2 * Routines for {fragment,segment} reassembly
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #include <epan/packet.h>
30 #include <epan/exceptions.h>
31 #include <epan/emem.h>
32 #include <epan/reassemble.h>
33 #include <epan/tvbuff-int.h>
36 * Functions for reassembly tables where the endpoint addresses, and a
37 * fragment ID, are used as the key.
39 typedef struct _fragment_addresses_key {
43 } fragment_addresses_key;
46 fragment_addresses_hash(gconstpointer k)
48 const fragment_addresses_key* key = (const fragment_addresses_key*) k;
56 /* More than likely: in most captures src and dst addresses are the
57 same, and would hash the same.
58 We only use id as the hash as an optimization.
60 for (i = 0; i < key->src.len; i++)
61 hash_val += key->src.data[i];
62 for (i = 0; i < key->dst.len; i++)
63 hash_val += key->dst.data[i];
72 fragment_addresses_equal(gconstpointer k1, gconstpointer k2)
74 const fragment_addresses_key* key1 = (const fragment_addresses_key*) k1;
75 const fragment_addresses_key* key2 = (const fragment_addresses_key*) k2;
78 * key.id is the first item to compare since it's the item most
79 * likely to differ between sessions, thus short-circuiting
80 * the comparison of addresses.
82 return (key1->id == key2->id) &&
83 (ADDRESSES_EQUAL(&key1->src, &key2->src)) &&
84 (ADDRESSES_EQUAL(&key1->dst, &key2->dst));
88 * Create a fragment key for temporary use; it can point to non-
89 * persistent data, and so must only be used to look up and
90 * delete entries, not to add them.
93 fragment_addresses_temporary_key(const packet_info *pinfo, const guint32 id,
96 fragment_addresses_key *key = g_slice_new(fragment_addresses_key);
99 * Do a shallow copy of the addresses.
101 key->src = pinfo->src;
102 key->dst = pinfo->dst;
105 return (gpointer)key;
109 * Create a fragment key for permanent use; it must point to persistent
110 * data, so that it can be used to add entries.
113 fragment_addresses_persistent_key(const packet_info *pinfo, const guint32 id,
114 const void *data _U_)
116 fragment_addresses_key *key = g_slice_new(fragment_addresses_key);
119 * Do a deep copy of the addresses.
121 COPY_ADDRESS(&key->src, &pinfo->src);
122 COPY_ADDRESS(&key->dst, &pinfo->dst);
125 return (gpointer)key;
129 fragment_addresses_free_temporary_key(gpointer ptr)
131 fragment_addresses_key *key = (fragment_addresses_key *)ptr;
134 g_slice_free(fragment_addresses_key, key);
138 fragment_addresses_free_persistent_key(gpointer ptr)
140 fragment_addresses_key *key = (fragment_addresses_key *)ptr;
144 * Free up the copies of the addresses from the old key.
146 g_free((gpointer)key->src.data);
147 g_free((gpointer)key->dst.data);
149 g_slice_free(fragment_addresses_key, key);
153 const reassembly_table_functions
154 addresses_reassembly_table_functions = {
155 fragment_addresses_hash,
156 fragment_addresses_equal,
157 fragment_addresses_temporary_key,
158 fragment_addresses_persistent_key,
159 fragment_addresses_free_temporary_key,
160 fragment_addresses_free_persistent_key
164 * Functions for reassembly tables where the endpoint addresses and ports,
165 * and a fragment ID, are used as the key.
167 typedef struct _fragment_addresses_ports_key {
173 } fragment_addresses_ports_key;
176 fragment_addresses_ports_hash(gconstpointer k)
178 const fragment_addresses_ports_key* key = (const fragment_addresses_ports_key*) k;
186 /* More than likely: in most captures src and dst addresses and ports
187 are the same, and would hash the same.
188 We only use id as the hash as an optimization.
190 for (i = 0; i < key->src.len; i++)
191 hash_val += key->src_addr.data[i];
192 for (i = 0; i < key->dst.len; i++)
193 hash_val += key->dst_addr.data[i];
194 hash_val += key->src_port;
195 hash_val += key->dst_port;
204 fragment_addresses_ports_equal(gconstpointer k1, gconstpointer k2)
206 const fragment_addresses_ports_key* key1 = (const fragment_addresses_ports_key*) k1;
207 const fragment_addresses_ports_key* key2 = (const fragment_addresses_ports_key*) k2;
210 * key.id is the first item to compare since it's the item most
211 * likely to differ between sessions, thus short-circuiting
212 * the comparison of addresses and ports.
214 return (key1->id == key2->id) &&
215 (ADDRESSES_EQUAL(&key1->src_addr, &key2->src_addr)) &&
216 (ADDRESSES_EQUAL(&key1->dst_addr, &key2->dst_addr)) &&
217 (key1->src_port == key2->src_port) &&
218 (key1->dst_port == key2->dst_port);
222 * Create a fragment key for temporary use; it can point to non-
223 * persistent data, and so must only be used to look up and
224 * delete entries, not to add them.
227 fragment_addresses_ports_temporary_key(const packet_info *pinfo, const guint32 id,
228 const void *data _U_)
230 fragment_addresses_ports_key *key = g_slice_new(fragment_addresses_ports_key);
233 * Do a shallow copy of the addresses.
235 key->src_addr = pinfo->src;
236 key->dst_addr = pinfo->dst;
237 key->src_port = pinfo->srcport;
238 key->dst_port = pinfo->destport;
241 return (gpointer)key;
245 * Create a fragment key for permanent use; it must point to persistent
246 * data, so that it can be used to add entries.
249 fragment_addresses_ports_persistent_key(const packet_info *pinfo,
250 const guint32 id, const void *data _U_)
252 fragment_addresses_ports_key *key = g_slice_new(fragment_addresses_ports_key);
255 * Do a deep copy of the addresses.
257 COPY_ADDRESS(&key->src_addr, &pinfo->src);
258 COPY_ADDRESS(&key->dst_addr, &pinfo->dst);
259 key->src_port = pinfo->srcport;
260 key->dst_port = pinfo->destport;
263 return (gpointer)key;
267 fragment_addresses_ports_free_temporary_key(gpointer ptr)
269 fragment_addresses_ports_key *key = (fragment_addresses_ports_key *)ptr;
272 g_slice_free(fragment_addresses_ports_key, key);
276 fragment_addresses_ports_free_persistent_key(gpointer ptr)
278 fragment_addresses_ports_key *key = (fragment_addresses_ports_key *)ptr;
282 * Free up the copies of the addresses from the old key.
284 g_free((gpointer)key->src_addr.data);
285 g_free((gpointer)key->dst_addr.data);
287 g_slice_free(fragment_addresses_ports_key, key);
291 const reassembly_table_functions
292 addresses_ports_reassembly_table_functions = {
293 fragment_addresses_ports_hash,
294 fragment_addresses_ports_equal,
295 fragment_addresses_ports_temporary_key,
296 fragment_addresses_ports_persistent_key,
297 fragment_addresses_ports_free_temporary_key,
298 fragment_addresses_ports_free_persistent_key
301 typedef struct _reassembled_key {
307 reassembled_equal(gconstpointer k1, gconstpointer k2)
309 const reassembled_key* key1 = (const reassembled_key*) k1;
310 const reassembled_key* key2 = (const reassembled_key*) k2;
313 * We assume that the frame numbers are unlikely to be equal,
314 * so we check them first.
316 return key1->frame == key2->frame && key1->id == key2->id;
320 reassembled_hash(gconstpointer k)
322 const reassembled_key* key = (const reassembled_key*) k;
328 * For a fragment hash table entry, free the associated fragments.
329 * The entry value (fd_chain) is freed herein and the entry is freed
330 * when the key freeing routine is called (as a consequence of returning
331 * TRUE from this function).
334 free_all_fragments(gpointer key_arg _U_, gpointer value, gpointer user_data _U_)
336 fragment_head *fd_head;
337 fragment_item *tmp_fd;
339 /* g_hash_table_new_full() was used to supply a function
340 * to free the key and anything to which it points
342 for (fd_head = (fragment_head *)value; fd_head != NULL; fd_head = tmp_fd) {
343 tmp_fd=fd_head->next;
345 if(fd_head->tvb_data && !(fd_head->flags&FD_SUBSET_TVB))
346 tvb_free(fd_head->tvb_data);
347 g_slice_free(fragment_item, fd_head);
353 /* ------------------------- */
354 static fragment_head *new_head(const guint32 flags)
356 fragment_head *fd_head;
357 /* If head/first structure in list only holds no other data than
358 * 'datalen' then we don't have to change the head of the list
359 * even if we want to keep it sorted
361 fd_head=g_slice_new0(fragment_head);
363 fd_head->flags=flags;
367 #define FD_VISITED_FREE 0xffff
370 * For a reassembled-packet hash table entry, free the fragment data
371 * to which the value refers and also the key itself.
374 free_all_reassembled_fragments(gpointer key_arg, gpointer value,
377 GPtrArray *allocated_fragments = (GPtrArray *) user_data;
378 fragment_head *fd_head;
380 for (fd_head = (fragment_head *)value; fd_head != NULL; fd_head = fd_head->next) {
382 * A reassembled packet is inserted into the
383 * hash table once for every frame that made
384 * up the reassembled packet; add first seen
385 * fragments to array and later free them in
388 if (fd_head->flags != FD_VISITED_FREE) {
389 if (fd_head->flags & FD_SUBSET_TVB)
390 fd_head->tvb_data = NULL;
391 g_ptr_array_add(allocated_fragments, fd_head);
392 fd_head->flags = FD_VISITED_FREE;
396 g_slice_free(reassembled_key, (reassembled_key *)key_arg);
402 free_fragments(gpointer data, gpointer user_data _U_)
404 fragment_item *fd_head = (fragment_item *) data;
406 if (fd_head->tvb_data)
407 tvb_free(fd_head->tvb_data);
408 g_slice_free(fragment_item, fd_head);
412 * Initialize a reassembly table, with specified functions.
415 reassembly_table_init(reassembly_table *table,
416 const reassembly_table_functions *funcs)
418 if (table->temporary_key_func == NULL)
419 table->temporary_key_func = funcs->temporary_key_func;
420 if (table->persistent_key_func == NULL)
421 table->persistent_key_func = funcs->persistent_key_func;
422 if (table->free_temporary_key_func == NULL)
423 table->free_temporary_key_func = funcs->free_temporary_key_func;
424 if (table->fragment_table != NULL) {
426 * The fragment hash table exists.
428 * Remove all entries and free fragment data for each entry.
430 * The keys, and anything to which they point, are freed by
431 * calling the table's key freeing function. The values
432 * are freed in free_all_fragments().
434 g_hash_table_foreach_remove(table->fragment_table,
435 free_all_fragments, NULL);
437 /* The fragment table does not exist. Create it */
438 table->fragment_table = g_hash_table_new_full(funcs->hash_func,
439 funcs->equal_func, funcs->free_persistent_key_func, NULL);
442 if (table->reassembled_table != NULL) {
443 GPtrArray *allocated_fragments;
446 * The reassembled-packet hash table exists.
448 * Remove all entries and free reassembled packet
449 * data and key for each entry.
452 allocated_fragments = g_ptr_array_new();
453 g_hash_table_foreach_remove(table->reassembled_table,
454 free_all_reassembled_fragments, allocated_fragments);
456 g_ptr_array_foreach(allocated_fragments, free_fragments, NULL);
457 g_ptr_array_free(allocated_fragments, TRUE);
459 /* The fragment table does not exist. Create it */
460 table->reassembled_table = g_hash_table_new(reassembled_hash,
466 * Destroy a reassembly table.
469 reassembly_table_destroy(reassembly_table *table)
472 * Clear the function pointers.
474 table->temporary_key_func = NULL;
475 table->persistent_key_func = NULL;
476 table->free_temporary_key_func = NULL;
477 if (table->fragment_table != NULL) {
479 * The fragment hash table exists.
481 * Remove all entries and free fragment data for each entry.
483 * The keys, and anything to which they point, are freed by
484 * calling the table's key freeing function. The values
485 * are freed in free_all_fragments().
487 g_hash_table_foreach_remove(table->fragment_table,
488 free_all_fragments, NULL);
491 * Now destroy the hash table.
493 g_hash_table_destroy(table->fragment_table);
494 table->fragment_table = NULL;
496 if (table->reassembled_table != NULL) {
497 GPtrArray *allocated_fragments;
500 * The reassembled-packet hash table exists.
502 * Remove all entries and free reassembled packet
503 * data and key for each entry.
506 allocated_fragments = g_ptr_array_new();
507 g_hash_table_foreach_remove(table->reassembled_table,
508 free_all_reassembled_fragments, allocated_fragments);
510 g_ptr_array_foreach(allocated_fragments, free_fragments, NULL);
511 g_ptr_array_free(allocated_fragments, TRUE);
514 * Now destroy the hash table.
516 g_hash_table_destroy(table->reassembled_table);
517 table->reassembled_table = NULL;
522 * Look up an fd_head in the fragment table, optionally returning the key
525 static fragment_head *
526 lookup_fd_head(reassembly_table *table, const packet_info *pinfo,
527 const guint32 id, const void *data, gpointer *orig_keyp)
532 /* Create key to search hash with */
533 key = table->temporary_key_func(pinfo, id, data);
536 * Look up the reassembly in the fragment table.
538 if (!g_hash_table_lookup_extended(table->fragment_table, key, orig_keyp,
542 table->free_temporary_key_func(key);
544 return (fragment_head *)value;
548 * Insert an fd_head into the fragment table, and return the key used.
551 insert_fd_head(reassembly_table *table, fragment_head *fd_head,
552 const packet_info *pinfo, const guint32 id, const void *data)
557 * We're going to use the key to insert the fragment,
558 * so make a persistent version of it.
560 key = table->persistent_key_func(pinfo, id, data);
561 g_hash_table_insert(table->fragment_table, key, fd_head);
565 /* This function cleans up the stored state and removes the reassembly data and
566 * (with one exception) all allocated memory for matching reassembly.
569 * If the PDU was already completely reassembled, then the tvbuff containing the
570 * reassembled data WILL NOT be free()d, and the pointer to that tvbuff will be
572 * Othervise the function will return NULL.
574 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible
575 * to tvb_free() that tvbuff.
578 fragment_delete(reassembly_table *table, const packet_info *pinfo,
579 const guint32 id, const void *data)
581 fragment_head *fd_head;
583 tvbuff_t *fd_tvb_data=NULL;
586 fd_head = lookup_fd_head(table, pinfo, id, data, &key);
588 /* We do not recognize this as a PDU we have seen before. return */
592 fd_tvb_data=fd_head->tvb_data;
593 /* loop over all partial fragments and free any tvbuffs */
594 for(fd=fd_head->next;fd;){
595 fragment_item *tmp_fd;
598 if (fd->tvb_data && !(fd->flags & FD_SUBSET_TVB))
599 tvb_free(fd->tvb_data);
600 g_slice_free(fragment_item, fd);
603 g_slice_free(fragment_head, fd_head);
604 g_hash_table_remove(table->fragment_table, key);
609 /* This function is used to check if there is partial or completed reassembly state
610 * matching this packet. I.e. Is there reassembly going on or not for this packet?
613 fragment_get(reassembly_table *table, const packet_info *pinfo,
614 const guint32 id, const void *data)
616 return lookup_fd_head(table, pinfo, id, data, NULL);
619 /* id *must* be the frame number for this to work! */
621 fragment_get_reassembled(reassembly_table *table, const guint32 id)
623 fragment_head *fd_head;
626 /* create key to search hash with */
629 fd_head = (fragment_head *)g_hash_table_lookup(table->reassembled_table, &key);
635 fragment_get_reassembled_id(reassembly_table *table, const packet_info *pinfo,
638 fragment_head *fd_head;
641 /* create key to search hash with */
642 key.frame = pinfo->fd->num;
644 fd_head = (fragment_head *)g_hash_table_lookup(table->reassembled_table, &key);
649 /* To specify the offset for the fragment numbering, the first fragment is added with 0, and
650 * afterwards this offset is set. All additional calls to off_seq_check will calculate
651 * the number in sequence in regards to the offset */
653 fragment_add_seq_offset(reassembly_table *table, const packet_info *pinfo, const guint32 id,
654 const void *data, const guint32 fragment_offset)
656 fragment_head *fd_head;
658 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
662 /* Reseting the offset is not allowed */
663 if ( fd_head->fragment_nr_offset != 0 )
666 fd_head->fragment_nr_offset = fragment_offset;
669 /* This function can be used to explicitly set the total length (if known)
670 * for reassembly of a PDU.
671 * This is useful for reassembly of PDUs where one may have the total length specified
672 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
673 * is the last fragment.
675 * Such protocols might fragment_add with a more_frags==TRUE for every fragment
676 * and just tell the reassembly engine the expected total length of the reassembled data
677 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
679 * Note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
680 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
681 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
684 fragment_set_tot_len(reassembly_table *table, const packet_info *pinfo,
685 const guint32 id, const void *data, const guint32 tot_len)
687 fragment_head *fd_head;
689 guint32 max_offset = 0;
691 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
695 /* If we're setting a block sequence number, verify that it
696 * doesn't conflict with values set by existing fragments.
697 * XXX - eliminate this check?
700 if (fd_head->flags & FD_BLOCKSEQUENCE) {
702 if (fd->offset > max_offset) {
703 max_offset = fd->offset;
704 if (max_offset > tot_len) {
705 fd_head->error = "Bad total reassembly block count";
706 THROW_MESSAGE(ReassemblyError, fd_head->error);
713 if (fd_head->flags & FD_DEFRAGMENTED) {
714 if (max_offset != tot_len) {
715 fd_head->error = "Defragmented complete but total length not satisfied";
716 THROW_MESSAGE(ReassemblyError, fd_head->error);
720 /* We got this far so the value is sane. */
721 fd_head->datalen = tot_len;
722 fd_head->flags |= FD_DATALEN_SET;
726 fragment_get_tot_len(reassembly_table *table, const packet_info *pinfo,
727 const guint32 id, const void *data)
729 fragment_head *fd_head;
731 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
734 return fd_head->datalen;
741 /* This function will set the partial reassembly flag for a fh.
742 When this function is called, the fh MUST already exist, i.e.
743 the fh MUST be created by the initial call to fragment_add() before
744 this function is called.
745 Also note that this function MUST be called to indicate a fh will be
746 extended (increase the already stored data)
750 fragment_set_partial_reassembly(reassembly_table *table,
751 const packet_info *pinfo, const guint32 id,
754 fragment_head *fd_head;
756 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
759 * XXX - why not do all the stuff done early in "fragment_add_work()",
760 * turning off FD_DEFRAGMENTED and pointing the fragments' data
761 * pointers to the appropriate part of the already-reassembled
762 * data, and clearing the data length and "reassembled in" frame
763 * number, here? We currently have a hack in the TCP dissector
764 * not to set the "reassembled in" value if the "partial reassembly"
765 * flag is set, so that in the first pass through the packets
766 * we don't falsely set a packet as reassembled in that packet
767 * if the dissector decided that even more reassembly was needed.
770 fd_head->flags |= FD_PARTIAL_REASSEMBLY;
775 * This function gets rid of an entry from a fragment table, given
776 * a pointer to the key for that entry.
778 * The key freeing routine will be called by g_hash_table_remove().
781 fragment_unhash(reassembly_table *table, gpointer key)
784 * Remove the entry from the fragment table.
786 g_hash_table_remove(table->fragment_table, key);
790 * This function adds fragment_head structure to a reassembled-packet
791 * hash table, using the frame numbers of each of the frames from
792 * which it was reassembled as keys, and sets the "reassembled_in"
796 fragment_reassembled(reassembly_table *table, fragment_head *fd_head,
797 const packet_info *pinfo, const guint32 id)
799 reassembled_key *new_key;
802 if (fd_head->next == NULL) {
804 * This was not fragmented, so there's no fragment
805 * table; just hash it using the current frame number.
807 new_key = g_slice_new(reassembled_key);
808 new_key->frame = pinfo->fd->num;
810 g_hash_table_insert(table->reassembled_table, new_key, fd_head);
813 * Hash it with the frame numbers for all the frames.
815 for (fd = fd_head->next; fd != NULL; fd = fd->next){
816 new_key = g_slice_new(reassembled_key);
817 new_key->frame = fd->frame;
819 g_hash_table_insert(table->reassembled_table, new_key,
823 fd_head->flags |= FD_DEFRAGMENTED;
824 fd_head->reassembled_in = pinfo->fd->num;
828 LINK_FRAG(fragment_head *fd_head,fragment_item *fd)
832 /* add fragment to list, keep list sorted */
833 for(fd_i= fd_head; fd_i->next;fd_i=fd_i->next) {
834 if (fd->offset < fd_i->next->offset )
842 * This function adds a new fragment to the fragment hash table.
843 * If this is the first fragment seen for this datagram, a new entry
844 * is created in the hash table, otherwise this fragment is just added
845 * to the linked list of fragments for this packet.
846 * The list of fragments for a specific datagram is kept sorted for
849 * Returns a pointer to the head of the fragment data list if we have all the
850 * fragments, NULL otherwise.
852 * This function assumes frag_offset being a byte offset into the defragment
856 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
857 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
858 * using fragment_set_partial_reassembly() before calling fragment_add
859 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
860 * are lowered when a new extension process is started.
863 fragment_add_work(fragment_head *fd_head, tvbuff_t *tvb, const int offset,
864 const packet_info *pinfo, const guint32 frag_offset,
865 const guint32 frag_data_len, const gboolean more_frags)
869 guint32 max, dfpos, fraglen;
870 tvbuff_t *old_tvb_data;
873 /* create new fd describing this fragment */
874 fd = g_slice_new(fragment_item);
877 fd->frame = pinfo->fd->num;
878 fd->offset = frag_offset;
879 fd->fragment_nr_offset = 0; /* will only be used with sequence */
880 fd->len = frag_data_len;
885 * Are we adding to an already-completed reassembly?
887 if (fd_head->flags & FD_DEFRAGMENTED) {
889 * Yes. Does this fragment go past the end of the results
890 * of that reassembly?
891 * XXX - shouldn't this be ">"? If frag_offset + frag_data_len
892 * == fd_head->datalen, this overlaps the end of the
893 * reassembly, but doesn't go past it, right?
895 if (frag_offset + frag_data_len >= fd_head->datalen) {
897 * Yes. Have we been requested to continue reassembly?
899 if (fd_head->flags & FD_PARTIAL_REASSEMBLY) {
901 * Yes. Set flag in already empty fds &
902 * point old fds to malloc'ed data.
904 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
905 if( !fd_i->tvb_data ) {
906 fd_i->tvb_data = tvb_new_subset_remaining(fd_head->tvb_data, fd_i->offset);
907 fd_i->flags |= FD_SUBSET_TVB;
909 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
911 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
912 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
914 fd_head->reassembled_in=0;
917 * No. Bail out since we have no idea what to
918 * do with this fragment (and if we keep going
919 * we'll run past the end of a buffer sooner
922 g_slice_free(fragment_item, fd);
925 * This is an attempt to add a fragment to a
926 * reassembly that had already completed.
927 * If it had no error, we don't want to
928 * mark it with an error, and if it had an
929 * error, we don't want to overwrite it, so
930 * we don't set fd_head->error.
932 if (frag_offset >= fd_head->datalen) {
934 * The fragment starts past the end
935 * of the reassembled data.
937 THROW_MESSAGE(ReassemblyError, "New fragment past old data limits");
940 * The fragment starts before the end
941 * of the reassembled data, but
942 * runs past the end. That could
943 * just be a retransmission.
945 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)");
950 * No. That means it still overlaps that, so report
951 * this as a problem, possibly a retransmission.
953 g_slice_free(fragment_item, fd);
954 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)");
958 /* Do this after we may have bailed out (above) so that we don't leave
959 * fd_head->frame in a bad state if we do */
960 if (fd->frame > fd_head->frame)
961 fd_head->frame = fd->frame;
965 * This is the tail fragment in the sequence.
967 if (fd_head->flags & FD_DATALEN_SET) {
968 /* ok we have already seen other tails for this packet
969 * it might be a duplicate.
971 if (fd_head->datalen != (fd->offset + fd->len) ){
972 /* Oops, this tail indicates a different packet
973 * len than the previous ones. Something's wrong.
975 fd->flags |= FD_MULTIPLETAILS;
976 fd_head->flags |= FD_MULTIPLETAILS;
979 /* This was the first tail fragment; now we know
980 * what the length of the packet should be.
982 fd_head->datalen = fd->offset + fd->len;
983 fd_head->flags |= FD_DATALEN_SET;
989 /* If the packet is already defragmented, this MUST be an overlap.
990 * The entire defragmented packet is in fd_head->data.
991 * Even if we have previously defragmented this packet, we still
992 * check it. Someone might play overlap and TTL games.
994 if (fd_head->flags & FD_DEFRAGMENTED) {
995 guint32 end_offset = fd->offset + fd->len;
996 fd->flags |= FD_OVERLAP;
997 fd_head->flags |= FD_OVERLAP;
998 /* make sure it's not too long */
999 if (end_offset > fd_head->datalen || end_offset < fd->offset || end_offset < fd->len) {
1000 fd->flags |= FD_TOOLONGFRAGMENT;
1001 fd_head->flags |= FD_TOOLONGFRAGMENT;
1003 /* make sure it doesn't conflict with previous data */
1004 else if ( tvb_memeql(fd_head->tvb_data, fd->offset,
1005 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1006 fd->flags |= FD_OVERLAPCONFLICT;
1007 fd_head->flags |= FD_OVERLAPCONFLICT;
1009 /* it was just an overlap, link it and return */
1010 LINK_FRAG(fd_head,fd);
1016 /* If we have reached this point, the packet is not defragmented yet.
1017 * Save all payload in a buffer until we can defragment.
1018 * XXX - what if we didn't capture the entire fragment due
1019 * to a too-short snapshot length?
1021 fd->tvb_data = tvb_clone_offset_len(tvb, offset, fd->len);
1022 LINK_FRAG(fd_head,fd);
1025 if( !(fd_head->flags & FD_DATALEN_SET) ){
1026 /* if we dont know the datalen, there are still missing
1027 * packets. Cheaper than the check below.
1034 * Check if we have received the entire fragment.
1035 * This is easy since the list is sorted and the head is faked.
1037 * First, we compute the amount of contiguous data that's
1038 * available. (The check for fd_i->offset <= max rules out
1039 * fragments that don't start before or at the end of the
1040 * previous fragment, i.e. fragments that have a gap between
1041 * them and the previous fragment.)
1044 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1045 if ( ((fd_i->offset)<=max) &&
1046 ((fd_i->offset+fd_i->len)>max) ){
1047 max = fd_i->offset+fd_i->len;
1051 if (max < (fd_head->datalen)) {
1053 * The amount of contiguous data we have is less than the
1054 * amount of data we're trying to reassemble, so we haven't
1055 * received all packets yet.
1060 /* we have received an entire packet, defragment it and
1061 * free all fragments
1063 /* store old data just in case */
1064 old_tvb_data=fd_head->tvb_data;
1065 data = (guint8 *) g_malloc(fd_head->datalen);
1066 fd_head->tvb_data = tvb_new_real_data(data, fd_head->datalen, fd_head->datalen);
1067 tvb_set_free_cb(fd_head->tvb_data, g_free);
1069 /* add all data fragments */
1070 for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) {
1073 * The loop above that calculates max also
1074 * ensures that the only gaps that exist here
1075 * are ones where a fragment starts past the
1076 * end of the reassembled datagram, and there's
1077 * a gap between the previous fragment and
1080 * A "DESEGMENT_UNTIL_FIN" was involved wherein the
1081 * FIN packet had an offset less than the highest
1082 * fragment offset seen. [Seen from a fuzz-test:
1085 * Note that the "overlap" compare must only be
1086 * done for fragments with (offset+len) <= fd_head->datalen
1087 * and thus within the newly g_malloc'd buffer.
1089 if (fd_i->offset + fd_i->len > dfpos) {
1090 if (fd_i->offset >= fd_head->datalen) {
1092 * Fragment starts after the end
1093 * of the reassembled packet.
1095 * This can happen if the length was
1096 * set after the offending fragment
1097 * was added to the reassembly.
1099 * Flag this fragment, but don't
1100 * try to extract any data from
1101 * it, as there's no place to put
1104 * XXX - add different flag value
1107 fd_i->flags |= FD_TOOLONGFRAGMENT;
1108 fd_head->flags |= FD_TOOLONGFRAGMENT;
1109 } else if (dfpos < fd_i->offset) {
1111 * XXX - can this happen? We've
1112 * already rejected fragments that
1113 * start past the end of the
1114 * reassembled datagram, and
1115 * the loop that calculated max
1116 * should have ruled out gaps,
1117 * but could fd_i->offset +
1118 * fd_i->len overflow?
1120 fd_head->error = "dfpos < offset";
1121 } else if (dfpos - fd_i->offset > fd_i->len)
1122 fd_head->error = "dfpos - offset > len";
1123 else if (!fd_head->tvb_data)
1124 fd_head->error = "no data";
1126 fraglen = fd_i->len;
1127 if (fd_i->offset + fraglen > fd_head->datalen) {
1129 * Fragment goes past the end
1130 * of the packet, as indicated
1131 * by the last fragment.
1133 * This can happen if the
1134 * length was set after the
1135 * offending fragment was
1136 * added to the reassembly.
1138 * Mark it as such, and only
1139 * copy from it what fits in
1142 fd_i->flags |= FD_TOOLONGFRAGMENT;
1143 fd_head->flags |= FD_TOOLONGFRAGMENT;
1144 fraglen = fd_head->datalen - fd_i->offset;
1146 if (fd_i->offset < dfpos) {
1147 guint32 cmp_len = MIN(fd_i->len,(dfpos-fd_i->offset));
1149 fd_i->flags |= FD_OVERLAP;
1150 fd_head->flags |= FD_OVERLAP;
1151 if ( memcmp(data + fd_i->offset,
1152 tvb_get_ptr(fd_i->tvb_data, 0, cmp_len),
1155 fd_i->flags |= FD_OVERLAPCONFLICT;
1156 fd_head->flags |= FD_OVERLAPCONFLICT;
1159 if (fraglen < dfpos - fd_i->offset) {
1161 * XXX - can this happen?
1163 fd_head->error = "fraglen < dfpos - offset";
1166 tvb_get_ptr(fd_i->tvb_data, (dfpos-fd_i->offset), fraglen-(dfpos-fd_i->offset)),
1167 fraglen-(dfpos-fd_i->offset));
1168 dfpos=MAX(dfpos, (fd_i->offset + fraglen));
1172 if (fd_i->offset + fd_i->len < fd_i->offset) {
1173 /* Integer overflow? */
1174 fd_head->error = "offset + len < offset";
1178 if (fd_i->flags & FD_SUBSET_TVB)
1179 fd_i->flags &= ~FD_SUBSET_TVB;
1180 else if (fd_i->tvb_data)
1181 tvb_free(fd_i->tvb_data);
1183 fd_i->tvb_data=NULL;
1188 tvb_add_to_chain(tvb, old_tvb_data);
1189 /* mark this packet as defragmented.
1190 allows us to skip any trailing fragments */
1191 fd_head->flags |= FD_DEFRAGMENTED;
1192 fd_head->reassembled_in=pinfo->fd->num;
1194 /* we don't throw until here to avoid leaking old_data and others */
1195 if (fd_head->error) {
1196 THROW_MESSAGE(ReassemblyError, fd_head->error);
1202 static fragment_head *
1203 fragment_add_common(reassembly_table *table, tvbuff_t *tvb, const int offset,
1204 const packet_info *pinfo, const guint32 id,
1205 const void *data, const guint32 frag_offset,
1206 const guint32 frag_data_len, const gboolean more_frags,
1207 const gboolean check_already_added)
1209 fragment_head *fd_head;
1210 fragment_item *fd_item;
1211 gboolean already_added;
1214 /* dissector shouldn't give us garbage tvb info */
1215 DISSECTOR_ASSERT(tvb_bytes_exist(tvb, offset, frag_data_len));
1217 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
1220 /* debug output of associated fragments. */
1221 /* leave it here for future debugging sessions */
1222 if(strcmp(pinfo->current_proto, "DCERPC") == 0) {
1223 printf("proto:%s num:%u id:%u offset:%u len:%u more:%u visited:%u\n",
1224 pinfo->current_proto, pinfo->fd->num, id, frag_offset, frag_data_len, more_frags, pinfo->fd->flags.visited);
1225 if(fd_head != NULL) {
1226 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
1227 printf("fd_frame:%u fd_offset:%u len:%u datalen:%u\n",
1228 fd_item->frame, fd_item->offset, fd_item->len, fd_item->datalen);
1235 * Is this the first pass through the capture?
1237 if (!pinfo->fd->flags.visited) {
1239 * Yes, so we could be doing reassembly. If
1240 * "check_already_added" is true, and fd_head is non-null,
1241 * meaning that this fragment would be added to an
1242 * in-progress reassembly, check if we have seen this
1243 * fragment before, i.e., if we have already added it to
1244 * that reassembly. That can be true even on the first pass
1245 * since we sometimes might call a subdissector multiple
1248 * We check both the frame number and the fragment offset,
1249 * so that we support multiple fragments from the same
1250 * frame being added to the same reassembled PDU.
1252 if (check_already_added && fd_head != NULL) {
1254 * fd_head->frame is the maximum of the frame
1255 * numbers of all the fragments added to this
1256 * reassembly; if this frame is later than that
1257 * frame, we know it hasn't been added yet.
1259 if (pinfo->fd->num <= fd_head->frame) {
1260 already_added = FALSE;
1262 * The first item in the reassembly list
1263 * is not a fragment, it's a data structure
1264 * for the reassembled packet, so we
1265 * start checking with the next item.
1267 for (fd_item = fd_head->next; fd_item;
1268 fd_item = fd_item->next) {
1269 if (pinfo->fd->num == fd_item->frame &&
1270 frag_offset == fd_item->offset) {
1271 already_added = TRUE;
1275 if (already_added) {
1277 * Have we already finished
1280 if (fd_head->flags & FD_DEFRAGMENTED) {
1283 * XXX - can this ever happen?
1285 THROW_MESSAGE(ReassemblyError,
1286 "Frame already added in first pass");
1298 * No, so we've already done all the reassembly and added
1299 * all the fragments. Do we have a reassembly and, if so,
1300 * have we finished reassembling?
1302 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1304 * Yes. This is probably being done after the
1305 * first pass, and we've already done the work
1306 * on the first pass.
1308 * If the reassembly got a fatal error, throw that
1312 THROW_MESSAGE(ReassemblyError, fd_head->error);
1315 * Is it later in the capture than all of the
1316 * fragments in the reassembly?
1318 if (pinfo->fd->num > fd_head->frame) {
1320 * Yes, so report this as a problem,
1321 * possibly a retransmission.
1323 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)");
1327 * Does this fragment go past the end of the
1328 * results of that reassembly?
1330 if (frag_offset + frag_data_len > fd_head->datalen) {
1334 if (frag_offset >= fd_head->datalen) {
1336 * The fragment starts past the
1337 * end of the reassembled data.
1339 THROW_MESSAGE(ReassemblyError, "New fragment past old data limits");
1342 * The fragment starts before the end
1343 * of the reassembled data, but
1344 * runs past the end. That could
1345 * just be a retransmission.
1347 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)");
1361 /* not found, this must be the first snooped fragment for this
1362 * packet. Create list-head.
1364 fd_head = new_head(0);
1367 * Insert it into the hash table.
1369 insert_fd_head(table, fd_head, pinfo, id, data);
1372 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1373 frag_data_len, more_frags)) {
1375 * Reassembly is complete.
1380 * Reassembly isn't complete.
1387 fragment_add(reassembly_table *table, tvbuff_t *tvb, const int offset,
1388 const packet_info *pinfo, const guint32 id, const void *data,
1389 const guint32 frag_offset, const guint32 frag_data_len,
1390 const gboolean more_frags)
1392 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1393 frag_offset, frag_data_len, more_frags, TRUE);
1397 * For use when you can have multiple fragments in the same frame added
1398 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
1401 fragment_add_multiple_ok(reassembly_table *table, tvbuff_t *tvb,
1402 const int offset, const packet_info *pinfo,
1403 const guint32 id, const void *data,
1404 const guint32 frag_offset,
1405 const guint32 frag_data_len, const gboolean more_frags)
1407 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1408 frag_offset, frag_data_len, more_frags, FALSE);
1412 fragment_add_check(reassembly_table *table, tvbuff_t *tvb, const int offset,
1413 const packet_info *pinfo, const guint32 id,
1414 const void *data, const guint32 frag_offset,
1415 const guint32 frag_data_len, const gboolean more_frags)
1417 reassembled_key reass_key;
1418 fragment_head *fd_head;
1422 * If this isn't the first pass, look for this frame in the table
1423 * of reassembled packets.
1425 if (pinfo->fd->flags.visited) {
1426 reass_key.frame = pinfo->fd->num;
1428 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
1431 /* Looks up a key in the GHashTable, returning the original key and the associated value
1432 * and a gboolean which is TRUE if the key was found. This is useful if you need to free
1433 * the memory allocated for the original key, for example before calling g_hash_table_remove()
1435 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
1436 if (fd_head == NULL) {
1437 /* not found, this must be the first snooped fragment for this
1438 * packet. Create list-head.
1440 fd_head = new_head(0);
1443 * Save the key, for unhashing it later.
1445 orig_key = insert_fd_head(table, fd_head, pinfo, id, data);
1449 * If this is a short frame, then we can't, and don't, do
1450 * reassembly on it. We just give up.
1452 if (tvb_reported_length(tvb) > tvb_length(tvb))
1455 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1456 frag_data_len, more_frags)) {
1458 * Reassembly is complete.
1459 * Remove this from the table of in-progress
1460 * reassemblies, add it to the table of
1461 * reassembled packets, and return it.
1465 * Remove this from the table of in-progress reassemblies,
1466 * and free up any memory used for it in that table.
1468 fragment_unhash(table, orig_key);
1471 * Add this item to the table of reassembled packets.
1473 fragment_reassembled(table, fd_head, pinfo, id);
1477 * Reassembly isn't complete.
1484 fragment_defragment_and_free (fragment_head *fd_head, const packet_info *pinfo)
1486 fragment_item *fd_i = NULL;
1487 fragment_item *last_fd = NULL;
1488 guint32 dfpos = 0, size = 0;
1489 tvbuff_t *old_tvb_data = NULL;
1492 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1493 if(!last_fd || last_fd->offset!=fd_i->offset){
1499 /* store old data in case the fd_i->data pointers refer to it */
1500 old_tvb_data=fd_head->tvb_data;
1501 data = (guint8 *) g_malloc(size);
1502 fd_head->tvb_data = tvb_new_real_data(data, size, size);
1503 tvb_set_free_cb(fd_head->tvb_data, g_free);
1504 fd_head->len = size; /* record size for caller */
1506 /* add all data fragments */
1508 for (fd_i=fd_head->next; fd_i; fd_i=fd_i->next) {
1510 if(!last_fd || last_fd->offset != fd_i->offset) {
1511 /* First fragment or in-sequence fragment */
1512 memcpy(data+dfpos, tvb_get_ptr(fd_i->tvb_data, 0, fd_i->len), fd_i->len);
1515 /* duplicate/retransmission/overlap */
1516 fd_i->flags |= FD_OVERLAP;
1517 fd_head->flags |= FD_OVERLAP;
1518 if(last_fd->len != fd_i->len
1519 || tvb_memeql(last_fd->tvb_data, 0, tvb_get_ptr(fd_i->tvb_data, 0, last_fd->len), last_fd->len) ) {
1520 fd_i->flags |= FD_OVERLAPCONFLICT;
1521 fd_head->flags |= FD_OVERLAPCONFLICT;
1528 /* we have defragmented the pdu, now free all fragments*/
1529 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1530 if (fd_i->flags & FD_SUBSET_TVB)
1531 fd_i->flags &= ~FD_SUBSET_TVB;
1532 else if (fd_i->tvb_data)
1533 tvb_free(fd_i->tvb_data);
1534 fd_i->tvb_data=NULL;
1537 tvb_free(old_tvb_data);
1539 /* mark this packet as defragmented.
1540 * allows us to skip any trailing fragments.
1542 fd_head->flags |= FD_DEFRAGMENTED;
1543 fd_head->reassembled_in=pinfo->fd->num;
1547 * This function adds a new fragment to the entry for a reassembly
1550 * The list of fragments for a specific datagram is kept sorted for
1553 * Returns TRUE if we have all the fragments, FALSE otherwise.
1555 * This function assumes frag_number being a block sequence number.
1556 * The bsn for the first block is 0.
1559 fragment_add_seq_work(fragment_head *fd_head, tvbuff_t *tvb, const int offset,
1560 const packet_info *pinfo, const guint32 frag_number,
1561 const guint32 frag_data_len, const gboolean more_frags)
1564 fragment_item *fd_i;
1565 fragment_item *last_fd;
1567 guint32 frag_number_work;
1569 /* Enables the use of fragment sequence numbers, which do not start with 0 */
1570 frag_number_work = frag_number;
1571 if ( fd_head->fragment_nr_offset != 0 )
1572 if ( frag_number_work >= fd_head->fragment_nr_offset )
1573 frag_number_work = frag_number - fd_head->fragment_nr_offset;
1575 /* if the partial reassembly flag has been set, and we are extending
1576 * the pdu, un-reassemble the pdu. This means pointing old fds to malloc'ed data.
1578 if(fd_head->flags & FD_DEFRAGMENTED && frag_number_work >= fd_head->datalen &&
1579 fd_head->flags & FD_PARTIAL_REASSEMBLY){
1580 guint32 lastdfpos = 0;
1582 for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){
1583 if( !fd_i->tvb_data ) {
1584 if( fd_i->flags & FD_OVERLAP ) {
1585 /* this is a duplicate of the previous
1587 fd_i->tvb_data = tvb_new_subset_remaining(fd_head->tvb_data, lastdfpos);
1589 fd_i->tvb_data = tvb_new_subset_remaining(fd_head->tvb_data, dfpos);
1593 fd_i->flags |= FD_SUBSET_TVB;
1595 fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1597 fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET);
1598 fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS);
1600 fd_head->reassembled_in=0;
1604 /* create new fd describing this fragment */
1605 fd = g_slice_new(fragment_item);
1608 fd->frame = pinfo->fd->num;
1609 fd->offset = frag_number_work;
1610 fd->len = frag_data_len;
1611 fd->tvb_data = NULL;
1616 * This is the tail fragment in the sequence.
1618 if (fd_head->flags&FD_DATALEN_SET) {
1619 /* ok we have already seen other tails for this packet
1620 * it might be a duplicate.
1622 if (fd_head->datalen != fd->offset ){
1623 /* Oops, this tail indicates a different packet
1624 * len than the previous ones. Something's wrong.
1626 fd->flags |= FD_MULTIPLETAILS;
1627 fd_head->flags |= FD_MULTIPLETAILS;
1630 /* this was the first tail fragment, now we know the
1631 * sequence number of that fragment (which is NOT
1632 * the length of the packet!)
1634 fd_head->datalen = fd->offset;
1635 fd_head->flags |= FD_DATALEN_SET;
1639 /* If the packet is already defragmented, this MUST be an overlap.
1640 * The entire defragmented packet is in fd_head->data
1641 * Even if we have previously defragmented this packet, we still check
1642 * check it. Someone might play overlap and TTL games.
1644 if (fd_head->flags & FD_DEFRAGMENTED) {
1645 fd->flags |= FD_OVERLAP;
1646 fd_head->flags |= FD_OVERLAP;
1648 /* make sure it's not past the end */
1649 if (fd->offset > fd_head->datalen) {
1650 /* new fragment comes after the end */
1651 fd->flags |= FD_TOOLONGFRAGMENT;
1652 fd_head->flags |= FD_TOOLONGFRAGMENT;
1653 LINK_FRAG(fd_head,fd);
1656 /* make sure it doesn't conflict with previous data */
1659 for (fd_i=fd_head->next;fd_i && (fd_i->offset!=fd->offset);fd_i=fd_i->next) {
1660 if (!last_fd || last_fd->offset!=fd_i->offset){
1666 /* new fragment overlaps existing fragment */
1667 if(fd_i->len!=fd->len){
1669 * They have different lengths; this
1670 * is definitely a conflict.
1672 fd->flags |= FD_OVERLAPCONFLICT;
1673 fd_head->flags |= FD_OVERLAPCONFLICT;
1674 LINK_FRAG(fd_head,fd);
1677 DISSECTOR_ASSERT(fd_head->len >= dfpos + fd->len);
1678 if (tvb_memeql(fd_head->tvb_data, dfpos,
1679 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1681 * They have the same length, but the
1682 * data isn't the same.
1684 fd->flags |= FD_OVERLAPCONFLICT;
1685 fd_head->flags |= FD_OVERLAPCONFLICT;
1686 LINK_FRAG(fd_head,fd);
1689 /* it was just an overlap, link it and return */
1690 LINK_FRAG(fd_head,fd);
1694 * New fragment doesn't overlap an existing
1695 * fragment - there was presumably a gap in
1696 * the sequence number space.
1698 * XXX - what should we do here? Is it always
1699 * the case that there are no gaps, or are there
1700 * protcols using sequence numbers where there
1703 * If the former, the check below for having
1704 * received all the fragments should check for
1705 * holes in the sequence number space and for the
1706 * first sequence number being 0. If we do that,
1707 * the only way we can get here is if this fragment
1708 * is past the end of the sequence number space -
1709 * but the check for "fd->offset > fd_head->datalen"
1710 * would have caught that above, so it can't happen.
1712 * If the latter, we don't have a good way of
1713 * knowing whether reassembly is complete if we
1714 * get packet out of order such that the "last"
1715 * fragment doesn't show up last - but, unless
1716 * in-order reliable delivery of fragments is
1717 * guaranteed, an implementation of the protocol
1718 * has no way of knowing whether reassembly is
1721 * For now, we just link the fragment in and
1724 LINK_FRAG(fd_head,fd);
1729 /* If we have reached this point, the packet is not defragmented yet.
1730 * Save all payload in a buffer until we can defragment.
1731 * XXX - what if we didn't capture the entire fragment due
1732 * to a too-short snapshot length?
1734 /* check len, there may be a fragment with 0 len, that is actually the tail */
1736 fd->tvb_data = tvb_clone_offset_len(tvb, offset, fd->len);
1738 LINK_FRAG(fd_head,fd);
1741 if( !(fd_head->flags & FD_DATALEN_SET) ){
1742 /* if we dont know the sequence number of the last fragment,
1743 * there are definitely still missing packets. Cheaper than
1750 /* check if we have received the entire fragment
1751 * this is easy since the list is sorted and the head is faked.
1752 * common case the whole list is scanned.
1755 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1756 if ( fd_i->offset==max ){
1760 /* max will now be datalen+1 if all fragments have been seen */
1762 if (max <= fd_head->datalen) {
1763 /* we have not received all packets yet */
1768 if (max > (fd_head->datalen+1)) {
1769 /* oops, too long fragment detected */
1770 fd->flags |= FD_TOOLONGFRAGMENT;
1771 fd_head->flags |= FD_TOOLONGFRAGMENT;
1775 /* we have received an entire packet, defragment it and
1776 * free all fragments
1778 fragment_defragment_and_free(fd_head, pinfo);
1784 * This function adds a new fragment to the fragment hash table.
1785 * If this is the first fragment seen for this datagram, a new entry
1786 * is created in the hash table, otherwise this fragment is just added
1787 * to the linked list of fragments for this packet.
1789 * Returns a pointer to the head of the fragment data list if we have all the
1790 * fragments, NULL otherwise.
1792 * This function assumes frag_number being a block sequence number.
1793 * The bsn for the first block is 0.
1795 static fragment_head *
1796 fragment_add_seq_common(reassembly_table *table, tvbuff_t *tvb,
1797 const int offset, const packet_info *pinfo,
1798 const guint32 id, const void *data,
1799 guint32 frag_number, const guint32 frag_data_len,
1800 const gboolean more_frags, const guint32 flags,
1801 gpointer *orig_keyp)
1803 fragment_head *fd_head;
1806 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
1808 /* have we already seen this frame ?*/
1809 if (pinfo->fd->flags.visited) {
1810 if (fd_head != NULL && fd_head->flags & FD_DEFRAGMENTED) {
1811 if (orig_keyp != NULL)
1812 *orig_keyp = orig_key;
1820 /* not found, this must be the first snooped fragment for this
1821 * packet. Create list-head.
1823 fd_head= new_head(FD_BLOCKSEQUENCE);
1825 if((flags & (REASSEMBLE_FLAGS_NO_FRAG_NUMBER|REASSEMBLE_FLAGS_802_11_HACK))
1828 * This is the last fragment for this packet, and
1829 * is the only one we've seen.
1831 * Either we don't have sequence numbers, in which
1832 * case we assume this is the first fragment for
1833 * this packet, or we're doing special 802.11
1834 * processing, in which case we assume it's one
1835 * of those reassembled packets with a non-zero
1836 * fragment number (see packet-80211.c); just
1837 * return a pointer to the head of the list;
1838 * fragment_add_seq_check will then add it to the table
1839 * of reassembled packets.
1841 if (orig_keyp != NULL)
1843 fd_head->reassembled_in=pinfo->fd->num;
1847 orig_key = insert_fd_head(table, fd_head, pinfo, id, data);
1848 if (orig_keyp != NULL)
1849 *orig_keyp = orig_key;
1852 * If we weren't given an initial fragment number,
1855 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER)
1858 if (orig_keyp != NULL)
1859 *orig_keyp = orig_key;
1861 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER) {
1864 * If we weren't given an initial fragment number,
1865 * use the next expected fragment number as the fragment
1866 * number for this fragment.
1868 for (fd = fd_head; fd != NULL; fd = fd->next) {
1869 if (fd->next == NULL)
1870 frag_number = fd->offset + 1;
1876 * XXX I've copied this over from the old separate
1877 * fragment_add_seq_check_work, but I'm not convinced it's doing the
1878 * right thing -- rav
1880 * If we don't have all the data that is in this fragment,
1881 * then we can't, and don't, do reassembly on it.
1883 * If it's the first frame, handle it as an unfragmented packet.
1884 * Otherwise, just handle it as a fragment.
1886 * If "more_frags" isn't set, we get rid of the entry in the
1887 * hash table for this reassembly, as we don't need it any more.
1889 if ((flags & REASSEMBLE_FLAGS_CHECK_DATA_PRESENT) &&
1890 !tvb_bytes_exist(tvb, offset, frag_data_len)) {
1891 fd_head -> flags |= FD_DATA_NOT_PRESENT;
1892 if (frag_number == 0) {
1898 * Remove this from the table of in-progress
1899 * reassemblies, and free up any memory used for
1902 fragment_unhash(table, *orig_keyp);
1903 free_all_fragments(NULL, fd_head, NULL);
1909 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
1910 frag_number, frag_data_len, more_frags)) {
1912 * Reassembly is complete.
1917 * Reassembly isn't complete.
1924 fragment_add_seq(reassembly_table *table, tvbuff_t *tvb, const int offset,
1925 const packet_info *pinfo, const guint32 id, const void *data,
1926 const guint32 frag_number, const guint32 frag_data_len,
1927 const gboolean more_frags, const guint32 flags)
1929 return fragment_add_seq_common(table, tvb, offset, pinfo, id, data,
1930 frag_number, frag_data_len,
1931 more_frags, flags, NULL);
1935 * This does the work for "fragment_add_seq_check()" and
1936 * "fragment_add_seq_next()".
1938 * This function assumes frag_number being a block sequence number.
1939 * The bsn for the first block is 0.
1941 * If "no_frag_number" is TRUE, it uses the next expected fragment number
1942 * as the fragment number if there is a reassembly in progress, otherwise
1945 * If "no_frag_number" is FALSE, it uses the "frag_number" argument as
1946 * the fragment number.
1948 * If this is the first fragment seen for this datagram, a new
1949 * "fragment_head" structure is allocated to refer to the reassembled
1952 * This fragment is added to the linked list of fragments for this packet.
1954 * If "more_frags" is false and REASSEMBLE_FLAGS_802_11_HACK (as the name
1955 * implies, a special hack for 802.11) or REASSEMBLE_FLAGS_NO_FRAG_NUMBER
1956 * (implying messages must be in order since there's no sequence number) are
1957 * set in "flags", then this (one element) list is returned.
1959 * If, after processing this fragment, we have all the fragments,
1960 * "fragment_add_seq_check_work()" removes that from the fragment hash
1961 * table if necessary and adds it to the table of reassembled fragments,
1962 * and returns a pointer to the head of the fragment list.
1964 * Otherwise, it returns NULL.
1966 * XXX - Should we simply return NULL for zero-length fragments?
1968 static fragment_head *
1969 fragment_add_seq_check_work(reassembly_table *table, tvbuff_t *tvb,
1970 const int offset, const packet_info *pinfo,
1971 const guint32 id, const void *data,
1972 const guint32 frag_number,
1973 const guint32 frag_data_len,
1974 const gboolean more_frags, const guint32 flags)
1976 reassembled_key reass_key;
1977 fragment_head *fd_head;
1981 * Have we already seen this frame?
1982 * If so, look for it in the table of reassembled packets.
1984 if (pinfo->fd->flags.visited) {
1985 reass_key.frame = pinfo->fd->num;
1987 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
1990 fd_head = fragment_add_seq_common(table, tvb, offset, pinfo, id, data,
1991 frag_number, frag_data_len,
1993 flags|REASSEMBLE_FLAGS_CHECK_DATA_PRESENT,
1996 if(fd_head->flags & FD_DATA_NOT_PRESENT) {
1997 /* this is the first fragment of a datagram with
1998 * truncated fragments. Don't move it to the
1999 * reassembled table. */
2004 * Reassembly is complete.
2006 * If this is in the table of in-progress reassemblies,
2007 * remove it from that table. (It could be that this
2008 * was the first and last fragment, so that no
2009 * reassembly was done.)
2011 if (orig_key != NULL)
2012 fragment_unhash(table, orig_key);
2015 * Add this item to the table of reassembled packets.
2017 fragment_reassembled(table, fd_head, pinfo, id);
2021 * Reassembly isn't complete.
2028 fragment_add_seq_check(reassembly_table *table, tvbuff_t *tvb, const int offset,
2029 const packet_info *pinfo, const guint32 id,
2031 const guint32 frag_number, const guint32 frag_data_len,
2032 const gboolean more_frags)
2034 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2035 frag_number, frag_data_len,
2040 fragment_add_seq_802_11(reassembly_table *table, tvbuff_t *tvb,
2041 const int offset, const packet_info *pinfo,
2042 const guint32 id, const void *data,
2043 const guint32 frag_number, const guint32 frag_data_len,
2044 const gboolean more_frags)
2046 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2047 frag_number, frag_data_len,
2049 REASSEMBLE_FLAGS_802_11_HACK);
2053 fragment_add_seq_next(reassembly_table *table, tvbuff_t *tvb, const int offset,
2054 const packet_info *pinfo, const guint32 id,
2055 const void *data, const guint32 frag_data_len,
2056 const gboolean more_frags)
2058 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2059 0, frag_data_len, more_frags,
2060 REASSEMBLE_FLAGS_NO_FRAG_NUMBER);
2064 fragment_start_seq_check(reassembly_table *table, const packet_info *pinfo,
2065 const guint32 id, const void *data,
2066 const guint32 tot_len)
2068 fragment_head *fd_head;
2070 /* Have we already seen this frame ?*/
2071 if (pinfo->fd->flags.visited) {
2075 /* Check if fragment data exists */
2076 fd_head = lookup_fd_head(table, pinfo, id, data, NULL);
2078 if (fd_head == NULL) {
2079 /* Create list-head. */
2080 fd_head = g_slice_new(fragment_head);
2081 fd_head->next = NULL;
2082 fd_head->datalen = tot_len;
2083 fd_head->offset = 0;
2084 fd_head->fragment_nr_offset = 0;
2086 fd_head->flags = FD_BLOCKSEQUENCE|FD_DATALEN_SET;
2087 fd_head->tvb_data = NULL;
2088 fd_head->reassembled_in = 0;
2089 fd_head->error = NULL;
2091 insert_fd_head(table, fd_head, pinfo, id, data);
2096 fragment_end_seq_next(reassembly_table *table, const packet_info *pinfo,
2097 const guint32 id, const void *data)
2099 reassembled_key reass_key;
2100 reassembled_key *new_key;
2101 fragment_head *fd_head;
2105 * Have we already seen this frame?
2106 * If so, look for it in the table of reassembled packets.
2108 if (pinfo->fd->flags.visited) {
2109 reass_key.frame = pinfo->fd->num;
2111 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
2114 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
2117 if (fd_head->flags & FD_DATA_NOT_PRESENT) {
2122 fd_head->datalen = fd_head->offset;
2123 fd_head->flags |= FD_DATALEN_SET;
2125 fragment_defragment_and_free (fd_head, pinfo);
2128 * Remove this from the table of in-progress reassemblies,
2129 * and free up any memory used for it in that table.
2131 fragment_unhash(table, orig_key);
2134 * Add this item to the table of reassembled packets.
2136 fragment_reassembled(table, fd_head, pinfo, id);
2137 if (fd_head->next != NULL) {
2138 new_key = g_slice_new(reassembled_key);
2139 new_key->frame = pinfo->fd->num;
2141 g_hash_table_insert(table->reassembled_table, new_key, fd_head);
2147 * Fragment data not found.
2154 * Process reassembled data; if we're on the frame in which the data
2155 * was reassembled, put the fragment information into the protocol
2156 * tree, and construct a tvbuff with the reassembled data, otherwise
2157 * just put a "reassembled in" item into the protocol tree.
2160 process_reassembled_data(tvbuff_t *tvb, const int offset, packet_info *pinfo,
2161 const char *name, fragment_head *fd_head, const fragment_items *fit,
2162 gboolean *update_col_infop, proto_tree *tree)
2165 gboolean update_col_info;
2166 proto_item *frag_tree_item;
2168 if (fd_head != NULL && pinfo->fd->num == fd_head->reassembled_in) {
2170 * OK, we've reassembled this.
2171 * Is this something that's been reassembled from more
2172 * than one fragment?
2174 if (fd_head->next != NULL) {
2177 * Allocate a new tvbuff, referring to the
2178 * reassembled payload, and set
2179 * the tvbuff to the list of tvbuffs to which
2180 * the tvbuff we were handed refers, so it'll get
2181 * cleaned up when that tvbuff is cleaned up.
2183 next_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
2185 /* Add the defragmented data to the data source list. */
2186 add_new_data_source(pinfo, next_tvb, name);
2188 /* show all fragments */
2189 if (fd_head->flags & FD_BLOCKSEQUENCE) {
2190 update_col_info = !show_fragment_seq_tree(
2191 fd_head, fit, tree, pinfo, next_tvb, &frag_tree_item);
2193 update_col_info = !show_fragment_tree(fd_head,
2194 fit, tree, pinfo, next_tvb, &frag_tree_item);
2199 * Return a tvbuff with the payload.
2201 next_tvb = tvb_new_subset_remaining(tvb, offset);
2202 pinfo->fragmented = FALSE; /* one-fragment packet */
2203 update_col_info = TRUE;
2205 if (update_col_infop != NULL)
2206 *update_col_infop = update_col_info;
2209 * We don't have the complete reassembled payload, or this
2210 * isn't the final frame of that payload.
2215 * If we know what frame this was reassembled in,
2216 * and if there's a field to use for the number of
2217 * the frame in which the packet was reassembled,
2218 * add it to the protocol tree.
2220 if (fd_head != NULL && fit->hf_reassembled_in != NULL) {
2221 proto_tree_add_uint(tree,
2222 *(fit->hf_reassembled_in), tvb,
2223 0, 0, fd_head->reassembled_in);
2230 * Show a single fragment in a fragment subtree, and put information about
2231 * it in the top-level item for that subtree.
2234 show_fragment(fragment_item *fd, const int offset, const fragment_items *fit,
2235 proto_tree *ft, proto_item *fi, const gboolean first_frag,
2236 const guint32 count, tvbuff_t *tvb, packet_info *pinfo)
2238 proto_item *fei=NULL;
2244 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragment)));
2246 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragments)));
2248 proto_item_set_text(fi, "%u %s (%u byte%s): ", count, name, tvb_length(tvb),
2249 plurality(tvb_length(tvb), "", "s"));
2252 proto_item_append_text(fi, ", ");
2254 proto_item_append_text(fi, "#%u(%u)", fd->frame, fd->len);
2256 if (fd->flags & (FD_OVERLAPCONFLICT
2257 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2258 hf = *(fit->hf_fragment_error);
2260 hf = *(fit->hf_fragment);
2263 fei = proto_tree_add_uint_format(ft, hf,
2264 tvb, offset, fd->len,
2266 "Frame: %u (no data)",
2269 fei = proto_tree_add_uint_format(ft, hf,
2270 tvb, offset, fd->len,
2272 "Frame: %u, payload: %u-%u (%u byte%s)",
2277 plurality(fd->len, "", "s"));
2279 PROTO_ITEM_SET_GENERATED(fei);
2280 mark_frame_as_depended_upon(pinfo, fd->frame);
2281 if (fd->flags & (FD_OVERLAP|FD_OVERLAPCONFLICT
2282 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2283 /* this fragment has some flags set, create a subtree
2284 * for it and display the flags.
2286 proto_tree *fet=NULL;
2288 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
2289 if (fd->flags&FD_OVERLAP) {
2290 fei=proto_tree_add_boolean(fet,
2291 *(fit->hf_fragment_overlap),
2294 PROTO_ITEM_SET_GENERATED(fei);
2296 if (fd->flags&FD_OVERLAPCONFLICT) {
2297 fei=proto_tree_add_boolean(fet,
2298 *(fit->hf_fragment_overlap_conflict),
2301 PROTO_ITEM_SET_GENERATED(fei);
2303 if (fd->flags&FD_MULTIPLETAILS) {
2304 fei=proto_tree_add_boolean(fet,
2305 *(fit->hf_fragment_multiple_tails),
2308 PROTO_ITEM_SET_GENERATED(fei);
2310 if (fd->flags&FD_TOOLONGFRAGMENT) {
2311 fei=proto_tree_add_boolean(fet,
2312 *(fit->hf_fragment_too_long_fragment),
2315 PROTO_ITEM_SET_GENERATED(fei);
2321 show_fragment_errs_in_col(fragment_head *fd_head, const fragment_items *fit,
2324 if (fd_head->flags & (FD_OVERLAPCONFLICT
2325 |FD_MULTIPLETAILS|FD_TOOLONGFRAGMENT) ) {
2326 col_add_fstr(pinfo->cinfo, COL_INFO, "[Illegal %s]", fit->tag);
2333 /* This function will build the fragment subtree; it's for fragments
2334 reassembled with "fragment_add()".
2336 It will return TRUE if there were fragmentation errors
2337 or FALSE if fragmentation was ok.
2340 show_fragment_tree(fragment_head *fd_head, const fragment_items *fit,
2341 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2345 gboolean first_frag;
2347 /* It's not fragmented. */
2348 pinfo->fragmented = FALSE;
2350 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA);
2351 PROTO_ITEM_SET_GENERATED(*fi);
2353 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2355 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2358 for (fd = fd_head->next; fd != NULL; fd = fd->next) {
2359 show_fragment(fd, fd->offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
2363 if (fit->hf_fragment_count) {
2364 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2366 PROTO_ITEM_SET_GENERATED(fli);
2369 if (fit->hf_reassembled_length) {
2370 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2371 tvb, 0, 0, tvb_length (tvb));
2372 PROTO_ITEM_SET_GENERATED(fli);
2375 if (fit->hf_reassembled_data) {
2376 proto_item *fli = proto_tree_add_item(ft, *(fit->hf_reassembled_data),
2377 tvb, 0, tvb_length(tvb), ENC_NA);
2378 PROTO_ITEM_SET_GENERATED(fli);
2381 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2384 /* This function will build the fragment subtree; it's for fragments
2385 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
2387 It will return TRUE if there were fragmentation errors
2388 or FALSE if fragmentation was ok.
2391 show_fragment_seq_tree(fragment_head *fd_head, const fragment_items *fit,
2392 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
2394 guint32 offset, next_offset, count = 0;
2395 fragment_item *fd, *last_fd;
2397 gboolean first_frag;
2399 /* It's not fragmented. */
2400 pinfo->fragmented = FALSE;
2402 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA);
2403 PROTO_ITEM_SET_GENERATED(*fi);
2405 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
2410 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2413 for (fd = fd_head->next; fd != NULL; fd = fd->next){
2414 if (last_fd == NULL || last_fd->offset != fd->offset) {
2415 offset = next_offset;
2416 next_offset += fd->len;
2419 show_fragment(fd, offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
2423 if (fit->hf_fragment_count) {
2424 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
2426 PROTO_ITEM_SET_GENERATED(fli);
2429 if (fit->hf_reassembled_length) {
2430 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
2431 tvb, 0, 0, tvb_length (tvb));
2432 PROTO_ITEM_SET_GENERATED(fli);
2435 if (fit->hf_reassembled_data) {
2436 proto_item *fli = proto_tree_add_item(ft, *(fit->hf_reassembled_data),
2437 tvb, 0, tvb_length(tvb), ENC_NA);
2438 PROTO_ITEM_SET_GENERATED(fli);
2441 return show_fragment_errs_in_col(fd_head, fit, pinfo);
2445 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2450 * indent-tabs-mode: t
2453 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2454 * :indentSize=8:tabSize=8:noTabs=false:
git.samba.org / metze / wireshark / wip.git / blob