From: Bhargava Jandhyala (bjandhya) Date: Wed, 3 Feb 2021 05:12:00 +0000 (+0000) Subject: Merge pull request #2730 in SNORT/snort3 from ~DIPANDIT/snort3:handle_async to master X-Git-Tag: 3.1.2.0~51 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27e0b9f854eec9c4e96f9a8b2e7a5662adb3ecd5;p=thirdparty%2Fsnort3.git Merge pull request #2730 in SNORT/snort3 from ~DIPANDIT/snort3:handle_async to master Squashed commit of the following: commit 904c98bc58f715b3369622c07fe727e2492d904f Author: Dipto Pandit (dipandit) Date: Fri Jan 29 05:52:41 2021 -0500 dce_rpc: handle async responses in smbv2
---
diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc
index a53565f4d..99b0698b8 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2.cc
@@ -189,14 +189,18 @@ void DCE2_Smb2SessionTracker::removeSessionFromAllConnection()
 }
 static inline bool DCE2_Smb2FindSidTid(DCE2_Smb2SsnData* ssd, const uint64_t sid,
- const uint32_t tid, DCE2_Smb2SessionTracker** str, DCE2_Smb2TreeTracker** ttr)
+ const uint32_t tid, const uint32_t mid, DCE2_Smb2SessionTracker** str, DCE2_Smb2TreeTracker** ttr)
 {
 *str = DCE2_Smb2FindSidInSsd(ssd, sid);
 if (!*str)
 return false;
-
- *ttr = (*str)->findTtracker(tid);
- if (!*ttr)
+
+ if(!tid)
+ *ttr = find_tree_for_message(*str, mid);
+ else
+ *ttr = (*str)->findTtracker(tid);
+
+ if(!*ttr)
 return false;
 return true;
@@ -229,7 +233,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
 break;
 case SMB2_COM_READ:
 dce2_smb_stats.v2_read++;
- if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr) or
+ if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr) or
 SMB2_SHARE_TYPE_DISK != ttr->get_share_type())
 {
 dce2_smb_stats.v2_read_ignored++;
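Review bot: The new `mid` parameter of DCE2_Smb2FindSidTid is `const uint32_t`, but the callee it feeds, find_tree_for_message, is declared in this commit with `const uint64_t mid`, and the SMB2 MessageId is a 64-bit header field, so the value is truncated at this boundary and the request-tracker match on the async path silently fails once a connection's message ids pass 32 bits (those responses then land in the *_ignored counters of the READ/WRITE/SET_INFO/CLOSE/TREE_DISCONNECT hunks). The parameter list should read `const uint32_t tid, const uint64_t mid, DCE2_Smb2SessionTracker** str, DCE2_Smb2TreeTracker** ttr)`; the call sites need no change if `mid` is already 64-bit in DCE2_Smb2Inspect, which these hunks do not show. `tid == 0` is the only signal that selects the message-id path; in the async SMB2 header layout the TreeId bytes are occupied by AsyncId, so unless the caller already gates on the async flag the zero test is an assumption that deserves a comment, e.g. `// tid of 0: async response, the tree is only reachable via the pending request's mid`. The `if(!tid)` / `if(!*ttr)` spacing also differs from the `if (!*str)` two lines above.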
@@ -240,7 +244,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
 break;
 case SMB2_COM_WRITE:
 dce2_smb_stats.v2_wrt++;
- if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr) or
+ if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr) or
 SMB2_SHARE_TYPE_DISK != ttr->get_share_type())
 {
 dce2_smb_stats.v2_wrt_ignored++;
@@ -251,7 +255,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
 break;
 case SMB2_COM_SET_INFO:
 dce2_smb_stats.v2_stinf++;
- if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr) or
+ if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr) or
 SMB2_SHARE_TYPE_DISK != ttr->get_share_type())
 {
 dce2_smb_stats.v2_stinf_ignored++;
@@ -262,7 +266,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
 break;
 case SMB2_COM_CLOSE:
 dce2_smb_stats.v2_cls++;
- if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr) or
+ if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr) or
 SMB2_SHARE_TYPE_DISK != ttr->get_share_type())
 {
 dce2_smb_stats.v2_cls_ignored++;
@@ -282,7 +286,7 @@ static void DCE2_Smb2Inspect(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
 break;
 case SMB2_COM_TREE_DISCONNECT:
 dce2_smb_stats.v2_tree_discn++;
- if (!DCE2_Smb2FindSidTid(ssd, sid, tid, &str, &ttr))
+ if (!DCE2_Smb2FindSidTid(ssd, sid, tid, mid, &str, &ttr))
 {
 dce2_smb_stats.v2_tree_discn_ignored++;
 return;
diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
index 6645c41ff..50b60d17b 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
@@ -78,6 +78,17 @@ static void DCE2_Smb2CleanFtrackerTcpRef(DCE2_Smb2SessionTracker* str, uint64_t
 }
 }
+DCE2_Smb2TreeTracker *find_tree_for_message(DCE2_Smb2SessionTracker *str, const uint64_t mid)
+{
+ auto all_tree_trackers = str->tree_trackers.get_all_entry();
+ for ( auto& h : all_tree_trackers )
+ {
+ if(h.second->findRtracker(mid))
+ return h.second;
+ }
+ return nullptr;
+}
+
 bool DCE2_Smb2ProcessFileData(DCE2_Smb2SsnData* ssd, const uint8_t* file_data, uint32_t data_size)
 {
@@ -401,6 +412,8 @@ void DCE2_Smb2Create(DCE2_Smb2SsnData* ssd, const Smb2Hdr* smb_hdr,
 smb_data, end, SMB2_CREATE_RESPONSE_STRUC_SIZE - 1, dce2_smb_stats.v2_crt_resp_hdr_err, SMB2_COM_CREATE)
+ if(!tid)
+ ttr = find_tree_for_message(str, mid);
 if (!ttr)
 {
 debug_logf(dce_smb_trace, DetectionEngine::get_current_packet(),
diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.h b/src/service_inspectors/dce_rpc/dce_smb2_commands.h
index 97a86d9bc..22c93a973 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2_commands.h
+++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.h
@@ -62,5 +62,7 @@ void DCE2_Smb2CloseCmd(DCE2_Smb2SsnData*, const Smb2Hdr*,
 void DCE2_Smb2Logoff(DCE2_Smb2SsnData*, const uint8_t* smb_data, const uint64_t sid);
+DCE2_Smb2TreeTracker *find_tree_for_message(DCE2_Smb2SessionTracker*, const uint64_t);
+
 #endif
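Review bot: find_tree_for_message is new and exported through dce_smb2_commands.h without any comment stating its contract, and its name breaks the DCE2_Smb2* convention that every other free function visible in this file follows; a header comment such as `// Locate the tree tracker holding a pending request for this message id (async responses carry no tree id); nullptr if none` and a name in the file's style would fit the surrounding code. `auto all_tree_trackers = str->tree_trackers.get_all_entry();` binds by value — if get_all_entry() returns its container by reference this copies every entry on each async READ/WRITE/CLOSE response, so `const auto&` is the safer spelling either way, and `if(h.second->findRtracker(mid))` drops the space after `if` used elsewhere in the file. The scan is linear in the session's tree count with a request-tracker lookup per tree, so a peer holding many tree connects makes every async response correspondingly more expensive; worth a note if that is an accepted cost.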
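Review bot: The async fallback in DCE2_Smb2Create, `if(!tid) ttr = find_tree_for_message(str, mid);`, sits right after the response-size check and overrides whatever `ttr` held, but carries no comment on why a zero tree id is expected at this point; `// async CREATE response: TreeId is absent, recover the tree from the request tracked under this mid` would make the intent clear to the next reader. The enclosing function starts and ends outside the hunk, so whether `str` is guaranteed non-null here cannot be confirmed from this view, and find_tree_for_message dereferences it unconditionally.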