Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix forwarding of tunnelled packets.

Browse source 
This fixes a bug for AYIYA, Geneve and VXLAN forwarding encapsulated
content only if it's longer than their header. A new weird is introduced
to indicate empty tunnels.
This commit is contained in:
Jan Grashoefer 2023-03-30 22:07:41 +02:00
parent 69b6443ddb
commit 073a8a6082
3 changed files with 33 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

17
src/packet_analysis/protocol/ayiya/AYIYA.cc
View file

@ -63,19 +63,22 @@ bool AYIYAAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
len -= hdr_size; len -= hdr_size;
data += hdr_size; data += hdr_size;
// We've successfully parsed the AYIYA part, so we might as well confirm this.
AnalyzerConfirmation(packet->session);
if ( len == 0 )
{
// A AYIYA header that isn't followed by a tunnelled packet seems weird.
Weird("ayiya_empty_packet", packet);
return false;
}
int encap_index = 0; int encap_index = 0;
auto inner_packet = packet_analysis::IPTunnel::build_inner_packet( auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::AYIYA, packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::AYIYA,
GetAnalyzerTag()); GetAnalyzerTag());
AnalyzerConfirmation(packet->session);
// Skip the header and pass on to the next analyzer. It's possible for AYIYA to
// just be a header and nothing after it, so check for that case.
if ( len > hdr_size )
return ForwardPacket(len, data, inner_packet.get(), next_header); return ForwardPacket(len, data, inner_packet.get(), next_header);
return true;
} }
bool AYIYAAnalyzer::DetectProtocol(size_t len, const uint8_t* data, Packet* packet) bool AYIYAAnalyzer::DetectProtocol(size_t len, const uint8_t* data, Packet* packet)

19
src/packet_analysis/protocol/geneve/Geneve.cc
View file

@ -70,21 +70,24 @@ bool GeneveAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
len -= hdr_size; len -= hdr_size;
data += hdr_size; data += hdr_size;
// We've successfully parsed everything, so we might as well confirm this. // We've successfully parsed the Geneve part, so we might as well confirm this.
AnalyzerConfirmation(packet->session); AnalyzerConfirmation(packet->session);
if ( len == 0 )
{
// A Geneve header that isn't followed by a tunnelled packet seems weird.
Weird("geneve_empty_packet", packet);
return false;
}
int encap_index = 0; int encap_index = 0;
auto inner_packet = packet_analysis::IPTunnel::build_inner_packet( auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::GENEVE, packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::GENEVE,
GetAnalyzerTag()); GetAnalyzerTag());
// Skip the header and pass on to the next analyzer. It's possible for Geneve to bool analysis_succeeded = ForwardPacket(len, data, inner_packet.get(), next_header);
// just be a header and nothing after it, so check for that case.
bool fwd_ret_val = true;
if ( len > hdr_size )
fwd_ret_val = ForwardPacket(len, data, inner_packet.get(), next_header);
if ( fwd_ret_val && geneve_packet ) if ( analysis_succeeded && geneve_packet )
{ {
EncapsulatingConn* ec = inner_packet->encap->At(encap_index); EncapsulatingConn* ec = inner_packet->encap->At(encap_index);
if ( ec && ec->ip_hdr ) if ( ec && ec->ip_hdr )
@ -92,5 +95,5 @@ bool GeneveAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni)); ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
} }
return fwd_ret_val; return analysis_succeeded;
} }

17
src/packet_analysis/protocol/vxlan/VXLAN.cc
View file

@ -47,19 +47,24 @@ bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
len -= hdr_size; len -= hdr_size;
data += hdr_size; data += hdr_size;
// We've successfully parsed everything, so we might as well confirm this. // We've successfully parsed the VXLAN part, so we might as well confirm this.
AnalyzerConfirmation(packet->session); AnalyzerConfirmation(packet->session);
if ( len == 0 )
{
// A VXLAN header that isn't followed by a tunnelled packet seems weird.
Weird("vxlan_empty_packet", packet);
return false;
}
int encap_index = 0; int encap_index = 0;
auto inner_packet = packet_analysis::IPTunnel::build_inner_packet( auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::VXLAN, packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::VXLAN,
GetAnalyzerTag()); GetAnalyzerTag());
bool fwd_ret_val = true; bool analysis_succeeded = ForwardPacket(len, data, inner_packet.get());
if ( len > hdr_size )
fwd_ret_val = ForwardPacket(len, data, inner_packet.get());
if ( fwd_ret_val && vxlan_packet ) if ( analysis_succeeded && vxlan_packet )
{ {
EncapsulatingConn* ec = inner_packet->encap->At(encap_index); EncapsulatingConn* ec = inner_packet->encap->At(encap_index);
if ( ec && ec->ip_hdr ) if ( ec && ec->ip_hdr )
@ -67,5 +72,5 @@ bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni)); ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
} }
return fwd_ret_val; return analysis_succeeded;
} }