
Wireshark-dev: [Wireshark-dev] [PATCH] some DCERPC fixes

From: "Stefan (metze) Metzmacher" <metze@xxxxxxxxx>
Date: Thu, 23 Nov 2006 08:57:37 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

this patch fixes some problems with encrypted DCERPC traffic

can someone apply it?

metze
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFFZVRxm70gjA5TCD8RApJGAKDKfgMAexxcb1rkq/7q/xXv1rUDBwCgr297
yptBKz9DSh8c1DIGB/8DqwQ=
=PYVS
-----END PGP SIGNATURE-----
Index: epan/dissectors/packet-dcerpc.c
===================================================================
--- epan/dissectors/packet-dcerpc.c	(Revision 19944)
+++ epan/dissectors/packet-dcerpc.c	(Arbeitskopie)
@@ -2127,7 +2127,7 @@
     dcerpc_dissect_fnct_t *volatile sub_dissect;
     const char *volatile saved_proto;
     void *volatile saved_private_data;
-    guint length, reported_length;
+    guint length = 0, reported_length = 0;
     tvbuff_t *volatile stub_tvb;
     volatile guint auth_pad_len;
     volatile int auth_pad_offset;
@@ -2183,8 +2183,9 @@
 	    proc->dissect_rqst : proc->dissect_resp;
 
     if (tree) {
-        sub_item = proto_tree_add_item (tree, sub_proto->proto_id, tvb, 0,
-                                        -1, FALSE);
+        sub_item = proto_tree_add_item (tree, sub_proto->proto_id,
+					(decrypted_tvb != NULL)?decrypted_tvb:tvb,
+					0, -1, FALSE);
 
         if (sub_item) {
             sub_tree = proto_item_add_subtree (sub_item, sub_proto->ett);
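Review bot: The two added argument lines are tab-indented and the conditional is written without spaces, while the surrounding context lines are space-indented; `decrypted_tvb != NULL ? decrypted_tvb : tvb`, aligned with spaces, would match the file. A short comment such as `/* anchor the item to the decrypted buffer when there is one, so lengths set later refer to the same tvb */` would record why the choice of tvb matters here. The enclosing function begins outside the hunk.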
@@ -2230,12 +2231,13 @@
 
             init_ndr_pointer_list(pinfo);
 
+            length = tvb_length(decrypted_tvb);
+            reported_length = tvb_reported_length(decrypted_tvb);
+
             /*
              * Remove the authentication padding from the stub data.
              */
             if (auth_info != NULL && auth_info->auth_pad_len != 0) {
-                length = tvb_length(decrypted_tvb);
-                reported_length = tvb_reported_length(decrypted_tvb);
                 if (reported_length >= auth_info->auth_pad_len) {
                     /*
                      * OK, the padding length isn't so big that it
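Review bot: `tvb_length(decrypted_tvb)` and `tvb_reported_length(decrypted_tvb)` are now called unconditionally here, while the earlier hunk in this patch treats `decrypted_tvb` as possibly NULL. If the enclosing block, which starts outside this hunk, does not already exclude the NULL case, a payload that could not be decrypted would reach these calls with a NULL tvb, and whether decryption succeeds depends on the captured traffic. Either confirm the guard and record it with a comment such as `/* decrypted_tvb is non-NULL here: checked by the enclosing block */`, or guard the two assignments.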
@@ -2253,7 +2255,7 @@
                     if (length > reported_length)
                         length = reported_length;
 
-                    stub_tvb = tvb_new_subset(tvb, 0, length, reported_length);
+                    stub_tvb = tvb_new_subset(decrypted_tvb, 0, length, reported_length);
                     auth_pad_len = auth_info->auth_pad_len;
                     auth_pad_offset = reported_length;
                 } else {
@@ -2266,6 +2268,8 @@
                     stub_tvb = NULL;
                     auth_pad_len = reported_length;
                     auth_pad_offset = 0;
+                    length = 0;
+                    reported_length = 0;
                 }
             } else {
                 /*
@@ -2276,6 +2280,10 @@
                 auth_pad_offset = 0;
             }
 
+            if (sub_item) {
+              	proto_item_set_len(sub_item, length);
+            }
+
             if (stub_tvb != NULL) {
                 /*
                  * Catch all exceptions other than BoundsError, so that even
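Review bot: `if (sub_item)` reads `sub_item` outside the `if (tree)` block that assigns it, so it relies on `sub_item` being initialised to NULL at its declaration, which this patch does not show (the first hunk initialises only `length` and `reported_length`). If it is not initialised, this is an uninitialised read whenever `tree` is NULL; `if (tree && sub_item) {` would keep the same `tree` guard that the TRY block uses. The added `proto_item_set_len` line is also indented with a mix of spaces and a tab.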
@@ -2287,25 +2295,24 @@
                  * dissect; just re-throw that exception.
                  */
                 TRY {
-                    offset = sub_dissect (decrypted_tvb, 0, pinfo, sub_tree,
+                    offset = sub_dissect (stub_tvb, 0, pinfo, sub_tree,
                                           drep);
-                    if(tree) {
+                    if(tree && offset > 0) {
                         proto_item_set_len(sub_item, offset);
                     }
 
                     /* If we have a subdissector and it didn't dissect all
                        data in the tvb, make a note of it. */
-                    /* XXX - don't do this, as this could be just another RPC Req./Resp. in this PDU */
-                    /*if (tvb_reported_length_remaining(stub_tvb, offset) > 0) {
+                    if (tvb_reported_length_remaining(stub_tvb, offset) > 0) {
                         if (check_col(pinfo->cinfo, COL_INFO))
                             col_append_fstr(pinfo->cinfo, COL_INFO,
                                             "[Long frame (%d bytes)]",
                                             tvb_reported_length_remaining(stub_tvb, offset));
-                    }*/
+                    }
                 } CATCH(BoundsError) {
                     RETHROW;
                 } CATCH_ALL {
-                    show_exception(decrypted_tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
+                    show_exception(stub_tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
                 } ENDTRY;
             }
 
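Review bot: The re-enabled `[Long frame ...]` check drops the `XXX` comment that explained why it was disabled (the remaining bytes "could be just another RPC Req./Resp. in this PDU") without saying why that concern no longer holds. A comment stating the reason, presumably that `stub_tvb` now has the authentication padding removed, should replace it. The check also uses `offset` unguarded, although the line above now skips `proto_item_set_len` when `offset <= 0`, so a sub-dissector returning 0 would label the whole stub as a long frame. If that is not intended, `if (offset > 0 && tvb_reported_length_remaining(stub_tvb, offset) > 0) {` makes the condition explicit. The function body continues outside the hunk.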

Attachment: dcerpc-fix-01.diff.sig
Description: PGP signature