NT ACL structure dissection, from Ronnie Sahlberg.

svn path=/trunk/; revision=4405
author: Guy Harris <guy@alum.mit.edu> 2001-12-15 23:59:23 +0000
committer: Guy Harris <guy@alum.mit.edu> 2001-12-15 23:59:23 +0000
commit: 0ff947183059c90f315a0988e3826e5b0a6592db (patch)
tree: 7df92a6ed1b4b4737fa60fdec4349dc95ed69ba9 /packet-smb.c
parent: e9397510706248864f5c8dda2e3726c3ba2b1e74 (diff)
download: wireshark-0ff947183059c90f315a0988e3826e5b0a6592db.tar.gz
wireshark-0ff947183059c90f315a0988e3826e5b0a6592db.tar.bz2
wireshark-0ff947183059c90f315a0988e3826e5b0a6592db.zip
1 files changed, 391 insertions, 3 deletions
diff --git a/packet-smb.c b/packet-smb.c
index ea36b40685..95106ad48d 100644
--- a/packet-smb.c
+++ b/packet-smb.c
@@ -2,7 +2,7 @@
  * Routines for smb packet dissection
  * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
  *
- * $Id: packet-smb.c,v 1.186 2001/12/15 04:35:50 guy Exp $
+ * $Id: packet-smb.c,v 1.187 2001/12/15 23:59:23 guy Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@ethereal.com>
@@ -408,6 +408,29 @@ static int hf_smb_sec_desc_revision = -1;
 static int hf_smb_sec_desc_flags = -1;
 static int hf_smb_sid_revision = -1;
 static int hf_smb_sid_num_auth = -1;
+static int hf_smb_acl_revision = -1;
+static int hf_smb_acl_size = -1;
+static int hf_smb_acl_num_aces = -1;
+static int hf_smb_ace_type = -1;
+static int hf_smb_ace_size = -1;
+static int hf_smb_ace_flags_object_inherit = -1;
+static int hf_smb_ace_flags_container_inherit = -1;
+static int hf_smb_ace_flags_no_propagate_inherit = -1;
+static int hf_smb_ace_flags_inherit_only = -1;
+static int hf_smb_ace_flags_inherited_ace = -1;
+static int hf_smb_ace_flags_valid_inherit = -1;
+static int hf_smb_ace_flags_successful_access = -1;
+static int hf_smb_ace_flags_failed_access = -1;
+static int hf_smb_ace_mask_query = -1;
+static int hf_smb_ace_mask_set = -1;
+static int hf_smb_ace_mask_create_subkey = -1;
+static int hf_smb_ace_mask_enum_subkey = -1;
+static int hf_smb_ace_mask_notify = -1;
+static int hf_smb_ace_mask_create_link = -1;
+static int hf_smb_ace_mask_delete = -1;
+static int hf_smb_ace_mask_read_control = -1;
+static int hf_smb_ace_mask_write_dac = -1;
+static int hf_smb_ace_mask_write_owner = -1;
 static int hf_smb_nt_qsd_owner = -1;
 static int hf_smb_nt_qsd_group = -1;
 static int hf_smb_nt_qsd_dacl = -1;
@@ -577,6 +600,10 @@ static gint ett_smb_fs_attributes = -1;
 static gint ett_smb_segments = -1;
 static gint ett_smb_sec_desc = -1;
 static gint ett_smb_sid = -1;
+static gint ett_smb_acl = -1;
+static gint ett_smb_ace = -1;
+static gint ett_smb_ace_flags = -1;
+static gint ett_smb_ace_mask = -1;
 
 proto_tree *top_tree=NULL;     /* ugly */
 
@@ -6336,8 +6363,265 @@ dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent
   
 	}
 
+	proto_item_set_len(item, offset-old_offset);
+	return offset;
+}
+
+
+static const true_false_string tfs_ace_mask_query = {
+    "QUERY rights are set",
+    "Query rights are NOT set"
+};
+static const true_false_string tfs_ace_mask_set = {
+  "SET rights are set",
+  "Set rights are NOT set"
+};
+static const true_false_string tfs_ace_mask_create_subkey = {
+  "CREATE SUBKEY is set",
+  "Create subkey is NOT set"
+};
+static const true_false_string tfs_ace_mask_enum_subkey = {
+  "ENUM SUBKEY is set",
+  "Enum subkey is NOT set"
+};
+static const true_false_string tfs_ace_mask_notify = {
+  "NOTIFY is set",
+  "Notify is NOT set"
+};
+static const true_false_string tfs_ace_mask_create_link = {
+  "CREATE LINK is set",
+  "Create link is NOT set"
+};
+static const true_false_string tfs_ace_mask_delete = {
+  "DELETE rights are set",
+  "Delete rights are NOT set"
+};
+static const true_false_string tfs_ace_mask_read_control = {
+  "READ CONTROL is set",
+  "Read control is NOT set"
+};
+static const true_false_string tfs_ace_mask_write_dac = {
+  "WRITE DAC is set",
+  "Write dac is NOT set"
+};
+static const true_false_string tfs_ace_mask_write_owner = {
+  "WRITE OWNER rights are set",
+  "Write owner rights are NOT set"
+};
+
+
+static int
+dissect_nt_ace_mask(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
+{
+	proto_item *item = NULL;
+	proto_tree *tree = NULL;
+	guint32 mask;
+
+	mask = tvb_get_letohl(tvb, offset);
+	if(parent_tree){
+		item = proto_tree_add_text(parent_tree, tvb, offset, 4,
+					   "Mask: 0x%08x", mask);
+		tree = proto_item_add_subtree(item, ett_smb_ace_mask);
+	}
+
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_write_owner,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_write_dac,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_read_control,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_delete,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_create_link,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_notify,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_enum_subkey,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_create_subkey,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_set,
+			       tvb, offset, 4, mask);
+	proto_tree_add_boolean(tree, hf_smb_ace_mask_query,
+			       tvb, offset, 4, mask);
+
+	offset += 4;
+	return offset;
+}
 /*qqq*/
 
+
+static const value_string ace_type_vals[] = {
+  { 0, "Access Allowed"},
+  { 1, "Access Denied"},
+  { 2, "System Audit"},
+  { 3, "System Alarm"},
+  { 0, NULL}
+};
+static const true_false_string tfs_ace_flags_object_inherit = {
+  "Object Inherit IS SET",
+  "Object Inherit is NOT set"
+};
+static const true_false_string tfs_ace_flags_container_inherit = {
+  "Container Inherit IS SET",
+  "Container Inherit is NOT set"
+};
+static const true_false_string tfs_ace_flags_no_propagate_inherit = {
+  "No Propagate Inherit IS SET",
+  "No Propagate Inherit is NOT set"
+};
+static const true_false_string tfs_ace_flags_inherit_only = {
+  "Inherit Only IS SET",
+  "Inherit Only is NOT set"
+};
+static const true_false_string tfs_ace_flags_inherited_ace = {
+  "Inherited ACE IS SET",
+  "Inherited ACE is NOT set"
+};
+static const true_false_string tfs_ace_flags_valid_inherit = {
+  "Valid Inherit IS SET",
+  "Valid Inherit is NOT set"
+};
+static const true_false_string tfs_ace_flags_successful_access = {
+  "Successful Access IS SET",
+  "Successful Access is NOT set"
+};
+static const true_false_string tfs_ace_flags_failed_access = {
+  "Failed Access IS SET",
+  "Failed Access is NOT set"
+};
+
+#define APPEND_ACE_TEXT(flag, item, string) \
+        if(item && flag){                                     \
+                  proto_item_append_text(item, string);       \
+        }
+
+static int
+dissect_nt_v2_ace_flags(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
+{
+	proto_item *item = NULL;
+	proto_tree *tree = NULL;
+	guint8 mask;
+
+	mask = tvb_get_guint8(tvb, offset);
+	if(parent_tree){
+		item = proto_tree_add_text(parent_tree, tvb, offset, 1,
+					   "NT ACE Flags:0x%02x", mask);
+		tree = proto_item_add_subtree(item, ett_smb_ace_flags);
+	}
+
+	proto_tree_add_boolean(tree, hf_smb_ace_flags_failed_access,
+		       tvb, offset, 1, mask);
+	APPEND_ACE_TEXT(mask&0x80, item, "  Failed Access,");
+
+	proto_tree_add_boolean(tree, hf_smb_ace_flags_successful_access,
+		       tvb, offset, 1, mask);
+	APPEND_ACE_TEXT(mask&0x40, item, "  Successful Access,");
+
+	proto_tree_add_boolean(tree, hf_smb_ace_flags_valid_inherit,
+		       tvb, offset, 1, mask);
+	APPEND_ACE_TEXT(mask&0x20, item, "  Valid Inherit,");
+
+	proto_tree_add_boolean(tree, hf_smb_ace_flags_inherited_ace,
+		       tvb, offset, 1, mask);
+	APPEND_ACE_TEXT(mask&0x10, item, "  Inherited ACE,");
+
+	proto_tree_add_boolean(tree, hf_smb_ace_flags_inherit_only,
+		       tvb, offset, 1, mask);
+	APPEND_ACE_TEXT(mask&0x08, item, "  Inherit Only,");
+
+	proto_tree_add_boolean(tree, hf_smb_ace_flags_no_propagate_inherit,
+		       tvb, offset, 1, mask);
+	APPEND_ACE_TEXT(mask&0x04, item, "  No Propagate Inherit,");
+
+	proto_tree_add_boolean(tree, hf_smb_ace_flags_container_inherit,
+		       tvb, offset, 1, mask);
+	APPEND_ACE_TEXT(mask&0x02, item, "  Container Inherit,");
+
+	proto_tree_add_boolean(tree, hf_smb_ace_flags_object_inherit,
+		       tvb, offset, 1, mask);
+	APPEND_ACE_TEXT(mask&0x01, item, "  Object Inherit,");
+
+
+	offset += 1;
+	return offset;
+}
+
+static int
+dissect_nt_v2_ace(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree)
+{
+	proto_item *item = NULL;
+	proto_tree *tree = NULL;
+	int old_offset = offset;
+	
+	if(parent_tree){
+		item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+					   "NT ACE: ");
+		tree = proto_item_add_subtree(item, ett_smb_ace);
+	}
+
+	/* type */
+	if(item){
+	  proto_item_append_text(item, val_to_str(tvb_get_guint8(tvb, offset), ace_type_vals, "Unknown ACE type (%u)"));
+	}
+	proto_tree_add_item(tree, hf_smb_ace_type, tvb, offset, 1, TRUE);
+	offset += 1;
+
+	/* flags */
+	offset = dissect_nt_v2_ace_flags(tvb, pinfo, offset, tree);
+
+	/* size */
+	proto_tree_add_item(tree, hf_smb_ace_size, tvb, offset, 2, TRUE);
+	offset += 2;
+
+	/* access mask */
+	offset = dissect_nt_ace_mask(tvb, pinfo, offset, tree);
+
+	/* SID */
+	offset = dissect_nt_sid(tvb, pinfo, offset, tree, "SID");
+
+	proto_item_set_len(item, offset-old_offset);
+	return offset;
+}
+
+static int
+dissect_nt_acl(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
+{
+	proto_item *item = NULL;
+	proto_tree *tree = NULL;
+	int old_offset = offset;
+	guint16 revision, size;
+	guint32 num_aces;
+
+	if(parent_tree){
+		item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+					   "NT %s ACL", name);
+		tree = proto_item_add_subtree(item, ett_smb_acl);
+	}
+
+	/* revision */
+	revision = tvb_get_letohs(tvb, offset);
+	proto_tree_add_uint(tree, hf_smb_acl_revision,
+		tvb, offset, 2, revision);
+	offset += 2;
+
+	switch(revision){
+	case 2:  /* only version we will ever see of this structure?*/
+	  /* size */
+	  proto_tree_add_item(tree, hf_smb_acl_size, tvb, offset, 2, TRUE);
+	  offset += 2;
+
+	  /* number of ace structures */
+	  num_aces = tvb_get_letohl(tvb, offset);
+	  proto_tree_add_uint(tree, hf_smb_acl_num_aces,
+			      tvb, offset, 4, num_aces);
+	  offset += 4;
+
+	  while(num_aces--){
+	    offset=dissect_nt_v2_ace(tvb, pinfo, offset, tree);
+	  }
+	}
+
 	proto_item_set_len(item, offset-old_offset);
 	return offset;
 }
@@ -6402,10 +6686,18 @@ dissect_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *p
 	    dissect_nt_sid(tvb, pinfo, old_offset+group_sid_offset, tree, "Group");
 	  }
 
-	  /*qqq*/
+	  /* sacl */
+	  if(sacl_offset){
+	    dissect_nt_acl(tvb, pinfo, old_offset+sacl_offset, tree, "System");
+	  }
+
+	  /* dacl */
+	  if(dacl_offset){
+	    dissect_nt_acl(tvb, pinfo, old_offset+dacl_offset, tree, "User");
+	  }
+
 	}
 
-	/*qqq*/
 	return offset+len;
 }
 
@@ -15244,6 +15536,97 @@ proto_register_smb(void)
 		{ "Num Auth", "smb.sid.num_auth", FT_UINT8, BASE_DEC,
 		NULL, 0, "Number of authorities for this SID", HFILL }},
 
+	{ &hf_smb_acl_revision,
+		{ "Revision", "smb.acl.revision", FT_UINT16, BASE_DEC,
+		NULL, 0, "Version of NT ACL structure", HFILL }},
+
+	{ &hf_smb_acl_size,
+		{ "Size", "smb.acl.size", FT_UINT16, BASE_DEC,
+		NULL, 0, "Size of NT ACL structure", HFILL }},
+
+	{ &hf_smb_acl_num_aces,
+		{ "Num ACEs", "smb.acl.num_aces", FT_UINT32, BASE_DEC,
+		NULL, 0, "Number of ACE structures for this ACL", HFILL }},
+
+	{ &hf_smb_ace_type,
+		{ "Type", "smb.ace.type", FT_UINT8, BASE_DEC,
+		VALS(ace_type_vals), 0, "Type of ACE", HFILL }},
+
+	{ &hf_smb_ace_size,
+		{ "Size", "smb.ace.size", FT_UINT16, BASE_DEC,
+		NULL, 0, "Size of this ACE", HFILL }},
+
+	{ &hf_smb_ace_flags_object_inherit,
+		{ "", "smb.ace.flags.object_inherit", FT_BOOLEAN, 8,
+		TFS(&tfs_ace_flags_object_inherit), 0x01, "Object Inherit", HFILL }},
+
+	{ &hf_smb_ace_flags_container_inherit,
+		{ "", "smb.ace.flags.container_inherit", FT_BOOLEAN, 8,
+		TFS(&tfs_ace_flags_container_inherit), 0x02, "Container Inherit", HFILL }},
+
+	{ &hf_smb_ace_flags_no_propagate_inherit,
+		{ "", "smb.ace.flags.no_propagate_inherit", FT_BOOLEAN, 8,
+		TFS(&tfs_ace_flags_no_propagate_inherit), 0x04, "No Propagate Inherit", HFILL }},
+
+	{ &hf_smb_ace_flags_inherit_only,
+		{ "", "smb.ace.flags.inherit_only", FT_BOOLEAN, 8,
+		TFS(&tfs_ace_flags_inherit_only), 0x08, "Inherit Only", HFILL }},
+
+	{ &hf_smb_ace_flags_inherited_ace,
+		{ "", "smb.ace.flags.inherited_ace", FT_BOOLEAN, 8,
+		TFS(&tfs_ace_flags_inherited_ace), 0x10, "Inherited ACE", HFILL }},
+
+	{ &hf_smb_ace_flags_valid_inherit,
+		{ "", "smb.ace.flags.valid_inherit", FT_BOOLEAN, 8,
+		TFS(&tfs_ace_flags_valid_inherit), 0x20, "Valid Inherit", HFILL }},
+
+	{ &hf_smb_ace_flags_successful_access,
+		{ "", "smb.ace.flags.successful_access", FT_BOOLEAN, 8,
+		TFS(&tfs_ace_flags_successful_access), 0x40, "Successful Access", HFILL }},
+
+	{ &hf_smb_ace_flags_failed_access,
+		{ "", "smb.ace.flags.failed_access", FT_BOOLEAN, 8,
+		TFS(&tfs_ace_flags_failed_access), 0x80, "Failed Access", HFILL }},
+
+	{ &hf_smb_ace_mask_query,
+	  { "", "smb.ace.mask.query", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_query), 0x00000001, "Query value rights?", HFILL }},
+	{ &hf_smb_ace_mask_set,
+	  { "", "smb.ace.mask.set", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_set), 0x00000002, "Set value rights?", HFILL }},
+
+	{ &hf_smb_ace_mask_create_subkey,
+	  { "", "smb.ace.mask.create_subkey", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_create_subkey), 0x00000004, "Create Subkey rights?", HFILL }},
+
+	{ &hf_smb_ace_mask_enum_subkey,
+	  { "", "smb.ace.mask.enum_subkey", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_enum_subkey), 0x00000008, "Enum subkey rights?", HFILL }},
+
+	{ &hf_smb_ace_mask_notify,
+	  { "", "smb.ace.mask.notify", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_notify), 0x00000010, "Notify rights?", HFILL }},
+
+	{ &hf_smb_ace_mask_create_link,
+	  { "", "smb.ace.mask.create_link", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_create_link), 0x00000020, "Create Link rights?", HFILL }},
+
+	{ &hf_smb_ace_mask_delete,
+	  { "", "smb.ace.mask.delete", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_delete), 0x00010000, "Delete rights?", HFILL }},
+
+	{ &hf_smb_ace_mask_read_control,
+	  { "", "smb.ace.mask.read_control", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_read_control), 0x00020000, "Read Control rights?", HFILL }},
+
+	{ &hf_smb_ace_mask_write_dac,
+	  { "", "smb.ace.mask.write_dac", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_write_dac), 0x00040000, "Write DAC rights?", HFILL }},
+
+	{ &hf_smb_ace_mask_write_owner,
+	  { "", "smb.ace.mask.write_owner", FT_BOOLEAN, 32,
+	    TFS(&tfs_ace_mask_write_owner), 0x00080000, "Write owner rights?", HFILL }},
+	
 
 	};
 	static gint *ett[] = {
@@ -15310,6 +15693,10 @@ proto_register_smb(void)
 		&ett_smb_segments,
 		&ett_smb_sec_desc,
 		&ett_smb_sid,
+		&ett_smb_acl,
+		&ett_smb_ace,
+		&ett_smb_ace_flags,
+		&ett_smb_ace_mask,
 	};
 	module_t *smb_module;
 
@@ -15336,3 +15723,4 @@ proto_reg_handoff_smb(void)
 {
 	heur_dissector_add("netbios", dissect_smb, proto_smb);
 }
+
author	Guy Harris <guy@alum.mit.edu>	2001-12-15 23:59:23 +0000
committer	Guy Harris <guy@alum.mit.edu>	2001-12-15 23:59:23 +0000
commit	0ff947183059c90f315a0988e3826e5b0a6592db (patch)
tree	7df92a6ed1b4b4737fa60fdec4349dc95ed69ba9 /packet-smb.c
parent	e9397510706248864f5c8dda2e3726c3ba2b1e74 (diff)
download	wireshark-0ff947183059c90f315a0988e3826e5b0a6592db.tar.gz wireshark-0ff947183059c90f315a0988e3826e5b0a6592db.tar.bz2 wireshark-0ff947183059c90f315a0988e3826e5b0a6592db.zip