Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 10:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/johanna/gh-1829'

Browse source 
* origin/topic/johanna/gh-1829:
  Add documentation for GH-1829
  Packets with TSO: address review feedback.
  Accept packets that use tcp segment offloading.

Fixes GH-1829
This commit is contained in:
Johanna Amann 2021-11-23 10:09:51 +00:00
commit 48ee7db3c1
11 changed files with 64 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/packet_analysis/protocol/ip/IP.cc
View file

@ -81,8 +81,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
// TCP segmentation offloading can zero out the ip_len field.
Weird("ip_hdr_len_zero", packet);
// Cope with the zero'd out ip_len field by using the caplen.
total_len = packet->cap_len - hdr_size;
if ( detail::ignore_checksums )
// Cope with the zero'd out ip_len field by using the caplen.
total_len = packet->cap_len - hdr_size;
else
// If this is caused by segmentation offloading, the checksum will
// also be incorrect. If checksum validation is enabled - jus tbail here.
return false;
}
if ( packet->len < total_len + hdr_size )
@ -236,7 +241,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
packet->proto = proto;
// Double check the lengths one more time before forwarding this on.
if ( packet->ip_hdr->TotalLen() < packet->ip_hdr->HdrLen() )
if ( total_len < packet->ip_hdr->HdrLen() )
{
Weird("bogus_IP_header_lengths", packet);
return false;

4
src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
View file

@ -119,7 +119,9 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
bool IPBasedAnalyzer::CheckHeaderTrunc(size_t min_hdr_len, size_t remaining, Packet* packet)
{
if ( packet->ip_hdr->PayloadLen() < min_hdr_len )
// If segment offloading or similar is enabled, the payload len will return 0.
// Thus, let's ignore that case.
if ( packet->ip_hdr->PayloadLen() && packet->ip_hdr->PayloadLen() < min_hdr_len )
{
Weird("truncated_header", packet);
return false;

4
src/packet_analysis/protocol/tcp/TCP.cc
View file

@ -96,6 +96,10 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
{
const u_char* data = pkt->ip_hdr->Payload();
int len = pkt->ip_hdr->PayloadLen();
// If the header length is zero, tcp checksum offloading is probably enabled
// In this case, let's fix up the length.
if ( pkt->ip_hdr->TotalLen() == 0 )
len = remaining;
auto* adapter = static_cast<TCPSessionAdapter*>(c->GetSessionAdapter());
const struct tcphdr* tp = ExtractTCP_Header(data, len, remaining, adapter);