/********************************************************************
* Function: DCE2_HttpProcessProxy()
*
* Wrapper arount main processing point for an RPC over HTTP
* session. Checks and sets session setup state for a proxy.
*
* Arguments:
* DCE2_HttpSsnData *
* Pointer to an RPC over HTTP session data structure.
*
* Returns: None
*
********************************************************************/
void DCE2_HttpProcessProxy(DCE2_HttpSsnData *hsd)
{
const SFSnortPacket *p = hsd->sd.wire_pkt;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Processing RPC over HTTP proxy packet.\n"));
dce2_stats.http_proxy_pkts++;
if (hsd->state == DCE2_HTTP_STATE__NONE)
{
if (DCE2_SsnFromClient(p))
hsd->state = DCE2_HTTP_STATE__INIT_CLIENT;
}
DCE2_HttpProcess(hsd);
}
/********************************************************************
* Function: DCE2_ClProcess()
*
* Main entry point for connectionless DCE/RPC processing. Gets
* the activity tracker associated with this session and passes
* along to client or server handling.
*
* Arguments:
* DCE2_SsnData *
* Pointer to the session data structure.
* DCE2_ClTracker *
* Pointer to the connectionless tracker structure.
*
* Returns: None
*
********************************************************************/
void DCE2_ClProcess(DCE2_SsnData *sd, DCE2_ClTracker *clt)
{
DceRpcClHdr *cl_hdr;
DCE2_ClActTracker *at;
const uint8_t *data_ptr = sd->wire_pkt->payload;
uint16_t data_len = sd->wire_pkt->payload_size;
PROFILE_VARS;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cl processing ...\n"));
dce2_stats.cl_pkts++;
if (data_len < sizeof(DceRpcClHdr))
{
if (!DCE2_SsnAutodetected(sd))
DCE2_Alert(sd, DCE2_EVENT__CL_DATA_LT_HDR, data_len, sizeof(DceRpcClHdr));
return;
}
cl_hdr = (DceRpcClHdr *)data_ptr;
DCE2_MOVE(data_ptr, data_len, sizeof(DceRpcClHdr));
if (DCE2_ClHdrChecks(sd, cl_hdr) != DCE2_RET__SUCCESS)
return;
PREPROC_PROFILE_START(dce2_pstat_cl_acts);
at = DCE2_ClGetActTracker(clt, cl_hdr);
PREPROC_PROFILE_END(dce2_pstat_cl_acts);
if (at == NULL)
return;
if (DCE2_SsnFromClient(sd->wire_pkt))
{
switch (DceRpcClPduType(cl_hdr))
{
case DCERPC_PDU_TYPE__REQUEST:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Request\n"));
dce2_stats.cl_request++;
DCE2_ClRequest(sd, at, cl_hdr, data_ptr, data_len);
break;
case DCERPC_PDU_TYPE__ACK:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Ack\n"));
dce2_stats.cl_ack++;
break;
case DCERPC_PDU_TYPE__CL_CANCEL:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cancel\n"));
dce2_stats.cl_cancel++;
break;
case DCERPC_PDU_TYPE__FACK:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fack\n"));
dce2_stats.cl_cli_fack++;
break;
case DCERPC_PDU_TYPE__PING:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Ping\n"));
dce2_stats.cl_ping++;
break;
case DCERPC_PDU_TYPE__RESPONSE:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Response from client. Changing stream direction."));
_dpd.streamAPI->update_direction(sd->wire_pkt->stream_session, SSN_DIR_FROM_RESPONDER,
GET_SRC_IP(((SFSnortPacket *)sd->wire_pkt)),
sd->wire_pkt->src_port);
break;
default:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Other pdu type\n"));
dce2_stats.cl_other_req++;
break;
}
}
else
{
switch (DceRpcClPduType(cl_hdr))
{
case DCERPC_PDU_TYPE__RESPONSE:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Response\n"));
dce2_stats.cl_response++;
break;
case DCERPC_PDU_TYPE__REJECT:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Reject\n"));
dce2_stats.cl_reject++;
if (DceRpcClSeqNum(cl_hdr) == at->seq_num)
{
DCE2_ClResetFragTracker(&at->frag_tracker);
at->seq_num_invalid = 1;
}
break;
case DCERPC_PDU_TYPE__CANCEL_ACK:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cancel Ack\n"));
dce2_stats.cl_cancel_ack++;
break;
case DCERPC_PDU_TYPE__FACK:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fack\n"));
dce2_stats.cl_srv_fack++;
break;
case DCERPC_PDU_TYPE__FAULT:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fault\n"));
dce2_stats.cl_fault++;
break;
case DCERPC_PDU_TYPE__NOCALL:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "No call\n"));
dce2_stats.cl_nocall++;
break;
case DCERPC_PDU_TYPE__WORKING:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Working\n"));
dce2_stats.cl_working++;
break;
default:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Other pdu type\n"));
dce2_stats.cl_other_resp++;
break;
}
}
}
/*********************************************************************
* Function:
*
* Purpose:
*
* Arguments:
*
* Returns:
*
*********************************************************************/
DCE2_Ret DCE2_AddDataToRpkt(SFSnortPacket *rpkt, DCE2_RpktType rtype,
const uint8_t *data, uint32_t data_len)
{
int hdr_overhead = 0;
const uint8_t *pkt_data_end;
const uint8_t *payload_end;
DCE2_Ret status;
if ((rpkt == NULL) || (data == NULL) || (data_len == 0))
return DCE2_RET__ERROR;
if (rpkt->payload == NULL)
return DCE2_RET__ERROR;
/* This is a check to make sure we don't overwrite header data */
switch (rtype)
{
case DCE2_RPKT_TYPE__SMB_CO_SEG:
if (DCE2_SsnFromClient(rpkt))
hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI;
else
hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV;
break;
case DCE2_RPKT_TYPE__SMB_CO_FRAG:
if (DCE2_SsnFromClient(rpkt))
hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI;
else
hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV + DCE2_MOCK_HDR_LEN__CO_SRV;
break;
case DCE2_RPKT_TYPE__TCP_CO_FRAG:
if (DCE2_SsnFromClient(rpkt))
hdr_overhead = DCE2_MOCK_HDR_LEN__CO_CLI;
else
hdr_overhead = DCE2_MOCK_HDR_LEN__CO_SRV;
break;
case DCE2_RPKT_TYPE__UDP_CL_FRAG:
hdr_overhead = DCE2_MOCK_HDR_LEN__CL;
break;
default:
break;
}
if (rpkt->payload_size < hdr_overhead)
return DCE2_RET__ERROR;
pkt_data_end = rpkt->pkt_data + rpkt->max_payload;
payload_end = rpkt->payload + rpkt->payload_size;
if ((payload_end + data_len) > pkt_data_end)
data_len = pkt_data_end - payload_end;
status = DCE2_Memcpy((void *)payload_end, (void *)data, (size_t)data_len,
(void *)payload_end, (void *)pkt_data_end);
if (status != DCE2_RET__SUCCESS)
{
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Failed to copy data into reassembly packet.",
__FILE__, __LINE__);
return DCE2_RET__ERROR;
}
rpkt->payload_size += (uint16_t)data_len;
// there is room for optimization here since the update was done
// earlier - that my be eliminated, but only in this case one
// approach is to move the updates to push pkt - but don't want
// to update non-dce2 pseudo pkts; perhaps a flag check there
// will suffice.
_dpd.encodeUpdate(rpkt);
if (rpkt->family == AF_INET)
{
rpkt->ip4h->ip_len = rpkt->ip4_header->data_length;
}
else
{
IP6RawHdr* ip6h = (IP6RawHdr*)rpkt->raw_ip6_header;
if ( ip6h ) rpkt->ip6h->len = ip6h->ip6_payload_len;
}
return DCE2_RET__SUCCESS;
}
/*********************************************************************
* Function:
*
* Purpose:
*
* Arguments:
*
* Returns:
*
*********************************************************************/
static DCE2_SsnData * DCE2_NewSession(SFSnortPacket *p, tSfPolicyId policy_id)
{
DCE2_SsnData *sd = NULL;
DCE2_TransType trans;
const DCE2_ServerConfig *sc = DCE2_ScGetConfig(p);
int autodetected = 0;
PROFILE_VARS;
PREPROC_PROFILE_START(dce2_pstat_new_session);
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Creating new session: "));
trans = DCE2_GetTransport(p, sc, &autodetected);
switch (trans)
{
case DCE2_TRANS_TYPE__SMB:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "SMB transport ... "));
sd = (DCE2_SsnData *)DCE2_SmbSsnInit(p);
break;
case DCE2_TRANS_TYPE__TCP:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "TCP transport ... "));
sd = (DCE2_SsnData *)DCE2_TcpSsnInit();
break;
case DCE2_TRANS_TYPE__UDP:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "UDP transport ... "));
sd = (DCE2_SsnData *)DCE2_UdpSsnInit();
break;
case DCE2_TRANS_TYPE__HTTP_PROXY:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "RPC over HTTP proxy transport ... "));
sd = (DCE2_SsnData *)DCE2_HttpProxySsnInit();
break;
case DCE2_TRANS_TYPE__HTTP_SERVER:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "RPC over HTTP server transport ... "));
sd = (DCE2_SsnData *)DCE2_HttpServerSsnInit();
break;
case DCE2_TRANS_TYPE__NONE:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not configured to "
"look at this traffic or unable to autodetect - not inspecting.\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
default:
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Invalid transport type: %d",
__FILE__, __LINE__, trans);
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
if (sd == NULL)
{
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
DCE2_SsnSetAppData(p, (void *)sd, DCE2_SsnFree);
dce2_stats.sessions++;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Created (%p)\n", (void *)sd));
sd->trans = trans;
sd->server_policy = DCE2_ScPolicy(sc);
sd->client_policy = DCE2_POLICY__WINXP; // Default to Windows XP
sd->sconfig = sc;
sd->wire_pkt = p;
sd->policy_id = policy_id;
sd->config = dce2_config;
((DCE2_Config *)sfPolicyUserDataGet(sd->config, policy_id))->ref_count++;
if (autodetected)
{
dce2_stats.sessions_autodetected++;
#ifdef DEBUG
if (DCE2_SsnFromServer(p))
dce2_stats.autoports[p->src_port][trans]++;
else
dce2_stats.autoports[p->dst_port][trans]++;
#endif
DCE2_SsnSetAutodetected(sd, p);
}
/* If we've determined a transport, make sure we're doing
* reassembly on the session */
if (IsTCP(p))
{
int rs_dir = DCE2_SsnGetReassembly(p);
if (!_dpd.isPafEnabled() && (rs_dir != SSN_DIR_BOTH))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Setting client/server reassembly to FOOTPRINT for this session.\n"));
DCE2_SsnSetReassembly(p);
}
if (!DCE2_SsnIsRebuilt(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet\n"));
if (DCE2_SsnIsStreamInsert(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
else if ((DCE2_SsnFromClient(p) && (rs_dir == SSN_DIR_FROM_SERVER))
|| (DCE2_SsnFromServer(p) && (rs_dir == SSN_DIR_FROM_CLIENT))
|| (rs_dir == SSN_DIR_BOTH))
{
/* Reassembly was already set for this session, but stream
* decided not to use the packet so it's probably not good */
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-stream inserted packet - not inspecting\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
}
}
PREPROC_PROFILE_END(dce2_pstat_new_session);
return sd;
}
/*********************************************************************
* Function: DCE2_GetRpkt()
*
* Purpose:
*
* Arguments:
* SFSnortPacket * - pointer to packet off wire
* const uint8_t * - pointer to data to attach to reassembly packet
* uint16_t - length of data
*
* Returns:
* SFSnortPacket * - pointer to reassembly packet
*
*********************************************************************/
SFSnortPacket * DCE2_GetRpkt(const SFSnortPacket *wire_pkt, DCE2_RpktType rpkt_type,
const uint8_t *data, uint32_t data_len)
{
DCE2_Ret status;
SFSnortPacket *rpkt;
uint16_t payload_len = 0;
uint16_t data_overhead = 0;
rpkt = dce2_rpkt[rpkt_type];
switch (rpkt_type)
{
case DCE2_RPKT_TYPE__SMB_SEG:
_dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_SMB_SEG);
break;
case DCE2_RPKT_TYPE__SMB_TRANS:
// TBD these memset()s could be encapsulated by the various
// init functions which should also return the data_overhead.
// Better still pass in rpkt and let the init function update
// payload, etc. Also, some memsets could probably be avoided
// by explicitly setting the unitialized header fields.
_dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_SMB_TRANS);
if (DCE2_SsnFromClient(wire_pkt))
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT);
}
else
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER);
}
break;
case DCE2_RPKT_TYPE__SMB_CO_SEG:
_dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_SEG);
if (DCE2_SsnFromClient(wire_pkt))
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT);
}
else
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER);
}
break;
case DCE2_RPKT_TYPE__SMB_CO_FRAG:
_dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG);
if (DCE2_SsnFromClient(wire_pkt))
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT);
DCE2_CoInitRdata((uint8_t *)rpkt->payload +
DCE2_MOCK_HDR_LEN__SMB_CLI, FLAG_FROM_CLIENT);
}
else
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV + DCE2_MOCK_HDR_LEN__CO_SRV;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER);
DCE2_CoInitRdata((uint8_t *)rpkt->payload +
DCE2_MOCK_HDR_LEN__SMB_SRV, FLAG_FROM_SERVER);
}
break;
case DCE2_RPKT_TYPE__TCP_CO_SEG:
_dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_SEG);
break;
case DCE2_RPKT_TYPE__TCP_CO_FRAG:
_dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG);
if (DCE2_SsnFromClient(wire_pkt))
{
data_overhead = DCE2_MOCK_HDR_LEN__CO_CLI;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_CoInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT);
}
else
{
data_overhead = DCE2_MOCK_HDR_LEN__CO_SRV;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_CoInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER);
}
break;
case DCE2_RPKT_TYPE__UDP_CL_FRAG:
_dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG);
data_overhead = DCE2_MOCK_HDR_LEN__CL;
memset((void*)rpkt->payload, 0, data_overhead);
DCE2_ClInitRdata((uint8_t *)rpkt->payload);
break;
default:
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Invalid reassembly packet type: %d",
__FILE__, __LINE__, rpkt_type);
return NULL;
}
payload_len = rpkt->max_payload;
if ((data_overhead + data_len) > payload_len)
data_len -= (data_overhead + data_len) - payload_len;
status = DCE2_Memcpy(
(void *)(rpkt->payload + data_overhead),
(void *)data, (size_t)data_len, (void *)rpkt->payload,
(void *)((uint8_t *)rpkt->payload + payload_len));
if (status != DCE2_RET__SUCCESS)
{
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Failed to copy data into reassembly packet.",
__FILE__, __LINE__);
return NULL;
}
rpkt->payload_size = (uint16_t)(data_overhead + data_len);
_dpd.encodeUpdate(rpkt);
if (wire_pkt->family == AF_INET)
{
rpkt->ip4h->ip_len = rpkt->ip4_header->data_length;
}
else
{
IP6RawHdr* ip6h = (IP6RawHdr*)rpkt->raw_ip6_header;
if ( ip6h ) rpkt->ip6h->len = ip6h->ip6_payload_len;
}
rpkt->flags |= FLAG_STREAM_EST;
if (DCE2_SsnFromClient(wire_pkt))
rpkt->flags |= FLAG_FROM_CLIENT;
else
rpkt->flags |= FLAG_FROM_SERVER;
rpkt->stream_session = wire_pkt->stream_session;
return rpkt;
}
/********************************************************************
* Function: DCE2_SetSsnState()
*
* Purpose:
* Checks for missing packets and overlapping data on session
*
* Arguments:
* DCE2_SsnData * - session data pointer
* SFSnortPacket * - packet structure
*
* Returns:
* DCE2_RET__SUCCESS
* DCE2_RET__ERROR
*
********************************************************************/
static DCE2_Ret DCE2_SetSsnState(DCE2_SsnData *sd, SFSnortPacket *p)
{
uint32_t pkt_seq = ntohl(p->tcp_header->sequence);
PROFILE_VARS;
PREPROC_PROFILE_START(dce2_pstat_session_state);
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Payload size: %u\n", p->payload_size));
if (DCE2_SsnFromClient(p) && !DCE2_SsnSeenClient(sd))
{
uint32_t pkt_ack = ntohl(p->tcp_header->acknowledgement);
if (DCE2_SsnSeenServer(sd) && SEQ_LT(sd->cli_seq, pkt_seq)
&& (sd->trans != DCE2_TRANS_TYPE__HTTP_SERVER))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Missing packets on session - aborting session inspection\n"));
DCE2_SetNoInspect(sd);
PREPROC_PROFILE_END(dce2_pstat_session_state);
return DCE2_RET__ERROR;
}
DCE2_SsnSetSeenClient(sd);
sd->cli_seq = pkt_seq;
sd->cli_nseq = pkt_seq + p->payload_size;
if (!DCE2_SsnSeenServer(sd))
sd->srv_seq = sd->srv_nseq = pkt_ack;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, "
"next seq: %u\n", sd->cli_seq, sd->cli_nseq));
}
else if (DCE2_SsnFromServer(p) && !DCE2_SsnSeenServer(sd))
{
uint32_t pkt_ack = ntohl(p->tcp_header->acknowledgement);
if ((DCE2_SsnSeenClient(sd) && SEQ_LT(sd->srv_seq, pkt_seq))
|| (!DCE2_SsnSeenClient(sd) && (sd->trans != DCE2_TRANS_TYPE__HTTP_SERVER)))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Missing packets on session - aborting session inspection\n"));
PREPROC_PROFILE_END(dce2_pstat_session_state);
DCE2_SetNoInspect(sd);
return DCE2_RET__ERROR;
}
DCE2_SsnSetSeenServer(sd);
sd->srv_seq = pkt_seq;
sd->srv_nseq = pkt_seq + p->payload_size;
if (!DCE2_SsnSeenClient(sd))
sd->cli_seq = sd->cli_nseq = pkt_ack;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial server => seq: %u, "
"next seq: %u\n", sd->srv_seq, sd->srv_nseq));
}
else
{
uint32_t *ssn_seq;
uint32_t *ssn_nseq;
if (DCE2_SsnFromClient(p))
{
ssn_seq = &sd->cli_seq;
ssn_nseq = &sd->cli_nseq;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Client last => seq: %u, "
"next seq: %u\n", sd->cli_seq, sd->cli_nseq));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, "
"next seq: %u\n", pkt_seq, pkt_seq + p->payload_size));
}
else
{
ssn_seq = &sd->srv_seq;
ssn_nseq = &sd->srv_nseq;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Server last => seq: %u, "
"next seq: %u\n", sd->srv_seq, sd->srv_nseq));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, "
"next seq: %u\n", pkt_seq, pkt_seq + p->payload_size));
}
if (*ssn_nseq != pkt_seq)
{
if (SEQ_LT(*ssn_nseq, pkt_seq))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Next expected sequence number (%u) is less than "
"this sequence number (%u).\n", *ssn_nseq, pkt_seq));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Missing packets on session - aborting session inspection\n"));
DCE2_SetNoInspect(sd);
PREPROC_PROFILE_END(dce2_pstat_session_state);
return DCE2_RET__ERROR;
}
else
{
/* Got some kind of overlap. This shouldn't happen since we're doing
* reassembly on both sides and not looking at non-reassembled packets
* Actually this can happen if the stream seg list is empty */
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Overlap => seq: %u, "
"next seq: %u - aborting session inspection\n",
pkt_seq, pkt_seq + p->payload_size));
DCE2_SetNoInspect(sd);
PREPROC_PROFILE_END(dce2_pstat_session_state);
return DCE2_RET__ERROR;
}
}
*ssn_seq = pkt_seq;
*ssn_nseq = pkt_seq + p->payload_size;
}
PREPROC_PROFILE_END(dce2_pstat_session_state);
return DCE2_RET__SUCCESS;
}
