From: Ilya Bakhtin Date: Sun, 21 Jul 2024 17:15:00 +0000 (+0200) Subject: protodetect/dcerpc: improve DCERPC UDP probing parser X-Git-Tag: suricata-8.0.0-beta1~486 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27f0db752630b9f66bb5bc5338b57109a7659b9c;p=thirdparty%2Fsuricata.git protodetect/dcerpc: improve DCERPC UDP probing parser Several additional checks are added to the probing parser to avoid false detection of DNS as DCERPC Ticket - 7111
---
diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
index 673d1608ae..634e02ad60 100644
--- a/rust/src/dcerpc/dcerpc_udp.rs
+++ b/rust/src/dcerpc/dcerpc_udp.rs
@@ -300,9 +300,11 @@ pub unsafe extern "C" fn rs_dcerpc_udp_get_tx_cnt(vtx: *mut std::os::raw::c_void
 /// Probe input to see if it looks like DCERPC.
 fn probe(input: &[u8]) -> (bool, bool) {
 match parser::parse_dcerpc_udp_header(input) {
- Ok((_, hdr)) => {
+ Ok((leftover_bytes, hdr)) => {
 let is_request = hdr.pkt_type == 0x00;
 let is_dcerpc = hdr.rpc_vers == 0x04 &&
+ hdr.fragnum == 0 &&
+ leftover_bytes.len() >= hdr.fraglen as usize &&
 (hdr.flags2 & 0xfc == 0) &&
 (hdr.drep[0] & 0xee == 0) &&
 (hdr.drep[1] <= 3);
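Review bot: The new `hdr.fragnum == 0 &&` guard in `is_dcerpc` means a flow whose first datagram seen by the probe is a later fragment of a multi-fragment PDU will no longer be classified as DCERPC, which is a deliberate false-negative trade-off for fewer DNS false positives and should be stated next to the check rather than left implicit among the bit masks. The `leftover_bytes.len() >= hdr.fraglen as usize` condition is likewise unexplained; I would add above the two new lines `// Require the first fragment and a datagram large enough to carry the full fragment body (fraglen); a later fragment seen first is not probed as DCERPC.` Whether `>=` rather than `==` is intended (an authentication trailer following the body, presumably) is not visible here and would be worth confirming in the same comment. The `as usize` cast is fine if `fraglen` is a narrower unsigned type, as it appears to be; if it is ever signed the cast would silently wrap. The rest of `probe`, including the return of the tuple, continues outside the hunk.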