From bcdbd12839859910c7876104fcdd15abd4e84175 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 20 Dec 2016 15:37:33 -0600
Subject: [PATCH] dns (tcp): register a to_client (response) probing parser

Just a minimal parser to make sure the data contains at least a header.
---
 src/app-layer-dns-tcp.c | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/src/app-layer-dns-tcp.c b/src/app-layer-dns-tcp.c
index 8ddae27a95..b27d8d87e9 100644
--- a/src/app-layer-dns-tcp.c
+++ b/src/app-layer-dns-tcp.c
@@ -627,6 +627,28 @@ static uint16_t DNSTcpProbingParser(uint8_t *input, uint32_t ilen, uint32_t *off
 return ALPROTO_DNS;
 }
+/**
+ * \brief Probing parser for TCP DNS responses.
+ *
+ * This is a minimal parser that just checks that the input contains enough
+ * data for a TCP DNS response.
+ */
+static uint16_t DNSTcpProbeResponse(uint8_t *input, uint32_t len,
+ uint32_t *offset)
+{
+ if (len == 0 || len < sizeof(DNSTcpHeader)) {
+ return ALPROTO_UNKNOWN;
+ }
+
+ DNSTcpHeader *dns_header = (DNSTcpHeader *)input;
+
+ if (ntohs(dns_header->len) < sizeof(DNSHeader)) {
+ return ALPROTO_FAILED;
+ }
+
+ return ALPROTO_DNS;
+}
+
 void RegisterDNSTCPParsers(void)
 {
 char *proto_name = "dns";
@@ -646,7 +668,8 @@ void RegisterDNSTCPParsers(void)
 int have_cfg = AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP, proto_name, ALPROTO_DNS, 0, sizeof(DNSTcpHeader),
- DNSTcpProbingParser, NULL);
+ DNSTcpProbingParser,
+ DNSTcpProbeResponse);
 /* if we have no config, we enable the default port 53 */
 if (!have_cfg) {
 SCLogWarning(SC_ERR_DNS_CONFIG, "no DNS TCP config found, "
@@ -654,7 +677,8 @@ void RegisterDNSTCPParsers(void)
 "port 53.");
 AppLayerProtoDetectPPRegister(IPPROTO_TCP, "53", ALPROTO_DNS, 0, sizeof(DNSTcpHeader),
- STREAM_TOSERVER, DNSTcpProbingParser, NULL);
+ STREAM_TOSERVER, DNSTcpProbingParser,
+ DNSTcpProbeResponse);
 }
 }
 } else {
--
2.47.2
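Review bot: In the first hunk, DNSTcpProbeResponse accepts any to_client payload whose first two bytes decode to a length of at least sizeof(DNSHeader), so on a probed port most non-DNS streams will be labelled ALPROTO_DNS and handed to the DNS parser, which skews protocol-keyed detection. Because the probe already requires len >= sizeof(DNSTcpHeader), it could also return ALPROTO_FAILED when the data cannot be a response, for example when the QR bit in the header's flags is clear; this assumes DNSTcpHeader carries the DNS header fields after the length prefix, which the hunk does not show. The `len == 0` test is subsumed by the size comparison, so the guard can read `if (len < sizeof(DNSTcpHeader)) {`. The `offset` parameter is never used; a short comment such as `/* offset unused: required by the probing parser signature */` would make that intentional.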