Merge remote-tracking branch 'security/topic/timw/131-smb-fscontrol-overflow'

* security/topic/timw/131-smb-fscontrol-overflow: Restore/rename field in SMB2::Fscontrol record type
2025-10-02 06:38:20 +00:00 · 2023-02-01 10:48:03 -07:00 · 2023-02-01 10:48:03 -07:00 · 0fd335f7f0
commit 0fd335f7f0
parent f33c697d6c 84ac362c67
6 changed files with 26 additions and 2 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+5.2.0-dev.604 | 2023-02-01 10:48:03 -0700
+
+  * Restore/rename field in SMB2::Fscontrol record type (Tim Wojtulewicz, Corelight)
+
+    b41a4bf06dc2f3a4218cfa0a95b536ec9d253917 removed a field from this record
+    because it had a duplicate name as another field. The field does need to
+    exist, but it needs the correct name.
+
 5.2.0-dev.602 | 2023-02-01 10:47:41 -0700

  * testing/http: http-11-request-then-cruft (Arne Welzel, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-5.2.0-dev.602
+5.2.0-dev.604
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -3603,8 +3603,10 @@ export {
 	type SMB2::Fscontrol: record {
 		## minimum amount of free disk space required to begin document filtering
 		free_space_start_filtering : int;
-		## minimum amount of free disk space required to continue document filtering
+		## minimum amount of free disk space required to continue filtering documents and merging word lists
 		free_space_threshold       : int;
+		## minimum amount of free disk space required to continue content filtering
+		free_space_stop_filtering  : int;
 		## default per-user disk quota
 		delete_quota_threshold     : count;
 		## default per-user disk limit
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fscontrol/out
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fscontrol/out
@ -0,0 +1,3 @@
+[credit_charge=0, status=0, command=17, credits=2, flags=255, message_id=576460756581679103, process_id=213, tree_id=0, session_id=11555726885438752000, signature=\x01\x05\x05\x02\xa0`0^\xa000.\x06\x09*\x86]
+[persistent=6859950276847483450, volatile=7016448126591398502]
+[free_space_start_filtering=1869373806, free_space_threshold=1601467760, free_space_stop_filtering=1933860724, delete_quota_threshold=7308895133777551220, default_quota_limit=100, fs_control_flags=4278190080]
--- a/testing/btest/Traces/smb/smb2_fscontrol.pcap
+++ b/testing/btest/Traces/smb/smb2_fscontrol.pcap
--- a/testing/btest/scripts/base/protocols/smb/smb2-fscontrol.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2-fscontrol.test
@ -0,0 +1,11 @@
+# @TEST-EXEC: zeek -r $TRACES/smb/smb2_fscontrol.pcap %INPUT > out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+event smb2_file_fscontrol(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol)
+    {
+    print hdr;
+    print file_id;
+    print fs_control;
+    }