From: Philippe Antoine Date: Tue, 2 Feb 2021 12:31:08 +0000 (+0100) Subject: smb: probing parser for start and midstream X-Git-Tag: suricata-6.0.2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bfa66c6d6cd3cab30f08ca86478f99c2f0c3a2c0;p=thirdparty%2Fsuricata.git smb: probing parser for start and midstream The probing parser is more strict at the start of the stream (cherry picked from commit 1b6e81cd7284355cb4315606cac30325e144d25a)
---
diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index ada497b579..f81be26062 100644
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -1977,8 +1977,10 @@ pub extern "C" fn rs_smb_probe_tcp(flags: u8,
 -> i8
 {
 let slice = build_slice!(input, len as usize);
- if rs_smb_probe_tcp_midstream(flags, slice, rdir) == 1 {
- return 1;
+ if flags & STREAM_MIDSTREAM == STREAM_MIDSTREAM {
+ if rs_smb_probe_tcp_midstream(flags, slice, rdir) == 1 {
+ return 1;
+ }
 }
 match parse_nbss_record_partial(slice) {
 Ok((_, ref hdr)) => {
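Review bot: The new guard `flags & STREAM_MIDSTREAM == STREAM_MIDSTREAM` is correct in Rust, where `&` binds tighter than `==`, but the same text in C would parse as `flags & (STREAM_MIDSTREAM == STREAM_MIDSTREAM)`, and this `extern "C"` function sits where readers switch between the two languages. Writing it as `(flags & STREAM_MIDSTREAM) == STREAM_MIDSTREAM` removes the doubt, and the two nested `if`s can then be one condition joined with `&&`. A short comment above the guard would also help, for example `// the looser midstream probe is only tried when the flow was picked up midstream; at stream start only the stricter check below applies`, because which probe runs decides whether a flow is labelled SMB at all. The definition of `STREAM_MIDSTREAM` and the rest of the function body are outside the hunk, so the strict path is not reviewed here.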