1 /* packet-tnef.c
2 * Routines for Transport-Neutral Encapsulation Format (TNEF) packet disassembly
3 *
4 * Copyright (c) 2007 by Graeme Lunt
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1999 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 #include "config.h"
14
15 #include <epan/packet.h>
16 #include <epan/expert.h>
17
18 #include <wiretap/tnef.h>
19
20 #include "packet-dcerpc.h"
21 #include "packet-dcerpc-nspi.h"
22 #include "packet-ber.h"
23
/* Protocol names: long name, short name and filter name. */
#define PNAME  "Transport-Neutral Encapsulation Format"
#define PSNAME "TNEF"
#define PFNAME "tnef"

/*
 * Attribute value types.  An attribute tag carries one of these in its upper
 * 16 bits; dissect_tnef() extracts it with (tag >> 16) & 0xffff.
 */
#define ATP_TRIPLES 0x0000
#define ATP_STRING  0x0001
#define ATP_TEXT    0x0002
#define ATP_DATE    0x0003
#define ATP_SHORT   0x0004
#define ATP_LONG    0x0005
#define ATP_BYTE    0x0006
#define ATP_WORD    0x0007
#define ATP_DWORD   0x0008
#define ATP_MAX     0x0009

/*
 * Attribute tags (type in the upper 16 bits, id in the lower 16 bits).
 * The "handled" marks are the original author's.
 */
#define ATT_OWNER       0x00060000 /* handled */
#define ATT_SENT_FOR    0x00060001 /* handled */
#define ATT_DELEGATE    0x00060002
#define ATT_DATE_START  0x00030006 /* handled */
#define ATT_DATE_END    0x00030007 /* handled */
#define ATT_AID_OWNER   0x00040008
#define ATT_REQUEST_RES 0x00040009

#define ATT_FROM               0x00008000
#define ATT_SUBJECT            0x00018004
#define ATT_DATE_SENT          0x00038005 /* handled */
#define ATT_DATE_RECD          0x00038006 /* handled */
#define ATT_MESSAGE_STATUS     0x00068007
#define ATT_MESSAGE_CLASS      0x00078008 /* handled */
#define ATT_MESSAGE_ID         0x00018009
#define ATT_PARENT_ID          0x0001800A /* handled */
#define ATT_CONVERSATION_ID    0x0001800B /* handled */
#define ATT_BODY               0x0002800C
#define ATT_PRIORITY           0x0004800D /* handled */
#define ATT_ATTACH_DATA        0x0006800F
#define ATT_ATTACH_TITLE       0x00018010 /* handled */
#define ATT_ATTACH_META_FILE   0x00068011
#define ATT_ATTACH_CREATE_DATE 0x00038012 /* handled */
#define ATT_ATTACH_MODIFY_DATE 0x00038013 /* handled */
#define ATT_DATE_MODIFIED      0x00038020 /* handled */

#define ATT_ATTACH_TRANSPORT_FILENAME 0x00069001
#define ATT_ATTACH_REND_DATA          0x00069002
#define ATT_MAPI_PROPS                0x00069003 /* handled */
#define ATT_RECIP_TABLE               0x00069004
#define ATT_ATTACHMENT                0x00069005
#define ATT_TNEF_VERSION              0x00089006 /* handled */
#define ATT_OEM_CODEPAGE              0x00069007 /* handled */
#define ATT_ORIGINAL_MESSAGE_CLASS    0x00079008 /* handled */
73
/* Registration entry points defined at the end of this file. */
void proto_register_tnef(void);
void proto_reg_handoff_tnef(void);

/* Protocol id, assigned by proto_register_protocol() in proto_register_tnef(). */
static int proto_tnef = -1;

/* Header fields for the TNEF stream and its attributes; all are listed in
 * the hf[] table of proto_register_tnef(). */
static int hf_tnef_signature = -1;
static int hf_tnef_key = -1;
static int hf_tnef_attribute = -1;
static int hf_tnef_attribute_lvl = -1;
static int hf_tnef_attribute_tag = -1;
static int hf_tnef_attribute_tag_type = -1;
static int hf_tnef_attribute_tag_id = -1;
static int hf_tnef_attribute_length = -1;
static int hf_tnef_attribute_value = -1;
static int hf_tnef_attribute_string = -1;
static int hf_tnef_attribute_date = -1;
static int hf_tnef_attribute_display_name = -1;
static int hf_tnef_attribute_email_address = -1;
static int hf_tnef_attribute_checksum = -1;
static int hf_tnef_mapi_props = -1;
static int hf_tnef_oem_codepage = -1;
static int hf_tnef_version = -1;
static int hf_tnef_message_class = -1;
static int hf_tnef_original_message_class = -1;
static int hf_tnef_priority = -1;
static int hf_tnef_mapi_props_count = -1;

/* Header fields for one MAPI property and its tag. */
static int hf_tnef_property = -1;
static int hf_tnef_property_tag = -1;
static int hf_tnef_property_tag_type = -1;
static int hf_tnef_property_tag_id = -1;
static int hf_tnef_property_tag_set = -1;
static int hf_tnef_property_tag_kind = -1;
static int hf_tnef_property_tag_name_id = -1;
static int hf_tnef_property_tag_name_length = -1;
static int hf_tnef_property_tag_name_string = -1;
static int hf_tnef_property_padding = -1;
static int hf_tnef_padding = -1;

/* Count and length prefixes used by the counted-value helpers. */
static int hf_tnef_values_count = -1;
static int hf_tnef_value_length = -1;

/* The seven 16-bit members shown by dissect_DTR(). */
static int hf_tnef_attribute_date_year = -1;
static int hf_tnef_attribute_date_month = -1;
static int hf_tnef_attribute_date_day = -1;
static int hf_tnef_attribute_date_hour = -1;
static int hf_tnef_attribute_date_minute = -1;
static int hf_tnef_attribute_date_second = -1;
static int hf_tnef_attribute_date_day_of_week = -1;

/* Property values, one field per property type handled in dissect_mapiprops(). */
static int hf_tnef_PropValue_i = -1;
static int hf_tnef_PropValue_l = -1;
static int hf_tnef_PropValue_b = -1;
static int hf_tnef_PropValue_lpszA = -1;
static int hf_tnef_PropValue_lpszW = -1;
static int hf_tnef_PropValue_lpguid = -1;
static int hf_tnef_PropValue_bin = -1;
static int hf_tnef_PropValue_ft = -1;
static int hf_tnef_PropValue_err = -1;
static int hf_tnef_PropValue_MVi = -1;
static int hf_tnef_PropValue_MVl = -1;
static int hf_tnef_PropValue_MVszA = -1;
static int hf_tnef_PropValue_MVbin = -1;
static int hf_tnef_PropValue_MVguid = -1;
static int hf_tnef_PropValue_MVszW = -1;
static int hf_tnef_PropValue_MVft = -1;
static int hf_tnef_PropValue_null = -1;
static int hf_tnef_PropValue_object = -1;

/* Subtree ids, registered through the ett[] table of proto_register_tnef(). */
static int ett_tnef = -1;
static int ett_tnef_attribute = -1;
static int ett_tnef_attribute_tag = -1;
static int ett_tnef_mapi_props = -1;
static int ett_tnef_property = -1;
static int ett_tnef_property_tag = -1;
static int ett_tnef_counted_items = -1;
static int ett_tnef_attribute_date = -1;
static int ett_tnef_attribute_address = -1;

/* Expert items: more than one value where one was expected, and a stream
 * that does not start with TNEF_SIGNATURE. */
static expert_field ei_tnef_expect_single_item = EI_INIT;
static expert_field ei_tnef_incorrect_signature = EI_INIT;

/* Handle for dissect_tnef(), created in proto_register_tnef(). */
static dissector_handle_t tnef_handle;
157
/* Names for the one-byte attribute level shown as hf_tnef_attribute_lvl. */
static const value_string tnef_Lvl_vals[] = {
  { 1, "LVL-MESSAGE"    },
  { 2, "LVL-ATTACHMENT" },
  { 0, NULL             }
};
163
/* Names for the ATT_PRIORITY value shown as hf_tnef_priority. */
static const value_string tnef_Priority_vals[] = {
  { 1, "Low"    },
  { 2, "High"   },
  { 3, "Normal" },
  { 0, NULL     }
};
170
/* Names for the ATP_* value types, used by hf_tnef_attribute_tag_type. */
static const value_string tnef_Types_vals[] = {
  { ATP_TRIPLES, "Triples" },
  { ATP_STRING,  "String"  },
  { ATP_TEXT,    "Text"    },
  { ATP_DATE,    "Date"    },
  { ATP_SHORT,   "Short"   },
  { ATP_LONG,    "Long"    },
  { ATP_BYTE,    "Byte"    },
  { ATP_WORD,    "Word"    },
  { ATP_DWORD,   "DWord"   },
  { ATP_MAX,     "Max"     },
  { 0, NULL }
};
184
/* Day names for hf_tnef_attribute_date_day_of_week; 0 is Sunday. */
static const value_string weekday_vals[] = {
  { 0, "Sunday"    },
  { 1, "Monday"    },
  { 2, "Tuesday"   },
  { 3, "Wednesday" },
  { 4, "Thursday"  },
  { 5, "Friday"    },
  { 6, "Saturday"  },
  { 0, NULL        }
};
195
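/*
 * Names for the ATT_* attribute tags.  Used by hf_tnef_attribute_tag and by
 * the val_to_str() call in dissect_tnef() that labels each attribute.
 * Every tag is listed exactly once.
 */
static const value_string tnef_Attribute_vals[] = {
  { ATT_OWNER, "ATT_OWNER" },
  { ATT_SENT_FOR, "ATT_SENT_FOR" },
  { ATT_DELEGATE, "ATT_DELEGATE" },
  { ATT_DATE_START, "ATT_DATE_START" },
  { ATT_DATE_END, "ATT_DATE_END" },
  { ATT_AID_OWNER, "ATT_AID_OWNER" },
  { ATT_REQUEST_RES, "ATT_REQUEST_RES" },
  { ATT_FROM, "ATT_FROM" },
  { ATT_SUBJECT, "ATT_SUBJECT" },
  { ATT_DATE_SENT, "ATT_DATE_SENT" },
  { ATT_DATE_RECD, "ATT_DATE_RECD" },
  { ATT_MESSAGE_STATUS, "ATT_MESSAGE_STATUS" },
  { ATT_MESSAGE_CLASS, "ATT_MESSAGE_CLASS" },
  { ATT_MESSAGE_ID, "ATT_MESSAGE_ID" },
  { ATT_PARENT_ID, "ATT_PARENT_ID" },
  { ATT_CONVERSATION_ID, "ATT_CONVERSATION_ID" },
  { ATT_BODY, "ATT_BODY" },
  { ATT_PRIORITY, "ATT_PRIORITY" },
  { ATT_ATTACH_DATA, "ATT_ATTACH_DATA" },
  { ATT_ATTACH_TITLE, "ATT_ATTACH_TITLE" },
  { ATT_ATTACH_META_FILE, "ATT_ATTACH_META_FILE" },
  { ATT_ATTACH_CREATE_DATE, "ATT_ATTACH_CREATE_DATE" },
  { ATT_ATTACH_MODIFY_DATE, "ATT_ATTACH_MODIFY_DATE" },
  { ATT_DATE_MODIFIED, "ATT_DATE_MODIFIED" },
  { ATT_ATTACH_TRANSPORT_FILENAME, "ATT_ATTACH_TRANSPORT_FILENAME" },
  { ATT_ATTACH_REND_DATA, "ATT_ATTACH_REND_DATA" },
  { ATT_MAPI_PROPS, "ATT_MAPI_PROPS" },
  { ATT_RECIP_TABLE, "ATT_RECIP_TABLE" },
  { ATT_ATTACHMENT, "ATT_ATTACHMENT" },
  { ATT_TNEF_VERSION, "ATT_TNEF_VERSION" },
  { ATT_OEM_CODEPAGE, "ATT_OEM_CODEPAGE" },
  { ATT_ORIGINAL_MESSAGE_CLASS, "ATT_ORIGINAL_MESSAGE_CLASS" },
  { 0, NULL }
};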
232
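/*
 * Dissect a counted list of length-prefixed values.
 *
 * Read from tvb starting at offset: a 32-bit little-endian item count, then
 * for each item a 32-bit little-endian byte length followed by that many
 * bytes, which are added to the tree as hf_id using encoding.
 *
 * If single is TRUE and the count is greater than one, an expert item is
 * added and the values are placed in a subtree beneath it.
 *
 * The count and every length come straight from the packet data.  The count
 * is not compared with the data that remains; the loop relies on the tvb
 * accessors raising an exception once a read runs past the buffer.
 *
 * Returns the offset just past the last value.
 */
static gint dissect_counted_values(tvbuff_t *tvb, gint offset, int hf_id, packet_info *pinfo, proto_tree *tree, gboolean single, guint encoding)
{
  guint32 count, i;

  count = tvb_get_letohl(tvb, offset);
  proto_tree_add_item(tree, hf_tnef_values_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);

  if (single && count > 1) {
    /* count is unsigned, so it is printed with %u */
    proto_item *item = proto_tree_add_expert_format(tree, pinfo, &ei_tnef_expect_single_item, tvb, offset, 4,
                                                    "Expecting a single item but found %u", count);
    tree = proto_item_add_subtree(item, ett_tnef_counted_items);
  }

  offset += 4;

  for (i = 0; i < count; i++) {
    guint32 length = tvb_get_letohl(tvb, offset);

    proto_tree_add_item(tree, hf_tnef_value_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    offset += 4;

    /*
     * length is a 32-bit value taken from the packet, while the tvb API and
     * offset are signed.  A value above G_MAXINT would arrive as a negative
     * length (0xFFFFFFFF as -1, "to end of buffer") and adding it to offset
     * would move offset backwards.  tvb_ensure_bytes_exist() raises a bounds
     * exception for a negative length or one that exceeds the data present,
     * so the addition below cannot overflow.
     */
    tvb_ensure_bytes_exist(tvb, offset, length);

    proto_tree_add_item(tree, hf_id, tvb, offset, length, encoding);
    offset += length;

    /* XXX: may be padding ? */
  }

  return offset;
}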
266
/*
 * Dissect an address value: two strings in a row, display name then e-mail
 * address, each preceded by a 16-bit little-endian length.
 *
 * The lengths are read from the packet and are not compared with the length
 * of the enclosing attribute, which this function is not given.
 *
 * Returns the offset just past the e-mail address.
 */
static gint dissect_counted_address(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree)
{
  const int text_fields[2] = {
    hf_tnef_attribute_display_name,
    hf_tnef_attribute_email_address
  };
  int idx;

  for (idx = 0; idx < 2; idx++) {
    guint16 text_len = tvb_get_letohs(tvb, offset);

    proto_tree_add_item(tree, hf_tnef_value_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;

    proto_tree_add_item(tree, text_fields[idx], tvb, offset, text_len, ENC_ASCII|ENC_NA);
    offset += text_len;
  }

  return offset;
}
287
288
/*
 * Dissect a date value: seven consecutive 16-bit little-endian fields
 * starting at offset 0 of tvb (year, month, day, hour, minute, second,
 * day of week).
 */
static void dissect_DTR(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree)
{
  const int date_fields[] = {
    hf_tnef_attribute_date_year,
    hf_tnef_attribute_date_month,
    hf_tnef_attribute_date_day,
    hf_tnef_attribute_date_hour,
    hf_tnef_attribute_date_minute,
    hf_tnef_attribute_date_second,
    hf_tnef_attribute_date_day_of_week
  };
  gint pos = 0;
  guint idx;

  /* every member is two bytes wide */
  for (idx = 0; idx < array_length(date_fields); idx++) {
    proto_tree_add_item(tree, date_fields[idx], tvb, pos, 2, ENC_LITTLE_ENDIAN);
    pos += 2;
  }
}
316
317
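/*
 * Dissect the value of an ATT_MAPI_PROPS attribute.
 *
 * tvb holds only the attribute value.  It starts with a 32-bit little-endian
 * property count, followed by properties.  Each property has a 32-bit tag
 * (type in the low 16 bits, id in the high 16 bits); if bit 31 of the tag is
 * set, a 16-byte property set, a 32-bit kind and then either a 32-bit id
 * (kind 0) or a length-prefixed UTF-16LE name follow.  The value is then
 * dissected according to the tag's type and padded to a 4-byte boundary.
 *
 * oem_encoding is the string encoding used for PT_STRING8 values.
 *
 * All counts and lengths are taken from the data being dissected.
 */
static void dissect_mapiprops(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint oem_encoding)
{
  proto_item *item, *prop_item;
  proto_tree *prop_tree, *tag_tree;
  guint32 tag, tag_kind, tag_length;
  guint16 padding;
  gint offset, start_offset;

  /* Arguments for the PIDL/NSPI helpers, which expect DCE/RPC context. */
  guint8 drep[] = {0x10 /* LE */, /* DCE_RPC_DREP_FP_IEEE */ 0 };
  static dcerpc_info di;
  static dcerpc_call_value call_data;

  offset = 0;

  di.conformant_run = 0;
  /* we need di->call_data->flags.NDR64 == 0 */
  di.call_data = &call_data;
  di.dcerpc_procedure_name = "";

  /* The count is displayed but does not bound the loop below, which runs
   * until the buffer is used up. */
  proto_tree_add_item(tree, hf_tnef_mapi_props_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
  offset += 4;

  while (tvb_reported_length_remaining(tvb, offset) > 0) {

    start_offset = offset;

    /* get the property tag */
    prop_item = proto_tree_add_item(tree, hf_tnef_property, tvb, offset, -1, ENC_NA);
    prop_tree = proto_item_add_subtree(prop_item, ett_tnef_property);

    item = proto_tree_add_item(prop_tree, hf_tnef_property_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    tag_tree = proto_item_add_subtree(item, ett_tnef_property_tag);

    /* add a nice name to the property; tag is a guint32, so the fallback
     * format uses %x rather than %lx */
    tag = tvb_get_letohl(tvb, offset);
    proto_item_append_text(prop_item, " %s", val_to_str(tag, nspi_MAPITAGS_vals, "Unknown tag (0x%08x)"));

    proto_tree_add_item(tag_tree, hf_tnef_property_tag_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;

    proto_tree_add_item(tag_tree, hf_tnef_property_tag_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;

    if (tag & 0x80000000) {
      const guint8* name_string = NULL;

      /* it is a named property */
      proto_tree_add_item(tag_tree, hf_tnef_property_tag_set, tvb, offset, 16, ENC_LITTLE_ENDIAN);
      offset += 16;

      tag_kind = tvb_get_letohl(tvb, offset);
      proto_tree_add_item(tag_tree, hf_tnef_property_tag_kind, tvb, offset, 4, ENC_LITTLE_ENDIAN);
      offset += 4;

      if (tag_kind == 0) {
        proto_tree_add_item(tag_tree, hf_tnef_property_tag_name_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
        offset += 4;
      } else {
        tag_length = tvb_get_letohl(tvb, offset);
        proto_tree_add_item(tag_tree, hf_tnef_property_tag_name_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
        offset += 4;

        /*
         * tag_length is an unsigned 32-bit value from the packet; the tvb
         * API and offset are signed.  Require the whole name to be present
         * (this also rejects values above G_MAXINT, which would otherwise be
         * seen as negative lengths) before using it and stepping over it.
         */
        tvb_ensure_bytes_exist(tvb, offset, tag_length);

        proto_tree_add_item_ret_string(tag_tree, hf_tnef_property_tag_name_string, tvb, offset, tag_length,
                                       ENC_UTF_16|ENC_LITTLE_ENDIAN, pinfo->pool, &name_string);
        offset += tag_length;

        /* the name is padded to a multiple of four bytes */
        if ((padding = (4 - tag_length % 4)) != 4) {
          proto_tree_add_item(tag_tree, hf_tnef_property_padding, tvb, offset, padding, ENC_NA);
          offset += padding;
        }
      }
      proto_item_append_text(prop_item, " [Named Property");
      if (name_string)
        proto_item_append_text(prop_item, ": %s", name_string);
      proto_item_append_text(prop_item, "]");
    }

    switch (tag) {
      /* handle any specific tags here */
    default:
      /* otherwise just use the type; a type with no case below leaves
       * offset where it is, so the value bytes are not consumed here */
      switch (tag & 0x0000ffff) {
      case PT_I2:
        offset = PIDL_dissect_uint16(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_i, 0);
        break;
      case PT_LONG:
        offset = PIDL_dissect_uint32(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_l, 0);
        break;
      case PT_BOOLEAN:
        offset = PIDL_dissect_uint16(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_b, 0);
        break;
      case PT_STRING8:
        offset = dissect_counted_values(tvb, offset, hf_tnef_PropValue_lpszA, pinfo, prop_tree, TRUE, oem_encoding);
        break;
      case PT_BINARY:
        offset = dissect_counted_values(tvb, offset, hf_tnef_PropValue_bin, pinfo, prop_tree, TRUE, ENC_NA);
        break;
      case PT_UNICODE:
        offset = dissect_counted_values(tvb, offset, hf_tnef_PropValue_lpszW, pinfo, prop_tree, TRUE, ENC_UTF_16|ENC_LITTLE_ENDIAN);
        break;
      case PT_CLSID:
        offset = nspi_dissect_struct_MAPIUID(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_lpguid, 0);
        break;
      case PT_SYSTIME:
        offset = nspi_dissect_struct_FILETIME(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_ft, 0);
        break;
      case PT_ERROR:
        offset = nspi_dissect_enum_MAPISTATUS(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_err, 0);
        break;
      case PT_MV_I2:
        offset = nspi_dissect_struct_SShortArray(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_MVi, 0);
        break;
      case PT_MV_LONG:
        offset = nspi_dissect_struct_MV_LONG_STRUCT(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_MVl, 0);
        break;
      case PT_MV_STRING8:
        offset = nspi_dissect_struct_SLPSTRArray(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_MVszA, 0);
        break;
      case PT_MV_BINARY:
        offset = nspi_dissect_struct_SBinaryArray(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_MVbin, 0);
        break;
      case PT_MV_CLSID:
        offset = nspi_dissect_struct_SGuidArray(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_MVguid, 0);
        break;
      case PT_MV_UNICODE:
        offset = nspi_dissect_struct_MV_UNICODE_STRUCT(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_MVszW, 0);
        break;
      case PT_MV_SYSTIME:
        offset = nspi_dissect_struct_SDateTimeArray(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_MVft, 0);
        break;
      case PT_NULL:
        offset = PIDL_dissect_uint32(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_null, 0);
        break;
      case PT_OBJECT:
        offset = PIDL_dissect_uint32(tvb, offset, pinfo, prop_tree, &di, drep, hf_tnef_PropValue_object, 0);
        break;
      }
    }

    /* we may need to pad to a 4-byte boundary */
    if ((padding = (4 - (offset - start_offset) % 4)) != 4) {

      /* we need to pad */
      proto_tree_add_item(prop_tree, hf_tnef_property_padding, tvb, offset, padding, ENC_NA);

      offset += padding;
    }

    proto_item_set_len(prop_item, offset - start_offset);
  }
}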
473
474
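/*
 * Dissect a TNEF stream.
 *
 * Layout as read here: a 32-bit little-endian signature that must equal
 * TNEF_SIGNATURE, a 16-bit key, then attributes.  Each attribute is a 1-byte
 * level, a 32-bit tag (id in the low 16 bits, type in the high 16 bits), a
 * 32-bit value length, the value, and a 16-bit checksum.  The checksum is
 * added with PROTO_CHECKSUM_NO_FLAGS; this function does not compute one to
 * compare it with.
 *
 * The stream is typically an e-mail attachment, so every length in it is
 * untrusted input.
 *
 * Returns 4 (the bytes consumed) if the signature is wrong, otherwise the
 * captured length of tvb.
 */
static int dissect_tnef(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
{
  proto_item *attr_item, *item;
  proto_tree *attr_tree, *tag_tree, *props_tree, *addr_tree, *date_tree;
  guint32 tag, length, signature;
  gint offset, start_offset, trailing;
  tvbuff_t *next_tvb;
  guint64 oem_code_page = 0; /* defined even if the field helper stores nothing */
  guint oem_encoding = ENC_ASCII|ENC_NA;

  if (tree) {
    item = proto_tree_add_item(tree, proto_tnef, tvb, 0, -1, ENC_NA);
    tree = proto_item_add_subtree(item, ett_tnef);
  }

  offset = 0;

  /* first the signature */
  signature = tvb_get_letohl(tvb, offset);
  item = proto_tree_add_item(tree, hf_tnef_signature, tvb, offset, 4, ENC_LITTLE_ENDIAN);
  offset += 4;

  /* check the signature */
  if (signature != TNEF_SIGNATURE) {

    expert_add_info_format(pinfo, item, &ei_tnef_incorrect_signature,
                           " [Incorrect, should be 0x%x. No further dissection possible. Check any Content-Transfer-Encoding has been removed.]", TNEF_SIGNATURE);
    return offset;

  } else {

    proto_item_append_text(item, " [Correct]");

  }

  proto_tree_add_item(tree, hf_tnef_key, tvb, offset, 2, ENC_LITTLE_ENDIAN);
  offset += 2;

  while (tvb_reported_length_remaining(tvb, offset) > 9) { /* there must be at least a level (1), tag (4) and length (4) to be valid */

    start_offset = offset;

    attr_item = proto_tree_add_item(tree, hf_tnef_attribute, tvb, offset, -1, ENC_NA);
    attr_tree = proto_item_add_subtree(attr_item, ett_tnef_attribute);

    proto_tree_add_item(attr_tree, hf_tnef_attribute_lvl, tvb, offset, 1, ENC_LITTLE_ENDIAN);
    offset += 1;

    item = proto_tree_add_item(attr_tree, hf_tnef_attribute_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    tag_tree = proto_item_add_subtree(item, ett_tnef_attribute_tag);

    /* add a nice name to the property; tag is a guint32, so the fallback
     * format uses %x rather than %lx */
    tag = tvb_get_letohl(tvb, offset);
    proto_item_append_text(attr_item, " %s", val_to_str(tag, tnef_Attribute_vals, "Unknown tag (0x%08x)"));

    proto_tree_add_item(tag_tree, hf_tnef_attribute_tag_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;

    proto_tree_add_item(tag_tree, hf_tnef_attribute_tag_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    /* remember the type for the value dissection */
    offset += 2;

    length = tvb_get_letohl(tvb, offset);
    proto_tree_add_item(attr_tree, hf_tnef_attribute_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    offset += 4;

    switch (tag) {
    case ATT_OEM_CODEPAGE:
      proto_tree_add_item_ret_uint64(attr_tree, hf_tnef_oem_codepage, tvb, offset, length, ENC_LITTLE_ENDIAN, &oem_code_page);
      /* the code page selects the encoding used for later string values */
      switch (oem_code_page) {

      case 1250:
        oem_encoding = ENC_WINDOWS_1250|ENC_NA;
        break;

      case 1251:
        oem_encoding = ENC_WINDOWS_1251|ENC_NA;
        break;

      case 1252:
        oem_encoding = ENC_WINDOWS_1252|ENC_NA;
        break;

      default:
        oem_encoding = ENC_ASCII|ENC_NA; /* XXX - support more code pages */
        break;
      }
      break;
    case ATT_TNEF_VERSION:
      proto_tree_add_item(attr_tree, hf_tnef_version, tvb, offset, length, ENC_LITTLE_ENDIAN);
      break;
    case ATT_MESSAGE_CLASS:
      proto_tree_add_item(attr_tree, hf_tnef_message_class, tvb, offset, length, ENC_ASCII|ENC_NA);
      break;
    case ATT_ORIGINAL_MESSAGE_CLASS:
      proto_tree_add_item(attr_tree, hf_tnef_original_message_class, tvb, offset, length, ENC_ASCII|ENC_NA);
      break;
    case ATT_MAPI_PROPS:
      item = proto_tree_add_item(attr_tree, hf_tnef_mapi_props, tvb, offset, length, ENC_NA);
      props_tree = proto_item_add_subtree(item, ett_tnef_mapi_props);

      /* the property parser sees only the attribute value */
      next_tvb = tvb_new_subset_length(tvb, offset, length);

      dissect_mapiprops(next_tvb, pinfo, props_tree, oem_encoding);

      break;
    case ATT_OWNER:
    case ATT_SENT_FOR:
      /* item is still the tag item here, so the address fields hang below it.
       * NOTE(review): the address is parsed from the outer tvb and its own
       * 16-bit lengths are not limited by the attribute length. */
      addr_tree = proto_item_add_subtree(item, ett_tnef_attribute_address);

      (void)dissect_counted_address(tvb, offset, pinfo, addr_tree);

      break;
    case ATT_PRIORITY:
      proto_tree_add_item(attr_tree, hf_tnef_priority, tvb, offset, length, ENC_LITTLE_ENDIAN);
      break;
    default:
      /* just do it on the type */
      switch ((tag >> 16) & 0xffff) {
      case ATP_DATE:
        item = proto_tree_add_item(attr_tree, hf_tnef_attribute_date, tvb, offset, length, ENC_NA);
        date_tree = proto_item_add_subtree(item, ett_tnef_attribute_date);

        next_tvb = tvb_new_subset_length(tvb, offset, length);

        dissect_DTR(next_tvb, pinfo, date_tree);

        break;
      case ATP_STRING:
        {
          const guint8* atp;
          proto_tree_add_item_ret_string(attr_tree, hf_tnef_attribute_string, tvb, offset, length, oem_encoding, pinfo->pool, &atp);
          proto_item_append_text(attr_item, " %s", atp);
        }
        break;
      default:
        proto_tree_add_item(attr_tree, hf_tnef_attribute_value, tvb, offset, length, ENC_NA);
        break;
      }
    }

    /*
     * Step over the value.  length is an unsigned 32-bit value from the
     * stream and offset is a signed gint.  Comparing the unsigned sum with
     * offset only detects wrap-around past 2^32; a sum between G_MAXINT and
     * 2^32 would pass that test and turn offset negative.  Not every case
     * above uses length (the address cases do not), so the check is made
     * here: tvb_ensure_bytes_exist() raises a bounds exception unless the
     * whole value is present, which also rejects lengths above G_MAXINT.
     */
    tvb_ensure_bytes_exist(tvb, offset, length);
    offset += length;

    proto_tree_add_checksum(attr_tree, tvb, offset, hf_tnef_attribute_checksum, -1, NULL, pinfo, 0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
    offset += 2;

    proto_item_set_len(attr_item, offset - start_offset);
  }

  /* there may be some padding */
  trailing = tvb_reported_length_remaining(tvb, offset);
  if (trailing > 0) /* XXX: Not sure if this is really padding or not */
    proto_tree_add_item(tree, hf_tnef_padding, tvb, offset, trailing, ENC_NA);

  return tvb_captured_length(tvb);
}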
633
/*
 * Entry point for TNEF data read as a file (registered for WTAP_ENCAP_TNEF).
 * Fills in the protocol, source and info columns, then dissects the stream
 * with dissect_tnef().  Always reports the whole captured buffer as consumed,
 * whatever dissect_tnef() returns.
 */
static int dissect_tnef_file(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
{
  column_info *columns = pinfo->cinfo;

  col_set_str(columns, COL_PROTOCOL, PSNAME);
  col_set_str(columns, COL_DEF_SRC, PSNAME " encoded file");
  col_append_str(columns, COL_INFO, PNAME);

  (void)dissect_tnef(tvb, pinfo, tree, NULL);

  return tvb_captured_length(tvb);
}
645
/*
 * Register the protocol, its header fields, subtrees and expert items, and
 * make dissect_tnef() available by name under PFNAME.
 */
void
proto_register_tnef(void)
{
  /* One entry per hf_tnef_* variable: display name, filter name, field
   * type, display base, value strings, bit mask, blurb. */
  static hf_register_info hf[] = {
    { &hf_tnef_signature,
      { "Signature", "tnef.signature", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_key,
      { "Key", "tnef.key", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute,
      { "Attribute", "tnef.attribute", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_lvl,
      { "Type", "tnef.attribute.lvl", FT_UINT8, BASE_DEC, VALS(tnef_Lvl_vals), 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_tag,
      { "Tag", "tnef.attribute.tag", FT_UINT32, BASE_HEX, VALS(tnef_Attribute_vals), 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_tag_type,
      { "Type", "tnef.attribute.tag.type", FT_UINT16, BASE_HEX, VALS(tnef_Types_vals), 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_tag_id,
      { "Tag", "tnef.attribute.tag.id", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_length,
      { "Length", "tnef.attribute.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_value,
      { "Value", "tnef.attribute.value", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_string,
      { "String", "tnef.attribute.string", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_date,
      { "Date", "tnef.attribute.date", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_display_name,
      { "Display Name", "tnef.attribute.display_name", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_email_address,
      { "Email Address", "tnef.attribute.email_address", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_date_year,
      { "Year", "tnef.attribute.date.year", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_date_month,
      { "Month", "tnef.attribute.date.month", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_date_day,
      { "Day", "tnef.attribute.date.day", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_date_hour,
      { "Hour", "tnef.attribute.date.hour", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_date_minute,
      { "Minute", "tnef.attribute.date.minute", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_date_second,
      { "Second", "tnef.attribute.date.second", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_date_day_of_week,
      { "Day Of Week", "tnef.attribute.date.day_of_week", FT_UINT16, BASE_DEC, VALS(weekday_vals), 0x0, NULL, HFILL }},
    { &hf_tnef_attribute_checksum,
      { "Checksum", "tnef.attribute.checksum", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_mapi_props,
      { "MAPI Properties", "tnef.mapi_props", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_version,
      { "Version", "tnef.version", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_oem_codepage,
      { "OEM Codepage", "tnef.oem_codepage", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_message_class,
      { "Message Class", "tnef.message_class", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_original_message_class,
      { "Original Message Class", "tnef.message_class.original", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_priority,
      { "Priority", "tnef.priority", FT_UINT16, BASE_DEC, VALS(tnef_Priority_vals), 0x0, NULL, HFILL }},
    { &hf_tnef_mapi_props_count,
      { "Count", "tnef.mapi_props.count", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_property,
      { "Property", "tnef.property", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_property_tag,
      { "Tag", "tnef.property.tag", FT_UINT32, BASE_HEX, VALS(nspi_MAPITAGS_vals), 0x0, NULL, HFILL }},
    { &hf_tnef_property_tag_type,
      { "Type", "tnef.property.tag.type", FT_UINT16, BASE_HEX, VALS(nspi_property_types_vals), 0x0, NULL, HFILL }},
    { &hf_tnef_property_tag_id,
      { "Tag", "tnef.property.tag.id", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_property_tag_set,
      { "Set", "tnef.attribute.tag.set", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_property_tag_kind,
      { "Kind", "tnef.attribute.tag.kind", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_property_tag_name_id,
      { "Name", "tnef.attribute.tag.name.id", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_property_tag_name_length,
      { "Length", "tnef.attribute.tag.name.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_property_tag_name_string,
      { "Name", "tnef.attribute.tag.name.string", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_property_padding,
      { "Padding", "tnef.property.padding", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_padding,
      { "Padding", "tnef.padding", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_values_count,
      { "Count", "tnef.values.count", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_value_length,
      { "Length", "tnef.value.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_i,
      { "I", "tnef.PropValue.i", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_l,
      { "L", "tnef.PropValue.l", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_b,
      { "B", "tnef.PropValue.b", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_lpszA,
      { "Lpsza", "tnef.PropValue.lpszA", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_lpszW,
      { "Lpszw", "tnef.PropValue.lpszW", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_lpguid,
      { "Lpguid", "tnef.PropValue.lpguid", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_bin,
      { "Bin", "tnef.PropValue.bin", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_ft,
      { "Ft", "tnef.PropValue.ft", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_err,
      { "Err", "tnef.PropValue.err", FT_UINT32, BASE_DEC, VALS(nspi_MAPISTATUS_vals), 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_MVi,
      { "Mvi", "tnef.PropValue.MVi", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_MVl,
      { "Mvl", "tnef.PropValue.MVl", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_MVszA,
      { "Mvsza", "tnef.PropValue.MVszA", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_MVbin,
      { "Mvbin", "tnef.PropValue.MVbin", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_MVguid,
      { "Mvguid", "tnef.PropValue.MVguid", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_MVszW,
      { "Mvszw", "tnef.PropValue.MVszW", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_MVft,
      { "Mvft", "tnef.PropValue.MVft", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_null,
      { "Null", "tnef.PropValue.null", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
    { &hf_tnef_PropValue_object,
      { "Object", "tnef.PropValue.object", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
  };

  /* Subtree ids used by the dissection routines in this file. */
  static gint *ett[] = {
    &ett_tnef,
    &ett_tnef_attribute,
    &ett_tnef_attribute_tag,
    &ett_tnef_mapi_props,
    &ett_tnef_property,
    &ett_tnef_property_tag,
    &ett_tnef_counted_items,
    &ett_tnef_attribute_date,
    &ett_tnef_attribute_address,
  };

  /* Both expert items are in the PI_MALFORMED group. */
  static ei_register_info ei[] = {
    { &ei_tnef_expect_single_item,
      { "tnef.expect_single_item", PI_MALFORMED, PI_ERROR, "Expected single item", EXPFILL }},
    { &ei_tnef_incorrect_signature,
      { "tnef.signature.incorrect", PI_MALFORMED, PI_WARN, "Incorrect signature", EXPFILL }},
  };

  expert_module_t *expert_tnef;

  proto_tnef = proto_register_protocol(PNAME, PSNAME, PFNAME);

  proto_register_field_array(proto_tnef, hf, array_length(hf));
  proto_register_subtree_array(ett, array_length(ett));

  expert_tnef = expert_register_protocol(proto_tnef);
  expert_register_field_array(expert_tnef, ei, array_length(ei));

  /* Allow the dissector to be found by name. */
  tnef_handle = register_dissector(PFNAME, dissect_tnef, proto_tnef);
}
835
/*
 * Hand-off: attach the dissector to the three inputs that carry TNEF here,
 * the "application/ms-tnef" media type, the X.400 file transfer body part
 * OID, and files read with the WTAP_ENCAP_TNEF encapsulation.
 */
void
proto_reg_handoff_tnef(void)
{
  /* Files go through dissect_tnef_file(), which also fills in the columns. */
  dissector_handle_t tnef_file_handle = create_dissector_handle(dissect_tnef_file, proto_tnef);

  dissector_add_string("media_type", "application/ms-tnef", tnef_handle);

  /* X.400 file transfer bodypart */
  register_ber_oid_dissector_handle("1.2.840.113556.3.10.1", tnef_handle, proto_tnef, "id-et-tnef");

  dissector_add_uint("wtap_encap", WTAP_ENCAP_TNEF, tnef_file_handle);
}
851
852 /*
853 * Editor modelines - https://www.wireshark.org/tools/modelines.html
854 *
855 * Local Variables:
856 * c-basic-offset: 2
857 * tab-width: 8
858 * indent-tabs-mode: nil
859 * End:
860 *
861 * ex: set shiftwidth=2 tabstop=8 expandtab:
862 * :indentSize=2:tabSize=8:noTabs=true:
863 */
864