From 64e81f2917f6865dff8df96e18cec1b8bf2fa836 Mon Sep 17 00:00:00 2001 From: guy Date: Mon, 15 Jan 2001 03:23:58 +0000 Subject: [PATCH] Handle IPX socket 0x553, which is some kind of NetBIOS-over-IPX socket. (We call it "nwlink-dgm" for now; Ethereal calls it a NWLink SMB datagram.) Don't throw every LLC frame with unknown SAPs at the NetBIOS-over-IPX dissector; just throw the frames for IPX sockets 0x455 and 0x553 at it, as those appear to be the sockets used (if there are any others, please add them to the IPX dissector - putting it back in the LLC dissector won't help, as all IPX frames, including LLC frames, should now be handed to the IPX dissector). Do better bounds checking in "ipx_netbios_print()" and "netbeui_print()", i.e. don't go past the end of the captured data in the packet when looking for the 0xFF S M B signature. --- interface.h | 4 ++-- ipx.h | 5 +++-- print-ipx.c | 7 ++++++- print-llc.c | 10 +--------- print-smb.c | 25 ++++++++++++++++++++----- 5 files changed, 32 insertions(+), 19 deletions(-) diff --git a/interface.h b/interface.h index 860c4d88..1ef06e5c 100644 --- a/interface.h +++ b/interface.h @@ -18,7 +18,7 @@ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.149 2001-01-02 22:47:06 guy Exp $ (LBL) + * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.150 2001-01-15 03:23:58 guy Exp $ (LBL) */ #ifndef tcpdump_interface_h 
@@ -253,7 +253,7 @@ extern void isakmp_print(const u_char *, u_int, const u_char *); extern int ipcomp_print(register const u_char *, register const u_char *, int *); extern void rx_print(register const u_char *, int, int, int, u_char *); extern void netbeui_print(u_short, const u_char *, const u_char *); -extern void ipx_netbios_print(const u_char *, const u_char *); +extern void ipx_netbios_print(const u_char *, u_int); extern void nbt_tcp_print(const u_char *, int); extern void nbt_udp137_print(const u_char *data, int); extern void nbt_udp138_print(const u_char *data, int); diff --git a/ipx.h b/ipx.h index 21557bd2..19092435 100644 --- a/ipx.h +++ b/ipx.h @@ -1,7 +1,7 @@ /* * IPX protocol formats * - * @(#) $Header: /tcpdump/master/tcpdump/ipx.h,v 1.3 2001-01-15 00:43:59 guy Exp $ + * @(#) $Header: /tcpdump/master/tcpdump/ipx.h,v 1.4 2001-01-15 03:23:59 guy Exp $ */ /* well-known sockets */ @@ -10,7 +10,8 @@ #define IPX_SKT_RIP 0x0453 #define IPX_SKT_NETBIOS 0x0455 #define IPX_SKT_DIAGNOSTICS 0x0456 -#define IPX_SKT_EIGRP 0x85be /* Cisco EIGRP over IPX */ +#define IPX_SKT_NWLINK_DGM 0x0553 /* NWLink datagram, may contain SMB */ +#define IPX_SKT_EIGRP 0x85be /* Cisco EIGRP over IPX */ /* IPX transport header */ struct ipxHdr { diff --git a/print-ipx.c b/print-ipx.c index 43b691ed..413d6ba9 100644 --- a/print-ipx.c +++ b/print-ipx.c @@ -24,7 +24,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /tcpdump/master/tcpdump/print-ipx.c,v 1.29 2001-01-15 02:23:25 guy Exp $"; + "@(#) $Header: /tcpdump/master/tcpdump/print-ipx.c,v 1.30 2001-01-15 03:23:59 guy Exp $"; #endif #ifdef HAVE_CONFIG_H 
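Review bot: The new prototype `extern void ipx_netbios_print(const u_char *, u_int);` leaves its second parameter unnamed, so a reader of interface.h cannot tell whether it is the captured length or the length claimed by the packet. The neighbouring netbeui_print declaration still takes an end pointer, which makes the two NetBIOS entry points inconsistent. Naming the parameters, as the nbt_udp137_print declaration just below does for `data`, would help: `extern void ipx_netbios_print(const u_char *data, u_int length);`. A one-line comment saying which length is meant would make the bounds contract explicit for callers.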
@@ -108,10 +108,15 @@ ipx_decode(const struct ipxHdr *ipx, const u_char *datap, u_int length) break; case IPX_SKT_NETBIOS: (void)printf(" ipx-netbios %d", length); + ipx_netbios_print(datap, length); break; case IPX_SKT_DIAGNOSTICS: (void)printf(" ipx-diags %d", length); break; + case IPX_SKT_NWLINK_DGM: + (void)printf(" ipx-nwlink-dgm %d", length); + ipx_netbios_print(datap, length); + break; case IPX_SKT_EIGRP: (void)printf(" ipx-eigrp %d", length); break; diff --git a/print-llc.c b/print-llc.c index 880f7488..2d49d618 100644 --- a/print-llc.c +++ b/print-llc.c @@ -24,7 +24,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.33 2001-01-15 00:33:59 guy Exp $"; + "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.34 2001-01-15 03:24:00 guy Exp $"; #endif #ifdef HAVE_CONFIG_H @@ -245,14 +245,6 @@ llc_print(const u_char *p, u_int length, u_int caplen, caplen -= 3; } } - - if (cmd == LLC_UI && f == 'C') { - /* - * we don't have a proper ipx decoder yet, but there - * is a partial one in the smb code - */ - ipx_netbios_print(p,p+min(caplen,length)); - } } else { char f; diff --git a/print-smb.c b/print-smb.c index 85e2b437..f3002e09 100644 --- a/print-smb.c +++ b/print-smb.c @@ -11,7 +11,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /tcpdump/master/tcpdump/print-smb.c,v 1.7 2000-12-05 06:42:47 guy Exp $"; + "@(#) $Header: /tcpdump/master/tcpdump/print-smb.c,v 1.8 2001-01-15 03:24:00 guy Exp $"; #endif #include 
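Review bot: In the print-ipx.c hunk, the added `(void)printf(" ipx-nwlink-dgm %d", length);` formats `length` with %d although the ipx_decode signature in the hunk header declares it as u_int. A value above INT_MAX would therefore print as a negative number; the matching conversion is `(void)printf(" ipx-nwlink-dgm %u", length);`. The surrounding cases use the same %d, so the new line follows existing style and all of them could be corrected together. ipx_decode starts and ends outside this hunk.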
@@ -1003,12 +1003,18 @@ void netbeui_print(u_short control, const uchar *data, const uchar *maxbuf) goto out; } + /* If there isn't enough data for "\377SMB", don't look for it. */ + if (!TTEST2(data2[3], 4)) + goto out; + if (memcmp(data2,"\377SMB",4)==0) { print_smb(data2,maxbuf); } else { int i; for (i=0;i<128;i++) { - if (&data2[i] >= maxbuf) + if (!TTEST2(data2[i], 4)) + break; + if (&data2[i+3] >= maxbuf) break; if (memcmp(&data2[i],"\377SMB",4)==0) { printf("found SMB packet at %d\n", i); @@ -1026,12 +1032,20 @@ out: /* print IPX-Netbios frames */ -void ipx_netbios_print(const uchar *data, const uchar *maxbuf) +void ipx_netbios_print(const uchar *data, u_int length) { - /* this is a hack till I work out how to parse the rest of the IPX stuff */ + /* this is a hack till I work out how to parse the rest of the + NetBIOS-over-IPX stuff */ int i; + const uchar *maxbuf; + + maxbuf = data + length; startbuf = data; - for (i=0;i<128;i++) + for (i=0;i<128;i++) { + if (!TTEST2(data[i], 4)) + break; + if (&data[i+3] >= maxbuf) + break; if (memcmp(&data[i],"\377SMB",4)==0) { fdata(data,"\n>>> IPX transport ",&data[i]); if (data != NULL) @@ -1040,6 +1054,7 @@ void ipx_netbios_print(const uchar *data, const uchar *maxbuf) fflush(stdout); break; } + } if (i==128) fdata(data,"\n>>> Unknown IPX ",maxbuf); } -- 2.39.5
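Review bot: In netbeui_print, the new pre-check `if (!TTEST2(data2[3], 4))` starts its test at data2[3], while the memcmp that follows reads data2[0] through data2[3]. Assuming TTEST2(var, l) tests l captured bytes beginning at var, the check demands seven bytes rather than the four that the comment above it describes. `if (!TTEST2(data2[0], 4))` would match both the comment and the form used inside the loop (`TTEST2(data2[i], 4)`). The early `goto out` is also silent; whether the `out:` label prints a truncation marker cannot be seen here, since netbeui_print starts and ends outside the hunk.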
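Review bot: In ipx_netbios_print, `maxbuf = data + length;` is built from the caller's length with no clamp, and the calls after the scan loop then use that pointer as the end of the buffer (`fdata(data,"\n>>> Unknown IPX ",maxbuf)` is visible in the next hunk). The TTEST2 checks added to the loop protect only the signature search. If length is the on-the-wire IPX length and exceeds what was captured, maxbuf points past the captured data, and a very large length makes the pointer addition itself undefined. Bounding it at the assignment keeps the downstream printers inside the capture: `maxbuf = (length > (u_int)(snapend - data)) ? snapend : data + length;`. That assumes snapend is the global TTEST2 compares against and that data does not already lie beyond it.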
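Review bot: After the bounds breaks added to the loop in the previous hunk, the `if (i==128)` test following the new closing brace no longer means "no SMB signature found". A frame that runs out of captured data or payload before offset 128 leaves the loop with i < 128, and the function then prints nothing at all for it. Recording a match in a flag and testing `if (!found)` would keep short or truncated NetBIOS-over-IPX frames visible in the output; printing a truncation marker on the early exits would do the same.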