authorMichael Mann <mmann78@netscape.net>2013-09-05 16:29:08 +0000
committerMichael Mann <mmann78@netscape.net>2013-09-05 16:29:08 +0000
commitb3f4084c4e5dbe9180150082a321cefd662ba952 (patch)
treeee20eef9b704ee314b36a31efa5dcd1051f02022 /epan/dissectors/packet-ntlmssp.c
parent808d594087f9433ec6424f5cfa7e1b8605eb149d (diff)
Make "content blob" dynamically sized so it doesn't take up 20k of memory per conversation.
Add filterable expert info while we're at it. svn path=/trunk/; revision=51787
Diffstat (limited to 'epan/dissectors/packet-ntlmssp.c')
-rw-r--r--epan/dissectors/packet-ntlmssp.c40
1 files changed, 30 insertions, 10 deletions
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index 975c164afd..70e8453e46 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -44,7 +44,7 @@
#include <epan/packet.h>
#include <epan/asn1.h>
#include <epan/prefs.h>
-#include <epan/emem.h>
+#include <epan/wmem/wmem.h>
#include <epan/tap.h>
#include <epan/expert.h>
#include <epan/show_exception.h>
@@ -266,13 +266,17 @@ static gint ett_ntlmssp_challenge_target_info_item = -1;
static gint ett_ntlmssp_ntlmv2_response = -1;
static gint ett_ntlmssp_ntlmv2_response_item = -1;
+static expert_field ei_ntlmssp_v2_key_too_long = EI_INIT;
+static expert_field ei_ntlmssp_blob_len_too_long = EI_INIT;
+static expert_field ei_ntlmssp_target_info_attr = EI_INIT;
+
/* Configuration variables */
const char *gbl_nt_password = NULL;
#define MAX_BLOB_SIZE 10240
typedef struct _ntlmssp_blob {
guint16 length;
- guint8 contents[MAX_BLOB_SIZE];
+ guint8* contents;
} ntlmssp_blob;
#define NTLMSSP_CONV_INFO_KEY 0
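Review bot: The new `contents` pointer at L43 carries no documentation of its allocator, lifetime or the meaning of NULL, which matters now that `length` and `contents` can disagree: the reject path later in this commit sets both to zero/NULL, while the challenge hunk allocates 24 bytes without touching `length`. Suggest `guint8 *contents; /* wmem_file_scope() allocation filled by dissect_ntlmssp_blob(); NULL when the blob was rejected */` and a one-line note on MAX_BLOB_SIZE that it is now the largest packet-supplied length the dissector accepts rather than a buffer size. Keeping that bound is worth doing, since it caps how much file-scope memory a single message can make the dissector allocate.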
@@ -966,9 +970,9 @@ dissect_ntlmssp_blob (tvbuff_t *tvb, packet_info *pinfo,
if (result != NULL) {
result->length = blob_length;
- memset(result->contents, 0, MAX_BLOB_SIZE);
if (blob_length < MAX_BLOB_SIZE)
{
+ result->contents = wmem_alloc(wmem_file_scope(), blob_length);
tvb_memcpy(tvb, result->contents, blob_offset, blob_length);
if (blob_hf == hf_ntlmssp_auth_lmresponse &&
!(tvb_memeql(tvb, blob_offset+8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", NTLMSSP_KEY_LEN)))
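Review bot: The buffer allocated at L52 is exactly `blob_length` bytes, so `contents` no longer has the slack the old 10240-byte array gave, and any caller that reads a fixed count from it over-reads the heap when the peer sends a short blob. The auth hunk later in this commit copies 8 bytes from `lm_response.contents` after checking only for NULL, and the challenge hunk's `XXX` comment records a 24-byte expectation in create_ntlmssp_v1_key; neither looks at `length`. If, as the name suggests, `lm_response` is filled by this function for the auth message, that copy should become `if (conv_ntlmssp_info->lm_response.contents == NULL || conv_ntlmssp_info->lm_response.length < 8) {` with the existing zeroing in the true branch, and the create_ntlmssp_v1_key call sites presumably need an equivalent length check that I cannot confirm from here. dissect_ntlmssp_blob starts before this hunk.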
@@ -978,7 +982,9 @@ dissect_ntlmssp_blob (tvbuff_t *tvb, packet_info *pinfo,
tvb, blob_offset, 8, ENC_NA);
}
} else {
- expert_add_info_format(pinfo, tf, PI_WARN, PI_UNDECODED,
+ result->length = 0;
+ result->contents = NULL;
+ expert_add_info_format_text(pinfo, tf, &ei_ntlmssp_v2_key_too_long,
"NTLM v2 key is %d bytes long, too big for our %d buffer", blob_length, MAX_BLOB_SIZE);
}
}
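Review bot: The warning text at L64 still says "too big for our %d buffer" although this commit removes the fixed buffer; MAX_BLOB_SIZE is now an upper bound on the packet-supplied length, not a buffer size. Suggest `"NTLM v2 key is %d bytes long, exceeds the %d byte limit", blob_length, MAX_BLOB_SIZE);`. Resetting `length` and `contents` together on the reject path is the right move, since the auth code keys on both fields.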
@@ -1257,7 +1263,6 @@ dissect_ntlmssp_target_info_list(tvbuff_t *tvb, packet_info *pinfo, proto_tree *
guint32 type_offset;
guint32 len_offset;
const gchar *text = NULL;
- proto_item *pi;
int **hf_array_p = tif_p->hf_attr_array_p;
@@ -1307,8 +1312,8 @@ dissect_ntlmssp_target_info_list(tvbuff_t *tvb, packet_info *pinfo, proto_tree *
break;
default:
- pi = proto_tree_add_text(target_info_tree, tvb, content_offset, content_length, "unknown content");
- expert_add_info_format(pinfo, pi, PI_UNDECODED, PI_WARN, "unknown NTLMSSP Target Info Attribute");
+ proto_tree_add_expert(target_info_tree, pinfo, &ei_ntlmssp_target_info_attr,
+ tvb, content_offset, content_length);
break;
}
}
@@ -1528,6 +1533,10 @@ dissect_ntlmssp_challenge (tvbuff_t *tvb, packet_info *pinfo, int offset,
if (!(conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY))
{
conv_ntlmssp_info->rc4_state_initialized = 0;
+ /* XXX - Make sure there is 24 bytes for the key */
+ conv_ntlmssp_info->ntlm_response.contents = wmem_alloc0(wmem_file_scope(), 24);
+ conv_ntlmssp_info->lm_response.contents = wmem_alloc0(wmem_file_scope(), 24);
+
create_ntlmssp_v1_key(gbl_nt_password, conv_ntlmssp_info->server_challenge, NULL, sspkey, NULL, conv_ntlmssp_info->flags, conv_ntlmssp_info->ntlm_response.contents, conv_ntlmssp_info->lm_response.contents, ntlmssph);
if (memcmp(sspkey, gbl_zeros, NTLMSSP_KEY_LEN) != 0) {
get_sealing_rc4key(sspkey, conv_ntlmssp_info->flags, &ssp_key_len, clientkey, serverkey);
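Review bot: The two allocations at L88-89 replace whatever `contents` pointed to but leave `ntlm_response.length` and `lm_response.length` untouched, so for these blobs the length field no longer describes the allocation; and because the memory is file-scoped, each pass over the challenge (no `visited` guard is visible in this hunk, so this is inferred) leaves the previous pair unreachable until the capture is closed. Reusing the buffer when `contents` is already non-NULL, or allocating only on the first pass, would bound that. The `XXX` comment should also name the consumer and the reason for 24, e.g. `/* XXX - create_ntlmssp_v1_key() is passed these buffers and presumably needs 24 bytes in each; confirm its contract */`, since the call at L91 is the only visible user. dissect_ntlmssp_challenge starts before this hunk.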
@@ -1752,7 +1761,6 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
data_start = MIN(data_start, item_start);
data_end = MAX(data_end, item_end);
- memset(sessionblob.contents, 0, MAX_BLOB_SIZE);
sessionblob.length = 0;
if (offset < data_start) {
/* Session Key */
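Review bot: With the memset at L97 gone, `sessionblob.contents` is an uninitialised stack pointer until dissect_ntlmssp_blob assigns it; the later use is guarded by `length != 0`, which the blob function sets together with `contents`, but that coupling is not visible at this site. Pairing the reset, `sessionblob.length = 0; sessionblob.contents = NULL;`, makes the invariant explicit at no cost. dissect_ntlmssp_auth starts before this hunk.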
@@ -1791,7 +1799,7 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
}
if (sessionblob.length > NTLMSSP_KEY_LEN) {
- expert_add_info_format(pinfo, NULL, PI_WARN, PI_UNDECODED, "Session blob length too long: %u", sessionblob.length);
+ expert_add_info_format_text(pinfo, NULL, &ei_ntlmssp_blob_len_too_long, "Session blob length too long: %u", sessionblob.length);
} else if (sessionblob.length != 0) {
memcpy(encryptedsessionkey, sessionblob.contents, sessionblob.length);
/* Try to attach to an existing conversation if not then it's useless to try to do so
@@ -1807,7 +1815,11 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
}
else
{
- memcpy(conv_ntlmssp_info->client_challenge, conv_ntlmssp_info->lm_response.contents, 8);
+ if (conv_ntlmssp_info->lm_response.contents == NULL) {
+ memset(conv_ntlmssp_info->client_challenge, 0, 8);
+ } else {
+ memcpy(conv_ntlmssp_info->client_challenge, conv_ntlmssp_info->lm_response.contents, 8);
+ }
create_ntlmssp_v1_key(gbl_nt_password, conv_ntlmssp_info->server_challenge, conv_ntlmssp_info->client_challenge, sspkey, encryptedsessionkey, conv_ntlmssp_info->flags, conv_ntlmssp_info->ntlm_response.contents, conv_ntlmssp_info->lm_response.contents, ntlmssph);
}
/* ssp is the exported session key */
@@ -3291,7 +3303,13 @@ proto_register_ntlmssp(void)
&ett_ntlmssp_ntlmv2_response,
&ett_ntlmssp_ntlmv2_response_item,
};
+ static ei_register_info ei[] = {
+ { &ei_ntlmssp_v2_key_too_long, { "ntlmssp.v2_key_too_long", PI_UNDECODED, PI_WARN, "NTLM v2 key is too long", EXPFILL }},
+ { &ei_ntlmssp_blob_len_too_long, { "ntlmssp.blob.length.too_long", PI_UNDECODED, PI_WARN, "Session blob length too long", EXPFILL }},
+ { &ei_ntlmssp_target_info_attr, { "ntlmssp.target_info_attr.unknown", PI_UNDECODED, PI_WARN, "unknown NTLMSSP Target Info Attribute", EXPFILL }},
+ };
module_t *ntlmssp_module;
+ expert_module_t* expert_ntlmssp;
proto_ntlmssp = proto_register_protocol (
"NTLM Secure Service Provider", /* name */
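Review bot: `expert_module_t* expert_ntlmssp;` at L132 binds the `*` to the type while the adjacent `module_t *ntlmssp_module;` binds it to the variable; write `expert_module_t *expert_ntlmssp;` to match the surrounding style (the same applies to `guint8* contents;` in the struct hunk). The ei table itself reads fine; its summary strings match the format strings used at the call sites. proto_register_ntlmssp continues outside this hunk.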
@@ -3300,6 +3318,8 @@ proto_register_ntlmssp(void)
);
proto_register_field_array (proto_ntlmssp, hf, array_length (hf));
proto_register_subtree_array (ett, array_length (ett));
+ expert_ntlmssp = expert_register_protocol(proto_ntlmssp);
+ expert_register_field_array(expert_ntlmssp, ei, array_length(ei));
register_init_routine(&ntlmssp_init_protocol);
ntlmssp_module = prefs_register_protocol(proto_ntlmssp, NULL);