authorsahlberg <sahlberg@f5534014-38df-0310-8fa8-9805f1628bb7>2007-08-28 11:45:08 +0000
committersahlberg <sahlberg@f5534014-38df-0310-8fa8-9805f1628bb7>2007-08-28 11:45:08 +0000
commit15942a9944124b6b8fd79300c28add7260731f39 (patch)
tree6d42c0f32f0c521e3e63c363d1bb715b6a1bb842 /epan/dissectors/packet-dcerpc-nt.c
parentf4dfb4ed4ad82659977e3985661641fc8d566c3a (diff)
rename dcerpc_smb_store_pol_name to dcerpc_store_polhnd_name
rename dcerpc_smb_fetch_pol to dcerpc_fetch_polhnd_data and also make it take an additional parameter to return the "type" of the policy handle, if such a type was stored.
extend the pol_value structure used to track policy handles to also store a type to represent what created the policy handle. types could be USER/ALIAS/CONNECT/... etc handles returned from the SAMR interface.
add a new helper function dcerpc_store_polhnd_type().
track policy handles between request/responses for dcerpc.
update the samr.cnf file to make the samr dissectors for SetSecurity/QuerySecurity dissect the specific bits for the security descriptor correctly based on whether the policy handle refers to a CONNECT/DOMAIN/USER/ALIAS or GROUP.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@22703 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/dissectors/packet-dcerpc-nt.c')
-rw-r--r--epan/dissectors/packet-dcerpc-nt.c74
1 files changed, 56 insertions, 18 deletions
diff --git a/epan/dissectors/packet-dcerpc-nt.c b/epan/dissectors/packet-dcerpc-nt.c
index ebae197a04..a94526566a 100644
--- a/epan/dissectors/packet-dcerpc-nt.c
+++ b/epan/dissectors/packet-dcerpc-nt.c
@@ -400,14 +400,6 @@ typedef struct {
guint8 policy_hnd[20];
} pol_hash_key;
-typedef struct pol_value {
- struct pol_value *next; /* Next entry in hash bucket */
- guint32 open_frame, close_frame; /* Frame numbers for open/close */
- guint32 first_frame; /* First frame in which this instance was seen */
- guint32 last_frame; /* Last frame in which this instance was seen */
- char *name; /* Name of policy handle */
-} pol_value;
-
typedef struct {
pol_value *list; /* List of policy handle entries */
} pol_hash_value;
@@ -612,15 +604,43 @@ void dcerpc_smb_store_pol_pkts(e_ctx_hnd *policy_hnd, packet_info *pinfo,
pol->close_frame = is_close ? pinfo->fd->num : 0;
pol->first_frame = pinfo->fd->num;
pol->last_frame = pol->close_frame; /* if 0, unknown; if non-0, known */
-
+ pol->type=0;
pol->name = NULL;
add_pol_handle(policy_hnd, pinfo->fd->num, pol, value);
}
-/* Store a text string with a policy handle */
+/* Store the type of a policy handle */
+static void dcerpc_store_polhnd_type(e_ctx_hnd *policy_hnd, packet_info *pinfo,
+ guint32 type)
+{
+ pol_hash_value *value;
+ pol_value *pol;
+
+ /*
+ * By the time the first pass is done, the policy handle database
+ * has been completely constructed. If we've already seen this
+ * frame, there's nothing to do.
+ */
+ if (pinfo->fd->flags.visited)
+ return;
+
+ if (is_null_pol(policy_hnd))
+ return;
+
+ /* Look up existing value */
+ pol = find_pol_handle(policy_hnd, pinfo->fd->num, &value);
-void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
+ if (pol != NULL) {
+ /*
+ * Update the existing value as appropriate.
+ */
+ pol->type=type;
+ }
+}
+
+/* Store a text string with a policy handle */
+void dcerpc_store_polhnd_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
const char *name)
{
pol_hash_value *value;
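Review bot: The new dcerpc_store_polhnd_type() silently drops the type when find_pol_handle() returns NULL, and its one-line comment does not say so. The only caller visible on this page (PIDL_dissect_policy_hnd, last hunk) calls dcerpc_store_polhnd_name() immediately before it, which appears to create the entry when none exists, so the ordering there matters and should be stated. I would extend the header comment to `/* Store the type of a policy handle. Only updates an entry that already exists (e.g. one created by dcerpc_store_polhnd_name()); otherwise the type is discarded. */`. The local `value` is filled in by find_pol_handle() but never read in this function.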
@@ -666,7 +686,7 @@ void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
pol->close_frame = 0;
pol->first_frame = pinfo->fd->num;
pol->last_frame = 0;
-
+ pol->type = 0;
if (name)
pol->name = strdup(name);
else
@@ -683,7 +703,8 @@ void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
* close operations?
*/
-gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
+gboolean dcerpc_fetch_polhnd_data(e_ctx_hnd *policy_hnd,
+ char **name, guint32 *type,
guint32 *open_frame, guint32 *close_frame,
guint32 cur_frame)
{
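Review bot: The comment above dcerpc_fetch_polhnd_data() (it starts outside this hunk) is not updated for the new `type` out-parameter. The following two hunks show `*type` is set to 0 up front and only overwritten with `pol->type` when the handle is found, and new entries are created with `pol->type = 0`. So 0 means both "handle not found" and "no type recorded". Because the handle bytes come from the capture being dissected, callers that pick a decoding based on the type should treat 0 as unknown rather than as a real handle kind. I would add `/* *type is set to 0 when the handle is not found or no type was stored; callers must treat 0 as "unknown". */`. The function body continues outside the hunk.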
@@ -695,12 +716,15 @@ gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
if (name)
*name = NULL;
+ if (type)
+ *type = 0;
+
if (open_frame)
*open_frame = 0;
if (close_frame)
*close_frame = 0;
-
+
/* Look up existing value */
pol = find_pol_handle(policy_hnd, cur_frame, &value);
@@ -708,6 +732,9 @@ gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
if (name)
*name = pol->name;
+ if (type)
+ *type = pol->type;
+
if (open_frame)
*open_frame = pol->open_frame;
@@ -872,9 +899,8 @@ dissect_nt_hnd(tvbuff_t *tvb, gint offset, packet_info *pinfo,
dcerpc_smb_store_pol_pkts(&hnd, pinfo, is_open, is_close);
/* Insert open/close/name information if known */
-
- if (dcerpc_smb_fetch_pol(&hnd, &name, &open_frame, &close_frame,
- pinfo->fd->num)) {
+ if (dcerpc_fetch_polhnd_data(&hnd, &name, NULL, &open_frame,
+ &close_frame, pinfo->fd->num)) {
if (open_frame) {
proto_item *item;
@@ -973,7 +999,19 @@ PIDL_dissect_policy_hnd(tvbuff_t *tvb, gint offset, packet_info *pinfo,
pol_name="<...>";
}
pol_string=ep_strdup_printf("%s(%s)", pinfo->dcerpc_procedure_name, pol_name);
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_string);
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_string);
+ dcerpc_store_polhnd_type(&policy_hnd, pinfo, param&PIDL_POLHND_TYPE_MASK);
+ }
+
+ /* Track this policy handle for the response */
+ if(!pinfo->fd->flags.visited
+ && !di->conformant_run){
+ dcerpc_call_value *dcv;
+
+ dcv = (dcerpc_call_value *)di->call_data;
+ if(!dcv->pol){
+ dcv->pol=se_memdup(&policy_hnd, sizeof(e_ctx_hnd));
+ }
}
return offset;
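Review bot: In the added tracking block, `dcv = (dcerpc_call_value *)di->call_data;` is followed directly by `dcv->pol` with no check that `di->call_data` is non-NULL. Whether every path into PIDL_dissect_policy_hnd guarantees a call_data is not visible from this hunk, since `di` is set up outside it. This code runs on capture data the user did not author, so a missing call_data would turn a crafted or truncated trace into a dissector crash. A guard is cheap: `if(dcv && !dcv->pol){`. The `!dcv->pol` test also means only the first policy handle seen in a request is remembered for the response, which deserves a word in the comment, e.g. `/* Track the first policy handle of this request for the response */`.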