Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dcerpc incomplete 5699/v13 #12219

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Dcerpc incomplete 5699/v13 #12219

wants to merge 6 commits into from
+24 −472

Conversation

inashivb
Copy link
Member

@inashivb inashivb commented Dec 4, 2024

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5699

Previous PR: #12025

SV_BRANCH=OISF/suricata-verify#2160

Changes since v12:

  • unit test AppLayerTest08 converted to s-v
  • rebased on top of latest master

@inashivb
dcerpc: do not assume an upper bound on data
dda0d6d 
TCP data can be presented to the protocol parser in any way e.g. one
byte at a time, single complete PDU, fragmented PDU, multiple PDUs at
once. A limit of 1MB can be easily reached in some of such scenarios.
Remove the check that rejects data that is more than 1MB.
@inashivb
dcerpc: save version info in tx
bd281b9 
to make it available for logging.
@inashivb
dcerpc: use AppLayerResult::incomplete API
60d9872 
Instead of own internal mechanism of buffering in case of fragmented
data, use AppLayerResult::incomplete API to let the AppLayer Parser take
care of it. This makes the memory use more efficient.
Remove any unneeded variables and code with the introduction of this
API.

Ticket 5699
@inashivb
dcerpc: remove fragmented data tests
3c475b4 
With the introduction of AppLayerResult::incomplete API, fragmented data
is no longer handled fully in the dcerpc code. Given that these code
paths are already covered by the following s-v tests, these tests can now be
safely removed.
- dce-gap-handling
- dcerpc-dce-iface-*

Ticket 5699
@inashivb
dcerpc: tidy up code
b046a6a 
- remove unneeded variables
- remove unnecessary tracking of bytes in state
- modify calculations as indicated by failing tests
@inashivb
applayer: remove complex unittest
9d4ad50 
as it is now covered by the suricata-verify test
dcerpc-request-http-response.
@codecov Codecov
Copy link

codecov bot commented Dec 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.14%. Comparing base (b58b886) to head (9d4ad50).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12219      +/-   ##
==========================================
- Coverage   83.18%   83.14%   -0.04%     
==========================================
  Files         912      912              
  Lines      257169   256787     -382     
==========================================
- Hits       213914   213505     -409     
- Misses      43255    43282      +27
Flag Coverage Δ
fuzzcorpus 60.98% <100.00%> (-0.03%) ⬇️
livemode 19.41% <0.00%> (+<0.01%) ⬆️
pcap 44.37% <90.47%> (+<0.01%) ⬆️
suricata-verify 62.76% <95.23%> (-0.03%) ⬇️
unittests 59.12% <61.90%> (-0.07%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.flow.dcerpc_tcp 40 106 265.0%

Pipeline 23666

@victorjulien
Copy link
Member

Do you have an explanation for the stat difference yet (#12025 (comment))

@inashivb inashivb mentioned this pull request Dec 5, 2024
Closed
@inashivb
Copy link
Member Author

Do you have an explanation for the stat difference yet (#12025 (comment))

Yes. Upon analysis of pcaps, I found that my guess (intention reflected in #12227) was indeed correct.

The more flows are because we no longer return error from the parser (in which case the flow counter is not incremented) in case the input buffer exceeds 1MB so now even the bigger flows are accepted by the parser.

Why does then the PR #12227 have the same stat difference? Because I messed up the rebase and ultimately did remove the code that rejects input > 1MB https://github.com/OISF/suricata/pull/12227/files#diff-bb348f48dcbb4845f97a114f74772ee4849098c3254221826e5e0a61cbe35830L954 🤦🏽‍♀️ so 12227 is basically the same as this one.
I'll do another PR post release to show the diff.

@inashivb inashivb mentioned this pull request Dec 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@inashivb @suricata-qa @victorjulien