From: Eloy Pérez González Date: Fri, 22 Oct 2021 11:53:39 +0000 (+0200) Subject: smb/dce_iface: avoid deleting current ifaces from state X-Git-Tag: suricata-5.0.10~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ceec0ae5984dfe5966c811df5b8a8b7e1b5d7e90;p=thirdparty%2Fsuricata.git smb/dce_iface: avoid deleting current ifaces from state The smb dce_iface keyword must match for all those dcerpc requests and responses sent in the context of the given interface. They are not matching as the current bind interfaces are deleted by any non bind message. Ticket: 4767 (cherry picked from commit bff0774767757b0ccab8165e293024fa39d0a952) --- diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs index 4bb9fa0196..836bb2489c 100644 --- a/rust/src/smb/dcerpc.rs +++ b/rust/src/smb/dcerpc.rs @@ -252,6 +252,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState, data: &'b [u8]) -> bool { let mut bind_ifaces : Option> = None; + let mut is_bind = false; SCLogDebug!("called for {} bytes of data", data.len()); match parse_dcerpc_record(data) { @@ -331,6 +332,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState, }; match brec { Ok((_, bindr)) => { + is_bind = true; SCLogDebug!("SMB DCERPC {:?} BIND {:?}", dcer, bindr); if bindr.ifaces.len() > 0 { @@ -374,7 +376,13 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState, }, } - state.dcerpc_ifaces = bind_ifaces; // TODO store per ssn + if is_bind { + // We have to write here the interfaces + // rather than in the BIND block + // due to borrow issues with the tx mutable reference + // that is part of the state + state.dcerpc_ifaces = bind_ifaces; // TODO store per ssn + } return true; }
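Review bot: `is_bind = true` in the `Ok((_, bindr))` arm has no comment saying which BIND outcomes are meant to replace the stored interface list, and the two cases now differ. A BIND that parses with an empty `bindr.ifaces` presumably stores `None` and clears the list, because `bind_ifaces` looks to be filled only under `if bindr.ifaces.len() > 0`, whose body is outside the hunk. A BIND that fails to parse leaves the previous interfaces in place, since the flag is never set on that path. If both are intended, I would add `// any parsed BIND replaces the stored interface list, even an empty one; a BIND that fails to parse keeps the old list` above the assignment. The `match brec` block starts and ends outside the hunk.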
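Review bot: With the `if is_bind` guard, `state.dcerpc_ifaces` now persists until the next BIND, so the `// TODO store per ssn` on that assignment affects detection accuracy more than it did before. As far as the hunk shows, the list is a single field on `SMBState`, so a BIND in one session replaces the interfaces that requests from another session on the same flow are still matched against. `dce_iface` can then match or miss traffic that belongs to a different bind. Until per-session storage exists, I would record the limitation next to the write, e.g. `// NOTE: flow-wide, not per session: a later BIND from any session replaces this list`. The commit would also benefit from a regression test for ticket 4767 that sends BIND, then a request and response, and checks the interfaces are still present. `smb_write_dcerpc_record` begins outside this hunk.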