From 33f703e3005cad26c29174d63d134f3177efc692 Mon Sep 17 00:00:00 2001
From: Kirby Kuehl
Date: Tue, 16 Feb 2010 11:42:15 -0600
Subject: [PATCH 2/2] add uuid to queue
---
 src/app-layer-dcerpc-udp.c | 50 ++++++++++++++++++++++++++++++++++---------
 1 files changed, 39 insertions(+), 11 deletions(-)
diff --git a/src/app-layer-dcerpc-udp.c b/src/app-layer-dcerpc-udp.c
index a0ff464..6029d6a 100644
--- a/src/app-layer-dcerpc-udp.c
+++ b/src/app-layer-dcerpc-udp.c
@@ -59,7 +59,7 @@ static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state,
 * present to parse the entire header. A slow path is used to parse
 * fragmented packets.
 */
-static uint32_t DCERPCUDPParseHeader(Flow *f, void *dcerpcudp_state,
+static int DCERPCUDPParseHeader(Flow *f, void *dcerpcudp_state,
 AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) {
 SCEnter();
@@ -70,6 +70,10 @@ static uint32_t DCERPCUDPParseHeader(Flow *f, void *dcerpcudp_state,
 case 0:
 if (input_len >= DCERPC_UDP_HDR_LEN) {
 sstate->dcerpchdrudp.rpc_vers = *p;
+ if (sstate->dcerpchdrudp.rpc_vers != 4) {
+ SCLogDebug("DCERPC UDP Header did not validate");
+ SCReturnInt(-1);
+ }
 sstate->dcerpchdrudp.ptype = *(p + 1);
 sstate->dcerpchdrudp.flags1 = *(p + 2);
 sstate->dcerpchdrudp.flags2 = *(p + 3);
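Review bot: In the `@@ -70,6 +70,10 @@` hunk the new `rpc_vers != 4` rejection logs a fixed string, so a debug trace cannot show which version byte was received; `SCLogDebug("DCERPC UDP rpc_vers %u, expected 4", sstate->dcerpchdrudp.rpc_vers);` would. The same literal and message are repeated in the byte-wise path of the `@@ -179,16 +183,27 @@` hunk, so a named constant for the supported version would keep the two checks in step. How the app layer reacts to the new -1 is decided outside this patch; it is worth confirming that one datagram with a bad version byte does not stop DCERPC inspection of later valid datagrams on the same flow. The switch in DCERPCUDPParseHeader continues outside the hunk.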
@@ -179,16 +183,27 @@ static uint32_t DCERPCUDPParseHeader(Flow *f, void *dcerpcudp_state,
 sstate->uuid_entry = (struct uuid_entry *) calloc(1, sizeof(struct uuid_entry));
 if (sstate->uuid_entry == NULL) {
- SCReturnUInt(0);
+ SCReturnInt(-1);
 } else {
 memcpy(sstate->uuid_entry->uuid, sstate->dcerpchdrudp.activityuuid, sizeof(sstate->dcerpchdrudp.activityuuid));
+ TAILQ_INSERT_HEAD(&sstate->uuid_list, sstate->uuid_entry,
+ next);
+#ifdef UNITTESTS
+ if (RunmodeIsUnittests()) {
+ printUUID("DCERPC UDP", sstate->uuid_entry);
+ }
+#endif
 }
- SCReturnUInt(80U);
+ SCReturnInt(80);
 break;
 } else {
 sstate->dcerpchdrudp.rpc_vers = *(p++);
+ if (sstate->dcerpchdrudp.rpc_vers != 4) {
+ SCLogDebug("DCERPC UDP Header did not validate");
+ SCReturnInt(-1);
+ }
 if (!(--input_len))
 break;
 }
@@ -520,18 +535,25 @@ static uint32_t DCERPCUDPParseHeader(Flow *f, void *dcerpcudp_state,
 sstate->uuid_entry = (struct uuid_entry *) calloc(1, sizeof(struct uuid_entry));
 if (sstate->uuid_entry == NULL) {
- SCReturnUInt(0);
+ SCReturnInt(-1);
 } else {
 memcpy(sstate->uuid_entry->uuid, sstate->dcerpchdrudp.activityuuid, sizeof(sstate->dcerpchdrudp.activityuuid));
+ TAILQ_INSERT_HEAD(&sstate->uuid_list, sstate->uuid_entry,
+ next);
+#ifdef UNITTESTS
+ if (RunmodeIsUnittests()) {
+ printUUID("DCERPC UDP", sstate->uuid_entry);
+ }
+#endif
 }
 --input_len;
 break;
 }
 }
 sstate->bytesprocessed += (p - input);
- SCReturnUInt((uint32_t)(p - input));
+ SCReturnInt((p - input));
 }
 static int DCERPCUDPParse(Flow *f, void *dcerpc_state,
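Review bot: Each completed header now callocs a `uuid_entry` and links it with `TAILQ_INSERT_HEAD`, both in the `@@ -179,16 +183,27 @@` fast path and in the `@@ -520,18 +535,25 @@` byte-wise path, and nothing in either hunk caps the list or skips an activity UUID that is already queued. Because the header bytes come from network traffic, the per-flow list presumably grows by one entry per parsed header until the state is freed. A lookup before the calloc or a maximum entry count would bound it, and the state's free routine (not in this patch) has to walk `uuid_list` and free every entry. Separately, the `break;` after `SCReturnInt(80);` cannot be reached, and the literal could be `DCERPC_UDP_HDR_LEN` if that constant is 80.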
@@ -539,14 +561,20 @@ static int DCERPCUDPParse(Flow *f, void *dcerpc_state,
 AppLayerParserResult *output) {
 uint32_t retval = 0;
 uint32_t parsed = 0;
+ int hdrretval = 0;
 SCEnter();
 DCERPCUDPState *sstate = (DCERPCUDPState *) dcerpc_state;
 while (sstate->bytesprocessed < DCERPC_UDP_HDR_LEN && input_len) {
- retval = DCERPCUDPParseHeader(f, dcerpc_state, pstate, input,
+ hdrretval = DCERPCUDPParseHeader(f, dcerpc_state, pstate, input,
 input_len, output);
- parsed += retval;
- input_len -= retval;
+ if (hdrretval == -1) {
+ sstate->bytesprocessed = 0;
+ SCReturnInt(hdrretval);
+ } else {
+ parsed += retval;
+ input_len -= retval;
+ }
 }
 #if 0
 printf("Done with DCERPCUDPParseHeader bytesprocessed %u/%u left %u\n",
@@ -865,9 +893,9 @@ int DCERPCUDPParserTest01(void) {
 }
 if (dcerpc_state->dcerpchdrudp.opnum != 4) {
- printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 4, dcerpc_state->dcerpchdrudp.opnum);
- result = 0;
- goto end;
+ printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 4, dcerpc_state->dcerpchdrudp.opnum);
+ result = 0;
+ goto end;
 }
 TAILQ_FOREACH(uuid_entry, &dcerpc_state->uuid_list, next) {
-- 
1.6.6
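Review bot: In the `@@ -539,14 +561,20 @@` hunk the header result now lands in `hdrretval`, but the else branch still uses `retval`, which is no longer assigned in the loop and is still 0 from its initialiser, so `parsed` and `input_len` do not change; the two lines should be `parsed += hdrretval;` and `input_len -= hdrretval;`. With the counts stuck, a short input that the byte-wise path fully consumes leaves the loop condition true, and the same `input` bytes are handed to DCERPCUDPParseHeader again and stored as the following header fields. Code after the loop, outside the hunk, also sees `parsed == 0` and the original `input_len`. For a parser of untrusted datagrams that desynchronises the recorded header from what was on the wire, so this is worth a unit test with a header split across two inputs.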