From 16f6cafd9a6b63a0ba43a283d1a57d73e045acdc Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 13 Feb 2023 16:42:11 -0700
Subject: [PATCH] Add validation of session to start of AYIYA/VXLAN/Geneve analysis

This mimics how the Teredo analyzer is already doing it, including sending a weird if the session is invalid and bailing out if the protocol was already violated.
---
 src/packet_analysis/protocol/ayiya/AYIYA.cc | 11 +++++++++++
 src/packet_analysis/protocol/geneve/Geneve.cc | 11 +++++++++++
 src/packet_analysis/protocol/vxlan/VXLAN.cc | 11 +++++++++++
 3 files changed, 33 insertions(+)

diff --git a/src/packet_analysis/protocol/ayiya/AYIYA.cc b/src/packet_analysis/protocol/ayiya/AYIYA.cc
index 203f354dc2..70b46c3df2 100644
--- a/src/packet_analysis/protocol/ayiya/AYIYA.cc
+++ b/src/packet_analysis/protocol/ayiya/AYIYA.cc
@@ -13,6 +13,17 @@ bool AYIYAAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
 if ( ! BifConst::Tunnel::enable_ayiya )
 return false;
 
+// AYIYA always comes from a TCP or UDP connection, which means that session
+// should always be valid and always be a connection. Return a weird if we
+// didn't have a session stored.
+if ( ! packet->session )
+{
+Analyzer::Weird("ayiya_missing_connection");
+return false;
+}
+else if ( AnalyzerViolated(packet->session) )
+return false;
+
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
 Weird("exceeded_tunnel_max_depth", packet);
diff --git a/src/packet_analysis/protocol/geneve/Geneve.cc b/src/packet_analysis/protocol/geneve/Geneve.cc
index 8dac14533b..c74711c0cb 100644
--- a/src/packet_analysis/protocol/geneve/Geneve.cc
+++ b/src/packet_analysis/protocol/geneve/Geneve.cc
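Review bot: `Analyzer::Weird("ayiya_missing_connection")` drops the packet, while `Weird("exceeded_tunnel_max_depth", packet)` three lines later passes it, so the missing-session weird is reported without the flow's endpoints — the context an operator needs to tell a one-off glitch from traffic that reaches the tunnel analyzer outside any tracked connection. Unless the packet-taking overload cannot cope with a packet whose session is null (its body is not visible here and should be confirmed first), `Weird("ayiya_missing_connection", packet);` would match the call below and keep the weird attributable. Two smaller style points in the same lines: the explicit `Analyzer::` qualification is inconsistent with the unqualified call below, and the `else` after a branch that returns is redundant. The Geneve and VXLAN hunks (`geneve_missing_connection`, `vxlan_missing_connection`) have the identical shape and the same remarks apply there. AnalyzePacket's body continues past the end of the hunk.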
@@ -11,6 +11,17 @@ GeneveAnalyzer::GeneveAnalyzer() : zeek::packet_analysis::Analyzer("Geneve") { }
 
 bool GeneveAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
+// Geneve always comes from a UDP connection, which means that session should always
+// be valid and always be a connection. Return a weird if we didn't have a session
+// stored.
+if ( ! packet->session )
+{
+Analyzer::Weird("geneve_missing_connection");
+return false;
+}
+else if ( AnalyzerViolated(packet->session) )
+return false;
+
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
 Weird("exceeded_tunnel_max_depth", packet);
diff --git a/src/packet_analysis/protocol/vxlan/VXLAN.cc b/src/packet_analysis/protocol/vxlan/VXLAN.cc
index 2c063b329d..227df039c6 100644
--- a/src/packet_analysis/protocol/vxlan/VXLAN.cc
+++ b/src/packet_analysis/protocol/vxlan/VXLAN.cc
@@ -11,6 +11,17 @@ VXLAN_Analyzer::VXLAN_Analyzer() : zeek::packet_analysis::Analyzer("VXLAN") { }
 
 bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
+// VXLAN always comes from a UDP connection, which means that session should always
+// be valid and always be a connection. Return a weird if we didn't have a session
+// stored.
+if ( ! packet->session )
+{
+Analyzer::Weird("vxlan_missing_connection");
+return false;
+}
+else if ( AnalyzerViolated(packet->session) )
+return false;
+
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
 Weird("exceeded_tunnel_max_depth", packet);