author | wmeier <wmeier@f5534014-38df-0310-8fa8-9805f1628bb7> | 2011-03-04 15:09:29 +0000 |
---|---|---|
committer | wmeier <wmeier@f5534014-38df-0310-8fa8-9805f1628bb7> | 2011-03-04 15:09:29 +0000 |
commit | 41a5408e5abe2c7d871d11087eb9f0e5025bccef (patch) | |
tree | e521b83923938b8b3e3fbf790179d9a55034da9a /epan/dissectors/packet-nbns.c | |
parent | 3496d4288add4be3e07510bebbe830d093b945c4 (diff) |
From Stefan Metzmacher: Patch that fixes false positives and allows large smb1/2 pdus
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4914
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@36140 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/dissectors/packet-nbns.c')
-rw-r--r-- | epan/dissectors/packet-nbns.c | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/epan/dissectors/packet-nbns.c b/epan/dissectors/packet-nbns.c
index 85d288ed93..9a779e2329 100644
--- a/epan/dissectors/packet-nbns.c
+++ b/epan/dissectors/packet-nbns.c
@@ -1682,6 +1682,27 @@ dissect_nbss(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 }
 /*
+ * The larged size in for non-SMB NBSS traffic is
+ * 17 bits (0x1FFFF).
+ *
+ * The SMB1 unix extensions and the SMB2 multi credit
+ * feature allow more than 17 bits (0x1FFFF), they allow
+ * 24 bits (0xFFFFFF).
+ *
+ * So if it is a SESSION_MESSAGE and SMB1 or SMB2
+ * mark it as is_cifs.
+ */
+ if (tvb_length_remaining(tvb, offset) >=8
+ && tvb_get_guint8(tvb,offset+0) == SESSION_MESSAGE
+ && tvb_get_guint8(tvb,offset+5) == 'S'
+ && tvb_get_guint8(tvb,offset+6) == 'M'
+ && tvb_get_guint8(tvb,offset+7) == 'B') {
+ is_cifs = TRUE;
+ } else {
+ is_cifs = FALSE;
+ }
+
+ /*
 * We have enough data for an NBSS header.
 * Get the flags and length of the message,
 * and see if they're sane.
@@ -1693,7 +1714,7 @@ dissect_nbss(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 flags = tvb_get_guint8(tvb, offset + 1);
 length = tvb_get_ntohs(tvb, offset + 2);
 if (flags & NBSS_FLAGS_E)
- length += 65536;
+ length += 0x10000;
 }
 if ((flags & (~NBSS_FLAGS_E)) != 0) {
 /*
@@ -1715,15 +1736,6 @@ dissect_nbss(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 if (length == 0)
 goto continuation;
- /*
- * I added this IF test to catch issues when the dissector loses track of the stream normally
- * because of missing frames in the capture and the first byte of the TCP data being check
- * happens to be a 0. I'm adding a second sanity test to try to reject false positives.
- * I've haven't seen any real world CIFS/SMB traffic where the NBSS PDU length is greater then
- * 65536 bytes. I could have added this with an OR argument to the previous IF test but I added it
- * this way for clarity. - Frank Schorr */
- if (length > 65536)
- goto continuation;
 break;
 case SESSION_REQUEST: |
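Review bot: The new `is_cifs` test in the first hunk compares bytes `offset+5` to `offset+7` with 'S', 'M', 'B' but never looks at `offset+4`, so any leading byte passes even though the comment speaks of SMB1 or SMB2 only. Because the last hunk also drops the `if (length > 65536) goto continuation;` sanity check, this heuristic appears to be what decides whether a capture-supplied length of up to 24 bits is accepted; the code that consumes `is_cifs` lies outside the visible hunks, so that should be confirmed. Consider adding `&& (tvb_get_guint8(tvb,offset+4) == 0xFF || tvb_get_guint8(tvb,offset+4) == 0xFE)`, or say in the comment that the byte is skipped on purpose. The comment's first sentence would also read better as `The largest size for non-SMB NBSS traffic is 17 bits (0x1FFFF).` dissect_nbss starts and ends outside these hunks.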