Merge pull request #1850 in SNORT/snort3 from ~BRASTULT/snort3:dce_smb_curse_fix...

author Russ Combs (rucombs) <rucombs@cisco.com>

Thu, 21 Nov 2019 02:41:10 +0000 (02:41 +0000)

committer Russ Combs (rucombs) <rucombs@cisco.com>

Thu, 21 Nov 2019 02:41:10 +0000 (02:41 +0000)
author Russ Combs (rucombs) <rucombs@cisco.com>
Thu, 21 Nov 2019 02:41:10 +0000 (02:41 +0000)
committer Russ Combs (rucombs) <rucombs@cisco.com>
Thu, 21 Nov 2019 02:41:10 +0000 (02:41 +0000)
diff --git a/src/service_inspectors/wizard/curses.cc b/src/service_inspectors/wizard/curses.cc

index 225eed0221e8006a3304e165727a5a34945a7ba4..011aeb80dbde54f54c4aaaaffc816072aebbfea8 100644 (file)
--- a/src/service_inspectors/wizard/curses.cc
+++ b/src/service_inspectors/wizard/curses.cc
@@ -193,7 +193,8 @@ static bool dce_smb_curse(const uint8_t* data, unsigned len, CurseTracker* track
  {
      const uint32_t dce_smb_id = 0xff534d42;  /* \xffSMB */
      const uint32_t dce_smb2_id = 0xfe534d42;  /* \xfeSMB */
-    const uint8_t nbss_type_message = 0;
+    const uint8_t session_request = 0x81, session_response = 0x82,
+                  session_message = 0x00;
  
      uint32_t n = 0;
      while (n < len)
@@ -202,22 +203,40 @@ static bool dce_smb_curse(const uint8_t* data, unsigned len, CurseTracker* track
          {
          case STATE_0:
          {
-            if (data[n] != nbss_type_message)
+            if (data[n] == session_message)
              {
-                tracker->state = STATE_8;
+                tracker->state = (DCE_States)((int)tracker->state + 2);
+                break;
+            }
+
+            if (data[n] == session_request || data[n] == session_response)
+            {
+                tracker->state = (DCE_States)((int)tracker->state + 1);
                  return false;
              }
-            tracker->state = (DCE_States)((int)tracker->state + 1);
-            break;
+
+            tracker->state = STATE_9;
+            return false;
+        }
+        case STATE_1:
+        {
+            if (data[n] == session_message)
+            {
+                tracker->state = (DCE_States)((int)tracker->state + 1);
+                break;
+            }
+
+            tracker->state = STATE_9;
+            return false;
          }
-        case STATE_4:
+        case STATE_5:
          {
              tracker->helper = data[n];
              tracker->state = (DCE_States)((int)tracker->state + 1);
              break;
          }
-        case STATE_5:
          case STATE_6:
+        case STATE_7:
          {
              tracker->helper <<= 8;
              tracker->helper |= data[n];
@@ -225,7 +244,7 @@ static bool dce_smb_curse(const uint8_t* data, unsigned len, CurseTracker* track
              break;
          }
  
-        case STATE_7:
+        case STATE_8:
          {
              tracker->helper <<= 8;
              tracker->helper |= data[n];
@@ -236,7 +255,7 @@ static bool dce_smb_curse(const uint8_t* data, unsigned len, CurseTracker* track
              break;
          }
  
-        case STATE_8:
+        case STATE_9:
              // no match
              return false;
author	Russ Combs (rucombs) <rucombs@cisco.com>
	Thu, 21 Nov 2019 02:41:10 +0000 (02:41 +0000)
committer	Russ Combs (rucombs) <rucombs@cisco.com>
	Thu, 21 Nov 2019 02:41:10 +0000 (02:41 +0000)