dcerpc/tcp: implement trunc logic

When one side of the connection reaches the STREAM_DEPTH condition the parser should be aware of this. Otherwise transactions will forever be waiting for data in that direction.
5 years ago · 8b2886635f
parent 4da0d9bdea
commit 8b2886635f
2 changed files with 26 additions and 0 deletions
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@ -306,6 +306,8 @@ pub struct DCERPCState {
    pub tc_gap: bool,
    pub ts_ssn_gap: bool,
    pub tc_ssn_gap: bool,
+    pub ts_ssn_trunc: bool, /// true if Truncated in this direction
+    pub tc_ssn_trunc: bool,
 }

 impl DCERPCState {
@ -330,6 +332,8 @@ impl DCERPCState {
            tc_gap: false,
            ts_ssn_gap: false,
            tc_ssn_gap: false,
+            ts_ssn_trunc: false,
+            tc_ssn_trunc: false,
        };
    }

@ -340,6 +344,8 @@ impl DCERPCState {
        tx.call_id = call_id;
        tx.endianness = endianness;
        self.tx_id += 1;
+        tx.req_done = self.ts_ssn_trunc;
+        tx.resp_done = self.tc_ssn_trunc;
        tx
    }

@ -1153,6 +1159,24 @@ pub extern "C" fn rs_dcerpc_state_transaction_free(_state: *mut std::os::raw::c_
    // do nothing
 }

+#[no_mangle]
+pub extern "C" fn rs_dcerpc_state_trunc(state: *mut std::os::raw::c_void, direction: u8) {
+    let dce_state = cast_pointer!(state, DCERPCState);
+    if direction & core::STREAM_TOSERVER != 0 {
+        dce_state.ts_ssn_trunc = true;
+        for tx in &mut dce_state.transactions {
+            tx.req_done = true;
+        }
+        SCLogDebug!("dce_state.ts_ssn_trunc = true; txs {}", dce_state.transactions.len());
+    } else if direction & core::STREAM_TOCLIENT != 0 {
+        dce_state.tc_ssn_trunc = true;
+        for tx in &mut dce_state.transactions {
+            tx.resp_done = true;
+        }
+        SCLogDebug!("dce_state.tc_ssn_trunc = true; txs {}", dce_state.transactions.len());
+    }
+}
+
 #[no_mangle]
 pub extern "C" fn rs_dcerpc_get_tx_detect_state(
    vtx: *mut std::os::raw::c_void,
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@ -182,6 +182,8 @@ void RegisterDCERPCParsers(void)
                                                               DCERPCGetAlstateProgressCompletionStatus);
        /* This parser accepts gaps. */
        AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_DCERPC, APP_LAYER_PARSER_OPT_ACCEPT_GAPS);
+
+        AppLayerParserRegisterTruncateFunc(IPPROTO_TCP, ALPROTO_DCERPC, rs_dcerpc_state_trunc);
    } else {
        SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
                  "still on.", proto_name);