From: Russ Combs Date: Thu, 20 Oct 2016 21:26:21 +0000 (-0400) Subject: support dynamic builds and other tweaks X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02d3ec67b8b269a71750c8d508873caf86f9df2b;p=thirdparty%2Fsnort3.git support dynamic builds and other tweaks --- diff --git a/src/detection/context_switcher.cc b/src/detection/context_switcher.cc index a15162dab..ae5a50145 100644 --- a/src/detection/context_switcher.cc +++ b/src/detection/context_switcher.cc @@ -194,7 +194,7 @@ TEST_CASE("ContextSwitcher normal", "[ContextSwitcher]") IpsContextData* a = new ContextData(id); mgr.set_context_data(1, a); - IpsContext* p = mgr.interrupt(); + mgr.interrupt(); CHECK(mgr.idle_count() == max-2); CHECK(mgr.busy_count() == 2); @@ -246,7 +246,7 @@ TEST_CASE("ContextSwitcher abort", "[ContextSwitcher]") mgr.interrupt(); CHECK(mgr.idle_count() == max-3); - unsigned u = mgr.suspend(); + mgr.suspend(); CHECK(mgr.busy_count() == 2); CHECK(mgr.hold_count() == 1); diff --git a/src/detection/ips_context.cc b/src/detection/ips_context.cc index 78bc5f575..9a0fbf713 100644 --- a/src/detection/ips_context.cc +++ b/src/detection/ips_context.cc @@ -69,7 +69,7 @@ IpsContext::~IpsContext() sfeventq_free(equeue); - delete buf; + delete[] buf; delete pkth; delete packet; } diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h index a216cf230..d97364162 100644 --- a/src/detection/ips_context.h +++ b/src/detection/ips_context.h @@ -30,11 +30,12 @@ // integration into Snort. #include +#include "main/snort_types.h" // required to get a decent decl of pkth #include "protocols/packet.h" -class IpsContextData +class SO_PUBLIC IpsContextData { public: virtual ~IpsContextData() { }; @@ -46,7 +47,7 @@ protected: IpsContextData() { } }; -class IpsContext +class SO_PUBLIC IpsContext { public: IpsContext(unsigned size); diff --git a/src/main/snort.cc b/src/main/snort.cc index f7a6cf4be..12c8e94f4 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc 
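Review bot: The comment on the new `#include "main/snort_types.h"` in ips_context.h credits it to the declaration of pkth, but the only visible consumer in this hunk and the next is the `SO_PUBLIC` macro added to `IpsContextData` and `IpsContext`. If the macro comes from that header, say so, e.g. `// for SO_PUBLIC, and a decent decl of pkth`, so that whoever later removes the pkth dependency does not drop the include and lose the export attribute with it.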
@@ -746,10 +746,9 @@ SF_EVENTQ* Snort::get_event_queue() Packet* Snort::set_detect_packet() { - // this approach is a hack until verified - // looks like we need to stay in the current context until - // rebuild is successful; any events while rebuilding will - // be logged against the current packet. + // we need to stay in the current context until rebuild is successful + // any events while rebuilding will be logged against the current packet + // FIXIT-H bypass the interrupt / complete const IpsContext* c = s_switcher->interrupt(); Packet* p = c->packet; s_switcher->complete(); diff --git a/src/main/snort.h b/src/main/snort.h index 5230e8f2e..fe7437245 100644 --- a/src/main/snort.h +++ b/src/main/snort.h @@ -27,13 +27,16 @@ #include "main/snort_types.h" +#include "main/snort_types.h" + class Flow; struct Packet; struct SnortConfig; typedef void (* MainHook_f)(Packet*); -class DetectionContext +// FIXIT-H this needs to move to detection +class SO_PUBLIC DetectionContext { public: DetectionContext(); @@ -42,7 +45,7 @@ public: Packet* get_packet(); }; -class Snort +class SO_PUBLIC Snort { public: static SnortConfig* get_reload_config(const char* fname); @@ -62,6 +65,8 @@ public: static void thread_rotate(); static void capture_packet(); + + // FIXIT-H these need to move to detection static Packet* set_detect_packet(); static Packet* get_detect_packet(); static void clear_detect_packet(); diff --git a/src/service_inspectors/dce_rpc/dce_co.cc b/src/service_inspectors/dce_rpc/dce_co.cc index 843fc3e3a..d641d52ef 100644 --- a/src/service_inspectors/dce_rpc/dce_co.cc +++ b/src/service_inspectors/dce_rpc/dce_co.cc 
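Review bot: The added `#include "main/snort_types.h"` in snort.h duplicates the context line directly above it, which already includes the same header, so the new line should be dropped. An include guard presumably makes it harmless, but it reads as an accident and will puzzle the next reader. The `SO_PUBLIC` annotations in the two following hunks are already served by the existing include.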
@@ -1203,28 +1203,19 @@ static Packet* DCE2_CoGetRpkt(DCE2_SsnData* sd, DCE2_CoTracker* cot, if (*rtype == DCE2_RPKT_TYPE__NULL) return nullptr; - if (frag_data != nullptr) + if ( frag_data ) { rpkt = DCE2_GetRpkt(sd->wire_pkt, *rtype, frag_data, frag_len); - if (rpkt == nullptr) - { - DebugMessage(DEBUG_DCE_COMMON, "Failed to create reassembly buffer.\n"); - return nullptr; - } - if (seg_data != nullptr) + + if ( rpkt and seg_data ) { /* If this fails, we'll still have the frag data */ DCE2_AddDataToRpkt(rpkt, seg_data, seg_len); } } - else if (seg_data != nullptr) + else if ( seg_data ) { rpkt = DCE2_GetRpkt(sd->wire_pkt, *rtype, seg_data, seg_len); - if (rpkt == nullptr) - { - DebugMessage(DEBUG_DCE_COMMON, "Failed to create reassembly packet.\n"); - return nullptr; - } } return rpkt; @@ -2142,27 +2133,18 @@ static Packet* DCE2_CoGetSegRpkt(DCE2_SsnData* sd, switch (sd->trans) { case DCE2_TRANS_TYPE__SMB: - rpkt = DCE2_GetRpkt(sd->wire_pkt, DCE2_RPKT_TYPE__SMB_CO_SEG, - data_ptr, data_len); - if (rpkt == nullptr) - { - DebugMessage(DEBUG_DCE_COMMON, "Failed to create reassembly packet.\n"); + rpkt = DCE2_GetRpkt(sd->wire_pkt, DCE2_RPKT_TYPE__SMB_CO_SEG, data_ptr, data_len); + + if ( !rpkt ) return nullptr; - } + DCE2_SmbSetRdata((DCE2_SmbSsnData*)sd, (uint8_t*)rpkt->data, (uint16_t)(rpkt->dsize - smb_hdr_len)); break; case DCE2_TRANS_TYPE__TCP: // FIXIT-M add HTTP cases when it is ported - rpkt = DCE2_GetRpkt(sd->wire_pkt, DCE2_RPKT_TYPE__TCP_CO_SEG, - data_ptr, data_len); - if (rpkt == nullptr) - { - DebugMessage(DEBUG_DCE_COMMON, "Failed to create reassembly packet.\n"); - return nullptr; - } - + rpkt = DCE2_GetRpkt(sd->wire_pkt, DCE2_RPKT_TYPE__TCP_CO_SEG, data_ptr, data_len); break; default: diff --git a/src/service_inspectors/dce_rpc/dce_common.cc b/src/service_inspectors/dce_rpc/dce_common.cc index 8ede77530..60dd424c9 100644 --- a/src/service_inspectors/dce_rpc/dce_common.cc +++ b/src/service_inspectors/dce_rpc/dce_common.cc 
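Review bot: In DCE2_CoGetSegRpkt the SMB case keeps `if ( !rpkt ) return nullptr;` while the TCP case now falls out of the switch with rpkt possibly null, where the removed code returned early. That is only safe if nothing between the end of the switch and the return dereferences rpkt; that code is outside the hunk, so please confirm, and if it is safe a short comment on the TCP `break`, e.g. `// a null rpkt is returned as-is below`, would stop the next reader from re-adding the check. The failure message now lives in DCE2_GetRpkt, so dropping the per-call DebugMessage lines is fine.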
@@ -35,6 +35,7 @@ #include "dce_udp.h" THREAD_LOCAL int dce2_detected = 0; +static THREAD_LOCAL bool using_rpkt = false; static const char* dce2_get_policy_name(DCE2_Policy policy) { @@ -200,11 +201,14 @@ static void dce2_protocol_detect(DCE2_SsnData* sd, Packet* pkt) void DCE2_Detect(DCE2_SsnData* sd) { - DetectionContext dc; - Packet* top_pkt = dc.get_packet(); - - if ( !top_pkt->endianness ) + if ( using_rpkt ) + { + using_rpkt = false; + DetectionContext dc; + DCE2_Detect(sd); return; + } + Packet* top_pkt = Snort::get_detect_packet(); DCE2_PrintRoptions(&sd->ropts); DebugMessage(DEBUG_DCE_COMMON, "Payload:\n"); @@ -348,10 +352,7 @@ uint16_t DCE2_GetRpktMaxData(DCE2_SsnData* sd, DCE2_RpktType rtype) static void dce2_fill_rpkt_info(Packet* rpkt, Packet* p) { - DceEndianness* endianness = (DceEndianness*)rpkt->endianness; - rpkt->reset(); - rpkt->endianness = (Endianness*)endianness; - ((DceEndianness*)rpkt->endianness)->reset(); + rpkt->endianness = new DceEndianness(); rpkt->pkth = p->pkth; rpkt->ptrs = p->ptrs; rpkt->flow = p->flow; @@ -365,18 +366,16 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, const uint8_t* data, uint32_t data_len) { Packet* rpkt = Snort::set_detect_packet(); - rpkt->endianness = new DceEndianness(); + dce2_fill_rpkt_info(rpkt, p); uint16_t data_overhead = 0; switch (rpkt_type) { case DCE2_RPKT_TYPE__SMB_SEG: - dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_SMB_SEG; break; case DCE2_RPKT_TYPE__SMB_TRANS: - dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_SMB_TRANS; if (DCE2_SsnFromClient(p)) { @@ -393,7 +392,6 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, break; case DCE2_RPKT_TYPE__SMB_CO_SEG: - dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_DCE_SEG; if (DCE2_SsnFromClient(p)) { 
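Review bot: `using_rpkt` is set by DCE2_GetRpkt on success (later hunk in this file) and cleared only at the top of DCE2_Detect, so a caller that builds a reassembly packet and then returns without calling DCE2_Detect leaves the flag set for the next, unrelated call, which would then wrongly take the DetectionContext branch for a wire packet. Consider clearing the flag wherever a rebuilt packet is abandoned, or deriving the condition from the packet itself rather than from thread-local state. The hunk also drops the former `if ( !top_pkt->endianness ) return;` guard; if the rest of DCE2_Detect (outside the hunk) still dereferences `top_pkt->endianness`, a packet that never went through dce2_fill_rpkt_info now reaches that code with a null pointer. A one-line comment on the recursive call, e.g. `// re-enter once so detection runs in the rebuilt packet's context`, would also help.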
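Review bot: dce2_fill_rpkt_info now does `rpkt->endianness = new DceEndianness();` unconditionally, and DCE2_GetRpkt (next hunk) calls it before the switch, so the `default:` branch (hunk @@ -466 further down) returns nullptr without releasing the object; with NDEBUG the `assert(false)` there compiles out and the leak is reachable. Mirror the overflow path with `delete rpkt->endianness; rpkt->endianness = nullptr;` before that `return nullptr;`, or allocate only after the type switch has validated rpkt_type. The old code reset and reused an existing endianness object instead of allocating; if the packet returned by Snort::set_detect_packet() can still carry one from a previous rebuild, the plain assignment also drops it without a delete — the packet's ownership rules are not visible here, so please confirm.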
@@ -410,7 +408,6 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, break; case DCE2_RPKT_TYPE__SMB_CO_FRAG: - dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_DCE_FRAG; if (DCE2_SsnFromClient(p)) { @@ -431,7 +428,6 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, break; case DCE2_RPKT_TYPE__UDP_CL_FRAG: - dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_DCE_FRAG; data_overhead = DCE2_MOCK_HDR_LEN__CL; memset((void*)rpkt->data, 0, data_overhead); @@ -440,8 +436,6 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, case DCE2_RPKT_TYPE__TCP_CO_SEG: case DCE2_RPKT_TYPE__TCP_CO_FRAG: - dce2_fill_rpkt_info(rpkt, p); - if (rpkt_type == DCE2_RPKT_TYPE__TCP_CO_FRAG) { rpkt->pseudo_type = PSEUDO_PKT_DCE_FRAG; @@ -466,6 +460,7 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, default: DebugFormat(DEBUG_DCE_COMMON, "Invalid reassembly packet type: %d\n",rpkt_type); + assert(false); return nullptr; } @@ -473,12 +468,18 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, data_len -= (data_overhead + data_len) - Packet::max_dsize; if (data_len > Packet::max_dsize - data_overhead) + { + DebugMessage(DEBUG_DCE_COMMON, "Failed to create reassembly packet.\n"); + delete rpkt->endianness; + rpkt->endianness = nullptr; return nullptr; + } memcpy_s((void*)(rpkt->data + data_overhead), Packet::max_dsize - data_overhead, data, data_len); rpkt->dsize = data_len + data_overhead; + using_rpkt = true; return rpkt; } diff --git a/src/service_inspectors/dce_rpc/dce_smb_utils.cc b/src/service_inspectors/dce_rpc/dce_smb_utils.cc index c563ee5d9..e446c65cf 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_utils.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_utils.cc 
@@ -1301,14 +1301,8 @@ Packet* DCE2_SmbGetRpkt(DCE2_SmbSsnData* ssd, Packet* rpkt = DCE2_GetRpkt(ssd->sd.wire_pkt, rtype, *data, *data_len); - if (rpkt == nullptr) - { - DebugFormat(DEBUG_DCE_SMB, - "%s(%d) Failed to create reassembly packet.", - __FILE__, __LINE__); - + if ( !rpkt ) return nullptr; - } *data = rpkt->data; *data_len = rpkt->dsize; diff --git a/src/service_inspectors/dce_rpc/dce_udp_processing.cc b/src/service_inspectors/dce_rpc/dce_udp_processing.cc index f78b69744..4a8dc7034 100644 --- a/src/service_inspectors/dce_rpc/dce_udp_processing.cc +++ b/src/service_inspectors/dce_rpc/dce_udp_processing.cc @@ -586,14 +586,11 @@ static void DCE2_ClFragReassemble( stub_len += fnode->frag_len; } - Packet* rpkt = DCE2_GetRpkt(sd->wire_pkt, DCE2_RPKT_TYPE__UDP_CL_FRAG, dce2_cl_rbuf, stub_len); - if (rpkt == nullptr) - { - DebugFormat(DEBUG_DCE_UDP, - "%s(%d) Failed to create reassembly packet.", - __FILE__, __LINE__); + Packet* rpkt = DCE2_GetRpkt( + sd->wire_pkt, DCE2_RPKT_TYPE__UDP_CL_FRAG, dce2_cl_rbuf, stub_len); + + if ( !rpkt ) return; - } DCE2_ClSetRdata(at, cl_hdr, (uint8_t*)rpkt->data, (uint16_t)(rpkt->dsize - DCE2_MOCK_HDR_LEN__CL)); diff --git a/src/stream/stream.cc b/src/stream/stream.cc index 9fc52a05a..31cc698da 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -23,6 +23,8 @@ #include "stream.h" +#include + #include "flow/flow_control.h" #include "flow/flow_key.h" #include "flow/ha.h" @@ -352,6 +354,9 @@ void Stream::purge_flows() // rebuilt packet is available) Snort::set_detect_packet(); DetectionContext dc; + // this is a hack to work around the above issue + DAQ_PktHdr_t* ph = (DAQ_PktHdr_t*)dc.get_packet()->pkth; + memset(ph, 0, sizeof(*ph)); flow_con->purge_flows(PktType::IP); flow_con->purge_flows(PktType::ICMP);
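Review bot: In Stream::purge_flows the new `(DAQ_PktHdr_t*)dc.get_packet()->pkth` is a C-style cast that, if `pkth` is declared as a pointer to const (not visible here), silently strips the const before the memset; spell it `const_cast<DAQ_PktHdr_t*>(dc.get_packet()->pkth)` so the write-through is greppable, and consider a null check before `memset(ph, 0, sizeof(*ph));` since the comment itself presents this as a workaround rather than a guaranteed-valid header. The comment `// this is a hack to work around the above issue` refers to text that begins outside the hunk; naming the issue in one clause would keep it meaningful if the lines above change.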