From: Shawn Turner (shaturne) Date: Mon, 3 Oct 2016 17:13:18 +0000 (-0400) Subject: Merge pull request #644 in SNORT/snort3 from sip_callid to master X-Git-Tag: 3.0.0-233~244 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=932356c29f0d032fe2e15bcf7785428c70aad43f;p=thirdparty%2Fsnort3.git Merge pull request #644 in SNORT/snort3 from sip_callid to master Squashed commit of the following: commit d9e16c7bc50521a41d7f5df96f51b7323e5297e7 Author: Bhagya Tholpady Date: Wed Sep 28 12:43:02 2016 -0400 sip changes to avoid using NAT ip when calculating callid
---
diff --git a/src/network_inspectors/binder/binder.cc b/src/network_inspectors/binder/binder.cc
index 31ab2899b..db0d2472f 100644
--- a/src/network_inspectors/binder/binder.cc
+++ b/src/network_inspectors/binder/binder.cc
@@ -100,11 +100,25 @@ bool Binding::check_addr(const Flow* flow) const
 if ( !when.nets ) return true;
- if ( sfvar_ip_in(when.nets, &flow->client_ip) )
- return true;
+ switch ( when.role )
+ {
+ case BindWhen::BR_SERVER:
+ if ( sfvar_ip_in(when.nets, &flow->server_ip) )
+ return true;
+ break;
+ case BindWhen::BR_CLIENT:
+ if ( sfvar_ip_in(when.nets, &flow->client_ip) )
+ return true;
+ break;
+ case BindWhen::BR_EITHER:
+ if ( sfvar_ip_in(when.nets, &flow->client_ip) or
+ sfvar_ip_in(when.nets, &flow->server_ip) )
+ return true;
+ break;
+ default:
+ break;
+ }
- if ( sfvar_ip_in(when.nets, &flow->server_ip) )
- return true;
 return false; }
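Review bot: The `default:` arm of the new `switch ( when.role )` in `Binding::check_addr` makes the binding silently fail to match for any role value outside the three named ones, and `Binding::check_port` in the next hunk repeats the same switch with the same silent fall-through to `return false;`. Because the binder decides which inspectors see a flow, an unexpected role would show up only as traffic that is no longer inspected, so I would make it visible with `default: assert(false); break;`, or at least add the comment `// unknown role: treat as no match`. The duplicated role dispatch could also move into one small helper so the address and port checks cannot drift apart. The body of `check_addr` starts above this hunk.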
@@ -140,7 +154,18 @@ bool Binding::check_vlan(const Flow* flow) const
 bool Binding::check_port(const Flow* flow) const {
- return when.ports.test(flow->server_port);
+ switch ( when.role )
+ {
+ case BindWhen::BR_SERVER:
+ return when.ports.test(flow->server_port);
+ case BindWhen::BR_CLIENT:
+ return when.ports.test(flow->client_port);
+ case BindWhen::BR_EITHER:
+ return (when.ports.test(flow->client_port) or when.ports.test(flow->server_port) );
+ default:
+ break;
+ }
+ return false;
 } bool Binding::check_service(const Flow* flow) const
diff --git a/src/network_inspectors/binder/binding.h b/src/network_inspectors/binder/binding.h
index 69fef1642..c068d2c66 100644
--- a/src/network_inspectors/binder/binding.h
+++ b/src/network_inspectors/binder/binding.h
@@ -30,7 +30,7 @@ class Flow;
 struct BindWhen { enum Role
- { BR_EITHER, BR_CLIENT, BR_SERVER, BR_MAX };
+ { BR_CLIENT, BR_SERVER, BR_EITHER, BR_MAX };
 unsigned id; unsigned protos;
diff --git a/src/service_inspectors/sip/sip_parser.cc b/src/service_inspectors/sip/sip_parser.cc
index e1abe93c6..1657bdc15 100644
--- a/src/service_inspectors/sip/sip_parser.cc
+++ b/src/service_inspectors/sip/sip_parser.cc
@@ -793,6 +793,30 @@ static int sip_parse_to(SIPMsg* msg, const char* start, const char* end, SIP_PRO
 return SIP_PARSE_SUCCESS; }
+static inline bool is_valid_ip(const char *start, int length)
+{
+ sfip_t ip;
+ char ipStr[INET6_ADDRSTRLEN];
+
+ /*Get the IP address*/
+ if(length > INET6_ADDRSTRLEN - 1)
+ {
+ length = INET6_ADDRSTRLEN - 1;
+ }
+ memcpy(ipStr, start, length);
+ ipStr[length] = '\0';
+
+ DebugFormat(DEBUG_SIP, "IP data: %s\n", ipStr);
+
+ if( (sfip_pton(ipStr, &ip)) != SFIP_SUCCESS)
+ {
+ DebugMessage(DEBUG_SIP, "Not valid IP! \n");
+ return false;
+ }
+
+ return true;
+}
+
 /******************************************************************** * Function: sip_parse_call_id() *
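Review bot: Reordering `Role` in binding.h changes the numeric value of every enumerator (`BR_EITHER` moves from 0 to 2, `BR_CLIENT` from 1 to 0), and nothing in this diff shows where `when.role` is assigned. If the role is set anywhere by casting a parsed option index, or is left zero-initialised, a binding that used to mean "either" now means "client" and, with the new role checks in binder.cc, matches fewer flows. Please confirm the assignment site agrees with the new order, and consider a comment on the enum such as `// values are order-sensitive: keep in sync with wherever role is parsed`. The struct continues outside the hunk.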
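Review bot: `is_valid_ip` clamps an over-long input to `INET6_ADDRSTRLEN - 1` bytes and then validates only that prefix, so a longer host part whose leading bytes parse as an address would be treated as an IP, and a negative `length` would reach `memcpy` unchecked. Text longer than the buffer cannot be a valid address, so reject it instead of clamping: `if (length <= 0 || length > INET6_ADDRSTRLEN - 1) return false;`. The only caller visible in this diff passes `end-at-1` with `at < end`, so the negative case does not look reachable from there, but the helper should not depend on that. The `DebugFormat` line also writes packet-derived bytes to the debug log, which deserves a short comment.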
@@ -810,11 +834,18 @@ static int sip_parse_to(SIPMsg* msg, const char* start, const char* end, SIP_PRO
 static int sip_parse_call_id(SIPMsg* msg, const char* start, const char* end, SIP_PROTO_CONF*) {
- DEBUG_WRAP(int length = end -start; )
+ int length = end -start;
 DebugFormat(DEBUG_SIP, "Call-Id value: %.*s\n", length, start); msg->call_id = (char*)start;
+ /*ignore ip address in call id by adjusting length*/
+ char* at = (char*)memchr(start, '@', length);
+ if(at && (at < end) && is_valid_ip(at+1, (end-at-1)))
+ {
+ length = at - start;
+ }
+
 msg->callIdLen = end - start;
- msg->dlgID.callIdHash = strToHash(msg->call_id, msg->callIdLen);
+ msg->dlgID.callIdHash = strToHash(msg->call_id, length);
 DebugFormat(DEBUG_SIP, "Call-Id length: %d, Hash: %u\n", msg->callIdLen, msg->dlgID.callIdHash);
diff --git a/src/sfip/sf_ipvar.cc b/src/sfip/sf_ipvar.cc
index 70798a3b0..8830e744c 100644
--- a/src/sfip/sf_ipvar.cc
+++ b/src/sfip/sf_ipvar.cc
@@ -961,6 +961,7 @@ static inline int _sfvar_ip_in6(sfip_var_t* var, const sfip_t* ip)
 return 0; }
+// FIXIT-L sfvar_ip_in, _sfvar_ip_in4 and _sfvar_ip_in6 should all return boool
 /* Returns SFIP_SUCCESS if ip is contained in 'var', SFIP_FAILURE otherwise If either argument is NULL, SFIP_ARG_ERR is returned. */ int sfvar_ip_in(sfip_var_t* var, const sfip_t* ip)
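Review bot: When the Call-ID value begins with `@` (`at == start`) and an address follows, `length` becomes 0 and `strToHash` runs over zero bytes, so every such Call-ID would get the same `callIdHash`; the condition in `sip_parse_call_id` should require a non-empty local part, `if (at && at > start && is_valid_ip(at + 1, end - at - 1))`. The `(at < end)` test is already implied by the `memchr` bound and can be dropped. More generally the hash now covers fewer bytes than `callIdLen`, so Call-IDs that differ only in the IP after `@` share a dialog hash; a comment stating that this is intended for NAT, and whether dialog lookup also compares the full Call-ID, would help the next reader. `end - start` is also handed to `memchr` without a check that it is positive, and the hunk does not show the caller guaranteeing that. The function body appears to continue past the end of the hunk.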