read_string: Fix 8-aligned parsing

We were facing a bug when reading a 8-aligned Nix daemon string: we were missing the null termination byte. Adding this null byte when needed.
Add basic Nix daemon string support
2023-09-14 14:01:47 +02:00 · 2023-09-14 12:15:00 +02:00
1 changed files with 68 additions and 1 deletions
--- a/nix-packet.lua
+++ b/nix-packet.lua
@ -13,6 +13,10 @@ local daemon_hello_version_field = ProtoField.uint64("nix.daemonhello.protolvers

 local op_name_field = ProtoField.string("nix.opname", "Operation Name")

+local op_addtostore = ProtoField.bytes("nix.addtostore", "Add to store operation")
+local op_addtostore_name = ProtoField.string("nix.addtostore.name", "Add to store name")
+local op_addtostore_camstr = ProtoField.string("nix.camstr.name", "Add to store camstr")
+
 nix_proto.fields = {
   dst_field,
   src_field,
@ -24,7 +28,10 @@ nix_proto.fields = {
   daemon_hello_field,
   daemon_hello_magic_field,
   daemon_hello_version_field,
-   op_name_field
+   op_name_field,
+   op_addtostore,
+   op_addtostore_name,
+   op_addtostore_camstr
 }

 local op_table = {
@ -90,8 +97,68 @@ function parse_daemon_hello(tvb, pinfo, tree, offset)
   return offset + 8
 end

+-- Reads a Nix daemon string from tvb.
+-- The Nix daemon strings are composed of two fields:
+-- 1. The size of the string (8 bytes)
+-- 2. The string itself, 8-aligned (padding with \0), non null
+--    terminated.
+function read_string(tvb, pinfo, tree, offset)
+   local str
+
+   -- Read size (u_size)
+   local size = tvb(offset,4):le_int()
+   local offset = offset + 8
+
+   -- Strings are 8-aligned. We need to discard the potential padding.
+   if (size % 8) ~= 0 then
+      -- Parting the string. They are null-padded, so we'll get a the
+      -- null terminaison wireshark is expecting for free.
+      str = tvb(offset,size):string()
+      offset = offset + (size + ((8 - (size % 8))))
+   else
+      -- The string is already 8-aligned. This is a bit annoying:
+      -- Wireshark expects the strings to be null terminated. Nix
+      -- daemon is not null-terminating the strings it sends to the
+      -- wire.
+      --
+      -- We have to extract the string to a new tvb to append a null
+      -- byte at the end. We can then send this new null-terminated
+      -- string to wireshark.
+      --
+      -- Note: the offset indexes the original tvb, not the
+      -- temporarily created one. There's no need to take this new
+      -- null bit into account.
+      local tvb_clone = tvb:bytes(offset, size + 1)
+      tvb_clone:set_index(size, 0)
+      str = tvb_clone(0,size+1):tvb():range(0,size+1):string()
+      offset = offset + size
+   end
+
+   return offset, str
+end
+
+function parse_add_to_store(tvb, pinfo, tree, offset)
+   local initoffset = offset
+   local offsetname = 0
+
+   offsetname, name = read_string(tvb, pinfo, tree, offset)
+   offset, camstr = read_string(tvb, pinfo, tree, offsetname)
+
+   local subtree = tree:add(op_addtostore, tvb(initoffset, offset - initoffset))
+   subtree:add(op_addtostore_name, tvb(initoffset, offsetname - initoffset), name)
+   subtree:add(op_addtostore_camstr, tvb(offsetname, offset - offsetname), camstr)
+
+   return offset
+end
+
 function parse_op(tvb, pinfo, tree, offset, op)
   tree:add(op_name_field, tvb(offset, 8), op_table[op])
+   offset = offset + 8
+
+   if op_table[op] == "AddToStore" then
+      offset = parse_add_to_store(tvb, pinfo, tree, offset)
+   end
+   return offset
 end