From: Russ Combs (rucombs)
Date: Thu, 21 Nov 2019 02:41:10 +0000 (+0000)
Subject: Merge pull request #1850 in SNORT/snort3 from ~BRASTULT/snort3:dce_smb_curse_fix...
X-Git-Tag: 3.0.0-265~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2fdc55b8a0b45bd6fa1e42d8ea67cb51e71d1068;p=thirdparty%2Fsnort3.git
Merge pull request #1850 in SNORT/snort3 from ~BRASTULT/snort3:dce_smb_curse_fix to master
Squashed commit of the following:
commit a83a033a9ccc3ac8b1dc2b0a0ed474c1be08e1fd
Author: Brandon Stultz
Date: Thu Nov 14 17:36:24 2019 -0500
wizard: handle NBSS startup in dce_smb_curse
---
diff --git a/src/service_inspectors/wizard/curses.cc b/src/service_inspectors/wizard/curses.cc
index 225eed022..011aeb80d 100644
--- a/src/service_inspectors/wizard/curses.cc
+++ b/src/service_inspectors/wizard/curses.cc
@@ -193,7 +193,8 @@ static bool dce_smb_curse(const uint8_t* data, unsigned len, CurseTracker* track
 {
 const uint32_t dce_smb_id = 0xff534d42; /* \xffSMB */
 const uint32_t dce_smb2_id = 0xfe534d42; /* \xfeSMB */
- const uint8_t nbss_type_message = 0;
+ const uint8_t session_request = 0x81, session_response = 0x82,
+ session_message = 0x00;
 uint32_t n = 0;
 while (n < len)
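Review bot: The three new constants are NBSS packet types, but the declaration no longer says so now that the `nbss_` prefix is gone; a comment such as `/* NBSS packet types (RFC 1002): 0x00 session message, 0x81 session request, 0x82 positive session response */` would restore that. 0x82 is specifically the positive response, so `session_response` reads broader than it is. The other NBSS types (negative response, retarget, keep-alive) are left unnamed and end in `STATE_9` in the `STATE_0` hunk that follows; if that is intentional, say so next to the constants. The function body continues outside this hunk.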
@@ -202,22 +203,40 @@ static bool dce_smb_curse(const uint8_t* data, unsigned len, CurseTracker* track
 {
 case STATE_0:
 {
- if (data[n] != nbss_type_message)
+ if (data[n] == session_message)
 {
- tracker->state = STATE_8;
+ tracker->state = (DCE_States)((int)tracker->state + 2);
+ break;
+ }
+
+ if (data[n] == session_request || data[n] == session_response)
+ {
+ tracker->state = (DCE_States)((int)tracker->state + 1);
 return false;
 }
- tracker->state = (DCE_States)((int)tracker->state + 1);
- break;
+
+ tracker->state = STATE_9;
+ return false;
+ }
+ case STATE_1:
+ {
+ if (data[n] == session_message)
+ {
+ tracker->state = (DCE_States)((int)tracker->state + 1);
+ break;
+ }
+
+ tracker->state = STATE_9;
+ return false;
 }
- case STATE_4:
+ case STATE_5:
 {
 tracker->helper = data[n];
 tracker->state = (DCE_States)((int)tracker->state + 1);
 break;
 }
- case STATE_5:
 case STATE_6:
+ case STATE_7:
 {
 tracker->helper <<= 8;
 tracker->helper |= data[n];
@@ -225,7 +244,7 @@ static bool dce_smb_curse(const uint8_t* data, unsigned len, CurseTracker* track
 break;
 }
- case STATE_7:
+ case STATE_8:
 {
 tracker->helper <<= 8;
 tracker->helper |= data[n];
@@ -236,7 +255,7 @@ static bool dce_smb_curse(const uint8_t* data, unsigned len, CurseTracker* track
 break;
 }
- case STATE_8:
+ case STATE_9:
 // no match
 return false;
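Review bot: In `STATE_0`, the `session_request`/`session_response` branch returns false without consuming the rest of `data`, so `STATE_1` treats the first byte of the next call as an NBSS type field. That holds only when the handshake message ends exactly at the buffer boundary; if it is split across calls, or shares a buffer with the first session message, `STATE_1` tests a byte that is not a type field and the tracker either stays in `STATE_9` or proceeds on a coincidental 0x00. Since a no-match here presumably decides whether the flow is handed to the dce_smb inspector, I would at least record the assumption, e.g. `// assumes the session request/response ends with this buffer; the next call must start on an NBSS header`, or skip the body using the NBSS length bytes. Separately, `tracker->state = STATE_2;` would read more clearly than the `+ 2` cast in `STATE_0`, matching the named `STATE_9` used in the same case. The function body starts and ends outside this hunk.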