From: Victor Julien
Date: Tue, 31 Jul 2018 17:20:15 +0000 (+0200)
Subject: smb: probing parser improvement
X-Git-Tag: suricata-4.1.0-rc2~177
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=177966970a93b1c18c69fe705e108363fae1ac7a;p=thirdparty%2Fsuricata.git
smb: probing parser improvement
---
diff --git a/rust/src/smb/nbss_records.rs b/rust/src/smb/nbss_records.rs
index cd7d96f19c..c07b02a056 100644
--- a/rust/src/smb/nbss_records.rs
+++ b/rust/src/smb/nbss_records.rs
@@ -32,7 +32,7 @@ pub struct NbssRecord<'a> {
 }
 impl<'a> NbssRecord<'a> {
- pub fn is_smb(&self) -> bool {
+ pub fn is_valid(&self) -> bool {
 let valid = match self.message_type {
 NBSS_MSGTYPE_SESSION_MESSAGE | NBSS_MSGTYPE_SESSION_REQUEST |
@@ -42,6 +42,10 @@ impl<'a> NbssRecord<'a> {
 NBSS_MSGTYPE_KEEP_ALIVE => true,
 _ => false,
 };
+ valid
+ }
+ pub fn is_smb(&self) -> bool {
+ let valid = self.is_valid();
 let smb = if self.data.len() >= 4 && self.data[1] == 'S' as u8 && self.data[2] == 'M' as u8 && self.data[3] == 'B' as u8 && (self.data[0] == b'\xFE' || self.data[0] == b'\xFF' || self.data[0] == b'\xFD')
diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 874ff64c14..84d0e1b303 100644
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
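Review bot: The new `is_valid` and the re-split `is_smb` have no doc comments, and `is_smb`'s body runs past the end of the hunk, so a reader cannot see from here how `valid` and `smb` are combined into the result. I would add `/// True when message_type is one of the known NBSS session message types.` above `is_valid`, and above `is_smb` a line stating that it additionally requires the first four payload bytes to be one of 0xFF/0xFE/0xFD followed by "SMB", which is what the `smb` expression checks. As a point of style, the signature test mixes `'S' as u8` with `b'\xFE'`; writing `b'S'`, `b'M'`, `b'B'` keeps the whole comparison in byte-literal form.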
@@ -1857,22 +1857,36 @@ pub extern "C" fn rs_smb_parse_response_tcp_gap(
 return -1;
 }
+// probing parser
+// return 1 if found, 0 is not found
 #[no_mangle]
 pub extern "C" fn rs_smb_probe_tcp(input: *const libc::uint8_t, len: libc::uint32_t) -> libc::int8_t {
- let slice: &[u8] = unsafe {
- std::slice::from_raw_parts(input as *mut u8, len as usize)
- };
+ let slice = build_slice!(input, len as usize);
+ match search_smb_record(slice) {
+ IResult::Done(_, _) => {
+ SCLogDebug!("smb found");
+ return 1;
+ },
+ _ => {
+ SCLogDebug!("smb not found in {:?}", slice);
+ },
+ }
 match parse_nbss_record_partial(slice) {
 IResult::Done(_, ref hdr) => {
 if hdr.is_smb() {
+ SCLogDebug!("smb found");
+ return 1;
+ } else if hdr.is_valid() {
+ SCLogDebug!("nbss found, assume smb");
 return 1;
 }
 },
 _ => { },
 }
- return 1
+ SCLogDebug!("no smb");
+ return -1
 }
 #[no_mangle]
diff --git a/src/app-layer-smb-tcp-rust.c b/src/app-layer-smb-tcp-rust.c
index a12307c1bf..8ec3fa279d 100644
--- a/src/app-layer-smb-tcp-rust.c
+++ b/src/app-layer-smb-tcp-rust.c
@@ -86,12 +86,16 @@ static uint16_t RustSMBTCPProbe(Flow *f,
 return ALPROTO_UNKNOWN;
 }
- // Validate and return ALPROTO_FAILED if needed.
- if (!rs_smb_probe_tcp(input, len)) {
- return ALPROTO_FAILED;
+ const int r = rs_smb_probe_tcp(input, len);
+ switch (r) {
+ case 1:
+ return ALPROTO_SMB;
+ case 0:
+ return ALPROTO_UNKNOWN;
+ case -1:
+ default:
+ return ALPROTO_FAILED;
 }
-
- return ALPROTO_SMB;
 }
 static int RustSMBGetAlstateProgress(void *tx, uint8_t direction)
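Review bot: `rs_smb_probe_tcp` never returns the 0 its new header comment promises: once the `search_smb_record` and `parse_nbss_record_partial` matches have not returned 1, the only remaining path is `return -1`, which the C side in `src/app-layer-smb-tcp-rust.c` maps to ALPROTO_FAILED, so that file's `case 0:` branch is unreachable. If `parse_nbss_record_partial` can report `IResult::Incomplete` for a buffer too short to decide (the name suggests it, but the parser is outside this hunk), that outcome should yield 0 so probing continues when more data arrives instead of permanently failing the flow: add `IResult::Incomplete(_) => { return 0; },` before the catch-all `_ => { },` in the second match. The comment should then state the whole contract, e.g. `// return 1 if SMB found, 0 if undecided (keep probing), -1 if not SMB`. Note also that the `else if hdr.is_valid()` branch classifies any well-formed NBSS header as SMB even without the SMB signature; if that widening is intended it deserves a one-line comment saying why.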
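Review bot: The removed comment `// Validate and return ALPROTO_FAILED if needed.` is not replaced, so the meaning of the three values switched on in `switch (r)` is documented only in the Rust file. A comment above the switch such as `/* rs_smb_probe_tcp(): 1 = SMB, 0 = undecided (keep probing), -1 = not SMB */` keeps the contract visible where it is consumed, which matters because the `case -1:`/`default:` path ends detection for the flow. RustSMBTCPProbe begins outside the hunk, so the earlier `return ALPROTO_UNKNOWN;` guard cannot be reviewed from here.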