
[Wireshark-dev] packet-smb not properly handling transact requests and responses

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sat, 9 Jun 2012 15:12:39 -0700
Hi folks,

So, in Samba bug https://bugzilla.samba.org/show_bug.cgi?id=8989 you
will find two captures relating to the handling of NT TRANSACT SET
SECURITY DESCRIPTOR.

Wireshark does not handle the dissection of these correctly, and I
suspect, normal SMB TRANSACT and SMB TRANSACT2 requests/responses.

In dissect_smb, in the code for a normal bidirectional request or
response, we look up, using g_hash_table_lookup, the sip for the pid_mid
of the current frame. However, we look it up in the unmatched
requests.

By the time we see a secondary, the original request with that pid_mid
is no longer unmatched, so we have a null sip. Later, when we call
smb_trans_defragment on the secondary (so we can give this fragment to
the original request), we do not have a sip, so we do nothing.

It seems that in dissect_smb, if the request is an XXX_SECONDARY, we
should look up the sip in the matched packets not the unmatched
packets.

What say ye?

I will give that a try to see if I can make progress.

-- 
Regards,
Richard Sharpe
(How does one dispel sorrow? Only with Dukang wine. -- Cao Cao)
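The two-table bookkeeping the mail describes, as an added toy model written for this page (it is not Wireshark's packet-smb.c and none of its names are Wireshark's): requests live in an "unmatched" table keyed by pid_mid until a response claims them, after which they live in a "matched" table. The frame sequence, the pid_mid value 0x1234 and the interim-response behaviour are constructed to follow the mail's description; the real matched table is keyed by frame number, so the pid_mid scan used here for the proposed fallback is an assumption about how the lookup might be done, not a description of existing code.

```c
/*
 * Toy model of the unmatched/matched request bookkeeping discussed above.
 * Illustrative code for this page only: fixed arrays with linear search
 * stand in for GHashTable, and the capture below is constructed.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SIPS 8

enum smb_kind {
    PRIMARY_REQ,    /* TRANSACT / TRANSACT2 / NT_TRANSACT primary request */
    INTERIM_RESP,   /* interim response sent before the secondaries arrive */
    SECONDARY_REQ,  /* *_SECONDARY carrying the next fragment */
    FINAL_RESP
};

struct smb_frame { unsigned frame; unsigned pid_mid; enum smb_kind kind; };

/* Saved info for one transaction, in the role of smb_saved_info_t. */
struct sip {
    unsigned frame_req;       /* frame number of the primary request */
    unsigned pid_mid;
    unsigned n_secondaries;   /* fragments defragmented onto this request */
    int in_unmatched;         /* set while no response has been seen */
    int in_matched;           /* set once a response has claimed it */
};

struct tables { struct sip pool[MAX_SIPS]; unsigned used; };

/* "unmatched": requests still awaiting a response, keyed by pid_mid. */
static struct sip *lookup_unmatched(struct tables *t, unsigned pid_mid)
{
    for (unsigned i = 0; i < t->used; i++)
        if (t->pool[i].in_unmatched && t->pool[i].pid_mid == pid_mid)
            return &t->pool[i];
    return NULL;
}

/* "matched": requests already answered. The real table is frame-keyed; this
 * pid_mid scan is an assumed way to find the primary a secondary belongs to. */
static struct sip *lookup_matched_by_pid_mid(struct tables *t, unsigned pid_mid)
{
    for (unsigned i = 0; i < t->used; i++)
        if (t->pool[i].in_matched && t->pool[i].pid_mid == pid_mid)
            return &t->pool[i];
    return NULL;
}

/* Attach a fragment to its primary request; does nothing without a sip. */
static void smb_trans_defragment(struct sip *s)
{
    if (s) s->n_secondaries++;
}

/* One frame through the model. With fall_back_to_matched set, a *_SECONDARY
 * whose pid_mid is no longer unmatched is looked up in the matched table. */
static void dissect_smb_model(struct tables *t, const struct smb_frame *f,
                              int fall_back_to_matched)
{
    struct sip *s;
    switch (f->kind) {
    case PRIMARY_REQ:
        if (t->used >= MAX_SIPS) return;
        s = &t->pool[t->used++];
        memset(s, 0, sizeof *s);
        s->frame_req = f->frame;
        s->pid_mid = f->pid_mid;
        s->in_unmatched = 1;
        break;
    case INTERIM_RESP:
    case FINAL_RESP:
        s = lookup_unmatched(t, f->pid_mid);
        if (s) { s->in_unmatched = 0; s->in_matched = 1; }  /* response claims it */
        break;
    case SECONDARY_REQ:
        s = lookup_unmatched(t, f->pid_mid);   /* current behaviour per the mail */
        if (!s && fall_back_to_matched)
            s = lookup_matched_by_pid_mid(t, f->pid_mid);
        smb_trans_defragment(s);
        break;
    }
}

/* Replays the constructed capture: primary, interim response, two secondaries,
 * final response. Returns how many secondaries reached the primary request. */
unsigned secondaries_attached(int fall_back_to_matched)
{
    static const struct smb_frame capture[] = {
        { 1, 0x1234, PRIMARY_REQ }, { 2, 0x1234, INTERIM_RESP },
        { 3, 0x1234, SECONDARY_REQ }, { 4, 0x1234, SECONDARY_REQ },
        { 5, 0x1234, FINAL_RESP },
    };
    struct tables t;
    memset(&t, 0, sizeof t);
    for (size_t i = 0; i < sizeof capture / sizeof capture[0]; i++)
        dissect_smb_model(&t, &capture[i], fall_back_to_matched);
    return t.used ? t.pool[0].n_secondaries : 0;
}

int main(void)
{
    printf("unmatched-only lookup: %u of 2 secondaries attached\n", secondaries_attached(0));
    printf("matched fallback:      %u of 2 secondaries attached\n", secondaries_attached(1));
    return 0;
}
```

With the lookup confined to the unmatched table, both secondaries arrive after the interim response has moved the primary out of that table, so the sip is NULL and nothing is defragmented; consulting the matched table for *_SECONDARY frames lets both fragments reach the primary. The model says nothing about how Wireshark should index the matched table by pid_mid, which is the part the mail leaves open.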