Merge remote-tracking branch 'security/topic/timw/131-smb-fscontrol-o…

…verflow' * security/topic/timw/131-smb-fscontrol-overflow: Restore/rename field in SMB2::Fscontrol record type
zeek · Feb 1, 2023 · 0fd335f · 0fd335f
2 parents f33c697 + 84ac362
commit 0fd335f
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 2 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,3 +1,11 @@
+5.2.0-dev.604 | 2023-02-01 10:48:03 -0700
+
+  * Restore/rename field in SMB2::Fscontrol record type (Tim Wojtulewicz, Corelight)
+
+    b41a4bf06dc2f3a4218cfa0a95b536ec9d253917 removed a field from this record
+    because it had a duplicate name as another field. The field does need to
+    exist, but it needs the correct name.
+
 5.2.0-dev.602 | 2023-02-01 10:47:41 -0700
 
   * testing/http: http-11-request-then-cruft (Arne Welzel, Corelight)

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-5.2.0-dev.602
+5.2.0-dev.604
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
@@ -3603,8 +3603,10 @@ export {
 	type SMB2::Fscontrol: record {
 		## minimum amount of free disk space required to begin document filtering
 		free_space_start_filtering : int;
-		## minimum amount of free disk space required to continue document filtering
+		## minimum amount of free disk space required to continue filtering documents and merging word lists
 		free_space_threshold       : int;
+		## minimum amount of free disk space required to continue content filtering
+		free_space_stop_filtering  : int;
 		## default per-user disk quota
 		delete_quota_threshold     : count;
 		## default per-user disk limit

diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fscontrol/out b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-fscontrol/out
@@ -0,0 +1,3 @@
+[credit_charge=0, status=0, command=17, credits=2, flags=255, message_id=576460756581679103, process_id=213, tree_id=0, session_id=11555726885438752000, signature=\x01\x05\x05\x02\xa0`0^\xa000.\x06\x09*\x86]
+[persistent=6859950276847483450, volatile=7016448126591398502]
+[free_space_start_filtering=1869373806, free_space_threshold=1601467760, free_space_stop_filtering=1933860724, delete_quota_threshold=7308895133777551220, default_quota_limit=100, fs_control_flags=4278190080]
diff --git a/testing/btest/Traces/smb/smb2_fscontrol.pcap b/testing/btest/Traces/smb/smb2_fscontrol.pcap
diff --git a/testing/btest/scripts/base/protocols/smb/smb2-fscontrol.test b/testing/btest/scripts/base/protocols/smb/smb2-fscontrol.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: zeek -r $TRACES/smb/smb2_fscontrol.pcap %INPUT > out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+event smb2_file_fscontrol(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol)
+    {
+    print hdr;
+    print file_id;
+    print fs_control;
+    }