smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them

This patch does two things: 1) For SMB close requests, tear down any associated DCE-RPC analyzer if one exists. 2) Protect from fid_to_analyzer_map growing unbounded by introducing a new SMB::max_dce_rpc_analyzers limit and forcefully wipe the analyzers if exceeded. Propagate this to script land as event smb_discarded_dce_rpc_analyzers() for additional cleanup. This is mostly to fix how the binpac SMB analyzer tracks individual DCE-RPC analyzers per open fid. Connections that re-open the same or different pipe may currently allocate unbounded number of analyzers. Closes #3145.
2025-10-02 06:38:20 +00:00 · 2023-06-30 14:27:13 +02:00 · 2023-06-30 14:27:13 +02:00 · 6517ed94f2
commit 6517ed94f2
parent 1c9038f38d
7 changed files with 61 additions and 1 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -3054,6 +3054,12 @@ export {
 	##
 	## .. zeek:see:: smb2_discarded_messages_state
 	const SMB::max_pending_messages = 1000 &redef;
+
+	## Maximum number of DCE-RPC analyzers per connection
+	## before discarding them to avoid unbounded state growth.
+	##
+	## .. zeek:see:: smb_discarded_dce_rpc_analyzers
+	const max_dce_rpc_analyzers = 1000 &redef;
 }

 module SMB1;