From: Victor Julien
Date: Fri, 3 May 2019 07:47:23 +0000 (+0200)
Subject: detect/dcerpc: move endian handling from pointer to flags
X-Git-Tag: suricata-5.0.0-rc1~522
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55db6d6fb4ba5c443704e6142f58b64718813798;p=thirdparty%2Fsuricata.git

detect/dcerpc: move endian handling from pointer to flags
---
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index 60d4f8bc61..d26d361c83 100644
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -183,6 +183,7 @@ static int InspectEngineDceStubData(ThreadVars *tv,
     uint32_t buffer_len = 0;
     uint8_t *buffer = NULL;
     DCERPCState *dcerpc_state = NULL;
+    uint8_t ci_flags = DETECT_CI_FLAGS_SINGLE;
 
     if (f->alproto == ALPROTO_SMB) {
         uint8_t dir = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
@@ -202,6 +203,11 @@ static int InspectEngineDceStubData(ThreadVars *tv,
             buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
             buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
         }
+        if (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) {
+            ci_flags |= DETECT_CI_FLAGS_DCE_LE;
+        } else {
+            ci_flags |= DETECT_CI_FLAGS_DCE_BE;
+        }
     }
     if (buffer == NULL ||buffer_len == 0)
         goto end;
@@ -212,7 +218,7 @@ static int InspectEngineDceStubData(ThreadVars *tv,
     int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len,
-            0, DETECT_CI_FLAGS_SINGLE,
+            0, ci_flags,
             DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, dcerpc_state);
     if (r == 1)
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index baafb9072a..582f416b95 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
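Review bot: The added `packed_drep[0]` test in the second hunk dereferences `dcerpc_state` with no NULL check in view, while the guard that used to protect this read (`data != NULL` in DetectEngineContentInspection) is removed by this same commit; `dcerpc_state` is initialised to NULL in the first hunk and the lines between the hunks that assign it are not shown, so whether a NULL state can reach this point cannot be confirmed from here. If the hidden branch does not already bail out on a NULL state, wrap the new block as `if (dcerpc_state != NULL) { ... }` or place the endianness selection right after the assignment that establishes it is non-NULL. The SMB branch leaves `ci_flags` at DETECT_CI_FLAGS_SINGLE with neither DCE bit set, which the byte_extract consumer treats as "no DCERPC endianness known"; a one-line comment on that branch would save the next reader the cross-file lookup. InspectEngineDceStubData starts before and ends after these hunks.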
@@ -464,11 +464,10 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
 
             /* if we have dce enabled we will have to use the endianness
              * specified by the dce header */
-            if (btflags & DETECT_BYTETEST_DCE && data != NULL) {
-                DCERPCState *dcerpc_state = (DCERPCState *)data;
+            if (btflags & DETECT_BYTETEST_DCE) {
                 /* enable the endianness flag temporarily.  once we are done
                  * processing we reset the flags to the original value*/
-                btflags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ?
+                btflags |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
                             DETECT_BYTETEST_LITTLE: 0);
             }
 
@@ -490,11 +489,10 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
 
             /* if we have dce enabled we will have to use the endianness
              * specified by the dce header */
-            if (bjflags & DETECT_BYTEJUMP_DCE && data != NULL) {
-                DCERPCState *dcerpc_state = (DCERPCState *)data;
+            if (bjflags & DETECT_BYTEJUMP_DCE) {
                 /* enable the endianness flag temporarily.  once we are done
                  * processing we reset the flags to the original value*/
-                bjflags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ?
+                bjflags |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
                             DETECT_BYTEJUMP_LITTLE: 0);
             }
 
@@ -513,12 +511,12 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
             /* if we have dce enabled we will have to use the endianness
              * specified by the dce header */
             if ((bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) &&
-                endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE && data != NULL) {
+                endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE &&
+                flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE)) {
 
-                DCERPCState *dcerpc_state = (DCERPCState *)data;
                 /* enable the endianness flag temporarily.  once we are done
                  * processing we reset the flags to the original value*/
-                endian |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] == 0x10) ?
+                endian |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
                            DETECT_BYTE_EXTRACT_ENDIAN_LITTLE : DETECT_BYTE_EXTRACT_ENDIAN_BIG);
             }
 
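Review bot: The comment above the rewritten condition still says the endianness is taken from "the dce header", but the bytetest branch here (and the bytejump branch in the next hunk) now reads it from the caller-supplied `flags`, and absence of DETECT_CI_FLAGS_DCE_LE silently selects big-endian, which is also what a buffer carrying neither DCE bit gets. Suggest replacing the comment in both hunks with `/* DCERPC endianness arrives via the DETECT_CI_FLAGS_DCE_* bits the caller derived from the header; no LE bit means big endian */`. The byte_extract hunk below keeps `endian` untouched unless one of the two bits is present, so the three DCE paths treat a flag-less buffer differently (as they already did through the old `data != NULL` guard); if that is intended, the comment is the place to say so. DetectEngineContentInspection starts before and ends after these hunks.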
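Review bot: The new byte_extract condition mixes `&` and `&&` without parentheses on the line `flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE)) {`; precedence is correct, but the line above it parenthesises its own bitmask test `(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN)`, and writing `(flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE))` keeps that style and sidesteps the parentheses warnings some compilers emit for this shape. Nothing in the header enforces that only one of the two bits is set; when both are, the ternary on the `endian |=` line picks little-endian, which is a reasonable tie-break but deserves a short comment so it does not look accidental.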
diff --git a/src/detect-engine-content-inspection.h b/src/detect-engine-content-inspection.h
index 6d6d4e3945..7b567fb08e 100644
--- a/src/detect-engine-content-inspection.h
+++ b/src/detect-engine-content-inspection.h
@@ -37,6 +37,8 @@ enum {
 #define DETECT_CI_FLAGS_START   BIT_U8(0)   /**< unused, reserved for future use */
 #define DETECT_CI_FLAGS_END     BIT_U8(1)   /**< indication that current buffer
                                              * is the end of the data */
+#define DETECT_CI_FLAGS_DCE_LE  BIT_U8(2)   /**< DCERPC record in little endian */
+#define DETECT_CI_FLAGS_DCE_BE  BIT_U8(3)   /**< DCERPC record in big endian */
 
 /** buffer is a single, non-streaming, buffer. Data sent to the content
  * inspection function contains both start and end of the data. */
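Review bot: The two new flags are documented individually, but nothing in the header says how they relate to each other or what their absence means: the caller changed in this commit (InspectEngineDceStubData) sets exactly one of them for a DCERPC stub-data buffer and neither on its SMB path, and the byte_extract consumer gives DETECT_CI_FLAGS_DCE_LE precedence if both are ever present. Suggest extending the doc comments, e.g. `/**< DCERPC record in little endian; mutually exclusive with DCE_BE, neither is set when the buffer is not a DCERPC record */` and the mirror text on DCE_BE, so callers outside the DCERPC path know they are expected to leave both bits clear.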