smb1: improve error handling

8 years ago · 170edf7c44
parent 7ceb67138f
commit 170edf7c44
2 changed files with 49 additions and 35 deletions
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@ -465,27 +465,29 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
            false
        },
        SMB1_COMMAND_NT_CREATE_ANDX => {
-            match parse_smb_create_andx_response_record(r.data) {
-                IResult::Done(_, cr) => {
-                    SCLogDebug!("Create AndX {:?}", cr);
-
-                    let guid_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_FILENAME);
-                    match state.ssn2vec_map.remove(&guid_key) {
-                        Some(mut p) => {
-                            p.retain(|&i|i != 0x00);
-
-                            let mut fid = cr.fid.to_vec();
-                            fid.extend_from_slice(&u32_as_bytes(r.ssn_id));
-                            SCLogDebug!("SMB1_COMMAND_NT_CREATE_ANDX fid {:?}", fid);
-                            SCLogDebug!("fid {:?} name {:?}", fid, p);
-                            state.guid2name_map.insert(fid, p);
-                        },
-                        _ => {
-                            SCLogDebug!("SMBv1 response: GUID NOT FOUND");
-                        },
-                    }
-                },
-                _ => { events.push(SMBEvent::MalformedData); },
+            if r.nt_status == SMB_NTSTATUS_SUCCESS {
+                match parse_smb_create_andx_response_record(r.data) {
+                    IResult::Done(_, cr) => {
+                        SCLogDebug!("Create AndX {:?}", cr);
+
+                        let guid_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_FILENAME);
+                        match state.ssn2vec_map.remove(&guid_key) {
+                            Some(mut p) => {
+                                p.retain(|&i|i != 0x00);
+
+                                let mut fid = cr.fid.to_vec();
+                                fid.extend_from_slice(&u32_as_bytes(r.ssn_id));
+                                SCLogDebug!("SMB1_COMMAND_NT_CREATE_ANDX fid {:?}", fid);
+                                SCLogDebug!("fid {:?} name {:?}", fid, p);
+                                state.guid2name_map.insert(fid, p);
+                            },
+                            _ => {
+                                SCLogDebug!("SMBv1 response: GUID NOT FOUND");
+                            },
+                        }
+                    },
+                    _ => { events.push(SMBEvent::MalformedData); },
+                }
            }
            false
        },
@ -494,18 +496,6 @@ pub fn smb1_response_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32
            true
        },
        SMB1_COMMAND_SESSION_SETUP_ANDX => {
-/*
-            SCLogDebug!("SMB1_COMMAND_SESSION_SETUP_ANDX user_id {}", r.user_id);
-            match parse_smb_response_setup_andx_record(r.data) {
-                IResult::Done(rem, _setup) => {
-                    //parse_secblob(state, setup.sec_blob);
-                    state.response_host = Some(smb1_session_setup_response_host_info(r, rem));
-                },
-                _ => {},
-            }
-            tx_sync = true;
-            false
-*/
            smb1_session_setup_response(state, r);
            true
        },
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@ -429,18 +429,42 @@ pub struct SmbResponseRecordSetupAndX<'a> {
    pub sec_blob: &'a[u8],
 }

-named!(pub parse_smb_response_setup_andx_record<SmbResponseRecordSetupAndX>,
+named!(response_setup_andx_record<SmbResponseRecordSetupAndX>,
    do_parse!(
       skip1: take!(7)
       >> sec_blob_len: le_u16
       >> bcc: le_u16
       >> sec_blob: take!(sec_blob_len)
-       //>> skip3: rest
       >> (SmbResponseRecordSetupAndX {
                sec_blob:sec_blob,
           }))
 );

+named!(response_setup_andx_wct3_record<SmbResponseRecordSetupAndX>,
+    do_parse!(
+       skip1: take!(7)
+       >> bcc: le_u16
+       >> (SmbResponseRecordSetupAndX {
+                sec_blob:&[],
+           }))
+);
+
+named!(response_setup_andx_error_record<SmbResponseRecordSetupAndX>,
+    do_parse!(
+          wct: le_u8
+       >> bcc: le_u16
+       >> (SmbResponseRecordSetupAndX {
+                sec_blob: &[],
+           }))
+);
+
+named!(pub parse_smb_response_setup_andx_record<SmbResponseRecordSetupAndX>,
+    switch!(peek!(le_u8), // wct
+        0 => call!(response_setup_andx_error_record) |
+        3 => call!(response_setup_andx_wct3_record)  |
+        _ => call!(response_setup_andx_record))
+);
+
 #[derive(Debug,PartialEq)]
 pub struct SmbRequestReadAndXRecord<'a> {
    pub fid: &'a[u8],