From c4d159d1ffb4bf8964a2bac83c02e612c6df9edc Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Thu, 25 May 2023 09:12:38 +0200
Subject: [PATCH] Address wire/capture length feedback
---
 src/packet_analysis/protocol/iptunnel/IPTunnel.cc | 6 +++++-
 src/packet_analysis/protocol/iptunnel/IPTunnel.h | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index 4730e13f79..1bfb69b09d 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -182,7 +182,11 @@ std::unique_ptr build_inner_packet(Packet* outer_pkt, int* encap_index,
 assert(outer_pkt->len >= outer_pkt->cap_len - inner_cap_len);
 // Compute the wire length of the inner packet based on the wire length of
- // the outer and the difference in cap len's.
+ // the outer and the difference in capture lengths. This ensures that for
+ // truncated packets the wire length of the inner packet stays intact. Wire
+ // length may be greater than data available for truncated packets. However,
+ // analyzers do validate lengths found in headers with the wire length
+ // of the packet and keeping it consistent avoids violations.
 uint32_t consumed_len = outer_pkt->cap_len - inner_cap_len;
 uint32_t inner_wire_len = outer_pkt->len - consumed_len;
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.h b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
index ec91ac605e..9b1fbe35bc 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.h
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
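Review bot: The two `uint32_t` subtractions under the new comment are guarded in this hunk only by `assert(outer_pkt->len >= outer_pkt->cap_len - inner_cap_len)`, which is compiled out when NDEBUG is defined. In such a build, an `inner_cap_len` larger than `outer_pkt->cap_len`, or an outer wire length smaller than the consumed bytes, would wrap `consumed_len` or `inner_wire_len` to a very large value. That matters more now that the comment says analyzers validate header lengths against the wire length, since a wrapped value would let those checks pass on packet-derived input. Consider a runtime guard before the arithmetic, for example `if ( inner_cap_len > outer_pkt->cap_len || outer_pkt->len < outer_pkt->cap_len - inner_cap_len ) return nullptr;`, or whatever failure path the callers already handle. The body of `build_inner_packet` starts and ends outside the hunk, so an equivalent check may already exist above these lines.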
@@ -83,13 +83,17 @@ protected:
 * builds a new packet object containing the encapsulated/tunneled packet, as well
 * as adding to the associated encapsulation stack for the tunnel.
 *
+ * The wire length (pkt->len) of the inner packet is computed based on the wire length
+ * of the outer packet and the differences in capture lengths.
+ *
 * @param outer_pkt The packet containing the encapsulation. This packet should contain
 * @param encap_index A return value for the current index into the encapsulation stack.
 * This is returned to allow analyzers to know what point in the stack they were operating
 * on as the packet analysis chain unwinds as it returns.
 * @param encap_stack Tracks the encapsulations as the new encapsulations are discovered
 * in the inner packets.
- * @param len The byte length of the packet data containing in the inner packet.
+ * @param inner_cap_len The byte length of the packet data contained in the inner packet.
+ * Also used as capture length for the inner packet.
 * @param data A pointer to the first byte of the inner packet.
 * @param link_type The link type (DLT_*) for the outer packet. If not known, DLT_RAW can
 * be passed for this value.
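Review bot: The updated `@param inner_cap_len` text does not state the bound callers must respect. The implementation in IPTunnel.cc subtracts it from `outer_pkt->cap_len` as an unsigned value, so it must not exceed the outer capture length. I would add a line under it such as ` * Must not exceed outer_pkt->cap_len.` so analyzers passing a length parsed from a tunnel header know to clamp it first. The `@param outer_pkt` entry a few lines up also ends mid-sentence ("This packet should contain"); that predates this commit but is worth completing while the block is being edited. The doc comment and the declaration it describes continue outside the hunk.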