From: THARANI DHARAN GANESHKUMAR -X (tganeshk - XORIANT CORPORATION at Cisco) Date: Wed, 20 Sep 2023 07:31:52 +0000 (+0000) Subject: Pull request #3980: codecs: Add IPv6 Reserved Address to GID:116 Rules X-Git-Tag: 3.1.71.0~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6188c54697db0398091eb289cb007364d409b7b;p=thirdparty%2Fsnort3.git Pull request #3980: codecs: Add IPv6 Reserved Address to GID:116 Rules Merge in SNORT/snort3 from ~TGANESHK/snort3:ipv6_newrule to master Squashed commit of the following: commit af9ad67ce413fccf9514c93893abce2591e0868e Author: THARANI DHARAN GANESHKUMAR -X (tganeshk - XORIANT CORPORATION at Cisco) Date: Mon Aug 21 22:07:34 2023 +0530 codecs: Add IPv6 Reserved Address to GID:116 Rules
---
diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt
index 47b2af399..0ddc211f5 100644
--- a/doc/reference/builtin_stubs.txt
+++ b/doc/reference/builtin_stubs.txt
@@ -725,6 +725,14 @@ An ICMPv6 packet was received that was not encapsulated in IPv6.
 The IPv6 mobility header includes an invalid value for the payload protocol field.
+116:476
+
+The IPv6 packet has a reserved source address.
+
+116:477
+
+The IPv6 packet has a reserved destination address.
+
 119:1 URI has percent encoding of an unreserved character. The ignore_unreserved option designates
diff --git a/src/codecs/codec_api.cc b/src/codecs/codec_api.cc
index 1a972f3b5..c2c2df7fb 100644
--- a/src/codecs/codec_api.cc
+++ b/src/codecs/codec_api.cc
@@ -29,6 +29,7 @@ using namespace snort;
 extern const BaseApi* cd_ipv4[]; // static due to dependence on fpdetect
+extern const BaseApi* cd_ipv6[]; // static due to dependence on fpdetect
 extern const BaseApi* cd_hopopts[]; // static to ensure the symbols CheckIPV6HopOptions
 // and CheckIPv6ExtensionOrder the final executable.
 extern const BaseApi* cd_tcp[]; // static because only file that specific functions
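Review bot: The comment on the added `extern const BaseApi* cd_ipv6[];` line, `// static due to dependence on fpdetect`, is copied verbatim from the cd_ipv4 line above it and does not explain why this commit makes the IPv6 codec static. The same wording is repeated on the `cd_ipv6.cc` entry added to `add_library( ip_codecs OBJECT` in src/codecs/ip/CMakeLists.txt. Judging by the includes added to cd_ipv6.cc (`parser/parse_ip.h`, `sfip/sf_ipvar.h`), the real dependency appears to be the IP-variable parser; if that is right, say so instead, e.g. `// static due to dependence on sfip variable parsing`.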
@@ -53,7 +54,6 @@ extern const BaseApi* cd_icmp4[];
 extern const BaseApi* cd_icmp4_ip[];
 extern const BaseApi* cd_icmp6[];
 extern const BaseApi* cd_icmp6_ip[];
-extern const BaseApi* cd_ipv6[];
 extern const BaseApi* cd_igmp[];
 extern const BaseApi* cd_llc[];
 extern const BaseApi* cd_mobility[];
@@ -75,6 +75,7 @@ extern const BaseApi* cd_vxlan[];
 void load_codecs()
 {
 PluginManager::load_plugins(cd_ipv4);
+ PluginManager::load_plugins(cd_ipv6);
 PluginManager::load_plugins(cd_tcp);
 PluginManager::load_plugins(cd_hopopts);
@@ -97,7 +98,6 @@ void load_codecs()
 PluginManager::load_plugins(cd_icmp4_ip);
 PluginManager::load_plugins(cd_icmp6);
 PluginManager::load_plugins(cd_icmp6_ip);
- PluginManager::load_plugins(cd_ipv6);
 PluginManager::load_plugins(cd_igmp);
 PluginManager::load_plugins(cd_llc);
 PluginManager::load_plugins(cd_mobility);
diff --git a/src/codecs/codec_module.h b/src/codecs/codec_module.h
index 8f2434d91..af17bdb3a 100644
--- a/src/codecs/codec_module.h
+++ b/src/codecs/codec_module.h
@@ -226,6 +226,8 @@ enum CodecSid : uint32_t
 DECODE_BAD_ETHER_TYPE,
 DECODE_ICMP6_NOT_IP6,
 DECODE_MIPV6_BAD_PAYLOAD_PROTO,
+ DECODE_IPV6_SRC_RESERVED,
+ DECODE_IPV6_DST_RESERVED,
 DECODE_INDEX_MAX
 };
diff --git a/src/codecs/ip/CMakeLists.txt b/src/codecs/ip/CMakeLists.txt
index bd7e6a264..de8a58d8a 100644
--- a/src/codecs/ip/CMakeLists.txt
+++ b/src/codecs/ip/CMakeLists.txt
@@ -10,7 +10,6 @@ if( STATIC_CODECS )
 cd_icmp4.cc
 cd_icmp6.cc
 cd_igmp.cc
- cd_ipv6.cc
 cd_no_next.cc
 cd_mobility.cc
 cd_pgm.cc
@@ -30,7 +29,7 @@ else()
 add_dynamic_module(cd_icmp6 codecs cd_icmp6.cc checksum.h)
 add_dynamic_module(cd_igmp codecs cd_igmp.cc)
 # add_dynamic_module(cd_ipv4 codecs cd_ipv4.cc checksum.h)
- add_dynamic_module(cd_ipv6 codecs cd_ipv6.cc checksum.h)
+# add_dynamic_module(cd_ipv6 codecs cd_ipv6.cc checksum.h)
 add_dynamic_module(cd_mobility codecs cd_mobility.cc)
 add_dynamic_module(cd_no_next codecs cd_no_next.cc)
 add_dynamic_module(cd_pgm codecs cd_pgm.cc checksum.h)
@@ -43,6 +42,7 @@ endif()
 add_library( ip_codecs OBJECT
 cd_ipv4.cc # Static due to its dependence on fpdetect
+ cd_ipv6.cc # Static due to its dependence on fpdetect
 cd_hop_opts.cc # Ensured the symbols CheckIPV6HopOptions && CheckIPv6ExtensionOrder are in the binary.
 cd_tcp.cc # Only file to use some functions. Must be included in binary.
 checksum.h
diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc
index 07fb79d08..1886ab9e7 100644
--- a/src/codecs/ip/cd_ipv6.cc
+++ b/src/codecs/ip/cd_ipv6.cc
@@ -29,12 +29,15 @@
 #include "framework/codec.h"
 #include "log/text_log.h"
 #include "main/snort_config.h"
+#include "parser/parse_ip.h"
+#include "sfip/sf_ipvar.h"
 using namespace snort;
 #define CD_IPV6_NAME "ipv6"
 #define CD_IPV6_HELP_STR "support for Internet protocol v6"
 #define CD_IPV6_HELP ADD_DLT(CD_IPV6_HELP_STR, DLT_IPV6)
+static sfip_var_t* ReservedIpv6 = nullptr;
 namespace {
@@ -72,6 +75,8 @@ static const RuleMap ipv6_rules[] =
 { DECODE_IP6_EXCESS_EXT_HDR, "too many IPv6 extension headers" },
 { DECODE_MIPV6_BAD_PAYLOAD_PROTO, "IPv6 mobility header includes an invalid value for the 'payload protocol' field" },
+ { DECODE_IPV6_SRC_RESERVED, "IPv6 packet from reserved source address" },
+ { DECODE_IPV6_DST_RESERVED, "IPv6 packet to reserved dest address" },
 { 0, nullptr }
 };
@@ -277,6 +282,15 @@ void Ipv6Codec::IPV6MiscTests(const DecodeData& snort, const CodecData& codec)
 {
 codec_event(codec, DECODE_IPV6_DST_ZERO);
 }
+
+ if (codec.conf->is_address_anomaly_check_enabled())
+ {
+ if (sfvar_ip_in(ReservedIpv6, ip_src))
+ codec_event(codec, DECODE_IPV6_SRC_RESERVED);
+
+ if (sfvar_ip_in(ReservedIpv6, ip_dst))
+ codec_event(codec, DECODE_IPV6_DST_RESERVED);
+ }
 }
 void Ipv6Codec::CheckIPV6Multicast(const ip::IP6Hdr* const ip6h, const CodecData& codec)
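Review bot: With the address anomaly check enabled, the new block in IPV6MiscTests can raise a second event for a packet that an existing check already flags: the reserved list set up elsewhere in this commit begins with `0000::/8`, which contains `::`, and the context line directly above the block already fires `DECODE_IPV6_DST_ZERO` (presumably for an all-zero destination; the condition is outside the hunk). If the double alert is intended, add a comment saying so, e.g. `// may fire in addition to the more specific zero-address events`; otherwise skip the reserved lookup once a more specific address event has fired. The two `sfvar_ip_in(ReservedIpv6, ...)` calls also depend on `ReservedIpv6` having been set by the plugin init hook, which nothing in this block verifies. IPV6MiscTests begins before this hunk, so the earlier checks are not visible here.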
@@ -661,6 +675,21 @@ static Module* mod_ctor()
 static void mod_dtor(Module* m) { delete m; }
+static void ipv6_codec_ginit()
+{
+ /* Check against reserved ipv6 addresses. These are listed at:
+ https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml */
+ ReservedIpv6 = sfip_var_from_string(
+ "[0000::/8,0100::/8,0200::/7,0400::/6,0800::/5,1000::/4,4000::/3,6000::/3,8000::/3,"
+ "a000::/3,c000::/3,e000::/4,f000::/5,f800::/6,fe00::/9]", "ipv6");
+ assert(ReservedIpv6);
+}
+
+static void ipv6_codec_gterm()
+{
+ sfvar_free(ReservedIpv6);
+}
+
 static Codec* ctor(Module*) { return new Ipv6Codec(); }
@@ -681,8 +710,8 @@ static const CodecApi ipv6_api =
 mod_ctor,
 mod_dtor,
 },
- nullptr, // pinit
- nullptr, // pterm
+ ipv6_codec_ginit, // pinit
+ ipv6_codec_gterm, // pterm
 nullptr, // tinit
 nullptr, // tterm
 ctor, // ctor
diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc
index 56262fc3a..f296d9953 100755
--- a/src/service_inspectors/http_inspect/http_inspect.cc
+++ b/src/service_inspectors/http_inspect/http_inspect.cc
@@ -703,6 +703,11 @@ const uint8_t* HttpInspect::adjust_log_packet(Packet* p, uint16_t& length)
 else return nullptr;
+ // FIXIT-L IPV6 regression test fails with IPv6 anomaly check enabled and
+ // 'other_section' is NULL. Seems to be a bug in HNI. Needs investigation
+ if (!other_section)
+ return nullptr;
+
 const Field& start_line = other_section->get_classic_buffer(id, 0, 0);
 if (start_line.length() > 0)
 {
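Review bot: `assert(ReservedIpv6);` in ipv6_codec_ginit() is the only check on the result of `sfip_var_from_string()`, and assert is compiled out when NDEBUG is defined, so a failed parse in a release build would leave `ReservedIpv6` null. Rules 116:476 and 116:477 would then either never fire or the per-packet lookup would dereference null, depending on how `sfvar_ip_in()` treats a null variable (not visible here). Replace the assert with a runtime check that reports the failure, for example `if (!ReservedIpv6) FatalError("ipv6: cannot parse reserved address list\n");`, assuming the project's fatal-error helper is reachable from this file. The block comment should also say that `0000::/8` contains assigned special-purpose ranges such as IPv4-mapped `::ffff:0:0/96` and the NAT64 prefix `64:ff9b::/96`, so deployments carrying such traffic should expect both rules to fire on it.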
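Review bot: The hooks are named `ipv6_codec_ginit` and `ipv6_codec_gterm`, yet they are installed in the slots this table labels `// pinit` and `// pterm`; rename them to `ipv6_codec_pinit` and `ipv6_codec_pterm` so the names match the lifecycle stage they run in. Separately, `ipv6_codec_gterm()` (defined in the previous hunk) frees `ReservedIpv6` without resetting it, so if the init/term pair can run more than once in a process, or a packet is decoded after term, the static pointer is left dangling. `sfvar_free(ReservedIpv6); ReservedIpv6 = nullptr;` closes that. The `ipv6_api` initializer starts and ends outside this hunk.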
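Review bot: The added `if (!other_section) return nullptr;` stops a null dereference at `other_section->get_classic_buffer(id, 0, 0)`, but the FIXIT comment says the cause is unknown, so the guard hides the condition instead of recording it. When it triggers, adjust_log_packet() returns early and nothing is counted or traced, which makes the underlying bug hard to find later and leaves the logged packet without the start line. Consider incrementing a peg count or emitting a debug trace in this branch, and extend the comment with how to reproduce the case (which regression test, which section type). The function starts and ends outside this hunk, so how `other_section` is assigned is not visible here.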