aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c41e64d637'
${ noResults }
suricata/src/decode-tcp.c

573 lines
18 KiB
C
Raw Normal View History Unescape Escape

More PacketGetFromMalloc() to allocate packets.
12 years ago
/* Copyright (C) 2007-2013 Open Information Security Foundation
Import of GPLv2 Header 050410
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
doc: add decode group and related documentation.
14 years ago
/**
* \ingroup decode
*
* @{
*/
Import of GPLv2 Header 050410
15 years ago
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*
* Decode TCP
*/
Initial add of the files.
17 years ago
Rename to Suricata.
16 years ago
#include "suricata-common.h"
Initial add of the files.
17 years ago
#include "decode.h"
#include "decode-tcp.h"
#include "decode-events.h"
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
16 years ago
#include "util-unittest.h"
Another round of logging api usage updates.
16 years ago
#include "util-debug.h"
Many small performance updates.
15 years ago
#include "util-optimize.h"
Initial add of the files.
17 years ago
#include "flow.h"
unittest: recycle packet before exit To avoid an issue with flow validation, we need to recycle the packet before cleaning the flow.
12 years ago
#include "util-profiling.h"
#include "pkt-var.h"
#include "host.h"
Initial add of the files.
17 years ago
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
#define SET_OPTS(dst, src) \
(dst).type = (src).type; \
(dst).len = (src).len; \
(dst).data = (src).data
const: constify decoder, app-layer, detect funcs
6 years ago
static void DecodeTCPOptions(Packet *p, const uint8_t *pkt, uint16_t pktlen)
Initial add of the files.
17 years ago
{
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
uint8_t tcp_opt_cnt = 0;
TCPOpt tcp_opts[TCP_OPTMAX];
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
uint16_t plen = pktlen;
Initial add of the files.
17 years ago
while (plen)
{
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
const uint8_t type = *pkt;
Initial add of the files.
17 years ago
/* single byte options */
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
if (type == TCP_OPT_EOL) {
Initial add of the files.
17 years ago
break;
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
} else if (type == TCP_OPT_NOP) {
Initial add of the files.
17 years ago
pkt++;
plen--;
/* multibyte options */
} else {
if (plen < 2) {
break;
}
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
const uint8_t olen = *(pkt+1);
Initial add of the files.
17 years ago
/* we already know that the total options len is valid,
* so here the len of the specific option must be bad.
* Also check for invalid lengths 0 and 1. */
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
if (unlikely(olen > plen || olen < 2)) {
Set packet invalid flag during decoding. This patch set a new value in pkt->flag to signal that a packet is invalid during decoding. The patch has been obtained via a coccinelle transformation.
13 years ago
ENGINE_SET_INVALID_EVENT(p, TCP_OPT_INVALID_LEN);
decode: Change return type of IPv4 and TCP options decode The return value from the options decoder in TCP and IPv4 is ignored. This commit changes the return type of the function to `void` and modifies existing return points to return without a value. When an error occurs, the packet state is being set to indicate whether it's valid or not and the existing return value is never used.
6 years ago
return;
Initial add of the files.
17 years ago
}
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
tcp_opts[tcp_opt_cnt].type = type;
tcp_opts[tcp_opt_cnt].len = olen;
tcp_opts[tcp_opt_cnt].data = (olen > 2) ? (pkt+2) : NULL;
Fix a ipv4 compiler warning. Improve TCP opt decoding error handling logic.
16 years ago
Initial add of the files.
17 years ago
/* we are parsing the most commonly used opts to prevent
* us from having to walk the opts list for these all the
* time. */
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
switch (type) {
Initial add of the files.
17 years ago
case TCP_OPT_WS:
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
if (olen != TCP_OPT_WS_LEN) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
Initial add of the files.
17 years ago
} else {
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
if (p->tcpvars.ws.type != 0) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE);
Initial add of the files.
17 years ago
} else {
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
SET_OPTS(p->tcpvars.ws, tcp_opts[tcp_opt_cnt]);
Initial add of the files.
17 years ago
}
}
break;
case TCP_OPT_MSS:
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
if (olen != TCP_OPT_MSS_LEN) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
Initial add of the files.
17 years ago
} else {
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
if (p->tcpvars.mss.type != 0) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE);
Initial add of the files.
17 years ago
} else {
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
SET_OPTS(p->tcpvars.mss, tcp_opts[tcp_opt_cnt]);
Initial add of the files.
17 years ago
}
}
break;
case TCP_OPT_SACKOK:
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
if (olen != TCP_OPT_SACKOK_LEN) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
Initial add of the files.
17 years ago
} else {
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
if (p->tcpvars.sackok.type != 0) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE);
Initial add of the files.
17 years ago
} else {
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
SET_OPTS(p->tcpvars.sackok, tcp_opts[tcp_opt_cnt]);
Initial add of the files.
17 years ago
}
}
break;
case TCP_OPT_TS:
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
if (olen != TCP_OPT_TS_LEN) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
Initial add of the files.
17 years ago
} else {
tcp: fix alignment issues with tcp timestamps
9 years ago
if (p->tcpvars.ts_set) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE);
Initial add of the files.
17 years ago
} else {
tcp: fix alignment issues with tcp timestamps
9 years ago
uint32_t values[2];
memcpy(&values, tcp_opts[tcp_opt_cnt].data, sizeof(values));
mingw: add SCNtohl and SCNtohs macro's On MinGW the result of ntohl needs to be casted to uint32_t and the result of ntohs to uint16_t. To avoid doing this everywhere add SCNtohl and SCNtohs macros.
8 years ago
p->tcpvars.ts_val = SCNtohl(values[0]);
p->tcpvars.ts_ecr = SCNtohl(values[1]);
tcp: fix alignment issues with tcp timestamps
9 years ago
p->tcpvars.ts_set = TRUE;
Initial add of the files.
17 years ago
}
}
break;
Add TCP packet SACK option decoding.
14 years ago
case TCP_OPT_SACK:
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
SCLogDebug("SACK option, len %u", olen);
tcp: don't set event on empty SACK opt TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless an empty SACK is not uncommon. Seen on an iOS device talking to an Apple server. Bug #3254.
6 years ago
if ((olen != 2) &&
(olen < TCP_OPT_SACK_MIN_LEN ||
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
olen > TCP_OPT_SACK_MAX_LEN ||
tcp: don't set event on empty SACK opt TCP_OPT_INVALID_LEN was set if the opt len was 2. While useless an empty SACK is not uncommon. Seen on an iOS device talking to an Apple server. Bug #3254.
6 years ago
!((olen - 2) % 8 == 0)))
Add TCP packet SACK option decoding.
14 years ago
{
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
Add TCP packet SACK option decoding.
14 years ago
} else {
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
if (p->tcpvars.sack.type != 0) {
Rename some decode event structure and macro. This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some other structures to ENGINE equivalent to take into account the fact the event list is now related to all engines and not only to decoder.
14 years ago
ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE);
Add TCP packet SACK option decoding.
14 years ago
} else {
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
SET_OPTS(p->tcpvars.sack, tcp_opts[tcp_opt_cnt]);
Add TCP packet SACK option decoding.
14 years ago
}
}
break;
decode/tcp: TCP fast open option decoding Support both regular TFO and TFO as part of the experimental options support.
7 years ago
case TCP_OPT_TFO:
SCLogDebug("TFO option, len %u", olen);
decode/tcp: accept TCP fast open cookie request
6 years ago
if ((olen != 2) &&
(olen < TCP_OPT_TFO_MIN_LEN ||
decode/tcp: TCP fast open option decoding Support both regular TFO and TFO as part of the experimental options support.
7 years ago
olen > TCP_OPT_TFO_MAX_LEN ||
decode/tcp: accept TCP fast open cookie request
6 years ago
!((olen - 2) % 8 == 0)))
decode/tcp: TCP fast open option decoding Support both regular TFO and TFO as part of the experimental options support.
7 years ago
{
ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
} else {
if (p->tcpvars.tfo.type != 0) {
ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE);
} else {
SET_OPTS(p->tcpvars.tfo, tcp_opts[tcp_opt_cnt]);
}
}
break;
/* experimental options, could be TFO */
case TCP_OPT_EXP1:
case TCP_OPT_EXP2:
SCLogDebug("TCP EXP option, len %u", olen);
if (olen == 4 || olen == 12) {
uint16_t magic = SCNtohs(*(uint16_t *)tcp_opts[tcp_opt_cnt].data);
if (magic == 0xf989) {
if (p->tcpvars.tfo.type != 0) {
ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE);
} else {
SET_OPTS(p->tcpvars.tfo, tcp_opts[tcp_opt_cnt]);
p->tcpvars.tfo.type = TCP_OPT_TFO; // treat as regular TFO
}
}
} else {
ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
}
break;
Initial add of the files.
17 years ago
}
decode/tcp: rewrite options decoding to assist scan-build
7 years ago
pkt += olen;
plen -= olen;
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
tcp_opt_cnt++;
Initial add of the files.
17 years ago
}
Pass the DecodeThreadVars to all Decoder functions properly. Improve the error handling.
16 years ago
}
Initial add of the files.
17 years ago
}
const: constify decoder, app-layer, detect funcs
6 years ago
static int DecodeTCPPacket(ThreadVars *tv, Packet *p, const uint8_t *pkt, uint16_t len)
Initial add of the files.
17 years ago
{
Many small performance updates.
15 years ago
if (unlikely(len < TCP_HEADER_LEN)) {
Set packet invalid flag during decoding. This patch set a new value in pkt->flag to signal that a packet is invalid during decoding. The patch has been obtained via a coccinelle transformation.
13 years ago
ENGINE_SET_INVALID_EVENT(p, TCP_PKT_TOO_SMALL);
Initial add of the files.
17 years ago
return -1;
}
Pass the DecodeThreadVars to all Decoder functions properly. Improve the error handling.
16 years ago
p->tcph = (TCPHdr *)pkt;
Small optimizations to IPV4 and TCP header parsing.
14 years ago
uint8_t hlen = TCP_GET_HLEN(p);
if (unlikely(len < hlen)) {
Set packet invalid flag during decoding. This patch set a new value in pkt->flag to signal that a packet is invalid during decoding. The patch has been obtained via a coccinelle transformation.
13 years ago
ENGINE_SET_INVALID_EVENT(p, TCP_HLEN_TOO_SMALL);
Initial add of the files.
17 years ago
return -1;
}
Small optimizations to IPV4 and TCP header parsing.
14 years ago
uint8_t tcp_opt_len = hlen - TCP_HEADER_LEN;
if (unlikely(tcp_opt_len > TCP_OPTLENMAX)) {
Set packet invalid flag during decoding. This patch set a new value in pkt->flag to signal that a packet is invalid during decoding. The patch has been obtained via a coccinelle transformation.
13 years ago
ENGINE_SET_INVALID_EVENT(p, TCP_INVALID_OPTLEN);
Initial add of the files.
17 years ago
return -1;
}
Small optimizations to IPV4 and TCP header parsing.
14 years ago
if (likely(tcp_opt_len > 0)) {
DecodeTCPOptions(p, pkt + TCP_HEADER_LEN, tcp_opt_len);
Initial add of the files.
17 years ago
}
Small optimizations to IPV4 and TCP header parsing.
14 years ago
SET_TCP_SRC_PORT(p,&p->sp);
SET_TCP_DST_PORT(p,&p->dp);
Initial add of the files.
17 years ago
Set p->proto and add TCP, UDP, etc macros.
17 years ago
p->proto = IPPROTO_TCP;
const: constify decoder, app-layer, detect funcs
6 years ago
p->payload = (uint8_t *)pkt + hlen;
Small optimizations to IPV4 and TCP header parsing.
14 years ago
p->payload_len = len - hlen;
Initial add of the files.
17 years ago
return 0;
}
const: constify decoder, app-layer, detect funcs
6 years ago
int DecodeTCP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
threading: change local packet queue logic Previously each 'TmSlot' had it's own packet queue that was passed to the registered SlotFunc as an argument. This was used mostly for tunnel packets by the decoders and by defrag. This patch removes that in favor of a single queue in the ThreadVars: decode_pq. This is the non-locked version of the queue as this is only a temporary store for handling packets within a thread. This patch removes the PacketQueue pointer argument from the API. The new queue can be accessed directly through the ThreadVars pointer.
6 years ago
const uint8_t *pkt, uint16_t len)
Initial add of the files.
17 years ago
{
counters: s/SCPerfCounterIncr/StatsIncr/g
10 years ago
StatsIncr(tv, dtv->counter_tcp);
Implements counters for the decode module
16 years ago
const: constify decoder, app-layer, detect funcs
6 years ago
if (unlikely(DecodeTCPPacket(tv, p, pkt,len) < 0)) {
Make sure to only alloc a new pseudo packet once during ip defrag.
14 years ago
SCLogDebug("invalid TCP packet");
decode: cleanup packet properly on bad packets In case of bad IPv4, TCP or UDP, the per packet ip4vars/tcpvars/udpvar structures would not be cleaned up because the cleanup depends on the 'header' pointer being set, but the error handling would unset that. This could mean these structures were already filled with values before the error was detected. As packets were recycled, the next packet decoding would use this unclean structure. To make things worse these structures are part of unions. IPv4/IPv6 and TCP/ICMPv4/ICMPv6 share the same memory location. LibFuzzer+UBSAN found this both locally and in Oss-Fuzz: decode-ipv6.c:654:9: runtime error: load of value 6, which is not a valid value for type 'bool' #0 0x6146f0 in DecodeIPV6 /src/suricata/src/decode-ipv6.c:654:9 #1 0x617e96 in DecodeNull /src/suricata/src/decode-null.c:70:13 #2 0x9dd8a4 in DecodePcapFile /src/suricata/src/source-pcap-file.c:412:9 #3 0x4c8ed2 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_sigpcap.c:158:25 #4 0x457e51 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15 #5 0x457575 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3 #6 0x459917 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19 #7 0x45a6a5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5 #8 0x448728 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6 #9 0x472552 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10 #10 0x7ff0d097b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #11 0x41bde8 in _start (/out/fuzz_sigpcap+0x41bde8) Bug: #3496
5 years ago
CLEAR_TCP_PACKET(p);
decode: update API to return error In some cases, the decoding is not possible and some really invalid packet can be created. This is in particular the case of tunnel. In that case, it is more interesting to forget about the tunneled packet and only consider the original packet. DecodeTunnel function is maked as warn_unused_result because it is meaningful for the decoder to know if the underlying data were not correct. And in this case, only focus detection on the content.
12 years ago
return TM_ECODE_FAILED;
Pass the DecodeThreadVars to all Decoder functions properly. Improve the error handling.
16 years ago
}
Initial add of the files.
17 years ago
#ifdef DEBUG
decode/tcp: TCP fast open option decoding Support both regular TFO and TFO as part of the experimental options support.
7 years ago
SCLogDebug("TCP sp: %" PRIu32 " -> dp: %" PRIu32 " - HLEN: %" PRIu32 " LEN: %" PRIu32 " %s%s%s%s%s%s",
Small optimizations to IPV4 and TCP header parsing.
14 years ago
GET_TCP_SRC_PORT(p), GET_TCP_DST_PORT(p), TCP_GET_HLEN(p), len,
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
TCP_HAS_SACKOK(p) ? "SACKOK " : "", TCP_HAS_SACK(p) ? "SACK " : "",
TCP_HAS_WSCALE(p) ? "WS " : "", TCP_HAS_TS(p) ? "TS " : "",
decode/tcp: TCP fast open option decoding Support both regular TFO and TFO as part of the experimental options support.
7 years ago
TCP_HAS_MSS(p) ? "MSS " : "", TCP_HAS_TFO(p) ? "TFO " : "");
Initial add of the files.
17 years ago
#endif
flow: move flow handling into worker threads Instead of handling the packet update during flow lookup, handle it in the stream/detect threads. This lowers the load of the capture thread(s) in autofp mode. The decoders now set a flag in the packet if the packet needs a flow lookup. Then the workers will take care of this. The decoders also already calculate the raw flow hash value. This is so that this value can be used in flow balancing in autofp. Because the flow lookup/creation is now done in the worker threads, the flow balancing can no longer use the flow. It's not yet available. Autofp load balancing uses raw hash values instead. In the same line, move UDP AppLayer out of the DecodeUDP module, and also into the stream/detect threads. Handle TCP session reuse inside the flow engine itself. If a looked up flow matches the packet, but is a TCP stream starter, check if the ssn needs to be reused. If that is the case handle it within the lookup function. Simplies the locking and removes potential race conditions.
9 years ago
FlowSetupPacket(p);
Initial add of the files.
17 years ago
decode: update API to return error In some cases, the decoding is not possible and some really invalid packet can be created. This is in particular the case of tunnel. In that case, it is more interesting to forget about the tunneled packet and only consider the original packet. DecodeTunnel function is maked as warn_unused_result because it is meaningful for the decoder to know if the underlying data were not correct. And in this case, only focus detection on the content.
12 years ago
return TM_ECODE_OK;
Initial add of the files.
17 years ago
}
Regular expression for UnitTests Signed-off-by: Brian Rectanus <brectanu@gmail.com>
16 years ago
#ifdef UNITTESTS
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
16 years ago
static int TCPCalculateValidChecksumtest01(void)
{
uint16_t csum = 0;
uint8_t raw_ipshdr[] = {
0x40, 0x8e, 0x7e, 0xb2, 0xc0, 0xa8, 0x01, 0x03};
uint8_t raw_tcp[] = {
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 02};
csum = *( ((uint16_t *)raw_tcp) + 8);
tcp/udp: rename checksum functions for better meaning The TCP/UDP checksum functions no longer just calculate the checksum, they can validate as well as calculate so use a more generic name.
8 years ago
FAIL_IF(TCPChecksum((uint16_t *)raw_ipshdr,
tcp/udp: fix checksum validation when 0xffff Issue: https://redmine.openinfosecfoundation.org/issues/2041 One approach to fixing this issue to just validate the checksum instead of regenerating it and comparing it. This method is used in some kernels and other network tools. When validating, the current checksum is passed in as an initial argument which will cause the final checksum to be 0 if OK. If generating a checksum, 0 is passed and the result is the generated checksum.
9 years ago
(uint16_t *)raw_tcp, sizeof(raw_tcp), csum) != 0);
PASS;
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
16 years ago
}
static int TCPCalculateInvalidChecksumtest02(void)
{
uint16_t csum = 0;
uint8_t raw_ipshdr[] = {
0x40, 0x8e, 0x7e, 0xb2, 0xc0, 0xa8, 0x01, 0x03};
uint8_t raw_tcp[] = {
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 03};
csum = *( ((uint16_t *)raw_tcp) + 8);
tcp/udp: rename checksum functions for better meaning The TCP/UDP checksum functions no longer just calculate the checksum, they can validate as well as calculate so use a more generic name.
8 years ago
FAIL_IF(TCPChecksum((uint16_t *) raw_ipshdr,
tcp/udp: fix checksum validation when 0xffff Issue: https://redmine.openinfosecfoundation.org/issues/2041 One approach to fixing this issue to just validate the checksum instead of regenerating it and comparing it. This method is used in some kernels and other network tools. When validating, the current checksum is passed in as an initial argument which will cause the final checksum to be 0 if OK. If generating a checksum, 0 is passed and the result is the generated checksum.
9 years ago
(uint16_t *)raw_tcp, sizeof(raw_tcp), csum) == 0);
PASS;
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
16 years ago
}
checksum calculation functions for icmpv6, udp over ipv6 and tcp over ipv6
16 years ago
static int TCPV6CalculateValidChecksumtest03(void)
{
uint16_t csum = 0;
static uint8_t raw_ipv6[] = {
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
0xca, 0x5a, 0x00, 0x01, 0x69, 0x27};
csum = *( ((uint16_t *)(raw_ipv6 + 70)));
tcp/udp: rename checksum functions for better meaning The TCP/UDP checksum functions no longer just calculate the checksum, they can validate as well as calculate so use a more generic name.
8 years ago
FAIL_IF(TCPV6Checksum((uint16_t *)(raw_ipv6 + 14 + 8),
tcp/udp: fix checksum validation when 0xffff Issue: https://redmine.openinfosecfoundation.org/issues/2041 One approach to fixing this issue to just validate the checksum instead of regenerating it and comparing it. This method is used in some kernels and other network tools. When validating, the current checksum is passed in as an initial argument which will cause the final checksum to be 0 if OK. If generating a checksum, 0 is passed and the result is the generated checksum.
9 years ago
(uint16_t *)(raw_ipv6 + 54), 32, csum) != 0);
PASS;
checksum calculation functions for icmpv6, udp over ipv6 and tcp over ipv6
16 years ago
}
static int TCPV6CalculateInvalidChecksumtest04(void)
{
uint16_t csum = 0;
static uint8_t raw_ipv6[] = {
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
0xca, 0x5a, 0x00, 0x01, 0x69, 0x28};
csum = *( ((uint16_t *)(raw_ipv6 + 70)));
tcp/udp: rename checksum functions for better meaning The TCP/UDP checksum functions no longer just calculate the checksum, they can validate as well as calculate so use a more generic name.
8 years ago
FAIL_IF(TCPV6Checksum((uint16_t *)(raw_ipv6 + 14 + 8),
tcp/udp: fix checksum validation when 0xffff Issue: https://redmine.openinfosecfoundation.org/issues/2041 One approach to fixing this issue to just validate the checksum instead of regenerating it and comparing it. This method is used in some kernels and other network tools. When validating, the current checksum is passed in as an initial argument which will cause the final checksum to be 0 if OK. If generating a checksum, 0 is passed and the result is the generated checksum.
9 years ago
(uint16_t *)(raw_ipv6 + 54), 32, csum) == 0);
PASS;
checksum calculation functions for icmpv6, udp over ipv6 and tcp over ipv6
16 years ago
}
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
/** \test Get the wscale of 2 */
static int TCPGetWscaleTest01(void)
{
int retval = 0;
static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x58,
0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0xd0,
0x8a, 0xaf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
0x04, 0x02, 0x08, 0x0a, 0x00, 0x62, 0x88, 0x28,
0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02};
More PacketGetFromMalloc() to allocate packets.
12 years ago
Packet *p = PacketGetFromAlloc();
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(p == NULL))
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
return 0;
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
IPV4Hdr ip4h;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ip4h, 0, sizeof(IPV4Hdr));
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->ip4h = &ip4h;
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
FlowInitConfig(FLOW_QUIET);
threading: change local packet queue logic Previously each 'TmSlot' had it's own packet queue that was passed to the registered SlotFunc as an argument. This was used mostly for tunnel packets by the decoders and by defrag. This patch removes that in favor of a single queue in the ThreadVars: decode_pq. This is the non-locked version of the queue as this is only a temporary store for handling packets within a thread. This patch removes the PacketQueue pointer argument from the API. The new queue can be accessed directly through the ThreadVars pointer.
6 years ago
DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp));
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
if (p->tcph == NULL) {
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
printf("tcp packet decode failed: ");
goto end;
}
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
uint8_t wscale = TCP_GET_WSCALE(p);
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
if (wscale != 2) {
printf("wscale %"PRIu8", expected 2: ", wscale);
goto end;
}
retval = 1;
end:
unittest: recycle packet before exit To avoid an issue with flow validation, we need to recycle the packet before cleaning the flow.
12 years ago
PACKET_RECYCLE(p);
FlowShutdown();
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
SCFree(p);
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
return retval;
}
/** \test Get the wscale of 15, so see if return 0 properly */
static int TCPGetWscaleTest02(void)
{
int retval = 0;
static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x58,
0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0xd0,
0x8a, 0xaf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
0x04, 0x02, 0x08, 0x0a, 0x00, 0x62, 0x88, 0x28,
0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x0f};
More PacketGetFromMalloc() to allocate packets.
12 years ago
Packet *p = PacketGetFromAlloc();
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(p == NULL))
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
return 0;
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
IPV4Hdr ip4h;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ip4h, 0, sizeof(IPV4Hdr));
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->ip4h = &ip4h;
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
FlowInitConfig(FLOW_QUIET);
threading: change local packet queue logic Previously each 'TmSlot' had it's own packet queue that was passed to the registered SlotFunc as an argument. This was used mostly for tunnel packets by the decoders and by defrag. This patch removes that in favor of a single queue in the ThreadVars: decode_pq. This is the non-locked version of the queue as this is only a temporary store for handling packets within a thread. This patch removes the PacketQueue pointer argument from the API. The new queue can be accessed directly through the ThreadVars pointer.
6 years ago
DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp));
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
if (p->tcph == NULL) {
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
printf("tcp packet decode failed: ");
goto end;
}
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
uint8_t wscale = TCP_GET_WSCALE(p);
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
if (wscale != 0) {
printf("wscale %"PRIu8", expected 0: ", wscale);
goto end;
}
retval = 1;
end:
unittest: recycle packet before exit To avoid an issue with flow validation, we need to recycle the packet before cleaning the flow.
12 years ago
PACKET_RECYCLE(p);
FlowShutdown();
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
SCFree(p);
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
return retval;
}
/** \test Get the wscale, but it's missing, so see if return 0 properly */
static int TCPGetWscaleTest03(void)
{
int retval = 0;
static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x59,
0xdd, 0xa3, 0x6f, 0xf8, 0x80, 0x10, 0x05, 0xb4,
0x7c, 0x70, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a,
0x00, 0x62, 0x88, 0x9e, 0x00, 0x00, 0x00, 0x00};
More PacketGetFromMalloc() to allocate packets.
12 years ago
Packet *p = PacketGetFromAlloc();
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(p == NULL))
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
return 0;
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
IPV4Hdr ip4h;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ip4h, 0, sizeof(IPV4Hdr));
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->ip4h = &ip4h;
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
FlowInitConfig(FLOW_QUIET);
threading: change local packet queue logic Previously each 'TmSlot' had it's own packet queue that was passed to the registered SlotFunc as an argument. This was used mostly for tunnel packets by the decoders and by defrag. This patch removes that in favor of a single queue in the ThreadVars: decode_pq. This is the non-locked version of the queue as this is only a temporary store for handling packets within a thread. This patch removes the PacketQueue pointer argument from the API. The new queue can be accessed directly through the ThreadVars pointer.
6 years ago
DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp));
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
if (p->tcph == NULL) {
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
printf("tcp packet decode failed: ");
goto end;
}
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
uint8_t wscale = TCP_GET_WSCALE(p);
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
if (wscale != 0) {
printf("wscale %"PRIu8", expected 0: ", wscale);
goto end;
}
retval = 1;
end:
unittest: recycle packet before exit To avoid an issue with flow validation, we need to recycle the packet before cleaning the flow.
12 years ago
PACKET_RECYCLE(p);
FlowShutdown();
Supress usage of Packet declaration in tests. For convenience, a massive usage of 'Packet p;' declaration has been done in the tests function. Although this was completely legal, this is not possible anymore because of the new Packet allocation structure. This massive patch modifies all suricata files to use a SCMalloc allocated pointer to Packet instead. This patch has been done using coccinelle (http://coccinelle.lip6.fr) which is a semantic patching tool. This ensures that things like call to SCFree() should have not been forget because the semantic patch explicitly forces the call to SCFree(p) before each return. With this patch all unittests are running fine with a small and a big default packet size.
15 years ago
SCFree(p);
Add TCP_GET_WSCALE macro for easy access to wscale. Update StreamTcp to use it. Default to wscale 14 (max) in case of midstream as there seems to be no reliable way to predict wscale if we missed it.
16 years ago
return retval;
}
Add TCP packet SACK option decoding.
14 years ago
static int TCPGetSackTest01(void)
{
int retval = 0;
static uint8_t raw_tcp[] = {
0x00, 0x50, 0x06, 0xa6, 0xfa, 0x87, 0x0b, 0xf5,
0xf1, 0x59, 0x02, 0xe0, 0xa0, 0x10, 0x3e, 0xbc,
0x1d, 0xe7, 0x00, 0x00, 0x01, 0x01, 0x05, 0x12,
0xf1, 0x59, 0x13, 0xfc, 0xf1, 0x59, 0x1f, 0x64,
0xf1, 0x59, 0x08, 0x94, 0xf1, 0x59, 0x0e, 0x48 };
static uint8_t raw_tcp_sack[] = {
0xf1, 0x59, 0x13, 0xfc, 0xf1, 0x59, 0x1f, 0x64,
0xf1, 0x59, 0x08, 0x94, 0xf1, 0x59, 0x0e, 0x48 };
More PacketGetFromMalloc() to allocate packets.
12 years ago
Packet *p = PacketGetFromAlloc();
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(p == NULL))
Add TCP packet SACK option decoding.
14 years ago
return 0;
IPV4Hdr ip4h;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ip4h, 0, sizeof(IPV4Hdr));
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->ip4h = &ip4h;
FlowInitConfig(FLOW_QUIET);
threading: change local packet queue logic Previously each 'TmSlot' had it's own packet queue that was passed to the registered SlotFunc as an argument. This was used mostly for tunnel packets by the decoders and by defrag. This patch removes that in favor of a single queue in the ThreadVars: decode_pq. This is the non-locked version of the queue as this is only a temporary store for handling packets within a thread. This patch removes the PacketQueue pointer argument from the API. The new queue can be accessed directly through the ThreadVars pointer.
6 years ago
DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp));
Add TCP packet SACK option decoding.
14 years ago
if (p->tcph == NULL) {
printf("tcp packet decode failed: ");
goto end;
}
tcp: reduce TCP options storage in packets Until now, the TCP options would all be stored in the Packet structure. The commonly used ones (wscale, ts, sack, sackok and mss*) then had a pointer to the position in the option array. Overall this option array was large. About 360 bytes on 64bit systems. Since no part of the engine would every access this array other than through the common short cuts, this was actually just wasteful. This patch changes the approach. It stores just the common ones in the packet. The rest is gone. This shrinks the packet structure with almost 300 bytes. * even though mss wasn't actually used
10 years ago
if (!TCP_HAS_SACK(p)) {
Add TCP packet SACK option decoding.
14 years ago
printf("tcp packet sack not decoded: ");
goto end;
}
int sack = TCP_GET_SACK_CNT(p);
if (sack != 2) {
printf("expected 2 sack records, got %u: ", TCP_GET_SACK_CNT(p));
goto end;
}
const: constify decoder, app-layer, detect funcs
6 years ago
const uint8_t *sackptr = TCP_GET_SACK_PTR(p);
Add TCP packet SACK option decoding.
14 years ago
if (sackptr == NULL) {
printf("no sack data: ");
goto end;
}
if (memcmp(sackptr, raw_tcp_sack, 16) != 0) {
printf("malformed sack data: ");
goto end;
}
retval = 1;
end:
unittest: recycle packet before exit To avoid an issue with flow validation, we need to recycle the packet before cleaning the flow.
12 years ago
PACKET_RECYCLE(p);
FlowShutdown();
Add TCP packet SACK option decoding.
14 years ago
SCFree(p);
return retval;
}
Regular expression for UnitTests Signed-off-by: Brian Rectanus <brectanu@gmail.com>
16 years ago
#endif /* UNITTESTS */
checksum calculation functions for icmpv6, udp over ipv6 and tcp over ipv6
16 years ago
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
16 years ago
void DecodeTCPRegisterTests(void)
{
Regular expression for UnitTests Signed-off-by: Brian Rectanus <brectanu@gmail.com>
16 years ago
#ifdef UNITTESTS
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
16 years ago
UtRegisterTest("TCPCalculateValidChecksumtest01",
tests: no longer necessary to provide successful return code 1 pass, 0 is fail.
9 years ago
TCPCalculateValidChecksumtest01);
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
16 years ago
UtRegisterTest("TCPCalculateInvalidChecksumtest02",
tests: no longer necessary to provide successful return code 1 pass, 0 is fail.
9 years ago
TCPCalculateInvalidChecksumtest02);
checksum calculation functions for icmpv6, udp over ipv6 and tcp over ipv6
16 years ago
UtRegisterTest("TCPV6CalculateValidChecksumtest03",
tests: no longer necessary to provide successful return code 1 pass, 0 is fail.
9 years ago
TCPV6CalculateValidChecksumtest03);
checksum calculation functions for icmpv6, udp over ipv6 and tcp over ipv6
16 years ago
UtRegisterTest("TCPV6CalculateInvalidChecksumtest04",
tests: no longer necessary to provide successful return code 1 pass, 0 is fail.
9 years ago
TCPV6CalculateInvalidChecksumtest04);
UtRegisterTest("TCPGetWscaleTest01", TCPGetWscaleTest01);
UtRegisterTest("TCPGetWscaleTest02", TCPGetWscaleTest02);
UtRegisterTest("TCPGetWscaleTest03", TCPGetWscaleTest03);
UtRegisterTest("TCPGetSackTest01", TCPGetSackTest01);
Regular expression for UnitTests Signed-off-by: Brian Rectanus <brectanu@gmail.com>
16 years ago
#endif /* UNITTESTS */
checksum calculation functions for ipv4, tcp, udpv4, icmpv4
16 years ago
}
doc: add decode group and related documentation.
14 years ago
/**
* @}
*/