Merge pull request #2246 in SNORT/snort3 from ~ZHIJLIU/snort3:nested_tunnel to master

Squashed commit of the following:

commit 497806c24b5e398140cf61dcff13901fd3443ffb
Author: Louis Zhijun Liu <zhijliu@cisco.com>
Date:   Sun Jun 7 21:12:17 2020 -0700

    codecs: add tunnel bypass logic based on DAQ payload_offset

diff --git a/src/protocols/packet_manager.cc b/src/protocols/packet_manager.cc
index e70caf14072dceaff789e28ec888bfbdd35f51e7..16d2a96b003df713edd3b2f7f8bdd4046e6960fd 100644 (file)
--- a/src/protocols/packet_manager.cc
+++ b/src/protocols/packet_manager.cc
@@ -23,6 +23,7 @@
 
 #include "packet_manager.h"
 
+#include <daq.h>
 #include <mutex>
 
 #include "codecs/codec_module.h"
@@ -113,6 +114,18 @@ void PacketManager::pop_teredo(Packet* p, RawData& raw)
     raw.len += lyr_len;
 }
 
+static inline bool payload_offset_from_daq_mismatch(const uint8_t* pkt, const RawData& raw)
+{
+    const DAQ_PktDecodeData_t* pdd =
+        (const DAQ_PktDecodeData_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_DECODE_DATA);
+    if ( !pdd || (pdd->payload_offset == DAQ_PKT_DECODE_OFFSET_INVALID) )
+        return false;
+    // compare payload offset from DAQ with decoded data offset 
+    if ( raw.data - pkt != pdd->payload_offset )
+        return true;
+    return false;
+}
+
 //-------------------------------------------------------------------------
 // Initialization and setup
 //-------------------------------------------------------------------------
@@ -307,6 +320,9 @@ void PacketManager::decode(
         }
     }
 
+    if ( payload_offset_from_daq_mismatch(pkt, raw) )
+        p->active->set_tunnel_bypass();
+
     // set any final Packet fields
     p->data = raw.data;
     p->dsize = (uint16_t)raw.len;