 { "StartSidOffset", "smb2.query_quota_info.startsidoffset", FT_UINT32, BASE_DEC,
12949 NULL, 0, NULL, HFILL }
12950 },
12951
12952 { &hf_smb2_disposition_delete_on_close,
12953 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN, 8,
12954 TFS(&tfs_disposition_delete_on_close), 0x01, NULL, HFILL }
12955 },
12956
12957
12958 { &hf_smb2_create_disposition,
12959 { "Disposition", "smb2.create.disposition", FT_UINT32, BASE_DEC,
12960 VALS(create_disposition_vals), 0, "Create disposition, what to do if the file does/does not exist", HFILL }
12961 },
12962
12963 { &hf_smb2_create_action,
12964 { "Create Action", "smb2.create.action", FT_UINT32, BASE_DEC,
12965 VALS(oa_open_vals), 0, NULL, HFILL }
12966 },
12967
12968 { &hf_smb2_create_rep_flags,
12969 { "Response Flags", "smb2.create.rep_flags", FT_UINT8, BASE_HEX,
12970 NULL, 0, NULL, HFILL }
12971 },
12972
12973 { &hf_smb2_create_rep_flags_reparse_point,
12974 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN, 8,
12975 NULL, SMB2_CREATE_REP_FLAGS_REPARSE_POINT, NULL, HFILL }
12976 },
12977
12978 { &hf_smb2_extrainfo,
12979 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE, BASE_NONE,
12980 NULL, 0, "Create ExtraInfo", HFILL }
12981 },
12982
12983 { &hf_smb2_create_chain_offset,
12984 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32, BASE_HEX,
12985 NULL, 0, "Offset to next entry in chain or 0", HFILL }
12986 },
12987
12988 { &hf_smb2_create_chain_data,
12989 { "Data", "smb2.create.chain_data", FT_NONE, BASE_NONE,
12990 NULL, 0, "Chain Data", HFILL }
12991 },
12992
12993 { &hf_smb2_FILE_OBJECTID_BUFFER,
12994 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE, BASE_NONE,
12995 NULL, 0, NULL, HFILL }
12996 },
12997
12998 { &hf_smb2_lease_key,
12999 { "Lease Key", "smb2.lease.lease_key", FT_GUID, BASE_NONE,
13000 NULL, 0, NULL, HFILL }
13001 },
13002
13003 { &hf_smb2_lease_state,
13004 { "Lease State", "smb2.lease.lease_state", FT_UINT32, BASE_HEX,
13005 NULL, 0, NULL, HFILL }
13006 },
13007
13008 { &hf_smb2_lease_state_read_caching,
13009 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN, 32,
13010 NULL, SMB2_LEASE_STATE_READ_CACHING, NULL, HFILL }
13011 },
13012
13013 { &hf_smb2_lease_state_handle_caching,
13014 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN, 32,
13015 NULL, SMB2_LEASE_STATE_HANDLE_CACHING, NULL, HFILL }
13016 },
13017
13018 { &hf_smb2_lease_state_write_caching,
13019 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN, 32,
13020 NULL, SMB2_LEASE_STATE_WRITE_CACHING, NULL, HFILL }
13021 },
13022
13023 { &hf_smb2_lease_flags,
13024 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32, BASE_HEX,
13025 NULL, 0, NULL, HFILL }
13026 },
13027
13028 { &hf_smb2_lease_flags_break_ack_required,
13029 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN, 32,
13030 NULL, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED, NULL, HFILL }
13031 },
13032
13033 { &hf_smb2_lease_flags_break_in_progress,
13034 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN, 32,
13035 NULL, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS, NULL, HFILL }
13036 },
13037
13038 { &hf_smb2_lease_flags_parent_lease_key_set,
13039 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN, 32,
13040 NULL, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET, NULL, HFILL }
13041 },
13042
13043 { &hf_smb2_lease_duration,
13044 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64, BASE_HEX,
13045 NULL, 0, NULL, HFILL }
13046 },
13047
13048 { &hf_smb2_parent_lease_key,
13049 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID, BASE_NONE,
13050 NULL, 0, NULL, HFILL }
13051 },
13052
13053 { &hf_smb2_lease_epoch,
13054 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT16, BASE_HEX,
13055 NULL, 0, NULL, HFILL }
13056 },
13057
13058 { &hf_smb2_lease_reserved,
13059 { "Lease Reserved", "smb2.lease.lease_reserved", FT_UINT16, BASE_HEX,
13060 NULL, 0, NULL, HFILL }
13061 },
13062
13063 { &hf_smb2_lease_break_reason,
13064 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32, BASE_HEX,
13065 NULL, 0, NULL, HFILL }
13066 },
13067
13068 { &hf_smb2_lease_access_mask_hint,
13069 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32, BASE_HEX,
13070 NULL, 0, NULL, HFILL }
13071 },
13072
13073 { &hf_smb2_lease_share_mask_hint,
13074 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32, BASE_HEX,
13075 NULL, 0, NULL, HFILL }
13076 },
13077
13078 { &hf_smb2_next_offset,
13079 { "Next Offset", "smb2.next_offset", FT_UINT32, BASE_DEC,
13080 NULL, 0, "Offset to next buffer or 0", HFILL }
13081 },
13082
13083 { &hf_smb2_negotiate_context_type,
13084 { "Type", "smb2.negotiate_context.type", FT_UINT16, BASE_HEX,
13085 VALS(smb2_negotiate_context_types), 0, NULL, HFILL }
13086 },
13087
13088 { &hf_smb2_negotiate_context_data_length,
13089 { "DataLength", "smb2.negotiate_context.data_length", FT_UINT16, BASE_DEC,
13090 NULL, 0, NULL, HFILL }
13091 },
13092
13093 { &hf_smb2_negotiate_context_offset,
13094 { "NegotiateContextOffset", "smb2.negotiate_context.offset", FT_UINT32, BASE_HEX,
13095 NULL, 0, NULL, HFILL }
13096 },
13097
13098 { &hf_smb2_negotiate_context_reserved2,
13099 { "Reserved2", "smb2.negotiate_context.reserved2", FT_UINT32, BASE_HEX,
13100 NULL, 0, NULL, HFILL }
13101 },
13102
13103 { &hf_smb2_negotiate_context_count,
13104 { "NegotiateContextCount", "smb2.negotiate_context.count", FT_UINT16, BASE_DEC,
13105 NULL, 0, NULL, HFILL }
13106 },
13107
13108 { &hf_smb2_negotiate_context_reserved,
13109 { "Reserved", "smb2.negotiate_context.reserved", FT_UINT16, BASE_DEC,
13110 NULL, 0, NULL, HFILL }
13111 },
13112
13113 { &hf_smb2_hash_alg_count,
13114 { "HashAlgorithmCount", "smb2.negotiate_context.hash_alg_count", FT_UINT16, BASE_DEC,
13115 NULL, 0, NULL, HFILL }},
13116
13117 { &hf_smb2_hash_algorithm,
13118 { "HashAlgorithm", "smb2.negotiate_context.hash_algorithm", FT_UINT16, BASE_HEX,
13119 VALS(smb2_hash_algorithm_types), 0, NULL, HFILL }},
13120
13121 { &hf_smb2_salt_length,
13122 { "SaltLength", "smb2.negotiate_context.salt_length", FT_UINT16, BASE_DEC,
13123 NULL, 0, NULL, HFILL }},
13124
13125 { &hf_smb2_salt,
13126 { "Salt", "smb2.negotiate_context.salt", FT_BYTES, BASE_NONE,
13127 NULL, 0, NULL, HFILL }},
13128
13129 { &hf_smb2_signing_alg_count,
13130 { "SigningAlgorithmCount", "smb2.negotiate_context.signing_alg_count", FT_UINT16, BASE_DEC,
13131 NULL, 0, NULL, HFILL }},
13132
13133 { &hf_smb2_signing_alg_id,
13134 { "SigningAlgorithmId", "smb2.negotiate_context.signing_id", FT_UINT16, BASE_HEX,
13135 VALS(smb2_signing_alg_types), 0, NULL, HFILL }},
13136
13137 { &hf_smb2_cipher_count,
13138 { "CipherCount", "smb2.negotiate_context.cipher_count", FT_UINT16, BASE_DEC,
13139 NULL, 0, NULL, HFILL }},
13140
13141 { &hf_smb2_cipher_id,
13142 { "CipherId", "smb2.negotiate_context.cipher_id", FT_UINT16, BASE_HEX,
13143 VALS(smb2_cipher_types), 0, NULL, HFILL }},
13144
13145 { &hf_smb2_posix_reserved,
13146 { "POSIX Reserved", "smb2.negotiate_context.posix_reserved", FT_BYTES, BASE_NONE,
13147 NULL, 0, NULL, HFILL }
13148 },
13149
13150 { &hf_smb2_dev,
13151 { "Device", "smb2.dev", FT_UINT32, BASE_HEX,
13152 NULL, 0, NULL, HFILL }
13153 },
13154
13155 { &hf_smb2_inode,
13156 { "Inode", "smb2.inode", FT_UINT64, BASE_HEX,
13157 NULL, 0, NULL, HFILL }
13158 },
13159
13160 { &hf_smb2_comp_alg_count,
13161 { "CompressionAlgorithmCount", "smb2.negotiate_context.comp_alg_count", FT_UINT16, BASE_DEC,
13162 NULL, 0, NULL, HFILL }},
13163
13164 { &hf_smb2_comp_alg_id,
13165 { "CompressionAlgorithmId", "smb2.negotiate_context.comp_alg_id", FT_UINT16, BASE_HEX,
13166 VALS(smb2_comp_alg_types), 0, NULL, HFILL }},
13167
13168 { &hf_smb2_comp_alg_flags,
13169 { "Flags", "smb2.negotiate_context.comp_alg_flags", FT_UINT32, BASE_HEX,
13170 NULL, 0, NULL, HFILL }
13171 },
13172
13173 { &hf_smb2_comp_alg_flags_chained,
13174 { "Chained", "smb2.negotiate_context.comp_alg_flags.chained", FT_BOOLEAN, 32,
13175 NULL, SMB2_COMP_ALG_FLAGS_CHAINED, "Chained compression is supported on this connection", HFILL }
13176 },
13177
13178 { &hf_smb2_comp_alg_flags_reserved,
13179 { "Reserved", "smb2.negotiate_context.comp_alg_flags.reserved", FT_UINT32, BASE_HEX,
13180 NULL, 0xFFFFFFFE, "Must be zero", HFILL }
13181 },
13182
13183 { &hf_smb2_netname_neg_id,
13184 { "Netname", "smb2.negotiate_context.netname", FT_STRING,
13185 BASE_NONE, NULL, 0x0, NULL, HFILL }
13186 },
13187
13188 { &hf_smb2_transport_ctx_flags,
13189 { "Flags", "smb2.negotiate_context.transport_flags", FT_UINT32, BASE_HEX,
13190 VALS(smb2_transport_ctx_flags_vals), 0, NULL, HFILL }
13191 },
13192
13193 { &hf_smb2_rdma_transform_count,
13194 { "TransformCount", "smb2.negotiate_context.rdma_transform_count", FT_UINT16, BASE_DEC,
13195 NULL, 0, NULL, HFILL }
13196 },
13197
13198 { &hf_smb2_rdma_transform_reserved1,
13199 { "Reserved1", "smb2.negotiate_context.rdma_transform_reserved1", FT_UINT16, BASE_HEX,
13200 NULL, 0, NULL, HFILL }
13201 },
13202
13203 { &hf_smb2_rdma_transform_reserved2,
13204 { "Reserved2", "smb2.negotiate_context.rdma_transform_reserved2", FT_UINT32, BASE_HEX,
13205 NULL, 0, NULL, HFILL }
13206 },
13207
13208 { &hf_smb2_rdma_transform_id,
13209 { "RDMATransformId", "smb2.negotiate_context.rdma_transform_id", FT_UINT16, BASE_HEX,
13210 VALS(smb2_rdma_transform_types), 0, NULL, HFILL }
13211 },
13212
13213 { &hf_smb2_current_time,
13214 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
13215 NULL, 0, "Current Time at server", HFILL }
13216 },
13217
13218 { &hf_smb2_boot_time,
13219 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
13220 NULL, 0, "Boot Time at server", HFILL }
13221 },
13222
13223 { &hf_smb2_ea_flags,
13224 { "EA Flags", "smb2.ea.flags", FT_UINT8, BASE_HEX,
13225 VALS(file_full_ea_information_flags), 0, NULL, HFILL }
13226 },
13227
13228 { &hf_smb2_ea_name_len,
13229 { "EA Name Length", "smb2.ea.name_len", FT_UINT8, BASE_DEC,
13230 NULL, 0, NULL, HFILL }
13231 },
13232
13233 { &hf_smb2_ea_data_len,
13234 { "EA Data Length", "smb2.ea.data_len", FT_UINT16, BASE_DEC,
13235 NULL, 0, NULL, HFILL }
13236 },
13237
13238 { &hf_smb2_delete_pending,
13239 { "Delete Pending", "smb2.delete_pending", FT_UINT8, BASE_DEC,
13240 NULL, 0, NULL, HFILL }
13241 },
13242
13243 { &hf_smb2_is_directory,
13244 { "Is Directory", "smb2.is_directory", FT_UINT8, BASE_DEC,
13245 NULL, 0, "Is this a directory?", HFILL }
13246 },
13247
13248 { &hf_smb2_oplock,
13249 { "Oplock", "smb2.create.oplock", FT_UINT8, BASE_HEX,
13250 VALS(oplock_vals), 0, "Oplock type", HFILL }
13251 },
13252
13253 { &hf_smb2_close_flags,
13254 { "Close Flags", "smb2.close.flags", FT_UINT16, BASE_HEX,
13255 NULL, 0, NULL, HFILL }
13256 },
13257
13258 { &hf_smb2_notify_flags,
13259 { "Notify Flags", "smb2.notify.flags", FT_UINT16, BASE_HEX,
13260 NULL, 0, NULL, HFILL }
13261 },
13262
13263 { &hf_smb2_buffer_code,
13264 { "StructureSize", "smb2.buffer_code", FT_UINT16, BASE_HEX,
13265 NULL, 0, NULL, HFILL }
13266 },
13267
13268 { &hf_smb2_buffer_code_len,
13269 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16, BASE_DEC,
13270 NULL, 0xFFFE, "Length of fixed portion of PDU", HFILL }
13271 },
13272
13273 { &hf_smb2_olb_length,
13274 { "Blob Length", "smb2.olb.length", FT_UINT32, BASE_DEC,
13275 NULL, 0, "Length of the buffer", HFILL }
13276 },
13277
13278 { &hf_smb2_olb_offset,
13279 { "Blob Offset", "smb2.olb.offset", FT_UINT32, BASE_HEX,
13280 NULL, 0, "Offset to the buffer", HFILL }
13281 },
13282
13283 { &hf_smb2_buffer_code_flags_dyn,
13284 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN, 16,
13285 NULL, 0x0001, "Whether a dynamic length blob follows", HFILL }
13286 },
13287
13288 { &hf_smb2_ea_data,
13289 { "EA Data", "smb2.ea.data", FT_BYTES, BASE_NONE|BASE_SHOW_ASCII_PRINTABLE,
13290 NULL, 0, NULL, HFILL }
13291 },
13292
13293 { &hf_smb2_ea_name,
13294 { "EA Name", "smb2.ea.name", FT_STRING, BASE_NONE,
13295 NULL, 0, NULL, HFILL }
13296 },
13297
13298 { &hf_smb2_impersonation_level,
13299 { "Impersonation level", "smb2.impersonation.level", FT_UINT32, BASE_DEC,
13300 VALS(impersonation_level_vals), 0, NULL, HFILL }
13301 },
13302
13303 { &hf_smb2_ioctl_function,
13304 { "Function", "smb2.ioctl.function", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
13305 &smb2_ioctl_vals_ext, 0, "Ioctl function", HFILL }
13306 },
13307
13308 { &hf_smb2_ioctl_function_device,
13309 { "Device", "smb2.ioctl.function.device", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
13310 &smb2_ioctl_device_vals_ext, 0xffff0000, "Device for Ioctl", HFILL }
13311 },
13312
13313 { &hf_smb2_ioctl_function_access,
13314 { "Access", "smb2.ioctl.function.access", FT_UINT32, BASE_HEX,
13315 VALS(smb2_ioctl_access_vals), 0x0000c000, "Access for Ioctl", HFILL }
13316 },
13317
13318 { &hf_smb2_ioctl_function_function,
13319 { "Function", "smb2.ioctl.function.function", FT_UINT32, BASE_HEX,
13320 NULL, 0x00003ffc, "Function for Ioctl", HFILL }
13321 },
13322
13323 { &hf_smb2_ioctl_function_method,
13324 { "Method", "smb2.ioctl.function.method", FT_UINT32, BASE_HEX,
13325 VALS(smb2_ioctl_method_vals), 0x00000003, "Method for Ioctl", HFILL }
13326 },
13327
13328 { &hf_smb2_fsctl_pipe_wait_timeout,
13329 { "Timeout", "smb2.fsctl.wait.timeout", FT_INT64, BASE_DEC,
13330 NULL, 0, "Wait timeout", HFILL }
13331 },
13332
13333 { &hf_smb2_fsctl_pipe_wait_name,
13334 { "Name", "smb2.fsctl.wait.name", FT_STRING, BASE_NONE,
13335 NULL, 0, "Pipe name", HFILL }
13336 },
13337
13338 { &hf_smb2_fsctl_odx_token_type,
13339 { "TokenType", "smb2.fsctl.odx.token.type", FT_UINT32, BASE_HEX,
13340 NULL, 0, NULL, HFILL }
13341 },
13342
13343 { &hf_smb2_fsctl_odx_token_idlen,
13344 { "TokenIdLength", "smb2.fsctl.odx.token.idlen", FT_UINT16, BASE_DEC,
13345 NULL, 0, NULL, HFILL }
13346 },
13347
13348 { &hf_smb2_fsctl_odx_token_idraw,
13349 { "TokenId", "smb2.fsctl.odx.token.id", FT_BYTES, BASE_NONE,
13350 NULL, 0, "Token ID (opaque)", HFILL }
13351 },
13352
13353 { &hf_smb2_fsctl_odx_token_ttl,
13354 { "TokenTimeToLive", "smb2.fsctl.odx.token_ttl", FT_UINT32, BASE_DEC,
13355 NULL, 0, "TTL requested for the token (in milliseconds)", HFILL }
13356 },
13357
13358 { &hf_smb2_fsctl_odx_size,
13359 { "Size", "smb2.fsctl.odx.size", FT_UINT32, BASE_DEC,
13360 NULL, 0, "Size of this data element", HFILL }
13361 },
13362
13363 { &hf_smb2_fsctl_odx_flags,
13364 { "Flags", "smb2.fsctl.odx.flags", FT_UINT32, BASE_HEX,
13365 NULL, 0, "Flags for this operation", HFILL }
13366 },
13367
13368 { &hf_smb2_fsctl_odx_file_offset,
13369 { "FileOffset", "smb2.fsctl.odx.file_offset", FT_UINT64, BASE_DEC,
13370 NULL, 0, NULL, HFILL }
13371 },
13372
13373 { &hf_smb2_fsctl_odx_copy_length,
13374 { "CopyLength", "smb2.fsctl.odx.copy_length", FT_UINT64, BASE_DEC,
13375 NULL, 0, NULL, HFILL }
13376 },
13377
13378 { &hf_smb2_fsctl_odx_xfer_length,
13379 { "TransferLength", "smb2.fsctl.odx.xfer_length", FT_UINT64, BASE_DEC,
13380 NULL, 0, NULL, HFILL }
13381 },
13382
13383 { &hf_smb2_fsctl_odx_token_offset,
13384 { "TokenOffset", "smb2.fsctl.odx.token_offset", FT_UINT64, BASE_DEC,
13385 NULL, 0, "Token Offset (relative to start of token)", HFILL }
13386 },
13387
13388 { &hf_smb2_fsctl_sparse_flag,
13389 { "SetSparse", "smb2.fsctl.set_sparse", FT_BOOLEAN, 8,
13390 NULL, 0xFF, NULL, HFILL }
13391 },
13392
13393 { &hf_smb2_ioctl_resiliency_timeout,
13394 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32, BASE_DEC,
13395 NULL, 0, "Resiliency timeout", HFILL }
13396 },
13397
13398 { &hf_smb2_ioctl_resiliency_reserved,
13399 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32, BASE_DEC,
13400 NULL, 0, "Resiliency reserved", HFILL }
13401 },
13402
13403 { &hf_smb2_ioctl_shared_virtual_disk_support,
13404 { "SharedVirtualDiskSupport", "smb2.ioctl.shared_virtual_disk.support", FT_UINT32, BASE_HEX,
13405 VALS(smb2_ioctl_shared_virtual_disk_vals), 0, "Supported shared capabilities", HFILL }
13406 },
13407
13408 { &hf_smb2_ioctl_shared_virtual_disk_handle_state,
13409 { "SharedVirtualDiskHandleState", "smb2.ioctl.shared_virtual_disk.handle_state", FT_UINT32, BASE_HEX,
13410 VALS(smb2_ioctl_shared_virtual_disk_hstate_vals), 0, NULL, HFILL }
13411 },
13412
13413 { &hf_smb2_ioctl_sqos_protocol_version,
13414 { "ProtocolVersion", "smb2.ioctl.sqos.protocol_version", FT_UINT16, BASE_HEX,
13415 VALS(smb2_ioctl_sqos_protocol_version_vals), 0, NULL, HFILL }
13416 },
13417
13418 { &hf_smb2_ioctl_sqos_reserved,
13419 { "Reserved", "smb2.ioctl.sqos.reserved", FT_UINT16, BASE_DEC,
13420 NULL, 0, NULL, HFILL }
13421 },
13422
13423 { &hf_smb2_ioctl_sqos_options,
13424 { "Operations", "smb2.ioctl.sqos.operations", FT_UINT32, BASE_HEX,
13425 NULL, 0, "SQOS operations", HFILL }
13426 },
13427
13428 { &hf_smb2_ioctl_sqos_op_set_logical_flow_id,
13429 { "Set Logical Flow ID", "smb2.ioctl.sqos.operations.set_logical_flow_id", FT_BOOLEAN, 32,
13430 NULL, STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID, "Whether Set Logical Flow ID operation is performed", HFILL }
13431 },
13432
13433 { &hf_smb2_ioctl_sqos_op_set_policy,
13434 { "Set Policy", "smb2.ioctl.sqos.operations.set_policy", FT_BOOLEAN, 32,
13435 NULL, STORAGE_QOS_CONTROL_FLAG_SET_POLICY, "Whether Set Policy operation is performed", HFILL }
13436 },
13437
13438 { &hf_smb2_ioctl_sqos_op_probe_policy,
13439 { "Probe Policy", "smb2.ioctl.sqos.operations.probe_policy", FT_BOOLEAN, 32,
13440 NULL, STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY, "Whether Probe Policy operation is performed", HFILL }
13441 },
13442
13443 { &hf_smb2_ioctl_sqos_op_get_status,
13444 { "Get Status", "smb2.ioctl.sqos.operations.get_status", FT_BOOLEAN, 32,
13445 NULL, STORAGE_QOS_CONTROL_FLAG_GET_STATUS, "Whether Get Status operation is performed", HFILL }
13446 },
13447
13448 { &hf_smb2_ioctl_sqos_op_update_counters,
13449 { "Update Counters", "smb2.ioctl.sqos.operations.update_counters", FT_BOOLEAN, 32,
13450 NULL, STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS, "Whether Update Counters operation is performed", HFILL }
13451 },
13452
13453 { &hf_smb2_ioctl_sqos_logical_flow_id,
13454 { "LogicalFlowID", "smb2.ioctl.sqos.logical_flow_id", FT_GUID, BASE_NONE,
13455 NULL, 0, NULL, HFILL }
13456 },
13457
13458 { &hf_smb2_ioctl_sqos_policy_id,
13459 { "PolicyID", "smb2.ioctl.sqos.policy_id", FT_GUID, BASE_NONE,
13460 NULL, 0, NULL, HFILL }
13461 },
13462
13463 { &hf_smb2_ioctl_sqos_initiator_id,
13464 { "InitiatorID", "smb2.ioctl.sqos.initiator_id", FT_GUID, BASE_NONE,
13465 NULL, 0, NULL, HFILL }
13466 },
13467
13468 { &hf_smb2_ioctl_sqos_limit,
13469 { "Limit", "smb2.ioctl.sqos.limit", FT_UINT64, BASE_DEC,
13470 NULL, 0, "Desired maximum throughput for the logical flow, in normalized IOPS", HFILL }
13471 },
13472
13473 { &hf_smb2_ioctl_sqos_reservation,
13474 { "Reservation", "smb2.ioctl.sqos.reservation", FT_UINT64, BASE_DEC,
13475 NULL, 0, "Desired minimum throughput for the logical flow, in normalized 8KB IOPS", HFILL }
13476 },
13477
13478 { &hf_smb2_ioctl_sqos_initiator_name,
13479 { "InitiatorName", "smb2.ioctl.sqos.initiator_name", FT_STRING, BASE_NONE,
13480 NULL, 0x0, NULL, HFILL }
13481 },
13482
13483 { &hf_smb2_ioctl_sqos_initiator_node_name,
13484 { "InitiatorNodeName", "smb2.ioctl.sqos.initiator_node_name", FT_STRING, BASE_NONE,
13485 NULL, 0x0, NULL, HFILL }
13486 },
13487
13488 { &hf_smb2_ioctl_sqos_io_count_increment,
13489 { "IoCountIncrement", "smb2.ioctl.sqos.io_count_increment", FT_UINT64, BASE_DEC,
13490 NULL, 0, "The total number of I/O requests issued by the initiator on the logical flow", HFILL }
13491 },
13492
13493 { &hf_smb2_ioctl_sqos_normalized_io_count_increment,
13494 { "NormalizedIoCountIncrement", "smb2.ioctl.sqos.normalized_io_count_increment", FT_UINT64, BASE_DEC,
13495 NULL, 0, "The total number of normalized 8-KB I/O requests issued by the initiator on the logical flow", HFILL }
13496 },
13497
13498 { &hf_smb2_ioctl_sqos_latency_increment,
13499 { "LatencyIncrement", "smb2.ioctl.sqos.latency_increment", FT_UINT64, BASE_DEC,
13500 NULL, 0, "The total latency (including initiator's queues delays) measured by the initiator", HFILL }
13501 },
13502
13503 { &hf_smb2_ioctl_sqos_lower_latency_increment,
13504 { "LowerLatencyIncrement", "smb2.ioctl.sqos.lower_latency_increment", FT_UINT64, BASE_DEC,
13505 NULL, 0, "The total latency (excluding initiator's queues delays) measured by the initiator", HFILL }
13506 },
13507
13508 { &hf_smb2_ioctl_sqos_bandwidth_limit,
13509 { "BandwidthLimit", "smb2.ioctl.sqos.bandwidth_limit", FT_UINT64, BASE_DEC,
13510 NULL, 0, "Desired maximum bandwidth for the logical flow, in kilobytes per second", HFILL }
13511 },
13512
13513 { &hf_smb2_ioctl_sqos_kilobyte_count_increment,
13514 { "KilobyteCountIncrement", "smb2.ioctl.sqos.kilobyte_count_increment", FT_UINT64, BASE_DEC,
13515 NULL, 0, "The total data transfer length of all I/O requests, in kilobyte units, issued by the initiator on the logical flow", HFILL }
13516 },
13517
13518 { &hf_smb2_ioctl_sqos_time_to_live,
13519 { "TimeToLive", "smb2.ioctl.sqos.time_to_live", FT_UINT32, BASE_DEC,
13520 NULL, 0, "The expected period of validity of the Status, MaximumIoRate and MinimumIoRate fields, expressed in milliseconds", HFILL }
13521 },
13522
13523 { &hf_smb2_ioctl_sqos_status,
13524 { "Status", "smb2.ioctl.sqos.status", FT_UINT32, BASE_HEX,
13525 VALS(smb2_ioctl_sqos_status_vals), 0, "The current status of the logical flow", HFILL }
13526 },
13527
13528 { &hf_smb2_ioctl_sqos_maximum_io_rate,
13529 { "MaximumIoRate", "smb2.ioctl.sqos.maximum_io_rate", FT_UINT64, BASE_DEC,
13530 NULL, 0, "The maximum I/O initiation rate currently assigned to the logical flow, expressed in normalized input/output operations per second (normalized IOPS)", HFILL }
13531 },
13532
13533 { &hf_smb2_ioctl_sqos_minimum_io_rate,
13534 { "MinimumIoRate", "smb2.ioctl.sqos.minimum_io_rate", FT_UINT64, BASE_DEC,
13535 NULL, 0, "The minimum I/O completion rate currently assigned to the logical flow, expressed in normalized IOPS", HFILL }
13536 },
13537
13538 { &hf_smb2_ioctl_sqos_base_io_size,
13539 { "BaseIoSize", "smb2.ioctl.sqos.base_io_size", FT_UINT32, BASE_DEC,
13540 NULL, 0, "The base I/O size used to compute the normalized size of an I/O request for the logical flow", HFILL }
13541 },
13542
13543 { &hf_smb2_ioctl_sqos_reserved2,
13544 { "Reserved", "smb2.ioctl.sqos.reserved2", FT_UINT32, BASE_DEC,
13545 NULL, 0, NULL, HFILL }
13546 },
13547
13548 { &hf_smb2_ioctl_sqos_maximum_bandwidth,
13549 { "MaximumBandwidth", "smb2.ioctl.sqos.maximum_bandwidth", FT_UINT64, BASE_DEC,
13550 NULL, 0, "The maximum bandwidth currently assigned to the logical flow, expressed in kilobytes per second", HFILL }
13551 },
13552
13553
13554 { &hf_windows_sockaddr_family,
13555 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16, BASE_DEC,
13556 NULL, 0, "The socket address family (on windows)", HFILL }
13557 },
13558
13559 { &hf_windows_sockaddr_port,
13560 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16, BASE_DEC,
13561 NULL, 0, "The socket address port", HFILL }
13562 },
13563
13564 { &hf_windows_sockaddr_in_addr,
13565 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4, BASE_NONE,
13566 NULL, 0, "The IPv4 address", HFILL }
13567 },
13568
13569 { &hf_windows_sockaddr_in6_flowinfo,
13570 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32, BASE_HEX,
13571 NULL, 0, "The socket IPv6 flow info", HFILL }
13572 },
13573
13574 { &hf_windows_sockaddr_in6_addr,
13575 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6, BASE_NONE,
13576 NULL, 0, "The IPv6 address", HFILL }
13577 },
13578
13579 { &hf_windows_sockaddr_in6_scope_id,
13580 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32, BASE_DEC,
13581 NULL, 0, "The socket IPv6 scope id", HFILL }
13582 },
13583
13584 { &hf_smb2_ioctl_network_interface_next_offset,
13585 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32, BASE_HEX,
13586 NULL, 0, "Offset to next entry in chain or 0", HFILL }
13587 },
13588
13589 { &hf_smb2_ioctl_network_interface_index,
13590 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32, BASE_DEC,
13591 NULL, 0, "The index of the interface", HFILL }
13592 },
13593
13594 { &hf_smb2_ioctl_network_interface_reserved,
13595 { "Reserved", "smb2.ioctl.network_interfaces.reserved", FT_UINT32, BASE_DEC,
13596 NULL, 0, "Was RSS Queue Count", HFILL }
13597 },
13598
13599 { &hf_smb2_ioctl_network_interface_capabilities,
13600 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32, BASE_HEX,
13601 NULL, 0, "The capabilities of the network interface", HFILL }
13602 },
13603
13604 { &hf_smb2_ioctl_network_interface_capability_rss,
13605 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN, 32,
13606 TFS(&tfs_smb2_ioctl_network_interface_capability_rss), NETWORK_INTERFACE_CAP_RSS, "If the host supports RSS", HFILL }
13607 },
13608
13609 { &hf_smb2_ioctl_network_interface_capability_rdma,
13610 { "RDMA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN, 32,
13611 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma), NETWORK_INTERFACE_CAP_RDMA, "If the host supports RDMA", HFILL }
13612 },
13613
13614 { &hf_smb2_ioctl_network_interface_link_speed,
13615 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64, BASE_DEC,
13616 NULL, 0, "The link speed of the interface", HFILL }
13617 },
13618
13619 { &hf_smb2_ioctl_enumerate_snapshots_num_snapshots,
13620 { "Number of snapshots", "smb2.ioctl.enumerate_snapshots.num_snapshots", FT_UINT32, BASE_DEC,
13621 NULL, 0, "Number of previous versions associated with the volume", HFILL }
13622 },
13623
13624 { &hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned,
13625 { "Number of snapshots returned", "smb2.ioctl.enumerate_snapshots.num_snapshots_returned", FT_UINT32, BASE_DEC,
13626 NULL, 0, "Number of previous version time stamps returned", HFILL }
13627 },
13628
13629 { &hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size,
13630 { "Array size", "smb2.ioctl.enumerate_snapshots.array_size", FT_UINT32, BASE_DEC,
13631 NULL, 0, "Number of bytes for snapshot time stamp strings", HFILL }
13632 },
13633
13634 { &hf_smb2_ioctl_enumerate_snapshots_snapshot,
13635 { "Snapshot", "smb2.ioctl.enumerate_snapshots.snapshot", FT_STRINGZ, BASE_NONE,
13636 NULL, 0, "Time stamp of previous version", HFILL }
13637 },
13638
13639 { &hf_smb2_ioctl_get_ntfs_volume_data_volume_serial, {
13640 "VolumeSerialNumber",
13641 "smb2.ioctl.get_ntfs_volume_data.volume_serial_number",
13642 FT_UINT64, BASE_DEC,
13643 NULL, 0, "Volume Serial Number", HFILL },
13644 },
13645
13646 { &hf_smb2_ioctl_get_ntfs_volume_data_num_sectors, {
13647 "NumberSectors",
13648 "smb2.ioctl.get_ntfs_volume_data.num_sectors",
13649 FT_UINT64, BASE_DEC,
13650 NULL, 0, "Number Sectors", HFILL },
13651 },
13652
13653 { &hf_smb2_ioctl_get_ntfs_volume_data_total_clusters, {
13654 "TotalClusters",
13655 "smb2.ioctl.get_ntfs_volume_data.total_clusters",
13656 FT_UINT64, BASE_DEC,
13657 NULL, 0, "Total Clusters", HFILL },
13658 },
13659
13660 { &hf_smb2_ioctl_get_ntfs_volume_data_free_clusters, {
13661 "FreeClusters",
13662 "smb2.ioctl.get_ntfs_volume_data.free_clusters",
13663 FT_UINT64, BASE_DEC,
13664 NULL, 0, "Free Clusters", HFILL },
13665 },
13666
13667 { &hf_smb2_ioctl_get_ntfs_volume_data_total_reserved, {
13668 "TotalReserved",
13669 "smb2.ioctl.get_ntfs_volume_data.total_reserved",
13670 FT_UINT64, BASE_DEC,
13671 NULL, 0, "Total Reserved", HFILL },
13672 },
13673
13674 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector, {
13675 "BytesPerSector",
13676 "smb2.ioctl.get_ntfs_volume_data.bytes_per_sector",
13677 FT_UINT32, BASE_DEC,
13678 NULL, 0, "Bytes Per Sector", HFILL },
13679 },
13680
13681 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster, {
13682 "BytesPerCluster",
13683 "smb2.ioctl.get_ntfs_volume_data.bytes_per_cluster",
13684 FT_UINT32, BASE_DEC,
13685 NULL, 0, "Bytes Per Cluster", HFILL },
13686 },
13687
13688 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment, {
13689 "BytesPerFileRecordSegment",
13690 "smb2.ioctl.get_ntfs_volume_data.bytes_per_file_record_segment",
13691 FT_UINT32, BASE_DEC,
13692 NULL, 0, "Bytes Per File Record Segment", HFILL },
13693 },
13694
13695 { &hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment, {
13696 "ClustersPerFileRecordSegment",
13697 "smb2.ioctl.get_ntfs_volume_data.clusters_per_file_record_segment",
13698 FT_UINT32, BASE_DEC,
13699 NULL, 0, "Clusters Per File Record Segment", HFILL },
13700 },
13701
13702 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length, {
13703 "MftValidDataLength",
13704 "smb2.ioctl.get_ntfs_volume_data.mft_valid_data_length",
13705 FT_UINT64, BASE_DEC,
13706 NULL, 0, "Mft Valid Data Length", HFILL },
13707 },
13708
13709 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn, {
13710 "MftStartLcn",
13711 "smb2.ioctl.get_ntfs_volume_data.mft_start_lcn",
13712 FT_UINT64, BASE_DEC,
13713 NULL, 0, "Mft Start Lcn", HFILL },
13714 },
13715
13716 { &hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn, {
13717 "Mft2StartLcn",
13718 "smb2.ioctl.get_ntfs_volume_data.mft2_start_lcn",
13719 FT_UINT64, BASE_DEC,
13720 NULL, 0, "Mft2 Start Lcn", HFILL },
13721 },
13722
13723 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start, {
13724 "MftZoneStart",
13725 "smb2.ioctl.get_ntfs_volume_data.mft_zone_start",
13726 FT_UINT64, BASE_DEC,
13727 NULL, 0, "Mft Zone Start", HFILL },
13728 },
13729
13730 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end, {
13731 "MftZoneEnd",
13732 "smb2.ioctl.get_ntfs_volume_data.mft_zone_end",
13733 FT_UINT64, BASE_DEC,
13734 NULL, 0, "Mft Zone End", HFILL },
13735 },
13736
13737 { &hf_smb2_tree_connect_flags,
13738 { "Flags", "smb2.tc.flags", FT_UINT16, BASE_HEX,
13739 NULL, 0, "Tree Connect flags", HFILL }
13740 },
13741
13742 { &hf_smb2_tc_cluster_reconnect,
13743 { "Cluster Reconnect", "smb2.tc.cluster_reconnect", FT_BOOLEAN, 16,
13744 TFS(&tfs_set_notset), 0x0001, "If this is a Cluster Reconnect", HFILL }
13745 },
13746
13747 { &hf_smb2_tc_redirect_to_owner,
13748 { "Redirect To Owner", "smb2.tc.redirect_to_owner", FT_BOOLEAN, 16,
13749 TFS(&tfs_set_notset), 0x0002, "Set if the client can handle Share Redirects", HFILL }
13750 },
13751
13752 { &hf_smb2_tc_extension_present,
13753 { "Extension Present", "smb2.tc.extension_present", FT_BOOLEAN, 16,
13754 TFS(&tfs_set_notset), 0x0004, "Set if an extension structure is present", HFILL }
13755 },
13756
13757 { &hf_smb2_tc_reserved,
13758 { "Reserved", "smb2.tc.reserved", FT_UINT16, BASE_HEX,
13759 NULL, 0xFFF8, "Must be zero", HFILL }
13760 },
13761
13762 { &hf_smb2_compression_format,
13763 { "Compression Format", "smb2.compression_format", FT_UINT16, BASE_DEC,
13764 VALS(compression_format_vals), 0, NULL, HFILL }
13765 },
13766
13767 { &hf_smb2_checksum_algorithm,
13768 { "Checksum Algorithm", "smb2.checksum_algorithm", FT_UINT16, BASE_HEX,
13769 VALS(checksum_algorithm_vals), 0, NULL, HFILL }
13770 },
13771
13772 { &hf_smb2_integrity_reserved,
13773 { "Reserved", "smb2.integrity_reserved", FT_UINT16, BASE_DEC,
13774 NULL, 0, NULL, HFILL }
13775 },
13776
13777 { &hf_smb2_integrity_flags,
13778 { "Flags", "smb2.integrity_flags", FT_UINT32, BASE_HEX,
13779 NULL, 0, NULL, HFILL }
13780 },
13781
13782 { &hf_smb2_integrity_flags_enforcement_off,
13783 { "FSCTL_INTEGRITY_FLAG_CHECKSUM_ENFORCEMENT_OFF", "smb2.integrity_flags_enforcement", FT_BOOLEAN, 32,
13784 NULL, 0x1, "If checksum error enforcement is off", HFILL }
13785 },
13786
13787 { &hf_smb2_share_type,
13788 { "Share Type", "smb2.share_type", FT_UINT8, BASE_HEX,
13789 VALS(smb2_share_type_vals), 0, "Type of share", HFILL }
13790 },
13791
13792 { &hf_smb2_credit_charge,
13793 { "Credit Charge", "smb2.credit.charge", FT_UINT16, BASE_DEC,
13794 NULL, 0, NULL, HFILL }
13795 },
13796
13797 { &hf_smb2_credits_requested,
13798 { "Credits requested", "smb2.credits.requested", FT_UINT16, BASE_DEC,
13799 NULL, 0, NULL, HFILL }
13800 },
13801
13802 { &hf_smb2_credits_granted,
13803 { "Credits granted", "smb2.credits.granted", FT_UINT16, BASE_DEC,
13804 NULL, 0, NULL, HFILL }
13805 },
13806
13807 { &hf_smb2_channel_sequence,
13808 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16, BASE_DEC,
13809 NULL, 0, NULL, HFILL }
13810 },
13811
13812 { &hf_smb2_dialect_count,
13813 { "Dialect count", "smb2.dialect_count", FT_UINT16, BASE_DEC,
13814 NULL, 0, NULL, HFILL }
13815 },
13816
13817 { &hf_smb2_dialect,
13818 { "Dialect", "smb2.dialect", FT_UINT16, BASE_HEX,
13819 VALS(smb2_dialect_vals), 0, NULL, HFILL }
13820 },
13821
13822 { &hf_smb2_security_mode,
13823 { "Security mode", "smb2.sec_mode", FT_UINT8, BASE_HEX,
13824 NULL, 0, NULL, HFILL }
13825 },
13826
13827 { &hf_smb2_session_flags,
13828 { "Session Flags", "smb2.session_flags", FT_UINT16, BASE_HEX,
13829 NULL, 0, NULL, HFILL }
13830 },
13831
13832 { &hf_smb2_lock_count,
13833 { "Lock Count", "smb2.lock_count", FT_UINT16, BASE_DEC,
13834 NULL, 0, NULL, HFILL }
13835 },
13836
13837 { &hf_smb2_lock_sequence_number,
13838 { "Lock Sequence Number", "smb2.lock_sequence_number", FT_UINT32, BASE_DEC,
13839 NULL, 0x0000000F, NULL, HFILL }
13840 },
13841
13842 { &hf_smb2_lock_sequence_index,
13843 { "Lock Sequence Index", "smb2.lock_sequence_index", FT_UINT32, BASE_DEC,
13844 NULL, 0xFFFFFFF0, NULL, HFILL }
13845 },
13846
13847 { &hf_smb2_capabilities,
13848 { "Capabilities", "smb2.capabilities", FT_UINT32, BASE_HEX,
13849 NULL, 0, NULL, HFILL }
13850 },
13851
13852 { &hf_smb2_auth_frame,
13853 { "Authenticated in Frame", "smb2.auth_frame", FT_FRAMENUM, BASE_NONE,
13854 NULL, 0, "Which frame this user was authenticated in", HFILL }
13855 },
13856
13857 { &hf_smb2_tcon_frame,
13858 { "Connected in Frame", "smb2.tcon_frame", FT_FRAMENUM, BASE_NONE,
13859 NULL, 0, "Which frame this share was connected in", HFILL }
13860 },
13861
13862 { &hf_smb2_tdcon_frame,
13863 { "Disconnected in Frame", "smb2.tdcon_frame", FT_FRAMENUM, BASE_NONE,
13864 NULL, 0, "Which frame this share was disconnected in", HFILL }
13865 },
13866
13867 { &hf_smb2_tag,
13868 { "Tag", "smb2.tag", FT_STRING, BASE_NONE,
13869 NULL, 0, "Tag of chain entry", HFILL }
13870 },
13871
13872 { &hf_smb2_acct_name,
13873 { "Account", "smb2.acct", FT_STRING, BASE_NONE,
13874 NULL, 0, "Account Name", HFILL }
13875 },
13876
13877 { &hf_smb2_domain_name,
13878 { "Domain", "smb2.domain", FT_STRING, BASE_NONE,
13879 NULL, 0, "Domain Name", HFILL }
13880 },
13881
13882 { &hf_smb2_host_name,
13883 { "Host", "smb2.host", FT_STRING, BASE_NONE,
13884 NULL, 0, "Host Name", HFILL }
13885 },
13886
13887 { &hf_smb2_signature,
13888 { "Signature", "smb2.signature", FT_BYTES, BASE_NONE,
13889 NULL, 0, NULL, HFILL }
13890 },
13891
13892 { &hf_smb2_unknown,
13893 { "Unknown", "smb2.unknown", FT_BYTES, BASE_NONE,
13894 NULL, 0, NULL, HFILL }
13895 },
13896
13897 { &hf_smb2_twrp_timestamp,
13898 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
13899 NULL, 0, "TWrp timestamp", HFILL }
13900 },
13901
13902 { &hf_smb2_mxac_timestamp,
13903 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
13904 NULL, 0, "MxAc timestamp", HFILL }
13905 },
13906
13907 { &hf_smb2_mxac_status,
13908 { "Query Status", "smb2.mxac_status", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
13909 &NT_errors_ext, 0, "NT Status code", HFILL }
13910 },
13911
13912 { &hf_smb2_qfid_fid,
13913 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES, BASE_NONE,
13914 NULL, 0, NULL, HFILL }
13915 },
13916
13917 { &hf_smb2_ses_flags_guest,
13918 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN, 16,
13919 NULL, SES_FLAGS_GUEST, NULL, HFILL }
13920 },
13921
13922 { &hf_smb2_ses_flags_null,
13923 { "Null", "smb2.ses_flags.null", FT_BOOLEAN, 16,
13924 NULL, SES_FLAGS_NULL, NULL, HFILL }
13925 },
13926
13927 { &hf_smb2_ses_flags_encrypt,
13928 { "Encrypt", "smb2.ses_flags.encrypt", FT_BOOLEAN, 16,
13929 NULL, SES_FLAGS_ENCRYPT, NULL, HFILL }},
13930
13931 { &hf_smb2_secmode_flags_sign_required,
13932 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN, 8,
13933 NULL, NEGPROT_SIGN_REQ, "Is signing required", HFILL }
13934 },
13935
13936 { &hf_smb2_secmode_flags_sign_enabled,
13937 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN, 8,
13938 NULL, NEGPROT_SIGN_ENABLED, "Is signing enabled", HFILL }
13939 },
13940
13941 { &hf_smb2_ses_req_flags,
13942 { "Flags", "smb2.ses_req_flags", FT_UINT8, BASE_DEC,
13943 NULL, 0, NULL, HFILL }
13944 },
13945
13946 { &hf_smb2_ses_req_flags_session_binding,
13947 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN, 8,
13948 NULL, SES_REQ_FLAGS_SESSION_BINDING, "The client wants to bind to an existing session", HFILL }
13949 },
13950
13951 { &hf_smb2_cap_dfs,
13952 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN, 32,
13953 TFS(&tfs_cap_dfs), NEGPROT_CAP_DFS, "If the host supports dfs", HFILL }
13954 },
13955
13956 { &hf_smb2_cap_leasing,
13957 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN, 32,
13958 TFS(&tfs_cap_leasing), NEGPROT_CAP_LEASING, "If the host supports leasing", HFILL }
13959 },
13960
13961 { &hf_smb2_cap_large_mtu,
13962 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN, 32,
13963 TFS(&tfs_cap_large_mtu), NEGPROT_CAP_LARGE_MTU, "If the host supports LARGE MTU", HFILL }
13964 },
13965
13966 { &hf_smb2_cap_multi_channel,
13967 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN, 32,
13968 TFS(&tfs_cap_multi_channel), NEGPROT_CAP_MULTI_CHANNEL, "If the host supports MULTI CHANNEL", HFILL }
13969 },
13970
13971 { &hf_smb2_cap_persistent_handles,
13972 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN, 32,
13973 TFS(&tfs_cap_persistent_handles), NEGPROT_CAP_PERSISTENT_HANDLES, "If the host supports PERSISTENT HANDLES", HFILL }
13974 },
13975
13976 { &hf_smb2_cap_directory_leasing,
13977 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN, 32,
13978 TFS(&tfs_cap_directory_leasing), NEGPROT_CAP_DIRECTORY_LEASING, "If the host supports DIRECTORY LEASING", HFILL }
13979 },
13980
13981 { &hf_smb2_cap_encryption,
13982 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN, 32,
13983 TFS(&tfs_cap_encryption), NEGPROT_CAP_ENCRYPTION, "If the host supports ENCRYPTION", HFILL }
13984 },
13985
13986 { &hf_smb2_cap_notifications,
13987 { "NOTIFICATIONS", "smb2.capabilities.notifications", FT_BOOLEAN, 32,
13988 TFS(&tfs_cap_notifications), NEGPROT_CAP_NOTIFICATIONS, "If the host supports receiving notifications from server", HFILL }
13989 },
13990
13991 { &hf_smb2_max_trans_size,
13992 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32, BASE_DEC,
13993 NULL, 0, NULL, HFILL }
13994 },
13995
13996 { &hf_smb2_max_read_size,
13997 { "Max Read Size", "smb2.max_read_size", FT_UINT32, BASE_DEC,
13998 NULL, 0, NULL, HFILL }
13999 },
14000
14001 { &hf_smb2_max_write_size,
14002 { "Max Write Size", "smb2.max_write_size", FT_UINT32, BASE_DEC,
14003 NULL, 0, NULL, HFILL }
14004 },
14005
14006 { &hf_smb2_channel,
14007 { "Channel", "smb2.channel", FT_UINT32, BASE_HEX,
14008 VALS(smb2_channel_vals), 0, NULL, HFILL }
14009 },
14010
14011 { &hf_smb2_rdma_v1_offset,
14012 { "Offset", "smb2.buffer_descriptor.offset", FT_UINT64, BASE_DEC,
14013 NULL, 0, NULL, HFILL }
14014 },
14015
14016 { &hf_smb2_rdma_v1_token,
14017 { "Token", "smb2.buffer_descriptor.token", FT_UINT32, BASE_HEX,
14018 NULL, 0, NULL, HFILL }
14019 },
14020
14021 { &hf_smb2_rdma_v1_length,
14022 { "Length", "smb2.buffer_descriptor.length", FT_UINT32, BASE_DEC,
14023 NULL, 0, NULL, HFILL }
14024 },
14025
14026 { &hf_smb2_share_flags,
14027 { "Share flags", "smb2.share_flags", FT_UINT32, BASE_HEX,
14028 NULL, 0, NULL, HFILL }
14029 },
14030
14031 { &hf_smb2_share_flags_dfs,
14032 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN, 32,
14033 NULL, SHARE_FLAGS_dfs, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
14034 },
14035
14036 { &hf_smb2_share_flags_dfs_root,
14037 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN, 32,
14038 NULL, SHARE_FLAGS_dfs_root, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL }
14039 },
14040
14041 { &hf_smb2_share_flags_restrict_exclusive_opens,
14042 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN, 32,
14043 NULL, SHARE_FLAGS_restrict_exclusive_opens, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL }
14044 },
14045
14046 { &hf_smb2_share_flags_force_shared_delete,
14047 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN, 32,
14048 NULL, SHARE_FLAGS_force_shared_delete, "Shared files in the specified share can be forcibly deleted", HFILL }
14049 },
14050
14051 { &hf_smb2_share_flags_allow_namespace_caching,
14052 { "Allow namespace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN, 32,
14053 NULL, SHARE_FLAGS_allow_namespace_caching, "Clients are allowed to cache the namespace of the specified share", HFILL }
14054 },
14055
14056 { &hf_smb2_share_flags_access_based_dir_enum,
14057 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN, 32,
14058 NULL, SHARE_FLAGS_access_based_dir_enum, "The server will filter directory entries based on the access permissions of the client", HFILL }
14059 },
14060
14061 { &hf_smb2_share_flags_force_levelii_oplock,
14062 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN, 32,
14063 NULL, SHARE_FLAGS_force_levelii_oplock, "The server will not issue exclusive caching rights on this share", HFILL }
14064 },
14065
14066 { &hf_smb2_share_flags_enable_hash_v1,
14067 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN, 32,
14068 NULL, SHARE_FLAGS_enable_hash_v1, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
14069 },
14070
14071 { &hf_smb2_share_flags_enable_hash_v2,
14072 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN, 32,
14073 NULL, SHARE_FLAGS_enable_hash_v2, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL }
14074 },
14075
14076 { &hf_smb2_share_flags_encrypt_data,
14077 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN, 32,
14078 NULL, SHARE_FLAGS_encryption_required, "The share require data encryption", HFILL }
14079 },
14080
14081 { &hf_smb2_share_flags_identity_remoting,
14082 { "Identity Remoting", "smb2.share_flags.identity_remoting", FT_BOOLEAN, 32,
14083 NULL, SHARE_FLAGS_identity_remoting, "The specified share supports Identity Remoting", HFILL }
14084 },
14085
14086 { &hf_smb2_share_flags_compress_data,
14087 { "Compressed IO", "smb2.share_flags.compress_data", FT_BOOLEAN, 32,
14088 NULL, SHARE_FLAGS_compress_data, "The share supports compression of read/write messages", HFILL }
14089 },
14090
14091 { &hf_smb2_share_flags_isolated_transport,
14092 { "Isolated Transport", "smb2.share_flags.isolated_transport", FT_BOOLEAN, 32,
14093 NULL, SHARE_FLAGS_isolated_transport, "The server indicates that administrator set share property telling client that it is preferable to isolate communication to that share on a separate set of connections.", HFILL }
14094 },
14095
14096 { &hf_smb2_share_caching,
14097 { "Caching policy", "smb2.share.caching", FT_UINT32, BASE_HEX,
14098 VALS(share_cache_vals), 0, NULL, HFILL }
14099 },
14100
14101 { &hf_smb2_share_caps,
14102 { "Share Capabilities", "smb2.share_caps", FT_UINT32, BASE_HEX,
14103 NULL, 0, NULL, HFILL }
14104 },
14105
14106 { &hf_smb2_share_caps_dfs,
14107 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN, 32,
14108 NULL, SHARE_CAPS_DFS, "The specified share is present in a DFS tree structure", HFILL }
14109 },
14110
14111 { &hf_smb2_share_caps_continuous_availability,
14112 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN, 32,
14113 NULL, SHARE_CAPS_CONTINUOUS_AVAILABILITY, "The specified share is continuously available", HFILL }
14114 },
14115
14116 { &hf_smb2_share_caps_scaleout,
14117 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN, 32,
14118 NULL, SHARE_CAPS_SCALEOUT, "The specified share is a scaleout share", HFILL }
14119 },
14120
14121 { &hf_smb2_share_caps_cluster,
14122 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN, 32,
14123 NULL, SHARE_CAPS_CLUSTER, "The specified share is a cluster share", HFILL }
14124 },
14125
14126 { &hf_smb2_share_caps_asymmetric,
14127 { "ASYMMETRIC", "smb2.share_caps.asymmetric", FT_BOOLEAN, 32,
14128 NULL, SHARE_CAPS_ASYMMETRIC, "The specified share allows dynamic changes in ownership of the share", HFILL }
14129 },
14130
14131 { &hf_smb2_share_caps_redirect_to_owner,
14132 { "REDIRECT_TO_OWNER", "smb2.share_caps.redirect_to_owner", FT_BOOLEAN, 32,
14133 NULL, SHARE_CAPS_REDIRECT_TO_OWNER, "The specified share supports synchronous share level redirection", HFILL }
14134 },
14135
14136 { &hf_smb2_ioctl_flags,
14137 { "Flags", "smb2.ioctl.flags", FT_UINT32, BASE_HEX,
14138 NULL, 0, NULL, HFILL }
14139 },
14140
14141 { &hf_smb2_min_count,
14142 { "Min Count", "smb2.min_count", FT_UINT32, BASE_DEC,
14143 NULL, 0, NULL, HFILL }
14144 },
14145
14146 { &hf_smb2_remaining_bytes,
14147 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32, BASE_DEC,
14148 NULL, 0, NULL, HFILL }
14149 },
14150
14151 { &hf_smb2_channel_info_offset,
14152 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16, BASE_DEC,
14153 NULL, 0, NULL, HFILL }
14154 },
14155
14156 { &hf_smb2_channel_info_length,
14157 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16, BASE_DEC,
14158 NULL, 0, NULL, HFILL }
14159 },
14160
14161 { &hf_smb2_channel_info_blob,
14162 { "Channel Info Blob", "smb2.channel_info_blob", FT_NONE, BASE_NONE,
14163 NULL, 0, NULL, HFILL }
14164 },
14165
14166 { &hf_smb2_ioctl_is_fsctl,
14167 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN, 32,
14168 NULL, 0x00000001, NULL, HFILL }
14169 },
14170
14171 { &hf_smb2_output_buffer_len,
14172 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT32, BASE_DEC,
14173 NULL, 0, NULL, HFILL }
14174 },
14175
14176 { &hf_smb2_close_pq_attrib,
14177 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN, 16,
14178 NULL, 0x0001, NULL, HFILL }
14179 },
14180
14181 { &hf_smb2_notify_watch_tree,
14182 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN, 16,
14183 NULL, 0x0001, NULL, HFILL }
14184 },
14185
14186 { &hf_smb2_notify_out_data,
14187 { "Out Data", "smb2.notify.out", FT_NONE, BASE_NONE,
14188 NULL, 0, NULL, HFILL }
14189 },
14190
14191 { &hf_smb2_notify_info,
14192 { "Notify Info", "smb2.notify.info", FT_NONE, BASE_NONE,
14193 NULL, 0, NULL, HFILL }
14194 },
14195
14196 { &hf_smb2_notify_next_offset,
14197 { "Next Offset", "smb2.notify.next_offset", FT_UINT32, BASE_HEX,
14198 NULL, 0, "Offset to next entry in chain or 0", HFILL }
14199 },
14200
14201 { &hf_smb2_notify_action,
14202 { "Action", "smb2.notify.action", FT_UINT32, BASE_HEX,
14203 VALS(notify_action_vals), 0, "Notify Action", HFILL }
14204 },
14205
14206
14207 { &hf_smb2_find_flags_restart_scans,
14208 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN, 8,
14209 NULL, SMB2_FIND_FLAG_RESTART_SCANS, NULL, HFILL }
14210 },
14211
14212 { &hf_smb2_find_flags_single_entry,
14213 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN, 8,
14214 NULL, SMB2_FIND_FLAG_SINGLE_ENTRY, NULL, HFILL }
14215 },
14216
14217 { &hf_smb2_find_flags_index_specified,
14218 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN, 8,
14219 NULL, SMB2_FIND_FLAG_INDEX_SPECIFIED, NULL, HFILL }
14220 },
14221
14222 { &hf_smb2_find_flags_reopen,
14223 { "Reopen", "smb2.find.reopen", FT_BOOLEAN, 8,
14224 NULL, SMB2_FIND_FLAG_REOPEN, NULL, HFILL }
14225 },
14226
14227 { &hf_smb2_file_index,
14228 { "File Index", "smb2.file_index", FT_UINT32, BASE_HEX,
14229 NULL, 0, NULL, HFILL }
14230 },
14231
14232 { &hf_smb2_file_directory_info,
14233 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE, BASE_NONE,
14234 NULL, 0, NULL, HFILL }
14235 },
14236
14237 { &hf_smb2_full_directory_info,
14238 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE, BASE_NONE,
14239 NULL, 0, NULL, HFILL }
14240 },
14241
14242 { &hf_smb2_both_directory_info,
14243 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE, BASE_NONE,
14244 NULL, 0, NULL, HFILL }
14245 },
14246
14247 { &hf_smb2_id_both_directory_info,
14248 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE, BASE_NONE,
14249 NULL, 0, NULL, HFILL }
14250 },
14251
14252 { &hf_smb2_posix_info,
14253 { "FilePosixInfo", "smb2.find.posix_info", FT_NONE, BASE_NONE,
14254 NULL, 0, NULL, HFILL }
14255 },
14256
14257 { &hf_smb2_short_name_len,
14258 { "Short Name Length", "smb2.short_name_len", FT_UINT8, BASE_DEC,
14259 NULL, 0, NULL, HFILL }
14260 },
14261
14262 { &hf_smb2_short_name,
14263 { "Short Name", "smb2.shortname", FT_STRING, BASE_NONE,
14264 NULL, 0, NULL, HFILL }
14265 },
14266
14267 { &hf_smb2_lock_info,
14268 { "Lock Info", "smb2.lock_info", FT_NONE, BASE_NONE,
14269 NULL, 0, NULL, HFILL }
14270 },
14271
14272 { &hf_smb2_lock_length,
14273 { "Length", "smb2.lock_length", FT_UINT64, BASE_DEC,
14274 NULL, 0, NULL, HFILL }
14275 },
14276
14277 { &hf_smb2_lock_flags,
14278 { "Flags", "smb2.lock_flags", FT_UINT32, BASE_HEX,
14279 NULL, 0, NULL, HFILL }
14280 },
14281
14282 { &hf_smb2_lock_flags_shared,
14283 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN, 32,
14284 NULL, 0x00000001, NULL, HFILL }
14285 },
14286
14287 { &hf_smb2_lock_flags_exclusive,
14288 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN, 32,
14289 NULL, 0x00000002, NULL, HFILL }
14290 },
14291
14292 { &hf_smb2_lock_flags_unlock,
14293 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN, 32,
14294 NULL, 0x00000004, NULL, HFILL }
14295 },
14296
14297 { &hf_smb2_lock_flags_fail_immediately,
14298 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN, 32,
14299 NULL, 0x00000010, NULL, HFILL }
14300 },
14301
14302 { &hf_smb2_error_context_count,
14303 { "Error Context Count", "smb2.error.context_count", FT_UINT8, BASE_DEC,
14304 NULL, 0, NULL, HFILL }
14305 },
14306
14307 { &hf_smb2_error_reserved,
14308 { "Reserved", "smb2.error.reserved", FT_UINT8, BASE_HEX,
14309 NULL, 0, NULL, HFILL }
14310 },
14311
14312 { &hf_smb2_error_byte_count,
14313 { "Byte Count", "smb2.error.byte_count", FT_UINT32, BASE_DEC,
14314 NULL, 0, NULL, HFILL }
14315 },
14316
14317 { &hf_smb2_error_data,
14318 { "Error Data", "smb2.error.data", FT_BYTES, BASE_NONE,
14319 NULL, 0, NULL, HFILL }
14320 },
14321
14322 { &hf_smb2_error_context,
14323 { "Error Context", "smb2.error.context", FT_BYTES, BASE_NONE,
14324 NULL, 0, NULL, HFILL }
14325 },
14326
14327 { &hf_smb2_error_context_id,
14328 { "Type", "smb2.error.context.id", FT_UINT32, BASE_HEX,
14329 VALS(smb2_error_id_vals), 0, NULL, HFILL }
14330 },
14331
14332 { &hf_smb2_error_context_length,
14333 { "Type", "smb2.error.context.length", FT_UINT32, BASE_DEC,
14334 NULL, 0, NULL, HFILL }
14335 },
14336
14337 { &hf_smb2_error_min_buf_length,
14338 { "Minimum required buffer length", "smb2.error.min_buf_length", FT_UINT32, BASE_DEC,
14339 NULL, 0, NULL, HFILL }
14340 },
14341
14342 { &hf_smb2_error_redir_context,
14343 { "Share Redirect", "smb2.error.share_redirect", FT_NONE, BASE_NONE,
14344 NULL, 0, NULL, HFILL }
14345 },
14346
14347 { &hf_smb2_error_redir_struct_size,
14348 { "Struct Size", "smb2.error.share_redirect.struct_size", FT_UINT32, BASE_DEC,
14349 NULL, 0, NULL, HFILL }
14350 },
14351
14352 { &hf_smb2_error_redir_notif_type,
14353 { "Notification Type", "smb2.error.share_redirect.notif_type", FT_UINT32, BASE_DEC,
14354 NULL, 0, NULL, HFILL }
14355 },
14356
14357 { &hf_smb2_error_redir_flags,
14358 { "Flags", "smb2.error.share_redirect.flags", FT_UINT16, BASE_HEX,
14359 NULL, 0, NULL, HFILL }
14360 },
14361
14362 { &hf_smb2_error_redir_target_type,
14363 { "Target Type", "smb2.error.share_redirect.target_type", FT_UINT16, BASE_HEX,
14364 NULL, 0, NULL, HFILL }
14365 },
14366
14367 { &hf_smb2_error_redir_ip_count,
14368 { "IP Addr Count", "smb2.error.share_redirect.ip_count", FT_UINT32, BASE_DEC,
14369 NULL, 0, NULL, HFILL }
14370 },
14371
14372 { &hf_smb2_error_redir_ip_list,
14373 { "IP Addr List", "smb2.error.share_redirect.ip_list", FT_NONE, BASE_NONE,
14374 NULL, 0, NULL, HFILL }
14375 },
14376
14377 { &hf_smb2_error_redir_res_name,
14378 { "Resource Name", "smb2.error.share_redirect.res_name", FT_STRING, BASE_NONE,
14379 NULL, 0, NULL, HFILL }
14380 },
14381
14382 { &hf_smb2_reserved,
14383 { "Reserved", "smb2.reserved", FT_BYTES, BASE_NONE,
14384 NULL, 0, NULL, HFILL }
14385 },
14386
14387 { &hf_smb2_reserved_random,
14388 { "Reserved (Random)", "smb2.reserved.random", FT_BYTES, BASE_NONE,
14389 NULL, 0, "Reserved bytes, random data", HFILL }
14390 },
14391
14392 { &hf_smb2_root_directory_mbz,
14393 { "Root Dir Handle (MBZ)", "smb2.root_directory", FT_BYTES, BASE_NONE,
14394 NULL, 0, NULL, HFILL }
14395 },
14396
14397 { &hf_smb2_dhnq_buffer_reserved,
14398 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64, BASE_HEX,
14399 NULL, 0, NULL, HFILL }
14400 },
14401
14402 { &hf_smb2_dh2x_buffer_timeout,
14403 { "Timeout", "smb2.dh2x.timeout", FT_UINT32, BASE_DEC,
14404 NULL, 0, NULL, HFILL }
14405 },
14406
14407 { &hf_smb2_dh2x_buffer_flags,
14408 { "Flags", "smb2.dh2x.flags", FT_UINT32, BASE_HEX,
14409 NULL, 0, NULL, HFILL }
14410 },
14411
14412 { &hf_smb2_dh2x_buffer_flags_persistent_handle,
14413 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN, 32,
14414 NULL, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE, NULL, HFILL }
14415 },
14416
14417 { &hf_smb2_dh2x_buffer_reserved,
14418 { "Reserved", "smb2.dh2x.reserved", FT_UINT64, BASE_HEX,
14419 NULL, 0, NULL, HFILL }
14420 },
14421
14422 { &hf_smb2_dh2x_buffer_create_guid,
14423 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID, BASE_NONE,
14424 NULL, 0, NULL, HFILL }
14425 },
14426
14427 { &hf_smb2_APP_INSTANCE_buffer_struct_size,
14428 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16, BASE_DEC,
14429 NULL, 0, NULL, HFILL }
14430 },
14431
14432 { &hf_smb2_APP_INSTANCE_buffer_reserved,
14433 { "Reserved", "smb2.app_instance.reserved", FT_UINT16, BASE_HEX,
14434 NULL, 0, NULL, HFILL }
14435 },
14436
14437 { &hf_smb2_APP_INSTANCE_buffer_app_guid,
14438 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID, BASE_NONE,
14439 NULL, 0, NULL, HFILL }
14440 },
14441
14442 { &hf_smb2_svhdx_open_device_context_version,
14443 { "Version", "smb2.svhdx_open_device_context.version", FT_UINT32, BASE_DEC,
14444 NULL, 0, NULL, HFILL }
14445 },
14446
14447 { &hf_smb2_svhdx_open_device_context_has_initiator_id,
14448 { "HasInitiatorId", "smb2.svhdx_open_device_context.initiator_has_id", FT_BOOLEAN, BASE_NONE,
14449 TFS(&tfs_smb2_svhdx_has_initiator_id), 0, "Whether the host has an initiator", HFILL }
14450 },
14451
14452 { &hf_smb2_svhdx_open_device_context_reserved,
14453 { "Reserved", "smb2.svhdx_open_device_context.reserved", FT_BYTES, BASE_NONE,
14454 NULL, 0, NULL, HFILL }
14455 },
14456
14457 { &hf_smb2_svhdx_open_device_context_initiator_id,
14458 { "InitiatorId", "smb2.svhdx_open_device_context.initiator_id", FT_GUID, BASE_NONE,
14459 NULL, 0, NULL, HFILL }
14460 },
14461
14462 { &hf_smb2_svhdx_open_device_context_flags,
14463 { "Flags", "smb2.svhdx_open_device_context.flags", FT_UINT32, BASE_HEX,
14464 NULL, 0, NULL, HFILL }
14465 },
14466
14467 { &hf_smb2_svhdx_open_device_context_originator_flags,
14468 { "OriginatorFlags", "smb2.svhdx_open_device_context.originator_flags", FT_UINT32, BASE_HEX,
14469 VALS(originator_flags_vals), 0, NULL, HFILL }
14470 },
14471
14472 { &hf_smb2_svhdx_open_device_context_open_request_id,
14473 { "OpenRequestId","smb2.svhxd_open_device_context.open_request_id", FT_UINT64, BASE_HEX,
14474 NULL, 0, NULL, HFILL }
14475 },
14476
14477 { &hf_smb2_svhdx_open_device_context_initiator_host_name_len,
14478 { "HostNameLength", "smb2.svhxd_open_device_context.initiator_host_name_len", FT_UINT16, BASE_DEC,
14479 NULL, 0, NULL, HFILL }
14480 },
14481
14482 { &hf_smb2_svhdx_open_device_context_initiator_host_name,
14483 { "HostName", "smb2.svhdx_open_device_context.host_name", FT_STRING, BASE_NONE,
14484 NULL, 0, NULL, HFILL }
14485 },
14486
14487 { &hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized,
14488 { "VirtualDiskPropertiesInitialized", "smb2.svhdx_open_device_context.virtual_disk_properties_initialized", FT_BOOLEAN, BASE_NONE,
14489 NULL, 0, "Whether VirtualSectorSize, PhysicalSectorSize, and VirtualSize fields are filled", HFILL }
14490 },
14491
14492 { &hf_smb2_svhdx_open_device_context_server_service_version,
14493 { "ServerServiceVersion", "smb2.svhdx_open_device_context.server_service_version", FT_UINT32, BASE_DEC,
14494 NULL, 0, "The current version of the protocol running on the server", HFILL }
14495 },
14496
14497 { &hf_smb2_svhdx_open_device_context_virtual_sector_size,
14498 { "VirtualSectorSize", "smb2.svhdx_open_device_context.virtual_sector_size", FT_UINT32, BASE_DEC,
14499 NULL, 0, "The virtual sector size of the virtual disk", HFILL }
14500 },
14501
14502 { &hf_smb2_svhdx_open_device_context_physical_sector_size,
14503 { "PhysicalSectorSize", "smb2.svhdx_open_device_context.physical_sector_size", FT_UINT32, BASE_DEC,
14504 NULL, 0, "The physical sector size of the virtual disk", HFILL }
14505 },
14506
14507 { &hf_smb2_svhdx_open_device_context_virtual_size,
14508 { "VirtualSize", "smb2.svhdx_open_device_context.virtual_size", FT_UINT64, BASE_DEC,
14509 NULL, 0, "The current length of the virtual disk, in bytes", HFILL }
14510 },
14511
14512 { &hf_smb2_app_instance_version_struct_size,
14513 { "Struct Size", "smb2.app_instance_version.struct_size", FT_UINT16, BASE_DEC,
14514 NULL, 0, NULL, HFILL }
14515 },
14516
14517 { &hf_smb2_app_instance_version_reserved,
14518 { "Reserved", "smb2.app_instance_version.reserved", FT_UINT16, BASE_DEC,
14519 NULL, 0, NULL, HFILL }
14520 },
14521
14522 { &hf_smb2_app_instance_version_padding,
14523 { "Padding", "smb2.app_instance_version.padding", FT_UINT32, BASE_HEX,
14524 NULL, 0, NULL, HFILL }
14525 },
14526
14527 { &hf_smb2_app_instance_version_high,
14528 { "AppInstanceVersionHigh", "smb2.app_instance_version.version.high", FT_UINT64, BASE_DEC,
14529 NULL, 0, NULL, HFILL }
14530 },
14531
14532 { &hf_smb2_app_instance_version_low,
14533 { "AppInstanceVersionLow", "smb2.app_instance_version.version.low", FT_UINT64, BASE_DEC,
14534 NULL, 0, NULL, HFILL }
14535 },
14536
14537 { &hf_smb2_posix_perms,
14538 { "POSIX perms", "smb2.posix_perms", FT_UINT32, BASE_OCT,
14539 NULL, 0, NULL, HFILL }
14540 },
14541
14542 { &hf_smb2_aapl_command_code,
14543 { "Command code", "smb2.aapl.command_code", FT_UINT32, BASE_DEC,
14544 VALS(aapl_command_code_vals), 0, NULL, HFILL }
14545 },
14546
14547 { &hf_smb2_aapl_reserved,
14548 { "Reserved", "smb2.aapl.reserved", FT_UINT32, BASE_HEX,
14549 NULL, 0, NULL, HFILL }
14550 },
14551
14552 { &hf_smb2_aapl_server_query_bitmask,
14553 { "Query bitmask", "smb2.aapl.query_bitmask", FT_UINT64, BASE_HEX,
14554 NULL, 0, NULL, HFILL }
14555 },
14556
14557 { &hf_smb2_aapl_server_query_bitmask_server_caps,
14558 { "Server capabilities", "smb2.aapl.bitmask.server_caps", FT_BOOLEAN, 64,
14559 NULL, SMB2_AAPL_SERVER_CAPS, NULL, HFILL }
14560 },
14561
14562 { &hf_smb2_aapl_server_query_bitmask_volume_caps,
14563 { "Volume capabilities", "smb2.aapl.bitmask.volume_caps", FT_BOOLEAN, 64,
14564 NULL, SMB2_AAPL_VOLUME_CAPS, NULL, HFILL }
14565 },
14566
14567 { &hf_smb2_aapl_server_query_bitmask_model_info,
14568 { "Model information", "smb2.aapl.bitmask.model_info", FT_BOOLEAN, 64,
14569 NULL, SMB2_AAPL_MODEL_INFO, NULL, HFILL }
14570 },
14571
14572 { &hf_smb2_aapl_server_query_caps,
14573 { "Client/Server capabilities", "smb2.aapl.caps", FT_UINT64, BASE_HEX,
14574 NULL, 0, NULL, HFILL }
14575 },
14576
14577 { &hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
14578 { "Supports READDIRATTR", "smb2.aapl.caps.supports_read_dir_addr", FT_BOOLEAN, 64,
14579 NULL, SMB2_AAPL_SUPPORTS_READ_DIR_ATTR, NULL, HFILL }
14580 },
14581
14582 { &hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
14583 { "Supports macOS copyfile", "smb2.aapl.caps.supports_osx_copyfile", FT_BOOLEAN, 64,
14584 NULL, SMB2_AAPL_SUPPORTS_OSX_COPYFILE, NULL, HFILL }
14585 },
14586
14587 { &hf_smb2_aapl_server_query_caps_unix_based,
14588 { "UNIX-based", "smb2.aapl.caps.unix_based", FT_BOOLEAN, 64,
14589 NULL, SMB2_AAPL_UNIX_BASED, NULL, HFILL }
14590 },
14591
14592 { &hf_smb2_aapl_server_query_caps_supports_nfs_ace,
14593 { "Supports NFS ACE", "smb2.aapl.supports_nfs_ace", FT_BOOLEAN, 64,
14594 NULL, SMB2_AAPL_SUPPORTS_NFS_ACE, NULL, HFILL }
14595 },
14596
14597 { &hf_smb2_aapl_server_query_volume_caps,
14598 { "Volume capabilities", "smb2.aapl.volume_caps", FT_UINT64, BASE_HEX,
14599 NULL, 0, NULL, HFILL }
14600 },
14601
14602 { &hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
14603 { "Supports Resolve ID", "smb2.aapl.volume_caps.supports_resolve_id", FT_BOOLEAN, 64,
14604 NULL, SMB2_AAPL_SUPPORTS_RESOLVE_ID, NULL, HFILL }
14605 },
14606
14607 { &hf_smb2_aapl_server_query_volume_caps_case_sensitive,
14608 { "Case sensitive", "smb2.aapl.volume_caps.case_sensitive", FT_BOOLEAN, 64,
14609 NULL, SMB2_AAPL_CASE_SENSITIVE, NULL, HFILL }
14610 },
14611
14612 { &hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
14613 { "Supports full sync", "smb2.aapl.volume_caps.supports_full_sync", FT_BOOLEAN, 64,
14614 NULL, SMB2_AAPL_SUPPORTS_FULL_SYNC, NULL, HFILL }
14615 },
14616
14617 { &hf_smb2_aapl_server_query_model_string,
14618 { "Model string", "smb2.aapl.model_string", FT_UINT_STRING, BASE_NONE,
14619 NULL, 0, NULL, HFILL }
14620 },
14621
14622 { &hf_smb2_aapl_server_query_server_path,
14623 { "Server path", "smb2.aapl.server_path", FT_UINT_STRING, BASE_NONE,
14624 NULL, 0, NULL, HFILL }
14625 },
14626
14627 { &hf_smb2_transform_signature,
14628 { "Signature", "smb2.header.transform.signature", FT_BYTES, BASE_NONE,
14629 NULL, 0, NULL, HFILL }
14630 },
14631
14632 { &hf_smb2_transform_nonce,
14633 { "Nonce", "smb2.header.transform.nonce", FT_BYTES, BASE_NONE,
14634 NULL, 0, NULL, HFILL }
14635 },
14636
14637 { &hf_smb2_transform_msg_size,
14638 { "Message size", "smb2.header.transform.msg_size", FT_UINT32, BASE_DEC,
14639 NULL, 0, NULL, HFILL }
14640 },
14641
14642 { &hf_smb2_transform_reserved,
14643 { "Reserved", "smb2.header.transform.reserved", FT_BYTES, BASE_NONE,
14644 NULL, 0, NULL, HFILL }
14645 },
14646
14647 /* SMB2 header flags */
14648 { &hf_smb2_transform_flags,
14649 { "Flags", "smb2.header.transform.flags", FT_UINT16, BASE_HEX,
14650 NULL, 0, "SMB2 transform flags", HFILL }
14651 },
14652
14653 { &hf_smb2_transform_flags_encrypted,
14654 { "Encrypted", "smb2.header.transform.flags.encrypted", FT_BOOLEAN, 16,
14655 NULL, SMB2_TRANSFORM_FLAGS_ENCRYPTED,
14656 "Whether the payload is encrypted", HFILL }
14657 },
14658
14659 { &hf_smb2_transform_encrypted_data,
14660 { "Data", "smb2.header.transform.enc_data", FT_BYTES, BASE_NONE,
14661 NULL, 0, NULL, HFILL }
14662 },
14663
14664 { &hf_smb2_comp_transform_orig_size,
14665 { "OriginalSize", "smb2.header.comp_transform.original_size", FT_UINT32, BASE_DEC,
14666 NULL, 0, NULL, HFILL }
14667 },
14668
14669 { &hf_smb2_comp_transform_comp_alg,
14670 { "CompressionAlgorithm", "smb2.header.comp_transform.comp_alg", FT_UINT16, BASE_HEX,
14671 VALS(smb2_comp_alg_types), 0, NULL, HFILL }
14672 },
14673
14674 { &hf_smb2_comp_transform_flags,
14675 { "Flags", "smb2.header.comp_transform.flags", FT_UINT16, BASE_HEX,
14676 VALS(smb2_comp_transform_flags_vals), 0, NULL, HFILL }
14677 },
14678
14679 { &hf_smb2_comp_transform_offset,
14680 { "Offset", "smb2.header.comp_transform.offset", FT_UINT32, BASE_HEX,
14681 NULL, 0, NULL, HFILL }
14682 },
14683
14684 { &hf_smb2_comp_transform_length,
14685 { "Length", "smb2.header.comp_transform.length", FT_UINT32, BASE_HEX,
14686 NULL, 0, NULL, HFILL }
14687 },
14688
14689 { &hf_smb2_comp_transform_data,
14690 { "CompressedData", "smb2.header.comp_transform.data", FT_BYTES, BASE_NONE,
14691 NULL, 0, NULL, HFILL }
14692 },
14693
14694 { &hf_smb2_comp_transform_orig_payload_size,
14695 { "OriginalPayloadSize", "smb2.header.comp_transform.orig_payload_size", FT_UINT32, BASE_DEC,
14696 NULL, 0, NULL, HFILL }
14697 },
14698
14699 { &hf_smb2_comp_pattern_v1_pattern,
14700 { "Pattern", "smb2.pattern_v1.pattern", FT_UINT8, BASE_HEX,
14701 NULL, 0, NULL, HFILL }
14702 },
14703
14704 { &hf_smb2_comp_pattern_v1_reserved1,
14705 { "Reserved1", "smb2.pattern_v1.reserved1", FT_UINT8, BASE_HEX,
14706 NULL, 0, NULL, HFILL }
14707 },
14708
14709 { &hf_smb2_comp_pattern_v1_reserved2,
14710 { "Reserved2", "smb2.pattern_v1.reserved2", FT_UINT16, BASE_HEX,
14711 NULL, 0, NULL, HFILL }
14712 },
14713
14714 { &hf_smb2_comp_pattern_v1_repetitions,
14715 { "Repetitions", "smb2.pattern_v1.repetitions", FT_UINT32, BASE_DEC,
14716 NULL, 0, NULL, HFILL }
14717 },
14718
14719 { &hf_smb2_protocol_id,
14720 { "ProtocolId", "smb2.protocol_id", FT_UINT32, BASE_HEX,
14721 NULL, 0, NULL, HFILL }
14722 },
14723
14724 { &hf_smb2_truncated,
14725 { "Truncated...", "smb2.truncated", FT_NONE, BASE_NONE,
14726 NULL, 0, NULL, HFILL }
14727 },
14728
14729 { &hf_smb2_pipe_fragment_overlap,
14730 { "Fragment overlap", "smb2.pipe.fragment.overlap", FT_BOOLEAN, BASE_NONE,
14731 NULL, 0x0, "Fragment overlaps with other fragments", HFILL }
14732 },
14733
14734 { &hf_smb2_pipe_fragment_overlap_conflict,
14735 { "Conflicting data in fragment overlap", "smb2.pipe.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE,
14736 NULL, 0x0, NULL, HFILL }
14737 },
14738
14739 { &hf_smb2_pipe_fragment_multiple_tails,
14740 { "Multiple tail fragments found", "smb2.pipe.fragment.multipletails", FT_BOOLEAN, BASE_NONE,
14741 NULL, 0x0, "Several tails were found when defragmenting the packet", HFILL }
14742 },
14743
14744 { &hf_smb2_pipe_fragment_too_long_fragment,
14745 { "Fragment too long", "smb2.pipe.fragment.toolongfragment", FT_BOOLEAN, BASE_NONE,
14746 NULL, 0x0, "Fragment contained data past end of packet", HFILL }
14747 },
14748
14749 { &hf_smb2_pipe_fragment_error,
14750 { "Defragmentation error", "smb2.pipe.fragment.error", FT_FRAMENUM, BASE_NONE,
14751 NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }
14752 },
14753
14754 { &hf_smb2_pipe_fragment_count,
14755 { "Fragment count", "smb2.pipe.fragment.count", FT_UINT32, BASE_DEC,
14756 NULL, 0x0, NULL, HFILL }
14757 },
14758
14759 { &hf_smb2_pipe_fragment,
14760 { "Fragment SMB2 Named Pipe", "smb2.pipe.fragment", FT_FRAMENUM, BASE_NONE,
14761 NULL, 0x0, NULL, HFILL }
14762 },
14763
14764 { &hf_smb2_pipe_fragments,
14765 { "Reassembled SMB2 Named Pipe fragments", "smb2.pipe.fragments", FT_NONE, BASE_NONE,
14766 NULL, 0x0, NULL, HFILL }
14767 },
14768
14769 { &hf_smb2_pipe_reassembled_in,
14770 { "This SMB2 Named Pipe payload is reassembled in frame", "smb2.pipe.reassembled_in", FT_FRAMENUM, BASE_NONE,
14771 NULL, 0x0, "The Named Pipe PDU is completely reassembled in this frame", HFILL }
14772 },
14773
14774 { &hf_smb2_pipe_reassembled_length,
14775 { "Reassembled SMB2 Named Pipe length", "smb2.pipe.reassembled.length", FT_UINT32, BASE_DEC,
14776 NULL, 0x0, "The total length of the reassembled payload", HFILL }
14777 },
14778
14779 { &hf_smb2_pipe_reassembled_data,
14780 { "Reassembled SMB2 Named Pipe Data", "smb2.pipe.reassembled.data", FT_BYTES, BASE_NONE,
14781 NULL, 0x0, "The reassembled payload", HFILL }
14782 },
14783
14784 { &hf_smb2_cchunk_resume_key,
14785 { "ResumeKey", "smb2.fsctl.cchunk.resume_key", FT_BYTES, BASE_NONE,
14786 NULL, 0x0, "Opaque data representing source of copy", HFILL }
14787 },
14788
14789 { &hf_smb2_cchunk_count,
14790 { "Chunk Count", "smb2.fsctl.cchunk.count", FT_UINT32, BASE_DEC,
14791 NULL, 0x0, NULL, HFILL }
14792 },
14793
14794 { &hf_smb2_cchunk_src_offset,
14795 { "Source Offset", "smb2.fsctl.cchunk.src_offset", FT_UINT64, BASE_DEC,
14796 NULL, 0x0, NULL, HFILL }
14797 },
14798
14799 { &hf_smb2_cchunk_dst_offset,
14800 { "Target Offset", "smb2.fsctl.cchunk.dst_offset", FT_UINT64, BASE_DEC,
14801 NULL, 0x0, NULL, HFILL }
14802 },
14803
14804 { &hf_smb2_cchunk_xfer_len,
14805 { "Transfer Length", "smb2.fsctl.cchunk.xfer_len", FT_UINT32, BASE_DEC,
14806 NULL, 0x0, NULL, HFILL }
14807 },
14808
14809 { &hf_smb2_cchunk_chunks_written,
14810 { "Chunks Written", "smb2.fsctl.cchunk.chunks_written", FT_UINT32, BASE_DEC,
14811 NULL, 0x0, NULL, HFILL }
14812 },
14813
14814 { &hf_smb2_cchunk_bytes_written,
14815 { "Chunk Bytes Written", "smb2.fsctl.cchunk.bytes_written", FT_UINT32, BASE_DEC,
14816 NULL, 0x0, NULL, HFILL }
14817 },
14818
14819 { &hf_smb2_cchunk_total_written,
14820 { "Total Bytes Written", "smb2.fsctl.cchunk.total_written", FT_UINT32, BASE_DEC,
14821 NULL, 0x0, NULL, HFILL }
14822 },
14823 { &hf_smb2_reparse_tag,
14824 { "Reparse Tag", "smb2.reparse_tag", FT_UINT32, BASE_HEX,
14825 VALS(reparse_tag_vals), 0x0, NULL, HFILL }
14826 },
14827 { &hf_smb2_reparse_guid,
14828 { "Reparse GUID", "smb2.reparse_guid", FT_NONE, BASE_NONE,
14829 NULL, 0, NULL, HFILL }
14830 },
14831 { &hf_smb2_reparse_data_length,
14832 { "Reparse Data Length", "smb2.reparse_data_length", FT_UINT16, BASE_DEC,
14833 NULL, 0x0, NULL, HFILL }
14834 },
14835 { &hf_smb2_reparse_data_buffer,
14836 { "Reparse Data Buffer", "smb2.reparse_data_buffer", FT_NONE, BASE_NONE,
14837 NULL, 0, NULL, HFILL }
14838 },
14839 { &hf_smb2_nfs_type,
14840 { "NFS file type", "smb2.nfs.type", FT_UINT64, BASE_HEX|BASE_VAL64_STRING,
14841 VALS64(nfs_type_vals), 0x0, NULL, HFILL }
14842 },
14843 { &hf_smb2_nfs_symlink_target,
14844 { "Symlink Target", "smb2.nfs.symlink.target", FT_STRING,
14845 BASE_NONE, NULL, 0x0, NULL, HFILL }
14846 },
14847 { &hf_smb2_nfs_chr_major,
14848 { "Major", "smb2.nfs.char.major", FT_UINT32,
14849 BASE_HEX, NULL, 0x0, NULL, HFILL }
14850 },
14851 { &hf_smb2_nfs_chr_minor,
14852 { "Minor", "smb2.nfs.char.minor", FT_UINT32,
14853 BASE_HEX, NULL, 0x0, NULL, HFILL }
14854 },
14855 { &hf_smb2_nfs_blk_major,
14856 { "Major", "smb2.nfs.block.major", FT_UINT32,
14857 BASE_HEX, NULL, 0x0, NULL, HFILL }
14858 },
14859 { &hf_smb2_nfs_blk_minor,
14860 { "Minor", "smb2.nfs.block.minor", FT_UINT32,
14861 BASE_HEX, NULL, 0x0, NULL, HFILL }
14862 },
14863 { &hf_smb2_symlink_error_response,
14864 { "Symbolic Link Error Response", "smb2.symlink_error_response", FT_NONE, BASE_NONE,
14865 NULL, 0, NULL, HFILL }
14866 },
14867 { &hf_smb2_symlink_length,
14868 { "SymLink Length", "smb2.symlink.length", FT_UINT32,
14869 BASE_DEC, NULL, 0x0, NULL, HFILL }
14870 },
14871 { &hf_smb2_symlink_error_tag,
14872 { "SymLink Error Tag", "smb2.symlink.error_tag", FT_UINT32,
14873 BASE_HEX, NULL, 0x0, NULL, HFILL }
14874 },
14875 { &hf_smb2_unparsed_path_length,
14876 { "Unparsed Path Length", "smb2.symlink.unparsed_path_length", FT_UINT16, BASE_DEC,
14877 NULL, 0x0, NULL, HFILL }
14878 },
14879 { &hf_smb2_symlink_substitute_name,
14880 { "Substitute Name", "smb2.symlink.substitute_name", FT_STRING, BASE_NONE,
14881 NULL, 0x0, NULL, HFILL }
14882 },
14883 { &hf_smb2_symlink_print_name,
14884 { "Print Name", "smb2.symlink.print_name", FT_STRING, BASE_NONE,
14885 NULL, 0x0, NULL, HFILL }
14886 },
14887 { &hf_smb2_symlink_flags,
14888 { "Flags", "smb2.symlink.flags", FT_UINT32, BASE_DEC,
14889 NULL, 0x0, NULL, HFILL }
14890 },
14891 { &hf_smb2_fscc_file_attr,
14892 { "File Attributes", "smb2.file_attribute", FT_UINT32, BASE_HEX,
14893 NULL, 0x0, NULL, HFILL }
14894 },
14895 { &hf_smb2_fscc_file_attr_read_only,
14896 { "Read Only", "smb2.file_attribute.read_only", FT_BOOLEAN, 32,
14897 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_READ_ONLY, "READ ONLY file attribute", HFILL } },
14898
14899 { &hf_smb2_fscc_file_attr_hidden,
14900 { "Hidden", "smb2.file_attribute.hidden", FT_BOOLEAN, 32,
14901 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_HIDDEN, "HIDDEN file attribute", HFILL } },
14902
14903 { &hf_smb2_fscc_file_attr_system,
14904 { "System", "smb2.file_attribute.system", FT_BOOLEAN, 32,
14905 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_SYSTEM, "SYSTEM file attribute", HFILL } },
14906
14907 { &hf_smb2_fscc_file_attr_directory,
14908 { "Directory", "smb2.file_attribute.directory", FT_BOOLEAN, 32,
14909 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_DIRECTORY, "DIRECTORY file attribute", HFILL } },
14910
14911 { &hf_smb2_fscc_file_attr_archive,
14912 { "Requires archived", "smb2.file_attribute.archive", FT_BOOLEAN, 32,
14913 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_ARCHIVE, "ARCHIVE file attribute", HFILL } },
14914
14915 { &hf_smb2_fscc_file_attr_normal,
14916 { "Normal", "smb2.file_attribute.normal", FT_BOOLEAN, 32,
14917 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_NORMAL, "Is this a normal file?", HFILL } },
14918
14919 { &hf_smb2_fscc_file_attr_temporary,
14920 { "Temporary", "smb2.file_attribute.temporary", FT_BOOLEAN, 32,
14921 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_TEMPORARY, "Is this a temporary file?", HFILL } },
14922
14923 { &hf_smb2_fscc_file_attr_sparse_file,
14924 { "Sparse", "smb2.file_attribute.sparse", FT_BOOLEAN, 32,
14925 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_SPARSE_FILE, "Is this a sparse file?", HFILL } },
14926
14927 { &hf_smb2_fscc_file_attr_reparse_point,
14928 { "Reparse Point", "smb2.file_attribute.reparse", FT_BOOLEAN, 32,
14929 TFS(&tfs_fscc_file_attribute_reparse), SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT, "Does this file have an associated reparse point?", HFILL } },
14930
14931 { &hf_smb2_fscc_file_attr_compressed,
14932 { "Compressed", "smb2.file_attribute.compressed", FT_BOOLEAN, 32,
14933 TFS(&tfs_fscc_file_attribute_compressed), SMB2_FSCC_FILE_ATTRIBUTE_COMPRESSED, "Is this file compressed?", HFILL } },
14934
14935 { &hf_smb2_fscc_file_attr_offline,
14936 { "Offline", "smb2.file_attribute.offline", FT_BOOLEAN, 32,
14937 TFS(&tfs_fscc_file_attribute_offline), SMB2_FSCC_FILE_ATTRIBUTE_OFFLINE, "Is this file offline?", HFILL } },
14938
14939 { &hf_smb2_fscc_file_attr_not_content_indexed,
14940 { "Not Content Indexed", "smb2.file_attribute.not_content_indexed", FT_BOOLEAN, 32,
14941 TFS(&tfs_fscc_file_attribute_not_content_indexed), SMB2_FSCC_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, "May this file be indexed by the content indexing service", HFILL } },
14942
14943 { &hf_smb2_fscc_file_attr_encrypted,
14944 { "Encrypted", "smb2.file_attribute.encrypted", FT_BOOLEAN, 32,
14945 TFS(&tfs_yes_no), SMB2_FSCC_FILE_ATTRIBUTE_ENCRYPTED, "Is this file encrypted?", HFILL } },
14946
14947 { &hf_smb2_fscc_file_attr_integrity_stream,
14948 { "Integrity Stream", "smb2.file_attribute.integrity_stream", FT_BOOLEAN, 32,
14949 TFS(&tfs_fscc_file_attribute_integrity_stream), SMB2_FSCC_FILE_ATTRIBUTE_INTEGRITY_STREAM, "Is this file configured with integrity support?", HFILL } },
14950
14951 { &hf_smb2_fscc_file_attr_no_scrub_data,
14952 { "No Scrub Data", "smb2.file_attribute.no_scrub_data", FT_BOOLEAN, 32,
14953 TFS(&tfs_fscc_file_attribute_no_scrub_data), SMB2_FSCC_FILE_ATTRIBUTE_NO_SCRUB_DATA, "Is this file configured to be excluded from the data integrity scan?", HFILL } },
14954
14955 { &hf_smb2_fscc_file_attr_recall_on_open,
14956 { "Recall on open", "smb2.file_attribute.recall_on_open", FT_BOOLEAN, 32,
14957 TFS(&tfs_fscc_file_attribute_recall_on_open), SMB2_FSCC_FILE_ATTRIBUTE_RECALL_ON_OPEN, "When OPENED does some/all of the file/dir need to be fetched from remote storage?", HFILL } },
14958
14959 { &hf_smb2_fscc_file_attr_pinned,
14960 { "Pinned", "smb2.file_attribute.pinned", FT_BOOLEAN, 32,
14961 TFS(&tfs_fscc_file_attribute_pinned), SMB2_FSCC_FILE_ATTRIBUTE_PINNED, "Should the file/dir be kept fully present locally even when not being used?", HFILL } },
14962
14963 { &hf_smb2_fscc_file_attr_unpinned,
14964 { "Unpinned", "smb2.file_attribute.unpinned", FT_BOOLEAN, 32,
14965 TFS(&tfs_fscc_file_attribute_unpinned), SMB2_FSCC_FILE_ATTRIBUTE_UNPINNED, "Should file/dir NOT be fully kept locally except when ACCESSED?", HFILL } },
14966
14967 { &hf_smb2_fscc_file_attr_recall_on_data_access,
14968 { "Recall on data access", "smb2.file_attribute.recall_on_data_access", FT_BOOLEAN, 32,
14969 TFS(&tfs_fscc_file_attribute_recall_on_data_access), SMB2_FSCC_FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS, "Should the remote content be fetched when ACCESSED?", HFILL } },
14970
14971 { &hf_smb2_fsctl_infoex_enable_integrity,
14972 {"Enable Integrity", "smb2.fsctl.infoex.enable_integrity", FT_UINT8, BASE_HEX,
14973 VALS(smb2_fsctl_infoex_integrity_modes), 0, NULL, HFILL } },
14974
14975 { &hf_smb2_fsctl_infoex_keep_integrity_state,
14976 {"Integrity State", "smb2.fsctl.infoex.keep_integrity_state", FT_UINT8, BASE_HEX,
14977 VALS(smb2_fsctl_infoex_integrity_state), 0, NULL, HFILL } },
14978
14979 { &hf_smb2_fsctl_infoex_reserved,
14980 {"Reserved", "smb2.fsctl.infoex.reserved", FT_UINT16, BASE_HEX,
14981 NULL, 0, NULL, HFILL } },
14982
14983 { &hf_smb2_fsctl_infoex_flags,
14984 { "Flags", "smb2.fsctl.infoex.flags", FT_UINT32, BASE_HEX,
14985 NULL, 0, NULL, HFILL } },
14986
14987 { &hf_smb2_fsctl_infoex_version,
14988 { "Version", "smb2.fsctl.infoex.version", FT_UINT8, BASE_DEC,
14989 NULL, 0, NULL, HFILL } },
14990
14991 { &hf_smb2_fsctl_infoex_reserved2,
14992 { "Reserved", "smb2.fsctl.infoex.reserved2", FT_UINT56, BASE_HEX,
14993 NULL, 0, NULL, HFILL } },
14994
14995 { &hf_smb2_query_info_flags,
14996 {"Flags", "smb2.query_info.flags", FT_UINT32, BASE_HEX,
14997 NULL, 0, NULL, HFILL }},
14998
14999 { &hf_smb2_query_info_flag_restart_scan,
15000 {"SL Restart Scan", "smb2.query_info.flags.restart_scan", FT_BOOLEAN, 32,
15001 NULL, SMB2_SL_RESTART_SCAN, "Restart the scan for EAs from the beginning", HFILL } },
15002
15003 { &hf_smb2_query_info_flag_return_single_entry,
15004 {"SL Return Single Entry", "smb2.query_info.flags.return_single_entry", FT_BOOLEAN, 32,
15005 NULL, SMB2_SL_RETURN_SINGLE_ENTRY, "Return a single EA entry in the response buffer.", HFILL } },
15006
15007 { &hf_smb2_query_info_flag_index_specified,
15008 {"SL Index Specified", "smb2.query_info.flags.index_specified", FT_BOOLEAN, 32,
15009 NULL, SL_INDEX_SPECIFIED, "The caller has specified an EA index.", HFILL } },
15010
15011 { &hf_smb2_notification_type,
15012 { "Notification Type", "smb2.notification.type", FT_UINT32, BASE_HEX,
15013 VALS(server_notification_types), 0, NULL, HFILL } },
15014
15015 {
15016 &hf_smb2_fscc_refs_snapshot_mgmt_operation,
15017 { "Operation", "smb2.refs.snapshot.mgmt.op", FT_UINT32, BASE_HEX,
15018 VALS(refs_stream_snapshot_operation_types), 0, NULL, HFILL }},
15019
15020 {
15021 &hf_smb2_fscc_refs_snapshot_mgmt_namelen,
15022 { "Name Length", "smb2.refs.snapshot.mgmt.namelen", FT_UINT16, BASE_DEC,
15023 NULL, 0, NULL, HFILL }},
15024
15025 {
15026 &hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len,
15027 { "Input Buffer Length", "smb2.refs.snapshot.mgmt.input_buffer_len", FT_UINT16, BASE_DEC,
15028 NULL, 0, NULL, HFILL }},
15029
15030 {
15031 &hf_smb2_fscc_refs_snapshot_mgmt_reserved,
15032 { "Reserved", "smb2.refs.snapshot.mgmt.reserved", FT_BYTES, BASE_NONE,
15033 NULL, 0, NULL, HFILL }},
15034
15035 {
15036 &hf_smb2_fscc_refs_snapshot_mgmt_name,
15037 { "Name", "smb2.refs.snapshot.mgmt.name", FT_STRING, BASE_NONE,
15038 NULL, 0x0, NULL, HFILL }},
15039
15040 {
15041 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn,
15042 { "Starting VCN", "smb2.refs.snapshot.query.delta_buffer.startvcn", FT_UINT64, BASE_DEC,
15043 NULL, 0, NULL, HFILL }},
15044
15045 {
15046 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags,
15047 { "Flags", "smb2.refs.snapshot.query.delta_buffer.flags", FT_UINT32, BASE_DEC,
15048 NULL, 0, NULL, HFILL }},
15049
15050 {
15051 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved,
15052 { "Reserved", "smb2.refs.snapshot.query.delta_buffer.reserved", FT_UINT32, BASE_DEC,
15053 NULL, 0, NULL, HFILL }},
15054
15055 { &hf_smb2_flush_reserved2,
15056 { "Reserved2", "smb2.flush.reserved2", FT_BYTES, BASE_NONE,
15057 NULL, 0, NULL, HFILL }},
15058
15059 };
15060
15061 static int *ett[] = {
15062 &ett_smb2,
15063 &ett_smb2_ea,
15064 &ett_smb2_olb,
15065 &ett_smb2_header,
15066 &ett_smb2_encrypted,
15067 &ett_smb2_compressed,
15068 &ett_smb2_decompressed,
15069 &ett_smb2_command,
15070 &ett_smb2_secblob,
15071 &ett_smb2_negotiate_context_element,
15072 &ett_smb2_file_basic_info,
15073 &ett_smb2_file_standard_info,
15074 &ett_smb2_file_internal_info,
15075 &ett_smb2_file_ea_info,
15076 &ett_smb2_file_access_info,
15077 &ett_smb2_file_rename_info,
15078 &ett_smb2_file_link_info,
15079 &ett_smb2_file_disposition_info,
15080 &ett_smb2_file_position_info,
15081 &ett_smb2_file_full_ea_info,
15082 &ett_smb2_file_mode_info,
15083 &ett_smb2_file_alignment_info,
15084 &ett_smb2_file_all_info,
15085 &ett_smb2_file_allocation_info,
15086 &ett_smb2_file_endoffile_info,
15087 &ett_smb2_file_alternate_name_info,
15088 &ett_smb2_file_stream_info,
15089 &ett_smb2_file_pipe_info,
15090 &ett_smb2_file_compression_info,
15091 &ett_smb2_file_network_open_info,
15092 &ett_smb2_file_attribute_tag_info,
15093 &ett_smb2_file_normalized_name_info,
15094 &ett_smb2_fs_info_01,
15095 &ett_smb2_fs_info_03,
15096 &ett_smb2_fs_info_04,
15097 &ett_smb2_fs_info_05,
15098 &ett_smb2_fs_info_06,
15099 &ett_smb2_fs_info_07,
15100 &ett_smb2_fs_objectid_info,
15101 &ett_smb2_fs_posix_info,
15102 &ett_smb2_sec_info_00,
15103 &ett_smb2_additional_information_sec_mask,
15104 &ett_smb2_quota_info,
15105 &ett_smb2_query_quota_info,
15106 &ett_smb2_tid_tree,
15107 &ett_smb2_sesid_tree,
15108 &ett_smb2_create_chain_element,
15109 &ett_smb2_MxAc_buffer,
15110 &ett_smb2_QFid_buffer,
15111 &ett_smb2_RqLs_buffer,
15112 &ett_smb2_ioctl_function,
15113 &ett_smb2_FILE_OBJECTID_BUFFER,
15114 &ett_smb2_flags,
15115 &ett_smb2_sec_mode,
15116 &ett_smb2_capabilities,
15117 &ett_smb2_ses_req_flags,
15118 &ett_smb2_ses_flags,
15119 &ett_smb2_create_rep_flags,
15120 &ett_smb2_lease_state,
15121 &ett_smb2_lease_flags,
15122 &ett_smb2_share_flags,
15123 &ett_smb2_share_caps,
15124 &ett_smb2_comp_alg_flags,
15125 &ett_smb2_ioctl_flags,
15126 &ett_smb2_ioctl_network_interface,
15127 &ett_smb2_ioctl_sqos_opeations,
15128 &ett_smb2_fsctl_range_data,
15129 &ett_windows_sockaddr,
15130 &ett_smb2_close_flags,
15131 &ett_smb2_notify_info,
15132 &ett_smb2_notify_flags,
15133 &ett_smb2_rdma_v1,
15134 &ett_smb2_write_flags,
15135 &ett_smb2_find_flags,
15136 &ett_smb2_file_directory_info,
15137 &ett_smb2_both_directory_info,
15138 &ett_smb2_id_both_directory_info,
15139 &ett_smb2_full_directory_info,
15140 &ett_smb2_posix_info,
15141 &ett_smb2_file_name_info,
15142 &ett_smb2_lock_info,
15143 &ett_smb2_lock_flags,
15144 &ett_smb2_DH2Q_buffer,
15145 &ett_smb2_DH2C_buffer,
15146 &ett_smb2_dh2x_flags,
15147 &ett_smb2_APP_INSTANCE_buffer,
15148 &ett_smb2_svhdx_open_device_context,
15149 &ett_smb2_app_instance_version_buffer,
15150 &ett_smb2_app_instance_version_buffer_version,
15151 &ett_smb2_aapl_create_context_request,
15152 &ett_smb2_aapl_server_query_bitmask,
15153 &ett_smb2_aapl_server_query_caps,
15154 &ett_smb2_aapl_create_context_response,
15155 &ett_smb2_aapl_server_query_volume_caps,
15156 &ett_smb2_integrity_flags,
15157 &ett_smb2_buffercode,
15158 &ett_smb2_ioctl_network_interface_capabilities,
15159 &ett_smb2_tree_connect_flags,
15160 &ett_qfr_entry,
15161 &ett_smb2_pipe_fragment,
15162 &ett_smb2_pipe_fragments,
15163 &ett_smb2_cchunk_entry,
15164 &ett_smb2_fsctl_odx_token,
15165 &ett_smb2_symlink_error_response,
15166 &ett_smb2_reparse_data_buffer,
15167 &ett_smb2_error_data,
15168 &ett_smb2_error_context,
15169 &ett_smb2_error_redir_context,
15170 &ett_smb2_error_redir_ip_list,
15171 &ett_smb2_read_flags,
15172 &ett_smb2_signature,
15173 &ett_smb2_transform_flags,
15174 &ett_smb2_fscc_file_attributes,
15175 &ett_smb2_comp_pattern_v1,
15176 &ett_smb2_comp_payload,
15177 &ett_smb2_query_info_flags,
15178 &ett_smb2_server_notification,
15179 &ett_smb2_fscc_refs_snapshot_query_delta_buffer,
15180 };
15181
15182 static ei_register_info ei[] = {
15183 { &ei_smb2_invalid_length, { "smb2.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }},
15184 { &ei_smb2_bad_response, { "smb2.bad_response", PI_MALFORMED, PI_ERROR, "Bad response", EXPFILL }},
15185 { &ei_smb2_bad_negprot_negotiate_context_count, { "smb2.bad_negprot_negotiate_context_count", PI_MALFORMED, PI_ERROR, "Negotiate Protocol request NegotiateContextCount is nonzero without SMB 3.11 support", EXPFILL }},
15186 { &ei_smb2_bad_negprot_negotiate_context_offset, { "smb2.bad_negprot_negotiate_context_offset", PI_MALFORMED, PI_ERROR, "Negotiate Protocol request NegotiateContextOffset is nonzero without SMB 3.11 support", EXPFILL }},
15187 { &ei_smb2_bad_negprot_reserved, { "smb2.bad_negprot_reserved", PI_MALFORMED, PI_ERROR, "Negotiate Protocol response Reserved is nonzero", EXPFILL }},
15188 { &ei_smb2_bad_negprot_reserved2, { "smb2.bad_negprot_reserved2", PI_MALFORMED, PI_ERROR, "Negotiate Protocol response Reserved2 is nonzero", EXPFILL }},
15189 { &ei_smb2_invalid_getinfo_offset, { "smb2.invalid_getinfo_offset", PI_MALFORMED, PI_ERROR, "Input buffer offset isn't past the fixed data in the message", EXPFILL }},
15190 { &ei_smb2_invalid_getinfo_size, { "smb2.invalid_getinfo_size", PI_MALFORMED, PI_ERROR, "Input buffer length goes past the end of the message", EXPFILL }},
15191 { &ei_smb2_empty_getinfo_buffer, { "smb2.empty_getinfo_buffer", PI_PROTOCOL, PI_WARN, "Input buffer length is empty for a quota request", EXPFILL }},
15192 { &ei_smb2_invalid_signature, { "smb2.invalid_signature", PI_MALFORMED, PI_ERROR, "Invalid Signature", EXPFILL }},
15193 };
15194
15195 expert_module_t* expert_smb2;
15196
15197 /* SessionID <=> SessionKey mappings for decryption */
15198 uat_t *seskey_uat;
15199
15200 static uat_field_t seskey_uat_fields[] = {
15201 UAT_FLD_BUFFER(seskey_list, id, "Session ID", "The session ID buffer, coded as hex string, as it appears on the wire (LE)."),
15202 UAT_FLD_BUFFER(seskey_list, seskey, "Session Key", "The secret session key buffer, coded as 16-byte hex string."),
15203 UAT_FLD_BUFFER(seskey_list, s2ckey, "Server-to-Client", "The AES-128 key used by the client to decrypt server messages, coded as 16-byte hex string."),
15204 UAT_FLD_BUFFER(seskey_list, c2skey, "Client-to-Server", "The AES-128 key used by the server to decrypt client messages, coded as 16-byte hex string."),
15205 UAT_END_FIELDS
15206 };
15207
15208 proto_smb2 = proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
15209 "SMB2", "smb2");
15210 proto_register_subtree_array(ett, array_length(ett));
15211 proto_register_field_array(proto_smb2, hf, array_length(hf));
15212 expert_smb2 = expert_register_protocol(proto_smb2);
15213 expert_register_field_array(expert_smb2, ei, array_length(ei));
15214
15215 smb2_module = prefs_register_protocol(proto_smb2, NULL);
15216 prefs_register_bool_preference(smb2_module, "eosmb2_take_name_as_fid",
15217 "Use the full file name as File ID when exporting an SMB2 object",
15218 "Whether the export object functionality will take the full path file name as file identifier",
15219 &eosmb2_take_name_as_fid);
15220
15221 prefs_register_bool_preference(smb2_module, "pipe_reassembly",
15222 "Reassemble Named Pipes over SMB2",
15223 "Whether the dissector should reassemble Named Pipes over SMB2 commands",
15224 &smb2_pipe_reassembly);
15225
15226 prefs_register_bool_preference(smb2_module, "verify_signatures",
15227 "Verify SMB2 Signatures",
15228 "Whether the dissector should try to verify SMB2 signatures",
15229 &smb2_verify_signatures);
15230
15231 seskey_uat = uat_new("Secret session key to use for decryption",
15232 sizeof(smb2_seskey_field_t),
15233 "smb2_seskey_list",
15234 true,
15235 &seskey_list,
15236 &num_seskey_list,
15237 (UAT_AFFECTS_DISSECTION | UAT_AFFECTS_FIELDS),
15238 NULL,
15239 seskey_list_copy_cb,
15240 seskey_list_update_cb,
15241 seskey_list_free_cb,
15242 NULL,
15243 NULL,
15244 seskey_uat_fields);
15245
15246 prefs_register_uat_preference(smb2_module,
15247 "seskey_list",
15248 "Secret session keys for decryption",
15249 "A table of Session ID to Session keys mappings used to decrypt traffic.",
15250 seskey_uat);
15251
15252 smb2_pipe_subdissector_list = register_heur_dissector_list_with_description("smb2_pipe_subdissectors", "SMB2 Pipe data", proto_smb2);
15253 /*
15254 * XXX - addresses_ports_reassembly_table_functions?
15255 * Probably correct for SMB-over-NBT and SMB-over-TCP,
15256 * as stuff from two different connections should
15257 * probably not be combined, but what about other
15258 * transports for SMB, e.g. NBF or Netware?
15259 */
15260 reassembly_table_register(&smb2_pipe_reassembly_table,
15261 &addresses_reassembly_table_functions);
15262
15263 smb2_tap = register_tap("smb2");
15264 smb2_eo_tap = register_tap("smb_eo"); /* SMB Export Object tap */
15265
15266 register_srt_table(proto_smb2, NULL, 1, smb2stat_packet, smb2stat_init, NULL);
15267 smb2_sessions = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), smb2_sesid_info_hash, smb2_sesid_info_equal);
15268 }
15269
15270 void
15271 proto_reg_handoff_smb2(void)
15272 {
15273 gssapi_handle = find_dissector_add_dependency("gssapi", proto_smb2);
15274 ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smb2);
15275 rsvd_handle = find_dissector_add_dependency("rsvd", proto_smb2);
15276 heur_dissector_add("netbios", dissect_smb2_heur, "SMB2 over Netbios", "smb2_netbios", proto_smb2, HEURISTIC_ENABLE);
15277 heur_dissector_add("smb_direct", dissect_smb2_heur, "SMB2 over SMB Direct", "smb2_smb_direct", proto_smb2, HEURISTIC_ENABLE);
15278 }
15279
15280 /*
15281 * Editor modelines - https://www.wireshark.org/tools/modelines.html
15282 *
15283 * Local variables:
15284 * c-basic-offset: 8
15285 * tab-width: 8
15286 * indent-tabs-mode: t
15287 * End:
15288 *
15289 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
15290 * :indentSize=8:tabSize=8:noTabs=false:
15291 */
Metzes wireshark repo