suricata
app-layer-dcerpc.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Kirby Kuehl <kkuehl@gmail.com>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  *
24  * \file DCE/RPC parser and decoder
25  *
26  * \todo Remove all the unnecessary per byte incremental loops with a full one
27  * time jump, i.e.
28  *
29  * input[0], input_len
30  * for (i = 0; i < x; i++)
31  * input++;
32  *
33  * with
34  *
35  * input += x;
36  *
37  * You'll be surprised at how many such cases we have here. We also need
38  * to do the same for htp parser. Should speed up the engine drastically.
39  */
40 
41 #include "suricata-common.h"
42 #include "suricata.h"
43 
44 #include "debug.h"
45 #include "decode.h"
46 #include "threads.h"
47 
48 #include "util-print.h"
49 #include "util-pool.h"
50 #include "util-debug.h"
51 
52 #include "flow-util.h"
53 
54 #include "detect-engine-state.h"
55 
56 #include "stream-tcp-private.h"
57 #include "stream-tcp-reassemble.h"
58 #include "stream-tcp.h"
59 #include "stream.h"
60 
61 #include "app-layer-protos.h"
62 #include "app-layer-parser.h"
63 #include "app-layer.h"
64 
65 #include "util-spm.h"
66 #include "util-unittest.h"
67 
68 #include "app-layer-dcerpc.h"
69 
70 enum {
76  /* must be last */
78 };
79 
80 void DCERPCUuidListFree(DCERPCUuidEntryList *list);
81 
82 /* \brief hexdump function from libdnet, used for debugging only */
83 void hexdump(/*Flow *f,*/ const void *buf, size_t len)
84 {
85  /* dumps len bytes of *buf to stdout. Looks like:
86  * [0000] 75 6E 6B 6E 6F 77 6E 20
87  * 30 FF 00 00 00 00 39 00 unknown 0.....9.
88  * (in a single line of course)
89  */
90 
91  const unsigned char *p = buf;
92  unsigned char c;
93  size_t n;
94  char bytestr[4] = {0};
95  char addrstr[17] = {0};
96  char hexstr[ 16*3 + 5] = {0};
97  char charstr[16*1 + 5] = {0};
98  for (n=1; n<=len; n++) {
99  if (n%16 == 1) {
100  /* store address for this line */
101 #if __WORDSIZE == 64
102  snprintf(addrstr, sizeof(addrstr), "%.4"PRIx64,
103  ((uint64_t)p-(uint64_t)buf) );
104 #else
105  snprintf(addrstr, sizeof(addrstr), "%.4"PRIx32,
106  ((uint32_t)p-(uint32_t)buf) );
107 #endif
108  }
109 
110  c = *p;
111  if (isalnum(c) == 0) {
112  c = '.';
113  }
114 
115  /* store hex str (for left side) */
116  snprintf(bytestr, sizeof(bytestr), "%02X ", *p);
117  strlcat(hexstr, bytestr, sizeof(hexstr)-strlen(hexstr)-1);
118 
119  /* store char str (for right side) */
120  snprintf(bytestr, sizeof(bytestr), "%c", c);
121  strlcat(charstr, bytestr, sizeof(charstr)-strlen(charstr)-1);
122 
123  if(n%16 == 0) {
124  /* line completed */
125  printf("[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
126  hexstr[0] = 0;
127  charstr[0] = 0;
128  } else if(n%8 == 0) {
129  /* half line: add whitespaces */
130  strlcat(hexstr, " ", sizeof(hexstr)-strlen(hexstr)-1);
131  strlcat(charstr, " ", sizeof(charstr)-strlen(charstr)-1);
132  }
133  p++; /* next byte */
134  }
135 
136  if (strlen(hexstr) > 0) {
137  /* print rest of buffer if not empty */
138  printf("[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr);
139  }
140 }
141 
142 /**
143  * \brief printUUID function used to print UUID, Major and Minor Version Number
144  * and if it was Accepted or Rejected in the BIND_ACK.
145  */
146 void printUUID(const char *type, DCERPCUuidEntry *uuid)
147 {
148  uint8_t i = 0;
149  if (uuid == NULL) {
150  return;
151  }
152  printf("%s UUID [%2u] %s ", type, uuid->ctxid,
153  (uuid->result == 0) ? "Accepted" : "Rejected");
154  for (i = 0; i < 16; i++) {
155  printf("%02x", uuid->uuid[i]);
156  }
157  printf(" Major Version 0x%04x Minor Version 0x%04x\n", uuid->version,
158  uuid->versionminor);
159 }
160 
161 /**
162  * \brief DCERPCParseSecondaryAddr reads secondaryaddrlen bytes from the BIND_ACK
163  * DCERPC call.
164  */
165 static uint32_t DCERPCParseSecondaryAddr(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
166 {
167  SCEnter();
168  const uint8_t *p = input;
169  while (dcerpc->dcerpcbindbindack.secondaryaddrlenleft-- && input_len--) {
170  SCLogDebug("0x%02x ", *p);
171  p++;
172  }
173  dcerpc->bytesprocessed += (p - input);
174  SCReturnUInt((uint32_t)(p - input));
175 }
176 
177 static uint32_t PaddingParser(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
178 {
179  SCEnter();
180  const uint8_t *p = input;
181  while (dcerpc->padleft-- && input_len--) {
182  SCLogDebug("0x%02x ", *p);
183  p++;
184  }
185  dcerpc->bytesprocessed += (p - input);
186  SCReturnUInt((uint32_t)(p - input));
187 }
188 
189 static uint32_t DCERPCGetCTXItems(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
190 {
191  SCEnter();
192  const uint8_t *p = input;
193  if (input_len) {
194  switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) {
195  case 0:
196  if (input_len >= 4) {
197  dcerpc->dcerpcbindbindack.numctxitems = *p;
200  dcerpc->bytesprocessed += 4;
201  SCReturnUInt(4U);
202  } else {
203  dcerpc->dcerpcbindbindack.numctxitems = *(p++);
205  if (!(--input_len))
206  break;
207  }
208  /* fall through */
209  case 1:
210  p++;
211  if (!(--input_len))
212  break;
213  /* fall through */
214  case 2:
215  p++;
216  if (!(--input_len))
217  break;
218  /* fall through */
219  case 3:
220  p++;
221  input_len--;
222  break;
223  }
224  }
225  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
226  dcerpc->bytesprocessed += (p - input);
227  SCReturnUInt((uint32_t)(p - input));
228 }
229 
230 /**
231  * \brief DCERPCParseBINDCTXItem is called for each CTXItem found the DCERPC BIND call.
232  * each UUID is added to a TAILQ.
233  */
234 
235 static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
236 {
237  SCEnter();
238  const uint8_t *p = input;
239 
240  if (input_len) {
241  switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) {
242  case 0:
243  if (input_len >= 44) {
244  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
245  dcerpc->dcerpcbindbindack.ctxid = *(p);
246  dcerpc->dcerpcbindbindack.ctxid |= *(p + 1) << 8;
247  dcerpc->dcerpcbindbindack.uuid[3] = *(p + 4);
248  dcerpc->dcerpcbindbindack.uuid[2] = *(p + 5);
249  dcerpc->dcerpcbindbindack.uuid[1] = *(p + 6);
250  dcerpc->dcerpcbindbindack.uuid[0] = *(p + 7);
251  dcerpc->dcerpcbindbindack.uuid[5] = *(p + 8);
252  dcerpc->dcerpcbindbindack.uuid[4] = *(p + 9);
253  dcerpc->dcerpcbindbindack.uuid[7] = *(p + 10);
254  dcerpc->dcerpcbindbindack.uuid[6] = *(p + 11);
255  dcerpc->dcerpcbindbindack.uuid[8] = *(p + 12);
256  dcerpc->dcerpcbindbindack.uuid[9] = *(p + 13);
257  dcerpc->dcerpcbindbindack.uuid[10] = *(p + 14);
258  dcerpc->dcerpcbindbindack.uuid[11] = *(p + 15);
259  dcerpc->dcerpcbindbindack.uuid[12] = *(p + 16);
260  dcerpc->dcerpcbindbindack.uuid[13] = *(p + 17);
261  dcerpc->dcerpcbindbindack.uuid[14] = *(p + 18);
262  dcerpc->dcerpcbindbindack.uuid[15] = *(p + 19);
263  dcerpc->dcerpcbindbindack.version = *(p + 20);
264  dcerpc->dcerpcbindbindack.version |= *(p + 21) << 8;
265  dcerpc->dcerpcbindbindack.versionminor = *(p + 22);
266  dcerpc->dcerpcbindbindack.versionminor |= *(p + 23) << 8;
267  } else { /* Big Endian */
268  dcerpc->dcerpcbindbindack.ctxid = *(p) << 8;
269  dcerpc->dcerpcbindbindack.ctxid |= *(p + 1);
270  dcerpc->dcerpcbindbindack.uuid[0] = *(p + 4);
271  dcerpc->dcerpcbindbindack.uuid[1] = *(p + 5);
272  dcerpc->dcerpcbindbindack.uuid[2] = *(p + 6);
273  dcerpc->dcerpcbindbindack.uuid[3] = *(p + 7);
274  dcerpc->dcerpcbindbindack.uuid[4] = *(p + 8);
275  dcerpc->dcerpcbindbindack.uuid[5] = *(p + 9);
276  dcerpc->dcerpcbindbindack.uuid[6] = *(p + 10);
277  dcerpc->dcerpcbindbindack.uuid[7] = *(p + 11);
278  dcerpc->dcerpcbindbindack.uuid[8] = *(p + 12);
279  dcerpc->dcerpcbindbindack.uuid[9] = *(p + 13);
280  dcerpc->dcerpcbindbindack.uuid[10] = *(p + 14);
281  dcerpc->dcerpcbindbindack.uuid[11] = *(p + 15);
282  dcerpc->dcerpcbindbindack.uuid[12] = *(p + 16);
283  dcerpc->dcerpcbindbindack.uuid[13] = *(p + 17);
284  dcerpc->dcerpcbindbindack.uuid[14] = *(p + 18);
285  dcerpc->dcerpcbindbindack.uuid[15] = *(p + 19);
286  dcerpc->dcerpcbindbindack.version = *(p + 20) << 8;
287  dcerpc->dcerpcbindbindack.version |= *(p + 21);
288  dcerpc->dcerpcbindbindack.versionminor = *(p + 22) << 8;
289  dcerpc->dcerpcbindbindack.versionminor |= *(p + 23);
290  }
291  //if (dcerpc->dcerpcbindbindack.ctxid == dcerpc->dcerpcbindbindack.numctxitems
292  // - dcerpc->dcerpcbindbindack.numctxitemsleft) {
293 
295  if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) {
296  SCLogDebug("UUID Entry is NULL");
297  SCReturnUInt(0);
298  }
299 
301 
302  memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
303  dcerpc->dcerpcbindbindack.uuid,
304  sizeof(dcerpc->dcerpcbindbindack.uuid));
305 
309 
310  /* store the first frag flag in the uuid as pfc_flags will
311  * be overwritten by new packets. */
312  if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG) {
314  }
315 
318  next);
319 
320 #ifdef UNITTESTS
321  if (RunmodeIsUnittests()) {
322  printUUID("BIND", dcerpc->dcerpcbindbindack.uuid_entry);
323  }
324 #endif
326  dcerpc->bytesprocessed += (44);
327  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44);
328  SCReturnUInt(44U);
329 
330  //} else {
331  // SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid,
332  // dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft);
333  // SCReturnUInt(0);
334  //}
335  } else {
336  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
337  dcerpc->dcerpcbindbindack.ctxid = *(p++);
338  } else {
339  dcerpc->dcerpcbindbindack.ctxid = *(p++) << 8;
340  }
341  if (!(--input_len))
342  break;
343  }
344  /* fall through */
345  case 1:
346  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
347  dcerpc->dcerpcbindbindack.ctxid |= *(p++) << 8;
348  } else {
349  dcerpc->dcerpcbindbindack.ctxid |= *(p++);
350  }
351  if (!(--input_len))
352  break;
353  /* fall through */
354  case 2:
355  /* num transact items */
356  p++;
357  if (!(--input_len))
358  break;
359  /* fall through */
360  case 3:
361  /* reserved */
362  p++;
363  if (!(--input_len))
364  break;
365  /* fall through */
366  case 4:
367  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
368  dcerpc->dcerpcbindbindack.uuid[3] = *(p++);
369  } else {
370  dcerpc->dcerpcbindbindack.uuid[0] = *(p++);
371  }
372  if (!(--input_len))
373  break;
374  /* fall through */
375  case 5:
376  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
377  dcerpc->dcerpcbindbindack.uuid[2] = *(p++);
378  } else {
379  dcerpc->dcerpcbindbindack.uuid[1] = *(p++);
380  }
381  if (!(--input_len))
382  break;
383  /* fall through */
384  case 6:
385  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
386  dcerpc->dcerpcbindbindack.uuid[1] = *(p++);
387  } else {
388  dcerpc->dcerpcbindbindack.uuid[2] = *(p++);
389  }
390  if (!(--input_len))
391  break;
392  /* fall through */
393  case 7:
394  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
395  dcerpc->dcerpcbindbindack.uuid[0] = *(p++);
396  } else {
397  dcerpc->dcerpcbindbindack.uuid[3] = *(p++);
398  }
399  if (!(--input_len))
400  break;
401  /* fall through */
402  case 8:
403  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
404  dcerpc->dcerpcbindbindack.uuid[5] = *(p++);
405  } else {
406  dcerpc->dcerpcbindbindack.uuid[4] = *(p++);
407  }
408  if (!(--input_len))
409  break;
410  /* fall through */
411  case 9:
412  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
413  dcerpc->dcerpcbindbindack.uuid[4] = *(p++);
414  } else {
415  dcerpc->dcerpcbindbindack.uuid[5] = *(p++);
416  }
417  if (!(--input_len))
418  break;
419  /* fall through */
420  case 10:
421  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
422  dcerpc->dcerpcbindbindack.uuid[7] = *(p++);
423  } else {
424  dcerpc->dcerpcbindbindack.uuid[6] = *(p++);
425  }
426  if (!(--input_len))
427  break;
428  /* fall through */
429  case 11:
430  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
431  dcerpc->dcerpcbindbindack.uuid[6] = *(p++);
432  } else {
433  dcerpc->dcerpcbindbindack.uuid[7] = *(p++);
434  }
435  if (!(--input_len))
436  break;
437  /* fall through */
438  case 12:
439  /* The following bytes are in the same order for both big and little endian */
440  dcerpc->dcerpcbindbindack.uuid[8] = *(p++);
441  if (!(--input_len))
442  break;
443  /* fall through */
444  case 13:
445  dcerpc->dcerpcbindbindack.uuid[9] = *(p++);
446  if (!(--input_len))
447  break;
448  /* fall through */
449  case 14:
450  dcerpc->dcerpcbindbindack.uuid[10] = *(p++);
451  if (!(--input_len))
452  break;
453  /* fall through */
454  case 15:
455  dcerpc->dcerpcbindbindack.uuid[11] = *(p++);
456  if (!(--input_len))
457  break;
458  /* fall through */
459  case 16:
460  dcerpc->dcerpcbindbindack.uuid[12] = *(p++);
461  if (!(--input_len))
462  break;
463  /* fall through */
464  case 17:
465  dcerpc->dcerpcbindbindack.uuid[13] = *(p++);
466  if (!(--input_len))
467  break;
468  /* fall through */
469  case 18:
470  dcerpc->dcerpcbindbindack.uuid[14] = *(p++);
471  if (!(--input_len))
472  break;
473  /* fall through */
474  case 19:
475  dcerpc->dcerpcbindbindack.uuid[15] = *(p++);
476  if (!(--input_len))
477  break;
478  /* fall through */
479  case 20:
480  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
481  dcerpc->dcerpcbindbindack.version = *(p++);
482  } else {
483  dcerpc->dcerpcbindbindack.version = *(p++) << 8;
484  }
485  if (!(--input_len))
486  break;
487  /* fall through */
488  case 21:
489  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
490  dcerpc->dcerpcbindbindack.version |= *(p++) << 8;
491  } else {
492  dcerpc->dcerpcbindbindack.version |= *(p++);
493  }
494  if (!(--input_len))
495  break;
496  /* fall through */
497  case 22:
498  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
499  dcerpc->dcerpcbindbindack.versionminor = *(p++);
500  } else {
501  dcerpc->dcerpcbindbindack.versionminor = *(p++) << 8;
502  }
503  if (!(--input_len))
504  break;
505  /* fall through */
506  case 23:
507  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
508  dcerpc->dcerpcbindbindack.versionminor |= *(p++) << 8;
509  } else {
510  dcerpc->dcerpcbindbindack.versionminor |= *(p++);
511  }
512  if (!(--input_len))
513  break;
514  /* fall through */
515  case 24:
516  p++;
517  if (!(--input_len))
518  break;
519  /* fall through */
520  case 25:
521  p++;
522  if (!(--input_len))
523  break;
524  /* fall through */
525  case 26:
526  p++;
527  if (!(--input_len))
528  break;
529  /* fall through */
530  case 27:
531  p++;
532  if (!(--input_len))
533  break;
534  /* fall through */
535  case 28:
536  p++;
537  if (!(--input_len))
538  break;
539  /* fall through */
540  case 29:
541  p++;
542  if (!(--input_len))
543  break;
544  /* fall through */
545  case 30:
546  p++;
547  if (!(--input_len))
548  break;
549  /* fall through */
550  case 31:
551  p++;
552  if (!(--input_len))
553  break;
554  /* fall through */
555  case 32:
556  p++;
557  if (!(--input_len))
558  break;
559  /* fall through */
560  case 33:
561  p++;
562  if (!(--input_len))
563  break;
564  /* fall through */
565  case 34:
566  p++;
567  if (!(--input_len))
568  break;
569  /* fall through */
570  case 35:
571  p++;
572  if (!(--input_len))
573  break;
574  /* fall through */
575  case 36:
576  p++;
577  if (!(--input_len))
578  break;
579  /* fall through */
580  case 37:
581  p++;
582  if (!(--input_len))
583  break;
584  /* fall through */
585  case 38:
586  p++;
587  if (!(--input_len))
588  break;
589  /* fall through */
590  case 39:
591  p++;
592  if (!(--input_len))
593  break;
594  /* fall through */
595  case 40:
596  p++;
597  if (!(--input_len))
598  break;
599  /* fall through */
600  case 41:
601  p++;
602  if (!(--input_len))
603  break;
604  /* fall through */
605  case 42:
606  p++;
607  if (!(--input_len))
608  break;
609  /* fall through */
610  case 43:
611  p++;
612  --input_len;
613  //if (dcerpc->dcerpcbindbindack.ctxid == dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft) {
615  SCCalloc(1, sizeof(DCERPCUuidEntry));
616  if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) {
617  SCLogDebug("UUID Entry is NULL\n");
618  SCReturnUInt(0);
619  }
620 
623  memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
624  dcerpc->dcerpcbindbindack.uuid,
625  sizeof(dcerpc->dcerpcbindbindack.uuid));
629 
630  /* store the first frag flag in the uuid as pfc_flags will
631  * be overwritten by new packets. */
632  if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG) {
634  }
635 
638  next);
639 #ifdef UNITTESTS
640  if (RunmodeIsUnittests()) {
641  printUUID("BINDACK", dcerpc->dcerpcbindbindack.uuid_entry);
642  }
643 #endif
645  dcerpc->bytesprocessed += (p - input);
646  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
647  SCReturnUInt((uint32_t)(p - input));
648 
649  //} else {
650  // SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid,
651  // dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft);
652  // SCReturnUInt(0);
653  //}
654  break;
655  }
656  }
657  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
658  dcerpc->bytesprocessed += (p - input);
659  SCReturnUInt((uint32_t)(p - input));
660 }
661 
662 /**
663  * \brief DCERPCParseBINDACKCTXItem is called for each CTXItem found in
664  * the BIND_ACK call. The result (Accepted or Rejected) is added to the
665  * correct UUID from the BIND call.
666  */
667 static uint32_t DCERPCParseBINDACKCTXItem(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
668 {
669  SCEnter();
670  const uint8_t *p = input;
671  DCERPCUuidEntry *uuid_entry;
672 
673  if (input_len) {
674  switch (dcerpc->dcerpcbindbindack.ctxbytesprocessed) {
675  case 0:
676  if (input_len >= 24) {
677  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
678  dcerpc->dcerpcbindbindack.result = *p;
679  dcerpc->dcerpcbindbindack.result |= *(p + 1) << 8;
680  } else {
681  dcerpc->dcerpcbindbindack.result = *p << 8;
682  dcerpc->dcerpcbindbindack.result |= *(p + 1);
683  }
684  TAILQ_FOREACH(uuid_entry, &dcerpc->dcerpcbindbindack.uuid_list, next) {
685  if (uuid_entry->internal_id == dcerpc->dcerpcbindbindack.uuid_internal_id) {
686  uuid_entry->result = dcerpc->dcerpcbindbindack.result;
687 #ifdef UNITTESTS
688  if (RunmodeIsUnittests()) {
689  printUUID("BIND_ACK", uuid_entry);
690  }
691 #endif
692  if (uuid_entry->result != 0)
693  break;
694 
696  SCCalloc(1, sizeof(DCERPCUuidEntry));
697  if (dcerpc->dcerpcbindbindack.uuid_entry != NULL) {
698  memcpy(dcerpc->dcerpcbindbindack.uuid_entry,
699  uuid_entry,
700  sizeof(DCERPCUuidEntry));
703  next);
704  }
705  break;
706  }
707  }
710  dcerpc->bytesprocessed += (24);
711  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (24);
712  SCReturnUInt(24U);
713  } else {
714  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
715  dcerpc->dcerpcbindbindack.result = *(p++);
716  } else {
717  dcerpc->dcerpcbindbindack.result = *(p++) << 8;
718  }
719  if (!(--input_len))
720  break;
721  }
722  /* fall through */
723  case 1:
724  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
725  dcerpc->dcerpcbindbindack.result |= *(p++) << 8;
726  } else {
727  dcerpc->dcerpcbindbindack.result |= *(p++);
728  }
729  if (!(--input_len))
730  break;
731  /* fall through */
732  case 2:
733  /* num transact items */
734  p++;
735  if (!(--input_len))
736  break;
737  /* fall through */
738  case 3:
739  /* reserved */
740  p++;
741  if (!(--input_len))
742  break;
743  /* fall through */
744  case 4:
745  p++;
746  if (!(--input_len))
747  break;
748  /* fall through */
749  case 5:
750  p++;
751  if (!(--input_len))
752  break;
753  /* fall through */
754  case 6:
755  p++;
756  if (!(--input_len))
757  break;
758  /* fall through */
759  case 7:
760  p++;
761  if (!(--input_len))
762  break;
763  /* fall through */
764  case 8:
765  p++;
766  if (!(--input_len))
767  break;
768  /* fall through */
769  case 9:
770  p++;
771  if (!(--input_len))
772  break;
773  /* fall through */
774  case 10:
775  p++;
776  if (!(--input_len))
777  break;
778  /* fall through */
779  case 11:
780  p++;
781  if (!(--input_len))
782  break;
783  /* fall through */
784  case 12:
785  p++;
786  if (!(--input_len))
787  break;
788  /* fall through */
789  case 13:
790  p++;
791  if (!(--input_len))
792  break;
793  /* fall through */
794  case 14:
795  p++;
796  if (!(--input_len))
797  break;
798  /* fall through */
799  case 15:
800  p++;
801  if (!(--input_len))
802  break;
803  /* fall through */
804  case 16:
805  p++;
806  if (!(--input_len))
807  break;
808  /* fall through */
809  case 17:
810  p++;
811  if (!(--input_len))
812  break;
813  /* fall through */
814  case 18:
815  p++;
816  if (!(--input_len))
817  break;
818  /* fall through */
819  case 19:
820  p++;
821  if (!(--input_len))
822  break;
823  /* fall through */
824  case 20:
825  p++;
826  if (!(--input_len))
827  break;
828  /* fall through */
829  case 21:
830  p++;
831  if (!(--input_len))
832  break;
833  /* fall through */
834  case 22:
835  p++;
836  if (!(--input_len))
837  break;
838  /* fall through */
839  case 23:
840  TAILQ_FOREACH(uuid_entry, &dcerpc->dcerpcbindbindack.uuid_list, next) {
841  if (uuid_entry->internal_id == dcerpc->dcerpcbindbindack.uuid_internal_id) {
842  uuid_entry->result = dcerpc->dcerpcbindbindack.result;
843 #ifdef UNITTESTS
844  if (RunmodeIsUnittests()) {
845  printUUID("BIND_ACK", uuid_entry);
846  }
847 #endif
848  if (uuid_entry->result != 0)
849  break;
850 
852  SCCalloc(1, sizeof(DCERPCUuidEntry));
853  if (dcerpc->dcerpcbindbindack.uuid_entry != NULL) {
854  memcpy(dcerpc->dcerpcbindbindack.uuid_entry,
855  uuid_entry,
856  sizeof(DCERPCUuidEntry));
859  next);
860  }
861  break;
862  }
863  }
866  p++;
867  --input_len;
868  break;
869 
870  }
871  }
872  dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
873  dcerpc->bytesprocessed += (p - input);
874  SCReturnUInt((uint32_t)(p - input));
875 }
876 
877 static uint32_t DCERPCParseBIND(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
878 {
879  SCEnter();
880  const uint8_t *p = input;
881  if (input_len) {
882  switch (dcerpc->bytesprocessed) {
883  case 16:
884  dcerpc->dcerpcbindbindack.numctxitems = 0;
885  if (input_len >= 12) {
887  if (dcerpc->dcerpchdr.type == BIND) {
889  }
891  dcerpc->dcerpcbindbindack.numctxitems = *(p + 8);
893  dcerpc->bytesprocessed += 12;
894  SCReturnUInt(12U);
895  } else {
896  /* max_xmit_frag */
897  p++;
898  if (!(--input_len))
899  break;
900  }
901  /* fall through */
902  case 17:
903  /* max_xmit_frag */
904  p++;
905  if (!(--input_len))
906  break;
907  /* fall through */
908  case 18:
909  /* max_recv_frag */
910  p++;
911  if (!(--input_len))
912  break;
913  /* fall through */
914  case 19:
915  /* max_recv_frag */
916  p++;
917  if (!(--input_len))
918  break;
919  /* fall through */
920  case 20:
921  /* assoc_group_id */
922  p++;
923  if (!(--input_len))
924  break;
925  /* fall through */
926  case 21:
927  /* assoc_group_id */
928  p++;
929  if (!(--input_len))
930  break;
931  /* fall through */
932  case 22:
933  /* assoc_group_id */
934  p++;
935  if (!(--input_len))
936  break;
937  /* fall through */
938  case 23:
939  /* assoc_group_id */
940  p++;
941  if (!(--input_len))
942  break;
943  /* fall through */
944  case 24:
946  if (dcerpc->dcerpchdr.type == BIND) {
948  }
950  dcerpc->dcerpcbindbindack.numctxitems = *(p++);
952  if (!(--input_len))
953  break;
954  /* fall through */
955  case 25:
956  /* pad byte 1 */
957  p++;
958  if (!(--input_len))
959  break;
960  /* fall through */
961  case 26:
962  /* pad byte 2 */
963  p++;
964  if (!(--input_len))
965  break;
966  /* fall through */
967  case 27:
968  /* pad byte 3 */
969  p++;
970  --input_len;
971  break;
972  /* fall through */
973  default:
974  dcerpc->bytesprocessed++;
975  SCReturnUInt(1);
976  break;
977  }
978  }
979  dcerpc->bytesprocessed += (p - input);
980  SCReturnUInt((uint32_t)(p - input));
981 }
982 
983 static uint32_t DCERPCParseBINDACK(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
984 {
985  SCEnter();
986  const uint8_t *p = input;
987 
988  switch (dcerpc->bytesprocessed) {
989  case 16:
991  dcerpc->dcerpcbindbindack.numctxitems = 0;
992  if (input_len >= 10) {
993  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
994  dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p + 8);
995  dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p + 9) << 8;
996  } else {
997  dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p + 8) << 8;
998  dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p + 9);
999  }
1001  dcerpc->bytesprocessed += 10;
1002  SCReturnUInt(10U);
1003  } else {
1004  /* max_xmit_frag */
1005  p++;
1006  if (!(--input_len))
1007  break;
1008  }
1009  /* fall through */
1010  case 17:
1011  /* max_xmit_frag */
1012  p++;
1013  if (!(--input_len))
1014  break;
1015  /* fall through */
1016  case 18:
1017  /* max_recv_frag */
1018  p++;
1019  if (!(--input_len))
1020  break;
1021  /* fall through */
1022  case 19:
1023  /* max_recv_frag */
1024  p++;
1025  if (!(--input_len))
1026  break;
1027  /* fall through */
1028  case 20:
1029  /* assoc_group_id */
1030  p++;
1031  if (!(--input_len))
1032  break;
1033  /* fall through */
1034  case 21:
1035  /* assoc_group_id */
1036  p++;
1037  if (!(--input_len))
1038  break;
1039  /* fall through */
1040  case 22:
1041  /* assoc_group_id */
1042  p++;
1043  if (!(--input_len))
1044  break;
1045  /* fall through */
1046  case 23:
1047  /* assoc_group_id */
1048  p++;
1049  if (!(--input_len))
1050  break;
1051  /* fall through */
1052  case 24:
1053  dcerpc->dcerpcbindbindack.secondaryaddrlen = *(p++) << 8;
1054  if (!(--input_len))
1055  break;
1056  /* fall through */
1057  case 25:
1058  dcerpc->dcerpcbindbindack.secondaryaddrlen |= *(p++);
1059  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
1061  }
1063  SCLogDebug("secondaryaddrlen %u 0x%04x\n", dcerpc->dcerpcbindbindack.secondaryaddrlen,
1065  --input_len;
1066  break;
1067  default:
1068  dcerpc->bytesprocessed++;
1069  SCReturnUInt(1);
1070  break;
1071  }
1072  dcerpc->bytesprocessed += (p - input);
1073  SCReturnUInt((uint32_t)(p - input));
1074 }
1075 
1076 static uint32_t DCERPCParseREQUEST(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
1077 {
1078  SCEnter();
1079  const uint8_t *p = input;
1080 
1081  switch (dcerpc->bytesprocessed) {
1082  case 16:
1083  dcerpc->dcerpcbindbindack.numctxitems = 0;
1084  if (input_len >= 8) {
1085  if (dcerpc->dcerpchdr.type == REQUEST) {
1086  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
1087  dcerpc->dcerpcrequest.ctxid = *(p + 4);
1088  dcerpc->dcerpcrequest.ctxid |= *(p + 5) << 8;
1089  dcerpc->dcerpcrequest.opnum = *(p + 6);
1090  dcerpc->dcerpcrequest.opnum |= *(p + 7) << 8;
1091  } else {
1092  dcerpc->dcerpcrequest.ctxid = *(p + 4) << 8;
1093  dcerpc->dcerpcrequest.ctxid |= *(p + 5);
1094  dcerpc->dcerpcrequest.opnum = *(p + 6) << 8;
1095  dcerpc->dcerpcrequest.opnum |= *(p + 7);
1096  }
1097  dcerpc->dcerpcrequest.first_request_seen = 1;
1098  }
1099  dcerpc->bytesprocessed += 8;
1100  SCReturnUInt(8U);
1101  } else {
1102  /* alloc hint 1 */
1103  p++;
1104  if (!(--input_len))
1105  break;
1106  }
1107  /* fall through */
1108  case 17:
1109  /* alloc hint 2 */
1110  p++;
1111  if (!(--input_len))
1112  break;
1113  /* fall through */
1114  case 18:
1115  /* alloc hint 3 */
1116  p++;
1117  if (!(--input_len))
1118  break;
1119  /* fall through */
1120  case 19:
1121  /* alloc hint 4 */
1122  p++;
1123  if (!(--input_len))
1124  break;
1125  /* fall through */
1126  case 20:
1127  /* context id 1 */
1128  dcerpc->dcerpcrequest.ctxid = *(p++);
1129  if (!(--input_len))
1130  break;
1131  /* fall through */
1132  case 21:
1133  /* context id 2 */
1134  dcerpc->dcerpcrequest.ctxid |= *(p++) << 8;
1135  if (!(dcerpc->dcerpchdr.packed_drep[0] & 0x10)) {
1136  dcerpc->dcerpcrequest.ctxid = SCByteSwap16(dcerpc->dcerpcrequest.ctxid);
1137  }
1138  dcerpc->dcerpcrequest.first_request_seen = 1;
1139  if (!(--input_len))
1140  break;
1141  /* fall through */
1142  case 22:
1143  if (dcerpc->dcerpchdr.type == REQUEST) {
1144  dcerpc->dcerpcrequest.opnum = *(p++);
1145  } else {
1146  p++;
1147  }
1148  if (!(--input_len))
1149  break;
1150  /* fall through */
1151  case 23:
1152  if (dcerpc->dcerpchdr.type == REQUEST) {
1153  dcerpc->dcerpcrequest.opnum |= *(p++) << 8;
1154  if (!(dcerpc->dcerpchdr.packed_drep[0] & 0x10)) {
1155  dcerpc->dcerpcrequest.opnum = SCByteSwap16(dcerpc->dcerpcrequest.opnum);
1156  }
1157  } else {
1158  p++;
1159  }
1160  --input_len;
1161  break;
1162  default:
1163  dcerpc->bytesprocessed++;
1164  SCReturnUInt(1);
1165  break;
1166  }
1167  dcerpc->bytesprocessed += (p - input);
1168  SCReturnUInt((uint32_t)(p - input));
1169 }
1170 
1171 /** \internal
1172  * \retval stub_len or 0 in case of error */
1173 static uint32_t StubDataParser(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
1174 {
1175  SCEnter();
1176  uint8_t **stub_data_buffer = NULL;
1177  uint32_t *stub_data_buffer_len = NULL;
1178 
1179  SCLogDebug("input_len %u", input_len);
1180 
1181  /* request PDU. Retrieve the request stub buffer */
1182  if (dcerpc->dcerpchdr.type == REQUEST) {
1183  stub_data_buffer = &dcerpc->dcerpcrequest.stub_data_buffer;
1184  stub_data_buffer_len = &dcerpc->dcerpcrequest.stub_data_buffer_len;
1185 
1186  SCLogDebug("REQUEST stub_data_buffer_len %u", *stub_data_buffer_len);
1187 
1188  /* response PDU. Retrieve the response stub buffer */
1189  } else {
1190  stub_data_buffer = &dcerpc->dcerpcresponse.stub_data_buffer;
1191  stub_data_buffer_len = &dcerpc->dcerpcresponse.stub_data_buffer_len;
1192 
1193  SCLogDebug("RESPONSE stub_data_buffer_len %u", *stub_data_buffer_len);
1194  }
1195  if (*stub_data_buffer_len > (1024 * 1024)) {
1196  SCFree(*stub_data_buffer);
1197  *stub_data_buffer = NULL;
1198  SCReturnUInt(0);
1199  }
1200 
1201  uint32_t stub_len = MIN(dcerpc->padleft, input_len);
1202  if (stub_len == 0) {
1203  SCReturnInt(0);
1204  }
1205  SCLogDebug("stub_len %u input_len %u", stub_len, input_len);
1206 
1207  const uint8_t f = dcerpc->dcerpchdr.pfc_flags & (PFC_FIRST_FRAG|PFC_LAST_FRAG);
1208  SCLogDebug("f %02x, FIRST %s LAST %s", f,
1209  f & PFC_FIRST_FRAG ? "true" : "false",
1210  f & PFC_LAST_FRAG ? "true" : "false");
1211  if (stub_len == dcerpc->padleft && ((f == 0) || (f & PFC_LAST_FRAG))) {
1212  if (dcerpc->dcerpchdr.type == REQUEST) {
1213  dcerpc->dcerpcrequest.stub_data_buffer_reset = true;
1214  SCLogDebug("REQUEST reset stub");
1215  } else {
1216  dcerpc->dcerpcresponse.stub_data_buffer_reset = true;
1217  SCLogDebug("RESPONSE reset stub");
1218  }
1219  }
1220 
1221  void *ptmp = SCRealloc(*stub_data_buffer, *stub_data_buffer_len + stub_len);
1222  if (ptmp == NULL) {
1223  SCFree(*stub_data_buffer);
1224  *stub_data_buffer = NULL;
1225  SCReturnUInt(0);
1226  }
1227  *stub_data_buffer = ptmp;
1228 
1229  memcpy(*stub_data_buffer + *stub_data_buffer_len, input, stub_len);
1230 
1231  /* length of the buffered stub */
1232  *stub_data_buffer_len += stub_len;
1233  /* To see the total reassembled stubdata */
1234  //hexdump(*stub_data_buffer, *stub_data_buffer_len);
1235 
1236  dcerpc->padleft -= stub_len;
1237  dcerpc->bytesprocessed += stub_len;
1238 
1239  SCLogDebug("padleft %u bytesprocessed %u", dcerpc->padleft, dcerpc->bytesprocessed);
1240 
1241 #ifdef DEBUG
1242  if (SCLogDebugEnabled()) {
1243  uint32_t i = 0;
1244  for (i = 0; i < stub_len; i++) {
1245  SCLogDebug("0x%02x ", input[i]);
1246  }
1247  }
1248 #endif
1249  SCReturnUInt((uint32_t)stub_len);
1250 }
1251 
1252 /**
1253  * \brief DCERPCParseHeader parses the 16 byte DCERPC header
1254  * A fast path for normal decoding is used when there is enough bytes
1255  * present to parse the entire header. A slow path is used to parse
1256  * fragmented packets.
1257  * \retval -1 if DCERPC Header does not validate
1258  * \retval Number of bytes processed
1259  */
1260 static int DCERPCParseHeader(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
1261 {
1262  SCEnter();
1263  const uint8_t *p = input;
1264 
1265  if (input_len) {
1266  SCLogDebug("dcerpc->bytesprocessed %u", dcerpc->bytesprocessed);
1267  switch (dcerpc->bytesprocessed) {
1268  case 0:
1269  if (input_len >= DCERPC_HDR_LEN) {
1270  dcerpc->dcerpchdr.rpc_vers = *p;
1271  dcerpc->dcerpchdr.rpc_vers_minor = *(p + 1);
1272  if ((dcerpc->dcerpchdr.rpc_vers != 5) ||
1273  ((dcerpc->dcerpchdr.rpc_vers_minor != 0) &&
1274  (dcerpc->dcerpchdr.rpc_vers_minor != 1))) {
1275  SCLogDebug("DCERPC Header did not validate");
1276  SCReturnInt(-1);
1277  }
1278  dcerpc->dcerpchdr.type = *(p + 2);
1279  SCLogDebug("dcerpc->dcerpchdr.type %02x",
1280  dcerpc->dcerpchdr.type);
1281  dcerpc->dcerpchdr.pfc_flags = *(p + 3);
1282  dcerpc->dcerpchdr.packed_drep[0] = *(p + 4);
1283  dcerpc->dcerpchdr.packed_drep[1] = *(p + 5);
1284  dcerpc->dcerpchdr.packed_drep[2] = *(p + 6);
1285  dcerpc->dcerpchdr.packed_drep[3] = *(p + 7);
1286  if (dcerpc->dcerpchdr.packed_drep[0] & 0x10) {
1287  dcerpc->dcerpchdr.frag_length = *(p + 8);
1288  dcerpc->dcerpchdr.frag_length |= *(p + 9) << 8;
1289  dcerpc->dcerpchdr.auth_length = *(p + 10);
1290  dcerpc->dcerpchdr.auth_length |= *(p + 11) << 8;
1291  dcerpc->dcerpchdr.call_id = (uint32_t) *(p + 12) << 24;
1292  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 13) << 16;
1293  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 14) << 8;
1294  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 15);
1295  } else {
1296  dcerpc->dcerpchdr.frag_length = *(p + 8) << 8;
1297  dcerpc->dcerpchdr.frag_length |= *(p + 9);
1298  dcerpc->dcerpchdr.auth_length = *(p + 10) << 8;
1299  dcerpc->dcerpchdr.auth_length |= *(p + 11);
1300  dcerpc->dcerpchdr.call_id = (uint32_t) *(p + 12);
1301  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 13) << 8;
1302  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 14) << 16;
1303  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p + 15) << 24;
1304  }
1305  dcerpc->bytesprocessed = DCERPC_HDR_LEN;
1306  SCReturnInt(16);
1307  break;
1308  } else {
1309  dcerpc->dcerpchdr.rpc_vers = *(p++);
1310  if (!(--input_len))
1311  break;
1312  }
1313  /* fall through */
1314  case 1:
1315  dcerpc->dcerpchdr.rpc_vers_minor = *(p++);
1316  if ((dcerpc->dcerpchdr.rpc_vers != 5) ||
1317  ((dcerpc->dcerpchdr.rpc_vers_minor != 0) &&
1318  (dcerpc->dcerpchdr.rpc_vers_minor != 1))) {
1319  SCLogDebug("DCERPC Header did not validate");
1320  SCReturnInt(-1);
1321  }
1322  if (!(--input_len))
1323  break;
1324  /* fall through */
1325  case 2:
1326  dcerpc->dcerpchdr.type = *(p++);
1327  SCLogDebug("dcerpc->dcerpchdr.type %02x",
1328  dcerpc->dcerpchdr.type);
1329  if (!(--input_len))
1330  break;
1331  /* fall through */
1332  case 3:
1333  dcerpc->dcerpchdr.pfc_flags = *(p++);
1334  if (!(--input_len))
1335  break;
1336  /* fall through */
1337  case 4:
1338  dcerpc->dcerpchdr.packed_drep[0] = *(p++);
1339  if (!(--input_len))
1340  break;
1341  /* fall through */
1342  case 5:
1343  dcerpc->dcerpchdr.packed_drep[1] = *(p++);
1344  if (!(--input_len))
1345  break;
1346  /* fall through */
1347  case 6:
1348  dcerpc->dcerpchdr.packed_drep[2] = *(p++);
1349  if (!(--input_len))
1350  break;
1351  /* fall through */
1352  case 7:
1353  dcerpc->dcerpchdr.packed_drep[3] = *(p++);
1354  if (!(--input_len))
1355  break;
1356  /* fall through */
1357  case 8:
1358  dcerpc->dcerpchdr.frag_length = *(p++);
1359  if (!(--input_len))
1360  break;
1361  /* fall through */
1362  case 9:
1363  dcerpc->dcerpchdr.frag_length |= *(p++) << 8;
1364  if (!(--input_len))
1365  break;
1366  /* fall through */
1367  case 10:
1368  dcerpc->dcerpchdr.auth_length = *(p++);
1369  if (!(--input_len))
1370  break;
1371  /* fall through */
1372  case 11:
1373  dcerpc->dcerpchdr.auth_length |= *(p++) << 8;
1374  if (!(--input_len))
1375  break;
1376  /* fall through */
1377  case 12:
1378  dcerpc->dcerpchdr.call_id = (uint32_t) *(p++);
1379  if (!(--input_len))
1380  break;
1381  /* fall through */
1382  case 13:
1383  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p++) << 8;
1384  if (!(--input_len))
1385  break;
1386  /* fall through */
1387  case 14:
1388  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p++) << 16;
1389  if (!(--input_len))
1390  break;
1391  /* fall through */
1392  case 15:
1393  dcerpc->dcerpchdr.call_id |= (uint32_t) *(p++) << 24;
1394  if (!(dcerpc->dcerpchdr.packed_drep[0] & 0x10)) {
1397  dcerpc->dcerpchdr.call_id = SCByteSwap32(dcerpc->dcerpchdr.call_id);
1398  }
1399  --input_len;
1400  break;
1401  default:
1402  dcerpc->bytesprocessed++;
1403  SCReturnInt(1);
1404  }
1405  }
1406  dcerpc->bytesprocessed += (p - input);
1407  SCReturnInt((p - input));
1408 }
1409 
1410 static inline void DCERPCResetParsingState(DCERPC *dcerpc)
1411 {
1412  dcerpc->bytesprocessed = 0;
1414 
1415  return;
1416 }
1417 
1418 static inline void DCERPCResetStub(DCERPC *dcerpc)
1419 {
1420  if (dcerpc->dcerpchdr.type == REQUEST) {
1421  SCLogDebug("REQUEST resetting stub");
1422  dcerpc->dcerpcrequest.stub_data_buffer_len = 0;
1423  dcerpc->dcerpcrequest.stub_data_buffer_reset = false;
1424  } else if (dcerpc->dcerpchdr.type == RESPONSE) {
1425  SCLogDebug("RESPONSE resetting stub");
1427  dcerpc->dcerpcresponse.stub_data_buffer_reset = false;
1428  }
1429 
1430  return;
1431 }
1432 
1433 static inline int DCERPCThrowOutExtraData(DCERPC *dcerpc, const uint8_t *input,
1434  uint16_t input_len)
1435 {
1436  int parsed = 0;
1437  /* the function always assumes that
1438  * dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length */
1439  if (input_len > (dcerpc->dcerpchdr.frag_length - dcerpc->bytesprocessed)) {
1440  parsed = dcerpc->dcerpchdr.frag_length - dcerpc->bytesprocessed;
1441  } else {
1442  parsed = input_len;
1443  }
1444  dcerpc->bytesprocessed += parsed;
1445 
1446  return parsed;
1447 }
1448 
1449 /**
1450  * \todo - Currently the parser is very generic. Enable target based
1451  * reassembly.
1452  * - Disable reiniting tailq for mid and last bind/alter_context pdus.
1453  * - Use a PM to search for subsequent 05 00 when we see an inconsistent
1454  * pdu. This should be done for each platform based on how it handles
1455  * a condition where it has receives a segment with 2 pdus, while the
1456  * first pdu in the segment is corrupt.
1457  */
1458 int32_t DCERPCParser(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
1459 {
1460  SCEnter();
1461 
1462  uint32_t retval = 0;
1463  uint32_t parsed = 0;
1464  int hdrretval = 0;
1465 
1466  /* temporary use. we will get rid of this later, once we have ironed out
1467  * all the endless loops cases */
1468  int counter = 0;
1469 
1470  while (input_len) {
1471  /* in case we have any corner cases remainging, we have this */
1472  if (counter++ == 30) {
1473  SCLogDebug("Somehow seem to be stuck inside the dce "
1474  "parser for quite sometime. Let's get out of here.");
1475  DCERPCResetParsingState(dcerpc);
1476  SCReturnInt(0);
1477  }
1478 
1479  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN && input_len) {
1480  hdrretval = DCERPCParseHeader(dcerpc, input + parsed, input_len);
1481  if (hdrretval == -1 || hdrretval > (int32_t)input_len) {
1482  SCLogDebug("Error parsing dce header. Discarding "
1483  "PDU and reseting parsing state to parse next PDU");
1484  /* error parsing pdu header. Let's clear the dce state */
1485  DCERPCResetParsingState(dcerpc);
1486  SCReturnInt(0);
1487  } else {
1488  parsed += hdrretval;
1489  input_len -= hdrretval;
1490  }
1491  }
1492  SCLogDebug("Done with DCERPCParseHeader bytesprocessed %u/%u left %u",
1493  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len);
1494 #if 0
1495  printf("Done with DCERPCParseHeader bytesprocessed %u/%u input_len left %u\n",
1496  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len);
1497  printf("\nDCERPC Version:\t%u\n", dcerpc->dcerpchdr.rpc_vers);
1498  printf("DCERPC Version Minor:\t%u\n", dcerpc->dcerpchdr.rpc_vers_minor);
1499  printf("DCERPC Type:\t%u\n", dcerpc->dcerpchdr.type);
1500  printf("DCERPC Flags:\t0x%02x\n", dcerpc->dcerpchdr.pfc_flags);
1501  printf("DCERPC Packed Drep:\t%02x %02x %02x %02x\n",
1502  dcerpc->dcerpchdr.packed_drep[0], dcerpc->dcerpchdr.packed_drep[1],
1503  dcerpc->dcerpchdr.packed_drep[2], dcerpc->dcerpchdr.packed_drep[3]);
1504  printf("DCERPC Frag Length:\t0x%04x %u\n",
1505  dcerpc->dcerpchdr.frag_length, dcerpc->dcerpchdr.frag_length);
1506  printf("DCERPC Auth Length:\t0x%04x\n", dcerpc->dcerpchdr.auth_length);
1507  printf("DCERPC Call Id:\t0x%08x\n", dcerpc->dcerpchdr.call_id);
1508 #endif
1509 
1510  /* check if we have parsed the entire input passed in the header parser.
1511  * If we have, time to leave */
1512  if (input_len == 0) {
1513  if (dcerpc->bytesprocessed < 10) {
1514 
1515  } else {
1516  if (dcerpc->bytesprocessed >= dcerpc->dcerpchdr.frag_length) {
1517  SCLogDebug("Weird DCE PDU");
1518  DCERPCResetParsingState(dcerpc);
1519  }
1520  }
1521  SCReturnInt(parsed);
1522  }
1523  switch (dcerpc->dcerpchdr.type) {
1524  case BIND:
1525  case ALTER_CONTEXT:
1526  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 12
1527  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
1528  && input_len) {
1529  retval = DCERPCParseBIND(dcerpc, input + parsed, input_len);
1530  if (retval && retval <= input_len) {
1531  parsed += retval;
1532  input_len -= retval;
1533  } else if (input_len) {
1534  SCLogDebug("Error Parsing DCERPC %s PDU",
1535  (dcerpc->dcerpchdr.type == BIND) ?
1536  "BIND" : "ALTER_CONTEXT");
1537  parsed = 0;
1538  (void)parsed; /* for scan-build */
1539  input_len = 0;
1540  (void)input_len; /* for scan-build */
1541  DCERPCResetParsingState(dcerpc);
1542  SCReturnInt(0);
1543  }
1544  }
1545  SCLogDebug("Done with DCERPCParseBIND bytesprocessed %u/%u numctxitems %u",
1546  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length,
1547  dcerpc->dcerpcbindbindack.numctxitems);
1548  while (dcerpc->dcerpcbindbindack.numctxitemsleft && dcerpc->bytesprocessed
1549  < dcerpc->dcerpchdr.frag_length && input_len) {
1550  retval = DCERPCParseBINDCTXItem(dcerpc, input + parsed, input_len);
1551  if (retval && retval <= input_len) {
1552  if (dcerpc->dcerpcbindbindack.ctxbytesprocessed == 44) {
1554  }
1555  parsed += retval;
1556  input_len -= retval;
1557  SCLogDebug("BIND processed %u/%u ctxitems %u/%u input_len left %u\n",
1558  dcerpc->bytesprocessed,
1559  dcerpc->dcerpchdr.frag_length,
1561  dcerpc->dcerpcbindbindack.numctxitems, input_len);
1562  } else if (input_len) {
1563  //parsed -= input_len;
1564  SCLogDebug("Error Parsing CTX Item %u\n", parsed);
1565  parsed = 0;
1566  (void)parsed; /* for scan-build */
1567  input_len = 0;
1568  (void)input_len; /* for scan-build */
1569  dcerpc->dcerpcbindbindack.numctxitemsleft = 0;
1570  DCERPCResetParsingState(dcerpc);
1571  SCReturnInt(0);
1572  }
1573  }
1574  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1575  DCERPCResetParsingState(dcerpc);
1576  } else if (dcerpc->bytesprocessed > dcerpc->dcerpchdr.frag_length) {
1577  DCERPCResetParsingState(dcerpc);
1578  SCReturnInt(0);
1579  } else {
1580  /* temporary fix */
1581  if (input_len) {
1582  retval = DCERPCThrowOutExtraData(dcerpc, input + parsed,
1583  input_len);
1584  if (retval && retval <= input_len) {
1585  input_len -= retval;
1586  parsed += retval;
1587  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1588  DCERPCResetParsingState(dcerpc);
1589  }
1590  } else {
1591  SCLogDebug("Error Parsing DCERPC");
1592  parsed = 0;
1593  (void)parsed; /* for scan-build */
1594  input_len = 0;
1595  (void)input_len; /* for scan-build */
1596  DCERPCResetParsingState(dcerpc);
1597  SCReturnInt(0);
1598  }
1599  }
1600  }
1601  break;
1602 
1603  case BIND_ACK:
1604  case ALTER_CONTEXT_RESP:
1605  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 9
1606  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
1607  && input_len) {
1608  retval = DCERPCParseBINDACK(dcerpc, input + parsed, input_len);
1609  if (retval && retval <= input_len) {
1610  parsed += retval;
1611  input_len -= retval;
1612  SCLogDebug("DCERPCParseBINDACK processed %u/%u input_len left %u",
1613  dcerpc->bytesprocessed,
1614  dcerpc->dcerpchdr.frag_length, input_len);
1615  } else if (input_len) {
1616  SCLogDebug("Error parsing %s\n",
1617  (dcerpc->dcerpchdr.type == BIND_ACK) ?
1618  "BIND_ACK" : "ALTER_CONTEXT_RESP");
1619  parsed = 0;
1620  (void)parsed; /* for scan-build */
1621  input_len = 0;
1622  (void)input_len; /* for scan-build */
1623  DCERPCResetParsingState(dcerpc);
1624  SCReturnInt(0);
1625  }
1626  }
1627 
1628  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 10
1630  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) {
1631  retval = DCERPCParseSecondaryAddr(dcerpc, input + parsed, input_len);
1632  if (retval && retval <= input_len) {
1633  parsed += retval;
1634  input_len -= retval;
1635  SCLogDebug("DCERPCParseSecondaryAddr %u/%u left %u secondaryaddr len(%u)",
1636  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len,
1638  } else if (input_len) {
1639  SCLogDebug("Error parsing Secondary Address");
1640  parsed = 0;
1641  (void)parsed; /* for scan-build */
1642  input_len = 0;
1643  (void)input_len; /* for scan-build */
1644  DCERPCResetParsingState(dcerpc);
1645  SCReturnInt(0);
1646  }
1647  }
1648 
1649  if (dcerpc->bytesprocessed == DCERPC_HDR_LEN + 10
1650  + dcerpc->dcerpcbindbindack.secondaryaddrlen) {
1651  if (dcerpc->bytesprocessed % 4) {
1652  dcerpc->pad = (4 - dcerpc->bytesprocessed % 4);
1653  dcerpc->padleft = dcerpc->pad;
1654  }
1655  }
1656 
1657  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 10
1658  + dcerpc->dcerpcbindbindack.secondaryaddrlen + dcerpc->pad
1659  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) {
1660  retval = PaddingParser(dcerpc, input + parsed, input_len);
1661  if (retval && retval <= input_len) {
1662  parsed += retval;
1663  input_len -= retval;
1664  SCLogDebug("PaddingParser %u/%u left %u pad(%u)",
1665  dcerpc->bytesprocessed, dcerpc->dcerpchdr.frag_length, input_len,
1666  dcerpc->pad);
1667  } else if (input_len) {
1668  SCLogDebug("Error parsing DCERPC Padding");
1669  parsed = 0;
1670  (void)parsed; /* for scan-build */
1671  input_len = 0;
1672  (void)input_len; /* for scan-build */
1673  DCERPCResetParsingState(dcerpc);
1674  SCReturnInt(0);
1675  }
1676  }
1677 
1678  while (dcerpc->bytesprocessed >= DCERPC_HDR_LEN + 10 + dcerpc->pad
1680  < DCERPC_HDR_LEN + 14 + dcerpc->pad + dcerpc->dcerpcbindbindack.secondaryaddrlen
1681  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length && input_len) {
1682  retval = DCERPCGetCTXItems(dcerpc, input + parsed, input_len);
1683  if (retval && retval <= input_len) {
1684  parsed += retval;
1685  input_len -= retval;
1686  SCLogDebug("DCERPCGetCTXItems %u/%u (%u)", dcerpc->bytesprocessed,
1688  } else if (input_len) {
1689  SCLogDebug("Error parsing CTX Items");
1690  parsed = 0;
1691  (void)parsed; /* for scan-build */
1692  input_len = 0;
1693  (void)input_len; /* for scan-build */
1694  DCERPCResetParsingState(dcerpc);
1695  SCReturnInt(0);
1696  }
1697  }
1698 
1699  if (dcerpc->bytesprocessed == DCERPC_HDR_LEN + 14 + dcerpc->pad
1700  + dcerpc->dcerpcbindbindack.secondaryaddrlen) {
1702  }
1703 
1704  while (dcerpc->dcerpcbindbindack.numctxitemsleft && dcerpc->bytesprocessed
1705  < dcerpc->dcerpchdr.frag_length && input_len) {
1706  retval = DCERPCParseBINDACKCTXItem(dcerpc, input + parsed, input_len);
1707  if (retval && retval <= input_len) {
1708  if (dcerpc->dcerpcbindbindack.ctxbytesprocessed == 24) {
1710  }
1711  parsed += retval;
1712  input_len -= retval;
1713  } else if (input_len) {
1714  SCLogDebug("Error parsing CTX Items");
1715  parsed = 0;
1716  (void)parsed; /* for scan-build */
1717  input_len = 0;
1718  (void)input_len; /* for scan-build */
1719  dcerpc->dcerpcbindbindack.numctxitemsleft = 0;
1720  DCERPCResetParsingState(dcerpc);
1721  SCReturnInt(0);
1722  }
1723  }
1724  SCLogDebug("BINDACK processed %u/%u input_len left %u",
1725  dcerpc->bytesprocessed,
1726  dcerpc->dcerpchdr.frag_length, input_len);
1727 
1728  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1729  /* response and request done */
1730  if (dcerpc->dcerpchdr.type == BIND_ACK) {
1731  /* update transaction id */
1732  dcerpc->transaction_id++;
1733  SCLogDebug("transaction_id updated to %"PRIu16,
1734  dcerpc->transaction_id);
1735  }
1736  DCERPCResetParsingState(dcerpc);
1737  } else if (dcerpc->bytesprocessed > dcerpc->dcerpchdr.frag_length) {
1738  DCERPCResetParsingState(dcerpc);
1739  SCReturnInt(0);
1740  } else {
1741  /* temporary fix */
1742  if (input_len) {
1743  retval = DCERPCThrowOutExtraData(dcerpc, input + parsed,
1744  input_len);
1745  if (retval && retval <= input_len) {
1746  input_len -= retval;
1747  parsed += retval;
1748  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1749  DCERPCResetParsingState(dcerpc);
1750  }
1751  } else {
1752  SCLogDebug("Error Parsing DCERPC");
1753  parsed = 0;
1754  (void)parsed; /* for scan-build */
1755  input_len = 0;
1756  (void)input_len; /* for scan-build */
1757  DCERPCResetParsingState(dcerpc);
1758  SCReturnInt(0);
1759  }
1760  }
1761  }
1762  break;
1763 
1764  case REQUEST:
1765  case RESPONSE:
1766  SCLogDebug("parsing DCERPC %s",
1767  (dcerpc->dcerpchdr.type == REQUEST) ? "REQUEST" : "RESPONSE");
1768  if ((dcerpc->dcerpchdr.type == REQUEST &&
1770  (dcerpc->dcerpchdr.type == RESPONSE &&
1772  {
1773  DCERPCResetStub(dcerpc);
1774  }
1775 
1776  while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 8
1777  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
1778  && input_len) {
1779  retval = DCERPCParseREQUEST(dcerpc, input + parsed, input_len);
1780  if (retval && retval <= input_len) {
1781  parsed += retval;
1782  input_len -= retval;
1783  dcerpc->padleft = dcerpc->dcerpchdr.frag_length - dcerpc->bytesprocessed;
1784  } else if (input_len) {
1785  SCLogDebug("Error parsing DCERPC %s",
1786  (dcerpc->dcerpchdr.type == REQUEST) ? "REQUEST" : "RESPONSE");
1787  parsed = 0;
1788  (void)parsed; /* for scan-build */
1789  dcerpc->padleft = 0;
1790  input_len = 0;
1791  (void)input_len; /* for scan-build */
1792  DCERPCResetParsingState(dcerpc);
1793  SCReturnInt(0);
1794  }
1795  }
1796 
1797  while (dcerpc->bytesprocessed >= DCERPC_HDR_LEN + 8
1798  && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
1799  && dcerpc->padleft && input_len) {
1800  retval = StubDataParser(dcerpc, input + parsed, input_len);
1801  if (retval && retval <= input_len) {
1802  parsed += retval;
1803  input_len -= retval;
1804  } else if (input_len) {
1805  SCLogDebug("Error parsing DCERPC Stub Data");
1806  parsed = 0;
1807  (void)parsed; /* for scan-build */
1808  input_len = 0;
1809  (void)input_len; /* for scan-build */
1810  DCERPCResetParsingState(dcerpc);
1811  SCReturnInt(0);
1812  }
1813  }
1814 
1815  if (dcerpc->dcerpchdr.type == REQUEST) {
1816  SCLogDebug("REQUEST processed %u frag length %u opnum %u input_len %u", dcerpc->bytesprocessed,
1817  dcerpc->dcerpchdr.frag_length, dcerpc->dcerpcrequest.opnum, input_len);
1818  } else {
1819  SCLogDebug("RESPONSE processed %u frag length %u opnum %u input_len %u", dcerpc->bytesprocessed,
1820  dcerpc->dcerpchdr.frag_length, dcerpc->dcerpcrequest.opnum, input_len);
1821  }
1822 
1823  /* don't see how we could break the parser for request pdus, by
1824  * pusing bytesprocessed beyond frag_length. Let's have the
1825  * check anyways */
1826  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1827  DCERPCResetParsingState(dcerpc);
1828  } else if (dcerpc->bytesprocessed > dcerpc->dcerpchdr.frag_length) {
1829  DCERPCResetParsingState(dcerpc);
1830  SCReturnInt(0);
1831  } else {
1832  /* temporary fix */
1833  if (input_len) {
1834  retval = DCERPCThrowOutExtraData(dcerpc, input + parsed,
1835  input_len);
1836  if (retval && retval <= input_len) {
1837  input_len -= retval;
1838  parsed += retval;
1839  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1840  DCERPCResetParsingState(dcerpc);
1841  }
1842  } else {
1843  SCLogDebug("Error Parsing DCERPC");
1844  parsed = 0;
1845  (void)parsed; /* for scan-build */
1846  input_len = 0;
1847  (void)input_len; /* for scan-build */
1848  DCERPCResetParsingState(dcerpc);
1849  SCReturnInt(0);
1850  }
1851  }
1852  }
1853 
1854  /* response and request done */
1855  if (dcerpc->dcerpchdr.type == RESPONSE) {
1856  /* update transaction id */
1857  dcerpc->transaction_id++;
1858  SCLogDebug("transaction_id updated to %"PRIu16,
1859  dcerpc->transaction_id);
1860  }
1861  break;
1862 
1863  default:
1864  SCLogDebug("DCERPC Type 0x%02x not implemented yet", dcerpc->dcerpchdr.type);
1865  retval = DCERPCThrowOutExtraData(dcerpc, input + parsed,
1866  input_len);
1867  if (retval && retval <= input_len) {
1868  input_len -= retval;
1869  parsed += retval;
1870  if (dcerpc->bytesprocessed == dcerpc->dcerpchdr.frag_length) {
1871  DCERPCResetParsingState(dcerpc);
1872  }
1873  } else {
1874  SCLogDebug("Error Parsing DCERPC");
1875  parsed = 0;
1876  (void)parsed; /* for scan-build */
1877  input_len = 0;
1878  (void)input_len; /* for scan-build */
1879  DCERPCResetParsingState(dcerpc);
1880  SCReturnInt(0);
1881  }
1882  break;
1883  }
1884  }
1885 
1886  SCReturnInt(parsed);
1887 }
1888 
1889 static int DCERPCParse(Flow *f, void *dcerpc_state,
1890  AppLayerParserState *pstate,
1891  const uint8_t *input, uint32_t input_len,
1892  void *local_data, int dir)
1893 {
1894  SCEnter();
1895 
1896  int32_t retval = 0;
1897  DCERPCState *sstate = (DCERPCState *) dcerpc_state;
1898 
1899  if (input == NULL && AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
1900  SCReturnInt(1);
1901  } else if (input == NULL || input_len == 0) {
1902  SCReturnInt(-1);
1903  }
1904 
1905  if (sstate->dcerpc.bytesprocessed != 0 && sstate->data_needed_for_dir != dir) {
1906  SCReturnInt(-1);
1907  }
1908 
1909  retval = DCERPCParser(&sstate->dcerpc, input, input_len);
1910  if (retval == -1) {
1911  SCReturnInt(0);
1912  }
1913 
1914  sstate->data_needed_for_dir = dir;
1915 
1916  if (pstate == NULL)
1917  SCReturnInt(-1);
1918 
1919  SCReturnInt(1);
1920 }
1921 
1922 static int DCERPCParseRequest(Flow *f, void *dcerpc_state,
1923  AppLayerParserState *pstate,
1924  const uint8_t *input, uint32_t input_len,
1925  void *local_data, const uint8_t flags)
1926 {
1927  return DCERPCParse(f, dcerpc_state, pstate, input, input_len,
1928  local_data, 0);
1929 }
1930 
1931 static int DCERPCParseResponse(Flow *f, void *dcerpc_state,
1932  AppLayerParserState *pstate,
1933  const uint8_t *input, uint32_t input_len,
1934  void *local_data, const uint8_t flags)
1935 {
1936  return DCERPCParse(f, dcerpc_state, pstate, input, input_len,
1937  local_data, 1);
1938 }
1939 
1940 void DCERPCInit(DCERPC *dcerpc)
1941 {
1942  dcerpc->transaction_id = 1;
1943 
1946 }
1947 
1948 static void *DCERPCStateAlloc(void)
1949 {
1950  SCEnter();
1951 
1952  DCERPCState *s = SCCalloc(1, sizeof(DCERPCState));
1953  if (unlikely(s == NULL)) {
1954  SCReturnPtr(NULL, "void");
1955  }
1956 
1957  DCERPCInit(&s->dcerpc);
1958 
1959  SCReturnPtr((void *)s, "void");
1960 }
1961 
1962 void DCERPCUuidListFree(DCERPCUuidEntryList *list)
1963 {
1964  DCERPCUuidEntry *entry;
1965 
1966  while ((entry = TAILQ_FIRST(list))) {
1967  TAILQ_REMOVE(list, entry, next);
1968  SCFree(entry);
1969  }
1970 }
1971 
1972 void DCERPCCleanup(DCERPC *dcerpc)
1973 {
1976 
1977  if (dcerpc->dcerpcrequest.stub_data_buffer != NULL) {
1979  dcerpc->dcerpcrequest.stub_data_buffer = NULL;
1980  dcerpc->dcerpcrequest.stub_data_buffer_len = 0;
1981  }
1982  if (dcerpc->dcerpcresponse.stub_data_buffer != NULL) {
1984  dcerpc->dcerpcresponse.stub_data_buffer = NULL;
1986  }
1987 }
1988 
1989 static void DCERPCStateFree(void *s)
1990 {
1991  DCERPCState *sstate = (DCERPCState *) s;
1992 
1993  DCERPCCleanup(&sstate->dcerpc);
1994 
1995  if (sstate->de_state != NULL) {
1997  }
1998 
1999  SCFree(s);
2000 }
2001 
2002 static int DCERPCSetTxDetectState(void *vtx, DetectEngineState *de_state)
2003 {
2004  DCERPCState *dce_state = (DCERPCState *)vtx;
2005  dce_state->de_state = de_state;
2006  return 0;
2007 }
2008 
2009 static DetectEngineState *DCERPCGetTxDetectState(void *vtx)
2010 {
2011  DCERPCState *dce_state = (DCERPCState *)vtx;
2012  return dce_state->de_state;
2013 }
2014 
2015 static void DCERPCStateTransactionFree(void *state, uint64_t tx_id)
2016 {
2017  /* do nothing */
2018 }
2019 
2020 static void *DCERPCGetTx(void *state, uint64_t tx_id)
2021 {
2022  DCERPCState *dce_state = (DCERPCState *)state;
2023  return dce_state;
2024 }
2025 
2026 static uint64_t DCERPCGetTxCnt(void *state)
2027 {
2028  /* single tx */
2029  return 1;
2030 }
2031 
2032 static int DCERPCGetAlstateProgressCompletionStatus(uint8_t direction)
2033 {
2034  return 1;
2035 }
2036 
2037 static int DCERPCGetAlstateProgress(void *tx, uint8_t direction)
2038 {
2039  return 0;
2040 }
2041 
2042 static void DCERPCSetTxDetectFlags(void *vtx, uint8_t dir, uint64_t flags)
2043 {
2044  DCERPCState *dcerpc_state = (DCERPCState *)vtx;
2045  if (dir & STREAM_TOSERVER) {
2046  dcerpc_state->detect_flags_ts = flags;
2047  } else {
2048  dcerpc_state->detect_flags_tc = flags;
2049  }
2050 }
2051 
2052 static uint64_t DCERPCGetTxDetectFlags(void *vtx, uint8_t dir)
2053 {
2054  DCERPCState *dcerpc_state = (DCERPCState *)vtx;
2055  if (dir & STREAM_TOSERVER) {
2056  return dcerpc_state->detect_flags_ts;
2057  } else {
2058  return dcerpc_state->detect_flags_tc;
2059  }
2060 }
2061 
2062 static int DCERPCRegisterPatternsForProtocolDetection(void)
2063 {
2065  "|05 00|", 2, 0, STREAM_TOSERVER) < 0)
2066  {
2067  return -1;
2068  }
2070  "|05 00|", 2, 0, STREAM_TOCLIENT) < 0)
2071  {
2072  return -1;
2073  }
2074 
2075  return 0;
2076 }
2077 
2079 {
2080  const char *proto_name = "dcerpc";
2081 
2082  if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
2084  if (DCERPCRegisterPatternsForProtocolDetection() < 0)
2085  return;
2086  } else {
2087  SCLogInfo("Protocol detection and parser disabled for %s protocol.",
2088  proto_name);
2089  return;
2090  }
2091 
2092  if (AppLayerParserConfParserEnabled("tcp", proto_name)) {
2094  DCERPCParseRequest);
2096  DCERPCParseResponse);
2097  AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCStateAlloc,
2098  DCERPCStateFree);
2100 
2101 
2102  AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCStateTransactionFree);
2103 
2105  DCERPCGetTxDetectState, DCERPCSetTxDetectState);
2106 
2107  AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetTx);
2108 
2109  AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetTxCnt);
2110 
2111  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_DCERPC, DCERPCGetAlstateProgress);
2112 
2114  DCERPCGetAlstateProgressCompletionStatus);
2116  DCERPCGetTxDetectFlags, DCERPCSetTxDetectFlags);
2117  } else {
2118  SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
2119  "still on.", proto_name);
2120  }
2121 #ifdef UNITTESTS
2123 #endif
2124 
2125  return;
2126 }
2127 
2128 /* UNITTESTS */
2129 #ifdef UNITTESTS
2130 /** \test DCERPC Header Parsing and BIND / BIND_ACK multiple UUID handling
2131 */
2132 
2133 /* set this to 1 to see problem */
2134 
2135 static int DCERPCParserTest01(void)
2136 {
2137  int result = 1;
2138  Flow f;
2139  uint8_t dcerpcbind[] = {
2140  0x05, 0x00,
2141  0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04,
2142  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16,
2143  0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00,
2144  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0,
2145  0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f,
2146  0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00,
2147  0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2148  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2149  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00,
2150  0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b,
2151  0x06, 0xac, 0x1b, 0xf0, 0xf5, 0xb7, 0xa7, 0xf7,
2152  0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
2153  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2154  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2155  0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2,
2156  0x10, 0xd1, 0xd0, 0x0c, 0xcc, 0x3d, 0x2f, 0x80,
2157  0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00,
2158  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2159  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2160  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00,
2161  0x01, 0x00, 0xde, 0x85, 0x70, 0xc4, 0x02, 0x7c,
2162  0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36,
2163  0x79, 0x17, 0x01, 0x00, 0x02, 0x00, 0x04, 0x5d,
2164  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2165  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2166  0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x41, 0x65,
2167  0x29, 0x51, 0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37,
2168  0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed, 0x05, 0x00,
2169  0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2170  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2171  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00,
2172  0x01, 0x00, 0x14, 0x96, 0x80, 0x01, 0x2e, 0x78,
2173  0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa,
2174  0x02, 0xfb, 0x06, 0x00, 0x00, 0x00, 0x04, 0x5d,
2175  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2176  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2177  0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x3b, 0x04,
2178  0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55,
2179  0xcd, 0xe7, 0x39, 0xaf, 0x98, 0x9f, 0x03, 0x00,
2180  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2181  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2182  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00,
2183  0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25,
2184  0x92, 0x55, 0xdd, 0xae, 0x9e, 0x5b, 0x3e, 0x93,
2185  0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d,
2186  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2187  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2188  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4,
2189  0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f, 0x14, 0xcc,
2190  0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00,
2191  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2192  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2193  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00,
2194  0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55,
2195  0x6f, 0x5d, 0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17,
2196  0x52, 0x8d, 0x06, 0x00, 0x03, 0x00, 0x04, 0x5d,
2197  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2198  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2199  0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17,
2200  0x55, 0x0c, 0xf4, 0x23, 0x3c, 0xca, 0xe6, 0xa0,
2201  0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00,
2202  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2203  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2204  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00,
2205  0x01, 0x00, 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1,
2206  0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9,
2207  0x2e, 0xf5, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d,
2208  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2209  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2210  0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xc9, 0x9f,
2211  0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78,
2212  0xe1, 0x13, 0x70, 0x05, 0x38, 0x4d, 0x01, 0x00,
2213  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2214  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2215  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00,
2216  0x01, 0x00, 0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6,
2217  0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7, 0xf8, 0x56,
2218  0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
2219  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2220  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2221  0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0xee, 0x99,
2222  0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa,
2223  0xfd, 0x26, 0x57, 0x02, 0xf1, 0xce, 0x03, 0x00,
2224  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2225  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2226  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x00,
2227  0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b,
2228  0xba, 0xe4, 0xd3, 0x17, 0x41, 0x60, 0x6d, 0x2d,
2229  0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d,
2230  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2231  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2232  0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24,
2233  0x03, 0x9a, 0xa9, 0x99, 0xfb, 0xbe, 0x49, 0x11,
2234  0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00,
2235  0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2236  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2237  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00,
2238  0x01, 0x00, 0x32, 0x04, 0x7e, 0xae, 0xec, 0x28,
2239  0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d,
2240  0xc6, 0x65, 0x02, 0x00, 0x03, 0x00, 0x04, 0x5d,
2241  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2242  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2243  0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4,
2244  0x81, 0x48, 0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e,
2245  0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6, 0x03, 0x00,
2246  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2247  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2248  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00,
2249  0x01, 0x00, 0xcb, 0xae, 0xb3, 0xc0, 0x0c, 0xf4,
2250  0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70,
2251  0x89, 0x02, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d,
2252  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2253  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2254  0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0xb8, 0xd0,
2255  0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6,
2256  0x7d, 0x08, 0x0d, 0x33, 0x73, 0x18, 0x02, 0x00,
2257  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2258  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2259  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x15, 0x00,
2260  0x01, 0x00, 0x21, 0xd3, 0xaa, 0x09, 0x03, 0xa7,
2261  0x0b, 0xc2, 0x06, 0x45, 0xd9, 0x6c, 0x75, 0xc2,
2262  0x15, 0xa8, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d,
2263  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2264  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2265  0x00, 0x00, 0x16, 0x00, 0x01, 0x00, 0xe1, 0xbd,
2266  0x59, 0xfc, 0xbc, 0xa9, 0x95, 0xc2, 0x68, 0x79,
2267  0xf3, 0x75, 0xe0, 0xae, 0x6c, 0xe5, 0x04, 0x00,
2268  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2269  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2270  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x17, 0x00,
2271  0x01, 0x00, 0x06, 0x52, 0xb4, 0x71, 0x70, 0x15,
2272  0x4e, 0xf5, 0x7f, 0x08, 0x86, 0x14, 0xe6, 0x17,
2273  0xd5, 0x97, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d,
2274  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2275  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2276  0x00, 0x00};
2277 
2278  uint8_t dcerpcbindack[] = {
2279  0x05, 0x00, 0x0c, 0x03,
2280  0x10, 0x00, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00,
2281  0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10,
2282  0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50,
2283  0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73,
2284  0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00,
2285  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2286  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2287  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2288  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2289  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2290  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2291  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2292  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2293  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2294  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2295  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2296  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2297  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2298  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2299  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2300  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2301  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2302  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2303  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2304  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2305  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2306  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2307  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2308  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2309  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2310  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2311  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2312  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2313  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2314  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2315  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2316  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2317  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2318  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2319  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2320  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2321  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2322  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2323  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2324  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2325  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2326  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2327  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2328  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2329  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2330  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2331  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2332  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2333  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2334  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2335  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2336  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2337  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2338  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2339  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2340  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2341  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2342  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2343  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2344  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2345  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2346  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2347  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2348  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2349  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2350  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2351  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2352  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2353  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2354  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2355  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2356  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
2357 
2358  uint8_t dcerpcrequest[] = {
2359  0x05, 0x00, 0x00, 0x00, 0x10,
2360  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
2361  0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0b,
2362  0x00, 0x09, 0x00, 0x45, 0x00, 0x2c, 0x00, 0x4d,
2363  0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a,
2364  0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58,
2365  0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41,
2366  0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48,
2367  0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60,
2368  0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b,
2369  0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24,
2370  0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68,
2371  0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c,
2372  0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61,
2373  0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d,
2374  0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67,
2375  0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45,
2376  0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c,
2377  0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e,
2378  0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73,
2379  0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e,
2380  0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41,
2381  0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71,
2382  0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35,
2383  0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37,
2384  0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37,
2385  0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69,
2386  0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72,
2387  0x00, 0x4b, 0x00, 0x5c, 0x00, 0x74, 0x00, 0x3e,
2388  0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31,
2389  0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b,
2390  0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e,
2391  0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f,
2392  0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59,
2393  0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e,
2394  0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79,
2395  0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49,
2396  0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72,
2397  0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24,
2398  0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27,
2399  0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e,
2400  0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28,
2401  0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64,
2402  0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30,
2403  0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e,
2404  0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52,
2405  0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56,
2406  0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30,
2407  0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38,
2408  0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42,
2409  0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c,
2410  0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f,
2411  0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41,
2412  0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27,
2413  0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30,
2414  0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e,
2415  0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72,
2416  0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b,
2417  0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b,
2418  0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56,
2419  0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61,
2420  0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58,
2421  0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b,
2422  0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52,
2423  0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65,
2424  0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74,
2425  0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61,
2426  0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a,
2427  0x00, 0x74, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x68,
2428  0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f,
2429  0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32,
2430  0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f,
2431  0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51,
2432  0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48,
2433  0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25,
2434  0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32,
2435  0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40,
2436  0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50,
2437  0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38,
2438  0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c,
2439  0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a,
2440  0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76,
2441  0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75,
2442  0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33,
2443  0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71,
2444  0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67,
2445  0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b,
2446  0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23,
2447  0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51,
2448  0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b,
2449  0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65,
2450  0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f,
2451  0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a,
2452  0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f,
2453  0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59,
2454  0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46,
2455  0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e,
2456  0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45,
2457  0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e,
2458  0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75,
2459  0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29,
2460  0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78,
2461  0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b,
2462  0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f,
2463  0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68,
2464  0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53,
2465  0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36,
2466  0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75,
2467  0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00, 0x55,
2468  0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73,
2469  0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e,
2470  0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d,
2471  0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f,
2472  0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63,
2473  0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61,
2474  0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c,
2475  0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b,
2476  0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37,
2477  0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a,
2478  0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a,
2479  0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a,
2480  0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b,
2481  0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c,
2482  0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b,
2483  0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22,
2484  0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44,
2485  0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c,
2486  0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70,
2487  0x00, 0x69, 0x00};
2488  uint32_t requestlen = sizeof(dcerpcrequest);
2489 
2490  uint32_t bindlen = sizeof(dcerpcbind);
2491  uint32_t bindacklen = sizeof(dcerpcbindack);
2492  TcpSession ssn;
2493  DCERPCUuidEntry *uuid_entry;
2495 
2496  memset(&f, 0, sizeof(f));
2497  memset(&ssn, 0, sizeof(ssn));
2498 
2499  FLOW_INITIALIZE(&f);
2500  f.protoctx = (void *)&ssn;
2501  f.proto = IPPROTO_TCP;
2502  f.alproto = ALPROTO_DCERPC;
2503 
2505 
2506  FLOWLOCK_WRLOCK(&f);
2507  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2508  STREAM_TOSERVER | STREAM_START, dcerpcbind,
2509  bindlen);
2510  if (r != 0) {
2511  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2512  result = 0;
2513  FLOWLOCK_UNLOCK(&f);
2514  goto end;
2515  }
2516  FLOWLOCK_UNLOCK(&f);
2517 
2518  DCERPCState *dcerpc_state = f.alstate;
2519  if (dcerpc_state == NULL) {
2520  printf("no dcerpc state: ");
2521  result = 0;
2522  goto end;
2523  }
2524 
2525  if (dcerpc_state->dcerpc.dcerpchdr.rpc_vers != 5) {
2526  printf("expected dcerpc version 0x05, got 0x%02x : ",
2527  dcerpc_state->dcerpc.dcerpchdr.rpc_vers);
2528  result = 0;
2529  goto end;
2530  }
2531 
2532  if (dcerpc_state->dcerpc.dcerpchdr.type != BIND) {
2533  printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND, dcerpc_state->dcerpc.dcerpchdr.type);
2534  result = 0;
2535  goto end;
2536  }
2537 
2538  if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1084) {
2539  printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1084, dcerpc_state->dcerpc.dcerpchdr.frag_length);
2540  result = 0;
2541  goto end;
2542  }
2543 
2544  FLOWLOCK_WRLOCK(&f);
2545  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2546  STREAM_TOCLIENT, dcerpcbindack, bindacklen);
2547  if (r != 0) {
2548  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2549  result = 0;
2550  FLOWLOCK_UNLOCK(&f);
2551  goto end;
2552  }
2553  FLOWLOCK_UNLOCK(&f);
2554  if (dcerpc_state->dcerpc.dcerpchdr.type != BIND_ACK) {
2555  printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND_ACK, dcerpc_state->dcerpc.dcerpchdr.type);
2556  result = 0;
2557  goto end;
2558  }
2559 
2560  if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 620) {
2561  printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 620, dcerpc_state->dcerpc.dcerpchdr.frag_length);
2562  result = 0;
2563  goto end;
2564  }
2565  TAILQ_FOREACH(uuid_entry, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
2566  printUUID("BIND_ACK", uuid_entry);
2567  }
2568 
2569  FLOWLOCK_WRLOCK(&f);
2570  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2571  STREAM_TOSERVER | STREAM_EOF, dcerpcrequest,
2572  requestlen);
2573  if (r != 0) {
2574  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2575  result = 0;
2576  FLOWLOCK_UNLOCK(&f);
2577  goto end;
2578  }
2579  FLOWLOCK_UNLOCK(&f);
2580  if (dcerpc_state->dcerpc.dcerpchdr.type != REQUEST) {
2581  printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.dcerpchdr.type);
2582  result = 0;
2583  goto end;
2584  }
2585 end:
2586  if (alp_tctx != NULL)
2587  AppLayerParserThreadCtxFree(alp_tctx);
2589  FLOW_DESTROY(&f);
2590  return result;
2591 }
2592 
2593 /** \test DCERPC Request decoding and opnum parsing.
2594 */
2595 static int DCERPCParserTest02(void)
2596 {
2597  int result = 1;
2598  Flow f;
2599  uint8_t dcerpcrequest[] = {
2600  0x05, 0x00, 0x00, 0x00, 0x10,
2601  0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
2602  0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0b,
2603  0x00, 0x09, 0x00, 0x45, 0x00, 0x2c, 0x00, 0x4d,
2604  0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a,
2605  0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58,
2606  0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41,
2607  0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48,
2608  0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60,
2609  0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b,
2610  0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24,
2611  0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68,
2612  0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c,
2613  0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61,
2614  0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d,
2615  0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67,
2616  0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45,
2617  0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c,
2618  0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e,
2619  0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73,
2620  0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e,
2621  0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41,
2622  0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71,
2623  0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35,
2624  0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37,
2625  0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37,
2626  0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69,
2627  0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72,
2628  0x00, 0x4b, 0x00, 0x5c, 0x00, 0x74, 0x00, 0x3e,
2629  0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31,
2630  0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b,
2631  0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e,
2632  0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f,
2633  0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59,
2634  0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e,
2635  0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79,
2636  0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49,
2637  0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72,
2638  0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24,
2639  0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27,
2640  0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e,
2641  0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28,
2642  0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64,
2643  0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30,
2644  0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e,
2645  0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52,
2646  0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56,
2647  0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30,
2648  0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38,
2649  0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42,
2650  0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c,
2651  0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f,
2652  0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41,
2653  0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27,
2654  0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30,
2655  0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e,
2656  0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72,
2657  0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b,
2658  0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b,
2659  0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56,
2660  0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61,
2661  0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58,
2662  0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b,
2663  0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52,
2664  0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65,
2665  0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74,
2666  0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61,
2667  0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a,
2668  0x00, 0x74, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x68,
2669  0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f,
2670  0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32,
2671  0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f,
2672  0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51,
2673  0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48,
2674  0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25,
2675  0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32,
2676  0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40,
2677  0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50,
2678  0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38,
2679  0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c,
2680  0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a,
2681  0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76,
2682  0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75,
2683  0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33,
2684  0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71,
2685  0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67,
2686  0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b,
2687  0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23,
2688  0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51,
2689  0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b,
2690  0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65,
2691  0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f,
2692  0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a,
2693  0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f,
2694  0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59,
2695  0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46,
2696  0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e,
2697  0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45,
2698  0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e,
2699  0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75,
2700  0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29,
2701  0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78,
2702  0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b,
2703  0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f,
2704  0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68,
2705  0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53,
2706  0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36,
2707  0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75,
2708  0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00, 0x55,
2709  0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73,
2710  0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e,
2711  0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d,
2712  0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f,
2713  0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63,
2714  0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61,
2715  0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c,
2716  0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b,
2717  0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37,
2718  0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a,
2719  0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a,
2720  0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a,
2721  0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b,
2722  0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c,
2723  0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b,
2724  0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22,
2725  0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44,
2726  0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c,
2727  0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70,
2728  0x00, 0x69, 0x00};
2729  uint32_t requestlen = sizeof(dcerpcrequest);
2730 
2731  TcpSession ssn;
2733 
2734  memset(&f, 0, sizeof(f));
2735  memset(&ssn, 0, sizeof(ssn));
2736 
2737  FLOW_INITIALIZE(&f);
2738  f.protoctx = (void *)&ssn;
2739  f.proto = IPPROTO_TCP;
2740  f.alproto = ALPROTO_DCERPC;
2741 
2743 
2744  FLOWLOCK_WRLOCK(&f);
2745  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2747  dcerpcrequest,
2748  requestlen);
2749  if (r != 0) {
2750  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2751  result = 0;
2752  FLOWLOCK_UNLOCK(&f);
2753  goto end;
2754  }
2755  FLOWLOCK_UNLOCK(&f);
2756 
2757  DCERPCState *dcerpc_state = f.alstate;
2758  if (dcerpc_state == NULL) {
2759  printf("no dcerpc state: ");
2760  result = 0;
2761  goto end;
2762  }
2763 
2764  if (dcerpc_state->dcerpc.dcerpchdr.rpc_vers != 5) {
2765  printf("expected dcerpc version 0x05, got 0x%02x : ",
2766  dcerpc_state->dcerpc.dcerpchdr.rpc_vers);
2767  result = 0;
2768  goto end;
2769  }
2770 
2771  if (dcerpc_state->dcerpc.dcerpchdr.type != REQUEST) {
2772  printf("expected dcerpc type 0x%02x , got 0x%02x : ", REQUEST, dcerpc_state->dcerpc.dcerpchdr.type);
2773  result = 0;
2774  goto end;
2775  }
2776 
2777  if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1024) {
2778  printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.dcerpchdr.frag_length);
2779  result = 0;
2780  goto end;
2781  }
2782 
2783  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 9) {
2784  printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->dcerpc.dcerpcrequest.opnum);
2785  result = 0;
2786  goto end;
2787  }
2788 
2789 end:
2790  if (alp_tctx != NULL)
2791  AppLayerParserThreadCtxFree(alp_tctx);
2793  FLOW_DESTROY(&f);
2794  return result;
2795 }
2796 
2797 /** \test Test endianness handling
2798 */
2799 static int DCERPCParserTest03(void)
2800 {
2801  int result = 1;
2802  Flow f;
2803  uint8_t dcerpcrequest[] = {
2804  0x05, 0x00, 0x00, 0x00, 0x01,
2805  0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
2806  0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x00,
2807  0x0b, 0x00, 0x09, 0x45, 0x00, 0x2c, 0x00, 0x4d,
2808  0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a,
2809  0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58,
2810  0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41,
2811  0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48,
2812  0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60,
2813  0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b,
2814  0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24,
2815  0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68,
2816  0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c,
2817  0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61,
2818  0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d,
2819  0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67,
2820  0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45,
2821  0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c,
2822  0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e,
2823  0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73,
2824  0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e,
2825  0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41,
2826  0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71,
2827  0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35,
2828  0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37,
2829  0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37,
2830  0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69,
2831  0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72,
2832  0x00, 0x4b, 0x00, 0x5c, 0x00, 0x74, 0x00, 0x3e,
2833  0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31,
2834  0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b,
2835  0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e,
2836  0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f,
2837  0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59,
2838  0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e,
2839  0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79,
2840  0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49,
2841  0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72,
2842  0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24,
2843  0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27,
2844  0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e,
2845  0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28,
2846  0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64,
2847  0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30,
2848  0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e,
2849  0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52,
2850  0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56,
2851  0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30,
2852  0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38,
2853  0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42,
2854  0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c,
2855  0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f,
2856  0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41,
2857  0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27,
2858  0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30,
2859  0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e,
2860  0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72,
2861  0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b,
2862  0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b,
2863  0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56,
2864  0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61,
2865  0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58,
2866  0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b,
2867  0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52,
2868  0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65,
2869  0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74,
2870  0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61,
2871  0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a,
2872  0x00, 0x74, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x68,
2873  0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f,
2874  0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32,
2875  0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f,
2876  0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51,
2877  0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48,
2878  0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25,
2879  0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32,
2880  0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40,
2881  0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50,
2882  0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38,
2883  0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c,
2884  0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a,
2885  0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76,
2886  0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75,
2887  0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33,
2888  0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71,
2889  0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67,
2890  0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b,
2891  0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23,
2892  0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51,
2893  0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b,
2894  0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65,
2895  0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f,
2896  0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a,
2897  0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f,
2898  0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59,
2899  0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46,
2900  0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e,
2901  0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45,
2902  0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e,
2903  0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75,
2904  0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29,
2905  0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78,
2906  0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b,
2907  0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f,
2908  0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68,
2909  0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53,
2910  0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36,
2911  0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75,
2912  0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00, 0x55,
2913  0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73,
2914  0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e,
2915  0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d,
2916  0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f,
2917  0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63,
2918  0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61,
2919  0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c,
2920  0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b,
2921  0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37,
2922  0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a,
2923  0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a,
2924  0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a,
2925  0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b,
2926  0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c,
2927  0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b,
2928  0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22,
2929  0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44,
2930  0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c,
2931  0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70,
2932  0x00, 0x69, 0x00};
2933  uint32_t requestlen = sizeof(dcerpcrequest);
2934 
2935  TcpSession ssn;
2937 
2938  memset(&f, 0, sizeof(f));
2939  memset(&ssn, 0, sizeof(ssn));
2940 
2941  FLOW_INITIALIZE(&f);
2942  f.protoctx = (void *)&ssn;
2943  f.proto = IPPROTO_TCP;
2944  f.alproto = ALPROTO_DCERPC;
2945 
2947 
2948  FLOWLOCK_WRLOCK(&f);
2949  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
2951  dcerpcrequest,
2952  requestlen);
2953  if (r != 0) {
2954  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
2955  result = 0;
2956  FLOWLOCK_UNLOCK(&f);
2957  goto end;
2958  }
2959  FLOWLOCK_UNLOCK(&f);
2960 
2961  DCERPCState *dcerpc_state = f.alstate;
2962  if (dcerpc_state == NULL) {
2963  printf("no dcerpc state: ");
2964  result = 0;
2965  goto end;
2966  }
2967 
2968  if (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] != 0x01) {
2969  printf("expected dcerpc data representation 0x01, got 0x%02x : ",
2970  dcerpc_state->dcerpc.dcerpchdr.packed_drep[0]);
2971  result = 0;
2972  goto end;
2973  }
2974 
2975  if (dcerpc_state->dcerpc.dcerpchdr.frag_length != 1024) {
2976  printf("expected dcerpc frag_length 0x%02x , got 0x%02x : ", 1024, dcerpc_state->dcerpc.dcerpchdr.frag_length);
2977  result = 0;
2978  goto end;
2979  }
2980 
2981  if (dcerpc_state->dcerpc.dcerpcrequest.opnum != 9) {
2982  printf("expected dcerpc opnum 0x%02x , got 0x%02x : ", 9, dcerpc_state->dcerpc.dcerpcrequest.opnum);
2983  result = 0;
2984  goto end;
2985  }
2986 end:
2987  if (alp_tctx != NULL)
2988  AppLayerParserThreadCtxFree(alp_tctx);
2990  FLOW_DESTROY(&f);
2991  return result;
2992 }
2993 
2994 /**
2995  * \test General test.
2996  */
2997 static int DCERPCParserTest05(void)
2998 {
2999  int result = 1;
3000  Flow f;
3001  int r = 0;
3002  uint8_t bind1[] = {
3003  0x05, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x00, 0x00,
3004  0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3005  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3006  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
3007  0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
3008  0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
3009  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3010  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3011  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
3012  };
3013  uint32_t bind1_len = sizeof(bind1);
3014 
3015  uint8_t bind2[] = {
3016  0x05, 0x00, 0x0b, 0x02, 0x10, 0x00, 0x00, 0x00,
3017  0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3018  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3019  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
3020  0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
3021  0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x67,
3022  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3023  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3024  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
3025  };
3026  uint32_t bind2_len = sizeof(bind2);
3027 
3028  TcpSession ssn;
3030 
3031  memset(&f, 0, sizeof(f));
3032  memset(&ssn, 0, sizeof(ssn));
3033 
3034  FLOW_INITIALIZE(&f);
3035  f.protoctx = (void *)&ssn;
3036  f.proto = IPPROTO_TCP;
3037  f.alproto = ALPROTO_DCERPC;
3038 
3040 
3041  FLOWLOCK_WRLOCK(&f);
3042  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3043  STREAM_TOSERVER | STREAM_START, bind1, bind1_len);
3044  if (r != 0) {
3045  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3046  result = 0;
3047  FLOWLOCK_UNLOCK(&f);
3048  goto end;
3049  }
3050  FLOWLOCK_UNLOCK(&f);
3051 
3052  DCERPCState *dcerpc_state = f.alstate;
3053  if (dcerpc_state == NULL) {
3054  printf("no dcerpc state: ");
3055  result = 0;
3056  goto end;
3057  }
3058 
3059  DCERPCUuidEntry *item = NULL;
3060  int m = 0;
3061  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
3062  printf("%d ", m);
3063  printUUID("BIND",item);
3064  m++;
3065  }
3066 
3067  FLOWLOCK_WRLOCK(&f);
3068  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3069  STREAM_TOSERVER, bind2, bind2_len);
3070  if (r != 0) {
3071  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3072  result = 0;
3073  FLOWLOCK_UNLOCK(&f);
3074  goto end;
3075  }
3076  FLOWLOCK_UNLOCK(&f);
3077 
3078  item = NULL;
3079  m = 0;
3080  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
3081  printf("%d ", m);
3082  printUUID("BIND",item);
3083  m++;
3084  }
3085 
3086  /* we will need this test later for fragged bind pdus. keep it */
3087  result = 1;
3088 
3089 end:
3090  if (alp_tctx != NULL)
3091  AppLayerParserThreadCtxFree(alp_tctx);
3093  FLOW_DESTROY(&f);
3094  return result;
3095 }
3096 
3097 /**
3098  * \test DCERPC fragmented bind PDU(one PDU which is frag'ed)
3099  */
3100 static int DCERPCParserTest06(void)
3101 {
3102  int result = 1;
3103  Flow f;
3104  int r = 0;
3105  uint8_t bind1[] = {
3106  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
3107  0xdc, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3108  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3109  0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
3110  0xc7, 0x70, 0x0d, 0x3e, 0x71, 0x37, 0x39, 0x0d,
3111  0x3a, 0x4f, 0xd3, 0xdc, 0xca, 0x49, 0xe8, 0xa3,
3112  0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3113  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3114  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3115  0x01, 0x00, 0x01, 0x00, 0x84, 0xb6, 0x55, 0x75,
3116  0xdb, 0x9e, 0xba, 0x54, 0x56, 0xd3, 0x45, 0x10,
3117  0xb7, 0x7a, 0x2a, 0xe2, 0x04, 0x00, 0x01, 0x00,
3118  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3119  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3120  0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
3121  0x6e, 0x39, 0x21, 0x24, 0x70, 0x6f, 0x41, 0x57,
3122  0x54, 0x70, 0xb8, 0xc3, 0x5e, 0x89, 0x3b, 0x43,
3123  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3124  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3125  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3126  0x03, 0x00, 0x01, 0x00, 0x39, 0x6a, 0x86, 0x5d,
3127  0x24, 0x0f, 0xd2, 0xf7, 0xb6, 0xce, 0x95, 0x9c,
3128  0x54, 0x1d, 0x3a, 0xdb, 0x02, 0x00, 0x01, 0x00,
3129  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3130  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3131  0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00,
3132  0x12, 0xa5, 0xdd, 0xc5, 0x55, 0xce, 0xc3, 0x46,
3133  0xbd, 0xa0, 0x94, 0x39, 0x3c, 0x0d, 0x9b, 0x5b,
3134  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3135  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3136  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3137  0x05, 0x00, 0x01, 0x00, 0x87, 0x1c, 0x8b, 0x6e,
3138  0x11, 0xa8, 0x67, 0x98, 0xd4, 0x5d, 0xf6, 0x8a,
3139  0x2f, 0x33, 0x24, 0x7b, 0x05, 0x00, 0x03, 0x00,
3140  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3141  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3142  0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
3143  0x9b, 0x82, 0x13, 0xd1, 0x28, 0xe0, 0x63, 0xf3,
3144  0x62, 0xee, 0x76, 0x73, 0xf9, 0xac, 0x3d, 0x2e,
3145  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3146  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3147  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3148  0x07, 0x00, 0x01, 0x00, 0xa9, 0xd4, 0x73, 0xf2,
3149  0xed, 0xad, 0xe8, 0x82, 0xf8, 0xcf, 0x9d, 0x9f,
3150  0x66, 0xe6, 0x43, 0x37, 0x02, 0x00, 0x01, 0x00,
3151  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3152  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3153  0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00,
3154  0x06, 0x2b, 0x85, 0x38, 0x4f, 0x73, 0x96, 0xb1,
3155  0x73, 0xe1, 0x59, 0xbe, 0x9d, 0xe2, 0x6c, 0x07,
3156  0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3157  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3158  0x2b, 0x10, 0x48, 0x60};
3159  uint32_t bind1_len = sizeof(bind1);
3160 
3161  uint8_t bind2[] = {
3162  0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00,
3163  0xbf, 0xfa, 0xbb, 0xa4, 0x9e, 0x5c, 0x80, 0x61,
3164  0xb5, 0x8b, 0x79, 0x69, 0xa6, 0x32, 0x88, 0x77,
3165  0x01, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3166  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3167  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3168  0x0a, 0x00, 0x01, 0x00, 0x39, 0xa8, 0x2c, 0x39,
3169  0x73, 0x50, 0x06, 0x8d, 0xf2, 0x37, 0x1e, 0x1e,
3170  0xa8, 0x8f, 0x46, 0x98, 0x02, 0x00, 0x02, 0x00,
3171  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3172  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3173  0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x01, 0x00,
3174  0x91, 0x13, 0xd0, 0xa7, 0xef, 0xc4, 0xa7, 0x96,
3175  0x0c, 0x4a, 0x0d, 0x29, 0x80, 0xd3, 0xfe, 0xbf,
3176  0x00, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3177  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3178  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3179  0x0c, 0x00, 0x01, 0x00, 0xcc, 0x2b, 0x55, 0x1d,
3180  0xd4, 0xa4, 0x0d, 0xfb, 0xcb, 0x6f, 0x86, 0x36,
3181  0xa6, 0x57, 0xc3, 0x21, 0x02, 0x00, 0x01, 0x00,
3182  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3183  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3184  0x02, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x01, 0x00,
3185  0x43, 0x7b, 0x07, 0xee, 0x85, 0xa8, 0xb9, 0x3a,
3186  0x0f, 0xf9, 0x83, 0x70, 0xe6, 0x0b, 0x4f, 0x33,
3187  0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3188  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3189  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3190  0x0e, 0x00, 0x01, 0x00, 0x9c, 0x6a, 0x15, 0x8c,
3191  0xd6, 0x9c, 0xa6, 0xc3, 0xb2, 0x9e, 0x62, 0x9f,
3192  0x3d, 0x8e, 0x47, 0x73, 0x02, 0x00, 0x02, 0x00,
3193  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3194  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3195  0x02, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x01, 0x00,
3196  0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01,
3197  0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88,
3198  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3199  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3200  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
3201  };
3202  uint32_t bind2_len = sizeof(bind2);
3203 
3204  TcpSession ssn;
3206 
3207  memset(&f, 0, sizeof(f));
3208  memset(&ssn, 0, sizeof(ssn));
3209 
3210  FLOW_INITIALIZE(&f);
3211  f.protoctx = (void *)&ssn;
3212  f.proto = IPPROTO_TCP;
3213  f.alproto = ALPROTO_DCERPC;
3214 
3216 
3217  FLOWLOCK_WRLOCK(&f);
3218  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3219  STREAM_TOSERVER | STREAM_START, bind1, bind1_len);
3220  if (r != 0) {
3221  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3222  result = 0;
3223  FLOWLOCK_UNLOCK(&f);
3224  goto end;
3225  }
3226  FLOWLOCK_UNLOCK(&f);
3227 
3228  DCERPCState *dcerpc_state = f.alstate;
3229  if (dcerpc_state == NULL) {
3230  printf("no dcerpc state: ");
3231  result = 0;
3232  goto end;
3233  }
3234 
3235  result &= (dcerpc_state->dcerpc.bytesprocessed == 420);
3236  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.ctxbytesprocessed == 40);
3237  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitems == 16);
3238  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitemsleft == 8);
3239 
3240  FLOWLOCK_WRLOCK(&f);
3241  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3242  STREAM_TOSERVER, bind2, bind2_len);
3243  if (r != 0) {
3244  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3245  result = 0;
3246  FLOWLOCK_UNLOCK(&f);
3247  goto end;
3248  }
3249  FLOWLOCK_UNLOCK(&f);
3250 
3251  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3252  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.ctxbytesprocessed == 0);
3253  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitems == 16);
3254  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitemsleft == 0);
3255 
3256 end:
3257  if (alp_tctx != NULL)
3258  AppLayerParserThreadCtxFree(alp_tctx);
3260  FLOW_DESTROY(&f);
3261  return result;
3262 }
3263 
3264 /**
3265  * \test DCERPC fragmented bind PDU(one PDU which is frag'ed).
3266  */
3267 static int DCERPCParserTest07(void)
3268 {
3269  uint8_t request1[] = {
3270  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3271  0x2C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3272  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
3273  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3274  0x09, 0x0A, 0x0B, 0x0C
3275  };
3276  uint32_t request1_len = sizeof(request1);
3277 
3278  uint8_t request2[] = {
3279  0x0D, 0x0E
3280  };
3281  uint32_t request2_len = sizeof(request2);
3282 
3283  uint8_t request3[] = {
3284  0x0F, 0x10, 0x11, 0x12, 0x13, 0x14
3285  };
3286  uint32_t request3_len = sizeof(request3);
3287 
3288  Flow f;
3289  int r = 0;
3290  TcpSession ssn;
3292  memset(&f, 0, sizeof(f));
3293  memset(&ssn, 0, sizeof(ssn));
3294  FLOW_INITIALIZE(&f);
3295  f.protoctx = (void *)&ssn;
3296  f.proto = IPPROTO_TCP;
3297  f.alproto = ALPROTO_DCERPC;
3299 
3300  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3301  STREAM_TOSERVER | STREAM_START, request1,
3302  request1_len);
3303  FAIL_IF(r != 0);
3304 
3305  DCERPCState *dcerpc_state = f.alstate;
3306  FAIL_IF_NULL(dcerpc_state);
3307 
3308  FAIL_IF_NOT(dcerpc_state->dcerpc.bytesprocessed == 36);
3309  FAIL_IF_NOT(dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL);
3311 
3312  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3313  STREAM_TOSERVER, request2, request2_len);
3314  FAIL_IF(r != 0);
3315 
3316  FAIL_IF_NOT(dcerpc_state->dcerpc.bytesprocessed == 38);
3317  FAIL_IF_NOT(dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL);
3319 
3320  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3321  STREAM_TOSERVER, request3, request3_len);
3322  FAIL_IF(r != 0);
3323 
3324  FAIL_IF_NOT(dcerpc_state->dcerpc.bytesprocessed == 0);
3325  FAIL_IF_NOT(dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL);
3327 
3328  AppLayerParserThreadCtxFree(alp_tctx);
3330  FLOW_DESTROY(&f);
3331  PASS;
3332 }
3333 
3334 /**
3335  * \test DCERPC fragmented bind PDU(one PDU which is frag'ed).
3336  */
3337 static int DCERPCParserTest08(void)
3338 {
3339  int result = 1;
3340  Flow f;
3341  int r = 0;
3342  uint8_t request[] = {
3343  0x05, 0x02, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3344  0x2C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3345  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
3346  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3347  0x09, 0x0A, 0x0B, 0x0C,
3348  };
3349  uint32_t request_len = sizeof(request);
3350 
3351  TcpSession ssn;
3353 
3354  memset(&f, 0, sizeof(f));
3355  memset(&ssn, 0, sizeof(ssn));
3356 
3357  FLOW_INITIALIZE(&f);
3358  f.protoctx = (void *)&ssn;
3359  f.proto = IPPROTO_TCP;
3360  f.alproto = ALPROTO_DCERPC;
3361 
3363 
3364  FLOWLOCK_WRLOCK(&f);
3365  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3366  STREAM_TOSERVER | STREAM_START, request,
3367  request_len);
3368  if (r != 0) {
3369  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3370  result = 0;
3371  FLOWLOCK_UNLOCK(&f);
3372  goto end;
3373  }
3374  FLOWLOCK_UNLOCK(&f);
3375 
3376  DCERPCState *dcerpc_state = f.alstate;
3377  if (dcerpc_state == NULL) {
3378  printf("no dcerpc state: ");
3379  result = 0;
3380  goto end;
3381  }
3382 
3383  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3384  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL &&
3385  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 0);
3386 
3387 end:
3388  if (alp_tctx != NULL)
3389  AppLayerParserThreadCtxFree(alp_tctx);
3391  FLOW_DESTROY(&f);
3392  return result;
3393 }
3394 
3395 /**
3396  * \test DCERPC fragmented bind PDU(one PDU which is frag'ed).
3397  */
3398 static int DCERPCParserTest09(void)
3399 {
3400  int result = 1;
3401  Flow f;
3402  int r = 0;
3403  uint8_t request[] = {
3404  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3405  0x2C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3406  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
3407  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3408  0x09, 0x0A, 0x0B, 0x0C,
3409  };
3410  uint32_t request_len = sizeof(request);
3411 
3412  TcpSession ssn;
3414 
3415  memset(&f, 0, sizeof(f));
3416  memset(&ssn, 0, sizeof(ssn));
3417 
3418  FLOW_INITIALIZE(&f);
3419  f.protoctx = (void *)&ssn;
3420  f.proto = IPPROTO_TCP;
3421  f.alproto = ALPROTO_DCERPC;
3422 
3424 
3425  FLOWLOCK_WRLOCK(&f);
3426  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3427  STREAM_TOSERVER | STREAM_START, request,
3428  request_len);
3429  if (r != 0) {
3430  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3431  result = 0;
3432  FLOWLOCK_UNLOCK(&f);
3433  goto end;
3434  }
3435  FLOWLOCK_UNLOCK(&f);
3436 
3437  DCERPCState *dcerpc_state = f.alstate;
3438  if (dcerpc_state == NULL) {
3439  printf("no dcerpc state: ");
3440  result = 0;
3441  goto end;
3442  }
3443 
3444  result &= (dcerpc_state->dcerpc.bytesprocessed == 36);
3445  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
3446  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 12);
3447 
3448 end:
3449  if (alp_tctx != NULL)
3450  AppLayerParserThreadCtxFree(alp_tctx);
3452  FLOW_DESTROY(&f);
3453  return result;
3454 }
3455 
3456 /**
3457  * \test DCERPC fragmented PDU.
3458  */
3459 static int DCERPCParserTest10(void)
3460 {
3461  int result = 1;
3462  Flow f;
3463  int r = 0;
3464 
3465  uint8_t fault[] = {
3466  0x05, 0x00, 0x03, 0x03, 0x10, 0x00, 0x00, 0x00,
3467  0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3468  0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00,
3469  0xf7, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
3470  };
3471  uint32_t fault_len = sizeof(fault);
3472 
3473  uint8_t request1[] = {
3474  0x05, 0x00
3475  };
3476  uint32_t request1_len = sizeof(request1);
3477 
3478  uint8_t request2[] = {
3479  0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x24, 0x00,
3480  0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0c, 0x00,
3481  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02,
3482  0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
3483  0x0B, 0x0C
3484  };
3485  uint32_t request2_len = sizeof(request2);
3486 
3487  TcpSession ssn;
3489 
3490  memset(&f, 0, sizeof(f));
3491  memset(&ssn, 0, sizeof(ssn));
3492 
3493  FLOW_INITIALIZE(&f);
3494  f.protoctx = (void *)&ssn;
3495  f.proto = IPPROTO_TCP;
3496  f.alproto = ALPROTO_DCERPC;
3497 
3499 
3500  FLOWLOCK_WRLOCK(&f);
3501  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3502  STREAM_TOSERVER | STREAM_START, fault, fault_len);
3503  if (r != 0) {
3504  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3505  result = 0;
3506  FLOWLOCK_UNLOCK(&f);
3507  goto end;
3508  }
3509  FLOWLOCK_UNLOCK(&f);
3510 
3511  DCERPCState *dcerpc_state = f.alstate;
3512  if (dcerpc_state == NULL) {
3513  printf("no dcerpc state: ");
3514  result = 0;
3515  goto end;
3516  }
3517 
3518  FLOWLOCK_WRLOCK(&f);
3519  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3520  STREAM_TOSERVER, request1, request1_len);
3521  if (r != 0) {
3522  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3523  result = 0;
3524  FLOWLOCK_UNLOCK(&f);
3525  goto end;
3526  }
3527  FLOWLOCK_UNLOCK(&f);
3528 
3529  result &= (dcerpc_state->dcerpc.bytesprocessed == 2);
3530  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL);
3531 
3532  FLOWLOCK_WRLOCK(&f);
3533  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3534  STREAM_TOSERVER, request2, request2_len);
3535  if (r != 0) {
3536  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3537  result = 0;
3538  FLOWLOCK_UNLOCK(&f);
3539  goto end;
3540  }
3541  FLOWLOCK_UNLOCK(&f);
3542 
3543  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3544  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
3545  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 12);
3546 
3547 end:
3548  if (alp_tctx != NULL)
3549  AppLayerParserThreadCtxFree(alp_tctx);
3551  FLOW_DESTROY(&f);
3552  return result;
3553 }
3554 
3555 /**
3556  * \test DCERPC fragmented PDU.
3557  */
3558 static int DCERPCParserTest11(void)
3559 {
3560  int result = 1;
3561  Flow f;
3562  int r = 0;
3563 
3564  uint8_t request1[] = {
3565  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3566  0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3567  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
3568  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3569  0x09, 0x0A, 0x0B, 0x0C
3570  };
3571  uint32_t request1_len = sizeof(request1);
3572 
3573  uint8_t request2[] = {
3574  0x05, 0x00
3575  };
3576  uint32_t request2_len = sizeof(request2);
3577 
3578  uint8_t request3[] = {
3579  0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x26, 0x00,
3580  0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0c, 0x00,
3581  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02,
3582  0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
3583  0x0B, 0x0C, 0xFF, 0xFF
3584  };
3585  uint32_t request3_len = sizeof(request3);
3586 
3587  TcpSession ssn;
3589 
3590  memset(&f, 0, sizeof(f));
3591  memset(&ssn, 0, sizeof(ssn));
3592 
3593  FLOW_INITIALIZE(&f);
3594  f.protoctx = (void *)&ssn;
3595  f.proto = IPPROTO_TCP;
3596  f.alproto = ALPROTO_DCERPC;
3597 
3599 
3600  FLOWLOCK_WRLOCK(&f);
3601  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3602  STREAM_TOSERVER, request1, request1_len);
3603  if (r != 0) {
3604  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3605  result = 0;
3606  FLOWLOCK_UNLOCK(&f);
3607  goto end;
3608  }
3609  FLOWLOCK_UNLOCK(&f);
3610 
3611  DCERPCState *dcerpc_state = f.alstate;
3612  if (dcerpc_state == NULL) {
3613  printf("no dcerpc state: ");
3614  result = 0;
3615  goto end;
3616  }
3617 
3618  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3619  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
3620  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 12);
3621 
3622  FLOWLOCK_WRLOCK(&f);
3623  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3624  STREAM_TOSERVER, request2, request2_len);
3625  if (r != 0) {
3626  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3627  result = 0;
3628  FLOWLOCK_UNLOCK(&f);
3629  goto end;
3630  }
3631  FLOWLOCK_UNLOCK(&f);
3632 
3633  result &= (dcerpc_state->dcerpc.bytesprocessed == 2);
3634 
3635  FLOWLOCK_WRLOCK(&f);
3636  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3637  STREAM_TOSERVER, request3, request3_len);
3638  if (r != 0) {
3639  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3640  result = 0;
3641  FLOWLOCK_UNLOCK(&f);
3642  goto end;
3643  }
3644  FLOWLOCK_UNLOCK(&f);
3645 
3646  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3647  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
3648  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 14);
3649 
3650 end:
3651  if (alp_tctx != NULL)
3652  AppLayerParserThreadCtxFree(alp_tctx);
3654  FLOW_DESTROY(&f);
3655  return result;
3656 }
3657 
3658 /**
3659  * \test DCERPC fragmented PDU.
3660  */
3661 static int DCERPCParserTest12(void)
3662 {
3663  int result = 1;
3664  Flow f;
3665  int r = 0;
3666 
3667  uint8_t bind_ack1[] = {
3668  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
3669  0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3670  0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00,
3671  };
3672  uint32_t bind_ack1_len = sizeof(bind_ack1);
3673 
3674  uint8_t bind_ack2[] = {
3675  0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
3676  0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
3677  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3678  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3679  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3680  0x02, 0x00, 0x00, 0x00
3681  };
3682  uint32_t bind_ack2_len = sizeof(bind_ack2);
3683 
3684  TcpSession ssn;
3686 
3687  memset(&f, 0, sizeof(f));
3688  memset(&ssn, 0, sizeof(ssn));
3689 
3690  FLOW_INITIALIZE(&f);
3691  f.protoctx = (void *)&ssn;
3692  f.proto = IPPROTO_TCP;
3693  f.alproto = ALPROTO_DCERPC;
3694 
3696 
3697  FLOWLOCK_WRLOCK(&f);
3698  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3699  STREAM_TOCLIENT, bind_ack1, bind_ack1_len);
3700  if (r != 0) {
3701  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3702  result = 0;
3703  FLOWLOCK_UNLOCK(&f);
3704  goto end;
3705  }
3706  FLOWLOCK_UNLOCK(&f);
3707 
3708  DCERPCState *dcerpc_state = f.alstate;
3709  if (dcerpc_state == NULL) {
3710  printf("no dcerpc state: ");
3711  result = 0;
3712  goto end;
3713  }
3714 
3715  result &= (dcerpc_state->dcerpc.bytesprocessed == 24);
3716 
3717  FLOWLOCK_WRLOCK(&f);
3718  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3719  STREAM_TOCLIENT, bind_ack2, bind_ack2_len);
3720  if (r != 0) {
3721  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3722  result = 0;
3723  FLOWLOCK_UNLOCK(&f);
3724  goto end;
3725  }
3726  FLOWLOCK_UNLOCK(&f);
3727 
3728  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3729 
3730 end:
3731  if (alp_tctx != NULL)
3732  AppLayerParserThreadCtxFree(alp_tctx);
3734  FLOW_DESTROY(&f);
3735  return result;
3736 }
3737 
3738 /**
3739  * \test Check if the parser accepts bind pdus that have context ids starting
3740  * from a non-zero value.
3741  */
3742 static int DCERPCParserTest13(void)
3743 {
3744  int result = 1;
3745  Flow f;
3746  int r = 0;
3747 
3748  uint8_t bindbuf[] = {
3749  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
3750  0x48, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00,
3751  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3752  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
3753  0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3754  0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
3755  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3756  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3757  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
3758  };
3759  uint32_t bindbuf_len = sizeof(bindbuf);
3760 
3761  TcpSession ssn;
3763 
3764  memset(&f, 0, sizeof(f));
3765  memset(&ssn, 0, sizeof(ssn));
3766 
3767  FLOW_INITIALIZE(&f);
3768  f.protoctx = (void *)&ssn;
3769  f.proto = IPPROTO_TCP;
3770  f.alproto = ALPROTO_DCERPC;
3771 
3773 
3774  FLOWLOCK_WRLOCK(&f);
3775  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3776  STREAM_TOSERVER, bindbuf, bindbuf_len);
3777  if (r != 0) {
3778  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3779  result = 0;
3780  FLOWLOCK_UNLOCK(&f);
3781  goto end;
3782  }
3783  FLOWLOCK_UNLOCK(&f);
3784 
3785  DCERPCState *dcerpc_state = f.alstate;
3786  if (dcerpc_state == NULL) {
3787  printf("no dcerpc state: ");
3788  result = 0;
3789  goto end;
3790  }
3791 
3792  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
3793  result &= (dcerpc_state->dcerpc.dcerpcbindbindack.numctxitems == 1);
3794  if (result == 0)
3795  goto end;
3796 
3797  result = 0;
3798  uint8_t ctx_uuid_from_pcap[16] = {
3799  0x00, 0x00, 0x01, 0xa0, 0x00, 0x00, 0x00, 0x00,
3800  0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46};
3801  DCERPCUuidEntry *item = NULL;
3802  int internal_id = 0;
3803  TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
3804  int i = 0;
3805  /* check the interface uuid */
3806  for (i = 0; i < 16; i++) {
3807  if (ctx_uuid_from_pcap[i] != item->uuid[i]) {
3808  result = 0;
3809  goto end;
3810  }
3811  }
3812  result = 1;
3813  result &= (item->internal_id == internal_id++);
3814  }
3815 
3816 end:
3817  if (alp_tctx != NULL)
3818  AppLayerParserThreadCtxFree(alp_tctx);
3820  FLOW_DESTROY(&f);
3821  return result;
3822 }
3823 
3824 /**
3825  * \test Check for another endless loop with bind pdus.
3826  */
3827 static int DCERPCParserTest14(void)
3828 {
3829  int result = 1;
3830  Flow f;
3831  int r = 0;
3832 
3833  uint8_t bindbuf[] = {
3834  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
3835  0x4A, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00,
3836  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3837  0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
3838  0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3839  0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
3840  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3841  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3842  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3843  0x02, 0x00, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3844  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3845  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3846  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3847  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
3848  0x01, 0x02, 0x03, 0x04, 0xFF /* ka boom - endless loop */
3849  };
3850  uint32_t bindbuf_len = sizeof(bindbuf);
3851 
3852  TcpSession ssn;
3854 
3855  memset(&f, 0, sizeof(f));
3856  memset(&ssn, 0, sizeof(ssn));
3857 
3858  FLOW_INITIALIZE(&f);
3859  f.protoctx = (void *)&ssn;
3860  f.proto = IPPROTO_TCP;
3861  f.alproto = ALPROTO_DCERPC;
3862 
3864 
3865  FLOWLOCK_WRLOCK(&f);
3866  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3867  STREAM_TOSERVER, bindbuf, bindbuf_len);
3868  if (r != 0) {
3869  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3870  result = 0;
3871  FLOWLOCK_UNLOCK(&f);
3872  goto end;
3873  }
3874  FLOWLOCK_UNLOCK(&f);
3875 
3876  DCERPCState *dcerpc_state = f.alstate;
3877  if (dcerpc_state == NULL) {
3878  printf("no dcerpc state: ");
3879  result = 0;
3880  goto end;
3881  }
3882 
3883 end:
3884  if (alp_tctx != NULL)
3885  AppLayerParserThreadCtxFree(alp_tctx);
3887  FLOW_DESTROY(&f);
3888  return result;
3889 }
3890 
3891 /**
3892  * \test Check for another endless loop for bind_ack pdus.
3893  */
3894 static int DCERPCParserTest15(void)
3895 {
3896  int result = 1;
3897  Flow f;
3898  int r = 0;
3899 
3900  uint8_t bind_ack[] = {
3901  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
3902  0x3e, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00,
3903  0xd0, 0x16, 0xd0, 0x16, 0xfd, 0x04, 0x01, 0x00,
3904  0x04, 0x00, 0x31, 0x33, 0x35, 0x00, 0x00, 0x00,
3905  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3906  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3907  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3908  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3909  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3910  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3911  0x01, 0x02, 0x03, 0x04, 0xFF
3912  };
3913  uint32_t bind_ack_len = sizeof(bind_ack);
3914 
3915  TcpSession ssn;
3917 
3918  memset(&f, 0, sizeof(f));
3919  memset(&ssn, 0, sizeof(ssn));
3920 
3921  FLOW_INITIALIZE(&f);
3922  f.protoctx = (void *)&ssn;
3923  f.proto = IPPROTO_TCP;
3924  f.alproto = ALPROTO_DCERPC;
3925 
3927 
3928  FLOWLOCK_WRLOCK(&f);
3929  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3930  STREAM_TOCLIENT, bind_ack, bind_ack_len);
3931  if (r != 0) {
3932  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
3933  result = 0;
3934  FLOWLOCK_UNLOCK(&f);
3935  goto end;
3936  }
3937  FLOWLOCK_UNLOCK(&f);
3938 
3939  DCERPCState *dcerpc_state = f.alstate;
3940  if (dcerpc_state == NULL) {
3941  printf("no dcerpc state: ");
3942  result = 0;
3943  goto end;
3944  }
3945 
3946 end:
3947  if (alp_tctx != NULL)
3948  AppLayerParserThreadCtxFree(alp_tctx);
3950  FLOW_DESTROY(&f);
3951  return result;
3952 }
3953 
3954 /**
3955  * \test Check for correct internal ids for bind_acks.
3956  */
3957 static int DCERPCParserTest16(void)
3958 {
3959  int result = 1;
3960  Flow f;
3961  int r = 0;
3962 
3963  uint8_t bind1[] = {
3964  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
3965  0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3966  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
3967  0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
3968  0x50, 0x08, 0x43, 0x95, 0x43, 0x5a, 0x8b, 0xb2,
3969  0xf4, 0xc5, 0xb9, 0xee, 0x67, 0x55, 0x7c, 0x19,
3970  0x00, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3971  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3972  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3973  0x01, 0x00, 0x01, 0x00, 0xda, 0xc2, 0xbc, 0x9b,
3974  0x35, 0x2e, 0xd4, 0xc9, 0x1f, 0x85, 0x01, 0xe6,
3975  0x4e, 0x5a, 0x5e, 0xd4, 0x04, 0x00, 0x03, 0x00,
3976  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3977  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3978  0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
3979  0xb2, 0x97, 0xcc, 0x14, 0x6f, 0x70, 0x0d, 0xa5,
3980  0x33, 0xd7, 0xf4, 0xe3, 0x8e, 0xb2, 0x2a, 0x1e,
3981  0x05, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3982  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3983  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3984  0x03, 0x00, 0x01, 0x00, 0x96, 0x4e, 0xa6, 0xf6,
3985  0xb2, 0x4b, 0xae, 0xb3, 0x21, 0xf4, 0x97, 0x7c,
3986  0xcd, 0xa7, 0x08, 0xb0, 0x00, 0x00, 0x00, 0x00,
3987  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3988  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
3989  0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00,
3990  0xbc, 0xc0, 0xf7, 0x71, 0x3f, 0x71, 0x54, 0x44,
3991  0x22, 0xa8, 0x55, 0x0f, 0x98, 0x83, 0x1f, 0xfe,
3992  0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
3993  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
3994  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
3995  0x05, 0x00, 0x01, 0x00, 0xbe, 0x52, 0xf2, 0x58,
3996  0x4a, 0xc3, 0xb5, 0xd0, 0xba, 0xac, 0xda, 0xf0,
3997  0x12, 0x99, 0x38, 0x6e, 0x04, 0x00, 0x02, 0x00,
3998  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
3999  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4000  0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
4001  0xdb, 0xfa, 0x73, 0x01, 0xb3, 0x81, 0x01, 0xd4,
4002  0x7f, 0xa0, 0x36, 0xb1, 0x97, 0xae, 0x29, 0x7f,
4003  0x01, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4004  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4005  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4006  0x07, 0x00, 0x01, 0x00, 0x89, 0xbe, 0x41, 0x1d,
4007  0x38, 0x75, 0xf5, 0xb5, 0xad, 0x27, 0x73, 0xf1,
4008  0xb0, 0x7a, 0x28, 0x82, 0x05, 0x00, 0x02, 0x00,
4009  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4010  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4011  0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00,
4012  0xf6, 0x87, 0x09, 0x93, 0xb8, 0xa8, 0x20, 0xc4,
4013  0xb8, 0x63, 0xe6, 0x95, 0xed, 0x59, 0xee, 0x3f,
4014  0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4015  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4016  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4017  0x09, 0x00, 0x01, 0x00, 0x92, 0x77, 0x92, 0x68,
4018  0x3e, 0xa4, 0xbc, 0x3f, 0x44, 0x33, 0x0e, 0xb8,
4019  0x33, 0x0a, 0x2f, 0xdf, 0x01, 0x00, 0x02, 0x00,
4020  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4021  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4022  0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00,
4023  0xa1, 0x03, 0xd2, 0xa9, 0xd2, 0x16, 0xc9, 0x89,
4024  0x67, 0x18, 0x3e, 0xb1, 0xee, 0x6b, 0xf9, 0x18,
4025  0x02, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4026  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4027  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4028  0x0b, 0x00, 0x01, 0x00, 0x2f, 0x09, 0x5e, 0x74,
4029  0xec, 0xa0, 0xbb, 0xc1, 0x60, 0x18, 0xf1, 0x93,
4030  0x04, 0x17, 0x11, 0xf9, 0x01, 0x00, 0x03, 0x00,
4031  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4032  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4033  0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00,
4034  0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01,
4035  0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88,
4036  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4037  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4038  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
4039  };
4040  uint32_t bind1_len = sizeof(bind1);
4041 
4042  uint8_t bind_ack1[] = {
4043  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
4044  0x64, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4045  0xb8, 0x10, 0xb8, 0x10, 0xc1, 0x2b, 0x00, 0x00,
4046  0x0e, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
4047  0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x00,
4048  0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4049  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4050  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4051  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4052  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4053  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4054  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4055  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4056  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4057  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4058  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4059  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4060  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4061  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4062  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4063  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4064  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4065  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4066  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4067  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4068  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4069  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4070  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4071  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4072  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4073  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4074  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4075  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4076  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4077  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4078  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4079  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4080  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4081  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4082  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4083  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4084  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4085  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4086  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4087  0x02, 0x00, 0x00, 0x00
4088  };
4089  uint32_t bind_ack1_len = sizeof(bind_ack1);
4090 
4091  uint8_t bind2[] = {
4092  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
4093  0xdc, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4094  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
4095  0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
4096  0xc7, 0x70, 0x0d, 0x3e, 0x71, 0x37, 0x39, 0x0d,
4097  0x3a, 0x4f, 0xd3, 0xdc, 0xca, 0x49, 0xe8, 0xa3,
4098  0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4099  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4100  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4101  0x01, 0x00, 0x01, 0x00, 0x84, 0xb6, 0x55, 0x75,
4102  0xdb, 0x9e, 0xba, 0x54, 0x56, 0xd3, 0x45, 0x10,
4103  0xb7, 0x7a, 0x2a, 0xe2, 0x04, 0x00, 0x01, 0x00,
4104  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4105  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4106  0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4107  0x6e, 0x39, 0x21, 0x24, 0x70, 0x6f, 0x41, 0x57,
4108  0x54, 0x70, 0xb8, 0xc3, 0x5e, 0x89, 0x3b, 0x43,
4109  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4110  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4111  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4112  0x03, 0x00, 0x01, 0x00, 0x39, 0x6a, 0x86, 0x5d,
4113  0x24, 0x0f, 0xd2, 0xf7, 0xb6, 0xce, 0x95, 0x9c,
4114  0x54, 0x1d, 0x3a, 0xdb, 0x02, 0x00, 0x01, 0x00,
4115  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4116  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4117  0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00,
4118  0x12, 0xa5, 0xdd, 0xc5, 0x55, 0xce, 0xc3, 0x46,
4119  0xbd, 0xa0, 0x94, 0x39, 0x3c, 0x0d, 0x9b, 0x5b,
4120  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4121  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4122  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4123  0x05, 0x00, 0x01, 0x00, 0x87, 0x1c, 0x8b, 0x6e,
4124  0x11, 0xa8, 0x67, 0x98, 0xd4, 0x5d, 0xf6, 0x8a,
4125  0x2f, 0x33, 0x24, 0x7b, 0x05, 0x00, 0x03, 0x00,
4126  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4127  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4128  0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
4129  0x9b, 0x82, 0x13, 0xd1, 0x28, 0xe0, 0x63, 0xf3,
4130  0x62, 0xee, 0x76, 0x73, 0xf9, 0xac, 0x3d, 0x2e,
4131  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4132  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4133  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4134  0x07, 0x00, 0x01, 0x00, 0xa9, 0xd4, 0x73, 0xf2,
4135  0xed, 0xad, 0xe8, 0x82, 0xf8, 0xcf, 0x9d, 0x9f,
4136  0x66, 0xe6, 0x43, 0x37, 0x02, 0x00, 0x01, 0x00,
4137  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4138  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4139  0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00,
4140  0x06, 0x2b, 0x85, 0x38, 0x4f, 0x73, 0x96, 0xb1,
4141  0x73, 0xe1, 0x59, 0xbe, 0x9d, 0xe2, 0x6c, 0x07,
4142  0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4143  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4144  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4145  0x09, 0x00, 0x01, 0x00, 0xbf, 0xfa, 0xbb, 0xa4,
4146  0x9e, 0x5c, 0x80, 0x61, 0xb5, 0x8b, 0x79, 0x69,
4147  0xa6, 0x32, 0x88, 0x77, 0x01, 0x00, 0x01, 0x00,
4148  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4149  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4150  0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00,
4151  0x39, 0xa8, 0x2c, 0x39, 0x73, 0x50, 0x06, 0x8d,
4152  0xf2, 0x37, 0x1e, 0x1e, 0xa8, 0x8f, 0x46, 0x98,
4153  0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4154  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4155  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4156  0x0b, 0x00, 0x01, 0x00, 0x91, 0x13, 0xd0, 0xa7,
4157  0xef, 0xc4, 0xa7, 0x96, 0x0c, 0x4a, 0x0d, 0x29,
4158  0x80, 0xd3, 0xfe, 0xbf, 0x00, 0x00, 0x01, 0x00,
4159  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4160  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4161  0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00,
4162  0xcc, 0x2b, 0x55, 0x1d, 0xd4, 0xa4, 0x0d, 0xfb,
4163  0xcb, 0x6f, 0x86, 0x36, 0xa6, 0x57, 0xc3, 0x21,
4164  0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4165  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4166  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4167  0x0d, 0x00, 0x01, 0x00, 0x43, 0x7b, 0x07, 0xee,
4168  0x85, 0xa8, 0xb9, 0x3a, 0x0f, 0xf9, 0x83, 0x70,
4169  0xe6, 0x0b, 0x4f, 0x33, 0x02, 0x00, 0x02, 0x00,
4170  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4171  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4172  0x02, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x01, 0x00,
4173  0x9c, 0x6a, 0x15, 0x8c, 0xd6, 0x9c, 0xa6, 0xc3,
4174  0xb2, 0x9e, 0x62, 0x9f, 0x3d, 0x8e, 0x47, 0x73,
4175  0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4176  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4177  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4178  0x0f, 0x00, 0x01, 0x00, 0xc8, 0x4f, 0x32, 0x4b,
4179  0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47,
4180  0xbf, 0x6e, 0xe1, 0x88, 0x03, 0x00, 0x00, 0x00,
4181  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4182  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4183  0x02, 0x00, 0x00, 0x00
4184  };
4185  uint32_t bind2_len = sizeof(bind2);
4186 
4187  uint8_t bind_ack2[] = {
4188  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
4189  0xac, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4190  0xb8, 0x10, 0xb8, 0x10, 0xc2, 0x2b, 0x00, 0x00,
4191  0x0e, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
4192  0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x00,
4193  0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4194  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4195  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4196  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4197  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4198  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4199  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4200  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4201  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4202  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4203  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4204  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4205  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4206  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4207  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4208  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4209  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4210  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4211  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4212  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4213  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4214  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4215  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4216  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4217  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4218  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4219  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4220  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4221  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4222  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4223  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4224  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4225  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4226  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4227  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4228  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4229  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4230  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4231  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4232  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4233  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4234  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4235  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4236  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4237  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4238  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4239  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4240  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4241  0x02, 0x00, 0x00, 0x00
4242  };
4243  uint32_t bind_ack2_len = sizeof(bind_ack2);
4244 
4245  uint8_t bind3[] = {
4246  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
4247  0x2c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4248  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
4249  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
4250  0xa4, 0x7f, 0x8e, 0xc6, 0xef, 0x56, 0x9b, 0x63,
4251  0x92, 0xfa, 0x08, 0xb3, 0x35, 0xe2, 0xa5, 0x81,
4252  0x00, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4253  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4254  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4255  0x01, 0x00, 0x01, 0x00, 0x9f, 0xfc, 0x78, 0xd2,
4256  0x5f, 0x16, 0x0b, 0xbc, 0xc6, 0xdb, 0x5d, 0xef,
4257  0xde, 0x54, 0xa2, 0x6f, 0x04, 0x00, 0x01, 0x00,
4258  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4259  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4260  0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4261  0x78, 0xb8, 0x96, 0xc7, 0x2f, 0xda, 0x11, 0x6b,
4262  0xd1, 0x28, 0x68, 0xe1, 0xd6, 0x71, 0xac, 0x9d,
4263  0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4264  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4265  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4266  0x03, 0x00, 0x01, 0x00, 0xcf, 0xf4, 0xd7, 0x37,
4267  0x03, 0xda, 0xcc, 0xe3, 0x3e, 0x34, 0x7f, 0x67,
4268  0x99, 0x91, 0x41, 0x3d, 0x01, 0x00, 0x02, 0x00,
4269  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4270  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4271  0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00,
4272  0x48, 0xeb, 0x32, 0xf0, 0x27, 0xd5, 0x9d, 0xd0,
4273  0x1e, 0xc6, 0x48, 0x46, 0x97, 0xe9, 0xdb, 0x09,
4274  0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4275  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4276  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4277  0x05, 0x00, 0x01, 0x00, 0x82, 0xec, 0x0d, 0x08,
4278  0xf2, 0x8f, 0x22, 0x57, 0x42, 0x9b, 0xce, 0xa8,
4279  0x74, 0x16, 0xc6, 0xec, 0x00, 0x00, 0x01, 0x00,
4280  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4281  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4282  0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
4283  0x2e, 0x00, 0x70, 0x44, 0xee, 0xc9, 0x30, 0x6b,
4284  0xf4, 0x34, 0x1e, 0x3d, 0x35, 0x0f, 0xf7, 0xf7,
4285  0x00, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4286  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4287  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4288  0x07, 0x00, 0x01, 0x00, 0x59, 0x04, 0x39, 0x3f,
4289  0x59, 0x87, 0x14, 0x0e, 0x76, 0x8d, 0x17, 0xc2,
4290  0x47, 0xfa, 0x67, 0x7f, 0x04, 0x00, 0x02, 0x00,
4291  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4292  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4293  0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00,
4294  0x30, 0xd6, 0xed, 0x2e, 0x57, 0xfa, 0xf4, 0x72,
4295  0x6c, 0x10, 0x0d, 0xe5, 0x51, 0x7f, 0xd0, 0x39,
4296  0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4297  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4298  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4299  0x09, 0x00, 0x01, 0x00, 0xea, 0x8b, 0x84, 0x4d,
4300  0x44, 0x43, 0xc1, 0x94, 0x75, 0xe2, 0x81, 0x48,
4301  0xd8, 0x77, 0xd9, 0xce, 0x05, 0x00, 0x00, 0x00,
4302  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4303  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4304  0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00,
4305  0x89, 0x4f, 0xe7, 0x95, 0xa3, 0xc1, 0x62, 0x36,
4306  0x26, 0x9e, 0x67, 0xdb, 0x2c, 0x52, 0x89, 0xd3,
4307  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4308  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4309  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4310  0x0b, 0x00, 0x01, 0x00, 0x78, 0x56, 0x34, 0x12,
4311  0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23,
4312  0x45, 0x67, 0x89, 0xab, 0x01, 0x00, 0x00, 0x00,
4313  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4314  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4315  0x02, 0x00, 0x00, 0x00
4316  };
4317  uint32_t bind3_len = sizeof(bind3);
4318 
4319  uint8_t bind_ack3[] = {
4320  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
4321  0x4c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4322  0xb8, 0x10, 0xb8, 0x10, 0x1a, 0x33, 0x00, 0x00,
4323  0x0e, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
4324  0x73, 0x70, 0x6f, 0x6f, 0x6c, 0x73, 0x73, 0x00,
4325  0x0c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4326  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4327  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4328  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4329  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4330  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4331  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4332  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4333  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4334  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4335  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4336  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4337  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4338  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4339  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4340  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4341  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4342  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4343  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4344  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4345  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4346  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4347  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4348  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4349  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4350  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4351  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4352  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4353  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4354  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4355  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
4356  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4357  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4358  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4359  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4360  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4361  0x02, 0x00, 0x00, 0x00
4362  };
4363  uint32_t bind_ack3_len = sizeof(bind_ack3);
4364 
4365  TcpSession ssn;
4366  DCERPCUuidEntry *item = NULL;
4367  int count = 0;
4369 
4370  uint8_t accepted_uuids[3][16] = {
4371  {0x4b, 0x32, 0x4f, 0xc8, 0x16, 0x70, 0x01, 0xd3,
4372  0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88},
4373  {0x4b, 0x32, 0x4f, 0xc8, 0x16, 0x70, 0x01, 0xd3,
4374  0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88},
4375  {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0xab, 0xcd,
4376  0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab}
4377  };
4378 
4379  uint16_t accepted_ctxids[3] = {12, 15, 11};
4380 
4381  memset(&f, 0, sizeof(f));
4382  memset(&ssn, 0, sizeof(ssn));
4383 
4384  FLOW_INITIALIZE(&f);
4385  f.protoctx = (void *)&ssn;
4386  f.proto = IPPROTO_TCP;
4387  f.alproto = ALPROTO_DCERPC;
4388 
4390 
4391  FLOWLOCK_WRLOCK(&f);
4392  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4393  STREAM_TOSERVER, bind1, bind1_len);
4394  if (r != 0) {
4395  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4396  result = 0;
4397  FLOWLOCK_UNLOCK(&f);
4398  goto end;
4399  }
4400  FLOWLOCK_UNLOCK(&f);
4401 
4402  DCERPCState *dcerpc_state = f.alstate;
4403  if (dcerpc_state == NULL) {
4404  printf("no dcerpc state: ");
4405  result = 0;
4406  goto end;
4407  }
4408 
4409  FLOWLOCK_WRLOCK(&f);
4410  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4411  STREAM_TOCLIENT, bind_ack1, bind_ack1_len);
4412  if (r != 0) {
4413  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4414  result = 0;
4415  FLOWLOCK_UNLOCK(&f);
4416  goto end;
4417  }
4418  FLOWLOCK_UNLOCK(&f);
4419 
4420  count = 0;
4422  int i = 0;
4423  /* check the interface uuid */
4424  for (i = 0; i < 16; i++) {
4425  if (accepted_uuids[0][i] != item->uuid[i]) {
4426  result = 0;
4427  goto end;
4428  }
4429  }
4430  if (accepted_ctxids[0] != item->ctxid) {
4431  result = 0;
4432  goto end;
4433  }
4434  count++;
4435  }
4436  if (count != 1) {
4437  result = 0;
4438  goto end;
4439  }
4440 
4441  FLOWLOCK_WRLOCK(&f);
4442  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4443  STREAM_TOSERVER, bind2, bind2_len);
4444  if (r != 0) {
4445  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4446  result = 0;
4447  FLOWLOCK_UNLOCK(&f);
4448  goto end;
4449  }
4450  FLOWLOCK_UNLOCK(&f);
4451 
4452  count = 0;
4454  count++;
4455  }
4456  if (count != 0) {
4457  result = 0;
4458  goto end;
4459  }
4460 
4461  FLOWLOCK_WRLOCK(&f);
4462  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4463  STREAM_TOCLIENT, bind_ack2, bind_ack2_len);
4464  if (r != 0) {
4465  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4466  result = 0;
4467  FLOWLOCK_UNLOCK(&f);
4468  goto end;
4469  }
4470  FLOWLOCK_UNLOCK(&f);
4471 
4472  count = 0;
4474  int i = 0;
4475  /* check the interface uuid */
4476  for (i = 0; i < 16; i++) {
4477  if (accepted_uuids[1][i] != item->uuid[i]) {
4478  result = 0;
4479  goto end;
4480  }
4481  }
4482  if (accepted_ctxids[1] != item->ctxid) {
4483  result = 0;
4484  goto end;
4485  }
4486  count++;
4487  }
4488  if (count != 1) {
4489  result = 0;
4490  goto end;
4491  }
4492 
4493  FLOWLOCK_WRLOCK(&f);
4494  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4495  STREAM_TOSERVER, bind3, bind3_len);
4496  if (r != 0) {
4497  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4498  result = 0;
4499  FLOWLOCK_UNLOCK(&f);
4500  goto end;
4501  }
4502  FLOWLOCK_UNLOCK(&f);
4503 
4504  count = 0;
4506  count++;
4507  }
4508  if (count != 0) {
4509  result = 0;
4510  goto end;
4511  }
4512 
4513  FLOWLOCK_WRLOCK(&f);
4514  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4515  STREAM_TOCLIENT, bind_ack3, bind_ack3_len);
4516  if (r != 0) {
4517  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4518  result = 0;
4519  FLOWLOCK_UNLOCK(&f);
4520  goto end;
4521  }
4522  FLOWLOCK_UNLOCK(&f);
4523 
4524  count = 0;
4526  int i = 0;
4527  /* check the interface uuid */
4528  for (i = 0; i < 16; i++) {
4529  if (accepted_uuids[2][i] != item->uuid[i]) {
4530  result = 0;
4531  goto end;
4532  }
4533  }
4534  if (accepted_ctxids[2] != item->ctxid) {
4535  result = 0;
4536  goto end;
4537  }
4538  count++;
4539  }
4540  if (count != 1) {
4541  result = 0;
4542  goto end;
4543  }
4544 
4545 end:
4546  if (alp_tctx != NULL)
4547  AppLayerParserThreadCtxFree(alp_tctx);
4549  FLOW_DESTROY(&f);
4550  return result;
4551 }
4552 
4553 
4554 /**
4555  * \test Check for correct internal ids for bind_acks + alter_contexts
4556  */
4557 static int DCERPCParserTest17(void)
4558 {
4559  int result = 1;
4560  Flow f;
4561  int r = 0;
4562 
4563  uint8_t bindbuf[] = {
4564  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
4565  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4566  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
4567  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
4568  0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11,
4569  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
4570  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4571  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4572  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
4573  };
4574  uint32_t bindbuf_len = sizeof(bindbuf);
4575 
4576  uint8_t bind_ack[] = {
4577  0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
4578  0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4579  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
4580  0x0d, 0x00, 0x5c, 0x70, 0x69, 0x70, 0x65, 0x5c,
4581  0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00,
4582  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4583  0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
4584  0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
4585  0x02, 0x00, 0x00, 0x00
4586  };
4587  uint32_t bind_ack_len = sizeof(bind_ack);
4588 
4589  uint8_t alter_context[] = {
4590  0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00,
4591  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4592  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
4593  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
4594  0xd0, 0x4c, 0x67, 0x57, 0x00, 0x52, 0xce, 0x11,
4595  0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d,
4596  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4597  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4598  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
4599  };
4600  uint32_t alter_context_len = sizeof(alter_context);
4601 
4602  uint8_t alter_context_resp[] = {
4603  0x05, 0x00, 0x0f, 0x03, 0x10, 0x00, 0x00, 0x00,
4604  0x38, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4605  0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00,
4606  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
4607  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4608  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4609  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
4610  };
4611  uint32_t alter_context_resp_len = sizeof(alter_context_resp);
4612 
4613 
4614  TcpSession ssn;
4615  DCERPCUuidEntry *item = NULL;
4616  int count = 0;
4618 
4619  uint8_t accepted_uuids[2][16] = {
4620  {0x57, 0x67, 0x4c, 0xd0, 0x52, 0x00, 0x11, 0xce,
4621  0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d},
4622  {0x34, 0x2c, 0xfd, 0x40, 0x3c, 0x6c, 0x11, 0xce,
4623  0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d},
4624  };
4625 
4626  uint16_t accepted_ctxids[2] = {1, 0};
4627 
4628  memset(&f, 0, sizeof(f));
4629  memset(&ssn, 0, sizeof(ssn));
4630 
4631  FLOW_INITIALIZE(&f);
4632  f.protoctx = (void *)&ssn;
4633  f.proto = IPPROTO_TCP;
4634  f.alproto = ALPROTO_DCERPC;
4635 
4637 
4638  FLOWLOCK_WRLOCK(&f);
4639  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4640  STREAM_TOSERVER, bindbuf, bindbuf_len);
4641  if (r != 0) {
4642  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4643  result = 0;
4644  FLOWLOCK_UNLOCK(&f);
4645  goto end;
4646  }
4647  FLOWLOCK_UNLOCK(&f);
4648 
4649  DCERPCState *dcerpc_state = f.alstate;
4650  if (dcerpc_state == NULL) {
4651  printf("no dcerpc state: ");
4652  result = 0;
4653  goto end;
4654  }
4655 
4656  FLOWLOCK_WRLOCK(&f);
4657  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4658  STREAM_TOCLIENT, bind_ack, bind_ack_len);
4659  if (r != 0) {
4660  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4661  result = 0;
4662  FLOWLOCK_UNLOCK(&f);
4663  goto end;
4664  }
4665  FLOWLOCK_UNLOCK(&f);
4666 
4667  count = 0;
4669  int i = 0;
4670  /* check the interface uuid */
4671  for (i = 0; i < 16; i++) {
4672  if (accepted_uuids[1][i] != item->uuid[i]) {
4673  result = 0;
4674  goto end;
4675  }
4676  }
4677  if (accepted_ctxids[1] != item->ctxid) {
4678  result = 0;
4679  goto end;
4680  }
4681  count++;
4682  }
4683  if (count != 1) {
4684  result = 0;
4685  goto end;
4686  }
4687 
4688  FLOWLOCK_WRLOCK(&f);
4689  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4690  STREAM_TOSERVER, alter_context, alter_context_len);
4691  if (r != 0) {
4692  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4693  result = 0;
4694  FLOWLOCK_UNLOCK(&f);
4695  goto end;
4696  }
4697  FLOWLOCK_UNLOCK(&f);
4698 
4699  count = 0;
4701  count++;
4702  }
4703  if (count != 1) {
4704  result = 0;
4705  goto end;
4706  }
4707 
4708  FLOWLOCK_WRLOCK(&f);
4709  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4710  STREAM_TOCLIENT, alter_context_resp,
4711  alter_context_resp_len);
4712  if (r != 0) {
4713  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4714  result = 0;
4715  FLOWLOCK_UNLOCK(&f);
4716  goto end;
4717  }
4718  FLOWLOCK_UNLOCK(&f);
4719 
4720  count = 0;
4722  int i = 0;
4723  /* check the interface uuid */
4724  for (i = 0; i < 16; i++) {
4725  if (accepted_uuids[count][i] != item->uuid[i]) {
4726  result = 0;
4727  goto end;
4728  }
4729  }
4730  if (accepted_ctxids[count] != item->ctxid) {
4731  result = 0;
4732  goto end;
4733  }
4734  count++;
4735  }
4736  if (count != 2) {
4737  result = 0;
4738  goto end;
4739  }
4740 
4741 end:
4742  if (alp_tctx != NULL)
4743  AppLayerParserThreadCtxFree(alp_tctx);
4745  FLOW_DESTROY(&f);
4746  return result;
4747 }
4748 
4749 /**
4750  * \test DCERPC fragmented PDU.
4751  */
4752 static int DCERPCParserTest18(void)
4753 {
4754  int result = 1;
4755  Flow f;
4756  int r = 0;
4757 
4758  uint8_t request1[] = {
4759  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
4760  0x26, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
4761  0x0c, 0x00,
4762  };
4763  uint32_t request1_len = sizeof(request1);
4764 
4765  uint8_t request2[] = {
4766  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02,
4767  0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
4768  0x0B, 0x0C, 0xFF, 0xFF
4769  };
4770  uint32_t request2_len = sizeof(request2);
4771 
4772  TcpSession ssn;
4774 
4775  memset(&f, 0, sizeof(f));
4776  memset(&ssn, 0, sizeof(ssn));
4777 
4778  FLOW_INITIALIZE(&f);
4779  f.protoctx = (void *)&ssn;
4780  f.proto = IPPROTO_TCP;
4781  f.alproto = ALPROTO_DCERPC;
4782 
4784 
4785  FLOWLOCK_WRLOCK(&f);
4786  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4787  STREAM_TOSERVER, request1, request1_len);
4788  if (r != 0) {
4789  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4790  result = 0;
4791  FLOWLOCK_UNLOCK(&f);
4792  goto end;
4793  }
4794  FLOWLOCK_UNLOCK(&f);
4795 
4796  DCERPCState *dcerpc_state = f.alstate;
4797  if (dcerpc_state == NULL) {
4798  printf("no dcerpc state: ");
4799  result = 0;
4800  goto end;
4801  }
4802 
4803  result &= (dcerpc_state->dcerpc.bytesprocessed == 18);
4804  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL);
4805 
4806  FLOWLOCK_WRLOCK(&f);
4807  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
4808  STREAM_TOSERVER, request2, request2_len);
4809  if (r != 0) {
4810  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
4811  result = 0;
4812  FLOWLOCK_UNLOCK(&f);
4813  goto end;
4814  }
4815  FLOWLOCK_UNLOCK(&f);
4816 
4817  result &= (dcerpc_state->dcerpc.bytesprocessed == 0);
4818  result &= (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL &&
4819  dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer_len == 14);
4820  result &= (dcerpc_state->dcerpc.dcerpcrequest.opnum == 2);
4821 
4822 end:
4823  if (alp_tctx != NULL)
4824  AppLayerParserThreadCtxFree(alp_tctx);
4826  FLOW_DESTROY(&f);
4827  return result;
4828 }
4829 
4830 static int DCERPCParserTest19(void)
4831 {
4832  int result = 0;
4833  Flow f;
4834  uint8_t dcerpcbind[] = {
4835  0x05, 0x00,
4836  0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04,
4837  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16,
4838  0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00,
4839  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0,
4840  0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f,
4841  0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00,
4842  0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4843  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4844  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00,
4845  0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b,
4846  0x06, 0xac, 0x1b, 0xf0, 0xf5, 0xb7, 0xa7, 0xf7,
4847  0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
4848  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4849  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4850  0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2,
4851  0x10, 0xd1, 0xd0, 0x0c, 0xcc, 0x3d, 0x2f, 0x80,
4852  0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00,
4853  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4854  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4855  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00,
4856  0x01, 0x00, 0xde, 0x85, 0x70, 0xc4, 0x02, 0x7c,
4857  0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36,
4858  0x79, 0x17, 0x01, 0x00, 0x02, 0x00, 0x04, 0x5d,
4859  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4860  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4861  0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x41, 0x65,
4862  0x29, 0x51, 0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37,
4863  0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed, 0x05, 0x00,
4864  0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4865  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4866  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00,
4867  0x01, 0x00, 0x14, 0x96, 0x80, 0x01, 0x2e, 0x78,
4868  0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa,
4869  0x02, 0xfb, 0x06, 0x00, 0x00, 0x00, 0x04, 0x5d,
4870  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4871  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4872  0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x3b, 0x04,
4873  0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55,
4874  0xcd, 0xe7, 0x39, 0xaf, 0x98, 0x9f, 0x03, 0x00,
4875  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4876  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4877  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00,
4878  0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25,
4879  0x92, 0x55, 0xdd, 0xae, 0x9e, 0x5b, 0x3e, 0x93,
4880  0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d,
4881  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4882  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4883  0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4,
4884  0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f, 0x14, 0xcc,
4885  0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00,
4886  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4887  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4888  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00,
4889  0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55,
4890  0x6f, 0x5d, 0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17,
4891  0x52, 0x8d, 0x06, 0x00, 0x03, 0x00, 0x04, 0x5d,
4892  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4893  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4894  0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17,
4895  0x55, 0x0c, 0xf4, 0x23, 0x3c, 0xca, 0xe6, 0xa0,
4896  0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00,
4897  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4898  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4899  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00,
4900  0x01, 0x00, 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1,
4901  0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9,
4902  0x2e, 0xf5, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d,
4903  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4904  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4905  0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xc9, 0x9f,
4906  0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78,
4907  0xe1, 0x13, 0x70, 0x05, 0x38, 0x4d, 0x01, 0x00,
4908  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4909  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4910  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00,
4911  0x01, 0x00, 0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6,
4912  0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7, 0xf8, 0x56,
4913  0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
4914  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4915  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4916  0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0xee, 0x99,
4917  0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa,
4918  0xfd, 0x26, 0x57, 0x02, 0xf1, 0xce, 0x03, 0x00,
4919  0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4920  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4921  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x00,
4922  0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b,
4923  0xba, 0xe4, 0xd3, 0x17, 0x41, 0x60, 0x6d, 0x2d,
4924  0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d,
4925  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4926  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4927  0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24,
4928  0x03, 0x9a, 0xa9, 0x99, 0xfb, 0xbe, 0x49, 0x11,
4929  0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00,
4930  0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4931  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4932  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00,
4933  0x01, 0x00, 0x32, 0x04, 0x7e, 0xae, 0xec, 0x28,
4934  0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d,
4935  0xc6, 0x65, 0x02, 0x00, 0x03, 0x00, 0x04, 0x5d,
4936  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4937  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4938  0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4,
4939  0x81, 0x48, 0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e,
4940  0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6, 0x03, 0x00,
4941  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4942  0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
4943  0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00,
4944  0x01, 0x00, 0xcb, 0xae, 0xb3, 0xc0, 0x0c, 0xf4,
4945  0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70,
4946  0x89, 0x02, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d,
4947  0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
4948  0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
4949  0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0xb8, 0xd0,
4950  0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6,
4951  0x7d, 0x08, 0x0d, 0x33, 0x73, 0x18, 0x02, 0x00,
4952  0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
4953  };
4954 
4955  uint8_t dcerpcbindack[] = {
4956  0x05, 0x00, 0x0c, 0x03,
4957  0x10, 0x00, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00,
4958  0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10,
4959  0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50,
4960  0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73,
4961  0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00,
4962  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4963  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4964  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4965  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4966  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4967  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4968  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4969  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4970  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4971  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4972  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4973  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4974  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4975  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4976  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4977  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4978  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4979  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4980  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4981  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4982  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4983  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4984  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4985  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4986  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4987  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4988  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4989  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4990  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4991  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4992  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4993  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4994  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4995  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
4996  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
4997  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
4998  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
4999  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5000  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5001  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5002  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5003  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5004  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5005  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5006  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5007  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5008  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5009  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5010  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5011  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5012  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5013  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5014  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5015  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5016  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5017  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5018  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5019  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5020  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5021  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5022  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5023  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5024  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5025  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5026  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5027  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5028  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5029  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5030  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5031  0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
5032  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5033  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
5034 
5035  uint32_t bindlen = sizeof(dcerpcbind);
5036  uint32_t bindacklen = sizeof(dcerpcbindack);
5037  TcpSession ssn;
5039 
5040  memset(&f, 0, sizeof(f));
5041  memset(&ssn, 0, sizeof(ssn));
5042 
5043  FLOW_INITIALIZE(&f);
5044  f.protoctx = (void *)&ssn;
5045  f.proto = IPPROTO_TCP;
5046  f.alproto = ALPROTO_DCERPC;
5047 
5049 
5050  FLOWLOCK_WRLOCK(&f);
5051  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
5052  STREAM_TOSERVER | STREAM_START, dcerpcbind,
5053  bindlen);
5054  if (r != 0) {
5055  printf("dcerpc header check returned %" PRId32 ", expected 0: ", r);
5056  FLOWLOCK_UNLOCK(&f);
5057  goto end;
5058  }
5059  FLOWLOCK_UNLOCK(&f);
5060 
5061  DCERPCState *dcerpc_state = f.alstate;
5062  if (dcerpc_state == NULL) {
5063  printf("no dcerpc state: ");
5064  goto end;
5065  }
5066 
5067  if (dcerpc_state->dcerpc.bytesprocessed == 0) {
5068  printf("request - dce parser bytesprocessed should not be 0.\n");
5069  goto end;
5070  }
5071 
5072  FLOWLOCK_WRLOCK(&f);
5073  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
5074  STREAM_TOCLIENT, dcerpcbindack, bindacklen);
5075  if (r == 0) {
5076  printf("dce parser didn't return fail\n");
5077  FLOWLOCK_UNLOCK(&f);
5078  goto end;
5079  }
5080  FLOWLOCK_UNLOCK(&f);
5081 
5082  result = 1;
5083 end:
5084  if (alp_tctx != NULL)
5085  AppLayerParserThreadCtxFree(alp_tctx);
5087  FLOW_DESTROY(&f);
5088  return result;
5089 }
5090 
5091 #endif /* UNITTESTS */
5092 
5094 {
5095 #ifdef UNITTESTS
5096  UtRegisterTest("DCERPCParserTest01", DCERPCParserTest01);
5097  UtRegisterTest("DCERPCParserTest02", DCERPCParserTest02);
5098  UtRegisterTest("DCERPCParserTest03", DCERPCParserTest03);
5099  UtRegisterTest("DCERPCParserTest05", DCERPCParserTest05);
5100  UtRegisterTest("DCERPCParserTest06", DCERPCParserTest06);
5101  UtRegisterTest("DCERPCParserTest07", DCERPCParserTest07);
5102  UtRegisterTest("DCERPCParserTest08", DCERPCParserTest08);
5103  UtRegisterTest("DCERPCParserTest09", DCERPCParserTest09);
5104  UtRegisterTest("DCERPCParserTest10", DCERPCParserTest10);
5105  UtRegisterTest("DCERPCParserTest11", DCERPCParserTest11);
5106  UtRegisterTest("DCERPCParserTest12", DCERPCParserTest12);
5107  UtRegisterTest("DCERPCParserTest13", DCERPCParserTest13);
5108  UtRegisterTest("DCERPCParserTest14", DCERPCParserTest14);
5109  UtRegisterTest("DCERPCParserTest15", DCERPCParserTest15);
5110  UtRegisterTest("DCERPCParserTest16", DCERPCParserTest16);
5111  UtRegisterTest("DCERPCParserTest17", DCERPCParserTest17);
5112  UtRegisterTest("DCERPCParserTest18", DCERPCParserTest18);
5113  UtRegisterTest("DCERPCParserTest19", DCERPCParserTest19);
5114 #endif /* UNITTESTS */
5115 
5116  return;
5117 }
DCERPCRequest dcerpcrequest
uint16_t flags
uint64_t detect_flags_tc
#define SCLogDebug(...)
Definition: util-debug.h:335
#define TAILQ_FIRST(head)
Definition: queue.h:339
uint16_t bytesprocessed
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
struct HtpBodyChunk_ * next
DetectEngineState * de_state
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
int32_t DCERPCParser(DCERPC *dcerpc, const uint8_t *input, uint32_t input_len)
uint8_t proto
Definition: flow.h:344
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
DCERPCUuidEntry * uuid_entry
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
DCERPCResponse dcerpcresponse
uint8_t data_needed_for_dir
int AppLayerProtoDetectConfProtoDetectionEnabled(const char *ipproto, const char *alproto)
Given a protocol name, checks if proto detection is enabled in the conf file.
void AppLayerParserRegisterDetectFlagsFuncs(uint8_t ipproto, AppProto alproto, uint64_t(*GetTxDetectFlags)(void *tx, uint8_t dir), void(*SetTxDetectFlags)(void *tx, uint8_t dir, uint64_t))
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag)
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto, DetectEngineState *(*GetTxDetectState)(void *tx), int(*SetTxDetectState)(void *tx, DetectEngineState *))
#define ALTER_CONTEXT
#define BIND
#define DCERPC_UUID_ENTRY_FLAG_FF
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
#define MIN(x, y)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define SCReturnUInt(x)
Definition: util-debug.h:343
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
void DCERPCUuidListFree(DCERPCUuidEntryList *list)
#define TRUE
DCERPCUuidEntryList uuid_list
void * protoctx
Definition: flow.h:400
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
Definition: util-debug.c:624
uint16_t transaction_id
void DCERPCParserRegisterTests(void)
void printUUID(const char *type, DCERPCUuidEntry *uuid)
printUUID function used to print UUID, Major and Minor Version Number and if it was Accepted or Rejec...
void * alstate
Definition: flow.h:438
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests and when...
#define SCCalloc(nm, a)
Definition: util-mem.h:253
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto, uint8_t direction, AppLayerParserFPtr Parser)
Register app layer parser for the protocol.
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto, void *(StateGetTx)(void *alstate, uint64_t tx_id))
#define ALTER_CONTEXT_RESP
#define TAILQ_INIT(head)
Definition: queue.h:370
Data structures and function prototypes for keeping state for the detection engine.
uint8_t type
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
#define STREAM_EOF
Definition: stream.h:30
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:412
#define SCEnter(...)
Definition: util-debug.h:337
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:364
#define REQUEST
#define PFC_FIRST_FRAG
#define STREAM_TOCLIENT
Definition: stream.h:32
DCERPCBindBindAck dcerpcbindbindack
#define SCByteSwap32(x)
Definition: util-byte.h:70
void AppLayerParserRegisterGetStateProgressCompletionStatus(AppProto alproto, int(*StateGetProgressCompletionStatus)(uint8_t direction))
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
void DetectEngineStateFree(DetectEngineState *state)
Frees a DetectEngineState object.
int RunmodeIsUnittests(void)
Definition: suricata.c:267
#define SCReturnInt(x)
Definition: util-debug.h:341
#define SCRealloc(x, a)
Definition: util-mem.h:238
void RegisterDCERPCParsers(void)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
void AppLayerProtoDetectRegisterProtocol(AppProto alproto, const char *alproto_name)
Registers a protocol for protocol detection phase.
#define SCFree(a)
Definition: util-mem.h:322
#define TAILQ_INSERT_HEAD(head, elm, field)
Definition: queue.h:375
int AppLayerProtoDetectPMRegisterPatternCS(uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction)
Registers a case-sensitive pattern for protocol detection.
uint16_t tx_id
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
#define RESPONSE
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
#define DCERPC_HDR_LEN
#define STREAM_START
Definition: stream.h:29
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
SCMutex m
Definition: flow-hash.h:105
#define APP_LAYER_PARSER_EOF
DCERPCUuidEntryList accepted_uuid_list
#define PFC_LAST_FRAG
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
void hexdump(const void *buf, size_t len)
void DCERPCCleanup(DCERPC *dcerpc)
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto, uint64_t(*StateGetTxCnt)(void *alstate))
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto, void *(*StateAlloc)(void), void(*StateFree)(void *))
uint8_t len
AppProto alproto
application level protocol
Definition: flow.h:409
void DCERPCInit(DCERPC *dcerpc)
uint64_t detect_flags_ts
Flow data structure.
Definition: flow.h:325
#define SCByteSwap16(x)
Definition: util-byte.h:69
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
#define BIND_ACK
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))