Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 01:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Set data to ip header's payload instead of advancing the pointer

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-09-25 16:44:27 -07:00
parent afdc08085f
commit d0cc30eccd
1 changed files with 3 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/packet_analysis/protocol/ip/IP.cc
View file

@ -175,13 +175,6 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
ip_hdr_len = ip_hdr->HdrLen(); ip_hdr_len = ip_hdr->HdrLen();
packet->cap_len = total_len + packet->hdr_size; packet->cap_len = total_len + packet->hdr_size;
// TODO: in the old code, the data pointer is updated to point at the IP header's
// payload, so it contains all of the data when it's processed. This isn't a big
// deal for when we pass it down into the session analyzers, since that does the
// same itself. should it be updated here for the case where a fragmented packet
// is actually tunneled? is that a thing that can happen? Does updating the data
// pointer without also updating the one in packet cause any problems?
if ( ip_hdr_len > total_len ) if ( ip_hdr_len > total_len )
{ {
sessions->Weird("invalid_IP_header_size", ip_hdr.get(), encapsulation); sessions->Weird("invalid_IP_header_size", ip_hdr.get(), encapsulation);
@ -227,8 +220,9 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
} }
#endif #endif
// Advance the data pointer past the IP header based on the header length // Set the data pointer to match the payload from the IP header. This makes sure that it's also pointing
data += ip_hdr_len; // at the reassembled data for a fragmented packet.
data = ip_hdr->Payload();
len -= ip_hdr_len; len -= ip_hdr_len;
bool return_val = true; bool return_val = true;