smb1: improve error handling

8 years ago · 170edf7c44
parent 7ceb67138f
commit 170edf7c44
2 changed files with 49 additions and 35 deletions
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@ -465,6 +465,7 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
            false
        },
        SMB1_COMMAND_NT_CREATE_ANDX => {
+            if r.nt_status == SMB_NTSTATUS_SUCCESS {
                match parse_smb_create_andx_response_record(r.data) {
                    IResult::Done(_, cr) => {
                        SCLogDebug!("Create AndX {:?}", cr);
@ -487,6 +488,7 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
                    },
                    _ => { events.push(SMBEvent::MalformedData); },
                }
+            }
            false
        },
        SMB1_COMMAND_TRANS => {
@ -494,18 +496,6 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
            true
        },
        SMB1_COMMAND_SESSION_SETUP_ANDX => {
-/*
-            SCLogDebug!("SMB1_COMMAND_SESSION_SETUP_ANDX user_id {}", r.user_id);
-            match parse_smb_response_setup_andx_record(r.data) {
-                IResult::Done(rem, _setup) => {
-                    //parse_secblob(state, setup.sec_blob);
-                    state.response_host = Some(smb1_session_setup_response_host_info(r, rem));
-                },
-                _ => {},
-            }
-            tx_sync = true;
-            false
-*/
            smb1_session_setup_response(state, r);
            true
        },
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@ -429,18 +429,42 @@ pub struct SmbResponseRecordSetupAndX<'a> {
    pub sec_blob: &'a[u8],
 }

-named!(pub parse_smb_response_setup_andx_record<SmbResponseRecordSetupAndX>,
+named!(response_setup_andx_record<SmbResponseRecordSetupAndX>,
    do_parse!(
       skip1: take!(7)
       >> sec_blob_len: le_u16
       >> bcc: le_u16
       >> sec_blob: take!(sec_blob_len)
-       //>> skip3: rest
       >> (SmbResponseRecordSetupAndX {
                sec_blob:sec_blob,
           }))
 );

+named!(response_setup_andx_wct3_record<SmbResponseRecordSetupAndX>,
+    do_parse!(
+       skip1: take!(7)
+       >> bcc: le_u16
+       >> (SmbResponseRecordSetupAndX {
+                sec_blob:&[],
+           }))
+);
+
+named!(response_setup_andx_error_record<SmbResponseRecordSetupAndX>,
+    do_parse!(
+          wct: le_u8
+       >> bcc: le_u16
+       >> (SmbResponseRecordSetupAndX {
+                sec_blob: &[],
+           }))
+);
+
+named!(pub parse_smb_response_setup_andx_record<SmbResponseRecordSetupAndX>,
+    switch!(peek!(le_u8), // wct
+        0 => call!(response_setup_andx_error_record) |
+        3 => call!(response_setup_andx_wct3_record)  |
+        _ => call!(response_setup_andx_record))
+);
+
 #[derive(Debug,PartialEq)]
 pub struct SmbRequestReadAndXRecord<'a> {
    pub fid: &'a[u8],