Bug #4343
closedProtocol detection evasion enip-SMB
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28388
Problem is that rs_smb_probe_tcp
uses search_smb_record
. which searches a SMB record at any position
Before this record, there might be another valid protocol such as ENIP
Why is not parse_nbss_record_partial
good enough ?
Files
Updated by Jeff Lucovsky almost 4 years ago
- Copied from Bug #4232: Protocol detection evasion enip-SMB added
Updated by Jeff Lucovsky almost 4 years ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky almost 4 years ago
Updated by Victor Julien almost 4 years ago
- Status changed from In Review to Assigned
- Target version changed from 5.0.6 to 5.0.7
- Affected Versions 5.0.5, 5.0.6 added
- Affected Versions deleted (
6.0.1)
Postponing this as the suggested fix breaks other tests for me, and backporting a requirement (https://github.com/OISF/suricata/commit/c6aadf0dfa0d438e3a4a46db2de893b62e76d7ce) is too intrusive for the age of this branch.
Updated by Jason Ish over 3 years ago
Does this still need a 5.0 backport? 5.0.x contains commit https://github.com/OISF/suricata/commit/83070102557d2755b9ffc67bb14b9b4d48b039e9 which appears to be part of this fix. And master-5.0.x appears to pass the repo steps listed in this ticket. Remove that commit and master-5.0.x and it appears to fail.
Updated by Jeff Lucovsky over 3 years ago
- Status changed from Assigned to Rejected
I'm closing this
- Not able to reproduce the issue in master-5.0.x