[PATCH] nodiscriminant support for pidl wireshark.pm

Julien Kerihuel j.kerihuel at openchange.org
Thu Jan 14 22:20:16 MST 2010


On Fri, 2010-01-15 at 16:15 +1100, ronnie sahlberg wrote:
> CUT-and-paste.
> 
> Terribly sorry!
> 
> 
> 
> On Fri, Jan 15, 2010 at 4:13 PM, ronnie sahlberg
> <ronniesahlberg at gmail.com> wrote:
> > very good!
> >
> >
> >        offset = mapi_dissect_element_AUX_HEADER_Type(tvb, offset,
> > pinfo, tree, drep, &switch_type);
> >        offset = mapi_dissect_element_AUX_HEADER_Payload_1(tvb,
> > offset, pinfo, tree, drep, switch_type);
> >        offset = mapi_dissect_element_AUX_HEADER_Payload_2(tvb,
> > offset, pinfo, tree, drep, switch_type);
> >
> > What is Payload_2?   just some old cut-n-paste thing?

Oops, indeed it comes from a more recent dissector output.

After I get some sleep I'll post and detail other patches I have been
working on today:
- a patch that provides a preliminary implementation for inline arrays
- a patch that implements logic for LIBNDR_FLAG_NOALIGN
(epan/dissectors/packet-dcerpc-ndr.c + pidl patch).

They are definitely not perfect but they avoid a lot of hand-written work.

Btw, I have added to the dissector the lzxpress routine from
ndr_compression.c + turned defines into static functions. As a result,
the (under development) dissector is able to decompress or deobfuscate
MAPI data blobs for EcDoConnectEx (Exchange 2003/2007 pipe connect
function).

Cheers,
Julien.

> >
> >
> >
> > On Fri, Jan 15, 2010 at 1:09 AM, Julien Kerihuel
> > <j.kerihuel at openchange.org> wrote:
> >> Hi List,
> >>
> >> This one is pidl only, so probably better fits here ;-)
> >>
> >> One of the first issues I encountered while working on the MAPI dissector
> >> using PIDL is that OpenChange is widely using nodiscriminant unions.
> >> These kinds of unions are not NDR compatible and logically not supported
> >> in the existing ws-parser.
> >>
> >> This patch implements support for nodiscriminant unions in pidl only and
> >> generates code wireshark compiles properly + decodes nicely.
> >>
> >> Please note this patch has a limited scope:
> >> - it only works on elements within structures
> >> - it does not deal with switch_is at different sublevels such as
> >> switch_type(Type.my_switch_field) where Type is an element structure
> >> - it assumes the switch_is is an element only with no additional code
> >> such as switch_is(Type & 0xFF).
> >>
> >> The overall logic behind the patch is to tag the needed elements with
> >> keywords we next use to generate appropriate wireshark code. I couldn't
> >> come up with a better approach so far.
> >>
> >> The remaining TODO list can be applied in the future and won't
> >> presumably require a lot of work.
> >>
> >> Further and detailed explanations including IDL snippets and generated
> >> code are available within the docpatch folder on the openchange
> >> dissector repository:
> >>
> >> http://websvn.openchange.org/filedetails.php?repname=dissector&path=%2Fpidl%2Fdocpatch%2F001_nodiscriminant_support.txt
> >>
> >>
> >> Cheers,
> >> Julien.
> >>
> >> --
> >> Julien Kerihuel
> >> j.kerihuel at openchange.org
> >> OpenChange Project Manager
> >>
> >> GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79
> >>
> >>
> >
-- 
Julien Kerihuel
j.kerihuel at openchange.org
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79
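The generated-code pattern ronnie quotes above (read the switch element into switch_type, then hand it to the union arm dissectors), as an added C sketch that is neither pidl output nor code from this thread; the IDL it mirrors, the tvb_t stand-in for tvbuff_t and the HDR names are hypothetical. The point it makes is that a nodiscriminant union carries no tag on the wire, so the caller-supplied switch value alone decides the arm and its length, and the dissector has to bounds-check each arm and stop on an unknown value rather than guess.

```c
/* Added example, not pidl output: hand-written sketch of the dissection
 * pattern for a nodiscriminant union inside a struct.  Hypothetical IDL:
 *   typedef [nodiscriminant] union { uint16 v16; uint32 v32; } PAYLOAD;
 *   typedef struct { uint8 Type; [switch_is(Type)] PAYLOAD Payload; } HDR;
 * The switch field is read first, kept in switch_type, then passed to the
 * union dissector, which selects the arm and bounds-checks the buffer. */
#include <stdint.h>
#include <stddef.h>

typedef struct { const uint8_t *data; size_t len; } tvb_t;  /* stand-in for tvbuff_t */
typedef struct { uint8_t type; uint32_t value; } hdr_t;

/* Returns the new offset, or -1 when the buffer is too short (malformed packet). */
static long dissect_element_HDR_Type(const tvb_t *tvb, long offset, uint8_t *switch_type)
{
    if (offset < 0 || (size_t)offset + 1 > tvb->len) return -1;
    *switch_type = tvb->data[offset];
    return offset + 1;
}

/* Nodiscriminant union: nothing on the wire says which arm follows; only the
 * caller's switch_type does.  Little-endian, as with the default NDR DREP. */
static long dissect_element_HDR_Payload(const tvb_t *tvb, long offset, uint8_t switch_type, uint32_t *value)
{
    size_t need;
    if (offset < 0) return -1;
    switch (switch_type) {
    case 1: need = 2; break;   /* arm v16 */
    case 2: need = 4; break;   /* arm v32 */
    default: return -1;        /* unknown discriminant: refuse to guess a length */
    }
    if ((size_t)offset + need > tvb->len) return -1;
    *value = 0;
    for (size_t i = 0; i < need; i++) *value |= (uint32_t)tvb->data[offset + i] << (8 * i);
    return offset + (long)need;
}

/* Struct dissector: the same sequence pidl emits for a switch_is element. */
long dissect_HDR(const tvb_t *tvb, long offset, hdr_t *out)
{
    uint8_t switch_type;
    offset = dissect_element_HDR_Type(tvb, offset, &switch_type);
    if (offset < 0) return -1;
    offset = dissect_element_HDR_Payload(tvb, offset, switch_type, &out->value);
    if (offset < 0) return -1;
    out->type = switch_type;
    return offset;
}
```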
