diff options
author | Aurelien Aptel <aaptel@suse.com> | 2019-07-05 16:08:18 +0200 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2019-07-15 21:00:14 +0000 |
commit | 0db39ae59aaefc13a38ec4e7728da44a647b1a10 (patch) | |
tree | e82f234b0928c832d23bd6fe128958611131c060 /test | |
parent | 1a91aac9747ec3d937dd20ec962c86a149248876 (diff) |
smb2: add support for decompression
The latest iteration of Microsoft updates to SMB3 added compression to
the protocol. This commit implements decompressing and dissecting
compressed payloads.
The compression algorithms that can be used are "Plain LZ77",
"LZ77+Huffman" and "LZNT1" which you can read more about in the
[MS-XCA] documentation. This set of algorithm is sometimes referred to
as XPRESS.
This commit reuses the existing uncompression API scheme already in
place with zlib and brotli and adds 3 tvb_uncompress_*() function
implemented in:
* epan/tvbuff_lz77.c
* epan/tvbuff_lz77huff.c
* epan/tvbuff_lznt1.c
A new function wmem_array_try_index() was added to the wmem_array API
to make bound checked reads that fail gracefully. New tests for it
have been added as well.
Since both reads (tvb) and writes (wmem_array) are bound checked the
risk for buffer overruns is drastically reduced. LZ77+Huffman has
decoding tables and special care was taken to bound check these.
Simplified versions of the implementations were succesfully tested
against AFL (American Fuzzy Lop) for ~150 millions executions each.
The SMB2/3 dissector was changed to deal with the new transform header
for compressed packets (new protocol_id value) and READ request
flags (COMPRESSED). Badly compressed or encrypted packets are now
reported as such, and the decryption test suite was changed to reflect
that.
This commit also adds a test capture with 1 packet compressed with
each algorithm as returned by Windows Server 2019, along with 3
matching tests in test/suite_dissection.py
Change-Id: I2b84f56541f2f4ee7d886152794b993987dd10e7
Reviewed-on: https://code.wireshark.org/review/33855
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'test')
-rw-r--r-- | test/captures/smb311-lz77-lz77huff-lznt1.pcap.gz | bin | 0 -> 446 bytes | |||
-rw-r--r-- | test/suite_decryption.py | 4 | ||||
-rw-r--r-- | test/suite_dissection.py | 20 |
3 files changed, 22 insertions, 2 deletions
diff --git a/test/captures/smb311-lz77-lz77huff-lznt1.pcap.gz b/test/captures/smb311-lz77-lz77huff-lznt1.pcap.gz Binary files differnew file mode 100644 index 0000000000..f14bfbaf42 --- /dev/null +++ b/test/captures/smb311-lz77-lz77huff-lznt1.pcap.gz diff --git a/test/suite_decryption.py b/test/suite_decryption.py index 568e095a43..e87358ee86 100644 --- a/test/suite_decryption.py +++ b/test/suite_decryption.py @@ -1068,7 +1068,7 @@ class case_decrypt_smb2(subprocesstest.SubprocessTestCase): '-o', 'uat:smb2_seskey_list:{},{}'.format(sesid, seskey), '-Y', 'frame.number == 7', )) - self.assertIn('unknown', proc.stdout_str) + self.assertIn('Invalid header', proc.stdout_str) def test_smb311_bad_key(self, cmd_tshark, capture_file): seskey = 'ffffffffffffffffffffffffffffffff' @@ -1078,7 +1078,7 @@ class case_decrypt_smb2(subprocesstest.SubprocessTestCase): '-o', 'uat:smb2_seskey_list:{},{}'.format(sesid, seskey), '-Y', 'frame.number == 7' )) - self.assertIn('unknown', proc.stdout_str) + self.assertIn('Invalid header', proc.stdout_str) def test_smb300_aes128ccm(self, cmd_tshark, capture_file): '''Check SMB 3.0 AES128CCM decryption.''' diff --git a/test/suite_dissection.py b/test/suite_dissection.py index 06725e1181..772b40f5ca 100644 --- a/test/suite_dissection.py +++ b/test/suite_dissection.py @@ -199,3 +199,23 @@ class case_dissect_tls(subprocesstest.SubprocessTestCase): '''Verify that TCP and TLS handshake reassembly works (second pass).''' self.check_tls_handshake_reassembly( cmd_tshark, capture_file, extraArgs=['-2']) + +@fixtures.mark_usefixtures('test_env') +@fixtures.uses_fixtures +class case_decompress_smb2(subprocesstest.SubprocessTestCase): + def extract_compressed_payload(self, cmd_tshark, capture_file, frame_num): + proc = self.assertRun((cmd_tshark, + '-r', capture_file('smb311-lz77-lz77huff-lznt1.pcap.gz'), + '-Tfields', '-edata.data', + '-Y', 'frame.number == %d'%frame_num, + )) + self.assertEqual(b'a'*4096, bytes.fromhex(proc.stdout_str.strip())) + + def test_smb311_read_lz77(self, cmd_tshark, capture_file): + self.extract_compressed_payload(cmd_tshark, capture_file, 1) + + def test_smb311_read_lz77huff(self, cmd_tshark, capture_file): + self.extract_compressed_payload(cmd_tshark, capture_file, 2) + + def test_smb311_read_lznt1(self, cmd_tshark, capture_file): + self.extract_compressed_payload(cmd_tshark, capture_file, 3) |