Wireshark mailing list archives
Re: Better dissection in the SMB dissector when captures contain truncated frames/packets
From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Wed, 03 Oct 2012 07:43:31 +0200
Hi,

I think this is correct, checking for the availability of data in the TVB is independent of the question if the tree is available or not. That fact should not have influence on the interpretation of the data.

Thanks,
Jaap

On 10/03/2012 12:36 AM, Richard Sharpe wrote:
Hi folks, I am often given captures that contain truncated packets. It annoys me that in many places the SMB dissector does not attempt to do all it could with the data. For example, with TRANS2 FIND_FIRST2 it does not bother displaying any of the files returned if the data is truncated. The following small patch fixes that, although I want to go through and do the same for all of the FF2 info levels: Index: epan/dissectors/packet-smb.c =================================================================== --- epan/dissectors/packet-smb.c (revision 43693) +++ epan/dissectors/packet-smb.c (working copy) @@ -14656,8 +14656,20 @@ si = (smb_info_t *)pinfo->private_data; DISSECTOR_ASSERT(si); + /* + * We check this first before adding the sub-tree so things do not + * get ugly. + */ + + /* next entry offset */ + CHECK_BYTE_COUNT_SUBR(4); + neo = tvb_get_letohl(tvb, offset); + + /* Ensure we have the bytes we need, wich is up to neo */ + tvb_ensure_bytes_exist(tvb, offset, neo); + if (parent_tree) { - tvb_ensure_bytes_exist(tvb, offset, *bcp); + /*tvb_ensure_bytes_exist(tvb, offset, *bcp); */ item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s", val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)")); tree = proto_item_add_subtree(item, ett_smb_ff2_data); @@ -14669,9 +14681,6 @@ * key" flag set. */ - /* next entry offset */ - CHECK_BYTE_COUNT_SUBR(4); - neo = tvb_get_letohl(tvb, offset); proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo); COUNT_BYTES_SUBR(4);
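Review bot: in the first hunk, `neo` is read from the packet with `tvb_get_letohl` and passed straight to `tvb_ensure_bytes_exist(tvb, offset, neo)` as a length, without first being compared to `*bcp`. A value of 0 makes the check cover no bytes at all, and a value larger than the remaining byte count is left for the tvb call to sort out. Suggest bounding `neo` against `*bcp` before using it as a length and deciding explicitly what length to require when it is 0. The `proto_tree_add_text` call inside `if (parent_tree)` still uses `*bcp` as the item length although only `neo` bytes have been checked, so the item length should follow the same bound. The commented-out `tvb_ensure_bytes_exist(tvb, offset, *bcp)` is better deleted than left in place, and "wich" in the new comment should read "which".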
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
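The point discussed in this thread, as an added example that is not part of the original messages and is not Wireshark code: a stand-alone C walker over records chained by a 4-byte little-endian next entry offset, which counts the records fully present in a truncated capture and rejects offsets that exceed the reported byte count. The record layout, `walk_entries`, the status names and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum walk_status { WALK_OK, WALK_TRUNCATED, WALK_MALFORMED };

/* Constructed sample: three records of 8, 12 and 8 bytes; offset 0 marks the last. */
static const uint8_t sample[28] = {
    8, 0, 0, 0, 'a', 'b', 'c', 'd',
    12, 0, 0, 0, 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l',
    0, 0, 0, 0, 'm', 'n', 'o', 'p',
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Count the records fully present in buf. `captured` is the number of bytes
 * the capture holds, `reported` the number the sender's byte count claims.
 * Each length is checked against both before a record is accepted, and the
 * checks never depend on whether anything will be displayed.
 */
int walk_entries(const uint8_t *buf, size_t captured, size_t reported,
                 enum walk_status *st)
{
    size_t off = 0;
    int n = 0;
    *st = WALK_OK;
    while (off < reported) {
        size_t left_rep = reported - off;
        size_t left_cap = captured > off ? captured - off : 0;
        if (left_rep < 4) { *st = WALK_MALFORMED; break; }
        if (left_cap < 4) { *st = WALK_TRUNCATED; break; }
        uint32_t neo = rd_le32(buf + off);   /* untrusted value from the wire */
        size_t len = neo ? neo : left_rep;   /* last record runs to the end */
        if (len < 4 || len > left_rep) { *st = WALK_MALFORMED; break; }
        if (len > left_cap) { *st = WALK_TRUNCATED; break; }
        n++;                                 /* this record is complete */
        if (neo == 0) break;
        off += len;
    }
    return n;
}

int main(void)
{
    enum walk_status st;
    int n = walk_entries(sample, 22, sizeof sample, &st);
    printf("complete records: %d, status: %d\n", n, (int)st);
    return 0;
}
```

With 22 of the 28 bytes captured, the first two records are still reported and the walk stops with a truncation status instead of discarding everything.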