Fix for bug 180 (check proto specified at the IP hdr)

15 years ago · 70bda6506d
parent f7ab84ca83
commit 70bda6506d
3 changed files with 9 additions and 4 deletions
--- a/src/decode.h
+++ b/src/decode.h
@ -191,6 +191,10 @@ typedef uint16_t Port;

 #define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))

+/* Retrieve proto regardless of IP version */
+#define IP_GET_IPPROTO(p) \
+    (PKT_IS_IPV4(p)? IPV4_GET_IPPROTO(p) : (PKT_IS_IPV6(p)? IPV6_GET_NH(p) : 0))
+
 /* structure to store the sids/gids/etc the detection engine
 * found in this packet */
 typedef struct PacketAlert_ {
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@ -976,7 +976,8 @@ void IPOnlyMatchPacket(DetectEngineCtx *de_ctx,
                    Signature *s = de_ctx->sig_array[u * 8 + i];

                    /* Need to check the protocol first */
-                    if (!(s->proto.proto[(p->proto/8)] & (1 << (p->proto % 8))))
+                    if (!(s->proto.proto[(IP_GET_IPPROTO(p)/8)] & (1 << (IP_GET_IPPROTO(p) % 8))))
+
                        continue;

                    SCLogDebug("Signum %"PRIu16" match (sid: %"PRIu16", msg: %s)",
--- a/src/detect.c
+++ b/src/detect.c
@ -567,7 +567,7 @@ SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThre
    SCLogDebug("f %d", f);

    /* find the right mpm instance */
-    DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[p->proto], &p->src);
+    DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[IP_GET_IPPROTO(p)], &p->src);
    if (ag != NULL) {
        /* source group found, lets try a dst group */
        ag = DetectAddressLookupInHead(ag->dst_gh, &p->dst);
@ -723,7 +723,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh

        /* Get the stored sgh from the flow (if any). Make sure we're not using
         * the sgh for icmp error packets part of the same stream. */
-        if (p->proto == p->flow->proto) { /* filter out icmp */
+        if (IP_GET_IPPROTO(p) == p->flow->proto) { /* filter out icmp */
            if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) {
                sgh = p->flow->sgh_toserver;
                use_flow_sgh = TRUE;
@ -864,7 +864,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
        s = det_ctx->match_array[idx];
        SCLogDebug("inspecting signature id %"PRIu32"", s->id);

-        if (DetectProtoContainsProto(&s->proto, p->proto) == 0) {
+        if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
            SCLogDebug("proto didn't match");
            goto next;
        }