smb1: more exact tree connect record parsing

7 years ago · 668c747aee
parent 0ed00cf104
commit 668c747aee
2 changed files with 16 additions and 15 deletions
--- a/rust/src/smb/smb1.rs
+++ b/rust/src/smb/smb1.rs
@ -283,15 +283,13 @@ pub fn smb1_request_record<'b>(state: &mut SMBState, r: &SmbRecord<'b>) -> u32 {
        },
        SMB1_COMMAND_TREE_CONNECT_ANDX => {
            SCLogDebug!("SMB1_COMMAND_TREE_CONNECT_ANDX");
-            match parse_smb_connect_tree_andx_record(r.data) {
+            match parse_smb_connect_tree_andx_record(r.data, r) {
                IResult::Done(_, create_record) => {
                    let name_key = SMBCommonHdr::from1(r, SMBHDR_TYPE_TREE);
-                    let mut name_val = create_record.share.to_vec();
-                    name_val.retain(|&i|i != 0x00);
+                    let mut name_val = create_record.path;
                    if name_val.len() > 1 {
                        name_val = name_val[1..].to_vec();
                    }
-                    //state.ssn2vec_map.insert(name_key, name_val);

                    // store hdr as SMBHDR_TYPE_TREE, so with tree id 0
                    // when the response finds this we update it
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@ -139,7 +139,7 @@ named!(pub parse_smb_connect_tree_andx_response_record<Smb1ResponseRecordTreeCon
        >>  cond!(wct == 7, take!(8))   // access masks
        >>  bcc: le_u16
        >>  service: take_until_and_consume!("\x00")
-        >>  nativefs: rest
+        >>  nativefs: take_until_and_consume!("\x00")
        >> (Smb1ResponseRecordTreeConnectAndX {
                service:service,
                nativefs:nativefs,
@ -148,21 +148,24 @@ named!(pub parse_smb_connect_tree_andx_response_record<Smb1ResponseRecordTreeCon

 #[derive(Debug,PartialEq)]
 pub struct SmbRecordTreeConnectAndX<'a> {
-    pub share: &'a[u8],
+    pub path: Vec<u8>,
+    pub service: &'a[u8],
 }

-named!(pub parse_smb_connect_tree_andx_record<SmbRecordTreeConnectAndX>,
-    do_parse!(
-       skip1: take!(7)
+pub fn parse_smb_connect_tree_andx_record<'a>(i: &'a[u8], r: &SmbRecord) -> IResult<&'a[u8], SmbRecordTreeConnectAndX<'a>> {
+    do_parse!(i,
+       _skip1: take!(7)
       >> pwlen: le_u16
-       >> bcc: le_u16
-       >> pw: take!(pwlen)
-       >> share: cond!(bcc >= (6 + pwlen), take!(bcc - (6 + pwlen)))
-       >> service: take!(6)
+       >> _bcc: le_u16
+       >> _pw: take!(pwlen)
+       >> unicode: value!(r.has_unicode_support())
+       >> path: switch!(value!(unicode), true => call!(smb_get_unicode_string) | false => call!(smb_get_ascii_string))
+       >> service: take_until_and_consume!("\x00")
       >> (SmbRecordTreeConnectAndX {
-                share: share.unwrap_or(&[]),
+                path: path,
+                service: service,
           }))
-);
+}

 #[derive(Debug,PartialEq)]
 pub struct SmbRecordTransRequest<'a> {