From: Victor Julien Date: Fri, 13 Apr 2012 14:52:32 +0000 (+0200) Subject: ipv6: improve handling of packets with duplicate (or more) ipv6 extension headers. X-Git-Tag: suricata-1.3beta2~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98c30be2db5ecafd26f29303f95409cc8379b95f;p=thirdparty%2Fsuricata.git ipv6: improve handling of packets with duplicate (or more) ipv6 extension headers.
---
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index a29540fa8a..9e49d57097 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -89,6 +89,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 SCReturn;
 case IPPROTO_ROUTING:
+ IPV6_SET_L4PROTO(p,nh);
 hdrextlen = 8 + (*(pkt+1) * 8); /* 8 bytes + length in 8 octet units */
 SCLogDebug("hdrextlen %"PRIu8, hdrextlen);
@@ -149,6 +150,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 IPV6OptJumbo *jumbo = NULL;
 uint8_t optslen = 0;
+ IPV6_SET_L4PROTO(p,nh);
 hdrextlen = (*(pkt+1) + 1) << 3;
 if (hdrextlen > plen) {
 ENGINE_SET_EVENT(p, IPV6_TRUNC_EXTHDR);
@@ -274,6 +276,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 }
 case IPPROTO_FRAGMENT:
+ IPV6_SET_L4PROTO(p,nh);
 /* store the offset of this extension into the packet
 * past the ipv6 header. We use it in defrag for creating
 * a defragmented packet without the frag header */
@@ -326,6 +329,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 case IPPROTO_ESP:
 {
+ IPV6_SET_L4PROTO(p,nh);
 hdrextlen = sizeof(IPV6EspHdr);
 if (hdrextlen > plen) {
 ENGINE_SET_EVENT(p, IPV6_TRUNC_EXTHDR);
@@ -355,6 +359,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 }
 case IPPROTO_AH:
 {
+ IPV6_SET_L4PROTO(p,nh);
 /* we need the header as a minimum */
 hdrextlen = sizeof(IPV6AuthHdr);
 /* the payload len field is the number of extra 4 byte fields */
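Review bot: The same `IPV6_SET_L4PROTO(p,nh);` line is pasted at the top of the routing, hop-by-hop/destination-options, fragment, ESP and AH cases, so any case of this switch that is not in these hunks is silently left out (the loop head and the remaining cases of DecodeIPV6ExtHdrs lie outside the hunks); hoisting the one call to just before the `switch` on `nh` would cover every header type with a single line. Nothing in the hunks says why the value is recorded at every header rather than once; a comment at that call such as `/* record every next-header we walk so l4proto ends up as the last one seen, even once the per-packet ext-header bookkeeping can no longer store it */` would make the intent behind "duplicate (or more) ipv6 extension headers" readable from the code — the second half of that sentence is inferred from the removed IPV6_GET_UPPER_PROTO macro, so confirm it. In the hop-by-hop, ESP and AH hunks the call also precedes the `if (hdrextlen > plen)` truncation check, so a truncated header leaves l4proto set to that extension header's protocol number; if the truncation path returns out of the decoder, IP_GET_IPPROTO callers will look signatures up under that number, which may or may not be what is wanted. Style: a space after the comma, `IPV6_SET_L4PROTO(p, nh);`, matches the other macro calls in these hunks such as `ENGINE_SET_EVENT(p, IPV6_TRUNC_EXTHDR)`.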
diff --git a/src/decode-ipv6.h b/src/decode-ipv6.h
index 6f7502220d..61d2c37a48 100644
--- a/src/decode-ipv6.h
+++ b/src/decode-ipv6.h
@@ -93,8 +93,8 @@ typedef struct IPV6Hdr_
 ((p)->ip6vars.l4proto)
 /** \brief get the highest proto/next header field we know */
-#define IPV6_GET_UPPER_PROTO(p) (p)->ip6eh.ip6_exthdrs_cnt ? \
- (p)->ip6eh.ip6_exthdrs[(p)->ip6eh.ip6_exthdrs_cnt - 1].next : IPV6_GET_NH((p))
+//#define IPV6_GET_UPPER_PROTO(p) (p)->ip6eh.ip6_exthdrs_cnt ?
+// (p)->ip6eh.ip6_exthdrs[(p)->ip6eh.ip6_exthdrs_cnt - 1].next : IPV6_GET_NH((p))
 /* helper structure with parsed ipv6 info */
 typedef struct IPV6Vars_
diff --git a/src/decode.h b/src/decode.h
index 42e3770569..274c1391e3 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -222,7 +222,8 @@ typedef uint16_t Port;
 /* Retrieve proto regardless of IP version */
 #define IP_GET_IPPROTO(p) \
- (PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_UPPER_PROTO((p)) : 0))
+ (p->proto ? p->proto : \
+ (PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_L4PROTO((p)) : 0)))
 /* structure to store the sids/gids/etc the detection engine
 * found in this packet */
diff --git a/src/detect.c b/src/detect.c
index f2c0e18002..88bd2544f9 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1012,6 +1012,7 @@ SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThre
 f = 1;
 SCLogDebug("f %d", f);
+ SCLogDebug("IP_GET_IPPROTO(p) %u", IP_GET_IPPROTO(p));
 /* find the right mpm instance */
 DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[IP_GET_IPPROTO(p)], &p->src);
@@ -6600,7 +6601,7 @@ end:
 return result;
 }
-int SigTest27NegativeTCPV4Keyword(void)
+static int SigTest27NegativeTCPV4Keyword(void)
 {
 uint8_t raw_ipv4[] = {
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
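Review bot: The old IPV6_GET_UPPER_PROTO definition is kept as two `//` lines instead of being deleted, and the continuation backslash is dropped from the first one, so what survives is neither a usable macro nor a readable comment. Delete both lines; version control already holds the old definition. If a pointer for readers is wanted, one real comment does the job, e.g. `/* IPV6_GET_UPPER_PROTO was removed: use IPV6_GET_L4PROTO, which the decoder now updates at every extension header it walks. */` — the second half of that sentence reflects what the decode-ipv6.c hunks of this commit do.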
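Review bot: The new first branch of IP_GET_IPPROTO uses the macro argument bare (`p->proto`, twice) while every other use in the same macro is written `(p)`, so an argument that is not a plain identifier (`pa + i`, `*pp`) expands wrongly; write `((p)->proto ? (p)->proto : \`. The branch also changes the macro's meaning for IPv4 packets, since `proto` now takes precedence over IPV4_GET_IPPROTO for every packet — presumably `proto` is zero until a decoder fills it in, but that invariant is not visible here and deserves a one-line comment above the macro. The result is three nested conditionals in a macro that evaluates `p` several times; a `static inline` function would type-check `p` and avoid the repeated evaluation, though that is a larger change than this commit.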
@@ -6672,9 +6673,9 @@ int SigTest27NegativeTCPV4Keyword(void)
 de_ctx->flags |= DE_QUIET;
 de_ctx->sig_list = SigInit(de_ctx,
- "alert tcp any any -> any any "
- "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
- "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
+ "alert tcp any any -> any any "
+ "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
+ "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
 if (de_ctx->sig_list == NULL) {
 goto end;
 }
@@ -6682,7 +6683,7 @@ int SigTest27NegativeTCPV4Keyword(void)
 de_ctx->sig_list->next = SigInit(de_ctx,
 "alert tcp any any -> any any "
 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
- "msg:\"tcpv4-csum keyword check(1)\"; "
+ "msg:\"tcpv4-csum keyword check(2)\"; "
 "sid:2;)");
 if (de_ctx->sig_list->next == NULL) {
 goto end;
@@ -6692,12 +6693,14 @@ int SigTest27NegativeTCPV4Keyword(void)
 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
- if (PacketAlertCheck(p1, 1)) {
+ if (!PacketAlertCheck(p1, 1)) {
+ printf("sig 1 didn't match on p1: ");
 goto end;
 }
 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
 if (PacketAlertCheck(p2, 2)) {
+ printf("sig 2 matched on p2: ");
 goto end;
 }
@@ -6820,12 +6823,16 @@ int SigTest28TCPV6Keyword(void)
 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
- if (!(PacketAlertCheck(p1, 1)))
+ if (!(PacketAlertCheck(p1, 1))) {
+ printf("sid 1 didn't match on p1: ");
 goto end;
+ }
 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
- if (!(PacketAlertCheck(p2, 2)))
+ if (!(PacketAlertCheck(p2, 2))) {
+ printf("sid 2 didn't match on p2: ");
 goto end;
+ }
 result = 1;
 end:
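Review bot: The expected outcome for sid 1 in SigTest27NegativeTCPV4Keyword is inverted (`if (!PacketAlertCheck(p1, 1))` now fails the test when the `tcpv4-csum:invalid` rule does not fire on p1) with nothing in the hunk or the commit message saying why the old expectation was wrong, and p1/p2 are built outside the hunk so the reader cannot check it from here. A comment on the two checks would settle it, e.g. `/* p1 and p2 carry bad TCP checksums: tcpv4-csum:invalid (sid 1) must fire on p1, tcpv4-csum:valid (sid 2) must not fire on p2 */` — the checksum claim is inferred from the rules and the function name, so confirm it against the packet setup. The added diagnostics in this hunk say `sig 1` while the SigTest28TCPV6Keyword hunk says `sid 1`; one wording makes failing-test output greppable.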