decode/pppoe: Don't mark expected PPP protos as unsupported

After upgrading from 7.0.6 to 7.0.8, regular ppp packets are getting
dropped when ppp rules in decoder-events.rules were set as drop.
This was caused by commit a8f35806 ("detect: fix decoder only events").
Previously these rules would not be alerted or dropped.

It turns out several PPP protocols in a switch statement were falling
into the PPP_UNSUP_PROTO case. This has always been the case, I assume
the intention was that they don't get further inspected for size and
other decode errors hence unsupported.
But really some of the protocols are fundamentally required for a PPP
connection to take place.

Change some types that we know should be allowed to pass this.

Ticket: 7651

diff --git a/src/decode-ppp.c b/src/decode-ppp.c
index ff17643145937f7e6df6c02a7818a5c823080035..7d502e290e218e09fc57c715b26f6af075ce430c 100644 (file)
--- a/src/decode-ppp.c
+++ b/src/decode-ppp.c
@@ -129,6 +129,18 @@ static int DecodePPPUncompressedProto(ThreadVars *tv, DecodeThreadVars *dtv, Pac
 
             return DecodeIPV6(tv, dtv, p, pkt + data_offset, (uint16_t)(len - data_offset));
 
+        case PPP_IPCP:
+        case PPP_IPV6CP:
+        case PPP_LCP:
+        case PPP_PAP:
+        case PPP_CHAP:
+        case PPP_CCP:
+        case PPP_LQM:
+        case PPP_CBCP:
+        case PPP_COMP_DGRAM:
+            /* Valid types to be in PPP but don't inspect validity. */
+            return TM_ECODE_OK;
+
         case PPP_VJ_COMP:
         case PPP_IPX:
         case PPP_OSI:
@@ -143,7 +155,6 @@ static int DecodePPPUncompressedProto(ThreadVars *tv, DecodeThreadVars *dtv, Pac
         case PPP_SNS:
         case PPP_MPLS_UCAST:
         case PPP_MPLS_MCAST:
-        case PPP_IPCP:
         case PPP_OSICP:
         case PPP_NSCP:
         case PPP_DECNETCP:
@@ -151,15 +162,7 @@ static int DecodePPPUncompressedProto(ThreadVars *tv, DecodeThreadVars *dtv, Pac
         case PPP_IPXCP:
         case PPP_STIICP:
         case PPP_VINESCP:
-        case PPP_IPV6CP:
         case PPP_MPLSCP:
-        case PPP_LCP:
-        case PPP_PAP:
-        case PPP_LQM:
-        case PPP_CHAP:
-        case PPP_CCP:
-        case PPP_CBCP:
-        case PPP_COMP_DGRAM:
             ENGINE_SET_EVENT(p, PPP_UNSUP_PROTO);
             return TM_ECODE_OK;
 

diff --git a/src/decode-pppoe.c b/src/decode-pppoe.c
index 53bf94ed449cc5e7f21ff64ff05b09a3c9d31b6e..bf138878465c019981302c515ae365c53fd7c088 100644 (file)
--- a/src/decode-pppoe.c
+++ b/src/decode-pppoe.c
@@ -179,7 +179,6 @@ int DecodePPPOESession(
             case PPP_SNS:
             case PPP_MPLS_UCAST:
             case PPP_MPLS_MCAST:
-            case PPP_IPCP:
             case PPP_OSICP:
             case PPP_NSCP:
             case PPP_DECNETCP:
@@ -187,13 +186,20 @@ int DecodePPPOESession(
             case PPP_IPXCP:
             case PPP_STIICP:
             case PPP_VINESCP:
-            case PPP_IPV6CP:
             case PPP_MPLSCP:
+                ENGINE_SET_EVENT(p, PPP_UNSUP_PROTO);
+                break;
+
+            case PPP_IPCP:
+            case PPP_IPV6CP:
             case PPP_LCP:
             case PPP_PAP:
-            case PPP_LQM:
             case PPP_CHAP:
-                ENGINE_SET_EVENT(p, PPP_UNSUP_PROTO);
+            case PPP_CCP:
+            case PPP_LQM:
+            case PPP_CBCP:
+            case PPP_COMP_DGRAM:
+                /* Valid types to be in PPP but don't inspect validity. */
                 break;
 
             case PPP_VJ_UCOMP: