smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them

This patch does two things: 1) For SMB close requests, tear down any associated DCE-RPC analyzer if one exists. 2) Protect from fid_to_analyzer_map growing unbounded by introducing a new SMB::max_dce_rpc_analyzers limit and forcefully wipe the analyzers if exceeded. Propagate this to script land as event smb_discarded_dce_rpc_analyzers() for additional cleanup. This is mostly to fix how the binpac SMB analyzer tracks individual DCE-RPC analyzers per open fid. Connections that re-open the same or different pipe may currently allocate unbounded number of analyzers. Closes #3145.
2025-10-02 14:48:21 +00:00 · 2023-06-30 14:27:13 +02:00 · 2023-06-30 14:27:13 +02:00 · 6517ed94f2
commit 6517ed94f2
parent 1c9038f38d
7 changed files with 61 additions and 1 deletions
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@ -211,6 +211,7 @@ export {
 		["spontaneous_RST"]                     = ACTION_IGNORE,
 		["SMB_parsing_error"]                   = ACTION_LOG,
 		["SMB_discarded_messages_state"]        = ACTION_LOG,
+		["SMB_discarded_dce_rpc_analyzers"]     = ACTION_LOG,
 		["no_smb_session_using_parsesambamsg"]  = ACTION_LOG,
 		["smb_andx_command_failed_to_parse"]    = ACTION_LOG,
 		["smb_tree_connect_andx_response_without_tree"] = ACTION_LOG_PER_CONN,
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -3054,6 +3054,12 @@ export {
 	##
 	## .. zeek:see:: smb2_discarded_messages_state
 	const SMB::max_pending_messages = 1000 &redef;
+
+	## Maximum number of DCE-RPC analyzers per connection
+	## before discarding them to avoid unbounded state growth.
+	##
+	## .. zeek:see:: smb_discarded_dce_rpc_analyzers
+	const max_dce_rpc_analyzers = 1000 &redef;
 }

 module SMB1;
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@ -216,6 +216,15 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
 		}
 	}

+event smb_discarded_dce_rpc_analyzers(c: connection)
+	{
+	# This event is raised when the DCE-RPC analyzers table
+	# grew too large. Assume things are broken and wipe
+	# the backing table.
+	delete c$dce_rpc_backing;
+	Reporter::conn_weird("SMB_discarded_dce_rpc_analyzers", c, "", "SMB");
+	}
+
 hook finalize_dce_rpc(c: connection)
 	{
 	if ( ! c?$dce_rpc )