smb1: improve error handling

8 years ago · 170edf7c44
parent 7ceb67138f
commit 170edf7c44
2 changed files with 49 additions and 35 deletions
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@ -465,27 +465,29 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
            false
        },
        SMB1_COMMAND_NT_CREATE_ANDX => {
-            match parse_smb_create_andx_response_record(r.data) {
+            if r.nt_status == SMB_NTSTATUS_SUCCESS {
-                IResult::Done(_, cr) => {
+                match parse_smb_create_andx_response_record(r.data) {
-                    SCLogDebug!("Create AndX {:?}", cr);
+                    IResult::Done(_, cr) => {
-
+                        SCLogDebug!("Create AndX {:?}", cr);
-                    let guid_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_FILENAME);
+
-                    match state.ssn2vec_map.remove(&guid_key) {
+                        let guid_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_FILENAME);
-                        Some(mut p) => {
+                        match state.ssn2vec_map.remove(&guid_key) {
-                            p.retain(|&i|i != 0x00);
+                            Some(mut p) => {
-
+                                p.retain(|&i|i != 0x00);
-                            let mut fid = cr.fid.to_vec();
+
-                            fid.extend_from_slice(&u32_as_bytes(r.ssn_id));
+                                let mut fid = cr.fid.to_vec();
-                            SCLogDebug!("SMB1_COMMAND_NT_CREATE_ANDX fid {:?}", fid);
+                                fid.extend_from_slice(&u32_as_bytes(r.ssn_id));
-                            SCLogDebug!("fid {:?} name {:?}", fid, p);
+                                SCLogDebug!("SMB1_COMMAND_NT_CREATE_ANDX fid {:?}", fid);
-                            state.guid2name_map.insert(fid, p);
+                                SCLogDebug!("fid {:?} name {:?}", fid, p);
-                        },
+                                state.guid2name_map.insert(fid, p);
-                        _ => {
+                            },
-                            SCLogDebug!("SMBv1 response: GUID NOT FOUND");
+                            _ => {
-                        },
+                                SCLogDebug!("SMBv1 response: GUID NOT FOUND");
-                    }
+                            },
-                },
+                        }
-                _ => { events.push(SMBEvent::MalformedData); },
+                    },
                    _ => { events.push(SMBEvent::MalformedData); },
                }
            }
            false
        },
@ -494,18 +496,6 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
            true
        },
        SMB1_COMMAND_SESSION_SETUP_ANDX => {
 /*
            SCLogDebug!("SMB1_COMMAND_SESSION_SETUP_ANDX user_id {}", r.user_id);
            match parse_smb_response_setup_andx_record(r.data) {
                IResult::Done(rem, _setup) => {
                    //parse_secblob(state, setup.sec_blob);
                    state.response_host = Some(smb1_session_setup_response_host_info(r, rem));
                },
                _ => {},
            }
            tx_sync = true;
            false
 */
            smb1_session_setup_response(state, r);
            true
        },
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@ -429,18 +429,42 @@ pub struct SmbResponseRecordSetupAndX<'a> {
    pub sec_blob: &'a[u8],
 }
-named!(pub parse_smb_response_setup_andx_record<SmbResponseRecordSetupAndX>,
+named!(response_setup_andx_record<SmbResponseRecordSetupAndX>,
    do_parse!(
       skip1: take!(7)
       >> sec_blob_len: le_u16
       >> bcc: le_u16
       >> sec_blob: take!(sec_blob_len)
       //>> skip3: rest
       >> (SmbResponseRecordSetupAndX {
                sec_blob:sec_blob,
           }))
 );
 named!(response_setup_andx_wct3_record<SmbResponseRecordSetupAndX>,
    do_parse!(
       skip1: take!(7)
       >> bcc: le_u16
       >> (SmbResponseRecordSetupAndX {
                sec_blob:&[],
           }))
 );
 named!(response_setup_andx_error_record<SmbResponseRecordSetupAndX>,
    do_parse!(
          wct: le_u8
       >> bcc: le_u16
       >> (SmbResponseRecordSetupAndX {
                sec_blob: &[],
           }))
 );
 named!(pub parse_smb_response_setup_andx_record<SmbResponseRecordSetupAndX>,
    switch!(peek!(le_u8), // wct
        0 => call!(response_setup_andx_error_record) |
        3 => call!(response_setup_andx_wct3_record)  |
        _ => call!(response_setup_andx_record))
 );
 #[derive(Debug,PartialEq)]
 pub struct SmbRequestReadAndXRecord<'a> {
    pub fid: &'a[u8],