From: Philippe Antoine <contact@catenacyber.fr>
Date: Tue, 16 Mar 2021 12:07:16 +0000 (+0100)
Subject: nfs: improve probing parser
X-Git-Tag: suricata-6.0.4~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c42b81b769ba6592b6c44a9baab994c96b70fff3;p=thirdparty%2Fsuricata.git

nfs: improve probing parser

Checks credentials flavor is known

(cherry picked from commit b3c1f2ab489c22494900476426fd5cad9ba08cd1)
---

diff --git a/rust/src/nfs/nfs.rs b/rust/src/nfs/nfs.rs
index 532ed0886e..55aab50e4c 100644
--- a/rust/src/nfs/nfs.rs
+++ b/rust/src/nfs/nfs.rs
@@ -1791,7 +1791,7 @@ pub fn nfs_probe(i: &[u8], direction: u8) -> i8 {
                    rpc.program == 100003 &&
                    rpc.procedure <= NFSPROC3_COMMIT
                 {
-                    return 1;
+                    return rpc_auth_type_known(rpc.creds_flavor);
                 } else {
                     return -1;
                 }
diff --git a/rust/src/nfs/types.rs b/rust/src/nfs/types.rs
index d3f313a39d..c8ddfafc11 100644
--- a/rust/src/nfs/types.rs
+++ b/rust/src/nfs/types.rs
@@ -177,6 +177,14 @@ pub fn rpc_auth_type_string(auth_type: u32) -> String {
     }.to_string()
 }
 
+pub fn rpc_auth_type_known(auth_type: u32) -> i8 {
+    // RPCAUTH_GSS is the maximum
+    if auth_type <= RPCAUTH_GSS {
+        return 1;
+    }
+    return -1;
+}
+
 /* http://www.iana.org/assignments/rpc-authentication-numbers/rpc-authentication-numbers.xhtml */
 pub const RPCAUTH_OK:                   u32 = 0;  // success/failed at remote end    [RFC5531]
 pub const RPCAUTH_BADCRED:              u32 = 1;  // bad credential (seal broken)    [RFC5531]