mirror of https://github.com/OISF/suricata
dcerpc: fix gap handling
This patch addresses issues discovered by redmine ticket 3896. With the approach of finding latest record, there was a chance that no record was found at all and consumed + needed became input length. e.g. input_len = 1000 input = 01 05 00 02 00 03 a5 56 00 00 ..... There exists no |05 00| identifier in the rest of the record. After having parsed |05 00|, there was a search for another record with the leftover data. Current data length at this point would be 997. Since the identifier was not found in the data, we calculate the consumed bytes at this point i.e. consumed = current_data.len() - 1 which would be 996. Needed bytes still stay at a constant of 2. So, consumed + needed = 996 + 2 = 998 which is lesser than initial input length of 1000 and hence the assertion fails. There could be two fixes to this problem. 1. Finding the latest record but making use of the last found record in case no new record was found. 2. Always use the earliest record. This patch takes the approach (2). It also makes sure that the gap and current direction are the same.pull/5452/head
parent
4f963717f8
commit
97c67cd5ce
Loading…
Reference in New Issue