static bool is_query_valid(struct cursor *cursor, uint64_t potential_size, uint8_t offset)
{
SLOG(LOG_DEBUG, " Check query valid of potential size %"PRIu64" and offset %"PRIu8, potential_size, offset);
// We check if last character is printable
uint64_t last_char_pos = MIN(cursor->cap_len, potential_size) - 1;
uint8_t last_char = cursor_peek_u8(cursor, last_char_pos);
if (!is_print(last_char)) {
SLOG(LOG_DEBUG, " Last char 0x%02x at pos %"PRIu64" is not printable", last_char, last_char_pos);
return false;
}
// We check if last character + 1 is not printable. If it is printable, size might be incorrect
// We assume chunked string if size >= 0x40
if (potential_size < MAX_OCI_CHUNK && potential_size < cursor->cap_len) {
if (cursor->cap_len - 1 > potential_size) {
char next_char = cursor_peek_u8(cursor, potential_size + 1);
if (is_print(next_char)) {
SLOG(LOG_DEBUG, " Char following last char 0x%02x is printable", next_char);
return false;
}
}
}
// We check if first characters are printable
if (PROTO_OK == is_range_print(cursor, MIN_QUERY_SIZE, offset)) {
return true;
}
return false;
}
static bool lookup_query(struct cursor *cursor)
{
#define MIN_QUERY_SIZE 10
#define QUERY_WITH_SIZE 12
while (cursor->cap_len > QUERY_WITH_SIZE) {
uint8_t c;
uint8_t potential_size = 0;
do {
c = cursor_peek_u8(cursor, 1);
potential_size = cursor_read_u8(cursor);
} while (cursor->cap_len > QUERY_WITH_SIZE && !isprint(c));
SLOG(LOG_DEBUG, "Found potential size 0x%02x and first printable %c", potential_size, c);
// Check on found size
if (potential_size < MIN_QUERY_SIZE || potential_size > cursor->cap_len) continue;
// We check if last character is printable
if (!isprint(cursor_peek_u8(cursor, potential_size - 1))) continue;
// We check if first characters are printable
if (PROTO_OK == is_range_print(cursor, MIN_QUERY_SIZE)) {
cursor_rollback(cursor, 1);
return true;
}
}
return false;
}
static enum proto_parse_status tns_parse_sql_query_oci(struct sql_proto_info *info, struct cursor *cursor)
{
SLOG(LOG_DEBUG, "Parsing an oci query");
uint8_t query_size = parse_query_header(cursor);
struct query_candidate candidate = {.num_candidate_size = 0};
if (query_size > 0) {
candidate.candidate_sizes[candidate.num_candidate_size++] = query_size;
}
bool has_query = lookup_query(cursor, &candidate);
info->u.query.sql[0] = '\0';
info->u.query.truncated = 0;
if (has_query) {
SLOG(LOG_DEBUG, "Found a query, parsing it");
if (candidate.is_chunked) {
cursor_read_chunked_string(cursor, info->u.query.sql, sizeof(info->u.query.sql), MAX_OCI_CHUNK);
} else {
cursor_read_fixed_string(cursor, info->u.query.sql, sizeof(info->u.query.sql), candidate.query_size);
}
}
SLOG(LOG_DEBUG, "Sql parsed: %s", info->u.query.sql);
info->set_values |= SQL_SQL;
// Drop the rest
if(cursor->cap_len > 0) cursor_drop(cursor, cursor->cap_len - 1);
return PROTO_OK;
}
/*
* | 1 byte | 1 + 0-8 bytes | 1 byte | 1 + 0-4 bytes | Lots of unknown bytes | variable |
* | Unk | Sql len | Unk | Num end fields | Unk | sql query |
*/
static enum proto_parse_status tns_parse_sql_query_jdbc(struct sql_proto_info *info, struct cursor *cursor)
{
SLOG(LOG_DEBUG, "Parsing a jdbc query");
enum proto_parse_status status = PROTO_OK;
DROP_FIX(cursor, 1);
uint_least64_t sql_len;
if (PROTO_OK != (status = cursor_read_variable_int(cursor, &sql_len))) return status;
SLOG(LOG_DEBUG, "Size sql %zu", sql_len);
DROP_FIX(cursor, 1);
DROP_VAR(cursor);
DROP_FIX(cursor, 2);
info->u.query.sql[0] = '\0';
info->u.query.truncated = 0; // TODO Handle truncated
if (sql_len > 0) {
// Some unknown bytes
while (cursor->cap_len > 1 && PROTO_OK != is_range_print(cursor, MIN(MIN_QUERY_SIZE, sql_len), 1)) {
// TODO drop to the first non printable
cursor_drop(cursor, 1);
}
CHECK(1);
if (sql_len > 0xff && 0xff == cursor_peek_u8(cursor, 0)) {
SLOG(LOG_DEBUG, "Looks like prefixed length chunks of size 0xff...");
status = cursor_read_chunked_string(cursor, info->u.query.sql, sizeof(info->u.query.sql), 0xff);
} else if (sql_len > MAX_OCI_CHUNK && MAX_OCI_CHUNK == cursor_peek_u8(cursor, 0)) {
SLOG(LOG_DEBUG, "Looks like prefixed length chunks of size 0x40...");
status = cursor_read_chunked_string(cursor, info->u.query.sql, sizeof(info->u.query.sql),
MAX_OCI_CHUNK);
} else {
// We don't care about the first non printable character
cursor_drop(cursor, 1);
CHECK(1);
// In rare occurrence where sql_len == first character, we check the byte after the expected query,
// if it's printable, the first character is probably the prefixed size.
if (cursor_peek_u8(cursor, 0) == sql_len && sql_len < cursor->cap_len && is_print(cursor_peek_u8(cursor, sql_len)))
cursor_drop(cursor, 1);
SLOG(LOG_DEBUG, "Looks like a fixed string of size %zu", sql_len);
int written_bytes = cursor_read_fixed_string(cursor, info->u.query.sql,
sizeof(info->u.query.sql), sql_len);
if (written_bytes < 0) return PROTO_TOO_SHORT;
}
if (status != PROTO_OK) return status;
}
SLOG(LOG_DEBUG, "Sql parsed: %s", info->u.query.sql);
info->set_values |= SQL_SQL;
return PROTO_OK;
}
