smb1: parser cleanups

pull/3281/head
Victor Julien 7 years ago
parent d9e43d3e63
commit 7114d5d25b

@ -179,14 +179,14 @@ pub struct SmbPipeProtocolRecord<'a> {
} }
named!(pub parse_smb_trans_request_record_pipe<SmbPipeProtocolRecord>, named!(pub parse_smb_trans_request_record_pipe<SmbPipeProtocolRecord>,
dbg_dmp!(do_parse!( do_parse!(
fun: le_u16 fun: le_u16
>> fid: take!(2) >> fid: take!(2)
>> (SmbPipeProtocolRecord { >> (SmbPipeProtocolRecord {
function: fun, function: fun,
fid: fid, fid: fid,
}) })
)) )
); );
@ -201,7 +201,7 @@ pub struct SmbRecordTransRequestParams<> {
} }
named!(pub parse_smb_trans_request_record_params<(SmbRecordTransRequestParams, Option<SmbPipeProtocolRecord>)>, named!(pub parse_smb_trans_request_record_params<(SmbRecordTransRequestParams, Option<SmbPipeProtocolRecord>)>,
dbg_dmp!(do_parse!( do_parse!(
wct: le_u8 wct: le_u8
>> total_param_cnt: le_u16 >> total_param_cnt: le_u16
>> total_data_count: le_u16 >> total_data_count: le_u16
@ -218,7 +218,7 @@ named!(pub parse_smb_trans_request_record_params<(SmbRecordTransRequestParams, O
>> data_offset: le_u16 >> data_offset: le_u16
>> setup_cnt: le_u8 >> setup_cnt: le_u8
>> take!(1) // reserved >> take!(1) // reserved
>> pipe: cond!(wct == 16 && setup_cnt == 2, parse_smb_trans_request_record_pipe) // reserved >> pipe: cond!(wct == 16 && setup_cnt == 2, parse_smb_trans_request_record_pipe)
>> bcc: le_u16 >> bcc: le_u16
>> (( SmbRecordTransRequestParams { >> (( SmbRecordTransRequestParams {
max_data_cnt:max_data_cnt, max_data_cnt:max_data_cnt,
@ -228,7 +228,7 @@ named!(pub parse_smb_trans_request_record_params<(SmbRecordTransRequestParams, O
data_offset:data_offset, data_offset:data_offset,
bcc:bcc, bcc:bcc,
}, },
pipe)))) pipe)))
); );
#[derive(Debug,PartialEq)] #[derive(Debug,PartialEq)]
@ -284,31 +284,21 @@ pub fn parse_smb_trans_request_record<'a, 'b>(i: &'a[u8], r: &SmbRecord<'b>)
{ {
let (rem, (params, pipe)) = match parse_smb_trans_request_record_params(i) { let (rem, (params, pipe)) = match parse_smb_trans_request_record_params(i) {
IResult::Done(rem, (rd, p)) => (rem, (rd, p)), IResult::Done(rem, (rd, p)) => (rem, (rd, p)),
IResult::Incomplete(ii) => { IResult::Incomplete(ii) => { return IResult::Incomplete(ii); }
return IResult::Incomplete(ii); IResult::Error(e) => { return IResult::Error(e); }
}
IResult::Error(e) => {
return IResult::Error(e);
}
}; };
let mut offset = 32 + (i.len() - rem.len()); // init with SMB header let mut offset = 32 + (i.len() - rem.len()); // init with SMB header
SCLogDebug!("params {:?}: offset {}", params, offset); SCLogDebug!("params {:?}: offset {}", params, offset);
let name = if r.flags2 & 0x8000_u16 != 0 { // unicode let name = if r.has_unicode_support() {
SCLogDebug!("unicode flag set");
parse_smb_trans_request_tx_name_unicode(rem, offset) parse_smb_trans_request_tx_name_unicode(rem, offset)
} else { } else {
SCLogDebug!("unicode flag NOT set");
parse_smb_trans_request_tx_name_ascii(rem) parse_smb_trans_request_tx_name_ascii(rem)
}; };
let (rem2, n) = match name { let (rem2, n) = match name {
IResult::Done(rem, rd) => (rem, rd), IResult::Done(rem, rd) => (rem, rd),
IResult::Incomplete(ii) => { IResult::Incomplete(ii) => { return IResult::Incomplete(ii); }
return IResult::Incomplete(ii); IResult::Error(e) => { return IResult::Error(e); }
}
IResult::Error(e) => {
return IResult::Error(e);
}
}; };
offset += rem.len() - rem2.len(); offset += rem.len() - rem2.len();
SCLogDebug!("n {:?}: offset {}", n, offset); SCLogDebug!("n {:?}: offset {}", n, offset);
@ -338,12 +328,8 @@ pub fn parse_smb_trans_request_record<'a, 'b>(i: &'a[u8], r: &SmbRecord<'b>)
let d = match parse_smb_trans_request_record_data(rem2, let d = match parse_smb_trans_request_record_data(rem2,
pad1, params.param_cnt, pad2, params.data_cnt) { pad1, params.param_cnt, pad2, params.data_cnt) {
IResult::Done(_, rd) => rd, IResult::Done(_, rd) => rd,
IResult::Incomplete(ii) => { IResult::Incomplete(ii) => { return IResult::Incomplete(ii); }
return IResult::Incomplete(ii); IResult::Error(e) => { return IResult::Error(e); }
}
IResult::Error(e) => {
return IResult::Error(e);
}
}; };
SCLogDebug!("d {:?}", d); SCLogDebug!("d {:?}", d);
d d
@ -620,6 +606,12 @@ pub struct SmbRecord<'a> {
pub data: &'a[u8], pub data: &'a[u8],
} }
impl<'a> SmbRecord<'a> {
pub fn has_unicode_support(&self) -> bool {
self.flags2 & 0x8000_u16 != 0
}
}
named!(pub parse_smb_record<SmbRecord>, named!(pub parse_smb_record<SmbRecord>,
do_parse!( do_parse!(
server_component: tag!(b"\xffSMB") server_component: tag!(b"\xffSMB")
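Review bot: The new `SmbRecord::has_unicode_support` helper in the last hunk has no doc comment and still carries the bare `0x8000_u16` mask, even though it now decides whether peer-supplied strings go to the unicode or the ASCII parser. I would add `/// True when SMB_FLAGS2_UNICODE (0x8000) is set in flags2, i.e. string fields in this message are 16-bit Unicode.` above the method, and consider a named constant for the mask so the bit is defined in one place. The bit is read straight from the wire, so the doc comment should also say that it reflects what the sender claims, not a verified property of the payload. The `impl` block is fully inside the hunk; `parse_smb_record` continues outside it.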

@ -69,7 +69,7 @@ named!(pub get_nullterm_string<Vec<u8>>,
pub fn smb1_session_setup_request_host_info(r: &SmbRecord, blob: &[u8]) -> SessionSetupRequest pub fn smb1_session_setup_request_host_info(r: &SmbRecord, blob: &[u8]) -> SessionSetupRequest
{ {
if blob.len() > 1 && r.flags2 & 0x8000_u16 != 0 { if blob.len() > 1 && r.has_unicode_support() {
let offset = r.data.len() - blob.len(); let offset = r.data.len() - blob.len();
let blob = if offset % 2 == 1 { &blob[1..] } else { blob }; let blob = if offset % 2 == 1 { &blob[1..] } else { blob };
let (native_os, native_lm, primary_domain) = match get_unicode_string(blob) { let (native_os, native_lm, primary_domain) = match get_unicode_string(blob) {
@ -120,15 +120,13 @@ pub fn smb1_session_setup_request_host_info(r: &SmbRecord, blob: &[u8]) -> Sessi
pub fn smb1_session_setup_response_host_info(r: &SmbRecord, blob: &[u8]) -> SessionSetupResponse pub fn smb1_session_setup_response_host_info(r: &SmbRecord, blob: &[u8]) -> SessionSetupResponse
{ {
if blob.len() > 1 && r.flags2 & 0x8000_u16 != 0 { if blob.len() > 1 && r.has_unicode_support() {
let offset = r.data.len() - blob.len(); let offset = r.data.len() - blob.len();
let blob = if offset % 2 == 1 { &blob[1..] } else { blob }; let blob = if offset % 2 == 1 { &blob[1..] } else { blob };
let (native_os, native_lm) = match get_unicode_string(blob) { let (native_os, native_lm) = match get_unicode_string(blob) {
IResult::Done(rem, n1) => { IResult::Done(rem, n1) => {
match get_unicode_string(rem) { match get_unicode_string(rem) {
IResult::Done(_, n2) => { IResult::Done(_, n2) => (n1, n2),
(n1, n2)
},
_ => { (n1, Vec::new()) }, _ => { (n1, Vec::new()) },
} }
}, },
@ -145,9 +143,7 @@ pub fn smb1_session_setup_response_host_info(r: &SmbRecord, blob: &[u8]) -> Sess
let (native_os, native_lm) = match get_nullterm_string(blob) { let (native_os, native_lm) = match get_nullterm_string(blob) {
IResult::Done(rem, n1) => { IResult::Done(rem, n1) => {
match get_nullterm_string(rem) { match get_nullterm_string(rem) {
IResult::Done(_, n2) => { IResult::Done(_, n2) => (n1, n2),
(n1, n2)
},
_ => { (n1, Vec::new()) }, _ => { (n1, Vec::new()) },
} }
}, },
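Review bot: `let offset = r.data.len() - blob.len();` in `smb1_session_setup_request_host_info` (and again in `smb1_session_setup_response_host_info`) is an unchecked `usize` subtraction that assumes `blob` is a tail of `r.data`. The callers are not visible here, but if one ever passes a longer slice, this panics in builds with overflow checks, on data taken from network traffic. Since the value is only used for the alignment test, `let offset = r.data.len().saturating_sub(blob.len());` would make the assumption harmless; a short comment stating that `blob` must be a suffix of `r.data` would document it. Both functions start or end outside the hunks shown.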
