From b5d11d1ace6f6234ebc3ae74b4e324bd701d00dd Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Thu, 15 Oct 2020 16:56:05 -0500 Subject: [PATCH 1/2] Change ICMP ND length to a uint16 --- src/analyzer/protocol/icmp/ICMP.cc | 2 +- .../scripts.base.protocols.icmp.dnssl/.stdout | 2 ++ testing/btest/Traces/icmp_nd_dnssl.trace | Bin 0 -> 716 bytes .../btest/scripts/base/protocols/icmp/dnssl.zeek | 14 ++++++++++++++ 4 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.icmp.dnssl/.stdout create mode 100644 testing/btest/Traces/icmp_nd_dnssl.trace create mode 100644 testing/btest/scripts/base/protocols/icmp/dnssl.zeek diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index 3f3928f6ab..55788c5e98 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -764,7 +764,7 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) } uint8_t type = *((const uint8_t*)data); - uint8_t length = *((const uint8_t*)(data + 1)); + uint16_t length = *((const uint16_t*)(data + 1)); if ( length == 0 ) { diff --git a/testing/btest/Baseline/scripts.base.protocols.icmp.dnssl/.stdout b/testing/btest/Baseline/scripts.base.protocols.icmp.dnssl/.stdout new file mode 100644 index 0000000000..ec1396d321 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.icmp.dnssl/.stdout @@ -0,0 +1,2 @@ +dnssl len 32 payload 254 +dnssl len 33 payload 262 diff --git a/testing/btest/Traces/icmp_nd_dnssl.trace b/testing/btest/Traces/icmp_nd_dnssl.trace new file mode 100644 index 0000000000000000000000000000000000000000..98cc0fe8254631f77b6c102d46e54c8e3f41ee82 GIT binary patch literal 716 zcmca|c+)~A1{MYw`2U}Qff2}wThbAKOMsWb4afmu0|P@NGZzTib~gd2f>FTgKNBMh z10xfMAxt-vZv^AFF`SfV;9%!~@#Pg582$snqw--7nA7s}ne&U%8JO~l;cQT-&fw!^ j@B@Y@2xAFV31UL^u?0$~Dndf_)vym#xCh}OiX6HC#n=Ze literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/icmp/dnssl.zeek b/testing/btest/scripts/base/protocols/icmp/dnssl.zeek new file mode 100644 index 0000000000..33a77adf67 --- /dev/null +++ b/testing/btest/scripts/base/protocols/icmp/dnssl.zeek @@ -0,0 +1,14 @@ +# @TEST-EXEC: zeek -b -C -r $TRACES/icmp_nd_dnssl.trace %INPUT +# @TEST-EXEC: btest-diff .stdout + +@load base/protocols/conn + +event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, + pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, + retrans_timer: interval, options: icmp6_nd_options ){ + for (i in options){ + if(options[i]$otype==31){ + print fmt("dnssl len %d payload %d",options[i]$len,|options[i]$payload|); + } + } +} From 11a311dfb90c55e79f9c8749a597ac58ad83b3ba Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Fri, 16 Oct 2020 09:03:48 -0500 Subject: [PATCH 2/2] Extract length as a uint8 --- src/analyzer/protocol/icmp/ICMP.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index 55788c5e98..3c8fbe1a35 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -764,7 +764,7 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) } uint8_t type = *((const uint8_t*)data); - uint16_t length = *((const uint16_t*)(data + 1)); + uint16_t length = *((const uint8_t*)(data + 1)); if ( length == 0 ) {