Bug #7547
opendcerpc: parser uses only one header for both directions
Description
Header handling is wrong in the following case:
- packet A to server is fragmented (the parser returns AppLayerResult::incomplete and keeps the header in state)
- packet B is to client, but is parsed using the header of the to_server packet
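A toy model of this header mix-up, added here as an example (it is not Suricata's DCERPC parser and assumes a simplified 2-byte header of [pdu_type, frag_len]): with one shared pending header, the to_client packet is consumed as the continuation of the to_server PDU and reported with the request's header; with one pending header per direction it is parsed on its own.

```rust
// Toy model of the bug in this ticket, added as an example; it is not Suricata's
// DCERPC parser. Assumed PDU format: 2-byte header [pdu_type, frag_len], then payload.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Direction { ToServer = 0, ToClient = 1 }
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Header { pub pdu_type: u8, pub frag_len: usize }
#[derive(Debug, PartialEq)]
pub enum Outcome {
    Complete(Header), // a whole PDU consumed, with the header used to parse it
    Incomplete,       // like AppLayerResult::incomplete: header stays pending
}

pub struct Parser {
    // Pending (header, payload bytes still needed) per slot. With `shared`,
    // slot 0 serves both directions (the bug); otherwise each direction has its own.
    pending: [Option<(Header, usize)>; 2],
    shared: bool,
}

impl Parser {
    pub fn new(shared: bool) -> Self { Parser { pending: [None, None], shared } }
    pub fn feed(&mut self, dir: Direction, data: &[u8]) -> Outcome {
        let slot = if self.shared { 0 } else { dir as usize };
        let (hdr, needed, payload) = match self.pending[slot] {
            Some((h, n)) => (h, n, data), // continuation: whole packet is payload
            None if data.len() < 2 => return Outcome::Incomplete,
            None => {
                let h = Header { pdu_type: data[0], frag_len: data[1] as usize };
                (h, h.frag_len, &data[2..])
            }
        };
        if payload.len() >= needed {
            self.pending[slot] = None;
            Outcome::Complete(hdr)
        } else {
            self.pending[slot] = Some((hdr, needed - payload.len()));
            Outcome::Incomplete
        }
    }
}

/// Replays the ticket's scenario: what does the parser make of a to_client
/// packet that arrives between the two fragments of a to_server PDU?
pub fn replay(shared: bool) -> Outcome {
    let mut p = Parser::new(shared);
    // Constructed: request (type 0) with 4 payload bytes; only the first fragment.
    let _ = p.feed(Direction::ToServer, &[0x00, 0x04, 0xaa, 0xbb]);
    // Constructed: response (type 2) with 1 payload byte, complete in one packet.
    p.feed(Direction::ToClient, &[0x02, 0x01, 0xcc])
}
```

With `shared = true` the response comes back as `Complete(Header { pdu_type: 0, frag_len: 4 })`, i.e. labelled with the request's header, and the pending to_server state is cleared so the real second fragment would then be misread as a fresh header.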
Updated by Philippe Antoine about 2 months ago
- Copied from Bug #7254: dcerpc: parser does not support multiple PDUs added
Updated by Philippe Antoine about 2 months ago
Second commit of https://github.com/OISF/suricata/pull/12528 with its fixups should fix this
Updated by Victor Julien about 1 month ago
Was this addressed by https://github.com/OISF/suricata/pull/12532 ?
Updated by Shivani Bhardwaj about 1 month ago
Victor Julien wrote in #note-3:
Was this addressed by https://github.com/OISF/suricata/pull/12532 ?
No. There's still one header. I don't know if there was a bug found that led to this ticket btw. But, it does seem better to keep diff headers, but to me it also seems better to move headers out of state altogether. Philippe already has done work around this: https://github.com/OISF/suricata/pull/12528/commits/a7db07d623337d3dd3d994b6427dd53e279aec4f, not sure why that was closed.
@Philippe Antoine ?
Updated by Philippe Antoine about 1 month ago
This is not yet addressed.
The fix is indeed https://github.com/OISF/suricata/pull/12528/commits/a7db07d623337d3dd3d994b6427dd53e279aec4f (will need to be rebased)
I did not push for it as there are other dcerpc tickets like https://redmine.openinfosecfoundation.org/issues/7254 and I am not sure which should come first.
And the "difficult" part would be to create an SV test (taking a pcap with fragmented dcerpc and then mixing the order of packets a bit should do, so as to have one packet of the opposite direction between the 2 packets of a fragmented DCERPC PDU).
Updated by Victor Julien 8 days ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1