ipv6: improve handling of packets with duplicate (or more) ipv6 extension headers.

remotes/origin/master
Victor Julien 14 years ago
parent d378b76c04
commit 98c30be2db

@ -89,6 +89,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
SCReturn;
case IPPROTO_ROUTING:
IPV6_SET_L4PROTO(p,nh);
hdrextlen = 8 + (*(pkt+1) * 8); /* 8 bytes + length in 8 octet units */
SCLogDebug("hdrextlen %"PRIu8, hdrextlen);
@ -149,6 +150,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
IPV6OptJumbo *jumbo = NULL;
uint8_t optslen = 0;
IPV6_SET_L4PROTO(p,nh);
hdrextlen = (*(pkt+1) + 1) << 3;
if (hdrextlen > plen) {
ENGINE_SET_EVENT(p, IPV6_TRUNC_EXTHDR);
@ -274,6 +276,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
}
case IPPROTO_FRAGMENT:
IPV6_SET_L4PROTO(p,nh);
/* store the offset of this extension into the packet
* past the ipv6 header. We use it in defrag for creating
* a defragmented packet without the frag header */
@ -326,6 +329,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
case IPPROTO_ESP:
{
IPV6_SET_L4PROTO(p,nh);
hdrextlen = sizeof(IPV6EspHdr);
if (hdrextlen > plen) {
ENGINE_SET_EVENT(p, IPV6_TRUNC_EXTHDR);
@ -355,6 +359,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
}
case IPPROTO_AH:
{
IPV6_SET_L4PROTO(p,nh);
/* we need the header as a minimum */
hdrextlen = sizeof(IPV6AuthHdr);
/* the payload len field is the number of extra 4 byte fields */
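Review bot: `IPV6_SET_L4PROTO(p,nh);` appears to be the added line in all five hunks of this file (ROUTING, the options arm at -149, FRAGMENT, ESP, AH), and nothing says why it runs before the `hdrextlen > plen` truncation checks. As written, a packet cut short inside an extension header seems to keep that header's number as its l4proto, which `IP_GET_IPPROTO` then hands to detection when `p->proto` is unset. If that is intended, state it once, e.g. `/* set before the length checks: on a truncated ext hdr l4proto stays at the last header we reached */`. Setting it once ahead of the `switch` would also cover arms this commit does not touch. The switch head and the rest of DecodeIPV6ExtHdrs lie outside the hunks, so the hoist needs checking against the full function.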

@ -93,8 +93,8 @@ typedef struct IPV6Hdr_
((p)->ip6vars.l4proto)
/** \brief get the highest proto/next header field we know */
#define IPV6_GET_UPPER_PROTO(p) (p)->ip6eh.ip6_exthdrs_cnt ? \
(p)->ip6eh.ip6_exthdrs[(p)->ip6eh.ip6_exthdrs_cnt - 1].next : IPV6_GET_NH((p))
//#define IPV6_GET_UPPER_PROTO(p) (p)->ip6eh.ip6_exthdrs_cnt ?
// (p)->ip6eh.ip6_exthdrs[(p)->ip6eh.ip6_exthdrs_cnt - 1].next : IPV6_GET_NH((p))
/* helper structure with parsed ipv6 info */
typedef struct IPV6Vars_
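Review bot: The old `IPV6_GET_UPPER_PROTO` definition looks to have been left behind as two `//` lines rather than deleted, and the Doxygen `\brief get the highest proto/next header field we know` above it no longer documents a live macro. Drop both the commented-out macro and the orphaned brief; version control keeps the old definition. Whether any caller other than `IP_GET_IPPROTO` still used the macro is not visible here, but the build will show it.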

@ -222,7 +222,8 @@ typedef uint16_t Port;
/* Retrieve proto regardless of IP version */
#define IP_GET_IPPROTO(p) \
(PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_UPPER_PROTO((p)) : 0))
(p->proto ? p->proto : \
(PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_L4PROTO((p)) : 0)))
/* structure to store the sids/gids/etc the detection engine
* found in this packet */
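Review bot: In the new `IP_GET_IPPROTO` body the macro argument is used bare in `p->proto ? p->proto`, while every other use in the same macro is written `(p)`; an argument such as `*pp` or `&pkt` would bind to `->` the wrong way. Write the first line as `((p)->proto ? (p)->proto : \`. The result is also used as an array index in detect.c (`src_gh[IP_GET_IPPROTO(p)]`), so a one-line comment saying that `proto` is expected to hold the final transport protocol and to fit that table's range would help; the field's type is not visible in this hunk.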

@ -1012,6 +1012,7 @@ SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThre
f = 1;
SCLogDebug("f %d", f);
SCLogDebug("IP_GET_IPPROTO(p) %u", IP_GET_IPPROTO(p));
/* find the right mpm instance */
DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[IP_GET_IPPROTO(p)], &p->src);
@ -6600,7 +6601,7 @@ end:
return result;
}
int SigTest27NegativeTCPV4Keyword(void)
static int SigTest27NegativeTCPV4Keyword(void)
{
uint8_t raw_ipv4[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -6682,7 +6683,7 @@ int SigTest27NegativeTCPV4Keyword(void)
de_ctx->sig_list->next = SigInit(de_ctx,
"alert tcp any any -> any any "
"(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
"msg:\"tcpv4-csum keyword check(1)\"; "
"msg:\"tcpv4-csum keyword check(2)\"; "
"sid:2;)");
if (de_ctx->sig_list->next == NULL) {
goto end;
@ -6692,12 +6693,14 @@ int SigTest27NegativeTCPV4Keyword(void)
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) {
if (!PacketAlertCheck(p1, 1)) {
printf("sig 1 didn't match on p1: ");
goto end;
}
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
if (PacketAlertCheck(p2, 2)) {
printf("sig 2 matched on p2: ");
goto end;
}
@ -6820,12 +6823,16 @@ int SigTest28TCPV6Keyword(void)
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
if (!(PacketAlertCheck(p1, 1)))
if (!(PacketAlertCheck(p1, 1))) {
printf("sid 1 didn't match on p1: ");
goto end;
}
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
if (!(PacketAlertCheck(p2, 2)))
if (!(PacketAlertCheck(p2, 2))) {
printf("sid 2 didn't match on p2: ");
goto end;
}
result = 1;
end:
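Review bot: None of the visible detect.c hunks adds a test for the case the commit is about, an IPv6 packet carrying the same extension header more than once; the test changes only touch the tcpv4-csum and TCPv6 keyword tests. `IP_GET_IPPROTO(p)` selects the signature group in SigMatchSignaturesGetSgh (`src_gh[IP_GET_IPPROTO(p)]`), so a wrong value there may leave the TCP/UDP rules unevaluated for that packet. A regression test that decodes such a packet followed by TCP and asserts that a plain `alert tcp` signature fires would pin the fix. Smaller point: the new failure messages say `sig 1`/`sig 2` in SigTest27 but `sid 1`/`sid 2` in SigTest28, so pick one spelling. The last hunk stops at `end:` inside SigTest28TCPV6Keyword.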
