enip: fix too restrictive check in probing parser

As is shown later in the code, enip_len can be ENIP_LEN_REGISTER_SESSION which is 4, which is smaller than sizeof(ENIPEncapHdr) which is 24
3 years ago · ed11e32076
parent 09c84d0c26
commit ed11e32076
1 changed files with 6 additions and 9 deletions
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@ -359,15 +359,7 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
    uint32_t option;
    uint16_t nbitems;

-    int ret = ByteExtractUint16(
-            &enip_len, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *)(input + 2));
-    if (ret < 0) {
-        return ALPROTO_FAILED;
-    }
-    if (enip_len < sizeof(ENIPEncapHdr)) {
-        return ALPROTO_FAILED;
-    }
-    ret = ByteExtractUint32(
+    int ret = ByteExtractUint32(
            &status, BYTE_LITTLE_ENDIAN, sizeof(uint32_t), (const uint8_t *)(input + 8));
    if (ret < 0) {
        return ALPROTO_FAILED;
@ -394,6 +386,11 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
    if (ret < 0) {
        return ALPROTO_FAILED;
    }
+    ret = ByteExtractUint16(
+            &enip_len, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *)(input + 2));
+    if (ret < 0) {
+        return ALPROTO_FAILED;
+    }

    //ok for all the known commands
    switch(cmd) {