/******************************************************************** * Function: DCE2_HttpProcessProxy() * * Wrapper arount main processing point for an RPC over HTTP * session. Checks and sets session setup state for a proxy. * * Arguments: * DCE2_HttpSsnData * * Pointer to an RPC over HTTP session data structure. * * Returns: None * ********************************************************************/ void DCE2_HttpProcessProxy(DCE2_HttpSsnData *hsd) { const SFSnortPacket *p = hsd->sd.wire_pkt; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Processing RPC over HTTP proxy packet.\n")); dce2_stats.http_proxy_pkts++; if (hsd->state == DCE2_HTTP_STATE__NONE) { if (DCE2_SsnFromClient(p)) hsd->state = DCE2_HTTP_STATE__INIT_CLIENT; } DCE2_HttpProcess(hsd); }
/******************************************************************** * Function: DCE2_ClProcess() * * Main entry point for connectionless DCE/RPC processing. Gets * the activity tracker associated with this session and passes * along to client or server handling. * * Arguments: * DCE2_SsnData * * Pointer to the session data structure. * DCE2_ClTracker * * Pointer to the connectionless tracker structure. * * Returns: None * ********************************************************************/ void DCE2_ClProcess(DCE2_SsnData *sd, DCE2_ClTracker *clt) { DceRpcClHdr *cl_hdr; DCE2_ClActTracker *at; const uint8_t *data_ptr = sd->wire_pkt->payload; uint16_t data_len = sd->wire_pkt->payload_size; PROFILE_VARS; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cl processing ...\n")); dce2_stats.cl_pkts++; if (data_len < sizeof(DceRpcClHdr)) { if (!DCE2_SsnAutodetected(sd)) DCE2_Alert(sd, DCE2_EVENT__CL_DATA_LT_HDR, data_len, sizeof(DceRpcClHdr)); return; } cl_hdr = (DceRpcClHdr *)data_ptr; DCE2_MOVE(data_ptr, data_len, sizeof(DceRpcClHdr)); if (DCE2_ClHdrChecks(sd, cl_hdr) != DCE2_RET__SUCCESS) return; PREPROC_PROFILE_START(dce2_pstat_cl_acts); at = DCE2_ClGetActTracker(clt, cl_hdr); PREPROC_PROFILE_END(dce2_pstat_cl_acts); if (at == NULL) return; if (DCE2_SsnFromClient(sd->wire_pkt)) { switch (DceRpcClPduType(cl_hdr)) { case DCERPC_PDU_TYPE__REQUEST: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Request\n")); dce2_stats.cl_request++; DCE2_ClRequest(sd, at, cl_hdr, data_ptr, data_len); break; case DCERPC_PDU_TYPE__ACK: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Ack\n")); dce2_stats.cl_ack++; break; case DCERPC_PDU_TYPE__CL_CANCEL: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cancel\n")); dce2_stats.cl_cancel++; break; case DCERPC_PDU_TYPE__FACK: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fack\n")); dce2_stats.cl_cli_fack++; break; case DCERPC_PDU_TYPE__PING: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Ping\n")); dce2_stats.cl_ping++; break; case DCERPC_PDU_TYPE__RESPONSE: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Response from client. Changing stream direction.")); _dpd.streamAPI->update_direction(sd->wire_pkt->stream_session, SSN_DIR_FROM_RESPONDER, GET_SRC_IP(((SFSnortPacket *)sd->wire_pkt)), sd->wire_pkt->src_port); break; default: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Other pdu type\n")); dce2_stats.cl_other_req++; break; } } else { switch (DceRpcClPduType(cl_hdr)) { case DCERPC_PDU_TYPE__RESPONSE: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Response\n")); dce2_stats.cl_response++; break; case DCERPC_PDU_TYPE__REJECT: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Reject\n")); dce2_stats.cl_reject++; if (DceRpcClSeqNum(cl_hdr) == at->seq_num) { DCE2_ClResetFragTracker(&at->frag_tracker); at->seq_num_invalid = 1; } break; case DCERPC_PDU_TYPE__CANCEL_ACK: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cancel Ack\n")); dce2_stats.cl_cancel_ack++; break; case DCERPC_PDU_TYPE__FACK: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fack\n")); dce2_stats.cl_srv_fack++; break; case DCERPC_PDU_TYPE__FAULT: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fault\n")); dce2_stats.cl_fault++; break; case DCERPC_PDU_TYPE__NOCALL: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "No call\n")); dce2_stats.cl_nocall++; break; case DCERPC_PDU_TYPE__WORKING: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Working\n")); dce2_stats.cl_working++; break; default: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Other pdu type\n")); dce2_stats.cl_other_resp++; break; } } }
/********************************************************************* * Function: * * Purpose: * * Arguments: * * Returns: * *********************************************************************/ DCE2_Ret DCE2_AddDataToRpkt(SFSnortPacket *rpkt, DCE2_RpktType rtype, const uint8_t *data, uint32_t data_len) { int hdr_overhead = 0; const uint8_t *pkt_data_end; const uint8_t *payload_end; DCE2_Ret status; if ((rpkt == NULL) || (data == NULL) || (data_len == 0)) return DCE2_RET__ERROR; if (rpkt->payload == NULL) return DCE2_RET__ERROR; /* This is a check to make sure we don't overwrite header data */ switch (rtype) { case DCE2_RPKT_TYPE__SMB_CO_SEG: if (DCE2_SsnFromClient(rpkt)) hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI; else hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV; break; case DCE2_RPKT_TYPE__SMB_CO_FRAG: if (DCE2_SsnFromClient(rpkt)) hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI; else hdr_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV + DCE2_MOCK_HDR_LEN__CO_SRV; break; case DCE2_RPKT_TYPE__TCP_CO_FRAG: if (DCE2_SsnFromClient(rpkt)) hdr_overhead = DCE2_MOCK_HDR_LEN__CO_CLI; else hdr_overhead = DCE2_MOCK_HDR_LEN__CO_SRV; break; case DCE2_RPKT_TYPE__UDP_CL_FRAG: hdr_overhead = DCE2_MOCK_HDR_LEN__CL; break; default: break; } if (rpkt->payload_size < hdr_overhead) return DCE2_RET__ERROR; pkt_data_end = rpkt->pkt_data + rpkt->max_payload; payload_end = rpkt->payload + rpkt->payload_size; if ((payload_end + data_len) > pkt_data_end) data_len = pkt_data_end - payload_end; status = DCE2_Memcpy((void *)payload_end, (void *)data, (size_t)data_len, (void *)payload_end, (void *)pkt_data_end); if (status != DCE2_RET__SUCCESS) { DCE2_Log(DCE2_LOG_TYPE__ERROR, "%s(%d) Failed to copy data into reassembly packet.", __FILE__, __LINE__); return DCE2_RET__ERROR; } rpkt->payload_size += (uint16_t)data_len; // there is room for optimization here since the update was done // earlier - that my be eliminated, but only in this case one // approach is to move the updates to push pkt - but don't want // to update non-dce2 pseudo pkts; perhaps a flag check there // will suffice. _dpd.encodeUpdate(rpkt); if (rpkt->family == AF_INET) { rpkt->ip4h->ip_len = rpkt->ip4_header->data_length; } else { IP6RawHdr* ip6h = (IP6RawHdr*)rpkt->raw_ip6_header; if ( ip6h ) rpkt->ip6h->len = ip6h->ip6_payload_len; } return DCE2_RET__SUCCESS; }
/********************************************************************* * Function: * * Purpose: * * Arguments: * * Returns: * *********************************************************************/ static DCE2_SsnData * DCE2_NewSession(SFSnortPacket *p, tSfPolicyId policy_id) { DCE2_SsnData *sd = NULL; DCE2_TransType trans; const DCE2_ServerConfig *sc = DCE2_ScGetConfig(p); int autodetected = 0; PROFILE_VARS; PREPROC_PROFILE_START(dce2_pstat_new_session); DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Creating new session: ")); trans = DCE2_GetTransport(p, sc, &autodetected); switch (trans) { case DCE2_TRANS_TYPE__SMB: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "SMB transport ... ")); sd = (DCE2_SsnData *)DCE2_SmbSsnInit(p); break; case DCE2_TRANS_TYPE__TCP: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "TCP transport ... ")); sd = (DCE2_SsnData *)DCE2_TcpSsnInit(); break; case DCE2_TRANS_TYPE__UDP: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "UDP transport ... ")); sd = (DCE2_SsnData *)DCE2_UdpSsnInit(); break; case DCE2_TRANS_TYPE__HTTP_PROXY: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "RPC over HTTP proxy transport ... ")); sd = (DCE2_SsnData *)DCE2_HttpProxySsnInit(); break; case DCE2_TRANS_TYPE__HTTP_SERVER: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "RPC over HTTP server transport ... ")); sd = (DCE2_SsnData *)DCE2_HttpServerSsnInit(); break; case DCE2_TRANS_TYPE__NONE: DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not configured to " "look at this traffic or unable to autodetect - not inspecting.\n")); PREPROC_PROFILE_END(dce2_pstat_new_session); return NULL; default: DCE2_Log(DCE2_LOG_TYPE__ERROR, "%s(%d) Invalid transport type: %d", __FILE__, __LINE__, trans); PREPROC_PROFILE_END(dce2_pstat_new_session); return NULL; } if (sd == NULL) { PREPROC_PROFILE_END(dce2_pstat_new_session); return NULL; } DCE2_SsnSetAppData(p, (void *)sd, DCE2_SsnFree); dce2_stats.sessions++; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Created (%p)\n", (void *)sd)); sd->trans = trans; sd->server_policy = DCE2_ScPolicy(sc); sd->client_policy = DCE2_POLICY__WINXP; // Default to Windows XP sd->sconfig = sc; sd->wire_pkt = p; sd->policy_id = policy_id; sd->config = dce2_config; ((DCE2_Config *)sfPolicyUserDataGet(sd->config, policy_id))->ref_count++; if (autodetected) { dce2_stats.sessions_autodetected++; #ifdef DEBUG if (DCE2_SsnFromServer(p)) dce2_stats.autoports[p->src_port][trans]++; else dce2_stats.autoports[p->dst_port][trans]++; #endif DCE2_SsnSetAutodetected(sd, p); } /* If we've determined a transport, make sure we're doing * reassembly on the session */ if (IsTCP(p)) { int rs_dir = DCE2_SsnGetReassembly(p); if (!_dpd.isPafEnabled() && (rs_dir != SSN_DIR_BOTH)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Setting client/server reassembly to FOOTPRINT for this session.\n")); DCE2_SsnSetReassembly(p); } if (!DCE2_SsnIsRebuilt(p)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet\n")); if (DCE2_SsnIsStreamInsert(p)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); PREPROC_PROFILE_END(dce2_pstat_new_session); return NULL; } else if ((DCE2_SsnFromClient(p) && (rs_dir == SSN_DIR_FROM_SERVER)) || (DCE2_SsnFromServer(p) && (rs_dir == SSN_DIR_FROM_CLIENT)) || (rs_dir == SSN_DIR_BOTH)) { /* Reassembly was already set for this session, but stream * decided not to use the packet so it's probably not good */ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-stream inserted packet - not inspecting\n")); PREPROC_PROFILE_END(dce2_pstat_new_session); return NULL; } } } PREPROC_PROFILE_END(dce2_pstat_new_session); return sd; }
/********************************************************************* * Function: DCE2_GetRpkt() * * Purpose: * * Arguments: * SFSnortPacket * - pointer to packet off wire * const uint8_t * - pointer to data to attach to reassembly packet * uint16_t - length of data * * Returns: * SFSnortPacket * - pointer to reassembly packet * *********************************************************************/ SFSnortPacket * DCE2_GetRpkt(const SFSnortPacket *wire_pkt, DCE2_RpktType rpkt_type, const uint8_t *data, uint32_t data_len) { DCE2_Ret status; SFSnortPacket *rpkt; uint16_t payload_len = 0; uint16_t data_overhead = 0; rpkt = dce2_rpkt[rpkt_type]; switch (rpkt_type) { case DCE2_RPKT_TYPE__SMB_SEG: _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_SMB_SEG); break; case DCE2_RPKT_TYPE__SMB_TRANS: // TBD these memset()s could be encapsulated by the various // init functions which should also return the data_overhead. // Better still pass in rpkt and let the init function update // payload, etc. Also, some memsets could probably be avoided // by explicitly setting the unitialized header fields. _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_SMB_TRANS); if (DCE2_SsnFromClient(wire_pkt)) { data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI; memset((void*)rpkt->payload, 0, data_overhead); DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT); } else { data_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV; memset((void*)rpkt->payload, 0, data_overhead); DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER); } break; case DCE2_RPKT_TYPE__SMB_CO_SEG: _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_SEG); if (DCE2_SsnFromClient(wire_pkt)) { data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI; memset((void*)rpkt->payload, 0, data_overhead); DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT); } else { data_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV; memset((void*)rpkt->payload, 0, data_overhead); DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER); } break; case DCE2_RPKT_TYPE__SMB_CO_FRAG: _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG); if (DCE2_SsnFromClient(wire_pkt)) { data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI; memset((void*)rpkt->payload, 0, data_overhead); DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT); DCE2_CoInitRdata((uint8_t *)rpkt->payload + DCE2_MOCK_HDR_LEN__SMB_CLI, FLAG_FROM_CLIENT); } else { data_overhead = DCE2_MOCK_HDR_LEN__SMB_SRV + DCE2_MOCK_HDR_LEN__CO_SRV; memset((void*)rpkt->payload, 0, data_overhead); DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER); DCE2_CoInitRdata((uint8_t *)rpkt->payload + DCE2_MOCK_HDR_LEN__SMB_SRV, FLAG_FROM_SERVER); } break; case DCE2_RPKT_TYPE__TCP_CO_SEG: _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_SEG); break; case DCE2_RPKT_TYPE__TCP_CO_FRAG: _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG); if (DCE2_SsnFromClient(wire_pkt)) { data_overhead = DCE2_MOCK_HDR_LEN__CO_CLI; memset((void*)rpkt->payload, 0, data_overhead); DCE2_CoInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT); } else { data_overhead = DCE2_MOCK_HDR_LEN__CO_SRV; memset((void*)rpkt->payload, 0, data_overhead); DCE2_CoInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER); } break; case DCE2_RPKT_TYPE__UDP_CL_FRAG: _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG); data_overhead = DCE2_MOCK_HDR_LEN__CL; memset((void*)rpkt->payload, 0, data_overhead); DCE2_ClInitRdata((uint8_t *)rpkt->payload); break; default: DCE2_Log(DCE2_LOG_TYPE__ERROR, "%s(%d) Invalid reassembly packet type: %d", __FILE__, __LINE__, rpkt_type); return NULL; } payload_len = rpkt->max_payload; if ((data_overhead + data_len) > payload_len) data_len -= (data_overhead + data_len) - payload_len; status = DCE2_Memcpy( (void *)(rpkt->payload + data_overhead), (void *)data, (size_t)data_len, (void *)rpkt->payload, (void *)((uint8_t *)rpkt->payload + payload_len)); if (status != DCE2_RET__SUCCESS) { DCE2_Log(DCE2_LOG_TYPE__ERROR, "%s(%d) Failed to copy data into reassembly packet.", __FILE__, __LINE__); return NULL; } rpkt->payload_size = (uint16_t)(data_overhead + data_len); _dpd.encodeUpdate(rpkt); if (wire_pkt->family == AF_INET) { rpkt->ip4h->ip_len = rpkt->ip4_header->data_length; } else { IP6RawHdr* ip6h = (IP6RawHdr*)rpkt->raw_ip6_header; if ( ip6h ) rpkt->ip6h->len = ip6h->ip6_payload_len; } rpkt->flags |= FLAG_STREAM_EST; if (DCE2_SsnFromClient(wire_pkt)) rpkt->flags |= FLAG_FROM_CLIENT; else rpkt->flags |= FLAG_FROM_SERVER; rpkt->stream_session = wire_pkt->stream_session; return rpkt; }
/******************************************************************** * Function: DCE2_SetSsnState() * * Purpose: * Checks for missing packets and overlapping data on session * * Arguments: * DCE2_SsnData * - session data pointer * SFSnortPacket * - packet structure * * Returns: * DCE2_RET__SUCCESS * DCE2_RET__ERROR * ********************************************************************/ static DCE2_Ret DCE2_SetSsnState(DCE2_SsnData *sd, SFSnortPacket *p) { uint32_t pkt_seq = ntohl(p->tcp_header->sequence); PROFILE_VARS; PREPROC_PROFILE_START(dce2_pstat_session_state); DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Payload size: %u\n", p->payload_size)); if (DCE2_SsnFromClient(p) && !DCE2_SsnSeenClient(sd)) { uint32_t pkt_ack = ntohl(p->tcp_header->acknowledgement); if (DCE2_SsnSeenServer(sd) && SEQ_LT(sd->cli_seq, pkt_seq) && (sd->trans != DCE2_TRANS_TYPE__HTTP_SERVER)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Missing packets on session - aborting session inspection\n")); DCE2_SetNoInspect(sd); PREPROC_PROFILE_END(dce2_pstat_session_state); return DCE2_RET__ERROR; } DCE2_SsnSetSeenClient(sd); sd->cli_seq = pkt_seq; sd->cli_nseq = pkt_seq + p->payload_size; if (!DCE2_SsnSeenServer(sd)) sd->srv_seq = sd->srv_nseq = pkt_ack; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, " "next seq: %u\n", sd->cli_seq, sd->cli_nseq)); } else if (DCE2_SsnFromServer(p) && !DCE2_SsnSeenServer(sd)) { uint32_t pkt_ack = ntohl(p->tcp_header->acknowledgement); if ((DCE2_SsnSeenClient(sd) && SEQ_LT(sd->srv_seq, pkt_seq)) || (!DCE2_SsnSeenClient(sd) && (sd->trans != DCE2_TRANS_TYPE__HTTP_SERVER))) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Missing packets on session - aborting session inspection\n")); PREPROC_PROFILE_END(dce2_pstat_session_state); DCE2_SetNoInspect(sd); return DCE2_RET__ERROR; } DCE2_SsnSetSeenServer(sd); sd->srv_seq = pkt_seq; sd->srv_nseq = pkt_seq + p->payload_size; if (!DCE2_SsnSeenClient(sd)) sd->cli_seq = sd->cli_nseq = pkt_ack; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial server => seq: %u, " "next seq: %u\n", sd->srv_seq, sd->srv_nseq)); } else { uint32_t *ssn_seq; uint32_t *ssn_nseq; if (DCE2_SsnFromClient(p)) { ssn_seq = &sd->cli_seq; ssn_nseq = &sd->cli_nseq; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Client last => seq: %u, " "next seq: %u\n", sd->cli_seq, sd->cli_nseq)); DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, " "next seq: %u\n", pkt_seq, pkt_seq + p->payload_size)); } else { ssn_seq = &sd->srv_seq; ssn_nseq = &sd->srv_nseq; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Server last => seq: %u, " "next seq: %u\n", sd->srv_seq, sd->srv_nseq)); DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, " "next seq: %u\n", pkt_seq, pkt_seq + p->payload_size)); } if (*ssn_nseq != pkt_seq) { if (SEQ_LT(*ssn_nseq, pkt_seq)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Next expected sequence number (%u) is less than " "this sequence number (%u).\n", *ssn_nseq, pkt_seq)); DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Missing packets on session - aborting session inspection\n")); DCE2_SetNoInspect(sd); PREPROC_PROFILE_END(dce2_pstat_session_state); return DCE2_RET__ERROR; } else { /* Got some kind of overlap. This shouldn't happen since we're doing * reassembly on both sides and not looking at non-reassembled packets * Actually this can happen if the stream seg list is empty */ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Overlap => seq: %u, " "next seq: %u - aborting session inspection\n", pkt_seq, pkt_seq + p->payload_size)); DCE2_SetNoInspect(sd); PREPROC_PROFILE_END(dce2_pstat_session_state); return DCE2_RET__ERROR; } } *ssn_seq = pkt_seq; *ssn_nseq = pkt_seq + p->payload_size; } PREPROC_PROFILE_END(dce2_pstat_session_state); return DCE2_RET__SUCCESS; }