dcerpc.c

著名的入侵检测系统snort的最新版本的源码

                            _dcerpc->dcerpc_req_buf_size = (u_int16_t) _dpd.altBufferLen;

                        _dcerpc->dcerpc_req_buf = DCERPC_FragAlloc(_dcerpc->dcerpc_req_buf, old_buf_size,
                                                                            &_dcerpc->dcerpc_req_buf_size);

                        if ( _dcerpc->dcerpc_req_buf_size == old_buf_size )
                        {
                            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Memcap reached, suspending DCE/RPC fragmentation reassembly.\n"););

                            _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION;
                        }

                        if ( !_dcerpc->dcerpc_req_buf )
                            DynamicPreprocessorFatalMessage("Failed to reallocate space for DCE/RPC fragmented request\n");

                    }

                    if ( _dcerpc->dcerpc_req_buf_len < _dcerpc->dcerpc_req_buf_size )
                    {                   
                        if ( _dcerpc->dcerpc_req_buf_len + dcerpc_len > _dcerpc->dcerpc_req_buf_size )
                        {
                            dcerpc_len = _dcerpc->dcerpc_req_buf_size - _dcerpc->dcerpc_req_buf_len;
                        }

                        ret = SafeMemcpy(_dcerpc->dcerpc_req_buf + _dcerpc->dcerpc_req_buf_len,
                                         data + sizeof(DCERPC_REQ), dcerpc_len,
                                         _dcerpc->dcerpc_req_buf, _dcerpc->dcerpc_req_buf + _dcerpc->dcerpc_req_buf_size);

                        if (ret == 0)
                        {
                            DCERPC_FragFree(_dcerpc->dcerpc_req_buf, 0);
                            _dcerpc->dcerpc_req_buf_len = 0;
                            _dcerpc->dcerpc_req_buf_size = 0;
                            _dcerpc->dcerpc_req_buf = NULL;
                            _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION;

                            return 0;
                        }

                        _dcerpc->dcerpc_req_buf_len += dcerpc_len;

                        if ( _debug_print )
                            PrintBuffer("DCE/RPC fragment", data + sizeof(DCERPC_REQ), dcerpc_len);
                    }
                }
            }
            else
            {
                /* Check for DCE/RPC fragmentation */
                if ( (dcerpc_hdr->flags & DCERPC_FIRST_FRAG) && !(dcerpc_hdr->flags & DCERPC_LAST_FRAG) )
                {
                    u_int16_t  alloc_size = DCERPC_FRAG_ALLOC;

                    _dcerpc->dcerpc_req_buf_len = frag_length - sizeof(DCERPC_REQ);

                    if ( _dcerpc->dcerpc_req_buf_len > (data_size - sizeof(DCERPC_REQ)) )
                    {
                        _dcerpc->dcerpc_req_buf_len = data_size - sizeof(DCERPC_REQ);
                    }

                    if ( _dcerpc->dcerpc_req_buf_len > DCERPC_FRAG_ALLOC )
                    {
                        alloc_size = _dcerpc->dcerpc_req_buf_len;
                    }
                    _dcerpc->dcerpc_req_buf = (u_int8_t *) DCERPC_FragAlloc(NULL, 0, &alloc_size);

                    if ( alloc_size == 0 )
                    {
                        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Memcap reached, ignoring DCE/RPC fragmentation reassembly.\n"););

                        DCERPC_FragFree(_dcerpc->dcerpc_req_buf, 0);
                        _dcerpc->dcerpc_req_buf_len = 0;
                        _dcerpc->dcerpc_req_buf_size = 0;
                        _dcerpc->dcerpc_req_buf = NULL;
                        _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION;

                        return 0;
                    }

                    if ( !_dcerpc->dcerpc_req_buf )
                        DynamicPreprocessorFatalMessage("Failed to allocate space for first DCE/RPC fragmented request\n");


                    if ( _dcerpc->dcerpc_req_buf_len > alloc_size )
                    {
                        _dcerpc->dcerpc_req_buf_len = alloc_size;
                    }

                    _dcerpc->dcerpc_req_buf_size = alloc_size;

                    ret = SafeMemcpy(_dcerpc->dcerpc_req_buf, data + sizeof(DCERPC_REQ), _dcerpc->dcerpc_req_buf_len,
                                     _dcerpc->dcerpc_req_buf, _dcerpc->dcerpc_req_buf + _dcerpc->dcerpc_req_buf_size);

                    if (ret == 0)
                    {
                        DCERPC_FragFree(_dcerpc->dcerpc_req_buf, 0);
                        _dcerpc->dcerpc_req_buf_len = 0;
                        _dcerpc->dcerpc_req_buf_size = 0;
                        _dcerpc->dcerpc_req_buf = NULL;
                        _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION;

                        return 0;
                    }

                    _dcerpc->fragmentation |= RPC_FRAGMENTATION;

                    if ( _debug_print )
                        PrintBuffer("DCE/RPC fragment", data + sizeof(DCERPC_REQ), _dcerpc->dcerpc_req_buf_len);                
                }
                else
                {
                    return 0;
                }
            }
        }
      
        /* Check for last frag */
        if ( (_dcerpc->fragmentation & RPC_FRAGMENTATION) && dcerpc_hdr->flags & DCERPC_LAST_FRAG )
        {
            return 1;
        }
    }

    return 0;
}

void ReassembleDCERPCRequest(const u_int8_t *smb_hdr, u_int16_t smb_hdr_len, const u_int8_t *data)
{
    DCERPC_REQ      fake_req;
    unsigned int    dcerpc_req_len = sizeof(DCERPC_REQ);
    int             ret;

    /* Make sure we have room to fit into alternate buffer */
    if ( (smb_hdr_len + dcerpc_req_len + _dcerpc->dcerpc_req_buf_len) > (u_int16_t) _dpd.altBufferLen )
    {
        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Reassembled DCE/RPC packet greater than %d bytes, skipping.", _dpd.altBufferLen));
        return;
    }
   
    /* Mock up header */
    ret = SafeMemcpy(&fake_req, data, dcerpc_req_len, &fake_req, (u_int8_t *)&fake_req + dcerpc_req_len);
    
    if (ret == 0)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, skipping DCERPC reassembly."));
        goto dcerpc_frag_free;
    }

    fake_req.dcerpc_hdr.frag_length = dcerpc_req_len + _dcerpc->dcerpc_req_buf_len;
    fake_req.dcerpc_hdr.flags &= ~DCERPC_FIRST_FRAG;
    fake_req.dcerpc_hdr.flags &= ~DCERPC_LAST_FRAG;
    fake_req.alloc_hint = _dcerpc->dcerpc_req_buf_len;

    /* Copy headers into buffer */
    _dcerpc_pkt->normalized_payload_size = 0;

    if ( smb_hdr )
    {
        ret = SafeMemcpy(_dpd.altBuffer, _dcerpc_pkt->payload, sizeof(NBT_HDR),
                                                    _dpd.altBuffer, _dpd.altBuffer + _dpd.altBufferLen);
        if ( ret == 0 )
        {
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, skipping DCERPC reassembly."));
            goto dcerpc_frag_free;
        }
        _dcerpc_pkt->normalized_payload_size = sizeof(NBT_HDR);
        ret = SafeMemcpy(_dpd.altBuffer + _dcerpc_pkt->normalized_payload_size, smb_hdr, smb_hdr_len,
                                                    _dpd.altBuffer, _dpd.altBuffer + _dpd.altBufferLen);
        if ( ret == 0 )
        {
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, skipping DCERPC reassembly."));
            goto dcerpc_frag_free;
        }
        _dcerpc_pkt->normalized_payload_size += smb_hdr_len;
    }

    ret = SafeMemcpy(_dpd.altBuffer + _dcerpc_pkt->normalized_payload_size, &fake_req, dcerpc_req_len,
                                                    _dpd.altBuffer, _dpd.altBuffer + _dpd.altBufferLen);
    if ( ret == 0 )
    {
        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, skipping DCERPC reassembly."));
        goto dcerpc_frag_free;
    }
    _dcerpc_pkt->normalized_payload_size += dcerpc_req_len;

    /* Copy data into buffer */
    ret = SafeMemcpy(_dpd.altBuffer + _dcerpc_pkt->normalized_payload_size, _dcerpc->dcerpc_req_buf, _dcerpc->dcerpc_req_buf_len,
                                                    _dpd.altBuffer, _dpd.altBuffer + _dpd.altBufferLen);
    if ( ret == 0 )
    {
        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC data, skipping DCERPC reassembly."));
        goto dcerpc_frag_free;
    }
    _dcerpc_pkt->normalized_payload_size += _dcerpc->dcerpc_req_buf_len;

    _dcerpc_pkt->flags |= FLAG_ALT_DECODE;

    if ( _debug_print )
        PrintBuffer("DCE/RPC reassembled fragment", (u_int8_t *)_dpd.altBuffer, _dcerpc_pkt->normalized_payload_size);

dcerpc_frag_free:    
    /* Get ready for next write */
    DCERPC_FragFree(_dcerpc->dcerpc_req_buf, _dcerpc->dcerpc_req_buf_size);
    _dcerpc->dcerpc_req_buf = NULL;
    _dcerpc->dcerpc_req_buf_len = 0;
    _dcerpc->dcerpc_req_buf_size = 0;
    _dcerpc->fragmentation &= ~RPC_FRAGMENTATION;
    _dcerpc->fragmentation &= ~SUSPEND_FRAGMENTATION;
}