Bug Summary

File:builds/wireshark/wireshark/epan/reassemble.c
Warning:line 1524, column 6
Potential leak of memory pointed to by 'data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name reassemble.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan -isystem /builds/wireshark/wireshark/build/epan -isystem /usr/include/mit-krb5 -isystem /usr/include/lua5.4 -isystem /usr/include/libxml2 -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -D epan_EXPORTS -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -I /builds/wireshark/wireshark/wiretap -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2026-04-28-100343-3641-1 -x c /builds/wireshark/wireshark/epan/reassemble.c
1/* reassemble.c
2 * Routines for {fragment,segment} reassembly
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <[email protected]>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
10
11#include "config.h"
12
13#include <string.h>
14
15#include <epan/packet.h>
16#include <epan/exceptions.h>
17#include <epan/reassemble.h>
18#include <epan/tvbuff-int.h>
19
20#include <wsutil/str_util.h>
21#include <wsutil/ws_assert.h>
22
23/*
24 * Functions for reassembly tables where the endpoint addresses, and a
25 * fragment ID, are used as the key.
26 */
27typedef struct _fragment_addresses_key {
28 address src;
29 address dst;
30 uint32_t id;
31} fragment_addresses_key;
32
33GList* reassembly_table_list;
34
35static unsigned
36fragment_addresses_hash(const void *k)
37{
38 const fragment_addresses_key* key = (const fragment_addresses_key*) k;
39 unsigned hash_val;
40/*
41 int i;
42*/
43
44 hash_val = 0;
45
46/* More than likely: in most captures src and dst addresses are the
47 same, and would hash the same.
48 We only use id as the hash as an optimization.
49
50 for (i = 0; i < key->src.len; i++)
51 hash_val += key->src.data[i];
52 for (i = 0; i < key->dst.len; i++)
53 hash_val += key->dst.data[i];
54*/
55
56 hash_val += key->id;
57
58 return hash_val;
59}
60
61static int
62fragment_addresses_equal(const void *k1, const void *k2)
63{
64 const fragment_addresses_key* key1 = (const fragment_addresses_key*) k1;
65 const fragment_addresses_key* key2 = (const fragment_addresses_key*) k2;
66
67 /*
68 * key.id is the first item to compare since it's the item most
69 * likely to differ between sessions, thus short-circuiting
70 * the comparison of addresses.
71 */
72 return (key1->id == key2->id) &&
73 (addresses_equal(&key1->src, &key2->src)) &&
74 (addresses_equal(&key1->dst, &key2->dst));
75}
76
77/*
78 * Create a fragment key for temporary use; it can point to non-
79 * persistent data, and so must only be used to look up and
80 * delete entries, not to add them.
81 */
82static void *
83fragment_addresses_temporary_key(const packet_info *pinfo, const uint32_t id,
84 const void *data _U___attribute__((unused)))
85{
86 fragment_addresses_key *key = g_slice_new(fragment_addresses_key)((fragment_addresses_key*) g_slice_alloc (sizeof (fragment_addresses_key
)));
87
88 /*
89 * Do a shallow copy of the addresses.
90 */
91 copy_address_shallow(&key->src, &pinfo->src);
92 copy_address_shallow(&key->dst, &pinfo->dst);
93 key->id = id;
94
95 return (void *)key;
96}
97
98/*
99 * Create a fragment key for permanent use; it must point to persistent
100 * data, so that it can be used to add entries.
101 */
102static void *
103fragment_addresses_persistent_key(const packet_info *pinfo, const uint32_t id,
104 const void *data _U___attribute__((unused)))
105{
106 fragment_addresses_key *key = g_slice_new(fragment_addresses_key)((fragment_addresses_key*) g_slice_alloc (sizeof (fragment_addresses_key
)));
107
108 /*
109 * Do a deep copy of the addresses.
110 */
111 copy_address(&key->src, &pinfo->src);
112 copy_address(&key->dst, &pinfo->dst);
113 key->id = id;
114
115 return (void *)key;
116}
117
118static void
119fragment_addresses_free_temporary_key(void *ptr)
120{
121 fragment_addresses_key *key = (fragment_addresses_key *)ptr;
122 g_slice_free(fragment_addresses_key, key)do { if (1) g_slice_free1 (sizeof (fragment_addresses_key), (
key)); else (void) ((fragment_addresses_key*) 0 == (key)); } while
(0);
123}
124
125static void
126fragment_addresses_free_persistent_key(void *ptr)
127{
128 fragment_addresses_key *key = (fragment_addresses_key *)ptr;
129
130 if(key){
131 /*
132 * Free up the copies of the addresses from the old key.
133 */
134 free_address(&key->src);
135 free_address(&key->dst);
136
137 g_slice_free(fragment_addresses_key, key)do { if (1) g_slice_free1 (sizeof (fragment_addresses_key), (
key)); else (void) ((fragment_addresses_key*) 0 == (key)); } while
(0);
138 }
139}
140
141const reassembly_table_functions
142addresses_reassembly_table_functions = {
143 fragment_addresses_hash,
144 fragment_addresses_equal,
145 fragment_addresses_temporary_key,
146 fragment_addresses_persistent_key,
147 fragment_addresses_free_temporary_key,
148 fragment_addresses_free_persistent_key
149};
150
151/*
152 * Functions for reassembly tables where the endpoint addresses and ports,
153 * and a fragment ID, are used as the key.
154 */
155typedef struct _fragment_addresses_ports_key {
156 address src_addr;
157 address dst_addr;
158 uint32_t src_port;
159 uint32_t dst_port;
160 uint32_t id;
161} fragment_addresses_ports_key;
162
163static unsigned
164fragment_addresses_ports_hash(const void *k)
165{
166 const fragment_addresses_ports_key* key = (const fragment_addresses_ports_key*) k;
167 unsigned hash_val;
168/*
169 int i;
170*/
171
172 hash_val = 0;
173
174/* More than likely: in most captures src and dst addresses and ports
175 are the same, and would hash the same.
176 We only use id as the hash as an optimization.
177
178 for (i = 0; i < key->src.len; i++)
179 hash_val += key->src_addr.data[i];
180 for (i = 0; i < key->dst.len; i++)
181 hash_val += key->dst_addr.data[i];
182 hash_val += key->src_port;
183 hash_val += key->dst_port;
184*/
185
186 hash_val += key->id;
187
188 return hash_val;
189}
190
191static int
192fragment_addresses_ports_equal(const void *k1, const void *k2)
193{
194 const fragment_addresses_ports_key* key1 = (const fragment_addresses_ports_key*) k1;
195 const fragment_addresses_ports_key* key2 = (const fragment_addresses_ports_key*) k2;
196
197 /*
198 * key.id is the first item to compare since it's the item most
199 * likely to differ between sessions, thus short-circuiting
200 * the comparison of addresses and ports.
201 */
202 return (key1->id == key2->id) &&
203 (addresses_equal(&key1->src_addr, &key2->src_addr)) &&
204 (addresses_equal(&key1->dst_addr, &key2->dst_addr)) &&
205 (key1->src_port == key2->src_port) &&
206 (key1->dst_port == key2->dst_port);
207}
208
209/*
210 * Create a fragment key for temporary use; it can point to non-
211 * persistent data, and so must only be used to look up and
212 * delete entries, not to add them.
213 */
214static void *
215fragment_addresses_ports_temporary_key(const packet_info *pinfo, const uint32_t id,
216 const void *data _U___attribute__((unused)))
217{
218 fragment_addresses_ports_key *key = g_slice_new(fragment_addresses_ports_key)((fragment_addresses_ports_key*) g_slice_alloc (sizeof (fragment_addresses_ports_key
)));
219
220 /*
221 * Do a shallow copy of the addresses.
222 */
223 copy_address_shallow(&key->src_addr, &pinfo->src);
224 copy_address_shallow(&key->dst_addr, &pinfo->dst);
225 key->src_port = pinfo->srcport;
226 key->dst_port = pinfo->destport;
227 key->id = id;
228
229 return (void *)key;
230}
231
232/*
233 * Create a fragment key for permanent use; it must point to persistent
234 * data, so that it can be used to add entries.
235 */
236static void *
237fragment_addresses_ports_persistent_key(const packet_info *pinfo,
238 const uint32_t id, const void *data _U___attribute__((unused)))
239{
240 fragment_addresses_ports_key *key = g_slice_new(fragment_addresses_ports_key)((fragment_addresses_ports_key*) g_slice_alloc (sizeof (fragment_addresses_ports_key
)));
241
242 /*
243 * Do a deep copy of the addresses.
244 */
245 copy_address(&key->src_addr, &pinfo->src);
246 copy_address(&key->dst_addr, &pinfo->dst);
247 key->src_port = pinfo->srcport;
248 key->dst_port = pinfo->destport;
249 key->id = id;
250
251 return (void *)key;
252}
253
254static void
255fragment_addresses_ports_free_temporary_key(void *ptr)
256{
257 fragment_addresses_ports_key *key = (fragment_addresses_ports_key *)ptr;
258 g_slice_free(fragment_addresses_ports_key, key)do { if (1) g_slice_free1 (sizeof (fragment_addresses_ports_key
), (key)); else (void) ((fragment_addresses_ports_key*) 0 == (
key)); } while (0);
259}
260
261static void
262fragment_addresses_ports_free_persistent_key(void *ptr)
263{
264 fragment_addresses_ports_key *key = (fragment_addresses_ports_key *)ptr;
265
266 if(key){
267 /*
268 * Free up the copies of the addresses from the old key.
269 */
270 free_address(&key->src_addr);
271 free_address(&key->dst_addr);
272
273 g_slice_free(fragment_addresses_ports_key, key)do { if (1) g_slice_free1 (sizeof (fragment_addresses_ports_key
), (key)); else (void) ((fragment_addresses_ports_key*) 0 == (
key)); } while (0);
274 }
275}
276
277const reassembly_table_functions
278addresses_ports_reassembly_table_functions = {
279 fragment_addresses_ports_hash,
280 fragment_addresses_ports_equal,
281 fragment_addresses_ports_temporary_key,
282 fragment_addresses_ports_persistent_key,
283 fragment_addresses_ports_free_temporary_key,
284 fragment_addresses_ports_free_persistent_key
285};
286
287typedef struct _reassembled_key {
288 uint32_t id;
289 uint32_t frame;
290} reassembled_key;
291
292static int
293reassembled_equal(const void *k1, const void *k2)
294{
295 const reassembled_key* key1 = (const reassembled_key*) k1;
296 const reassembled_key* key2 = (const reassembled_key*) k2;
297
298 /*
299 * We assume that the frame numbers are unlikely to be equal,
300 * so we check them first.
301 */
302 return key1->frame == key2->frame && key1->id == key2->id;
303}
304
305static unsigned
306reassembled_hash(const void *k)
307{
308 const reassembled_key* key = (const reassembled_key*) k;
309
310 return key->frame;
311}
312
313static void
314reassembled_key_free(void *ptr)
315{
316 g_slice_free(reassembled_key, (reassembled_key *)ptr)do { if (1) g_slice_free1 (sizeof (reassembled_key), ((reassembled_key
*)ptr)); else (void) ((reassembled_key*) 0 == ((reassembled_key
*)ptr)); } while (0);
317}
318
319/* --------------fragment_item functions ----------- */
320static fragment_item*
321new_fragment_item(uint32_t frame, uint32_t offset, uint32_t len)
322{
323 fragment_item *fd;
324
325 fd = g_slice_new(fragment_item)((fragment_item*) g_slice_alloc (sizeof (fragment_item)));
326 fd->next = NULL((void*)0);
327 fd->flags = 0;
328 fd->frame = frame;
329 fd->offset = offset;
330 fd->len = len;
331 fd->tvb_data = NULL((void*)0);
332
333 return fd;
334}
335
336static void
337fragment_item_free_tvb(fragment_item *fd_i)
338{
339 /* If this is a subset of the tvb created for the head after
340 * dissembly, don't free it (that would cause memory errors;
341 * the parent will be freed later.) */
342 if (fd_i->flags & FD_SUBSET_TVB0x0020)
343 fd_i->flags &= ~FD_SUBSET_TVB0x0020;
344 else if (fd_i->tvb_data)
345 tvb_free(fd_i->tvb_data);
346
347 fd_i->tvb_data=NULL((void*)0);
348}
349
350/* Returns the pointer to the next item so that the list can be freed. */
351static fragment_item*
352fragment_item_free(fragment_item *fd_i)
353{
354 fragment_item *fd_next = fd_i->next;
355 fragment_item_free_tvb(fd_i);
356 g_slice_free(fragment_item, fd_i)do { if (1) g_slice_free1 (sizeof (fragment_item), (fd_i)); else
(void) ((fragment_item*) 0 == (fd_i)); } while (0);
357 return fd_next;
358}
359
360/* ------------------------- */
361static fragment_head *new_head(const uint32_t flags)
362{
363 fragment_head *fd_head;
364 /* If head/first structure in list only holds no other data than
365 * 'datalen' then we don't have to change the head of the list
366 * even if we want to keep it sorted
367 */
368 fd_head=g_slice_new0(fragment_head)((fragment_head*) g_slice_alloc0 (sizeof (fragment_head)));
369
370 fd_head->flags=flags;
371 return fd_head;
372}
373
374/*
375 * For a reassembled-packet hash table entry, free the fragment data
376 * to which the value refers. (The key is freed by reassembled_key_free.)
377 */
378static void
379free_fd_head(fragment_head *fd_head)
380{
381 fragment_item *fd_i;
382
383 if (fd_head->flags & FD_SUBSET_TVB0x0020)
384 fd_head->tvb_data = NULL((void*)0);
385 if (fd_head->tvb_data)
386 tvb_free(fd_head->tvb_data);
387 fd_i = fd_head->next;
388 while (fd_i != NULL((void*)0)) {
389 fd_i = fragment_item_free(fd_i);
390 }
391 g_slice_free(fragment_head, fd_head)do { if (1) g_slice_free1 (sizeof (fragment_head), (fd_head))
; else (void) ((fragment_head*) 0 == (fd_head)); } while (0);
392}
393
394static void
395unref_fd_head(void *data)
396{
397 fragment_head *fd_head = (fragment_head *) data;
398 fd_head->ref_count--;
399
400 if (fd_head->ref_count == 0) {
401 free_fd_head(fd_head);
402 }
403}
404
405/*
406 * For a fragment hash table entry, free the associated fragments.
407 * The entry value (fd_chain) is freed herein and the entry is freed
408 * when the key freeing routine is called (as a consequence of returning
409 * true from this function).
410 */
411static gboolean
412free_all_fragments(void *key_arg _U___attribute__((unused)), void *value, void *user_data _U___attribute__((unused)))
413{
414 fragment_head *fd_head;
415
416 /* g_hash_table_new_full() was used to supply a function
417 * to free the key and anything to which it points
418 */
419 fd_head = (fragment_head *)value;
420 free_fd_head(fd_head);
421
422 return TRUE(!(0));
423}
424
425static void
426reassembled_table_insert(GHashTable *reassembled_table, reassembled_key *key, fragment_head *fd_head)
427{
428 fragment_head *old_fd_head;
429 fd_head->ref_count++;
430 if ((old_fd_head = g_hash_table_lookup(reassembled_table, key)) != NULL((void*)0)) {
431 if (old_fd_head->ref_count == 1) {
432 /* We're replacing the last entry in the reassembled
433 * table for an old reassembly. Does it have a tvb?
434 * We might still be using that tvb's memory for an
435 * address via set_address_tvb(). (See #19094.)
436 */
437 if (old_fd_head->tvb_data && fd_head->tvb_data) {
438 /* Free it when the new tvb is freed */
439 tvb_set_child_real_data_tvbuff(fd_head->tvb_data, old_fd_head->tvb_data);
440 }
441 /* XXX: Set the old data to NULL regardless. If we
442 * have old data but not new data, that is odd (we're
443 * replacing a reassembly with tvb data with something
444 * with no tvb data, possibly because a zero length or
445 * null tvb was passed into a defragment function,
446 * which is a dissector bug.)
447 * This leaks the tvb data if we couldn't add it to
448 * a new tvb's chain, but we might not be able to free
449 * it yet if set_address_tvb() was used.
450 */
451 old_fd_head->tvb_data = NULL((void*)0);
452 }
453 }
454 g_hash_table_insert(reassembled_table, key, fd_head);
455}
456
457typedef struct register_reassembly_table {
458 reassembly_table *table;
459 const reassembly_table_functions *funcs;
460} register_reassembly_table_t;
461
462/*
463 * Register a reassembly table.
464 */
465void
466reassembly_table_register(reassembly_table *table,
467 const reassembly_table_functions *funcs)
468{
469 register_reassembly_table_t* reg_table;
470
471 DISSECTOR_ASSERT(table)((void) ((table) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/reassemble.c", 471, "table"))));
472 DISSECTOR_ASSERT(funcs)((void) ((funcs) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/reassemble.c", 472, "funcs"))));
473
474 reg_table = g_new(register_reassembly_table_t,1)((register_reassembly_table_t *) g_malloc_n ((1), sizeof (register_reassembly_table_t
)));
475
476 reg_table->table = table;
477 reg_table->funcs = funcs;
478
479 reassembly_table_list = g_list_prepend(reassembly_table_list, reg_table);
480}
481
482/*
483 * Initialize a reassembly table, with specified functions.
484 */
485void
486reassembly_table_init(reassembly_table *table,
487 const reassembly_table_functions *funcs)
488{
489 if (table->temporary_key_func == NULL((void*)0))
490 table->temporary_key_func = funcs->temporary_key_func;
491 if (table->persistent_key_func == NULL((void*)0))
492 table->persistent_key_func = funcs->persistent_key_func;
493 if (table->free_temporary_key_func == NULL((void*)0))
494 table->free_temporary_key_func = funcs->free_temporary_key_func;
495 if (table->fragment_table != NULL((void*)0)) {
496 /*
497 * The fragment hash table exists.
498 *
499 * Remove all entries and free fragment data for each entry.
500 *
501 * The keys, and anything to which they point, are freed by
502 * calling the table's key freeing function. The values
503 * are freed in free_all_fragments().
504 */
505 g_hash_table_foreach_remove(table->fragment_table,
506 free_all_fragments, NULL((void*)0));
507 } else {
508 /* The fragment table does not exist. Create it */
509 table->fragment_table = g_hash_table_new_full(funcs->hash_func,
510 funcs->equal_func, funcs->free_persistent_key_func, NULL((void*)0));
511 }
512
513 if (table->reassembled_table != NULL((void*)0)) {
514 /*
515 * The reassembled-packet hash table exists.
516 *
517 * Remove all entries and free reassembled packet
518 * data and key for each entry.
519 */
520 g_hash_table_remove_all(table->reassembled_table);
521 } else {
522 /* The fragment table does not exist. Create it */
523 table->reassembled_table = g_hash_table_new_full(reassembled_hash,
524 reassembled_equal, reassembled_key_free, unref_fd_head);
525 }
526}
527
528/*
529 * Destroy a reassembly table.
530 */
531void
532reassembly_table_destroy(reassembly_table *table)
533{
534 /*
535 * Clear the function pointers.
536 */
537 table->temporary_key_func = NULL((void*)0);
538 table->persistent_key_func = NULL((void*)0);
539 table->free_temporary_key_func = NULL((void*)0);
540 if (table->fragment_table != NULL((void*)0)) {
541 /*
542 * The fragment hash table exists.
543 *
544 * Remove all entries and free fragment data for each entry.
545 *
546 * The keys, and anything to which they point, are freed by
547 * calling the table's key freeing function. The values
548 * are freed in free_all_fragments().
549 */
550 g_hash_table_foreach_remove(table->fragment_table,
551 free_all_fragments, NULL((void*)0));
552
553 /*
554 * Now destroy the hash table.
555 */
556 g_hash_table_destroy(table->fragment_table);
557 table->fragment_table = NULL((void*)0);
558 }
559 if (table->reassembled_table != NULL((void*)0)) {
560 /*
561 * The reassembled-packet hash table exists.
562 *
563 * Remove all entries and free reassembled packet
564 * data and key for each entry.
565 */
566
567 g_hash_table_remove_all(table->reassembled_table);
568
569 /*
570 * Now destroy the hash table.
571 */
572 g_hash_table_destroy(table->reassembled_table);
573 table->reassembled_table = NULL((void*)0);
574 }
575}
576
577/*
578 * Look up an fd_head in the fragment table, optionally returning the key
579 * for it.
580 */
581static fragment_head *
582lookup_fd_head(reassembly_table *table, const packet_info *pinfo,
583 const uint32_t id, const void *data, void * *orig_keyp)
584{
585 void *key;
586 void *value;
587
588 /* Create key to search hash with */
589 key = table->temporary_key_func(pinfo, id, data);
590
591 /*
592 * Look up the reassembly in the fragment table.
593 */
594 if (!g_hash_table_lookup_extended(table->fragment_table, key, orig_keyp,
595 &value))
596 value = NULL((void*)0);
597 /* Free the key */
598 table->free_temporary_key_func(key);
599
600 return (fragment_head *)value;
601}
602
603/*
604 * Insert an fd_head into the fragment table, and return the key used.
605 */
606static void *
607insert_fd_head(reassembly_table *table, fragment_head *fd_head,
608 const packet_info *pinfo, const uint32_t id, const void *data)
609{
610 void *key;
611
612 /*
613 * We're going to use the key to insert the fragment,
614 * so make a persistent version of it.
615 */
616 key = table->persistent_key_func(pinfo, id, data);
617 g_hash_table_insert(table->fragment_table, key, fd_head);
618 return key;
619}
620
621/* This function cleans up the stored state and removes the reassembly data and
622 * (with one exception) all allocated memory for matching reassembly.
623 *
624 * The exception is :
625 * If the PDU was already completely reassembled, then the tvbuff containing the
626 * reassembled data WILL NOT be free()d, and the pointer to that tvbuff will be
627 * returned.
628 * Othervise the function will return NULL.
629 *
630 * So, if you call fragment_delete and it returns non-NULL, YOU are responsible
631 * to tvb_free() that tvbuff.
632 */
633tvbuff_t *
634fragment_delete(reassembly_table *table, const packet_info *pinfo,
635 const uint32_t id, const void *data)
636{
637 fragment_head *fd_head;
638 fragment_item *fd;
639 tvbuff_t *fd_tvb_data=NULL((void*)0);
640 void *key;
641
642 fd_head = lookup_fd_head(table, pinfo, id, data, &key);
643 if(fd_head==NULL((void*)0)){
644 /* We do not recognize this as a PDU we have seen before. return */
645 return NULL((void*)0);
646 }
647
648 fd_tvb_data=fd_head->tvb_data;
649 /* loop over all partial fragments and free any tvbuffs */
650 fd = fd_head->next;
651 while (fd != NULL((void*)0)) {
652 fd = fragment_item_free(fd);
653 }
654 g_slice_free(fragment_head, fd_head)do { if (1) g_slice_free1 (sizeof (fragment_head), (fd_head))
; else (void) ((fragment_head*) 0 == (fd_head)); } while (0);
655 g_hash_table_remove(table->fragment_table, key);
656
657 return fd_tvb_data;
658}
659
660/* This function is used to check if there is partial or completed reassembly state
661 * matching this packet. I.e. Is there reassembly going on or not for this packet?
662 */
663fragment_head *
664fragment_get(reassembly_table *table, const packet_info *pinfo,
665 const uint32_t id, const void *data)
666{
667 return lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
668}
669
670fragment_head *
671fragment_get_reassembled_id(reassembly_table *table, const packet_info *pinfo,
672 const uint32_t id)
673{
674 fragment_head *fd_head;
675 reassembled_key key;
676
677 /* create key to search hash with */
678 key.frame = pinfo->num;
679 key.id = id;
680 fd_head = (fragment_head *)g_hash_table_lookup(table->reassembled_table, &key);
681
682 return fd_head;
683}
684
685/* To specify the offset for the fragment numbering, the first fragment is added with 0, and
686 * afterwards this offset is set. All additional calls to off_seq_check will calculate
687 * the number in sequence in regards to the offset */
688void
689fragment_add_seq_offset(reassembly_table *table, const packet_info *pinfo, const uint32_t id,
690 const void *data, const uint32_t fragment_offset)
691{
692 fragment_head *fd_head;
693
694 fd_head = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
695 if (!fd_head)
696 return;
697
698 /* Resetting the offset is not allowed */
699 if ( fd_head->fragment_nr_offset != 0 )
700 return;
701
702 fd_head->fragment_nr_offset = fragment_offset;
703}
704
705static void
706update_first_gap(fragment_head *fd_head, fragment_item *inserted, bool_Bool multi_insert)
707{
708 uint32_t frag_end = inserted->offset + inserted->len;
709 fragment_item *iter;
710 uint32_t contiguous;
711
712 if (inserted->offset > fd_head->contiguous_len) {
713 /* first inserted node is after first gap */
714 return;
715 } else if (fd_head->first_gap == NULL((void*)0)) {
716 /* we haven't seen first fragment yet */
717 if (inserted->offset != 0) {
718 /* inserted node is not first fragment */
719 return;
720 }
721 contiguous = inserted->len;
722 iter = inserted;
723 } else {
724 contiguous = MAX(fd_head->contiguous_len, frag_end)(((fd_head->contiguous_len) > (frag_end)) ? (fd_head->
contiguous_len) : (frag_end));
725 iter = multi_insert ? inserted : fd_head->first_gap;
726 }
727
728 while (iter->next) {
729 if (iter->next->offset > contiguous) {
730 break;
731 }
732 iter = iter->next;
733 contiguous = MAX(contiguous, iter->offset + iter->len)(((contiguous) > (iter->offset + iter->len)) ? (contiguous
) : (iter->offset + iter->len));
734 }
735
736 /* iter is either pointing to last fragment before gap or tail */
737 fd_head->first_gap = iter;
738 fd_head->contiguous_len = contiguous;
739}
740
741/*
742 * Keeping first gap and contiguous length in sync significantly speeds up
743 * LINK_FRAG() when fragments in capture file are mostly ordered. However, when
744 * fragments are removed from the list, the first gap can point to fragments
745 * that were either moved to another list or freed. Therefore when any fragment
746 * before first gap is removed, the first gap (and contiguous length) must be
747 * invalidated.
748 */
749static void fragment_reset_first_gap(fragment_head *fd_head)
750{
751 fd_head->first_gap = NULL((void*)0);
752 fd_head->contiguous_len = 0;
753 if (fd_head->next) {
754 bool_Bool multi_insert = (fd_head->next->next != NULL((void*)0));
755 update_first_gap(fd_head, fd_head->next, multi_insert);
756 }
757}
758
759/*
760 * Determines whether list modification requires first gap reset. On entry
761 * modified is NULL if all elements were removed, otherwise it points to
762 * element (reachable from fd_head) whose next pointer was changed.
763 */
764static void fragment_items_removed(fragment_head *fd_head, fragment_item *modified)
765{
766 if ((fd_head->first_gap == modified) ||
767 ((modified != NULL((void*)0)) && (modified->offset > fd_head->contiguous_len))) {
768 /* Removed elements were after first gap */
769 return;
770 }
771 fragment_reset_first_gap(fd_head);
772}
773
774/*
775 * For use with fragment_add (and not the fragment_add_seq functions).
776 * When the reassembled result is wrong (perhaps it needs to be extended), this
777 * function clears any previous reassembly result, allowing the new reassembled
778 * length to be set again.
779 */
780static void
781fragment_reset_defragmentation(fragment_head *fd_head)
782{
783 /* Caller must ensure that this function is only called when
784 * defragmentation is safe to undo. */
785 DISSECTOR_ASSERT(fd_head->flags & FD_DEFRAGMENTED)((void) ((fd_head->flags & 0x0001) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 785, "fd_head->flags & 0x0001"
))));
786
787 fd_head->flags &= ~(FD_DEFRAGMENTED0x0001|FD_PARTIAL_REASSEMBLY0x0040|FD_DATALEN_SET0x0400);
788 /* We have to clear TOOLONGFRAGMENT and MULTIPLETAILS because they
789 * might change when extending the reassembly. If those flags weren't
790 * set on the head, they're not set on any item. */
791 if (fd_head->flags & (FD_TOOLONGFRAGMENT0x0010|FD_MULTIPLETAILS0x0008)) {
792 for (fragment_item *fd_i = fd_head->next; fd_i; fd_i = fd_i->next) {
793 fd_i->flags &= (~FD_TOOLONGFRAGMENT0x0010) & (~FD_MULTIPLETAILS0x0008);
794 }
795 fd_head->flags &= ~(FD_TOOLONGFRAGMENT0x0010|FD_MULTIPLETAILS0x0008);
796 }
797 fd_head->datalen = 0;
798 fd_head->reassembled_in = 0;
799 fd_head->reas_in_layer_num = 0;
800}
801
802/* This function can be used to explicitly set the total length (if known)
803 * for reassembly of a PDU.
804 * This is useful for reassembly of PDUs where one may have the total length specified
805 * in the first fragment instead of as for, say, IPv4 where a flag indicates which
806 * is the last fragment.
807 *
808 * Such protocols might fragment_add with a more_frags==true for every fragment
809 * and just tell the reassembly engine the expected total length of the reassembled data
810 * using fragment_set_tot_len immediately after doing fragment_add for the first packet.
811 *
812 * Note that for FD_BLOCKSEQUENCE tot_len is the index for the tail fragment.
813 * i.e. since the block numbers start at 0, if we specify tot_len==2, that
814 * actually means we want to defragment 3 blocks, block 0, 1 and 2.
815 */
816void
817fragment_set_tot_len(reassembly_table *table, const packet_info *pinfo,
818 const uint32_t id, const void *data, const uint32_t tot_len)
819{
820 fragment_head *fd_head;
821 fragment_item *fd;
822 uint32_t max_offset = 0;
823
824 fd_head = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
825 if (!fd_head)
826 return;
827
828 /* If we're setting a block sequence number, verify that it
829 * doesn't conflict with values set by existing fragments.
830 * XXX - eliminate this check?
831 */
832 if (fd_head->flags & FD_BLOCKSEQUENCE0x0100) {
833 for (fd = fd_head->next; fd; fd = fd->next) {
834 if (fd->offset > max_offset) {
835 max_offset = fd->offset;
836 if (max_offset > tot_len) {
837 fd_head->error = "Bad total reassembly block count";
838 THROW_MESSAGE(ReassemblyError, fd_head->error)except_throw(1, (9), (fd_head->error));
839 }
840 }
841 }
842 }
843
844 if (fd_head->flags & FD_DEFRAGMENTED0x0001) {
845 if (max_offset != tot_len) {
846 fd_head->error = "Defragmented complete but total length not satisfied";
847 THROW_MESSAGE(ReassemblyError, fd_head->error)except_throw(1, (9), (fd_head->error));
848 }
849 }
850
851 /* We got this far so the value is sane. */
852 fd_head->datalen = tot_len;
853 fd_head->flags |= FD_DATALEN_SET0x0400;
854}
855
856void
857fragment_reset_tot_len(reassembly_table *table, const packet_info *pinfo,
858 const uint32_t id, const void *data, const uint32_t tot_len)
859{
860 fragment_head *fd_head;
861
862 fd_head = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
863 if (!fd_head)
864 return;
865
866 /*
867 * If FD_PARTIAL_REASSEMBLY is set, it would make the next fragment_add
868 * call set the reassembled length based on the fragment offset and
869 * length. As the length is known now, be sure to disable that magic.
870 */
871 fd_head->flags &= ~FD_PARTIAL_REASSEMBLY0x0040;
872
873 /* If the length is already as expected, there is nothing else to do. */
874 if (tot_len == fd_head->datalen)
875 return;
876
877 if (fd_head->flags & FD_DEFRAGMENTED0x0001) {
878 /*
879 * Fragments were reassembled before, clear it to allow
880 * increasing the reassembled length.
881 */
882 fragment_reset_defragmentation(fd_head);
883 }
884
885 fd_head->datalen = tot_len;
886 fd_head->flags |= FD_DATALEN_SET0x0400;
887}
888
889void
890fragment_truncate(reassembly_table *table, const packet_info *pinfo,
891 const uint32_t id, const void *data, const uint32_t tot_len)
892
893{
894 tvbuff_t *old_tvb_data;
895 fragment_head *fd_head;
896
897 fd_head = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
898 if (!fd_head)
899 return;
900
901 /* Caller must ensure that this function is only called when
902 * we are defragmented. */
903 DISSECTOR_ASSERT(fd_head->flags & FD_DEFRAGMENTED)((void) ((fd_head->flags & 0x0001) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 903, "fd_head->flags & 0x0001"
))));
904
905 /*
906 * If FD_PARTIAL_REASSEMBLY is set, it would make the next fragment_add
907 * call set the reassembled length based on the fragment offset and
908 * length. As the length is known now, be sure to disable that magic.
909 */
910 fd_head->flags &= ~FD_PARTIAL_REASSEMBLY0x0040;
911
912 /* If the length is already as expected, there is nothing else to do. */
913 if (tot_len == fd_head->datalen)
914 return;
915
916 DISSECTOR_ASSERT(fd_head->datalen > tot_len)((void) ((fd_head->datalen > tot_len) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 916, "fd_head->datalen > tot_len"
))));
917
918 old_tvb_data=fd_head->tvb_data;
919 fd_head->tvb_data = tvb_clone_offset_len(old_tvb_data, 0, tot_len);
920 tvb_set_free_cb(fd_head->tvb_data, g_free);
921
922 if (old_tvb_data)
923 tvb_add_to_chain(fd_head->tvb_data, old_tvb_data);
924 fd_head->datalen = tot_len;
925
926 /* Keep the fragments before the split point, dividing any if
927 * necessary.
928 * XXX: In rare cases, there might be fragments marked as overlap that
929 * have data both before and after the split point, and which only
930 * overlap after the split point. In that case, after dividing the
931 * fragments the first part no longer overlap.
932 * However, at this point we can't test for overlap conflicts,
933 * so we'll just leave the overlap flags as-is.
934 */
935 fd_head->flags &= ~(FD_OVERLAP0x0002|FD_OVERLAPCONFLICT0x0004|FD_TOOLONGFRAGMENT0x0010|FD_MULTIPLETAILS0x0008);
936 fragment_item *fd_i, *prev_fd = NULL((void*)0);
937 for (fd_i = fd_head->next; fd_i && (fd_i->offset < tot_len); fd_i = fd_i->next) {
938 fd_i->flags &= ~(FD_TOOLONGFRAGMENT0x0010|FD_MULTIPLETAILS0x0008);
939 /* Check for the split point occurring in the middle of the
940 * fragment. */
941 if (fd_i->offset + fd_i->len > tot_len) {
942 fd_i->len = tot_len - fd_i->offset;
943 }
944 fd_head->flags |= fd_i->flags & (FD_OVERLAP0x0002|FD_OVERLAPCONFLICT0x0004);
945 prev_fd = fd_i;
946
947 /* Below should do nothing since this is already defragmented */
948 fragment_item_free_tvb(fd_i);
949 }
950
951 /* Remove all the other fragments, as they are past the split point. */
952 if (prev_fd) {
953 prev_fd->next = NULL((void*)0);
954 } else {
955 fd_head->next = NULL((void*)0);
956 }
957 fd_head->contiguous_len = MIN(fd_head->contiguous_len, tot_len)(((fd_head->contiguous_len) < (tot_len)) ? (fd_head->
contiguous_len) : (tot_len));
958 fragment_items_removed(fd_head, prev_fd);
959 while (fd_i != NULL((void*)0)) {
960 fd_i = fragment_item_free(fd_i);
961 }
962}
963
964uint32_t
965fragment_get_tot_len(reassembly_table *table, const packet_info *pinfo,
966 const uint32_t id, const void *data)
967{
968 fragment_head *fd_head;
969
970 fd_head = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
971
972 if(fd_head){
973 return fd_head->datalen;
974 }
975
976 return 0;
977}
978
979/* This function will set the partial reassembly flag for a fh.
980 When this function is called, the fh MUST already exist, i.e.
981 the fh MUST be created by the initial call to fragment_add() before
982 this function is called.
983 Also note that this function MUST be called to indicate a fh will be
984 extended (increase the already stored data)
985*/
986
987void
988fragment_set_partial_reassembly(reassembly_table *table,
989 const packet_info *pinfo, const uint32_t id,
990 const void *data)
991{
992 fragment_head *fd_head;
993
994 fd_head = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
995
996 /*
997 * XXX - why not do all the stuff done early in "fragment_add_work()",
998 * turning off FD_DEFRAGMENTED and pointing the fragments' data
999 * pointers to the appropriate part of the already-reassembled
1000 * data, and clearing the data length and "reassembled in" frame
1001 * number, here? We currently have a hack in the TCP dissector
1002 * not to set the "reassembled in" value if the "partial reassembly"
1003 * flag is set, so that in the first pass through the packets
1004 * we don't falsely set a packet as reassembled in that packet
1005 * if the dissector decided that even more reassembly was needed.
1006 */
1007 if(fd_head){
1008 fd_head->flags |= FD_PARTIAL_REASSEMBLY0x0040;
1009 }
1010}
1011
1012/*
1013 * This function gets rid of an entry from a fragment table, given
1014 * a pointer to the key for that entry.
1015 *
1016 * The key freeing routine will be called by g_hash_table_remove().
1017 */
1018static void
1019fragment_unhash(reassembly_table *table, void *key)
1020{
1021 /*
1022 * Remove the entry from the fragment table.
1023 */
1024 g_hash_table_remove(table->fragment_table, key);
1025}
1026
1027/*
1028 * This function adds fragment_head structure to a reassembled-packet
1029 * hash table, using the frame numbers of each of the frames from
1030 * which it was reassembled as keys, and sets the "reassembled_in"
1031 * frame number.
1032 */
1033static void
1034fragment_reassembled(reassembly_table *table, fragment_head *fd_head,
1035 const packet_info *pinfo, const uint32_t id)
1036{
1037 reassembled_key *new_key;
1038 fragment_item *fd;
1039
1040 fd_head->ref_count = 0;
1041 if (fd_head->next == NULL((void*)0)) {
1042 /*
1043 * This was not fragmented, so there's no fragment
1044 * table; just hash it using the current frame number.
1045 */
1046 new_key = g_slice_new(reassembled_key)((reassembled_key*) g_slice_alloc (sizeof (reassembled_key)));
1047 new_key->frame = pinfo->num;
1048 new_key->id = id;
1049 reassembled_table_insert(table->reassembled_table, new_key, fd_head);
1050 } else {
1051 /*
1052 * Hash it with the frame numbers for all the frames.
1053 */
1054 for (fd = fd_head->next; fd != NULL((void*)0); fd = fd->next){
1055 new_key = g_slice_new(reassembled_key)((reassembled_key*) g_slice_alloc (sizeof (reassembled_key)));
1056 new_key->frame = fd->frame;
1057 new_key->id = id;
1058 reassembled_table_insert(table->reassembled_table, new_key, fd_head);
1059 }
1060 }
1061 fd_head->flags |= FD_DEFRAGMENTED0x0001;
1062 fd_head->reassembled_in = pinfo->num;
1063 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
1064}
1065
1066/*
1067 * This function is a variant of the above for the single sequence
1068 * case, using id+offset (i.e., the original sequence number) for the id
1069 * in the key.
1070 */
1071static void
1072fragment_reassembled_single(reassembly_table *table, fragment_head *fd_head,
1073 const packet_info *pinfo, const uint32_t id)
1074{
1075 reassembled_key *new_key;
1076 fragment_item *fd;
1077
1078 fd_head->ref_count = 0;
1079 if (fd_head->next == NULL((void*)0)) {
1080 /*
1081 * This was not fragmented, so there's no fragment
1082 * table; just hash it using the current frame number.
1083 */
1084 new_key = g_slice_new(reassembled_key)((reassembled_key*) g_slice_alloc (sizeof (reassembled_key)));
1085 new_key->frame = pinfo->num;
1086 new_key->id = id;
1087 reassembled_table_insert(table->reassembled_table, new_key, fd_head);
1088 } else {
1089 /*
1090 * Hash it with the frame numbers for all the frames.
1091 */
1092 for (fd = fd_head->next; fd != NULL((void*)0); fd = fd->next){
1093 new_key = g_slice_new(reassembled_key)((reassembled_key*) g_slice_alloc (sizeof (reassembled_key)));
1094 new_key->frame = fd->frame;
1095 new_key->id = id + fd->offset;
1096 reassembled_table_insert(table->reassembled_table, new_key, fd_head);
1097 }
1098 }
1099 fd_head->flags |= FD_DEFRAGMENTED0x0001;
1100 fd_head->reassembled_in = pinfo->num;
1101 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
1102}
1103
1104static void
1105LINK_FRAG(fragment_head *fd_head,fragment_item *fd)
1106{
1107 fragment_item *fd_i;
1108
1109 /* add fragment to list, keep list sorted */
1110 /* It is important that new fragments are added *after* any
1111 * fragments with the same offset (as currently done.) */
1112 if (fd_head->next == NULL((void*)0) || fd->offset < fd_head->next->offset) {
1113 /* New first fragment */
1114 fd->next = fd_head->next;
1115 fd_head->next = fd;
1116 } else {
1117 fd_i = fd_head->next;
1118 if (fd_head->first_gap != NULL((void*)0)) {
1119 if (fd->offset >= fd_head->first_gap->offset) {
1120 /* fragment is after first gap */
1121 fd_i = fd_head->first_gap;
1122 }
1123 }
1124 for(; fd_i->next; fd_i=fd_i->next) {
1125 if (fd->offset < fd_i->next->offset )
1126 break;
1127 }
1128 fd->next = fd_i->next;
1129 fd_i->next = fd;
1130 }
1131
1132 update_first_gap(fd_head, fd, false0);
1133}
1134
1135static void
1136MERGE_FRAG(fragment_head *fd_head, fragment_item *fd)
1137{
1138 fragment_item *fd_i, *tmp, *inserted = fd;
1139 bool_Bool multi_insert;
1140
1141 if (fd == NULL((void*)0)) return;
1142
1143 multi_insert = (fd->next != NULL((void*)0));
1144
1145 if (fd_head->next == NULL((void*)0)) {
1146 fd_head->next = fd;
1147 update_first_gap(fd_head, fd, multi_insert);
1148 return;
1149 }
1150
1151 if ((fd_head->first_gap != NULL((void*)0)) &&
1152 (fd->offset >= fd_head->first_gap->offset)) {
1153 /* all new fragments go after first gap */
1154 fd_i = fd_head->first_gap;
1155 } else {
1156 /* at least one new fragment goes before first gap */
1157 if (fd->offset < fd_head->next->offset) {
1158 /* inserted fragment is new head, "swap" the lists */
1159 tmp = fd_head->next;
1160 fd_head->next = fd;
1161 fd = tmp;
1162 }
1163 fd_i = fd_head->next;
1164 }
1165
1166 /* Traverse the list linked to fragment head ("main" list), checking if
1167 * fd pointer ("merge" list) should go before or after fd_i->next. Swap
1168 * fd_i->next ("main") and fd pointers ("merge") if "merge" list should
1169 * go before iterated element (fd_i). After the swap what formerly was
1170 * "merge" list essentially becomes part of "main" list (just detached
1171 * element, i.e. fd, is now head of new "merge list").
1172 */
1173 for(; fd_i->next; fd_i=fd_i->next) {
1174 if (fd->offset < fd_i->next->offset) {
1175 tmp = fd_i->next;
1176 fd_i->next = fd;
1177 fd = tmp;
1178 }
1179 }
1180 /* Reached "main" list end, attach remaining elements */
1181 fd_i->next = fd;
1182
1183 update_first_gap(fd_head, inserted, multi_insert);
1184}
1185
1186/*
1187 * This function adds a new fragment to the fragment hash table.
1188 * If this is the first fragment seen for this datagram, a new entry
1189 * is created in the hash table, otherwise this fragment is just added
1190 * to the linked list of fragments for this packet.
1191 * The list of fragments for a specific datagram is kept sorted for
1192 * easier handling.
1193 *
1194 * Returns a pointer to the head of the fragment data list if we have all the
1195 * fragments, NULL otherwise.
1196 *
1197 * This function assumes frag_offset being a byte offset into the defragment
1198 * packet.
1199 *
1200 * 01-2002
1201 * Once the fh is defragmented (= FD_DEFRAGMENTED set), it can be
1202 * extended using the FD_PARTIAL_REASSEMBLY flag. This flag should be set
1203 * using fragment_set_partial_reassembly() before calling fragment_add
1204 * with the new fragment. FD_TOOLONGFRAGMENT and FD_MULTIPLETAILS flags
1205 * are lowered when a new extension process is started.
1206 */
1207static bool_Bool
1208fragment_add_work(fragment_head *fd_head, tvbuff_t *tvb, const int offset,
1209 const packet_info *pinfo, const uint32_t frag_offset,
1210 const uint32_t frag_data_len, const bool_Bool more_frags,
1211 const uint32_t frag_frame, const bool_Bool allow_overlaps)
1212{
1213 fragment_item *fd;
1214 fragment_item *fd_i;
1215 uint32_t dfpos, fraglen, overlap;
1216 tvbuff_t *old_tvb_data;
1217 uint8_t *data;
1218
1219 /* create new fd describing this fragment */
1220 fd = new_fragment_item(frag_frame, frag_offset, frag_data_len);
1221
1222 /*
1223 * Are we adding to an already-completed reassembly?
1224 */
1225 if (fd_head->flags & FD_DEFRAGMENTED0x0001) {
9
Assuming the condition is false
10
Taking false branch
1226 /*
1227 * Yes. Does this fragment go past the end of the results
1228 * of that reassembly?
1229 */
1230 if (frag_offset + frag_data_len > fd_head->datalen) {
1231 /*
1232 * Yes. Have we been requested to continue reassembly?
1233 */
1234 if (fd_head->flags & FD_PARTIAL_REASSEMBLY0x0040) {
1235 /*
1236 * Yes. Set flag in already empty fds &
1237 * point old fds to malloc'ed data.
1238 */
1239 fragment_reset_defragmentation(fd_head);
1240 } else if (!allow_overlaps) {
1241 /*
1242 * No. Bail out since we have no idea what to
1243 * do with this fragment (and if we keep going
1244 * we'll run past the end of a buffer sooner
1245 * or later).
1246 */
1247 g_slice_free(fragment_item, fd)do { if (1) g_slice_free1 (sizeof (fragment_item), (fd)); else
(void) ((fragment_item*) 0 == (fd)); } while (0);
1248
1249 /*
1250 * This is an attempt to add a fragment to a
1251 * reassembly that had already completed.
1252 * If it had no error, we don't want to
1253 * mark it with an error, and if it had an
1254 * error, we don't want to overwrite it, so
1255 * we don't set fd_head->error.
1256 */
1257 if (frag_offset >= fd_head->datalen) {
1258 /*
1259 * The fragment starts past the end
1260 * of the reassembled data.
1261 */
1262 THROW_MESSAGE(ReassemblyError, "New fragment past old data limits")except_throw(1, (9), ("New fragment past old data limits"));
1263 } else {
1264 /*
1265 * The fragment starts before the end
1266 * of the reassembled data, but
1267 * runs past the end. That could
1268 * just be a retransmission with extra
1269 * data, but the calling dissector
1270 * didn't set FD_PARTIAL_REASSEMBLY
1271 * so it won't be handled correctly.
1272 *
1273 * XXX: We could set FD_TOOLONGFRAGMENT
1274 * below instead.
1275 */
1276 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)")except_throw(1, (9), ("New fragment overlaps old data (retransmission?)"
));
1277 }
1278 }
1279 } else {
1280 /*
1281 * No. That means it overlaps the completed reassembly.
1282 * This is probably a retransmission and normal
1283 * behavior. (If not, it's because the dissector
1284 * doesn't handle reused sequence numbers correctly,
1285 * e.g. #10503). Handle below.
1286 */
1287 }
1288 }
1289
1290 /* Do this after we may have bailed out (above) so that we don't leave
1291 * fd_head->frame in a bad state if we do */
1292 if (fd->frame > fd_head->frame)
11
Assuming 'fd->frame' is <= 'fd_head->frame'
12
Taking false branch
1293 fd_head->frame = fd->frame;
1294
1295 if (!more_frags) {
13
Assuming 'more_frags' is true
14
Taking false branch
1296 /*
1297 * This is the tail fragment in the sequence.
1298 */
1299 if (fd_head->flags & FD_DATALEN_SET0x0400) {
1300 /* ok we have already seen other tails for this packet
1301 * it might be a duplicate.
1302 */
1303 if (fd_head->datalen != (fd->offset + fd->len) ){
1304 /* Oops, this tail indicates a different packet
1305 * len than the previous ones. Something's wrong.
1306 */
1307 fd->flags |= FD_MULTIPLETAILS0x0008;
1308 fd_head->flags |= FD_MULTIPLETAILS0x0008;
1309 }
1310 } else {
1311 /* This was the first tail fragment; now we know
1312 * what the length of the packet should be.
1313 */
1314 fd_head->datalen = fd->offset + fd->len;
1315 fd_head->flags |= FD_DATALEN_SET0x0400;
1316 }
1317 }
1318
1319
1320
1321 /* If the packet is already defragmented, this MUST be an overlap.
1322 * The entire defragmented packet is in fd_head->data.
1323 * Even if we have previously defragmented this packet, we still
1324 * check it. Someone might play overlap and TTL games.
1325 */
1326 if (fd_head->flags & FD_DEFRAGMENTED0x0001) {
15
Taking false branch
1327 uint32_t end_offset = fd->offset + fd->len;
1328 fd->flags |= FD_OVERLAP0x0002|FD_DEFRAGMENTED0x0001;
1329 fd_head->flags |= FD_OVERLAP0x0002;
1330 /* make sure it's not too long */
1331 /* XXX: We probably don't call this, unlike the _seq()
1332 * functions, because we throw an exception above.
1333 */
1334 if (end_offset > fd_head->datalen || end_offset < fd->offset || end_offset < fd->len) {
1335 fd->flags |= FD_TOOLONGFRAGMENT0x0010;
1336 fd_head->flags |= FD_TOOLONGFRAGMENT0x0010;
1337 }
1338 /* make sure it doesn't conflict with previous data */
1339 else if ( tvb_memeql(fd_head->tvb_data, fd->offset,
1340 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
1341 fd->flags |= FD_OVERLAPCONFLICT0x0004;
1342 fd_head->flags |= FD_OVERLAPCONFLICT0x0004;
1343 }
1344 /* it was just an overlap, link it and return */
1345 LINK_FRAG(fd_head,fd);
1346 return true1;
1347 }
1348
1349
1350
1351 /* If we have reached this point, the packet is not defragmented yet.
1352 * Save all payload in a buffer until we can defragment.
1353 */
1354 if (!tvb_bytes_exist(tvb, offset, fd->len)) {
16
Assuming the condition is false
17
Taking false branch
1355 g_slice_free(fragment_item, fd)do { if (1) g_slice_free1 (sizeof (fragment_item), (fd)); else
(void) ((fragment_item*) 0 == (fd)); } while (0);
1356 THROW(BoundsError)except_throw(1, (1), ((void*)0));
1357 }
1358 fd->tvb_data = tvb_clone_offset_len(tvb, offset, fd->len);
1359 LINK_FRAG(fd_head,fd);
1360
1361
1362 if( !(fd_head->flags & FD_DATALEN_SET0x0400) ){
18
Assuming the condition is false
19
Taking false branch
1363 /* if we don't know the datalen, there are still missing
1364 * packets. Cheaper than the check below.
1365 */
1366 return false0;
1367 }
1368
1369 /* Check if we have received the entire fragment. */
1370 if (fd_head->contiguous_len < fd_head->datalen) {
20
Assuming field 'contiguous_len' is >= field 'datalen'
21
Taking false branch
1371 /*
1372 * The amount of contiguous data we have is less than the
1373 * amount of data we're trying to reassemble, so we haven't
1374 * received all packets yet.
1375 */
1376 return false0;
1377 }
1378
1379 /* we have received an entire packet, defragment it and
1380 * free all fragments
1381 */
1382 /* store old data just in case */
1383 old_tvb_data=fd_head->tvb_data;
1384 data = (uint8_t *) g_malloc(fd_head->datalen);
22
Memory is allocated
1385 fd_head->tvb_data = tvb_new_real_data(data, fd_head->datalen, fd_head->datalen);
1386 tvb_set_free_cb(fd_head->tvb_data, g_free);
1387
1388 dfpos = old_tvb_data ? tvb_captured_length(old_tvb_data) : 0;
23
Assuming 'old_tvb_data' is null
24
'?' condition is false
1389 if (dfpos
24.1
'dfpos' is 0
) {
25
Taking false branch
1390 memcpy(data, tvb_get_ptr(old_tvb_data, 0, dfpos), MIN(fd_head->datalen, dfpos)(((fd_head->datalen) < (dfpos)) ? (fd_head->datalen)
: (dfpos)));
1391 }
1392 /* add all data fragments that have not already been added, i.e.,
1393 * if the defragmentation was reset after partial reassembly,
1394 * but we have to check the previously added ones as well for
1395 * TOOLONGFRAGMENT as the datalen has changed. */
1396 for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
26
Loop condition is false. Execution jumps to the end of the function
1397 if (fd_i->len) {
1398 /*
1399 * The contiguous length check above also
1400 * ensures that the only gaps that exist here
1401 * are ones where a fragment starts past the
1402 * end of the reassembled datagram, and there's
1403 * a gap between the previous fragment and
1404 * that fragment.
1405 *
1406 * A "DESEGMENT_UNTIL_FIN" was involved wherein the
1407 * FIN packet had an offset less than the highest
1408 * fragment offset seen. [Seen from a fuzz-test:
1409 * bug #2470]).
1410 *
1411 * Note that the "overlap" compare must only be
1412 * done for fragments with (offset+len) <= fd_head->datalen
1413 * and thus within the newly g_malloc'd buffer.
1414 */
1415
1416 if (fd_i->offset >= fd_head->datalen) {
1417 /*
1418 * Fragment starts after the end
1419 * of the reassembled packet.
1420 *
1421 * This can happen if the length was
1422 * set after the offending fragment
1423 * was added to the reassembly.
1424 *
1425 * Flag this fragment, but don't
1426 * try to extract any data from
1427 * it, as there's no place to put
1428 * it.
1429 *
1430 * XXX - add different flag value
1431 * for this.
1432 */
1433 fd_i->flags |= FD_TOOLONGFRAGMENT0x0010;
1434 fd_head->flags |= FD_TOOLONGFRAGMENT0x0010;
1435 } else if (fd_i->offset + fd_i->len < fd_i->offset) {
1436 /* Integer overflow, unhandled by rest of
1437 * code so error out. This check handles
1438 * all possible remaining overflows.
1439 */
1440 fd_head->error = "offset + len < offset";
1441 } else {
1442 fraglen = fd_i->len;
1443 if (fd_i->offset + fraglen > fd_head->datalen) {
1444 /*
1445 * Fragment goes past the end
1446 * of the packet, as indicated
1447 * by the last fragment.
1448 *
1449 * This can happen if the
1450 * length was set after the
1451 * offending fragment was
1452 * added to the reassembly.
1453 *
1454 * Mark it as such, and only
1455 * copy from it what fits in
1456 * the packet.
1457 */
1458 fd_i->flags |= FD_TOOLONGFRAGMENT0x0010;
1459 fd_head->flags |= FD_TOOLONGFRAGMENT0x0010;
1460 fraglen = fd_head->datalen - fd_i->offset;
1461 }
1462 if (fd_i->flags & FD_DEFRAGMENTED0x0001) {
1463 /* If we already added the item the
1464 * previous time, we're done. */
1465 continue;
1466 }
1467 if (!fd_i->tvb_data) {
1468 /* We check this here because
1469 * previously added items now
1470 * have no data (not an error). */
1471 fd_head->error = "no data";
1472 continue;
1473 }
1474 overlap = 0;
1475 if (fd_i->offset < dfpos) {
1476 /* The new item's begins before the
1477 * existing end. How much overlap? */
1478 overlap = dfpos - fd_i->offset;
1479 /* duplicate/retransmission/overlap */
1480 uint32_t cmp_len = MIN(fd_i->len,overlap)(((fd_i->len) < (overlap)) ? (fd_i->len) : (overlap)
);
1481
1482 fd_i->flags |= FD_OVERLAP0x0002;
1483 fd_head->flags |= FD_OVERLAP0x0002;
1484 if ( memcmp(data + fd_i->offset,
1485 tvb_get_ptr(fd_i->tvb_data, 0, cmp_len),
1486 cmp_len)
1487 ) {
1488 fd_i->flags |= FD_OVERLAPCONFLICT0x0004;
1489 fd_head->flags |= FD_OVERLAPCONFLICT0x0004;
1490 }
1491 }
1492 /* XXX: As in the fragment_add_seq funcs
1493 * like fragment_defragment_and_free() the
1494 * existing behavior does not overwrite
1495 * overlapping bytes even if there is a
1496 * conflict. It only adds new bytes.
1497 *
1498 * Since we only add fragments to a reassembly
1499 * if the reassembly isn't complete, the most
1500 * common case for overlap conflicts is when
1501 * an earlier reassembly isn't fully contained
1502 * in the capture, and we've reused an
1503 * identification number / wrapped around
1504 * offset sequence numbers much later in the
1505 * capture. In that case, we probably *do*
1506 * want to overwrite conflicting bytes, since
1507 * the earlier fragments didn't form a complete
1508 * reassembly and should be effectively thrown
1509 * out rather than mixed with the new ones?
1510 */
1511 if (fd_i->offset + fraglen > dfpos) {
1512 memcpy(data+dfpos,
1513 tvb_get_ptr(fd_i->tvb_data, overlap, fraglen-overlap),
1514 fraglen-overlap);
1515 dfpos = fd_i->offset + fraglen;
1516 }
1517 }
1518 /* Mark that this fragment as used and clear data. */
1519 fd_i->flags |= FD_DEFRAGMENTED0x0001;
1520 fragment_item_free_tvb(fd_i);
1521 }
1522 }
1523
1524 if (old_tvb_data)
27
Potential leak of memory pointed to by 'data'
1525 tvb_add_to_chain(tvb, old_tvb_data);
1526 /* mark this packet as defragmented.
1527 allows us to skip any trailing fragments */
1528 fd_head->flags |= FD_DEFRAGMENTED0x0001;
1529 fd_head->reassembled_in=pinfo->num;
1530 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
1531
1532 /* we don't throw until here to avoid leaking old_data and others */
1533 if (fd_head->error) {
1534 THROW_MESSAGE(ReassemblyError, fd_head->error)except_throw(1, (9), (fd_head->error));
1535 }
1536
1537 return true1;
1538}
1539
1540static fragment_head *
1541fragment_add_common(reassembly_table *table, tvbuff_t *tvb, const int offset,
1542 const packet_info *pinfo, const uint32_t id,
1543 const void *data, const uint32_t frag_offset,
1544 const uint32_t frag_data_len, const bool_Bool more_frags,
1545 const bool_Bool check_already_added,
1546 const uint32_t frag_frame)
1547{
1548 fragment_head *fd_head;
1549 fragment_item *fd_item;
1550 bool_Bool already_added;
1551
1552
1553 /*
1554 * Dissector shouldn't give us garbage tvb info.
1555 *
1556 * XXX - should this code take responsibility for preventing
1557 * reassembly if data is missing due to the packets being
1558 * sliced, rather than leaving it up to dissectors?
1559 */
1560 DISSECTOR_ASSERT(tvb_bytes_exist(tvb, offset, frag_data_len))((void) ((tvb_bytes_exist(tvb, offset, frag_data_len)) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/reassemble.c", 1560, "tvb_bytes_exist(tvb, offset, frag_data_len)"
))));
1561
1562 fd_head = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
1563
1564#if 0
1565 /* debug output of associated fragments. */
1566 /* leave it here for future debugging sessions */
1567 if(strcmp(pinfo->current_proto, "DCERPC") == 0) {
1568 printf("proto:%s num:%u id:%u offset:%u len:%u more:%u visited:%u\n",
1569 pinfo->current_proto, pinfo->num, id, frag_offset, frag_data_len, more_frags, pinfo->fd->visited);
1570 if(fd_head != NULL((void*)0)) {
1571 for(fd_item=fd_head->next;fd_item;fd_item=fd_item->next){
1572 printf("fd_frame:%u fd_offset:%u len:%u datalen:%u\n",
1573 fd_item->frame, fd_item->offset, fd_item->len, fd_item->datalen);
1574 }
1575 }
1576 }
1577#endif
1578
1579 /*
1580 * Is this the first pass through the capture?
1581 */
1582 if (!pinfo->fd->visited) {
1583 /*
1584 * Yes, so we could be doing reassembly. If
1585 * "check_already_added" is true, and fd_head is non-null,
1586 * meaning that this fragment would be added to an
1587 * in-progress reassembly, check if we have seen this
1588 * fragment before, i.e., if we have already added it to
1589 * that reassembly. That can be true even on the first pass
1590 * since we sometimes might call a subdissector multiple
1591 * times.
1592 *
1593 * We check both the frame number and the fragment offset,
1594 * so that we support multiple fragments from the same
1595 * frame being added to the same reassembled PDU.
1596 */
1597 if (check_already_added && fd_head != NULL((void*)0)) {
1598 /*
1599 * fd_head->frame is the maximum of the frame
1600 * numbers of all the fragments added to this
1601 * reassembly; if this frame is later than that
1602 * frame, we know it hasn't been added yet.
1603 */
1604 if (frag_frame <= fd_head->frame) {
1605 already_added = false0;
1606 /*
1607 * The first item in the reassembly list
1608 * is not a fragment, it's a data structure
1609 * for the reassembled packet, so we
1610 * start checking with the next item.
1611 */
1612 for (fd_item = fd_head->next; fd_item;
1613 fd_item = fd_item->next) {
1614 if (frag_frame == fd_item->frame &&
1615 frag_offset == fd_item->offset) {
1616 already_added = true1;
1617 break;
1618 }
1619 }
1620 if (already_added) {
1621 /*
1622 * Have we already finished
1623 * reassembling?
1624 */
1625 if (fd_head->flags & FD_DEFRAGMENTED0x0001) {
1626 /*
1627 * Yes.
1628 * XXX - can this ever happen?
1629 */
1630 THROW_MESSAGE(ReassemblyError,except_throw(1, (9), ("Frame already added in first pass"))
1631 "Frame already added in first pass")except_throw(1, (9), ("Frame already added in first pass"));
1632 } else {
1633 /*
1634 * No.
1635 */
1636 return NULL((void*)0);
1637 }
1638 }
1639 }
1640 }
1641 } else {
1642 /*
1643 * No, so we've already done all the reassembly and added
1644 * all the fragments. Do we have a reassembly and, if so,
1645 * have we finished reassembling?
1646 */
1647 if (fd_head != NULL((void*)0) && fd_head->flags & FD_DEFRAGMENTED0x0001) {
1648 /*
1649 * Yes. This is probably being done after the
1650 * first pass, and we've already done the work
1651 * on the first pass.
1652 *
1653 * If the reassembly got a fatal error, throw that
1654 * error again.
1655 */
1656 if (fd_head->error)
1657 THROW_MESSAGE(ReassemblyError, fd_head->error)except_throw(1, (9), (fd_head->error));
1658
1659 /*
1660 * Is it later in the capture than all of the
1661 * fragments in the reassembly?
1662 */
1663 if (frag_frame > fd_head->frame) {
1664 /*
1665 * Yes, so report this as a problem,
1666 * possibly a retransmission.
1667 */
1668 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)")except_throw(1, (9), ("New fragment overlaps old data (retransmission?)"
));
1669 }
1670
1671 /*
1672 * Does this fragment go past the end of the
1673 * results of that reassembly?
1674 */
1675 if (frag_offset + frag_data_len > fd_head->datalen) {
1676 /*
1677 * Yes.
1678 */
1679 if (frag_offset >= fd_head->datalen) {
1680 /*
1681 * The fragment starts past the
1682 * end of the reassembled data.
1683 */
1684 THROW_MESSAGE(ReassemblyError, "New fragment past old data limits")except_throw(1, (9), ("New fragment past old data limits"));
1685 } else {
1686 /*
1687 * The fragment starts before the end
1688 * of the reassembled data, but
1689 * runs past the end. That could
1690 * just be a retransmission.
1691 */
1692 THROW_MESSAGE(ReassemblyError, "New fragment overlaps old data (retransmission?)")except_throw(1, (9), ("New fragment overlaps old data (retransmission?)"
));
1693 }
1694 }
1695
1696 return fd_head;
1697 } else {
1698 /*
1699 * No.
1700 */
1701 return NULL((void*)0);
1702 }
1703 }
1704
1705 if (fd_head==NULL((void*)0)){
1706 /* not found, this must be the first snooped fragment for this
1707 * packet. Create list-head.
1708 */
1709 fd_head = new_head(0);
1710
1711 /*
1712 * Insert it into the hash table.
1713 */
1714 insert_fd_head(table, fd_head, pinfo, id, data);
1715 }
1716
1717 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
1718 frag_data_len, more_frags, frag_frame, false0)) {
1719 /*
1720 * Reassembly is complete.
1721 */
1722 return fd_head;
1723 } else {
1724 /*
1725 * Reassembly isn't complete.
1726 */
1727 return NULL((void*)0);
1728 }
1729}
1730
1731fragment_head *
1732fragment_add(reassembly_table *table, tvbuff_t *tvb, const int offset,
1733 const packet_info *pinfo, const uint32_t id, const void *data,
1734 const uint32_t frag_offset, const uint32_t frag_data_len,
1735 const bool_Bool more_frags)
1736{
1737 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1738 frag_offset, frag_data_len, more_frags, true1, pinfo->num);
1739}
1740
1741/*
1742 * For use when you can have multiple fragments in the same frame added
1743 * to the same reassembled PDU, e.g. with ONC RPC-over-TCP.
1744 */
1745fragment_head *
1746fragment_add_multiple_ok(reassembly_table *table, tvbuff_t *tvb,
1747 const int offset, const packet_info *pinfo,
1748 const uint32_t id, const void *data,
1749 const uint32_t frag_offset,
1750 const uint32_t frag_data_len, const bool_Bool more_frags)
1751{
1752 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1753 frag_offset, frag_data_len, more_frags, false0, pinfo->num);
1754}
1755
1756/*
1757 * For use in protocols like TCP when you are adding an out of order segment
1758 * that arrived in an earlier frame because the correct fragment id could not
1759 * be determined until later. By allowing fd->frame to be different than
1760 * pinfo->num, show_fragment_tree will display the correct fragment numbers.
1761 *
1762 * Note that pinfo is still used to set reassembled_in if we have all the
1763 * fragments, so that results on subsequent passes can be the same as the
1764 * first pass.
1765 */
1766fragment_head *
1767fragment_add_out_of_order(reassembly_table *table, tvbuff_t *tvb,
1768 const int offset, const packet_info *pinfo,
1769 const uint32_t id, const void *data,
1770 const uint32_t frag_offset,
1771 const uint32_t frag_data_len,
1772 const bool_Bool more_frags, const uint32_t frag_frame)
1773{
1774 return fragment_add_common(table, tvb, offset, pinfo, id, data,
1775 frag_offset, frag_data_len, more_frags, true1, frag_frame);
1776}
1777
1778fragment_head *
1779fragment_add_check_with_fallback(reassembly_table *table, tvbuff_t *tvb, const int offset,
1780 const packet_info *pinfo, const uint32_t id,
1781 const void *data, const uint32_t frag_offset,
1782 const uint32_t frag_data_len, const bool_Bool more_frags,
1783 const uint32_t fallback_frame)
1784{
1785 reassembled_key reass_key;
1786 fragment_head *fd_head;
1787 void *orig_key;
1788 bool_Bool late_retransmission = false0;
1789
1790 /*
1791 * If this isn't the first pass, look for this frame in the table
1792 * of reassembled packets.
1793 */
1794 if (pinfo->fd->visited) {
2
Assuming field 'visited' is 0
3
Taking false branch
1795 reass_key.frame = pinfo->num;
1796 reass_key.id = id;
1797 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
1798 }
1799
1800 /* Looks up a key in the GHashTable, returning the original key and the associated value
1801 * and a bool which is true if the key was found. This is useful if you need to free
1802 * the memory allocated for the original key, for example before calling g_hash_table_remove()
1803 */
1804 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
1805 if ((fd_head == NULL((void*)0)) && (fallback_frame != pinfo->num)) {
4
Assuming 'fd_head' is not equal to NULL
1806 /* Check if there is completed reassembly reachable from fallback frame */
1807 reass_key.frame = fallback_frame;
1808 reass_key.id = id;
1809 fd_head = (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
1810 if (fd_head != NULL((void*)0)) {
1811 /* Found completely reassembled packet, hash it with current frame number */
1812 reassembled_key *new_key = g_slice_new(reassembled_key)((reassembled_key*) g_slice_alloc (sizeof (reassembled_key)));
1813 new_key->frame = pinfo->num;
1814 new_key->id = id;
1815 reassembled_table_insert(table->reassembled_table, new_key, fd_head);
1816 late_retransmission = true1;
1817 }
1818 }
1819 if (fd_head
4.1
'fd_head' is not equal to NULL
 == NULL((void*)0)) {
5
Taking false branch
1820 /* not found, this must be the first snooped fragment for this
1821 * packet. Create list-head.
1822 */
1823 fd_head = new_head(0);
1824
1825 /*
1826 * Save the key, for unhashing it later.
1827 */
1828 orig_key = insert_fd_head(table, fd_head, pinfo, id, data);
1829 }
1830
1831 /*
1832 * If this is a short frame, then we can't, and don't, do
1833 * reassembly on it. We just give up.
1834 */
1835 if (!tvb_bytes_exist(tvb, offset, frag_data_len)) {
6
Assuming the condition is false
7
Taking false branch
1836 return NULL((void*)0);
1837 }
1838
1839 if (fragment_add_work(fd_head, tvb, offset, pinfo, frag_offset,
8
Calling 'fragment_add_work'
1840 frag_data_len, more_frags, pinfo->num, late_retransmission)) {
1841 /* Nothing left to do if it was a late retransmission */
1842 if (late_retransmission) {
1843 return fd_head;
1844 }
1845 /*
1846 * Reassembly is complete.
1847 * Remove this from the table of in-progress
1848 * reassemblies, add it to the table of
1849 * reassembled packets, and return it.
1850 */
1851
1852 /*
1853 * Remove this from the table of in-progress reassemblies,
1854 * and free up any memory used for it in that table.
1855 */
1856 fragment_unhash(table, orig_key);
1857
1858 /*
1859 * Add this item to the table of reassembled packets.
1860 */
1861 fragment_reassembled(table, fd_head, pinfo, id);
1862 return fd_head;
1863 } else {
1864 /*
1865 * Reassembly isn't complete.
1866 */
1867 return NULL((void*)0);
1868 }
1869}
1870
1871fragment_head *
1872fragment_add_check(reassembly_table *table, tvbuff_t *tvb, const int offset,
1873 const packet_info *pinfo, const uint32_t id,
1874 const void *data, const uint32_t frag_offset,
1875 const uint32_t frag_data_len, const bool_Bool more_frags)
1876{
1877 return fragment_add_check_with_fallback(table, tvb, offset, pinfo, id, data,
1
Calling 'fragment_add_check_with_fallback'
1878 frag_offset, frag_data_len, more_frags, pinfo->num);
1879}
1880
1881static void
1882fragment_defragment_and_free (fragment_head *fd_head, const packet_info *pinfo)
1883{
1884 fragment_item *fd_i = NULL((void*)0);
1885 fragment_item *last_fd = NULL((void*)0);
1886 uint32_t dfpos = 0, old_dfpos = 0, size = 0;
1887 tvbuff_t *old_tvb_data = NULL((void*)0);
1888 uint8_t *data;
1889
1890 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
1891 if(!last_fd || last_fd->offset!=fd_i->offset){
1892 size+=fd_i->len;
1893 }
1894 last_fd=fd_i;
1895 }
1896
1897 /* store old data in case the fd_i->data pointers refer to it */
1898 old_tvb_data=fd_head->tvb_data;
1899 data = (uint8_t *) g_malloc(size);
1900 fd_head->tvb_data = tvb_new_real_data(data, size, size);
1901 tvb_set_free_cb(fd_head->tvb_data, g_free);
1902 fd_head->len = size; /* record size for caller */
1903
1904 if (old_tvb_data) {
1905 dfpos = tvb_captured_length(old_tvb_data);
1906 memcpy(data, tvb_get_ptr(old_tvb_data, 0, dfpos), MIN(size, dfpos)(((size) < (dfpos)) ? (size) : (dfpos)));
1907 }
1908
1909 /* add all data fragments */
1910 last_fd=NULL((void*)0);
1911 dfpos = 0;
1912 for (fd_i=fd_head->next; fd_i; fd_i=fd_i->next) {
1913 if (fd_i->len) {
1914 if(!last_fd || last_fd->offset != fd_i->offset) {
1915 /* First fragment or in-sequence fragment */
1916 if (!(fd_i->flags & FD_DEFRAGMENTED0x0001)) {
1917 /* Already copied on the first pass */
1918 memcpy(data+dfpos, tvb_get_ptr(fd_i->tvb_data, 0, fd_i->len), fd_i->len);
1919 }
1920 /* But we need the position for overlap calculation of new fragments */
1921 old_dfpos = dfpos;
1922 dfpos += fd_i->len;
1923 } else if (!(fd_i->flags & FD_DEFRAGMENTED0x0001)){
1924 /* duplicate/retransmission/overlap */
1925 /* Note that overlaps of old fragments were already calculated. */
1926 fd_i->flags |= FD_OVERLAP0x0002;
1927 fd_head->flags |= FD_OVERLAP0x0002;
1928 if(last_fd->len != fd_i->len || (old_dfpos + fd_i->len > size)
1929 || tvb_memeql(fd_i->tvb_data, 0, data+old_dfpos, fd_i->len) ) {
1930 fd_i->flags |= FD_OVERLAPCONFLICT0x0004;
1931 fd_head->flags |= FD_OVERLAPCONFLICT0x0004;
1932 }
1933 }
1934 fragment_item_free_tvb(fd_i);
1935 fd_i->flags |= FD_DEFRAGMENTED0x0001;
1936 }
1937 last_fd=fd_i;
1938 }
1939
1940 if (old_tvb_data)
1941 tvb_free(old_tvb_data);
1942
1943 /* mark this packet as defragmented.
1944 * allows us to skip any trailing fragments.
1945 */
1946 fd_head->flags |= FD_DEFRAGMENTED0x0001;
1947 fd_head->reassembled_in=pinfo->num;
1948 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
1949}
1950
1951/*
1952 * This function adds a new fragment to the entry for a reassembly
1953 * operation.
1954 *
1955 * The list of fragments for a specific datagram is kept sorted for
1956 * easier handling.
1957 *
1958 * Returns true if we have all the fragments, false otherwise.
1959 *
1960 * This function assumes frag_number being a block sequence number.
1961 * The bsn for the first block is 0.
1962 */
1963static bool_Bool
1964fragment_add_seq_work(fragment_head *fd_head, tvbuff_t *tvb, const int offset,
1965 const packet_info *pinfo, const uint32_t frag_number,
1966 const uint32_t frag_data_len, const bool_Bool more_frags)
1967{
1968 fragment_item *fd;
1969 fragment_item *fd_i;
1970 fragment_item *last_fd;
1971 uint32_t max, dfpos;
1972 uint32_t frag_number_work;
1973
1974 /* Enables the use of fragment sequence numbers, which do not start with 0 */
1975 frag_number_work = frag_number;
1976 if ( fd_head->fragment_nr_offset != 0 )
1977 if ( frag_number_work >= fd_head->fragment_nr_offset )
1978 frag_number_work = frag_number - fd_head->fragment_nr_offset;
1979
1980 /* if the partial reassembly flag has been set, and we are extending
1981 * the pdu, un-reassemble the pdu. This means pointing old fds to malloc'ed data.
1982 */
1983 if(fd_head->flags & FD_DEFRAGMENTED0x0001 && frag_number_work >= fd_head->datalen &&
1984 fd_head->flags & FD_PARTIAL_REASSEMBLY0x0040){
1985
1986 fragment_reset_defragmentation(fd_head);
1987 }
1988
1989
1990 /* create new fd describing this fragment */
1991 fd = new_fragment_item(pinfo->num, frag_number_work, frag_data_len);
1992
1993 /* fd_head->frame is the maximum of the frame numbers of all the
1994 * fragments added to the reassembly. */
1995 if (fd->frame > fd_head->frame)
1996 fd_head->frame = fd->frame;
1997
1998 if (!more_frags) {
1999 /*
2000 * This is the tail fragment in the sequence.
2001 */
2002 if (fd_head->flags&FD_DATALEN_SET0x0400) {
2003 /* ok we have already seen other tails for this packet
2004 * it might be a duplicate.
2005 */
2006 if (fd_head->datalen != fd->offset ){
2007 /* Oops, this tail indicates a different packet
2008 * len than the previous ones. Something's wrong.
2009 */
2010 fd->flags |= FD_MULTIPLETAILS0x0008;
2011 fd_head->flags |= FD_MULTIPLETAILS0x0008;
2012 }
2013 } else {
2014 /* this was the first tail fragment, now we know the
2015 * sequence number of that fragment (which is NOT
2016 * the length of the packet!)
2017 */
2018 fd_head->datalen = fd->offset;
2019 fd_head->flags |= FD_DATALEN_SET0x0400;
2020 }
2021 }
2022
2023 /* If the packet is already defragmented, this MUST be an overlap.
2024 * The entire defragmented packet is in fd_head->data
2025 * Even if we have previously defragmented this packet, we still check
2026 * check it. Someone might play overlap and TTL games.
2027 */
2028 if (fd_head->flags & FD_DEFRAGMENTED0x0001) {
2029 fd->flags |= FD_OVERLAP0x0002|FD_DEFRAGMENTED0x0001;
2030 fd_head->flags |= FD_OVERLAP0x0002;
2031
2032 /* make sure it's not past the end */
2033 if (fd->offset > fd_head->datalen) {
2034 /* new fragment comes after the end */
2035 fd->flags |= FD_TOOLONGFRAGMENT0x0010;
2036 fd_head->flags |= FD_TOOLONGFRAGMENT0x0010;
2037 LINK_FRAG(fd_head,fd);
2038 return true1;
2039 }
2040 /* make sure it doesn't conflict with previous data */
2041 dfpos=0;
2042 last_fd=NULL((void*)0);
2043 for (fd_i=fd_head->next;fd_i && (fd_i->offset!=fd->offset);fd_i=fd_i->next) {
2044 if (!last_fd || last_fd->offset!=fd_i->offset){
2045 dfpos += fd_i->len;
2046 }
2047 last_fd=fd_i;
2048 }
2049 if(fd_i){
2050 /* new fragment overlaps existing fragment */
2051 if(fd_i->len!=fd->len){
2052 /*
2053 * They have different lengths; this
2054 * is definitely a conflict.
2055 */
2056 fd->flags |= FD_OVERLAPCONFLICT0x0004;
2057 fd_head->flags |= FD_OVERLAPCONFLICT0x0004;
2058 LINK_FRAG(fd_head,fd);
2059 return true1;
2060 }
2061 DISSECTOR_ASSERT(fd_head->len >= dfpos + fd->len)((void) ((fd_head->len >= dfpos + fd->len) ? (void)0
: (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/reassemble.c", 2061, "fd_head->len >= dfpos + fd->len"
))));
2062 if (tvb_memeql(fd_head->tvb_data, dfpos,
2063 tvb_get_ptr(tvb,offset,fd->len),fd->len) ){
2064 /*
2065 * They have the same length, but the
2066 * data isn't the same.
2067 */
2068 fd->flags |= FD_OVERLAPCONFLICT0x0004;
2069 fd_head->flags |= FD_OVERLAPCONFLICT0x0004;
2070 LINK_FRAG(fd_head,fd);
2071 return true1;
2072 }
2073 /* it was just an overlap, link it and return */
2074 LINK_FRAG(fd_head,fd);
2075 return true1;
2076 } else {
2077 /*
2078 * New fragment doesn't overlap an existing
2079 * fragment - there was presumably a gap in
2080 * the sequence number space.
2081 *
2082 * XXX - what should we do here? Is it always
2083 * the case that there are no gaps, or are there
2084 * protcols using sequence numbers where there
2085 * can be gaps?
2086 *
2087 * If the former, the check below for having
2088 * received all the fragments should check for
2089 * holes in the sequence number space and for the
2090 * first sequence number being 0. If we do that,
2091 * the only way we can get here is if this fragment
2092 * is past the end of the sequence number space -
2093 * but the check for "fd->offset > fd_head->datalen"
2094 * would have caught that above, so it can't happen.
2095 *
2096 * If the latter, we don't have a good way of
2097 * knowing whether reassembly is complete if we
2098 * get packet out of order such that the "last"
2099 * fragment doesn't show up last - but, unless
2100 * in-order reliable delivery of fragments is
2101 * guaranteed, an implementation of the protocol
2102 * has no way of knowing whether reassembly is
2103 * complete, either.
2104 *
2105 * For now, we just link the fragment in and
2106 * return.
2107 */
2108 LINK_FRAG(fd_head,fd);
2109 return true1;
2110 }
2111 }
2112
2113 /* If we have reached this point, the packet is not defragmented yet.
2114 * Save all payload in a buffer until we can defragment.
2115 */
2116 /* check len, there may be a fragment with 0 len, that is actually the tail */
2117 if (fd->len) {
2118 if (!tvb_bytes_exist(tvb, offset, fd->len)) {
2119 /* abort if we didn't capture the entire fragment due
2120 * to a too-short snapshot length */
2121 g_slice_free(fragment_item, fd)do { if (1) g_slice_free1 (sizeof (fragment_item), (fd)); else
(void) ((fragment_item*) 0 == (fd)); } while (0);
2122 return false0;
2123 }
2124
2125 fd->tvb_data = tvb_clone_offset_len(tvb, offset, fd->len);
2126 }
2127 LINK_FRAG(fd_head,fd);
2128
2129
2130 if( !(fd_head->flags & FD_DATALEN_SET0x0400) ){
2131 /* if we don't know the sequence number of the last fragment,
2132 * there are definitely still missing packets. Cheaper than
2133 * the check below.
2134 */
2135 return false0;
2136 }
2137
2138
2139 /* check if we have received the entire fragment
2140 * this is easy since the list is sorted and the head is faked.
2141 * common case the whole list is scanned.
2142 */
2143 max = 0;
2144 for(fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
2145 if ( fd_i->offset==max ){
2146 max++;
2147 }
2148 }
2149 /* max will now be datalen+1 if all fragments have been seen */
2150
2151 if (max <= fd_head->datalen) {
2152 /* we have not received all packets yet */
2153 return false0;
2154 }
2155
2156
2157 if (max > (fd_head->datalen+1)) {
2158 /* oops, too long fragment detected */
2159 fd->flags |= FD_TOOLONGFRAGMENT0x0010;
2160 fd_head->flags |= FD_TOOLONGFRAGMENT0x0010;
2161 }
2162
2163
2164 /* we have received an entire packet, defragment it and
2165 * free all fragments
2166 */
2167 fragment_defragment_and_free(fd_head, pinfo);
2168
2169 return true1;
2170}
2171
2172/*
2173 * This function adds a new fragment to the fragment hash table.
2174 * If this is the first fragment seen for this datagram, a new entry
2175 * is created in the hash table, otherwise this fragment is just added
2176 * to the linked list of fragments for this packet.
2177 *
2178 * Returns a pointer to the head of the fragment data list if we have all the
2179 * fragments, NULL otherwise.
2180 *
2181 * This function assumes frag_number being a block sequence number.
2182 * The bsn for the first block is 0.
2183 */
2184static fragment_head *
2185fragment_add_seq_common(reassembly_table *table, tvbuff_t *tvb,
2186 const int offset, const packet_info *pinfo,
2187 const uint32_t id, const void *data,
2188 uint32_t frag_number, const uint32_t frag_data_len,
2189 const bool_Bool more_frags, const uint32_t flags,
2190 void * *orig_keyp)
2191{
2192 fragment_head *fd_head;
2193 void *orig_key;
2194
2195 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
2196
2197 /* have we already seen this frame ?*/
2198 if (pinfo->fd->visited) {
2199 if (fd_head != NULL((void*)0) && fd_head->flags & FD_DEFRAGMENTED0x0001) {
2200 if (orig_keyp != NULL((void*)0))
2201 *orig_keyp = orig_key;
2202 return fd_head;
2203 } else {
2204 return NULL((void*)0);
2205 }
2206 }
2207
2208 if (fd_head==NULL((void*)0)){
2209 /* not found, this must be the first snooped fragment for this
2210 * packet. Create list-head.
2211 */
2212 fd_head = new_head(FD_BLOCKSEQUENCE0x0100);
2213
2214 if((flags & (REASSEMBLE_FLAGS_NO_FRAG_NUMBER0x0001|REASSEMBLE_FLAGS_802_11_HACK0x0002))
2215 && !more_frags) {
2216 /*
2217 * This is the last fragment for this packet, and
2218 * is the only one we've seen.
2219 *
2220 * Either we don't have sequence numbers, in which
2221 * case we assume this is the first fragment for
2222 * this packet, or we're doing special 802.11
2223 * processing, in which case we assume it's one
2224 * of those reassembled packets with a non-zero
2225 * fragment number (see packet-80211.c); just
2226 * return a pointer to the head of the list;
2227 * fragment_add_seq_check will then add it to the table
2228 * of reassembled packets.
2229 */
2230 if (orig_keyp != NULL((void*)0))
2231 *orig_keyp = NULL((void*)0);
2232 /* To save memory, we don't actually copy the
2233 * fragment from the tvbuff to the fragment, and in
2234 * process_reassembled_data just return back a subset
2235 * of the original tvbuff (which must be passed in).
2236 */
2237 fd_head->len = frag_data_len;
2238 fd_head->reassembled_in=pinfo->num;
2239 fd_head->reas_in_layer_num = pinfo->curr_layer_num;
2240 return fd_head;
2241 }
2242
2243 orig_key = insert_fd_head(table, fd_head, pinfo, id, data);
2244 if (orig_keyp != NULL((void*)0))
2245 *orig_keyp = orig_key;
2246
2247 /*
2248 * If we weren't given an initial fragment number,
2249 * make it 0.
2250 */
2251 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER0x0001)
2252 frag_number = 0;
2253 } else {
2254 if (orig_keyp != NULL((void*)0))
2255 *orig_keyp = orig_key;
2256
2257 if (flags & REASSEMBLE_FLAGS_NO_FRAG_NUMBER0x0001) {
2258 fragment_item *fd;
2259 /*
2260 * If we weren't given an initial fragment number,
2261 * use the next expected fragment number as the fragment
2262 * number for this fragment.
2263 */
2264 for (fd = fd_head->next; fd != NULL((void*)0); fd = fd->next) {
2265 if (fd->next == NULL((void*)0))
2266 frag_number = fd->offset + 1;
2267 }
2268 }
2269 }
2270
2271 if (fragment_add_seq_work(fd_head, tvb, offset, pinfo,
2272 frag_number, frag_data_len, more_frags)) {
2273 /*
2274 * Reassembly is complete.
2275 */
2276 return fd_head;
2277 } else {
2278 /*
2279 * Reassembly isn't complete.
2280 */
2281 return NULL((void*)0);
2282 }
2283}
2284
2285fragment_head *
2286fragment_add_seq(reassembly_table *table, tvbuff_t *tvb, const int offset,
2287 const packet_info *pinfo, const uint32_t id, const void *data,
2288 const uint32_t frag_number, const uint32_t frag_data_len,
2289 const bool_Bool more_frags, const uint32_t flags)
2290{
2291 return fragment_add_seq_common(table, tvb, offset, pinfo, id, data,
2292 frag_number, frag_data_len,
2293 more_frags, flags, NULL((void*)0));
2294}
2295
2296/*
2297 * This does the work for "fragment_add_seq_check()" and
2298 * "fragment_add_seq_next()".
2299 *
2300 * This function assumes frag_number being a block sequence number.
2301 * The bsn for the first block is 0.
2302 *
2303 * If REASSEMBLE_FLAGS_NO_FRAG_NUMBER, it uses the next expected fragment number
2304 * as the fragment number if there is a reassembly in progress, otherwise
2305 * it uses 0.
2306 *
2307 * If not REASSEMBLE_FLAGS_NO_FRAG_NUMBER, it uses the "frag_number" argument as
2308 * the fragment number.
2309 *
2310 * If this is the first fragment seen for this datagram, a new
2311 * "fragment_head" structure is allocated to refer to the reassembled
2312 * packet.
2313 *
2314 * This fragment is added to the linked list of fragments for this packet.
2315 *
2316 * If "more_frags" is false and REASSEMBLE_FLAGS_802_11_HACK (as the name
2317 * implies, a special hack for 802.11) or REASSEMBLE_FLAGS_NO_FRAG_NUMBER
2318 * (implying messages must be in order since there's no sequence number) are
2319 * set in "flags", then this (one element) list is returned.
2320 *
2321 * If, after processing this fragment, we have all the fragments,
2322 * "fragment_add_seq_check_work()" removes that from the fragment hash
2323 * table if necessary and adds it to the table of reassembled fragments,
2324 * and returns a pointer to the head of the fragment list.
2325 *
2326 * Otherwise, it returns NULL.
2327 *
2328 * XXX - Should we simply return NULL for zero-length fragments?
2329 */
2330static fragment_head *
2331fragment_add_seq_check_work(reassembly_table *table, tvbuff_t *tvb,
2332 const int offset, const packet_info *pinfo,
2333 const uint32_t id, const void *data,
2334 const uint32_t frag_number,
2335 const uint32_t frag_data_len,
2336 const bool_Bool more_frags, const uint32_t flags)
2337{
2338 reassembled_key reass_key;
2339 fragment_head *fd_head;
2340 void *orig_key;
2341
2342 /*
2343 * Have we already seen this frame?
2344 * If so, look for it in the table of reassembled packets.
2345 */
2346 if (pinfo->fd->visited) {
2347 reass_key.frame = pinfo->num;
2348 reass_key.id = id;
2349 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
2350 }
2351
2352 fd_head = fragment_add_seq_common(table, tvb, offset, pinfo, id, data,
2353 frag_number, frag_data_len,
2354 more_frags,
2355 flags,
2356 &orig_key);
2357 if (fd_head) {
2358 /*
2359 * Reassembly is complete.
2360 *
2361 * If this is in the table of in-progress reassemblies,
2362 * remove it from that table. (It could be that this
2363 * was the first and last fragment, so that no
2364 * reassembly was done.)
2365 */
2366 if (orig_key != NULL((void*)0))
2367 fragment_unhash(table, orig_key);
2368
2369 /*
2370 * Add this item to the table of reassembled packets.
2371 */
2372 fragment_reassembled(table, fd_head, pinfo, id);
2373 return fd_head;
2374 } else {
2375 /*
2376 * Reassembly isn't complete.
2377 */
2378 return NULL((void*)0);
2379 }
2380}
2381
2382fragment_head *
2383fragment_add_seq_check(reassembly_table *table, tvbuff_t *tvb, const int offset,
2384 const packet_info *pinfo, const uint32_t id,
2385 const void *data,
2386 const uint32_t frag_number, const uint32_t frag_data_len,
2387 const bool_Bool more_frags)
2388{
2389 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2390 frag_number, frag_data_len,
2391 more_frags, 0);
2392}
2393
2394fragment_head *
2395fragment_add_seq_802_11(reassembly_table *table, tvbuff_t *tvb,
2396 const int offset, const packet_info *pinfo,
2397 const uint32_t id, const void *data,
2398 const uint32_t frag_number, const uint32_t frag_data_len,
2399 const bool_Bool more_frags)
2400{
2401 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2402 frag_number, frag_data_len,
2403 more_frags,
2404 REASSEMBLE_FLAGS_802_11_HACK0x0002);
2405}
2406
2407fragment_head *
2408fragment_add_seq_next(reassembly_table *table, tvbuff_t *tvb, const int offset,
2409 const packet_info *pinfo, const uint32_t id,
2410 const void *data, const uint32_t frag_data_len,
2411 const bool_Bool more_frags)
2412{
2413 /* Use a dummy frag_number (0), it is ignored since
2414 * REASSEMBLE_FLAGS_NO_FRAG_NUMBER is set. */
2415 return fragment_add_seq_check_work(table, tvb, offset, pinfo, id, data,
2416 0, frag_data_len, more_frags,
2417 REASSEMBLE_FLAGS_NO_FRAG_NUMBER0x0001);
2418}
2419
2420static void
2421fragment_add_seq_single_move(reassembly_table *table, const packet_info *pinfo,
2422 const uint32_t id, const void *data,
2423 const uint32_t offset)
2424{
2425 fragment_head *fh, *new_fh;
2426 fragment_item *fd, *prev_fd;
2427 tvbuff_t *old_tvb_data;
2428 if (offset == 0) {
2429 return;
2430 }
2431 fh = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
2432 if (fh == NULL((void*)0)) {
2433 /* Shouldn't be called this way.
2434 * Probably wouldn't hurt to just create fh in this case. */
2435 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/reassemble.c", 2435
, __func__, "assertion \"not reached\" failed");
2436 return;
2437 }
2438 if (fh->flags & FD_DATALEN_SET0x0400 && fh->datalen <= offset) {
2439 /* Don't take from past the end. <= because we don't
2440 * want to take a First fragment from the next one
2441 * either */
2442 return;
2443 }
2444 new_fh = lookup_fd_head(table, pinfo, id+offset, data, NULL((void*)0));
2445 if (new_fh != NULL((void*)0)) {
2446 /* Attach to the end of the sorted list. */
2447 prev_fd = NULL((void*)0);
2448 for(fd = fh->next; fd != NULL((void*)0); fd=fd->next) {
2449 prev_fd = fd;
2450 }
2451 /* Don't take a reassembly starting with a First fragment. */
2452 fd = new_fh->next;
2453 if (fd && fd->offset != 0) {
2454 fragment_item *inserted = fd;
2455 bool_Bool multi_insert = (inserted->next != NULL((void*)0));
2456 if (prev_fd) {
2457 prev_fd->next = fd;
2458 } else {
2459 fh->next = fd;
2460 }
2461 for (; fd; fd=fd->next) {
2462 fd->offset += offset;
2463 if (fh->frame < fd->frame) {
2464 fh->frame = fd->frame;
2465 }
2466 }
2467 update_first_gap(fh, inserted, multi_insert);
2468 /* If previously found a Last fragment,
2469 * transfer that info to the new one. */
2470 if (new_fh->flags & FD_DATALEN_SET0x0400) {
2471 fh->flags |= FD_DATALEN_SET0x0400;
2472 fh->datalen = new_fh->datalen + offset;
2473 }
2474 /* Now remove and delete */
2475 new_fh->next = NULL((void*)0);
2476 old_tvb_data = fragment_delete(table, pinfo, id+offset, data);
2477 if (old_tvb_data)
2478 tvb_free(old_tvb_data);
2479 }
2480 }
2481}
2482
2483static fragment_head *
2484fragment_add_seq_single_work(reassembly_table *table, tvbuff_t *tvb,
2485 const int offset, const packet_info *pinfo,
2486 const uint32_t id, const void* data,
2487 const uint32_t frag_data_len,
2488 const bool_Bool first, const bool_Bool last,
2489 const uint32_t max_frags, const uint32_t max_age,
2490 const uint32_t flags)
2491{
2492 reassembled_key reass_key;
2493 tvbuff_t *old_tvb_data;
2494 void *orig_key;
2495 fragment_head *fh, *new_fh;
2496 fragment_item *fd, *prev_fd;
2497 uint32_t frag_number, tmp_offset;
2498 /* Have we already seen this frame?
2499 * If so, look for it in the table of reassembled packets.
2500 * Note here we store in the reassembly table by the single sequence
2501 * number rather than the sequence number of the First fragment. */
2502 if (pinfo->fd->visited) {
2503 reass_key.frame = pinfo->num;
2504 reass_key.id = id;
2505 fh = (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
2506 return fh;
2507 }
2508 /* First let's figure out where we want to add our new fragment */
2509 fh = NULL((void*)0);
2510 if (first) {
2511 frag_number = 0;
2512 fh = lookup_fd_head(table, pinfo, id-frag_number, data, NULL((void*)0));
2513 if ((flags & REASSEMBLE_FLAGS_AGING0x0001) &&
2514 fh && ((fh->frame + max_age) < pinfo->num)) {
2515 old_tvb_data = fragment_delete(table, pinfo, id-frag_number, data);
2516 if (old_tvb_data)
2517 tvb_free(old_tvb_data);
2518 fh = NULL((void*)0);
2519 }
2520 if (fh == NULL((void*)0)) {
2521 /* Not found. Create list-head. */
2522 fh = new_head(FD_BLOCKSEQUENCE0x0100);
2523 insert_fd_head(table, fh, pinfo, id-frag_number, data);
2524 }
2525 /* As this is the first fragment, we might have added segments
2526 * for this reassembly to the previous one in-progress. */
2527 fd = NULL((void*)0);
2528 for (frag_number=1; frag_number < max_frags; frag_number++) {
2529 new_fh = lookup_fd_head(table, pinfo, id-frag_number, data, NULL((void*)0));
2530 if (new_fh != NULL((void*)0)) {
2531 prev_fd = NULL((void*)0);
2532 new_fh->frame = 0;
2533 for (fd=new_fh->next; fd && fd->offset < frag_number; fd=fd->next) {
2534 prev_fd = fd;
2535 if (new_fh->frame < fd->frame) {
2536 new_fh->frame = fd->frame;
2537 }
2538 }
2539 if (prev_fd) {
2540 prev_fd->next = NULL((void*)0);
2541 } else {
2542 new_fh->next = NULL((void*)0);
2543 }
2544 fragment_items_removed(new_fh, prev_fd);
2545 break;
2546 }
2547 }
2548 if (fd != NULL((void*)0)) {
2549 tmp_offset = 0;
2550 for (prev_fd = fd; prev_fd; prev_fd = prev_fd->next) {
2551 prev_fd->offset -= frag_number;
2552 tmp_offset = prev_fd->offset;
2553 if (fh->frame < prev_fd->frame) {
2554 fh->frame = prev_fd->frame;
2555 }
2556 }
2557 MERGE_FRAG(fh, fd);
2558 if (new_fh != NULL((void*)0)) {
2559 /* If we've moved a Last packet, change datalen.
2560 * Second part of this test prob. redundant? */
2561 if (new_fh->flags & FD_DATALEN_SET0x0400 &&
2562 new_fh->datalen >= frag_number) {
2563 fh->flags |= FD_DATALEN_SET0x0400;
2564 fh->datalen = new_fh->datalen - frag_number;
2565 new_fh->flags &= ~FD_DATALEN_SET0x0400;
2566 new_fh->datalen = 0;
2567 }
2568 /* If we've moved all the fragments,
2569 * delete the old head */
2570 if (new_fh->next == NULL((void*)0)) {
2571 old_tvb_data = fragment_delete(table, pinfo, id-frag_number, data);
2572 if (old_tvb_data)
2573 tvb_free(old_tvb_data);
2574 }
2575 } else {
2576 /* Look forward and take off the next (this is
2577 * necessary in some edge cases where max_frags
2578 * prevented some fragments from going on the
2579 * previous First, but they can go on this one. */
2580 fragment_add_seq_single_move(table, pinfo, id,
2581 data, tmp_offset);
2582 }
2583 }
2584 frag_number = 0; /* For the rest of the function */
2585 } else {
2586 for (frag_number=1; frag_number < max_frags; frag_number++) {
2587 fh = lookup_fd_head(table, pinfo, id-frag_number, data, NULL((void*)0));
2588 if ((flags & REASSEMBLE_FLAGS_AGING0x0001) &&
2589 fh && ((fh->frame + max_age) < pinfo->num)) {
2590 old_tvb_data = fragment_delete(table, pinfo, id-frag_number, data);
2591 if (old_tvb_data)
2592 tvb_free(old_tvb_data);
2593 fh = NULL((void*)0);
2594 }
2595 if (fh != NULL((void*)0)) {
2596 if (fh->flags & FD_DATALEN_SET0x0400 &&
2597 fh->datalen < frag_number) {
2598 /* This fragment is after the Last
2599 * fragment, so must go after here. */
2600 fh = NULL((void*)0);
2601 }
2602 break;
2603 }
2604 }
2605 if (fh == NULL((void*)0)) { /* Didn't find location, use default */
2606 frag_number = 1;
2607 /* Already looked for frag_number 1, so just create */
2608 fh = new_head(FD_BLOCKSEQUENCE0x0100);
2609 insert_fd_head(table, fh, pinfo, id-frag_number, data);
2610 }
2611 }
2612 if (last) {
2613 /* Look for fragments past the end set by this Last fragment. */
2614 prev_fd = NULL((void*)0);
2615 for (fd=fh->next; fd && fd->offset <= frag_number; fd=fd->next) {
2616 prev_fd = fd;
2617 }
2618 /* fd is now all fragments offset > frag_number (the Last).
2619 * It shouldn't have a fragment with offset frag_number+1,
2620 * as that would be a First fragment not marked as such.
2621 * However, this can happen if we had unreassembled fragments
2622 * (missing, or at the start of the capture) and we've also
2623 * looped around on the sequence numbers. It can also happen
2624 * if bit errors mess up Last or First. */
2625 if (fd != NULL((void*)0)) {
2626 if (prev_fd) {
2627 prev_fd->next = NULL((void*)0);
2628 } else {
2629 fh->next = NULL((void*)0);
2630 }
2631 fragment_items_removed(fh, prev_fd);
2632 fh->frame = 0;
2633 for (prev_fd=fh->next; prev_fd; prev_fd=prev_fd->next) {
2634 if (fh->frame < prev_fd->frame) {
2635 fh->frame = prev_fd->frame;
2636 }
2637 }
2638 while (fd && fd->offset == frag_number+1) {
2639 /* Definitely have bad data here. Best to
2640 * delete these and leave unreassembled. */
2641 fd = fragment_item_free(fd);
2642 }
2643 }
2644 if (fd != NULL((void*)0)) {
2645 /* Move these onto the next frame. */
2646 new_fh = lookup_fd_head(table, pinfo, id+1, data, NULL((void*)0));
2647 if (new_fh==NULL((void*)0)) {
2648 /* Not found. Create list-head. */
2649 new_fh = new_head(FD_BLOCKSEQUENCE0x0100);
2650 insert_fd_head(table, new_fh, pinfo, id+1, data);
2651 }
2652 tmp_offset = 0;
2653 for (prev_fd = fd; prev_fd; prev_fd = prev_fd->next) {
2654 prev_fd->offset -= (frag_number+1);
2655 tmp_offset = prev_fd->offset;
2656 if (new_fh->frame < fd->frame) {
2657 new_fh->frame = fd->frame;
2658 }
2659 }
2660 MERGE_FRAG(new_fh, fd);
2661 /* If we previously found a different Last fragment,
2662 * transfer that information to the new reassembly. */
2663 if (fh->flags & FD_DATALEN_SET0x0400 &&
2664 fh->datalen > frag_number) {
2665 new_fh->flags |= FD_DATALEN_SET0x0400;
2666 new_fh->datalen = fh->datalen - (frag_number+1);
2667 fh->flags &= ~FD_DATALEN_SET0x0400;
2668 fh->datalen = 0;
2669 } else {
2670 /* Look forward and take off the next (this is
2671 * necessary in some edge cases where max_frags
2672 * prevented some fragments from going on the
2673 * previous First, but they can go on this one. */
2674 fragment_add_seq_single_move(table, pinfo, id+1,
2675 data, tmp_offset);
2676 }
2677 }
2678 } else {
2679 fragment_add_seq_single_move(table, pinfo, id-frag_number, data,
2680 frag_number+1);
2681 }
2682 /* Having cleaned up everything, finally ready to add our new
2683 * fragment. Note that only this will ever complete a reassembly. */
2684 fh = fragment_add_seq_common(table, tvb, offset, pinfo,
2685 id-frag_number, data,
2686 frag_number, frag_data_len,
2687 !last, 0, &orig_key);
2688 if (fh) {
2689 /*
2690 * Reassembly is complete.
2691 *
2692 * If this is in the table of in-progress reassemblies,
2693 * remove it from that table. (It could be that this
2694 * was the first and last fragment, so that no
2695 * reassembly was done.)
2696 */
2697 if (orig_key != NULL((void*)0))
2698 fragment_unhash(table, orig_key);
2699
2700 /*
2701 * Add this item to the table of reassembled packets.
2702 */
2703 fragment_reassembled_single(table, fh, pinfo, id-frag_number);
2704 return fh;
2705 } else {
2706 /*
2707 * Reassembly isn't complete.
2708 */
2709 return NULL((void*)0);
2710 }
2711}
2712
2713fragment_head *
2714fragment_add_seq_single(reassembly_table *table, tvbuff_t *tvb,
2715 const int offset, const packet_info *pinfo,
2716 const uint32_t id, const void* data,
2717 const uint32_t frag_data_len,
2718 const bool_Bool first, const bool_Bool last,
2719 const uint32_t max_frags)
2720{
2721 return fragment_add_seq_single_work(table, tvb, offset, pinfo,
2722 id, data, frag_data_len,
2723 first, last, max_frags, 0, 0);
2724}
2725
2726fragment_head *
2727fragment_add_seq_single_aging(reassembly_table *table, tvbuff_t *tvb,
2728 const int offset, const packet_info *pinfo,
2729 const uint32_t id, const void* data,
2730 const uint32_t frag_data_len,
2731 const bool_Bool first, const bool_Bool last,
2732 const uint32_t max_frags, const uint32_t max_age)
2733{
2734 return fragment_add_seq_single_work(table, tvb, offset, pinfo,
2735 id, data, frag_data_len,
2736 first, last, max_frags, max_age,
2737 REASSEMBLE_FLAGS_AGING0x0001);
2738}
2739
2740void
2741fragment_start_seq_check(reassembly_table *table, const packet_info *pinfo,
2742 const uint32_t id, const void *data,
2743 const uint32_t tot_len)
2744{
2745 fragment_head *fd_head;
2746
2747 /* Have we already seen this frame ?*/
2748 if (pinfo->fd->visited) {
2749 return;
2750 }
2751
2752 /* Check if fragment data exists */
2753 fd_head = lookup_fd_head(table, pinfo, id, data, NULL((void*)0));
2754
2755 if (fd_head == NULL((void*)0)) {
2756 /* Create list-head. */
2757 fd_head = new_head(FD_BLOCKSEQUENCE0x0100|FD_DATALEN_SET0x0400);
2758 fd_head->datalen = tot_len;
2759
2760 insert_fd_head(table, fd_head, pinfo, id, data);
2761 }
2762}
2763
2764fragment_head *
2765fragment_end_seq_next(reassembly_table *table, const packet_info *pinfo,
2766 const uint32_t id, const void *data)
2767{
2768 reassembled_key reass_key;
2769 reassembled_key *new_key;
2770 fragment_head *fd_head;
2771 fragment_item *fd;
2772 void *orig_key;
2773 uint32_t max_offset = 0;
2774
2775 /*
2776 * Have we already seen this frame?
2777 * If so, look for it in the table of reassembled packets.
2778 */
2779 if (pinfo->fd->visited) {
2780 reass_key.frame = pinfo->num;
2781 reass_key.id = id;
2782 return (fragment_head *)g_hash_table_lookup(table->reassembled_table, &reass_key);
2783 }
2784
2785 fd_head = lookup_fd_head(table, pinfo, id, data, &orig_key);
2786
2787 if (fd_head) {
2788 for (fd = fd_head->next; fd; fd = fd->next) {
2789 if (fd->offset > max_offset) {
2790 max_offset = fd->offset;
2791 }
2792 }
2793 fd_head->datalen = max_offset;
2794 fd_head->flags |= FD_DATALEN_SET0x0400;
2795
2796 fragment_defragment_and_free (fd_head, pinfo);
2797
2798 /*
2799 * Remove this from the table of in-progress reassemblies,
2800 * and free up any memory used for it in that table.
2801 */
2802 fragment_unhash(table, orig_key);
2803
2804 /*
2805 * Add this item to the table of reassembled packets.
2806 */
2807 fragment_reassembled(table, fd_head, pinfo, id);
2808 if (fd_head->next != NULL((void*)0)) {
2809 new_key = g_slice_new(reassembled_key)((reassembled_key*) g_slice_alloc (sizeof (reassembled_key)));
2810 new_key->frame = pinfo->num;
2811 new_key->id = id;
2812 reassembled_table_insert(table->reassembled_table, new_key, fd_head);
2813 }
2814
2815 return fd_head;
2816 } else {
2817 /*
2818 * Fragment data not found.
2819 */
2820 return NULL((void*)0);
2821 }
2822}
2823
2824/*
2825 * Process reassembled data; if we're on the frame in which the data
2826 * was reassembled, put the fragment information into the protocol
2827 * tree, and construct a tvbuff with the reassembled data, otherwise
2828 * just put a "reassembled in" item into the protocol tree.
2829 * offset from start of tvb, result up to end of tvb
2830 */
2831tvbuff_t *
2832process_reassembled_data(tvbuff_t *tvb, const int offset, packet_info *pinfo,
2833 const char *name, fragment_head *fd_head, const fragment_items *fit,
2834 bool_Bool *update_col_infop, proto_tree *tree)
2835{
2836 tvbuff_t *next_tvb;
2837 bool_Bool update_col_info;
2838 proto_item *frag_tree_item;
2839
2840 if (fd_head != NULL((void*)0) && pinfo->num == fd_head->reassembled_in && pinfo->curr_layer_num == fd_head->reas_in_layer_num) {
2841 /*
2842 * OK, we've reassembled this.
2843 * Is this something that's been reassembled from more
2844 * than one fragment?
2845 */
2846 if (fd_head->next != NULL((void*)0)) {
2847 /*
2848 * Yes.
2849 * Allocate a new tvbuff, referring to the
2850 * reassembled payload, and set
2851 * the tvbuff to the list of tvbuffs to which
2852 * the tvbuff we were handed refers, so it'll get
2853 * cleaned up when that tvbuff is cleaned up.
2854 */
2855 next_tvb = tvb_new_chain(tvb, fd_head->tvb_data);
2856
2857 /* Add the defragmented data to the data source list. */
2858 add_new_data_source(pinfo, next_tvb, name);
2859
2860 /* show all fragments */
2861 if (fd_head->flags & FD_BLOCKSEQUENCE0x0100) {
2862 update_col_info = !show_fragment_seq_tree(
2863 fd_head, fit, tree, pinfo, next_tvb, &frag_tree_item);
2864 } else {
2865 update_col_info = !show_fragment_tree(fd_head,
2866 fit, tree, pinfo, next_tvb, &frag_tree_item);
2867 }
2868 } else {
2869 /*
2870 * No.
2871 * Return a tvbuff with the payload, a subset of the
2872 * tvbuff passed in. (The dissector SHOULD pass in
2873 * the correct tvbuff and offset.)
2874 */
2875 int len;
2876 /* For FD_BLOCKSEQUENCE, len is the length in bytes,
2877 * datalen is the number of fragments.
2878 */
2879 if (fd_head->flags & FD_BLOCKSEQUENCE0x0100) {
2880 len = fd_head->len;
2881 } else {
2882 // XXX Do the non-seq functions have this optimization?
2883 len = fd_head->datalen;
2884 }
2885 next_tvb = tvb_new_subset_length(tvb, offset, len);
2886 pinfo->fragmented = false0; /* one-fragment packet */
2887 update_col_info = true1;
2888 }
2889 if (update_col_infop != NULL((void*)0))
2890 *update_col_infop = update_col_info;
2891 } else {
2892 /*
2893 * We don't have the complete reassembled payload, or this
2894 * isn't the final frame of that payload.
2895 */
2896 next_tvb = NULL((void*)0);
2897
2898 /*
2899 * If we know what frame this was reassembled in,
2900 * and if there's a field to use for the number of
2901 * the frame in which the packet was reassembled,
2902 * add it to the protocol tree.
2903 */
2904 if (fd_head != NULL((void*)0) && fit->hf_reassembled_in != NULL((void*)0)) {
2905 proto_item *fei = proto_tree_add_uint(tree,
2906 *(fit->hf_reassembled_in), tvb,
2907 0, 0, fd_head->reassembled_in);
2908 proto_item_set_generated(fei);
2909 }
2910 }
2911 return next_tvb;
2912}
2913
2914/*
2915 * Show a single fragment in a fragment subtree, and put information about
2916 * it in the top-level item for that subtree.
2917 */
2918static void
2919show_fragment(fragment_item *fd, const int offset, const fragment_items *fit,
2920 proto_tree *ft, proto_item *fi, const bool_Bool first_frag,
2921 const uint32_t count, tvbuff_t *tvb, packet_info *pinfo)
2922{
2923 proto_item *fei=NULL((void*)0);
2924 int hf;
2925
2926 if (first_frag) {
2927 char *name;
2928 if (count == 1) {
2929 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragment)))g_strdup_inline (proto_registrar_get_name(*(fit->hf_fragment
)));
2930 } else {
2931 name = g_strdup(proto_registrar_get_name(*(fit->hf_fragments)))g_strdup_inline (proto_registrar_get_name(*(fit->hf_fragments
)));
2932 }
2933 proto_item_set_text(fi, "%u %s (%u byte%s): ", count, name, tvb_captured_length(tvb),
2934 plurality(tvb_captured_length(tvb), "", "s")((tvb_captured_length(tvb)) == 1 ? ("") : ("s")));
2935 g_free(name);
2936 } else {
2937 proto_item_append_text(fi, ", ");
2938 }
2939 proto_item_append_text(fi, "#%u(%u)", fd->frame, fd->len);
2940
2941 if (fd->flags & (FD_OVERLAPCONFLICT0x0004
2942 |FD_MULTIPLETAILS0x0008|FD_TOOLONGFRAGMENT0x0010) ) {
2943 hf = *(fit->hf_fragment_error);
2944 } else {
2945 hf = *(fit->hf_fragment);
2946 }
2947 if (fd->len == 0) {
2948 fei = proto_tree_add_uint_format(ft, hf,
2949 tvb, offset, fd->len,
2950 fd->frame,
2951 "Frame: %u (no data)",
2952 fd->frame);
2953 } else {
2954 fei = proto_tree_add_uint_format(ft, hf,
2955 tvb, offset, fd->len,
2956 fd->frame,
2957 "Frame: %u, payload: %u-%u (%u byte%s)",
2958 fd->frame,
2959 offset,
2960 offset+fd->len-1,
2961 fd->len,
2962 plurality(fd->len, "", "s")((fd->len) == 1 ? ("") : ("s")));
2963 }
2964 proto_item_set_generated(fei);
2965 mark_frame_as_depended_upon(pinfo->fd, fd->frame);
2966 if (fd->flags & (FD_OVERLAP0x0002|FD_OVERLAPCONFLICT0x0004
2967 |FD_MULTIPLETAILS0x0008|FD_TOOLONGFRAGMENT0x0010) ) {
2968 /* this fragment has some flags set, create a subtree
2969 * for it and display the flags.
2970 */
2971 proto_tree *fet=NULL((void*)0);
2972
2973 fet = proto_item_add_subtree(fei, *(fit->ett_fragment));
2974 if (fd->flags&FD_OVERLAP0x0002) {
2975 fei=proto_tree_add_boolean(fet,
2976 *(fit->hf_fragment_overlap),
2977 tvb, 0, 0,
2978 true1);
2979 proto_item_set_generated(fei);
2980 }
2981 if (fd->flags&FD_OVERLAPCONFLICT0x0004) {
2982 fei=proto_tree_add_boolean(fet,
2983 *(fit->hf_fragment_overlap_conflict),
2984 tvb, 0, 0,
2985 true1);
2986 proto_item_set_generated(fei);
2987 }
2988 if (fd->flags&FD_MULTIPLETAILS0x0008) {
2989 fei=proto_tree_add_boolean(fet,
2990 *(fit->hf_fragment_multiple_tails),
2991 tvb, 0, 0,
2992 true1);
2993 proto_item_set_generated(fei);
2994 }
2995 if (fd->flags&FD_TOOLONGFRAGMENT0x0010) {
2996 fei=proto_tree_add_boolean(fet,
2997 *(fit->hf_fragment_too_long_fragment),
2998 tvb, 0, 0,
2999 true1);
3000 proto_item_set_generated(fei);
3001 }
3002 }
3003}
3004
3005static bool_Bool
3006show_fragment_errs_in_col(fragment_head *fd_head, const fragment_items *fit,
3007 packet_info *pinfo)
3008{
3009 if (fd_head->flags & (FD_OVERLAPCONFLICT0x0004
3010 |FD_MULTIPLETAILS0x0008|FD_TOOLONGFRAGMENT0x0010) ) {
3011 col_add_fstr(pinfo->cinfo, COL_INFO, "[Illegal %s]", fit->tag);
3012 return true1;
3013 }
3014
3015 return false0;
3016}
3017
3018/* This function will build the fragment subtree; it's for fragments
3019 reassembled with "fragment_add()".
3020
3021 It will return true if there were fragmentation errors
3022 or false if fragmentation was ok.
3023*/
3024bool_Bool
3025show_fragment_tree(fragment_head *fd_head, const fragment_items *fit,
3026 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
3027{
3028 fragment_item *fd;
3029 proto_tree *ft;
3030 bool_Bool first_frag;
3031 uint32_t count = 0;
3032 /* It's not fragmented. */
3033 pinfo->fragmented = false0;
3034
3035 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA0x00000000);
3036 proto_item_set_generated(*fi);
3037
3038 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
3039 first_frag = true1;
3040 for (fd = fd_head->next; fd != NULL((void*)0); fd = fd->next) {
3041 count++;
3042 }
3043 for (fd = fd_head->next; fd != NULL((void*)0); fd = fd->next) {
3044 show_fragment(fd, fd->offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
3045 first_frag = false0;
3046 }
3047
3048 if (fit->hf_fragment_count) {
3049 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
3050 tvb, 0, 0, count);
3051 proto_item_set_generated(fli);
3052 }
3053
3054 if (fit->hf_reassembled_length) {
3055 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
3056 tvb, 0, 0, tvb_captured_length (tvb));
3057 proto_item_set_generated(fli);
3058 }
3059
3060 if (fit->hf_reassembled_data) {
3061 proto_item *fli = proto_tree_add_item(ft, *(fit->hf_reassembled_data),
3062 tvb, 0, tvb_captured_length(tvb), ENC_NA0x00000000);
3063 proto_item_set_generated(fli);
3064 }
3065
3066 return show_fragment_errs_in_col(fd_head, fit, pinfo);
3067}
3068
3069/* This function will build the fragment subtree; it's for fragments
3070 reassembled with "fragment_add_seq()" or "fragment_add_seq_check()".
3071
3072 It will return true if there were fragmentation errors
3073 or false if fragmentation was ok.
3074*/
3075bool_Bool
3076show_fragment_seq_tree(fragment_head *fd_head, const fragment_items *fit,
3077 proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, proto_item **fi)
3078{
3079 uint32_t offset, next_offset, count = 0;
3080 fragment_item *fd, *last_fd;
3081 proto_tree *ft;
3082 bool_Bool first_frag;
3083
3084 /* It's not fragmented. */
3085 pinfo->fragmented = false0;
3086
3087 *fi = proto_tree_add_item(tree, *(fit->hf_fragments), tvb, 0, -1, ENC_NA0x00000000);
3088 proto_item_set_generated(*fi);
3089
3090 ft = proto_item_add_subtree(*fi, *(fit->ett_fragments));
3091 offset = 0;
3092 next_offset = 0;
3093 last_fd = NULL((void*)0);
3094 first_frag = true1;
3095 for (fd = fd_head->next; fd != NULL((void*)0); fd = fd->next){
3096 count++;
3097 }
3098 for (fd = fd_head->next; fd != NULL((void*)0); fd = fd->next){
3099 if (last_fd == NULL((void*)0) || last_fd->offset != fd->offset) {
3100 offset = next_offset;
3101 next_offset += fd->len;
3102 }
3103 last_fd = fd;
3104 show_fragment(fd, offset, fit, ft, *fi, first_frag, count, tvb, pinfo);
3105 first_frag = false0;
3106 }
3107
3108 if (fit->hf_fragment_count) {
3109 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_fragment_count),
3110 tvb, 0, 0, count);
3111 proto_item_set_generated(fli);
3112 }
3113
3114 if (fit->hf_reassembled_length) {
3115 proto_item *fli = proto_tree_add_uint(ft, *(fit->hf_reassembled_length),
3116 tvb, 0, 0, tvb_captured_length (tvb));
3117 proto_item_set_generated(fli);
3118 }
3119
3120 if (fit->hf_reassembled_data) {
3121 proto_item *fli = proto_tree_add_item(ft, *(fit->hf_reassembled_data),
3122 tvb, 0, tvb_captured_length(tvb), ENC_NA0x00000000);
3123 proto_item_set_generated(fli);
3124 }
3125
3126 return show_fragment_errs_in_col(fd_head, fit, pinfo);
3127}
3128
3129static void
3130reassembly_table_init_reg_table(void *p, void *user_data _U___attribute__((unused)))
3131{
3132 register_reassembly_table_t* reg_table = (register_reassembly_table_t*)p;
3133 reassembly_table_init(reg_table->table, reg_table->funcs);
3134}
3135
3136static void
3137reassembly_table_init_reg_tables(void)
3138{
3139 g_list_foreach(reassembly_table_list, reassembly_table_init_reg_table, NULL((void*)0));
3140}
3141
3142static void
3143reassembly_table_cleanup_reg_table(void *p, void *user_data _U___attribute__((unused)))
3144{
3145 register_reassembly_table_t* reg_table = (register_reassembly_table_t*)p;
3146 reassembly_table_destroy(reg_table->table);
3147}
3148
3149static void
3150reassembly_table_cleanup_reg_tables(void)
3151{
3152 g_list_foreach(reassembly_table_list, reassembly_table_cleanup_reg_table, NULL((void*)0));
3153}
3154
3155void reassembly_tables_init(void)
3156{
3157 register_init_routine(&reassembly_table_init_reg_tables);
3158 register_cleanup_routine(&reassembly_table_cleanup_reg_tables);
3159}
3160
3161static void
3162reassembly_table_free(void *p, void *user_data _U___attribute__((unused)))
3163{
3164 register_reassembly_table_t* reg_table = (register_reassembly_table_t*)p;
3165 reassembly_table_destroy(reg_table->table);
3166 g_free(reg_table);
3167}
3168
3169void
3170reassembly_table_cleanup(void)
3171{
3172 g_list_foreach(reassembly_table_list, reassembly_table_free, NULL((void*)0));
3173 g_list_free(reassembly_table_list);
3174}
3175
3176/* One instance of this structure is created for each pdu that spans across
3177 * multiple segments. (MSP) */
3178typedef struct _multisegment_pdu_t {
3179 uint64_t first_frame;
3180 uint64_t last_frame;
3181 unsigned start_offset_at_first_frame;
3182 unsigned end_offset_at_last_frame;
3183 int length; /* length of this MSP */
3184 uint32_t streaming_reassembly_id;
3185 /* pointer to previous multisegment_pdu */
3186 struct _multisegment_pdu_t* prev_msp;
3187} multisegment_pdu_t;
3188
3189/* struct for keeping the reassembly information of each stream */
3190struct streaming_reassembly_info_t {
3191 /* This map is keyed by frame num and keeps track of all MSPs for this
3192 * stream. Different frames will point to the same MSP if they contain
3193 * part data of this MSP. If a frame contains data that
3194 * belongs to two MSPs, it will point to the second MSP. */
3195 wmem_map_t* multisegment_pdus;
3196 /* This map is keyed by frame num and keeps track of the frag_offset
3197 * of the first byte of frames for fragment_add() after first scan. */
3198 wmem_map_t* frame_num_frag_offset_map;
3199 /* how many bytes the current uncompleted MSP still needs. (only valid for first scan) */
3200 int prev_deseg_len;
3201 /* the current uncompleted MSP (only valid for first scan) */
3202 multisegment_pdu_t* last_msp;
3203};
3204
3205static uint32_t
3206create_streaming_reassembly_id(void)
3207{
3208 static uint32_t global_streaming_reassembly_id = 0;
3209 return ++global_streaming_reassembly_id;
3210}
3211
3212streaming_reassembly_info_t*
3213streaming_reassembly_info_new(void)
3214{
3215 return wmem_new0(wmem_file_scope(), streaming_reassembly_info_t)((streaming_reassembly_info_t*)wmem_alloc0((wmem_file_scope()
), sizeof(streaming_reassembly_info_t)));
3216}
3217
3218/* Following is an example of ProtoA and ProtoB protocols from the declaration of this function in 'reassemble.h':
3219 *
3220 * +------------------ A Multisegment PDU of ProtoB ----------------------+
3221 * | |
3222 * +--- ProtoA payload1 ---+ +- payload2 -+ +- Payload3 -+ +- Payload4 -+ +- ProtoA payload5 -+
3223 * | EoMSP | OmNFP | BoMSP | | MoMSP | | MoMSP | | MoMSP | | EoMSP | BoMSP |
3224 * +-------+-------+-------+ +------------+ +------------+ +------------+ +---------+---------+
3225 * | |
3226 * +----------------------------------------------------------------------+
3227 *
3228 * For a ProtoA payload composed of EoMSP + OmNFP + BoMSP will call fragment_add() twice on EoMSP and BoMSP; and call
3229 * process_reassembled_data() once for generating tvb of a MSP to which EoMSP belongs; and call subdissector twice on
3230 * reassembled MSP of EoMSP and OmNFP + BoMSP. After that finds BoMSP is a beginning of a MSP at first scan.
3231 *
3232 * The rules are:
3233 *
3234 * - If a ProtoA payload contains EoMSP, we will need call fragment_add(), process_reassembled_data() and subdissector
3235 * once on it to end a MSP. (May run twice or more times at first scan, because subdissector may only return the
3236 * head length of message by pinfo->desegment_len. We need run second time for subdissector to determine the length
3237 * of entire message).
3238 *
3239 * - If a ProtoA payload contains OmNFP, we will need only call subdissector once on it. The subdissector need dissect
3240 * all non-fragment PDUs in it. (no desegment_len should output)
3241 *
3242 * - If a ProtoA payload contains BoMSP, we will need call subdissector once on BoMSP or OmNFP+BoMSP (because unknown
3243 * during first scan). The subdissector will output desegment_len (!= 0). Then we will call fragment_add()
3244 * with a new reassembly id on BoMSP for starting a new MSP.
3245 *
3246 * - If a ProtoA payload only contains MoMSP (entire payload is part of a MSP), we will only call fragment_add() once
3247 * or twice (at first scan) on it. The subdissector will not be called.
3248 *
3249 * In this implementation, only multisegment PDUs are recorded in multisegment_pdus map keyed by the numbers (uint64_t)
3250 * of frames belongs to MSPs. Each MSP in the map has a pointer referred to previous MSP, because we may need
3251 * two MSPs to dissect a ProtoA payload that contains EoMSP + BoMSP at the same time. The multisegment_pdus map is built
3252 * during first scan (pinfo->visited == false) with help of prev_deseg_len and last_msp fields of streaming_reassembly_info_t
3253 * for each direction of a ProtoA STREAM. The prev_deseg_len record how many bytes of subsequent ProtoA payloads belong to
3254 * previous PDU during first scan. The last_msp member of streaming_reassembly_info_t is always point to last MSP which
3255 * is created during scan previous or early ProtoA payloads. Since subdissector might return only the head length of entire
3256 * message (by pinfo->desegment_len) when there is not enough data to determine the message length, we need to reopen
3257 * reassembly fragments for adding more bytes during scanning the next ProtoA payload. We have to use fragment_add()
3258 * instead of fragment_add_check() or fragment_add_seq_next().
3259 *
3260 * Read more: please refer to comments of the declaration of this function in 'reassemble.h'.
3261 */
3262int
3263reassemble_streaming_data_and_call_subdissector(
3264 tvbuff_t* tvb, packet_info* pinfo, unsigned offset, int length,
3265 proto_tree* segment_tree, proto_tree* reassembled_tree, reassembly_table streaming_reassembly_table,
3266 streaming_reassembly_info_t* reassembly_info, uint64_t cur_frame_num,
3267 dissector_handle_t subdissector_handle, proto_tree* subdissector_tree, void* subdissector_data,
3268 const char* label, const fragment_items* frag_hf_items, int hf_segment_data
3269)
3270{
3271 int orig_length = length;
3272 int datalen = 0;
3273 int bytes_belong_to_prev_msp = 0; /* bytes belong to previous MSP */
3274 uint32_t reassembly_id = 0, frag_offset = 0;
3275 fragment_head* head = NULL((void*)0);
3276 bool_Bool need_more = false0;
3277 bool_Bool found_BoMSP = false0;
3278 multisegment_pdu_t* cur_msp = NULL((void*)0), * prev_msp = NULL((void*)0);
3279 uint16_t save_can_desegment;
3280 int save_desegment_offset;
3281 uint32_t save_desegment_len;
3282 uint64_t* frame_ptr;
3283
3284 save_can_desegment = pinfo->can_desegment;
3285 save_desegment_offset = pinfo->desegment_offset;
3286 save_desegment_len = pinfo->desegment_len;
3287
3288 /* calculate how many bytes of this payload belongs to previous MSP (EoMSP) */
3289 if (!PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
3290 /* this is first scan */
3291 if (reassembly_info->prev_deseg_len == DESEGMENT_ONE_MORE_SEGMENT0x0fffffff) {
3292 /* assuming the entire tvb belongs to the previous MSP */
3293 bytes_belong_to_prev_msp = length;
3294 reassembly_info->prev_deseg_len = length;
3295 } else if (reassembly_info->prev_deseg_len > 0) {
3296 /* part or all of current payload belong to previous MSP */
3297 bytes_belong_to_prev_msp = MIN(reassembly_info->prev_deseg_len, length)(((reassembly_info->prev_deseg_len) < (length)) ? (reassembly_info
->prev_deseg_len) : (length));
3298 reassembly_info->prev_deseg_len -= bytes_belong_to_prev_msp;
3299 need_more = (reassembly_info->prev_deseg_len > 0);
3300 } /* else { beginning of a new PDU (might be a NFP or MSP) } */
3301
3302 if (bytes_belong_to_prev_msp > 0) {
3303 DISSECTOR_ASSERT(reassembly_info->last_msp != NULL)((void) ((reassembly_info->last_msp != ((void*)0)) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/reassemble.c", 3303, "reassembly_info->last_msp != ((void*)0)"
))));
3304 reassembly_id = reassembly_info->last_msp->streaming_reassembly_id;
3305 frag_offset = reassembly_info->last_msp->length;
3306 if (reassembly_info->frame_num_frag_offset_map == NULL((void*)0)) {
3307 reassembly_info->frame_num_frag_offset_map = wmem_map_new(wmem_file_scope(), g_int64_hash, g_int64_equal);
3308 }
3309 frame_ptr = (uint64_t*)wmem_memdup(wmem_file_scope(), &cur_frame_num, sizeof(uint64_t));
3310 wmem_map_insert(reassembly_info->frame_num_frag_offset_map, frame_ptr, GUINT_TO_POINTER(frag_offset)((gpointer) (gulong) (frag_offset)));
3311 /* This payload contains the data of previous msp, so we point to it. That may be overridden late. */
3312 wmem_map_insert(reassembly_info->multisegment_pdus, frame_ptr, reassembly_info->last_msp);
3313 }
3314 } else {
3315 /* not first scan, use information of multisegment_pdus built during first scan */
3316 if (reassembly_info->multisegment_pdus) {
3317 cur_msp = (multisegment_pdu_t*)wmem_map_lookup(reassembly_info->multisegment_pdus, &cur_frame_num);
3318 }
3319 if (cur_msp) {
3320 if (cur_msp->first_frame == cur_frame_num) {
3321 /* Current payload contains a beginning of a MSP. (BoMSP)
3322 * The cur_msp contains information about the beginning MSP.
3323 * If prev_msp is not null, that means this payload also contains
3324 * the last part of previous MSP. (EoMSP) */
3325 prev_msp = cur_msp->prev_msp;
3326 } else {
3327 /* Current payload is not a first frame of a MSP (not include BoMSP). */
3328 prev_msp = cur_msp;
3329 cur_msp = NULL((void*)0);
3330 }
3331 }
3332
3333 if (prev_msp && prev_msp->last_frame >= cur_frame_num) {
3334 if (prev_msp->last_frame == cur_frame_num) {
3335 /* this payload contains part of previous MSP (contains EoMSP) */
3336 bytes_belong_to_prev_msp = prev_msp->end_offset_at_last_frame - offset;
3337 } else { /* if (prev_msp->last_frame > cur_frame_num) */
3338 /* this payload all belongs to previous MSP */
3339 bytes_belong_to_prev_msp = length;
3340 need_more = true1;
3341 }
3342 reassembly_id = prev_msp->streaming_reassembly_id;
3343 }
3344 if (reassembly_info->frame_num_frag_offset_map) {
3345 frag_offset = GPOINTER_TO_UINT(wmem_map_lookup(reassembly_info->frame_num_frag_offset_map, &cur_frame_num))((guint) (gulong) (wmem_map_lookup(reassembly_info->frame_num_frag_offset_map
, &cur_frame_num)));
3346 }
3347 }
3348
3349 /* handling EoMSP or MoMSP (entire payload being middle part of a MSP) */
3350 while (bytes_belong_to_prev_msp > 0) {
3351 tvbuff_t* reassembled_tvb = NULL((void*)0);
3352 DISSECTOR_ASSERT(reassembly_id > 0)((void) ((reassembly_id > 0) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 3352,
"reassembly_id > 0"))));
3353 pinfo->can_desegment = 2; /* this will be decreased one while passing to subdissector */
3354 pinfo->desegment_offset = 0;
3355 pinfo->desegment_len = 0;
3356
3357 head = fragment_add(&streaming_reassembly_table, tvb, offset, pinfo, reassembly_id, NULL((void*)0),
3358 frag_offset, bytes_belong_to_prev_msp, need_more);
3359
3360 if (head) {
3361 if (frag_hf_items->hf_reassembled_in) {
3362 proto_item_set_generated(
3363 proto_tree_add_uint(segment_tree, *(frag_hf_items->hf_reassembled_in), tvb, offset,
3364 bytes_belong_to_prev_msp, head->reassembled_in)
3365 );
3366 }
3367
3368 if (!need_more) {
3369 reassembled_tvb = process_reassembled_data(tvb, offset, pinfo,
3370 wmem_strdup_printf(pinfo->pool, "Reassembled %s", label),
3371 head, frag_hf_items, NULL((void*)0), reassembled_tree);
3372 }
3373 }
3374
3375 proto_tree_add_bytes_format(segment_tree, hf_segment_data, tvb, offset,
3376 bytes_belong_to_prev_msp, NULL((void*)0), "%s Segment data (%u byte%s)", label,
3377 bytes_belong_to_prev_msp, plurality(bytes_belong_to_prev_msp, "", "s")((bytes_belong_to_prev_msp) == 1 ? ("") : ("s")));
3378
3379 if (reassembled_tvb) {
3380 /* normally, this stage will dissect one or more completed pdus */
3381 /* Note, don't call_dissector_with_data because sometime the pinfo->curr_layer_num will changed
3382 * after calling that will make reassembly failed! */
3383 call_dissector_only(subdissector_handle, reassembled_tvb, pinfo, subdissector_tree, subdissector_data);
3384 }
3385
3386 if (pinfo->desegment_len) {
3387 /* that must only happen during first scan the reassembly_info->prev_deseg_len might be only the
3388 * head length of entire message. */
3389 DISSECTOR_ASSERT(!PINFO_FD_VISITED(pinfo))((void) ((!((pinfo)->fd->visited)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 3389,
"!((pinfo)->fd->visited)"))));
3390 DISSECTOR_ASSERT_HINT(pinfo->desegment_len != DESEGMENT_UNTIL_FIN, "Subdissector MUST NOT "((void) ((pinfo->desegment_len != 0x0ffffffe) ? (void)0 : (
proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3392, "pinfo->desegment_len != 0x0ffffffe"
, "Subdissector MUST NOT " "set pinfo->desegment_len to DESEGMENT_UNTIL_FIN. Instead, it can set pinfo->desegment_len to "
" DESEGMENT_ONE_MORE_SEGMENT or the length of head if the length of entire message is not able to be determined."
))))
3391 "set pinfo->desegment_len to DESEGMENT_UNTIL_FIN. Instead, it can set pinfo->desegment_len to "((void) ((pinfo->desegment_len != 0x0ffffffe) ? (void)0 : (
proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3392, "pinfo->desegment_len != 0x0ffffffe"
, "Subdissector MUST NOT " "set pinfo->desegment_len to DESEGMENT_UNTIL_FIN. Instead, it can set pinfo->desegment_len to "
" DESEGMENT_ONE_MORE_SEGMENT or the length of head if the length of entire message is not able to be determined."
))))
3392 " DESEGMENT_ONE_MORE_SEGMENT or the length of head if the length of entire message is not able to be determined.")((void) ((pinfo->desegment_len != 0x0ffffffe) ? (void)0 : (
proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3392, "pinfo->desegment_len != 0x0ffffffe"
, "Subdissector MUST NOT " "set pinfo->desegment_len to DESEGMENT_UNTIL_FIN. Instead, it can set pinfo->desegment_len to "
" DESEGMENT_ONE_MORE_SEGMENT or the length of head if the length of entire message is not able to be determined."
))));
3393
3394 if (pinfo->desegment_offset > 0) {
3395 DISSECTOR_ASSERT_HINT(pinfo->desegment_offset > reassembly_info->last_msp->length((void) ((pinfo->desegment_offset > reassembly_info->
last_msp->length && pinfo->desegment_offset <
reassembly_info->last_msp->length + bytes_belong_to_prev_msp
) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3399, "pinfo->desegment_offset > reassembly_info->last_msp->length && pinfo->desegment_offset < reassembly_info->last_msp->length + bytes_belong_to_prev_msp"
, wmem_strdup_printf(pinfo->pool, "Subdissector MUST NOT set pinfo->desegment_offset(%d) in previous or next part of MSP, must between (%d, %d)."
, pinfo->desegment_offset, reassembly_info->last_msp->
length, reassembly_info->last_msp->length + bytes_belong_to_prev_msp
)))))
3396 && pinfo->desegment_offset < reassembly_info->last_msp->length + bytes_belong_to_prev_msp,((void) ((pinfo->desegment_offset > reassembly_info->
last_msp->length && pinfo->desegment_offset <
reassembly_info->last_msp->length + bytes_belong_to_prev_msp
) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3399, "pinfo->desegment_offset > reassembly_info->last_msp->length && pinfo->desegment_offset < reassembly_info->last_msp->length + bytes_belong_to_prev_msp"
, wmem_strdup_printf(pinfo->pool, "Subdissector MUST NOT set pinfo->desegment_offset(%d) in previous or next part of MSP, must between (%d, %d)."
, pinfo->desegment_offset, reassembly_info->last_msp->
length, reassembly_info->last_msp->length + bytes_belong_to_prev_msp
)))))
3397 wmem_strdup_printf(pinfo->pool,((void) ((pinfo->desegment_offset > reassembly_info->
last_msp->length && pinfo->desegment_offset <
reassembly_info->last_msp->length + bytes_belong_to_prev_msp
) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3399, "pinfo->desegment_offset > reassembly_info->last_msp->length && pinfo->desegment_offset < reassembly_info->last_msp->length + bytes_belong_to_prev_msp"
, wmem_strdup_printf(pinfo->pool, "Subdissector MUST NOT set pinfo->desegment_offset(%d) in previous or next part of MSP, must between (%d, %d)."
, pinfo->desegment_offset, reassembly_info->last_msp->
length, reassembly_info->last_msp->length + bytes_belong_to_prev_msp
)))))
3398 "Subdissector MUST NOT set pinfo->desegment_offset(%d) in previous or next part of MSP, must between (%d, %d).",((void) ((pinfo->desegment_offset > reassembly_info->
last_msp->length && pinfo->desegment_offset <
reassembly_info->last_msp->length + bytes_belong_to_prev_msp
) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3399, "pinfo->desegment_offset > reassembly_info->last_msp->length && pinfo->desegment_offset < reassembly_info->last_msp->length + bytes_belong_to_prev_msp"
, wmem_strdup_printf(pinfo->pool, "Subdissector MUST NOT set pinfo->desegment_offset(%d) in previous or next part of MSP, must between (%d, %d)."
, pinfo->desegment_offset, reassembly_info->last_msp->
length, reassembly_info->last_msp->length + bytes_belong_to_prev_msp
)))))
3399 pinfo->desegment_offset, reassembly_info->last_msp->length, reassembly_info->last_msp->length + bytes_belong_to_prev_msp))((void) ((pinfo->desegment_offset > reassembly_info->
last_msp->length && pinfo->desegment_offset <
reassembly_info->last_msp->length + bytes_belong_to_prev_msp
) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3399, "pinfo->desegment_offset > reassembly_info->last_msp->length && pinfo->desegment_offset < reassembly_info->last_msp->length + bytes_belong_to_prev_msp"
, wmem_strdup_printf(pinfo->pool, "Subdissector MUST NOT set pinfo->desegment_offset(%d) in previous or next part of MSP, must between (%d, %d)."
, pinfo->desegment_offset, reassembly_info->last_msp->
length, reassembly_info->last_msp->length + bytes_belong_to_prev_msp
)))));
3400
3401 /* shorten the bytes_belong_to_prev_msp and just truncate the reassembled tvb */
3402 bytes_belong_to_prev_msp = pinfo->desegment_offset - reassembly_info->last_msp->length;
3403 fragment_truncate(&streaming_reassembly_table, pinfo, reassembly_id, NULL((void*)0), pinfo->desegment_offset);
3404 found_BoMSP = true1;
3405 } else {
3406 if (pinfo->desegment_len == DESEGMENT_ONE_MORE_SEGMENT0x0fffffff) {
3407 /* just need more bytes, all remaining bytes belongs to previous MSP (to run fragment_add again) */
3408 bytes_belong_to_prev_msp = length;
3409 }
3410
3411 /* Remove the data added by previous fragment_add(), and reopen fragments for adding more bytes. */
3412 fragment_truncate(&streaming_reassembly_table, pinfo, reassembly_id, NULL((void*)0), reassembly_info->last_msp->length);
3413 fragment_set_partial_reassembly(&streaming_reassembly_table, pinfo, reassembly_id, NULL((void*)0));
3414
3415 reassembly_info->prev_deseg_len = bytes_belong_to_prev_msp + pinfo->desegment_len;
3416 bytes_belong_to_prev_msp = MIN(reassembly_info->prev_deseg_len, length)(((reassembly_info->prev_deseg_len) < (length)) ? (reassembly_info
->prev_deseg_len) : (length));
3417 reassembly_info->prev_deseg_len -= bytes_belong_to_prev_msp;
3418 need_more = (reassembly_info->prev_deseg_len > 0);
3419 continue;
3420 }
3421 }
3422
3423 if (pinfo->desegment_len == 0 || found_BoMSP) {
3424 /* We will arrive here, only when the MSP is defragmented and dissected or this
3425 * payload all belongs to previous MSP (only fragment_add() with need_more=true called)
3426 * or BoMSP is parsed while pinfo->desegment_offset > 0 and pinfo->desegment_len != 0
3427 */
3428 offset += bytes_belong_to_prev_msp;
3429 length -= bytes_belong_to_prev_msp;
3430 DISSECTOR_ASSERT(length >= 0)((void) ((length >= 0) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 3430,
"length >= 0"))));
3431 if (!PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
3432 reassembly_info->last_msp->length += bytes_belong_to_prev_msp;
3433 }
3434
3435 if (!PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited) && reassembled_tvb) {
3436 /* completed current msp */
3437 reassembly_info->last_msp->last_frame = cur_frame_num;
3438 reassembly_info->last_msp->end_offset_at_last_frame = offset;
3439 reassembly_info->prev_deseg_len = pinfo->desegment_len;
3440 }
3441 bytes_belong_to_prev_msp = 0; /* break */
3442 }
3443 }
3444
3445 /* to find and handle OmNFP, and find BoMSP at first scan. */
3446 if (length > 0 && !found_BoMSP) {
3447 if (!PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
3448 /* It is first scan, to dissect remaining bytes to find whether it is OmNFP only, or BoMSP only or OmNFP + BoMSP. */
3449 datalen = length;
3450 DISSECTOR_ASSERT(cur_msp == NULL)((void) ((cur_msp == ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 3450,
"cur_msp == ((void*)0)"))));
3451 } else {
3452 /* Not first scan */
3453 if (cur_msp) {
3454 /* There's a BoMSP. Let's calculate the length of OmNFP between EoMSP and BoMSP */
3455 datalen = cur_msp->start_offset_at_first_frame - offset; /* if result is zero that means no OmNFP */
3456 } else {
3457 /* This payload is not a beginning of MSP. The remaining bytes all belong to OmNFP without BoMSP */
3458 datalen = length;
3459 }
3460 }
3461 DISSECTOR_ASSERT(datalen >= 0)((void) ((datalen >= 0) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 3461,
"datalen >= 0"))));
3462
3463 /* Dissect the remaining of this payload. If (datalen == 0) means remaining only have one BoMSP without OmNFP. */
3464 if (datalen > 0) {
3465 /* we dissect if it is not dissected before or it is a non-fragment pdu (between two multisegment pdus) */
3466 pinfo->can_desegment = 2;
3467 pinfo->desegment_offset = 0;
3468 pinfo->desegment_len = 0;
3469
3470 call_dissector_only(subdissector_handle, tvb_new_subset_length(tvb, offset, datalen),
3471 pinfo, subdissector_tree, subdissector_data);
3472
3473 if (pinfo->desegment_len) {
3474 DISSECTOR_ASSERT_HINT(pinfo->desegment_len != DESEGMENT_UNTIL_FIN, "Subdissector MUST NOT "((void) ((pinfo->desegment_len != 0x0ffffffe) ? (void)0 : (
proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3476, "pinfo->desegment_len != 0x0ffffffe"
, "Subdissector MUST NOT " "set pinfo->desegment_len to DESEGMENT_UNTIL_FIN. Instead, it can set pinfo->desegment_len to "
" DESEGMENT_ONE_MORE_SEGMENT or the length of head if the length of entire message is not able to be determined."
))))
3475 "set pinfo->desegment_len to DESEGMENT_UNTIL_FIN. Instead, it can set pinfo->desegment_len to "((void) ((pinfo->desegment_len != 0x0ffffffe) ? (void)0 : (
proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3476, "pinfo->desegment_len != 0x0ffffffe"
, "Subdissector MUST NOT " "set pinfo->desegment_len to DESEGMENT_UNTIL_FIN. Instead, it can set pinfo->desegment_len to "
" DESEGMENT_ONE_MORE_SEGMENT or the length of head if the length of entire message is not able to be determined."
))))
3476 " DESEGMENT_ONE_MORE_SEGMENT or the length of head if the length of entire message is not able to be determined.")((void) ((pinfo->desegment_len != 0x0ffffffe) ? (void)0 : (
proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/reassemble.c", 3476, "pinfo->desegment_len != 0x0ffffffe"
, "Subdissector MUST NOT " "set pinfo->desegment_len to DESEGMENT_UNTIL_FIN. Instead, it can set pinfo->desegment_len to "
" DESEGMENT_ONE_MORE_SEGMENT or the length of head if the length of entire message is not able to be determined."
))));
3477 /* only happen during first scan */
3478 DISSECTOR_ASSERT(!PINFO_FD_VISITED(pinfo) && datalen == length)((void) ((!((pinfo)->fd->visited) && datalen ==
length) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/reassemble.c", 3478, "!((pinfo)->fd->visited) && datalen == length"
))));
3479 offset += pinfo->desegment_offset;
3480 length -= pinfo->desegment_offset;
3481 } else {
3482 /* all remaining bytes are consumed by subdissector */
3483 offset += datalen;
3484 length -= datalen;
3485 }
3486 if (!PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
3487 reassembly_info->prev_deseg_len = pinfo->desegment_len;
3488 }
3489 } /* else all remaining bytes (BoMSP) belong to a new MSP */
3490 DISSECTOR_ASSERT(length >= 0)((void) ((length >= 0) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/reassemble.c", 3490,
"length >= 0"))));
3491 }
3492
3493 /* handling BoMSP */
3494 if (length > 0) {
3495 col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "[%s segment of a reassembled PDU] ", label);
3496 if (!PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
3497 /* create a msp for current frame during first scan */
3498 cur_msp = wmem_new0(wmem_file_scope(), multisegment_pdu_t)((multisegment_pdu_t*)wmem_alloc0((wmem_file_scope()), sizeof
(multisegment_pdu_t)));
3499 cur_msp->first_frame = cur_frame_num;
3500 cur_msp->last_frame = UINT64_MAX(18446744073709551615UL);
3501 cur_msp->start_offset_at_first_frame = offset;
3502 cur_msp->length = length;
3503 cur_msp->streaming_reassembly_id = reassembly_id = create_streaming_reassembly_id();
3504 cur_msp->prev_msp = reassembly_info->last_msp;
3505 reassembly_info->last_msp = cur_msp;
3506 if (reassembly_info->multisegment_pdus == NULL((void*)0)) {
3507 reassembly_info->multisegment_pdus = wmem_map_new(wmem_file_scope(), g_int64_hash, g_int64_equal);
3508 }
3509 frame_ptr = (uint64_t*)wmem_memdup(wmem_file_scope(), &cur_frame_num, sizeof(uint64_t));
3510 wmem_map_insert(reassembly_info->multisegment_pdus, frame_ptr, cur_msp);
3511 } else {
3512 DISSECTOR_ASSERT(cur_msp && cur_msp->start_offset_at_first_frame == offset)((void) ((cur_msp && cur_msp->start_offset_at_first_frame
== offset) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/reassemble.c", 3512, "cur_msp && cur_msp->start_offset_at_first_frame == offset"
))));
3513 reassembly_id = cur_msp->streaming_reassembly_id;
3514 }
3515 /* add first fragment of the new MSP to reassembly table */
3516 head = fragment_add(&streaming_reassembly_table, tvb, offset, pinfo, reassembly_id,
3517 NULL((void*)0), 0, length, true1);
3518
3519 if (head && frag_hf_items->hf_reassembled_in) {
3520 proto_item_set_generated(
3521 proto_tree_add_uint(segment_tree, *(frag_hf_items->hf_reassembled_in),
3522 tvb, offset, length, head->reassembled_in)
3523 );
3524 }
3525 proto_tree_add_bytes_format(segment_tree, hf_segment_data, tvb, offset, length,
3526 NULL((void*)0), "%s Segment data (%u byte%s)", label, length, plurality(length, "", "s")((length) == 1 ? ("") : ("s")));
3527 }
3528
3529 pinfo->can_desegment = save_can_desegment;
3530 pinfo->desegment_offset = save_desegment_offset;
3531 pinfo->desegment_len = save_desegment_len;
3532
3533 return orig_length;
3534}
3535
3536int
3537additional_bytes_expected_to_complete_reassembly(streaming_reassembly_info_t* reassembly_info)
3538{
3539 return reassembly_info->prev_deseg_len;
3540}
3541
3542/*
3543 * Editor modelines - https://www.wireshark.org/tools/modelines.html
3544 *
3545 * Local variables:
3546 * c-basic-offset: 8
3547 * tab-width: 8
3548 * indent-tabs-mode: t
3549 * End:
3550 *
3551 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
3552 * :indentSize=8:tabSize=8:noTabs=false:
3553 */