Skip to content

dcerpc: mimic gap behavior for invalid data#14805

Closed
inashivb wants to merge 1 commit intoOISF:mainfrom
inashivb:dcerpc-invalid-data-handling/v5
Closed

dcerpc: mimic gap behavior for invalid data#14805
inashivb wants to merge 1 commit intoOISF:mainfrom
inashivb:dcerpc-invalid-data-handling/v5

Conversation

@inashivb
Copy link
Member

@inashivb inashivb commented Feb 13, 2026

Previous PR: #14803

Changes since v4:

  • fixed direction check

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7251

SV_BRANCH=OISF/suricata-verify#2904

Note: QA deviations on dcerpc stats are expected but need one review.

@inashivb
dcerpc: mimic gap behavior for invalid data
88e0028 
If invalid data is sent to the parser then instead of rejecting it at
the first few bytes that do not conform to the header standards, mimic
gap behavior and try to skip a few bytes until a possibly good DCERPC
record is found.

Ticket: 7251
@inashivb inashivb requested a review from jasonish as a code owner February 13, 2026 10:52
@codecov
Copy link

codecov bot commented Feb 13, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 97.29730% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 82.16%. Comparing base (e69c801) to head (88e0028).
⚠️ Report is 32 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #14805      +/-   ##
==========================================
+ Coverage   82.15%   82.16%   +0.01%     
==========================================
  Files        1003     1003              
  Lines      263691   263705      +14     
==========================================
+ Hits       216626   216678      +52     
+ Misses      47065    47027      -38
Flag Coverage Δ
fuzzcorpus 60.18% <97.29%> (-0.01%) ⬇️
livemode 18.73% <0.00%> (-0.01%) ⬇️
netns 18.92% <0.00%> (+0.03%) ⬆️
pcap 44.67% <94.59%> (+0.02%) ⬆️
suricata-verify 65.46% <94.59%> (-0.01%) ⬇️
unittests 59.23% <45.94%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@inashivb
Copy link
Member Author

inashivb commented Feb 13, 2026

Codecov Report

❌ Patch coverage is 97.29730% with 1 line in your changes missing coverage. Please review. ✅ Project coverage is 82.16%. Comparing base (e69c801) to head (88e0028).
Additional details and impacted files

🚀 New features to boost your workflow:

Now that looks correct to me. :)

@suricata-qa
Copy link

suricata-qa commented Feb 13, 2026

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.error.dcerpc_tcp.parser 10319 3100 30.04%
.app_layer.tx.dcerpc_tcp 4180 6294 150.57%

Pipeline = 29572

victorjulien
victorjulien requested changes Feb 13, 2026
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see inline

catenacyber
catenacyber reviewed Feb 16, 2026
View reviewed changes
rust/src/dcerpc/dcerpc.rs

let _hdr = Frame::new(flow, &stream_slice, &cur_i[consumed as usize..], DCERPC_HDR_LEN as i64, DCERPCFrameType::Hdr as u8, None);
let _pdu = Frame::new(flow, &stream_slice, &cur_i[consumed as usize..], fraglen as i64, DCERPCFrameType::Pdu as u8, None);
let _hdr = Frame::new(flow, &stream_slice, cur_i, DCERPC_HDR_LEN as i64, DCERPCFrameType::Hdr as u8, None);
Copy link
Contributor

@catenacyber catenacyber Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you reverting fc9da1c which was incorrect as found by oss-fuzz
Am I understanding this correctly ?

Copy link
Member Author

@inashivb inashivb Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you reverting fc9da1c which was incorrect as found by oss-fuzz Am I understanding this correctly ?

No, I'm not reverting it. I'm creating the slice in the beginning now so it'll be wrong to index here at consumed. L816: https://github.com/OISF/suricata/pull/14805/files#diff-bb348f48dcbb4845f97a114f74772ee4849098c3254221826e5e0a61cbe35830R816

Copy link
Contributor

@catenacyber catenacyber Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was already done at line 716
cur_i = &cur_i[offset..];
(with the line after being consumed = offset as u32; which is why fc9da1c is wrong)

Copy link
Member Author

@inashivb inashivb Feb 17, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you're right. I'm surprised fuzzers didn't catch that. Behavior in this PR looks correct to me. wdyt?

Edit: I think I misunderstood what you are saying in this thread. Are you referring to fuzzers finding the crash in #14766 and that being fixed here? Then, yes. I did not realize that the crash found by the fuzzers was not because of the new code.

@inashivb inashivb mentioned this pull request Feb 18, 2026
Closed
@inashivb inashivb closed this Feb 18, 2026
@inashivb inashivb deleted the dcerpc-invalid-data-handling/v5 branch February 18, 2026 06:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@catenacyber catenacyber catenacyber left review comments

@victorjulien victorjulien victorjulien requested changes

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@inashivb @suricata-qa @victorjulien @catenacyber