aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

decode/udp: move udph into L4 packet data

Browse Source 
To recude Packet size.

Ticket: #6938.
pull/10971/head
Victor Julien 2 years ago committed by Victor Julien
parent 54362d44db
commit 28ac86096a
12 changed files with 72 additions and 58 deletions
Show Stats Download Patch File Download Diff File

18
src/decode-udp.c
Unescape Escape View File

@ -49,23 +49,23 @@ static int DecodeUDPPacket(ThreadVars *t, Packet *p, const uint8_t *pkt, uint16_
return -1; return -1;
} }
p->udph = (UDPHdr *)pkt; const UDPHdr *udph = PacketSetUDP(p, pkt);
if (unlikely(len < UDP_GET_LEN(p))) { if (unlikely(len < UDP_GET_RAW_LEN(udph))) {
ENGINE_SET_INVALID_EVENT(p, UDP_PKT_TOO_SMALL); ENGINE_SET_INVALID_EVENT(p, UDP_PKT_TOO_SMALL);
return -1; return -1;
} }
if (unlikely(UDP_GET_LEN(p) < UDP_HEADER_LEN)) { if (unlikely(UDP_GET_RAW_LEN(udph) < UDP_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, UDP_LEN_INVALID); ENGINE_SET_INVALID_EVENT(p, UDP_LEN_INVALID);
return -1; return -1;
} }
SET_UDP_SRC_PORT(p,&p->sp); p->sp = UDP_GET_RAW_SRC_PORT(udph);
SET_UDP_DST_PORT(p,&p->dp); p->dp = UDP_GET_RAW_DST_PORT(udph);
p->payload = (uint8_t *)pkt + UDP_HEADER_LEN; p->payload = (uint8_t *)pkt + UDP_HEADER_LEN;
p->payload_len = UDP_GET_LEN(p) - UDP_HEADER_LEN; p->payload_len = UDP_GET_RAW_LEN(udph) - UDP_HEADER_LEN;
p->proto = IPPROTO_UDP; p->proto = IPPROTO_UDP;
@ -78,12 +78,12 @@ int DecodeUDP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
StatsIncr(tv, dtv->counter_udp); StatsIncr(tv, dtv->counter_udp);
if (unlikely(DecodeUDPPacket(tv, p, pkt,len) < 0)) { if (unlikely(DecodeUDPPacket(tv, p, pkt,len) < 0)) {
CLEAR_UDP_PACKET(p); PacketClearL4(p);
return TM_ECODE_FAILED; return TM_ECODE_FAILED;
} }
SCLogDebug("UDP sp: %" PRIu32 " -> dp: %" PRIu32 " - HLEN: %" PRIu32 " LEN: %" PRIu32 "", SCLogDebug("UDP sp: %u -> dp: %u - HLEN: %" PRIu32 " LEN: %" PRIu32 "", p->sp, p->dp,
UDP_GET_SRC_PORT(p), UDP_GET_DST_PORT(p), UDP_HEADER_LEN, p->payload_len); UDP_HEADER_LEN, p->payload_len);
if (DecodeTeredoEnabledForPort(p->sp, p->dp) && if (DecodeTeredoEnabledForPort(p->sp, p->dp) &&
likely(DecodeTeredo(tv, dtv, p, p->payload, p->payload_len) == TM_ECODE_OK)) { likely(DecodeTeredo(tv, dtv, p, p->payload, p->payload_len) == TM_ECODE_OK)) {

5
src/decode-udp.h
Unescape Escape View File

@ -46,11 +46,6 @@ typedef struct UDPHdr_
uint16_t uh_sum; /* checksum */ uint16_t uh_sum; /* checksum */
} UDPHdr; } UDPHdr;
#define CLEAR_UDP_PACKET(p) \
do { \
(p)->udph = NULL; \
} while (0)
void DecodeUDPV4RegisterTests(void); void DecodeUDPV4RegisterTests(void);
/** ------ Inline function ------ */ /** ------ Inline function ------ */

19
src/decode.h
Unescape Escape View File

@ -439,6 +439,7 @@ struct PacketL3 {
enum PacketL4Types { enum PacketL4Types {
PACKET_L4_UNKNOWN = 0, PACKET_L4_UNKNOWN = 0,
PACKET_L4_UDP,
PACKET_L4_ICMPV4, PACKET_L4_ICMPV4,
PACKET_L4_ICMPV6, PACKET_L4_ICMPV6,
PACKET_L4_SCTP, PACKET_L4_SCTP,
@ -451,6 +452,7 @@ struct PacketL4 {
bool csum_set; bool csum_set;
uint16_t csum; uint16_t csum;
union L4Hdrs { union L4Hdrs {
UDPHdr *udph;
ICMPV4Hdr *icmpv4h; ICMPV4Hdr *icmpv4h;
ICMPV6Hdr *icmpv6h; ICMPV6Hdr *icmpv6h;
SCTPHdr *sctph; SCTPHdr *sctph;
@ -591,7 +593,6 @@ typedef struct Packet_
#define tcpvars l4vars.tcpvars #define tcpvars l4vars.tcpvars
TCPHdr *tcph; TCPHdr *tcph;
UDPHdr *udph;
/* ptr to the payload of the packet /* ptr to the payload of the packet
* with it's length. */ * with it's length. */
@ -797,9 +798,23 @@ static inline bool PacketIsTCP(const Packet *p)
return PKT_IS_TCP(p); return PKT_IS_TCP(p);
} }
static inline UDPHdr *PacketSetUDP(Packet *p, const uint8_t *buf)
{
DEBUG_VALIDATE_BUG_ON(p->l4.type != PACKET_L4_UNKNOWN);
p->l4.type = PACKET_L4_UDP;
p->l4.hdrs.udph = (UDPHdr *)buf;
return p->l4.hdrs.udph;
}
static inline const UDPHdr *PacketGetUDP(const Packet *p)
{
DEBUG_VALIDATE_BUG_ON(p->l4.type != PACKET_L4_UDP);
return p->l4.hdrs.udph;
}
static inline bool PacketIsUDP(const Packet *p) static inline bool PacketIsUDP(const Packet *p)
{ {
return PKT_IS_UDP(p); return p->l4.type == PACKET_L4_UDP;
} }
static inline ICMPV4Hdr *PacketSetICMPv4(Packet *p, const uint8_t *buf) static inline ICMPV4Hdr *PacketSetICMPv4(Packet *p, const uint8_t *buf)

16
src/detect-csum.c
Unescape Escape View File

@ -507,8 +507,11 @@ static int DetectUDPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
{ {
const DetectCsumData *cd = (const DetectCsumData *)ctx; const DetectCsumData *cd = (const DetectCsumData *)ctx;
if (!PacketIsIPv4(p) || !PacketIsUDP(p) || p->proto != IPPROTO_UDP || PKT_IS_PSEUDOPKT(p) || if (!PacketIsIPv4(p) || !PacketIsUDP(p) || p->proto != IPPROTO_UDP || PKT_IS_PSEUDOPKT(p))
p->udph->uh_sum == 0) return 0;
const UDPHdr *udph = PacketGetUDP(p);
if (udph->uh_sum == 0)
return 0; return 0;
if (p->flags & PKT_IGNORE_CHECKSUM) { if (p->flags & PKT_IGNORE_CHECKSUM) {
@ -517,8 +520,8 @@ static int DetectUDPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
if (!p->l4.csum_set) { if (!p->l4.csum_set) {
const IPV4Hdr *ip4h = PacketGetIPv4(p); const IPV4Hdr *ip4h = PacketGetIPv4(p);
p->l4.csum = UDPV4Checksum(ip4h->s_ip_addrs, (uint16_t *)p->udph, p->l4.csum = UDPV4Checksum(ip4h->s_ip_addrs, (uint16_t *)udph,
(p->payload_len + UDP_HEADER_LEN), p->udph->uh_sum); (p->payload_len + UDP_HEADER_LEN), udph->uh_sum);
p->l4.csum_set = true; p->l4.csum_set = true;
} }
if (p->l4.csum == 0 && cd->valid == 1) if (p->l4.csum == 0 && cd->valid == 1)
@ -606,8 +609,9 @@ static int DetectUDPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
if (!p->l4.csum_set) { if (!p->l4.csum_set) {
const IPV6Hdr *ip6h = PacketGetIPv6(p); const IPV6Hdr *ip6h = PacketGetIPv6(p);
p->l4.csum = UDPV6Checksum(ip6h->s_ip6_addrs, (uint16_t *)p->udph, const UDPHdr *udph = PacketGetUDP(p);
(p->payload_len + UDP_HEADER_LEN), p->udph->uh_sum); p->l4.csum = UDPV6Checksum(ip6h->s_ip6_addrs, (uint16_t *)udph,
(p->payload_len + UDP_HEADER_LEN), udph->uh_sum);
p->l4.csum_set = true; p->l4.csum_set = true;
} }
if (p->l4.csum == 0 && cd->valid == 1) if (p->l4.csum == 0 && cd->valid == 1)

11
src/detect-udphdr.c
Unescape Escape View File

@ -102,17 +102,16 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
if (!PacketIsUDP(p)) { if (!PacketIsUDP(p)) {
return NULL; return NULL;
} }
if (((uint8_t *)p->udph + (ptrdiff_t)UDP_HEADER_LEN) > const UDPHdr *udph = PacketGetUDP(p);
((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p))) if (((uint8_t *)udph + (ptrdiff_t)UDP_HEADER_LEN) >
{ ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p))) {
SCLogDebug("data out of range: %p > %p", SCLogDebug("data out of range: %p > %p", ((uint8_t *)udph + (ptrdiff_t)UDP_HEADER_LEN),
((uint8_t *)p->udph + (ptrdiff_t)UDP_HEADER_LEN),
((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p))); ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)));
return NULL; return NULL;
} }
const uint32_t data_len = UDP_HEADER_LEN; const uint32_t data_len = UDP_HEADER_LEN;
const uint8_t *data = (const uint8_t *)p->udph; const uint8_t *data = (const uint8_t *)udph;
InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
InspectionBufferApplyTransforms(buffer, transforms); InspectionBufferApplyTransforms(buffer, transforms);

4
src/flow-util.c
Unescape Escape View File

@ -174,8 +174,8 @@ void FlowInit(Flow *f, const Packet *p)
SET_TCP_SRC_PORT(p,&f->sp); SET_TCP_SRC_PORT(p,&f->sp);
SET_TCP_DST_PORT(p,&f->dp); SET_TCP_DST_PORT(p,&f->dp);
} else if (PacketIsUDP(p)) { } else if (PacketIsUDP(p)) {
SET_UDP_SRC_PORT(p,&f->sp); f->sp = p->sp;
SET_UDP_DST_PORT(p,&f->dp); f->dp = p->dp;
} else if (PacketIsICMPv4(p)) { } else if (PacketIsICMPv4(p)) {
f->icmp_s.type = p->icmp_s.type; f->icmp_s.type = p->icmp_s.type;
f->icmp_s.code = p->icmp_s.code; f->icmp_s.code = p->icmp_s.code;

3
src/output-json-drop.c
Unescape Escape View File

@ -140,7 +140,8 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
break; break;
case IPPROTO_UDP: case IPPROTO_UDP:
if (PacketIsUDP(p)) { if (PacketIsUDP(p)) {
jb_set_uint(js, "udplen", UDP_GET_LEN(p)); const UDPHdr *udph = PacketGetUDP(p);
jb_set_uint(js, "udplen", UDP_GET_RAW_LEN(udph));
} }
break; break;
case IPPROTO_ICMP: case IPPROTO_ICMP:

3
src/packet.c
Unescape Escape View File

@ -118,9 +118,6 @@ void PacketReinit(Packet *p)
if (p->tcph != NULL) { if (p->tcph != NULL) {
CLEAR_TCP_PACKET(p); CLEAR_TCP_PACKET(p);
} }
if (p->udph != NULL) {
CLEAR_UDP_PACKET(p);
}
p->payload = NULL; p->payload = NULL;
p->payload_len = 0; p->payload_len = 0;
p->BypassPacketsFlow = NULL; p->BypassPacketsFlow = NULL;

16
src/tests/detect.c
Unescape Escape View File

@ -2400,7 +2400,7 @@ static int SigTest30UDPV4Keyword(void)
memset(&th_v, 0, sizeof(ThreadVars)); memset(&th_v, 0, sizeof(ThreadVars));
PacketSetIPV4(p1, raw_ipv4); PacketSetIPV4(p1, raw_ipv4);
p1->udph = (UDPHdr *)valid_raw_udp; PacketSetUDP(p1, valid_raw_udp);
p1->src.family = AF_INET; p1->src.family = AF_INET;
p1->dst.family = AF_INET; p1->dst.family = AF_INET;
p1->payload = buf; p1->payload = buf;
@ -2408,7 +2408,7 @@ static int SigTest30UDPV4Keyword(void)
p1->proto = IPPROTO_UDP; p1->proto = IPPROTO_UDP;
PacketSetIPV4(p2, raw_ipv4); PacketSetIPV4(p2, raw_ipv4);
p2->udph = (UDPHdr *)invalid_raw_udp; PacketSetUDP(p2, invalid_raw_udp);
p2->src.family = AF_INET; p2->src.family = AF_INET;
p2->dst.family = AF_INET; p2->dst.family = AF_INET;
p2->payload = buf; p2->payload = buf;
@ -2504,7 +2504,7 @@ static int SigTest31NegativeUDPV4Keyword(void)
memset(&th_v, 0, sizeof(ThreadVars)); memset(&th_v, 0, sizeof(ThreadVars));
PacketSetIPV4(p1, raw_ipv4); PacketSetIPV4(p1, raw_ipv4);
p1->udph = (UDPHdr *)valid_raw_udp; PacketSetUDP(p1, valid_raw_udp);
p1->src.family = AF_INET; p1->src.family = AF_INET;
p1->dst.family = AF_INET; p1->dst.family = AF_INET;
p1->payload = buf; p1->payload = buf;
@ -2512,7 +2512,7 @@ static int SigTest31NegativeUDPV4Keyword(void)
p1->proto = IPPROTO_UDP; p1->proto = IPPROTO_UDP;
PacketSetIPV4(p2, raw_ipv4); PacketSetIPV4(p2, raw_ipv4);
p2->udph = (UDPHdr *)invalid_raw_udp; PacketSetUDP(p2, invalid_raw_udp);
p2->src.family = AF_INET; p2->src.family = AF_INET;
p2->dst.family = AF_INET; p2->dst.family = AF_INET;
p2->payload = buf; p2->payload = buf;
@ -2613,7 +2613,7 @@ static int SigTest32UDPV6Keyword(void)
memset(&th_v, 0, sizeof(ThreadVars)); memset(&th_v, 0, sizeof(ThreadVars));
PacketSetIPV6(p1, valid_raw_ipv6 + 14); PacketSetIPV6(p1, valid_raw_ipv6 + 14);
p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54); PacketSetUDP(p1, valid_raw_ipv6 + 54);
p1->src.family = AF_INET; p1->src.family = AF_INET;
p1->dst.family = AF_INET; p1->dst.family = AF_INET;
p1->payload = buf; p1->payload = buf;
@ -2621,7 +2621,7 @@ static int SigTest32UDPV6Keyword(void)
p1->proto = IPPROTO_UDP; p1->proto = IPPROTO_UDP;
PacketSetIPV6(p2, invalid_raw_ipv6 + 14); PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54); PacketSetUDP(p2, invalid_raw_ipv6 + 54);
p2->src.family = AF_INET; p2->src.family = AF_INET;
p2->dst.family = AF_INET; p2->dst.family = AF_INET;
p2->payload = buf; p2->payload = buf;
@ -2710,7 +2710,7 @@ static int SigTest33NegativeUDPV6Keyword(void)
memset(&th_v, 0, sizeof(ThreadVars)); memset(&th_v, 0, sizeof(ThreadVars));
PacketSetIPV6(p1, valid_raw_ipv6 + 14); PacketSetIPV6(p1, valid_raw_ipv6 + 14);
p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54); PacketSetUDP(p1, valid_raw_ipv6 + 54);
p1->src.family = AF_INET; p1->src.family = AF_INET;
p1->dst.family = AF_INET; p1->dst.family = AF_INET;
p1->payload = buf; p1->payload = buf;
@ -2718,7 +2718,7 @@ static int SigTest33NegativeUDPV6Keyword(void)
p1->proto = IPPROTO_UDP; p1->proto = IPPROTO_UDP;
PacketSetIPV6(p2, invalid_raw_ipv6 + 14); PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54); PacketSetUDP(p2, invalid_raw_ipv6 + 54);
p2->src.family = AF_INET; p2->src.family = AF_INET;
p2->dst.family = AF_INET; p2->dst.family = AF_INET;
p2->payload = buf; p2->payload = buf;

12
src/util-checksum.c
Unescape Escape View File

@ -36,9 +36,9 @@ int ReCalculateChecksum(Packet *p)
p->tcph->th_sum = TCPChecksum( p->tcph->th_sum = TCPChecksum(
ip4h->s_ip_addrs, (uint16_t *)p->tcph, (p->payload_len + TCP_GET_HLEN(p)), 0); ip4h->s_ip_addrs, (uint16_t *)p->tcph, (p->payload_len + TCP_GET_HLEN(p)), 0);
} else if (PacketIsUDP(p)) { } else if (PacketIsUDP(p)) {
p->udph->uh_sum = 0; p->l4.hdrs.udph->uh_sum = 0;
p->udph->uh_sum = UDPV4Checksum( p->l4.hdrs.udph->uh_sum = UDPV4Checksum(ip4h->s_ip_addrs, (uint16_t *)p->l4.hdrs.udph,
ip4h->s_ip_addrs, (uint16_t *)p->udph, (p->payload_len + UDP_HEADER_LEN), 0); (p->payload_len + UDP_HEADER_LEN), 0);
} }
/* IPV4 */ /* IPV4 */
ip4h->ip_csum = 0; ip4h->ip_csum = 0;
@ -50,9 +50,9 @@ int ReCalculateChecksum(Packet *p)
p->tcph->th_sum = TCPV6Checksum( p->tcph->th_sum = TCPV6Checksum(
ip6h->s_ip6_addrs, (uint16_t *)p->tcph, (p->payload_len + TCP_GET_HLEN(p)), 0); ip6h->s_ip6_addrs, (uint16_t *)p->tcph, (p->payload_len + TCP_GET_HLEN(p)), 0);
} else if (PacketIsUDP(p)) { } else if (PacketIsUDP(p)) {
p->udph->uh_sum = 0; p->l4.hdrs.udph->uh_sum = 0;
p->udph->uh_sum = UDPV6Checksum( p->l4.hdrs.udph->uh_sum = UDPV6Checksum(ip6h->s_ip6_addrs, (uint16_t *)p->l4.hdrs.udph,
ip6h->s_ip6_addrs, (uint16_t *)p->udph, (p->payload_len + UDP_HEADER_LEN), 0); (p->payload_len + UDP_HEADER_LEN), 0);
} }
} }

21
src/util-unittest-helper.c
Unescape Escape View File

@ -292,15 +292,16 @@ Packet *UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len,
int hdr_offset = sizeof(IPV4Hdr); int hdr_offset = sizeof(IPV4Hdr);
switch (ipproto) { switch (ipproto) {
case IPPROTO_UDP: case IPPROTO_UDP: {
p->udph = (UDPHdr *)(GET_PKT_DATA(p) + sizeof(IPV4Hdr)); UDPHdr *udph = PacketSetUDP(p, (GET_PKT_DATA(p) + sizeof(IPV4Hdr)));
if (p->udph == NULL) if (udph == NULL)
goto error; goto error;
p->udph->uh_sport = sport; udph->uh_sport = sport;
p->udph->uh_dport = dport; udph->uh_dport = dport;
hdr_offset += sizeof(UDPHdr); hdr_offset += sizeof(UDPHdr);
break; break;
}
case IPPROTO_TCP: case IPPROTO_TCP:
p->tcph = (TCPHdr *)(GET_PKT_DATA(p) + sizeof(IPV4Hdr)); p->tcph = (TCPHdr *)(GET_PKT_DATA(p) + sizeof(IPV4Hdr));
if (p->tcph == NULL) if (p->tcph == NULL)
@ -926,14 +927,16 @@ static int CheckUTHTestPacket(Packet *p, uint8_t ipproto)
return 0; return 0;
switch(ipproto) { switch(ipproto) {
case IPPROTO_UDP: case IPPROTO_UDP: {
if (p->udph == NULL) const UDPHdr *udph = PacketGetUDP(p);
if (udph == NULL)
return 0; return 0;
if (p->udph->uh_sport != sport) if (udph->uh_sport != sport)
return 0; return 0;
if (p->udph->uh_dport != dport) if (udph->uh_dport != dport)
return 0; return 0;
break; break;
}
case IPPROTO_TCP: case IPPROTO_TCP:
if (p->tcph == NULL) if (p->tcph == NULL)
return 0; return 0;

2
src/util-validate.h
Unescape Escape View File

@ -75,7 +75,7 @@
if ((p)->proto == IPPROTO_TCP) { \ if ((p)->proto == IPPROTO_TCP) { \
BUG_ON((p)->tcph == NULL); \ BUG_ON((p)->tcph == NULL); \
} else if ((p)->proto == IPPROTO_UDP) { \ } else if ((p)->proto == IPPROTO_UDP) { \
BUG_ON((p)->udph == NULL); \ BUG_ON(PacketGetUDP((p)) == NULL); \
} else if ((p)->proto == IPPROTO_ICMP) { \ } else if ((p)->proto == IPPROTO_ICMP) { \
BUG_ON(PacketGetICMPv4((p)) == NULL); \ BUG_ON(PacketGetICMPv4((p)) == NULL); \
} else if ((p)->proto == IPPROTO_SCTP) { \ } else if ((p)->proto == IPPROTO_SCTP) { \

Write Preview
Loading…
Cancel
Save