Project

General

Profile

Actions

Optimization #7251

open

dcerpc: mimic gap behavior if invalid data is sent to protocol parser

Added by Shivani Bhardwaj 2 months ago.

Status:
Assigned
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Let's assume that the RFC XXX of a Protocol P defines that its:
  • header is 4 bytes in total
  • byte 1 tells protocol version
  • byte 2 tells the type of request/response
  • bytes 3 and 4 of its header tell how big the entire fragment is
  • rest of the bytes are the fragment data

Request 1:

--------------------------
|       Header (4B)      |  <- this tells that the total length of the fragment is 20 bytes
--------------------------
|                        |
|                        |
|         DATA           |
|                        |
--------------------------

Observation: Request 1 is hence completed.

Request 2:

--------------------------
|                        |
|                        |
|         DATA           |
|                        |
--------------------------

Observation: The header of this request gives a protocol version and request type that are invalid so the protocol parser rejects it and returns an error.

Behavior to be implemented: In case of Request 2, the parser should mimic gap behavior i.e. skip over the invalid data for as long as it lasts.

Challenges:

  • No way to know the length of the invalid data beforehand.

Possible solutions:

  • Maybe Applayer:: API can be extended to have a fn that allows to skip over data until a certain byte pattern is found. To be discussed.
  • The protocol parser can itself just not do anything w the data and ask for more data until it has valid data.

No data to display

Actions

Also available in: Atom PDF