Project

General

Profile

Actions
Copy link

Bug #7547

closed
PA PA

dcerpc: parser uses only one header for both directions

Bug #7547: dcerpc: parser uses only one header for both directions

Added by Philippe Antoine about 1 year ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
9.0.0-beta1
Affected Versions:
8.0.0
Effort:
Difficulty:
Label:

Description

Header handling is wrong in the case

packet A to server is fragmented (return AppLayerResult::incomplete)
packet B is to client, but uses the header of the to_server packet

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #7254: dcerpc: parser does not support multiple PDUsClosedPhilippe AntoineActions

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
 #1

  • Copied from Bug #7254: dcerpc: parser does not support multiple PDUs added

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
 #2

Second commit of https://github.com/OISF/suricata/pull/12528 with its fixups should fix this

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #3

SB Updated by Shivani Bhardwaj about 1 year ago Actions
Copy link
 #4

Victor Julien wrote in #note-3:

Was this addressed by https://github.com/OISF/suricata/pull/12532 ?

No. There's still one header. I don't know if there was a bug found that led to this ticket btw. But, it does seem better to keep diff headers but to me it also seems better to move headers out of state altogether. Philippe already has done work around this: https://github.com/OISF/suricata/pull/12528/commits/a7db07d623337d3dd3d994b6427dd53e279aec4f, not sure why was that closed.
@Philippe Antoine ?

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
 #5

This is not yet addressed.
The fix is indeed https://github.com/OISF/suricata/pull/12528/commits/a7db07d623337d3dd3d994b6427dd53e279aec4f (will need to be rebased)

I did not push for it as there are other dcerpc tickets like https://redmine.openinfosecfoundation.org/issues/7254 and I am not sure which should come first.

And the "difficult" part would be to create a SV test (take a pcap with fragmented dcerpc, and then mix a bit the order of packets should do (to have one packet of the opposite direction between the 2 packets of a fragmented DCERPC PDU)

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #6

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

SB Updated by Shivani Bhardwaj 11 months ago Actions
Copy link
 #7

  • Assignee changed from Shivani Bhardwaj to Philippe Antoine

as Philippe has already worked on this that I'll be using.

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #8

  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1

PA Updated by Philippe Antoine 10 months ago Actions
Copy link
 #9

  • Assignee changed from Philippe Antoine to Shivani Bhardwaj

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #10

  • Affected Versions 8.0.0 added

SB Updated by Shivani Bhardwaj 3 months ago Actions
Copy link
 #11

  • Status changed from New to In Review
  • Assignee changed from Shivani Bhardwaj to Philippe Antoine

SB Updated by Shivani Bhardwaj 3 months ago Actions
Copy link
 #12

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: PDF Atom