Fix short IPv4 packets not getting detected in the decoder. Set decode event on short ipv6 packets.

17 years ago · 4ec31e0445
parent 265038a75a
commit 4ec31e0445
6 changed files with 39 additions and 19 deletions
--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -8,9 +8,11 @@ enum {
    IPV4_PKT_TOO_SMALL = 1,       /* pkt smaller than minimum header size */
    IPV4_HLEN_TOO_SMALL,
    IPV4_IPLEN_SMALLER_THAN_HLEN,
+    IPV4_TRUNC_PKT,

    /* IPV6 EVENTS */
    IPV6_PKT_TOO_SMALL,
+    IPV6_TRUNC_PKT,
    IPV6_TRUNC_EXTHDR,
    IPV6_EXTHDR_DUPL_FH,
    IPV6_EXTHDR_DUPL_RH,
@ -47,6 +49,7 @@ enum {
    PPPIPV4_PKT_TOO_SMALL,
    PPPIPV6_PKT_TOO_SMALL,
    PPP_WRONG_TYPE,
+    PPP_UNSUP_PROTO,

    /* PPPOE EVENTS */
    PPPOE_PKT_TOO_SMALL,
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@ -36,6 +36,11 @@ static int DecodeIPV4Packet(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len
        return -1;
    }

+    if (len < IPV4_GET_IPLEN(p)) {
+        DECODER_SET_EVENT(p,IPV4_TRUNC_PKT);
+        return -1;
+    }
+
    /* save the options len */
    p->ip4vars.ip_opts_len = IPV4_GET_HLEN(p) - IPV4_HEADER_LEN;
    if (p->ip4vars.ip_opts_len > 0) {
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@ -72,7 +72,7 @@ DecodeIPV6ExtHdrs(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len)

                IPV6_EXTHDR_SET_RH(p, pkt);
                IPV6_EXTHDR_RH(p)->ip6rh_len = hdrextlen;
-/* XXX move into own function and load on demand */
+/** \todo move into own function and load on demand */
                if (IPV6_EXTHDR_RH(p)->ip6rh_type == 0) {
                    uint8_t i;

@ -83,7 +83,7 @@ DecodeIPV6ExtHdrs(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len)
                     * sized */
                    for (i = 0; i < (n/8) && i < sizeof(IPV6_EXTHDR_RH(p)->ip6rh0_addr)/sizeof(struct in6_addr); ++i) {
                        /* the address header fields are 16 bytes in size */
-/* XXX do this without memcpy since it's expensive */
+/** \todo do this without memcpy since it's expensive */
                        memcpy(&IPV6_EXTHDR_RH(p)->ip6rh0_addr[i], pkt+(i*16)+8, sizeof(IPV6_EXTHDR_RH(p)->ip6rh0_addr[i]));
                    }
                    IPV6_EXTHDR_RH(p)->ip6rh0_num_addrs = i;
@ -177,7 +177,7 @@ DecodeIPV6ExtHdrs(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len)
                    plen -= hdrextlen;
                    break;
                }
-/* XXX move into own function to loaded on demand */
+/** \todo move into own function to loaded on demand */
                uint16_t offset = 0;
                while(offset < optslen)
                {
@ -350,6 +350,7 @@ static int DecodeIPV6Packet (ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t le

    if (len < (IPV6_HEADER_LEN + IPV6_GET_PLEN(p)))
    {
+        DECODER_SET_EVENT(p,IPV6_TRUNC_PKT);
        return -1;
    }

--- a/src/decode-ppp.c
+++ b/src/decode-ppp.c
@ -1,5 +1,5 @@
-/* Copyright (c) 2009 Open Infosec Foundation
- *  Written by Breno Silva Pinto <breno.silva@gmail.com> */
+/** Copyright (c) 2009 Open Information Security Foundation
+ *  \author Breno Silva Pinto <breno.silva@gmail.com> */

 #include "eidps-common.h"

@ -58,6 +58,7 @@ void DecodePPP(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue
        case PPP_PAP:
        case PPP_LQM:
        case PPP_CHAP:
+            DECODER_SET_EVENT(p,PPP_UNSUP_PROTO);
            break;

        case PPP_VJ_UCOMP:
@ -154,12 +155,12 @@ static int DecodePPPtest02 (void)   {
    return 0;
 }

-/*  DecodePPPtest03
- *  Decode right PPP packet
- *  Expected test value: 1
+/** DecodePPPtest03
+ *  \brief Decode good PPP packet, additionally the IPv4 packet inside is
+ *         4 bytes short.
+ *  \retval 0 Test failed
+ *  \retval 1 Test succeeded
 */
-
-
 static int DecodePPPtest03 (void)   {
    uint8_t raw_ppp[] = { 0xff, 0x03, 0x00, 0x21, 0x45, 0xc0, 0x00, 0x2c, 0x4d,
                           0xed, 0x00, 0x00, 0xff, 0x06, 0xd5, 0x17, 0xbf, 0x01,
@ -194,6 +195,9 @@ static int DecodePPPtest03 (void)   {
        return 0;
    }

+    if (!(DECODER_ISSET_EVENT(&p,IPV4_TRUNC_PKT))) {
+        return 0;
+    }
    /* Function must return here */

    return 1;
@ -227,6 +231,10 @@ static int DecodePPPtest04 (void)   {
        return 0;
    }

+    if (!(DECODER_ISSET_EVENT(&p,IPV4_TRUNC_PKT))) {
+        return 0;
+    }
+
    /* Function must returns here */

    return 1;
--- a/src/decode-ppp.h
+++ b/src/decode-ppp.h
@ -1,17 +1,15 @@
-/* Copyright (c) 2009 Open Infosec Foundation
- *  Written by Breno Silva Pinto <breno.silva@gmail.com> */
+/** Copyright (c) 2009 Open Infomation Security Foundation
+ *  \author Breno Silva Pinto <breno.silva@gmail.com> */

 #ifndef __DECODE_PPP_H__
 #define __DECODE_PPP_H__

-/* Point to Point Protocol RFC1331 - Supported tyes */
-
+/** Point to Point Protocol RFC1331 - Supported tyes */
 #define PPP_IP         0x0021       /* Internet Protocol */
 #define PPP_IPV6       0x0057       /* Internet Protocol version 6 */
 #define PPP_VJ_UCOMP   0x002f       /* VJ uncompressed TCP/IP */

-/* Unsupported PPP types (libpcap source reference) */
-
+/** Unsupported PPP types (libpcap source reference) */
 #define PPP_IPX        0x002b       /* Novell IPX Protocol */
 #define PPP_VJ_COMP    0x002d       /* VJ compressed TCP/IP */
 #define PPP_IPX        0x002b       /* Novell IPX Protocol */
@ -42,12 +40,14 @@
 #define PPP_LQM        0xc025       /* Link Quality Monitoring */
 #define PPP_CHAP       0xc223       /* Challenge Handshake Authentication Protocol */

+/** PPP Packet header */
 typedef struct PPPHdr_ {
    uint8_t address;
    uint8_t control;
    uint16_t protocol;
 } PPPHdr;

+/** PPP Packet header length */
 #define PPP_HEADER_LEN 4

 void DecodePPPRegisterTests(void);
--- a/src/detect-decode-event.h
+++ b/src/detect-decode-event.h
@ -25,7 +25,9 @@ struct DetectDecodeEvents_ {
    { "ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, },
    { "ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, },
    { "ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, },
+    { "ipv4.trunc_pkt", IPV4_TRUNC_PKT, },
    { "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },
+    { "ipv6.trunc_pkt", IPV6_TRUNC_PKT, },
    { "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, },
    { "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, },
    { "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, },
@ -48,7 +50,8 @@ struct DetectDecodeEvents_ {
    { "ppp.ju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, },
    { "ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, },
    { "ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, },
-    { "ppp.wrong_type", PPP_WRONG_TYPE, },
+    { "ppp.wrong_type", PPP_WRONG_TYPE, }, /** unknown & invalid protocol */
+    { "ppp.unsup_proto", PPP_UNSUP_PROTO, }, /** unsupported but valid protocol */
    { NULL, 0 },
 };
 #endif /* DETECT_EVENTS */