rust/smb: search for record on midstream start

Calls with both START and MIDSTREAM mean the record might be cut and the start of it could be missing. For this case, enable the same logic as is used when catching up after a GAP. Search for the start of the record instead of assuming it sits exactly at the start of the input data.
7 years ago · 2e6014b15c
parent 905d9a1dd8
commit 2e6014b15c
2 changed files with 16 additions and 4 deletions
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@ -1720,12 +1720,18 @@ pub extern "C" fn rs_smb_parse_request_tcp(_flow: *mut Flow,
                                       _pstate: *mut libc::c_void,
                                       input: *mut libc::uint8_t,
                                       input_len: libc::uint32_t,
-                                       _data: *mut libc::c_void)
+                                       _data: *mut libc::c_void,
+                                       flags: u8)
                                       -> libc::int8_t
 {
    let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)};
    SCLogDebug!("parsing {} bytes of request data", input_len);

+    /* START with MISTREAM set: record might be starting the middle. */
+    if flags & (STREAM_START|STREAM_MIDSTREAM) == (STREAM_START|STREAM_MIDSTREAM) {
+        state.ts_gap = true;
+    }
+
    if state.parse_tcp_data_ts(buf) == 0 {
        return 1;
    } else {
@ -1752,12 +1758,18 @@ pub extern "C" fn rs_smb_parse_response_tcp(_flow: *mut Flow,
                                        _pstate: *mut libc::c_void,
                                        input: *mut libc::uint8_t,
                                        input_len: libc::uint32_t,
-                                        _data: *mut libc::c_void)
+                                        _data: *mut libc::c_void,
+                                        flags: u8)
                                        -> libc::int8_t
 {
    SCLogDebug!("parsing {} bytes of response data", input_len);
    let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)};

+    /* START with MISTREAM set: record might be starting the middle. */
+    if flags & (STREAM_START|STREAM_MIDSTREAM) == (STREAM_START|STREAM_MIDSTREAM) {
+        state.tc_gap = true;
+    }
+
    if state.parse_tcp_data_tc(buf) == 0 {
        return 1;
    } else {
--- a/src/app-layer-smb-tcp-rust.c
+++ b/src/app-layer-smb-tcp-rust.c
@ -45,7 +45,7 @@ static int RustSMBTCPParseRequest(Flow *f, void *state,
        res = rs_smb_parse_request_tcp_gap(state, input_len);
    } else {
        res = rs_smb_parse_request_tcp(f, state, pstate, input, input_len,
-            local_data);
+            local_data, flags);
    }
    if (res != 1) {
        SCLogNotice("SMB request%s of %u bytes, retval %d",
@ -68,7 +68,7 @@ static int RustSMBTCPParseResponse(Flow *f, void *state,
        res = rs_smb_parse_response_tcp_gap(state, input_len);
    } else {
        res = rs_smb_parse_response_tcp(f, state, pstate, input, input_len,
-            local_data);
+            local_data, flags);
    }
    if (res != 1) {
        SCLogNotice("SMB response%s of %u bytes, retval %d",