git.ipfire.org Git - people/ms/suricata.git/commit

author	Shivani Bhardwaj <shivanib134@gmail.com>
	Wed, 23 Sep 2020 04:50:56 +0000 (10:20 +0530)
committer	Victor Julien <victor@inliniac.net>
	Mon, 28 Sep 2020 09:32:38 +0000 (11:32 +0200)
commit	97c67cd5ce6d4016f72b3d1f19cadfb410c28b1d
tree	55129177dbb54ec752f94b18621cf87fe0dc0949	tree \| snapshot
parent	4f963717f8dc0a9806480ff76615ab14e023431f	commit \| diff

dcerpc: fix gap handling

This patch addresses issues discovered by redmine ticket 3896. With the
approach of finding latest record, there was a chance that no record was
found at all and consumed + needed became input length.

e.g.
input_len = 1000
input = 01 05 00 02 00 03 a5 56 00 00 .....

There exists no |05 00| identifier in the rest of the record. After
having parsed |05 00|, there was a search for another record with the
leftover data. Current data length at this point would be 997. Since the
identifier was not found in the data, we calculate the consumed bytes at
this point i.e. consumed = current_data.len() - 1 which would be 996.
Needed bytes still stay at a constant of 2. So, consumed + needed = 996
+ 2 = 998 which is lesser than initial input length of 1000 and hence
the assertion fails.

There could be two fixes to this problem.
1. Finding the latest record but making use of the last found record in
case no new record was found.
2. Always use the earliest record.

This patch takes the approach (2). It also makes sure that the gap and
current direction are the same.