Add support for NTTIME_hyper and NTTIME_1sec

It's hyper with 8 bytes alignment it can have 1/100000 sec resolution or 1sec resolution

Bug: 10541
Change-Id: Iecc4c6d1bd1695a4c02db72e1617134254810cd9
Reviewed-on: https://code.wireshark.org/review/4606
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>

5 files changed, 39 insertions, 9 deletions

diff --git a/epan/dissectors/packet-dcerpc-nt.c b/epan/dissectors/packet-dcerpc-nt.c
index e6e0569a15..d66612a96f 100644
--- a/epan/dissectors/packet-dcerpc-nt.c
+++ b/epan/dissectors/packet-dcerpc-nt.c
@@ -470,6 +470,22 @@ dissect_ndr_nt_NTTIME (tvbuff_t *tvb, int offset,
 	return offset;
 }
 
+int
+dissect_ndr_nt_NTTIME_hyper (tvbuff_t *tvb, int offset,
+			packet_info *pinfo _U_, proto_tree *tree,
+			dcerpc_info *di, guint8 *drep _U_, int hf_index, gboolean onesec_resolution)
+{
+	if(di->conformant_run){
+		/*just a run to handle conformant arrays, nothing to dissect */
+		return offset;
+	}
+
+	ALIGN_TO_8_BYTES;
+
+	offset = dissect_nt_64bit_time_opt(tvb, tree, offset, hf_index, onesec_resolution);
+	return offset;
+}
+
 /* Define this symbol to display warnings about request/response and
    policy handle hash table collisions.	 This happens when a packet with
    the same conversation, smb fid and dcerpc call id occurs.  I think this
diff --git a/epan/dissectors/packet-dcerpc-nt.h b/epan/dissectors/packet-dcerpc-nt.h
index d81cd347d4..40b35d976b 100644
--- a/epan/dissectors/packet-dcerpc-nt.h
+++ b/epan/dissectors/packet-dcerpc-nt.h
@@ -153,6 +153,10 @@ dissect_ndr_nt_NTTIME (tvbuff_t *tvb, int offset,
 			packet_info *pinfo, proto_tree *tree,
 			dcerpc_info *di, guint8 *drep, int hf_index);
 int
+dissect_ndr_nt_NTTIME_hyper (tvbuff_t *tvb, int offset,
+				packet_info *pinfo, proto_tree *tree,
+				dcerpc_info *di, guint8 *drep, int hf_index, gboolean onesec_resolution);
+int
 dissect_ndr_nt_LOGON_HOURS(tvbuff_t *tvb, int offset,
 			packet_info *pinfo, proto_tree *parent_tree,
 			dcerpc_info *di, guint8 *drep);
diff --git a/epan/dissectors/packet-windows-common.c b/epan/dissectors/packet-windows-common.c
index 7e3f6d05d0..afbd698da1 100644
--- a/epan/dissectors/packet-windows-common.c
+++ b/epan/dissectors/packet-windows-common.c
@@ -1129,7 +1129,7 @@ value_string_ext ms_country_codes_ext = VALUE_STRING_EXT_INIT(ms_country_codes);
  *	Copyright (C) Andrew Tridgell 1992-1998
  */
 static gboolean
-nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
+nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv, gboolean onesec_resolution)
 {
 	guint64 d;
 	gint64 secs;
@@ -1144,6 +1144,10 @@ nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
 
 	d = ((guint64)filetime_high << 32) | filetime_low;
 
+	if (onesec_resolution) {
+		d *= 10000000;
+	}
+
 	/* Split into seconds and nanoseconds. */
 	secs = d / 10000000;
 	nsecs = (int)((d % 10000000)*100);
@@ -1164,13 +1168,13 @@ nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
 }
 
 int
-dissect_nt_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
+dissect_nt_64bit_time_opt(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, gboolean onesec_resolution _U_)
 {
-	return dissect_nt_64bit_time_ex(tvb, tree, offset, hf_date, NULL);
+	return dissect_nt_64bit_time_ex(tvb, tree, offset, hf_date, NULL, FALSE);
 }
 
 int
-dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem)
+dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem, gboolean onesec_resolution)
 {
 	guint32 filetime_high, filetime_low;
 	nstime_t ts;
@@ -1196,8 +1200,8 @@ dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_dat
 			    "%s: Infinity (absolute time)",
 			    proto_registrar_get_name(hf_date));
 		} else {
-			if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
-				item = proto_tree_add_time(tree, hf_date, tvb,
+			if (nt_time_to_nstime(filetime_high, filetime_low, &ts, onesec_resolution)) {
+				proto_tree_add_time(tree, hf_date, tvb,
 				    offset, 8, &ts);
 			} else {
 				item = proto_tree_add_text(tree, tvb, offset, 8,
@@ -1215,6 +1219,11 @@ dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_dat
 	return offset;
 }
 
+int
+dissect_nt_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
+{
+	return dissect_nt_64bit_time_opt(tvb, tree, offset, hf_date, FALSE);
+}
 
 /* Well-known SIDs defined in http://support.microsoft.com/kb/243330 */
 
diff --git a/epan/dissectors/packet-windows-common.h b/epan/dissectors/packet-windows-common.h
index 14153abcc5..ecd78b1e2f 100644
--- a/epan/dissectors/packet-windows-common.h
+++ b/epan/dissectors/packet-windows-common.h
@@ -242,9 +242,10 @@ extern value_string_ext ms_country_codes_ext;
 
 WS_DLL_PUBLIC
 int dissect_nt_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date);
-
 WS_DLL_PUBLIC
-int dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem);
+int dissect_nt_64bit_time_opt(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, gboolean onesec_resolution);
+WS_DLL_PUBLIC
+int dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem, gboolean onesec_resolution);
 
 /*
  *  SIDs and RIDs
diff --git a/plugins/opcua/opcua_simpletypes.c b/plugins/opcua/opcua_simpletypes.c
index c500722079..5846fcbc29 100644
--- a/plugins/opcua/opcua_simpletypes.c
+++ b/plugins/opcua/opcua_simpletypes.c
@@ -664,7 +664,7 @@ proto_item* parseDouble(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIn
 proto_item* parseDateTime(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex)
 {
     proto_item *item = NULL;
-    *pOffset = dissect_nt_64bit_time_ex(tvb, tree, *pOffset, hfIndex, &item);
+    *pOffset = dissect_nt_64bit_time_ex(tvb, tree, *pOffset, hfIndex, &item, FALSE);
     return item;
 }