From: Victor Julien
Date: Sat, 7 Jul 2018 08:37:59 +0000 (+0200)
Subject: smb1: improve NT Create response record parsing
X-Git-Tag: suricata-4.1.0-rc1~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c8a078a2c2e8ace810c4da707bb50ae5db38a8f;p=thirdparty%2Fsuricata.git

smb1: improve NT Create response record parsing
---

diff --git a/rust/src/smb/smb1_records.rs b/rust/src/smb/smb1_records.rs
index c4f9d395bd..dff292ebbc 100644
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@@ -649,7 +649,7 @@ named!(pub parse_smb_create_andx_response_record,
 do_parse!(
 wct: le_u8
 >> andx_command: le_u8
- >> take!(1)
+ >> take!(1) // reserved
 >> andx_offset: le_u16
 >> oplock_level: le_u8
 >> fid: take!(2)
@@ -658,12 +658,14 @@ named!(pub parse_smb_create_andx_response_record,
 >> last_access_ts: le_u64
 >> last_write_ts: le_u64
 >> last_change_ts: le_u64
- >> take!(8)
+ >> take!(4)
 >> file_size: le_u64
- >> take!(8)
+ >> eof: le_u64
 >> file_type: le_u16
- >> take!(2)
+ >> ipc_state: le_u16
 >> is_dir: le_u8
+ >> cond!(wct == 42, take!(32))
+ >> bcc: le_u16
 >> (SmbResponseCreateAndXRecord {
 fid:fid,
 create_ts: SMBFiletime::new(create_ts),
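Review bot: In the second hunk, `cond!(wct == 42, take!(32))` keys the record layout on a wire-supplied word count but special-cases only one value, so any other `wct` is parsed with the short layout and `bcc` is read from whatever bytes sit at that fixed offset. Because this parser runs on untrusted traffic, a response with an unexpected `wct` would be mis-parsed silently instead of rejected, which is a detection blind spot rather than a memory-safety problem; if the caller does not already gate on the word count, consider `wct: verify!(le_u8, |v| v == 34 || v == 42)` or surfacing the record as malformed. The 32-byte skip also deserves a comment such as `// extended response: 32 bytes of extra fields although wct says 42 (TODO confirm against MS-SMB)`, since, assuming the usual count is 34, eight extra words would suggest 16 bytes. The parser starts in the first hunk and the struct literal continues past the end of this one, so whether `eof`, `ipc_state` and `bcc` are used or checked against the remaining data is not visible here.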