
📄 dce2_cl.c

📁 snort2.8.4版本
        DCE2_ClFragReassemble(sd, at, cl_hdr);        return;    }    if (DCE2_ListIsEmpty(ft->frags))    {        /* If this is the first fragment we've received, set interface uuid */        DCE2_CopyUuid(&ft->iface, DceRpcClIface(cl_hdr), DceRpcClByteOrder(cl_hdr));        ft->iface_vers = DceRpcClIfaceVers(cl_hdr);    }    if (DceRpcClLastFrag(cl_hdr))    {        /* Set number of expected frags on last frag */        ft->num_expected_frags = DceRpcClFragNum(cl_hdr) + 1;    }    else if (DceRpcClFirstFrag(cl_hdr))    {        /* Set opum and byte order on first frag */        ft->opnum = DceRpcClOpnum(cl_hdr);        ft->data_byte_order = DceRpcClByteOrder(cl_hdr);    }    /* Insert frag node into the list */    status = DCE2_ListInsert(ft->frags, (void *)(uintptr_t)fn->frag_number, (void *)fn);    if (status != DCE2_RET__SUCCESS)    {        DCE2_Free((void *)fn->frag_data, frag_len, DCE2_MEM_TYPE__CL_FRAG);        DCE2_Free((void *)fn, sizeof(DCE2_ClFragNode), DCE2_MEM_TYPE__CL_FRAG);        DCE2_ClFragReassemble(sd, at, cl_hdr);        return;    }    /* Fragment number field in header is uint16_t */    if ((ft->num_expected_frags != DCE2_SENTINEL) &&        (uint16_t)ft->frags->num_nodes == (uint16_t)ft->num_expected_frags)    {        /* We got all of the frags - reassemble */        DCE2_ClFragReassemble(sd, at, cl_hdr);        at->seq_num_invalid = 1;    }    else    {        /* Cache relevant values for rule option processing */        if (DceRpcClFirstFrag(cl_hdr))            sd->ropts.first_frag = 1;        else            sd->ropts.first_frag = 0;        DCE2_CopyUuid(&sd->ropts.iface, &ft->iface, DCERPC_BO_FLAG__NONE);        sd->ropts.iface_vers = ft->iface_vers;        sd->ropts.hdr_byte_order = DceRpcClByteOrder(cl_hdr);        if (ft->data_byte_order != DCE2_SENTINEL)            sd->ropts.data_byte_order = ft->data_byte_order;        else            sd->ropts.data_byte_order = DceRpcClByteOrder(cl_hdr);        if (ft->opnum != DCE2_SENTINEL)     
       sd->ropts.opnum = ft->opnum;
        else
            sd->ropts.opnum = DceRpcClOpnum(cl_hdr);

        sd->ropts.stub_data = (uint8_t *)cl_hdr + sizeof(DceRpcClHdr);

        DCE2_Detect(sd);
    }
}

/********************************************************************
 * Function: DCE2_ClFragCompare()
 *
 * Callback to fragment list for sorting the nodes in the list
 * by fragment number.  Values passed in are the fragment numbers.
 *
 * The arguments are not addresses: each one is an integer carried
 * in a pointer-sized value, and neither is ever dereferenced here.
 *
 * Arguments:
 *  const void *
 *      First fragment number to compare.
 *  const void *
 *      Second fragment number to compare.
 *
 * Returns:
 *  int
 *       1 if first value is greater than second value
 *      -1 if first value is less than second value
 *       0 if first value equals second value
 *
 ********************************************************************/
static int DCE2_ClFragCompare(const void *a, const void *b)
{
    /* Recover the integer keys from the pointer-sized arguments. */
    int x = (int)(uintptr_t)a;
    int y = (int)(uintptr_t)b;

    /* Explicit comparisons rather than a subtraction, so the result
     * is always exactly 1, -1 or 0. */
    if (x > y)
        return 1;
    if (x < y)
        return -1;

    return 0;
}

/********************************************************************
 * Function: DCE2_ClFragReassemble()
 *
 * Reassembles fragments into reassembly buffer and copies to
 * reassembly packet, then runs detection on that packet.
 *
 * Fragments are concatenated in the order the fragment list returns
 * them.  Fragment numbers are not inspected here, so gaps in the
 * sequence are not detected by this function.  It is called both
 * when the expected number of fragments has arrived and from error
 * paths (for example after a failed list insert), so the list it
 * walks may be incomplete.
 *
 * This function does not free the fragments or reset the tracker.
 *
 * Arguments:
 *  DCE2_SsnData *
 *      Pointer to the session data structure.
 *  DCE2_ClActTracker *
 *      Pointer to the connectionless activity tracker.
 *  DceRpcClHdr *
 *      Pointer to the connectionless header in the packet.
 *
 * Returns: None
 *
 ********************************************************************/
static void DCE2_ClFragReassemble(DCE2_SsnData *sd, DCE2_ClActTracker *at, const DceRpcClHdr *cl_hdr)
{
    DCE2_ClFragTracker *ft = &at->frag_tracker;
    DCE2_ClFragNode *fnode;
    /* rdata is the write cursor into the reassembly buffer, which is
     * declared outside this function; rlen is the space left in it. */
    uint8_t *rdata = dce2_cl_rbuf;
    /* NOTE(review): sizeof() is narrowed to uint16_t here.  If
     * dce2_cl_rbuf is larger than 65535 bytes the stored value wraps
     * and no longer matches the buffer size - confirm against the
     * buffer's declaration. */
    uint16_t rlen = sizeof(dce2_cl_rbuf);
    /* Total number of bytes copied into the reassembly buffer. */
    uint32_t stub_len = 0;
    const uint8_t *stub_data = NULL;
    SFSnortPacket *rpkt = NULL;

    for (fnode = (DCE2_ClFragNode *)DCE2_ListFirst(ft->frags);
         fnode != NULL;
         fnode = (DCE2_ClFragNode *)DCE2_ListNext(ft->frags))
    {
        /* Bound check before the copy: a fragment that does not fit
         * in the remaining space stops reassembly.  The bytes copied
         * so far are still handed to detection below. */
        if (fnode->frag_len > rlen)
        {
            DCE2_Log("%s(%d) => Size of fragments exceeds reassembly buffer size.\n",
                     __FILE__, __LINE__);
            break;
        }

        /* The last two arguments are the start and end of the
         * remaining destination window; presumably DCE2_Memcpy
         * validates the copy against that window - confirm. */
        if (DCE2_Memcpy(rdata, fnode->frag_data, fnode->frag_len, rdata, rdata + rlen) != DCE2_RET__SUCCESS)
        {
            DCE2_Log("%s(%d) => Failed to copy data into fragment reassembly buffer\n",
                     __FILE__, __LINE__);
            break;
        }

        /* Presumably advances rdata and shrinks rlen by frag_len
         * (macro not shown here) - confirm. */
        DCE2_MOVE(rdata, rlen, fnode->frag_len);
        stub_len += fnode->frag_len;
    }

    /* Only the UDP transport is handled; any other transport type is
     * logged and the function returns without running detection. */
    switch (sd->trans)
    {
        case DCE2_TRANS_TYPE__UDP:
            rpkt = DCE2_GetRpkt(sd->wire_pkt, DCE2_RPKT_TYPE__UDP_CL_FRAG, dce2_cl_rbuf, stub_len);
            if (rpkt == NULL)
            {
                DCE2_Log("%s(%d) => Failed to create reassembly packet\n",
                         __FILE__, __LINE__);
                return;
            }

            /* NOTE(review): the length passed here assumes
             * rpkt->payload_size >= DCE2_MOCK_HDR_LEN__CL; a smaller
             * payload would make the subtraction wrap before the
             * uint16_t cast.  Presumably DCE2_GetRpkt guarantees
             * this - confirm. */
            DCE2_ClSetRdata(at, cl_hdr, (uint8_t *)rpkt->payload,
                            (uint16_t)(rpkt->payload_size - DCE2_MOCK_HDR_LEN__CL));
            /* Stub data starts right after the mock header in the
             * reassembly packet's payload. */
            stub_data = rpkt->payload + DCE2_MOCK_HDR_LEN__CL;
            break;

        default:
            DCE2_Log("%s(%d) => Invalid transport type\n", __FILE__, __LINE__);
            return;
    }

    /* The matching DCE2_PopPkt() is called only on the success path
     * below; if the push fails there is nothing to pop. */
    if (DCE2_PushPkt(rpkt) != DCE2_RET__SUCCESS)
    {
        DCE2_Log("%s(%d) => Failed to push packet onto packet stack\n", __FILE__, __LINE__);
        return;
    }

    /* Cache relevant values for rule option processing */
    /* The reassembled packet is always marked as a first fragment. */
    sd->ropts.first_frag = 1;
    DCE2_CopyUuid(&sd->ropts.iface, &ft->iface, DCERPC_BO_FLAG__NONE);
    sd->ropts.iface_vers = ft->iface_vers;
    sd->ropts.hdr_byte_order = DceRpcClByteOrder(cl_hdr);

    /* Use the tracked data byte order and opnum when they have been
     * set; while they still hold the sentinel, fall back to the
     * values in the current packet's header. */
    if (ft->data_byte_order != DCE2_SENTINEL)
        sd->ropts.data_byte_order = ft->data_byte_order;
    else
        sd->ropts.data_byte_order = DceRpcClByteOrder(cl_hdr);

    if (ft->opnum != DCE2_SENTINEL)
        sd->ropts.opnum = ft->opnum;
    else
        sd->ropts.opnum = DceRpcClOpnum(cl_hdr);

    sd->ropts.stub_data = stub_data;

    DCE2_Detect(sd);
    DCE2_PopPkt();

    dce2_stats.cl_reassembled++;
}

/********************************************************************
 * Function: DCE2_ClResetFragTracker()
 *
 * Destroys the fragment tracker's fragment list and resets opnum,
 * byte order and number of expected frags to a sentinel.
 * A NULL tracker is ignored.
 *
 * Arguments:
 *  DCE2_ClFragTracker *
 *      Pointer to the fragment tracker to reset.
 *
 * Returns: None
 *
 ********************************************************************/
static void DCE2_ClResetFragTracker(DCE2_ClFragTracker *ft)
{
    if (ft == NULL)
        return;

    if (ft->frags != NULL)
    {
        DCE2_ListDestroy(ft->frags);
        /* Clear the pointer so the destroyed list cannot be reached
         * through the tracker again. */
        ft->frags = NULL;
    }

    ft->opnum = DCE2_SENTINEL;
    ft->data_byte_order = DCE2_SENTINEL;
    ft->num_expected_frags = DCE2_SENTINEL;
}

/********************************************************************
 * Function: DCE2_ClCleanTracker()
 *
 * Destroys the activity tracker list, which cleans out and
 * frees all data associated with each activity tracker in the
 * list.  A NULL tracker is ignored.
 *
 * Arguments:
 *  DCE2_ClTracker *
 *      Pointer to connectionless tracker.
 *
 * Returns: None
 *
 ********************************************************************/
void DCE2_ClCleanTracker(DCE2_ClTracker *clt)
{
    if (clt == NULL)
        return;

    /* Destroy activity trackers list - this will have the
     * effect of freeing everything inside of it */
    /* NOTE(review): unlike DCE2_ClResetFragTracker(), the list
     * pointer is not checked for NULL before the destroy call;
     * this relies on DCE2_ListDestroy() accepting NULL - confirm. */
    DCE2_ListDestroy(clt->act_trackers);
    clt->act_trackers = NULL;
}

/********************************************************************
 * Function: DCE2_ClActDataFree()
 *
 * Callback to activity tracker list for freeing activity trackers.
 * Destroys the tracker's fragment list first, then frees the
 * tracker itself.  A NULL pointer is ignored.
 *
 * Arguments:
 *  void *
 *      Activity tracker to free.
 *
 * Returns: None
 *
 ********************************************************************/
static void DCE2_ClActDataFree(void *data)
{
    DCE2_ClActTracker *at = (DCE2_ClActTracker *)data;

    if (at == NULL)
        return;

    /* NOTE(review): frags is passed without a NULL check; relies on
     * DCE2_ListDestroy() accepting NULL - confirm. */
    DCE2_ListDestroy(at->frag_tracker.frags);
    at->frag_tracker.frags = NULL;

    /* The size and memory type passed to DCE2_Free() presumably have
     * to match the values used at allocation - confirm. */
    DCE2_Free((void *)at, sizeof(DCE2_ClActTracker), DCE2_MEM_TYPE__CL_ACT);
}

/********************************************************************
 * Function: DCE2_ClActKeyFree()
 *
 * Callback to activity tracker list for freeing the key (this is
 * the activity UUID).  Since key is dynamically allocated, we need
 * to free it.  A NULL key is ignored.
 *
 * Arguments:
 *  void *
 *      The activity UUID to free.
 *
 * Returns: None
 *
 ********************************************************************/
static void DCE2_ClActKeyFree(void *key)
{
    if (key == NULL)
        return;

    /* The key is freed as one Uuid-sized object. */
    DCE2_Free(key, sizeof(Uuid), DCE2_MEM_TYPE__CL_ACT);
}

/********************************************************************
 * Function: DCE2_ClFragDataFree()
 *
 * Callback to fragment list for freeing data kept in list.  Need
 * to free the frag node and the data attached to it.
 * A NULL pointer is ignored.
 *
 * Arguments:
 *  void *
 *      Pointer to fragment data (a frag node).
 *
 * Returns: None
 *
 ********************************************************************/
static void DCE2_ClFragDataFree(void *data)
{
    DCE2_ClFragNode *fn = (DCE2_ClFragNode *)data;

    if (fn == NULL)
        return;

    /* Free the payload before the node that points to it.  The size
     * passed is fn->frag_len, so that field presumably has to still
     * hold the allocated length - confirm. */
    if (fn->frag_data != NULL)
        DCE2_Free((void *)fn->frag_data, fn->frag_len, DCE2_MEM_TYPE__CL_FRAG);

    DCE2_Free((void *)fn, sizeof(DCE2_ClFragNode), DCE2_MEM_TYPE__CL_FRAG);
}
