Bug #42 » 0001-64-bit-portability.patch
src/app-layer-dcerpc.c | ||
---|---|---|
printf(" Major Version 0x%04x Minor Version 0x%04x\n", uuid->version, uuid->versionminor);
|
||
}
|
||
static int DCERPCParseSecondaryAddr(Flow *f, void *dcerpc_state, AppLayerParserState *pstate,
|
||
static uint32_t DCERPCParseSecondaryAddr(Flow *f, void *dcerpc_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output)
|
||
{
|
||
SCEnter();
|
||
... | ... | |
p++;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int PaddingParser(Flow *f, void *dcerpc_state, AppLayerParserState *pstate,
|
||
static uint32_t PaddingParser(Flow *f, void *dcerpc_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
DCERPCState *sstate = (DCERPCState *)dcerpc_state;
|
||
uint8_t *p = input;
|
||
while (sstate->padleft-- && input_len--) {
|
||
... | ... | |
p++;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
return (p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int DCERPCGetCTXItems(Flow *f, void *dcerpc_state, AppLayerParserState *pstate,
|
||
static uint32_t DCERPCGetCTXItems(Flow *f, void *dcerpc_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
DCERPCState *sstate = (DCERPCState *)dcerpc_state;
|
||
... | ... | |
if (input_len) {
|
||
switch(sstate->ctxbytesprocessed) {
|
||
case 0:
|
||
/*if (input_len >= 4) {
|
||
if (input_len >= 4) {
|
||
sstate->numctxitems = *p;
|
||
sstate->numctxitemsleft = sstate->numctxitems;
|
||
sstate->ctxbytesprocessed += (4);
|
||
SCReturnInt(4);
|
||
} else { */
|
||
sstate->ctxbytesprocessed += 4;
|
||
sstate->bytesprocessed += 4;
|
||
SCReturnUInt(4U);
|
||
} else {
|
||
sstate->numctxitems = *(p++);
|
||
sstate->numctxitemsleft = sstate->numctxitems;
|
||
if (!(--input_len)) break;
|
||
//}
|
||
}
|
||
case 1:
|
||
p++;
|
||
if (!(--input_len)) break;
|
||
... | ... | |
}
|
||
sstate->ctxbytesprocessed += (p - input);
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
DCERPCState *sstate = (DCERPCState *)dcerpc_state;
|
||
uint8_t *p = input;
|
||
... | ... | |
sstate->versionminor |= *(p + 23) << 8;
|
||
sstate->uuid_entry = (struct uuid_entry *) calloc(1, sizeof(struct uuid_entry));
|
||
if (sstate->uuid_entry == NULL) {
|
||
SCReturnInt(-1);
|
||
SCReturnUInt(0);
|
||
} else {
|
||
memcpy(sstate->uuid_entry->uuid, sstate->uuid,
|
||
sizeof(sstate->uuid));
|
||
... | ... | |
sstate->uuid_entry->version = sstate->version;
|
||
sstate->uuid_entry->versionminor = sstate->versionminor;
|
||
TAILQ_INSERT_HEAD(&sstate->uuid_list, sstate->uuid_entry, next);
|
||
printUUID("BIND", sstate->uuid_entry);
|
||
//printUUID("BIND", sstate->uuid_entry);
|
||
}
|
||
sstate->numctxitemsleft--;
|
||
sstate->bytesprocessed += (44);
|
||
sstate->ctxbytesprocessed += (44);
|
||
SCReturnInt(44);
|
||
SCReturnUInt(44U);
|
||
} else {
|
||
sstate->ctxid = *(p++);
|
||
if (!(--input_len)) break;
|
||
... | ... | |
case 43:
|
||
sstate->numctxitemsleft--;
|
||
if (sstate->uuid_entry == NULL) {
|
||
SCReturnInt(-1);
|
||
SCReturnUInt(0);
|
||
} else {
|
||
memcpy(sstate->uuid_entry->uuid, sstate->uuid,
|
||
sizeof(sstate->uuid));
|
||
... | ... | |
}
|
||
sstate->ctxbytesprocessed += (p - input);
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
DCERPCState *sstate = (DCERPCState *)dcerpc_state;
|
||
uint8_t *p = input;
|
||
... | ... | |
TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) {
|
||
if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) {
|
||
uuid_entry->result = sstate->result;
|
||
printUUID("BIND_ACK", uuid_entry);
|
||
//printUUID("BIND_ACK", uuid_entry);
|
||
break;
|
||
}
|
||
}
|
||
sstate->numctxitemsleft--;
|
||
sstate->bytesprocessed += (24);
|
||
sstate->ctxbytesprocessed += (24);
|
||
SCReturnInt(24);
|
||
SCReturnUInt(24U);
|
||
} else {
|
||
sstate->result = *(p++);
|
||
if (!(--input_len)) break;
|
||
... | ... | |
TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) {
|
||
if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) {
|
||
uuid_entry->result = sstate->result;
|
||
printUUID("BIND_ACK", uuid_entry);
|
||
//printUUID("BIND_ACK", uuid_entry);
|
||
break;
|
||
}
|
||
}
|
||
... | ... | |
}
|
||
sstate->ctxbytesprocessed += (p - input);
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int DCERPCParseBIND(Flow *f, void *dcerpc_state, AppLayerParserState *pstate,
|
||
static uint32_t DCERPCParseBIND(Flow *f, void *dcerpc_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
DCERPCState *sstate = (DCERPCState *)dcerpc_state;
|
||
... | ... | |
sstate->numctxitems = *(p+8);
|
||
sstate->numctxitemsleft = sstate->numctxitems;
|
||
sstate->bytesprocessed += 12;
|
||
SCReturnInt(12);
|
||
SCReturnUInt(12U);
|
||
} else {
|
||
/* max_xmit_frag */
|
||
p++;
|
||
... | ... | |
}
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int DCERPCParseBINDACK(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
static uint32_t DCERPCParseBINDACK(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
DCERPCState *sstate = (DCERPCState *)dcerpc_state;
|
||
uint8_t *p = input;
|
||
... | ... | |
sstate->secondaryaddrlen |= *(p+9) << 8;
|
||
sstate->secondaryaddrlenleft = sstate->secondaryaddrlen;
|
||
sstate->bytesprocessed += 10;
|
||
SCReturnInt(10);
|
||
SCReturnUInt(10U);
|
||
} else {
|
||
/* max_xmit_frag */
|
||
p++;
|
||
... | ... | |
break;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int DCERPCParseHeader(Flow *f, void *dcerpc_state, AppLayerParserState
|
||
static uint32_t DCERPCParseHeader(Flow *f, void *dcerpc_state, AppLayerParserState
|
||
*pstate, uint8_t *input, uint32_t input_len,
|
||
AppLayerParserResult *output) {
|
||
SCEnter();
|
||
... | ... | |
sstate->dcerpc.call_id |= *(p + 14) << 8;
|
||
sstate->dcerpc.call_id |= *(p + 15);
|
||
sstate->bytesprocessed = DCERPC_HDR_LEN;
|
||
SCReturnInt(DCERPC_HDR_LEN);
|
||
SCReturnUInt(16U);
|
||
break;
|
||
} else {
|
||
sstate->dcerpc.rpc_vers = *(p++);
|
||
... | ... | |
sstate->dcerpc.call_id |= *(p++);
|
||
--input_len;
|
||
break;
|
||
default: // SHOULD NEVER OCCUR
|
||
SCLogDebug("Odd");
|
||
SCReturnInt(8);
|
||
}
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int DCERPCParse(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCLogDebug("Done with DCERPCParseHeader bytesprocessed %u\n", sstate->bytesprocessed);
|
||
switch (sstate->dcerpc.type) {
|
||
case BIND:
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCLogDebug("Done with DCERPCParseBIND bytesprocessed %u\n", sstate->bytesprocessed);
|
||
while (sstate->numctxitemsleft && sstate->bytesprocessed < sstate->dcerpc.frag_length &&
|
||
input_len) {
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCLogDebug("Done with DCERPCParseBINDCTXItem bytesprocessed %u\n", sstate->bytesprocessed);
|
||
if (sstate->bytesprocessed == sstate->dcerpc.frag_length) {
|
||
sstate->bytesprocessed = 0;
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCLogDebug("Done with DCERPCParseBINDACK bytesprocessed %u\n", sstate->bytesprocessed);
|
||
while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 + sstate->secondaryaddrlen && input_len--) {
|
||
retval = DCERPCParseSecondaryAddr(f, dcerpc_state, pstate, input + parsed, input_len,
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCLogDebug("Done with DCERPCParseSecondaryAddr bytesprocessed %u\n", sstate->bytesprocessed);
|
||
if(sstate->bytesprocessed == DCERPC_HDR_LEN + 10 + sstate->secondaryaddrlen) {
|
||
sstate->pad = sstate->bytesprocessed % 4;
|
||
sstate->padleft = sstate->pad;
|
||
}
|
||
SCLogDebug("pad %u\n", sstate->pad);
|
||
while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 + sstate->secondaryaddrlen + sstate->pad && input_len--) {
|
||
retval = PaddingParser(f, dcerpc_state, pstate, input + parsed, input_len,
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCLogDebug("Done with PaddingParser bytesprocessed %u\n", sstate->bytesprocessed);
|
||
while(sstate->bytesprocessed >= DCERPC_HDR_LEN + 10 + sstate->pad + sstate->secondaryaddrlen &&
|
||
sstate->bytesprocessed < DCERPC_HDR_LEN + 14 + sstate->pad + sstate->secondaryaddrlen) {
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCLogDebug("Done with DCERPCGetCTXItems bytesprocessed %u\n", sstate->bytesprocessed);
|
||
if (sstate->bytesprocessed == DCERPC_HDR_LEN + 14 + sstate->pad + sstate->secondaryaddrlen) {
|
||
sstate->ctxbytesprocessed = 0;
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCLogDebug("Done with DCERPCParseBINDACKCTXItem bytesprocessed %u\n", sstate->bytesprocessed);
|
||
if (sstate->bytesprocessed == sstate->dcerpc.frag_length) {
|
||
sstate->bytesprocessed = 0;
|
||
... | ... | |
void RegisterDCERPCParsers(void) {
|
||
AppLayerRegisterProto("dcerpc", ALPROTO_DCERPC, STREAM_TOSERVER, DCERPCParse);
|
||
AppLayerRegisterProto("dcerpc", ALPROTO_DCERPC, STREAM_TOCLIENT, DCERPCParse);
|
||
AppLayerRegisterParser("dcerpc.hdr", ALPROTO_DCERPC, DCERPC_PARSE_DCERPC_HEADER, DCERPCParseHeader, "dcerpc");
|
||
AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc, DCERPCStateFree);
|
||
}
|
||
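Review bot: The `calloc` failure path in DCERPCParseBINDCTXItem now ends in `SCReturnUInt(0)` where the older line had `SCReturnInt(-1)` (assuming the second line of each doubled pair is the new side), so an allocation failure looks the same as "consumed no bytes". In the 44-byte fast path that return comes before `numctxitemsleft`, `bytesprocessed` or `ctxbytesprocessed` are touched. The visible part of the DCERPCParse loop `while (sstate->numctxitemsleft && ... && input_len)` only does `parsed += retval; input_len -= retval;`, so unless the elided lines test for zero, the loop condition never changes and parsing of that flow would spin under memory pressure. I would add a progress check right after the call in DCERPCParse, for example `if (retval == 0) SCReturnInt(-1);`, and document on each sub-parser that 0 means "error or no progress". The bodies of both functions are only partly shown here.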
src/app-layer-smb.c | ||
---|---|---|
* \brief SMB Write AndX Request Parsing
|
||
*/
|
||
/* For WriteAndX we need to get writeandxdataoffset */
|
||
static int SMBParseWriteAndX(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t SMBParseWriteAndX(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
SMBState *sstate = (SMBState *) smb_state;
|
||
uint8_t *p = input;
|
||
switch (sstate->andx.andxbytesprocessed) {
|
||
... | ... | |
sstate->andx.dataoffset|= (uint64_t) *(p+25) << 48;
|
||
sstate->andx.dataoffset|= (uint64_t) *(p+26) << 40;
|
||
sstate->andx.dataoffset|= (uint64_t) *(p+27) << 32;
|
||
input_len -= 28;
|
||
sstate->bytesprocessed += 28;
|
||
return 28;
|
||
SCReturnUInt(28U);
|
||
} else {
|
||
sstate->andx.andxcommand = *(p++);
|
||
if (!(--input_len)) break;
|
||
... | ... | |
sstate->andx.dataoffset|= (uint64_t) *(p++) << 32;
|
||
--input_len;
|
||
break;
|
||
default:
|
||
// SHOULD NEVER OCCUR
|
||
return 0;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
return (p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
/**
|
||
* \brief SMB Read AndX Response Parsing
|
||
*/
|
||
static int SMBParseReadAndX(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t SMBParseReadAndX(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
SMBState *sstate = (SMBState *) smb_state;
|
||
uint8_t *p = input;
|
||
switch (sstate->andx.andxbytesprocessed) {
|
||
... | ... | |
sstate->andx.datalength |= (uint64_t) *(p+15) << 48;
|
||
sstate->andx.datalength |= (uint64_t) *(p+16) << 40;
|
||
sstate->andx.datalength |= (uint64_t) *(p+17) << 32;
|
||
input_len -= 24;
|
||
sstate->bytesprocessed += 24;
|
||
return 24;
|
||
SCReturnUInt(24U);
|
||
} else {
|
||
sstate->andx.andxcommand = *(p++);
|
||
if (!(--input_len)) break;
|
||
... | ... | |
p++;
|
||
--input_len;
|
||
break;
|
||
default:
|
||
// SHOULD NEVER OCCUR
|
||
return 0;
|
||
}
|
||
return 0;
|
||
sstate->bytesprocessed += (p - input);
|
||
return (p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
/**
|
||
* Handle variable length padding for WriteAndX and ReadAndX
|
||
*/
|
||
static int PaddingParser(void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t PaddingParser(void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
SMBState *sstate = (SMBState *) smb_state;
|
||
uint8_t *p = input;
|
||
while ((uint32_t)(sstate->bytesprocessed + (p - input)) < sstate->andx.dataoffset && sstate->bytecount.bytecount-- && input_len--) {
|
||
... | ... | |
sstate->andx.paddingparsed = 1;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
return (p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
/**
|
||
* \brief Parse WriteAndX and ReadAndX Data
|
||
* \todo Hand off to DCERPC parser for DCERPC over SMB
|
||
*/
|
||
static int DataParser(void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t DataParser(void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
SMBState *sstate = (SMBState *) smb_state;
|
||
uint8_t *p = input;
|
||
... | ... | |
}
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
return (p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
... | ... | |
* Reset bytecount.bytecountbytes to 0.
|
||
* Determine if this is an SMB AndX Command
|
||
*/
|
||
static int SMBGetWordCount(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t SMBGetWordCount(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output)
|
||
{
|
||
SCEnter();
|
||
... | ... | |
sstate->bytecount.bytecountbytes = 0;
|
||
sstate->andx.isandx = isAndX(sstate);
|
||
SCLogDebug("Wordcount (%u):", sstate->wordcount.wordcount);
|
||
SCReturnInt(1);
|
||
SCReturnUInt(1U);
|
||
}
|
||
SCReturnInt(0);
|
||
SCReturnUInt(0);
|
||
}
|
||
/*
|
||
... | ... | |
* is after the first bytecount byte.
|
||
*/
|
||
static int SMBGetByteCount(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t SMBGetByteCount(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output)
|
||
{
|
||
SCEnter();
|
||
... | ... | |
SCLogDebug("Bytecount %u", sstate->bytecount.bytecount);
|
||
--input_len;
|
||
}
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
/**
|
||
* \brief SMBParseWordCount parses the SMB Wordcount portion of the SMB Transaction.
|
||
* until sstate->wordcount.wordcount bytes are parsed.
|
||
*/
|
||
static int SMBParseWordCount(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t SMBParseWordCount(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output)
|
||
{
|
||
SCEnter();
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
sstate->wordcount.wordcount -= retval;
|
||
return retval;
|
||
SCReturnUInt(retval);
|
||
} else if (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) == 0) && sstate->smb.command == SMB_COM_WRITE_ANDX) {
|
||
retval = SMBParseWriteAndX(f, sstate, pstate, input + parsed, input_len, output);
|
||
parsed += retval;
|
||
input_len -= retval;
|
||
sstate->wordcount.wordcount -= retval;
|
||
return retval;
|
||
SCReturnUInt(retval);
|
||
} else { /* Generic WordCount Handler */
|
||
while (sstate->wordcount.wordcount-- && input_len--) {
|
||
SCLogDebug("0x%02x ", *p);
|
||
p++;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
}
|
||
... | ... | |
* until sstate->bytecount.bytecount bytes are parsed.
|
||
*/
|
||
static int SMBParseByteCount(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t SMBParseByteCount(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output)
|
||
{
|
||
SCEnter();
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
}
|
||
SCReturnUInt(retval);
|
||
}
|
||
while (sstate->bytecount.bytecount && input_len) {
|
||
SCLogDebug("0x%02x bytecount %u input_len %u", *p,
|
||
sstate->bytecount.bytecount, input_len);
|
||
p++;
|
||
sstate->wordcount.wordcount--;
|
||
input_len--;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
//#define DEBUG 1
|
||
static int NBSSParseHeader(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t NBSSParseHeader(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output)
|
||
{
|
||
SCEnter();
|
||
... | ... | |
sstate->nbss.length = (*(p + 1) & 0x01) << 16;
|
||
sstate->nbss.length |= *(p + 2) << 8;
|
||
sstate->nbss.length |= *(p + 3);
|
||
input_len -= NBSS_HDR_LEN;
|
||
sstate->bytesprocessed += NBSS_HDR_LEN;
|
||
SCReturnInt(NBSS_HDR_LEN);
|
||
SCReturnUInt(4U);
|
||
} else {
|
||
sstate->nbss.type = *(p++);
|
||
if (!(--input_len)) break;
|
||
... | ... | |
sstate->nbss.length |= *(p++);
|
||
--input_len;
|
||
break;
|
||
default:
|
||
SCReturnInt(-1);
|
||
break;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
}
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int SMBParseHeader(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
static uint32_t SMBParseHeader(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output)
|
||
{
|
||
SCEnter();
|
||
... | ... | |
if (input_len >= SMB_HDR_LEN) {
|
||
if (memcmp(p, "\xff\x53\x4d\x42", 4) != 0) {
|
||
SCLogDebug("SMB Header did not validate");
|
||
SCReturnInt(0);
|
||
SCReturnUInt(0);
|
||
}
|
||
sstate->smb.command = *(p + 4);
|
||
sstate->smb.status = *(p + 5) << 24;
|
||
... | ... | |
sstate->smb.uid |= *(p + 29);
|
||
sstate->smb.mid = *(p + 30) << 8;
|
||
sstate->smb.mid |= *(p + 31);
|
||
input_len -= SMB_HDR_LEN;
|
||
sstate->bytesprocessed += SMB_HDR_LEN;
|
||
SCReturnInt(SMB_HDR_LEN);
|
||
SCReturnUInt(32U);
|
||
break;
|
||
} else {
|
||
//sstate->smb.protocol[0] = *(p++);
|
||
... | ... | |
sstate->smb.mid |= *(p++);
|
||
--input_len;
|
||
break;
|
||
default: // SHOULD NEVER OCCUR
|
||
SCReturnInt(8);
|
||
}
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
SCReturnInt(p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate,
|
||
... | ... | |
SCEnter();
|
||
SMBState *sstate = (SMBState *) smb_state;
|
||
uint32_t retval = 0;
|
||
uint32_t parsed = 0;
|
||
long int retval = 0;
|
||
long int parsed = 0;
|
||
if (pstate == NULL)
|
||
SCReturnInt(-1);
|
||
... | ... | |
parsed += retval;
|
||
input_len -= retval;
|
||
SCLogDebug("NBSS Header (%u/%u) Type 0x%02x Length 0x%04x parsed %u input_len %u",
|
||
SCLogDebug("NBSS Header (%u/%u) Type 0x%02x Length 0x%04x parsed %ld input_len %u",
|
||
sstate->bytesprocessed, NBSS_HDR_LEN, sstate->nbss.type,
|
||
sstate->nbss.length, parsed, input_len);
|
||
}
|
||
... | ... | |
parsed, input_len, output);
|
||
parsed += retval;
|
||
input_len -= retval;
|
||
SCLogDebug("SMB Header (%u/%u) Command 0x%02x parsed %u input_len %u",
|
||
SCLogDebug("SMB Header (%u/%u) Command 0x%02x parsed %ld input_len %u",
|
||
sstate->bytesprocessed, NBSS_HDR_LEN + SMB_HDR_LEN,
|
||
sstate->smb.command, parsed, input_len);
|
||
}
|
||
... | ... | |
output);
|
||
parsed += retval;
|
||
input_len -= retval;
|
||
SCLogDebug("wordcount (%u) parsed %u input_len %u",
|
||
SCLogDebug("wordcount (%u) parsed %ld input_len %u",
|
||
sstate->wordcount.wordcount, parsed, input_len);
|
||
}
|
||
... | ... | |
*/
|
||
int isAndX(SMBState *smb_state) {
|
||
SCEnter();
|
||
switch (smb_state->smb.command) {
|
||
case SMB_NO_SECONDARY_ANDX_COMMAND:
|
||
case SMB_COM_LOCKING_ANDX:
|
||
... | ... | |
case SMB_COM_TREE_CONNECT_ANDX:
|
||
case SMB_COM_NT_CREATE_ANDX:
|
||
smb_state->andx.andxbytesprocessed = 0;
|
||
return 1;
|
||
SCReturnInt(1);
|
||
default:
|
||
return 0;
|
||
SCReturnInt(0);
|
||
}
|
||
}
|
||
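Review bot: NBSSParseHeader's `default:` branch still ends in `SCReturnInt(-1);` although the function now returns `uint32_t`, so the caller receives 4294967295 instead of an error. The visible SMBParse code does `parsed += retval; input_len -= retval;` and hands `parsed` to the next sub-parser; with the `long int retval`/`parsed` declarations (which appear to be the new side) that moves the offset far past the buffer and wraps `input_len`, unless an elided line checks the value first. Either keep the error-capable parsers as `int` and silence the 64-bit warning with `SCReturnInt((int)(p - input));`, or have SMBParse reject the sentinel before doing the arithmetic. The same pattern is left in src/app-layer-smb2.c, where NBSSParseHeader keeps `return -1;` under a `uint32_t` return type and SMB2Parse holds `retval` in a `uint32_t`. The function bodies are only partly shown here.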
src/app-layer-smb2.c | ||
---|---|---|
SMB_FIELD_MAX,
|
||
};
|
||
//#define DEBUG 1
|
||
static int NBSSParseHeader(void *smb2_state, AppLayerParserState *pstate,
|
||
static uint32_t NBSSParseHeader(void *smb2_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
SMB2State *sstate = (SMB2State *) smb2_state;
|
||
uint8_t *p = input;
|
||
... | ... | |
sstate->nbss.length = (*(p + 1) & 0x01) << 16;
|
||
sstate->nbss.length |= *(p + 2) << 8;
|
||
sstate->nbss.length |= *(p + 3);
|
||
input_len -= NBSS_HDR_LEN;
|
||
sstate->bytesprocessed += NBSS_HDR_LEN;
|
||
return NBSS_HDR_LEN;
|
||
SCReturnUInt(4U);
|
||
} else {
|
||
sstate->nbss.type = *(p++);
|
||
if (!(--input_len)) break;
|
||
... | ... | |
sstate->nbss.length |= *(p++);
|
||
--input_len;
|
||
break;
|
||
default:
|
||
return -1;
|
||
break;
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
}
|
||
return (p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int SMB2ParseHeader(void *smb2_state, AppLayerParserState *pstate,
|
||
static uint32_t SMB2ParseHeader(void *smb2_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
SMB2State *sstate = (SMB2State *) smb2_state;
|
||
uint8_t *p = input;
|
||
if (input_len) {
|
||
... | ... | |
sstate->smb2.Signature[13] = *(p + 61);
|
||
sstate->smb2.Signature[14] = *(p + 62);
|
||
sstate->smb2.Signature[15] = *(p + 63);
|
||
input_len -= SMB2_HDR_LEN;
|
||
sstate->bytesprocessed += SMB2_HDR_LEN;
|
||
return SMB2_HDR_LEN;
|
||
SCReturnUInt(64U);
|
||
break;
|
||
} else {
|
||
//sstate->smb2.protocol[0] = *(p++);
|
||
... | ... | |
sstate->smb2.Signature[15] = *(p++);
|
||
--input_len;
|
||
break;
|
||
default: // SHOULD NEVER OCCUR
|
||
return 0;
|
||
}
|
||
}
|
||
sstate->bytesprocessed += (p - input);
|
||
return (p - input);
|
||
SCReturnUInt((uint32_t)(p - input));
|
||
}
|
||
static int SMB2Parse(Flow *f, void *smb2_state, AppLayerParserState *pstate,
|
||
uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
|
||
SCEnter();
|
||
SMB2State *sstate = (SMB2State *) smb2_state;
|
||
uint32_t retval = 0;
|
||
uint32_t parsed = 0;
|
||
... | ... | |
}
|
||
pstate->parse_field = 0;
|
||
pstate->flags |= APP_LAYER_PARSER_DONE;
|
||
return 1;
|
||
SCReturnInt(1);
|
||
}
|
||
... | ... | |
void RegisterSMB2Parsers(void) {
|
||
AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOSERVER, SMB2Parse);
|
||
AppLayerRegisterProto("smb", ALPROTO_SMB2, STREAM_TOCLIENT, SMB2Parse);
|
||
/*AppLayerRegisterParser("nbss.hdr", ALPROTO_SMB, SMB_PARSE_NBSS_HEADER,
|
||
NBSSParseHeader, "smb");
|
||
AppLayerRegisterParser("smb.hdr", ALPROTO_SMB, SMB_PARSE_SMB_HEADER,
|
||
SMBParseHeader, "smb");
|
||
AppLayerRegisterParser("smb.getwordcount", ALPROTO_SMB, SMB_PARSE_GET_WORDCOUNT,
|
||
SMBGetWordCount, "smb");
|
||
AppLayerRegisterParser("smb.wordcount", ALPROTO_SMB, SMB_PARSE_WORDCOUNT,
|
||
SMBParseWordCount, "smb");
|
||
AppLayerRegisterParser("smb.getbytecount", ALPROTO_SMB, SMB_PARSE_GET_BYTECOUNT,
|
||
SMBGetByteCount, "smb");
|
||
AppLayerRegisterParser("smb.bytecount", ALPROTO_SMB, SMB_PARSE_BYTECOUNT,
|
||
SMBParseByteCount, "smb");
|
||
*/
|
||
AppLayerRegisterStateFuncs(ALPROTO_SMB2, SMB2StateAlloc, SMB2StateFree);
|
||
}
|
||
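Review bot: `SCReturnUInt(4U)` in NBSSParseHeader and `SCReturnUInt(64U)` in SMB2ParseHeader replace `NBSS_HDR_LEN` and `SMB2_HDR_LEN` with bare literals, while the two lines just above each return still use the constants for `input_len -=` and `sstate->bytesprocessed +=`. The returned count and the recorded state then agree only as long as nobody changes the header macros, and the literal hides what the number means. I would keep the names and cast, `SCReturnUInt((uint32_t)NBSS_HDR_LEN);` and `SCReturnUInt((uint32_t)SMB2_HDR_LEN);`. The same applies to `16U` in DCERPCParseHeader and to `4U`/`32U` in src/app-layer-smb.c.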