Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dcerpc incomplete 5699/v13 #12219

Closed
wants to merge 6 commits into from

Conversation

inashivb
Copy link
Member

@inashivb inashivb commented Dec 4, 2024

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5699

Previous PR: #12025

SV_BRANCH=OISF/suricata-verify#2160

Changes since v12:

  • unit test AppLayerTest08 converted to s-v
  • rebased on top of latest master

TCP data can be presented to the protocol parser in any way e.g. one
byte at a time, single complete PDU, fragmented PDU, multiple PDUs at
once. A limit of 1MB can be easily reached in some of such scenarios.
Remove the check that rejects data that is more than 1MB.
to make it available for logging.
Instead of own internal mechanism of buffering in case of fragmented
data, use AppLayerResult::incomplete API to let the AppLayer Parser take
care of it. This makes the memory use more efficient.
Remove any unneeded variables and code with the introduction of this
API.

Ticket 5699
With the introduction of AppLayerResult::incomplete API, fragmented data
is no longer handled fully in the dcerpc code. Given that these code
paths are already covered by the following s-v tests, these tests can now be
safely removed.
- dce-gap-handling
- dcerpc-dce-iface-*

Ticket 5699
- remove unneeded variables
- remove unnecessary tracking of bytes in state
- modify calculations as indicated by failing tests
as it is now covered by the suricata-verify test
dcerpc-request-http-response.
Copy link

codecov bot commented Dec 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.14%. Comparing base (b58b886) to head (9d4ad50).
Report is 43 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #12219      +/-   ##
==========================================
- Coverage   83.18%   83.14%   -0.04%     
==========================================
  Files         912      912              
  Lines      257169   256787     -382     
==========================================
- Hits       213914   213505     -409     
- Misses      43255    43282      +27     
Flag Coverage Δ
fuzzcorpus 60.98% <100.00%> (-0.03%) ⬇️
livemode 19.41% <0.00%> (+<0.01%) ⬆️
pcap 44.37% <90.47%> (+<0.01%) ⬆️
suricata-verify 62.76% <95.23%> (-0.03%) ⬇️
unittests 59.12% <61.90%> (-0.07%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.flow.dcerpc_tcp 40 106 265.0%

Pipeline 23666

@victorjulien
Copy link
Member

Do you have an explanation for the stat difference yet (#12025 (comment))

@inashivb
Copy link
Member Author

Do you have an explanation for the stat difference yet (#12025 (comment))

Yes. Upon analysis of pcaps, I found that my guess (intention reflected in #12227) was indeed correct.

The more flows are because we no longer return error from the parser (in which case the flow counter is not incremented) in case the input buffer exceeds 1MB so now even the bigger flows are accepted by the parser.

Why does then the PR #12227 have the same stat difference? Because I messed up the rebase and ultimately did remove the code that rejects input > 1MB https://github.com/OISF/suricata/pull/12227/files#diff-bb348f48dcbb4845f97a114f74772ee4849098c3254221826e5e0a61cbe35830L954 🤦🏽‍♀️ so 12227 is basically the same as this one.
I'll do another PR post release to show the diff.

@inashivb inashivb marked this pull request as draft December 20, 2024 07:48
@inashivb inashivb closed this Dec 23, 2024
@inashivb inashivb deleted the dcerpc-incomplete-5699/v13 branch December 23, 2024 07:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants