From da0709451601df8a469ffa5612e49c775c0d0e38 Mon Sep 17 00:00:00 2001 From: Sam Cisneros Date: Tue, 22 May 2018 18:11:56 +0300 Subject: RNSAP over SCCP heuristic dissector Change-Id: Ife0612b52e96f3b379783515486751a11e65e86c Reviewed-on: https://code.wireshark.org/review/27721 Reviewed-by: Pascal Quantin --- epan/dissectors/packet-rnsap.c | 87 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 82 insertions(+), 5 deletions(-) (limited to 'epan/dissectors/packet-rnsap.c') diff --git a/epan/dissectors/packet-rnsap.c b/epan/dissectors/packet-rnsap.c index abb8547be7..c6bc4151f1 100644 --- a/epan/dissectors/packet-rnsap.c +++ b/epan/dissectors/packet-rnsap.c @@ -49111,6 +49111,84 @@ dissect_rnsap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) return dissect_RNSAP_PDU_PDU(tvb, pinfo, rnsap_tree, data); } +/* Highest ProcedureCode value, used in heuristics */ +#define RNSAP_MAX_PC 61 /* id-enhancedRelocationResourceRelease = 61*/ +#define RNSAP_MSG_MIN_LENGTH 7 +static gboolean +dissect_sccp_rnsap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) +{ + guint8 pdu_type; + guint8 procedure_id; + guint8 dd_mode; + guint8 criticality; + guint8 transaction_id_type; + guint length; + int length_field_offset; + + #define PDU_TYPE_OFFSET 0 + #define PROC_CODE_OFFSET 1 + #define DD_CRIT_OFFSET 2 + if (tvb_captured_length(tvb) < RNSAP_MSG_MIN_LENGTH) { + return FALSE; + } + + pdu_type = tvb_get_guint8(tvb, PDU_TYPE_OFFSET); + if (pdu_type & 0x1F) { + /* pdu_type is not 0x00 (initiatingMessage), 0x20 (succesfulOutcome), + 0x40 (unsuccesfulOutcome) or 0x60 (outcome), ignore extension bit (0x80) */ + return FALSE; + } + + procedure_id = tvb_get_guint8(tvb, PROC_CODE_OFFSET); + if (procedure_id > RNSAP_MAX_PC) { + return FALSE; + } + + dd_mode = tvb_get_guint8(tvb, DD_CRIT_OFFSET) >> 5; + if (dd_mode >= 0x03) { + /* dd_mode is not 0x00 (tdd), 0x01 (fdd) or 0x02 (common) */ + return FALSE; + } + + criticality = (tvb_get_guint8(tvb, DD_CRIT_OFFSET) & 0x18) >> 3; + if (criticality == 0x03) { + /* criticality is not 0x00 (reject), 0x01 (ignore) or 0x02 (notify) */ + return FALSE; + } + + /* Finding the offset for the length field - depends on wether the transaction id is long or short */ + transaction_id_type = (tvb_get_guint8(tvb, DD_CRIT_OFFSET) & 0x04) >> 2; + if(transaction_id_type == 0x00) { /* Short transaction id - 1 byte*/ + length_field_offset = 4; + } + else { /* Long transaction id - 2 bytes*/ + length_field_offset = 5; + } + + /* compute aligned PER length determinant without calling dissect_per_length_determinant() + to avoid exceptions and info added to tree, info column and expert info */ + length = tvb_get_guint8(tvb, length_field_offset); + length_field_offset += 1; + if (length & 0x80) { + if ((length & 0xc0) == 0x80) { + length &= 0x3f; + length <<= 8; + length += tvb_get_guint8(tvb, length_field_offset); + length_field_offset += 1; + } else { + length = 0; + } + } + if (length!= (tvb_reported_length(tvb) - length_field_offset)){ + return FALSE; + } + + dissect_rnsap(tvb, pinfo, tree, data); + + return TRUE; +} + + /*--- proto_register_rnsap -------------------------------------------*/ void proto_register_rnsap(void) { @@ -61538,7 +61616,7 @@ void proto_register_rnsap(void) { "Outcome_value", HFILL }}, /*--- End of included file: packet-rnsap-hfarr.c ---*/ -#line 162 "./asn1/rnsap/packet-rnsap-template.c" +#line 240 "./asn1/rnsap/packet-rnsap-template.c" }; /* List of subtrees */ @@ -62976,7 +63054,7 @@ void proto_register_rnsap(void) { &ett_rnsap_Outcome, /*--- End of included file: packet-rnsap-ettarr.c ---*/ -#line 168 "./asn1/rnsap/packet-rnsap-template.c" +#line 246 "./asn1/rnsap/packet-rnsap-template.c" }; @@ -63008,8 +63086,7 @@ proto_reg_handoff_rnsap(void) rrc_ul_ccch_handle = find_dissector_add_dependency("rrc.ul.ccch", proto_rnsap); dissector_add_uint("sccp.ssn", SCCP_SSN_RNSAP, rnsap_handle); - /* Add heuristic dissector */ - /*heur_dissector_add("sccp", dissect_sccp_rnsap_heur, "RNSAP over SCCP", "ranap_sccp", proto_rnsap, HEURISTIC_DISABLE); */ + heur_dissector_add("sccp", dissect_sccp_rnsap_heur, "RNSAP over SCCP", "rnsap_sccp", proto_rnsap, HEURISTIC_ENABLE); /*--- Included file: packet-rnsap-dis-tab.c ---*/ @@ -63937,7 +64014,7 @@ proto_reg_handoff_rnsap(void) /*--- End of included file: packet-rnsap-dis-tab.c ---*/ -#line 203 "./asn1/rnsap/packet-rnsap-template.c" +#line 280 "./asn1/rnsap/packet-rnsap-template.c" } -- cgit v1.2.3