From: Victor Julien
Date: Sat, 23 Mar 2024 19:17:54 +0000 (+0100)
Subject: defrag: fix wrong datalink being logged
X-Git-Tag: suricata-6.0.19~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f1412c90103b2788567334c046939521c2e01a0;p=thirdparty%2Fsuricata.git

defrag: fix wrong datalink being logged

Eve's packet_info.linktype should correctly indicated what the `packet` field contains. Until now it was using DLT_RAW even if Ethernet or other L2+ headers were present.

This commit records the datalink of the packet creating the first fragment, which can include the L2+ header data.

Bug: #6887.

(cherry picked from commit 49c67b2bb1baa84b7105bca82afe6909be890855)
---

diff --git a/src/decode.c b/src/decode.c
index 45301f78d7..5eeb85a78f 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -408,7 +408,6 @@ Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, u
 p->recursion_level = parent->recursion_level; /* NOT incremented */
 p->ts.tv_sec = parent->ts.tv_sec;
 p->ts.tv_usec = parent->ts.tv_usec;
- p->datalink = DLT_RAW;
 p->tenant_id = parent->tenant_id;
 /* tell new packet it's part of a tunnel */
 SET_TUNNEL_PKT(p);
diff --git a/src/defrag.c b/src/defrag.c
index 6b17f90738..d2fa4ffff4 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -295,6 +295,7 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
+ rp->datalink = tracker->datalink;
 int fragmentable_offset = 0;
 int fragmentable_len = 0;
@@ -433,6 +434,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
+ rp->datalink = tracker->datalink;
 int unfragmentable_len = 0;
 int fragmentable_offset = 0;
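Review bot: With the `DLT_RAW` default removed from PacketDefragPktSetup in the decode.c hunk, the added `rp->datalink = tracker->datalink;` in Defrag4Reassemble (and its twin in Defrag6Reassemble) is now the only thing giving the rebuilt packet a datalink, so any other caller of PacketDefragPktSetup, or any reassembly path that skips this line, ends up with whatever the packet allocator left in the field. Consider moving the assignment back into PacketDefragPktSetup by passing the tracker's datalink in, which also removes the duplication between the IPv4 and IPv6 reassemblers; whether PacketDefragPktSetup has callers outside defrag.c is not visible here. A debug-build assertion that an offset-0 fragment has been seen before `tracker->datalink` is consumed would make the dependency explicit. Both reassembly functions start and end outside their hunks.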
@@ -861,6 +863,9 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker,
 #ifdef DEBUG
 new->pcap_cnt = pcap_cnt;
 #endif
+ if (frag_offset == 0) {
+ tracker->datalink = p->datalink;
+ }
 IP_FRAGMENTS_RB_INSERT(&tracker->fragment_tree, new);
diff --git a/src/defrag.h b/src/defrag.h
index 771616e4dd..7fd08262ff 100644
--- a/src/defrag.h
+++ b/src/defrag.h
@@ -105,6 +105,7 @@ typedef struct DefragTracker_ {
 Address dst_addr; /**< Destination address for this tracker. */
 struct timeval timeout; /**< When this tracker will timeout. */
+ int datalink; /**< datalink for reassembled packet, set by first fragment */
 uint32_t host_timeout; /**< Host timeout, statically assigned from the yaml */
 /** use cnt, reference counter */
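Review bot: The new `if (frag_offset == 0)` store in DefragInsertFrag runs for every offset-0 fragment, so a duplicate or overlapping first fragment that arrives later, possibly via a different interface or tunnel with a different link type, silently overwrites the datalink recorded from the fragment the overlap policy actually keeps, and the store happens before `IP_FRAGMENTS_RB_INSERT` whether or not `new` survives. If the intent is "the fragment that created the tracker", guard the assignment so it happens only once, e.g. only when the tracker has no offset-0 fragment yet, or place it after the overlap decision; which tracker state is available for that check is not visible in this hunk. A one-line comment such as `/* link type of the packet carrying the first fragment; copied to the reassembled packet */` would document why only offset 0 is recorded. The function body starts before and continues after the hunk.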
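Review bot: The new `datalink` member in DefragTracker_ is only ever assigned on fragment insert, so its value on a freshly allocated or pooled-and-reused tracker depends on reset code that is not part of this diff; if trackers are not memset or explicitly re-initialised per datagram, a reused tracker carries the previous datagram's link type until an offset-0 fragment arrives. Worth confirming the tracker init/reset path zeroes or sets it, and stating the invariant in the field comment, e.g. `/**< datalink of the packet carrying the offset-0 fragment, copied to the reassembled packet; only valid once such a fragment was inserted */`. The struct definition continues outside the hunk.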