Fix null dereference in eve-log

Eve-log would call GET_VLAN_ID on the packets vlan header if p->vlan_idx was bigger than 0. GET_VLAN_ID would then unconditionally dereference p->vlanh[0] or [1]. However, there are a number of cases in which these pointers are not set. Defrag pseudo packets, AF_PACKET and in the future PF_RING, do set the id's, but not the header pointers. This patch adds 2 new macro's which are wrappers around a function: VLAN_GET_ID1 and VLAN_GET_ID2 get the id's by calling DecodeVLANGetId. This function will return the correct id. Bug #1120.
12 years ago · 872bb5664e
parent 684d787567
commit 872bb5664e
3 changed files with 21 additions and 3 deletions
--- a/src/decode-vlan.c
+++ b/src/decode-vlan.c
@ -126,6 +126,19 @@ int DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
    return TM_ECODE_OK;
 }

+uint16_t DecodeVLANGetId(const Packet *p, uint8_t layer)
+{
+    if (unlikely(layer > 1))
+        return 0;
+
+    if (p->vlanh[layer] == NULL && (p->vlan_idx >= (layer + 1))) {
+        return p->vlan_id[layer];
+    } else {
+        return GET_VLAN_ID(p->vlanh[layer]);
+    }
+    return 0;
+}
+
 #ifdef UNITTESTS
 /** \todo Must GRE+VLAN and Multi-Vlan packets to
 * create more tests
--- a/src/decode-vlan.h
+++ b/src/decode-vlan.h
@ -24,6 +24,8 @@
 #ifndef __DECODE_VLAN_H__
 #define __DECODE_VLAN_H__

+uint16_t DecodeVLANGetId(const struct Packet_ *, uint8_t layer);
+
 /** Vlan type */
 #define ETHERNET_TYPE_VLAN          0x8100

@ -33,6 +35,9 @@
 #define GET_VLAN_ID(vlanh)          ((uint16_t)(ntohs((vlanh)->vlan_cfi) & 0x0FFF))
 #define GET_VLAN_PROTO(vlanh)       ((ntohs((vlanh)->protocol)))

+#define VLAN_GET_ID1(p)             DecodeVLANGetId((p), 0)
+#define VLAN_GET_ID2(p)             DecodeVLANGetId((p), 1)
+
 /** Vlan header struct */
 typedef struct VLANHdr_ {
    uint16_t vlan_cfi;
--- a/src/output-json.c
+++ b/src/output-json.c
@ -225,15 +225,15 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive, char *event_type)
        switch (p->vlan_idx) {
            case 1:
                json_object_set_new(js, "vlan",
-                                    json_integer(ntohs(GET_VLAN_ID(p->vlanh[0]))));
+                                    json_integer(ntohs(VLAN_GET_ID1(p))));
                break;
            case 2:
                js_vlan = json_array();
                if (unlikely(js != NULL)) {
                    json_array_append_new(js_vlan,
-                                    json_integer(ntohs(GET_VLAN_ID(p->vlanh[0]))));
+                                    json_integer(ntohs(VLAN_GET_ID1(p))));
                    json_array_append_new(js_vlan,
-                                    json_integer(ntohs(GET_VLAN_ID(p->vlanh[1]))));
+                                    json_integer(ntohs(VLAN_GET_ID2(p))));
                    json_object_set_new(js, "vlan", js_vlan);
                }
                break;