authorArmin Felder <Armin.Felder@gmail.com>2021-12-30 20:24:02 +0100
committerWireshark GitLab Utility <gerald+gitlab-utility@wireshark.org>2021-12-31 14:44:00 +0000
commite8e6a2c6df5ffaf983bdc8b4ccb88c340df8b6cf (patch)
treedc2f54bfbba4cf07372b115c6af39b3e654c29ba
parent777aaeda62dc13de5a916e25d3f83c055dd39807 (diff)
NTLMv2 dissector: skip target info for AUTHENTICATE_MESSAGE
If the NTLMv2 message is of type AUTHENTICATE_MESSAGE, there are no target-info fields (MS-NLMP 2.2.1.3). Fixes #17817
-rw-r--r--epan/dissectors/packet-dcerpc-netlogon.c2
-rw-r--r--epan/dissectors/packet-ntlmssp.c17
-rw-r--r--epan/dissectors/packet-ntlmssp.h2
-rw-r--r--epan/dissectors/packet-smb.c3
4 files changed, 14 insertions, 10 deletions
diff --git a/epan/dissectors/packet-dcerpc-netlogon.c b/epan/dissectors/packet-dcerpc-netlogon.c
index 4bc958725f..aa69f4f36b 100644
--- a/epan/dissectors/packet-dcerpc-netlogon.c
+++ b/epan/dissectors/packet-dcerpc-netlogon.c
@@ -712,7 +712,7 @@ static void dissect_ndr_lm_nt_byte_array(packet_info *pinfo,
cb_ref->response->length = len;
cb_ref->response->contents = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, len);
if (len > 24) {
- dissect_ntlmv2_response(tvb, pinfo, tree, offset, len);
+ dissect_ntlmv2_response(tvb, pinfo, tree, offset, len, state->ntlmssph.type);
}
dissect_LOGON_INFO_STATE_finish(state);
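Review bot: The value of `state->ntlmssph.type` at this call is not visible in the hunk, yet it now decides what the callee does: if the netlogon code fills it in as NTLMSSP_AUTH (these LM/NT byte arrays are the client's challenge responses forwarded to the DC), the AvPair list inside the NTLMv2 response is no longer dissected; if the field is left zero-initialized, behaviour here is unchanged. Please confirm which case applies and say so at the call, e.g. `/* ntlmssph.type selects whether dissect_ntlmv2_response parses the target-info list; it is set by <caller> before we get here */`. The enclosing dissect_ndr_lm_nt_byte_array starts before the hunk.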
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index 2c61c6b329..817071dd21 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -1126,7 +1126,7 @@ dissect_ntlmssp_string (tvbuff_t *tvb, int offset,
static int
dissect_ntlmssp_blob (tvbuff_t *tvb, packet_info *pinfo,
proto_tree *ntlmssp_tree, int offset,
- int blob_hf, int *end, ntlmssp_blob *result)
+ int blob_hf, int *end, ntlmssp_blob *result, guint32 type)
{
proto_item *tf = NULL;
proto_tree *tree = NULL;
@@ -1214,7 +1214,7 @@ dissect_ntlmssp_blob (tvbuff_t *tvb, packet_info *pinfo,
* is at least 32 bytes, so an NTLMv2_RESPONSE is at least
* 48 bytes long.
*/
- dissect_ntlmv2_response(tvb, pinfo, tree, blob_offset, blob_length);
+ dissect_ntlmv2_response(tvb, pinfo, tree, blob_offset, blob_length, type);
}
}
@@ -1464,7 +1464,7 @@ dissect_ntlmssp_target_info_list(tvbuff_t *tvb, packet_info *pinfo, proto_tree *
/** See [MS-NLMP] 3.3.2 */
int
-dissect_ntlmv2_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int len)
+dissect_ntlmv2_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int len, guint32 type)
{
proto_item *ntlmv2_item = NULL;
proto_tree *ntlmv2_tree = NULL;
@@ -1503,7 +1503,10 @@ dissect_ntlmv2_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
proto_tree_add_item(ntlmv2_tree, hf_ntlmssp_ntlmv2_response_z, tvb, offset, 4, ENC_NA);
offset += 4;
- offset = dissect_ntlmssp_target_info_list(tvb, pinfo, ntlmv2_tree, offset, len - (offset - orig_offset), &ntlmssp_ntlmv2_response_tif);
+ if (type != NTLMSSP_AUTH) {
+ offset = dissect_ntlmssp_target_info_list(tvb, pinfo, ntlmv2_tree, offset, len - (offset - orig_offset),
+ &ntlmssp_ntlmv2_response_tif);
+ }
if ((offset - orig_offset) < len) {
proto_tree_add_item(ntlmv2_tree, hf_ntlmssp_ntlmv2_response_z, tvb, offset, 4, ENC_NA);
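Review bot: The new `if (type != NTLMSSP_AUTH)` guard skips the AvPair list on the one message type that actually carries an NTLMv2_RESPONSE: as I read MS-NLMP, the NtChallengeResponse of an AUTHENTICATE_MESSAGE is an NTLMv2_RESPONSE (2.2.2.8) whose NTLMv2_CLIENT_CHALLENGE (2.2.2.7) ends with the AvPairs the client copied from the server's TargetInfo plus any it added (e.g. MsvAvChannelBindings, MsvAvFlags), and 2.2.1.3 only says the AUTHENTICATE message has no top-level TargetInfo field of its own. With the guard in place those bytes fall through to the 4-byte `hf_ntlmssp_ntlmv2_response_z` item below and the rest of the blob is left undissected, which hides exactly the fields (channel bindings, MIC flag) an analyst checks when verifying NTLM relay mitigations. If #17817 is about a malformed or over-long AvPair list, the fix belongs in the bounds handling of `dissect_ntlmssp_target_info_list` rather than in skipping it; at minimum, the spec section that justifies skipping should be quoted in a comment on the new condition. The remainder of dissect_ntlmv2_response, including the trailing padding handling, is outside the hunk.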
@@ -1973,7 +1976,7 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
hf_ntlmssp_auth_lmresponse,
&item_end,
conv_ntlmssp_info == NULL ? NULL :
- &conv_ntlmssp_info->lm_response);
+ &conv_ntlmssp_info->lm_response, ntlmssph->type);
data_end = MAX(data_end, item_end);
/* NTLM response */
@@ -1982,7 +1985,7 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
hf_ntlmssp_auth_ntresponse,
&item_end,
conv_ntlmssp_info == NULL ? NULL :
- &conv_ntlmssp_info->ntlm_response);
+ &conv_ntlmssp_info->ntlm_response, ntlmssph->type);
data_start = MIN(data_start, item_start);
data_end = MAX(data_end, item_end);
@@ -2023,7 +2026,7 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
/* Session Key */
offset = dissect_ntlmssp_blob(tvb, pinfo, ntlmssp_tree, offset,
hf_ntlmssp_auth_sesskey,
- &item_end, &sessionblob);
+ &item_end, &sessionblob, ntlmssph->type);
data_end = MAX(data_end, item_end);
}
diff --git a/epan/dissectors/packet-ntlmssp.h b/epan/dissectors/packet-ntlmssp.h
index 2893158b14..3babeb07f1 100644
--- a/epan/dissectors/packet-ntlmssp.h
+++ b/epan/dissectors/packet-ntlmssp.h
@@ -34,7 +34,7 @@ get_md4pass_list(wmem_allocator_t *pool, md4_pass** p_pass_list);
/* Dissect a ntlmv2 response */
int
-dissect_ntlmv2_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ntlmssp_tree, int offset, int len);
+dissect_ntlmv2_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ntlmssp_tree, int offset, int len, guint32 type);
/* the ntlmssp data passed to tap listeners */
typedef struct _ntlmssp_header_t {
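Review bot: The prototype gains a `type` parameter but the comment above it still says only "Dissect a ntlmv2 response", so a caller cannot tell what value to pass or what it changes. Please extend it, e.g. `/* Dissect a ntlmv2 response. 'type' is the NTLMSSP message type (NTLMSSP_NEGOTIATE/CHALLENGE/AUTH) of the message carrying the response; for NTLMSSP_AUTH the target-info AvPair list is not parsed. */`. Stating the contract here matters because the netlogon and SMB callers are not dissecting an NTLMSSP message and have to supply the value themselves.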
diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c
index 6f8e971692..21bd917a95 100644
--- a/epan/dissectors/packet-smb.c
+++ b/epan/dissectors/packet-smb.c
@@ -7824,7 +7824,8 @@ dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree
if (upwlen > 24) {
proto_tree *subtree;
subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
- dissect_ntlmv2_response(tvb, pinfo, subtree, offset, upwlen);
+ guint32 type = tvb_get_letohs(tvb, 8);
+ dissect_ntlmv2_response(tvb, pinfo, subtree, offset, upwlen, type);
}
COUNT_BYTES(upwlen);
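Review bot: `tvb_get_letohs(tvb, 8)` on the new line does not read an NTLMSSP message type: in dissect_session_setup_andx_request the password field is a raw NTLMv2 response inside a non-extended-security Session Setup AndX, so there is no `NTLMSSP\0` signature and offset 8 is a fixed position in the SMB PDU (part of the header's status field, if `tvb` starts at the SMB header), unrelated to the blob at `offset`. It also reads 16 bits into a `guint32`, whereas an NTLMSSP MessageType is a 4-byte little-endian field. Since this blob can only be a client authentication, the intended value should be chosen explicitly rather than read from the packet, e.g. `/* raw NTLMv2 response, no NTLMSSP header: treat as an AUTHENTICATE message */` followed by `dissect_ntlmv2_response(tvb, pinfo, subtree, offset, upwlen, NTLMSSP_AUTH);`, assuming NTLMSSP_AUTH is visible here through packet-ntlmssp.h; the `type != NTLMSSP_AUTH` guard in dissect_ntlmv2_response then decides whether the AvPair list is parsed, so whichever value is chosen should be deliberate. The enclosing function starts before the hunk.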