authorÉmilio Gonzalez <egg997@gmail.com>2018-10-01 10:04:53 -0400
committerAlexis La Goutte <alexis.lagoutte@gmail.com>2018-10-06 05:59:24 +0000
commitf710f21833e45ed34f23dc9eb66dd6e3e09ead5e (patch)
tree7b4ac6e49c6ec5bf0f5884d0b80dc0cc8158fc69 /epan/dissectors/packet-t125.c
parent5c878100b11c3518ee50519a33c3f7996be3d015 (diff)
T125: Add a heuristic test case.
Looks for common T.125 packet types such as erectDomainRequest and attachUserRequest. This correctly links COTP with T.125/MCS in case of RDP traffic, which results in RDP traffic actually being dissected by the RDP dissector. Change-Id: I14eecc417cf5038779d78207ac0ccf2dd22a1219 Reviewed-on: https://code.wireshark.org/review/29960 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-t125.c')
-rw-r--r--epan/dissectors/packet-t125.c48
1 files changed, 43 insertions, 5 deletions
diff --git a/epan/dissectors/packet-t125.c b/epan/dissectors/packet-t125.c
index d87b9321c2..d3fa7b9fc2 100644
--- a/epan/dissectors/packet-t125.c
+++ b/epan/dissectors/packet-t125.c
@@ -24,6 +24,7 @@
#include <epan/exceptions.h>
#include <epan/asn1.h>
+#include <epan/conversation.h>
#include "packet-ber.h"
#include "packet-per.h"
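Review bot: The added `#include <epan/conversation.h>` does not appear to be needed, since none of the hunks visible for this file calls a conversation API. If nothing outside the shown hunks uses it either, drop the include so the dissector's dependencies stay minimal.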
@@ -33,6 +34,16 @@
#define PSNAME "T.125"
#define PFNAME "t125"
+
+#define HF_T125_ERECT_DOMAIN_REQUEST 1
+#define HF_T125_DISCONNECT_PROVIDER_ULTIMATUM 8
+#define HF_T125_ATTACH_USER_REQUEST 10
+#define HF_T125_ATTACH_USER_CONFIRM 11
+#define HF_T125_CHANNEL_JOIN_REQUEST 14
+#define HF_T125_CHANNEL_JOIN_CONFIRM 15
+#define HF_T125_SEND_DATA_REQUEST 25
+#define HF_T125_SEND_DATA_INDICATION 26
+
void proto_register_t125(void);
void proto_reg_handoff_t125(void);
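Review bot: The `HF_T125_*` prefix on these new macros is misleading, because in this file `hf_t125_*` names are header-field handles, while these values are compared against `tvb_get_guint8(tvb, 0) >> 2` in `dissect_t125_heur`, i.e. they look like the PER CHOICE indices of the MCS PDU type. A neutral prefix and a comment would make that clear, for example `/* DomainMCSPDU CHOICE indices: top 6 bits of the first PER-encoded byte, used by the heuristic */` above the block, with names such as `T125_MCSPDU_ERECT_DOMAIN_REQUEST`. An `enum` would also keep the values visible in a debugger. The `#line` directives show this file is generated from `./asn1/t125/packet-t125-template.c`, so the same definitions need to live in the template, which this single-file diff does not show.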
@@ -69,7 +80,7 @@ static int hf_t125_connect_additional = -1; /* Connect_Additional */
static int hf_t125_connect_result = -1; /* Connect_Result */
/*--- End of included file: packet-t125-hf.c ---*/
-#line 35 "./asn1/t125/packet-t125-template.c"
+#line 45 "./asn1/t125/packet-t125-template.c"
/* Initialize the subtree pointers */
static int ett_t125 = -1;
@@ -85,7 +96,7 @@ static gint ett_t125_Connect_Result_U = -1;
static gint ett_t125_ConnectMCSPDU = -1;
/*--- End of included file: packet-t125-ett.c ---*/
-#line 40 "./asn1/t125/packet-t125-template.c"
+#line 50 "./asn1/t125/packet-t125-template.c"
static heur_dissector_list_t t125_heur_subdissector_list;
@@ -371,7 +382,7 @@ static int dissect_ConnectMCSPDU_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_,
/*--- End of included file: packet-t125-fn.c ---*/
-#line 44 "./asn1/t125/packet-t125-template.c"
+#line 54 "./asn1/t125/packet-t125-template.c"
static int
dissect_t125(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
@@ -409,6 +420,7 @@ dissect_t125_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, vo
gboolean pc;
gint32 tag;
volatile gboolean failed;
+ gboolean is_t125;
/*
* We must catch all the "ran past the end of the packet" exceptions
@@ -419,6 +431,32 @@ dissect_t125_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, vo
*/
failed = FALSE;
TRY {
+ /*
+ * Check that the first byte of the packet is a valid t125/MCS header.
+ * This might not be enough, but since t125 only catch COTP packets,
+ * it should not be a problem.
+ */
+ guint8 first_byte = tvb_get_guint8(tvb, 0) >> 2;
+ switch (first_byte) {
+ case HF_T125_ERECT_DOMAIN_REQUEST:
+ case HF_T125_ATTACH_USER_REQUEST:
+ case HF_T125_ATTACH_USER_CONFIRM:
+ case HF_T125_CHANNEL_JOIN_REQUEST:
+ case HF_T125_CHANNEL_JOIN_CONFIRM:
+ case HF_T125_DISCONNECT_PROVIDER_ULTIMATUM:
+ case HF_T125_SEND_DATA_REQUEST:
+ case HF_T125_SEND_DATA_INDICATION:
+ is_t125 = TRUE;
+ break;
+ default:
+ is_t125 = FALSE;
+ break;
+ }
+ if(is_t125) {
+ dissect_t125(tvb, pinfo, parent_tree, NULL);
+ return TRUE;
+ }
+
/* could be BER */
get_ber_identifier(tvb, 0, &ber_class, &pc, &tag);
} CATCH_BOUNDS_ERRORS {
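Review bot: The `return TRUE;` added inside the `TRY {` block leaves the function without reaching `ENDTRY`, which as far as I know the epan exception macros forbid because the handler frame pushed by `TRY` is never popped; a later bounds exception raised on truncated or crafted capture data could then unwind into a stale stack frame. Keep only the classification inside the TRY, e.g. `if (!is_t125) get_ber_identifier(tvb, 0, &ber_class, &pc, &tag);`, and run `dissect_t125(tvb, pinfo, parent_tree, NULL); return TRUE;` after `ENDTRY` when `is_t125 && !failed`, declaring the flag as `volatile gboolean is_t125;` like `failed`, since it is written inside the TRY and read after it. Calling `dissect_t125` inside the TRY also means any bounds error it throws on a short packet appears to be caught by `CATCH_BOUNDS_ERRORS` here instead of being reported as a malformed packet. The one-byte match accepts 8 of the 64 possible values, so roughly one in eight arbitrary COTP payloads would be claimed as T.125 and handed to the RDP path; a minimum-length check or a second field check would tighten the heuristic. The start of `dissect_t125_heur` and its CATCH/ENDTRY tail are outside this hunk.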
@@ -546,7 +584,7 @@ void proto_register_t125(void) {
NULL, HFILL }},
/*--- End of included file: packet-t125-hfarr.c ---*/
-#line 114 "./asn1/t125/packet-t125-template.c"
+#line 151 "./asn1/t125/packet-t125-template.c"
};
/* List of subtrees */
@@ -563,7 +601,7 @@ void proto_register_t125(void) {
&ett_t125_ConnectMCSPDU,
/*--- End of included file: packet-t125-ettarr.c ---*/
-#line 120 "./asn1/t125/packet-t125-template.c"
+#line 157 "./asn1/t125/packet-t125-template.c"
};
/* Register protocol */