Project

General

Profile

Download (26.8 KB)

Bug #61 » 0001-fix-bug-61.patch

fix for bug 61 - Kirby Kuehl, 01/18/2010 01:44 PM

View differences:

src/app-layer-dcerpc.c
sstate->result = *p;
sstate->result |= *(p + 1) << 8;
TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) {
if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) {
if (uuid_entry->ctxid == sstate->numctxitems
- sstate->numctxitemsleft) {
uuid_entry->result = sstate->result;
//printUUID("BIND_ACK", uuid_entry);
break;
......
break;
case 23:
TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) {
if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) {
if (uuid_entry->ctxid == sstate->numctxitems
- sstate->numctxitemsleft) {
uuid_entry->result = sstate->result;
//printUUID("BIND_ACK", uuid_entry);
break;
......
&& input_len) {
retval = DCERPCParseBIND(f, dcerpc_state, pstate, input + parsed,
input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
} else if (input_len) {
SCLogDebug("Error Parsing DCERPC BIND");
parsed -= input_len;
input_len = 0;
}
}
SCLogDebug(
"Done with DCERPCParseBIND bytesprocessed %u/%u -- Should be 12\n",
......
< sstate->dcerpc.frag_length && input_len) {
retval = DCERPCParseBINDCTXItem(f, dcerpc_state, pstate, input
+ parsed, input_len, output);
if (sstate->ctxbytesprocessed == 44) {
sstate->ctxbytesprocessed = 0;
if (retval) {
if (sstate->ctxbytesprocessed == 44) {
sstate->ctxbytesprocessed = 0;
}
parsed += retval;
input_len -= retval;
SCLogDebug("BIND processed %u/%u\n", sstate->bytesprocessed,
sstate->dcerpc.frag_length);
} else if (input_len) {
SCLogDebug("Error Parsing CTX Item");
parsed -= input_len;
input_len = 0;
sstate->numctxitemsleft = 0;
}
parsed += retval;
input_len -= retval;
}
SCLogDebug("BIND processed %u/%u\n", sstate->bytesprocessed,
sstate->dcerpc.frag_length);
if (sstate->bytesprocessed == sstate->dcerpc.frag_length) {
sstate->bytesprocessed = 0;
sstate->ctxbytesprocessed = 0;
......
&& input_len) {
retval = DCERPCParseBINDACK(f, dcerpc_state, pstate,
input + parsed, input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
SCLogDebug("DCERPCParseBINDACK processed %u/%u left %u\n",
sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len);
} else if (input_len) {
SCLogDebug("Error parsing BIND_ACK");
parsed -= input_len;
input_len = 0;
}
}
SCLogDebug("DCERPCParseBINDACK processed %u/%u left %u\n",
sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len);
while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10
+ sstate->secondaryaddrlen && input_len
&& sstate->bytesprocessed < sstate->dcerpc.frag_length) {
retval = DCERPCParseSecondaryAddr(f, dcerpc_state, pstate, input
+ parsed, input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
SCLogDebug(
"DCERPCParseSecondaryAddr %u/%u left %u secondaryaddr len(%u)\n",
sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len,
sstate->secondaryaddrlen);
} else if (input_len) {
SCLogDebug("Error parsing Secondary Address");
parsed -= input_len;
input_len = 0;
}
}
SCLogDebug(
"DCERPCParseSecondaryAddr %u/%u left %u secondaryaddr len(%u)\n",
sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len,
sstate->secondaryaddrlen);
if (sstate->bytesprocessed == DCERPC_HDR_LEN + 10
+ sstate->secondaryaddrlen) {
......
&& sstate->bytesprocessed < sstate->dcerpc.frag_length) {
retval = PaddingParser(f, dcerpc_state, pstate, input + parsed,
input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
SCLogDebug("PaddingParser %u/%u left %u pad(%u)\n",
sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len,
sstate->pad);
} else if (input_len) {
SCLogDebug("Error parsing DCERPC Padding");
parsed -= input_len;
input_len = 0;
}
}
SCLogDebug("PaddingParser %u/%u left %u pad(%u)\n",
sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len,
sstate->pad);
while (sstate->bytesprocessed >= DCERPC_HDR_LEN + 10 + sstate->pad
+ sstate->secondaryaddrlen && sstate->bytesprocessed
......
&& sstate->bytesprocessed < sstate->dcerpc.frag_length) {
retval = DCERPCGetCTXItems(f, dcerpc_state, pstate, input + parsed,
input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
SCLogDebug("DCERPCGetCTXItems %u/%u (%u)\n", sstate->bytesprocessed,
sstate->dcerpc.frag_length, sstate->numctxitems);
} else if (input_len) {
SCLogDebug("Error parsing CTX Items");
parsed -= input_len;
input_len = 0;
}
}
SCLogDebug("DCERPCGetCTXItems %u/%u (%u)\n", sstate->bytesprocessed,
sstate->dcerpc.frag_length, sstate->numctxitems);
if (sstate->bytesprocessed == DCERPC_HDR_LEN + 14 + sstate->pad
+ sstate->secondaryaddrlen) {
......
< sstate->dcerpc.frag_length) {
retval = DCERPCParseBINDACKCTXItem(f, dcerpc_state, pstate, input
+ parsed, input_len, output);
if (sstate->ctxbytesprocessed == 24) {
sstate->ctxbytesprocessed = 0;
if (retval) {
if (sstate->ctxbytesprocessed == 24) {
sstate->ctxbytesprocessed = 0;
}
parsed += retval;
input_len -= retval;
} else if (input_len) {
SCLogDebug("Error parsing CTX Items");
parsed -= input_len;
input_len = 0;
sstate->numctxitemsleft = 0;
}
parsed += retval;
input_len -= retval;
}
SCLogDebug("BINDACK processed %u/%u\n", sstate->bytesprocessed,
sstate->dcerpc.frag_length);
......
&& input_len) {
retval = DCERPCParseREQUEST(f, dcerpc_state, pstate,
input + parsed, input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
} else if (input_len) {
SCLogDebug("Error parsing DCERPC Request");
parsed -= input_len;
input_len = 0;
}
}
while (sstate->bytesprocessed >= DCERPC_HDR_LEN + 8
&& sstate->bytesprocessed < sstate->dcerpc.frag_length
&& input_len) {
retval = StubDataParser(f, dcerpc_state, pstate, input + parsed,
input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
} else if (input_len) {
SCLogDebug("Error parsing DCERPC Stub Data");
parsed -= input_len;
input_len = 0;
}
}
SCLogDebug("REQUEST processed %u/%u\n", sstate->bytesprocessed,
sstate->dcerpc.frag_length);
src/app-layer-smb.c
sstate->andx.datalength |= *(p + 21) << 24;
sstate->andx.dataoffset = *(p + 22);
sstate->andx.dataoffset |= *(p + 23) << 8;
sstate->andx.dataoffset |= (uint64_t) * (p + 24) << 56;
sstate->andx.dataoffset |= (uint64_t) * (p + 25) << 48;
sstate->andx.dataoffset |= (uint64_t) * (p + 26) << 40;
sstate->andx.dataoffset |= (uint64_t) * (p + 27) << 32;
sstate->andx.dataoffset |= (uint64_t) *(p + 24) << 56;
sstate->andx.dataoffset |= (uint64_t) *(p + 25) << 48;
sstate->andx.dataoffset |= (uint64_t) *(p + 26) << 40;
sstate->andx.dataoffset |= (uint64_t) *(p + 27) << 32;
sstate->bytesprocessed += 28;
SCReturnUInt(28U);
} else {
......
if (!(--input_len))
break;
case 24:
sstate->andx.dataoffset |= (uint64_t) * (p++) << 56;
sstate->andx.dataoffset |= (uint64_t) *(p++) << 56;
if (!(--input_len))
break;
case 25:
sstate->andx.dataoffset |= (uint64_t) * (p++) << 48;
sstate->andx.dataoffset |= (uint64_t) *(p++) << 48;
if (!(--input_len))
break;
case 26:
sstate->andx.dataoffset |= (uint64_t) * (p++) << 40;
sstate->andx.dataoffset |= (uint64_t) *(p++) << 40;
if (!(--input_len))
break;
case 27:
sstate->andx.dataoffset |= (uint64_t) * (p++) << 32;
sstate->andx.dataoffset |= (uint64_t) *(p++) << 32;
--input_len;
break;
}
......
sstate->andx.datalength |= *(p + 11) << 8;
sstate->andx.dataoffset = *(p + 12);
sstate->andx.dataoffset |= *(p + 13) << 8;
sstate->andx.datalength |= (uint64_t) * (p + 14) << 32;
sstate->andx.datalength |= (uint64_t) * (p + 15) << 40;
sstate->andx.datalength |= (uint64_t) * (p + 16) << 48;
sstate->andx.datalength |= (uint64_t) * (p + 17) << 56;
sstate->andx.datalength |= (uint64_t) *(p + 14) << 32;
sstate->andx.datalength |= (uint64_t) *(p + 15) << 40;
sstate->andx.datalength |= (uint64_t) *(p + 16) << 48;
sstate->andx.datalength |= (uint64_t) *(p + 17) << 56;
sstate->bytesprocessed += 24;
SCReturnUInt(24U);
} else {
......
sstate->andx.datalength |= *(p + 23) << 8;
sstate->andx.dataoffset = *(p + 24);
sstate->andx.dataoffset |= *(p + 25) << 8;
sstate->andx.datalength |= (uint64_t) * (p + 14) << 56;
sstate->andx.datalength |= (uint64_t) * (p + 15) << 48;
sstate->andx.datalength |= (uint64_t) * (p + 16) << 40;
sstate->andx.datalength |= (uint64_t) * (p + 17) << 32;
sstate->andx.datalength |= (uint64_t) *(p + 14) << 56;
sstate->andx.datalength |= (uint64_t) *(p + 15) << 48;
sstate->andx.datalength |= (uint64_t) *(p + 16) << 40;
sstate->andx.datalength |= (uint64_t) *(p + 17) << 32;
sstate->bytesprocessed += 24;
SCReturnUInt(24U);
} else {
......
SCEnter();
SMBState *sstate = (SMBState *) smb_state;
uint8_t *p = input;
while ((uint32_t)(sstate->bytesprocessed + (p - input))
printf("Inside Padding Parser");
/* Check for validity of dataoffset */
if (sstate->bytesprocessed > sstate->andx.dataoffset) {
printf("The offset was not valid.");
sstate->andx.paddingparsed = 1;
SCReturnUInt((uint32_t)(p - input));
}
printf("bytesprocessed %u data offset %"PRIu64" input_len %u\n",
sstate->bytesprocessed, sstate->andx.dataoffset, input_len);
while ((uint32_t) (sstate->bytesprocessed + (p - input))
< sstate->andx.dataoffset && sstate->bytecount.bytecount--
&& input_len--) {
printf("0x%02x", *p);
p++;
}
if ((uint32_t)(sstate->bytesprocessed + (p - input))
if ((uint32_t) (sstate->bytesprocessed + (p - input))
== sstate->andx.dataoffset) {
sstate->andx.paddingparsed = 1;
}
......
if (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) && sstate->smb.command
== SMB_COM_READ_ANDX) || (((sstate->smb.flags
& SMB_FLAGS_SERVER_TO_REDIR) == 0) && sstate->smb.command
== SMB_COM_WRITE_ANDX) ||
(sstate->smb.command == SMB_COM_TRANSACTION)) {
== SMB_COM_WRITE_ANDX) || (sstate->smb.command
== SMB_COM_TRANSACTION)) {
if (sstate->andx.paddingparsed == 0) {
retval = PaddingParser(sstate, pstate, input + parsed, input_len,
output);
parsed += retval;
input_len -= retval;
}
if (sstate->andx.datalength) {
retval = DataParser(sstate, pstate, input + parsed, input_len,
output);
......
}
while (sstate->bytecount.bytecount && input_len) {
SCLogDebug("0x%02x bytecount %u input_len %u", *p,
printf("0x%02x bytecount %u input_len %u", *p,
sstate->bytecount.bytecount, input_len);
p++;
sstate->wordcount.wordcount--;
sstate->bytecount.bytecount--;
input_len--;
}
printf("\n");
sstate->bytesprocessed += (p - input);
SCReturnUInt((uint32_t)(p - input));
}
......
sstate->smb.flags2 |= *(p + 11);
sstate->smb.pidhigh = *(p + 12) << 8;
sstate->smb.pidhigh |= *(p + 13);
sstate->smb.securitysignature = (uint64_t) * (p + 14) << 56;
sstate->smb.securitysignature |= (uint64_t) * (p + 15) << 48;
sstate->smb.securitysignature |= (uint64_t) * (p + 16) << 40;
sstate->smb.securitysignature |= (uint64_t) * (p + 17) << 32;
sstate->smb.securitysignature |= (uint64_t) * (p + 18) << 24;
sstate->smb.securitysignature |= (uint64_t) * (p + 19) << 16;
sstate->smb.securitysignature |= (uint64_t) * (p + 20) << 8;
sstate->smb.securitysignature |= (uint64_t) * (p + 21);
sstate->smb.securitysignature = (uint64_t) *(p + 14) << 56;
sstate->smb.securitysignature |= (uint64_t) *(p + 15) << 48;
sstate->smb.securitysignature |= (uint64_t) *(p + 16) << 40;
sstate->smb.securitysignature |= (uint64_t) *(p + 17) << 32;
sstate->smb.securitysignature |= (uint64_t) *(p + 18) << 24;
sstate->smb.securitysignature |= (uint64_t) *(p + 19) << 16;
sstate->smb.securitysignature |= (uint64_t) *(p + 20) << 8;
sstate->smb.securitysignature |= (uint64_t) *(p + 21);
sstate->smb.tid = *(p + 24) << 8;
sstate->smb.tid |= *(p + 25);
sstate->smb.pid = *(p + 26) << 8;
......
if (!(--input_len))
break;
case 18:
sstate->smb.securitysignature = (uint64_t) * (p++) << 56;
sstate->smb.securitysignature = (uint64_t) *(p++) << 56;
if (!(--input_len))
break;
case 19:
sstate->smb.securitysignature |= (uint64_t) * (p++) << 48;
sstate->smb.securitysignature |= (uint64_t) *(p++) << 48;
if (!(--input_len))
break;
case 20:
sstate->smb.securitysignature |= (uint64_t) * (p++) << 40;
sstate->smb.securitysignature |= (uint64_t) *(p++) << 40;
if (!(--input_len))
break;
case 21:
sstate->smb.securitysignature |= (uint64_t) * (p++) << 32;
sstate->smb.securitysignature |= (uint64_t) *(p++) << 32;
if (!(--input_len))
break;
case 22:
sstate->smb.securitysignature |= (uint64_t) * (p++) << 24;
sstate->smb.securitysignature |= (uint64_t) *(p++) << 24;
if (!(--input_len))
break;
case 23:
sstate->smb.securitysignature |= (uint64_t) * (p++) << 16;
sstate->smb.securitysignature |= (uint64_t) *(p++) << 16;
if (!(--input_len))
break;
case 24:
sstate->smb.securitysignature |= (uint64_t) * (p++) << 8;
sstate->smb.securitysignature |= (uint64_t) *(p++) << 8;
if (!(--input_len))
break;
case 25:
sstate->smb.securitysignature |= (uint64_t) * (p++);
sstate->smb.securitysignature |= (uint64_t) *(p++);
if (!(--input_len))
break;
case 26:
......
retval
= NBSSParseHeader(f, smb_state, pstate, input, input_len,
output);
parsed += retval;
input_len -= retval;
SCLogDebug(
"NBSS Header (%u/%u) Type 0x%02x Length 0x%04x parsed %ld input_len %u",
sstate->bytesprocessed, NBSS_HDR_LEN, sstate->nbss.type,
sstate->nbss.length, parsed, input_len);
if (retval) {
parsed += retval;
input_len -= retval;
SCLogDebug(
"NBSS Header (%u/%u) Type 0x%02x Length 0x%04x parsed %ld input_len %u",
sstate->bytesprocessed, NBSS_HDR_LEN, sstate->nbss.type,
sstate->nbss.length, parsed, input_len);
} else if (input_len) {
SCLogDebug("Error parsing NBSS Header\n");
parsed += input_len;
input_len = 0;
}
}
switch (sstate->nbss.type) {
......
&& sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN)) {
retval = SMBParseHeader(f, smb_state, pstate, input + parsed,
input_len, output);
parsed += retval;
input_len -= retval;
SCLogDebug(
"SMB Header (%u/%u) Command 0x%02x parsed %ld input_len %u",
sstate->bytesprocessed, NBSS_HDR_LEN + SMB_HDR_LEN,
sstate->smb.command, parsed, input_len);
if (retval) {
parsed += retval;
input_len -= retval;
SCLogDebug(
"SMB Header (%u/%u) Command 0x%02x parsed %ld input_len %u",
sstate->bytesprocessed, NBSS_HDR_LEN + SMB_HDR_LEN,
sstate->smb.command, parsed, input_len);
} else if (input_len) {
SCLogDebug("Error parsing SMB Word Count\n");
parsed += input_len;
input_len = 0;
}
}
do {
......
+ SMB_HDR_LEN)) {
retval = SMBGetWordCount(f, smb_state, pstate, input + parsed,
input_len, output);
parsed += retval;
input_len -= retval;
SCLogDebug("wordcount (%u) parsed %ld input_len %u",
sstate->wordcount.wordcount, parsed, input_len);
if (retval) {
parsed += retval;
input_len -= retval;
} else if (input_len) {
SCLogDebug("Error parsing SMB Word Count\n");
parsed += input_len;
input_len = 0;
}
}
while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN
......
+ SMB_HDR_LEN + 1 + sstate->wordcount.wordcount)) {
retval = SMBParseWordCount(f, smb_state, pstate,
input + parsed, input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
} else if (input_len) {
SCLogDebug("Error parsing SMB Word Count Data\n");
parsed += input_len;
input_len = 0;
}
}
while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN
......
+ sstate->wordcount.wordcount)) {
retval = SMBGetByteCount(f, smb_state, pstate, input + parsed,
input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
} else if (input_len) {
SCLogDebug("Error parsing SMB Byte Count\n");
parsed += input_len;
input_len = 0;
}
}
while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN
......
&& sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN + 3
+ sstate->wordcount.wordcount
+ sstate->bytecount.bytecount)) {
retval = SMBParseByteCount(f, smb_state, pstate,
input + parsed, input_len, output);
parsed += retval;
input_len -= retval;
if (retval) {
parsed += retval;
input_len -= retval;
} else if (input_len) {
SCLogDebug("Error parsing SMB Byte Count Data\n");
parsed += input_len;
input_len = 0;
}
}
} while (sstate->andx.andxcommand != SMB_NO_SECONDARY_ANDX_COMMAND
&& input_len);
(2-2/2)