PPPoE: don't forward more bytes than header indicates

This changes the PPPoE parser so that it doesn't forward extra bytes that might be appended after the payload. Instead, it raises a weird if the payload size doesn't match the size indicated by the header. This is in line with what other protocol parsers (like UDP) are doing. Two tests needed to be updated - with this change, the traffic in pppoe-over-qinq.pcap is now valid TLS. A new trace was introduced for the confirmation-violation-info test. Addresses GH-4602
2025-10-17 05:58:20 +00:00 · 2025-07-02 16:21:19 +01:00 · 2025-07-02 16:21:19 +01:00 · 1fed0ed58d
commit 1fed0ed58d
parent d42d467965
6 changed files with 20 additions and 9 deletions
--- a/src/packet_analysis/protocol/pppoe/PPPoE.cc
+++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc
@ -12,8 +12,19 @@ bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
        return false;
    }

-    // Extract protocol identifier
+    size_t payload_length = (data[4] << 8u) + data[5];
    uint32_t protocol = (data[6] << 8u) + data[7];
+
+    // PPPoE header is six bytes. The protocol identifier is not part of the header
+    if ( payload_length != len - 6 ) {
+        if ( payload_length < len - 6 )
+            Weird("pppoe_extra_data_after_payload", packet);
+        else
+            Weird("pppoe_truncated_payload");
+    }
+
+    payload_length = payload_length >= 2 ? payload_length - 2 : 0;
+
    // Skip the PPPoE session and PPP header
-    return ForwardPacket(len - 8, data + 8, packet, protocol);
+    return ForwardPacket(std::min(payload_length, len - 8), data + 8, packet, protocol);
 }