| blob | d13ffd742e221c440da1fae46f9a3f915ac70357 |
1 /* packet-rpc.c
2 * Routines for rpc dissection
3 * Copyright 1999, Uwe Girlich <Uwe.Girlich@philosys.de>
4 *
5 * $Id$
6 *
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
10 *
11 * Copied from packet-smb.c
12 *
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 */
30 #include <glib.h>
32 #include <string.h>
34 #include <epan/packet.h>
35 #include <epan/exceptions.h>
36 #include <wsutil/pint.h>
37 #include <epan/conversation.h>
38 #include <epan/wmem/wmem.h>
39 #include <epan/prefs.h>
40 #include <epan/reassemble.h>
41 #include <epan/tap.h>
42 #include <epan/strutil.h>
43 #include <epan/garrayfix.h>
44 #include <epan/show_exception.h>
50 /*
51 * See:
52 *
53 * RFC 1831, "RPC: Remote Procedure Call Protocol Specification
54 * Version 2";
55 *
56 * RFC 1832, "XDR: External Data Representation Standard";
57 *
58 * RFC 2203, "RPCSEC_GSS Protocol Specification".
59 *
60 * See also
61 *
62 * RFC 2695, "Authentication Mechanisms for ONC RPC"
63 *
64 * although we don't currently dissect AUTH_DES or AUTH_KERB.
65 *
66 * RFC 5531, "Appendix C: Current Number Assignments" defines AUTH_RSA.
67 * AUTH_RSA is not implemented for any known RPC-protocols. The Gluster
68 * protocols (ab)use AUTH_RSA for their own AUTH-flavor. AUTH_RSA is
69 * therefore dissected as the inofficial AUTH_GLUSTER.
70 */
72 /* desegmentation of RPC over TCP */
75 /* defragmentation of fragmented RPC over TCP records */
78 /* try to dissect RPC packets for programs that are not known
79 * (proprietary ones) by wireshark.
80 */
83 /* try to find RPC fragment start if normal decode fails
84 * (good when starting decode of mid-stream capture)
85 */
96 };
102 };
123 };
131 };
140 };
147 };
157 };
163 };
174 };
180 };
182 /* the protocol number */
289 NULL,
291 /* Reassembled data field */
292 NULL,
293 "fragments"
294 };
296 /* Hash table with info on RPC program numbers */
299 /* Hash table with info on RPC procedure numbers */
309 /***********************************/
310 /* Hash array with procedure names */
311 /***********************************/
313 /* compare 2 keys */
314 static gint
316 {
324 }
326 /* calculate a hash key */
327 static guint
329 {
333 }
336 /* insert some entries */
337 void
340 {
341 rpc_prog_info_key rpc_prog_key;
345 /*
346 * Add the operation number hfinfo value for this version of the
347 * program.
348 */
353 vers);
371 }
372 }
375 /* return the name associated with a previously registered procedure. */
378 {
379 rpc_proc_info_key key;
390 /* happens only with strange program versions or
391 non-existing dissectors */
393 }
395 }
397 /*----------------------------------------*/
398 /* end of Hash array with procedure names */
399 /*----------------------------------------*/
402 /*********************************/
403 /* Hash array with program names */
404 /*********************************/
406 /* compare 2 keys */
407 static gint
409 {
415 }
418 /* calculate a hash key */
419 static guint
421 {
425 }
428 void
430 {
445 }
449 /* return the hf_field associated with a previously registered program.
450 */
451 int
453 {
454 rpc_prog_info_key rpc_prog_key;
460 }
462 }
464 /* return the name associated with a previously registered program. This
465 should probably eventually be expanded to use the rpc YP/NIS map
466 so that it can give names for programs not handled by wireshark */
469 {
471 rpc_prog_info_key rpc_prog_key;
477 }
480 }
482 }
485 /*--------------------------------------*/
486 /* end of Hash array with program names */
487 /*--------------------------------------*/
489 /* One of these structures are created for each conversation that contains
490 * RPC and contains the state we need to maintain for the conversation.
491 */
497 /* we can not hang this off the conversation structure above since the context
498 will be reused across all tcp connections between the client and the server.
499 a global tree for all contexts should still be unlikely to have collissions
500 here.
501 */
504 unsigned int
506 {
510 /* Check for overflow */
514 }
517 int
520 {
523 }
526 int
529 {
532 }
535 int
538 {
546 }
548 /*
549 * We want to make this function available outside this file and
550 * allow callers to pass a dissection function for the opaque data
551 */
552 int
560 {
565 guint32 string_length;
566 guint32 string_length_full;
567 guint32 string_length_packet;
568 guint32 string_length_captured;
569 guint32 string_length_copy;
572 guint32 fill_length;
573 guint32 fill_length_packet;
574 guint32 fill_length_captured;
575 guint32 fill_length_copy;
578 /* int string_item_offset; */
586 }
590 }
595 /* truncated string */
602 else
604 }
606 /* full string data */
614 /* truncated fill bytes */
619 else
621 }
623 /* full fill bytes */
626 }
627 }
629 /*
630 * If we were passed a dissection routine, make a TVB of the data
631 * and call the dissection routine
632 */
638 string_length);
642 }
647 string_buffer = (char *)tvb_memcpy(tvb, wmem_alloc(wmem_packet_scope(), string_length_copy+1), data_offset, string_length_copy);
648 }
650 /* calculate a nice printable string */
657 /* copy over the data and append <TRUNCATED> */
658 string_buffer_print=wmem_strdup_printf(wmem_packet_scope(), "%s%s", formatted, RPC_STRING_TRUNCATED);
661 }
664 string_buffer_print =
668 }
669 }
672 }
675 /* string_item_offset = offset; */
678 string_buffer_print);
680 ett_rpc_string);
681 }
687 }
693 string_buffer,
698 string_buffer,
700 }
701 }
711 }
716 }
717 }
719 }
727 /*
728 * If the data was truncated, throw the appropriate exception,
729 * so that dissection stops and the frame is properly marked.
730 */
734 }
737 int
740 {
744 }
747 int
750 {
754 }
757 int
761 {
765 }
768 int
771 {
772 guint32 value_follows;
781 }
784 }
785 }
788 }
790 int
794 {
797 guint32 num;
812 }
819 }
823 }
825 static int
827 {
828 guint gids_count;
829 guint gids_i;
830 guint gids_entry;
839 }
842 /* first, open with [ */
851 }
853 /* add at most 16 GIDs to the text */
861 }
863 }
865 /* finally, close with ] */
870 }
872 static int
874 {
875 guint stamp;
876 guint uid;
877 guint gid;
900 }
903 guint32 create_frame;
904 guint32 destroy_frame;
908 static int
912 {
917 guint32 context_length;
926 ett_gss_context);
939 /* we only track contexts up to 16 bytes in size */
941 }
961 }
964 }
967 }
971 it = proto_tree_add_uint(context_tree, hf_rpc_authgss_ctx_create_frame, tvb, 0, 0, context_info->create_frame);
973 }
977 it = proto_tree_add_uint(context_tree, hf_rpc_authgss_ctx_destroy_frame, tvb, 0, 0, context_info->destroy_frame);
979 }
984 }
986 static int
989 {
990 guint agc_v;
991 guint agc_proc;
992 guint agc_seq;
993 guint agc_svc;
1015 offset = dissect_rpc_authgss_context(tree, tvb, offset, pinfo, rpc_conv_info, FALSE, agc_proc == RPCSEC_GSS_DESTROY ? TRUE : FALSE);
1018 }
1020 static int
1023 {
1024 guint32 value_low;
1025 guint32 value_high;
1033 value_low);
1034 }
1037 }
1039 static int
1041 {
1042 guint adc_namekind;
1052 {
1060 window);
1067 nickname);
1070 }
1073 }
1075 static int
1077 {
1088 }
1090 static int
1092 {
1108 }
1110 static int
1112 {
1113 guint agc_v;
1114 guint agc_msg;
1127 offset);
1130 }
1132 static int
1135 {
1136 guint flavor;
1137 guint length;
1159 /*
1160 case AUTH_SHORT:
1162 break;
1163 */
1169 /* AUTH_RSA is (ab)used by Gluster */
1190 }
1191 }
1195 }
1197 /*
1198 * XDR opaque object, the contents of which are interpreted as a GSS-API
1199 * token.
1200 */
1201 static int
1204 {
1235 }
1238 }
1240 /* AUTH_DES verifiers are asymmetrical, so we need to know what type of
1241 * verifier we're decoding (CALL or REPLY).
1242 */
1243 static int
1246 {
1247 guint flavor;
1248 guint length;
1275 {
1276 guint window;
1283 }
1284 else
1285 {
1286 /* must be an RPC_REPLY */
1287 guint nickname;
1294 }
1306 }
1307 }
1311 }
1313 static int
1316 {
1318 }
1320 static int
1323 {
1346 }
1348 static int
1351 {
1352 guint version;
1360 }
1365 }
1371 }
1373 static int
1376 {
1377 guint version;
1386 }
1392 }
1396 offset);
1402 }
1409 }
1417 }
1419 static int
1421 {
1423 offset);
1425 }
1427 static int
1431 {
1436 /* set the current protocol name */
1441 /* call the dissector for the next level */
1444 /* restore the protocol name */
1446 }
1449 }
1452 static int
1457 {
1477 /* offset = */
1480 }
1485 }
1487 static int
1490 {
1492 /* int return_offset; */
1500 ENC_NA);
1503 /* cant decrypt if we dont have SPNEGO */
1507 }
1514 /* failed to decrypt the data */
1517 }
1521 }
1523 /*
1524 * Dissect the arguments to an indirect call; used by the portmapper/RPCBIND
1525 * dissector for the CALLIT procedure.
1526 *
1527 * Record these in the same table as the direct calls
1528 * so we can find it when dissecting an indirect call reply.
1529 * (There should not be collissions between xid between direct and
1530 * indirect calls.)
1531 */
1532 int
1535 {
1538 rpc_proc_info_key key;
1543 guint32 xid;
1551 /* Keep track of the address whence the call came, and the
1552 port to which the call is being sent, so that we can
1553 match up calls with replies.
1555 If the transport is connection-oriented (we check, for
1556 now, only for "pinfo->ptype" of PT_TCP), we also take
1557 into account the port from which the call was sent
1558 and the address to which the call was sent, because
1559 the addresses and ports of the two endpoints should be
1560 the same for all calls and replies. (XXX - what if
1561 the connection is broken and re-established?)
1563 If the transport is connectionless, we don't worry
1564 about the address to which the call was sent and from
1565 which the reply was sent, because there's no
1566 guarantee that the reply will come from the address
1567 to which the call was sent. We also don't worry about
1568 the port *from* which the call was sent and *to* which
1569 the reply was sent, because some clients (*cough* OS X
1570 NFS client *cough) might send retransmissions from a
1571 different port from the original request. */
1577 /*
1578 * XXX - you currently still have to pass a non-null
1579 * pointer for the second address argument even
1580 * if you use NO_ADDR_B.
1581 */
1585 }
1587 /* It's not part of any conversation - create a new
1588 one.
1590 XXX - this should never happen, as we should've
1591 created a conversation for it in the RPC
1592 dissector. */
1601 }
1602 }
1603 /*
1604 * Do we already have a state structure for this conv
1605 */
1608 /* No. Attach that information to the conversation, and add
1609 * it to the list of information structures.
1610 */
1615 }
1617 /* Make the dissector for this conversation the non-heuristic
1618 RPC dissector. */
1622 /* Dissectors for RPC procedure calls and replies shouldn't
1623 create new tvbuffs, and we don't create one ourselves,
1624 so we should have been handed the tvbuff for this RPC call;
1625 as such, the XID is at offset 0 in this tvbuff. */
1626 /* look up the request */
1630 /* We didn't find it; create a new entry.
1631 Prepare the value data.
1632 Not all of it is needed for handling indirect
1633 calls, so we set a bunch of items to 0. */
1642 /*
1643 * XXX - what about RPCSEC_GSS?
1644 * Do we have to worry about it?
1645 */
1650 /* store it */
1652 }
1653 }
1655 /* We don't know the procedure.
1656 Happens only with strange program versions or
1657 non-existing dissectors.
1658 Just show the arguments as opaque data. */
1660 offset);
1662 }
1665 {
1669 }
1672 /* Dissect the arguments */
1676 }
1678 /*
1679 * Dissect the results in an indirect reply; used by the portmapper/RPCBIND
1680 * dissector.
1681 */
1682 int
1685 {
1692 guint32 xid;
1694 /* Look for the matching call in the xid table.
1695 A reply must match a call that we've seen, and the
1696 reply must be sent to the same address that the call came
1697 from, and must come from the port to which the call was sent.
1699 If the transport is connection-oriented (we check, for
1700 now, only for "pinfo->ptype" of PT_TCP), we take
1701 into account the port from which the call was sent
1702 and the address to which the call was sent, because
1703 the addresses and ports of the two endpoints should be
1704 the same for all calls and replies.
1706 If the transport is connectionless, we don't worry
1707 about the address to which the call was sent and from
1708 which the reply was sent, because there's no
1709 guarantee that the reply will come from the address
1710 to which the call was sent. We also don't worry about
1711 the port *from* which the call was sent and *to* which
1712 the reply was sent, because some clients (*cough* OS X
1713 NFS client *cough) might send retransmissions from a
1714 different port from the original request. */
1719 /*
1720 * XXX - you currently still have to pass a non-null
1721 * pointer for the second address argument even
1722 * if you use NO_ADDR_B.
1723 */
1726 }
1728 /* We haven't seen an RPC call for that conversation,
1729 so we can't check for a reply to that call.
1730 Just show the reply stuff as opaque data. */
1732 offset);
1734 }
1735 /*
1736 * Do we already have a state structure for this conv
1737 */
1740 /* No. Attach that information to the conversation, and add
1741 * it to the list of information structures.
1742 */
1746 }
1748 /* The XIDs of the call and reply must match. */
1752 /* The XID doesn't match a call from that
1753 conversation, so it's probably not an RPC reply.
1754 Just show the reply stuff as opaque data. */
1756 offset);
1758 }
1764 }
1767 }
1768 }
1770 #if 0
1772 #endif
1774 }
1777 {
1780 /* Put the program, version, and procedure into the tree. */
1793 }
1796 /* We don't know how to dissect the reply procedure.
1797 Just show the reply stuff as opaque data. */
1799 offset);
1801 }
1803 /* Put the length of the reply value into the tree. */
1808 /* Dissect the return value */
1812 }
1814 /*
1815 * Just mark this as a continuation of an earlier packet.
1816 */
1817 static void
1819 {
1828 ENC_NA);
1831 }
1832 }
1835 /**
1836 * Produce a dummy RPC program entry for the given RPC program key
1837 * and version values.
1838 */
1840 static void
1842 {
1843 /* sanity check: no one uses versions > 10 */
1846 }
1849 /* ok this is not a known rpc program so we
1850 * will have to fake it.
1851 */
1857 };
1867 }
1868 }
1870 static gboolean
1874 {
1875 guint32 msg_type;
1878 rpc_prog_info_key rpc_prog_key;
1913 rpc_proc_info_key key;
1917 nstime_t ns;
1925 /*
1926 * Check to see whether this looks like an RPC call or reply.
1927 */
1929 /* Captured data in packet isn't enough to let us tell. */
1931 }
1933 /* both directions need at least this */
1939 /* check for RPC call */
1941 /* Captured data in packet isn't enough to let us
1942 tell. */
1944 }
1946 /* XID can be anything, so dont check it.
1947 We already have the message type.
1948 Check whether an RPC version number of 2 is in the
1949 location where it would be, and that an RPC program
1950 number we know about is in the location where it would be.
1952 XXX - Sun's snoop appears to recognize as RPC even calls
1953 to stuff it doesn't dissect; does it just look for a 2
1954 at that location, which seems far to weak a heuristic
1955 (too many false positives), or does it have some additional
1956 checks it does?
1958 We could conceivably check for any of the program numbers
1959 in the list at
1961 ftp://ftp.tau.ac.il/pub/users/eilon/rpc/rpc
1963 and report it as RPC (but not dissect the payload if
1964 we don't have a subdissector) if it matches. */
1967 /* we only dissect version 2 */
1970 }
1971 /* let the user be able to weaken the heuristics if he need
1972 * to look at proprietary protocols not known
1973 * to wireshark.
1974 */
1976 guint32 version;
1978 /* if the user has specified that he wants to try to
1979 * dissect even completely unknown RPC program numbers
1980 * then let him do that.
1981 * In this case we only check that the program number
1982 * is neither 0 nor -1 which is better than nothing.
1983 */
1986 }
1989 }
1990 if( (rpc_prog = (rpc_prog_info_value *)g_hash_table_lookup(rpc_progs, &rpc_prog_key)) == NULL) {
1991 /* They're not, so it's probably not an RPC call. */
1993 }
1997 /* Check for RPC reply. A reply must match a call that
1998 we've seen, and the reply must be sent to the same
1999 address that the call came from, and must come from
2000 the port to which the call was sent.
2002 If the transport is connection-oriented (we check, for
2003 now, only for "pinfo->ptype" of PT_TCP), we take
2004 into account the port from which the call was sent
2005 and the address to which the call was sent, because
2006 the addresses and ports of the two endpoints should be
2007 the same for all calls and replies.
2009 If the transport is connectionless, we don't worry
2010 about the address to which the call was sent and from
2011 which the reply was sent, because there's no
2012 guarantee that the reply will come from the address
2013 to which the call was sent. We also don't worry about
2014 the port *from* which the call was sent and *to* which
2015 the reply was sent, because some clients (*cough* OS X
2016 NFS client *cough) might send retransmissions from a
2017 different port from the original request. */
2023 /*
2024 * XXX - you currently still have to pass a non-null
2025 * pointer for the second address argument even
2026 * if you use NO_ADDR_B.
2027 */
2031 }
2033 /* We haven't seen an RPC call for that conversation,
2034 so we can't check for a reply to that call. */
2036 }
2037 /*
2038 * Do we already have a state structure for this conv
2039 */
2042 /* No. Attach that information to the conversation, and add
2043 * it to the list of information structures.
2044 */
2049 }
2051 /* The XIDs of the call and reply must match. */
2055 /* The XID doesn't match a call from that
2056 conversation, so it's probably not an RPC reply. */
2058 /* unless we're permitted to scan for embedded records
2059 * and this is a connection-oriented transport, give up */
2062 }
2064 /* in parse-partials, so define a dummy conversation for this reply */
2079 /* store it */
2082 /* and fake up a matching program */
2084 }
2086 /* pass rpc_info to subdissectors */
2091 /* The putative message type field contains neither
2092 RPC_CALL nor RPC_REPLY, so it's not an RPC call or
2093 reply. */
2095 }
2098 /*
2099 * This is RPC-over-TCP; check if this is the last
2100 * fragment.
2101 */
2103 /*
2104 * This isn't the last fragment.
2105 * If we're doing reassembly, just return
2106 * TRUE to indicate that this looks like
2107 * the beginning of an RPC message,
2108 * and let them do fragment reassembly.
2109 */
2112 }
2113 }
2118 ENC_NA);
2124 }
2135 }
2142 /* we know already the proto-entry, the ETT-const,
2143 and "rpc_prog" */
2153 }
2161 }
2163 /* Set the protocol name to the underlying
2164 program name. */
2171 }
2182 }
2184 /* happens only with strange program versions or
2185 non-existing dissectors */
2186 #if 0
2188 #endif
2190 }
2192 /* Check for RPCSEC_GSS and AUTH_GSSAPI */
2197 /*
2198 * It's GSS-API authentication...
2199 */
2201 /*
2202 * ...and we have the procedure
2203 * and service information for it.
2204 */
2209 /*
2210 * ...but the procedure and service
2211 * information isn't available.
2212 */
2214 }
2218 /*
2219 * AUTH_GSSAPI flavor. If auth_msg is TRUE,
2220 * then this is an AUTH_GSSAPI message and
2221 * not an application level message.
2222 */
2232 }
2233 }
2237 /*
2238 * It's not GSS-API authentication.
2239 */
2242 }
2243 }
2249 }
2251 /* Print the program version, procedure name, and message type (call or reply). */
2254 else
2256 /* Special case for NFSv4 - if the type is COMPOUND, do not print the procedure name */
2259 msg_type_name);
2260 else
2264 /* Keep track of the address whence the call came, and the
2265 port to which the call is being sent, so that we can
2266 match up calls with replies.
2268 If the transport is connection-oriented (we check, for
2269 now, only for "pinfo->ptype" of PT_TCP), we also take
2270 into account the port from which the call was sent
2271 and the address to which the call was sent, because
2272 the addresses and ports of the two endpoints should be
2273 the same for all calls and replies. (XXX - what if
2274 the connection is broken and re-established?)
2276 If the transport is connectionless, we don't worry
2277 about the address to which the call was sent and from
2278 which the reply was sent, because there's no
2279 guarantee that the reply will come from the address
2280 to which the call was sent. We also don't worry about
2281 the port *from* which the call was sent and *to* which
2282 the reply was sent, because some clients (*cough* OS X
2283 NFS client *cough) might send retransmissions from a
2284 different port from the original request. */
2290 /*
2291 * XXX - you currently still have to pass a non-null
2292 * pointer for the second address argument even
2293 * if you use NO_ADDR_B.
2294 */
2298 }
2300 /* It's not part of any conversation - create a new
2301 one. */
2310 }
2311 }
2312 /*
2313 * Do we already have a state structure for this conv
2314 */
2317 /* No. Attach that information to the conversation, and add
2318 * it to the list of information structures.
2319 */
2323 }
2326 /* Make the dissector for this conversation the non-heuristic
2327 RPC dissector. */
2331 /* look up the request */
2334 /* We've seen a request with this XID, with the same
2335 source and destination, before - but was it
2336 *this* request? */
2338 /* No, so it's a duplicate request.
2339 Mark it as such. */
2347 }
2350 }
2352 /* Prepare the value data.
2353 "req_num" and "rep_num" are frame numbers;
2354 frame numbers are 1-origin, so we use 0
2355 to mean "we don't yet know in which frame
2356 the reply for this call appears". */
2371 /* store it */
2373 }
2383 }
2388 /* pass rpc_info to subdissectors */
2392 /* there is no verifier for GSS destroy packets */
2394 }
2398 /* go to the next dissector */
2403 /* we know already the type from the calling routine,
2404 and we already have "rpc_call" set above. */
2416 }
2419 }
2420 }
2422 #if 0
2424 #endif
2426 }
2428 /*
2429 * If this is an AUTH_GSSAPI message, then the RPC procedure
2430 * is not an application procedure, but rather an auth level
2431 * procedure, so it would be misleading to print the RPC
2432 * procname. Replace the RPC procname with the corresponding
2433 * AUTH_GSSAPI procname.
2434 */
2437 }
2440 if ((rpc_prog = (rpc_prog_info_value *)g_hash_table_lookup(rpc_progs,&rpc_prog_key)) == NULL) {
2445 }
2452 /* Set the protocol name to the underlying
2453 program name. */
2455 }
2457 /* Print the program version, procedure name, and message type (call or reply). */
2460 else
2462 /* Special case for NFSv4 - if the type is COMPOUND, do not print the procedure name */
2466 else
2483 }
2489 }
2492 /* Indicate the frame to which this is a reply. */
2508 }
2512 /* We have not yet seen a reply to that call, so
2513 this must be the first reply; remember its
2514 frame number. */
2517 /* We have seen a reply to this call - but was it
2518 *this* reply? */
2522 /* No, so it's a duplicate reply.
2523 Mark it as such. */
2533 }
2534 }
2544 }
2549 /* go to the next dissector */
2557 hf_rpc_programversion_min,
2560 hf_rpc_programversion_max,
2562 }
2565 /*
2566 * There's no protocol reply, so don't
2567 * try to dissect it.
2568 */
2573 /*
2574 * There's no protocol reply, so don't
2575 * try to dissect it.
2576 */
2579 }
2587 reject_state);
2588 }
2596 hf_rpc_version_min,
2599 hf_rpc_version_max,
2601 }
2608 auth_state);
2609 }
2611 }
2613 /*
2614 * There's no protocol reply, so don't
2615 * try to dissect it.
2616 */
2621 /*
2622 * This isn't a valid reply state, so we have
2623 * no clue what's going on; don't try to dissect
2624 * the protocol reply.
2625 */
2628 }
2632 /*
2633 * The switch statement at the top returned if
2634 * this was neither an RPC call nor a reply.
2635 */
2637 }
2639 /* now we know, that RPC was shorter */
2645 }
2648 /*
2649 * There's no RPC call or reply here; just dissect
2650 * whatever's left as data.
2651 */
2655 }
2657 /* we must queue this packet to the tap system before we actually
2658 call the subdissectors since short packets (i.e. nfs read reply)
2659 will cause an exception and execution would never reach the call
2660 to tap_queue_packet() in that case
2661 */
2665 /* If this is encrypted data we have to try to decrypt the data first before we
2666 * we create a tree.
2667 * the reason for this is because if we can decrypt the data we must create the
2668 * item/tree for the next protocol using the decrypted tdb and not the current
2669 * tvb.
2670 */
2675 if (flavor == FLAVOR_GSSAPI && gss_proc == RPCSEC_GSS_DATA && gss_svc == RPCSEC_GSS_SVC_PRIVACY) {
2684 proto_tree_add_item(gss_tree, hf_rpc_authgss_seq, pinfo->gssapi_decrypted_tvb, 0, 4, ENC_BIG_ENDIAN);
2686 /* Switcheroo to the new tvb that contains the decrypted payload */
2689 }
2690 }
2693 /* create here the program specific sub-tree */
2706 /*
2707 * No such element in the GArray.
2708 */
2710 }
2720 }
2721 }
2723 /* proto==0 if this is an unknown program */
2726 }
2728 /*
2729 * Don't call any subdissector if we have no more date to dissect.
2730 */
2733 }
2735 /*
2736 * Handle RPCSEC_GSS and AUTH_GSSAPI specially.
2737 */
2741 /*
2742 * We don't know the authentication flavor, so we can't
2743 * dissect the payload.
2744 */
2750 /*
2751 * It's not GSS-API authentication. Just dissect the
2752 * payload.
2753 */
2759 /*
2760 * It's GSS-API authentication, but we don't have the
2761 * procedure and service information, so we can't dissect
2762 * the payload.
2763 */
2769 /*
2770 * It's GSS-API authentication, and we have the procedure
2771 * and service information; process the GSS-API stuff,
2772 * and process the payload if there is any.
2773 */
2781 }
2785 }
2792 dissect_function,
2794 }
2798 dissect_function,
2800 }
2806 dissect_function,
2809 }
2810 }
2815 }
2819 /*
2820 * This is an AUTH_GSSAPI message. It contains data
2821 * only for the authentication procedure and not for the
2822 * application level RPC procedure. Reset the column
2823 * protocol and info fields to indicate that this is
2824 * an RPC auth level message, then process the args.
2825 */
2843 }
2853 }
2855 /* Adjust the length to account for the auth message. */
2858 }
2862 /*
2863 * An RPC with AUTH_GSSAPI authentication. The data
2864 * portion is always private, so don't call the dissector.
2865 */
2868 }
2871 /*
2872 * dissect any remaining bytes (incomplete dissection) as pure
2873 * data in the ptree
2874 */
2878 }
2880 /* XXX this should really loop over all fhandles registred for the frame */
2887 }
2893 }
2895 }
2896 }
2899 }
2901 static gboolean
2903 {
2905 TRUE);
2906 }
2908 static void
2910 {
2912 TRUE)) {
2915 }
2916 }
2919 /* Defragmentation of RPC-over-TCP records */
2920 /* table to hold defragmented RPC records */
2923 /*
2924 * XXX - can we eliminate this by defining our own key-handling functions
2925 * for rpc_fragment_table? (Note that those functions must look at
2926 * not only the addresses of the endpoints, but the ports of the endpoints,
2927 * so that they don't try to combine fragments from different TCP
2928 * connections.)
2929 */
2933 guint32 conv_id;
2934 guint32 seq;
2935 guint32 offset;
2936 guint32 port;
2937 /* xxx */
2938 guint32 start_seq;
2941 static guint
2943 {
2947 }
2949 static gint
2951 {
2957 }
2959 static void
2961 {
2964 guint32 fraglen;
2976 rpc_rm);
2978 rpc_rm);
2979 }
2980 }
2982 static void
2984 {
2986 /*
2987 * Show the fragment header and the data for the fragment.
2988 */
2991 }
2992 }
2994 static void
2996 guint32 rpc_rm)
2997 {
3008 }
3010 void
3013 {
3020 /*
3021 * This message was not all in one fragment,
3022 * so show the fragment header *and* the data
3023 * for the fragment (which is the last fragment),
3024 * and a tree with information about all fragments.
3025 */
3028 /*
3029 * Show a tree with information about all fragments.
3030 */
3033 /*
3034 * This message was all in one fragment, so just show
3035 * the fragment header.
3036 */
3038 }
3039 }
3041 static gboolean
3045 {
3053 TRY {
3056 }
3057 CATCH_NONFATAL_ERRORS {
3058 /*
3059 * Somebody threw an exception that means that there
3060 * was a problem dissecting the payload; that means
3061 * that a dissector was found, so we don't need to
3062 * dissect the payload as data or update the protocol
3063 * or info columns.
3064 *
3065 * Just show the exception and then continue dissecting.
3066 */
3070 /* Restore the private_data structure in case one of the
3071 * called dissectors modified it (and, due to the exception,
3072 * was unable to restore it).
3073 */
3076 /*
3077 * We treat this as a "successful" dissection of
3078 * an RPC packet, as "dissect_rpc_message()"
3079 * *did* decide it was an RPC packet, throwing
3080 * an exception while dissecting it as such.
3081 */
3083 }
3084 ENDTRY;
3086 }
3088 static int
3092 {
3093 guint32 seq;
3094 guint32 rpc_rm;
3096 gint32 seglen;
3099 gboolean rpc_succeeded;
3100 gboolean save_fragmented;
3108 }
3112 /*
3113 * Get the record mark.
3114 */
3116 /*
3117 * XXX - we should somehow arrange to handle
3118 * a record mark split across TCP segments.
3119 */
3121 }
3126 /*
3127 * Do TCP desegmentation, if enabled.
3128 *
3129 * reject fragments bigger than this preference setting.
3130 * This is arbitrary, but should at least prevent
3131 * some crashes from either packets with really
3132 * large RPC-over-TCP fragments or from stuff that's
3133 * not really valid for this protocol.
3134 */
3141 /*
3142 * This frame doesn't have all of the
3143 * data for this message, but we can do
3144 * reassembly on it.
3145 *
3146 * If this is a heuristic dissector, just
3147 * return 0 - we don't want to try to get
3148 * more data, as that's too likely to cause
3149 * us to misidentify this as valid.
3150 *
3151 * XXX - this means that we won't
3152 * recognize the first fragment of a
3153 * multi-fragment RPC operation unless
3154 * we've already identified this
3155 * conversation as being an RPC
3156 * conversation (and thus aren't running
3157 * heuristically) - that would be a problem
3158 * if, for example, the first segment were
3159 * the beginning of a large NFS WRITE.
3160 *
3161 * If this isn't a heuristic dissector,
3162 * we've already identified this conversation
3163 * as containing data for this protocol, as we
3164 * saw valid data in previous frames. Try to
3165 * get more data.
3166 */
3173 }
3174 }
3175 }
3184 tvb_reported_len);
3186 /*
3187 * If we're not defragmenting, just hand this to the
3188 * disssector.
3189 */
3191 /*
3192 * This is the first fragment we've seen, and it's also
3193 * the last fragment; that means the record wasn't
3194 * fragmented. Hand the dissector the tvbuff for the
3195 * fragment as the tvbuff for the record.
3196 */
3200 /*
3201 * Mark this as fragmented, so if somebody throws an
3202 * exception, we don't report it as a malformed frame.
3203 */
3212 }
3214 /*
3215 * First, we check to see if this fragment is part of a record
3216 * that we're in the process of defragmenting.
3217 *
3218 * The key is the conversation ID for the conversation to which
3219 * the packet belongs and the current sequence number.
3220 * We must first find the conversation and, if we don't find
3221 * one, create it. We know this is running over TCP, so the
3222 * conversation should not wildcard either address or port.
3223 */
3227 /*
3228 * It's not part of any conversation - create a new one.
3229 */
3232 }
3239 /*
3240 * This fragment was not found in our table, so it doesn't
3241 * contain a continuation of a higher-level PDU.
3242 * Is it the last fragment?
3243 */
3245 /*
3246 * This isn't the last fragment, so we don't
3247 * have the complete record.
3248 *
3249 * It's the first fragment we've seen, so if
3250 * it's truly the first fragment of the record,
3251 * and it has enough data, the dissector can at
3252 * least check whether it looks like a valid
3253 * message, as it contains the start of the
3254 * message.
3255 *
3256 * The dissector should not dissect anything
3257 * if the "last fragment" flag isn't set in
3258 * the record marker, so it shouldn't throw
3259 * an exception.
3260 */
3265 /*
3266 * OK, now start defragmentation with that
3267 * fragment. Add this fragment, and set up
3268 * next packet/sequence number as well.
3269 *
3270 * We must remember this fragment.
3271 */
3281 /*
3282 * Start defragmentation.
3283 */
3289 /*
3290 * Make sure that defragmentation isn't complete;
3291 * it shouldn't be, as this is the first fragment
3292 * we've seen, and the "last fragment" bit wasn't
3293 * set on it.
3294 */
3303 new_rfk);
3305 /*
3306 * This is part of a fragmented record,
3307 * but it's not the first part.
3308 * Show it as a record marker plus data, under
3309 * a top-level tree for this protocol.
3310 */
3313 /*
3314 * No more processing need be done, as we don't
3315 * have a complete record.
3316 */
3319 /* oddly, we have a first fragment, not marked as last,
3320 * but which the defragmenter thinks is complete.
3321 * So rather than creating a fragment reassembly tree,
3322 * we simply throw away the partial fragment structure
3323 * and fall though to our "sole fragment" processing below.
3324 */
3325 }
3326 }
3328 /*
3329 * This is the first fragment we've seen, and it's also
3330 * the last fragment; that means the record wasn't
3331 * fragmented. Hand the dissector the tvbuff for the
3332 * fragment as the tvbuff for the record.
3333 */
3337 /*
3338 * OK, this fragment was found, which means it continues
3339 * a record. This means we must defragment it.
3340 * Add it to the defragmentation lists.
3341 */
3347 /*
3348 * fragment_add_multiple_ok() returned NULL.
3349 * This means that defragmentation is not
3350 * completed yet.
3351 *
3352 * We must add an entry to the hash table with
3353 * the sequence number following this fragment
3354 * as the starting sequence number, so that when
3355 * we see that fragment we'll find that entry.
3356 *
3357 * XXX - as TCP stream data is not currently
3358 * guaranteed to be provided in order to dissectors,
3359 * RPC fragments aren't guaranteed to be provided
3360 * in order, either.
3361 */
3369 new_rfk);
3371 /*
3372 * This is part of a fragmented record,
3373 * but it's not the first part.
3374 * Show it as a record marker plus data, under
3375 * a top-level tree for this protocol,
3376 * but don't hand it to the dissector
3377 */
3380 /*
3381 * No more processing need be done, as we don't
3382 * have a complete record.
3383 */
3385 }
3387 /*
3388 * It's completely defragmented.
3389 *
3390 * We only call subdissector for the last fragment.
3391 * XXX - this assumes in-order delivery of RPC
3392 * fragments, which requires in-order delivery of TCP
3393 * segments.
3394 */
3396 /*
3397 * Well, it's defragmented, but this isn't
3398 * the last fragment; this probably means
3399 * this isn't the first pass, so we don't
3400 * need to start defragmentation.
3401 *
3402 * This is part of a fragmented record,
3403 * but it's not the first part.
3404 * Show it as a record marker plus data, under
3405 * a top-level tree for this protocol,
3406 * but don't show it to the dissector.
3407 */
3410 /*
3411 * No more processing need be done, as we
3412 * only disssect the data with the last
3413 * fragment.
3414 */
3416 }
3418 /*
3419 * OK, this is the last segment.
3420 * Create a tvbuff for the defragmented
3421 * record.
3422 */
3424 /*
3425 * Create a new TVB structure for
3426 * defragmented data.
3427 */
3430 /*
3431 * Add defragmented data to the data source list.
3432 */
3434 }
3436 /*
3437 * We have something to hand to the RPC message
3438 * dissector.
3439 */
3446 /**
3447 * Scans tvb, starting at given offset, to see if we can find
3448 * what looks like a valid RPC-over-TCP reply header.
3449 *
3450 * @param tvb Buffer to inspect for RPC reply header.
3451 * @param offset Offset to begin search of tvb at.
3452 *
3453 * @return -1 if no reply header found, else offset to start of header
3454 * (i.e., to the RPC record mark field).
3455 */
3457 static int
3459 {
3461 /*
3462 * Looking for partial header sequence. From beginning of
3463 * stream-style header, including "record mark", full ONC-RPC
3464 * looks like:
3465 * BE int32 record mark (rfc 1831 sec. 10)
3466 * ? int32 XID (rfc 1831 sec. 8)
3467 * BE int32 msg_type (ibid sec. 8, call = 0, reply = 1)
3468 *
3469 * -------------------------------------------------------------
3470 * Then reply-specific fields are
3471 * BE int32 reply_stat (ibid, accept = 0, deny = 1)
3472 *
3473 * Then, assuming accepted,
3474 * opaque_auth
3475 * BE int32 auth_flavor (ibid, none = 0)
3476 * BE int32 ? auth_len (ibid, none = 0)
3477 *
3478 * BE int32 accept_stat (ibid, success = 0, errs are 1..5 in rpc v2)
3479 *
3480 * -------------------------------------------------------------
3481 * Or, call-specific fields are
3482 * BE int32 rpc_vers (rfc 1831 sec 8, always == 2)
3483 * BE int32 prog (NFS == 000186A3)
3484 * BE int32 prog_ver (NFS v2/3 == 2 or 3)
3485 * BE int32 proc_id (NFS, <= 256 ???)
3486 * opaque_auth
3487 * ...
3488 */
3490 /* Initially, we search only for something matching the template
3491 * of a successful reply with no auth verifier.
3492 * Our first qualification test is search for a string of zero bytes,
3493 * corresponding the four guint32 values
3494 * reply_stat
3495 * auth_flavor
3496 * auth_len
3497 * accept_stat
3498 *
3499 * If this string of zeros matches, then we go back and check the
3500 * preceding msg_type and record_mark fields.
3501 */
3514 guint32 ulMsgType;
3515 guint32 ulRecMark;
3522 /* start search at first possible location */
3526 /* nothing to search, so claim no RPC */
3528 }
3532 /* probably never take this, as get_ptr seems to assert */
3534 }
3537 /* First test for long tail of zeros, starting at the back.
3538 * A failure lets us skip the maximum possible buffer amount.
3539 */
3542 {
3544 {
3545 /* match failure. Since we need N contiguous zeros,
3546 * we can increment next match start so zero testing
3547 * begins right after this failure spot.
3548 */
3552 }
3554 pbBuf --;
3555 }
3559 }
3561 /* got a match in zero-fill region, verify reply ID and
3562 * record mark fields */
3568 /* looks ok, try dissect */
3570 }
3572 /* no match yet, nor egregious miss either. Inch along to next try */
3573 ibSearchStart ++;
3574 }
3580 /**
3581 * Scans tvb for what looks like a valid RPC call / reply header.
3582 * If found, calls standard dissect_rpc_fragment() logic to digest
3583 * the (hopefully valid) fragment.
3584 *
3585 * With any luck, one invocation of this will be sufficient to get
3586 * us back in alignment with the stream, and no further calls to
3587 * this routine will be needed for a given conversation. As if. :-)
3588 *
3589 * Can return:
3590 * Same as dissect_rpc_fragment(). Will return zero (no frame)
3591 * if no valid RPC header is found.
3592 */
3594 static int
3597 gboolean is_heur,
3599 {
3606 /* could search for request, but not needed (or testable) thus far */
3608 }
3613 defragment,
3616 /* misses are reported as-is */
3618 {
3620 }
3622 /* returning a non-zero length, correct it to reflect the extra offset
3623 * we found necessary
3624 */
3627 }
3629 /* negative length seems to only be used as a flag,
3630 * don't mess it up until found necessary
3631 */
3632 /* len -= offReply - offset; */
3633 }
3640 /*
3641 * Can return:
3642 *
3643 * NEED_MORE_DATA, if we don't have enough data to dissect anything;
3644 *
3645 * IS_RPC, if we dissected at least one message in its entirety
3646 * as RPC;
3647 *
3648 * IS_NOT_RPC, if we found no RPC message.
3649 */
3651 NEED_MORE_DATA,
3652 IS_RPC,
3653 IS_NOT_RPC
3656 static rpc_tcp_return_t
3659 {
3666 /*
3667 * Process this fragment.
3668 */
3674 /*
3675 * Try discarding some leading bytes from tvb, on assumption
3676 * that we are looking at the middle of a stream-based transfer
3677 */
3681 }
3685 /*
3686 * We need more data from the TCP stream for
3687 * this fragment.
3688 */
3690 }
3692 /*
3693 * It's not RPC. Stop processing.
3694 */
3696 }
3698 /* Set a fence so whatever the subdissector put in the
3699 * Info column stays there. This is useful when the
3700 * subdissector clears the column (which it might have to do
3701 * if it runs over some other protocol too) and there are
3702 * multiple PDUs in one frame.
3703 */
3706 /* PDU tracking
3707 If the length indicates that the PDU continues beyond
3708 the end of this tvb, then tell TCP about it so that it
3709 knows where the next PDU starts.
3710 This is to help TCP detect when PDUs are not aligned to
3711 segment boundaries and allow it to find RPC headers
3712 that starts in the middle of a TCP segment.
3713 */
3718 }
3719 }
3722 }
3724 }
3726 static gboolean
3728 {
3740 /* "Can't happen" */
3743 }
3744 }
3746 static int
3748 {
3755 }
3757 /* Discard any state we've saved. */
3758 static void
3760 {
3764 }
3767 rpc_fragment_equal);
3771 }
3773 /* will be called once from register.c at startup time */
3774 void
3776 {
3904 HFILL }},
3908 HFILL }},
3912 HFILL }},
3971 { "Conflicting data in fragment overlap", "rpc.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
3975 { "Multiple tail fragments found", "rpc.fragment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
4002 };
4019 };
4024 /* this is a dummy dissector for all those unknown rpc programs */
4032 "Whether the RPC dissector should reassemble messages spanning multiple TCP segments."
4033 " To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
4040 prefs_register_uint_preference(rpc_module, "max_tcp_pdu_size", "Maximum size of a RPC-over-TCP PDU",
4041 "Set the maximum size of RPCoverTCP PDUs. "
4042 " If the size field of the record marker is larger "
4048 "Whether the RPC dissector should attempt to dissect RPC PDUs containing programs that are not known to Wireshark. This will make the heuristics significantly weaker and elevate the risk for falsely identifying and misdissecting packets significantly.",
4053 "Whether the RPC dissector should attempt to locate RPC PDU boundaries when initial fragment alignment is not known. This may cause false positives, or slow operation.",
4060 /*
4061 * Init the hash tables. Dissectors for RPC protocols must
4062 * have a "handoff registration" routine that registers the
4063 * protocol with RPC; they must not do it in their protocol
4064 * registration routine, as their protocol registration
4065 * routine might be called before this routine is called and
4066 * thus might be called before the hash tables are initialized,
4067 * but it's guaranteed that all protocol registration routines
4068 * will be called before any handoff registration routines
4069 * are called.
4070 */
4075 }
4077 void
4079 {
4080 /* tcp/udp port 111 is used by portmapper which is an onc-rpc service.
4081 we register onc-rpc on this port so that we can choose RPC in
4082 the list offered by DecodeAs, and so that traffic to or from
4083 port 111 from or to a higher-numbered port is dissected as RPC
4084 even if there's a dissector registered on the other port (it's
4085 probably RPC traffic from some randomly-chosen port that happens
4086 to match some port for which we have a dissector)
4087 */
4098 }
4100 /*
4101 * Editor modelines
4102 *
4103 * Local Variables:
4104 * c-basic-offset: 8
4105 * tab-width: 8
4106 * indent-tabs-mode: t
4107 * End:
4108 *
4109 * ex: set shiftwidth=8 tabstop=8 noexpandtab:
4110 * :indentSize=8:tabSize=8:noTabs=false:
4111 */