BIT-1798: fix PPTP GRE tunnel decapsulation

2025-10-02 06:38:20 +00:00 · 2018-08-14 16:45:09 -05:00 · 2018-08-14 16:45:09 -05:00 · 0e6913fba0
commit 0e6913fba0
parent 5821c16490
8 changed files with 42 additions and 3 deletions
--- a/4
+++ b/4
@ -1,4 +1,8 @@
 2.5-841 | 2018-08-14 16:45:09 -0500
  * BIT-1798: fix PPTP GRE tunnel decapsulation (Jon Siwek, Corelight)
 2.5-840 | 2018-08-13 17:40:06 -0500
  * Fix SumStats::observe key normalization logic
--- a/2
+++ b/2
@ -1 +1 @@
-2.5-840
+2.5-841
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -532,7 +532,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		// If a carried packet has ethernet, this will help skip it.
 		unsigned int eth_len = 0;
 		unsigned int gre_len = gre_header_len(flags_ver);
-		unsigned int ppp_len = gre_version == 1 ? 1 : 0;
+		unsigned int ppp_len = gre_version == 1 ? 4 : 0;
 		if ( gre_version != 0 && gre_version != 1 )
 			{
@ -598,7 +598,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		if ( gre_version == 1 )
 			{
-			int ppp_proto = *((uint8*)(data + gre_len));
+			uint16 ppp_proto = ntohs(*((uint16*)(data + gre_len + 2)));
 			if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 )
 				{
--- a/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log
@ -0,0 +1,10 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	conn
 #open	2018-08-14-21-42-31
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1417577703.821897	C4J4Th3PJpwUYZZ6gc	172.16.44.3	40768	8.8.8.8	53	udp	dns	0.213894	71	146	SF	-	-	0	Dd	1	99	1	174	ClEkJM2Vm5giqnMf4h
 #close	2018-08-14-21-42-31
--- a/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log
+++ b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log
@ -0,0 +1,10 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	dns
 #open	2018-08-14-21-42-31
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
 1417577703.821897	C4J4Th3PJpwUYZZ6gc	172.16.44.3	40768	8.8.8.8	53	udp	42540	-	xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678	1	C_INTERNET	28	AAAA	3	NXDOMAIN	F	F	T	F	0	-	-	F
 #close	2018-08-14-21-42-31
--- a/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log
@ -0,0 +1,11 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
 #open	2018-08-14-21-42-31
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
 1417577703.821897	CHhAvVGS1DHFjwGM9	2402:f000:1:8e01::5555	0	2607:fcd0:100:2300::b108:2a6b	0	Tunnel::IP	Tunnel::DISCOVER
 1417577703.821897	ClEkJM2Vm5giqnMf4h	16.0.0.200	0	192.52.166.154	0	Tunnel::GRE	Tunnel::DISCOVER
 #close	2018-08-14-21-42-31
--- a/testing/btest/Traces/tunnels/gre-pptp.pcap
+++ b/testing/btest/Traces/tunnels/gre-pptp.pcap
--- a/testing/btest/core/tunnels/gre-pptp.test
+++ b/testing/btest/core/tunnels/gre-pptp.test
@ -0,0 +1,4 @@
 # @TEST-EXEC: bro -r $TRACES/tunnels/gre-pptp.pcap
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff dns.log