Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Smb length fileop 5770 backport6 v1 #8590

Closed
wants to merge 2 commits into from
Closed

Smb length fileop 5770 backport6 v1 #8590

wants to merge 2 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5898
https://redmine.openinfosecfoundation.org/issues/5899

Describe changes:

suricata-verify-pr: 1110
OISF/suricata-verify#1110

These were not clean cherry-picks (like STREAM_TOSERVER stuff)

@catenacyber
smb: checks against nbss records length
aec7adb 
When Suricata handles files over SMB, it does not wait for the
NBSS record to be complete, and can stream the payload to the
file... But it did not check the consistency of the SMB record
length being read or written against the NBSS record length.

This could lead to an evasion where an attacker crafts a SMB
write with a too big Length field, and then sends its evil
payload, even if the server returned an error for the write request.

Ticket: OISF#5770
(cherry picked from commit c1b7bef)
@catenacyber
smb: handles records with trailing nbss data
5483cdd 
If a file (read/write) SMB record has padding/trailing data
after the buffer being read or written, and that Suricata falls
in one case where it skips the data, it should skip until
the very end of the NBSS record, meaning it should also skip the
padding/trailing data.

Otherwise, an attacker may smuggle some NBSS/SMB record in this
trailing data, that will be interpreted by Suricata, but not
by the SMB client/server, leading to evasions.

Ticket: OISF#5786
(cherry picked from commit 233ab11)
@catenacyber catenacyber mentioned this pull request Mar 13, 2023
Closed
@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPW1_stats_chk
.tcp.rst 81708 89975 110.12%

Pipeline 12730

@victorjulien victorjulien mentioned this pull request Mar 28, 2023
Merged
@victorjulien
Copy link
Member

Merged as part of #8636, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
3 participants
@catenacyber @suricata-qa @victorjulien