fix setup field handling in smb1_com_transaction_request messages

This field is an array of 16-bit words and was parsed as an array of
32-bit words. Moreover, one cannot assume the format is going to be a
16-bit opcode followed by a 16-bit file ID: the content of the setup
field differs according to its first 16-bit word, which defines
the subcommand code. See MS-CIFS section 2.2.4.33.1:

Setup (variable): An array of two-byte words that provides transaction
context to the server. The size and content of the array are specific
to individual subcommands.
Jeffrey Bencteux 2018-01-12 15:30:03 +01:00
parent f7a8726ffc
commit 00be145b1b


@ -132,11 +132,6 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
};
type SMB1_transaction_setup = record {
op_code : uint16;
file_id : uint16;
}
type SMB1_transaction_request(header: SMB_Header) = record {
word_count : uint8;
total_param_count : uint16;
@ -155,7 +150,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
setup_count : uint8;
reserved3 : uint8;
# word_count 16 is a different dialect that behaves a bit differently.
setup : SMB1_transaction_setup[word_count == 16 ? 1 : setup_count];
setup : uint16[setup_count];
byte_count : uint16;
name : SMB_string(header.unicode, offsetof(name));
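Review bot: The comment `# word_count 16 is a different dialect that behaves a bit differently.` now sits directly above the new `setup : uint16[setup_count];` line, but that line no longer has the `word_count == 16 ? 1 : setup_count` special case it used to explain, so the comment is orphaned. The word_count 16 exception survives only in the `word_count != 16` guard of `sub_cmd` in the third hunk, which a reader of the record layout will not see. I would reword it to `# Array of 16-bit words; setup[0] is the subcommand code and the remaining words are subcommand-specific (MS-CIFS 2.2.4.33.1). word_count 16 is a different dialect; sub_cmd below is not taken from setup for it.` and, if that exclusion in `sub_cmd` is intentional, restate the reason next to the guard itself. Incidentally, `(sizeof(setup) && word_count != 16) > 0` compares a boolean with 0; `setup_count > 0 && word_count != 16 ? setup[0] : 0` appears to express the same condition directly, since sizeof(setup) is non-zero exactly when setup_count is. The `&let` block holding `sub_cmd` runs past the visible lines.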
@ -164,7 +159,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
pad2 : padding to data_offset - SMB_Header_length;
data : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype, is_pipe);
} &let {
sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0].op_code : 0;
sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0;
transtype : int = determine_transaction_type(header, name);
is_pipe : bool = (transtype == SMB_PIPE || (transtype == SMB_UNKNOWN && $context.connection.get_tree_is_pipe(header.tid)));