Merge remote-tracking branch 'origin/topic/jsiwek/gh-684-fix-rpc-pars…

…ing' * origin/topic/jsiwek/gh-684-fix-rpc-parsing: GH-684: Fix parsing of RPC calls with non-AUTH_UNIX flavors Addresses GH-684
zeek · Nov 21, 2019 · e5db1f0 · e5db1f0
2 parents 5dafa72 + 37a478a
commit e5db1f0
Show file tree

Hide file tree

Showing 8 changed files with 125 additions and 50 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,4 +1,11 @@
 
+3.1.0-dev.286 | 2019-11-21 08:47:32 -0800
+
+  * GH-684: Fix parsing of RPC calls with non-AUTH_UNIX flavors
+
+    The parsing logic that should be specific to the AUTH_UNIX credential
+    flavor was previously applied unconditionally to other flavors. (Jon Siwek, Corelight)
+
 3.1.0-dev.284 | 2019-11-21 08:29:36 -0800
 
   * Fix ZEEK_PROFILER_FILE file format/parsing

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.1.0-dev.284
+3.1.0-dev.286
diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc
@@ -29,6 +29,9 @@ RPC_CallInfo::RPC_CallInfo(uint32_t arg_xid, const u_char*& buf, int& n, double
 	{
 	v = nullptr;
 	xid = arg_xid;
+	stamp = 0;
+	uid = 0;
+	gid = 0;
 
 	start_time = arg_start_time;
 	last_time = arg_last_time;
@@ -42,7 +45,8 @@ RPC_CallInfo::RPC_CallInfo(uint32_t arg_xid, const u_char*& buf, int& n, double
 	vers = extract_XDR_uint32(buf, n);
 	proc = extract_XDR_uint32(buf, n);
 	cred_flavor = extract_XDR_uint32(buf, n);
-	int cred_opaque_n, machinename_n;
+
+	int cred_opaque_n;
 	const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n);
 
 	if ( ! cred_opaque )
@@ -51,32 +55,39 @@ RPC_CallInfo::RPC_CallInfo(uint32_t arg_xid, const u_char*& buf, int& n, double
 		return;
 		}
 
-	stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+	verf_flavor = skip_XDR_opaque_auth(buf, n);
 
-	const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n);
+	if ( ! buf )
+		return;
 
-	if ( ! tmp )
+	if ( cred_flavor == RPC_AUTH_UNIX )
 		{
-		buf = nullptr;
-		return;
-		}
+		stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+		int machinename_n;
+		constexpr auto max_machinename_len = 255;
+		auto mnp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n, max_machinename_len);
 
-	machinename = std::string(reinterpret_cast<const char*>(tmp), machinename_n);
+		if ( ! mnp )
+			{
+			buf = nullptr;
+			return;
+			}
 
-	uid = extract_XDR_uint32(cred_opaque, cred_opaque_n);
-	gid = extract_XDR_uint32(cred_opaque, cred_opaque_n);
-	size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+		machinename = std::string(reinterpret_cast<const char*>(mnp), machinename_n);
+		uid = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+		gid = extract_XDR_uint32(cred_opaque, cred_opaque_n);
 
-	if ( number_of_gids > 64 )
-		{
-		buf = nullptr;
-		return;
-		}
+		size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n);
 
-	for ( auto i = 0u; i < number_of_gids; ++i )
-		auxgids.push_back(extract_XDR_uint32(cred_opaque, cred_opaque_n));
+		if ( number_of_gids > 64 )
+			{
+			buf = nullptr;
+			return;
+			}
 
-	verf_flavor = skip_XDR_opaque_auth(buf, n);
+		for ( auto i = 0u; i < number_of_gids; ++i )
+			auxgids.push_back(extract_XDR_uint32(cred_opaque, cred_opaque_n));
+		}
 
 	header_len = call_n - n;
 

diff --git a/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout
@@ -1,2 +1,2 @@
-mount_proc_mnt: [id=[orig_h=10.111.131.18, orig_p=765/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=144, state=1, num_pkts=2, num_bytes_ip=200, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=84, state=1, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.621984, duration=0.000553, service={\x0a\x0a}, history=Dd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, successful=T]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.62212, req_dur=0.0, req_len=96, rep_start=1514568131.622537, rep_dur=0.0, rep_len=52, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09[dirname=/pddevbal801]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, auth_flavors=[MOUNT3::AUTH_UNIX]]\x0a
-mount_proc_umnt: [id=[orig_h=10.111.131.18, orig_p=1016/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=92, state=1, num_pkts=1, num_bytes_ip=120, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=24, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.665918, duration=0.000266, service={\x0a\x0a}, history=Dd, uid=CtPZjS20MLrsMUOJi2, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, successful=T]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.665918, req_dur=0.0, req_len=84, rep_start=1514568131.666184, rep_dur=0.0, rep_len=16, rpc_uid=0, rpc_gid=0, rpc_stamp=1514568131, rpc_machine_name=pddevbal802, rpc_auxgids=[0]]\x0a\x09[dirname=/pddevbal801]\x0a
+mount_proc_mnt: [id=[orig_h=10.111.131.18, orig_p=765/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=144, state=1, num_pkts=2, num_bytes_ip=200, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=84, state=1, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.621984, duration=0.000553, service={\x0a\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, successful=T]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.62212, req_dur=0.0, req_len=96, rep_start=1514568131.622537, rep_dur=0.0, rep_len=52, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09[dirname=/pddevbal801]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, auth_flavors=[MOUNT3::AUTH_UNIX]]\x0a
+mount_proc_umnt: [id=[orig_h=10.111.131.18, orig_p=1016/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=92, state=1, num_pkts=1, num_bytes_ip=120, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=24, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.665918, duration=0.000266, service={\x0a\x0a}, history=Dd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, successful=T]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.665918, req_dur=0.0, req_len=84, rep_start=1514568131.666184, rep_dur=0.0, rep_len=16, rpc_uid=0, rpc_gid=0, rpc_stamp=1514568131, rpc_machine_name=pddevbal802, rpc_auxgids=[0]]\x0a\x09[dirname=/pddevbal801]\x0a