Project

General

Profile

Actions

Bug #6008

closed

smb: wrong offset when parse SMB_COM_WRITE_ANDX record

Added by b1 tg over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In function parse_smb1_write_andx_request_record, when wct == 12, offset should use 32-bits value rather than stay 0.

Bug location: https://github.com/OISF/suricata/blob/a94ca4462093c0b41f87a7d8433801a0abbb4390/rust/src/smb/smb1_records.rs#L110-L117

If WordCount is 0x0C, this field represents a 32-bit offset, measured in
bytes, of where the write SHOULD start relative to the beginning of the file. If WordCount
is 0xE, this field represents the lower 32 bits of a 64-bit offset.
[MS-CIFS].pdf (p.246) 2.2.4.43 SMB_COM_WRITE_ANDX (0x2F)
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CIFS/%5bMS-CIFS%5d.pdf

Files


Subtasks 1 (0 open1 closed)

Bug #6139: smb: wrong offset when parse SMB_COM_WRITE_ANDX record (6.0.x backport)ClosedPhilippe AntoineActions
Actions #2

Updated by b1 tg over 1 year ago

Add pcap for test windows behaviour on handling data_offset of smb1 write_andx_request

Actions #3

Updated by b1 tg over 1 year ago

Pcap to show padding bug:
In the origin packet, data_length bcc 20, if we use a proxy to change data_length to 17, Windows still accept it and write 17 bytes to file, but the original `parse_smb1_write_andx_request_record` will take 3 bytes padding to make record.data inconsistent with it in Windows.

Actions #4

Updated by Philippe Antoine over 1 year ago

  • Status changed from New to In Review
  • Target version changed from TBD to 7.0.0-rc2
Actions #5

Updated by Philippe Antoine over 1 year ago

  • Status changed from In Review to Resolved
Actions #6

Updated by Victor Julien over 1 year ago

  • Label Needs backport to 6.0 added
Actions #7

Updated by OISF Ticketbot over 1 year ago

  • Subtask #6139 added
Actions #8

Updated by OISF Ticketbot over 1 year ago

  • Label deleted (Needs backport to 6.0)
Actions #9

Updated by Philippe Antoine over 1 year ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF