From: Victor Julien Date: Sat, 23 Mar 2024 19:17:54 +0000 (+0100) Subject: defrag: fix wrong datalink being logged X-Git-Tag: suricata-8.0.0-beta1~1491 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49c67b2bb1baa84b7105bca82afe6909be890855;p=thirdparty%2Fsuricata.git defrag: fix wrong datalink being logged Eve's packet_info.linktype should correctly indicated what the `packet` field contains. Until now it was using DLT_RAW even if Ethernet or other L2+ headers were present. This commit records the datalink of the packet creating the first fragment, which can include the L2+ header data. Bug: #6887.
---
diff --git a/src/decode.c b/src/decode.c
index 9fa3991157..0f4c84eba5 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -468,7 +468,6 @@ Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, u
 }
 p->recursion_level = parent->recursion_level; /* NOT incremented */
 p->ts = parent->ts;
- p->datalink = DLT_RAW;
 p->tenant_id = parent->tenant_id;
 memcpy(&p->vlan_id[0], &parent->vlan_id[0], sizeof(p->vlan_id));
 p->vlan_idx = parent->vlan_idx;
diff --git a/src/defrag.c b/src/defrag.c
index 0d54754200..5c79d4d993 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -288,6 +288,7 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
+ rp->datalink = tracker->datalink;
 int fragmentable_offset = 0;
 uint16_t fragmentable_len = 0;
@@ -430,6 +431,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
+ rp->datalink = tracker->datalink;
 uint16_t unfragmentable_len = 0;
 int fragmentable_offset = 0;
@@ -861,6 +863,9 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker,
 #ifdef DEBUG
 new->pcap_cnt = pcap_cnt;
 #endif
+ if (frag_offset == 0) {
+ tracker->datalink = p->datalink;
+ }
 IP_FRAGMENTS_RB_INSERT(&tracker->fragment_tree, new);
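Review bot: With `p->datalink = DLT_RAW;` removed, PacketDefragPktSetup no longer establishes `datalink` at all, so the field keeps whatever the packet held before setup until a caller assigns it; the two callers in this commit (Defrag4Reassemble and Defrag6Reassemble) do so right after setup, but that new contract is stated nowhere. I would record it where the line was removed: `/* datalink is deliberately not set here: the caller copies it from the tracker (see Defrag4Reassemble / Defrag6Reassemble) */`. Whether any other user of PacketDefragPktSetup relied on the former DLT_RAW default is not visible in this diff and is worth checking. PacketDefragPktSetup starts and ends outside the hunk.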
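Review bot: In the DefragInsertFrag hunk, `tracker->datalink` is overwritten by every fragment with `frag_offset == 0`, not only the first one, and the assignment runs before `IP_FRAGMENTS_RB_INSERT` without regard to whether the tree actually keeps that fragment. If a second offset-0 fragment arrives with a different datalink and the active reassembly policy retains the earlier one, the bytes of the reassembled packet and the `rp->datalink` copied in Defrag4Reassemble/Defrag6Reassemble (hence eve's packet_info.linktype) would come from different fragments; I cannot tell from this hunk whether duplicate offsets are rejected before this point, so this is inferred. Either tie the assignment to the fragment that is retained after the insert or make it explicitly first-wins, and say which in a comment, e.g. `/* datalink of the offset-0 fragment whose bytes head the reassembled packet */`. The new `int datalink` comment in the defrag.h hunk, "set by first fragment", should then say offset-0 fragment rather than first-seen fragment if the last write is intended to win. DefragInsertFrag's body continues outside the hunk.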
diff --git a/src/defrag.h b/src/defrag.h
index e9a15923ae..8c2a663641 100644
--- a/src/defrag.h
+++ b/src/defrag.h
@@ -106,6 +106,7 @@ typedef struct DefragTracker_ {
 Address src_addr; /**< Source address for this tracker. */
 Address dst_addr; /**< Destination address for this tracker. */
+ int datalink; /**< datalink for reassembled packet, set by first fragment */
 SCTime_t timeout; /**< When this tracker will timeout. */
 uint32_t host_timeout; /**< Host timeout, statically assigned from the yaml */