]>
Commit | Line | Data |
---|---|---|
9449739d JI |
1 | /* Copyright (C) 2017 Open Information Security Foundation |
2 | * | |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
73388042 JI |
18 | extern crate libc; |
19 | extern crate nom; | |
20 | ||
21 | use std; | |
22 | use std::mem::transmute; | |
23 | ||
24 | use log::*; | |
c54fc7f9 | 25 | use applayer::LoggerFlags; |
73388042 JI |
26 | use core; |
27 | use dns::parser; | |
28 | ||
ba1a67e2 JI |
29 | /// DNS record types. |
30 | pub const DNS_RECORD_TYPE_A : u16 = 1; | |
31 | pub const DNS_RECORD_TYPE_NS : u16 = 2; | |
32 | pub const DNS_RECORD_TYPE_MD : u16 = 3; // Obsolete | |
33 | pub const DNS_RECORD_TYPE_MF : u16 = 4; // Obsolete | |
34 | pub const DNS_RECORD_TYPE_CNAME : u16 = 5; | |
35 | pub const DNS_RECORD_TYPE_SOA : u16 = 6; | |
36 | pub const DNS_RECORD_TYPE_MB : u16 = 7; // Experimental | |
37 | pub const DNS_RECORD_TYPE_MG : u16 = 8; // Experimental | |
38 | pub const DNS_RECORD_TYPE_MR : u16 = 9; // Experimental | |
39 | pub const DNS_RECORD_TYPE_NULL : u16 = 10; // Experimental | |
40 | pub const DNS_RECORD_TYPE_WKS : u16 = 11; | |
41 | pub const DNS_RECORD_TYPE_PTR : u16 = 12; | |
42 | pub const DNS_RECORD_TYPE_HINFO : u16 = 13; | |
43 | pub const DNS_RECORD_TYPE_MINFO : u16 = 14; | |
44 | pub const DNS_RECORD_TYPE_MX : u16 = 15; | |
45 | pub const DNS_RECORD_TYPE_TXT : u16 = 16; | |
46 | pub const DNS_RECORD_TYPE_RP : u16 = 17; | |
47 | pub const DNS_RECORD_TYPE_AFSDB : u16 = 18; | |
48 | pub const DNS_RECORD_TYPE_X25 : u16 = 19; | |
49 | pub const DNS_RECORD_TYPE_ISDN : u16 = 20; | |
50 | pub const DNS_RECORD_TYPE_RT : u16 = 21; | |
51 | pub const DNS_RECORD_TYPE_NSAP : u16 = 22; | |
52 | pub const DNS_RECORD_TYPE_NSAPPTR : u16 = 23; | |
53 | pub const DNS_RECORD_TYPE_SIG : u16 = 24; | |
54 | pub const DNS_RECORD_TYPE_KEY : u16 = 25; | |
55 | pub const DNS_RECORD_TYPE_PX : u16 = 26; | |
56 | pub const DNS_RECORD_TYPE_GPOS : u16 = 27; | |
57 | pub const DNS_RECORD_TYPE_AAAA : u16 = 28; | |
58 | pub const DNS_RECORD_TYPE_LOC : u16 = 29; | |
5a8537fe | 59 | pub const DNS_RECORD_TYPE_NXT : u16 = 30; // Obsolete |
ba1a67e2 JI |
60 | pub const DNS_RECORD_TYPE_SRV : u16 = 33; |
61 | pub const DNS_RECORD_TYPE_ATMA : u16 = 34; | |
62 | pub const DNS_RECORD_TYPE_NAPTR : u16 = 35; | |
63 | pub const DNS_RECORD_TYPE_KX : u16 = 36; | |
64 | pub const DNS_RECORD_TYPE_CERT : u16 = 37; | |
65 | pub const DNS_RECORD_TYPE_A6 : u16 = 38; // Obsolete | |
66 | pub const DNS_RECORD_TYPE_DNAME : u16 = 39; | |
67 | pub const DNS_RECORD_TYPE_OPT : u16 = 41; | |
68 | pub const DNS_RECORD_TYPE_APL : u16 = 42; | |
69 | pub const DNS_RECORD_TYPE_DS : u16 = 43; | |
70 | pub const DNS_RECORD_TYPE_SSHFP : u16 = 44; | |
71 | pub const DNS_RECORD_TYPE_IPSECKEY : u16 = 45; | |
72 | pub const DNS_RECORD_TYPE_RRSIG : u16 = 46; | |
73 | pub const DNS_RECORD_TYPE_NSEC : u16 = 47; | |
74 | pub const DNS_RECORD_TYPE_DNSKEY : u16 = 48; | |
75 | pub const DNS_RECORD_TYPE_DHCID : u16 = 49; | |
76 | pub const DNS_RECORD_TYPE_NSEC3 : u16 = 50; | |
77 | pub const DNS_RECORD_TYPE_NSEC3PARAM : u16 = 51; | |
78 | pub const DNS_RECORD_TYPE_TLSA : u16 = 52; | |
79 | pub const DNS_RECORD_TYPE_HIP : u16 = 55; | |
80 | pub const DNS_RECORD_TYPE_CDS : u16 = 59; | |
81 | pub const DNS_RECORD_TYPE_CDNSKEY : u16 = 60; | |
82 | pub const DNS_RECORD_TYPE_SPF : u16 = 99; // Obsolete | |
83 | pub const DNS_RECORD_TYPE_TKEY : u16 = 249; | |
84 | pub const DNS_RECORD_TYPE_TSIG : u16 = 250; | |
85 | pub const DNS_RECORD_TYPE_MAILA : u16 = 254; // Obsolete | |
86 | pub const DNS_RECORD_TYPE_ANY : u16 = 255; | |
87 | pub const DNS_RECORD_TYPE_URI : u16 = 256; | |
88 | ||
73388042 JI |
89 | /// DNS error codes. |
90 | pub const DNS_RCODE_NOERROR: u16 = 0; | |
91 | pub const DNS_RCODE_FORMERR: u16 = 1; | |
5a8537fe | 92 | pub const DNS_RCODE_SERVFAIL: u16 = 2; |
73388042 | 93 | pub const DNS_RCODE_NXDOMAIN: u16 = 3; |
5a8537fe JI |
94 | pub const DNS_RCODE_NOTIMP: u16 = 4; |
95 | pub const DNS_RCODE_REFUSED: u16 = 5; | |
96 | pub const DNS_RCODE_YXDOMAIN: u16 = 6; | |
97 | pub const DNS_RCODE_YXRRSET: u16 = 7; | |
98 | pub const DNS_RCODE_NXRRSET: u16 = 8; | |
99 | pub const DNS_RCODE_NOTAUTH: u16 = 9; | |
100 | pub const DNS_RCODE_NOTZONE: u16 = 10; | |
101 | // Support for OPT RR from RFC6891 will be needed to | |
102 | // parse RCODE values over 15 | |
103 | pub const DNS_RCODE_BADVERS: u16 = 16; | |
104 | pub const DNS_RCODE_BADSIG: u16 = 16; | |
105 | pub const DNS_RCODE_BADKEY: u16 = 17; | |
106 | pub const DNS_RCODE_BADTIME: u16 = 18; | |
107 | pub const DNS_RCODE_BADMODE: u16 = 19; | |
108 | pub const DNS_RCODE_BADNAME: u16 = 20; | |
109 | pub const DNS_RCODE_BADALG: u16 = 21; | |
110 | pub const DNS_RCODE_BADTRUNC: u16 = 22; | |
111 | ||
73388042 JI |
112 | |
113 | /// The maximum number of transactions to keep in the queue pending | |
114 | /// processing before they are aggressively purged. Due to the | |
115 | /// stateless nature of this parser this is rarely needed, especially | |
116 | /// when one call to parse a request parses and a single request, and | |
117 | /// likewise for responses. | |
118 | /// | |
119 | /// Where this matters is when one TCP buffer contains multiple | |
120 | /// requests are responses and one call into the parser creates | |
121 | /// multiple transactions. In this case we have to hold onto | |
122 | /// transactions longer than until handling the next transaction so it | |
123 | /// gets logged. | |
124 | const MAX_TRANSACTIONS: usize = 32; | |
125 | ||
126 | #[repr(u32)] | |
127 | pub enum DNSEvent { | |
128 | UnsolicitedResponse = 0, | |
129 | MalformedData, | |
130 | NotRequest, | |
131 | NotResponse, | |
132 | ZFlagSet, | |
133 | Flooded, | |
134 | StateMemCapReached, | |
135 | } | |
136 | ||
9449739d JI |
137 | #[derive(Debug,PartialEq)] |
138 | pub struct DNSHeader { | |
139 | pub tx_id: u16, | |
140 | pub flags: u16, | |
141 | pub questions: u16, | |
142 | pub answer_rr: u16, | |
143 | pub authority_rr: u16, | |
144 | pub additional_rr: u16, | |
145 | } | |
146 | ||
147 | #[derive(Debug)] | |
148 | pub struct DNSQueryEntry { | |
149 | pub name: Vec<u8>, | |
150 | pub rrtype: u16, | |
151 | pub rrclass: u16, | |
152 | } | |
153 | ||
154 | #[derive(Debug,PartialEq)] | |
155 | pub struct DNSAnswerEntry { | |
156 | pub name: Vec<u8>, | |
157 | pub rrtype: u16, | |
158 | pub rrclass: u16, | |
159 | pub ttl: u32, | |
9449739d JI |
160 | pub data: Vec<u8>, |
161 | } | |
162 | ||
163 | #[derive(Debug)] | |
164 | pub struct DNSRequest { | |
165 | pub header: DNSHeader, | |
166 | pub queries: Vec<DNSQueryEntry>, | |
167 | } | |
168 | ||
169 | #[derive(Debug)] | |
170 | pub struct DNSResponse { | |
171 | pub header: DNSHeader, | |
172 | pub queries: Vec<DNSQueryEntry>, | |
173 | pub answers: Vec<DNSAnswerEntry>, | |
174 | pub authorities: Vec<DNSAnswerEntry>, | |
175 | } | |
73388042 JI |
176 | |
177 | #[derive(Debug)] | |
178 | pub struct DNSTransaction { | |
179 | pub id: u64, | |
180 | pub request: Option<DNSRequest>, | |
181 | pub response: Option<DNSResponse>, | |
98eca552 VJ |
182 | detect_flags_ts: u64, |
183 | detect_flags_tc: u64, | |
c54fc7f9 | 184 | pub logged: LoggerFlags, |
73388042 JI |
185 | pub de_state: Option<*mut core::DetectEngineState>, |
186 | pub events: *mut core::AppLayerDecoderEvents, | |
187 | } | |
188 | ||
189 | impl DNSTransaction { | |
190 | ||
191 | pub fn new() -> DNSTransaction { | |
192 | return DNSTransaction{ | |
193 | id: 0, | |
194 | request: None, | |
195 | response: None, | |
98eca552 VJ |
196 | detect_flags_ts: 0, |
197 | detect_flags_tc: 0, | |
c54fc7f9 | 198 | logged: LoggerFlags::new(), |
73388042 JI |
199 | de_state: None, |
200 | events: std::ptr::null_mut(), | |
201 | } | |
202 | } | |
203 | ||
204 | pub fn free(&mut self) { | |
205 | if self.events != std::ptr::null_mut() { | |
206 | core::sc_app_layer_decoder_events_free_events(&mut self.events); | |
207 | } | |
f815027c VJ |
208 | match self.de_state { |
209 | Some(state) => { | |
210 | core::sc_detect_engine_state_free(state); | |
211 | } | |
212 | None => { }, | |
213 | } | |
73388042 JI |
214 | } |
215 | ||
216 | /// Get the DNS transactions ID (not the internal tracking ID). | |
217 | pub fn tx_id(&self) -> u16 { | |
b7a58680 | 218 | if let &Some(ref request) = &self.request { |
73388042 JI |
219 | return request.header.tx_id; |
220 | } | |
b7a58680 | 221 | if let &Some(ref response) = &self.response { |
73388042 JI |
222 | return response.header.tx_id; |
223 | } | |
224 | ||
225 | // Shouldn't happen. | |
226 | return 0; | |
227 | } | |
228 | ||
229 | /// Get the reply code of the transaction. Note that this will | |
230 | /// also return 0 if there is no reply. | |
231 | pub fn rcode(&self) -> u16 { | |
b7a58680 | 232 | if let &Some(ref response) = &self.response { |
73388042 JI |
233 | return response.header.flags & 0x000f; |
234 | } | |
235 | return 0; | |
236 | } | |
237 | ||
238 | } | |
239 | ||
240 | impl Drop for DNSTransaction { | |
241 | fn drop(&mut self) { | |
242 | self.free(); | |
243 | } | |
244 | } | |
245 | ||
246 | pub struct DNSState { | |
247 | // Internal transaction ID. | |
248 | pub tx_id: u64, | |
249 | ||
250 | // Transactions. | |
251 | pub transactions: Vec<DNSTransaction>, | |
252 | ||
73388042 JI |
253 | pub events: u16, |
254 | ||
255 | pub request_buffer: Vec<u8>, | |
256 | pub response_buffer: Vec<u8>, | |
70808a4f JI |
257 | |
258 | gap: bool, | |
73388042 JI |
259 | } |
260 | ||
261 | impl DNSState { | |
262 | ||
263 | pub fn new() -> DNSState { | |
264 | return DNSState{ | |
265 | tx_id: 0, | |
266 | transactions: Vec::new(), | |
73388042 JI |
267 | events: 0, |
268 | request_buffer: Vec::new(), | |
269 | response_buffer: Vec::new(), | |
70808a4f | 270 | gap: false, |
73388042 JI |
271 | }; |
272 | } | |
273 | ||
274 | /// Allocate a new state with capacites in the buffers for | |
275 | /// potentially buffering as might be needed in TCP. | |
276 | pub fn new_tcp() -> DNSState { | |
277 | return DNSState{ | |
278 | tx_id: 0, | |
279 | transactions: Vec::new(), | |
73388042 JI |
280 | events: 0, |
281 | request_buffer: Vec::with_capacity(0xffff), | |
282 | response_buffer: Vec::with_capacity(0xffff), | |
70808a4f | 283 | gap: false, |
73388042 JI |
284 | }; |
285 | } | |
286 | ||
73388042 JI |
287 | pub fn new_tx(&mut self) -> DNSTransaction { |
288 | let mut tx = DNSTransaction::new(); | |
289 | self.tx_id += 1; | |
290 | tx.id = self.tx_id; | |
291 | return tx; | |
292 | } | |
293 | ||
294 | pub fn free_tx(&mut self, tx_id: u64) { | |
73388042 JI |
295 | let len = self.transactions.len(); |
296 | let mut found = false; | |
297 | let mut index = 0; | |
298 | for i in 0..len { | |
299 | let tx = &self.transactions[i]; | |
300 | if tx.id == tx_id + 1 { | |
301 | found = true; | |
302 | index = i; | |
303 | break; | |
304 | } | |
305 | } | |
306 | if found { | |
f815027c | 307 | self.transactions.remove(index); |
73388042 JI |
308 | } |
309 | } | |
310 | ||
311 | // Purges all transactions except one. This is a stateless parser | |
312 | // so we don't need to hang onto old transactions. | |
313 | // | |
314 | // This is to actually handle an edge case where a DNS flood | |
315 | // occurs in a single direction with no response packets. In such | |
316 | // a case the functions to free a transaction are never called by | |
317 | // the app-layer as they require bidirectional traffic. | |
318 | pub fn purge(&mut self, tx_id: u64) { | |
319 | while self.transactions.len() > MAX_TRANSACTIONS { | |
320 | if self.transactions[0].id == tx_id + 1 { | |
321 | return; | |
322 | } | |
323 | SCLogDebug!("Purging DNS TX with ID {}", self.transactions[0].id); | |
f815027c | 324 | self.transactions.remove(0); |
73388042 JI |
325 | } |
326 | } | |
327 | ||
328 | pub fn get_tx(&mut self, tx_id: u64) -> Option<&DNSTransaction> { | |
329 | SCLogDebug!("get_tx: tx_id={}", tx_id); | |
330 | self.purge(tx_id); | |
331 | for tx in &mut self.transactions { | |
332 | if tx.id == tx_id + 1 { | |
333 | SCLogDebug!("Found DNS TX with ID {}", tx_id); | |
334 | return Some(tx); | |
335 | } | |
336 | } | |
337 | SCLogDebug!("Failed to find DNS TX with ID {}", tx_id); | |
338 | return None; | |
339 | } | |
340 | ||
341 | /// Set an event. The event is set on the most recent transaction. | |
342 | pub fn set_event(&mut self, event: DNSEvent) { | |
343 | let len = self.transactions.len(); | |
344 | if len == 0 { | |
345 | return; | |
346 | } | |
347 | ||
e023ce9a | 348 | let tx = &mut self.transactions[len - 1]; |
73388042 JI |
349 | core::sc_app_layer_decoder_events_set_event_raw(&mut tx.events, |
350 | event as u8); | |
351 | self.events += 1; | |
352 | } | |
353 | ||
354 | pub fn parse_request(&mut self, input: &[u8]) -> bool { | |
355 | match parser::dns_parse_request(input) { | |
356 | nom::IResult::Done(_, request) => { | |
357 | if request.header.flags & 0x8000 != 0 { | |
358 | SCLogDebug!("DNS message is not a request"); | |
359 | self.set_event(DNSEvent::NotRequest); | |
360 | return false; | |
361 | } | |
362 | ||
363 | if request.header.flags & 0x0040 != 0 { | |
364 | SCLogDebug!("Z-flag set on DNS response"); | |
365 | self.set_event(DNSEvent::ZFlagSet); | |
366 | return false; | |
367 | } | |
368 | ||
369 | let mut tx = self.new_tx(); | |
370 | tx.request = Some(request); | |
371 | self.transactions.push(tx); | |
372 | return true; | |
373 | } | |
374 | nom::IResult::Incomplete(_) => { | |
375 | // Insufficient data. | |
376 | SCLogDebug!("Insufficient data while parsing DNS request"); | |
377 | self.set_event(DNSEvent::MalformedData); | |
378 | return false; | |
379 | } | |
380 | nom::IResult::Error(_) => { | |
381 | // Error, probably malformed data. | |
382 | SCLogDebug!("An error occurred while parsing DNS request"); | |
383 | self.set_event(DNSEvent::MalformedData); | |
384 | return false; | |
385 | } | |
386 | } | |
387 | } | |
388 | ||
389 | pub fn parse_response(&mut self, input: &[u8]) -> bool { | |
390 | match parser::dns_parse_response(input) { | |
391 | nom::IResult::Done(_, response) => { | |
392 | ||
393 | SCLogDebug!("Response header flags: {}", response.header.flags); | |
394 | ||
395 | if response.header.flags & 0x8000 == 0 { | |
396 | SCLogDebug!("DNS message is not a response"); | |
397 | self.set_event(DNSEvent::NotResponse); | |
398 | } | |
399 | ||
400 | if response.header.flags & 0x0040 != 0 { | |
401 | SCLogDebug!("Z-flag set on DNS response"); | |
402 | self.set_event(DNSEvent::ZFlagSet); | |
403 | return false; | |
404 | } | |
405 | ||
406 | let mut tx = self.new_tx(); | |
407 | tx.response = Some(response); | |
408 | self.transactions.push(tx); | |
409 | return true; | |
410 | } | |
411 | nom::IResult::Incomplete(_) => { | |
412 | // Insufficient data. | |
413 | SCLogDebug!("Insufficient data while parsing DNS response"); | |
414 | self.set_event(DNSEvent::MalformedData); | |
415 | return false; | |
416 | } | |
417 | nom::IResult::Error(_) => { | |
418 | // Error, probably malformed data. | |
419 | SCLogDebug!("An error occurred while parsing DNS response"); | |
420 | self.set_event(DNSEvent::MalformedData); | |
421 | return false; | |
422 | } | |
423 | } | |
424 | } | |
425 | ||
426 | /// TCP variation of response request parser to handle the length | |
427 | /// prefix as well as buffering. | |
428 | /// | |
429 | /// Always buffer and read from the buffer. Should optimize to skip | |
430 | /// the buffer if not needed. | |
ecc63481 JI |
431 | /// |
432 | /// Returns the number of messages parsed. | |
73388042 | 433 | pub fn parse_request_tcp(&mut self, input: &[u8]) -> i8 { |
70808a4f JI |
434 | if self.gap { |
435 | if probe_tcp(input) { | |
436 | self.gap = false; | |
437 | } else { | |
438 | return 0 | |
439 | } | |
440 | } | |
441 | ||
73388042 JI |
442 | self.request_buffer.extend_from_slice(input); |
443 | ||
ecc63481 | 444 | let mut count = 0; |
73388042 JI |
445 | while self.request_buffer.len() > 0 { |
446 | let size = match nom::be_u16(&self.request_buffer) { | |
ecc63481 JI |
447 | nom::IResult::Done(_, len) => len, |
448 | _ => 0 | |
449 | } as usize; | |
73388042 JI |
450 | SCLogDebug!("Have {} bytes, need {} to parse", |
451 | self.request_buffer.len(), size); | |
ecc63481 | 452 | if size > 0 && self.request_buffer.len() >= size + 2 { |
73388042 JI |
453 | let msg: Vec<u8> = self.request_buffer.drain(0..(size + 2)) |
454 | .collect(); | |
455 | if self.parse_request(&msg[2..]) { | |
ecc63481 | 456 | count += 1 |
73388042 | 457 | } |
ecc63481 JI |
458 | } else { |
459 | SCLogDebug!("Not enough DNS traffic to parse."); | |
460 | break; | |
73388042 | 461 | } |
73388042 | 462 | } |
ecc63481 | 463 | return count; |
73388042 JI |
464 | } |
465 | ||
466 | /// TCP variation of the response parser to handle the length | |
467 | /// prefix as well as buffering. | |
468 | /// | |
469 | /// Always buffer and read from the buffer. Should optimize to skip | |
470 | /// the buffer if not needed. | |
ecc63481 JI |
471 | /// |
472 | /// Returns the number of messages parsed. | |
73388042 | 473 | pub fn parse_response_tcp(&mut self, input: &[u8]) -> i8 { |
70808a4f JI |
474 | if self.gap { |
475 | if probe_tcp(input) { | |
476 | self.gap = false; | |
477 | } else { | |
478 | return 0 | |
479 | } | |
480 | } | |
481 | ||
73388042 | 482 | self.response_buffer.extend_from_slice(input); |
ecc63481 JI |
483 | |
484 | let mut count = 0; | |
485 | while self.response_buffer.len() > 0 { | |
486 | let size = match nom::be_u16(&self.response_buffer) { | |
487 | nom::IResult::Done(_, len) => len, | |
488 | _ => 0 | |
489 | } as usize; | |
490 | if size > 0 && self.response_buffer.len() >= size + 2 { | |
491 | let msg: Vec<u8> = self.response_buffer.drain(0..(size + 2)) | |
492 | .collect(); | |
493 | if self.parse_response(&msg[2..]) { | |
494 | count += 1; | |
495 | } | |
496 | } else { | |
497 | break; | |
73388042 | 498 | } |
73388042 | 499 | } |
ecc63481 | 500 | return count; |
70808a4f JI |
501 | } |
502 | ||
503 | /// A gap has been seen in the request direction. Set the gap flag | |
504 | /// to clear any buffered data. | |
505 | pub fn request_gap(&mut self, gap: u32) { | |
506 | if gap > 0 { | |
507 | self.request_buffer.clear(); | |
508 | self.gap = true; | |
509 | } | |
510 | } | |
511 | ||
512 | /// A gap has been seen in the response direction. Set the gap | |
513 | /// flag to clear any buffered data. | |
514 | pub fn response_gap(&mut self, gap: u32) { | |
515 | if gap > 0 { | |
516 | self.response_buffer.clear(); | |
517 | self.gap = true; | |
518 | } | |
73388042 JI |
519 | } |
520 | } | |
521 | ||
70808a4f JI |
522 | /// Probe input to see if it looks like DNS. |
523 | fn probe(input: &[u8]) -> bool { | |
524 | match parser::dns_parse_request(input) { | |
525 | nom::IResult::Done(_, _) => true, | |
526 | _ => false | |
527 | } | |
528 | } | |
529 | ||
530 | /// Probe TCP input to see if it looks like DNS. | |
531 | pub fn probe_tcp(input: &[u8]) -> bool { | |
532 | match nom::be_u16(input) { | |
3063851d JI |
533 | nom::IResult::Done(rem, _) => { |
534 | return probe(rem); | |
70808a4f JI |
535 | }, |
536 | _ => {} | |
537 | } | |
538 | return false; | |
539 | } | |
540 | ||
73388042 JI |
541 | /// Returns *mut DNSState |
542 | #[no_mangle] | |
543 | pub extern "C" fn rs_dns_state_new() -> *mut libc::c_void { | |
544 | let state = DNSState::new(); | |
545 | let boxed = Box::new(state); | |
546 | return unsafe{transmute(boxed)}; | |
547 | } | |
548 | ||
549 | /// Returns *mut DNSState | |
550 | #[no_mangle] | |
551 | pub extern "C" fn rs_dns_state_tcp_new() -> *mut libc::c_void { | |
552 | let state = DNSState::new_tcp(); | |
553 | let boxed = Box::new(state); | |
554 | return unsafe{transmute(boxed)}; | |
555 | } | |
556 | ||
557 | /// Params: | |
558 | /// - state: *mut DNSState as void pointer | |
559 | #[no_mangle] | |
560 | pub extern "C" fn rs_dns_state_free(state: *mut libc::c_void) { | |
561 | // Just unbox... | |
562 | let _drop: Box<DNSState> = unsafe{transmute(state)}; | |
563 | } | |
564 | ||
565 | #[no_mangle] | |
566 | pub extern "C" fn rs_dns_state_tx_free(state: &mut DNSState, | |
567 | tx_id: libc::uint64_t) | |
568 | { | |
569 | state.free_tx(tx_id); | |
570 | } | |
571 | ||
572 | /// C binding parse a DNS request. Returns 1 on success, -1 on failure. | |
573 | #[no_mangle] | |
574 | pub extern "C" fn rs_dns_parse_request(_flow: *mut core::Flow, | |
575 | state: &mut DNSState, | |
576 | _pstate: *mut libc::c_void, | |
577 | input: *mut libc::uint8_t, | |
578 | input_len: libc::uint32_t, | |
579 | _data: *mut libc::c_void) | |
580 | -> libc::int8_t { | |
581 | let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)}; | |
582 | if state.parse_request(buf) { | |
583 | 1 | |
584 | } else { | |
585 | -1 | |
586 | } | |
587 | } | |
588 | ||
589 | #[no_mangle] | |
590 | pub extern "C" fn rs_dns_parse_response(_flow: *mut core::Flow, | |
591 | state: &mut DNSState, | |
592 | _pstate: *mut libc::c_void, | |
593 | input: *mut libc::uint8_t, | |
594 | input_len: libc::uint32_t, | |
595 | _data: *mut libc::c_void) | |
596 | -> libc::int8_t { | |
597 | let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)}; | |
598 | if state.parse_response(buf) { | |
599 | 1 | |
600 | } else { | |
601 | -1 | |
602 | } | |
603 | } | |
604 | ||
605 | /// C binding parse a DNS request. Returns 1 on success, -1 on failure. | |
606 | #[no_mangle] | |
607 | pub extern "C" fn rs_dns_parse_request_tcp(_flow: *mut core::Flow, | |
608 | state: &mut DNSState, | |
609 | _pstate: *mut libc::c_void, | |
610 | input: *mut libc::uint8_t, | |
611 | input_len: libc::uint32_t, | |
612 | _data: *mut libc::c_void) | |
613 | -> libc::int8_t { | |
70808a4f JI |
614 | if input_len > 0 { |
615 | if input != std::ptr::null_mut() { | |
616 | let buf = unsafe{ | |
617 | std::slice::from_raw_parts(input, input_len as usize)}; | |
618 | return state.parse_request_tcp(buf); | |
619 | } | |
620 | state.request_gap(input_len); | |
621 | } | |
622 | return 0; | |
73388042 JI |
623 | } |
624 | ||
625 | #[no_mangle] | |
626 | pub extern "C" fn rs_dns_parse_response_tcp(_flow: *mut core::Flow, | |
627 | state: &mut DNSState, | |
628 | _pstate: *mut libc::c_void, | |
629 | input: *mut libc::uint8_t, | |
630 | input_len: libc::uint32_t, | |
631 | _data: *mut libc::c_void) | |
632 | -> libc::int8_t { | |
70808a4f JI |
633 | if input_len > 0 { |
634 | if input != std::ptr::null_mut() { | |
635 | let buf = unsafe{ | |
636 | std::slice::from_raw_parts(input, input_len as usize)}; | |
637 | return state.parse_response_tcp(buf); | |
638 | } | |
639 | state.response_gap(input_len); | |
640 | } | |
641 | return 0; | |
73388042 JI |
642 | } |
643 | ||
644 | #[no_mangle] | |
645 | pub extern "C" fn rs_dns_state_progress_completion_status( | |
646 | _direction: libc::uint8_t) | |
647 | -> libc::c_int | |
648 | { | |
649 | SCLogDebug!("rs_dns_state_progress_completion_status"); | |
650 | return 1; | |
651 | } | |
652 | ||
653 | #[no_mangle] | |
654 | pub extern "C" fn rs_dns_tx_get_alstate_progress(_tx: &mut DNSTransaction, | |
655 | _direction: libc::uint8_t) | |
656 | -> libc::uint8_t | |
657 | { | |
658 | // This is a stateless parser, just the existence of a transaction | |
659 | // means its complete. | |
660 | SCLogDebug!("rs_dns_tx_get_alstate_progress"); | |
661 | return 1; | |
662 | } | |
663 | ||
98eca552 VJ |
664 | #[no_mangle] |
665 | pub extern "C" fn rs_dns_tx_set_detect_flags(tx: &mut DNSTransaction, | |
666 | dir: libc::uint8_t, | |
667 | flags: libc::uint64_t) | |
668 | { | |
669 | if dir & core::STREAM_TOSERVER != 0 { | |
670 | tx.detect_flags_ts = flags as u64; | |
671 | } else { | |
672 | tx.detect_flags_tc = flags as u64; | |
673 | } | |
674 | } | |
675 | ||
676 | #[no_mangle] | |
677 | pub extern "C" fn rs_dns_tx_get_detect_flags(tx: &mut DNSTransaction, | |
678 | dir: libc::uint8_t) | |
679 | -> libc::uint64_t | |
680 | { | |
681 | if dir & core::STREAM_TOSERVER != 0 { | |
682 | return tx.detect_flags_ts as libc::uint64_t; | |
683 | } else { | |
684 | return tx.detect_flags_tc as libc::uint64_t; | |
685 | } | |
686 | } | |
687 | ||
73388042 JI |
688 | #[no_mangle] |
689 | pub extern "C" fn rs_dns_tx_set_logged(_state: &mut DNSState, | |
690 | tx: &mut DNSTransaction, | |
bca0cd71 | 691 | logged: libc::uint32_t) |
73388042 | 692 | { |
bca0cd71 | 693 | tx.logged.set(logged); |
73388042 JI |
694 | } |
695 | ||
696 | #[no_mangle] | |
697 | pub extern "C" fn rs_dns_tx_get_logged(_state: &mut DNSState, | |
bca0cd71 VJ |
698 | tx: &mut DNSTransaction) |
699 | -> u32 | |
73388042 | 700 | { |
bca0cd71 | 701 | return tx.logged.get(); |
73388042 JI |
702 | } |
703 | ||
704 | #[no_mangle] | |
705 | pub extern "C" fn rs_dns_state_get_tx_count(state: &mut DNSState) | |
706 | -> libc::uint64_t | |
707 | { | |
708 | SCLogDebug!("rs_dns_state_get_tx_count: returning {}", state.tx_id); | |
709 | return state.tx_id; | |
710 | } | |
711 | ||
712 | #[no_mangle] | |
713 | pub extern "C" fn rs_dns_state_get_tx(state: &mut DNSState, | |
714 | tx_id: libc::uint64_t) | |
715 | -> *mut DNSTransaction | |
716 | { | |
717 | match state.get_tx(tx_id) { | |
718 | Some(tx) => { | |
719 | return unsafe{transmute(tx)}; | |
720 | } | |
721 | None => { | |
722 | return std::ptr::null_mut(); | |
723 | } | |
724 | } | |
725 | } | |
726 | ||
73388042 JI |
727 | #[no_mangle] |
728 | pub extern "C" fn rs_dns_state_set_tx_detect_state( | |
73388042 JI |
729 | tx: &mut DNSTransaction, |
730 | de_state: &mut core::DetectEngineState) | |
731 | { | |
73388042 JI |
732 | tx.de_state = Some(de_state); |
733 | } | |
734 | ||
735 | #[no_mangle] | |
736 | pub extern "C" fn rs_dns_state_get_tx_detect_state( | |
737 | tx: &mut DNSTransaction) | |
738 | -> *mut core::DetectEngineState | |
739 | { | |
740 | match tx.de_state { | |
741 | Some(ds) => { | |
742 | return ds; | |
743 | }, | |
744 | None => { | |
745 | return std::ptr::null_mut(); | |
746 | } | |
747 | } | |
748 | } | |
749 | ||
73388042 JI |
750 | #[no_mangle] |
751 | pub extern "C" fn rs_dns_state_get_events(state: &mut DNSState, | |
752 | tx_id: libc::uint64_t) | |
753 | -> *mut core::AppLayerDecoderEvents | |
754 | { | |
755 | match state.get_tx(tx_id) { | |
756 | Some(tx) => { | |
757 | return tx.events; | |
758 | } | |
759 | _ => { | |
760 | return std::ptr::null_mut(); | |
761 | } | |
762 | } | |
763 | } | |
764 | ||
765 | #[no_mangle] | |
766 | pub extern "C" fn rs_dns_tx_get_query_name(tx: &mut DNSTransaction, | |
767 | i: libc::uint16_t, | |
768 | buf: *mut *const libc::uint8_t, | |
769 | len: *mut libc::uint32_t) | |
770 | -> libc::uint8_t | |
771 | { | |
b7a58680 | 772 | if let &Some(ref request) = &tx.request { |
73388042 JI |
773 | if (i as usize) < request.queries.len() { |
774 | let query = &request.queries[i as usize]; | |
775 | if query.name.len() > 0 { | |
776 | unsafe { | |
777 | *len = query.name.len() as libc::uint32_t; | |
778 | *buf = query.name.as_ptr(); | |
779 | } | |
780 | return 1; | |
781 | } | |
782 | } | |
783 | } | |
784 | return 0; | |
785 | } | |
786 | ||
787 | /// Get the DNS transaction ID of a transaction. | |
788 | // | |
789 | /// extern uint16_t rs_dns_tx_get_tx_id(RSDNSTransaction *); | |
790 | #[no_mangle] | |
791 | pub extern "C" fn rs_dns_tx_get_tx_id(tx: &mut DNSTransaction) -> libc::uint16_t | |
792 | { | |
793 | return tx.tx_id() | |
794 | } | |
795 | ||
796 | /// Get the DNS response flags for a transaction. | |
797 | /// | |
798 | /// extern uint16_t rs_dns_tx_get_response_flags(RSDNSTransaction *); | |
799 | #[no_mangle] | |
800 | pub extern "C" fn rs_dns_tx_get_response_flags(tx: &mut DNSTransaction) | |
801 | -> libc::uint16_t | |
802 | { | |
803 | return tx.rcode(); | |
804 | } | |
805 | ||
806 | #[no_mangle] | |
807 | pub extern "C" fn rs_dns_tx_get_query_rrtype(tx: &mut DNSTransaction, | |
808 | i: libc::uint16_t, | |
809 | rrtype: *mut libc::uint16_t) | |
810 | -> libc::uint8_t | |
811 | { | |
b7a58680 | 812 | if let &Some(ref request) = &tx.request { |
73388042 JI |
813 | if (i as usize) < request.queries.len() { |
814 | let query = &request.queries[i as usize]; | |
815 | if query.name.len() > 0 { | |
816 | unsafe { | |
817 | *rrtype = query.rrtype; | |
818 | } | |
819 | return 1; | |
820 | } | |
821 | } | |
822 | } | |
823 | return 0; | |
824 | } | |
825 | ||
826 | #[no_mangle] | |
827 | pub extern "C" fn rs_dns_probe(input: *const libc::uint8_t, len: libc::uint32_t) | |
828 | -> libc::uint8_t | |
829 | { | |
830 | let slice: &[u8] = unsafe { | |
831 | std::slice::from_raw_parts(input as *mut u8, len as usize) | |
832 | }; | |
70808a4f JI |
833 | if probe(slice) { |
834 | return 1; | |
73388042 | 835 | } |
70808a4f | 836 | return 0; |
73388042 JI |
837 | } |
838 | ||
839 | #[no_mangle] | |
840 | pub extern "C" fn rs_dns_probe_tcp(input: *const libc::uint8_t, | |
841 | len: libc::uint32_t) | |
842 | -> libc::uint8_t | |
843 | { | |
844 | let slice: &[u8] = unsafe { | |
845 | std::slice::from_raw_parts(input as *mut u8, len as usize) | |
846 | }; | |
70808a4f JI |
847 | if probe_tcp(slice) { |
848 | return 1; | |
73388042 JI |
849 | } |
850 | return 0; | |
851 | } | |
852 | ||
853 | #[cfg(test)] | |
854 | mod tests { | |
855 | ||
ecc63481 JI |
856 | use dns::dns::DNSState; |
857 | ||
858 | #[test] | |
859 | fn test_dns_parse_request_tcp_valid() { | |
860 | // A UDP DNS request with the DNS payload starting at byte 42. | |
861 | // From pcap: https://github.com/jasonish/suricata-verify/blob/7cc0e1bd0a5249b52e6e87d82d57c0b6aaf75fce/dns-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap | |
862 | let buf: &[u8] = &[ | |
863 | 0x00, 0x15, 0x17, 0x0d, 0x06, 0xf7, 0xd8, 0xcb, /* ........ */ | |
864 | 0x8a, 0xed, 0xa1, 0x46, 0x08, 0x00, 0x45, 0x00, /* ...F..E. */ | |
865 | 0x00, 0x4d, 0x23, 0x11, 0x00, 0x00, 0x40, 0x11, /* .M#...@. */ | |
866 | 0x41, 0x64, 0x0a, 0x10, 0x01, 0x0b, 0x0a, 0x10, /* Ad...... */ | |
867 | 0x01, 0x01, 0xa3, 0x4d, 0x00, 0x35, 0x00, 0x39, /* ...M.5.9 */ | |
868 | 0xb2, 0xb3, 0x8d, 0x32, 0x01, 0x20, 0x00, 0x01, /* ...2. .. */ | |
869 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x77, /* .......w */ | |
870 | 0x77, 0x77, 0x0c, 0x73, 0x75, 0x72, 0x69, 0x63, /* ww.suric */ | |
871 | 0x61, 0x74, 0x61, 0x2d, 0x69, 0x64, 0x73, 0x03, /* ata-ids. */ | |
872 | 0x6f, 0x72, 0x67, 0x00, 0x00, 0x01, 0x00, 0x01, /* org..... */ | |
873 | 0x00, 0x00, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, /* ..)..... */ | |
874 | 0x00, 0x00, 0x00 /* ... */ | |
875 | ]; | |
876 | ||
877 | // The DNS payload starts at offset 42. | |
878 | let dns_payload = &buf[42..]; | |
879 | ||
880 | // Make a TCP DNS request payload. | |
881 | let mut request = Vec::new(); | |
882 | request.push(((dns_payload.len() as u16) >> 8) as u8); | |
883 | request.push(((dns_payload.len() as u16) & 0xff) as u8); | |
884 | request.extend(dns_payload); | |
885 | ||
886 | let mut state = DNSState::new(); | |
887 | assert_eq!(1, state.parse_request_tcp(&request)); | |
888 | } | |
889 | ||
73388042 | 890 | #[test] |
ecc63481 JI |
891 | fn test_dns_parse_request_tcp_short_payload() { |
892 | // A UDP DNS request with the DNS payload starting at byte 42. | |
893 | // From pcap: https://github.com/jasonish/suricata-verify/blob/7cc0e1bd0a5249b52e6e87d82d57c0b6aaf75fce/dns-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap | |
73388042 | 894 | let buf: &[u8] = &[ |
ecc63481 JI |
895 | 0x00, 0x15, 0x17, 0x0d, 0x06, 0xf7, 0xd8, 0xcb, /* ........ */ |
896 | 0x8a, 0xed, 0xa1, 0x46, 0x08, 0x00, 0x45, 0x00, /* ...F..E. */ | |
897 | 0x00, 0x4d, 0x23, 0x11, 0x00, 0x00, 0x40, 0x11, /* .M#...@. */ | |
898 | 0x41, 0x64, 0x0a, 0x10, 0x01, 0x0b, 0x0a, 0x10, /* Ad...... */ | |
899 | 0x01, 0x01, 0xa3, 0x4d, 0x00, 0x35, 0x00, 0x39, /* ...M.5.9 */ | |
900 | 0xb2, 0xb3, 0x8d, 0x32, 0x01, 0x20, 0x00, 0x01, /* ...2. .. */ | |
901 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x77, /* .......w */ | |
902 | 0x77, 0x77, 0x0c, 0x73, 0x75, 0x72, 0x69, 0x63, /* ww.suric */ | |
903 | 0x61, 0x74, 0x61, 0x2d, 0x69, 0x64, 0x73, 0x03, /* ata-ids. */ | |
904 | 0x6f, 0x72, 0x67, 0x00, 0x00, 0x01, 0x00, 0x01, /* org..... */ | |
905 | 0x00, 0x00, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, /* ..)..... */ | |
906 | 0x00, 0x00, 0x00 /* ... */ | |
73388042 | 907 | ]; |
ecc63481 JI |
908 | |
909 | // The DNS payload starts at offset 42. | |
910 | let dns_payload = &buf[42..]; | |
911 | ||
912 | // Make a TCP DNS request payload but with the length 1 larger | |
913 | // than the available data. | |
914 | let mut request = Vec::new(); | |
915 | request.push(((dns_payload.len() as u16) >> 8) as u8); | |
d83707be | 916 | request.push(((dns_payload.len() as u16) & 0xff) as u8 + 1); |
ecc63481 JI |
917 | request.extend(dns_payload); |
918 | ||
919 | let mut state = DNSState::new(); | |
920 | assert_eq!(0, state.parse_request_tcp(&request)); | |
921 | } | |
922 | ||
923 | #[test] | |
924 | fn test_dns_parse_response_tcp_valid() { | |
925 | // A UDP DNS response with the DNS payload starting at byte 42. | |
926 | // From pcap: https://github.com/jasonish/suricata-verify/blob/7cc0e1bd0a5249b52e6e87d82d57c0b6aaf75fce/dns-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap | |
927 | let buf: &[u8] = &[ | |
928 | 0xd8, 0xcb, 0x8a, 0xed, 0xa1, 0x46, 0x00, 0x15, /* .....F.. */ | |
929 | 0x17, 0x0d, 0x06, 0xf7, 0x08, 0x00, 0x45, 0x00, /* ......E. */ | |
930 | 0x00, 0x80, 0x65, 0x4e, 0x40, 0x00, 0x40, 0x11, /* ..eN@.@. */ | |
931 | 0xbe, 0xf3, 0x0a, 0x10, 0x01, 0x01, 0x0a, 0x10, /* ........ */ | |
932 | 0x01, 0x0b, 0x00, 0x35, 0xa3, 0x4d, 0x00, 0x6c, /* ...5.M.l */ | |
933 | 0x8d, 0x8c, 0x8d, 0x32, 0x81, 0xa0, 0x00, 0x01, /* ...2.... */ | |
934 | 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x03, 0x77, /* .......w */ | |
935 | 0x77, 0x77, 0x0c, 0x73, 0x75, 0x72, 0x69, 0x63, /* ww.suric */ | |
936 | 0x61, 0x74, 0x61, 0x2d, 0x69, 0x64, 0x73, 0x03, /* ata-ids. */ | |
937 | 0x6f, 0x72, 0x67, 0x00, 0x00, 0x01, 0x00, 0x01, /* org..... */ | |
938 | 0xc0, 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, /* ........ */ | |
939 | 0x0d, 0xd8, 0x00, 0x12, 0x0c, 0x73, 0x75, 0x72, /* .....sur */ | |
940 | 0x69, 0x63, 0x61, 0x74, 0x61, 0x2d, 0x69, 0x64, /* icata-id */ | |
941 | 0x73, 0x03, 0x6f, 0x72, 0x67, 0x00, 0xc0, 0x32, /* s.org..2 */ | |
942 | 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0xf4, /* ........ */ | |
943 | 0x00, 0x04, 0xc0, 0x00, 0x4e, 0x18, 0xc0, 0x32, /* ....N..2 */ | |
944 | 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0xf4, /* ........ */ | |
945 | 0x00, 0x04, 0xc0, 0x00, 0x4e, 0x19 /* ....N. */ | |
946 | ]; | |
947 | ||
948 | // The DNS payload starts at offset 42. | |
949 | let dns_payload = &buf[42..]; | |
950 | ||
951 | // Make a TCP DNS response payload. | |
952 | let mut request = Vec::new(); | |
953 | request.push(((dns_payload.len() as u16) >> 8) as u8); | |
954 | request.push(((dns_payload.len() as u16) & 0xff) as u8); | |
955 | request.extend(dns_payload); | |
956 | ||
957 | let mut state = DNSState::new(); | |
958 | assert_eq!(1, state.parse_response_tcp(&request)); | |
959 | } | |
960 | ||
961 | // Test that a TCP DNS payload won't be parsed if there is not | |
962 | // enough data. | |
963 | #[test] | |
964 | fn test_dns_parse_response_tcp_short_payload() { | |
965 | // A UDP DNS response with the DNS payload starting at byte 42. | |
966 | // From pcap: https://github.com/jasonish/suricata-verify/blob/7cc0e1bd0a5249b52e6e87d82d57c0b6aaf75fce/dns-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap | |
967 | let buf: &[u8] = &[ | |
968 | 0xd8, 0xcb, 0x8a, 0xed, 0xa1, 0x46, 0x00, 0x15, /* .....F.. */ | |
969 | 0x17, 0x0d, 0x06, 0xf7, 0x08, 0x00, 0x45, 0x00, /* ......E. */ | |
970 | 0x00, 0x80, 0x65, 0x4e, 0x40, 0x00, 0x40, 0x11, /* ..eN@.@. */ | |
971 | 0xbe, 0xf3, 0x0a, 0x10, 0x01, 0x01, 0x0a, 0x10, /* ........ */ | |
972 | 0x01, 0x0b, 0x00, 0x35, 0xa3, 0x4d, 0x00, 0x6c, /* ...5.M.l */ | |
973 | 0x8d, 0x8c, 0x8d, 0x32, 0x81, 0xa0, 0x00, 0x01, /* ...2.... */ | |
974 | 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x03, 0x77, /* .......w */ | |
975 | 0x77, 0x77, 0x0c, 0x73, 0x75, 0x72, 0x69, 0x63, /* ww.suric */ | |
976 | 0x61, 0x74, 0x61, 0x2d, 0x69, 0x64, 0x73, 0x03, /* ata-ids. */ | |
977 | 0x6f, 0x72, 0x67, 0x00, 0x00, 0x01, 0x00, 0x01, /* org..... */ | |
978 | 0xc0, 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, /* ........ */ | |
979 | 0x0d, 0xd8, 0x00, 0x12, 0x0c, 0x73, 0x75, 0x72, /* .....sur */ | |
980 | 0x69, 0x63, 0x61, 0x74, 0x61, 0x2d, 0x69, 0x64, /* icata-id */ | |
981 | 0x73, 0x03, 0x6f, 0x72, 0x67, 0x00, 0xc0, 0x32, /* s.org..2 */ | |
982 | 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0xf4, /* ........ */ | |
983 | 0x00, 0x04, 0xc0, 0x00, 0x4e, 0x18, 0xc0, 0x32, /* ....N..2 */ | |
984 | 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0xf4, /* ........ */ | |
985 | 0x00, 0x04, 0xc0, 0x00, 0x4e, 0x19 /* ....N. */ | |
986 | ]; | |
987 | ||
988 | // The DNS payload starts at offset 42. | |
989 | let dns_payload = &buf[42..]; | |
990 | ||
991 | // Make a TCP DNS response payload, but make the length 1 byte | |
992 | // larger than the actual size. | |
993 | let mut request = Vec::new(); | |
994 | request.push(((dns_payload.len() as u16) >> 8) as u8); | |
995 | request.push((((dns_payload.len() as u16) & 0xff) + 1) as u8); | |
996 | request.extend(dns_payload); | |
997 | ||
998 | let mut state = DNSState::new(); | |
999 | assert_eq!(0, state.parse_response_tcp(&request)); | |
73388042 JI |
1000 | } |
1001 | } |