aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

decode: fix failure in layered tunnel

Browse Source 
If we have multiple layer of tunnel, the decoding of initial
Packet will recurse in DecodeTunnel function called in
PacketTunnelPktSetup. If we are not setting the pseudo
packet root before calling DecodeTunnel (as done in previous
code), then the tunnel root will no be correct for the lower
layer packets. This result in an counter problem and a suricata
failure after some time.
pull/681/head
Eric Leblond 11 years ago
parent e9a4871077
commit f76448c1e6
2 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File

16
src/decode.c
Unescape Escape View File

@ -250,12 +250,6 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
SCReturnPtr(NULL, "Packet");
}
/* set the root ptr to the lowest layer */
if (parent->root != NULL)
p->root = parent->root;
else
p->root = parent;
/* copy packet and set lenght, proto */
PacketCopyData(p, pkt, len);
p->recursion_level = parent->recursion_level + 1;
@ -263,6 +257,12 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
p->ts.tv_usec = parent->ts.tv_usec;
p->datalink = DLT_RAW;
/* set the root ptr to the lowest layer */
if (parent->root != NULL)
p->root = parent->root;
else
p->root = parent;
/* tell new packet it's part of a tunnel */
SET_TUNNEL_PKT(p);
@ -270,10 +270,14 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
GET_PKT_LEN(p), pq, proto);
if (unlikely(ret != TM_ECODE_OK)) {
/* Not a tunnel packet, just a pseudo packet */
p->root = NULL;
UNSET_TUNNEL_PKT(p);
TmqhOutputPacketpool(tv, p);
SCReturnPtr(NULL, "Packet");
}
/* tell parent packet it's part of a tunnel */
SET_TUNNEL_PKT(parent);

1
src/decode.h
Unescape Escape View File

@ -803,6 +803,7 @@ typedef struct DecodeThreadVars_
#define IS_TUNNEL_PKT(p) (((p)->flags & PKT_TUNNEL))
#define SET_TUNNEL_PKT(p) ((p)->flags |= PKT_TUNNEL)
#define UNSET_TUNNEL_PKT(p) ((p)->flags &= ~PKT_TUNNEL)
#define IS_TUNNEL_ROOT_PKT(p) (IS_TUNNEL_PKT(p) && (p)->root == NULL)
#define IS_TUNNEL_PKT_VERDICTED(p) (((p)->flags & PKT_TUNNEL_VERDICTED))

Write Preview
Loading…
Cancel
Save