suricata
app-layer-dcerpc.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Kirby Kuehl <kkuehl@gmail.com>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * \file DCE/RPC parser and decoder
25  *
26  * \todo Remove all the unnecessary per byte incremental loops with a full one
27  * time jump, i.e.
28  *
29  * input[0], input_len
30  * for (i = 0; i < x; i++)
31  * input++;
32  *
33  * with
34  *
35  * input += x;
36  *
37  * You'll be surprised at how many such cases we have here. We also need
38  * to do the same for htp parser. Should speed up the engine drastically.
39  */
40 
41 #include "suricata-common.h"
42 #include "suricata.h"
43 
44 #include "debug.h"
45 #include "decode.h"
46 #include "threads.h"
47 
48 #include "util-print.h"
49 #include "util-pool.h"
50 #include "util-debug.h"
51 
52 #include "flow-util.h"
53 
54 #include "detect-engine-state.h"
55 
56 #include "stream-tcp-private.h"
57 #include "stream-tcp-reassemble.h"
58 #include "stream-tcp.h"
59 #include "stream.h"
60 
61 #include "app-layer-protos.h"
62 #include "app-layer-parser.h"
63 #include "app-layer.h"
64 
65 #include "util-spm.h"
66 #include "util-unittest.h"
67 
68 #include "app-layer-dcerpc.h"
69 
70 enum {
76  /* must be last */
78 };
79 
80 void DCERPCUuidListFree(DCERPCUuidEntryList *list);
81 
82 /* \brief hexdump function from libdnet, used for debugging only */
83 void hexdump(/*Flow *f,*/ const void *buf, size_t len)
84 {
85  /* dumps len bytes of *buf to stdout. Looks like:
86  * [0000] 75 6E 6B 6E 6F 77 6E 20
87  * 30 FF 00 00 00 00 39 00 unknown 0.....9.
88  * (in a single line of course)
89  */
90 
91  const unsigned char *p = buf;
92  unsigned char c;
93  size_t n;
94  char bytestr[4] = {0};
95  char addrstr[17] = {0};
96  char hexstr[ 16*3 + 5] = {0};
97  char charstr[16*1 + 5] = {0};
98  for (n=1; n<=len; n++) {
99  if (n%16 == 1) {
100  /* store address for this line */
101 #if __WORDSIZE == 64
102  snprintf(addrstr, sizeof(addrstr), "%.4"PRIx64,
103  ((uint64_t)p-(uint64_t)buf) );
104 #else
105  snprintf(addrstr, sizeof(addrstr), "%.4"PRIx32,
106  ((uint32_t)p-(uint32_t)buf) );
107 #endif
108  }
109 
110  c = *p;
111  if (isalnum(c) == 0) {
112  c = '.';
113  }
114 
115  /* store hex str (for left side) */
116  snprintf(bytestr, sizeof(bytestr), "%02X ", *p);
117  strlcat(hexstr, bytestr, sizeof(hexstr)-strlen(hexstr)-1);
118 
119  /* store char str (for right side) */
120  snprintf(bytestr, sizeof(bytestr), "%c", c);
121  strlcat(charstr, bytestr, sizeof(charstr)-strlen(charstr)-1);
122 
123  if(n%16 == 0) {
124  /* line completed */
125  printf("[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
126  hexstr[0] = 0;
127  charstr[0] = 0;
128  } else if(n%8 == 0) {
129  /* half line: add whitespaces */
130  strlcat(hexstr, " ", sizeof(hexstr)-strlen(hexstr)-1);
131  strlcat(charstr, " ", sizeof(charstr)-strlen(charstr)-1);
132  }
133  p++; /* next byte */
134  }
135 
136  if (strlen(hexstr) > 0) {
137  /* print rest of buffer if not empty */
138  printf("[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
139  }
140 }
141 
142 /**
143  * \brief printUUID function used to print UUID, Major and Minor Version Number
144  * and if it was Accepted or Rejected in the BIND_ACK.
145  */
146 void printUUID(const char *type, DCERPCUuidEntry *uuid)
147 {
148  uint8_t i = 0;
149  if (uuid == NULL) {
150  return;
151  }
152  printf("%s UUID [%2u] %s ", type, uuid->ctxid,
153  (uuid->result == 0) ? "Accepted" : "Rejected");
154  for (i = 0; i < 16; i++) {
155  printf("%02x", uuid->uuid[i]);
156  }
157  printf(" Major Version 0x%04x Minor Version 0x%04x\n", uuid->version,
158  uuid->versionminor);
159 }
160 
161 /**
162  * \brief DCERPCParseSecondaryAddr reads secondaryaddrlen bytes from the BIND_ACK
163  * DCERPC call.
164  */
165 static uint32_t DCERPCParseSecondaryAddr(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
166 {
167  SCEnter();
168  uint8_t *p = input;
169  while (dcerpc->dcerpcbindbindack.secondaryaddrlenleft-- && input_len--) {
170  SCLogDebug("0x%02x ", *p);
171  p++;
172  }
173  dcerpc->bytesprocessed += (p - input);
174  SCReturnUInt((uint32_t)(p - input));
175 }
176 
177 static uint32_t PaddingParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
178 {
179  SCEnter();
180  uint8_t *p = input;
181  while (dcerpc->padleft-- && input_len--) {
182  SCLogDebug("0x%02x ", *p);
183  p++;
184  }
185  dcerpc->bytesprocessed += (p - input);
186  SCReturnUInt((uint32_t)(p - input));
187 }
188 
189 static uint32_t DCERPCGetCTXItems(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
190 {
191  SCEnter();
192  uint8_t *p = input;
193  if (input_len) {
194  switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) {
195  case 0:
196  if (input_len >= 4) {
197  dcerpc->dcerpcbindbindack.numctxitems = *p;
200  dcerpc->bytesprocessed += 4;
201  SCReturnUInt(4U);
202  } else {
203  dcerpc->dcerpcbindbindack.numctxitems = *(p++);
205  if (!(--input_len))
206  break;
207  }
208  /* fall through */
209  case 1:
210  p++;
211  if (!(--input_len))
212  break;
213  /* fall through */
214  case 2:
215  p++;
216  if (!(--input_len))
217  break;
218  /* fall through */
219  case 3:
220  p++;
221  input_len--;
222  break;
223  }
224  }
225  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
226  dcerpc->bytesprocessed += (p - input);
227  SCReturnUInt((uint32_t)(p - input));
228 }
229 
230 /**
231  * \brief DCERPCParseBINDCTXItem is called for each CTXItem found the DCERPC BIND call.
232  * each UUID is added to a TAILQ.
233  */
234 
235 static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
236 {
237  SCEnter();
238  uint8_t *p = input;
239 
240  if (input_len) {
241  switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) {
242  case 0:
243  if (input_len >= 44) {
244  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
245  dcerpc->dcerpcbindbindack.ctxid = *(p);
246  dcerpc->dcerpcbindbindack.ctxid |= *(p + 1) << 8;
247  dcerpc->dcerpcbindbindack.uuid[3] = *(p + 4);
248  dcerpc->dcerpcbindbindack.uuid[2] = *(p + 5);
249  dcerpc->dcerpcbindbindack.uuid[1] = *(p + 6);
250  dcerpc->dcerpcbindbindack.uuid[0] = *(p + 7);
251  dcerpc->dcerpcbindbindack.uuid[5] = *(p + 8);
252  dcerpc->dcerpcbindbindack.uuid[4] = *(p + 9);
253  dcerpc->dcerpcbindbindack.uuid[7] = *(p + 10);
254  dcerpc->dcerpcbindbindack.uuid[6] = *(p + 11);
255  dcerpc->dcerpcbindbindack.uuid[8] = *(p + 12);
256  dcerpc->dcerpcbindbindack.uuid[9] = *(p + 13);
257  dcerpc->dcerpcbindbindack.uuid[10] = *(p + 14);
258  dcerpc->dcerpcbindbindack.uuid[11] = *(p + 15);
259  dcerpc->dcerpcbindbindack.uuid[12] = *(p + 16);
260  dcerpc->dcerpcbindbindack.uuid[13] = *(p + 17);
261  dcerpc->dcerpcbindbindack.uuid[14] = *(p + 18);
262  dcerpc->dcerpcbindbindack.uuid[15] = *(p + 19);
263  dcerpc->dcerpcbindbindack.version = *(p + 20);
264  dcerpc->dcerpcbindbindack.version |= *(p + 21) << 8;
265  dcerpc->dcerpcbindbindack.versionminor = *(p + 22);
266  dcerpc->dcerpcbindbindack.versionminor |= *(p + 23) << 8;
267  } else { /* Big Endian */
268  dcerpc->dcerpcbindbindack.ctxid = *(p) << 8;
269  dcerpc->dcerpcbindbindack.ctxid |= *(p + 1);
270  dcerpc->dcerpcbindbindack.uuid[0] = *(p + 4);
271  dcerpc->dcerpcbindbindack.uuid[1] = *(p + 5);
272  dcerpc->dcerpcbindbindack.uuid[2] = *(p + 6);
273  dcerpc->dcerpcbindbindack.uuid[3] = *(p + 7);
274  dcerpc->dcerpcbindbindack.uuid[4] = *(p + 8);
275  dcerpc->dcerpcbindbindack.uuid[5] = *(p + 9);
276  dcerpc->dcerpcbindbindack.uuid[6] = *(p + 10);
277  dcerpc->dcerpcbindbindack.uuid[7] = *(p + 11);
278  dcerpc->dcerpcbindbindack.uuid[8] = *(p + 12);
279  dcerpc->dcerpcbindbindack.uuid[9] = *(p + 13);
280  dcerpc->dcerpcbindbindack.uuid[10] = *(p + 14);
281  dcerpc->dcerpcbindbindack.uuid[11] = *(p + 15);
282  dcerpc->dcerpcbindbindack.uuid[12] = *(p + 16);
283  dcerpc->dcerpcbindbindack.uuid[13] = *(p + 17);
284  dcerpc->dcerpcbindbindack.uuid[14] = *(p + 18);
285  dcerpc->dcerpcbindbindack.uuid[15] = *(p + 19);
286  dcerpc->dcerpcbindbindack.version = *(p + 20) << 8;
287  dcerpc->dcerpcbindbindack.version |= *(p + 21);
288  dcerpc->dcerpcbindbindack.versionminor = *(p + 22) << 8;
289  dcerpc->dcerpcbindbindack.versionminor |= *(p + 23);
290  }
291  //if (dcerpc->dcerpcbindbindack.ctxid == dcerpc->dcerpcbindbindack.numctxitems
292  // - dcerpc->dcerpcbindbindack.numctxitemsleft) {
293 
295  if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) {
296  SCLogDebug("UUID Entry is NULL");
297  SCReturnUInt(0);
298  }
299 
301 
302  memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
303  dcerpc->dcerpcbindbindack.uuid,
304  sizeof(dcerpc->dcerpcbindbindack.uuid));
305 
309 
310  /* store the first frag flag in the uuid as pfc_flags will
311  * be overwritten by new packets. */
312  if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG) {
314  }
315 
318  next);
319 
320 #ifdef UNITTESTS
321  if (RunmodeIsUnittests()) {
322  printUUID("BIND", dcerpc->dcerpcbindbindack.uuid_entry);
323  }
324 #endif
326  dcerpc->bytesprocessed += (44);
327  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44);
328  SCReturnUInt(44U);
329 
330  //} else {
331  // SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid,
332  // dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft);
333  // SCReturnUInt(0);
334  //}
335  } else {
336  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
337  dcerpc->dcerpcbindbindack.ctxid = *(p++);
338  } else {
339  dcerpc->dcerpcbindbindack.ctxid = *(p++) << 8;
340  }
341  if (!(--input_len))
342  break;
343  }
344  /* fall through */
345  case 1:
346  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
347  dcerpc->dcerpcbindbindack.ctxid |= *(p++) << 8;
348  } else {
349  dcerpc->dcerpcbindbindack.ctxid |= *(p++);
350  }
351  if (!(--input_len))
352  break;
353  /* fall through */
354  case 2:
355  /* num transact items */
356  p++;
357  if (!(--input_len))
358  break;
359  /* fall through */
360  case 3:
361  /* reserved */
362  p++;
363  if (!(--input_len))
364  break;
365  /* fall through */
366  case 4:
367  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
368  dcerpc->dcerpcbindbindack.uuid[3] = *(p++);
369  } else {
370  dcerpc->dcerpcbindbindack.uuid[0] = *(p++);
371  }
372  if (!(--input_len))
373  break;
374  /* fall through */
375  case 5:
376  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
377  dcerpc->dcerpcbindbindack.uuid[2] = *(p++);
378  } else {
379  dcerpc->dcerpcbindbindack.uuid[1] = *(p++);
380  }
381  if (!(--input_len))
382  break;
383  /* fall through */
384  case 6:
385  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
386  dcerpc->dcerpcbindbindack.uuid[1] = *(p++);
387  } else {
388  dcerpc->dcerpcbindbindack.uuid[2] = *(p++);
389  }
390  if (!(--input_len))
391  break;
392  /* fall through */
393  case 7:
394  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
395  dcerpc->dcerpcbindbindack.uuid[0] = *(p++);
396  } else {
397  dcerpc->dcerpcbindbindack.uuid[3] = *(p++);
398  }
399  if (!(--input_len))
400  break;
401  /* fall through */
402  case 8:
403  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
404  dcerpc->dcerpcbindbindack.uuid[5] = *(p++);
405  } else {
406  dcerpc->dcerpcbindbindack.uuid[4] = *(p++);
407  }
408  if (!(--input_len))
409  break;
410  /* fall through */
411  case 9:
412  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
413  dcerpc->dcerpcbindbindack.uuid[4] = *(p++);
414  } else {
415  dcerpc->dcerpcbindbindack.uuid[5] = *(p++);
416  }
417  if (!(--input_len))
418  break;
419  /* fall through */
420  case 10:
421  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
422  dcerpc->dcerpcbindbindack.uuid[7] = *(p++);
423  } else {
424  dcerpc->dcerpcbindbindack.uuid[6] = *(p++);
425  }
426  if (!(--input_len))
427  break;
428  /* fall through */
429  case 11:
430  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
431  dcerpc->dcerpcbindbindack.uuid[6] = *(p++);
432  } else {
433  dcerpc->dcerpcbindbindack.uuid[7] = *(p++);
434  }
435  if (!(--input_len))
436  break;
437  /* fall through */
438  case 12:
439  /* The following bytes are in the same order for both big and little endian */
440  dcerpc->dcerpcbindbindack.uuid[8] = *(p++);
441  if (!(--input_len))
442  break;
443  /* fall through */
444  case 13:
445  dcerpc->dcerpcbindbindack.uuid[9] = *(p++);
446  if (!(--input_len))
447  break;
448  /* fall through */
449  case 14:
450  dcerpc->dcerpcbindbindack.uuid[10] = *(p++);
451  if (!(--input_len))
452  break;
453  /* fall through */
454  case 15:
455  dcerpc->dcerpcbindbindack.uuid[11] = *(p++);
456  if (!(--input_len))
457  break;
458  /* fall through */
459  case 16:
460  dcerpc->dcerpcbindbindack.uuid[12] = *(p++);
461  if (!(--input_len))
462  break;
463  /* fall through */
464  case 17:
465  dcerpc->dcerpcbindbindack.uuid[13] = *(p++);
466  if (!(--input_len))
467  break;
468  /* fall through */
469  case 18:
470  dcerpc->dcerpcbindbindack.uuid[14] = *(p++);
471  if (!(--input_len))
472  break;
473  /* fall through */
474  case 19:
475  dcerpc->dcerpcbindbindack.uuid[15] = *(p++);
476  if (!(--input_len))
477  break;
478  /* fall through */
479  case 20:
480  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
481  dcerpc->dcerpcbindbindack.version = *(p++);
482  } else {
483  dcerpc->dcerpcbindbindack.version = *(p++) << 8;
484  }
485  if (!(--input_len))
486  break;
487  /* fall through */
488  case 21:
489  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
490  dcerpc->dcerpcbindbindack.version |= *(p++) << 8;
491  } else {
492  dcerpc->dcerpcbindbindack.version |= *(p++);
493  }
494  if (!(--input_len))
495  break;
496  /* fall through */
497  case 22:
498  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
499  dcerpc->dcerpcbindbindack.versionminor = *(p++);
500  } else {
501  dcerpc->dcerpcbindbindack.versionminor = *(p++) << 8;
502  }
503  if (!(--input_len))
504  break;
505  /* fall through */
506  case 23:
507  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
508  dcerpc->dcerpcbindbindack.versionminor |= *(p++) << 8;
509  } else {
510  dcerpc->dcerpcbindbindack.versionminor |= *(p++);
511  }
512  if (!(--input_len))
513  break;
514  /* fall through */
515  case 24:
516  p++;
517  if (!(--input_len))
518  break;
519  /* fall through */
520  case 25:
521  p++;
522  if (!(--input_len))
523  break;
524  /* fall through */
525  case 26:
526  p++;
527  if (!(--input_len))
528  break;
529  /* fall through */
530  case 27:
531  p++;
532  if (!(--input_len))
533  break;
534  /* fall through */
535  case 28:
536  p++;
537  if (!(--input_len))
538  break;
539  /* fall through */
540  case 29:
541  p++;
542  if (!(--input_len))
543  break;
544  /* fall through */
545  case 30:
546  p++;
547  if (!(--input_len))
548  break;
549  /* fall through */
550  case 31:
551  p++;
552  if (!(--input_len))
553  break;
554  /* fall through */
555  case 32:
556  p++;
557  if (!(--input_len))
558  break;
559  /* fall through */
560  case 33:
561  p++;
562  if (!(--input_len))
563  break;
564  /* fall through */
565  case 34:
566  p++;
567  if (!(--input_len))
568  break;
569  /* fall through */
570  case 35:
571  p++;
572  if (!(--input_len))
573  break;
574  /* fall through */
575  case 36:
576  p++;
577  if (!(--input_len))
578  break;
579  /* fall through */
580  case 37:
581  p++;
582  if (!(--input_len))
583  break;
584  /* fall through */
585  case 38:
586  p++;
587  if (!(--input_len))
588  break;
589  /* fall through */
590  case 39:
591  p++;
592  if (!(--input_len))
593  break;
594  /* fall through */
595  case 40:
596  p++;
597  if (!(--input_len))
598  break;
599  /* fall through */
600  case 41:
601  p++;
602  if (!(--input_len))
603  break;
604  /* fall through */
605  case 42:
606  p++;
607  if (!(--input_len))
608  break;
609  /* fall through */
610  case 43:
611  p++;
612  --input_len;
613  //if (dcerpc->dcerpcbindbindack.ctxid == dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft) {
615  SCCalloc(1, sizeof(DCERPCUuidEntry));
616  if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) {
617  SCLogDebug("UUID Entry is NULL\n");
618  SCReturnUInt(0);
619  }
620 
623  memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
624  dcerpc->dcerpcbindbindack.uuid,
625  sizeof(dcerpc->dcerpcbindbindack.uuid));
629 
630  /* store the first frag flag in the uuid as pfc_flags will
631  * be overwritten by new packets. */
632  if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG) {
634  }
635 
638  next);
639 #ifdef UNITTESTS
640  if (RunmodeIsUnittests()) {
641  printUUID("BINDACK", dcerpc->dcerpcbindbindack.uuid_entry);
642  }
643 #endif
645  dcerpc->bytesprocessed += (p - input);
646  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
647  SCReturnUInt((uint32_t)(p - input));
648 
649  //} else {
650  // SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid,
651  // dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft);
652  // SCReturnUInt(0);
653  //}
654  break;
655  }
656  }
657  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
658  dcerpc->bytesprocessed += (p - input);
659  SCReturnUInt((uint32_t)(p - input));
660 }
661 
662 /**
663  * \brief DCERPCParseBINDACKCTXItem is called for each CTXItem found in
664  * the BIND_ACK call. The result (Accepted or Rejected) is added to the
665  * correct UUID from the BIND call.
666  */
667 static uint32_t DCERPCParseBINDACKCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
668 {
669  SCEnter();
670  uint8_t *p = input;
671  DCERPCUuidEntry *uuid_entry;
672 
673  if (input_len) {
674  switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) {
675  case 0:
676  if (input_len >= 24) {
677  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
678  dcerpc->dcerpcbindbindack.result = *p;
679  dcerpc->dcerpcbindbindack.result |= *(p + 1) << 8;
680  } else {
681  dcerpc->dcerpcbindbindack.result = *p << 8;
682  dcerpc->dcerpcbindbindack.result |= *(p + 1);
683  }
684  TAILQ_FOREACH(uuid_entry, &dcerpc->dcerpcbindbindack.uuid_list, next) {
685  if (uuid_entry->internal_id == dcerpc->dcerpcbindbindack.uuid_internal_id) {
686  uuid_entry->result = dcerpc->dcerpcbindbindack.result;
687 #ifdef UNITTESTS
688  if (RunmodeIsUnittests()) {
689  printUUID("BIND_ACK", uuid_entry);
690  }
691 #endif
692  if (uuid_entry->result != 0)
693  break;
694 
696  SCCalloc(1, sizeof(DCERPCUuidEntry));
697  if (dcerpc->dcerpcbindbindack.uuid_entry != NULL) {
698  memcpy(dcerpc->dcerpcbindbindack.uuid_entry,
699  uuid_entry,
700  sizeof(DCERPCUuidEntry));
703  next);
704  }
705  break;
706  }
707  }
710  dcerpc->bytesprocessed += (24);
711  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (24);
712  SCReturnUInt(24U);
713  } else {
714  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
715  dcerpc->dcerpcbindbindack.result = *(p++);
716  } else {
717  dcerpc->dcerpcbindbindack.result = *(p++) << 8;
718  }
719  if (!(--input_len))
720  break;
721  }
722  /* fall through */
723  case 1:
724  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
725  dcerpc->dcerpcbindbindack.result |= *(p++) << 8;
726  } else {
727  dcerpc->dcerpcbindbindack.result |= *(p++);
728  }
729  if (!(--input_len))
730  break;
731  /* fall through */
732  case 2:
733  /* num transact items */
734  p++;
735  if (!(--input_len))
736  break;
737  /* fall through */
738  case 3:
739  /* reserved */
740  p++;
741  if (!(--input_len))
742  break;
743  /* fall through */
744  case 4:
745  p++;
746  if (!(--input_len))
747  break;
748  /* fall through */
749  case 5:
750  p++;
751  if (!(--input_len))
752  break;
753  /* fall through */
754  case 6:
755  p++;
756  if (!(--input_len))
757  break;
758  /* fall through */
759  case 7:
760  p++;
761  if (!(--input_len))
762  break;
763  /* fall through */
764  case 8:
765  p++;
766  if (!(--input_len))
767  break;
768  /* fall through */
769  case 9:
770  p++;
771  if (!(--input_len))
772  break;
773  /* fall through */
774  case 10:
775  p++;
776  if (!(--input_len))
777  break;
778  /* fall through */
779  case 11:
780  p++;
781  if (!(--input_len))
782  break;
783  /* fall through */
784  case 12:
785  p++;
786  if (!(--input_len))
787  break;
788  /* fall through */
789  case 13:
790  p++;
791  if (!(--input_len))
792  break;
793  /* fall through */
794  case 14:
795  p++;
796  if (!(--input_len))
797  break;
798  /* fall through */
799  case 15:
800  p++;
801  if (!(--input_len))
802  break;
803  /* fall through */
804  case 16:
805  p++;
806  if (!(--input_len))
807  break;
808  /* fall through */
809  case 17:
810  p++;
811  if (!(--input_len))
812  break;
813  /* fall through */
814  case 18:
815  p++;
816  if (!(--input_len))
817  break;
818  /* fall through */
819  case 19:
820  p++;
821  if (!(--input_len))
822  break;
823  /* fall through */
824  case 20:
825  p++;
826  if (!(--input_len))
827  break;
828  /* fall through */
829  case 21:
830  p++;
831  if (!(--input_len))
832  break;
833  /* fall through */
834  case 22:
835  p++;
836  if (!(--input_len))
837  break;
838  /* fall through */
839  case 23:
840  TAILQ_FOREACH(uuid_entry, &dcerpc->dcerpcbindbindack.uuid_list, next) {
841  if (uuid_entry->internal_id == dcerpc->dcerpcbindbindack.uuid_internal_id) {
842  uuid_entry->result = dcerpc->dcerpcbindbindack.result;
843 #ifdef UNITTESTS
844  if (RunmodeIsUnittests()) {
845  printUUID("BIND_ACK", uuid_entry);
846  }
847 #endif
848  if (uuid_entry->result != 0)
849  break;
850 
852  SCCalloc(1, sizeof(DCERPCUuidEntry));
853  if (dcerpc->dcerpcbindbindack.uuid_entry != NULL) {
854  memcpy(dcerpc->dcerpcbindbindack.uuid_entry,
855  uuid_entry,
856  sizeof(DCERPCUuidEntry));
859  next);
860  }
861  break;
862  }
863  }
866  p++;
867  --input_len;
868  break;
869 
870  }
871  }
872  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
873  dcerpc->bytesprocessed += (p - input);
874  SCReturnUInt((uint32_t)(p - input));
875 }
876 
877 static uint32_t DCERPCParseBIND(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
878 {
879  SCEnter();
880  uint8_t *p = input;
881  if (input_len) {
882  switch (dcerpc->bytesprocessed) {
883  case 16:
884  dcerpc->dcerpcbindbindack.numctxitems = 0;
885  if (input_len >= 12) {
887  if (dcerpc->dcerpchdr.type == BIND) {
889  }
891  dcerpc->dcerpcbindbindack.numctxitems = *(p + 8);
893  dcerpc->bytesprocessed += 12;
894  SCReturnUInt(12U);
895  } else {
896  /* max_xmit_frag */
897  p++;
898  if (!(--input_len))
899  break;
900  }
901  /* fall through */
902  case 17:
903  /* max_xmit_frag */
904  p++;
905  if (!(--input_len))
906  break;
907  /* fall through */
908  case 18:
909  /* max_recv_frag */
910  p++;
911  if (!(--input_len))
912  break;
913  /* fall through */
914  case 19:
915  /* max_recv_frag */
916  p++;
917  if (!(--input_len))
918  break;
919  /* fall through */
920  case 20:
921  /* assoc_group_id */
922  p++;
923  if (!(--input_len))
924  break;
925  /* fall through */
926  case 21:
927  /* assoc_group_id */
928  p++;
929  if (!(--input_len))
930  break;
931  /* fall through */
932  case 22:
933  /* assoc_group_id */
934  p++;
935  if (!(--input_len))
936  break;
937  /* fall through */
938  case 23:
939  /* assoc_group_id */
940  p++;
941  if (!(--input_len))
942  break;
943  /* fall through */
944  case 24:
946  if (dcerpc->dcerpchdr.type == BIND) {
948  }
950  dcerpc->dcerpcbindbindack.numctxitems = *(p++);
952  if (!(--input_len))
953  break;
954  /* fall through */
955  case 25:
956  /* pad byte 1 */
957  p++;
958  if (!(--input_len))
959  break;
960  /* fall through */
961  case 26:
962  /* pad byte 2 */
963  p++;
964  if (!(--input_len))
965  break;
966  /* fall through */
967  case 27:
968  /* pad byte 3 */
969  p++;
970  --input_len;
971  break;
972  /* fall through */
973  default:
974  dcerpc->bytesprocessed++;
975  SCReturnUInt(1);
976  break;
977  }
978  }
979  dcerpc->bytesprocessed += (p - input);
980  SCReturnUInt((uint32_t)(p - input));
981 }
982 
983 static uint32_t DCERPCParseBINDACK(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
984 {
985  SCEnter();
986  uint8_t *p = input;
987 
988  switch (dcerpc->bytesprocessed) {
989  case 16:
991  dcerpc->dcerpcbindbindack.numctxitems = 0;
992  if (input_len >= 10) {
993  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
994  dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p + 8);
995  dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p + 9) << 8;
996  } else {
997  dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p + 8) << 8;
998  dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p + 9);
999  }
1001  dcerpc->bytesprocessed += 10;
1002  SCReturnUInt(10U);
1003  } else {
1004  /* max_xmit_frag */
1005  p++;
1006  if (!(--input_len))
1007  break;
1008  }
1009  /* fall through */
1010  case 17:
1011  /* max_xmit_frag */
1012  p++;
1013  if (!(--input_len))
1014  break;
1015  /* fall through */
1016  case 18:
1017  /* max_recv_frag */
1018  p++;
1019  if (!(--input_len))
1020  break;
1021  /* fall through */
1022  case 19:
1023  /* max_recv_frag */
1024  p++;
1025  if (!(--input_len))
1026  break;
1027  /* fall through */
1028  case 20:
1029  /* assoc_group_id */
1030  p++;
1031  if (!(--input_len))
1032  break;
1033  /* fall through */
1034  case 21:
1035  /* assoc_group_id */
1036  p++;
1037  if (!(--input_len))
1038  break;
1039  /* fall through */
1040  case 22:
1041  /* assoc_group_id */
1042  p++;
1043  if (!(--input_len))
1044  break;
1045  /* fall through */
1046  case 23:
1047  /* assoc_group_id */
1048  p++;
1049  if (!(--input_len))
1050  break;
1051  /* fall through */
1052  case 24:
1053  dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p++) << 8;
1054  if (!(--input_len))
1055  break;
1056  /* fall through */
1057  case 25:
1058  dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p++);
1059  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
1061  }
1063  SCLogDebug("secondaryaddrlen %u 0x%04x\n", dcerpc->dcerpcbindbindack.secondaryaddrlen,
1065  --input_len;
1066  break;
1067  default:
1068  dcerpc->bytesprocessed++;
1069  SCReturnUInt(1);
1070  break;
1071  }
1072  dcerpc->bytesprocessed += (p - input);
1073  SCReturnUInt((uint32_t)(p - input));
1074 }
1075 
1076 static uint32_t DCERPCParseREQUEST(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
1077 {
1078  SCEnter();
1079  uint8_t *p = input;
1080 
1081  switch (dcerpc->bytesprocessed) {
1082  case 16:
1083  dcerpc->dcerpcbindbindack.numctxitems = 0;
1084  if (input_len >= 8) {
1085  if (dcerpc->dcerpchdr.type == REQUEST) {
1086  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
1087  dcerpc->dcerpcrequest.ctxid = *(p + 4);
1088  dcerpc->dcerpcrequest.ctxid |= *(p + 5) << 8;
1089  dcerpc->dcerpcrequest.opnum = *(p + 6);
1090  dcerpc->dcerpcrequest.opnum |= *(p + 7) << 8;
1091  } else {
1092  dcerpc->dcerpcrequest.ctxid = *(p + 4) << 8;
1093  dcerpc->dcerpcrequest.ctxid |= *(p + 5);
1094  dcerpc->dcerpcrequest.opnum = *(p + 6) << 8;
1095  dcerpc->dcerpcrequest.opnum |= *(p + 7);
1096  }
1097  dcerpc->dcerpcrequest.first_request_seen = 1;
1098  }
1099  dcerpc->bytesprocessed += 8;
1100  SCReturnUInt(8U);
1101  } else {
1102  /* alloc hint 1 */
1103  p++;
1104  if (!(--input_len))
1105  break;
1106  }
1107  /* fall through */
1108  case 17:
1109  /* alloc hint 2 */
1110  p++;
1111  if (!(--input_len))
1112  break;
1113  /* fall through */
1114  case 18:
1115  /* alloc hint 3 */
1116  p++;
1117  if (!(--input_len))
1118  break;
1119  /* fall through */
1120  case 19:
1121  /* alloc hint 4 */
1122  p++;
1123  if (!(--input_len))
1124  break;
1125  /* fall through */
1126  case 20:
1127  /* context id 1 */
1128  dcerpc->dcerpcrequest.ctxid = *(p++);
1129  if (!(--input_len))
1130  break;
1131  /* fall through */
1132  case 21:
1133  /* context id 2 */
1134  dcerpc->dcerpcrequest.ctxid |= *(p++) << 8;
1135  if (!(dcerpc->dcerpchdr.packed_drep[0] & 0x10)) {
1136  dcerpc->dcerpcrequest.ctxid = SCByteSwap16(dcerpc->dcerpcrequest.ctxid);
1137  }
1138  dcerpc->dcerpcrequest.first_request_seen = 1;
1139  if (!(--input_len))
1140  break;
1141  /* fall through */
1142  case 22:
1143  if (dcerpc->dcerpchdr.type == REQUEST) {
1144  dcerpc->dcerpcrequest.opnum = *(p++);
1145  } else {
1146  p++;
1147  }
1148  if (!(--input_len))
1149  break;
1150  /* fall through */
1151  case 23:
1152  if (dcerpc->dcerpchdr.type == REQUEST) {
1153  dcerpc->dcerpcrequest.opnum |= *(p++) << 8;
1154  if (!(dcerpc->dcerpchdr.packed_drep[0] & 0x10)) {
1155  dcerpc->dcerpcrequest.opnum = SCByteSwap16(dcerpc->dcerpcrequest.opnum);
1156  }
1157  } else {
1158  p++;
1159  }
1160  --input_len;
1161  break;
1162  default:
1163  dcerpc->bytesprocessed++;
1164  SCReturnUInt(1);
1165  break;
1166  }
1167  dcerpc->bytesprocessed += (p - input);
1168  SCReturnUInt((uint32_t)(p - input));
1169 }
1170 
1171 /** \internal
1172  * \retval stub_len or 0 in case of error */
1173 static uint32_t StubDataParser(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
1174 {
1175  SCEnter();
1176  uint8_t **stub_data_buffer = NULL;
1177  uint32_t *stub_data_buffer_len = NULL;
1178 
1179  SCLogDebug("input_len %u", input_len);
1180 
1181  /* request PDU. Retrieve the request stub buffer */
1182  if (dcerpc->dcerpchdr.type == REQUEST) {
1183  stub_data_buffer = &dcerpc->dcerpcrequest.stub_data_buffer;
1184  stub_data_buffer_len = &dcerpc->dcerpcrequest.stub_data_buffer_len;
1185 
1186  SCLogDebug("REQUEST stub_data_buffer_len %u", *stub_data_buffer_len);
1187 
1188  /* response PDU. Retrieve the response stub buffer */
1189  } else {
1190  stub_data_buffer = &dcerpc->dcerpcresponse.stub_data_buffer;
1191  stub_data_buffer_len = &dcerpc->dcerpcresponse.stub_data_buffer_len;
1192 
1193  SCLogDebug("RESPONSE stub_data_buffer_len %u", *stub_data_buffer_len);
1194  }
1195  if (*stub_data_buffer_len > (1024 * 1024)) {
1196  SCFree(*stub_data_buffer);
1197  *stub_data_buffer = NULL;
1198  SCReturnUInt(0);
1199  }
1200 
1201  uint32_t stub_len = MIN(dcerpc->padleft, input_len);
1202  if (stub_len == 0) {
1203  SCReturnInt(0);
1204  }
1205  SCLogDebug("stub_len %u input_len %u", stub_len, input_len);
1206 
1207  const uint8_t f = dcerpc->dcerpchdr.pfc_flags & (PFC_FIRST_FRAG|PFC_LAST_FRAG);
1208  SCLogDebug("f %02x, FIRST %s LAST %s", f,
1209  f & PFC_FIRST_FRAG ? "true" : "false",
1210  f & PFC_LAST_FRAG ? "true" : "false");
1211  if (stub_len == dcerpc->padleft && ((f == 0) || (f & PFC_LAST_FRAG))) {
1212  if (dcerpc->dcerpchdr.type == REQUEST) {
1213  dcerpc->dcerpcrequest.stub_data_buffer_reset = true;
1214  SCLogDebug("REQUEST reset stub");
1215  } else {
1216  dcerpc->dcerpcresponse.stub_data_buffer_reset = true;
1217  SCLogDebug("RESPONSE reset stub");
1218  }
1219  }
1220 
1221  void *ptmp = SCRealloc(*stub_data_buffer, *stub_data_buffer_len + stub_len);
1222  if (ptmp == NULL) {
1223  SCFree(*stub_data_buffer);
1224  *stub_data_buffer = NULL;
1225  SCReturnUInt(0);
1226  }
1227  *stub_data_buffer = ptmp;
1228 
1229  memcpy(*stub_data_buffer + *stub_data_buffer_len, input, stub_len);
1230 
1231  /* length of the buffered stub */
1232  *stub_data_buffer_len += stub_len;
1233  /* To see the total reassembled stubdata */
1234  //hexdump(*stub_data_buffer, *stub_data_buffer_len);
1235 
1236  dcerpc->padleft -= stub_len;
1237  dcerpc->bytesprocessed += stub_len;
1238 
1239  SCLogDebug("padleft %u bytesprocessed %u", dcerpc->padleft, dcerpc->bytesprocessed);
1240 
1241 #ifdef DEBUG
1242  if (SCLogDebugEnabled()) {
1243  uint32_t i = 0;
1244  for (i = 0; i < stub_len; i++) {
1245  SCLogDebug("0x%02x ", input[i]);
1246  }
1247  }
1248 #endif
1249  SCReturnUInt((uint32_t)stub_len);
1250 }
1251 
1252 /**
1253  * \brief DCERPCParseHeader parses the 16 byte DCERPC header
1254  * A fast path for normal decoding is used when there is enough bytes
1255  * present to parse the entire header. A slow path is used to parse
1256  * fragmented packets.
1257  * \retval -1 if DCERPC Header does not validate
1258  * \retval Number of bytes processed
1259  */
1260 static int DCERPCParseHeader(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
1261 {
1262  SCEnter();
1263  uint8_t *p = input;
1264 
1265  if (input_len) {
1266  SCLogDebug("dcerpc->bytesprocessed %u", dcerpc->bytesprocessed);
1267  switch (dcerpc->bytesprocessed) {
1268  case 0:
1269  if (input_len >= DCERPC_HDR_LEN) {
1270  dcerpc->dcerpchdr.rpc_vers = *p;
1271  dcerpc->dcerpchdr.rpc_vers_minor = *(p + 1);
1272  if ((dcerpc->dcerpchdr.rpc_vers != 5) ||
1273  ((dcerpc->dcerpchdr.rpc_vers_minor != 0) &&
1274  (dcerpc->dcerpchdr.rpc_vers_minor != 1))) {
1275  SCLogDebug("DCERPC Header did not validate");
1276  SCReturnInt(-1);
1277  }
1278  dcerpc->dcerpchdr.type = *(p + 2);
1279  SCLogDebug("dcerpc->dcerpchdr.type %02x",
1280  dcerpc->dcerpchdr.type);
1281  dcerpc->dcerpchdr.pfc_flags = *(p + 3);
1282  dcerpc->dcerpchdr.packed_drep[0] = *(p + 4);
1283  dcerpc->dcerpchdr.packed_drep[1] = *(p + 5);
1284  dcerpc->dcerpchdr.packed_drep[2] = *(p + 6);
1285  dcerpc->dcerpchdr.packed_drep[3] = *(p + 7);
1286  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
1287  dcerpc->dcerpchdr.frag_length = *(p + 8);
1288  dcerpc->dcerpchdr.frag_length |= *(p + 9) << 8;
1289  dcerpc->dcerpchdr.auth_length = *(p + 10);
1290  dcerpc->dcerpchdr.auth_length |= *(p + 11) << 8;
1291  dcerpc->dcerpchdr.call_id = (uint32_t) *(p + 12) << 24;
1292  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 13) << 16;
1293  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 14) << 8;
1294  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 15);
1295  } else {
1296  dcerpc->dcerpchdr.frag_length = *(p + 8) << 8;
1297  dcerpc->dcerpchdr.frag_length |= *(p + 9);
1298  dcerpc->dcerpchdr.auth_length = *(p + 10) << 8;
1299  dcerpc->dcerpchdr.auth_length |= *(p + 11);
1300  dcerpc->dcerpchdr.call_id = (uint32_t) *(p + 12);
1301  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 13) << 8;
1302  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 14) << 16;
1303  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 15) << 24;
1304  }
1305  dcerpc->bytesprocessed = DCERPC_HDR_LEN;
1306  SCReturnInt(16);
1307  break;
1308  } else {
1309  dcerpc->dcerpchdr.rpc_vers = *(p++);
1310  if (!(--input_len))
1311  break;
1312  }
1313  /* fall through */
1314  case 1:
1315  dcerpc->dcerpchdr.rpc_vers_minor = *(p++);
1316  if ((dcerpc->dcerpchdr.rpc_vers != 5) ||
1317  ((dcerpc->dcerpchdr.rpc_vers_minor != 0) &&
1318  (dcerpc->dcerpchdr.rpc_vers_minor != 1))) {
1319  SCLogDebug("DCERPC Header did not validate");
1320  SCReturnInt(-1);
1321  }
1322  if (!(--input_len))
1323  break;
1324  /* fall through */
1325  case 2:
1326  dcerpc->dcerpchdr.type = *(p++);
1327  SCLogDebug("dcerpc->dcerpchdr.type %02x",
1328  dcerpc->dcerpchdr.type);
1329  if (!(--input_len))
1330  break;
1331  /* fall through */
1332  case 3:
1333  dcerpc->dcerpchdr.pfc_flags = *(p++);
1334  if (!(--input_len))
1335  break;
1336  /* fall through */
1337  case 4:
1338  dcerpc->dcerpchdr.packed_drep[0] = *(p++);
1339  if (!(--input_len))
1340  break;
1341  /* fall through */
1342  case 5:
1343  dcerpc->dcerpchdr.packed_drep[1] = *(p++);
1344  if (!(--input_len))
1345  break;
1346  /* fall through */
1347  case 6:
1348  dcerpc->dcerpchdr.packed_drep[2] = *(p++);
1349  if (!(--input_len))
1350  break;
1351  /* fall through */
1352  case 7:
1353  dcerpc->dcerpchdr.packed_drep[3] = *(p++);
1354  if (!(--input_len))
1355  break;
1356  /* fall through */
1357  case 8:
1358  dcerpc->dcerpchdr.frag_length = *(p++);
1359  if (!(--input_len))
1360  break;
1361  /* fall through */
1362  case 9:
1363  dcerpc->dcerpchdr.frag_length |= *(p++) << 8;
1364  if (!(--input_len))
1365  break;
1366  /* fall through */
1367  case 10:
1368  dcerpc->dcerpchdr.auth_length = *(p++);
1369  if (!(--input_len))
1370  break;
1371  /* fall through */
1372  case 11:
1373  dcerpc->dcerpchdr.auth_length |= *(p++) << 8;
1374  if (!(--input_len))
1375  break;
1376  /* fall through */
1377  case 12:
1378  dcerpc->dcerpchdr.call_id = (uint32_t) *(p++);
1379  if (!(--input_len))
1380  break;
1381  /* fall through */
1382  case 13:
1383  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p++) << 8;
1384  if (!(--input_len))
1385  break;
1386  /* fall through */
1387  case 14:
1388  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p++) << 16;
1389  if (!(--input_len))
1390  break;
1391  /* fall through */
1392  case 15:
1393  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p++) << 24;
1394  if (!(dcerpc->dcerpchdr.packed_drep[0] & 0x10)) {
1397  dcerpc->dcerpchdr.call_id = SCByteSwap32(dcerpc->dcerpchdr.call_id);
1398  }
1399  --input_len;
1400  break;
1401  default:
1402  dcerpc->bytesprocessed++;
1403  SCReturnInt(1);
1404  }
1405  }
1406  dcerpc->bytesprocessed += (p - input);
1407  SCReturnInt((p - input));
1408 }
1409 
1410 static inline void DCERPCResetParsingState(DCERPC *dcerpc)
1411 {
1412  dcerpc->bytesprocessed = 0;
1414 
1415  return;
1416 }
1417 
1418 static inline void DCERPCResetStub(DCERPC *dcerpc)
1419 {
1420  if (dcerpc->dcerpchdr.type == REQUEST) {
1421  SCLogDebug("REQUEST resetting stub");
1422  dcerpc->dcerpcrequest.stub_data_buffer_len = 0;
1423  dcerpc->dcerpcrequest.stub_data_buffer_reset = false;
1424  } else if (dcerpc->dcerpchdr.type == RESPONSE) {
1425  SCLogDebug("RESPONSE resetting stub");
1427  dcerpc->dcerpcresponse.stub_data_buffer_reset = false;
1428  }
1429 
1430  return;
1431 }
1432 
1433 static inline int DCERPCThrowOutExtraData(DCERPC *dcerpc, uint8_t *input,
1434  uint16_t input_len)
1435 {
1436  int parsed = 0;
1437  /* the function always assumes that
1438  * dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length */
1439  if (input_len > (dcerpc->dcerpchdr.frag_length - dcerpc->bytesprocessed)) {
1440  parsed = dcerpc->dcerpchdr.frag_length - dcerpc->bytesprocessed;
1441  } else {
1442  parsed = input_len;
1443  }
1444  dcerpc->bytesprocessed += parsed;
1445 
1446  return parsed;
1447 }
1448 
1449 /**
1450  * \todo - Currently the parser is very generic. Enable target based
1451  * reassembly.
1452  * - Disable reiniting tailq for mid and last bind/alter_context pdus.
1453  * - Use a PM to search for subsequent 05 00 when we see an inconsistent
1454  * pdu. This should be done for each platform based on how it handles
1455  * a condition where it has receives a segment with 2 pdus, while the
1456  * first pdu in the segment is corrupt.
1457  */
1458 int32_t DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
1459 {
1460  SCEnter();
1461 
1462  uint32_t retval = 0;
1463  uint32_t parsed = 0;
1464  int hdrretval = 0;
1465 
1466  /* temporary use. we will get rid of this later, once we have ironed out
1467  * all the endless loops cases */
1468  int counter = 0;
1469 
1470  while (input_len) {
1471  /* in case we have any corner cases remainging, we have this */
1472  if (counter++ == 30) {
1473  SCLogDebug("Somehow seem to be stuck inside the dce "
1474  "parser for quite sometime. Let's get out of here.");
1475  DCERPCResetParsingState(dcerpc);
1476  SCReturnInt(0);
1477  }
1478 
1479  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN && input_len) {
1480  hdrretval = DCERPCParseHeader(dcerpc, input + parsed, input_len);
1481  if (hdrretval == -1 || hdrretval > (int32_t)input_len) {
1482  SCLogDebug("Error parsing dce header. Discarding "
1483  "PDU and reseting parsing state to parse next PDU");
1484  /* error parsing pdu header. Let's clear the dce state */
1485  DCERPCResetParsingState(dcerpc);
1486  SCReturnInt(0);
1487  } else {
1488  parsed += hdrretval;
1489  input_len -= hdrretval;
1490  }
1491  }
1492  SCLogDebug("Done with DCERPCParseHeader bytesprocessed %u/%u left %u",
1493  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len);
1494 #if 0
1495  printf("Done with DCERPCParseHeader bytesprocessed %u/%u input_len left %u\n",
1496  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len);
1497  printf("\nDCERPC Version:\t%u\n", dcerpc->dcerpchdr.rpc_vers);
1498  printf("DCERPC Version Minor:\t%u\n", dcerpc->dcerpchdr.rpc_vers_minor);
1499  printf("DCERPC Type:\t%u\n", dcerpc->dcerpchdr.type);
1500  printf("DCERPC Flags:\t0x%02x\n", dcerpc->dcerpchdr.pfc_flags);
1501  printf("DCERPC Packed Drep:\t%02x %02x %02x %02x\n",
1502  dcerpc->dcerpchdr.packed_drep[0], dcerpc->dcerpchdr.packed_drep[1],
1503  dcerpc->dcerpchdr.packed_drep[2], dcerpc->dcerpchdr.packed_drep[3]);
1504  printf("DCERPC Frag Length:\t0x%04x %u\n",
1505  dcerpc->dcerpchdr.frag_length, dcerpc->dcerpchdr.frag_length);
1506  printf("DCERPC Auth Length:\t0x%04x\n", dcerpc->dcerpchdr.auth_length);
1507  printf("DCERPC Call Id:\t0x%08x\n", dcerpc->dcerpchdr.call_id);
1508 #endif
1509 
1510  /* check if we have parsed the entire input passed in the header parser.
1511  * If we have, time to leave */
1512  if (input_len == 0) {
1513  if (dcerpc->bytesprocessed < 10) {
1514 
1515  } else {
1516  if (dcerpc->bytesprocessed >= dcerpc->dcerpchdr.frag_length) {
1517  SCLogDebug("Weird DCE PDU");
1518  DCERPCResetParsingState(dcerpc);
1519  }
1520  }
1521  SCReturnInt(parsed);
1522  }
1523  switch (dcerpc->dcerpchdr.type) {
1524  case BIND:
1525  case ALTER_CONTEXT:
1526  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 12
1527  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
1528  && input_len) {
1529  retval = DCERPCParseBIND(dcerpc, input + parsed, input_len);
1530  if (retval && retval <= input_len) {
1531  parsed += retval;
1532  input_len -= retval;
1533  } else if (input_len) {
1534  SCLogDebug("Error Parsing DCERPC %s PDU",
1535  (dcerpc->dcerpchdr.type == BIND) ?
1536  "BIND" : "ALTER_CONTEXT");
1537  parsed = 0;
1538  (void)parsed; /* for scan-build */
1539  input_len = 0;
1540  (void)input_len; /* for scan-build */
1541  DCERPCResetParsingState(dcerpc);
1542  SCReturnInt(0);
1543  }
1544  }
1545  SCLogDebug("Done with DCERPCParseBIND bytesprocessed %u/%u numctxitems %u",
1546  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length,
1547  dcerpc->dcerpcbindbindack.numctxitems);
1548  while (dcerpc->dcerpcbindbindack.numctxitemsleft && dcerpc->bytesprocessed
1549  < dcerpc->dcerpchdr.frag_length && input_len) {
1550  retval = DCERPCParseBINDCTXItem(dcerpc, input + parsed, input_len);
1551  if (retval && retval <= input_len) {
1552  if (dcerpc->dcerpcbindbindack.ctxbytesprocessed == 44) {
1554  }
1555  parsed += retval;
1556  input_len -= retval;
1557  SCLogDebug("BIND processed %u/%u ctxitems %u/%u input_len left %u\n",
1558  dcerpc->bytesprocessed,
1559  dcerpc->dcerpchdr.frag_length,
1561  dcerpc->dcerpcbindbindack.numctxitems, input_len);
1562  } else if (input_len) {
1563  //parsed -= input_len;
1564  SCLogDebug("Error Parsing CTX Item %u\n", parsed);
1565  parsed = 0;
1566  (void)parsed; /* for scan-build */
1567  input_len = 0;
1568  (void)input_len; /* for scan-build */
1569  dcerpc->dcerpcbindbindack.numctxitemsleft = 0;
1570  DCERPCResetParsingState(dcerpc);
1571  SCReturnInt(0);
1572  }
1573  }
1574  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1575  DCERPCResetParsingState(dcerpc);
1576  } else if (dcerpc->bytesprocessed > dcerpc->dcerpchdr.frag_length) {
1577  DCERPCResetParsingState(dcerpc);
1578  SCReturnInt(0);
1579  } else {
1580  /* temporary fix */
1581  if (input_len) {
1582  retval = DCERPCThrowOutExtraData(dcerpc, input + parsed,
1583  input_len);
1584  if (retval && retval <= input_len) {
1585  input_len -= retval;
1586  parsed += retval;
1587  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1588  DCERPCResetParsingState(dcerpc);
1589  }
1590  } else {
1591  SCLogDebug("Error Parsing DCERPC");
1592  parsed = 0;
1593  (void)parsed; /* for scan-build */
1594  input_len = 0;
1595  (void)input_len; /* for scan-build */
1596  DCERPCResetParsingState(dcerpc);
1597  SCReturnInt(0);
1598  }
1599  }
1600  }
1601  break;
1602 
1603  case BIND_ACK:
1604  case ALTER_CONTEXT_RESP:
1605  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 9
1606  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
1607  && input_len) {
1608  retval = DCERPCParseBINDACK(dcerpc, input + parsed, input_len);
1609  if (retval && retval <= input_len) {
1610  parsed += retval;
1611  input_len -= retval;
1612  SCLogDebug("DCERPCParseBINDACK processed %u/%u input_len left %u",
1613  dcerpc->bytesprocessed,
1614  dcerpc->dcerpchdr.frag_length, input_len);
1615  } else if (input_len) {
1616  SCLogDebug("Error parsing %s\n",
1617  (dcerpc->dcerpchdr.type == BIND_ACK) ?
1618  "BIND_ACK" : "ALTER_CONTEXT_RESP");
1619  parsed = 0;
1620  (void)parsed; /* for scan-build */
1621  input_len = 0;
1622  (void)input_len; /* for scan-build */
1623  DCERPCResetParsingState(dcerpc);
1624  SCReturnInt(0);
1625  }
1626  }
1627 
1628  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 10
1630  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) {
1631  retval = DCERPCParseSecondaryAddr(dcerpc, input + parsed, input_len);
1632  if (retval && retval <= input_len) {
1633  parsed += retval;
1634  input_len -= retval;
1635  SCLogDebug("DCERPCParseSecondaryAddr %u/%u left %u secondaryaddr len(%u)",
1636  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len,
1638  } else if (input_len) {
1639  SCLogDebug("Error parsing Secondary Address");
1640  parsed = 0;
1641  (void)parsed; /* for scan-build */
1642  input_len = 0;
1643  (void)input_len; /* for scan-build */
1644  DCERPCResetParsingState(dcerpc);
1645  SCReturnInt(0);
1646  }
1647  }
1648 
1649  if (dcerpc->bytesprocessed == DCERPC_HDR_LEN + 10
1650  + dcerpc->dcerpcbindbindack.secondaryaddrlen) {
1651  if (dcerpc->bytesprocessed % 4) {
1652  dcerpc->pad = (4 - dcerpc->bytesprocessed % 4);
1653  dcerpc->padleft = dcerpc->pad;
1654  }
1655  }
1656 
1657  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 10
1658  + dcerpc->dcerpcbindbindack.secondaryaddrlen + dcerpc->pad
1659  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) {
1660  retval = PaddingParser(dcerpc, input + parsed, input_len);
1661  if (retval && retval <= input_len) {
1662  parsed += retval;
1663  input_len -= retval;
1664  SCLogDebug("PaddingParser %u/%u left %u pad(%u)",
1665  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len,
1666  dcerpc->pad);
1667  } else if (input_len) {
1668  SCLogDebug("Error parsing DCERPC Padding");
1669  parsed = 0;
1670  (void)parsed; /* for scan-build */
1671  input_len = 0;
1672  (void)input_len; /* for scan-build */
1673  DCERPCResetParsingState(dcerpc);
1674  SCReturnInt(0);
1675  }
1676  }
1677 
1678  while (dcerpc->bytesprocessed >= DCERPC_HDR_LEN + 10 + dcerpc->pad
1680  < DCERPC_HDR_LEN + 14 + dcerpc->pad + dcerpc->dcerpcbindbindack.secondaryaddrlen
1681  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) {
1682  retval = DCERPCGetCTXItems(dcerpc, input + parsed, input_len);
1683  if (retval && retval <= input_len) {
1684  parsed += retval;
1685  input_len -= retval;
1686  SCLogDebug("DCERPCGetCTXItems %u/%u (%u)", dcerpc->bytesprocessed,
1688  } else if (input_len) {
1689  SCLogDebug("Error parsing CTX Items");
1690  parsed = 0;
1691  (void)parsed; /* for scan-build */
1692  input_len = 0;
1693  (void)input_len; /* for scan-build */
1694  DCERPCResetParsingState(dcerpc);
1695  SCReturnInt(0);
1696  }
1697  }
1698 
1699  if (dcerpc->bytesprocessed == DCERPC_HDR_LEN + 14 + dcerpc->pad
1700  + dcerpc->dcerpcbindbindack.secondaryaddrlen) {
1702  }
1703 
1704  while (dcerpc->dcerpcbindbindack.numctxitemsleft && dcerpc->bytesprocessed
1705  < dcerpc->dcerpchdr.frag_length && input_len) {
1706  retval = DCERPCParseBINDACKCTXItem(dcerpc, input + parsed, input_len);
1707  if (retval && retval <= input_len) {
1708  if (dcerpc->dcerpcbindbindack.ctxbytesprocessed == 24) {
1710  }
1711  parsed += retval;
1712  input_len -= retval;
1713  } else if (input_len) {
1714  SCLogDebug("Error parsing CTX Items");
1715  parsed = 0;
1716  (void)parsed; /* for scan-build */
1717  input_len = 0;
1718  (void)input_len; /* for scan-build */
1719  dcerpc->dcerpcbindbindack.numctxitemsleft = 0;
1720  DCERPCResetParsingState(dcerpc);
1721  SCReturnInt(0);
1722  }
1723  }
1724  SCLogDebug("BINDACK processed %u/%u input_len left %u",
1725  dcerpc->bytesprocessed,
1726  dcerpc->dcerpchdr.frag_length, input_len);
1727 
1728  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1729  /* response and request done */
1730  if (dcerpc->dcerpchdr.type == BIND_ACK) {
1731  /* update transaction id */
1732  dcerpc->transaction_id++;
1733  SCLogDebug("transaction_id updated to %"PRIu16,
1734  dcerpc->transaction_id);
1735  }
1736  DCERPCResetParsingState(dcerpc);
1737  } else if (dcerpc->bytesprocessed > dcerpc->dcerpchdr.frag_length) {
1738  DCERPCResetParsingState(dcerpc);
1739  SCReturnInt(0);
1740  } else {
1741  /* temporary fix */
1742  if (input_len) {
1743  retval = DCERPCThrowOutExtraData(dcerpc, input + parsed,
1744  input_len);
1745  if (retval && retval <= input_len) {
1746  input_len -= retval;
1747  parsed += retval;
1748  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1749  DCERPCResetParsingState(dcerpc);
1750  }
1751  } else {
1752  SCLogDebug("Error Parsing DCERPC");
1753  parsed = 0;
1754  (void)parsed; /* for scan-build */
1755  input_len = 0;
1756  (void)input_len; /* for scan-build */
1757  DCERPCResetParsingState(dcerpc);
1758  SCReturnInt(0);
1759  }
1760  }
1761  }
1762  break;
1763 
1764  case REQUEST:
1765  case RESPONSE:
1766  SCLogDebug("parsing DCERPC %s",
1767  (dcerpc->dcerpchdr.type == REQUEST) ? "REQUEST" : "RESPONSE");
1768  if ((dcerpc->dcerpchdr.type == REQUEST &&
1770  (dcerpc->dcerpchdr.type == RESPONSE &&
1772  {
1773  DCERPCResetStub(dcerpc);
1774  }
1775 
1776  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 8
1777  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
1778  && input_len) {
1779  retval = DCERPCParseREQUEST(dcerpc, input + parsed, input_len);
1780  if (retval && retval <= input_len) {
1781  parsed += retval;
1782  input_len -= retval;
1783  dcerpc->padleft = dcerpc->dcerpchdr.frag_length - dcerpc->bytesprocessed;
1784  } else if (input_len) {
1785  SCLogDebug("Error parsing DCERPC %s",
1786  (dcerpc->dcerpchdr.type == REQUEST) ? "REQUEST" : "RESPONSE");
1787  parsed = 0;
1788  (void)parsed; /* for scan-build */
1789  dcerpc->padleft = 0;
1790  input_len = 0;
1791  (void)input_len; /* for scan-build */
1792  DCERPCResetParsingState(dcerpc);
1793  SCReturnInt(0);
1794  }
1795  }
1796 
1797  while (dcerpc->bytesprocessed >= DCERPC_HDR_LEN + 8
1798  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
1799  && dcerpc->padleft && input_len) {
1800  retval = StubDataParser(dcerpc, input + parsed, input_len);
1801  if (retval && retval <= input_len) {
1802  parsed += retval;
1803  input_len -= retval;
1804  } else if (input_len) {
1805  SCLogDebug("Error parsing DCERPC Stub Data");
1806  parsed = 0;
1807  (void)parsed; /* for scan-build */
1808  input_len = 0;
1809  (void)input_len; /* for scan-build */
1810  DCERPCResetParsingState(dcerpc);
1811  SCReturnInt(0);
1812  }
1813  }
1814 
1815  if (dcerpc->dcerpchdr.type == REQUEST) {
1816  SCLogDebug("REQUEST processed %u frag length %u opnum %u input_len %u", dcerpc->bytesprocessed,
1817  dcerpc->dcerpchdr.frag_length, dcerpc->dcerpcrequest.opnum, input_len);
1818  } else {
1819  SCLogDebug("RESPONSE processed %u frag length %u opnum %u input_len %u", dcerpc->bytesprocessed,
1820  dcerpc->dcerpchdr.frag_length, dcerpc->dcerpcrequest.opnum, input_len);
1821  }
1822 
1823  /* don't see how we could break the parser for request pdus, by
1824  * pusing bytesprocessed beyond frag_length. Let's have the
1825  * check anyways */
1826  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1827  DCERPCResetParsingState(dcerpc);
1828  } else if (dcerpc->bytesprocessed > dcerpc->dcerpchdr.frag_length) {
1829  DCERPCResetParsingState(dcerpc);
1830  SCReturnInt(0);
1831  } else {
1832  /* temporary fix */
1833  if (input_len) {
1834  retval = DCERPCThrowOutExtraData(dcerpc, input + parsed,
1835  input_len);
1836  if (retval && retval <= input_len) {
1837  input_len -= retval;
1838  parsed += retval;
1839  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1840  DCERPCResetParsingState(dcerpc);
1841  }
1842  } else {
1843  SCLogDebug("Error Parsing DCERPC");
1844  parsed = 0;
1845  (void)parsed; /* for scan-build */
1846  input_len = 0;
1847  (void)input_len; /* for scan-build */
1848  DCERPCResetParsingState(dcerpc);
1849  SCReturnInt(0);
1850  }
1851  }
1852  }
1853 
1854  /* response and request done */
1855  if (dcerpc->dcerpchdr.type == RESPONSE) {
1856  /* update transaction id */
1857  dcerpc->transaction_id++;
1858  SCLogDebug("transaction_id updated to %"PRIu16,
1859  dcerpc->transaction_id);
1860  }
1861  break;
1862 
1863  default:
1864  SCLogDebug("DCERPC Type 0x%02x not implemented yet", dcerpc->dcerpchdr.type);
1865  retval = DCERPCThrowOutExtraData(dcerpc, input + parsed,
1866  input_len);
1867  if (retval && retval <= input_len) {
1868  input_len -= retval;
1869  parsed += retval;
1870  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1871  DCERPCResetParsingState(dcerpc);
1872  }
1873  } else {
1874  SCLogDebug("Error Parsing DCERPC");
1875  parsed = 0;
1876  (void)parsed; /* for scan-build */
1877  input_len = 0;
1878  (void)input_len; /* for scan-build */
1879  DCERPCResetParsingState(dcerpc);
1880  SCReturnInt(0);
1881  }
1882  break;
1883  }
1884  }
1885 
1886  SCReturnInt(parsed);
1887 }
1888 
1889 static int DCERPCParse(Flow *f, void *dcerpc_state,
1890  AppLayerParserState *pstate,
1891  uint8_t *input, uint32_t input_len,
1892  void *local_data, int dir)
1893 {
1894  SCEnter();
1895 
1896  int32_t retval = 0;
1897  DCERPCState *sstate = (DCERPCState *) dcerpc_state;
1898 
1899  if (input == NULL && AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
1900  SCReturnInt(1);
1901  } else if (input == NULL || input_len == 0) {
1902  SCReturnInt(-1);
1903  }
1904 
1905  if (sstate->dcerpc.bytesprocessed != 0 && sstate->data_needed_for_dir != dir) {
1906  SCReturnInt(-1);
1907  }
1908 
1909  retval = DCERPCParser(&sstate->dcerpc, input, input_len);
1910  if (retval == -1) {
1911  SCReturnInt(0);
1912  }
1913 
1914  sstate->data_needed_for_dir = dir;
1915 
1916  if (pstate == NULL)
1917  SCReturnInt(-1);
1918 
1919  SCReturnInt(1);
1920 }
1921 
1922 static int DCERPCParseRequest(Flow *f, void *dcerpc_state,
1923  AppLayerParserState *pstate,
1924  uint8_t *input, uint32_t input_len,
1925  void *local_data, const uint8_t flags)
1926 {
1927  return DCERPCParse(f, dcerpc_state, pstate, input, input_len,
1928  local_data, 0);
1929 }
1930 
1931 static int DCERPCParseResponse(Flow *f, void *dcerpc_state,
1932  AppLayerParserState *pstate,
1933  uint8_t *input, uint32_t input_len,
1934  void *local_data, const uint8_t flags)
1935 {
1936  return DCERPCParse(f, dcerpc_state, pstate, input, input_len,
1937  local_data, 1);
1938 }
1939 
1940 void DCERPCInit(DCERPC *dcerpc)
1941 {
1942  dcerpc->transaction_id = 1;
1943 
1946 }
1947 
1948 static void *DCERPCStateAlloc(void)
1949 {
1950  SCEnter();
1951 
1952  DCERPCState *s = SCCalloc(1, sizeof(DCERPCState));
1953  if (unlikely(s == NULL)) {
1954  SCReturnPtr(NULL, "void");
1955  }
1956 
1957  DCERPCInit(&s->dcerpc);
1958 
1959  SCReturnPtr((void *)s, "void");
1960 }
1961 
1962 void DCERPCUuidListFree(DCERPCUuidEntryList *list)
1963 {
1964  DCERPCUuidEntry *entry;
1965 
1966  while ((entry = TAILQ_FIRST(list))) {
1967  TAILQ_REMOVE(list, entry, next);
1968  SCFree(entry);
1969  }
1970 }
1971 
1972 void DCERPCCleanup(DCERPC *dcerpc)
1973 {
1976 
1977  if (dcerpc->dcerpcrequest.stub_data_buffer != NULL) {
1979  dcerpc->dcerpcrequest.stub_data_buffer = NULL;
1980  dcerpc->dcerpcrequest.stub_data_buffer_len = 0;
1981  }
1982  if (dcerpc->dcerpcresponse.stub_data_buffer != NULL) {
1984  dcerpc->dcerpcresponse.stub_data_buffer = NULL;
1986  }
1987 }
1988 
1989 static void DCERPCStateFree(void *s)
1990 {
1991  DCERPCState *sstate = (DCERPCState *) s;
1992 
1993  DCERPCCleanup(&sstate->dcerpc);
1994 
1995  if (sstate->de_state != NULL) {
1997  }
1998 
1999  SCFree(s);
2000 }
2001 
2002 static int DCERPCSetTxDetectState(void *vtx, DetectEngineState *de_state)
2003 {
2004  DCERPCState *dce_state = (DCERPCState *)vtx;
2005  dce_state->de_state = de_state;
2006  return 0;
2007 }
2008 
2009 static DetectEngineState *DCERPCGetTxDetectState(void *vtx)
2010 {
2011  DCERPCState *dce_state = (DCERPCState *)vtx;
2012  return dce_state->de_state;
2013 }
2014 
2015 static void DCERPCStateTransactionFree(void *state, uint64_t tx_id)
2016 {
2017  /* do nothing */
2018 }
2019 
2020 static void *DCERPCGetTx(void *state, uint64_t tx_id)
2021 {
2022  DCERPCState *dce_state = (DCERPCState *)state;
2023  return dce_state;
2024 }
2025 
2026 static uint64_t DCERPCGetTxCnt(void *state)
2027 {
2028  /* single tx */
2029  return 1;
2030 }
2031 
2032 static int DCERPCGetAlstateProgressCompletionStatus(uint8_t direction)
2033 {
2034  return 1;
2035 }
2036 
2037 static int DCERPCGetAlstateProgress(void *tx, uint8_t direction)
2038 {
2039  return 0;
2040 }
2041 
2042 static int DCERPCRegisterPatternsForProtocolDetection(void)
2043 {
2045  "|05 00|", 2, 0, STREAM_TOSERVER) < 0)
2046  {
2047  return -1;
2048  }
2050  "|05 00|", 2, 0, STREAM_TOCLIENT) < 0)
2051  {
2052  return -1;
2053  }
2054 
2055  return 0;
2056 }
2057 
2059 {
2060  const char *proto_name = "dcerpc";
2061 
2062  if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
2064  if (DCERPCRegisterPatternsForProtocolDetection() < 0)
2065  return;
2066  } else {
2067  SCLogInfo("Protocol detection and parser disabled for %s protocol.",
2068  proto_name);
2069  return;
2070  }
2071 
2072  if (AppLayerParserConfParserEnabled("tcp", proto_name)) {
2074  DCERPCParseRequest);
2076  DCERPCParseResponse);
2077  AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCStateAlloc,
2078  DCERPCStateFree);
2080 
2081 
2082  AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCStateTransactionFree);
2083 
2085  DCERPCGetTxDetectState, DCERPCSetTxDetectState);
2086 
2087  AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetTx);
2088 
2089  AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetTxCnt);
2090 
2091  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetAlstateProgress);
2092 
2094  DCERPCGetAlstateProgressCompletionStatus);
2095  } else {
2096  SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
2097  "still on.", proto_name);
2098  }
2099 #ifdef UNITTESTS
2101 #endif
2102 
2103  return;
2104 }
2105 
2106 /* UNITTESTS */
2107 #ifdef UNITTESTS
2108 /** \test DCERPC Header Parsing and BIND / BIND_ACK multiple UUID handling
2109 */
2110 
2111 /* set this to 1 to see problem */
2112 
2113 static int DCERPCParserTest01(void)
2114 {
2115  int result = 1;
2116  Flow f;
2117  uint8_t dcerpcbind[] = {
2118  0x05, 0x00,
2119  0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04,
2120  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16,
2121  0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00,
2122  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0,
2123  0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f,
2124  0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00,
2125  0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2126  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2127  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00,
2128  0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b,
2129  0x06, 0xac, 0x1b, 0xf0, 0xf5, 0xb7, 0xa7, 0xf7,
2130  0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
2131  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2132  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2133  0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2,
2134  0x10, 0xd1, 0xd0, 0x0c, 0xcc, 0x3d, 0x2f, 0x80,
2135  0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00,
2136  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2137  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2138  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00,
2139  0x01, 0x00, 0xde, 0x85, 0x70, 0xc4, 0x02, 0x7c,
2140  0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36,
2141  0x79, 0x17, 0x01, 0x00, 0x02, 0x00, 0x04, 0x5d,
2142  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2143  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2144  0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x41, 0x65,
2145  0x29, 0x51, 0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37,
2146  0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed, 0x05, 0x00,
2147  0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2148  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2149  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00,
2150  0x01, 0x00, 0x14, 0x96, 0x80, 0x01, 0x2e, 0x78,
2151  0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa,
2152  0x02, 0xfb, 0x06, 0x00, 0x00, 0x00, 0x04, 0x5d,
2153  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2154  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2155  0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x3b, 0x04,
2156  0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55,
2157  0xcd, 0xe7, 0x39, 0xaf, 0x98, 0x9f, 0x03, 0x00,
2158  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2159  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2160  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00,
2161  0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25,
2162  0x92, 0x55, 0xdd, 0xae, 0x9e, 0x5b, 0x3e, 0x93,
2163  0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d,
2164  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2165  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2166  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4,
2167  0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f, 0x14, 0xcc,
2168  0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00,
2169  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2170  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2171  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00,
2172  0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55,
2173  0x6f, 0x5d, 0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17,
2174  0x52, 0x8d, 0x06, 0x00, 0x03, 0x00, 0x04, 0x5d,
2175  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2176  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2177  0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17,
2178  0x55, 0x0c, 0xf4, 0x23, 0x3c, 0xca, 0xe6, 0xa0,
2179  0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00,
2180  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2181  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2182  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00,
2183  0x01, 0x00, 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1,
2184  0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9,
2185  0x2e, 0xf5, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d,
2186  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2187  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2188  0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xc9, 0x9f,
2189  0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78,
2190  0xe1, 0x13, 0x70, 0x05, 0x38, 0x4d, 0x01, 0x00,
2191  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2192  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2193  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00,
2194  0x01, 0x00, 0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6,
2195  0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7, 0xf8, 0x56,
2196  0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
2197  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2198  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2199  0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0xee, 0x99,
2200  0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa,
2201  0xfd, 0x26, 0x57, 0x02, 0xf1, 0xce, 0x03, 0x00,
2202  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2203  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2204  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x00,
2205  0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b,
2206  0xba, 0xe4, 0xd3, 0x17, 0x41, 0x60, 0x6d, 0x2d,
2207  0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d,
2208  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2209  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2210  0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24,
2211  0x03, 0x9a, 0xa9, 0x99, 0xfb, 0xbe, 0x49, 0x11,
2212  0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00,
2213  0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2214  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2215  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00,
2216  0x01, 0x00, 0x32, 0x04, 0x7e, 0xae, 0xec, 0x28,
2217  0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d,
2218  0xc6, 0x65, 0x02, 0x00, 0x03, 0x00, 0x04, 0x5d,
2219  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2220  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2221  0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4,
2222  0x81, 0x48, 0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e,
2223  0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6, 0x03, 0x00,
2224  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2225  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2226  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00,
2227  0x01, 0x00, 0xcb, 0xae, 0xb3, 0xc0, 0x0c, 0xf4,
2228  0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70,
2229  0x89, 0x02, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d,
2230  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2231  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2232  0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0xb8, 0xd0,
2233  0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6,
2234  0x7d, 0x08, 0x0d, 0x33, 0x73, 0x18, 0x02, 0x00,
2235  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2236  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2237  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x15, 0x00,
2238  0x01, 0x00, 0x21, 0xd3, 0xaa, 0x09, 0x03, 0xa7,
2239  0x0b, 0xc2, 0x06, 0x45, 0xd9, 0x6c, 0x75, 0xc2,
2240  0x15, 0xa8, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d,
2241  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2242  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2243  0x00, 0x00, 0x16, 0x00, 0x01, 0x00, 0xe1, 0xbd,
2244  0x59, 0xfc, 0xbc, 0xa9, 0x95, 0xc2, 0x68, 0x79,
2245  0xf3, 0x75, 0xe0, 0xae, 0x6c, 0xe5, 0x04, 0x00,
2246  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2247  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2248  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x17, 0x00,
2249  0x01, 0x00, 0x06, 0x52, 0xb4, 0x71, 0x70, 0x15,
2250  0x4e, 0xf5, 0x7f, 0x08, 0x86, 0x14, 0xe6, 0x17,
2251  0xd5, 0x97, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d,
2252  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2253  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2254  0x00, 0x00};
2255 
2256  uint8_t dcerpcbindack[] = {
2257  0x05, 0x00, 0x0c, 0x03,
2258  0x10, 0x00, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00,
2259  0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10,
2260  0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50,
2261  0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73,
2262  0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00,
2263  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2264  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2265  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2266  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2267  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2268  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2269  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2270  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2271  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2272  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2273  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2274  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2275  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2276  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2277  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2278  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2279  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2280  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2281  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2282  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2283  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2284  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2285  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2286  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2287  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2288  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2289  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2290  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2291  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2292  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2293  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2294  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2295  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2296  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2297  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2298  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2299  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2300  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2301  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2302  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2303  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2304  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2305  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2306  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2307  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2308  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2309  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2310  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2311  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2312  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2313  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2314  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2315  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2316  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2317  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2318  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2319  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2320  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2321  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2322  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2323  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2324  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2325  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2326  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2327  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2328  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2329  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2330  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2331  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2332  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2333  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2334  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
2335 
2336  uint8_t dcerpcrequest[] = {
2337  0x05, 0x00, 0x00, 0x00, 0x10,
2338  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
2339  0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0b,
2340  0x00, 0x09, 0x00, 0x45, 0x00, 0x2c, 0x00, 0x4d,
2341  0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a,
2342  0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58,
2343  0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41,
2344  0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48,
2345  0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60,
2346  0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b,
2347  0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24,
2348  0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68,
2349  0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c,
2350  0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61,
2351  0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d,
2352  0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67,
2353  0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45,
2354  0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c,
2355  0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e,
2356  0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73,
2357  0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e,
2358  0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41,
2359  0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71,
2360  0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35,
2361  0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37,
2362  0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37,
2363  0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69,
2364  0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72,
2365  0x00, 0x4b, 0x00, 0x5c, 0x00, 0x74, 0x00, 0x3e,
2366  0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31,
2367  0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b,
2368  0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e,
2369  0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f,
2370  0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59,
2371  0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e,
2372  0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79,
2373  0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49,
2374  0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72,
2375  0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24,
2376  0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27,
2377  0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e,
2378  0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28,
2379  0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64,
2380  0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30,
2381  0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e,
2382  0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52,
2383  0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56,
2384  0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30,
2385  0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38,
2386  0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42,
2387  0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c,
2388  0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f,
2389  0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41,
2390  0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27,
2391  0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30,
2392  0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e,
2393  0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72,
2394  0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b,
2395  0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b,
2396  0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56,
2397  0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61,
2398  0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58,
2399  0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b,
2400  0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52,
2401  0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65,
2402  0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74,
2403  0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61,
2404  0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a,
2405  0x00, 0x74, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x68,
2406  0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f,
2407  0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32,
2408  0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f,
2409  0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51,
2410  0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48,
2411  0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25,
2412  0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32,
2413  0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40,
2414  0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50,
2415  0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38,
2416  0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c,
2417  0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a,
2418  0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76,
2419  0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75,
2420  0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33,
2421  0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71,
2422  0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67,
2423  0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b,
2424  0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23,
2425  0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51,
2426  0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b,
2427  0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65,
2428  0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f,
2429  0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a,
2430  0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f,
2431  0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59,
2432  0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46,
2433  0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e,
2434  0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45,
2435  0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e,
2436  0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75,
2437  0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29,
2438  0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78,
2439  0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b,
2440  0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f,
2441  0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68,
2442  0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53,
2443  0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36,
2444  0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75,
2445  0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00, 0x55,
2446  0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73,
2447  0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e,
2448  0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d,
2449  0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f,
2450  0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63,
2451  0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61,
2452  0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c,
2453  0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b,
2454  0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37,
2455  0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a,
2456  0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a,
2457  0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a,
2458  0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b,
2459  0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c,
2460  0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b,
2461  0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22,
2462  0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44,
2463  0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c,
2464  0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70,
2465  0x00, 0x69, 0x00};
2466  uint32_t requestlen = sizeof(dcerpcrequest);
2467 
2468  uint32_t bindlen = sizeof(dcerpcbind);
2469  uint32_t bindacklen = sizeof(dcerpcbindack);
2470  TcpSession ssn;
2471  DCERPCUuidEntry *uuid_entry;
2473 
2474  memset(&f, 0, sizeof(f));
2475  memset(&ssn, 0, sizeof(ssn));
2476 
2477  FLOW_INITIALIZE(&f);
2478  f.protoctx = (void *)&ssn;
2479  f.proto = IPPROTO_TCP;
2480  f.alproto = ALPROTO_DCERPC;
2481 
2483 
2484  FLOWLOCK_WRLOCK(&f);
2485  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2486  STREAM_TOSERVER | STREAM_START, dcerpcbind,
2487  bindlen);
2488  if (r != 0) {
2489  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2490  result = 0;
2491  FLOWLOCK_UNLOCK(&f);
2492  goto end;
2493  }
2494  FLOWLOCK_UNLOCK(&f);
2495 
2496  DCERPCState *dcerpc_state = f.alstate;
2497  if (dcerpc_state == NULL) {
2498  printf("no dcerpc state: ");
2499  result = 0;
2500  goto end;
2501  }
2502 
2503  if (dcerpc_state->dcerpc.dcerpchdr.rpc_vers != 5) {
2504  printf("expected dcerpc version 0x05, got 0x%02x : ",
2505  dcerpc_state->dcerpc.dcerpchdr.rpc_vers);
2506  result = 0;
2507  goto end;
2508  }
2509 
2510  if (dcerpc_state->dcerpc.dcerpchdr.type != BIND) {
2511  printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND, dcerpc_state->dcerpc.dcerpchdr.type);
2512  result = 0;
2513  goto end;
2514  }
2515 
2516  if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1084) {
2517  printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1084, dcerpc_state->dcerpc.dcerpchdr.frag_length);
2518  result = 0;
2519  goto end;
2520  }
2521 
2522  FLOWLOCK_WRLOCK(&f);
2523  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2524  STREAM_TOCLIENT, dcerpcbindack, bindacklen);
2525  if (r != 0) {
2526  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2527  result = 0;
2528  FLOWLOCK_UNLOCK(&f);
2529  goto end;
2530  }
2531  FLOWLOCK_UNLOCK(&f);
2532  if (dcerpc_state->dcerpc.dcerpchdr.type != BIND_ACK) {
2533  printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND_ACK, dcerpc_state->dcerpc.dcerpchdr.type);
2534  result = 0;
2535  goto end;
2536  }
2537 
2538  if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 620) {
2539  printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 620, dcerpc_state->dcerpc.dcerpchdr.frag_length);
2540  result = 0;
2541  goto end;
2542  }
2543  TAILQ_FOREACH(uuid_entry, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
2544  printUUID("BIND_ACK", uuid_entry);
2545  }
2546 
2547  FLOWLOCK_WRLOCK(&f);
2548  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2549  STREAM_TOSERVER | STREAM_EOF, dcerpcrequest,
2550  requestlen);
2551  if (r != 0) {
2552  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2553  result = 0;
2554  FLOWLOCK_UNLOCK(&f);
2555  goto end;
2556  }
2557  FLOWLOCK_UNLOCK(&f);
2558  if (dcerpc_state->dcerpc.dcerpchdr.type != REQUEST) {
2559  printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.dcerpchdr.type);
2560  result = 0;
2561  goto end;
2562  }
2563 end:
2564  if (alp_tctx != NULL)
2565  AppLayerParserThreadCtxFree(alp_tctx);
2567  FLOW_DESTROY(&f);
2568  return result;
2569 }
2570 
2571 /** \test DCERPC Request decoding and opnum parsing.
2572 */
2573 static int DCERPCParserTest02(void)
2574 {
2575  int result = 1;
2576  Flow f;
2577  uint8_t dcerpcrequest[] = {
2578  0x05, 0x00, 0x00, 0x00, 0x10,
2579  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
2580  0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0b,
2581  0x00, 0x09, 0x00, 0x45, 0x00, 0x2c, 0x00, 0x4d,
2582  0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a,
2583  0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58,
2584  0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41,
2585  0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48,
2586  0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60,
2587  0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b,
2588  0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24,
2589  0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68,
2590  0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c,
2591  0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61,
2592  0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d,
2593  0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67,
2594  0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45,
2595  0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c,
2596  0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e,
2597  0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73,
2598  0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e,
2599  0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41,
2600  0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71,
2601  0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35,
2602  0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37,
2603  0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37,
2604  0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69,
2605  0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72,
2606  0x00, 0x4b, 0x00, 0x5c, 0x00, 0x74, 0x00, 0x3e,
2607  0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31,
2608  0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b,
2609  0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e,
2610  0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f,
2611  0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59,
2612  0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e,
2613  0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79,
2614  0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49,
2615  0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72,
2616  0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24,
2617  0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27,
2618  0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e,
2619  0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28,
2620  0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64,
2621  0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30,
2622  0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e,
2623  0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52,
2624  0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56,
2625  0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30,
2626  0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38,
2627  0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42,
2628  0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c,
2629  0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f,
2630  0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41,
2631  0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27,
2632  0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30,
2633  0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e,
2634  0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72,
2635  0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b,
2636  0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b,
2637  0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56,
2638  0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61,
2639  0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58,
2640  0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b,
2641  0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52,
2642  0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65,
2643  0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74,
2644  0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61,
2645  0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a,
2646  0x00, 0x74, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x68,
2647  0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f,
2648  0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32,
2649  0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f,
2650  0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51,
2651  0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48,
2652  0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25,
2653  0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32,
2654  0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40,
2655  0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50,
2656  0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38,
2657  0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c,
2658  0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a,
2659  0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76,
2660  0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75,
2661  0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33,
2662  0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71,
2663  0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67,
2664  0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b,
2665  0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23,
2666  0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51,
2667  0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b,
2668  0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65,
2669  0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f,
2670  0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a,
2671  0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f,
2672  0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59,
2673  0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46,
2674  0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e,
2675  0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45,
2676  0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e,
2677  0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75,
2678  0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29,
2679  0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78,
2680  0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b,
2681  0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f,
2682  0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68,
2683  0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53,
2684  0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36,
2685  0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75,
2686  0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00, 0x55,
2687  0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73,
2688  0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e,
2689  0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d,
2690  0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f,
2691  0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63,
2692  0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61,
2693  0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c,
2694  0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b,
2695  0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37,
2696  0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a,
2697  0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a,
2698  0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a,
2699  0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b,
2700  0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c,
2701  0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b,
2702  0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22,
2703  0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44,
2704  0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c,
2705  0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70,
2706  0x00, 0x69, 0x00};
2707  uint32_t requestlen = sizeof(dcerpcrequest);
2708 
2709  TcpSession ssn;
2711 
2712  memset(&f, 0, sizeof(f));
2713  memset(&ssn, 0, sizeof(ssn));
2714 
2715  FLOW_INITIALIZE(&f);
2716  f.protoctx = (void *)&ssn;
2717  f.proto = IPPROTO_TCP;
2718  f.alproto = ALPROTO_DCERPC;
2719 
2721 
2722  FLOWLOCK_WRLOCK(&f);
2723  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2725  dcerpcrequest,
2726  requestlen);
2727  if (r != 0) {
2728  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2729  result = 0;
2730  FLOWLOCK_UNLOCK(&f);
2731  goto end;
2732  }
2733  FLOWLOCK_UNLOCK(&f);
2734 
2735  DCERPCState *dcerpc_state = f.alstate;
2736  if (dcerpc_state == NULL) {
2737  printf("no dcerpc state: ");
2738  result = 0;
2739  goto end;
2740  }
2741 
2742  if (dcerpc_state->dcerpc.dcerpchdr.rpc_vers != 5) {
2743  printf("expected dcerpc version 0x05, got 0x%02x : ",
2744  dcerpc_state->dcerpc.dcerpchdr.rpc_vers);
2745  result = 0;
2746  goto end;
2747  }
2748 
2749  if (dcerpc_state->dcerpc.dcerpchdr.type != REQUEST) {
2750  printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.dcerpchdr.type);
2751  result = 0;
2752  goto end;
2753  }
2754 
2755  if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1024) {
2756  printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.dcerpchdr.frag_length);
2757  result = 0;
2758  goto end;
2759  }
2760 
2761  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 9) {
2762  printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->dcerpc.dcerpcrequest.opnum);
2763  result = 0;
2764  goto end;
2765  }
2766 
2767 end:
2768  if (alp_tctx != NULL)
2769  AppLayerParserThreadCtxFree(alp_tctx);
2771  FLOW_DESTROY(&f);
2772  return result;
2773 }
2774 
2775 /** \test Test endianness handling
2776 */
2777 static int DCERPCParserTest03(void)
2778 {
2779  int result = 1;
2780  Flow f;
2781  uint8_t dcerpcrequest[] = {
2782  0x05, 0x00, 0x00, 0x00, 0x01,
2783  0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
2784  0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x00,
2785  0x0b, 0x00, 0x09, 0x45, 0x00, 0x2c, 0x00, 0x4d,
2786  0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a,
2787  0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58,
2788  0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41,
2789  0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48,
2790  0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60,
2791  0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b,
2792  0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24,
2793  0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68,
2794  0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c,
2795  0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61,
2796  0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d,
2797  0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67,
2798  0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45,
2799  0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c,
2800  0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e,
2801  0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73,
2802  0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e,
2803  0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41,
2804  0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71,
2805  0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35,
2806  0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37,
2807  0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37,
2808  0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69,
2809  0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72,
2810  0x00, 0x4b, 0x00, 0x5c, 0x00, 0x74, 0x00, 0x3e,
2811  0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31,
2812  0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b,
2813  0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e,
2814  0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f,
2815  0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59,
2816  0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e,
2817  0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79,
2818  0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49,
2819  0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72,
2820  0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24,
2821  0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27,
2822  0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e,
2823  0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28,
2824  0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64,
2825  0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30,
2826  0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e,
2827  0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52,
2828  0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56,
2829  0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30,
2830  0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38,
2831  0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42,
2832  0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c,
2833  0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f,
2834  0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41,
2835  0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27,
2836  0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30,
2837  0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e,
2838  0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72,
2839  0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b,
2840  0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b,
2841  0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56,
2842  0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61,
2843  0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58,
2844  0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b,
2845  0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52,
2846  0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65,
2847  0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74,
2848  0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61,
2849  0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a,
2850  0x00, 0x74, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x68,
2851  0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f,
2852  0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32,
2853  0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f,
2854  0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51,
2855  0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48,
2856  0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25,
2857  0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32,
2858  0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40,
2859  0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50,
2860  0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38,
2861  0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c,
2862  0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a,
2863  0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76,
2864  0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75,
2865  0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33,
2866  0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71,
2867  0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67,
2868  0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b,
2869  0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23,
2870  0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51,
2871  0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b,
2872  0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65,
2873  0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f,
2874  0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a,
2875  0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f,
2876  0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59,
2877  0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46,
2878  0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e,
2879  0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45,
2880  0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e,
2881  0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75,
2882  0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29,
2883  0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78,
2884  0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b,
2885  0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f,
2886  0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68,
2887  0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53,
2888  0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36,
2889  0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75,
2890  0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00, 0x55,
2891  0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73,
2892  0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e,
2893  0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d,
2894  0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f,
2895  0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63,
2896  0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61,
2897  0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c,
2898  0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b,
2899  0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37,
2900  0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a,
2901  0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a,
2902  0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a,
2903  0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b,
2904  0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c,
2905  0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b,
2906  0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22,
2907  0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44,
2908  0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c,
2909  0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70,
2910  0x00, 0x69, 0x00};
2911  uint32_t requestlen = sizeof(dcerpcrequest);
2912 
2913  TcpSession ssn;
2915 
2916  memset(&f, 0, sizeof(f));
2917  memset(&ssn, 0, sizeof(ssn));
2918 
2919  FLOW_INITIALIZE(&f);
2920  f.protoctx = (void *)&ssn;
2921  f.proto = IPPROTO_TCP;
2922  f.alproto = ALPROTO_DCERPC;
2923 
2925 
2926  FLOWLOCK_WRLOCK(&f);
2927  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2929  dcerpcrequest,
2930  requestlen);
2931  if (r != 0) {
2932  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2933  result = 0;
2934  FLOWLOCK_UNLOCK(&f);
2935  goto end;
2936  }
2937  FLOWLOCK_UNLOCK(&f);
2938 
2939  DCERPCState *dcerpc_state = f.alstate;
2940  if (dcerpc_state == NULL) {
2941  printf("no dcerpc state: ");
2942  result = 0;
2943  goto end;
2944  }
2945 
2946  if (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] != 0x01) {
2947  printf("expected dcerpc data representation 0x01, got 0x%02x : ",
2948  dcerpc_state->dcerpc.dcerpchdr.packed_drep[0]);
2949  result = 0;
2950  goto end;
2951  }
2952 
2953  if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1024) {
2954  printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.dcerpchdr.frag_length);
2955  result = 0;
2956  goto end;
2957  }
2958 
2959  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 9) {
2960  printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->dcerpc.dcerpcrequest.opnum);
2961  result = 0;
2962  goto end;
2963  }
2964 end:
2965  if (alp_tctx != NULL)
2966  AppLayerParserThreadCtxFree(alp_tctx);
2968  FLOW_DESTROY(&f);
2969  return result;
2970 }
2971 
2972 /**
2973  * \test General test.
2974  */
2975 static int DCERPCParserTest05(void)
2976 {
2977  int result = 1;
2978  Flow f;
2979  int r = 0;
2980  uint8_t bind1[] = {
2981  0x05, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x00, 0x00,
2982  0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2983  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2984  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
2985  0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
2986  0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
2987  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2988  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2989  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
2990  };
2991  uint32_t bind1_len = sizeof(bind1);
2992 
2993  uint8_t bind2[] = {
2994  0x05, 0x00, 0x0b, 0x02, 0x10, 0x00, 0x00, 0x00,
2995  0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2996  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
2997  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
2998  0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
2999  0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x67,
3000  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3001  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3002  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
3003  };
3004  uint32_t bind2_len = sizeof(bind2);
3005 
3006  TcpSession ssn;
3008 
3009  memset(&f, 0, sizeof(f));
3010  memset(&ssn, 0, sizeof(ssn));
3011 
3012  FLOW_INITIALIZE(&f);
3013  f.protoctx = (void *)&ssn;
3014  f.proto = IPPROTO_TCP;
3015  f.alproto = ALPROTO_DCERPC;
3016 
3018 
3019  FLOWLOCK_WRLOCK(&f);
3020  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3021  STREAM_TOSERVER | STREAM_START, bind1, bind1_len);
3022  if (r != 0) {
3023  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3024  result = 0;
3025  FLOWLOCK_UNLOCK(&f);
3026  goto end;
3027  }
3028  FLOWLOCK_UNLOCK(&f);
3029 
3030  DCERPCState *dcerpc_state = f.alstate;
3031  if (dcerpc_state == NULL) {
3032  printf("no dcerpc state: ");
3033  result = 0;
3034  goto end;
3035  }
3036 
3037  DCERPCUuidEntry *item = NULL;
3038  int m = 0;
3039  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
3040  printf("%d ", m);
3041  printUUID("BIND",item);
3042  m++;
3043  }
3044 
3045  FLOWLOCK_WRLOCK(&f);
3046  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3047  STREAM_TOSERVER, bind2, bind2_len);
3048  if (r != 0) {
3049  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3050  result = 0;
3051  FLOWLOCK_UNLOCK(&f);
3052  goto end;
3053  }
3054  FLOWLOCK_UNLOCK(&f);
3055 
3056  item = NULL;
3057  m = 0;
3058  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
3059  printf("%d ", m);
3060  printUUID("BIND",item);
3061  m++;
3062  }
3063 
3064  /* we will need this test later for fragged bind pdus. keep it */
3065  result = 1;
3066 
3067 end:
3068  if (alp_tctx != NULL)
3069  AppLayerParserThreadCtxFree(alp_tctx);
3071  FLOW_DESTROY(&f);
3072  return result;
3073 }
3074 
3075 /**
3076  * \test DCERPC fragmented bind PDU(one PDU which is frag'ed)
3077  */
3078 static int DCERPCParserTest06(void)
3079 {
3080  int result = 1;
3081  Flow f;
3082  int r = 0;
3083  uint8_t bind1[] = {
3084  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
3085  0xdc, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3086  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3087  0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
3088  0xc7, 0x70, 0x0d, 0x3e, 0x71, 0x37, 0x39, 0x0d,
3089  0x3a, 0x4f, 0xd3, 0xdc, 0xca, 0x49, 0xe8, 0xa3,
3090  0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3091  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3092  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3093  0x01, 0x00, 0x01, 0x00, 0x84, 0xb6, 0x55, 0x75,
3094  0xdb, 0x9e, 0xba, 0x54, 0x56, 0xd3, 0x45, 0x10,
3095  0xb7, 0x7a, 0x2a, 0xe2, 0x04, 0x00, 0x01, 0x00,
3096  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3097  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3098  0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
3099  0x6e, 0x39, 0x21, 0x24, 0x70, 0x6f, 0x41, 0x57,
3100  0x54, 0x70, 0xb8, 0xc3, 0x5e, 0x89, 0x3b, 0x43,
3101  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3102  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3103  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3104  0x03, 0x00, 0x01, 0x00, 0x39, 0x6a, 0x86, 0x5d,
3105  0x24, 0x0f, 0xd2, 0xf7, 0xb6, 0xce, 0x95, 0x9c,
3106  0x54, 0x1d, 0x3a, 0xdb, 0x02, 0x00, 0x01, 0x00,
3107  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3108  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3109  0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00,
3110  0x12, 0xa5, 0xdd, 0xc5, 0x55, 0xce, 0xc3, 0x46,
3111  0xbd, 0xa0, 0x94, 0x39, 0x3c, 0x0d, 0x9b, 0x5b,
3112  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3113  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3114  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3115  0x05, 0x00, 0x01, 0x00, 0x87, 0x1c, 0x8b, 0x6e,
3116  0x11, 0xa8, 0x67, 0x98, 0xd4, 0x5d, 0xf6, 0x8a,
3117  0x2f, 0x33, 0x24, 0x7b, 0x05, 0x00, 0x03, 0x00,
3118  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3119  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3120  0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
3121  0x9b, 0x82, 0x13, 0xd1, 0x28, 0xe0, 0x63, 0xf3,
3122  0x62, 0xee, 0x76, 0x73, 0xf9, 0xac, 0x3d, 0x2e,
3123  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3124  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3125  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3126  0x07, 0x00, 0x01, 0x00, 0xa9, 0xd4, 0x73, 0xf2,
3127  0xed, 0xad, 0xe8, 0x82, 0xf8, 0xcf, 0x9d, 0x9f,
3128  0x66, 0xe6, 0x43, 0x37, 0x02, 0x00, 0x01, 0x00,
3129  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3130  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3131  0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00,
3132  0x06, 0x2b, 0x85, 0x38, 0x4f, 0x73, 0x96, 0xb1,
3133  0x73, 0xe1, 0x59, 0xbe, 0x9d, 0xe2, 0x6c, 0x07,
3134  0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3135  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3136  0x2b, 0x10, 0x48, 0x60};
3137  uint32_t bind1_len = sizeof(bind1);
3138 
3139  uint8_t bind2[] = {
3140  0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00,
3141  0xbf, 0xfa, 0xbb, 0xa4, 0x9e, 0x5c, 0x80, 0x61,
3142  0xb5, 0x8b, 0x79, 0x69, 0xa6, 0x32, 0x88, 0x77,
3143  0x01, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3144  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3145  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3146  0x0a, 0x00, 0x01, 0x00, 0x39, 0xa8, 0x2c, 0x39,
3147  0x73, 0x50, 0x06, 0x8d, 0xf2, 0x37, 0x1e, 0x1e,
3148  0xa8, 0x8f, 0x46, 0x98, 0x02, 0x00, 0x02, 0x00,
3149  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3150  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3151  0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x01, 0x00,
3152  0x91, 0x13, 0xd0, 0xa7, 0xef, 0xc4, 0xa7, 0x96,
3153  0x0c, 0x4a, 0x0d, 0x29, 0x80, 0xd3, 0xfe, 0xbf,
3154  0x00, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3155  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3156  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3157  0x0c, 0x00, 0x01, 0x00, 0xcc, 0x2b, 0x55, 0x1d,
3158  0xd4, 0xa4, 0x0d, 0xfb, 0xcb, 0x6f, 0x86, 0x36,
3159  0xa6, 0x57, 0xc3, 0x21, 0x02, 0x00, 0x01, 0x00,
3160  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3161  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3162  0x02, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x01, 0x00,
3163  0x43, 0x7b, 0x07, 0xee, 0x85, 0xa8, 0xb9, 0x3a,
3164  0x0f, 0xf9, 0x83, 0x70, 0xe6, 0x0b, 0x4f, 0x33,
3165  0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3166  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3167  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3168  0x0e, 0x00, 0x01, 0x00, 0x9c, 0x6a, 0x15, 0x8c,
3169  0xd6, 0x9c, 0xa6, 0xc3, 0xb2, 0x9e, 0x62, 0x9f,
3170  0x3d, 0x8e, 0x47, 0x73, 0x02, 0x00, 0x02, 0x00,
3171  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3172  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3173  0x02, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x01, 0x00,
3174  0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01,
3175  0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88,
3176  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3177  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3178  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
3179  };
3180  uint32_t bind2_len = sizeof(bind2);
3181 
3182  TcpSession ssn;
3184 
3185  memset(&f, 0, sizeof(f));
3186  memset(&ssn, 0, sizeof(ssn));
3187 
3188  FLOW_INITIALIZE(&f);
3189  f.protoctx = (void *)&ssn;
3190  f.proto = IPPROTO_TCP;
3191  f.alproto = ALPROTO_DCERPC;
3192 
3194 
3195  FLOWLOCK_WRLOCK(&f);
3196  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3197  STREAM_TOSERVER | STREAM_START, bind1, bind1_len);
3198  if (r != 0) {
3199  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3200  result = 0;
3201  FLOWLOCK_UNLOCK(&f);
3202  goto end;
3203  }
3204  FLOWLOCK_UNLOCK(&f);
3205 
3206  DCERPCState *dcerpc_state = f.alstate;
3207  if (dcerpc_state == NULL) {
3208  printf("no dcerpc state: ");
3209  result = 0;
3210  goto end;
3211  }
3212 
3213  result &= (dcerpc_state->dcerpc.bytesprocessed == 420);
3214  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.ctxbytesprocessed == 40);
3215  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitems == 16);
3216  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitemsleft == 8);
3217 
3218  FLOWLOCK_WRLOCK(&f);
3219  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3220  STREAM_TOSERVER, bind2, bind2_len);
3221  if (r != 0) {
3222  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3223  result = 0;
3224  FLOWLOCK_UNLOCK(&f);
3225  goto end;
3226  }
3227  FLOWLOCK_UNLOCK(&f);
3228 
3229  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3230  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.ctxbytesprocessed == 0);
3231  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitems == 16);
3232  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitemsleft == 0);
3233 
3234 end:
3235  if (alp_tctx != NULL)
3236  AppLayerParserThreadCtxFree(alp_tctx);
3238  FLOW_DESTROY(&f);
3239  return result;
3240 }
3241 
3242 /**
3243  * \test DCERPC fragmented bind PDU(one PDU which is frag'ed).
3244  */
3245 static int DCERPCParserTest07(void)
3246 {
3247  uint8_t request1[] = {
3248  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3249  0x2C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3250  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
3251  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3252  0x09, 0x0A, 0x0B, 0x0C
3253  };
3254  uint32_t request1_len = sizeof(request1);
3255 
3256  uint8_t request2[] = {
3257  0x0D, 0x0E
3258  };
3259  uint32_t request2_len = sizeof(request2);
3260 
3261  uint8_t request3[] = {
3262  0x0F, 0x10, 0x11, 0x12, 0x13, 0x14
3263  };
3264  uint32_t request3_len = sizeof(request3);
3265 
3266  Flow f;
3267  int r = 0;
3268  TcpSession ssn;
3270  memset(&f, 0, sizeof(f));
3271  memset(&ssn, 0, sizeof(ssn));
3272  FLOW_INITIALIZE(&f);
3273  f.protoctx = (void *)&ssn;
3274  f.proto = IPPROTO_TCP;
3275  f.alproto = ALPROTO_DCERPC;
3277 
3278  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3279  STREAM_TOSERVER | STREAM_START, request1,
3280  request1_len);
3281  FAIL_IF(r != 0);
3282 
3283  DCERPCState *dcerpc_state = f.alstate;
3284  FAIL_IF_NULL(dcerpc_state);
3285 
3286  FAIL_IF_NOT(dcerpc_state->dcerpc.bytesprocessed == 36);
3287  FAIL_IF_NOT(dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL);
3289 
3290  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3291  STREAM_TOSERVER, request2, request2_len);
3292  FAIL_IF(r != 0);
3293 
3294  FAIL_IF_NOT(dcerpc_state->dcerpc.bytesprocessed == 38);
3295  FAIL_IF_NOT(dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL);
3297 
3298  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3299  STREAM_TOSERVER, request3, request3_len);
3300  FAIL_IF(r != 0);
3301 
3302  FAIL_IF_NOT(dcerpc_state->dcerpc.bytesprocessed == 0);
3303  FAIL_IF_NOT(dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL);
3305 
3306  AppLayerParserThreadCtxFree(alp_tctx);
3308  FLOW_DESTROY(&f);
3309  PASS;
3310 }
3311 
3312 /**
3313  * \test DCERPC fragmented bind PDU(one PDU which is frag'ed).
3314  */
3315 static int DCERPCParserTest08(void)
3316 {
3317  int result = 1;
3318  Flow f;
3319  int r = 0;
3320  uint8_t request[] = {
3321  0x05, 0x02, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3322  0x2C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3323  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
3324  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3325  0x09, 0x0A, 0x0B, 0x0C,
3326  };
3327  uint32_t request_len = sizeof(request);
3328 
3329  TcpSession ssn;
3331 
3332  memset(&f, 0, sizeof(f));
3333  memset(&ssn, 0, sizeof(ssn));
3334 
3335  FLOW_INITIALIZE(&f);
3336  f.protoctx = (void *)&ssn;
3337  f.proto = IPPROTO_TCP;
3338  f.alproto = ALPROTO_DCERPC;
3339 
3341 
3342  FLOWLOCK_WRLOCK(&f);
3343  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3344  STREAM_TOSERVER | STREAM_START, request,
3345  request_len);
3346  if (r != 0) {
3347  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3348  result = 0;
3349  FLOWLOCK_UNLOCK(&f);
3350  goto end;
3351  }
3352  FLOWLOCK_UNLOCK(&f);
3353 
3354  DCERPCState *dcerpc_state = f.alstate;
3355  if (dcerpc_state == NULL) {
3356  printf("no dcerpc state: ");
3357  result = 0;
3358  goto end;
3359  }
3360 
3361  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3362  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL &&
3363  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 0);
3364 
3365 end:
3366  if (alp_tctx != NULL)
3367  AppLayerParserThreadCtxFree(alp_tctx);
3369  FLOW_DESTROY(&f);
3370  return result;
3371 }
3372 
3373 /**
3374  * \test DCERPC fragmented bind PDU(one PDU which is frag'ed).
3375  */
3376 static int DCERPCParserTest09(void)
3377 {
3378  int result = 1;
3379  Flow f;
3380  int r = 0;
3381  uint8_t request[] = {
3382  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3383  0x2C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3384  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
3385  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3386  0x09, 0x0A, 0x0B, 0x0C,
3387  };
3388  uint32_t request_len = sizeof(request);
3389 
3390  TcpSession ssn;
3392 
3393  memset(&f, 0, sizeof(f));
3394  memset(&ssn, 0, sizeof(ssn));
3395 
3396  FLOW_INITIALIZE(&f);
3397  f.protoctx = (void *)&ssn;
3398  f.proto = IPPROTO_TCP;
3399  f.alproto = ALPROTO_DCERPC;
3400 
3402 
3403  FLOWLOCK_WRLOCK(&f);
3404  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3405  STREAM_TOSERVER | STREAM_START, request,
3406  request_len);
3407  if (r != 0) {
3408  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3409  result = 0;
3410  FLOWLOCK_UNLOCK(&f);
3411  goto end;
3412  }
3413  FLOWLOCK_UNLOCK(&f);
3414 
3415  DCERPCState *dcerpc_state = f.alstate;
3416  if (dcerpc_state == NULL) {
3417  printf("no dcerpc state: ");
3418  result = 0;
3419  goto end;
3420  }
3421 
3422  result &= (dcerpc_state->dcerpc.bytesprocessed == 36);
3423  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
3424  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 12);
3425 
3426 end:
3427  if (alp_tctx != NULL)
3428  AppLayerParserThreadCtxFree(alp_tctx);
3430  FLOW_DESTROY(&f);
3431  return result;
3432 }
3433 
3434 /**
3435  * \test DCERPC fragmented PDU.
3436  */
3437 static int DCERPCParserTest10(void)
3438 {
3439  int result = 1;
3440  Flow f;
3441  int r = 0;
3442 
3443  uint8_t fault[] = {
3444  0x05, 0x00, 0x03, 0x03, 0x10, 0x00, 0x00, 0x00,
3445  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3446  0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00,
3447  0xf7, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
3448  };
3449  uint32_t fault_len = sizeof(fault);
3450 
3451  uint8_t request1[] = {
3452  0x05, 0x00
3453  };
3454  uint32_t request1_len = sizeof(request1);
3455 
3456  uint8_t request2[] = {
3457  0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x24, 0x00,
3458  0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0c, 0x00,
3459  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02,
3460  0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
3461  0x0B, 0x0C
3462  };
3463  uint32_t request2_len = sizeof(request2);
3464 
3465  TcpSession ssn;
3467 
3468  memset(&f, 0, sizeof(f));
3469  memset(&ssn, 0, sizeof(ssn));
3470 
3471  FLOW_INITIALIZE(&f);
3472  f.protoctx = (void *)&ssn;
3473  f.proto = IPPROTO_TCP;
3474  f.alproto = ALPROTO_DCERPC;
3475 
3477 
3478  FLOWLOCK_WRLOCK(&f);
3479  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3480  STREAM_TOSERVER | STREAM_START, fault, fault_len);
3481  if (r != 0) {
3482  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3483  result = 0;
3484  FLOWLOCK_UNLOCK(&f);
3485  goto end;
3486  }
3487  FLOWLOCK_UNLOCK(&f);
3488 
3489  DCERPCState *dcerpc_state = f.alstate;
3490  if (dcerpc_state == NULL) {
3491  printf("no dcerpc state: ");
3492  result = 0;
3493  goto end;
3494  }
3495 
3496  FLOWLOCK_WRLOCK(&f);
3497  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3498  STREAM_TOSERVER, request1, request1_len);
3499  if (r != 0) {
3500  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3501  result = 0;
3502  FLOWLOCK_UNLOCK(&f);
3503  goto end;
3504  }
3505  FLOWLOCK_UNLOCK(&f);
3506 
3507  result &= (dcerpc_state->dcerpc.bytesprocessed == 2);
3508  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL);
3509 
3510  FLOWLOCK_WRLOCK(&f);
3511  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3512  STREAM_TOSERVER, request2, request2_len);
3513  if (r != 0) {
3514  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3515  result = 0;
3516  FLOWLOCK_UNLOCK(&f);
3517  goto end;
3518  }
3519  FLOWLOCK_UNLOCK(&f);
3520 
3521  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3522  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
3523  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 12);
3524 
3525 end:
3526  if (alp_tctx != NULL)
3527  AppLayerParserThreadCtxFree(alp_tctx);
3529  FLOW_DESTROY(&f);
3530  return result;
3531 }
3532 
3533 /**
3534  * \test DCERPC fragmented PDU.
3535  */
3536 static int DCERPCParserTest11(void)
3537 {
3538  int result = 1;
3539  Flow f;
3540  int r = 0;
3541 
3542  uint8_t request1[] = {
3543  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3544  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3545  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
3546  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3547  0x09, 0x0A, 0x0B, 0x0C
3548  };
3549  uint32_t request1_len = sizeof(request1);
3550 
3551  uint8_t request2[] = {
3552  0x05, 0x00
3553  };
3554  uint32_t request2_len = sizeof(request2);
3555 
3556  uint8_t request3[] = {
3557  0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x26, 0x00,
3558  0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0c, 0x00,
3559  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02,
3560  0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
3561  0x0B, 0x0C, 0xFF, 0xFF
3562  };
3563  uint32_t request3_len = sizeof(request3);
3564 
3565  TcpSession ssn;
3567 
3568  memset(&f, 0, sizeof(f));
3569  memset(&ssn, 0, sizeof(ssn));
3570 
3571  FLOW_INITIALIZE(&f);
3572  f.protoctx = (void *)&ssn;
3573  f.proto = IPPROTO_TCP;
3574  f.alproto = ALPROTO_DCERPC;
3575 
3577 
3578  FLOWLOCK_WRLOCK(&f);
3579  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3580  STREAM_TOSERVER, request1, request1_len);
3581  if (r != 0) {
3582  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3583  result = 0;
3584  FLOWLOCK_UNLOCK(&f);
3585  goto end;
3586  }
3587  FLOWLOCK_UNLOCK(&f);
3588 
3589  DCERPCState *dcerpc_state = f.alstate;
3590  if (dcerpc_state == NULL) {
3591  printf("no dcerpc state: ");
3592  result = 0;
3593  goto end;
3594  }
3595 
3596  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3597  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
3598  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 12);
3599 
3600  FLOWLOCK_WRLOCK(&f);
3601  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3602  STREAM_TOSERVER, request2, request2_len);
3603  if (r != 0) {
3604  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3605  result = 0;
3606  FLOWLOCK_UNLOCK(&f);
3607  goto end;
3608  }
3609  FLOWLOCK_UNLOCK(&f);
3610 
3611  result &= (dcerpc_state->dcerpc.bytesprocessed == 2);
3612 
3613  FLOWLOCK_WRLOCK(&f);
3614  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3615  STREAM_TOSERVER, request3, request3_len);
3616  if (r != 0) {
3617  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3618  result = 0;
3619  FLOWLOCK_UNLOCK(&f);
3620  goto end;
3621  }
3622  FLOWLOCK_UNLOCK(&f);
3623 
3624  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3625  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
3626  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 14);
3627 
3628 end:
3629  if (alp_tctx != NULL)
3630  AppLayerParserThreadCtxFree(alp_tctx);
3632  FLOW_DESTROY(&f);
3633  return result;
3634 }
3635 
3636 /**
3637  * \test DCERPC fragmented PDU.
3638  */
3639 static int DCERPCParserTest12(void)
3640 {
3641  int result = 1;
3642  Flow f;
3643  int r = 0;
3644 
3645  uint8_t bind_ack1[] = {
3646  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
3647  0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3648  0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00,
3649  };
3650  uint32_t bind_ack1_len = sizeof(bind_ack1);
3651 
3652  uint8_t bind_ack2[] = {
3653  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
3654  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
3655  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3656  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3657  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3658  0x02, 0x00, 0x00, 0x00
3659  };
3660  uint32_t bind_ack2_len = sizeof(bind_ack2);
3661 
3662  TcpSession ssn;
3664 
3665  memset(&f, 0, sizeof(f));
3666  memset(&ssn, 0, sizeof(ssn));
3667 
3668  FLOW_INITIALIZE(&f);
3669  f.protoctx = (void *)&ssn;
3670  f.proto = IPPROTO_TCP;
3671  f.alproto = ALPROTO_DCERPC;
3672 
3674 
3675  FLOWLOCK_WRLOCK(&f);
3676  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3677  STREAM_TOCLIENT, bind_ack1, bind_ack1_len);
3678  if (r != 0) {
3679  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3680  result = 0;
3681  FLOWLOCK_UNLOCK(&f);
3682  goto end;
3683  }
3684  FLOWLOCK_UNLOCK(&f);
3685 
3686  DCERPCState *dcerpc_state = f.alstate;
3687  if (dcerpc_state == NULL) {
3688  printf("no dcerpc state: ");
3689  result = 0;
3690  goto end;
3691  }
3692 
3693  result &= (dcerpc_state->dcerpc.bytesprocessed == 24);
3694 
3695  FLOWLOCK_WRLOCK(&f);
3696  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3697  STREAM_TOCLIENT, bind_ack2, bind_ack2_len);
3698  if (r != 0) {
3699  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3700  result = 0;
3701  FLOWLOCK_UNLOCK(&f);
3702  goto end;
3703  }
3704  FLOWLOCK_UNLOCK(&f);
3705 
3706  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3707 
3708 end:
3709  if (alp_tctx != NULL)
3710  AppLayerParserThreadCtxFree(alp_tctx);
3712  FLOW_DESTROY(&f);
3713  return result;
3714 }
3715 
3716 /**
3717  * \test Check if the parser accepts bind pdus that have context ids starting
3718  * from a non-zero value.
3719  */
3720 static int DCERPCParserTest13(void)
3721 {
3722  int result = 1;
3723  Flow f;
3724  int r = 0;
3725 
3726  uint8_t bindbuf[] = {
3727  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
3728  0x48, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00,
3729  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3730  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
3731  0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3732  0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
3733  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3734  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3735  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
3736  };
3737  uint32_t bindbuf_len = sizeof(bindbuf);
3738 
3739  TcpSession ssn;
3741 
3742  memset(&f, 0, sizeof(f));
3743  memset(&ssn, 0, sizeof(ssn));
3744 
3745  FLOW_INITIALIZE(&f);
3746  f.protoctx = (void *)&ssn;
3747  f.proto = IPPROTO_TCP;
3748  f.alproto = ALPROTO_DCERPC;
3749 
3751 
3752  FLOWLOCK_WRLOCK(&f);
3753  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3754  STREAM_TOSERVER, bindbuf, bindbuf_len);
3755  if (r != 0) {
3756  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3757  result = 0;
3758  FLOWLOCK_UNLOCK(&f);
3759  goto end;
3760  }
3761  FLOWLOCK_UNLOCK(&f);
3762 
3763  DCERPCState *dcerpc_state = f.alstate;
3764  if (dcerpc_state == NULL) {
3765  printf("no dcerpc state: ");
3766  result = 0;
3767  goto end;
3768  }
3769 
3770  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3771  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitems == 1);
3772  if (result == 0)
3773  goto end;
3774 
3775  result = 0;
3776  uint8_t ctx_uuid_from_pcap[16] = {
3777  0x00, 0x00, 0x01, 0xa0, 0x00, 0x00, 0x00, 0x00,
3778  0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46};
3779  DCERPCUuidEntry *item = NULL;
3780  int internal_id = 0;
3781  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
3782  int i = 0;
3783  /* check the interface uuid */
3784  for (i = 0; i < 16; i++) {
3785  if (ctx_uuid_from_pcap[i] != item->uuid[i]) {
3786  result = 0;
3787  goto end;
3788  }
3789  }
3790  result = 1;
3791  result &= (item->internal_id == internal_id++);
3792  }
3793 
3794 end:
3795  if (alp_tctx != NULL)
3796  AppLayerParserThreadCtxFree(alp_tctx);
3798  FLOW_DESTROY(&f);
3799  return result;
3800 }
3801 
3802 /**
3803  * \test Check for another endless loop with bind pdus.
3804  */
3805 static int DCERPCParserTest14(void)
3806 {
3807  int result = 1;
3808  Flow f;
3809  int r = 0;
3810 
3811  uint8_t bindbuf[] = {
3812  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
3813  0x4A, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00,
3814  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3815  0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
3816  0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3817  0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
3818  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3819  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3820  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3821  0x02, 0x00, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3822  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3823  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3824  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3825  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3826  0x01, 0x02, 0x03, 0x04, 0xFF /* ka boom - endless loop */
3827  };
3828  uint32_t bindbuf_len = sizeof(bindbuf);
3829 
3830  TcpSession ssn;
3832 
3833  memset(&f, 0, sizeof(f));
3834  memset(&ssn, 0, sizeof(ssn));
3835 
3836  FLOW_INITIALIZE(&f);
3837  f.protoctx = (void *)&ssn;
3838  f.proto = IPPROTO_TCP;
3839  f.alproto = ALPROTO_DCERPC;
3840 
3842 
3843  FLOWLOCK_WRLOCK(&f);
3844  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3845  STREAM_TOSERVER, bindbuf, bindbuf_len);
3846  if (r != 0) {
3847  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3848  result = 0;
3849  FLOWLOCK_UNLOCK(&f);
3850  goto end;
3851  }
3852  FLOWLOCK_UNLOCK(&f);
3853 
3854  DCERPCState *dcerpc_state = f.alstate;
3855  if (dcerpc_state == NULL) {
3856  printf("no dcerpc state: ");
3857  result = 0;
3858  goto end;
3859  }
3860 
3861 end:
3862  if (alp_tctx != NULL)
3863  AppLayerParserThreadCtxFree(alp_tctx);
3865  FLOW_DESTROY(&f);
3866  return result;
3867 }
3868 
3869 /**
3870  * \test Check for another endless loop for bind_ack pdus.
3871  */
3872 static int DCERPCParserTest15(void)
3873 {
3874  int result = 1;
3875  Flow f;
3876  int r = 0;
3877 
3878  uint8_t bind_ack[] = {
3879  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
3880  0x3e, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00,
3881  0xd0, 0x16, 0xd0, 0x16, 0xfd, 0x04, 0x01, 0x00,
3882  0x04, 0x00, 0x31, 0x33, 0x35, 0x00, 0x00, 0x00,
3883  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3884  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3885  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3886  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3887  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3888  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3889  0x01, 0x02, 0x03, 0x04, 0xFF
3890  };
3891  uint32_t bind_ack_len = sizeof(bind_ack);
3892 
3893  TcpSession ssn;
3895 
3896  memset(&f, 0, sizeof(f));
3897  memset(&ssn, 0, sizeof(ssn));
3898 
3899  FLOW_INITIALIZE(&f);
3900  f.protoctx = (void *)&ssn;
3901  f.proto = IPPROTO_TCP;
3902  f.alproto = ALPROTO_DCERPC;
3903 
3905 
3906  FLOWLOCK_WRLOCK(&f);
3907  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3908  STREAM_TOCLIENT, bind_ack, bind_ack_len);
3909  if (r != 0) {
3910  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3911  result = 0;
3912  FLOWLOCK_UNLOCK(&f);
3913  goto end;
3914  }
3915  FLOWLOCK_UNLOCK(&f);
3916 
3917  DCERPCState *dcerpc_state = f.alstate;
3918  if (dcerpc_state == NULL) {
3919  printf("no dcerpc state: ");
3920  result = 0;
3921  goto end;
3922  }
3923 
3924 end:
3925  if (alp_tctx != NULL)
3926  AppLayerParserThreadCtxFree(alp_tctx);
3928  FLOW_DESTROY(&f);
3929  return result;
3930 }
3931 
3932 /**
3933  * \test Check for correct internal ids for bind_acks.
3934  */
3935 static int DCERPCParserTest16(void)
3936 {
3937  int result = 1;
3938  Flow f;
3939  int r = 0;
3940 
3941  uint8_t bind1[] = {
3942  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
3943  0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3944  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3945  0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
3946  0x50, 0x08, 0x43, 0x95, 0x43, 0x5a, 0x8b, 0xb2,
3947  0xf4, 0xc5, 0xb9, 0xee, 0x67, 0x55, 0x7c, 0x19,
3948  0x00, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3949  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3950  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3951  0x01, 0x00, 0x01, 0x00, 0xda, 0xc2, 0xbc, 0x9b,
3952  0x35, 0x2e, 0xd4, 0xc9, 0x1f, 0x85, 0x01, 0xe6,
3953  0x4e, 0x5a, 0x5e, 0xd4, 0x04, 0x00, 0x03, 0x00,
3954  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3955  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3956  0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
3957  0xb2, 0x97, 0xcc, 0x14, 0x6f, 0x70, 0x0d, 0xa5,
3958  0x33, 0xd7, 0xf4, 0xe3, 0x8e, 0xb2, 0x2a, 0x1e,
3959  0x05, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3960  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3961  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3962  0x03, 0x00, 0x01, 0x00, 0x96, 0x4e, 0xa6, 0xf6,
3963  0xb2, 0x4b, 0xae, 0xb3, 0x21, 0xf4, 0x97, 0x7c,
3964  0xcd, 0xa7, 0x08, 0xb0, 0x00, 0x00, 0x00, 0x00,
3965  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3966  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3967  0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00,
3968  0xbc, 0xc0, 0xf7, 0x71, 0x3f, 0x71, 0x54, 0x44,
3969  0x22, 0xa8, 0x55, 0x0f, 0x98, 0x83, 0x1f, 0xfe,
3970  0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3971  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3972  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3973  0x05, 0x00, 0x01, 0x00, 0xbe, 0x52, 0xf2, 0x58,
3974  0x4a, 0xc3, 0xb5, 0xd0, 0xba, 0xac, 0xda, 0xf0,
3975  0x12, 0x99, 0x38, 0x6e, 0x04, 0x00, 0x02, 0x00,
3976  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3977  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3978  0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
3979  0xdb, 0xfa, 0x73, 0x01, 0xb3, 0x81, 0x01, 0xd4,
3980  0x7f, 0xa0, 0x36, 0xb1, 0x97, 0xae, 0x29, 0x7f,
3981  0x01, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3982  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3983  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3984  0x07, 0x00, 0x01, 0x00, 0x89, 0xbe, 0x41, 0x1d,
3985  0x38, 0x75, 0xf5, 0xb5, 0xad, 0x27, 0x73, 0xf1,
3986  0xb0, 0x7a, 0x28, 0x82, 0x05, 0x00, 0x02, 0x00,
3987  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3988  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3989  0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00,
3990  0xf6, 0x87, 0x09, 0x93, 0xb8, 0xa8, 0x20, 0xc4,
3991  0xb8, 0x63, 0xe6, 0x95, 0xed, 0x59, 0xee, 0x3f,
3992  0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3993  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3994  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3995  0x09, 0x00, 0x01, 0x00, 0x92, 0x77, 0x92, 0x68,
3996  0x3e, 0xa4, 0xbc, 0x3f, 0x44, 0x33, 0x0e, 0xb8,
3997  0x33, 0x0a, 0x2f, 0xdf, 0x01, 0x00, 0x02, 0x00,
3998  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3999  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4000  0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00,
4001  0xa1, 0x03, 0xd2, 0xa9, 0xd2, 0x16, 0xc9, 0x89,
4002  0x67, 0x18, 0x3e, 0xb1, 0xee, 0x6b, 0xf9, 0x18,
4003  0x02, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4004  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4005  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4006  0x0b, 0x00, 0x01, 0x00, 0x2f, 0x09, 0x5e, 0x74,
4007  0xec, 0xa0, 0xbb, 0xc1, 0x60, 0x18, 0xf1, 0x93,
4008  0x04, 0x17, 0x11, 0xf9, 0x01, 0x00, 0x03, 0x00,
4009  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4010  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4011  0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00,
4012  0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01,
4013  0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88,
4014  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4015  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4016  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
4017  };
4018  uint32_t bind1_len = sizeof(bind1);
4019 
4020  uint8_t bind_ack1[] = {
4021  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
4022  0x64, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4023  0xb8, 0x10, 0xb8, 0x10, 0xc1, 0x2b, 0x00, 0x00,
4024  0x0e, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
4025  0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x00,
4026  0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4027  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4028  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4029  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4030  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4031  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4032  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4033  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4034  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4035  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4036  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4037  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4038  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4039  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4040  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4041  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4042  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4043  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4044  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4045  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4046  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4047  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4048  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4049  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4050  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4051  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4052  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4053  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4054  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4055  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4056  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4057  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4058  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4059  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4060  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4061  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4062  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4063  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4064  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4065  0x02, 0x00, 0x00, 0x00
4066  };
4067  uint32_t bind_ack1_len = sizeof(bind_ack1);
4068 
4069  uint8_t bind2[] = {
4070  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
4071  0xdc, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4072  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
4073  0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
4074  0xc7, 0x70, 0x0d, 0x3e, 0x71, 0x37, 0x39, 0x0d,
4075  0x3a, 0x4f, 0xd3, 0xdc, 0xca, 0x49, 0xe8, 0xa3,
4076  0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4077  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4078  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4079  0x01, 0x00, 0x01, 0x00, 0x84, 0xb6, 0x55, 0x75,
4080  0xdb, 0x9e, 0xba, 0x54, 0x56, 0xd3, 0x45, 0x10,
4081  0xb7, 0x7a, 0x2a, 0xe2, 0x04, 0x00, 0x01, 0x00,
4082  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4083  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4084  0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4085  0x6e, 0x39, 0x21, 0x24, 0x70, 0x6f, 0x41, 0x57,
4086  0x54, 0x70, 0xb8, 0xc3, 0x5e, 0x89, 0x3b, 0x43,
4087  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4088  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4089  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4090  0x03, 0x00, 0x01, 0x00, 0x39, 0x6a, 0x86, 0x5d,
4091  0x24, 0x0f, 0xd2, 0xf7, 0xb6, 0xce, 0x95, 0x9c,
4092  0x54, 0x1d, 0x3a, 0xdb, 0x02, 0x00, 0x01, 0x00,
4093  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4094  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4095  0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00,
4096  0x12, 0xa5, 0xdd, 0xc5, 0x55, 0xce, 0xc3, 0x46,
4097  0xbd, 0xa0, 0x94, 0x39, 0x3c, 0x0d, 0x9b, 0x5b,
4098  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4099  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4100  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4101  0x05, 0x00, 0x01, 0x00, 0x87, 0x1c, 0x8b, 0x6e,
4102  0x11, 0xa8, 0x67, 0x98, 0xd4, 0x5d, 0xf6, 0x8a,
4103  0x2f, 0x33, 0x24, 0x7b, 0x05, 0x00, 0x03, 0x00,
4104  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4105  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4106  0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
4107  0x9b, 0x82, 0x13, 0xd1, 0x28, 0xe0, 0x63, 0xf3,
4108  0x62, 0xee, 0x76, 0x73, 0xf9, 0xac, 0x3d, 0x2e,
4109  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4110  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4111  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4112  0x07, 0x00, 0x01, 0x00, 0xa9, 0xd4, 0x73, 0xf2,
4113  0xed, 0xad, 0xe8, 0x82, 0xf8, 0xcf, 0x9d, 0x9f,
4114  0x66, 0xe6, 0x43, 0x37, 0x02, 0x00, 0x01, 0x00,
4115  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4116  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4117  0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00,
4118  0x06, 0x2b, 0x85, 0x38, 0x4f, 0x73, 0x96, 0xb1,
4119  0x73, 0xe1, 0x59, 0xbe, 0x9d, 0xe2, 0x6c, 0x07,
4120  0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4121  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4122  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4123  0x09, 0x00, 0x01, 0x00, 0xbf, 0xfa, 0xbb, 0xa4,
4124  0x9e, 0x5c, 0x80, 0x61, 0xb5, 0x8b, 0x79, 0x69,
4125  0xa6, 0x32, 0x88, 0x77, 0x01, 0x00, 0x01, 0x00,
4126  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4127  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4128  0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00,
4129  0x39, 0xa8, 0x2c, 0x39, 0x73, 0x50, 0x06, 0x8d,
4130  0xf2, 0x37, 0x1e, 0x1e, 0xa8, 0x8f, 0x46, 0x98,
4131  0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4132  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4133  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4134  0x0b, 0x00, 0x01, 0x00, 0x91, 0x13, 0xd0, 0xa7,
4135  0xef, 0xc4, 0xa7, 0x96, 0x0c, 0x4a, 0x0d, 0x29,
4136  0x80, 0xd3, 0xfe, 0xbf, 0x00, 0x00, 0x01, 0x00,
4137  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4138  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4139  0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00,
4140  0xcc, 0x2b, 0x55, 0x1d, 0xd4, 0xa4, 0x0d, 0xfb,
4141  0xcb, 0x6f, 0x86, 0x36, 0xa6, 0x57, 0xc3, 0x21,
4142  0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4143  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4144  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4145  0x0d, 0x00, 0x01, 0x00, 0x43, 0x7b, 0x07, 0xee,
4146  0x85, 0xa8, 0xb9, 0x3a, 0x0f, 0xf9, 0x83, 0x70,
4147  0xe6, 0x0b, 0x4f, 0x33, 0x02, 0x00, 0x02, 0x00,
4148  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4149  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4150  0x02, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x01, 0x00,
4151  0x9c, 0x6a, 0x15, 0x8c, 0xd6, 0x9c, 0xa6, 0xc3,
4152  0xb2, 0x9e, 0x62, 0x9f, 0x3d, 0x8e, 0x47, 0x73,
4153  0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4154  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4155  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4156  0x0f, 0x00, 0x01, 0x00, 0xc8, 0x4f, 0x32, 0x4b,
4157  0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47,
4158  0xbf, 0x6e, 0xe1, 0x88, 0x03, 0x00, 0x00, 0x00,
4159  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4160  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4161  0x02, 0x00, 0x00, 0x00
4162  };
4163  uint32_t bind2_len = sizeof(bind2);
4164 
4165  uint8_t bind_ack2[] = {
4166  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
4167  0xac, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4168  0xb8, 0x10, 0xb8, 0x10, 0xc2, 0x2b, 0x00, 0x00,
4169  0x0e, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
4170  0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x00,
4171  0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4172  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4173  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4174  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4175  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4176  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4177  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4178  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4179  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4180  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4181  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4182  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4183  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4184  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4185  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4186  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4187  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4188  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4189  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4190  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4191  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4192  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4193  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4194  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4195  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4196  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4197  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4198  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4199  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4200  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4201  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4202  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4203  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4204  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4205  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4206  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4207  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4208  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4209  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4210  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4211  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4212  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4213  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4214  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4215  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4216  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4217  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4218  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4219  0x02, 0x00, 0x00, 0x00
4220  };
4221  uint32_t bind_ack2_len = sizeof(bind_ack2);
4222 
4223  uint8_t bind3[] = {
4224  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
4225  0x2c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4226  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
4227  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
4228  0xa4, 0x7f, 0x8e, 0xc6, 0xef, 0x56, 0x9b, 0x63,
4229  0x92, 0xfa, 0x08, 0xb3, 0x35, 0xe2, 0xa5, 0x81,
4230  0x00, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4231  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4232  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4233  0x01, 0x00, 0x01, 0x00, 0x9f, 0xfc, 0x78, 0xd2,
4234  0x5f, 0x16, 0x0b, 0xbc, 0xc6, 0xdb, 0x5d, 0xef,
4235  0xde, 0x54, 0xa2, 0x6f, 0x04, 0x00, 0x01, 0x00,
4236  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4237  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4238  0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4239  0x78, 0xb8, 0x96, 0xc7, 0x2f, 0xda, 0x11, 0x6b,
4240  0xd1, 0x28, 0x68, 0xe1, 0xd6, 0x71, 0xac, 0x9d,
4241  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4242  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4243  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4244  0x03, 0x00, 0x01, 0x00, 0xcf, 0xf4, 0xd7, 0x37,
4245  0x03, 0xda, 0xcc, 0xe3, 0x3e, 0x34, 0x7f, 0x67,
4246  0x99, 0x91, 0x41, 0x3d, 0x01, 0x00, 0x02, 0x00,
4247  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4248  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4249  0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00,
4250  0x48, 0xeb, 0x32, 0xf0, 0x27, 0xd5, 0x9d, 0xd0,
4251  0x1e, 0xc6, 0x48, 0x46, 0x97, 0xe9, 0xdb, 0x09,
4252  0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4253  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4254  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4255  0x05, 0x00, 0x01, 0x00, 0x82, 0xec, 0x0d, 0x08,
4256  0xf2, 0x8f, 0x22, 0x57, 0x42, 0x9b, 0xce, 0xa8,
4257  0x74, 0x16, 0xc6, 0xec, 0x00, 0x00, 0x01, 0x00,
4258  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4259  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4260  0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
4261  0x2e, 0x00, 0x70, 0x44, 0xee, 0xc9, 0x30, 0x6b,
4262  0xf4, 0x34, 0x1e, 0x3d, 0x35, 0x0f, 0xf7, 0xf7,
4263  0x00, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4264  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4265  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4266  0x07, 0x00, 0x01, 0x00, 0x59, 0x04, 0x39, 0x3f,
4267  0x59, 0x87, 0x14, 0x0e, 0x76, 0x8d, 0x17, 0xc2,
4268  0x47, 0xfa, 0x67, 0x7f, 0x04, 0x00, 0x02, 0x00,
4269  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4270  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4271  0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00,
4272  0x30, 0xd6, 0xed, 0x2e, 0x57, 0xfa, 0xf4, 0x72,
4273  0x6c, 0x10, 0x0d, 0xe5, 0x51, 0x7f, 0xd0, 0x39,
4274  0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4275  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4276  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4277  0x09, 0x00, 0x01, 0x00, 0xea, 0x8b, 0x84, 0x4d,
4278  0x44, 0x43, 0xc1, 0x94, 0x75, 0xe2, 0x81, 0x48,
4279  0xd8, 0x77, 0xd9, 0xce, 0x05, 0x00, 0x00, 0x00,
4280  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4281  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4282  0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00,
4283  0x89, 0x4f, 0xe7, 0x95, 0xa3, 0xc1, 0x62, 0x36,
4284  0x26, 0x9e, 0x67, 0xdb, 0x2c, 0x52, 0x89, 0xd3,
4285  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4286  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4287  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4288  0x0b, 0x00, 0x01, 0x00, 0x78, 0x56, 0x34, 0x12,
4289  0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23,
4290  0x45, 0x67, 0x89, 0xab, 0x01, 0x00, 0x00, 0x00,
4291  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4292  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4293  0x02, 0x00, 0x00, 0x00
4294  };
4295  uint32_t bind3_len = sizeof(bind3);
4296 
4297  uint8_t bind_ack3[] = {
4298  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
4299  0x4c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4300  0xb8, 0x10, 0xb8, 0x10, 0x1a, 0x33, 0x00, 0x00,
4301  0x0e, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
4302  0x73, 0x70, 0x6f, 0x6f, 0x6c, 0x73, 0x73, 0x00,
4303  0x0c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4304  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4305  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4306  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4307  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4308  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4309  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4310  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4311  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4312  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4313  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4314  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4315  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4316  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4317  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4318  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4319  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4320  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4321  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4322  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4323  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4324  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4325  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4326  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4327  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4328  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4329  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4330  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4331  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4332  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4333  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4334  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4335  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4336  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4337  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4338  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4339  0x02, 0x00, 0x00, 0x00
4340  };
4341  uint32_t bind_ack3_len = sizeof(bind_ack3);
4342 
4343  TcpSession ssn;
4344  DCERPCUuidEntry *item = NULL;
4345  int count = 0;
4347 
4348  uint8_t accepted_uuids[3][16] = {
4349  {0x4b, 0x32, 0x4f, 0xc8, 0x16, 0x70, 0x01, 0xd3,
4350  0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88},
4351  {0x4b, 0x32, 0x4f, 0xc8, 0x16, 0x70, 0x01, 0xd3,
4352  0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88},
4353  {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0xab, 0xcd,
4354  0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab}
4355  };
4356 
4357  uint16_t accepted_ctxids[3] = {12, 15, 11};
4358 
4359  memset(&f, 0, sizeof(f));
4360  memset(&ssn, 0, sizeof(ssn));
4361 
4362  FLOW_INITIALIZE(&f);
4363  f.protoctx = (void *)&ssn;
4364  f.proto = IPPROTO_TCP;
4365  f.alproto = ALPROTO_DCERPC;
4366 
4368 
4369  FLOWLOCK_WRLOCK(&f);
4370  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4371  STREAM_TOSERVER, bind1, bind1_len);
4372  if (r != 0) {
4373  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4374  result = 0;
4375  FLOWLOCK_UNLOCK(&f);
4376  goto end;
4377  }
4378  FLOWLOCK_UNLOCK(&f);
4379 
4380  DCERPCState *dcerpc_state = f.alstate;
4381  if (dcerpc_state == NULL) {
4382  printf("no dcerpc state: ");
4383  result = 0;
4384  goto end;
4385  }
4386 
4387  FLOWLOCK_WRLOCK(&f);
4388  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4389  STREAM_TOCLIENT, bind_ack1, bind_ack1_len);
4390  if (r != 0) {
4391  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4392  result = 0;
4393  FLOWLOCK_UNLOCK(&f);
4394  goto end;
4395  }
4396  FLOWLOCK_UNLOCK(&f);
4397 
4398  count = 0;
4400  int i = 0;
4401  /* check the interface uuid */
4402  for (i = 0; i < 16; i++) {
4403  if (accepted_uuids[0][i] != item->uuid[i]) {
4404  result = 0;
4405  goto end;
4406  }
4407  }
4408  if (accepted_ctxids[0] != item->ctxid) {
4409  result = 0;
4410  goto end;
4411  }
4412  count++;
4413  }
4414  if (count != 1) {
4415  result = 0;
4416  goto end;
4417  }
4418 
4419  FLOWLOCK_WRLOCK(&f);
4420  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4421  STREAM_TOSERVER, bind2, bind2_len);
4422  if (r != 0) {
4423  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4424  result = 0;
4425  FLOWLOCK_UNLOCK(&f);
4426  goto end;
4427  }
4428  FLOWLOCK_UNLOCK(&f);
4429 
4430  count = 0;
4432  count++;
4433  }
4434  if (count != 0) {
4435  result = 0;
4436  goto end;
4437  }
4438 
4439  FLOWLOCK_WRLOCK(&f);
4440  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4441  STREAM_TOCLIENT, bind_ack2, bind_ack2_len);
4442  if (r != 0) {
4443  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4444  result = 0;
4445  FLOWLOCK_UNLOCK(&f);
4446  goto end;
4447  }
4448  FLOWLOCK_UNLOCK(&f);
4449 
4450  count = 0;
4452  int i = 0;
4453  /* check the interface uuid */
4454  for (i = 0; i < 16; i++) {
4455  if (accepted_uuids[1][i] != item->uuid[i]) {
4456  result = 0;
4457  goto end;
4458  }
4459  }
4460  if (accepted_ctxids[1] != item->ctxid) {
4461  result = 0;
4462  goto end;
4463  }
4464  count++;
4465  }
4466  if (count != 1) {
4467  result = 0;
4468  goto end;
4469  }
4470 
4471  FLOWLOCK_WRLOCK(&f);
4472  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4473  STREAM_TOSERVER, bind3, bind3_len);
4474  if (r != 0) {
4475  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4476  result = 0;
4477  FLOWLOCK_UNLOCK(&f);
4478  goto end;
4479  }
4480  FLOWLOCK_UNLOCK(&f);
4481 
4482  count = 0;
4484  count++;
4485  }
4486  if (count != 0) {
4487  result = 0;
4488  goto end;
4489  }
4490 
4491  FLOWLOCK_WRLOCK(&f);
4492  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4493  STREAM_TOCLIENT, bind_ack3, bind_ack3_len);
4494  if (r != 0) {
4495  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4496  result = 0;
4497  FLOWLOCK_UNLOCK(&f);
4498  goto end;
4499  }
4500  FLOWLOCK_UNLOCK(&f);
4501 
4502  count = 0;
4504  int i = 0;
4505  /* check the interface uuid */
4506  for (i = 0; i < 16; i++) {
4507  if (accepted_uuids[2][i] != item->uuid[i]) {
4508  result = 0;
4509  goto end;
4510  }
4511  }
4512  if (accepted_ctxids[2] != item->ctxid) {
4513  result = 0;
4514  goto end;
4515  }
4516  count++;
4517  }
4518  if (count != 1) {
4519  result = 0;
4520  goto end;
4521  }
4522 
4523 end:
4524  if (alp_tctx != NULL)
4525  AppLayerParserThreadCtxFree(alp_tctx);
4527  FLOW_DESTROY(&f);
4528  return result;
4529 }
4530 
4531 
4532 /**
4533  * \test Check for correct internal ids for bind_acks + alter_contexts
4534  */
4535 static int DCERPCParserTest17(void)
4536 {
4537  int result = 1;
4538  Flow f;
4539  int r = 0;
4540 
4541  uint8_t bindbuf[] = {
4542  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
4543  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4544  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
4545  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
4546  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
4547  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
4548  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4549  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4550  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
4551  };
4552  uint32_t bindbuf_len = sizeof(bindbuf);
4553 
4554  uint8_t bind_ack[] = {
4555  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
4556  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4557  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
4558  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
4559  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
4560  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4561  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4562  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4563  0x02, 0x00, 0x00, 0x00
4564  };
4565  uint32_t bind_ack_len = sizeof(bind_ack);
4566 
4567  uint8_t alter_context[] = {
4568  0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00,
4569  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4570  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
4571  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
4572  0xd0, 0x4c, 0x67, 0x57, 0x00, 0x52, 0xce, 0x11,
4573  0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
4574  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4575  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4576  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
4577  };
4578  uint32_t alter_context_len = sizeof(alter_context);
4579 
4580  uint8_t alter_context_resp[] = {
4581  0x05, 0x00, 0x0f, 0x03, 0x10, 0x00, 0x00, 0x00,
4582  0x38, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4583  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
4584  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
4585  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4586  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4587  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
4588  };
4589  uint32_t alter_context_resp_len = sizeof(alter_context_resp);
4590 
4591 
4592  TcpSession ssn;
4593  DCERPCUuidEntry *item = NULL;
4594  int count = 0;
4596 
4597  uint8_t accepted_uuids[2][16] = {
4598  {0x57, 0x67, 0x4c, 0xd0, 0x52, 0x00, 0x11, 0xce,
4599  0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d},
4600  {0x34, 0x2c, 0xfd, 0x40, 0x3c, 0x6c, 0x11, 0xce,
4601  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d},
4602  };
4603 
4604  uint16_t accepted_ctxids[2] = {1, 0};
4605 
4606  memset(&f, 0, sizeof(f));
4607  memset(&ssn, 0, sizeof(ssn));
4608 
4609  FLOW_INITIALIZE(&f);
4610  f.protoctx = (void *)&ssn;
4611  f.proto = IPPROTO_TCP;
4612  f.alproto = ALPROTO_DCERPC;
4613 
4615 
4616  FLOWLOCK_WRLOCK(&f);
4617  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4618  STREAM_TOSERVER, bindbuf, bindbuf_len);
4619  if (r != 0) {
4620  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4621  result = 0;
4622  FLOWLOCK_UNLOCK(&f);
4623  goto end;
4624  }
4625  FLOWLOCK_UNLOCK(&f);
4626 
4627  DCERPCState *dcerpc_state = f.alstate;
4628  if (dcerpc_state == NULL) {
4629  printf("no dcerpc state: ");
4630  result = 0;
4631  goto end;
4632  }
4633 
4634  FLOWLOCK_WRLOCK(&f);
4635  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4636  STREAM_TOCLIENT, bind_ack, bind_ack_len);
4637  if (r != 0) {
4638  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4639  result = 0;
4640  FLOWLOCK_UNLOCK(&f);
4641  goto end;
4642  }
4643  FLOWLOCK_UNLOCK(&f);
4644 
4645  count = 0;
4647  int i = 0;
4648  /* check the interface uuid */
4649  for (i = 0; i < 16; i++) {
4650  if (accepted_uuids[1][i] != item->uuid[i]) {
4651  result = 0;
4652  goto end;
4653  }
4654  }
4655  if (accepted_ctxids[1] != item->ctxid) {
4656  result = 0;
4657  goto end;
4658  }
4659  count++;
4660  }
4661  if (count != 1) {
4662  result = 0;
4663  goto end;
4664  }
4665 
4666  FLOWLOCK_WRLOCK(&f);
4667  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4668  STREAM_TOSERVER, alter_context, alter_context_len);
4669  if (r != 0) {
4670  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4671  result = 0;
4672  FLOWLOCK_UNLOCK(&f);
4673  goto end;
4674  }
4675  FLOWLOCK_UNLOCK(&f);
4676 
4677  count = 0;
4679  count++;
4680  }
4681  if (count != 1) {
4682  result = 0;
4683  goto end;
4684  }
4685 
4686  FLOWLOCK_WRLOCK(&f);
4687  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4688  STREAM_TOCLIENT, alter_context_resp,
4689  alter_context_resp_len);
4690  if (r != 0) {
4691  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4692  result = 0;
4693  FLOWLOCK_UNLOCK(&f);
4694  goto end;
4695  }
4696  FLOWLOCK_UNLOCK(&f);
4697 
4698  count = 0;
4700  int i = 0;
4701  /* check the interface uuid */
4702  for (i = 0; i < 16; i++) {
4703  if (accepted_uuids[count][i] != item->uuid[i]) {
4704  result = 0;
4705  goto end;
4706  }
4707  }
4708  if (accepted_ctxids[count] != item->ctxid) {
4709  result = 0;
4710  goto end;
4711  }
4712  count++;
4713  }
4714  if (count != 2) {
4715  result = 0;
4716  goto end;
4717  }
4718 
4719 end:
4720  if (alp_tctx != NULL)
4721  AppLayerParserThreadCtxFree(alp_tctx);
4723  FLOW_DESTROY(&f);
4724  return result;
4725 }
4726 
4727 /**
4728  * \test DCERPC fragmented PDU.
4729  */
4730 static int DCERPCParserTest18(void)
4731 {
4732  int result = 1;
4733  Flow f;
4734  int r = 0;
4735 
4736  uint8_t request1[] = {
4737  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
4738  0x26, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4739  0x0c, 0x00,
4740  };
4741  uint32_t request1_len = sizeof(request1);
4742 
4743  uint8_t request2[] = {
4744  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02,
4745  0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
4746  0x0B, 0x0C, 0xFF, 0xFF
4747  };
4748  uint32_t request2_len = sizeof(request2);
4749 
4750  TcpSession ssn;
4752 
4753  memset(&f, 0, sizeof(f));
4754  memset(&ssn, 0, sizeof(ssn));
4755 
4756  FLOW_INITIALIZE(&f);
4757  f.protoctx = (void *)&ssn;
4758  f.proto = IPPROTO_TCP;
4759  f.alproto = ALPROTO_DCERPC;
4760 
4762 
4763  FLOWLOCK_WRLOCK(&f);
4764  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4765  STREAM_TOSERVER, request1, request1_len);
4766  if (r != 0) {
4767  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4768  result = 0;
4769  FLOWLOCK_UNLOCK(&f);
4770  goto end;
4771  }
4772  FLOWLOCK_UNLOCK(&f);
4773 
4774  DCERPCState *dcerpc_state = f.alstate;
4775  if (dcerpc_state == NULL) {
4776  printf("no dcerpc state: ");
4777  result = 0;
4778  goto end;
4779  }
4780 
4781  result &= (dcerpc_state->dcerpc.bytesprocessed == 18);
4782  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL);
4783 
4784  FLOWLOCK_WRLOCK(&f);
4785  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4786  STREAM_TOSERVER, request2, request2_len);
4787  if (r != 0) {
4788  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4789  result = 0;
4790  FLOWLOCK_UNLOCK(&f);
4791  goto end;
4792  }
4793  FLOWLOCK_UNLOCK(&f);
4794 
4795  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
4796  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
4797  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 14);
4798  result &= (dcerpc_state->dcerpc.dcerpcrequest.opnum == 2);
4799 
4800 end:
4801  if (alp_tctx != NULL)
4802  AppLayerParserThreadCtxFree(alp_tctx);
4804  FLOW_DESTROY(&f);
4805  return result;
4806 }
4807 
4808 static int DCERPCParserTest19(void)
4809 {
4810  int result = 0;
4811  Flow f;
4812  uint8_t dcerpcbind[] = {
4813  0x05, 0x00,
4814  0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04,
4815  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16,
4816  0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00,
4817  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0,
4818  0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f,
4819  0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00,
4820  0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4821  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4822  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00,
4823  0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b,
4824  0x06, 0xac, 0x1b, 0xf0, 0xf5, 0xb7, 0xa7, 0xf7,
4825  0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
4826  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4827  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4828  0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2,
4829  0x10, 0xd1, 0xd0, 0x0c, 0xcc, 0x3d, 0x2f, 0x80,
4830  0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00,
4831  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4832  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4833  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00,
4834  0x01, 0x00, 0xde, 0x85, 0x70, 0xc4, 0x02, 0x7c,
4835  0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36,
4836  0x79, 0x17, 0x01, 0x00, 0x02, 0x00, 0x04, 0x5d,
4837  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4838  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4839  0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x41, 0x65,
4840  0x29, 0x51, 0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37,
4841  0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed, 0x05, 0x00,
4842  0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4843  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4844  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00,
4845  0x01, 0x00, 0x14, 0x96, 0x80, 0x01, 0x2e, 0x78,
4846  0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa,
4847  0x02, 0xfb, 0x06, 0x00, 0x00, 0x00, 0x04, 0x5d,
4848  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4849  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4850  0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x3b, 0x04,
4851  0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55,
4852  0xcd, 0xe7, 0x39, 0xaf, 0x98, 0x9f, 0x03, 0x00,
4853  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4854  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4855  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00,
4856  0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25,
4857  0x92, 0x55, 0xdd, 0xae, 0x9e, 0x5b, 0x3e, 0x93,
4858  0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d,
4859  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4860  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4861  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4,
4862  0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f, 0x14, 0xcc,
4863  0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00,
4864  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4865  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4866  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00,
4867  0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55,
4868  0x6f, 0x5d, 0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17,
4869  0x52, 0x8d, 0x06, 0x00, 0x03, 0x00, 0x04, 0x5d,
4870  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4871  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4872  0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17,
4873  0x55, 0x0c, 0xf4, 0x23, 0x3c, 0xca, 0xe6, 0xa0,
4874  0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00,
4875  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4876  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4877  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00,
4878  0x01, 0x00, 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1,
4879  0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9,
4880  0x2e, 0xf5, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d,
4881  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4882  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4883  0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xc9, 0x9f,
4884  0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78,
4885  0xe1, 0x13, 0x70, 0x05, 0x38, 0x4d, 0x01, 0x00,
4886  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4887  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4888  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00,
4889  0x01, 0x00, 0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6,
4890  0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7, 0xf8, 0x56,
4891  0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
4892  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4893  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4894  0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0xee, 0x99,
4895  0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa,
4896  0xfd, 0x26, 0x57, 0x02, 0xf1, 0xce, 0x03, 0x00,
4897  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4898  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4899  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x00,
4900  0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b,
4901  0xba, 0xe4, 0xd3, 0x17, 0x41, 0x60, 0x6d, 0x2d,
4902  0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d,
4903  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4904  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4905  0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24,
4906  0x03, 0x9a, 0xa9, 0x99, 0xfb, 0xbe, 0x49, 0x11,
4907  0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00,
4908  0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4909  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4910  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00,
4911  0x01, 0x00, 0x32, 0x04, 0x7e, 0xae, 0xec, 0x28,
4912  0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d,
4913  0xc6, 0x65, 0x02, 0x00, 0x03, 0x00, 0x04, 0x5d,
4914  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4915  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4916  0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4,
4917  0x81, 0x48, 0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e,
4918  0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6, 0x03, 0x00,
4919  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4920  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4921  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00,
4922  0x01, 0x00, 0xcb, 0xae, 0xb3, 0xc0, 0x0c, 0xf4,
4923  0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70,
4924  0x89, 0x02, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d,
4925  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4926  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4927  0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0xb8, 0xd0,
4928  0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6,
4929  0x7d, 0x08, 0x0d, 0x33, 0x73, 0x18, 0x02, 0x00,
4930  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4931  };
4932 
4933  uint8_t dcerpcbindack[] = {
4934  0x05, 0x00, 0x0c, 0x03,
4935  0x10, 0x00, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00,
4936  0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10,
4937  0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50,
4938  0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73,
4939  0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00,
4940  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4941  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4942  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4943  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4944  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4945  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4946  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4947  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4948  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4949  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4950  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4951  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4952  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4953  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4954  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4955  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4956  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4957  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4958  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4959  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4960  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4961  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4962  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4963  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4964  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4965  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4966  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4967  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4968  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4969  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4970  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4971  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4972  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4973  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4974  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4975  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4976  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4977  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4978  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4979  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4980  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4981  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4982  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4983  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4984  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4985  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4986  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4987  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4988  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4989  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4990  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4991  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4992  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4993  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4994  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4995  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4996  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4997  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4998  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4999  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5000  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5001  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5002  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5003  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5004  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5005  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5006  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5007  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5008  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5009  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5010  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5011  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
5012 
5013  uint32_t bindlen = sizeof(dcerpcbind);
5014  uint32_t bindacklen = sizeof(dcerpcbindack);
5015  TcpSession ssn;
5017 
5018  memset(&f, 0, sizeof(f));
5019  memset(&ssn, 0, sizeof(ssn));
5020 
5021  FLOW_INITIALIZE(&f);
5022  f.protoctx = (void *)&ssn;
5023  f.proto = IPPROTO_TCP;
5024  f.alproto = ALPROTO_DCERPC;
5025 
5027 
5028  FLOWLOCK_WRLOCK(&f);
5029  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
5030  STREAM_TOSERVER | STREAM_START, dcerpcbind,
5031  bindlen);
5032  if (r != 0) {
5033  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
5034  FLOWLOCK_UNLOCK(&f);
5035  goto end;
5036  }
5037  FLOWLOCK_UNLOCK(&f);
5038 
5039  DCERPCState *dcerpc_state = f.alstate;
5040  if (dcerpc_state == NULL) {
5041  printf("no dcerpc state: ");
5042  goto end;
5043  }
5044 
5045  if (dcerpc_state->dcerpc.bytesprocessed == 0) {
5046  printf("request - dce parser bytesprocessed should not be 0.\n");
5047  goto end;
5048  }
5049 
5050  FLOWLOCK_WRLOCK(&f);
5051  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
5052  STREAM_TOCLIENT, dcerpcbindack, bindacklen);
5053  if (r == 0) {
5054  printf("dce parser didn't return fail\n");
5055  FLOWLOCK_UNLOCK(&f);
5056  goto end;
5057  }
5058  FLOWLOCK_UNLOCK(&f);
5059 
5060  result = 1;
5061 end:
5062  if (alp_tctx != NULL)
5063  AppLayerParserThreadCtxFree(alp_tctx);
5065  FLOW_DESTROY(&f);
5066  return result;
5067 }
5068 
5069 #endif /* UNITTESTS */
5070 
5072 {
5073 #ifdef UNITTESTS
5074  UtRegisterTest("DCERPCParserTest01", DCERPCParserTest01);
5075  UtRegisterTest("DCERPCParserTest02", DCERPCParserTest02);
5076  UtRegisterTest("DCERPCParserTest03", DCERPCParserTest03);
5077  UtRegisterTest("DCERPCParserTest05", DCERPCParserTest05);
5078  UtRegisterTest("DCERPCParserTest06", DCERPCParserTest06);
5079  UtRegisterTest("DCERPCParserTest07", DCERPCParserTest07);
5080  UtRegisterTest("DCERPCParserTest08", DCERPCParserTest08);
5081  UtRegisterTest("DCERPCParserTest09", DCERPCParserTest09);
5082  UtRegisterTest("DCERPCParserTest10", DCERPCParserTest10);
5083  UtRegisterTest("DCERPCParserTest11", DCERPCParserTest11);
5084  UtRegisterTest("DCERPCParserTest12", DCERPCParserTest12);
5085  UtRegisterTest("DCERPCParserTest13", DCERPCParserTest13);
5086  UtRegisterTest("DCERPCParserTest14", DCERPCParserTest14);
5087  UtRegisterTest("DCERPCParserTest15", DCERPCParserTest15);
5088  UtRegisterTest("DCERPCParserTest16", DCERPCParserTest16);
5089  UtRegisterTest("DCERPCParserTest17", DCERPCParserTest17);
5090  UtRegisterTest("DCERPCParserTest18", DCERPCParserTest18);
5091  UtRegisterTest("DCERPCParserTest19", DCERPCParserTest19);
5092 #endif /* UNITTESTS */
5093 
5094  return;
5095 }
DCERPCRequest dcerpcrequest
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
#define TAILQ_FIRST(head)
Definition: queue.h:339
uint16_t bytesprocessed
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
struct HtpBodyChunk_ * next
DetectEngineState * de_state
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
uint8_t proto
Definition: flow.h:344
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
DCERPCUuidEntry * uuid_entry
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
DCERPCResponse dcerpcresponse
uint8_t data_needed_for_dir
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag)
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto, DetectEngineState *(*GetTxDetectState)(void *tx), int(*SetTxDetectState)(void *tx, DetectEngineState *))
#define ALTER_CONTEXT
int32_t DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
#define BIND
#define DCERPC_UUID_ENTRY_FLAG_FF
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
#define MIN(x, y)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define SCReturnUInt(x)
Definition: util-debug.h:343
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
void DCERPCUuidListFree(DCERPCUuidEntryList *list)
#define TRUE
DCERPCUuidEntryList uuid_list
void * protoctx
Definition: flow.h:400
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
Definition: util-debug.c:631
uint16_t transaction_id
void DCERPCParserRegisterTests(void)
void printUUID(const char *type, DCERPCUuidEntry *uuid)
printUUID function used to print UUID, Major and Minor Version Number and if it was Accepted or Rejec...
void * alstate
Definition: flow.h:438
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests and when...
#define SCCalloc(nm, a)
Definition: util-mem.h:197
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
#define ALTER_CONTEXT_RESP
#define TAILQ_INIT(head)
Definition: queue.h:370
Data structures and function prototypes for keeping state for the detection engine.
uint8_t type
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
#define STREAM_EOF
Definition: stream.h:30
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:412
#define SCEnter(...)
Definition: util-debug.h:337
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
#define REQUEST
#define PFC_FIRST_FRAG
#define STREAM_TOCLIENT
Definition: stream.h:32
DCERPCBindBindAck dcerpcbindbindack
#define SCByteSwap32(x)
Definition: util-byte.h:70
void AppLayerParserRegisterGetStateProgressCompletionStatus(AppProto alproto, int(*StateGetProgressCompletionStatus)(uint8_t direction))
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
void DetectEngineStateFree(DetectEngineState *state)
Frees a DetectEngineState object.
int RunmodeIsUnittests(void)
Definition: suricata.c:261
#define SCReturnInt(x)
Definition: util-debug.h:341
#define SCRealloc(x, a)
Definition: util-mem.h:182
void RegisterDCERPCParsers(void)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
#define SCFree(a)
Definition: util-mem.h:228
#define TAILQ_INSERT_HEAD(head, elm, field)
Definition: queue.h:375
int AppLayerProtoDetectPMRegisterPatternCS(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-sensitive pattern for protocol detection.
uint16_t tx_id
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
#define RESPONSE
#define DCERPC_HDR_LEN
#define STREAM_START
Definition: stream.h:29
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
SCMutex m
Definition: flow-hash.h:105
#define APP_LAYER_PARSER_EOF
DCERPCUuidEntryList accepted_uuid_list
#define PFC_LAST_FRAG
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
void hexdump(const void *buf, size_t len)
void DCERPCCleanup(DCERPC *dcerpc)
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void), void(*StateFree)(void *))
uint8_t len
AppProto alproto
application level protocol
Definition: flow.h:409
void DCERPCInit(DCERPC *dcerpc)
Flow data structure.
Definition: flow.h:325
#define SCByteSwap16(x)
Definition: util-byte.h:69
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
#define BIND_ACK
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))