Coverage Report

Created: 2026-06-30 07:20

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/suricata7/rust/src/dcerpc/dcerpc.rs
Line
Count
Source
1
/* Copyright (C) 2020-2022 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17
18
use crate::applayer::{self, *};
19
use crate::core::{self, *};
20
use crate::dcerpc::parser;
21
use nom7::error::{Error, ErrorKind};
22
use nom7::number::Endianness;
23
use nom7::{Err, IResult, Needed};
24
use std;
25
use std::cmp;
26
use std::ffi::CString;
27
use std::collections::VecDeque;
28
use crate::conf::{conf_get, get_memval};
29
30
pub static mut DCERPC_MAX_STUB_SIZE: u32 = 1048576;
31
32
// Constant DCERPC UDP Header length
33
pub const DCERPC_HDR_LEN: u16 = 16;
34
// FIRST flag set on the packet
35
pub const DCERPC_UUID_ENTRY_FLAG_FF: u16 = 0x0001;
36
37
// Flag bits in connection-oriented PDU header
38
39
// Value to indicate first fragment
40
pub const PFC_FIRST_FRAG: u8 = 0x01;
41
// Value to indicate last fragment
42
pub const PFC_LAST_FRAG: u8 = 0x02;
43
// Cancel was pending at sender
44
pub const PFC_PENDING_CANCEL: u8 = 0x04;
45
pub const PFC_RESERVED_1: u8 = 0x08;
46
// supports concurrent multiplexing of a single connection.
47
pub const PFC_CONC_MPX: u8 = 0x10;
48
// only meaningful on `fault' packet; if true, guaranteed
49
//  call did not execute.
50
pub const PFC_DID_NOT_EXECUTE: u8 = 0x20;
51
// `maybe' call semantics requested
52
pub const PFC_MAYBE: u8 = 0x40;
53
// if true, a non-nil object UUID was specified in the handle, and
54
//  is present in the optional object field. If false, the object field
55
// is omitted.
56
pub const PFC_OBJECT_UUID: u8 = 0x80;
57
58
// Flag bits in first flag field in connectionless PDU header.
59
pub const PFCL1_RESERVED_01: u8 = 0x01; // Reserved for use by implementations
60
pub const PFCL1_LASTFRAG: u8 = 0x02; // If set, the PDU is the last fragment
61
                                     // of a multi-PDU transmission
62
pub const PFCL1_FRAG: u8 = 0x04; // If set, the PDU is a fragment
63
                                 // of a multi-PDU transmission
64
pub const PFCL1_NOFACK: u8 = 0x08; // If set, the receiver is not requested
65
                                   // to send a `fack' PDU for the fragment
66
pub const PFCL1_MAYBE: u8 = 0x10; // If set, the PDU is for a `maybe' request
67
pub const PFCL1_IDEMPOTENT: u8 = 0x20; // If set, the PDU is for
68
                                       // an idempotent request
69
pub const PFCL1_BROADCAST: u8 = 0x40; // If set, the PDU is for
70
                                      // a broadcast request
71
pub const PFCL1_RESERVED_80: u8 = 0x80; // Reserved for use by implementations
72
73
// Flag bits in second flag field in connectionless PDU header.
74
pub const PFCL2_RESERVED_01: u8 = 0x01; // Reserved for use by implementations
75
pub const PFCL2_CANCEL_PENDING: u8 = 0x02; // Cancel pending at the call end
76
pub const PFCL2_RESERVED_04: u8 = 0x04; // Reserved for future use
77
pub const PFCL2_RESERVED_08: u8 = 0x08; // Reserved for future use
78
pub const PFCL2_RESERVED_10: u8 = 0x10; // Reserved for future use
79
pub const PFCL2_RESERVED_20: u8 = 0x20; // Reserved for future use
80
pub const PFCL2_RESERVED_40: u8 = 0x40; // Reserved for future use
81
pub const PFCL2_RESERVED_80: u8 = 0x80; // Reserved for future use
82
83
pub const REASON_NOT_SPECIFIED: u8 = 0;
84
pub const TEMPORARY_CONGESTION: u8 = 1;
85
pub const LOCAL_LIMIT_EXCEEDED: u8 = 2;
86
pub const CALLED_PADDR_UNKNOWN: u8 = 3; /* not used */
87
pub const PROTOCOL_VERSION_NOT_SUPPORTED: u8 = 4;
88
pub const DEFAULT_CONTEXT_NOT_SUPPORTED: u8 = 5; /* not used */
89
pub const USER_DATA_NOT_READABLE: u8 = 6; /* not used */
90
pub const NO_PSAP_AVAILABLE: u8 = 7; /* not used */
91
92
// DCERPC Header packet types
93
pub const DCERPC_TYPE_REQUEST: u8 = 0;
94
pub const DCERPC_TYPE_PING: u8 = 1;
95
pub const DCERPC_TYPE_RESPONSE: u8 = 2;
96
pub const DCERPC_TYPE_FAULT: u8 = 3;
97
pub const DCERPC_TYPE_WORKING: u8 = 4;
98
pub const DCERPC_TYPE_NOCALL: u8 = 5;
99
pub const DCERPC_TYPE_REJECT: u8 = 6;
100
pub const DCERPC_TYPE_ACK: u8 = 7;
101
pub const DCERPC_TYPE_CL_CANCEL: u8 = 8;
102
pub const DCERPC_TYPE_FACK: u8 = 9;
103
pub const DCERPC_TYPE_CANCEL_ACK: u8 = 10;
104
pub const DCERPC_TYPE_BIND: u8 = 11;
105
pub const DCERPC_TYPE_BINDACK: u8 = 12;
106
pub const DCERPC_TYPE_BINDNAK: u8 = 13;
107
pub const DCERPC_TYPE_ALTER_CONTEXT: u8 = 14;
108
pub const DCERPC_TYPE_ALTER_CONTEXT_RESP: u8 = 15;
109
pub const DCERPC_TYPE_AUTH3: u8 = 16;
110
pub const DCERPC_TYPE_SHUTDOWN: u8 = 17;
111
pub const DCERPC_TYPE_CO_CANCEL: u8 = 18;
112
pub const DCERPC_TYPE_ORPHANED: u8 = 19;
113
pub const DCERPC_TYPE_RTS: u8 = 20;
114
pub const DCERPC_TYPE_UNKNOWN: u8 = 99;
115
116
pub(super) static mut DCERPC_MAX_TX: usize = 1024;
117
118
pub static mut ALPROTO_DCERPC: AppProto = ALPROTO_UNKNOWN;
119
120
6.73k
pub fn dcerpc_type_string(t: u8) -> String {
121
6.73k
    match t {
122
3.09k
        DCERPC_TYPE_REQUEST => "REQUEST",
123
0
        DCERPC_TYPE_PING => "PING",
124
3.04k
        DCERPC_TYPE_RESPONSE => "RESPONSE",
125
0
        DCERPC_TYPE_FAULT => "FAULT",
126
0
        DCERPC_TYPE_WORKING => "WORKING",
127
0
        DCERPC_TYPE_NOCALL => "NOCALL",
128
0
        DCERPC_TYPE_REJECT => "REJECT",
129
0
        DCERPC_TYPE_ACK => "ACK",
130
0
        DCERPC_TYPE_CL_CANCEL => "CL_CANCEL",
131
0
        DCERPC_TYPE_FACK => "FACK",
132
0
        DCERPC_TYPE_CANCEL_ACK => "CANCEL_ACK",
133
288
        DCERPC_TYPE_BIND => "BIND",
134
252
        DCERPC_TYPE_BINDACK => "BINDACK",
135
0
        DCERPC_TYPE_BINDNAK => "BINDNAK",
136
0
        DCERPC_TYPE_ALTER_CONTEXT => "ALTER_CONTEXT",
137
0
        DCERPC_TYPE_ALTER_CONTEXT_RESP => "ALTER_CONTEXT_RESP",
138
0
        DCERPC_TYPE_AUTH3 => "AUTH3",
139
0
        DCERPC_TYPE_SHUTDOWN => "SHUTDOWN",
140
0
        DCERPC_TYPE_CO_CANCEL => "CO_CANCEL",
141
0
        DCERPC_TYPE_ORPHANED => "ORPHANED",
142
0
        DCERPC_TYPE_RTS => "RTS",
143
13
        DCERPC_TYPE_UNKNOWN => "UNKNOWN",
144
        _ => {
145
44
            return (t).to_string();
146
        }
147
    }
148
6.69k
    .to_string()
149
6.73k
}
150
151
42.8k
pub fn get_resp_type_for_req(t: u8) -> u8 {
152
42.8k
    match t {
153
42.8k
        DCERPC_TYPE_REQUEST => DCERPC_TYPE_RESPONSE,
154
0
        DCERPC_TYPE_BIND => DCERPC_TYPE_BINDACK,
155
0
        DCERPC_TYPE_ALTER_CONTEXT => DCERPC_TYPE_ALTER_CONTEXT_RESP,
156
0
        _ => DCERPC_TYPE_UNKNOWN,
157
    }
158
42.8k
}
159
160
880k
pub fn get_req_type_for_resp(t: u8) -> u8 {
161
880k
    match t {
162
184k
        DCERPC_TYPE_RESPONSE => DCERPC_TYPE_REQUEST,
163
113k
        DCERPC_TYPE_BINDACK => DCERPC_TYPE_BIND,
164
582k
        DCERPC_TYPE_ALTER_CONTEXT_RESP => DCERPC_TYPE_ALTER_CONTEXT,
165
0
        _ => DCERPC_TYPE_UNKNOWN,
166
    }
167
880k
}
168
#[inline(always)]
169
329k
pub fn cfg_max_stub_size() -> u32 {
170
329k
    unsafe { DCERPC_MAX_STUB_SIZE }
171
329k
}
172
173
174
#[derive(Default, Debug)]
175
pub struct DCERPCTransaction {
176
    pub id: u64, // internal transaction ID
177
    pub ctxid: u16,
178
    pub opnum: u16,
179
    pub first_request_seen: u8,
180
    pub call_id: u32, // ID to match any request-response pair
181
    pub frag_cnt_ts: u16,
182
    pub frag_cnt_tc: u16,
183
    pub endianness: u8,
184
    pub stub_data_buffer_ts: Vec<u8>,
185
    pub stub_data_buffer_tc: Vec<u8>,
186
    pub stub_data_buffer_reset_ts: bool,
187
    pub stub_data_buffer_reset_tc: bool,
188
    pub req_done: bool,
189
    pub resp_done: bool,
190
    pub req_lost: bool,
191
    pub resp_lost: bool,
192
    pub req_cmd: u8,
193
    pub resp_cmd: u8,
194
    pub activityuuid: Vec<u8>,
195
    pub seqnum: u32,
196
    pub tx_data: AppLayerTxData,
197
}
198
199
impl Transaction for DCERPCTransaction {
200
698M
    fn id(&self) -> u64 {
201
        // need +1 to match state.tx_id
202
698M
        self.id + 1
203
698M
    }
204
}
205
206
impl DCERPCTransaction {
207
399k
    pub fn new() -> Self {
208
399k
        return Self {
209
399k
            stub_data_buffer_ts: Vec::new(),
210
399k
            stub_data_buffer_tc: Vec::new(),
211
399k
            req_cmd: DCERPC_TYPE_REQUEST,
212
399k
            resp_cmd: DCERPC_TYPE_RESPONSE,
213
399k
            activityuuid: Vec::new(),
214
399k
            tx_data: AppLayerTxData::new(),
215
399k
            ..Default::default()
216
399k
        }
217
399k
    }
218
219
53
    pub fn get_req_ctxid(&self) -> u16 {
220
53
        self.ctxid
221
53
    }
222
223
2.05k
    pub fn get_first_req_seen(&self) -> u8 {
224
2.05k
        self.first_request_seen
225
2.05k
    }
226
227
1.85k
    pub fn get_req_opnum(&self) -> u16 {
228
1.85k
        self.opnum
229
1.85k
    }
230
231
194
    pub fn get_endianness(&self) -> u8 {
232
194
        self.endianness
233
194
    }
234
}
235
236
#[derive(Debug)]
237
pub struct DCERPCRequest {
238
    pub ctxid: u16,
239
    pub opnum: u16,
240
    pub first_request_seen: u8,
241
}
242
243
#[derive(Default, Debug, Clone)]
244
pub struct DCERPCUuidEntry {
245
    pub ctxid: u16,
246
    pub internal_id: u16,
247
    pub result: u16,
248
    pub uuid: Vec<u8>,
249
    pub version: u16,
250
    pub versionminor: u16,
251
    pub flags: u16,
252
}
253
254
impl DCERPCUuidEntry {
255
56.9k
    pub fn new() -> Self {
256
56.9k
        Default::default()
257
56.9k
    }
258
}
259
260
#[derive(Debug, PartialEq, Eq)]
261
pub struct Uuid {
262
    pub time_low: Vec<u8>,
263
    pub time_mid: Vec<u8>,
264
    pub time_hi_and_version: Vec<u8>,
265
    pub clock_seq_hi_and_reserved: u8,
266
    pub clock_seq_low: u8,
267
    pub node: Vec<u8>,
268
}
269
270
#[derive(Debug)]
271
pub struct DCERPCHdr {
272
    pub rpc_vers: u8,
273
    pub rpc_vers_minor: u8,
274
    pub hdrtype: u8,
275
    pub pfc_flags: u8,
276
    pub packed_drep: Vec<u8>,
277
    pub frag_length: u16,
278
    pub auth_length: u16,
279
    pub call_id: u32,
280
}
281
282
#[derive(Debug)]
283
pub struct DCERPCBind {
284
    pub numctxitems: u8,
285
    pub uuid_list: Vec<DCERPCUuidEntry>,
286
}
287
288
#[derive(Debug)]
289
pub struct BindCtxItem {
290
    pub ctxid: u16,
291
    pub uuid: Vec<u8>,
292
    pub version: u16,
293
    pub versionminor: u16,
294
}
295
296
#[derive(Debug, PartialEq, Eq)]
297
pub struct DCERPCBindAckResult {
298
    pub ack_result: u16,
299
    pub ack_reason: u16,
300
    pub transfer_syntax: Vec<u8>,
301
    pub syntax_version: u32,
302
}
303
304
#[derive(Debug)]
305
pub struct DCERPCBindAck {
306
    pub accepted_uuid_list: Vec<DCERPCUuidEntry>,
307
    pub sec_addr_len: u16,
308
    pub numctxitems: u8,
309
    pub ctxitems: Vec<DCERPCBindAckResult>,
310
}
311
312
#[derive(Default, Debug)]
313
pub struct DCERPCState {
314
    pub header: Option<DCERPCHdr>,
315
    pub bind: Option<DCERPCBind>,
316
    pub bindack: Option<DCERPCBindAck>,
317
    pub transactions: VecDeque<DCERPCTransaction>,
318
    tx_index_completed: usize,
319
    pub buffer_ts: Vec<u8>,
320
    pub buffer_tc: Vec<u8>,
321
    pub pad: u8,
322
    pub padleft: u16,
323
    pub bytes_consumed: i32,
324
    pub tx_id: u64,
325
    pub query_completed: bool,
326
    pub data_needed_for_dir: Direction,
327
    pub prev_dir: Direction,
328
    pub ts_gap: bool,
329
    pub tc_gap: bool,
330
    pub ts_ssn_gap: bool,
331
    pub tc_ssn_gap: bool,
332
    pub ts_ssn_trunc: bool, /// true if Truncated in this direction
333
    pub tc_ssn_trunc: bool,
334
    pub flow: Option<*const core::Flow>,
335
    state_data: AppLayerStateData,
336
}
337
338
impl State<DCERPCTransaction> for DCERPCState {
339
161M
    fn get_transaction_count(&self) -> usize {
340
161M
        self.transactions.len()
341
161M
    }
342
343
322M
    fn get_transaction_by_index(&self, index: usize) -> Option<&DCERPCTransaction> {
344
322M
        self.transactions.get(index)
345
322M
    }
346
}
347
348
impl DCERPCState {
349
3.75k
    pub fn new() -> Self {
350
3.75k
        return Self {
351
3.75k
            data_needed_for_dir: Direction::ToServer,
352
3.75k
            prev_dir: Direction::ToServer,
353
3.75k
            ..Default::default()
354
3.75k
        }
355
3.75k
    }
356
357
276k
    fn create_tx(&mut self, call_id: u32) -> DCERPCTransaction {
358
276k
        let mut tx = DCERPCTransaction::new();
359
276k
        let endianness = self.get_hdr_drep_0() & 0x10;
360
276k
        tx.id = self.tx_id;
361
276k
        tx.call_id = call_id;
362
276k
        tx.endianness = endianness;
363
276k
        self.tx_id += 1;
364
276k
        tx.req_done = self.ts_ssn_trunc;
365
276k
        tx.resp_done = self.tc_ssn_trunc;
366
276k
        if self.transactions.len() > unsafe { DCERPC_MAX_TX } {
367
88.1k
            let mut index = self.tx_index_completed;
368
88.1k
            for tx_old in &mut self.transactions.range_mut(self.tx_index_completed..) {
369
88.1k
                index += 1;
370
88.1k
                if !tx_old.req_done || !tx_old.resp_done {
371
88.1k
                    tx_old.tx_data.updated_tc = true;
372
88.1k
                    tx_old.tx_data.updated_ts = true;
373
88.1k
                    tx_old.req_done = true;
374
88.1k
                    tx_old.resp_done = true;
375
88.1k
                    break;
376
0
                }
377
            }
378
88.1k
            self.tx_index_completed = index;
379
188k
        }
380
276k
        tx
381
276k
    }
382
383
129k
    pub fn free_tx(&mut self, tx_id: u64) {
384
        SCLogDebug!("Freeing TX with ID {} TX.ID {}", tx_id, tx_id+1);
385
129k
        let len = self.transactions.len();
386
129k
        let mut found = false;
387
129k
        let mut index = 0;
388
1.37M
        for i in 0..len {
389
1.37M
            let tx = &self.transactions[i];
390
1.37M
            if tx.id == tx_id { //+ 1 {
391
129k
                found = true;
392
129k
                index = i;
393
                SCLogDebug!("tx {} progress {}/{}", tx.id, tx.req_done, tx.resp_done);
394
129k
                break;
395
1.24M
            }
396
        }
397
129k
        if found {
398
129k
            SCLogDebug!("freeing TX with ID {} TX.ID {} at index {} left: {} max id: {}",
399
129k
                            tx_id, tx_id+1, index, self.transactions.len(), self.tx_id);
400
129k
            self.tx_index_completed = 0;
401
129k
            self.transactions.remove(index);
402
129k
        }
403
129k
    }
404
405
367k
    fn get_hdr_drep_0(&self) -> u8 {
406
367k
        if let Some(ref hdr) = &self.header {
407
367k
            return hdr.packed_drep[0];
408
0
        }
409
0
        0
410
367k
    }
411
412
90.7k
    fn get_endianness(&self) -> Endianness {
413
90.7k
        let drep_0 = self.get_hdr_drep_0();
414
90.7k
        if drep_0 & 0x10 == 0 {
415
82.7k
            return Endianness::Big;
416
7.91k
        }
417
7.91k
        Endianness::Little
418
90.7k
    }
419
420
519k
    fn get_hdr_fraglen(&self) -> Option<u16> {
421
519k
        debug_validate_bug_on!(self.header.is_none());
422
519k
        if let Some(ref hdr) = self.header {
423
519k
            return Some(hdr.frag_length);
424
0
        }
425
        // Shouldn't happen
426
0
        None
427
519k
    }
428
429
286k
    fn get_hdr_pfcflags(&self) -> Option<u8> {
430
286k
        debug_validate_bug_on!(self.header.is_none());
431
286k
        if let Some(ref hdr) = self.header {
432
286k
            return Some(hdr.pfc_flags);
433
0
        }
434
        // Shouldn't happen
435
0
        None
436
286k
    }
437
438
1.11M
    pub fn get_hdr_type(&self) -> Option<u8> {
439
1.11M
        debug_validate_bug_on!(self.header.is_none());
440
1.11M
        if let Some(ref hdr) = self.header {
441
1.11M
            return Some(hdr.hdrtype);
442
0
        }
443
        // Shouldn't happen
444
0
        None
445
1.11M
    }
446
447
614k
    pub fn get_hdr_call_id(&self) -> Option<u32> {
448
614k
        debug_validate_bug_on!(self.header.is_none());
449
614k
        if let Some(ref hdr) = self.header {
450
614k
            return Some(hdr.call_id);
451
0
        }
452
        // Shouldn't happen
453
0
        None
454
614k
    }
455
456
312k
    pub fn clean_buffer(&mut self, direction: Direction) {
457
312k
        match direction {
458
162k
            Direction::ToServer => {
459
162k
                self.buffer_ts.clear();
460
162k
                self.ts_gap = false;
461
162k
            }
462
150k
            Direction::ToClient => {
463
150k
                self.buffer_tc.clear();
464
150k
                self.tc_gap = false;
465
150k
            }
466
        }
467
312k
        self.bytes_consumed = 0;
468
312k
    }
469
470
312k
    pub fn reset_direction(&mut self, direction: Direction) {
471
312k
        if direction == Direction::ToServer {
472
162k
            self.data_needed_for_dir = Direction::ToClient;
473
162k
        } else {
474
150k
            self.data_needed_for_dir = Direction::ToServer;
475
150k
        }
476
312k
    }
477
478
    /// Get transaction as per the given transaction ID. Transaction ID with
479
    /// which the lookup is supposed to be done as per the calls from AppLayer
480
    /// parser in C. This requires an internal transaction ID to be maintained.
481
    ///
482
    /// Arguments:
483
    /// * `tx_id`: internal transaction ID to track transactions
484
    ///
485
    /// Return value:
486
    /// Option mutable reference to DCERPCTransaction
487
524
    pub fn get_tx(&mut self, tx_id: u64) -> Option<&mut DCERPCTransaction> {
488
614
        for tx in &mut self.transactions {
489
538
            let found = tx.id == tx_id;
490
538
            if found {
491
448
                return Some(tx);
492
90
            }
493
        }
494
76
        None
495
524
    }
496
497
    /// Find the transaction as per call ID defined in header. If the tx is not
498
    /// found, create one.
499
    ///
500
    /// Arguments:
501
    /// * `call_id`: call_id param derived from TCP Header
502
    /// * `dir`: description: direction of the flow
503
    ///
504
    /// Return value:
505
    /// Option mutable reference to DCERPCTransaction
506
503k
    pub fn get_tx_by_call_id(&mut self, call_id: u32, dir: Direction) -> Option<&mut DCERPCTransaction> {
507
503k
        let cmd = self.get_hdr_type().unwrap_or(0);
508
254M
        for tx in &mut self.transactions {
509
254M
            let found = tx.call_id == call_id;
510
254M
            if found {
511
223M
                match dir {
512
                    Direction::ToServer => {
513
13.1M
                        if tx.req_done || tx.req_lost {
514
13.1M
                            continue;
515
42.8k
                        }
516
42.8k
                        let resp_cmd = get_resp_type_for_req(cmd);
517
42.8k
                        if resp_cmd != tx.resp_cmd {
518
4.14k
                            continue;
519
38.7k
                        }
520
                    }
521
                    Direction::ToClient => {
522
210M
                        if tx.resp_done || tx.resp_lost {
523
209M
                            continue;
524
880k
                        }
525
880k
                        let req_cmd = get_req_type_for_resp(cmd);
526
880k
                        if req_cmd != tx.req_cmd {
527
674k
                            continue;
528
206k
                        }
529
                    }
530
                }
531
244k
                tx.tx_data.updated_tc = true;
532
244k
                tx.tx_data.updated_ts = true;
533
244k
                return Some(tx);
534
31.2M
            }
535
        }
536
259k
        None
537
503k
    }
538
539
0
    pub fn parse_data_gap(&mut self, direction: Direction) -> AppLayerResult {
540
0
        match direction {
541
0
            Direction::ToServer => {
542
0
                self.ts_gap = true;
543
0
                self.ts_ssn_gap = true;
544
0
            },
545
0
            Direction::ToClient => {
546
0
                self.tc_gap = true;
547
0
                self.tc_ssn_gap = true;
548
0
            },
549
        }
550
0
        AppLayerResult::ok()
551
0
    }
552
553
312k
    pub fn post_gap_housekeeping(&mut self, dir: Direction) {
554
        SCLogDebug!("ts ssn gap: {:?}, tc ssn gap: {:?}, dir: {:?}", self.ts_ssn_gap, self.tc_ssn_gap, dir);
555
312k
        if self.ts_ssn_gap && dir == Direction::ToServer {
556
0
            for tx in &mut self.transactions {
557
0
                if tx.id >= self.tx_id {
558
                    SCLogDebug!("post_gap_housekeeping: done");
559
0
                    break;
560
0
                }
561
0
                if !tx.req_done {
562
0
                    tx.req_lost = true;
563
0
                }
564
0
                tx.req_done = true;
565
0
                if let Some(flow) = self.flow {
566
0
                    sc_app_layer_parser_trigger_raw_stream_reassembly(flow, dir as i32);
567
0
                }
568
            }
569
312k
        } else if self.tc_ssn_gap && dir == Direction::ToClient {
570
0
            for tx in &mut self.transactions {
571
0
                if tx.id >= self.tx_id {
572
                    SCLogDebug!("post_gap_housekeeping: done");
573
0
                    break;
574
0
                }
575
0
                if !tx.req_done {
576
0
                    tx.req_lost = true;
577
0
                }
578
0
                if !tx.resp_done {
579
0
                    tx.resp_lost = true;
580
0
                }
581
0
                tx.req_done = true;
582
0
                tx.resp_done = true;
583
0
                if let Some(flow) = self.flow {
584
0
                    sc_app_layer_parser_trigger_raw_stream_reassembly(flow, dir as i32);
585
0
                }
586
            }
587
312k
        }
588
312k
    }
589
590
349
    pub fn search_dcerpc_record<'a>(&mut self, i: &'a[u8]) -> IResult<&'a[u8], &'a[u8]> {
591
349
        let mut d = i;
592
946
        while d.len() >= 2 {
593
941
            if d[0] == 0x05 && d[1] == 0x00 {
594
344
                return Ok((&d[2..], d));
595
597
            }
596
597
            d = &d[1..];
597
        }
598
5
        Err(Err::Incomplete(Needed::new(2_usize - d.len())))
599
349
    }
600
601
    /// Makes a call to the nom parser for parsing DCERPC Header.
602
    ///
603
    /// Arguments:
604
    /// * `input`: bytes from the beginning of the buffer.
605
    ///
606
    /// Return value:
607
    /// * Success: Number of bytes successfully parsed.
608
    /// * Failure:
609
    ///   * -1 in case of Incomplete data or Eof.
610
    ///   * -2 in case of Error while parsing.
611
349k
    pub fn process_header(&mut self, input: &[u8]) -> i32 {
612
349k
        match parser::parse_dcerpc_header(input) {
613
343k
            Ok((leftover_bytes, header)) => {
614
343k
                if header.rpc_vers != 5
615
333k
                    || (header.rpc_vers_minor != 0 && header.rpc_vers_minor != 1)
616
                {
617
                    SCLogDebug!(
618
                        "DCERPC Header did not validate. Major version: {:?} Minor version: {:?}",
619
                        header.rpc_vers,
620
                        header.rpc_vers_minor
621
                    );
622
30.2k
                    return -1;
623
313k
                }
624
313k
                self.header = Some(header);
625
313k
                (input.len() - leftover_bytes.len()) as i32
626
            }
627
            Err(Err::Incomplete(_)) => {
628
                // Insufficient data.
629
                SCLogDebug!("Insufficient data while parsing DCERPC header");
630
675
                -1
631
            }
632
            Err(Err::Error(Error{code:ErrorKind::Eof, ..})) => {
633
                SCLogDebug!("EoF reached while parsing DCERPC header");
634
4.64k
                -1
635
            }
636
            Err(_) => {
637
                // Error, probably malformed data.
638
                SCLogDebug!("An error occurred while parsing DCERPC header");
639
0
                -2
640
            }
641
        }
642
349k
    }
643
644
57.2k
    pub fn handle_bindctxitem(&mut self, input: &[u8], uuid_internal_id: u16) -> i32 {
645
57.2k
        let endianness = self.get_endianness();
646
57.2k
        match parser::parse_bindctx_item(input, endianness) {
647
56.9k
            Ok((leftover_bytes, ctxitem)) => {
648
56.9k
                let mut uuidentry = DCERPCUuidEntry::new();
649
56.9k
                uuidentry.uuid = ctxitem.uuid;
650
56.9k
                uuidentry.internal_id = uuid_internal_id;
651
56.9k
                uuidentry.ctxid = ctxitem.ctxid;
652
56.9k
                uuidentry.version = ctxitem.version;
653
56.9k
                uuidentry.versionminor = ctxitem.versionminor;
654
56.9k
                let pfcflags = self.get_hdr_pfcflags().unwrap_or(0);
655
                // Store the first frag flag in the uuid as pfc_flags will
656
                // be overwritten by new packets
657
56.9k
                if pfcflags & PFC_FIRST_FRAG > 0 {
658
7.83k
                    uuidentry.flags |= DCERPC_UUID_ENTRY_FLAG_FF;
659
49.1k
                }
660
56.9k
                if let Some(ref mut bind) = self.bind {
661
56.9k
                    SCLogDebug!("DCERPC BIND CtxItem: Pushing uuid: {:?}", uuidentry);
662
56.9k
                    bind.uuid_list.push(uuidentry);
663
56.9k
                }
664
56.9k
                (input.len() - leftover_bytes.len()) as i32
665
            }
666
            Err(Err::Incomplete(_)) => {
667
                // Insufficient data.
668
                SCLogDebug!("Insufficient data while parsing DCERPC BIND CTXItem");
669
141
                -1
670
            }
671
            Err(_) => {
672
                // Error, probably malformed data.
673
                SCLogDebug!("An error occurred while parsing DCERPC BIND CTXItem");
674
128
                -1
675
            }
676
        }
677
57.2k
    }
678
679
38.7k
    pub fn process_bind_pdu(&mut self, input: &[u8]) -> i32 {
680
38.7k
        let mut retval = 0;
681
38.7k
        let mut idx = 12; // Bytes consumed if parser returns OK would be 12
682
38.7k
        match parser::parse_dcerpc_bind(input) {
683
38.6k
            Ok((leftover_bytes, header)) => {
684
38.6k
                let numctxitems = header.numctxitems;
685
38.6k
                self.bind = Some(header);
686
57.2k
                for i in 0..numctxitems {
687
57.2k
                    retval = self.handle_bindctxitem(&input[idx as usize..], i as u16);
688
57.2k
                    if retval == -1 {
689
269
                        return -1;
690
56.9k
                    }
691
56.9k
                    idx += retval;
692
                }
693
38.3k
                let call_id = self.get_hdr_call_id().unwrap_or(0);
694
38.3k
                let mut tx = self.create_tx(call_id);
695
38.3k
                tx.req_cmd = self.get_hdr_type().unwrap_or(0);
696
38.3k
                tx.req_done = true;
697
38.3k
                if let Some(flow) = self.flow {
698
38.3k
                    sc_app_layer_parser_trigger_raw_stream_reassembly(flow, Direction::ToServer as i32);
699
38.3k
                }
700
38.3k
                tx.frag_cnt_ts = 1;
701
38.3k
                self.transactions.push_back(tx);
702
                // Bytes parsed with `parse_dcerpc_bind` + (bytes parsed per bindctxitem [44] * number
703
                // of bindctxitems)
704
38.3k
                (input.len() - leftover_bytes.len()) as i32 + retval * numctxitems as i32
705
            }
706
            Err(Err::Incomplete(_)) => {
707
                // Insufficient data.
708
                SCLogDebug!("Insufficient data while parsing DCERPC BIND header");
709
15
                -1
710
            }
711
            Err(_) => {
712
                // Error, probably malformed data.
713
                SCLogDebug!("An error occurred while parsing DCERPC BIND header");
714
31
                -1
715
            }
716
        }
717
38.7k
    }
718
719
69.9k
    pub fn process_bindack_pdu(&mut self, input: &[u8]) -> i32 {
720
69.9k
        match parser::parse_dcerpc_bindack(input) {
721
69.6k
            Ok((leftover_bytes, mut back)) => {
722
69.6k
                if let Some(ref mut bind) = self.bind {
723
86.0k
                    for (uuid_internal_id, r) in back.ctxitems.iter().enumerate() {
724
746k
                        for uuid in bind.uuid_list.iter_mut() {
725
746k
                            if uuid.internal_id == uuid_internal_id as u16 {
726
33.7k
                                uuid.result = r.ack_result;
727
33.7k
                                if uuid.result != 0 {
728
5.95k
                                    break;
729
27.8k
                                }
730
27.8k
                                back.accepted_uuid_list.push(uuid.clone());
731
                                SCLogDebug!("DCERPC BINDACK accepted UUID: {:?}", uuid);
732
713k
                            }
733
                        }
734
                    }
735
67.1k
                    self.bindack = Some(back);
736
2.51k
                }
737
69.6k
                (input.len() - leftover_bytes.len()) as i32
738
            }
739
            Err(Err::Incomplete(_)) => {
740
                // Insufficient data.
741
                SCLogDebug!("Insufficient data while parsing DCERPC BINDACK");
742
174
                -1
743
            }
744
            Err(_) => {
745
                // Error, probably malformed data.
746
                SCLogDebug!("An error occurred while parsing DCERPC BINDACK");
747
146
                -1
748
            }
749
        }
750
69.9k
    }
751
752
229k
    pub fn handle_stub_data(&mut self, input: &[u8], input_len: usize, dir: Direction) -> u16 {
753
        let retval;
754
229k
        let hdrpfcflags = self.get_hdr_pfcflags().unwrap_or(0);
755
229k
        let padleft = self.padleft;
756
229k
        let call_id = self.get_hdr_call_id().unwrap_or(0);
757
229k
        let hdrtype = self.get_hdr_type();
758
        let tx;
759
229k
        if let Some(transaction) = self.get_tx_by_call_id(call_id, dir) {
760
208k
            tx = transaction;
761
208k
        } else {
762
            SCLogDebug!("No transaction found matching the call ID: {:?}", call_id);
763
20.9k
            return 0;
764
        }
765
766
        // Update the stub params based on the packet type
767
208k
        match hdrtype {
768
208k
            Some(x) => match x {
769
                DCERPC_TYPE_REQUEST => {
770
34.3k
                    retval = evaluate_stub_params(
771
34.3k
                        input,
772
34.3k
                        input_len,
773
34.3k
                        hdrpfcflags,
774
34.3k
                        padleft,
775
34.3k
                        &mut tx.stub_data_buffer_ts,
776
34.3k
                        &mut tx.stub_data_buffer_reset_ts,
777
34.3k
                    );
778
34.3k
                    tx.req_done = true;
779
34.3k
                    tx.frag_cnt_ts = 1;
780
34.3k
                    if let Some(flow) = self.flow {
781
34.3k
                        sc_app_layer_parser_trigger_raw_stream_reassembly(flow, Direction::ToServer as i32);
782
34.3k
                    }
783
                }
784
                DCERPC_TYPE_RESPONSE => {
785
174k
                    retval = evaluate_stub_params(
786
174k
                        input,
787
174k
                        input_len,
788
174k
                        hdrpfcflags,
789
174k
                        padleft,
790
174k
                        &mut tx.stub_data_buffer_tc,
791
174k
                        &mut tx.stub_data_buffer_reset_tc,
792
174k
                    );
793
174k
                    tx.resp_done = true;
794
174k
                    tx.frag_cnt_tc = 1;
795
174k
                    if let Some(flow) = self.flow {
796
174k
                        sc_app_layer_parser_trigger_raw_stream_reassembly(flow, Direction::ToClient as i32);
797
174k
                    }
798
                }
799
                _ => {
800
                    SCLogDebug!("Unrecognized packet type");
801
0
                    return 0;
802
                }
803
            },
804
            None => {
805
0
                return 0;
806
            }
807
        }
808
        // Update the remaining fragment length
809
208k
        self.padleft -= retval;
810
811
208k
        retval
812
229k
    }
813
814
    /// Handles stub data for both request and response.
815
    ///
816
    /// Arguments:
817
    /// * `input`: bytes left *after* parsing header.
818
    /// * `bytes_consumed`: bytes consumed *after* parsing header.
819
    /// * `dir`: direction whose stub is supposed to be handled.
820
    ///
821
    /// Return value:
822
    /// * Success: Number of bytes successfully parsed.
823
    /// * Failure: -1 in case fragment length defined by header mismatches the data.
824
204k
    pub fn handle_common_stub(&mut self, input: &[u8], bytes_consumed: usize, dir: Direction) -> i32 {
825
204k
        let fraglen = self.get_hdr_fraglen().unwrap_or(0);
826
204k
        if (fraglen as usize) < bytes_consumed + (DCERPC_HDR_LEN as usize) {
827
216
            return -1;
828
204k
        }
829
        // Above check makes sure padleft stays in u16 limits
830
204k
        self.padleft = fraglen - DCERPC_HDR_LEN - bytes_consumed as u16;
831
204k
        let mut input_left = input.len() - bytes_consumed;
832
204k
        let mut parsed = bytes_consumed as i32;
833
434k
        while input_left > 0 && parsed < fraglen as i32 {
834
229k
            let retval = self.handle_stub_data(&input[parsed as usize..], input_left, dir);
835
229k
            if retval > 0 && retval as usize <= input_left {
836
187k
                parsed += retval as i32;
837
187k
                input_left -= <u16 as std::convert::Into<usize>>::into(retval);
838
187k
            } else if input_left > 0 {
839
41.9k
                SCLogDebug!(
840
41.9k
                    "Error parsing DCERPC {} stub data",
841
41.9k
                    if dir == Direction::ToServer {
842
41.9k
                        "request"
843
41.9k
                    } else {
844
41.9k
                        "response"
845
41.9k
                    }
846
41.9k
                );
847
41.9k
                parsed -= input_left as i32;
848
41.9k
                input_left = 0;
849
41.9k
            }
850
        }
851
204k
        parsed
852
204k
    }
853
854
33.4k
    pub fn process_request_pdu(&mut self, input: &[u8]) -> i32 {
855
33.4k
        let endianness = self.get_endianness();
856
33.4k
        match parser::parse_dcerpc_request(input, endianness) {
857
33.4k
            Ok((leftover_input, request)) => {
858
33.4k
                let call_id = self.get_hdr_call_id().unwrap_or(0);
859
33.4k
                let hdr_type = self.get_hdr_type().unwrap_or(0);
860
33.4k
                let mut transaction = self.get_tx_by_call_id(call_id, Direction::ToServer);
861
33.4k
                match transaction {
862
4.40k
                    Some(ref mut tx) => {
863
4.40k
                        tx.req_cmd = hdr_type;
864
4.40k
                        tx.ctxid = request.ctxid;
865
4.40k
                        tx.opnum = request.opnum;
866
4.40k
                        tx.first_request_seen = request.first_request_seen;
867
4.40k
                    }
868
29.0k
                    None => {
869
29.0k
                        let mut tx = self.create_tx(call_id);
870
29.0k
                        tx.req_cmd = hdr_type;
871
29.0k
                        tx.ctxid = request.ctxid;
872
29.0k
                        tx.opnum = request.opnum;
873
29.0k
                        tx.first_request_seen = request.first_request_seen;
874
29.0k
                        self.transactions.push_back(tx);
875
29.0k
                    }
876
                }
877
33.4k
                let parsed = self.handle_common_stub(
878
33.4k
                    input,
879
33.4k
                    input.len() - leftover_input.len(),
880
33.4k
                    Direction::ToServer,
881
                );
882
33.4k
                parsed
883
            }
884
            Err(Err::Incomplete(_)) => {
885
                // Insufficient data.
886
                SCLogDebug!("Insufficient data while parsing DCERPC REQUEST");
887
20
                -1
888
            }
889
            Err(_) => {
890
                // Error, probably malformed data.
891
                SCLogDebug!("An error occurred while parsing DCERPC REQUEST");
892
14
                -1
893
            }
894
        }
895
33.4k
    }
896
897
350k
    pub fn handle_input_data(&mut self, input: &[u8], direction: Direction) -> AppLayerResult {
898
        let mut parsed;
899
        let retval;
900
350k
        let mut cur_i = input;
901
350k
        let input_len = cur_i.len();
902
        let mut v: Vec<u8>;
903
        // Set any query's completion status to false in the beginning
904
350k
        self.query_completed = false;
905
906
        // Skip the record since this means that its in the middle of a known length record
907
350k
        if (self.ts_gap && direction == Direction::ToServer) || (self.tc_gap && direction == Direction::ToClient) {
908
            SCLogDebug!("Trying to catch up after GAP (input {})", cur_i.len());
909
349
            match self.search_dcerpc_record(cur_i) {
910
344
                Ok((_, pg)) => {
911
                    SCLogDebug!("DCERPC record found");
912
344
                    let offset = cur_i.len() - pg.len();
913
344
                    cur_i = &cur_i[offset..];
914
344
                    match direction {
915
196
                        Direction::ToServer => {
916
196
                            self.ts_gap = false;
917
196
                        },
918
148
                        Direction::ToClient => {
919
148
                            self.tc_gap = false;
920
148
                        }
921
                    }
922
                },
923
                _ => {
924
5
                    let mut consumed = cur_i.len();
925
                    // At least 2 bytes are required to know if a new record is beginning
926
5
                    if consumed < 2 {
927
0
                        consumed = 0;
928
5
                    } else {
929
5
                        consumed -= 1;
930
5
                    }
931
                    SCLogDebug!("DCERPC record NOT found");
932
5
                    return AppLayerResult::incomplete(consumed as u32, 2);
933
                },
934
            }
935
350k
        }
936
937
        // Overwrite the dcerpc_state data in case of multiple complete queries in the
938
        // same direction
939
350k
        if self.prev_dir == direction {
940
36.9k
            self.data_needed_for_dir = direction;
941
313k
        }
942
943
350k
        let mut buffer = match direction {
944
            Direction::ToServer => {
945
178k
                if self.buffer_ts.len() + input_len > 1024 * 1024 {
946
                    SCLogDebug!("DCERPC TOSERVER stream: Buffer Overflow");
947
0
                    return AppLayerResult::err();
948
178k
                }
949
178k
                v = std::mem::take(&mut self.buffer_ts);
950
178k
                v.extend_from_slice(cur_i);
951
178k
                v
952
            }
953
            Direction::ToClient => {
954
172k
                if self.buffer_tc.len() + input_len > 1024 * 1024 {
955
                    SCLogDebug!("DCERPC TOCLIENT stream: Buffer Overflow");
956
0
                    return AppLayerResult::err();
957
172k
                }
958
172k
                v = std::mem::take(&mut self.buffer_tc);
959
172k
                v.extend_from_slice(cur_i);
960
172k
                v
961
            }
962
        };
963
964
350k
        if self.data_needed_for_dir != direction && !buffer.is_empty() {
965
308
            return AppLayerResult::err();
966
350k
        }
967
968
        // Set data_needed_for_dir in the same direction in case there is an issue with upcoming parsing
969
350k
        self.data_needed_for_dir = direction;
970
971
        // Check if header data was complete. In case of EoF or incomplete data, wait for more
972
        // data else return error
973
350k
        if self.bytes_consumed < DCERPC_HDR_LEN.into() && input_len > 0 {
974
349k
            parsed = self.process_header(buffer.as_slice());
975
349k
            if parsed == -1 {
976
35.6k
                match direction {
977
14.0k
                    Direction::ToServer => {
978
14.0k
                        self.buffer_ts = std::mem::take(&mut buffer);
979
14.0k
                    }
980
21.5k
                    Direction::ToClient => {
981
21.5k
                        self.buffer_tc = std::mem::take(&mut buffer);
982
21.5k
                    }
983
                }
984
35.6k
                return AppLayerResult::ok();
985
313k
            }
986
313k
            if parsed == -2 {
987
0
                return AppLayerResult::err();
988
313k
            }
989
313k
            self.bytes_consumed += parsed;
990
1.03k
        }
991
992
314k
        let fraglen = self.get_hdr_fraglen().unwrap_or(0);
993
994
314k
        if (buffer.len()) < fraglen as usize {
995
            SCLogDebug!("Possibly fragmented data, waiting for more..");
996
1.19k
                match direction {
997
870
                    Direction::ToServer => {
998
870
                        self.buffer_ts = std::mem::take(&mut buffer);
999
870
                    }
1000
325
                    Direction::ToClient => {
1001
325
                        self.buffer_tc = std::mem::take(&mut buffer);
1002
325
                    }
1003
                }
1004
1.19k
            return AppLayerResult::ok();
1005
313k
        } else {
1006
313k
            self.query_completed = true;
1007
313k
        }
1008
313k
        parsed = self.bytes_consumed;
1009
1010
313k
        let current_call_id = self.get_hdr_call_id().unwrap_or(0);
1011
1012
313k
        match self.get_hdr_type() {
1013
313k
            Some(x) => match x {
1014
                DCERPC_TYPE_BIND | DCERPC_TYPE_ALTER_CONTEXT => {
1015
38.7k
                    retval = self.process_bind_pdu(&buffer[parsed as usize..]);
1016
38.7k
                    if retval == -1 {
1017
315
                        return AppLayerResult::err();
1018
38.3k
                    }
1019
                }
1020
                DCERPC_TYPE_BINDACK | DCERPC_TYPE_ALTER_CONTEXT_RESP => {
1021
69.9k
                    retval = self.process_bindack_pdu(&buffer[parsed as usize..]);
1022
69.9k
                    if retval == -1 {
1023
320
                        return AppLayerResult::err();
1024
69.6k
                    }
1025
69.6k
                    let tx = if let Some(tx) = self.get_tx_by_call_id(current_call_id, Direction::ToClient) {
1026
21.7k
                        tx.resp_cmd = x;
1027
21.7k
                        tx
1028
                    } else {
1029
47.9k
                        let mut tx = self.create_tx(current_call_id);
1030
47.9k
                        tx.resp_cmd = x;
1031
47.9k
                        self.transactions.push_back(tx);
1032
47.9k
                        self.transactions.back_mut().unwrap()
1033
                    };
1034
69.6k
                    tx.resp_done = true;
1035
69.6k
                    tx.frag_cnt_tc = 1;
1036
69.6k
                    if let Some(flow) = self.flow {
1037
69.6k
                        sc_app_layer_parser_trigger_raw_stream_reassembly(flow, Direction::ToClient as i32);
1038
69.6k
                    }
1039
                }
1040
                DCERPC_TYPE_REQUEST => {
1041
33.4k
                    retval = self.process_request_pdu(&buffer[parsed as usize..]);
1042
33.4k
                    if retval < 0 {
1043
295
                        return AppLayerResult::err();
1044
33.1k
                    }
1045
                    // In case the response came first, the transaction would complete later when
1046
                    // the corresponding request also comes through
1047
                }
1048
                DCERPC_TYPE_RESPONSE => {
1049
171k
                    let transaction = self.get_tx_by_call_id(current_call_id, Direction::ToClient);
1050
171k
                    match transaction {
1051
10.0k
                        Some(tx) => {
1052
10.0k
                            tx.resp_cmd = x;
1053
10.0k
                        }
1054
161k
                        None => {
1055
161k
                            let mut tx = self.create_tx(current_call_id);
1056
161k
                            tx.resp_cmd = x;
1057
161k
                            self.transactions.push_back(tx);
1058
161k
                        }
1059
                    };
1060
171k
                    retval = self.handle_common_stub(
1061
171k
                        &buffer[parsed as usize..],
1062
171k
                        0,
1063
171k
                        Direction::ToClient,
1064
171k
                    );
1065
171k
                    if retval < 0 {
1066
256
                        return AppLayerResult::err();
1067
171k
                    }
1068
                }
1069
                _ => {
1070
                    SCLogDebug!("Unrecognized packet type: {:?}", x);
1071
31
                    self.clean_buffer(direction);
1072
31
                    return AppLayerResult::err();
1073
                }
1074
            },
1075
            None => {
1076
0
                return AppLayerResult::err();
1077
            }
1078
        }
1079
312k
        self.bytes_consumed += retval;
1080
1081
        // If the query has been completed, clean the buffer and reset the direction
1082
312k
        if self.query_completed {
1083
312k
            self.clean_buffer(direction);
1084
312k
            self.reset_direction(direction);
1085
312k
        }
1086
312k
        self.post_gap_housekeeping(direction);
1087
312k
        self.prev_dir = direction;
1088
312k
        return AppLayerResult::ok();
1089
350k
    }
1090
}
1091
1092
208k
fn evaluate_stub_params(
1093
208k
    input: &[u8], input_len: usize, hdrflags: u8, lenleft: u16,
1094
208k
    stub_data_buffer: &mut Vec<u8>,stub_data_buffer_reset: &mut bool,
1095
208k
) -> u16 {
1096
    
1097
208k
    let fragtype = hdrflags & (PFC_FIRST_FRAG | PFC_LAST_FRAG);
1098
    // min of usize and u16 is a valid u16
1099
208k
    let stub_len: u16 = cmp::min(lenleft as usize, input_len) as u16;
1100
208k
    if stub_len == 0 {
1101
21.0k
        return 0;
1102
187k
    }
1103
187k
    if stub_len == lenleft && (fragtype == 0 || (fragtype & PFC_LAST_FRAG > 0)) {
1104
176k
        *stub_data_buffer_reset = true;
1105
176k
    }
1106
1107
187k
    let input_slice = &input[..stub_len as usize];
1108
187k
    let max_size = cfg_max_stub_size() as usize;
1109
187k
    if (stub_data_buffer.len() + input_slice.len()) < max_size {
1110
187k
        stub_data_buffer.extend_from_slice(input_slice);
1111
187k
    } else if stub_data_buffer.len() < max_size {
1112
0
        stub_data_buffer.extend_from_slice(&input_slice[..max_size - stub_data_buffer.len()]);
1113
0
    }
1114
1115
187k
    stub_len
1116
208k
}
1117
1118
#[no_mangle]
1119
0
pub extern "C" fn rs_parse_dcerpc_request_gap(
1120
0
    state: &mut DCERPCState,
1121
0
    _input_len: u32,
1122
0
) -> AppLayerResult {
1123
0
    state.parse_data_gap(Direction::ToServer)
1124
0
}
1125
1126
#[no_mangle]
1127
0
pub extern "C" fn rs_parse_dcerpc_response_gap(
1128
0
    state: &mut DCERPCState,
1129
0
    _input_len: u32,
1130
0
) -> AppLayerResult {
1131
0
    state.parse_data_gap(Direction::ToClient)
1132
0
}
1133
1134
#[no_mangle]
1135
178k
pub unsafe extern "C" fn rs_dcerpc_parse_request(
1136
178k
    flow: *const core::Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
1137
178k
    stream_slice: StreamSlice,
1138
178k
    _data: *const std::os::raw::c_void,
1139
178k
) -> AppLayerResult {
1140
178k
    let state = cast_pointer!(state, DCERPCState);
1141
178k
    let flags = stream_slice.flags();
1142
1143
    SCLogDebug!("Handling request: input_len {} flags {:x} EOF {}",
1144
            stream_slice.len(), flags, flags & core::STREAM_EOF != 0);
1145
178k
    if flags & core::STREAM_EOF != 0 && stream_slice.is_empty() {
1146
21
        return AppLayerResult::ok();
1147
178k
    }
1148
    /* START with MIDSTREAM set: record might be starting the middle. */
1149
178k
    if flags & (core::STREAM_START|core::STREAM_MIDSTREAM) == (core::STREAM_START|core::STREAM_MIDSTREAM) {
1150
196
        state.ts_gap = true;
1151
177k
    }
1152
178k
    if !stream_slice.is_gap() {
1153
178k
        state.flow = Some(flow);
1154
178k
        return state.handle_input_data(stream_slice.as_slice(), Direction::ToServer);
1155
24
    }
1156
24
    AppLayerResult::err()
1157
178k
}
1158
1159
#[no_mangle]
1160
172k
pub unsafe extern "C" fn rs_dcerpc_parse_response(
1161
172k
    flow: *const core::Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
1162
172k
    stream_slice: StreamSlice,
1163
172k
    _data: *const std::os::raw::c_void,
1164
172k
) -> AppLayerResult {
1165
172k
    let state = cast_pointer!(state, DCERPCState);
1166
172k
    let flags = stream_slice.flags();
1167
1168
172k
    if flags & core::STREAM_EOF != 0 && stream_slice.is_empty() {
1169
2
        return AppLayerResult::ok();
1170
172k
    }
1171
    /* START with MIDSTREAM set: record might be starting the middle. */
1172
172k
    if flags & (core::STREAM_START|core::STREAM_MIDSTREAM) == (core::STREAM_START|core::STREAM_MIDSTREAM) {
1173
154
        state.tc_gap = true;
1174
172k
    }
1175
172k
    if !stream_slice.is_gap() {
1176
172k
        state.flow = Some(flow);
1177
172k
        return state.handle_input_data(stream_slice.as_slice(), Direction::ToClient);
1178
19
    }
1179
19
    AppLayerResult::err()
1180
172k
}
1181
1182
#[no_mangle]
1183
3.75k
pub extern "C" fn rs_dcerpc_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: core::AppProto) -> *mut std::os::raw::c_void {
1184
3.75k
    let state = DCERPCState::new();
1185
3.75k
    let boxed = Box::new(state);
1186
3.75k
    return Box::into_raw(boxed) as *mut _;
1187
3.75k
}
1188
1189
#[no_mangle]
1190
3.75k
pub extern "C" fn rs_dcerpc_state_free(state: *mut std::os::raw::c_void) {
1191
3.75k
    std::mem::drop(unsafe { Box::from_raw(state as *mut DCERPCState)} );
1192
3.75k
}
1193
1194
#[no_mangle]
1195
129k
pub unsafe extern "C" fn rs_dcerpc_state_transaction_free(state: *mut std::os::raw::c_void, tx_id: u64) {
1196
129k
    let dce_state = cast_pointer!(state, DCERPCState);
1197
    SCLogDebug!("freeing tx {}", tx_id);
1198
129k
    dce_state.free_tx(tx_id);
1199
129k
}
1200
1201
#[no_mangle]
1202
0
pub unsafe extern "C" fn rs_dcerpc_state_trunc(state: *mut std::os::raw::c_void, direction: u8) {
1203
0
    let dce_state = cast_pointer!(state, DCERPCState);
1204
0
    match direction.into() {
1205
        Direction::ToServer =>  {
1206
0
            dce_state.ts_ssn_trunc = true;
1207
0
            for tx in &mut dce_state.transactions {
1208
0
                tx.req_done = true;
1209
0
                if let Some(flow) = dce_state.flow {
1210
0
                    sc_app_layer_parser_trigger_raw_stream_reassembly(flow, Direction::ToServer as i32);
1211
0
                }
1212
            }
1213
            SCLogDebug!("dce_state.ts_ssn_trunc = true; txs {}", dce_state.transactions.len());
1214
        }
1215
        Direction::ToClient => {
1216
0
            dce_state.tc_ssn_trunc = true;
1217
0
            for tx in &mut dce_state.transactions {
1218
0
                tx.resp_done = true;
1219
0
                if let Some(flow) = dce_state.flow {
1220
0
                    sc_app_layer_parser_trigger_raw_stream_reassembly(flow, Direction::ToClient as i32);
1221
0
                }
1222
            }
1223
            SCLogDebug!("dce_state.tc_ssn_trunc = true; txs {}", dce_state.transactions.len());
1224
        }
1225
    }
1226
0
}
1227
1228
#[no_mangle]
1229
524
pub unsafe extern "C" fn rs_dcerpc_get_tx(
1230
524
    vtx: *mut std::os::raw::c_void, tx_id: u64,
1231
524
) -> *mut std::os::raw::c_void {
1232
524
    let dce_state = cast_pointer!(vtx, DCERPCState);
1233
524
    match dce_state.get_tx(tx_id) {
1234
448
        Some(tx) => tx as *const _ as *mut _,
1235
76
        None => std::ptr::null_mut(),
1236
    }
1237
524
}
1238
1239
#[no_mangle]
1240
1.05M
pub unsafe extern "C" fn rs_dcerpc_get_tx_cnt(vtx: *mut std::os::raw::c_void) -> u64 {
1241
1.05M
    let dce_state = cast_pointer!(vtx, DCERPCState);
1242
1.05M
    dce_state.tx_id
1243
1.05M
}
1244
1245
#[no_mangle]
1246
442M
pub unsafe extern "C" fn rs_dcerpc_get_alstate_progress(tx: *mut std::os::raw::c_void, direction: u8
1247
442M
                                                 )-> std::os::raw::c_int {
1248
442M
    let tx = cast_pointer!(tx, DCERPCTransaction);
1249
442M
    if direction == Direction::ToServer.into() && tx.req_done {
1250
        SCLogDebug!("tx {} TOSERVER progress 1 => {:?}", tx.call_id, tx);
1251
186k
        return 1;
1252
442M
    } else if direction == Direction::ToClient.into() && tx.resp_done {
1253
        SCLogDebug!("tx {} TOCLIENT progress 1 => {:?}", tx.call_id, tx);
1254
209M
        return 1;
1255
232M
    }
1256
    SCLogDebug!("tx {} direction {} progress 0", tx.call_id, direction);
1257
232M
    return 0;
1258
442M
}
1259
1260
#[no_mangle]
1261
161M
pub unsafe extern "C" fn rs_dcerpc_get_tx_data(
1262
161M
    tx: *mut std::os::raw::c_void)
1263
161M
    -> *mut AppLayerTxData
1264
{
1265
161M
    let tx = cast_pointer!(tx, DCERPCTransaction);
1266
161M
    return &mut tx.tx_data;
1267
161M
}
1268
1269
#[no_mangle]
1270
194
pub unsafe extern "C" fn rs_dcerpc_get_stub_data(
1271
194
    tx: &mut DCERPCTransaction, buf: *mut *const u8, len: *mut u32, endianness: *mut u8, dir: u8,
1272
194
) {
1273
194
    match dir.into() {
1274
67
        Direction::ToServer => {
1275
67
            *len = tx.stub_data_buffer_ts.len() as u32;
1276
67
            *buf = tx.stub_data_buffer_ts.as_ptr();
1277
67
            SCLogDebug!("DCERPC Request stub buffer: Setting buffer to: {:?}", *buf);
1278
67
        }
1279
127
        Direction::ToClient => {
1280
127
            *len = tx.stub_data_buffer_tc.len() as u32;
1281
127
            *buf = tx.stub_data_buffer_tc.as_ptr();
1282
127
            SCLogDebug!("DCERPC Response stub buffer: Setting buffer to: {:?}", *buf);
1283
127
        }
1284
    }
1285
194
    *endianness = tx.get_endianness();
1286
194
}
1287
1288
/// Probe input to see if it looks like DCERPC.
1289
8.30k
fn probe(input: &[u8]) -> (bool, bool) {
1290
8.30k
    match parser::parse_dcerpc_header(input) {
1291
2.23k
        Ok((_, hdr)) => {
1292
2.23k
            let is_request = hdr.hdrtype == 0x00 || hdr.hdrtype == 0x0e;
1293
2.23k
            let is_dcerpc = hdr.rpc_vers == 0x05 &&
1294
2.23k
                hdr.rpc_vers_minor == 0x00 &&
1295
2.23k
                hdr.packed_drep[0] & 0xee == 0 &&
1296
915
                hdr.packed_drep[1] <= 3;
1297
2.23k
            return (is_dcerpc, is_request);
1298
        },
1299
6.07k
        Err(_) => (false, false),
1300
    }
1301
8.30k
}
1302
1303
8.30k
pub unsafe extern "C" fn rs_dcerpc_probe_tcp(_f: *const core::Flow, direction: u8, input: *const u8,
1304
8.30k
                                      len: u32, rdir: *mut u8) -> AppProto
1305
{
1306
    SCLogDebug!("Probing packet for DCERPC");
1307
8.30k
    if len == 0 || input.is_null() {
1308
0
        return core::ALPROTO_UNKNOWN;
1309
8.30k
    }
1310
8.30k
    let slice: &[u8] = std::slice::from_raw_parts(input as *mut u8, len as usize);
1311
    //is_incomplete is checked by caller
1312
8.30k
    let (is_dcerpc, is_request, ) = probe(slice);
1313
8.30k
    if is_dcerpc {
1314
825
        let dir = if is_request {
1315
284
            Direction::ToServer
1316
        } else {
1317
541
            Direction::ToClient
1318
        };
1319
825
        if (direction & DIR_BOTH) != dir as u8 {
1320
339
            *rdir = dir as u8;
1321
486
        }
1322
825
        return ALPROTO_DCERPC;
1323
7.48k
    }
1324
7.48k
    return core::ALPROTO_FAILED;
1325
8.30k
}
1326
1327
34
fn register_pattern_probe() -> i8 {
1328
    unsafe {
1329
34
        if AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP, ALPROTO_DCERPC,
1330
34
                                                     b"|05 00|\0".as_ptr() as *const std::os::raw::c_char, 2, 0,
1331
34
                                                     Direction::ToServer.into(), rs_dcerpc_probe_tcp, 0, 0) < 0 {
1332
            SCLogDebug!("TOSERVER => AppLayerProtoDetectPMRegisterPatternCSwPP FAILED");
1333
0
            return -1;
1334
34
        }
1335
34
        if AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP, ALPROTO_DCERPC,
1336
34
                                                     b"|05 00|\0".as_ptr() as *const std::os::raw::c_char, 2, 0,
1337
34
                                                     Direction::ToClient.into(), rs_dcerpc_probe_tcp, 0, 0) < 0 {
1338
            SCLogDebug!("TOCLIENT => AppLayerProtoDetectPMRegisterPatternCSwPP FAILED");
1339
0
            return -1;
1340
34
        }
1341
    }
1342
1343
34
    0
1344
34
}
1345
1346
export_state_data_get!(rs_dcerpc_get_state_data, DCERPCState);
1347
1348
// Parser name as a C style string.
1349
pub const PARSER_NAME: &[u8] = b"dcerpc\0";
1350
1351
#[no_mangle]
1352
34
pub unsafe extern "C" fn rs_dcerpc_register_parser() {
1353
34
    let parser = RustParser {
1354
34
        name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
1355
34
        default_port: std::ptr::null(),
1356
34
        ipproto: IPPROTO_TCP,
1357
34
        probe_ts: None,
1358
34
        probe_tc: None,
1359
34
        min_depth: 0,
1360
34
        max_depth: 16,
1361
34
        state_new: rs_dcerpc_state_new,
1362
34
        state_free: rs_dcerpc_state_free,
1363
34
        tx_free: rs_dcerpc_state_transaction_free,
1364
34
        parse_ts: rs_dcerpc_parse_request,
1365
34
        parse_tc: rs_dcerpc_parse_response,
1366
34
        get_tx_count: rs_dcerpc_get_tx_cnt,
1367
34
        get_tx: rs_dcerpc_get_tx,
1368
34
        tx_comp_st_ts: 1,
1369
34
        tx_comp_st_tc: 1,
1370
34
        tx_get_progress: rs_dcerpc_get_alstate_progress,
1371
34
        get_eventinfo: None,
1372
34
        get_eventinfo_byid : None,
1373
34
        localstorage_new: None,
1374
34
        localstorage_free: None,
1375
34
        get_tx_files: None,
1376
34
        get_tx_iterator: Some(applayer::state_get_tx_iterator::<DCERPCState, DCERPCTransaction>),
1377
34
        get_tx_data: rs_dcerpc_get_tx_data,
1378
34
        get_state_data: rs_dcerpc_get_state_data,
1379
34
        apply_tx_config: None,
1380
34
        flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
1381
34
        truncate: None,
1382
34
        get_frame_id_by_name: None,
1383
34
        get_frame_name_by_id: None,
1384
34
    };
1385
1386
34
    let ip_proto_str = CString::new("tcp").unwrap();
1387
1388
34
    if AppLayerProtoDetectConfProtoDetectionEnabled(
1389
34
        ip_proto_str.as_ptr(),
1390
34
        parser.name,
1391
34
    ) != 0
1392
    {
1393
34
        let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
1394
34
        ALPROTO_DCERPC = alproto;
1395
34
        if register_pattern_probe() < 0 {
1396
0
            return;
1397
34
        }
1398
34
        if AppLayerParserConfParserEnabled(
1399
34
            ip_proto_str.as_ptr(),
1400
34
            parser.name,
1401
34
        ) != 0
1402
34
        {
1403
34
            let _ = AppLayerRegisterParser(&parser, alproto);
1404
34
        }
1405
34
        if let Some(val) = conf_get("app-layer.protocols.dcerpc.max-tx") {
1406
0
            if let Ok(v) = val.parse::<usize>() {
1407
0
                DCERPC_MAX_TX = v;
1408
0
            } else {
1409
0
                SCLogError!("Invalid value for smb.max-tx");
1410
            }
1411
34
        }
1412
        SCLogDebug!("Rust DCERPC parser registered.");
1413
34
        let retval = conf_get("app-layer.protocols.dcerpc.max-stub-size");
1414
34
        if let Some(val) = retval {
1415
0
            match get_memval(val) {
1416
0
                Ok(retval) => {
1417
0
                    if retval > 0 {
1418
0
                        DCERPC_MAX_STUB_SIZE = retval as u32;
1419
0
                    } else {
1420
0
                        SCLogError!("Invalid max-stub-size value");
1421
                    }
1422
                }
1423
                Err(_) => {
1424
0
                    SCLogError!("Invalid max-stub-size value");
1425
                }
1426
            }
1427
34
        }
1428
0
    } else {
1429
0
        SCLogDebug!("Protocol detector and parser disabled for DCERPC.");
1430
0
    }
1431
34
}
1432
1433
#[cfg(test)]
1434
mod tests {
1435
    use crate::applayer::AppLayerResult;
1436
    use crate::core::*;
1437
    use crate::dcerpc::dcerpc::DCERPCState;
1438
    use std::cmp;
1439
1440
    #[test]
1441
    fn test_process_header() {
1442
        let request: &[u8] = &[
1443
            0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
1444
            0x00, 0x00,
1445
        ];
1446
        let mut dcerpc_state = DCERPCState::new();
1447
        assert_eq!(16, dcerpc_state.process_header(request));
1448
    }
1449
1450
    #[test]
1451
    fn test_process_bind_pdu() {
1452
        let header: &[u8] = &[
1453
            0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
1454
            0x00, 0x00,
1455
        ];
1456
        let bind: &[u8] = &[
1457
            0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00,
1458
            0x01, 0x00, 0x2c, 0xd0, 0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f, 0xbf, 0x85,
1459
            0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1460
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1461
            0x01, 0x00, 0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b, 0x06, 0xac, 0x1b, 0xf0,
1462
            0xf5, 0xb7, 0xa7, 0xf7, 0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1463
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1464
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2, 0x10, 0xd1, 0xd0, 0x0c, 0xcc, 0x3d,
1465
            0x2f, 0x80, 0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d,
1466
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1467
            0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0xde, 0x85, 0x70, 0xc4, 0x02, 0x7c,
1468
            0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36, 0x79, 0x17, 0x01, 0x00, 0x02, 0x00,
1469
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1470
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x41, 0x65, 0x29, 0x51,
1471
            0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37, 0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed, 0x05, 0x00,
1472
            0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1473
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00, 0x14, 0x96,
1474
            0x80, 0x01, 0x2e, 0x78, 0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa, 0x02, 0xfb,
1475
            0x06, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
1476
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x01, 0x00,
1477
            0x3b, 0x04, 0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55, 0xcd, 0xe7, 0x39, 0xaf,
1478
            0x98, 0x9f, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1479
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00,
1480
            0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25, 0x92, 0x55, 0xdd, 0xae, 0x9e, 0x5b,
1481
            0x3e, 0x93, 0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1482
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1483
            0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4, 0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f, 0x14, 0xcc,
1484
            0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1485
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1486
            0x00, 0x00, 0x09, 0x00, 0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55, 0x6f, 0x5d,
1487
            0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17, 0x52, 0x8d, 0x06, 0x00, 0x03, 0x00, 0x04, 0x5d,
1488
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1489
            0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17, 0x55, 0x0c, 0xf4, 0x23,
1490
            0x3c, 0xca, 0xe6, 0xa0, 0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00, 0x00, 0x00,
1491
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1492
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x01, 0x00, 0x6a, 0x28, 0x19, 0x39,
1493
            0x0c, 0xb1, 0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5, 0x00, 0x00,
1494
            0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1495
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xc9, 0x9f,
1496
            0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78, 0xe1, 0x13, 0x70, 0x05, 0x38, 0x4d,
1497
            0x01, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
1498
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x01, 0x00,
1499
            0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6, 0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7, 0xf8, 0x56,
1500
            0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1501
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0e, 0x00,
1502
            0x01, 0x00, 0xee, 0x99, 0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa, 0xfd, 0x26,
1503
            0x57, 0x02, 0xf1, 0xce, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1504
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1505
            0x0f, 0x00, 0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b, 0xba, 0xe4, 0xd3, 0x17,
1506
            0x41, 0x60, 0x6d, 0x2d, 0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1507
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1508
            0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24, 0x03, 0x9a, 0xa9, 0x99, 0xfb, 0xbe,
1509
            0x49, 0x11, 0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00, 0x03, 0x00, 0x04, 0x5d,
1510
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1511
            0x02, 0x00, 0x00, 0x00, 0x11, 0x00, 0x01, 0x00, 0x32, 0x04, 0x7e, 0xae, 0xec, 0x28,
1512
            0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d, 0xc6, 0x65, 0x02, 0x00, 0x03, 0x00,
1513
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1514
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4, 0x81, 0x48,
1515
            0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e, 0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6, 0x03, 0x00,
1516
            0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1517
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00, 0x01, 0x00, 0xcb, 0xae,
1518
            0xb3, 0xc0, 0x0c, 0xf4, 0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70, 0x89, 0x02,
1519
            0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
1520
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00,
1521
            0xb8, 0xd0, 0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6, 0x7d, 0x08, 0x0d, 0x33,
1522
            0x73, 0x18, 0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1523
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x15, 0x00,
1524
            0x01, 0x00, 0x21, 0xd3, 0xaa, 0x09, 0x03, 0xa7, 0x0b, 0xc2, 0x06, 0x45, 0xd9, 0x6c,
1525
            0x75, 0xc2, 0x15, 0xa8, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1526
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1527
            0x16, 0x00, 0x01, 0x00, 0xe1, 0xbd, 0x59, 0xfc, 0xbc, 0xa9, 0x95, 0xc2, 0x68, 0x79,
1528
            0xf3, 0x75, 0xe0, 0xae, 0x6c, 0xe5, 0x04, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1529
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1530
            0x00, 0x00, 0x17, 0x00, 0x01, 0x00, 0x06, 0x52, 0xb4, 0x71, 0x70, 0x15, 0x4e, 0xf5,
1531
            0x7f, 0x08, 0x86, 0x14, 0xe6, 0x17, 0xd5, 0x97, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d,
1532
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1533
            0x02, 0x00, 0x00, 0x00,
1534
        ];
1535
        let mut dcerpc_state = DCERPCState::new();
1536
        assert_eq!(16, dcerpc_state.process_header(header));
1537
        assert_eq!(1068, dcerpc_state.process_bind_pdu(bind));
1538
    }
1539
1540
    #[test]
1541
    fn test_handle_bindctxitem() {
1542
        let header: &[u8] = &[
1543
            0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
1544
            0x00, 0x00,
1545
        ];
1546
        let bind: &[u8] = &[
1547
            0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0, 0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f,
1548
            0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1549
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1550
            0x00, 0x00,
1551
        ];
1552
        let mut dcerpc_state = DCERPCState::new();
1553
        assert_eq!(16, dcerpc_state.process_header(header));
1554
        assert_eq!(44, dcerpc_state.handle_bindctxitem(bind, 0));
1555
    }
1556
1557
    #[test]
1558
    fn test_process_bindack_pdu() {
1559
        let bind: &[u8] = &[
1560
            0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04, 0x00, 0x00, 0x00, 0x00,
1561
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
1562
            0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0, 0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f,
1563
            0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1564
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1565
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b, 0x06, 0xac,
1566
            0x1b, 0xf0, 0xf5, 0xb7, 0xa7, 0xf7, 0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d,
1567
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1568
            0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2, 0x10, 0xd1, 0xd0, 0x0c,
1569
            0xcc, 0x3d, 0x2f, 0x80, 0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00, 0x00, 0x00,
1570
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1571
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0xde, 0x85, 0x70, 0xc4,
1572
            0x02, 0x7c, 0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36, 0x79, 0x17, 0x01, 0x00,
1573
            0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1574
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x41, 0x65,
1575
            0x29, 0x51, 0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37, 0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed,
1576
            0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
1577
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00,
1578
            0x14, 0x96, 0x80, 0x01, 0x2e, 0x78, 0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa,
1579
            0x02, 0xfb, 0x06, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1580
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00,
1581
            0x01, 0x00, 0x3b, 0x04, 0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55, 0xcd, 0xe7,
1582
            0x39, 0xaf, 0x98, 0x9f, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1583
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1584
            0x07, 0x00, 0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25, 0x92, 0x55, 0xdd, 0xae,
1585
            0x9e, 0x5b, 0x3e, 0x93, 0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1586
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1587
            0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4, 0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f,
1588
            0x14, 0xcc, 0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d,
1589
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1590
            0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55,
1591
            0x6f, 0x5d, 0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17, 0x52, 0x8d, 0x06, 0x00, 0x03, 0x00,
1592
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1593
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17, 0x55, 0x0c,
1594
            0xf4, 0x23, 0x3c, 0xca, 0xe6, 0xa0, 0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00,
1595
            0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1596
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x01, 0x00, 0x6a, 0x28,
1597
            0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
1598
            0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
1599
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00,
1600
            0xc9, 0x9f, 0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78, 0xe1, 0x13, 0x70, 0x05,
1601
            0x38, 0x4d, 0x01, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1602
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00,
1603
            0x01, 0x00, 0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6, 0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7,
1604
            0xf8, 0x56, 0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1605
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1606
            0x0e, 0x00, 0x01, 0x00, 0xee, 0x99, 0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa,
1607
            0xfd, 0x26, 0x57, 0x02, 0xf1, 0xce, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1608
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1609
            0x00, 0x00, 0x0f, 0x00, 0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b, 0xba, 0xe4,
1610
            0xd3, 0x17, 0x41, 0x60, 0x6d, 0x2d, 0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d,
1611
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1612
            0x02, 0x00, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24, 0x03, 0x9a, 0xa9, 0x99,
1613
            0xfb, 0xbe, 0x49, 0x11, 0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00, 0x03, 0x00,
1614
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1615
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00, 0x01, 0x00, 0x32, 0x04, 0x7e, 0xae,
1616
            0xec, 0x28, 0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d, 0xc6, 0x65, 0x02, 0x00,
1617
            0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1618
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4,
1619
            0x81, 0x48, 0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e, 0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6,
1620
            0x03, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
1621
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00, 0x01, 0x00,
1622
            0xcb, 0xae, 0xb3, 0xc0, 0x0c, 0xf4, 0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70,
1623
            0x89, 0x02, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1624
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x14, 0x00,
1625
            0x01, 0x00, 0xb8, 0xd0, 0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6, 0x7d, 0x08,
1626
            0x0d, 0x33, 0x73, 0x18, 0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1627
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1628
            0x15, 0x00, 0x01, 0x00, 0x21, 0xd3, 0xaa, 0x09, 0x03, 0xa7, 0x0b, 0xc2, 0x06, 0x45,
1629
            0xd9, 0x6c, 0x75, 0xc2, 0x15, 0xa8, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1630
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1631
            0x00, 0x00, 0x16, 0x00, 0x01, 0x00, 0xe1, 0xbd, 0x59, 0xfc, 0xbc, 0xa9, 0x95, 0xc2,
1632
            0x68, 0x79, 0xf3, 0x75, 0xe0, 0xae, 0x6c, 0xe5, 0x04, 0x00, 0x02, 0x00, 0x04, 0x5d,
1633
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1634
            0x02, 0x00, 0x00, 0x00, 0x17, 0x00, 0x01, 0x00, 0x06, 0x52, 0xb4, 0x71, 0x70, 0x15,
1635
            0x4e, 0xf5, 0x7f, 0x08, 0x86, 0x14, 0xe6, 0x17, 0xd5, 0x97, 0x04, 0x00, 0x00, 0x00,
1636
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1637
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1638
        ];
1639
        let bindack: &[u8] = &[
1640
            0xb8, 0x10, 0xb8, 0x10, 0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50,
1641
            0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00,
1642
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1643
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
1644
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1645
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
1646
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1647
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1648
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1649
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1650
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
1651
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1652
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1653
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1654
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1655
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
1656
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
1658
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1659
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1660
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1661
            0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1662
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
1663
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1664
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1665
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1666
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1667
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
1668
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1669
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
1670
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1671
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1672
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
1673
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1674
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
1675
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1676
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1677
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1678
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1679
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
1680
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1681
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
1682
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1683
            0x00, 0x00,
1684
        ];
1685
        let mut dcerpc_state = DCERPCState::new();
1686
        assert_eq!(16, dcerpc_state.process_header(bind));
1687
        assert_eq!(1068, dcerpc_state.process_bind_pdu(&bind[16..]));
1688
        assert_eq!(604, dcerpc_state.process_bindack_pdu(bindack));
1689
        if let Some(back) = dcerpc_state.bindack {
1690
            assert_eq!(1, back.accepted_uuid_list.len());
1691
            assert_eq!(
1692
                vec!(57, 25, 40, 106, 177, 12, 17, 208, 155, 168, 0, 192, 79, 217, 46, 245),
1693
                back.accepted_uuid_list[0].uuid
1694
            );
1695
            assert_eq!(11, back.accepted_uuid_list[0].internal_id);
1696
        }
1697
    }
1698
1699
    #[test]
1700
    pub fn test_process_request_pdu() {
1701
        let request: &[u8] = &[
1702
            0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
1703
            0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0b, 0x00, 0x09, 0x00, 0x45, 0x00, 0x2c, 0x00,
1704
            0x4d, 0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a, 0x00, 0x4a, 0x00, 0x7a, 0x00,
1705
            0x3e, 0x00, 0x58, 0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41, 0x00, 0x4b, 0x00,
1706
            0x4b, 0x00, 0x3c, 0x00, 0x48, 0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60, 0x00,
1707
            0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b, 0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00,
1708
            0x24, 0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68, 0x00, 0x22, 0x00, 0x55, 0x00,
1709
            0x29, 0x00, 0x2c, 0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61, 0x00, 0x2a, 0x00,
1710
            0x6f, 0x00, 0x2f, 0x00, 0x4d, 0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67, 0x00,
1711
            0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00,
1712
            0x4c, 0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e, 0x00, 0x4f, 0x00, 0x64, 0x00,
1713
            0x61, 0x00, 0x73, 0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e, 0x00, 0x45, 0x00,
1714
            0x6f, 0x00, 0x40, 0x00, 0x41, 0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71, 0x00,
1715
            0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35, 0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00,
1716
            0x37, 0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37, 0x00, 0x47, 0x00, 0x21, 0x00,
1717
            0x2d, 0x00, 0x69, 0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72, 0x00, 0x4b, 0x00,
1718
            0x5c, 0x00, 0x74, 0x00, 0x3e, 0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31, 0x00,
1719
            0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b, 0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00,
1720
            0x3e, 0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f, 0x00, 0x59, 0x00, 0x38, 0x00,
1721
            0x2a, 0x00, 0x59, 0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e, 0x00, 0x6a, 0x00,
1722
            0x49, 0x00, 0x2c, 0x00, 0x79, 0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49, 0x00,
1723
            0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72, 0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00,
1724
            0x24, 0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27, 0x00, 0x64, 0x00, 0x5a, 0x00,
1725
            0x77, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28, 0x00, 0x63, 0x00,
1726
            0x4f, 0x00, 0x67, 0x00, 0x64, 0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30, 0x00,
1727
            0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e, 0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00,
1728
            0x52, 0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56, 0x00, 0x6a, 0x00, 0x5c, 0x00,
1729
            0x3c, 0x00, 0x30, 0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38, 0x00, 0x54, 0x00,
1730
            0x5c, 0x00, 0x5b, 0x00, 0x42, 0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c, 0x00,
1731
            0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f, 0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00,
1732
            0x41, 0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27, 0x00, 0x30, 0x00, 0x6d, 0x00,
1733
            0x4a, 0x00, 0x30, 0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e, 0x00, 0x29, 0x00,
1734
            0x66, 0x00, 0x3f, 0x00, 0x72, 0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b, 0x00,
1735
            0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b, 0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00,
1736
            0x56, 0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61, 0x00, 0x68, 0x00, 0x28, 0x00,
1737
            0x7d, 0x00, 0x58, 0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b, 0x00, 0x54, 0x00,
1738
            0x3a, 0x00, 0x26, 0x00, 0x52, 0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65, 0x00,
1739
            0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74, 0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00,
1740
            0x61, 0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a, 0x00, 0x74, 0x00, 0x5c, 0x00,
1741
            0x62, 0x00, 0x68, 0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f, 0x00, 0x7c, 0x00,
1742
            0x42, 0x00, 0x67, 0x00, 0x32, 0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f, 0x00,
1743
            0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51, 0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00,
1744
            0x48, 0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25, 0x00, 0x58, 0x00, 0x4a, 0x00,
1745
            0x76, 0x00, 0x32, 0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40, 0x00, 0x53, 0x00,
1746
            0x7c, 0x00, 0x7d, 0x00, 0x50, 0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38, 0x00,
1747
            0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c, 0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00,
1748
            0x7a, 0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76, 0x00, 0x4a, 0x00, 0x3e, 0x00,
1749
            0x33, 0x00, 0x75, 0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33, 0x00, 0x71, 0x00,
1750
            0x76, 0x00, 0x48, 0x00, 0x71, 0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67, 0x00,
1751
            0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b, 0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00,
1752
            0x23, 0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51, 0x00, 0x57, 0x00, 0x3a, 0x00,
1753
            0x79, 0x00, 0x7b, 0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65, 0x00, 0x49, 0x00,
1754
            0x72, 0x00, 0x30, 0x00, 0x4f, 0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a, 0x00,
1755
            0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f, 0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00,
1756
            0x59, 0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46, 0x00, 0x74, 0x00, 0x51, 0x00,
1757
            0x57, 0x00, 0x6e, 0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45, 0x00, 0x60, 0x00,
1758
            0x4c, 0x00, 0x72, 0x00, 0x4e, 0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75, 0x00,
1759
            0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29, 0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00,
1760
            0x78, 0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b, 0x00, 0x55, 0x00, 0x72, 0x00,
1761
            0x6f, 0x00, 0x6f, 0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68, 0x00, 0x3f, 0x00,
1762
            0x28, 0x00, 0x21, 0x00, 0x53, 0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36, 0x00,
1763
            0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75, 0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00,
1764
            0x55, 0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73, 0x00, 0x62, 0x00, 0x6f, 0x00,
1765
            0x37, 0x00, 0x4e, 0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d, 0x00, 0x3c, 0x00,
1766
            0x71, 0x00, 0x3e, 0x00, 0x3f, 0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63, 0x00,
1767
            0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61, 0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00,
1768
            0x4c, 0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b, 0x00, 0x43, 0x00, 0x75, 0x00,
1769
            0x45, 0x00, 0x37, 0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a, 0x00, 0x3e, 0x00,
1770
            0x64, 0x00, 0x34, 0x00, 0x6a, 0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a, 0x00,
1771
            0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b, 0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00,
1772
            0x4c, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x2b, 0x00, 0x51, 0x00,
1773
            0x47, 0x00, 0x22, 0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44, 0x00, 0x5d, 0x00,
1774
            0x59, 0x00, 0x63, 0x00, 0x5c, 0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70, 0x00,
1775
            0x69, 0x00,
1776
        ];
1777
        let mut dcerpc_state = DCERPCState::new();
1778
        assert_eq!(16, dcerpc_state.process_header(request));
1779
        assert_eq!(1008, dcerpc_state.process_request_pdu(&request[16..]));
1780
    }
1781
1782
    #[test]
1783
    pub fn test_parse_dcerpc() {
1784
        let request: &[u8] = &[
1785
            0x05, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
1786
            0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0b, 0x00, 0x09, 0x00, 0x45, 0x00, 0x2c, 0x00,
1787
            0x4d, 0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a, 0x00, 0x4a, 0x00, 0x7a, 0x00,
1788
            0x3e, 0x00, 0x58, 0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41, 0x00, 0x4b, 0x00,
1789
            0x4b, 0x00, 0x3c, 0x00, 0x48, 0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60, 0x00,
1790
            0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b, 0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00,
1791
            0x24, 0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68, 0x00, 0x22, 0x00, 0x55, 0x00,
1792
            0x29, 0x00, 0x2c, 0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61, 0x00, 0x2a, 0x00,
1793
            0x6f, 0x00, 0x2f, 0x00, 0x4d, 0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67, 0x00,
1794
            0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00,
1795
            0x4c, 0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e, 0x00, 0x4f, 0x00, 0x64, 0x00,
1796
            0x61, 0x00, 0x73, 0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e, 0x00, 0x45, 0x00,
1797
            0x6f, 0x00, 0x40, 0x00, 0x41, 0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71, 0x00,
1798
            0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35, 0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00,
1799
            0x37, 0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37, 0x00, 0x47, 0x00, 0x21, 0x00,
1800
            0x2d, 0x00, 0x69, 0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72, 0x00, 0x4b, 0x00,
1801
            0x5c, 0x00, 0x74, 0x00, 0x3e, 0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31, 0x00,
1802
            0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b, 0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00,
1803
            0x3e, 0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f, 0x00, 0x59, 0x00, 0x38, 0x00,
1804
            0x2a, 0x00, 0x59, 0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e, 0x00, 0x6a, 0x00,
1805
            0x49, 0x00, 0x2c, 0x00, 0x79, 0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49, 0x00,
1806
            0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72, 0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00,
1807
            0x24, 0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27, 0x00, 0x64, 0x00, 0x5a, 0x00,
1808
            0x77, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28, 0x00, 0x63, 0x00,
1809
            0x4f, 0x00, 0x67, 0x00, 0x64, 0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30, 0x00,
1810
            0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e, 0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00,
1811
            0x52, 0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56, 0x00, 0x6a, 0x00, 0x5c, 0x00,
1812
            0x3c, 0x00, 0x30, 0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38, 0x00, 0x54, 0x00,
1813
            0x5c, 0x00, 0x5b, 0x00, 0x42, 0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c, 0x00,
1814
            0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f, 0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00,
1815
            0x41, 0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27, 0x00, 0x30, 0x00, 0x6d, 0x00,
1816
            0x4a, 0x00, 0x30, 0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e, 0x00, 0x29, 0x00,
1817
            0x66, 0x00, 0x3f, 0x00, 0x72, 0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b, 0x00,
1818
            0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b, 0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00,
1819
            0x56, 0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61, 0x00, 0x68, 0x00, 0x28, 0x00,
1820
            0x7d, 0x00, 0x58, 0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b, 0x00, 0x54, 0x00,
1821
            0x3a, 0x00, 0x26, 0x00, 0x52, 0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65, 0x00,
1822
            0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74, 0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00,
1823
            0x61, 0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a, 0x00, 0x74, 0x00, 0x5c, 0x00,
1824
            0x62, 0x00, 0x68, 0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f, 0x00, 0x7c, 0x00,
1825
            0x42, 0x00, 0x67, 0x00, 0x32, 0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f, 0x00,
1826
            0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51, 0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00,
1827
            0x48, 0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25, 0x00, 0x58, 0x00, 0x4a, 0x00,
1828
            0x76, 0x00, 0x32, 0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40, 0x00, 0x53, 0x00,
1829
            0x7c, 0x00, 0x7d, 0x00, 0x50, 0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38, 0x00,
1830
            0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c, 0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00,
1831
            0x7a, 0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76, 0x00, 0x4a, 0x00, 0x3e, 0x00,
1832
            0x33, 0x00, 0x75, 0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33, 0x00, 0x71, 0x00,
1833
            0x76, 0x00, 0x48, 0x00, 0x71, 0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67, 0x00,
1834
            0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b, 0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00,
1835
            0x23, 0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51, 0x00, 0x57, 0x00, 0x3a, 0x00,
1836
            0x79, 0x00, 0x7b, 0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65, 0x00, 0x49, 0x00,
1837
            0x72, 0x00, 0x30, 0x00, 0x4f, 0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a, 0x00,
1838
            0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f, 0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00,
1839
            0x59, 0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46, 0x00, 0x74, 0x00, 0x51, 0x00,
1840
            0x57, 0x00, 0x6e, 0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45, 0x00, 0x60, 0x00,
1841
            0x4c, 0x00, 0x72, 0x00, 0x4e, 0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75, 0x00,
1842
            0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29, 0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00,
1843
            0x78, 0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b, 0x00, 0x55, 0x00, 0x72, 0x00,
1844
            0x6f, 0x00, 0x6f, 0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68, 0x00, 0x3f, 0x00,
1845
            0x28, 0x00, 0x21, 0x00, 0x53, 0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36, 0x00,
1846
            0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75, 0x00, 0x69, 0x00, 0x23, 0x00, 0x75, 0x00,
1847
            0x55, 0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73, 0x00, 0x62, 0x00, 0x6f, 0x00,
1848
            0x37, 0x00, 0x4e, 0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d, 0x00, 0x3c, 0x00,
1849
            0x71, 0x00, 0x3e, 0x00, 0x3f, 0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63, 0x00,
1850
            0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61, 0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00,
1851
            0x4c, 0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b, 0x00, 0x43, 0x00, 0x75, 0x00,
1852
            0x45, 0x00, 0x37, 0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a, 0x00, 0x3e, 0x00,
1853
            0x64, 0x00, 0x34, 0x00, 0x6a, 0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a, 0x00,
1854
            0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b, 0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00,
1855
            0x4c, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x2b, 0x00, 0x51, 0x00,
1856
            0x47, 0x00, 0x22, 0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44, 0x00, 0x5d, 0x00,
1857
            0x59, 0x00, 0x63, 0x00, 0x5c, 0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70, 0x00,
1858
            0x69, 0x00,
1859
        ];
1860
        let mut dcerpc_state = DCERPCState::new();
1861
        assert_eq!(
1862
            AppLayerResult::ok(),
1863
            dcerpc_state.handle_input_data(request, Direction::ToServer)
1864
        );
1865
        if let Some(hdr) = dcerpc_state.header {
1866
            assert_eq!(0, hdr.hdrtype);
1867
            assert_eq!(5, hdr.rpc_vers);
1868
            assert_eq!(1024, hdr.frag_length);
1869
        }
1870
        let tx = &dcerpc_state.transactions[0];
1871
        assert_eq!(11, tx.ctxid);
1872
        assert_eq!(9, tx.opnum);
1873
        assert_eq!(1, tx.first_request_seen);
1874
        assert_eq!(1000, tx.stub_data_buffer_ts.len());
1875
        assert!(tx.stub_data_buffer_reset_ts);
1876
    }
1877
1878
    #[test]
1879
    pub fn test_parse_bind_pdu() {
1880
        let bind1: &[u8] = &[
1881
            0x05, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00,
1882
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1883
            0x00, 0x00, 0x01, 0x00, 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e,
1884
            0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1885
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1886
            0x00, 0x00,
1887
        ];
1888
        let bind2: &[u8] = &[
1889
            0x05, 0x00, 0x0b, 0x02, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00,
1890
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
1891
            0x01, 0x00, 0x01, 0x00, 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e,
1892
            0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x67, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1893
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1894
            0x00, 0x00,
1895
        ];
1896
        let mut dcerpc_state = DCERPCState::new();
1897
        assert_eq!(
1898
            AppLayerResult::ok(),
1899
            dcerpc_state.handle_input_data(bind1, Direction::ToServer)
1900
        );
1901
        assert_eq!(
1902
            AppLayerResult::ok(), // TODO ASK if this is correct?
1903
            dcerpc_state.handle_input_data(bind2, Direction::ToServer)
1904
        );
1905
    }
1906
1907
    #[test]
1908
    pub fn test_parse_bind_frag_1() {
1909
        let bind1: &[u8] = &[
1910
            0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0xdc, 0x02, 0x00, 0x00, 0x00, 0x00,
1911
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
1912
            0x00, 0x00, 0x01, 0x00, 0xc7, 0x70, 0x0d, 0x3e, 0x71, 0x37, 0x39, 0x0d, 0x3a, 0x4f,
1913
            0xd3, 0xdc, 0xca, 0x49, 0xe8, 0xa3, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1914
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1915
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x84, 0xb6, 0x55, 0x75, 0xdb, 0x9e, 0xba, 0x54,
1916
            0x56, 0xd3, 0x45, 0x10, 0xb7, 0x7a, 0x2a, 0xe2, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d,
1917
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1918
            0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x6e, 0x39, 0x21, 0x24, 0x70, 0x6f,
1919
            0x41, 0x57, 0x54, 0x70, 0xb8, 0xc3, 0x5e, 0x89, 0x3b, 0x43, 0x03, 0x00, 0x00, 0x00,
1920
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1921
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x39, 0x6a, 0x86, 0x5d,
1922
            0x24, 0x0f, 0xd2, 0xf7, 0xb6, 0xce, 0x95, 0x9c, 0x54, 0x1d, 0x3a, 0xdb, 0x02, 0x00,
1923
            0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1924
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x12, 0xa5,
1925
            0xdd, 0xc5, 0x55, 0xce, 0xc3, 0x46, 0xbd, 0xa0, 0x94, 0x39, 0x3c, 0x0d, 0x9b, 0x5b,
1926
            0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
1927
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00,
1928
            0x87, 0x1c, 0x8b, 0x6e, 0x11, 0xa8, 0x67, 0x98, 0xd4, 0x5d, 0xf6, 0x8a, 0x2f, 0x33,
1929
            0x24, 0x7b, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1930
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00,
1931
            0x01, 0x00, 0x9b, 0x82, 0x13, 0xd1, 0x28, 0xe0, 0x63, 0xf3, 0x62, 0xee, 0x76, 0x73,
1932
            0xf9, 0xac, 0x3d, 0x2e, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1933
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1934
            0x07, 0x00, 0x01, 0x00, 0xa9, 0xd4, 0x73, 0xf2, 0xed, 0xad, 0xe8, 0x82, 0xf8, 0xcf,
1935
            0x9d, 0x9f, 0x66, 0xe6, 0x43, 0x37, 0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1936
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1937
            0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x06, 0x2b, 0x85, 0x38, 0x4f, 0x73, 0x96, 0xb1,
1938
            0x73, 0xe1, 0x59, 0xbe, 0x9d, 0xe2, 0x6c, 0x07, 0x05, 0x00, 0x01, 0x00, 0x04, 0x5d,
1939
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1940
        ];
1941
        let bind2: &[u8] = &[
1942
            0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00, 0xbf, 0xfa, 0xbb, 0xa4, 0x9e, 0x5c,
1943
            0x80, 0x61, 0xb5, 0x8b, 0x79, 0x69, 0xa6, 0x32, 0x88, 0x77, 0x01, 0x00, 0x01, 0x00,
1944
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
1945
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x39, 0xa8, 0x2c, 0x39,
1946
            0x73, 0x50, 0x06, 0x8d, 0xf2, 0x37, 0x1e, 0x1e, 0xa8, 0x8f, 0x46, 0x98, 0x02, 0x00,
1947
            0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
1948
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x01, 0x00, 0x91, 0x13,
1949
            0xd0, 0xa7, 0xef, 0xc4, 0xa7, 0x96, 0x0c, 0x4a, 0x0d, 0x29, 0x80, 0xd3, 0xfe, 0xbf,
1950
            0x00, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
1951
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00,
1952
            0xcc, 0x2b, 0x55, 0x1d, 0xd4, 0xa4, 0x0d, 0xfb, 0xcb, 0x6f, 0x86, 0x36, 0xa6, 0x57,
1953
            0xc3, 0x21, 0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
1954
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00,
1955
            0x01, 0x00, 0x43, 0x7b, 0x07, 0xee, 0x85, 0xa8, 0xb9, 0x3a, 0x0f, 0xf9, 0x83, 0x70,
1956
            0xe6, 0x0b, 0x4f, 0x33, 0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
1957
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
1958
            0x0e, 0x00, 0x01, 0x00, 0x9c, 0x6a, 0x15, 0x8c, 0xd6, 0x9c, 0xa6, 0xc3, 0xb2, 0x9e,
1959
            0x62, 0x9f, 0x3d, 0x8e, 0x47, 0x73, 0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
1960
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
1961
            0x00, 0x00, 0x0f, 0x00, 0x01, 0x00, 0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01,
1962
            0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d,
1963
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
1964
            0x02, 0x00, 0x00, 0x00,
1965
        ];
1966
        let mut dcerpc_state = DCERPCState::new();
1967
        assert_eq!(
1968
            AppLayerResult::ok(),
1969
            dcerpc_state.handle_input_data(bind1, Direction::ToServer)
1970
        );
1971
        assert_eq!(
1972
            AppLayerResult::ok(),
1973
            dcerpc_state.handle_input_data(bind2, Direction::ToServer)
1974
        );
1975
        if let Some(ref bind) = dcerpc_state.bind {
1976
            assert_eq!(16, bind.numctxitems);
1977
            assert_eq!(0, dcerpc_state.bytes_consumed); // because the buffer is cleared after a query is complete
1978
        }
1979
    }
1980
1981
    #[test]
1982
    pub fn test_parse_bind_frag_2() {
1983
        let request1: &[u8] = &[
1984
            0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x01, 0x00,
1985
            0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04,
1986
            0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
1987
        ];
1988
        let request2: &[u8] = &[0x0D, 0x0E];
1989
        let request3: &[u8] = &[0x0F, 0x10, 0x11, 0x12, 0x13, 0x14];
1990
        let mut dcerpc_state = DCERPCState::new();
1991
        assert_eq!(
1992
            AppLayerResult::ok(),
1993
            dcerpc_state.handle_input_data(request1, Direction::ToServer)
1994
        );
1995
        assert_eq!(
1996
            AppLayerResult::ok(),
1997
            dcerpc_state.handle_input_data(request2, Direction::ToServer)
1998
        );
1999
        assert_eq!(
2000
            AppLayerResult::ok(),
2001
            dcerpc_state.handle_input_data(request3, Direction::ToServer)
2002
        );
2003
        let tx = &dcerpc_state.transactions[0];
2004
        assert_eq!(20, tx.stub_data_buffer_ts.len());
2005
    }
2006
2007
    #[test]
2008
    pub fn test_parse_bind_frag_3() {
2009
        let request1: &[u8] = &[
2010
            0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x01, 0x00,
2011
            0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04,
2012
            0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
2013
        ];
2014
        let mut dcerpc_state = DCERPCState::new();
2015
        assert_eq!(
2016
            AppLayerResult::ok(),
2017
            dcerpc_state.handle_input_data(request1, Direction::ToServer)
2018
        );
2019
    }
2020
2021
    #[test]
2022
    pub fn test_parse_bind_frag_4() {
2023
        let request1: &[u8] = &[
2024
            0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x01, 0x00,
2025
            0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04,
2026
            0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
2027
        ];
2028
        let mut dcerpc_state = DCERPCState::new();
2029
        assert_eq!(
2030
            AppLayerResult::ok(),
2031
            dcerpc_state.handle_input_data(request1, Direction::ToServer)
2032
        );
2033
    }
2034
2035
    #[test]
2036
    pub fn test_parse_dcerpc_frag_1() {
2037
        let fault: &[u8] = &[
2038
            0x05, 0x00, 0x03, 0x03, 0x10, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
2039
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0xf7, 0x06, 0x00, 0x00,
2040
            0x00, 0x00, 0x00, 0x00,
2041
        ];
2042
        let request1: &[u8] = &[0x05, 0x00];
2043
        let request2: &[u8] = &[
2044
            0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2045
            0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
2046
            0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
2047
        ];
2048
        let mut dcerpc_state = DCERPCState::new();
2049
        assert_eq!(
2050
            AppLayerResult::err(),
2051
            dcerpc_state.handle_input_data(fault, Direction::ToServer)
2052
        );
2053
        assert_eq!(
2054
            AppLayerResult::ok(),
2055
            dcerpc_state.handle_input_data(request1, Direction::ToServer)
2056
        );
2057
        assert_eq!(
2058
            AppLayerResult::ok(),
2059
            dcerpc_state.handle_input_data(request2, Direction::ToServer)
2060
        );
2061
        let tx = &dcerpc_state.transactions[0];
2062
        assert_eq!(12, tx.stub_data_buffer_ts.len());
2063
    }
2064
2065
    #[test]
2066
    pub fn test_parse_dcerpc_frag_2() {
2067
        let request1: &[u8] = &[
2068
            0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00,
2069
            0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04,
2070
            0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
2071
        ];
2072
        let request2: &[u8] = &[0x05, 0x00];
2073
        let request3: &[u8] = &[
2074
            0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2075
            0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
2076
            0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
2077
        ];
2078
        let mut dcerpc_state = DCERPCState::new();
2079
        assert_eq!(
2080
            AppLayerResult::ok(),
2081
            dcerpc_state.handle_input_data(request1, Direction::ToServer)
2082
        );
2083
        assert_eq!(
2084
            AppLayerResult::ok(),
2085
            dcerpc_state.handle_input_data(request2, Direction::ToServer)
2086
        );
2087
        assert_eq!(
2088
            AppLayerResult::ok(),
2089
            dcerpc_state.handle_input_data(request3, Direction::ToServer)
2090
        );
2091
    }
2092
2093
    #[test]
2094
    pub fn test_parse_dcerpc_back_frag() {
2095
        let bind_ack1: &[u8] = &[
2096
            0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00,
2097
            0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, 0x48, 0x1a, 0x00, 0x00,
2098
        ];
2099
        let bind_ack2: &[u8] = &[
2100
            0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00,
2101
            0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2102
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2103
            0x00, 0x00,
2104
        ];
2105
        let mut dcerpc_state = DCERPCState::new();
2106
        dcerpc_state.data_needed_for_dir = Direction::ToClient;
2107
        assert_eq!(
2108
            AppLayerResult::ok(),
2109
            dcerpc_state.handle_input_data(bind_ack1, Direction::ToClient)
2110
        );
2111
        assert_eq!(
2112
            AppLayerResult::ok(),
2113
            dcerpc_state.handle_input_data(bind_ack2, Direction::ToClient)
2114
        );
2115
    }
2116
2117
    #[test]
2118
    // Check if the parser accepts bind pdus that have context ids starting
2119
    // from a non-zero value.
2120
    pub fn test_parse_bind_pdu_ctx_id_non_zero() {
2121
        let bindbuf: &[u8] = &[
2122
            0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x7f, 0x00,
2123
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2124
            0x01, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
2125
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2126
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2127
            0x00, 0x00,
2128
        ];
2129
        let mut dcerpc_state = DCERPCState::new();
2130
        let expected_uuid: &[u8] = &[
2131
            0x00, 0x00, 0x01, 0xa0, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00,
2132
            0x00, 0x46,
2133
        ];
2134
        assert_eq!(
2135
            AppLayerResult::ok(),
2136
            dcerpc_state.handle_input_data(bindbuf, Direction::ToServer)
2137
        );
2138
        if let Some(ref bind) = dcerpc_state.bind {
2139
            let bind_uuid = &bind.uuid_list[0].uuid;
2140
            assert_eq!(1, bind.uuid_list.len());
2141
            assert_eq!(
2142
                cmp::Ordering::Equal,
2143
                bind_uuid
2144
                    .iter()
2145
                    .zip(expected_uuid)
2146
                    .map(|(x, y)| x.cmp(y))
2147
                    .find(|&ord| ord != cmp::Ordering::Equal)
2148
                    .unwrap_or_else(|| bind_uuid.len().cmp(&expected_uuid.len()))
2149
            );
2150
        }
2151
    }
2152
2153
    #[test]
2154
    // Check for endless loop with bind PDUs (Imported from C code)
2155
    pub fn test_parse_bind_pdu_infinite_loop() {
2156
        let bindbuf: &[u8] = &[
2157
            0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x7f, 0x00,
2158
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
2159
            0x01, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00,
2160
            0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2161
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2162
            0x00, 0x00, 0x02, 0x00, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x01, 0x02, 0x03, 0x04,
2163
            0x05, 0x06, 0x07, 0x08, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x01, 0x02,
2164
            0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
2165
            0x01, 0x02, 0x03, 0x04, 0xFF, /* ka boom - endless loop */
2166
        ];
2167
        let mut dcerpc_state = DCERPCState::new();
2168
        assert_eq!(
2169
            AppLayerResult::ok(),
2170
            dcerpc_state.handle_input_data(bindbuf, Direction::ToServer)
2171
        );
2172
    }
2173
2174
    #[test]
2175
    // Check for endless loop with bind_ack PDUs (Imported from C code)
2176
    pub fn test_parse_bindack_pdu_infinite_loop() {
2177
        let bind_ack: &[u8] = &[
2178
            0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3e, 0x00, 0x00, 0x00, 0x7f, 0x00,
2179
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0xfd, 0x04, 0x01, 0x00, 0x04, 0x00, 0x31, 0x33,
2180
            0x35, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d,
2181
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2182
            0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2183
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x01, 0x02, 0x03, 0x04,
2184
            0xFF,
2185
        ];
2186
        let mut dcerpc_state = DCERPCState::new();
2187
        dcerpc_state.data_needed_for_dir = Direction::ToClient;
2188
        assert_eq!(
2189
            AppLayerResult::ok(),
2190
            dcerpc_state.handle_input_data(bind_ack, Direction::ToClient)
2191
        );
2192
    }
2193
2194
    #[test]
2195
    // Check for correct internal ids for bind_acks
2196
    pub fn test_parse_bindack_internal_ids() {
2197
        let bind1: &[u8] = &[
2198
            0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x58, 0x02, 0x00, 0x00, 0x00, 0x00,
2199
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00,
2200
            0x00, 0x00, 0x01, 0x00, 0x50, 0x08, 0x43, 0x95, 0x43, 0x5a, 0x8b, 0xb2, 0xf4, 0xc5,
2201
            0xb9, 0xee, 0x67, 0x55, 0x7c, 0x19, 0x00, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2202
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2203
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0xda, 0xc2, 0xbc, 0x9b, 0x35, 0x2e, 0xd4, 0xc9,
2204
            0x1f, 0x85, 0x01, 0xe6, 0x4e, 0x5a, 0x5e, 0xd4, 0x04, 0x00, 0x03, 0x00, 0x04, 0x5d,
2205
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2206
            0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xb2, 0x97, 0xcc, 0x14, 0x6f, 0x70,
2207
            0x0d, 0xa5, 0x33, 0xd7, 0xf4, 0xe3, 0x8e, 0xb2, 0x2a, 0x1e, 0x05, 0x00, 0x02, 0x00,
2208
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2209
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x96, 0x4e, 0xa6, 0xf6,
2210
            0xb2, 0x4b, 0xae, 0xb3, 0x21, 0xf4, 0x97, 0x7c, 0xcd, 0xa7, 0x08, 0xb0, 0x00, 0x00,
2211
            0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2212
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0xbc, 0xc0,
2213
            0xf7, 0x71, 0x3f, 0x71, 0x54, 0x44, 0x22, 0xa8, 0x55, 0x0f, 0x98, 0x83, 0x1f, 0xfe,
2214
            0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2215
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00,
2216
            0xbe, 0x52, 0xf2, 0x58, 0x4a, 0xc3, 0xb5, 0xd0, 0xba, 0xac, 0xda, 0xf0, 0x12, 0x99,
2217
            0x38, 0x6e, 0x04, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2218
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00,
2219
            0x01, 0x00, 0xdb, 0xfa, 0x73, 0x01, 0xb3, 0x81, 0x01, 0xd4, 0x7f, 0xa0, 0x36, 0xb1,
2220
            0x97, 0xae, 0x29, 0x7f, 0x01, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2221
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2222
            0x07, 0x00, 0x01, 0x00, 0x89, 0xbe, 0x41, 0x1d, 0x38, 0x75, 0xf5, 0xb5, 0xad, 0x27,
2223
            0x73, 0xf1, 0xb0, 0x7a, 0x28, 0x82, 0x05, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2224
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2225
            0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xf6, 0x87, 0x09, 0x93, 0xb8, 0xa8, 0x20, 0xc4,
2226
            0xb8, 0x63, 0xe6, 0x95, 0xed, 0x59, 0xee, 0x3f, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d,
2227
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2228
            0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00, 0x92, 0x77, 0x92, 0x68, 0x3e, 0xa4,
2229
            0xbc, 0x3f, 0x44, 0x33, 0x0e, 0xb8, 0x33, 0x0a, 0x2f, 0xdf, 0x01, 0x00, 0x02, 0x00,
2230
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2231
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0xa1, 0x03, 0xd2, 0xa9,
2232
            0xd2, 0x16, 0xc9, 0x89, 0x67, 0x18, 0x3e, 0xb1, 0xee, 0x6b, 0xf9, 0x18, 0x02, 0x00,
2233
            0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2234
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x01, 0x00, 0x2f, 0x09,
2235
            0x5e, 0x74, 0xec, 0xa0, 0xbb, 0xc1, 0x60, 0x18, 0xf1, 0x93, 0x04, 0x17, 0x11, 0xf9,
2236
            0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2237
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00,
2238
            0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e,
2239
            0xe1, 0x88, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2240
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2241
        ];
2242
        let bind_ack1: &[u8] = &[
2243
            0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, 0x64, 0x01, 0x00, 0x00, 0x00, 0x00,
2244
            0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, 0xc1, 0x2b, 0x00, 0x00, 0x0e, 0x00, 0x5c, 0x50,
2245
            0x49, 0x50, 0x45, 0x5c, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x00, 0x0d, 0x00,
2246
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2247
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2248
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2249
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
2250
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2251
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2252
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2253
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2254
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
2255
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2256
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2257
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2258
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2259
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2260
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2261
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
2262
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2263
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2264
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2265
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2266
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2267
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2268
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2269
        ];
2270
        let bind2: &[u8] = &[
2271
            0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0xdc, 0x02, 0x00, 0x00, 0x00, 0x00,
2272
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
2273
            0x00, 0x00, 0x01, 0x00, 0xc7, 0x70, 0x0d, 0x3e, 0x71, 0x37, 0x39, 0x0d, 0x3a, 0x4f,
2274
            0xd3, 0xdc, 0xca, 0x49, 0xe8, 0xa3, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2275
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2276
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x84, 0xb6, 0x55, 0x75, 0xdb, 0x9e, 0xba, 0x54,
2277
            0x56, 0xd3, 0x45, 0x10, 0xb7, 0x7a, 0x2a, 0xe2, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d,
2278
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2279
            0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x6e, 0x39, 0x21, 0x24, 0x70, 0x6f,
2280
            0x41, 0x57, 0x54, 0x70, 0xb8, 0xc3, 0x5e, 0x89, 0x3b, 0x43, 0x03, 0x00, 0x00, 0x00,
2281
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2282
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x39, 0x6a, 0x86, 0x5d,
2283
            0x24, 0x0f, 0xd2, 0xf7, 0xb6, 0xce, 0x95, 0x9c, 0x54, 0x1d, 0x3a, 0xdb, 0x02, 0x00,
2284
            0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2285
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x12, 0xa5,
2286
            0xdd, 0xc5, 0x55, 0xce, 0xc3, 0x46, 0xbd, 0xa0, 0x94, 0x39, 0x3c, 0x0d, 0x9b, 0x5b,
2287
            0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2288
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00,
2289
            0x87, 0x1c, 0x8b, 0x6e, 0x11, 0xa8, 0x67, 0x98, 0xd4, 0x5d, 0xf6, 0x8a, 0x2f, 0x33,
2290
            0x24, 0x7b, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2291
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00,
2292
            0x01, 0x00, 0x9b, 0x82, 0x13, 0xd1, 0x28, 0xe0, 0x63, 0xf3, 0x62, 0xee, 0x76, 0x73,
2293
            0xf9, 0xac, 0x3d, 0x2e, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2294
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2295
            0x07, 0x00, 0x01, 0x00, 0xa9, 0xd4, 0x73, 0xf2, 0xed, 0xad, 0xe8, 0x82, 0xf8, 0xcf,
2296
            0x9d, 0x9f, 0x66, 0xe6, 0x43, 0x37, 0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2297
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2298
            0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x06, 0x2b, 0x85, 0x38, 0x4f, 0x73, 0x96, 0xb1,
2299
            0x73, 0xe1, 0x59, 0xbe, 0x9d, 0xe2, 0x6c, 0x07, 0x05, 0x00, 0x01, 0x00, 0x04, 0x5d,
2300
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2301
            0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00, 0xbf, 0xfa, 0xbb, 0xa4, 0x9e, 0x5c,
2302
            0x80, 0x61, 0xb5, 0x8b, 0x79, 0x69, 0xa6, 0x32, 0x88, 0x77, 0x01, 0x00, 0x01, 0x00,
2303
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2304
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x39, 0xa8, 0x2c, 0x39,
2305
            0x73, 0x50, 0x06, 0x8d, 0xf2, 0x37, 0x1e, 0x1e, 0xa8, 0x8f, 0x46, 0x98, 0x02, 0x00,
2306
            0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2307
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x01, 0x00, 0x91, 0x13,
2308
            0xd0, 0xa7, 0xef, 0xc4, 0xa7, 0x96, 0x0c, 0x4a, 0x0d, 0x29, 0x80, 0xd3, 0xfe, 0xbf,
2309
            0x00, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2310
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00,
2311
            0xcc, 0x2b, 0x55, 0x1d, 0xd4, 0xa4, 0x0d, 0xfb, 0xcb, 0x6f, 0x86, 0x36, 0xa6, 0x57,
2312
            0xc3, 0x21, 0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2313
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00,
2314
            0x01, 0x00, 0x43, 0x7b, 0x07, 0xee, 0x85, 0xa8, 0xb9, 0x3a, 0x0f, 0xf9, 0x83, 0x70,
2315
            0xe6, 0x0b, 0x4f, 0x33, 0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2316
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2317
            0x0e, 0x00, 0x01, 0x00, 0x9c, 0x6a, 0x15, 0x8c, 0xd6, 0x9c, 0xa6, 0xc3, 0xb2, 0x9e,
2318
            0x62, 0x9f, 0x3d, 0x8e, 0x47, 0x73, 0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2319
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2320
            0x00, 0x00, 0x0f, 0x00, 0x01, 0x00, 0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01,
2321
            0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d,
2322
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2323
            0x02, 0x00, 0x00, 0x00,
2324
        ];
2325
        let bind_ack2: &[u8] = &[
2326
            0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, 0xac, 0x01, 0x00, 0x00, 0x00, 0x00,
2327
            0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, 0xc2, 0x2b, 0x00, 0x00, 0x0e, 0x00, 0x5c, 0x50,
2328
            0x49, 0x50, 0x45, 0x5c, 0x62, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x00, 0x10, 0x00,
2329
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2330
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2331
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2332
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
2333
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2334
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2335
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2336
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2337
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
2338
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2339
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2340
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2341
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2342
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2343
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2344
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
2345
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2346
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2347
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2348
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2349
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
2350
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2351
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2352
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2353
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2354
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2355
            0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2356
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2357
        ];
2358
        let bind3: &[u8] = &[
2359
            0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x2c, 0x02, 0x00, 0x00, 0x00, 0x00,
2360
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00,
2361
            0x00, 0x00, 0x01, 0x00, 0xa4, 0x7f, 0x8e, 0xc6, 0xef, 0x56, 0x9b, 0x63, 0x92, 0xfa,
2362
            0x08, 0xb3, 0x35, 0xe2, 0xa5, 0x81, 0x00, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2363
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2364
            0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x9f, 0xfc, 0x78, 0xd2, 0x5f, 0x16, 0x0b, 0xbc,
2365
            0xc6, 0xdb, 0x5d, 0xef, 0xde, 0x54, 0xa2, 0x6f, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d,
2366
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2367
            0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x78, 0xb8, 0x96, 0xc7, 0x2f, 0xda,
2368
            0x11, 0x6b, 0xd1, 0x28, 0x68, 0xe1, 0xd6, 0x71, 0xac, 0x9d, 0x03, 0x00, 0x00, 0x00,
2369
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2370
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0xcf, 0xf4, 0xd7, 0x37,
2371
            0x03, 0xda, 0xcc, 0xe3, 0x3e, 0x34, 0x7f, 0x67, 0x99, 0x91, 0x41, 0x3d, 0x01, 0x00,
2372
            0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2373
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x48, 0xeb,
2374
            0x32, 0xf0, 0x27, 0xd5, 0x9d, 0xd0, 0x1e, 0xc6, 0x48, 0x46, 0x97, 0xe9, 0xdb, 0x09,
2375
            0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2376
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00,
2377
            0x82, 0xec, 0x0d, 0x08, 0xf2, 0x8f, 0x22, 0x57, 0x42, 0x9b, 0xce, 0xa8, 0x74, 0x16,
2378
            0xc6, 0xec, 0x00, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2379
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00,
2380
            0x01, 0x00, 0x2e, 0x00, 0x70, 0x44, 0xee, 0xc9, 0x30, 0x6b, 0xf4, 0x34, 0x1e, 0x3d,
2381
            0x35, 0x0f, 0xf7, 0xf7, 0x00, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2382
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2383
            0x07, 0x00, 0x01, 0x00, 0x59, 0x04, 0x39, 0x3f, 0x59, 0x87, 0x14, 0x0e, 0x76, 0x8d,
2384
            0x17, 0xc2, 0x47, 0xfa, 0x67, 0x7f, 0x04, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2385
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2386
            0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x30, 0xd6, 0xed, 0x2e, 0x57, 0xfa, 0xf4, 0x72,
2387
            0x6c, 0x10, 0x0d, 0xe5, 0x51, 0x7f, 0xd0, 0x39, 0x02, 0x00, 0x01, 0x00, 0x04, 0x5d,
2388
            0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
2389
            0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00, 0xea, 0x8b, 0x84, 0x4d, 0x44, 0x43,
2390
            0xc1, 0x94, 0x75, 0xe2, 0x81, 0x48, 0xd8, 0x77, 0xd9, 0xce, 0x05, 0x00, 0x00, 0x00,
2391
            0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10,
2392
            0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x89, 0x4f, 0xe7, 0x95,
2393
            0xa3, 0xc1, 0x62, 0x36, 0x26, 0x9e, 0x67, 0xdb, 0x2c, 0x52, 0x89, 0xd3, 0x01, 0x00,
2394
            0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
2395
            0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x01, 0x00, 0x78, 0x56,
2396
            0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
2397
            0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2398
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2399
        ];
2400
        let bind_ack3: &[u8] = &[
2401
            0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, 0x4c, 0x01, 0x00, 0x00, 0x00, 0x00,
2402
            0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, 0x1a, 0x33, 0x00, 0x00, 0x0e, 0x00, 0x5c, 0x70,
2403
            0x69, 0x70, 0x65, 0x5c, 0x73, 0x70, 0x6f, 0x6f, 0x6c, 0x73, 0x73, 0x00, 0x0c, 0x00,
2404
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2405
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2406
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2407
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
2408
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2409
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2410
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2411
            0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2412
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
2413
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2414
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
2415
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2416
            0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2417
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
2418
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2419
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
2420
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2421
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2422
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2423
            0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
2424
            0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2425
        ];
2426
        let mut dcerpc_state = DCERPCState::new();
2427
        let expected_uuid1 = vec![
2428
            0x4b, 0x32, 0x4f, 0xc8, 0x16, 0x70, 0x01, 0xd3, 0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e,
2429
            0xe1, 0x88,
2430
        ];
2431
        let expected_uuid2 = vec![
2432
            0x4b, 0x32, 0x4f, 0xc8, 0x16, 0x70, 0x01, 0xd3, 0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e,
2433
            0xe1, 0x88,
2434
        ];
2435
        let expected_uuid3 = vec![
2436
            0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0xab, 0xcd, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67,
2437
            0x89, 0xab,
2438
        ];
2439
        assert_eq!(
2440
            AppLayerResult::ok(),
2441
            dcerpc_state.handle_input_data(bind1, Direction::ToServer)
2442
        );
2443
        assert_eq!(
2444
            AppLayerResult::ok(),
2445
            dcerpc_state.handle_input_data(bind_ack1, Direction::ToClient)
2446
        );
2447
        if let Some(ref back) = dcerpc_state.bindack {
2448
            assert_eq!(1, back.accepted_uuid_list.len());
2449
            assert_eq!(12, back.accepted_uuid_list[0].ctxid);
2450
            assert_eq!(expected_uuid1, back.accepted_uuid_list[0].uuid);
2451
        }
2452
        assert_eq!(
2453
            AppLayerResult::ok(),
2454
            dcerpc_state.handle_input_data(bind2, Direction::ToServer)
2455
        );
2456
        assert_eq!(
2457
            AppLayerResult::ok(),
2458
            dcerpc_state.handle_input_data(bind_ack2, Direction::ToClient)
2459
        );
2460
        if let Some(ref back) = dcerpc_state.bindack {
2461
            assert_eq!(1, back.accepted_uuid_list.len());
2462
            assert_eq!(15, back.accepted_uuid_list[0].ctxid);
2463
            assert_eq!(expected_uuid2, back.accepted_uuid_list[0].uuid);
2464
        }
2465
        assert_eq!(
2466
            AppLayerResult::ok(),
2467
            dcerpc_state.handle_input_data(bind3, Direction::ToServer)
2468
        );
2469
        assert_eq!(
2470
            AppLayerResult::ok(),
2471
            dcerpc_state.handle_input_data(bind_ack3, Direction::ToClient)
2472
        );
2473
        if let Some(ref back) = dcerpc_state.bindack {
2474
            assert_eq!(1, back.accepted_uuid_list.len());
2475
            dcerpc_state.data_needed_for_dir = Direction::ToServer;
2476
            assert_eq!(11, back.accepted_uuid_list[0].ctxid);
2477
            assert_eq!(expected_uuid3, back.accepted_uuid_list[0].uuid);
2478
        }
2479
    }
2480
2481
    #[test]
2482
    pub fn test_bind_acks_alter_contexts_internal_ids() {
2483
        let bind: &[u8] = &[
2484
            0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00,
2485
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2486
            0x00, 0x00, 0x01, 0x00, 0x40, 0xfd, 0x2c, 0x34, 0x6c, 0x3c, 0xce, 0x11, 0xa8, 0x93,
2487
            0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2488
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2489
            0x00, 0x00,
2490
        ];
2491
        let bindack: &[u8] = &[
2492
            0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00,
2493
            0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00, 0x0d, 0x00, 0x5c, 0x70,
2494
            0x69, 0x70, 0x65, 0x5c, 0x6c, 0x6c, 0x73, 0x72, 0x70, 0x63, 0x00, 0x00, 0x01, 0x00,
2495
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
2496
            0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2497
        ];
2498
        let alter_context: &[u8] = &[
2499
            0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00,
2500
            0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
2501
            0x01, 0x00, 0x01, 0x00, 0xd0, 0x4c, 0x67, 0x57, 0x00, 0x52, 0xce, 0x11, 0xa8, 0x97,
2502
            0x08, 0x00, 0x2b, 0x2e, 0x9c, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
2503
            0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
2504
            0x00, 0x00,
2505
        ];
2506
        let alter_context_resp: &[u8] = &[
2507
            0x05, 0x00, 0x0f, 0x03, 0x10, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x01, 0x00,
2508
            0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, 0x7d, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00,
2509
            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c,
2510
            0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
2511
        ];
2512
2513
        let mut dcerpc_state = DCERPCState::new();
2514
        let expected_uuid1 = vec![
2515
            0x34, 0x2c, 0xfd, 0x40, 0x3c, 0x6c, 0x11, 0xce, 0xa8, 0x93, 0x08, 0x00, 0x2b, 0x2e,
2516
            0x9c, 0x6d,
2517
        ];
2518
        let expected_uuid2 = vec![
2519
            0x57, 0x67, 0x4c, 0xd0, 0x52, 0x00, 0x11, 0xce, 0xa8, 0x97, 0x08, 0x00, 0x2b, 0x2e,
2520
            0x9c, 0x6d,
2521
        ];
2522
        assert_eq!(
2523
            AppLayerResult::ok(),
2524
            dcerpc_state.handle_input_data(bind, Direction::ToServer)
2525
        );
2526
        assert_eq!(
2527
            AppLayerResult::ok(),
2528
            dcerpc_state.handle_input_data(bindack, Direction::ToClient)
2529
        );
2530
        if let Some(ref back) = dcerpc_state.bindack {
2531
            assert_eq!(1, back.accepted_uuid_list.len());
2532
            assert_eq!(0, back.accepted_uuid_list[0].ctxid);
2533
            assert_eq!(expected_uuid1, back.accepted_uuid_list[0].uuid);
2534
        }
2535
        assert_eq!(
2536
            AppLayerResult::ok(),
2537
            dcerpc_state.handle_input_data(alter_context, Direction::ToServer)
2538
        );
2539
        assert_eq!(
2540
            AppLayerResult::ok(),
2541
            dcerpc_state.handle_input_data(alter_context_resp, Direction::ToClient)
2542
        );
2543
        if let Some(ref back) = dcerpc_state.bindack {
2544
            assert_eq!(1, back.accepted_uuid_list.len());
2545
            assert_eq!(1, back.accepted_uuid_list[0].ctxid);
2546
            assert_eq!(expected_uuid2, back.accepted_uuid_list[0].uuid);
2547
        }
2548
    }
2549
2550
    #[test]
2551
    pub fn test_parse_dcerpc_frag_3() {
2552
        let request1: &[u8] = &[
2553
            0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x01, 0x00,
2554
            0x00, 0x00, 0x0c, 0x00,
2555
        ];
2556
        let request2: &[u8] = &[
2557
            0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
2558
            0x09, 0x0A, 0x0B, 0x0C, 0xFF, 0xFF,
2559
        ];
2560
        let mut dcerpc_state = DCERPCState::new();
2561
        assert_eq!(
2562
            AppLayerResult::ok(),
2563
            dcerpc_state.handle_input_data(request1, Direction::ToServer)
2564
        );
2565
        assert_eq!(
2566
            AppLayerResult::ok(),
2567
            dcerpc_state.handle_input_data(request2, Direction::ToServer)
2568
        );
2569
        let tx = &dcerpc_state.transactions[0];
2570
        assert_eq!(2, tx.opnum);
2571
        assert_eq!(0, tx.ctxid);
2572
        assert_eq!(14, tx.stub_data_buffer_ts.len());
2573
    }
2574
}