Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Move SessionManager::ParseIPPacket to IP analyzer's namespace

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-04-09 15:46:19 -07:00
parent 0c3e3069d0
commit 3e1692676d
10 changed files with 78 additions and 91 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/analyzer/protocol/ayiya/AYIYA.cc
View file

@ -2,9 +2,9 @@
#include "zeek/analyzer/protocol/ayiya/AYIYA.h"
#include "zeek/session/Manager.h"
#include "zeek/Func.h"
#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
#include "zeek/packet_analysis/protocol/ip/IP.h"
namespace zeek::analyzer::ayiya {
@ -46,8 +46,8 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
caplen -= inner_packet_offset;
inner_packet_offset = -1;
IP_Hdr* inner = nullptr;
int result = session_mgr->ParseIPPacket(len, data, next_header, inner);
std::unique_ptr<IP_Hdr> inner;
int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
if ( result == 0 )
{
@ -66,9 +66,6 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
else
ProtocolViolation("AYIYA payload length",
reinterpret_cast<const char*>(data), len);
if ( result != 0 )
delete inner;
}
} // namespace zeek::analyzer::ayiya

9
src/analyzer/protocol/gtpv1/GTPv1.cc
View file

@ -2,8 +2,8 @@
#include "zeek/analyzer/protocol/gtpv1/GTPv1.h"
#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
#include "zeek/packet_analysis/protocol/ip/IP.h"
#include "zeek/session/Manager.h"
#include "zeek/analyzer/protocol/gtpv1/events.bif.h"
namespace zeek::analyzer::gtpv1 {
@ -47,8 +47,8 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
caplen -= inner_packet_offset;
inner_packet_offset = -1;
IP_Hdr* inner = nullptr;
int result = session_mgr->ParseIPPacket(len, data, next_header, inner);
std::unique_ptr<IP_Hdr> inner = nullptr;
int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
if ( result == 0 )
{
@ -77,9 +77,6 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
else
ProtocolViolation("GTPv1 payload length",
reinterpret_cast<const char*>(odata), olen);
if ( result != 0 )
delete inner;
}
} // namespace zeek::analyzer::gtpv1

10
src/analyzer/protocol/teredo/Teredo.cc
View file

@ -4,10 +4,10 @@
#include "zeek/Conn.h"
#include "zeek/IP.h"
#include "zeek/Reporter.h"
#include "zeek/session/Manager.h"
#include "zeek/ZeekString.h"
#include "zeek/RunState.h"
#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
#include "zeek/packet_analysis/protocol/ip/IP.h"
#include "zeek/analyzer/protocol/teredo/events.bif.h"
@ -94,7 +94,7 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len,
return false;
}
RecordValPtr TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
RecordValPtr TeredoEncapsulation::BuildVal(const std::unique_ptr<IP_Hdr>& inner) const
{
static auto teredo_hdr_type = id::find_type<RecordType>("teredo_hdr");
static auto teredo_auth_type = id::find_type<RecordType>("teredo_auth");
@ -164,8 +164,8 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
return;
}
IP_Hdr* inner = nullptr;
int rslt = session_mgr->ParseIPPacket(len, te.InnerIP(), IPPROTO_IPV6, inner);
std::unique_ptr<IP_Hdr> inner = nullptr;
int rslt = packet_analysis::IP::ParsePacket(len, te.InnerIP(), IPPROTO_IPV6, inner);
if ( rslt > 0 )
{
@ -175,7 +175,6 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
Weird("Teredo_bubble_with_payload", true);
else
{
delete inner;
ProtocolViolation("Teredo payload length", (const char*) data, len);
return;
}
@ -193,7 +192,6 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
else
{
delete inner;
ProtocolViolation("Truncated Teredo or invalid inner IP version", (const char*) data, len);
return;
}

2
src/analyzer/protocol/teredo/Teredo.h
View file

@ -74,7 +74,7 @@ public:
const u_char* Authentication() const
{ return auth; }
RecordValPtr BuildVal(const IP_Hdr* inner) const;
RecordValPtr BuildVal(const std::unique_ptr<IP_Hdr>& inner) const;
protected:
bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au);

38
src/packet_analysis/protocol/ip/IP.cc
View file

@ -10,6 +10,7 @@
#include "zeek/Frag.h"
#include "zeek/Event.h"
#include "zeek/TunnelEncapsulation.h"
#include "zeek/IPAddr.h"
using namespace zeek::packet_analysis::IP;
@ -260,3 +261,40 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return return_val;
}
int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt, int proto,
std::unique_ptr<zeek::IP_Hdr>& inner)
{
if ( proto == IPPROTO_IPV6 )
{
if ( caplen < (int)sizeof(struct ip6_hdr) )
return -1;
const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt;
inner = std::make_unique<zeek::IP_Hdr>(ip6, false, caplen);
if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 )
return -2;
}
else if ( proto == IPPROTO_IPV4 )
{
if ( caplen < (int)sizeof(struct ip) )
return -1;
const struct ip* ip4 = (const struct ip*) pkt;
inner = std::make_unique<zeek::IP_Hdr>(ip4, false);
if ( ip4->ip_v != 4 )
return -2;
}
else
{
zeek::reporter->InternalWarning("Bad IP protocol version in IP::ParsePacket");
return -1;
}
if ( (uint32_t)caplen != inner->TotalLen() )
return (uint32_t)caplen < inner->TotalLen() ? -1 : 1;
return 0;
}

24
src/packet_analysis/protocol/ip/IP.h
View file

@ -32,4 +32,28 @@ private:
zeek::detail::Discarder* discarder = nullptr;
};
/**
* Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4
* or IPv6 header based on whether it's long enough to contain such a header,
* if version given in the header matches the proto argument, and also checks
* that the payload length field of that header matches the actual
* length of \a pkt given by \a caplen.
*
* @param caplen The length of \a pkt in bytes.
* @param pkt The inner IP packet data.
* @param proto Either IPPROTO_IPV6 or IPPROTO_IPV4 to indicate which IP
* protocol \a pkt corresponds to.
* @param inner The inner IP packet wrapper pointer to be allocated/assigned
* if \a pkt looks like a valid IP packet or at least long enough
* to hold an IP header.
* @return 0 If the inner IP packet appeared valid, else -1 if \a caplen
* is greater than the supposed IP packet's payload length field, -2
* if the version of the inner header does not match proto or
* 1 if \a caplen is less than the supposed packet's payload length.
* In the -1 case, \a inner may still be non-null if \a caplen was
* long enough to be an IP header, and \a inner is always non-null
* for other return values.
*/
int ParsePacket(int caplen, const u_char* const pkt, int proto,
std::unique_ptr<IP_Hdr>& inner);
}

13
src/packet_analysis/protocol/iptunnel/IPTunnel.cc
View file

@ -4,10 +4,10 @@
#include <pcap.h> // For DLT_ constants
#include "zeek/session/Manager.h"
#include "zeek/RunState.h"
#include "zeek/IP.h"
#include "zeek/TunnelEncapsulation.h"
#include "zeek/packet_analysis/protocol/ip/IP.h"
namespace zeek::packet_analysis::IPTunnel {
@ -45,12 +45,12 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
BifEnum::Tunnel::Type tunnel_type = packet->tunnel_type;
int gre_link_type = packet->gre_link_type;
IP_Hdr* inner = nullptr;
std::unique_ptr<IP_Hdr> inner = nullptr;
if ( gre_version != 0 )
{
// Check for a valid inner packet first.
int result = session_mgr->ParseIPPacket(len, data, proto, inner);
int result = packet_analysis::IP::ParsePacket(len, data, proto, inner);
if ( result == -2 )
Weird("invalid_inner_IP_version", packet);
else if ( result < 0 )
@ -59,10 +59,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
Weird("inner_IP_payload_length_mismatch", packet);
if ( result != 0 )
{
delete inner;
return false;
}
}
// Look up to see if we've already seen this IP tunnel, identified
@ -100,7 +97,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
* Handles a packet that contains an IP header directly after the tunnel header.
*/
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
const IP_Hdr* inner,
const std::unique_ptr<IP_Hdr>& inner,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec)
{
@ -138,8 +135,6 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
// Forward the packet back to the IP analyzer.
bool return_val = ForwardPacket(len, data, &p);
delete inner;
return return_val;
}

2
src/packet_analysis/protocol/iptunnel/IPTunnel.h
View file

@ -40,7 +40,7 @@ public:
* @param ec The most-recently found depth of encapsulation.
*/
bool ProcessEncapsulatedPacket(double t, const Packet *pkt,
const IP_Hdr* inner,
const std::unique_ptr<IP_Hdr>& inner,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec);

37
src/session/Manager.cc
View file

@ -264,43 +264,6 @@ void Manager::ProcessTransportLayer(double t, const Packet* pkt, size_t remainin
}
}
int Manager::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
IP_Hdr*& inner)
{
if ( proto == IPPROTO_IPV6 )
{
if ( caplen < (int)sizeof(struct ip6_hdr) )
return -1;
const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt;
inner = new IP_Hdr(ip6, false, caplen);
if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 )
return -2;
}
else if ( proto == IPPROTO_IPV4 )
{
if ( caplen < (int)sizeof(struct ip) )
return -1;
const struct ip* ip4 = (const struct ip*) pkt;
inner = new IP_Hdr(ip4, false);
if ( ip4->ip_v != 4 )
return -2;
}
else
{
reporter->InternalWarning("Bad IP protocol version in ParseIPPacket");
return -1;
}
if ( (uint32_t)caplen != inner->TotalLen() )
return (uint32_t)caplen < inner->TotalLen() ? -1 : 1;
return 0;
}
bool Manager::CheckHeaderTrunc(int proto, uint32_t len, uint32_t caplen,
const Packet* p)
{

25
src/session/Manager.h
View file

@ -106,31 +106,6 @@ public:
*/
void ProcessTransportLayer(double t, const Packet *pkt, size_t len);
/**
* Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4
* or IPv6 header based on whether it's long enough to contain such a header,
* if version given in the header matches the proto argument, and also checks
* that the payload length field of that header matches the actual
* length of \a pkt given by \a caplen.
*
* @param caplen The length of \a pkt in bytes.
* @param pkt The inner IP packet data.
* @param proto Either IPPROTO_IPV6 or IPPROTO_IPV4 to indicate which IP
* protocol \a pkt corresponds to.
* @param inner The inner IP packet wrapper pointer to be allocated/assigned
* if \a pkt looks like a valid IP packet or at least long enough
* to hold an IP header.
* @return 0 If the inner IP packet appeared valid, else -1 if \a caplen
* is greater than the supposed IP packet's payload length field, -2
* if the version of the inner header does not match proto or
* 1 if \a caplen is less than the supposed packet's payload length.
* In the -1 case, \a inner may still be non-null if \a caplen was
* long enough to be an IP header, and \a inner is always non-null
* for other return values.
*/
int ParseIPPacket(int caplen, const u_char* const pkt, int proto,
IP_Hdr*& inner);
unsigned int SessionMemoryUsage();
unsigned int SessionMemoryUsageVals();