Commit Graph

87 Commits (de4e2221d8e9dc43f07c867caaad5e42f16a96b7)

Author SHA1 Message Date
Eric Leblond 97ca02f0c5 defrag: fix reconstruction
This patch is fixing an issue in defragmentation code. The
insertion of a fragment in the list of fragments is done with
respect to the offset of the fragment. But the code was using
the original offset of the fragment and not the one of the
new reconstructed fragment (which can be different in the
case of overlapping segment where the left part is trimmed).

This case could lead to some evasion techniques by causing
Suricata to analyse a different payload.
11 years ago
Jason Ish b8e13d4bd6 More concise API for setting config values that
can be overrided or not (final values).
12 years ago
Victor Julien 277fb61c1d defrag: clean up
Rename PacketDefragPktFinishSetup to PacketDefragPktSetupParent to
better refect it's function.
12 years ago
Eric Leblond 3fdf52239d defrag: don't modify packet if defrag fails
If defrag fails dur to an invalid decoding, we are not modifying
the origin packet anymore.
12 years ago
Giuseppe Longo f03278d132 feature #417: add support for configuration per host timeout value 12 years ago
Jason Ish 2953b3f640 Feature #901 - VLAN defrag support.
Take VLAN IDs into account when re-assembling fragments.

Prevents fragments that would otherwise match, but on different
VLANs from being reassembled with each other.
12 years ago
Victor Julien 3470b07ea5 Fix several compile and runtime warnings found by clang 3.2 with the -fsanitize=address option. 12 years ago
Victor Julien a698a7600d clang: fix warnings when debug is enabled 13 years ago
Anoop Saldanha b33986c887 Add a packet src for every packet generated inside suricata. 13 years ago
Eric Leblond e176be6fcc Use unlikely for error treatment.
When handling error case on SCMallog, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.

This patch has been obtained via coccinelle. The transformation
is the following:

@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@

x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
13 years ago
Victor Julien 20d2db085e reintroduce pool free func for cases where block alloc is not used. 13 years ago
Victor Julien 7a044a99ee Defrag engine
Big rewrite of defrag engine to make it more scalable and fix some
locking logic flaws.

Now uses a hash of trackers similar to Flow and Host hashes.
13 years ago
Eric Leblond 937ba71491 defrag: don't return after a cleaning.
This patch changes the policy of the timeout function by cleaning
every timeouted trackers.
Previous code was only freeing the first tracker and this was resulting
in calling the timeout function continuously. One of my previous patch
has modified the function to avoid to run it more than twice a second.
But as it was not taken into account the fact only the first tracker was
freed, the result was that a lot of tracker could not be allocated.
13 years ago
Eric Leblond 619014a280 pool: rename Free function to Cleanup
This patch renames Free functions to Cleanup as the free is made
by the pool system.
13 years ago
Eric Leblond f241312a36 defrag: don't use message for repetitive error
When nothing can be fetch from the pool, this can repeat frequently.
Thus displaying a message in the log will not help. This patch
uses a counter instead of a log message. As this is a sort of memcap
this is conformed to what is done for other issues of the same type.
13 years ago
Victor Julien 829d975d63 Make sure defrag pool sizes are not initialized to 0, see #540. 13 years ago
Eric Leblond 4e6a4c65f6 defrag: be sure to output NULL tracker
Coverity 720337 pointed out a use after free. We can't be dependent
to HashListTableAdd outputting a NULL tracker.
13 years ago
Eric Leblond d3824bd1ab defrag: fix potential use after free.
Coverity pointed out that PoolReturn is almost like free and detected
a use after free when accessing to tracker->af (issue 720339).
This patch fixes this by storing the value in a local variable.
13 years ago
Eric Leblond 90052609ee defrag: avoid to run cleaning repetitively 13 years ago
Eric Leblond fa079c1da0 pool: realize a block allocation for preallocated item.
This patch required a evolution of Pool API as it is needed to
proceed to alloc or init separetely. The PoolInit has been changed
with a new Init function parameter.
13 years ago
Eric Leblond 09d893127e defrag: prealloc more frags. 13 years ago
Eric Leblond fd32159464 defrag: add some events relative to defragmentation 13 years ago
Eric Leblond d2aa0407c4 defrag: Fix unittest logic.
We've linked the size of hash with trackers. Thus calling DefragInit()
after setting the configuration variable is more logic.
13 years ago
Eric Leblond 0fd2c93c96 defrag: link hash size with number of frags.
We set defrag_hash_size by using the number of trackers. This is
effective to avoid collision.
13 years ago
Eric Leblond f328e18d59 defrag: fix some integer type warning. 13 years ago
Eric Leblond b1b4cd2729 defrag: really use 'max-frags' variable.
The 'max-frags' variable was not used and the 'trackers' variable was
not documented. This patch fixes the two issues.
13 years ago
Eric Leblond 4df509f87a defrag: use IP ID in hash
This patch fixes the collision issue observed on an intensive network
trafic. When there is fragmentation it is the case for all data
exchanged between two hosts. Thus using a hash func only involving
IP addresses (and protocol) was leading to a collision for all
exchanges between the hosts. At a larger scale, it was resulting in
a packet loss. By using the IP ID instead of the protocol family, we
introduce a real difference between the trackers.
13 years ago
Victor Julien 79691f675a defrag: don't increment recursion level for reassembled packets. Fixes defragged packets not seeing the same flow. 13 years ago
Victor Julien e237841a8e Fix compilation with profiling enabled. Minor unittest fixes. 14 years ago
Victor Julien cdba2f50d1 Various fixes and improvements based on feedback by Coverity analyzer. 14 years ago
Victor Julien 55da9787a4 Win32 compile fixes. 14 years ago
Eric Leblond 6bf15bac31 Fix various packet access.
The coccinelle based tests have detected invalid uses of access to
Packet data. This patch fixes the detected problems.
14 years ago
pilcrow ed69eeab14 Safer macro parenthesization and do/while use 14 years ago
Eric Leblond 7425bf5ca6 Rename some decode event structure and macro.
This patch renames DECODER_SET_EVENT, DECODER_ISSET_EVENT and some
other structures to ENGINE equivalent to take into account the fact
the event list is now related to all engines and not only to decoder.
14 years ago
Victor Julien 4025567a5a Fix a number of unittests not properly initializing a packet causing issues on some archs. 14 years ago
Gerardo Iglesias Galvan 305140d081 Silence coverity warning 14 years ago
Victor Julien e1d4e16645 Simplify packet decoding macro's. 14 years ago
Victor Julien b73939bcef Clean up & better check includes to allow Windows to build. 14 years ago
Anoop Saldanha 78bf2579aa move pseudo packet creation outside defragreassemble loop 14 years ago
Victor Julien 83c3f15812 Minor fixes in defrag engine, shrink DefragTracker_ structure. 14 years ago
Jason Ish 0385f72669 Use separate frag decoder events for IPv4 and IPv6. 14 years ago
Jason Ish de1c40c44f Set decoder event on fragment overlaps. 14 years ago
Jason Ish 7f5e120d60 Cleanup assignment of the default defrag policy. 14 years ago
Jason Ish 6da9c64a28 Set decoder event when re-assembled fragments would exceed max IP packet size. 14 years ago
Victor Julien 778b92ef40 Make sure to only alloc a new pseudo packet once during ip defrag. 14 years ago
Victor Julien 03ea563e93 Don't set ip{4,6} header on reassembled ip packet until we know for sure what buffer the packet is stored in. 14 years ago
Anoop Saldanha 5c880b04c9 fix ipv4 defrag + fix recursion level in defrag pseudo packet 15 years ago
Victor Julien 7ef00aaf19 Fix defrag4 setting the packet length on the wrong packet. 15 years ago
Eric Leblond 89558ab9a4 RFC: modify error treatment in PacketCopyData
Hello Victor
This patch modifies error treatment following our discussion on IRC.
It tries to follow the error treatment guideline I've been able to
read in the different files.
I will merge this patch in the original commit if the error treatment
seems ok for you.

BR,
Eric
15 years ago
Eric Leblond dd038c1906 Modify files to avoid direct pckt payload access
This patch implements the needed modification of payload access
in a Packet structure to support the abstraction introduced by
the extended data system.
15 years ago