ipv6: improve handling of packets with duplicate (or more) ipv6 extension headers.

diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index a29540fa8a522b2bd1a5ecd0f216678dd224e0b6..9e49d570972894477317c59bc28829e0cfd49827 100644 (file)
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -89,6 +89,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
                 SCReturn;
 
             case IPPROTO_ROUTING:
+                IPV6_SET_L4PROTO(p,nh);
                 hdrextlen = 8 + (*(pkt+1) * 8);  /* 8 bytes + length in 8 octet units */
 
                 SCLogDebug("hdrextlen %"PRIu8, hdrextlen);
@@ -149,6 +150,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
                 IPV6OptJumbo *jumbo = NULL;
                 uint8_t optslen = 0;
 
+                IPV6_SET_L4PROTO(p,nh);
                 hdrextlen =  (*(pkt+1) + 1) << 3;
                 if (hdrextlen > plen) {
                     ENGINE_SET_EVENT(p, IPV6_TRUNC_EXTHDR);
@@ -274,6 +276,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
             }
 
             case IPPROTO_FRAGMENT:
+                IPV6_SET_L4PROTO(p,nh);
                 /* store the offset of this extension into the packet
                  * past the ipv6 header. We use it in defrag for creating
                  * a defragmented packet without the frag header */
@@ -326,6 +329,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 
             case IPPROTO_ESP:
             {
+                IPV6_SET_L4PROTO(p,nh);
                 hdrextlen = sizeof(IPV6EspHdr);
                 if (hdrextlen > plen) {
                     ENGINE_SET_EVENT(p, IPV6_TRUNC_EXTHDR);
@@ -355,6 +359,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
             }
             case IPPROTO_AH:
             {
+                IPV6_SET_L4PROTO(p,nh);
                 /* we need the header as a minimum */
                 hdrextlen = sizeof(IPV6AuthHdr);
                 /* the payload len field is the number of extra 4 byte fields */

diff --git a/src/decode-ipv6.h b/src/decode-ipv6.h
index 6f7502220dd07482819ebf2e9559740098a4013a..61d2c37a48a54e67a431cb6b2d4acf3d3b8b727b 100644 (file)
--- a/src/decode-ipv6.h
+++ b/src/decode-ipv6.h
@@ -93,8 +93,8 @@ typedef struct IPV6Hdr_
     ((p)->ip6vars.l4proto)
 
 /** \brief get the highest proto/next header field we know */
-#define IPV6_GET_UPPER_PROTO(p)         (p)->ip6eh.ip6_exthdrs_cnt ? \
-    (p)->ip6eh.ip6_exthdrs[(p)->ip6eh.ip6_exthdrs_cnt - 1].next : IPV6_GET_NH((p))
+//#define IPV6_GET_UPPER_PROTO(p)         (p)->ip6eh.ip6_exthdrs_cnt ?
+//    (p)->ip6eh.ip6_exthdrs[(p)->ip6eh.ip6_exthdrs_cnt - 1].next : IPV6_GET_NH((p))
 
 /* helper structure with parsed ipv6 info */
 typedef struct IPV6Vars_

diff --git a/src/decode.h b/src/decode.h
index 42e3770569faffca3372d5f39d6d4a238f61c6d5..274c1391e37d9af4959283ce6a890eef4d4464a0 100644 (file)
--- a/src/decode.h
+++ b/src/decode.h
@@ -222,7 +222,8 @@ typedef uint16_t Port;
 
 /* Retrieve proto regardless of IP version */
 #define IP_GET_IPPROTO(p) \
-    (PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_UPPER_PROTO((p)) : 0))
+    (p->proto ? p->proto : \
+    (PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_L4PROTO((p)) : 0)))
 
 /* structure to store the sids/gids/etc the detection engine
  * found in this packet */

diff --git a/src/detect.c b/src/detect.c
index f2c0e1800229cf7097f87f0bdeed784b0f9b6e8c..88bd2544f91513aabfdc03e8e1d54ca3b30460cc 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -1012,6 +1012,7 @@ SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThre
         f = 1;
 
     SCLogDebug("f %d", f);
+    SCLogDebug("IP_GET_IPPROTO(p) %u", IP_GET_IPPROTO(p));
 
     /* find the right mpm instance */
     DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[IP_GET_IPPROTO(p)], &p->src);
@@ -6600,7 +6601,7 @@ end:
     return result;
 }
 
-int SigTest27NegativeTCPV4Keyword(void)
+static int SigTest27NegativeTCPV4Keyword(void)
 {
     uint8_t raw_ipv4[] = {
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -6672,9 +6673,9 @@ int SigTest27NegativeTCPV4Keyword(void)
     de_ctx->flags |= DE_QUIET;
 
     de_ctx->sig_list = SigInit(de_ctx,
-                               "alert tcp any any -> any any "
-                               "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
-                               "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
+            "alert tcp any any -> any any "
+            "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
+            "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
     if (de_ctx->sig_list == NULL) {
         goto end;
     }
@@ -6682,7 +6683,7 @@ int SigTest27NegativeTCPV4Keyword(void)
     de_ctx->sig_list->next = SigInit(de_ctx,
                                      "alert tcp any any -> any any "
                                      "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
-                                     "msg:\"tcpv4-csum keyword check(1)\"; "
+                                     "msg:\"tcpv4-csum keyword check(2)\"; "
                                      "sid:2;)");
     if (de_ctx->sig_list->next == NULL) {
         goto end;
@@ -6692,12 +6693,14 @@ int SigTest27NegativeTCPV4Keyword(void)
     DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
 
     SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-    if (PacketAlertCheck(p1, 1)) {
+    if (!PacketAlertCheck(p1, 1)) {
+        printf("sig 1 didn't match on p1: ");
         goto end;
     }
 
     SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
     if (PacketAlertCheck(p2, 2)) {
+        printf("sig 2 matched on p2: ");
         goto end;
     }
 
@@ -6820,12 +6823,16 @@ int SigTest28TCPV6Keyword(void)
     DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
 
     SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
-    if (!(PacketAlertCheck(p1, 1)))
+    if (!(PacketAlertCheck(p1, 1))) {
+        printf("sid 1 didn't match on p1: ");
         goto end;
+    }
 
     SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
-    if (!(PacketAlertCheck(p2, 2)))
+    if (!(PacketAlertCheck(p2, 2))) {
+        printf("sid 2 didn't match on p2: ");
         goto end;
+    }
 
     result = 1;
 end: