diff --git a/src/Discard.cc b/src/Discard.cc index 3738706f26..8e73dc83c5 100644 --- a/src/Discard.cc +++ b/src/Discard.cc @@ -35,7 +35,7 @@ bool Discarder::IsActive() return check_ip || check_tcp || check_udp || check_icmp; } -bool Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen) +bool Discarder::NextPacket(const std::unique_ptr& ip, int len, int caplen) { bool discard_packet = false; diff --git a/src/Discard.h b/src/Discard.h index 977f2fa724..3009088d17 100644 --- a/src/Discard.h +++ b/src/Discard.h @@ -3,6 +3,7 @@ #pragma once #include // for u_char +#include #include "IntrusivePtr.h" @@ -22,7 +23,7 @@ public: bool IsActive(); - bool NextPacket(const IP_Hdr* ip, int len, int caplen); + bool NextPacket(const std::unique_ptr& ip, int len, int caplen); protected: Val* BuildData(const u_char* data, int hdrlen, int len, int caplen); diff --git a/src/Frag.cc b/src/Frag.cc index 90476546f6..b2a7fd7aaa 100644 --- a/src/Frag.cc +++ b/src/Frag.cc @@ -30,7 +30,7 @@ void FragTimer::Dispatch(double t, bool /* is_expire */) } FragReassembler::FragReassembler(NetSessions* arg_s, - const IP_Hdr* ip, const u_char* pkt, + const std::unique_ptr& ip, const u_char* pkt, const FragReassemblerKey& k, double t) : Reassembler(0, REASSEM_FRAG) { @@ -73,7 +73,8 @@ FragReassembler::~FragReassembler() delete [] proto_hdr; } -void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt) +void FragReassembler::AddFragment(double t, const std::unique_ptr& ip, + const u_char* pkt) { const struct ip* ip4 = ip->IP4_Hdr(); @@ -85,19 +86,19 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt) // don't check TOS, there's at least one stack that actually // uses different values, and it's hard to see an associated // attack. - s->Weird("fragment_protocol_inconsistency", ip); + s->Weird("fragment_protocol_inconsistency", ip.get()); } else { if ( ip->NextProto() != next_proto || ip->HdrLen() - 8 != proto_hdr_len ) - s->Weird("fragment_protocol_inconsistency", ip); + s->Weird("fragment_protocol_inconsistency", ip.get()); // TODO: more detailed unfrag header consistency checks? } if ( ip->DF() ) // Linux MTU discovery for UDP can do this, for example. - s->Weird("fragment_with_DF", ip); + s->Weird("fragment_with_DF", ip.get()); uint16_t offset = ip->FragOffset(); uint32_t len = ip->TotalLen(); @@ -105,7 +106,7 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt) if ( len < hdr_len ) { - s->Weird("fragment_protocol_inconsistency", ip); + s->Weird("fragment_protocol_inconsistency", ip.get()); return; } @@ -123,7 +124,7 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt) else if ( upper_seq != frag_size ) { - s->Weird("fragment_size_inconsistency", ip); + s->Weird("fragment_size_inconsistency", ip.get()); if ( upper_seq > frag_size ) frag_size = upper_seq; @@ -131,10 +132,10 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt) } else if ( len < MIN_ACCEPTABLE_FRAG_SIZE ) - s->Weird("excessively_small_fragment", ip); + s->Weird("excessively_small_fragment", ip.get()); if ( upper_seq > MAX_ACCEPTABLE_FRAG_SIZE ) - s->Weird("excessively_large_fragment", ip); + s->Weird("excessively_large_fragment", ip.get()); if ( frag_size && upper_seq > frag_size ) { @@ -143,7 +144,7 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt) // larger than the size we derived from a previously-seen // "last fragment". - s->Weird("fragment_size_inconsistency", ip); + s->Weird("fragment_size_inconsistency", ip.get()); frag_size = upper_seq; } @@ -286,8 +287,7 @@ void FragReassembler::BlockInserted(DataBlockMap::const_iterator /* it */) memcpy(&pkt[b.seq], b.block, b.upper - b.seq); } - delete reassembled_pkt; - reassembled_pkt = nullptr; + reassembled_pkt.reset(); unsigned int version = ((const struct ip*)pkt_start)->ip_v; @@ -295,7 +295,7 @@ void FragReassembler::BlockInserted(DataBlockMap::const_iterator /* it */) { struct ip* reassem4 = (struct ip*) pkt_start; reassem4->ip_len = htons(frag_size + proto_hdr_len); - reassembled_pkt = new IP_Hdr(reassem4, true); + reassembled_pkt = std::make_unique(reassem4, true); reassembled_pkt->reassembled = true; DeleteTimer(); } @@ -305,7 +305,7 @@ void FragReassembler::BlockInserted(DataBlockMap::const_iterator /* it */) struct ip6_hdr* reassem6 = (struct ip6_hdr*) pkt_start; reassem6->ip6_plen = htons(frag_size + proto_hdr_len - 40); const IPv6_Hdr_Chain* chain = new IPv6_Hdr_Chain(reassem6, next_proto, n); - reassembled_pkt = new IP_Hdr(reassem6, true, n, chain); + reassembled_pkt = std::make_unique(reassem6, true, n, chain); reassembled_pkt->reassembled = true; DeleteTimer(); } @@ -342,7 +342,8 @@ FragmentManager::~FragmentManager() Clear(); } -FragReassembler* FragmentManager::NextFragment(double t, const IP_Hdr* ip, const u_char* pkt) +FragReassembler* FragmentManager::NextFragment(double t, const std::unique_ptr& ip, + const u_char* pkt) { uint32_t frag_id = ip->ID(); FragReassemblerKey key = std::make_tuple(ip->SrcAddr(), ip->DstAddr(), frag_id); diff --git a/src/Frag.h b/src/Frag.h index 1fb373f1cc..62158982b7 100644 --- a/src/Frag.h +++ b/src/Frag.h @@ -22,17 +22,17 @@ using FragReassemblerKey = std::tuple; class FragReassembler : public Reassembler { public: - FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt, + FragReassembler(NetSessions* s, const std::unique_ptr& ip, const u_char* pkt, const FragReassemblerKey& k, double t); ~FragReassembler() override; - void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt); + void AddFragment(double t, const std::unique_ptr& ip, const u_char* pkt); void Expire(double t); void DeleteTimer(); void ClearTimer() { expire_timer = nullptr; } - IP_Hdr* ReassembledPkt() { return reassembled_pkt; } + std::unique_ptr ReassembledPkt() { return std::move(reassembled_pkt); } const FragReassemblerKey& Key() const { return key; } protected: @@ -41,7 +41,7 @@ protected: void Weird(const char* name) const; u_char* proto_hdr; - IP_Hdr* reassembled_pkt; + std::unique_ptr reassembled_pkt; NetSessions* s; uint64_t frag_size; // size of fully reassembled fragment FragReassemblerKey key; @@ -73,7 +73,8 @@ public: FragmentManager() = default; ~FragmentManager(); - FragReassembler* NextFragment(double t, const IP_Hdr* ip, const u_char* pkt); + FragReassembler* NextFragment(double t, const std::unique_ptr& ip, + const u_char* pkt); void Clear(); void Remove(detail::FragReassembler* f); diff --git a/src/PacketFilter.cc b/src/PacketFilter.cc index 43e13bd32b..d2b24c8ecc 100644 --- a/src/PacketFilter.cc +++ b/src/PacketFilter.cc @@ -80,7 +80,7 @@ bool PacketFilter::RemoveDst(Val* dst) return f != nullptr; } -bool PacketFilter::Match(const IP_Hdr* ip, int len, int caplen) +bool PacketFilter::Match(const std::unique_ptr& ip, int len, int caplen) { Filter* f = (Filter*) src_filter.Lookup(ip->SrcAddr(), 128); if ( f ) diff --git a/src/PacketFilter.h b/src/PacketFilter.h index edf58a1280..22f8e47b47 100644 --- a/src/PacketFilter.h +++ b/src/PacketFilter.h @@ -2,6 +2,7 @@ #pragma once +#include #include "IPAddr.h" #include "PrefixTable.h" @@ -31,7 +32,7 @@ public: bool RemoveDst(Val* dst); // Returns true if packet matches a drop filter - bool Match(const IP_Hdr* ip, int len, int caplen); + bool Match(const std::unique_ptr& ip, int len, int caplen); private: struct Filter { diff --git a/src/Sessions.cc b/src/Sessions.cc index 8cf4a12712..1b92eafca4 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -81,8 +81,10 @@ void NetSessions::NextPacket(double t, Packet* pkt) packet_mgr->ProcessPacket(pkt); } -void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr) +void NetSessions::DoNextPacket(double t, const Packet* pkt) { + const std::unique_ptr& ip_hdr = pkt->ip_hdr; + uint32_t caplen = pkt->cap_len - pkt->hdr_size; uint32_t len = ip_hdr->TotalLen(); uint16_t ip_hdr_len = ip_hdr->HdrLen(); @@ -218,7 +220,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr conn->EnqueueEvent(new_packet, nullptr, conn->ConnVal(), pkt_hdr_val ? std::move(pkt_hdr_val) : ip_hdr->ToPktHdrVal()); - conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data, + conn->NextPacket(t, is_orig, ip_hdr.get(), len, caplen, data, record_packet, record_content, pkt); // We skip this block for reassembled packets because the pointer diff --git a/src/Sessions.h b/src/Sessions.h index 0ef23b550e..762dafb0e7 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -96,7 +96,7 @@ public: * method is called by the packet analysis manager when after it has processed * an IP-based packet, and shouldn't be called directly from other places. */ - void DoNextPacket(double t, const Packet *pkt, const IP_Hdr* ip_hdr); + void DoNextPacket(double t, const Packet *pkt); /** * Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4 diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index b652c14f48..91b03d421d 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -63,8 +63,7 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen, l3_checksummed = false; encap.reset(); - delete ip_hdr; - ip_hdr = nullptr; + ip_hdr.reset(); proto = -1; tunnel_type = BifEnum::Tunnel::IP; @@ -83,8 +82,6 @@ Packet::~Packet() { if ( copy ) delete [] data; - - delete ip_hdr; } const IP_Hdr Packet::IP() const diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 57182c4f47..0207fdfd5b 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -16,11 +16,11 @@ typedef struct timeval pkt_timeval; #include "pcap.h" // For DLT_ constants #include "zeek/NetVar.h" // For BifEnum::Tunnel #include "zeek/TunnelEncapsulation.h" +#include "zeek/IP.h" ZEEK_FORWARD_DECLARE_NAMESPACED(ODesc, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek); -ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek); namespace zeek { @@ -231,7 +231,7 @@ public: * The IP header for this packet. This is filled in by the IP analyzer * during processing if the packet contains an IP header. */ - IP_Hdr* ip_hdr = nullptr; + std::unique_ptr ip_hdr = nullptr; /** * The protocol of the packet. This is used by the tunnel analyzers to diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc index 2d4b61f32d..c8bfddaf01 100644 --- a/src/packet_analysis/protocol/gre/GRE.cc +++ b/src/packet_analysis/protocol/gre/GRE.cc @@ -48,11 +48,9 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } - IP_Hdr* ip_hdr = packet->ip_hdr; - if ( ! BifConst::Tunnel::enable_gre ) { - sessions->Weird("GRE_tunnel", ip_hdr, packet->encap); + sessions->Weird("GRE_tunnel", packet->ip_hdr.get(), packet->encap); return false; } @@ -70,7 +68,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( gre_version != 0 && gre_version != 1 ) { - sessions->Weird("unknown_gre_version", ip_hdr, packet->encap, + sessions->Weird("unknown_gre_version", packet->ip_hdr.get(), packet->encap, util::fmt("%d", gre_version)); return false; } @@ -88,7 +86,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", ip_hdr, packet->encap); + sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap); return false; } } @@ -105,7 +103,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", ip_hdr, packet->encap); + sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap); return false; } } @@ -128,7 +126,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) erspan_len += 8; else { - sessions->Weird("truncated_GRE", ip_hdr, packet->encap); + sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap); return false; } } @@ -137,7 +135,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", ip_hdr, packet->encap); + sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap); return false; } } @@ -148,7 +146,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( proto_typ != 0x880b ) { // Enhanced GRE payload must be PPP. - sessions->Weird("egre_protocol_type", ip_hdr, packet->encap, + sessions->Weird("egre_protocol_type", packet->ip_hdr.get(), packet->encap, util::fmt("%d", proto_typ)); return false; } @@ -159,20 +157,20 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // RFC 2784 deprecates the variable length routing field // specified by RFC 1701. It could be parsed here, but easiest // to just skip for now. - sessions->Weird("gre_routing", ip_hdr, packet->encap); + sessions->Weird("gre_routing", packet->ip_hdr.get(), packet->encap); return false; } if ( flags_ver & 0x0078 ) { // Expect last 4 bits of flags are reserved, undefined. - sessions->Weird("unknown_gre_flags", ip_hdr, packet->encap); + sessions->Weird("unknown_gre_flags", packet->ip_hdr.get(), packet->encap); return false; } if ( len < gre_len + ppp_len + eth_len + erspan_len ) { - sessions->Weird("truncated_GRE", ip_hdr, packet->encap); + sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap); return false; } @@ -182,7 +180,8 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 ) { - sessions->Weird("non_ip_packet_in_encap", ip_hdr, packet->encap); + sessions->Weird("non_ip_packet_in_encap", packet->ip_hdr.get(), + packet->encap); return false; } diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index a4393fb6fb..de9fe3ae10 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -49,10 +49,9 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) uint32_t protocol = ip->ip_v; // This is a unique pointer because of the mass of early returns from this method. - IP_Hdr* ip_hdr = nullptr; if ( protocol == 4 ) { - ip_hdr = new IP_Hdr(ip, false); + packet->ip_hdr = std::make_unique(ip, false); packet->l3_proto = L3_IPV4; } else if ( protocol == 6 ) @@ -63,7 +62,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } - ip_hdr = new IP_Hdr((const struct ip6_hdr*) data, false, len); + packet->ip_hdr = std::make_unique((const struct ip6_hdr*) data, false, len); packet->l3_proto = L3_IPV6; } else @@ -72,14 +71,10 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } - // Store this with the packet, since it's potentially used in other places - // and it makes sense to not have to parse it out a second time. - packet->ip_hdr = ip_hdr; - - const struct ip* ip4 = ip_hdr->IP4_Hdr(); + const struct ip* ip4 = packet->ip_hdr->IP4_Hdr(); // total_len is the length of the packet minus all of the headers so far, including IP - uint32_t total_len = ip_hdr->TotalLen(); + uint32_t total_len = packet->ip_hdr->TotalLen(); if ( total_len == 0 ) { // TCP segmentation offloading can zero out the ip_len field. @@ -97,20 +92,20 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // For both of these it is safe to pass ip_hdr because the presence // is guaranteed for the functions that pass data to us. - uint16_t ip_hdr_len = ip_hdr->HdrLen(); + uint16_t ip_hdr_len = packet->ip_hdr->HdrLen(); if ( ip_hdr_len > total_len ) { - sessions->Weird("invalid_IP_header_size", ip_hdr, packet->encap); + sessions->Weird("invalid_IP_header_size", packet->ip_hdr.get(), packet->encap); return false; } if ( ip_hdr_len > len ) { - sessions->Weird("internally_truncated_header", ip_hdr, packet->encap); + sessions->Weird("internally_truncated_header", packet->ip_hdr.get(), packet->encap); return false; } - if ( ip_hdr->IP4_Hdr() ) + if ( packet->ip_hdr->IP4_Hdr() ) { if ( ip_hdr_len < sizeof(struct ip) ) { @@ -129,7 +124,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Ignore if packet matches packet filter. detail::PacketFilter* packet_filter = sessions->GetPacketFilter(false); - if ( packet_filter && packet_filter->Match(ip_hdr, total_len, len) ) + if ( packet_filter && packet_filter->Match(packet->ip_hdr, total_len, len) ) return false; if ( ! packet->l2_checksummed && ! detail::ignore_checksums && ip4 && @@ -139,30 +134,31 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) return false; } - if ( discarder && discarder->NextPacket(ip_hdr, total_len, len) ) + if ( discarder && discarder->NextPacket(packet->ip_hdr, total_len, len) ) return false; detail::FragReassembler* f = nullptr; - if ( ip_hdr->IsFragment() ) + if ( packet->ip_hdr->IsFragment() ) { packet->dump_packet = true; // always record fragments if ( len < total_len ) { - sessions->Weird("incompletely_captured_fragment", ip_hdr, packet->encap); + sessions->Weird("incompletely_captured_fragment", packet->ip_hdr.get(), packet->encap); // Don't try to reassemble, that's doomed. // Discard all except the first fragment (which // is useful in analyzing header-only traces) - if ( ip_hdr->FragOffset() != 0 ) + if ( packet->ip_hdr->FragOffset() != 0 ) return false; } else { - f = detail::fragment_mgr->NextFragment(run_state::processing_start_time, ip_hdr, + f = detail::fragment_mgr->NextFragment(run_state::processing_start_time, packet->ip_hdr, packet->data + packet->hdr_size); - IP_Hdr* ih = f->ReassembledPkt(); + std::unique_ptr ih = f->ReassembledPkt(); + if ( ! ih ) // It didn't reassemble into anything yet. return true; @@ -171,17 +167,15 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Switch the stored ip header over to the one from the // fragmented packet. - delete ip_hdr; - ip_hdr = ih; + packet->ip_hdr = std::move(ih); - len = total_len = ip_hdr->TotalLen(); - ip_hdr_len = ip_hdr->HdrLen(); + len = total_len = packet->ip_hdr->TotalLen(); + ip_hdr_len = packet->ip_hdr->HdrLen(); packet->cap_len = total_len + packet->hdr_size; - packet->ip_hdr = ih; if ( ip_hdr_len > total_len ) { - sessions->Weird("invalid_IP_header_size", ip_hdr, packet->encap); + sessions->Weird("invalid_IP_header_size", packet->ip_hdr.get(), packet->encap); return false; } } @@ -191,11 +185,11 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // We stop building the chain when seeing IPPROTO_ESP so if it's // there, it's always the last. - if ( ip_hdr->LastHeader() == IPPROTO_ESP ) + if ( packet->ip_hdr->LastHeader() == IPPROTO_ESP ) { packet->dump_packet = true; if ( esp_packet ) - event_mgr.Enqueue(esp_packet, ip_hdr->ToPktHdrVal()); + event_mgr.Enqueue(esp_packet, packet->ip_hdr->ToPktHdrVal()); // Can't do more since upper-layer payloads are going to be encrypted. return true; @@ -204,20 +198,20 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) #ifdef ENABLE_MOBILE_IPV6 // We stop building the chain when seeing IPPROTO_MOBILITY so it's always // last if present. - if ( ip_hdr->LastHeader() == IPPROTO_MOBILITY ) + if ( packet->ip_hdr->LastHeader() == IPPROTO_MOBILITY ) { dump_this_packet = true; - if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff ) + if ( ! ignore_checksums && mobility_header_checksum(packet->ip_hdr) != 0xffff ) { sessions->Weird("bad_MH_checksum", packet, packet->encap); return false; } if ( mobile_ipv6_message ) - event_mgr.Enqueue(mobile_ipv6_message, ip_hdr->ToPktHdrVal()); + event_mgr.Enqueue(mobile_ipv6_message, packet->ip_hdr->ToPktHdrVal()); - if ( ip_hdr->NextProto() != IPPROTO_NONE ) + if ( packet->ip_hdr->NextProto() != IPPROTO_NONE ) sessions->Weird("mobility_piggyback", packet, packet->encap); return true; @@ -226,7 +220,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Set the data pointer to match the payload from the IP header. This makes sure that it's also pointing // at the reassembled data for a fragmented packet. - data = ip_hdr->Payload(); + data = packet->ip_hdr->Payload(); len -= ip_hdr_len; // Session analysis assumes that the header size stored in the packet does not include the IP header @@ -236,7 +230,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // change, but for now we leave it as it is. bool return_val = true; - int proto = ip_hdr->NextProto(); + int proto = packet->ip_hdr->NextProto(); packet->proto = proto; @@ -247,7 +241,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) case IPPROTO_ICMPV6: DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", GetAnalyzerName(), proto); - sessions->DoNextPacket(run_state::processing_start_time, packet, ip_hdr); + sessions->DoNextPacket(run_state::processing_start_time, packet); break; case IPPROTO_NONE: // If the packet is encapsulated in Teredo, then it was a bubble and diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc index da4d94d59b..8b298dfda1 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc @@ -26,18 +26,16 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa return false; } - IP_Hdr* ip_hdr = packet->ip_hdr; - if ( ! BifConst::Tunnel::enable_ip ) { - sessions->Weird("IP_tunnel", ip_hdr, packet->encap); + sessions->Weird("IP_tunnel", packet->ip_hdr.get(), packet->encap); return false; } if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) { - sessions->Weird("exceeded_tunnel_max_depth", ip_hdr, packet->encap); + sessions->Weird("exceeded_tunnel_max_depth", packet->ip_hdr.get(), packet->encap); return false; } @@ -53,11 +51,11 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa // Check for a valid inner packet first. int result = sessions->ParseIPPacket(len, data, proto, inner); if ( result == -2 ) - sessions->Weird("invalid_inner_IP_version", ip_hdr, packet->encap); + sessions->Weird("invalid_inner_IP_version", packet->ip_hdr.get(), packet->encap); else if ( result < 0 ) - sessions->Weird("truncated_inner_IP", ip_hdr, packet->encap); + sessions->Weird("truncated_inner_IP", packet->ip_hdr.get(), packet->encap); else if ( result > 0 ) - sessions->Weird("inner_IP_payload_length_mismatch", ip_hdr, packet->encap); + sessions->Weird("inner_IP_payload_length_mismatch", packet->ip_hdr.get(), packet->encap); if ( result != 0 ) { @@ -70,16 +68,16 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa // by the pair of IP addresses, so that we can always associate the // same UID with it. IPPair tunnel_idx; - if ( ip_hdr->SrcAddr() < ip_hdr->DstAddr() ) - tunnel_idx = IPPair(ip_hdr->SrcAddr(), ip_hdr->DstAddr()); + if ( packet->ip_hdr->SrcAddr() < packet->ip_hdr->DstAddr() ) + tunnel_idx = IPPair(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr()); else - tunnel_idx = IPPair(ip_hdr->DstAddr(), ip_hdr->SrcAddr()); + tunnel_idx = IPPair(packet->ip_hdr->DstAddr(), packet->ip_hdr->SrcAddr()); IPTunnelMap::iterator tunnel_it = ip_tunnels.find(tunnel_idx); if ( tunnel_it == ip_tunnels.end() ) { - EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), + EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(), tunnel_type); ip_tunnels[tunnel_idx] = TunnelActivity(ec, run_state::network_time); zeek::detail::timer_mgr->Add(new detail::IPTunnelTimer(run_state::network_time, tunnel_idx, this));