Allow SMB_TCP record to contain multiple protocol identifiers/headers

2025-10-02 14:48:21 +00:00 · 2024-04-10 16:33:30 -07:00 · 2024-04-10 16:33:30 -07:00 · bac6ad62b5
commit bac6ad62b5
parent 5aa18287f1
11 changed files with 72 additions and 20 deletions
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-OSS-fuzz-54883/analyzer.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-OSS-fuzz-54883/analyzer.log
@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	analyzer
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	cause	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#types	time	string	string	string	string	string	addr	port	addr	port	string	string
+XXXXXXXXXX.XXXXXX	violation	protocol	SMB	CHhAvVGS1DHFjwGM9	-	10.0.0.1	48026	10.0.0.2	139	Binpac exception: binpac exception: out_of_bound: SMB1_write_andx_request:data: 762064980 > 32	-
+XXXXXXXXXX.XXXXXX	violation	protocol	SMB	CHhAvVGS1DHFjwGM9	-	10.0.0.1	48026	10.0.0.2	139	Binpac exception: binpac exception: out_of_bound: SMB1_write_andx_request:data: 4123 > 32	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-OSS-fuzz-54883/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-OSS-fuzz-54883/weird.log
@ -1,11 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	weird
-#open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
-#types	time	string	addr	port	addr	port	string	string	bool	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	48026	10.0.0.2	139	smb_tree_connect_andx_response_without_tree	current_cmd=WRITE_ANDX	F	zeek	-
-#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/out
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/out
@ -9,17 +9,19 @@ smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
 smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
-smb2_discarded_messages_state before, read, 15
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, read, 17
 smb2_discarded_messages_state after, read, 0
-smb2_discarded_messages_state before, tree, 5
+smb2_discarded_messages_state before, tree, 3
 smb2_discarded_messages_state after, tree, 0
 smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
 smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
-smb2_discarded_messages_state before, read, 15
+smb2_discarded_messages_state before, read, 17
 smb2_discarded_messages_state after, read, 0
-smb2_discarded_messages_state before, tree, 5
+smb2_discarded_messages_state before, tree, 3
 smb2_discarded_messages_state after, tree, 0
 smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-multiple-pdus/out
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-multiple-pdus/out
@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+smb2_create_request, [credit_charge=1, status=0, command=5, credits=256, flags=0, message_id=920, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=testfile.txt, disposition=1, create_options=0]
+smb2_file_delete, [credit_charge=1, status=0, command=17, credits=256, flags=4, message_id=921, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=922, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_create_response, [credit_charge=1, status=0, command=5, credits=0, flags=1, message_id=920, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=1683729331, volatile=1370986173], size=12, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=133512003510343707, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=133512016962187242, created=XXXXXXXXXX.XXXXXX, created_raw=133512003510341360, changed=XXXXXXXXXX.XXXXXX, changed_raw=133512003510343707], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
+smb2_close_response, [credit_charge=1, status=0, command=6, credits=3, flags=5, message_id=922, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=-1.16444736e+10, modified_raw=0, accessed=-1.16444736e+10, accessed_raw=0, created=-1.16444736e+10, created_raw=0, changed=-1.16444736e+10, changed_raw=0], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]]
--- a/testing/btest/Traces/smb/smb2-multiple-pdus.pcap
+++ b/testing/btest/Traces/smb/smb2-multiple-pdus.pcap
--- a/testing/btest/scripts/base/protocols/smb/smb1-OSS-fuzz-54883.test
+++ b/testing/btest/scripts/base/protocols/smb/smb1-OSS-fuzz-54883.test
@ -1,9 +1,8 @@
 #@TEST-EXEC: zeek -b -C -r $TRACES/smb/smb1-OSS-fuzz-54883.pcap %INPUT
-#@TEST-EXEC: btest-diff weird.log
+#@TEST-EXEC: btest-diff analyzer.log
 #@TEST-EXEC: ! test -f reporter.log

@load base/protocols/smb
-@load base/frameworks/notice/weird

 # The traffic generated by OSS Fuzz is broken to the extreme, ensure
 # the analyzer isn't disabled so the original scripting issue triggers.
--- a/testing/btest/scripts/base/protocols/smb/smb2-multiple-pdus.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2-multiple-pdus.test
@ -0,0 +1,30 @@
+# @TEST-DOC: Tests handling of packets with mulitple SMB2 PDUs in them
+# @TEST-EXEC: zeek -b -r $TRACES/smb/smb2-multiple-pdus.pcap %INPUT 2>&1 >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+event smb2_file_delete(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool)
+{
+    print "smb2_file_delete", hdr;
+}
+
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)
+{
+    print "smb2_create_request", hdr, request;
+}
+
+event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
+{
+    print "smb2_close_request", hdr;
+}
+
+event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse)
+{
+    print "smb2_create_response", hdr, response;
+}
+
+event smb2_close_response(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse)
+{
+    print "smb2_close_response", hdr, response;
+}
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-43987517cd3af2ad34ae50b217591d392d76e012
+84059cf250af1277e01f16067570e8f535ad3573