From: Victor Julien Date: Thu, 1 Mar 2018 07:50:04 +0000 (+0100) Subject: smb1: improve error handling X-Git-Tag: suricata-4.1.0-beta1~100 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=170edf7c445cfce8a608224227286b73035b1491;p=thirdparty%2Fsuricata.git smb1: improve error handling
---
diff --git a/rust/src/smb/smb1.rs b/rust/src/smb/smb1.rs
index 3ebf08373b..c7d612c1d4 100644
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@@ -465,27 +465,29 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
 false
 },
 SMB1_COMMAND_NT_CREATE_ANDX => {
- match parse_smb_create_andx_response_record(r.data) {
- IResult::Done(_, cr) => {
- SCLogDebug!("Create AndX {:?}", cr);
-
- let guid_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_FILENAME);
- match state.ssn2vec_map.remove(&guid_key) {
- Some(mut p) => {
- p.retain(|&i|i != 0x00);
-
- let mut fid = cr.fid.to_vec();
- fid.extend_from_slice(&u32_as_bytes(r.ssn_id));
- SCLogDebug!("SMB1_COMMAND_NT_CREATE_ANDX fid {:?}", fid);
- SCLogDebug!("fid {:?} name {:?}", fid, p);
- state.guid2name_map.insert(fid, p);
- },
- _ => {
- SCLogDebug!("SMBv1 response: GUID NOT FOUND");
- },
- }
- },
- _ => { events.push(SMBEvent::MalformedData); },
+ if r.nt_status == SMB_NTSTATUS_SUCCESS {
+ match parse_smb_create_andx_response_record(r.data) {
+ IResult::Done(_, cr) => {
+ SCLogDebug!("Create AndX {:?}", cr);
+
+ let guid_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_FILENAME);
+ match state.ssn2vec_map.remove(&guid_key) {
+ Some(mut p) => {
+ p.retain(|&i|i != 0x00);
+
+ let mut fid = cr.fid.to_vec();
+ fid.extend_from_slice(&u32_as_bytes(r.ssn_id));
+ SCLogDebug!("SMB1_COMMAND_NT_CREATE_ANDX fid {:?}", fid);
+ SCLogDebug!("fid {:?} name {:?}", fid, p);
+ state.guid2name_map.insert(fid, p);
+ },
+ _ => {
+ SCLogDebug!("SMBv1 response: GUID NOT FOUND");
+ },
+ }
+ },
+ _ => { events.push(SMBEvent::MalformedData); },
+ }
 }
 false
 },
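Review bot: With the new `if r.nt_status == SMB_NTSTATUS_SUCCESS` guard, `state.ssn2vec_map.remove(&guid_key)` runs only for successful NT_CREATE_ANDX responses, so the name entry that the request side presumably stored under that key stays in the map whenever the server answers with an error status. On a sensor this is per-flow state that failing creates can keep growing, and a stale name could later be paired with a different response that yields the same key. Consider dropping the entry on the error path too, e.g. `} else { state.ssn2vec_map.remove(&SMBCommonHdr::from1(r, SMBHDR_TYPE_FILENAME)); }`, or compute `guid_key` and call `remove` before the status check. This match arm sits inside `smb1_response_record`, whose body starts and ends outside the hunk.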
@@ -494,18 +496,6 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
 true
 },
 SMB1_COMMAND_SESSION_SETUP_ANDX => {
-/*
- SCLogDebug!("SMB1_COMMAND_SESSION_SETUP_ANDX user_id {}", r.user_id);
- match parse_smb_response_setup_andx_record(r.data) {
- IResult::Done(rem, _setup) => {
- //parse_secblob(state, setup.sec_blob);
- state.response_host = Some(smb1_session_setup_response_host_info(r, rem));
- },
- _ => {},
- }
- tx_sync = true;
- false
-*/
 smb1_session_setup_response(state, r);
 true
 },
diff --git a/rust/src/smb/smb1_records.rs b/rust/src/smb/smb1_records.rs
index 90afedec0d..13bae3e334 100644
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@@ -429,18 +429,42 @@ pub struct SmbResponseRecordSetupAndX<'a> {
 pub sec_blob: &'a[u8],
 }
 
-named!(pub parse_smb_response_setup_andx_record,
+named!(response_setup_andx_record,
 do_parse!(
 skip1: take!(7)
 >> sec_blob_len: le_u16
 >> bcc: le_u16
 >> sec_blob: take!(sec_blob_len)
- //>> skip3: rest
 >> (SmbResponseRecordSetupAndX {
 sec_blob:sec_blob,
 }))
 );
 
+named!(response_setup_andx_wct3_record,
+ do_parse!(
+ skip1: take!(7)
+ >> bcc: le_u16
+ >> (SmbResponseRecordSetupAndX {
+ sec_blob:&[],
+ }))
+);
+
+named!(response_setup_andx_error_record,
+ do_parse!(
+ wct: le_u8
+ >> bcc: le_u16
+ >> (SmbResponseRecordSetupAndX {
+ sec_blob: &[],
+ }))
+);
+
+named!(pub parse_smb_response_setup_andx_record,
+ switch!(peek!(le_u8), // wct
+ 0 => call!(response_setup_andx_error_record) |
+ 3 => call!(response_setup_andx_wct3_record) |
+ _ => call!(response_setup_andx_record))
+);
+
 #[derive(Debug,PartialEq)]
 pub struct SmbRequestReadAndXRecord<'a> {
 pub fid: &'a[u8],
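Review bot: The catch-all arm `_ => call!(response_setup_andx_record)` in `parse_smb_response_setup_andx_record` sends every word count other than 0 and 3 through the layout that reads `sec_blob_len` at a fixed offset, so a response with an unexpected wct is parsed as if it carried a security blob, with the length taken from bytes that may mean something else. If 4 is the only word count that layout is meant for, match it explicitly with `4 => call!(response_setup_andx_record))` and drop the `_` arm, so other values fail the switch and the caller can treat the record as malformed. `sec_blob_len` is also never compared with `bcc` before `take!(sec_blob_len)`; the take is bounded by the remaining input, but a blob length larger than the declared byte count is still accepted. A one-line comment on each helper naming the wct value it handles (0 for the error response, 3 for a response without a security blob) would document why three layouts exist.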