suricata
app-layer-smb.c
Go to the documentation of this file.
1 /* Copyright (C) 2017-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "suricata.h"
20 
21 #include "app-layer-protos.h"
22 #include "app-layer-detect-proto.h"
23 #include "app-layer-parser.h"
24 
25 #include "util-unittest.h"
26 
27 #include "rust.h"
28 #include "app-layer-smb.h"
29 #include "util-misc.h"
30 
31 
32 static StreamingBufferConfig sbcfg = STREAMING_BUFFER_CONFIG_INITIALIZER;
33 static SuricataFileContext sfc = { &sbcfg };
34 
35 #ifdef UNITTESTS
36 static void SMBParserRegisterTests(void);
37 #endif
38 
39 void RegisterSMBParsers(void)
40 {
41  rs_smb_init(&sfc);
42  rs_smb_register_parser();
43 
44 #ifdef UNITTESTS
45  AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_SMB, SMBParserRegisterTests);
46 #endif
47 
48  return;
49 }
50 
51 #ifdef UNITTESTS
52 #include "stream-tcp.h"
53 #include "util-unittest-helper.h"
54 
55 /** \test multi transactions and cleanup */
56 static int SMBParserTxCleanupTest(void)
57 {
58  uint64_t ret[4];
59  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
60  FAIL_IF_NULL(alp_tctx);
61 
62  StreamTcpInitConfig(true);
63  TcpSession ssn;
64  memset(&ssn, 0, sizeof(ssn));
65 
66  Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 445);
67  FAIL_IF_NULL(f);
68  f->protoctx = &ssn;
69  f->proto = IPPROTO_TCP;
70  f->alproto = ALPROTO_SMB;
71 
72  char req_str[] ="\x00\x00\x00\x79\xfe\x53\x4d\x42\x40\x00\x01\x00\x00\x00\x00\x00" \
73  "\x05\x00\xe0\x1e\x10\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00" \
74  "\x00\x00\x00\x00\x00\x00\x00\x00\x10\x72\xd2\x9f\x36\xc2\x08\x14" \
75  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
76  "\x00\x00\x00\x00\x39\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00" \
77  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00" \
78  "\x00\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" \
79  "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
80  req_str[28] = 0x01;
81  int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
82  STREAM_TOSERVER | STREAM_START, (uint8_t *)req_str, sizeof(req_str));
83  FAIL_IF_NOT(r == 0);
84  req_str[28]++;
85  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
86  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
87  FAIL_IF_NOT(r == 0);
88  req_str[28]++;
89  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
90  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
91  FAIL_IF_NOT(r == 0);
92  req_str[28]++;
93  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
94  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
95  FAIL_IF_NOT(r == 0);
96  req_str[28]++;
97  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
98  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
99  FAIL_IF_NOT(r == 0);
100  req_str[28]++;
101  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
102  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
103  FAIL_IF_NOT(r == 0);
104  req_str[28]++;
105  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
106  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
107  FAIL_IF_NOT(r == 0);
108  req_str[28]++;
109  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
110  STREAM_TOSERVER, (uint8_t *)req_str, sizeof(req_str));
111  FAIL_IF_NOT(r == 0);
112  req_str[28]++;
113 
114  AppLayerParserTransactionsCleanup(f, STREAM_TOSERVER);
115  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
116  FAIL_IF_NOT(ret[0] == 0); // inspect_id[0]
117  FAIL_IF_NOT(ret[1] == 0); // inspect_id[1]
118  FAIL_IF_NOT(ret[2] == 0); // log_id
119  FAIL_IF_NOT(ret[3] == 0); // min_id
120 
121  char resp_str[] = "\x00\x00\x00\x98\xfe\x53\x4d\x42\x40\x00\x01\x00\x00\x00\x00\x00" \
122  "\x05\x00\x21\x00\x11\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00" \
123  "\x00\x00\x00\x00\x00\x00\x00\x00\x10\x72\xd2\x9f\x36\xc2\x08\x14" \
124  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
125  "\x00\x00\x00\x00\x59\x00\x00\x00\x01\x00\x00\x00\x48\x38\x40\xb3" \
126  "\x0f\xa8\xd3\x01\x84\x9a\x2b\x46\xf7\xa8\xd3\x01\x48\x38\x40\xb3" \
127  "\x0f\xa8\xd3\x01\x48\x38\x40\xb3\x0f\xa8\xd3\x01\x00\x00\x00\x00" \
128  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00" \
129  "\x00\x00\x00\x00\x9e\x8f\xb8\x91\x00\x00\x00\x00\x01\x5b\x11\xbb" \
130  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
131 
132  resp_str[28] = 0x01;
133  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
134  STREAM_TOCLIENT | STREAM_START, (uint8_t *)resp_str, sizeof(resp_str));
135  FAIL_IF_NOT(r == 0);
136  resp_str[28] = 0x04;
137  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
138  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
139  FAIL_IF_NOT(r == 0);
140  resp_str[28] = 0x05;
141  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
142  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
143  FAIL_IF_NOT(r == 0);
144  resp_str[28] = 0x06;
145  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
146  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
147  FAIL_IF_NOT(r == 0);
148  resp_str[28] = 0x08;
149  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
150  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
151  FAIL_IF_NOT(r == 0);
152  resp_str[28] = 0x02;
153  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
154  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
155  FAIL_IF_NOT(r == 0);
156  resp_str[28] = 0x07;
157  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
158  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
159  FAIL_IF_NOT(r == 0);
160  AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
161 
162  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
163  FAIL_IF_NOT(ret[0] == 2); // inspect_id[0]
164  FAIL_IF_NOT(ret[1] == 2); // inspect_id[1]
165  FAIL_IF_NOT(ret[2] == 2); // log_id
166  FAIL_IF_NOT(ret[3] == 2); // min_id
167 
168  resp_str[28] = 0x03;
169  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
170  STREAM_TOCLIENT, (uint8_t *)resp_str, sizeof(resp_str));
171  FAIL_IF_NOT(r == 0);
172  AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
173 
174  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
175  FAIL_IF_NOT(ret[0] == 8); // inspect_id[0]
176  FAIL_IF_NOT(ret[1] == 8); // inspect_id[1]
177  FAIL_IF_NOT(ret[2] == 8); // log_id
178  FAIL_IF_NOT(ret[3] == 8); // min_id
179 
180  req_str[28] = 0x09;
181  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
182  STREAM_TOSERVER | STREAM_EOF, (uint8_t *)req_str, sizeof(req_str));
183  FAIL_IF_NOT(r == 0);
184  AppLayerParserTransactionsCleanup(f, STREAM_TOSERVER);
185 
186  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
187  FAIL_IF_NOT(ret[0] == 8); // inspect_id[0] not updated by ..Cleanup() until full tx is done
188  FAIL_IF_NOT(ret[1] == 8); // inspect_id[1]
189  FAIL_IF_NOT(ret[2] == 8); // log_id
190  FAIL_IF_NOT(ret[3] == 8); // min_id
191 
192  resp_str[28] = 0x09;
193  r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_SMB,
194  STREAM_TOCLIENT | STREAM_EOF, (uint8_t *)resp_str, sizeof(resp_str));
195  FAIL_IF_NOT(r == 0);
196  AppLayerParserTransactionsCleanup(f, STREAM_TOCLIENT);
197 
198  UTHAppLayerParserStateGetIds(f->alparser, &ret[0], &ret[1], &ret[2], &ret[3]);
199  FAIL_IF_NOT(ret[0] == 9); // inspect_id[0]
200  FAIL_IF_NOT(ret[1] == 9); // inspect_id[1]
201  FAIL_IF_NOT(ret[2] == 9); // log_id
202  FAIL_IF_NOT(ret[3] == 9); // min_id
203 
204  AppLayerParserThreadCtxFree(alp_tctx);
205  StreamTcpFreeConfig(true);
206  UTHFreeFlow(f);
207 
208  PASS;
209 }
210 
211 static void SMBParserRegisterTests(void)
212 {
213  UtRegisterTest("SMBParserTxCleanupTest", SMBParserTxCleanupTest);
214 }
215 
216 #endif /* UNITTESTS */
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
RegisterSMBParsers
void RegisterSMBParsers(void)
Definition: app-layer-smb.c:39
stream-tcp.h
AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
remove obsolete (inspected and logged) transactions
Definition: app-layer-parser.c:921
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:369
STREAMING_BUFFER_CONFIG_INITIALIZER
#define STREAMING_BUFFER_CONFIG_INITIALIZER
Definition: util-streaming-buffer.h:75
Flow_
Flow data structure.
Definition: flow.h:347
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
rust.h
Flow_::protoctx
void * protoctx
Definition: flow.h:437
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:471
app-layer-detect-proto.h
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:359
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:521
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
app-layer-parser.h
AppLayerParserRegisterProtocolUnittests
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto, void(*RegisterUnittests)(void))
Definition: app-layer-parser.c:1910
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:526
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:690
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1307
suricata-common.h
StreamingBufferConfig_
Definition: util-streaming-buffer.h:66
SuricataFileContext_
Definition: rust-context.h:69
UTHAppLayerParserStateGetIds
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min)
Definition: app-layer-parser.c:216
app-layer-protos.h
suricata.h
app-layer-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
TcpSession_
Definition: stream-tcp-private.h:283
util-misc.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:446