rust/smb: search for record on midstream start

Calls with both START and MIDSTREAM mean the record might be cut and the
start of it could be missing. For this case, enable the same logic as is
used when catching up after a GAP. Search for the start of the record
instead of assuming it sits exactly at the start of the input data.

diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 9f55bf358a8c0d79c83191858ed29dd4f97bf1cc..2e96e448e72b3fad5c41c99dc482871b5782cc56 100644 (file)
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -1720,12 +1720,18 @@ pub extern "C" fn rs_smb_parse_request_tcp(_flow: *mut Flow,
                                        _pstate: *mut libc::c_void,
                                        input: *mut libc::uint8_t,
                                        input_len: libc::uint32_t,
-                                       _data: *mut libc::c_void)
+                                       _data: *mut libc::c_void,
+                                       flags: u8)
                                        -> libc::int8_t
 {
     let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)};
     SCLogDebug!("parsing {} bytes of request data", input_len);
 
+    /* START with MISTREAM set: record might be starting the middle. */
+    if flags & (STREAM_START|STREAM_MIDSTREAM) == (STREAM_START|STREAM_MIDSTREAM) {
+        state.ts_gap = true;
+    }
+
     if state.parse_tcp_data_ts(buf) == 0 {
         return 1;
     } else {
@@ -1752,12 +1758,18 @@ pub extern "C" fn rs_smb_parse_response_tcp(_flow: *mut Flow,
                                         _pstate: *mut libc::c_void,
                                         input: *mut libc::uint8_t,
                                         input_len: libc::uint32_t,
-                                        _data: *mut libc::c_void)
+                                        _data: *mut libc::c_void,
+                                        flags: u8)
                                         -> libc::int8_t
 {
     SCLogDebug!("parsing {} bytes of response data", input_len);
     let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)};
 
+    /* START with MISTREAM set: record might be starting the middle. */
+    if flags & (STREAM_START|STREAM_MIDSTREAM) == (STREAM_START|STREAM_MIDSTREAM) {
+        state.tc_gap = true;
+    }
+
     if state.parse_tcp_data_tc(buf) == 0 {
         return 1;
     } else {

diff --git a/src/app-layer-smb-tcp-rust.c b/src/app-layer-smb-tcp-rust.c
index e8df01cdb8d315d5f7542e06d97e2d1626e3ed52..634e90dc2abe4fb41181bb00467c25d0e1b4310c 100644 (file)
--- a/src/app-layer-smb-tcp-rust.c
+++ b/src/app-layer-smb-tcp-rust.c
@@ -45,7 +45,7 @@ static int RustSMBTCPParseRequest(Flow *f, void *state,
         res = rs_smb_parse_request_tcp_gap(state, input_len);
     } else {
         res = rs_smb_parse_request_tcp(f, state, pstate, input, input_len,
-            local_data);
+            local_data, flags);
     }
     if (res != 1) {
         SCLogNotice("SMB request%s of %u bytes, retval %d",
@@ -68,7 +68,7 @@ static int RustSMBTCPParseResponse(Flow *f, void *state,
         res = rs_smb_parse_response_tcp_gap(state, input_len);
     } else {
         res = rs_smb_parse_response_tcp(f, state, pstate, input, input_len,
-            local_data);
+            local_data, flags);
     }
     if (res != 1) {
         SCLogNotice("SMB response%s of %u bytes, retval %d",