Wireshark-dev: [Wireshark-dev] Better dissection in the SMB dissector when captures contain tru

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Tue, 2 Oct 2012 15:36:28 -0700

Hi folks,

I am often given captures that contain truncated packets.

It annoys me that in many places the SMB dissector does not attempt to
do all it could with the data.

For example, with TRANS2 FIND_FIRST2 it does not bother displaying any
of the files returned if the data is truncated.

The following small patch fixes that, although I want to go through
and do the same for all of the FF2 info levels:

Index: epan/dissectors/packet-smb.c
===================================================================
--- epan/dissectors/packet-smb.c        (revision 43693)
+++ epan/dissectors/packet-smb.c        (working copy)
@@ -14656,8 +14656,20 @@
        si = (smb_info_t *)pinfo->private_data;
        DISSECTOR_ASSERT(si);

+       /*
+        * We check this first before adding the sub-tree so things do not
+        * get ugly.
+        */
+
+       /* next entry offset */
+       CHECK_BYTE_COUNT_SUBR(4);
+       neo = tvb_get_letohl(tvb, offset);
+
+       /* Ensure we have the bytes we need, wich is up to neo */
+       tvb_ensure_bytes_exist(tvb, offset, neo);
+
        if (parent_tree) {
-               tvb_ensure_bytes_exist(tvb, offset, *bcp);
+               /*tvb_ensure_bytes_exist(tvb, offset, *bcp); */
                item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
                    val_to_str(si->info_level, ff2_il_vals, "Unknown
(0x%02x)"));
                tree = proto_item_add_subtree(item, ett_smb_ff2_data);
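Review bot: neo is read from the packet with tvb_get_letohl and passed straight to tvb_ensure_bytes_exist as a length, with no check for 0 or against *bcp. Please bound it first (handle neo == 0 and neo > *bcp explicitly) so that a bogus offset is reported as malformed rather than as a short capture. The proto_tree_add_text call below still uses *bcp as the item length now that the *bcp check is disabled; please confirm that does not throw on a truncated capture, or size the item from neo. The commented-out tvb_ensure_bytes_exist line should be deleted rather than left in place, and "wich" in the new comment should read "which".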
@@ -14669,9 +14681,6 @@
         * key" flag set.
         */

-       /* next entry offset */
-       CHECK_BYTE_COUNT_SUBR(4);
-       neo = tvb_get_letohl(tvb, offset);
        proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb,
offset, 4, neo);
        COUNT_BYTES_SUBR(4);

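Review bot: with the read removed here, proto_tree_add_uint relies on neo having been fetched at this same offset in the earlier hunk, and CHECK_BYTE_COUNT_SUBR(4) now sits far from the COUNT_BYTES_SUBR(4) it pairs with. Please confirm that nothing in the lines between the two hunks advances offset or changes *bcp, and add a one-line comment at this spot saying that neo was read and checked above.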


-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao)
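Added example, not part of the original post or of Wireshark's code: a standalone walk over a list of entries chained by a leading 4-byte little-endian next-entry offset, showing how the entries that are fully captured can still be processed when the capture is cut short. The names `walk_entries`, `le32` and `SAMPLE`, the reduced entry layout (offset field plus opaque body) and the "offset 0 ends the list" rule are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: three 12-byte entries, offsets 12, 12, 0 (0 = last). */
static const uint8_t SAMPLE[36] = { [0] = 12, [12] = 12 };

/* Read a 32-bit little-endian value from a raw buffer. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Count entries that are fully present. captured = bytes in the capture,
 * reported = bytes the protocol says the entry list occupies. *stopped_early
 * is set when a cut-off or out-of-range entry ended the walk.
 */
static size_t walk_entries(const uint8_t *buf, size_t captured,
                           size_t reported, int *stopped_early)
{
    size_t limit = captured < reported ? captured : reported;
    size_t off = 0, complete = 0;

    *stopped_early = 0;
    while (off < reported) {
        if (limit - off < 4) { *stopped_early = 1; break; }  /* header cut */
        uint32_t neo = le32(buf + off);
        /* Assumption: offset 0 means the entry runs to the end of the list. */
        size_t len = neo ? (size_t)neo : reported - off;
        if (len < 4 || len > reported - off || len > limit - off) {
            *stopped_early = 1;   /* bogus offset, or body not captured */
            break;
        }
        complete++;               /* safe to dissect buf[off .. off+len) */
        off += len;
        if (neo == 0) break;
    }
    return complete;
}

int main(void)
{
    int early;
    size_t n = walk_entries(SAMPLE, 30, sizeof SAMPLE, &early);
    printf("complete entries: %zu, stopped early: %d\n", n, early);
    return 0;
}
```

With 30 of the 36 reported bytes captured, the first two entries are still counted and only the third is flagged as cut off.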