/src/ndpi/src/lib/protocols/dcerpc.c
/*
 * dcerpc.c
 *
 * Copyright (C) 2011-18 by ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DCERPC
#include "ndpi_api.h"
#include "ndpi_private.h"
#include <stdbool.h>
/*
 * Mark the flow as DCE/RPC with DPI-level confidence.
 * The "upper" protocol is left unknown; only the base protocol is set.
 */
static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                           struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow,
                             NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN,
                             NDPI_CONFIDENCE_DPI);
}
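/*
 * Check whether the packet looks like a connection-oriented (TCP) DCE/RPC
 * PDU: rpc_vers 5, a PTYPE below 16 and a frag_length field (offset 8)
 * equal to the payload length.
 *
 * The previous version read frag_length as little endian only. The
 * data-representation label at offset 4 selects the byte order (bit 0x10
 * set = little-endian integers, the same convention is_connectionless_dcerpc()
 * relies on), so a big-endian label is now honoured as well. The little-endian
 * reading is still tried first, so every packet detected before is still
 * detected.
 *
 * @param packet  Parsed packet; only the TCP branch is considered.
 * @return true if the payload matches a CO DCE/RPC header, false otherwise.
 */
static bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet)
{
  u_int16_t frag_len;

  if(packet->tcp == NULL)
    return false;
  if(packet->payload_packet_len < 64) /* also guarantees the 16-byte header is present */
    return false;
  if(packet->payload[0] != 0x05) /* rpc_vers must be 5 */
    return false;
  if(packet->payload[2] >= 16) /* PTYPE */
    return false;

  /* frag_length, little-endian (the common case) */
  frag_len = (packet->payload[9] << 8) | packet->payload[8];
  if(frag_len == packet->payload_packet_len)
    return true;

  /* Label says big-endian integers: retry with the bytes swapped */
  if((packet->payload[4] & 0x10) == 0) {
    frag_len = (packet->payload[8] << 8) | packet->payload[9];
    return frag_len == packet->payload_packet_len;
  }

  return false;
}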
/*
 * Check whether the packet looks like a connectionless (UDP) DCE/RPC PDU.
 * Validates the fixed 80-byte header: rpc_vers 4, a PTYPE not above 10
 * (cancel_ack), the reserved flags2 bits, the data-representation label,
 * and a fragment length consistent with the payload length.
 *
 * @param packet  Parsed packet; only the UDP branch is considered.
 * @return true if the payload matches a CL DCE/RPC header, false otherwise.
 */
static bool is_connectionless_dcerpc(struct ndpi_packet_struct *packet)
{
  u_int16_t frag_len;

  if(packet->udp == NULL || packet->payload_packet_len < 80)
    return false;

  if(packet->payload[0] != 0x04) /* rpc_vers must be 4 */
    return false;
  if(packet->payload[1] > 10) /* PTYPE above cancel_ack: not CL DCE/RPC */
    return false;
  if(packet->payload[3] & 0xFC) /* flags2: bits 3..8 reserved, must be 0 */
    return false;
  if(packet->payload[4] & 0xEE) /* drep[0]: only the charset (0x01) and byte-order (0x10) bits may be set */
    return false;
  if(packet->payload[5] > 3) /* drep[1]: unknown floating point representation */
    return false;

  /* frag_len lives at offset 74; the drep label picks the byte order
     (0x10 = little-endian integers, anything else is read big-endian) */
  if(packet->payload[4] == 0x10)
    frag_len = (packet->payload[75] << 8) + packet->payload[74];
  else
    frag_len = (packet->payload[74] << 8) + packet->payload[75];

  /* 76 header bytes before the fragment plus the 4 trailing bytes */
  if(packet->payload_packet_len != (frag_len + 76 + 4))
    return false; /* too short or too long: not CL DCE/RPC */

  return true;
}
/*
 * Dissector entry point: classify the current packet as DCE/RPC if either
 * the connection-oriented (TCP) or connectionless (UDP) header check
 * passes; otherwise stop running this dissector on the flow, except for
 * payloads of at most one byte, which are not considered conclusive.
 */
static void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
  bool matched;

  NDPI_LOG_DBG(ndpi_struct, "search DCERPC\n");

  /* CO check first; the CL check only runs when CO did not match */
  matched = is_connection_oriented_dcerpc(packet);
  if(!matched)
    matched = is_connectionless_dcerpc(packet);

  if(matched) {
    NDPI_LOG_INFO(ndpi_struct, "found DCERPC\n");
    ndpi_int_dcerpc_add_connection(ndpi_struct, flow);
  } else if(packet->payload_packet_len > 1) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
  }
}
/*
 * Register the DCE/RPC dissector: it is invoked on IPv4/IPv6 TCP or UDP
 * packets that carry a payload and are not retransmissions.
 *
 * @param ndpi_struct  Detection module the dissector is added to.
 */
void init_dcerpc_dissector(struct ndpi_detection_module_struct *ndpi_struct)
{
  register_dissector("DCERPC",
                     ndpi_struct,
                     ndpi_search_dcerpc,
                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                     1,
                     NDPI_PROTOCOL_DCERPC);
}