Merge remote-tracking branch 'origin/topic/bbannier/issue-1726'

* origin/topic/bbannier/issue-1726: Fix option length computation in Geneve analyzer.
2025-10-02 06:38:20 +00:00 · 2021-08-18 08:40:41 -07:00 · 2021-08-18 08:40:41 -07:00 · b28fc77054
commit b28fc77054
parent d60f85a868 28e8abbf19
6 changed files with 24 additions and 7 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+4.2.0-dev.76 | 2021-08-18 08:40:41 -0700
+
+  * Fix option length computation in Geneve analyzer. (Benjamin Bannier, Corelight)
+
+    We previously computed the length of the Geneve options field
+    incorrectly which lead to us passing data at an incorrect offset to
+    inner analyzers. With this patch we now interpret the length field
+    correctly, according the the spec
+    https://datatracker.ietf.org/doc/html/rfc8926#section-3.4.
+
+    Closes #1726.
+
 4.2.0-dev.73 | 2021-08-12 09:57:59 -0700

  * GH-1713: Avoid unneeded reallocs in SerializationFormat::WriteData (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-4.2.0-dev.73
+4.2.0-dev.76
--- a/src/analyzer/protocol/geneve/Geneve.cc
+++ b/src/analyzer/protocol/geneve/Geneve.cc
@ -47,7 +47,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 	EncapsulatingConn inner(Conn(), BifEnum::Tunnel::GENEVE);
 	outer->Add(inner);

-	auto tunnel_opt_len = data[0] << 1;
+	uint8_t tunnel_opt_len = (data[0] & 0x3F) * 4;
 	auto vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);

 	if ( len < tunnel_header_len  + tunnel_opt_len )
--- a/testing/btest/Baseline/core.tunnels.geneve/conn.log
+++ b/testing/btest/Baseline/core.tunnels.geneve/conn.log
@ -7,7 +7,7 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	20.0.0.2	0	20.0.0.1	6081	udp	geneve	1.999999	318	0	S0	-	-	0	D	3	402	0	0	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	20.0.0.1	50901	20.0.0.2	6081	udp	-	1.999995	342	0	S0	-	-	0	D	3	426	0	0	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	30.0.0.2	0	30.0.0.1	8	icmp	-	1.999999	168	0	OTH	-	-	0	-	3	252	0	0	ClEkJM2Vm5giqnMf4h
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	20.0.0.2	0	20.0.0.1	6081	udp	geneve	1.999999	318	0	S0	-	-	0	D	3	402	0	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	20.0.0.1	50901	20.0.0.2	6081	udp	geneve	1.999995	342	0	S0	-	-	0	D	3	426	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	30.0.0.1	8	30.0.0.2	0	icmp	-	2.000182	168	168	OTH	-	-	0	-	3	252	3	252	CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.tunnels.geneve/out
+++ b/testing/btest/Baseline/core.tunnels.geneve/out
@ -1,4 +1,7 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, ttl=64, p=1, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
 geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4503, ttl=64, p=1, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
+geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, ttl=64, p=1, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
 geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4504, ttl=64, p=1, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
+geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, ttl=64, p=1, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
 geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4505, ttl=64, p=1, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
--- a/testing/btest/Baseline/core.tunnels.geneve/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.geneve/tunnel.log
@ -7,6 +7,8 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	20.0.0.2	0	20.0.0.1	6081	Tunnel::GENEVE	Tunnel::DISCOVER
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	20.0.0.2	0	20.0.0.1	6081	Tunnel::GENEVE	Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	20.0.0.1	50901	20.0.0.2	6081	Tunnel::GENEVE	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	20.0.0.2	0	20.0.0.1	6081	Tunnel::GENEVE	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	20.0.0.2	0	20.0.0.1	6081	Tunnel::GENEVE	Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	20.0.0.1	50901	20.0.0.2	6081	Tunnel::GENEVE	Tunnel::CLOSE
 #close XXXX-XX-XX-XX-XX-XX