From fcc6474b2eecc8ec9412e0221894a3f74a7651ea Mon Sep 17 00:00:00 2001 From: root Date: Mon, 18 Jan 2010 14:05:16 -0600 Subject: [PATCH] fix bug 61 --- src/app-layer-dcerpc.c | 134 ++++++++++++++++++++++++++++----------- src/app-layer-smb.c | 168 ++++++++++++++++++++++++++++++----------------- 2 files changed, 204 insertions(+), 98 deletions(-) diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c index 5965c40..aff6f8c 100644 --- a/src/app-layer-dcerpc.c +++ b/src/app-layer-dcerpc.c @@ -457,7 +457,8 @@ static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, sstate->result = *p; sstate->result |= *(p + 1) << 8; TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) { - if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) { + if (uuid_entry->ctxid == sstate->numctxitems + - sstate->numctxitemsleft) { uuid_entry->result = sstate->result; //printUUID("BIND_ACK", uuid_entry); break; @@ -564,7 +565,8 @@ static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, break; case 23: TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) { - if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) { + if (uuid_entry->ctxid == sstate->numctxitems + - sstate->numctxitemsleft) { uuid_entry->result = sstate->result; //printUUID("BIND_ACK", uuid_entry); break; @@ -983,8 +985,14 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, && input_len) { retval = DCERPCParseBIND(f, dcerpc_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error Parsing DCERPC BIND"); + parsed -= input_len; + input_len = 0; + } } SCLogDebug( "Done with DCERPCParseBIND bytesprocessed %u/%u -- Should be 12\n", @@ -994,14 +1002,21 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, < sstate->dcerpc.frag_length && input_len) { retval = DCERPCParseBINDCTXItem(f, dcerpc_state, pstate, input + parsed, input_len, output); - if (sstate->ctxbytesprocessed == 44) { - sstate->ctxbytesprocessed = 0; + if (retval) { + if (sstate->ctxbytesprocessed == 44) { + sstate->ctxbytesprocessed = 0; + } + parsed += retval; + input_len -= retval; + SCLogDebug("BIND processed %u/%u\n", sstate->bytesprocessed, + sstate->dcerpc.frag_length); + } else if (input_len) { + SCLogDebug("Error Parsing CTX Item"); + parsed -= input_len; + input_len = 0; + sstate->numctxitemsleft = 0; } - parsed += retval; - input_len -= retval; } - SCLogDebug("BIND processed %u/%u\n", sstate->bytesprocessed, - sstate->dcerpc.frag_length); if (sstate->bytesprocessed == sstate->dcerpc.frag_length) { sstate->bytesprocessed = 0; sstate->ctxbytesprocessed = 0; @@ -1014,24 +1029,36 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, && input_len) { retval = DCERPCParseBINDACK(f, dcerpc_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + SCLogDebug("DCERPCParseBINDACK processed %u/%u left %u\n", + sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len); + } else if (input_len) { + SCLogDebug("Error parsing BIND_ACK"); + parsed -= input_len; + input_len = 0; + } } - SCLogDebug("DCERPCParseBINDACK processed %u/%u left %u\n", - sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len); while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 + sstate->secondaryaddrlen && input_len && sstate->bytesprocessed < sstate->dcerpc.frag_length) { retval = DCERPCParseSecondaryAddr(f, dcerpc_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + SCLogDebug( + "DCERPCParseSecondaryAddr %u/%u left %u secondaryaddr len(%u)\n", + sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len, + sstate->secondaryaddrlen); + } else if (input_len) { + SCLogDebug("Error parsing Secondary Address"); + parsed -= input_len; + input_len = 0; + } } - SCLogDebug( - "DCERPCParseSecondaryAddr %u/%u left %u secondaryaddr len(%u)\n", - sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len, - sstate->secondaryaddrlen); if (sstate->bytesprocessed == DCERPC_HDR_LEN + 10 + sstate->secondaryaddrlen) { @@ -1044,12 +1071,18 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, && sstate->bytesprocessed < sstate->dcerpc.frag_length) { retval = PaddingParser(f, dcerpc_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + SCLogDebug("PaddingParser %u/%u left %u pad(%u)\n", + sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len, + sstate->pad); + } else if (input_len) { + SCLogDebug("Error parsing DCERPC Padding"); + parsed -= input_len; + input_len = 0; + } } - SCLogDebug("PaddingParser %u/%u left %u pad(%u)\n", - sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len, - sstate->pad); while (sstate->bytesprocessed >= DCERPC_HDR_LEN + 10 + sstate->pad + sstate->secondaryaddrlen && sstate->bytesprocessed @@ -1057,11 +1090,17 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, && sstate->bytesprocessed < sstate->dcerpc.frag_length) { retval = DCERPCGetCTXItems(f, dcerpc_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + SCLogDebug("DCERPCGetCTXItems %u/%u (%u)\n", sstate->bytesprocessed, + sstate->dcerpc.frag_length, sstate->numctxitems); + } else if (input_len) { + SCLogDebug("Error parsing CTX Items"); + parsed -= input_len; + input_len = 0; + } } - SCLogDebug("DCERPCGetCTXItems %u/%u (%u)\n", sstate->bytesprocessed, - sstate->dcerpc.frag_length, sstate->numctxitems); if (sstate->bytesprocessed == DCERPC_HDR_LEN + 14 + sstate->pad + sstate->secondaryaddrlen) { @@ -1072,11 +1111,19 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, < sstate->dcerpc.frag_length) { retval = DCERPCParseBINDACKCTXItem(f, dcerpc_state, pstate, input + parsed, input_len, output); - if (sstate->ctxbytesprocessed == 24) { - sstate->ctxbytesprocessed = 0; + if (retval) { + if (sstate->ctxbytesprocessed == 24) { + sstate->ctxbytesprocessed = 0; + } + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error parsing CTX Items"); + parsed -= input_len; + input_len = 0; + sstate->numctxitemsleft = 0; + } - parsed += retval; - input_len -= retval; } SCLogDebug("BINDACK processed %u/%u\n", sstate->bytesprocessed, sstate->dcerpc.frag_length); @@ -1092,16 +1139,29 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, && input_len) { retval = DCERPCParseREQUEST(f, dcerpc_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error parsing DCERPC Request"); + parsed -= input_len; + input_len = 0; + } } while (sstate->bytesprocessed >= DCERPC_HDR_LEN + 8 && sstate->bytesprocessed < sstate->dcerpc.frag_length && input_len) { retval = StubDataParser(f, dcerpc_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error parsing DCERPC Stub Data"); + parsed -= input_len; + input_len = 0; + + } } SCLogDebug("REQUEST processed %u/%u\n", sstate->bytesprocessed, sstate->dcerpc.frag_length); diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c index dd4ef87..d1ab77c 100644 --- a/src/app-layer-smb.c +++ b/src/app-layer-smb.c @@ -122,10 +122,10 @@ static uint32_t SMBParseWriteAndX(Flow *f, void *smb_state, sstate->andx.datalength |= *(p + 21) << 24; sstate->andx.dataoffset = *(p + 22); sstate->andx.dataoffset |= *(p + 23) << 8; - sstate->andx.dataoffset |= (uint64_t) * (p + 24) << 56; - sstate->andx.dataoffset |= (uint64_t) * (p + 25) << 48; - sstate->andx.dataoffset |= (uint64_t) * (p + 26) << 40; - sstate->andx.dataoffset |= (uint64_t) * (p + 27) << 32; + sstate->andx.dataoffset |= (uint64_t) *(p + 24) << 56; + sstate->andx.dataoffset |= (uint64_t) *(p + 25) << 48; + sstate->andx.dataoffset |= (uint64_t) *(p + 26) << 40; + sstate->andx.dataoffset |= (uint64_t) *(p + 27) << 32; sstate->bytesprocessed += 28; SCReturnUInt(28U); } else { @@ -244,19 +244,19 @@ static uint32_t SMBParseWriteAndX(Flow *f, void *smb_state, if (!(--input_len)) break; case 24: - sstate->andx.dataoffset |= (uint64_t) * (p++) << 56; + sstate->andx.dataoffset |= (uint64_t) *(p++) << 56; if (!(--input_len)) break; case 25: - sstate->andx.dataoffset |= (uint64_t) * (p++) << 48; + sstate->andx.dataoffset |= (uint64_t) *(p++) << 48; if (!(--input_len)) break; case 26: - sstate->andx.dataoffset |= (uint64_t) * (p++) << 40; + sstate->andx.dataoffset |= (uint64_t) *(p++) << 40; if (!(--input_len)) break; case 27: - sstate->andx.dataoffset |= (uint64_t) * (p++) << 32; + sstate->andx.dataoffset |= (uint64_t) *(p++) << 32; --input_len; break; } @@ -284,10 +284,10 @@ static uint32_t SMBParseReadAndX(Flow *f, void *smb_state, sstate->andx.datalength |= *(p + 11) << 8; sstate->andx.dataoffset = *(p + 12); sstate->andx.dataoffset |= *(p + 13) << 8; - sstate->andx.datalength |= (uint64_t) * (p + 14) << 32; - sstate->andx.datalength |= (uint64_t) * (p + 15) << 40; - sstate->andx.datalength |= (uint64_t) * (p + 16) << 48; - sstate->andx.datalength |= (uint64_t) * (p + 17) << 56; + sstate->andx.datalength |= (uint64_t) *(p + 14) << 32; + sstate->andx.datalength |= (uint64_t) *(p + 15) << 40; + sstate->andx.datalength |= (uint64_t) *(p + 16) << 48; + sstate->andx.datalength |= (uint64_t) *(p + 17) << 56; sstate->bytesprocessed += 24; SCReturnUInt(24U); } else { @@ -395,10 +395,10 @@ static uint32_t SMBParseTransact(Flow *f, void *smb_state, sstate->andx.datalength |= *(p + 23) << 8; sstate->andx.dataoffset = *(p + 24); sstate->andx.dataoffset |= *(p + 25) << 8; - sstate->andx.datalength |= (uint64_t) * (p + 14) << 56; - sstate->andx.datalength |= (uint64_t) * (p + 15) << 48; - sstate->andx.datalength |= (uint64_t) * (p + 16) << 40; - sstate->andx.datalength |= (uint64_t) * (p + 17) << 32; + sstate->andx.datalength |= (uint64_t) *(p + 14) << 56; + sstate->andx.datalength |= (uint64_t) *(p + 15) << 48; + sstate->andx.datalength |= (uint64_t) *(p + 16) << 40; + sstate->andx.datalength |= (uint64_t) *(p + 17) << 32; sstate->bytesprocessed += 24; SCReturnUInt(24U); } else { @@ -553,12 +553,22 @@ static uint32_t PaddingParser(void *smb_state, AppLayerParserState *pstate, SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; - while ((uint32_t)(sstate->bytesprocessed + (p - input)) + printf("Inside Padding Parser"); + /* Check for validity of dataoffset */ + if (sstate->bytesprocessed > sstate->andx.dataoffset) { + printf("The offset was not valid."); + sstate->andx.paddingparsed = 1; + SCReturnUInt((uint32_t)(p - input)); + } + printf("bytesprocessed %u data offset %"PRIu64" input_len %u\n", + sstate->bytesprocessed, sstate->andx.dataoffset, input_len); + while ((uint32_t) (sstate->bytesprocessed + (p - input)) < sstate->andx.dataoffset && sstate->bytecount.bytecount-- && input_len--) { + printf("0x%02x", *p); p++; } - if ((uint32_t)(sstate->bytesprocessed + (p - input)) + if ((uint32_t) (sstate->bytesprocessed + (p - input)) == sstate->andx.dataoffset) { sstate->andx.paddingparsed = 1; } @@ -697,14 +707,15 @@ static uint32_t SMBParseByteCount(Flow *f, void *smb_state, if (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) && sstate->smb.command == SMB_COM_READ_ANDX) || (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) == 0) && sstate->smb.command - == SMB_COM_WRITE_ANDX) || - (sstate->smb.command == SMB_COM_TRANSACTION)) { + == SMB_COM_WRITE_ANDX) || (sstate->smb.command + == SMB_COM_TRANSACTION)) { if (sstate->andx.paddingparsed == 0) { retval = PaddingParser(sstate, pstate, input + parsed, input_len, output); parsed += retval; input_len -= retval; } + if (sstate->andx.datalength) { retval = DataParser(sstate, pstate, input + parsed, input_len, output); @@ -715,12 +726,13 @@ static uint32_t SMBParseByteCount(Flow *f, void *smb_state, } while (sstate->bytecount.bytecount && input_len) { - SCLogDebug("0x%02x bytecount %u input_len %u", *p, + printf("0x%02x bytecount %u input_len %u", *p, sstate->bytecount.bytecount, input_len); p++; - sstate->wordcount.wordcount--; + sstate->bytecount.bytecount--; input_len--; } + printf("\n"); sstate->bytesprocessed += (p - input); SCReturnUInt((uint32_t)(p - input)); } @@ -794,14 +806,14 @@ static uint32_t SMBParseHeader(Flow *f, void *smb_state, sstate->smb.flags2 |= *(p + 11); sstate->smb.pidhigh = *(p + 12) << 8; sstate->smb.pidhigh |= *(p + 13); - sstate->smb.securitysignature = (uint64_t) * (p + 14) << 56; - sstate->smb.securitysignature |= (uint64_t) * (p + 15) << 48; - sstate->smb.securitysignature |= (uint64_t) * (p + 16) << 40; - sstate->smb.securitysignature |= (uint64_t) * (p + 17) << 32; - sstate->smb.securitysignature |= (uint64_t) * (p + 18) << 24; - sstate->smb.securitysignature |= (uint64_t) * (p + 19) << 16; - sstate->smb.securitysignature |= (uint64_t) * (p + 20) << 8; - sstate->smb.securitysignature |= (uint64_t) * (p + 21); + sstate->smb.securitysignature = (uint64_t) *(p + 14) << 56; + sstate->smb.securitysignature |= (uint64_t) *(p + 15) << 48; + sstate->smb.securitysignature |= (uint64_t) *(p + 16) << 40; + sstate->smb.securitysignature |= (uint64_t) *(p + 17) << 32; + sstate->smb.securitysignature |= (uint64_t) *(p + 18) << 24; + sstate->smb.securitysignature |= (uint64_t) *(p + 19) << 16; + sstate->smb.securitysignature |= (uint64_t) *(p + 20) << 8; + sstate->smb.securitysignature |= (uint64_t) *(p + 21); sstate->smb.tid = *(p + 24) << 8; sstate->smb.tid |= *(p + 25); sstate->smb.pid = *(p + 26) << 8; @@ -879,35 +891,35 @@ static uint32_t SMBParseHeader(Flow *f, void *smb_state, if (!(--input_len)) break; case 18: - sstate->smb.securitysignature = (uint64_t) * (p++) << 56; + sstate->smb.securitysignature = (uint64_t) *(p++) << 56; if (!(--input_len)) break; case 19: - sstate->smb.securitysignature |= (uint64_t) * (p++) << 48; + sstate->smb.securitysignature |= (uint64_t) *(p++) << 48; if (!(--input_len)) break; case 20: - sstate->smb.securitysignature |= (uint64_t) * (p++) << 40; + sstate->smb.securitysignature |= (uint64_t) *(p++) << 40; if (!(--input_len)) break; case 21: - sstate->smb.securitysignature |= (uint64_t) * (p++) << 32; + sstate->smb.securitysignature |= (uint64_t) *(p++) << 32; if (!(--input_len)) break; case 22: - sstate->smb.securitysignature |= (uint64_t) * (p++) << 24; + sstate->smb.securitysignature |= (uint64_t) *(p++) << 24; if (!(--input_len)) break; case 23: - sstate->smb.securitysignature |= (uint64_t) * (p++) << 16; + sstate->smb.securitysignature |= (uint64_t) *(p++) << 16; if (!(--input_len)) break; case 24: - sstate->smb.securitysignature |= (uint64_t) * (p++) << 8; + sstate->smb.securitysignature |= (uint64_t) *(p++) << 8; if (!(--input_len)) break; case 25: - sstate->smb.securitysignature |= (uint64_t) * (p++); + sstate->smb.securitysignature |= (uint64_t) *(p++); if (!(--input_len)) break; case 26: @@ -971,13 +983,18 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, retval = NBSSParseHeader(f, smb_state, pstate, input, input_len, output); - parsed += retval; - input_len -= retval; - - SCLogDebug( - "NBSS Header (%u/%u) Type 0x%02x Length 0x%04x parsed %ld input_len %u", - sstate->bytesprocessed, NBSS_HDR_LEN, sstate->nbss.type, - sstate->nbss.length, parsed, input_len); + if (retval) { + parsed += retval; + input_len -= retval; + SCLogDebug( + "NBSS Header (%u/%u) Type 0x%02x Length 0x%04x parsed %ld input_len %u", + sstate->bytesprocessed, NBSS_HDR_LEN, sstate->nbss.type, + sstate->nbss.length, parsed, input_len); + } else if (input_len) { + SCLogDebug("Error parsing NBSS Header\n"); + parsed += input_len; + input_len = 0; + } } switch (sstate->nbss.type) { @@ -986,12 +1003,18 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, && sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN)) { retval = SMBParseHeader(f, smb_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; - SCLogDebug( - "SMB Header (%u/%u) Command 0x%02x parsed %ld input_len %u", - sstate->bytesprocessed, NBSS_HDR_LEN + SMB_HDR_LEN, - sstate->smb.command, parsed, input_len); + if (retval) { + parsed += retval; + input_len -= retval; + SCLogDebug( + "SMB Header (%u/%u) Command 0x%02x parsed %ld input_len %u", + sstate->bytesprocessed, NBSS_HDR_LEN + SMB_HDR_LEN, + sstate->smb.command, parsed, input_len); + } else if (input_len) { + SCLogDebug("Error parsing SMB Word Count\n"); + parsed += input_len; + input_len = 0; + } } do { @@ -999,10 +1022,14 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, + SMB_HDR_LEN)) { retval = SMBGetWordCount(f, smb_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; - SCLogDebug("wordcount (%u) parsed %ld input_len %u", - sstate->wordcount.wordcount, parsed, input_len); + if (retval) { + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error parsing SMB Word Count\n"); + parsed += input_len; + input_len = 0; + } } while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN @@ -1010,8 +1037,14 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, + SMB_HDR_LEN + 1 + sstate->wordcount.wordcount)) { retval = SMBParseWordCount(f, smb_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error parsing SMB Word Count Data\n"); + parsed += input_len; + input_len = 0; + } } while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN @@ -1020,8 +1053,14 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, + sstate->wordcount.wordcount)) { retval = SMBGetByteCount(f, smb_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error parsing SMB Byte Count\n"); + parsed += input_len; + input_len = 0; + } } while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN @@ -1029,10 +1068,17 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, && sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN + 3 + sstate->wordcount.wordcount + sstate->bytecount.bytecount)) { + retval = SMBParseByteCount(f, smb_state, pstate, input + parsed, input_len, output); - parsed += retval; - input_len -= retval; + if (retval) { + parsed += retval; + input_len -= retval; + } else if (input_len) { + SCLogDebug("Error parsing SMB Byte Count Data\n"); + parsed += input_len; + input_len = 0; + } } } while (sstate->andx.andxcommand != SMB_NO_SECONDARY_ANDX_COMMAND && input_len); -- 1.6.5.2