-rw-r--r--src/lib/protocols/smb.c34
-rw-r--r--tests/pcap/smb_frags.pcapbin0 -> 2915 bytes
-rw-r--r--tests/result/android.pcap.out2
-rw-r--r--tests/result/fuzz-2021-10-13.pcap.out2
-rw-r--r--tests/result/skype_no_unknown.pcap.out2
-rw-r--r--tests/result/smb_frags.pcap.out8
-rw-r--r--tests/result/teams.pcap.out2
-rw-r--r--tests/result/tls_invalid_reads.pcap.out4
-rw-r--r--tests/result/viber.pcap.out2
9 files changed, 36 insertions, 20 deletions
diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index 6ae319ccf..c84196343 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -37,21 +37,29 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
if(((packet->tcp->dest == fourfourfive) || (packet->tcp->source == fourfourfive))
&& packet->payload_packet_len > (32 + 4 + 4)
- && ((uint32_t)packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0))
- ) {
- u_int8_t smbv1[] = { 0xff, 0x53, 0x4d, 0x42 };
+ && packet->payload[0] == 0x00) {
+ u_int32_t length;
- NDPI_LOG_INFO(ndpi_struct, "found SMB\n");
+ length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3];
+ /* If the message is split into multiple TCP segments, let's hope that
+ the first message we receive is the first segment */
+ if(length >= (uint32_t)packet->payload_packet_len - 4) {
+ u_int8_t smbv1[] = { 0xff, 0x53, 0x4d, 0x42 };
+ u_int8_t smbv2[] = { 0xfe, 0x53, 0x4d, 0x42 };
- if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
- if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
- ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1");
- }
- } else
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
-
- return;
+ if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
+ if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
+ NDPI_LOG_INFO(ndpi_struct, "found SMBv1\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1");
+ }
+ return;
+ } else if(memcmp(&packet->payload[4], smbv2, sizeof(smbv2)) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found SMBv23\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+ }
}
}
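Review bot: The new SMB2/3 branch at `else if(memcmp(&packet->payload[4], smbv2, ...)` only accepts the 0xFE 'S' 'M' 'B' ProtocolId, so a flow picked up after the negotiate on an encrypted SMB3 session, where every PDU carries the transform header ProtocolId 0xFD 'S' 'M' 'B' (MS-SMB2), is no longer classified at all, whereas the removed code matched it through its unconditional else; adding `u_int8_t smb3_xform[] = { 0xfd, 0x53, 0x4d, 0x42 };` and `|| memcmp(&packet->payload[4], smb3_xform, sizeof(smb3_xform)) == 0` to that condition keeps those flows as SMBV23. Note too that `length >= payload_packet_len - 4` is only a floor: any 24-bit value not smaller than the segment passes, so the magic bytes are the sole real discriminator, and a segment carrying several pipelined PDUs (first length smaller than the segment) is still rejected as before. The comment "let's hope that the first message we receive is the first segment" should say what actually happens when that hope fails, e.g. `/* Mid-message segments will not carry the SMB magic at offset 4 and simply fail the memcmp below; the flow is then retried on later packets */`, since no exclusion is issued on mismatch and the dissector keeps re-running on the flow.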
diff --git a/tests/pcap/smb_frags.pcap b/tests/pcap/smb_frags.pcap
new file mode 100644
index 000000000..4e9a1770e
--- /dev/null
+++ b/tests/pcap/smb_frags.pcap
Binary files differ
diff --git a/tests/result/android.pcap.out b/tests/result/android.pcap.out
index a95c8f4c6..d8ded0a71 100644
--- a/tests/result/android.pcap.out
+++ b/tests/result/android.pcap.out
@@ -1,6 +1,6 @@
Guessed flow protos: 7
-DPI Packets (TCP): 157 (5.61 pkts/flow)
+DPI Packets (TCP): 147 (5.25 pkts/flow)
DPI Packets (UDP): 52 (1.68 pkts/flow)
DPI Packets (other): 4 (1.00 pkts/flow)
Confidence Match by IP : 3 (flows)
diff --git a/tests/result/fuzz-2021-10-13.pcap.out b/tests/result/fuzz-2021-10-13.pcap.out
index b34c41b1c..4cab569cb 100644
--- a/tests/result/fuzz-2021-10-13.pcap.out
+++ b/tests/result/fuzz-2021-10-13.pcap.out
@@ -1,4 +1,4 @@
-Guessed flow protos: 0
+Guessed flow protos: 1
DPI Packets (TCP): 1 (1.00 pkts/flow)
Confidence Unknown : 1 (flows)
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index f99c8130b..afcd4f400 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -1,6 +1,6 @@
Guessed flow protos: 72
-DPI Packets (TCP): 1168 (15.37 pkts/flow)
+DPI Packets (TCP): 1159 (15.25 pkts/flow)
DPI Packets (UDP): 288 (1.55 pkts/flow)
DPI Packets (other): 5 (1.00 pkts/flow)
Confidence Unknown : 45 (flows)
diff --git a/tests/result/smb_frags.pcap.out b/tests/result/smb_frags.pcap.out
new file mode 100644
index 000000000..b6826fbca
--- /dev/null
+++ b/tests/result/smb_frags.pcap.out
@@ -0,0 +1,8 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 5 (5.00 pkts/flow)
+Confidence DPI : 1 (flows)
+
+SMBv1 8 2763 1
+
+ 1 TCP 10.202.211.125:54120 <-> 10.202.7.8:445 [VLAN: 1608][proto: 10.16/NetBIOS.SMBv1][ClearText][Confidence: DPI][cat: System/18][5 pkts/2009 bytes <-> 3 pkts/754 bytes][Goodput ratio: 82/71][0.58 sec][bytes ratio: 0.454 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/94 144/238 387/383 145/144][Pkt Len c2s/s2c min/avg/max/stddev: 70/78 402/251 1438/397 525/132][Risk: ** Known Proto on Non Std Port **** SMB Insecure Vers **** Unsafe Protocol **][Risk Score: 160][Risk Info: Found SMBv1 / Expected on port 139][PLAIN TEXT (defined.12)][Plen Bins: 0,20,0,0,0,0,20,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0]
diff --git a/tests/result/teams.pcap.out b/tests/result/teams.pcap.out
index 7a4c51573..48da11ef9 100644
--- a/tests/result/teams.pcap.out
+++ b/tests/result/teams.pcap.out
@@ -1,6 +1,6 @@
Guessed flow protos: 4
-DPI Packets (TCP): 494 (11.76 pkts/flow)
+DPI Packets (TCP): 356 (8.48 pkts/flow)
DPI Packets (UDP): 87 (2.17 pkts/flow)
DPI Packets (other): 1 (1.00 pkts/flow)
Confidence Unknown : 1 (flows)
diff --git a/tests/result/tls_invalid_reads.pcap.out b/tests/result/tls_invalid_reads.pcap.out
index 9d942c419..67e47b12b 100644
--- a/tests/result/tls_invalid_reads.pcap.out
+++ b/tests/result/tls_invalid_reads.pcap.out
@@ -1,6 +1,6 @@
-Guessed flow protos: 3
+Guessed flow protos: 2
-DPI Packets (TCP): 11 (3.67 pkts/flow)
+DPI Packets (TCP): 10 (3.33 pkts/flow)
Confidence Match by IP : 1 (flows)
Confidence DPI : 2 (flows)
diff --git a/tests/result/viber.pcap.out b/tests/result/viber.pcap.out
index 2cae4412b..a5cdfbea4 100644
--- a/tests/result/viber.pcap.out
+++ b/tests/result/viber.pcap.out
@@ -1,6 +1,6 @@
Guessed flow protos: 5
-DPI Packets (TCP): 151 (11.62 pkts/flow)
+DPI Packets (TCP): 131 (10.08 pkts/flow)
DPI Packets (UDP): 27 (1.93 pkts/flow)
DPI Packets (other): 2 (1.00 pkts/flow)
Confidence Match by IP : 4 (flows)