From bff0774767757b0ccab8165e293024fa39d0a952 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Eloy=20P=C3=A9rez=20Gonz=C3=A1lez?= Date: Fri, 22 Oct 2021 13:53:39 +0200 Subject: [PATCH] smb/dce_iface: avoid deleting current ifaces from state The smb dce_iface keyword must match for all those dcerpc requests and responses sent in the context of the given interface. They are not matching as the current bind interfaces are deleted by any non bind message. Ticket: 4767 --- rust/src/smb/dcerpc.rs | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs index c379189fc3..c83d4ad7ce 100644 --- a/rust/src/smb/dcerpc.rs +++ b/rust/src/smb/dcerpc.rs @@ -180,6 +180,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState, data: &'b [u8]) -> bool { let mut bind_ifaces : Option> = None; + let mut is_bind = false; SCLogDebug!("called for {} bytes of data", data.len()); match parse_dcerpc_record(data) { @@ -259,6 +260,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState, }; match brec { Ok((_, bindr)) => { + is_bind = true; SCLogDebug!("SMB DCERPC {:?} BIND {:?}", dcer, bindr); if bindr.ifaces.len() > 0 { @@ -304,7 +306,13 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState, }, } - state.dcerpc_ifaces = bind_ifaces; // TODO store per ssn + if is_bind { + // We have to write here the interfaces + // rather than in the BIND block + // due to borrow issues with the tx mutable reference + // that is part of the state + state.dcerpc_ifaces = bind_ifaces; // TODO store per ssn + } return true; } -- 2.47.2