dcerpc: mimic gap behavior for invalid data#14829
Conversation
If invalid data is sent to the parser then instead of rejecting it at the first few bytes that do not conform to the header standards, mimic gap behavior and try to skip a few bytes until a possibly good DCERPC record is found. Ticket: 7251
|
WARNING:
Pipeline = 29640 |
|
Needs baseline update as per my evaluation. If you think it's incorrect, please feel free to remove the label and leave a comment about why you think so. Thanks a lot! |
|
How does this look to you, @catenacyber ? |
| let offset = cur_i.len() - pg.len(); | ||
| cur_i = &cur_i[offset..]; | ||
| consumed = offset as u32; | ||
| SCLogDebug!("Trying to catch up after GAP (input {})", i.len()); |
There was a problem hiding this comment.
I guess it is good but I feel it hard to read this handle_gap with skip_error_record instead of keeping the code in the main handle_input_data function
There was a problem hiding this comment.
ok but then i'd be duplicating the code at two places..
|
I think the problem here is https://redmine.openinfosecfoundation.org/issues/7254 we do not parse multiple PDUs in one go when we should as packet 67 has the beginning of a next PDU |
|
A simpler fix would be diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
index b13914a572..3fa3ff09c4 100644
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@@ -929,6 +929,9 @@ impl DCERPCState {
return AppLayerResult::err();
}
}
+ if rem > fraglen as u32 {
+ return AppLayerResult::incomplete(fraglen.into(), DCERPC_HDR_LEN.into());
+ }
self.post_gap_housekeeping(direction);
return AppLayerResult::ok(); |
Do you mean that this ticket is invalid and parsing multiple PDUs is all that needs to be done? |
Very nice. Minimalistic multi PDU support :P |
I think so wrt the SV test, unless you have other test cases that do not fit in this framework... |
Minimalistic, but not very nice :-p |
wait a second. This does not have correct Packet 67 indeed is rendered in wireshark to have next PDU's beginning (are those correct btw?) but it's a response packet so even if we do support multiple PDUs, how do we get to the next request that is rejected? |
Based on an internal discussion, we want both this and the multi PDU support as we should be able to recover from errors happening due to invalid data anyway |
3 participants
Previous PR: #14805
Changes since v5:
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7251
SV_BRANCH=OISF/suricata-verify#2904
Note: QA deviations on dcerpc stats are expected. The pcaps I got from QA lab showed no errors and an increased number of txs looking like the corresponding s-v test that was updated.