Fix null dereference in eve-log

Eve-log would call GET_VLAN_ID on the packets vlan header if p->vlan_idx
was bigger than 0. GET_VLAN_ID would then unconditionally dereference
p->vlanh[0] or [1]. However, there are a number of cases in which these
pointers are not set. Defrag pseudo packets, AF_PACKET and in the future
PF_RING, do set the id's, but not the header pointers.

This patch adds 2 new macro's which are wrappers around a function:

VLAN_GET_ID1 and VLAN_GET_ID2 get the id's by calling DecodeVLANGetId.

This function will return the correct id.

Bug #1120.

diff --git a/src/decode-vlan.c b/src/decode-vlan.c
index b3decaef2d699902dab26c52a8f121e380dd60cc..6675918c87a14e5d59a01d66ffa47caf87e4f747 100644 (file)
--- a/src/decode-vlan.c
+++ b/src/decode-vlan.c
@@ -126,6 +126,19 @@ int DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
     return TM_ECODE_OK;
 }
 
+uint16_t DecodeVLANGetId(const Packet *p, uint8_t layer)
+{
+    if (unlikely(layer > 1))
+        return 0;
+
+    if (p->vlanh[layer] == NULL && (p->vlan_idx >= (layer + 1))) {
+        return p->vlan_id[layer];
+    } else {
+        return GET_VLAN_ID(p->vlanh[layer]);
+    }
+    return 0;
+}
+
 #ifdef UNITTESTS
 /** \todo Must GRE+VLAN and Multi-Vlan packets to
  * create more tests

diff --git a/src/decode-vlan.h b/src/decode-vlan.h
index 631a2b820930ba301889b1db87f8a219e6f207a8..bf9135ec5742f00064ba27fc50e9d22bda80b857 100644 (file)
--- a/src/decode-vlan.h
+++ b/src/decode-vlan.h
@@ -24,6 +24,8 @@
 #ifndef __DECODE_VLAN_H__
 #define __DECODE_VLAN_H__
 
+uint16_t DecodeVLANGetId(const struct Packet_ *, uint8_t layer);
+
 /** Vlan type */
 #define ETHERNET_TYPE_VLAN          0x8100
 
@@ -33,6 +35,9 @@
 #define GET_VLAN_ID(vlanh)          ((uint16_t)(ntohs((vlanh)->vlan_cfi) & 0x0FFF))
 #define GET_VLAN_PROTO(vlanh)       ((ntohs((vlanh)->protocol)))
 
+#define VLAN_GET_ID1(p)             DecodeVLANGetId((p), 0)
+#define VLAN_GET_ID2(p)             DecodeVLANGetId((p), 1)
+
 /** Vlan header struct */
 typedef struct VLANHdr_ {
     uint16_t vlan_cfi;

diff --git a/src/output-json.c b/src/output-json.c
index e0b2257746161cf8e00e77281d093406a807bc01..e91f008c608daec351810356f3903354163d28e3 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -225,15 +225,15 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive, char *event_type)
         switch (p->vlan_idx) {
             case 1:
                 json_object_set_new(js, "vlan",
-                                    json_integer(ntohs(GET_VLAN_ID(p->vlanh[0]))));
+                                    json_integer(ntohs(VLAN_GET_ID1(p))));
                 break;
             case 2:
                 js_vlan = json_array();
                 if (unlikely(js != NULL)) {
                     json_array_append_new(js_vlan,
-                                    json_integer(ntohs(GET_VLAN_ID(p->vlanh[0]))));
+                                    json_integer(ntohs(VLAN_GET_ID1(p))));
                     json_array_append_new(js_vlan,
-                                    json_integer(ntohs(GET_VLAN_ID(p->vlanh[1]))));
+                                    json_integer(ntohs(VLAN_GET_ID2(p))));
                     json_object_set_new(js, "vlan", js_vlan);
                 }
                 break;