diff --git a/NEWS b/NEWS index 94709df750..2a4a5a219c 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,11 @@ Zeek 5.1.0 Breaking Changes ---------------- +- The ``Packet::{l2,l3}_checksummed`` variables were reworked to correctly match + the network layers that they apply to. A new ``Packet::l4_checksummed`` + variable was added to cover the transport layer. See this GitHub issue for + more detail: https://github.com/zeek/zeek/issues/2183. + New Functionality ----------------- diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 78b0684650..61108381b8 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -61,6 +61,8 @@ void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, u l3_proto = L3_UNKNOWN; l3_checksummed = false; + l4_checksummed = false; + encap.reset(); ip_hdr.reset(); diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index dd8a7430c7..b0db0a2b12 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -186,18 +186,28 @@ public: */ bool is_orig = false; + // Note: The following checksummed variables only apply to packets + // received via a packet source, and not to packets contained inside + // tunnels, etc. + /** - * Indicates whether the layer 2 checksum was validated by the - * hardware/kernel before being received by zeek. + * Indicates whether the data link layer/layer 2 checksum was validated + * the hardware/kernel before being received by zeek. */ bool l2_checksummed = false; /** - * Indicates whether the layer 3 checksum was validated by the - * hardware/kernel before being received by zeek. + * Indicates whether the network layer/layer 3 checksum was validated by + * the hardware/kernel before being received by zeek. */ bool l3_checksummed = false; + /** + * Indicates whether the transport layer/layer 4 checksum was validated + * by the hardware/kernel before being received by zeek. + */ + bool l4_checksummed = false; + /** * Indicates whether this packet should be recorded. */ 
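Review bot: The reworded doc comment on `l2_checksummed` in src/iosource/Packet.h dropped a word: "was validated the hardware/kernel" should read `was validated by the hardware/kernel`, as the l3 and l4 comments do. These flags make the analyzers skip checksum verification, so the introductory note should also say who may set them, for example `// Set by the packet source only when the capture hardware/kernel has verified that layer's checksum.` The meaning of `l2_checksummed` and `l3_checksummed` shifts by one layer in this commit, and an out-of-tree packet source that still sets `l3_checksummed` for transport offload will compile unchanged. A one-line mention of the change in the header comment would help plugin authors who do not read NEWS. The class body continues outside the hunk.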
diff --git a/src/packet_analysis/protocol/icmp/ICMP.cc b/src/packet_analysis/protocol/icmp/ICMP.cc index d71af5edd4..2749020f71 100644 --- a/src/packet_analysis/protocol/icmp/ICMP.cc +++ b/src/packet_analysis/protocol/icmp/ICMP.cc @@ -347,7 +347,7 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP4Context(int len, const u_char*& dat { bad_hdr_len = 0; ip_len = ip_hdr->TotalLen(); - bad_checksum = ! run_state::current_pkt->l3_checksummed && + bad_checksum = ! run_state::current_pkt->l4_checksummed && (detail::in_cksum(reinterpret_cast(ip_hdr->IP4_Hdr()), ip_hdr_len) != 0xffff); diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index ef244f622c..067746dfa6 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -142,7 +142,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( packet_filter && packet_filter->Match(packet->ip_hdr, total_len, len) ) return false; - if ( ! packet->l2_checksummed && ! detail::ignore_checksums && ip4 && + if ( ! packet->l3_checksummed && ! detail::ignore_checksums && ip4 && ! IPBasedAnalyzer::GetIgnoreChecksumsNets()->Contains(packet->ip_hdr->IPHeaderSrcAddr()) && detail::in_cksum(reinterpret_cast(ip4), ip_hdr_len) != 0xffff ) { diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc index d60a18bea7..fea5acd6a1 100644 --- a/src/packet_analysis/protocol/tcp/TCP.cc +++ b/src/packet_analysis/protocol/tcp/TCP.cc @@ -163,7 +163,7 @@ bool TCPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const struct tcphdr* tp, analyzer::tcp::TCP_Endpoint* endpoint, int len, int caplen, TCPSessionAdapter* adapter) { - if ( ! run_state::current_pkt->l3_checksummed && ! detail::ignore_checksums && + if ( ! run_state::current_pkt->l4_checksummed && ! detail::ignore_checksums && ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && caplen >= len && ! endpoint->ValidChecksum(tp, len, ip->IP4_Hdr()) ) { 
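Review bot: In `ExtractICMP4Context` the guard now reads `l4_checksummed`, but the value it protects is an IPv4 header checksum: `in_cksum` over `ip_hdr->IP4_Hdr()` for `ip_hdr_len` bytes. Judging by the function name, `ip_hdr` is the header quoted inside the ICMP payload, which the capture hardware would not have verified as a header in its own right. A verified ICMP checksum only shows the payload arrived intact, not that the quoted header's checksum field is valid, so `bad_checksum` will presumably always be false when transport offload is reported. If that is intended, record it with a comment such as `// quoted header is only covered by the outer ICMP checksum; skipped when that was verified upstream`. Otherwise consider dropping the flag from this expression. The function body starts and ends outside the hunk.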
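Review bot: `TCPAnalyzer::ValidateChecksum` takes the offload flag from `run_state::current_pkt` rather than from the packet being analyzed, while the Packet.h comment added in this commit says the flags do not apply to packets inside tunnels. If `current_pkt` is still the outer, source-delivered packet when an encapsulated segment reaches this function, a verified outer transport checksum would switch off validation of the inner TCP checksum. Bad-checksum segments inside a tunnel would then be accepted into stream reassembly; this cannot be confirmed from the hunk alone. The same pattern appears in `UDPAnalyzer::DeliverPacket` in src/packet_analysis/protocol/udp/UDP.cc. Please confirm which packet `current_pkt` refers to on the tunnel path and, if it is the outer one, gate the skip on the packet not being encapsulated. At minimum add a comment such as `// l4_checksummed describes the packet as delivered by the packet source, not an encapsulated segment`. The function body continues outside the hunk.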
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc index f7362fbc41..a2025a71d4 100644 --- a/src/packet_analysis/protocol/udp/UDP.cc +++ b/src/packet_analysis/protocol/udp/UDP.cc @@ -106,7 +106,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai int chksum = up->uh_sum; - auto validate_checksum = ! run_state::current_pkt->l3_checksummed && + auto validate_checksum = ! run_state::current_pkt->l4_checksummed && ! zeek::detail::ignore_checksums && ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && remaining >= len;