suricata/smb/smb_records.rs
1/* Copyright (C) 2018 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18use crate::common::nom7::take_until_and_consume;
19use crate::smb::error::SmbError;
20use nom7::{Err, IResult};
21
/// Parse a null-terminated UTF-16 string out of `blob`.
///
/// The input is consumed two bytes at a time, starting at the beginning of
/// `blob`. The string normally ends with a pair of null bytes, but when only
/// one byte of input is left a single null is accepted as the terminator.
///
/// Only the first byte of every 2-byte unit is kept; the second byte is
/// skipped without being inspected (apart from the terminator check). The
/// result is therefore a lossy, byte-per-character rendering: units that
/// differ only in their second byte produce the same output byte. Keep this
/// in mind when names extracted here are compared against signatures or
/// logged, since distinct on-wire names can collapse to the same value.
/// NOTE(review): keeping the first byte presumably assumes little-endian
/// UTF-16 with mostly ASCII content — confirm against the callers.
///
/// Returns the remaining input after the terminator together with the
/// collected bytes. Fails with `SmbError::BadEncoding` when the input runs
/// out (including an empty `blob`) or ends on a single non-null byte before
/// a terminator is seen.
pub fn smb_get_unicode_string(blob: &[u8]) -> IResult<&[u8], Vec<u8>, SmbError>
{
    SCLogDebug!("get_unicode_string: blob {} {:?}", blob.len(), blob);
    let mut name: Vec<u8> = Vec::new();
    let mut rest = blob;
    loop {
        match rest {
            // Ran out of input without ever seeing a terminator.
            [] => break,
            // Lone trailing null: accepted as terminator at the end of the data.
            [0] => {
                let rem = &rest[1..];
                SCLogDebug!("get_unicode_string: name {:?}", name);
                return Ok((rem, name));
            }
            // Lone trailing non-null byte: half a code unit, cannot be valid.
            [_] => break,
            // Regular two-byte null terminator.
            [0, 0, tail @ ..] => {
                SCLogDebug!("get_unicode_string: name {:?}", name);
                return Ok((tail, name));
            }
            // Ordinary code unit: keep the first byte, drop the second.
            [first, _, tail @ ..] => {
                name.push(*first);
                rest = tail;
            }
        }
    }
    Err(Err::Error(SmbError::BadEncoding))
}
47
/// Parse a null-terminated ASCII string.
///
/// Delegates to `take_until_and_consume` with a single null byte as the
/// needle and returns an owned copy of the bytes it yields, along with the
/// remaining input. Any error from that helper is propagated unchanged.
/// NOTE(review): presumably the helper yields the bytes before the first
/// null and consumes the null itself, failing when no null is present —
/// confirm against its definition. The bytes are copied as-is; nothing here
/// checks that they are actually ASCII.
pub fn smb_get_ascii_string(i: &[u8]) -> IResult<&[u8], Vec<u8>, SmbError> {
    let (rest, raw) = take_until_and_consume(b"\x00")(i)?;
    let name = raw.to_vec();
    Ok((rest, name))
}
53