Allow SMB_TCP record to contain multiple protocol identifiers/headers

2025-10-02 06:38:20 +00:00 · 2024-04-10 16:33:30 -07:00 · 2024-04-10 16:33:30 -07:00 · bac6ad62b5
commit bac6ad62b5
parent 5aa18287f1
11 changed files with 72 additions and 20 deletions
--- a/3
+++ b/3
@ -36,6 +36,9 @@ New Functionality
  might be "7.0.0-dev.114-XXX-debug". For Docker builds, the ``LOCALVERSION``
  environment variable configures the addition.

+- SMB2 packets containing multiple PDUs now correctly parse all of the headers,
+  instead of just the first one and ignoring the rest.
+
 Changed Functionality
 ---------------------

--- a/src/analyzer/protocol/smb/smb.pac
+++ b/src/analyzer/protocol/smb/smb.pac
@ -115,7 +115,7 @@ type SMB_TCP(is_orig: bool) = record {
 	len24        : uint24;
 	body         : case message_type of {
 		# SMB/SMB2 packets are required to use NBSS session messages.
-		0       -> nbss : SMB_Protocol_Identifier(is_orig, len);
+		0       -> nbss : SMB_Protocol_Identifier(is_orig, len)[] &until($element.end_of_chain);

 		# TODO: support more nbss message types?
 		default -> skip : bytestring &transient &restofdata;
@ -126,7 +126,7 @@ type SMB_TCP(is_orig: bool) = record {

 type SMB_Protocol_Identifier(is_orig: bool, msg_len: uint32) = record {
 	# Sort of cheating by reading this in as an integer instead of a string.
-	protocol          : uint32 &byteorder=bigendian;
+	protocol          : int32 &byteorder=bigendian;
 	smb_1_or_2        : case protocol of {
 		SMB1    -> smb1    : SMB_PDU(is_orig, msg_len);
 		SMB2    -> smb2    : SMB2_PDU(is_orig);
@ -134,6 +134,11 @@ type SMB_Protocol_Identifier(is_orig: bool, msg_len: uint32) = record {
 		SMB3    -> smb3    : SMB2_transform_header;
 		default -> unknown : empty;
 	};
+} &let {
+    # For smb2, a packet can contain multiple PDUs. Check for the end of the chain based
+    # on the smb2 header to end the array in SMB_TCP. If smb1 or smb3, it's always
+    # the end of the chain.
+    end_of_chain: bool = (protocol == SMB2) ? smb2.end_of_chain : true;
 };

 %include smb1-protocol.pac
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@ -166,6 +166,12 @@ type SMB2_PDU(is_orig: bool) = record {
 		true  -> err : SMB2_error_response(header);
 		false -> msg : SMB2_Message(header, is_orig);
 	};
+    pad        : case header.next_command of {
+        0 ->       none: empty;
+        default -> chain_pad: bytestring &length = header.next_command - header.head_length - @sizeof(message);
+    };
+} &let {
+    end_of_chain: bool = header.next_command == 0;
 };

 type SMB2_Message(header: SMB2_Header, is_orig: bool) = case is_orig of {
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-OSS-fuzz-54883/analyzer.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-OSS-fuzz-54883/analyzer.log
@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	analyzer
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	cause	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#types	time	string	string	string	string	string	addr	port	addr	port	string	string
+XXXXXXXXXX.XXXXXX	violation	protocol	SMB	CHhAvVGS1DHFjwGM9	-	10.0.0.1	48026	10.0.0.2	139	Binpac exception: binpac exception: out_of_bound: SMB1_write_andx_request:data: 762064980 > 32	-
+XXXXXXXXXX.XXXXXX	violation	protocol	SMB	CHhAvVGS1DHFjwGM9	-	10.0.0.1	48026	10.0.0.2	139	Binpac exception: binpac exception: out_of_bound: SMB1_write_andx_request:data: 4123 > 32	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-OSS-fuzz-54883/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-OSS-fuzz-54883/weird.log
@ -1,11 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	weird
-#open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
-#types	time	string	addr	port	addr	port	string	string	bool	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	48026	10.0.0.2	139	smb_tree_connect_andx_response_without_tree	current_cmd=WRITE_ANDX	F	zeek	-
-#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/out
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/out
@ -9,17 +9,19 @@ smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
 smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
-smb2_discarded_messages_state before, read, 15
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, read, 17
 smb2_discarded_messages_state after, read, 0
-smb2_discarded_messages_state before, tree, 5
+smb2_discarded_messages_state before, tree, 3
 smb2_discarded_messages_state after, tree, 0
 smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
 smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
-smb2_discarded_messages_state before, read, 15
+smb2_discarded_messages_state before, read, 17
 smb2_discarded_messages_state after, read, 0
-smb2_discarded_messages_state before, tree, 5
+smb2_discarded_messages_state before, tree, 3
 smb2_discarded_messages_state after, tree, 0
 smb2_discarded_messages_state before, tree, 20
 smb2_discarded_messages_state after, tree, 0
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-multiple-pdus/out
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-multiple-pdus/out
@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+smb2_create_request, [credit_charge=1, status=0, command=5, credits=256, flags=0, message_id=920, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=testfile.txt, disposition=1, create_options=0]
+smb2_file_delete, [credit_charge=1, status=0, command=17, credits=256, flags=4, message_id=921, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=922, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_create_response, [credit_charge=1, status=0, command=5, credits=0, flags=1, message_id=920, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=1683729331, volatile=1370986173], size=12, times=[modified=XXXXXXXXXX.XXXXXX, modified_raw=133512003510343707, accessed=XXXXXXXXXX.XXXXXX, accessed_raw=133512016962187242, created=XXXXXXXXXX.XXXXXX, created_raw=133512003510341360, changed=XXXXXXXXXX.XXXXXX, changed_raw=133512003510343707], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
+smb2_close_response, [credit_charge=1, status=0, command=6, credits=3, flags=5, message_id=922, process_id=65279, tree_id=400799417, session_id=3163393275, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=-1.16444736e+10, modified_raw=0, accessed=-1.16444736e+10, accessed_raw=0, created=-1.16444736e+10, created_raw=0, changed=-1.16444736e+10, changed_raw=0], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]]
--- a/testing/btest/Traces/smb/smb2-multiple-pdus.pcap
+++ b/testing/btest/Traces/smb/smb2-multiple-pdus.pcap
--- a/testing/btest/scripts/base/protocols/smb/smb1-OSS-fuzz-54883.test
+++ b/testing/btest/scripts/base/protocols/smb/smb1-OSS-fuzz-54883.test
@ -1,9 +1,8 @@
 #@TEST-EXEC: zeek -b -C -r $TRACES/smb/smb1-OSS-fuzz-54883.pcap %INPUT
-#@TEST-EXEC: btest-diff weird.log
+#@TEST-EXEC: btest-diff analyzer.log
 #@TEST-EXEC: ! test -f reporter.log

@load base/protocols/smb
-@load base/frameworks/notice/weird

 # The traffic generated by OSS Fuzz is broken to the extreme, ensure
 # the analyzer isn't disabled so the original scripting issue triggers.
--- a/testing/btest/scripts/base/protocols/smb/smb2-multiple-pdus.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2-multiple-pdus.test
@ -0,0 +1,30 @@
+# @TEST-DOC: Tests handling of packets with mulitple SMB2 PDUs in them
+# @TEST-EXEC: zeek -b -r $TRACES/smb/smb2-multiple-pdus.pcap %INPUT 2>&1 >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+event smb2_file_delete(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool)
+{
+    print "smb2_file_delete", hdr;
+}
+
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)
+{
+    print "smb2_create_request", hdr, request;
+}
+
+event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
+{
+    print "smb2_close_request", hdr;
+}
+
+event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse)
+{
+    print "smb2_create_response", hdr, response;
+}
+
+event smb2_close_response(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse)
+{
+    print "smb2_close_response", hdr, response;
+}
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-43987517cd3af2ad34ae50b217591d392d76e012
+84059cf250af1277e01f16067570e8f535ad3573