From: George Koikara (gkoikara) Date: Wed, 11 Dec 2019 08:45:08 +0000 (+0000) Subject: Merge pull request #1878 in SNORT/snort3 from ~APOORAJ/snort3:gtp_teid to master X-Git-Tag: 3.0.0-267~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3083c7968c89bf8f96dde3f62b152f650a625a24;p=thirdparty%2Fsnort3.git Merge pull request #1878 in SNORT/snort3 from ~APOORAJ/snort3:gtp_teid to master Squashed commit of the following: commit 65363ab96ffd788f42836c407e6143952a69e825 Author: Apoorv Raj Date: Tue Dec 3 23:42:37 2019 -0500 gtp:alerts should be raised for missing TEID in gtp msg
---
diff --git a/src/service_inspectors/gtp/gtp_module.cc b/src/service_inspectors/gtp/gtp_module.cc
index 927268e90..f6a24f0e4 100644
--- a/src/service_inspectors/gtp/gtp_module.cc
+++ b/src/service_inspectors/gtp/gtp_module.cc
@@ -38,6 +38,7 @@ THREAD_LOCAL ProfileStats gtp_inspect_prof;
 #define GTP_EVENT_BAD_MSG_LEN_STR "message length is invalid"
 #define GTP_EVENT_BAD_IE_LEN_STR "information element length is invalid"
 #define GTP_EVENT_OUT_OF_ORDER_IE_STR "information elements are out of order"
+#define GTP_EVENT_MISSING_TEID_STR "TEID is missing"
 //-------------------------------------------------------------------------
 // stats
@@ -70,6 +71,7 @@ static const RuleMap gtp_rules[] =
 { GTP_EVENT_BAD_MSG_LEN, GTP_EVENT_BAD_MSG_LEN_STR },
 { GTP_EVENT_BAD_IE_LEN, GTP_EVENT_BAD_IE_LEN_STR },
 { GTP_EVENT_OUT_OF_ORDER_IE, GTP_EVENT_OUT_OF_ORDER_IE_STR },
+ { GTP_EVENT_MISSING_TEID, GTP_EVENT_MISSING_TEID_STR },
 { 0, nullptr }
 };
diff --git a/src/service_inspectors/gtp/gtp_module.h b/src/service_inspectors/gtp/gtp_module.h
index e567359d6..2a1569466 100644
--- a/src/service_inspectors/gtp/gtp_module.h
+++ b/src/service_inspectors/gtp/gtp_module.h
@@ -29,6 +29,7 @@
 #define GTP_EVENT_BAD_MSG_LEN (1)
 #define GTP_EVENT_BAD_IE_LEN (2)
 #define GTP_EVENT_OUT_OF_ORDER_IE (3)
+#define GTP_EVENT_MISSING_TEID (4)
 #define GTP_NAME "gtp_inspect"
 #define GTP_HELP "gtp control channel inspection"
diff --git a/src/service_inspectors/gtp/gtp_parser.cc b/src/service_inspectors/gtp/gtp_parser.cc
index 8c9571d54..50b491deb 100644
--- a/src/service_inspectors/gtp/gtp_parser.cc
+++ b/src/service_inspectors/gtp/gtp_parser.cc
@@ -54,14 +54,6 @@ struct GTP_C_Hdr
 uint16_t length; /* length */
 };
-struct GTP_C_Hdr_v0
-{
- GTP_C_Hdr hdr;
- uint16_t sequence_num;
- uint16_t flow_lable;
- uint64_t tid;
-};
-
 /* GTP Information element Header */
 struct GTP_IE_Hdr
 {
@@ -280,8 +272,16 @@ static int gtp_parse_v0(GTPMsg* msg, const uint8_t* buff, uint16_t gtp_len)
 static int gtp_parse_v1(GTPMsg* msg, const uint8_t* buff, uint16_t gtp_len)
 {
 const GTP_C_Hdr* hdr;
+ const uint32_t* teid;
 hdr = (const GTP_C_Hdr*)buff;
+ /*TEID value at 5-8 octets*/
+ teid = (const uint32_t*)(buff + 4);
+
+ if ((msg->msg_type > 3) && (*teid == 0))
+ {
+ alert(GTP_EVENT_MISSING_TEID);
+ }
 /*Check the length based on optional fields and extension header*/
 if (hdr->flag & 0x07)
@@ -368,8 +368,16 @@ static int gtp_parse_v1(GTPMsg* msg, const uint8_t* buff, uint16_t gtp_len)
 static int gtp_parse_v2(GTPMsg* msg, const uint8_t* buff, uint16_t gtp_len)
 {
 const GTP_C_Hdr* hdr;
+ const uint32_t* teid;
 hdr = (const GTP_C_Hdr*)buff;
+ /*TEID value at 5-8 octet*/
+ teid = (const uint32_t*)(buff + 4);
+
+ if ((msg->msg_type > 3) && (hdr->flag & 0x08) && (*teid == 0))
+ {
+ alert(GTP_EVENT_MISSING_TEID);
+ }
 if (hdr->flag & 0x8)
 msg->header_len = GTP_HEADER_LEN_EPC_V2;
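Review bot: In gtp_parse_v1, `*teid` dereferences `(const uint32_t*)(buff + 4)`, a 32-bit load through a cast byte pointer whose alignment the hunk does not establish, and it runs before the length check that follows it in the function. Copying the field out avoids the unaligned, aliasing-unsafe read: `uint32_t teid = 0; memcpy(&teid, buff + 4, sizeof(teid));` and then test `teid == 0` (byte order does not matter for a comparison with zero). The read is only in bounds if the caller has already rejected `gtp_len < 8`, which is not visible here, so a guard or a comment stating that precondition belongs next to it. The same cast and dereference appear in the gtp_parse_v2 hunk. Both function bodies continue outside their hunks.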
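Review bot: In gtp_parse_v2 the alert is tied to `(hdr->flag & 0x08) && (*teid == 0)`, so a message with type above 3 that clears the T flag and carries no TEID field at all raises nothing, although that is the case the rule text "TEID is missing" describes. The condition in both parsers instead reports a TEID that is present and zero, which the GTP specifications appear to allow for some initial requests (worth confirming against 3GPP TS 29.060 and TS 29.274), so the event may be noisy on legitimate traffic. A comment on the condition should state which case is intended, e.g. `/* TEID present (T flag set) but zero; msg types 0-3 are exempt */`, and the rule string should match it. The hunk also writes the same mask as `0x08` and `0x8` on adjacent statements; one named constant would keep them in step.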