Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 17:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Use shared_ptr for encapsulation data instead of raw pointer

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-10-12 13:15:52 -07:00
parent a7d4364334
commit 41dcd0cde0
16 changed files with 103 additions and 115 deletions
Download patch file Download diff file Expand all files Collapse all files

24
src/packet_analysis/protocol/gre/GRE.cc
View file

@ -42,8 +42,6 @@ GREAnalyzer::GREAnalyzer()
bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
EncapsulationStack* encapsulation = packet->encap;
if ( ! packet->ip_hdr )
{
reporter->InternalError("GREAnalyzer: ip_hdr not found in packet keystore");
@ -54,7 +52,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ! BifConst::Tunnel::enable_gre )
{
sessions->Weird("GRE_tunnel", ip_hdr, encapsulation);
sessions->Weird("GRE_tunnel", ip_hdr, packet->encap);
return false;
}
@ -72,7 +70,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( gre_version != 0 && gre_version != 1 )
{
sessions->Weird("unknown_gre_version", ip_hdr, encapsulation,
sessions->Weird("unknown_gre_version", ip_hdr, packet->encap,
util::fmt("%d", gre_version));
return false;
}
@ -90,7 +88,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
else
{
sessions->Weird("truncated_GRE", ip_hdr, encapsulation);
sessions->Weird("truncated_GRE", ip_hdr, packet->encap);
return false;
}
}
@ -107,7 +105,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
else
{
sessions->Weird("truncated_GRE", ip_hdr, encapsulation);
sessions->Weird("truncated_GRE", ip_hdr, packet->encap);
return false;
}
}
@ -130,7 +128,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
erspan_len += 8;
else
{
sessions->Weird("truncated_GRE", ip_hdr, encapsulation);
sessions->Weird("truncated_GRE", ip_hdr, packet->encap);
return false;
}
}
@ -139,7 +137,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
else
{
sessions->Weird("truncated_GRE", ip_hdr, encapsulation);
sessions->Weird("truncated_GRE", ip_hdr, packet->encap);
return false;
}
}
@ -150,7 +148,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( proto_typ != 0x880b )
{
// Enhanced GRE payload must be PPP.
sessions->Weird("egre_protocol_type", ip_hdr, encapsulation,
sessions->Weird("egre_protocol_type", ip_hdr, packet->encap,
util::fmt("%d", proto_typ));
return false;
}
@ -161,20 +159,20 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
// RFC 2784 deprecates the variable length routing field
// specified by RFC 1701. It could be parsed here, but easiest
// to just skip for now.
sessions->Weird("gre_routing", ip_hdr, encapsulation);
sessions->Weird("gre_routing", ip_hdr, packet->encap);
return false;
}
if ( flags_ver & 0x0078 )
{
// Expect last 4 bits of flags are reserved, undefined.
sessions->Weird("unknown_gre_flags", ip_hdr, encapsulation);
sessions->Weird("unknown_gre_flags", ip_hdr, packet->encap);
return false;
}
if ( len < gre_len + ppp_len + eth_len + erspan_len )
{
sessions->Weird("truncated_GRE", ip_hdr, encapsulation);
sessions->Weird("truncated_GRE", ip_hdr, packet->encap);
return false;
}
@ -184,7 +182,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 )
{
sessions->Weird("non_ip_packet_in_encap", ip_hdr, encapsulation);
sessions->Weird("non_ip_packet_in_encap", ip_hdr, packet->encap);
return false;
}

29
src/packet_analysis/protocol/ip/IP.cc
View file

@ -30,8 +30,6 @@ IPAnalyzer::~IPAnalyzer()
bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
EncapsulationStack* encapsulation = packet->encap;
// Check to make sure we have enough data left for an IP header to be here. Note we only
// check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header.
if ( len < sizeof(struct ip) )
@ -85,7 +83,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( total_len == 0 )
{
// TCP segmentation offloading can zero out the ip_len field.
packet->Weird("ip_hdr_len_zero", encapsulation);
packet->Weird("ip_hdr_len_zero", packet->encap);
// Cope with the zero'd out ip_len field by using the caplen.
total_len = packet->cap_len - packet->hdr_size;
@ -93,7 +91,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( packet->len < total_len + packet->hdr_size )
{
packet->Weird("truncated_IPv6", encapsulation);
packet->Weird("truncated_IPv6", packet->encap);
return false;
}
@ -102,13 +100,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
uint16_t ip_hdr_len = ip_hdr->HdrLen();
if ( ip_hdr_len > total_len )
{
sessions->Weird("invalid_IP_header_size", ip_hdr, encapsulation);
sessions->Weird("invalid_IP_header_size", ip_hdr, packet->encap);
return false;
}
if ( ip_hdr_len > len )
{
sessions->Weird("internally_truncated_header", ip_hdr, encapsulation);
sessions->Weird("internally_truncated_header", ip_hdr, packet->encap);
return false;
}
@ -137,7 +135,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ! packet->l2_checksummed && ! detail::ignore_checksums && ip4 &&
detail::in_cksum(reinterpret_cast<const uint8_t*>(ip4), ip_hdr_len) != 0xffff )
{
sessions->Weird("bad_IP_checksum", packet, encapsulation);
sessions->Weird("bad_IP_checksum", packet, packet->encap);
return false;
}
@ -152,7 +150,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( len < total_len )
{
sessions->Weird("incompletely_captured_fragment", ip_hdr, encapsulation);
sessions->Weird("incompletely_captured_fragment", ip_hdr, packet->encap);
// Don't try to reassemble, that's doomed.
// Discard all except the first fragment (which
@ -162,7 +160,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
else
{
f = detail::fragment_mgr->NextFragment(run_state::processing_start_time, ip_hdr, packet->data + packet->hdr_size);
f = detail::fragment_mgr->NextFragment(run_state::processing_start_time, ip_hdr,
packet->data + packet->hdr_size);
IP_Hdr* ih = f->ReassembledPkt();
if ( ! ih )
// It didn't reassemble into anything yet.
@ -182,7 +181,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ip_hdr_len > total_len )
{
sessions->Weird("invalid_IP_header_size", ip_hdr, encapsulation);
sessions->Weird("invalid_IP_header_size", ip_hdr, packet->encap);
return false;
}
}
@ -211,7 +210,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff )
{
sessions->Weird("bad_MH_checksum", packet, encapsulation);
sessions->Weird("bad_MH_checksum", packet, packet->encap);
return false;
}
@ -219,7 +218,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
event_mgr.Enqueue(mobile_ipv6_message, ip_hdr->ToPktHdrVal());
if ( ip_hdr->NextProto() != IPPROTO_NONE )
sessions->Weird("mobility_piggyback", packet, encapsulation);
sessions->Weird("mobility_piggyback", packet, packet->encap);
return true;
}
@ -248,14 +247,14 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
case IPPROTO_ICMPV6:
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
GetAnalyzerName(), proto);
sessions->DoNextPacket(run_state::processing_start_time, packet, ip_hdr, encapsulation);
sessions->DoNextPacket(run_state::processing_start_time, packet, ip_hdr);
break;
case IPPROTO_NONE:
// If the packet is encapsulated in Teredo, then it was a bubble and
// the Teredo analyzer may have raised an event for that, else we're
// not sure the reason for the No Next header in the packet.
if ( ! ( encapsulation &&
encapsulation->LastType() == BifEnum::Tunnel::TEREDO ) )
if ( ! ( packet->encap &&
packet->encap->LastType() == BifEnum::Tunnel::TEREDO ) )
{
sessions->Weird("ipv6_no_next", packet);
return_val = false;

34
src/packet_analysis/protocol/iptunnel/IPTunnel.cc
View file

@ -20,8 +20,6 @@ IPTunnelAnalyzer::IPTunnelAnalyzer()
bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
EncapsulationStack* encapsulation = packet->encap;
if ( ! packet->ip_hdr )
{
reporter->InternalError("IPTunnelAnalyzer: ip_hdr not found in packet keystore");
@ -32,14 +30,14 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
if ( ! BifConst::Tunnel::enable_ip )
{
sessions->Weird("IP_tunnel", ip_hdr, encapsulation);
sessions->Weird("IP_tunnel", ip_hdr, packet->encap);
return false;
}
if ( encapsulation &&
encapsulation->Depth() >= BifConst::Tunnel::max_depth )
if ( packet->encap &&
packet->encap->Depth() >= BifConst::Tunnel::max_depth )
{
sessions->Weird("exceeded_tunnel_max_depth", ip_hdr, encapsulation);
sessions->Weird("exceeded_tunnel_max_depth", ip_hdr, packet->encap);
return false;
}
@ -55,11 +53,11 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
// Check for a valid inner packet first.
int result = sessions->ParseIPPacket(len, data, proto, inner);
if ( result == -2 )
sessions->Weird("invalid_inner_IP_version", ip_hdr, encapsulation);
sessions->Weird("invalid_inner_IP_version", ip_hdr, packet->encap);
else if ( result < 0 )
sessions->Weird("truncated_inner_IP", ip_hdr, encapsulation);
sessions->Weird("truncated_inner_IP", ip_hdr, packet->encap);
else if ( result > 0 )
sessions->Weird("inner_IP_payload_length_mismatch", ip_hdr, encapsulation);
sessions->Weird("inner_IP_payload_length_mismatch", ip_hdr, packet->encap);
if ( result != 0 )
{
@ -91,9 +89,9 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
if ( gre_version == 0 )
ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data, gre_link_type,
encapsulation, ip_tunnels[tunnel_idx].first);
packet->encap, ip_tunnels[tunnel_idx].first);
else
ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner, encapsulation,
ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner, packet->encap,
ip_tunnels[tunnel_idx].first);
return true;
@ -103,7 +101,8 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
* Handles a packet that contains an IP header directly after the tunnel header.
*/
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
const IP_Hdr* inner, const EncapsulationStack* prev,
const IP_Hdr* inner,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec)
{
uint32_t caplen, len;
@ -128,8 +127,7 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
else
data = (const u_char*) inner->IP6_Hdr();
EncapsulationStack* outer = prev ?
new EncapsulationStack(*prev) : new EncapsulationStack();
auto outer = prev ? prev : std::make_shared<EncapsulationStack>();
outer->Add(ec);
// Construct fake packet for DoNextPacket
@ -141,7 +139,6 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
bool return_val = ForwardPacket(len, data, &p);
delete inner;
delete outer;
return return_val;
}
@ -152,7 +149,7 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
uint32_t caplen, uint32_t len,
const u_char* data, int link_type,
const EncapsulationStack* prev,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec)
{
pkt_timeval ts;
@ -166,8 +163,7 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
((run_state::network_time - (double)ts.tv_sec) * 1000000);
}
EncapsulationStack* outer = prev ?
new EncapsulationStack(*prev) : new EncapsulationStack();
auto outer = prev ? prev : std::make_shared<EncapsulationStack>();
outer->Add(ec);
// Construct fake packet for DoNextPacket
@ -179,8 +175,6 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
// to the packet manager.
bool return_val = packet_mgr->ProcessInnerPacket(&p);
delete outer;
return return_val;
}

5
src/packet_analysis/protocol/iptunnel/IPTunnel.h
View file

@ -40,7 +40,8 @@ public:
* @param ec The most-recently found depth of encapsulation.
*/
bool ProcessEncapsulatedPacket(double t, const Packet *pkt,
const IP_Hdr* inner, const EncapsulationStack* prev,
const IP_Hdr* inner,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec);
/**
@ -62,7 +63,7 @@ public:
bool ProcessEncapsulatedPacket(double t, const Packet* pkt,
uint32_t caplen, uint32_t len,
const u_char* data, int link_type,
const EncapsulationStack* prev,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec);
protected: