From: Pierre Chifflier
Date: Tue, 17 Apr 2018 06:32:59 +0000 (+0200)
Subject: Kerberos: check version in probing function
X-Git-Tag: suricata-4.1.0-rc1~72
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=645ba17509334c5d5c09964c6734dc72cd1b98e5;p=thirdparty%2Fsuricata.git
Kerberos: check version in probing function
---
diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs
index 1b2fa4fbc8..b3f70fbb77 100644
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@@ -389,9 +389,17 @@ pub extern "C" fn rs_krb5_probing_parser(_flow: *const Flow, input:*const libc::
 if hdr.tag >= 30 { return unsafe{ALPROTO_FAILED}; }
 // Kerberos messages contain sequences
 if rem.is_empty() || rem[0] != 0x30 { return unsafe{ALPROTO_FAILED}; }
- // XXX check kerberos version ?
- // SCLogInfo!("probe hdr: {:?}", hdr);
- return alproto;
+ // Check kerberos version
+ if let IResult::Done(rem,_hdr) = der_read_element_header(rem) {
+ if rem.len() > 5 {
+ match (rem[2],rem[3],rem[4]) {
+ // Encoding of DER integer 5 (version)
+ (2,1,5) => { return alproto; },
+ _ => (),
+ }
+ }
+ }
+ return unsafe{ALPROTO_FAILED};
 },
 IResult::Incomplete(_) => {
 return ALPROTO_UNKNOWN;
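Review bot: The added version check falls through to `return unsafe{ALPROTO_FAILED};` when the second `der_read_element_header(rem)` is not `Done` or when `rem.len() > 5` is false, although the outer match in the same hunk answers `IResult::Incomplete(_)` with `ALPROTO_UNKNOWN`. If `ALPROTO_FAILED` rules the protocol out for the flow (inferred from the names, the constants are defined outside the hunk), a Kerberos message whose first bytes arrive in a short segment would be rejected for good and never reach the krb5 parser, which is a detection gap. The fence below returns `ALPROTO_UNKNOWN` for truncated input and relaxes the length test to the five bytes that are actually indexed. The fixed offsets `rem[2]`..`rem[4]` skip two bytes without looking at them; a comment stating that they are assumed to be the context tag and a short-form length in front of the version field would help, or `rem[0]`/`rem[1]` could be checked explicitly. The body of `rs_krb5_probing_parser` starts and ends outside the hunk.

```rust
// Check kerberos version
match der_read_element_header(rem) {
    IResult::Done(rem, _hdr) => {
        // Not enough bytes yet to see the version field: keep probing
        if rem.len() < 5 { return ALPROTO_UNKNOWN; }
        // Encoding of DER integer 5 (version)
        if (rem[2], rem[3], rem[4]) == (2, 1, 5) { return alproto; }
    },
    IResult::Incomplete(_) => { return ALPROTO_UNKNOWN; },
    _ => (),
}
return unsafe{ALPROTO_FAILED};
```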