smb/dce_iface: avoid deleting current ifaces from state

The smb dce_iface keyword must match for all those dcerpc requests and responses sent in the context of the given interface. They are not matching as the current bind interfaces are deleted by any non bind message. Ticket: 4767
4 years ago · bff0774767
parent 1ae22fd5de
commit bff0774767
1 changed files with 9 additions and 1 deletions
--- a/rust/src/smb/dcerpc.rs
+++ b/rust/src/smb/dcerpc.rs
@ -180,6 +180,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState,
        data: &'b [u8]) -> bool
 {
    let mut bind_ifaces : Option<Vec<DCERPCIface>> = None;
+    let mut is_bind = false;

    SCLogDebug!("called for {} bytes of data", data.len());
    match parse_dcerpc_record(data) {
@ -259,6 +260,7 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState,
                    };
                    match brec {
                        Ok((_, bindr)) => {
+                            is_bind = true;
                            SCLogDebug!("SMB DCERPC {:?} BIND {:?}", dcer, bindr);

                            if bindr.ifaces.len() > 0 {
@ -304,7 +306,13 @@ pub fn smb_write_dcerpc_record<'b>(state: &mut SMBState,
        },
    }

-    state.dcerpc_ifaces = bind_ifaces; // TODO store per ssn
+    if is_bind {
+        // We have to write here the interfaces
+        // rather than in the BIND block
+        // due to borrow issues with the tx mutable reference
+        // that is part of the state
+        state.dcerpc_ifaces = bind_ifaces; // TODO store per ssn
+    }
    return true;
 }