From 222e3ad3ea82ee212717d103e1bfc718f11256eb Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 3 Oct 2019 17:55:07 -0700
Subject: [PATCH] Fix tcp_option event

It was not being raised in all the cases it should have been due to an incorrect/unnecessary truncation check.
---
 src/analyzer/protocol/tcp/TCP.cc | 3 +--
 testing/btest/Baseline/core.tcp.options/out | 16 ++++++++++++++++
 testing/btest/Traces/tcp/options.pcap | Bin 0 -> 484 bytes
 testing/btest/core/tcp/options.zeek | 7 +++++++
 4 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tcp.options/out
 create mode 100644 testing/btest/Traces/tcp/options.pcap
 create mode 100644 testing/btest/core/tcp/options.zeek

diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index 54d1563efc..a03c36b2a1 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -1186,8 +1186,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 GeneratePacketEvent(rel_seq, rel_ack, data, len, caplen, is_orig, flags);
- if ( tcp_option && tcp_hdr_len > sizeof(*tp) &&
- tcp_hdr_len <= uint32_t(caplen) )
+ if ( tcp_option && tcp_hdr_len > sizeof(*tp) )
 ParseTCPOptions(tp, TCPOptionEvent, this, is_orig, 0);
 if ( DEBUG_tcp_data_sent )
diff --git a/testing/btest/Baseline/core.tcp.options/out b/testing/btest/Baseline/core.tcp.options/out
new file mode 100644
index 0000000000..9c8ef6956c
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.options/out
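Review bot: With `tcp_hdr_len <= uint32_t(caplen)` dropped from the condition in front of `ParseTCPOptions`, nothing in this hunk shows that the option bytes following `tp` lie inside the captured data, so the bound now rests entirely on validation done earlier in `DeliverPacket`, whose body starts and ends outside the hunk. If, as the commit message implies, the header length is already checked against the capture length when the header is extracted and `caplen` has since been reduced to the payload, that invariant should be stated at the call site, e.g. `// tcp_hdr_len was validated against caplen when tp was extracted; caplen now covers payload only.` Without such a comment a later change could reinstate the check or move the call ahead of the validation, at which point option parsing would read past a truncated capture.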
@@ -0,0 +1,16 @@
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 2, 4
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 4, 2
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 8, 10
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 3, 3
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 2, 4
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 4, 2
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 8, 10
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 1, 1
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], F, 3, 3
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 8, 10
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 1, 1
+[orig_h=192.168.1.102, orig_p=36861/tcp, resp_h=193.1.193.64, resp_p=80/tcp], T, 8, 10
diff --git a/testing/btest/Traces/tcp/options.pcap b/testing/btest/Traces/tcp/options.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d1ebd885b0e10ffa075cbf938f6a81a176b40b00
GIT binary patch literal 484 zcmca|c+)~A1{MYw`2U}Qff2~@>SOUP+0Ve>2V{dVgXH7qvC0hGx0555aWJ?tFxadV za$s;^^Nl>Pf-&tN<3Wf1zYGEQC;t5nQoMjk?1GjI0|OHa>lPL!4zBf(K~Bp9Ml<3nuOZ zo1OwPU6R3OI>-i~>FgkrjI|0qze}Ja*HV81pTmyQSkrCwP zP)U%r2*^~Q?^sQhV2BA{hH9$2Ylwn=ZenJhu8E~y za!O`enu142NPxbfo&hhHM}BdMl|o9AUQT{;Vvb&NPGW9inOH oPys|--$2jONY9X$%Q-(UFEzO&Gd~X`m0z67%f-uO^2p&10LBK7ga7~l literal 0 HcmV?d00001
diff --git a/testing/btest/core/tcp/options.zeek b/testing/btest/core/tcp/options.zeek
new file mode 100644
index 0000000000..6a52f3bda2
--- /dev/null
+++ b/testing/btest/core/tcp/options.zeek
@@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/options.pcap %INPUT > out
+# @TEST-EXEC: btest-diff out
+
+event tcp_option(c: connection, is_orig: bool, opt: count, optlen: count)
+ {
+ print c$id, is_orig, opt, optlen;
+ }
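Review bot: The new test replays only `options.pcap`, and the baseline gives no sign that any packet in it was captured short, so the truncated-header case the removed condition was written for is not exercised. A second `@TEST-EXEC` run over a trace whose TCP header is cut off by the snap length, with its own baseline, would pin that no `tcp_option` event is raised from bytes outside the capture. Whether the existing trace already contains such a packet cannot be told from the diff, since the pcap is binary.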