{ DECODE_ICMPV6_NODE_INFO_BAD_CODE,
"ICMPv6 node info query/response packet with a code greater than 2" },
{ DECODE_ICMP6_NOT_IP6, "ICMPv6 not encapsulated in IPv6" },
+ { DECODE_ICMP6_OPT_ZERO_LENGTH, "ICMPv6 option length field is set to 0" },
{ 0, nullptr }
};
private:
bool valid_checksum_from_daq(const RawData&);
+ template<typename OptionType>
+ inline void validate_ndp_option(CodecData &codec, const OptionType* const icmp_pkt,
+ const uint16_t min_len, const uint16_t dsize);
};
} // anonymous namespace
return true;
}
+template <typename NDPType>
+void Icmp6Codec::validate_ndp_option(CodecData &codec, const NDPType* const icmp_pkt,
+ const uint16_t min_len, const uint16_t dsize)
+{
+ const uint16_t real_size = dsize + icmp::ICMP6_HEADER_MIN_LEN;
+ bool option_field_not_exists = real_size == min_len;
+ if (option_field_not_exists)
+ return;
+
+ assert(real_size > min_len - icmp::ICMP6_HEADER_MIN_LEN);
+ // Based on RFC2461, for types 133-137, "option" field depends on version
+ // of implementation, so there's no unified format for all types.
+ assert(icmp_pkt->type >= 133 && icmp_pkt->type <= 137);
+
+ const uint8_t* const icmp_pkt_ptr = (const uint8_t* const)icmp_pkt;
+ const uint8_t* curr_option_ptr = (const uint8_t* const)&icmp_pkt->options_start;
+
+ while (real_size > curr_option_ptr - icmp_pkt_ptr )
+ {
+ assert(curr_option_ptr > icmp_pkt_ptr);
+ bool field_incomplete = real_size == curr_option_ptr - icmp_pkt_ptr + 1;
+ if (field_incomplete)
+ return; // FIXIT-L good candidate for new builtin rule
+
+ const icmp::NDPOptionFormatBasic* curr_option = (const icmp::NDPOptionFormatBasic*)curr_option_ptr;
+
+ // Right now, only option types explicitly specified in RFC4861 are supported
+ if (curr_option->type == 0 || curr_option->type > 5)
+ return; // FIXIT-L good candidate for non-supported option field
+
+ if (curr_option->length == 0)
+ {
+ codec_event(codec, DECODE_ICMP6_OPT_ZERO_LENGTH);
+ return;
+ }
+
+ curr_option_ptr += curr_option->length * 8;
+ }
+}
+
bool Icmp6Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
{
if (raw.len < icmp::ICMP6_HEADER_MIN_LEN)
}
break;
+ case icmp::Icmp6Types::ROUTER_SOLICITATION:
+ if (dsize >= (ICMPv6_RS_MIN_LEN - icmp::ICMP6_HEADER_MIN_LEN))
+ {
+ const icmp::ICMP6RouterSolicitation* rs = (const icmp::ICMP6RouterSolicitation*)raw.data;
+
+ if (rs->code != 0)
+ codec_event(codec, DECODE_ICMPV6_SOLICITATION_BAD_CODE);
+
+ if (ntohl(rs->reserved) != 0)
+ codec_event(codec, DECODE_ICMPV6_SOLICITATION_BAD_RESERVED);
+
+ validate_ndp_option(codec, rs, ICMPv6_RS_MIN_LEN, dsize);
+ }
+ else
+ {
+ codec_event(codec, DECODE_ICMP_DGRAM_LT_ICMPHDR);
+ return false;
+ }
+ break;
+
case icmp::Icmp6Types::ROUTER_ADVERTISEMENT:
- if (dsize >= (sizeof(icmp::ICMP6RouterAdvertisement) - icmp::ICMP6_HEADER_MIN_LEN))
+ if (dsize >= (ICMPv6_RA_MIN_LEN - icmp::ICMP6_HEADER_MIN_LEN))
{
const icmp::ICMP6RouterAdvertisement* ra = (const icmp::ICMP6RouterAdvertisement*)raw.data;
if (ntohl(ra->reachable_time) > 3600000)
codec_event(codec, DECODE_ICMPV6_ADVERT_BAD_REACHABLE);
+
+ validate_ndp_option(codec, ra, ICMPv6_RA_MIN_LEN, dsize);
}
else
{
}
break;
- case icmp::Icmp6Types::ROUTER_SOLICITATION:
- if (dsize >= (sizeof(icmp::ICMP6RouterSolicitation) - icmp::ICMP6_HEADER_MIN_LEN))
+ case icmp::Icmp6Types::NEIGHBOR_SOLICITATION:
+ if (dsize >= (ICMPv6_NS_MIN_LEN - icmp::ICMP6_HEADER_MIN_LEN))
{
- const icmp::ICMP6RouterSolicitation* rs = (const icmp::ICMP6RouterSolicitation*)raw.data;
- if (rs->code != 0)
- codec_event(codec, DECODE_ICMPV6_SOLICITATION_BAD_CODE);
+ const icmp::ICMP6NeighborSolicitation* ns = (const icmp::ICMP6NeighborSolicitation*)raw.data;
- if (ntohl(rs->reserved) != 0)
- codec_event(codec, DECODE_ICMPV6_SOLICITATION_BAD_RESERVED);
+ validate_ndp_option(codec, ns, ICMPv6_NS_MIN_LEN, dsize);
+ }
+ else
+ {
+ codec_event(codec, DECODE_ICMP_DGRAM_LT_ICMPHDR);
+ return false;
+ }
+ break;
+
+ case icmp::Icmp6Types::NEIGHBOR_ADVERTISEMENT:
+ if (dsize >= (ICMPv6_NA_MIN_LEN - icmp::ICMP6_HEADER_MIN_LEN))
+ {
+ const icmp::ICMP6NeighborAdvertisement* na = (const icmp::ICMP6NeighborAdvertisement*)raw.data;
+
+ validate_ndp_option(codec, na, ICMPv6_NA_MIN_LEN, dsize);
+ }
+ else
+ {
+ codec_event(codec, DECODE_ICMP_DGRAM_LT_ICMPHDR);
+ return false;
+ }
+ break;
+
+ case icmp::Icmp6Types::REDIRECT6:
+ if (dsize >= (ICMPv6_RD_MIN_LEN - icmp::ICMP6_HEADER_MIN_LEN))
+ {
+ const icmp::ICMP6Redirect* rd = (const icmp::ICMP6Redirect*)raw.data;
+
+ validate_ndp_option(codec, rd, ICMPv6_RD_MIN_LEN, dsize);
}
else
{
case icmp::Icmp6Types::MULTICAST_LISTENER_QUERY:
case icmp::Icmp6Types::MULTICAST_LISTENER_REPORT:
case icmp::Icmp6Types::MULTICAST_LISTENER_DONE:
- case icmp::Icmp6Types::NEIGHBOR_SOLICITATION:
- case icmp::Icmp6Types::NEIGHBOR_ADVERTISEMENT:
- case icmp::Icmp6Types::REDIRECT6:
case icmp::Icmp6Types::INVERSE_NEIGHBOR_DISCOVERY_SOLICITATION:
case icmp::Icmp6Types::INVERSE_NEIGHBOR_DISCOVERY_ADVERTISEMENT:
case icmp::Icmp6Types::VERSION_2_MULTICAST_LISTENER_REPORT:
#define ICMPv6_NS_MIN_LEN 24
#define ICMPv6_NA_MIN_LEN 24
-#define ICMPv6_RS_MIN_LEN 24
+#define ICMPv6_RS_MIN_LEN 8
#define ICMPv6_RA_MIN_LEN 16
+#define ICMPv6_RD_MIN_LEN 40
#define ICMPV6_OPTION_SOURCE_LINKLAYER_ADDRESS 1
#define ICMPV6_OPTION_TARGET_LINKLAYER_ADDRESS 2
#define ICMPV6_OPTION_REDIRECT_HEADER 4
#define ICMPV6_OPTION_MTU 5
-//enum class Icmp6Types : std::uint8_t
enum Icmp6Types : std::uint8_t
{
DESTINATION_UNREACHABLE = 1,
uint32_t mtu;
};
+struct NDPOptionFormatBasic
+{
+ uint8_t type;
+ uint8_t length;
+ // everything from this point depends on protocol,
+ // so should be implemented in a different structure
+};
+
struct ICMP6RouterAdvertisement
{
uint8_t type;
uint16_t lifetime;
uint32_t reachable_time;
uint32_t retrans_time;
+ NDPOptionFormatBasic* options_start;
};
struct ICMP6RouterSolicitation
uint8_t code;
uint16_t csum;
uint32_t reserved;
+ NDPOptionFormatBasic* options_start;
};
struct ICMP6NodeInfo
uint16_t flags;
uint64_t nonce;
};
+
+struct ICMP6NeighborSolicitation
+{
+ uint8_t type;
+ uint8_t code;
+ uint16_t csum;
+ uint32_t reserved;
+ uint64_t target_address_1;
+ uint64_t target_address_2;
+ NDPOptionFormatBasic* options_start;
+};
+
+struct ICMP6NeighborAdvertisement
+{
+ uint8_t type;
+ uint8_t code;
+ uint16_t csum;
+ uint32_t flags; // flags (3 bit) + reserved bytes
+ uint64_t target_address_1;
+ uint64_t target_address_2;
+ NDPOptionFormatBasic* options_start;
+};
+
+struct ICMP6Redirect
+{
+ uint8_t type;
+ uint8_t code;
+ uint16_t csum;
+ uint32_t reserved;
+ uint64_t target_address_1;
+ uint64_t target_address_2;
+ uint64_t dst_address_1;
+ uint64_t dst_address_2;
+ NDPOptionFormatBasic* options_start;
+};
+
} // namespace icmp
} // namespace snort
projects / thirdparty / snort3.git / commitdiff
