diff --git a/src/decode-events.h b/src/decode-events.h index 6685c45f91..93800bbe64 100644 --- a/src/decode-events.h +++ b/src/decode-events.h @@ -8,9 +8,11 @@ enum { IPV4_PKT_TOO_SMALL = 1, /* pkt smaller than minimum header size */ IPV4_HLEN_TOO_SMALL, IPV4_IPLEN_SMALLER_THAN_HLEN, + IPV4_TRUNC_PKT, /* IPV6 EVENTS */ IPV6_PKT_TOO_SMALL, + IPV6_TRUNC_PKT, IPV6_TRUNC_EXTHDR, IPV6_EXTHDR_DUPL_FH, IPV6_EXTHDR_DUPL_RH, @@ -47,6 +49,7 @@ enum { PPPIPV4_PKT_TOO_SMALL, PPPIPV6_PKT_TOO_SMALL, PPP_WRONG_TYPE, + PPP_UNSUP_PROTO, /* PPPOE EVENTS */ PPPOE_PKT_TOO_SMALL, diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c index 6d4a5e3f05..97bf2dbee4 100644 --- a/src/decode-ipv4.c +++ b/src/decode-ipv4.c @@ -36,6 +36,11 @@ static int DecodeIPV4Packet(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len return -1; } + if (len < IPV4_GET_IPLEN(p)) { + DECODER_SET_EVENT(p,IPV4_TRUNC_PKT); + return -1; + } + /* save the options len */ p->ip4vars.ip_opts_len = IPV4_GET_HLEN(p) - IPV4_HEADER_LEN; if (p->ip4vars.ip_opts_len > 0) { diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c index 9fe74f9a06..63e19ac764 100644 --- a/src/decode-ipv6.c +++ b/src/decode-ipv6.c @@ -72,7 +72,7 @@ DecodeIPV6ExtHdrs(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len) IPV6_EXTHDR_SET_RH(p, pkt); IPV6_EXTHDR_RH(p)->ip6rh_len = hdrextlen; -/* XXX move into own function and load on demand */ +/** \todo move into own function and load on demand */ if (IPV6_EXTHDR_RH(p)->ip6rh_type == 0) { uint8_t i; @@ -83,7 +83,7 @@ DecodeIPV6ExtHdrs(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len) * sized */ for (i = 0; i < (n/8) && i < sizeof(IPV6_EXTHDR_RH(p)->ip6rh0_addr)/sizeof(struct in6_addr); ++i) { /* the address header fields are 16 bytes in size */ -/* XXX do this without memcpy since it's expensive */ +/** \todo do this without memcpy since it's expensive */ memcpy(&IPV6_EXTHDR_RH(p)->ip6rh0_addr[i], pkt+(i*16)+8, sizeof(IPV6_EXTHDR_RH(p)->ip6rh0_addr[i])); } IPV6_EXTHDR_RH(p)->ip6rh0_num_addrs = i; 
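Review bot: The new `len < IPV4_GET_IPLEN(p)` guard in DecodeIPV4Packet covers only the short-capture case; when `len` is larger than the IP total length the packet passes, and whether the trailing bytes are then counted as payload depends on code outside this hunk. If later length arithmetic uses `len`, the sensor could inspect bytes that the receiving host discards, so it is worth confirming that payload sizes are derived from `IPV4_GET_IPLEN(p)` from this point on. The same question applies to the `IPV6_TRUNC_PKT` check in decode-ipv6.c (hunk at -350). A short comment above the guard would also help, e.g. `/* fewer bytes captured than the IP total length claims */`. The function body starts and ends outside the hunk.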
@@ -131,7 +131,7 @@ DecodeIPV6ExtHdrs(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len) plen -= hdrextlen; break; } - + IPV6_EXTHDR_SET_HH(p, pkt); hao = &IPV6_EXTHDR_HH_HAO(p); ra = &IPV6_EXTHDR_HH_RA(p); @@ -165,7 +165,7 @@ DecodeIPV6ExtHdrs(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len) break; } } - + if (optslen > plen) { /* since the packet is long enough (we checked * plen against hdrlen, the optlen must be malformed. */ @@ -177,7 +177,7 @@ DecodeIPV6ExtHdrs(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len) plen -= hdrextlen; break; } -/* XXX move into own function to loaded on demand */ +/** \todo move into own function to loaded on demand */ uint16_t offset = 0; while(offset < optslen) { @@ -350,6 +350,7 @@ static int DecodeIPV6Packet (ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t le if (len < (IPV6_HEADER_LEN + IPV6_GET_PLEN(p))) { + DECODER_SET_EVENT(p,IPV6_TRUNC_PKT); return -1; } diff --git a/src/decode-ppp.c b/src/decode-ppp.c index 10a46aa0be..d19fd0c7fa 100644 --- a/src/decode-ppp.c +++ b/src/decode-ppp.c @@ -1,5 +1,5 @@ -/* Copyright (c) 2009 Open Infosec Foundation - * Written by Breno Silva Pinto */ +/** Copyright (c) 2009 Open Information Security Foundation + * \author Breno Silva Pinto */ #include "eidps-common.h" @@ -58,6 +58,7 @@ void DecodePPP(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue case PPP_PAP: case PPP_LQM: case PPP_CHAP: + DECODER_SET_EVENT(p,PPP_UNSUP_PROTO); break; case PPP_VJ_UCOMP: @@ -154,12 +155,12 @@ static int DecodePPPtest02 (void) { return 0; } -/* DecodePPPtest03 - * Decode right PPP packet - * Expected test value: 1 +/** DecodePPPtest03 + * \brief Decode good PPP packet, additionally the IPv4 packet inside is + * 4 bytes short. + * \retval 0 Test failed + * \retval 1 Test succeeded */ - - static int DecodePPPtest03 (void) { uint8_t raw_ppp[] = { 0xff, 0x03, 0x00, 0x21, 0x45, 0xc0, 0x00, 0x2c, 0x4d, 0xed, 0x00, 0x00, 0xff, 0x06, 0xd5, 0x17, 0xbf, 0x01, 
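Review bot: `DECODER_SET_EVENT(p,PPP_UNSUP_PROTO)` in DecodePPP is added at the end of a case list that includes `PPP_PAP`, `PPP_LQM` and `PPP_CHAP`, which are part of ordinary link setup, so the event will be raised on normal sessions and not only on anomalies. That is a reasonable design, but nothing at the call site says so. A comment such as `/* valid PPP protocol that is not decoded; informational, unlike PPP_WRONG_TYPE */` would keep rule writers and later maintainers from treating it as an error signal. The switch begins outside this hunk, so the full list of affected protocols is not visible here.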
@@ -194,6 +195,9 @@ static int DecodePPPtest03 (void) { return 0; } + if (!(DECODER_ISSET_EVENT(&p,IPV4_TRUNC_PKT))) { + return 0; + } /* Function must return here */ return 1; @@ -227,6 +231,10 @@ static int DecodePPPtest04 (void) { return 0; } + if (!(DECODER_ISSET_EVENT(&p,IPV4_TRUNC_PKT))) { + return 0; + } + /* Function must returns here */ return 1; diff --git a/src/decode-ppp.h b/src/decode-ppp.h index 28df489902..5d1c87fc16 100644 --- a/src/decode-ppp.h +++ b/src/decode-ppp.h @@ -1,17 +1,15 @@ -/* Copyright (c) 2009 Open Infosec Foundation - * Written by Breno Silva Pinto */ +/** Copyright (c) 2009 Open Infomation Security Foundation + * \author Breno Silva Pinto */ #ifndef __DECODE_PPP_H__ #define __DECODE_PPP_H__ -/* Point to Point Protocol RFC1331 - Supported tyes */ - +/** Point to Point Protocol RFC1331 - Supported tyes */ #define PPP_IP 0x0021 /* Internet Protocol */ #define PPP_IPV6 0x0057 /* Internet Protocol version 6 */ #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ -/* Unsupported PPP types (libpcap source reference) */ - +/** Unsupported PPP types (libpcap source reference) */ #define PPP_IPX 0x002b /* Novell IPX Protocol */ #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ #define PPP_IPX 0x002b /* Novell IPX Protocol */ @@ -42,12 +40,14 @@ #define PPP_LQM 0xc025 /* Link Quality Monitoring */ #define PPP_CHAP 0xc223 /* Challenge Handshake Authentication Protocol */ +/** PPP Packet header */ typedef struct PPPHdr_ { uint8_t address; uint8_t control; uint16_t protocol; } PPPHdr; +/** PPP Packet header length */ #define PPP_HEADER_LEN 4 void DecodePPPRegisterTests(void); diff --git a/src/detect-decode-event.h b/src/detect-decode-event.h index f939accbdc..9d7c354247 100644 --- a/src/detect-decode-event.h +++ b/src/detect-decode-event.h 
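Review bot: The added `IPV4_TRUNC_PKT` assertions in DecodePPPtest03 (and in DecodePPPtest04 in the next hunk) make both tests pass only when the inner IPv4 packet is truncated, so neither test still shows that a complete PPP/IPv4 packet decodes without raising events. For test03 the fixture's IPv4 total length is 0x002c and the updated doc comment says the data is 4 bytes short; test04's fixture and comment are outside the visible hunks, so whether its truncation is intended cannot be confirmed from here. Consider keeping one test with a complete packet that asserts no event is set and a separate one for truncation. A comment at each check would also help, e.g. `/* fixture is shorter than its IPv4 total length, so the decoder must flag it */`.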
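Review bot: The rewritten header comment in decode-ppp.h misspells the name as `Open Infomation Security Foundation`, while decode-ppp.c in the same commit has `Open Information Security Foundation`. The line converted just below it, `Supported tyes`, should read `Supported types`. Separately, a `/** ... */` block placed before a run of `#define`s is attached by Doxygen only to the first macro that follows, so the two group headings may be better left as plain `/* ... */` comments.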
@@ -25,7 +25,9 @@ struct DetectDecodeEvents_ { { "ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, }, { "ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, }, { "ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, }, + { "ipv4.trunc_pkt", IPV4_TRUNC_PKT, }, { "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, }, + { "ipv6.trunc_pkt", IPV6_TRUNC_PKT, }, { "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, }, { "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, }, { "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, }, @@ -48,7 +50,8 @@ struct DetectDecodeEvents_ { { "ppp.ju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, }, { "ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, }, { "ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, }, - { "ppp.wrong_type", PPP_WRONG_TYPE, }, + { "ppp.wrong_type", PPP_WRONG_TYPE, }, /** unknown & invalid protocol */ + { "ppp.unsup_proto", PPP_UNSUP_PROTO, }, /** unsupported but valid protocol */ { NULL, 0 }, }; #endif /* DETECT_EVENTS */
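Review bot: The two trailing comments added to the `ppp.wrong_type` and `ppp.unsup_proto` table entries use `/** ... */`, which Doxygen associates with the item that follows rather than the entry on the same line. Since each describes the entry to its left, `/**< unknown & invalid protocol */` and `/**< unsupported but valid protocol */` (or plain `/* ... */`) would say what is meant. The distinction between the two events matters to rule authors, so it is worth stating wherever the keyword values are documented as well.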