Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Improve ERSPAN Type III support

Browse source 
Added check for the optional sub-header in ERSPAN Type III as well
as additional truncation checks to the GRE parsing logic in general.
Also added a unit test for ERSPAN Type II.
This commit is contained in:
Jon Siwek 2019-01-17 18:03:10 -06:00
parent 995e67147a
commit 5618b21cca
7 changed files with 83 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

61
src/Sessions.cc
View file

@ -544,27 +544,66 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
if ( gre_version == 0 )
{
if ( proto_typ == 0x6558 && len > gre_len + 14 )
if ( proto_typ == 0x6558 )
{
// transparent ethernet bridging
eth_len = 14;
proto_typ = ntohs(*((uint16*)(data + gre_len + 12)));
if ( len > gre_len + 14 )
{
eth_len = 14;
proto_typ = ntohs(*((uint16*)(data + gre_len + eth_len - 2)));
}
else
{
Weird("truncated_GRE", ip_hdr, encapsulation);
return;
}
}
if ( proto_typ == 0x88be && len > gre_len + 14 + 8)
else if ( proto_typ == 0x88be )
{
// ERSPAN type II
erspan_len = 8;
eth_len = 14;
proto_typ = ntohs(*((uint16*)(data + gre_len + 20)));
if ( len > gre_len + 14 + 8 )
{
erspan_len = 8;
eth_len = 14;
proto_typ = ntohs(*((uint16*)(data + gre_len + erspan_len + eth_len - 2)));
}
else
{
Weird("truncated_GRE", ip_hdr, encapsulation);
return;
}
}
if ( proto_typ == 0x22eb && len > gre_len + 14 + 12)
else if ( proto_typ == 0x22eb )
{
// ERSPAN type III
erspan_len = 12;
eth_len = 14;
proto_typ = ntohs(*((uint16*)(data + gre_len + 24)));
if ( len > gre_len + 14 + 12 )
{
erspan_len = 12;
eth_len = 14;
auto flags = data + erspan_len - 1;
bool have_opt_header = ((*flags & 0x01) == 0x01);
if ( have_opt_header )
{
if ( len > gre_len + erspan_len + 8 + eth_len )
erspan_len += 8;
else
{
Weird("truncated_GRE", ip_hdr, encapsulation);
return;
}
}
proto_typ = ntohs(*((uint16*)(data + gre_len + erspan_len + eth_len - 2)));
}
else
{
Weird("truncated_GRE", ip_hdr, encapsulation);
return;
}
}
if ( proto_typ == 0x0800 )