/*
 * ENIPExtractUint8 - bounds-checked read of a one-byte field at *offset.
 *
 * res:       output location (the store into *res is on a line that is not
 *            shown in this listing)
 * input:     payload buffer
 * offset:    in/out cursor into input, advanced by sizeof(uint8_t)
 * input_len: number of bytes available in input
 *
 * The return statements are not shown here; every caller visible in this
 * file compares the result against 1.
 */
44 static int ENIPExtractUint8(uint8_t *
res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/* The length test is evaluated first and || short-circuits, so the unsigned
 * subtraction input_len - sizeof(uint8_t) is only reached when it cannot
 * wrap. */
47 if (input_len <
sizeof(uint8_t) || *
offset > (input_len -
sizeof(uint8_t)))
49 SCLogDebug(
"ENIPExtractUint8: Parsing beyond payload length");
/* NOTE(review): *offset is uint16_t while input_len is uint32_t; if a payload
 * longer than 65535 bytes can reach this helper, the increment can wrap the
 * cursor - confirm that callers bound input_len. */
54 *
offset +=
sizeof(uint8_t);
/*
 * ENIPExtractUint16 - bounds-checked read of a two-byte field at *offset.
 *
 * res:       output location for the extracted value
 * input:     payload buffer
 * offset:    in/out cursor into input, advanced by sizeof(uint16_t)
 * input_len: number of bytes available in input
 *
 * The return statements are not shown in this listing; every caller visible
 * in this file compares the result against 1.
 */
64 static int ENIPExtractUint16(uint16_t *
res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/* Length test first: because || short-circuits, the unsigned subtraction
 * input_len - sizeof(uint16_t) is never evaluated for a payload shorter than
 * the field, so it cannot wrap. */
67 if (input_len <
sizeof(uint16_t) || *
offset > (input_len -
sizeof(uint16_t)))
69 SCLogDebug(
"ENIPExtractUint16: Parsing beyond payload length");
/* Tail of a call whose first line is not shown in this listing; it is handed
 * the address input + *offset, i.e. the field validated above. */
74 (
const uint8_t *) (input + *
offset));
/* NOTE(review): *offset is a 16-bit cursor while input_len is 32-bit; the
 * increment can wrap if payloads above 65535 bytes are possible - confirm. */
75 *
offset +=
sizeof(uint16_t);
/*
 * ENIPExtractUint32 - bounds-checked read of a four-byte field at *offset.
 *
 * res:       output location for the extracted value
 * input:     payload buffer
 * offset:    in/out cursor into input, advanced by sizeof(uint32_t)
 * input_len: number of bytes available in input
 *
 * The return statements are not shown in this listing; every caller visible
 * in this file compares the result against 1.
 */
85 static int ENIPExtractUint32(uint32_t *
res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/* Length test first: because || short-circuits, the unsigned subtraction
 * input_len - sizeof(uint32_t) is never evaluated for a payload shorter than
 * the field, so it cannot wrap. */
88 if (input_len <
sizeof(uint32_t) || *
offset > (input_len -
sizeof(uint32_t)))
90 SCLogDebug(
"ENIPExtractUint32: Parsing beyond payload length");
/* Tail of a call whose first line is not shown in this listing; it is handed
 * the address input + *offset, i.e. the field validated above. */
95 (
const uint8_t *) (input + *
offset));
/* NOTE(review): *offset is a 16-bit cursor while input_len is 32-bit; the
 * increment can wrap if payloads above 65535 bytes are possible - confirm. */
96 *
offset +=
sizeof(uint32_t);
/*
 * ENIPExtractUint64 - bounds-checked read of an eight-byte field at *offset.
 *
 * res:       output location for the extracted value
 * input:     payload buffer
 * offset:    in/out cursor into input, advanced by sizeof(uint64_t)
 * input_len: number of bytes available in input
 *
 * The return statements are not shown in this listing; every caller visible
 * in this file compares the result against 1.
 */
106 static int ENIPExtractUint64(uint64_t *
res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/* Length test first: because || short-circuits, the unsigned subtraction
 * input_len - sizeof(uint64_t) is never evaluated for a payload shorter than
 * the field, so it cannot wrap. */
109 if (input_len <
sizeof(uint64_t) || *
offset > (input_len -
sizeof(uint64_t)))
111 SCLogDebug(
"ENIPExtractUint64: Parsing beyond payload length");
/* Tail of a call whose first line is not shown in this listing; it is handed
 * the address input + *offset, i.e. the field validated above. */
116 (
const uint8_t *) (input + *
offset));
/* NOTE(review): *offset is a 16-bit cursor while input_len is 32-bit; the
 * increment can wrap if payloads above 65535 bytes are possible - confirm. */
117 *
offset +=
sizeof(uint64_t);
151 static void CIPServiceFree(
void *s)
/* Fragment of the ENIP decoder (its log messages use the prefix "DecodeENIP";
 * the signature is not shown in this listing). The header fields cmd, len,
 * session, status, context and option are read in that order, each through a
 * bounds-checked ENIPExtract helper. The branch taken when a helper does not
 * return 1 is on lines that are not shown. */
199 if (ENIPExtractUint16(&cmd, input, &
offset, input_len) != 1)
/* NOTE(review): len is a length taken from the packet; how it is compared
 * with input_len is not visible here - confirm it is validated before use. */
203 if (ENIPExtractUint16(&
len, input, &
offset, input_len) != 1)
207 if (ENIPExtractUint32(&session, input, &
offset, input_len) != 1)
211 if (ENIPExtractUint32(&status, input, &
offset, input_len) != 1)
215 if (ENIPExtractUint64(&context, input, &
offset, input_len) != 1)
219 if (ENIPExtractUint32(&option, input, &
offset, input_len) != 1)
/* Per-command debug traces; the dispatch they belong to is not shown. */
249 SCLogDebug(
"DecodeENIP - UNREGISTER_SESSION");
253 "DecodeENIP - SEND_RR_DATA - parse Common Packet Format");
259 "DecodeENIP - SEND UNIT DATA - parse Common Packet Format");
/* Trace for a command value with no dedicated case; the format argument is
 * on a line not shown. */
270 SCLogDebug(
"DecodeENIP - UNSUPPORTED COMMAND 0x%x",
/* Fragment of the Common Packet Format decoder (log prefix
 * "DecodeCommonPacketFormat"; the signature is not shown in this listing).
 * Every field below is read through a bounds-checked ENIPExtract helper; the
 * failure branches are on lines that are not shown. */
292 SCLogDebug(
"DecodeCommonPacketFormat: Malformed ENIP packet");
/* Fixed leading fields: handle, timeout, item count. */
299 if (ENIPExtractUint32(&handle, input, &
offset, input_len) != 1)
303 if (ENIPExtractUint16(&timeout, input, &
offset, input_len) != 1)
307 if (ENIPExtractUint16(&count, input, &
offset, input_len) != 1)
/* Address item. The connection id and sequence number start at 0, so they
 * hold a defined value when no read fills them. */
315 uint16_t address_type;
316 uint16_t address_length;
317 uint32_t address_connectionid = 0;
318 uint32_t address_sequence = 0;
320 if (ENIPExtractUint16(&address_type, input, &
offset, input_len) != 1)
/* NOTE(review): address_length comes straight from the packet; no use or
 * validation of it is visible in this listing - confirm against the full
 * source. */
324 if (ENIPExtractUint16(&address_length, input, &
offset, input_len) != 1)
/* address_connectionid is read at two places (332 and 338), presumably in
 * different address-type branches; the selecting code is not shown. */
332 if (ENIPExtractUint32(&address_connectionid, input, &
offset, input_len) != 1)
338 if (ENIPExtractUint32(&address_connectionid, input, &
offset, input_len) != 1)
342 if (ENIPExtractUint32(&address_sequence, input, &
offset, input_len) != 1)
/* Data item: type, length and (at 371) a sequence count. */
354 uint16_t data_length;
355 uint16_t data_sequence_count;
357 if (ENIPExtractUint16(&data_type, input, &
offset, input_len) != 1)
/* NOTE(review): data_length is packet-supplied; whether it is checked
 * against the bytes remaining after offset is not visible here - confirm. */
361 if (ENIPExtractUint16(&data_length, input, &
offset, input_len) != 1)
371 if (ENIPExtractUint16(&data_sequence_count, input, &
offset, input_len) != 1)
/* Debug traces for the data item types handled; the dispatch is not shown. */
382 "DecodeCommonPacketFormat - CONNECTED DATA ITEM - parse CIP");
386 SCLogDebug(
"DecodeCommonPacketFormat - UNCONNECTED DATA ITEM");
390 SCLogDebug(
"DecodeCommonPacketFormat - UNKNOWN TYPE 0x%x",
/* Fragment of the CIP decoder (log prefix "DecodeCIP"; signature not shown).
 * Guards the one-byte peek at input + offset below.
 * NOTE(review): unlike the ENIPExtract helpers, no input_len < sizeof(...)
 * test is visible in front of this unsigned subtraction. If input_len can be
 * 0 here, input_len - sizeof(uint8_t) wraps to a very large value and the
 * guard no longer rejects anything - confirm an earlier length check exists
 * on the lines not shown, or add the same short-circuit test the helpers
 * use. */
418 if (
offset > (input_len -
sizeof(uint8_t)))
420 SCLogDebug(
"DecodeCIP: Parsing beyond payload length");
/* Reads the service byte without advancing offset. */
425 service = *(input +
offset);
/* Fragment of the CIP request decoder (log prefix "DecodeCIPRequest"; the
 * signature is not shown in this listing). */
458 SCLogDebug(
"DecodeCIPRequest - Malformed CIP Data");
463 uint8_t path_size = 0;
/* Service code and path size are single bytes read through the
 * bounds-checked helper; the failure branches are not shown. */
465 if (ENIPExtractUint8(&service, input, &
offset, input_len) != 1)
469 if (ENIPExtractUint8(&path_size, input, &
offset, input_len) != 1)
476 SCLogDebug(
"DecodeCIPRequest - INVALID CIP SERVICE 0x%x", service);
/* The condition that triggers this message is not shown; the text indicates
 * a cap on the number of services. */
483 SCLogDebug(
"DecodeCIPRequest: Maximum services reached");
491 SCLogDebug(
"DecodeCIPRequest: Unable to create CIP service");
/* The packet-supplied path size is stored on the service node. */
496 node->
request.path_size = path_size;
/* Skips the request path: path_size units of sizeof(uint16_t) each, so up to
 * 510 bytes for a one-byte path_size.
 * NOTE(review): no comparison of the new offset with input_len is visible in
 * this listing, and offset is a 16-bit cursor (its address is passed to the
 * uint16_t * parameter of ENIPExtractUint8), so the addition can also wrap.
 * Confirm that every later read goes through a bounds check. */
503 offset += path_size *
sizeof(uint16_t);
/* Per-service debug traces; the switch they belong to is not shown. */
509 SCLogDebug(
"DecodeCIPRequest - CIP_RESERVED");
512 SCLogDebug(
"DecodeCIPRequest - CIP_GET_ATTR_ALL");
515 SCLogDebug(
"DecodeCIPRequest - CIP_GET_ATTR_LIST");
518 SCLogDebug(
"DecodeCIPRequest - CIP_SET_ATTR_LIST");
540 SCLogDebug(
"DecodeCIPRequest - CIP_APPLY_ATTR");
543 SCLogDebug(
"DecodeCIPRequest - CIP_KICK_TIMER");
546 SCLogDebug(
"DecodeCIPRequest - CIP_OPEN_CONNECTION");
549 SCLogDebug(
"DecodeCIPRequest - CIP_CHANGE_START");
552 SCLogDebug(
"DecodeCIPRequest - CIP_GET_STATUS");
555 SCLogDebug(
"DecodeCIPRequest - CIP SERVICE 0x%x", service);
/* Fragment of the CIP request path decoder (log prefix
 * "DecodeCIPRequestPathPDU"; signature not shown). Walks the path segments,
 * then an attribute list. All reads go through the bounds-checked
 * ENIPExtract helpers; their failure branches are on lines not shown. */
577 if (node->
request.path_size < 1)
/* Signed counter seeded from the packet-supplied path size; it drives the
 * segment loop below. */
583 int bytes_remain = node->
request.path_size;
588 uint8_t req_path_instance8;
589 uint8_t req_path_attr8;
592 uint16_t req_path_class16;
593 uint16_t req_path_instance16;
/* NOTE(review): only the two decrements at 671 and 689 are visible in this
 * listing; confirm that every segment branch either decrements bytes_remain
 * or leaves the loop, so a crafted path cannot keep it spinning. */
599 while (bytes_remain > 0)
602 if (ENIPExtractUint8(&segment, input, &
offset, input_len) != 1)
/* 8-bit class segment: widened to 16 bits so both class encodings share one
 * variable. */
609 uint8_t req_path_class8 = 0;
610 if (ENIPExtractUint8(&req_path_class8, input, &
offset, input_len) != 1) {
613 class = (uint16_t) req_path_class8;
614 SCLogDebug(
"DecodeCIPRequestPathPDU: 8bit class 0x%x",
class);
619 seg->segment = segment;
/* 8-bit instance and attribute segments. */
627 if (ENIPExtractUint8(&req_path_instance8, input, &
offset, input_len) != 1)
635 if (ENIPExtractUint8(&req_path_attr8, input, &
offset, input_len) != 1)
645 seg->segment = segment;
/* 16-bit class segment: one reserved byte, then the 16-bit value. */
652 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
656 if (ENIPExtractUint16(&req_path_class16, input, &
offset, input_len) != 1)
660 class = req_path_class16;
661 SCLogDebug(
"DecodeCIPRequestPath: 16bit class 0x%x",
class);
666 seg->segment = segment;
/* The >= 2 test keeps the counter from going negative on this decrement. */
669 if (bytes_remain >= 2)
671 bytes_remain = bytes_remain - 2;
/* 16-bit instance segment: one reserved byte, then the 16-bit value. */
678 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
682 if (ENIPExtractUint16(&req_path_instance16, input, &
offset, input_len) != 1)
687 if (bytes_remain >= 2)
689 bytes_remain = bytes_remain - 2;
697 "DecodeCIPRequestPath: UNKNOWN SEGMENT 0x%x service 0x%x",
/* Attribute list: a packet-supplied 16-bit count followed by that many
 * 16-bit attributes. The loop bound is attacker-influenced (up to 65535);
 * each iteration is limited by the helper's bounds check, so termination on
 * a short payload depends on the failure branch, which is not shown. */
706 uint16_t attr_list_count;
710 if (ENIPExtractUint16(&attr_list_count, input, &
offset, input_len) != 1)
714 SCLogDebug(
"DecodeCIPRequestPathPDU: attribute list count %d",
716 for (
int i = 0; i < attr_list_count; i++)
718 if (ENIPExtractUint16(&attribute, input, &
offset, input_len) != 1)
722 SCLogDebug(
"DecodeCIPRequestPathPDU: attribute %d", attribute);
/* Fragment of the CIP response decoder (log prefix "DecodeCIPResponse"; the
 * signature is not shown in this listing). */
751 SCLogDebug(
"DecodeCIPResponse - Malformed CIP Data");
/* Response header: service byte, reserved byte, 16-bit status, each read
 * through a bounds-checked helper; the failure branches are not shown. */
759 if (ENIPExtractUint8(&service, input, &
offset, input_len) != 1)
763 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
767 if (ENIPExtractUint16(&status, input, &
offset, input_len) != 1)
775 SCLogDebug(
"CIP service 0x%x status 0x%x", service, status);
/* NOTE(review): the next two messages carry the prefix "DecodeCIPRequest"
 * although the surrounding traces are all "DecodeCIPResponse" - presumably
 * copied from the request decoder. The wrong prefix points an analyst
 * triaging debug logs at the wrong code path; worth correcting. */
780 SCLogDebug(
"DecodeCIPRequest: Maximum services reached");
788 SCLogDebug(
"DecodeCIPRequest: Unable to create CIP service");
/* Per-service debug traces; the switch they belong to is not shown. */
802 SCLogDebug(
"DecodeCIPResponse - CIP_RESERVED");
805 SCLogDebug(
"DecodeCIPResponse - CIP_GET_ATTR_ALL");
808 SCLogDebug(
"DecodeCIPResponse - CIP_GET_ATTR_LIST");
811 SCLogDebug(
"DecodeCIPResponse - CIP_SET_ATTR_LIST");
833 SCLogDebug(
"DecodeCIPResponse - CIP_APPLY_ATTR");
836 SCLogDebug(
"DecodeCIPResponse - CIP_KICK_TIMER");
839 SCLogDebug(
"DecodeCIPResponse - CIP_OPEN_CONNECTION");
842 SCLogDebug(
"DecodeCIPResponse - CIP_CHANGE_START");
845 SCLogDebug(
"DecodeCIPResponse - CIP_GET_STATUS");
848 SCLogDebug(
"DecodeCIPResponse - CIP SERVICE 0x%x", service);
/* Fragment of the multiple-service-packet request decoder (log prefix
 * "DecodeCIPRequestMSPPDU"; signature not shown).
 * NOTE(review): this guard subtracts from input_len without the
 * input_len < sizeof(...) test that the ENIPExtract helpers perform first.
 * With input_len below sizeof(uint16_t) the unsigned subtraction wraps and
 * the guard accepts any offset - confirm an earlier length check on the
 * lines not shown, or reuse ENIPExtractUint16 for these reads. The >= here
 * is also stricter than the helpers' >: a field ending exactly at the end of
 * the payload is rejected. */
867 if (
offset >= (input_len -
sizeof(uint16_t)))
869 SCLogDebug(
"DecodeCIPRequestMSPPDU: Parsing beyond payload length");
/* Works on a copy of the cursor, so the reads below do not move offset. */
873 uint16_t temp_offset =
offset;
874 uint16_t num_services;
/* Tail of a call whose first line is not shown; presumably it fills
 * num_services from the two bytes at input + temp_offset. */
876 (
const uint8_t *) (input + temp_offset));
877 temp_offset +=
sizeof(uint16_t);
/* Runs num_services times (svc counts from 1). The bound is taken from the
 * packet, so the per-iteration length check below is what limits the reads. */
880 for (
int svc = 1; svc < num_services + 1; svc++)
/* Same unguarded unsigned subtraction as at 867. */
882 if (temp_offset >= (input_len -
sizeof(uint16_t)))
884 SCLogDebug(
"DecodeCIPRequestMSPPDU: Parsing beyond payload length");
890 (
const uint8_t *) (input + temp_offset));
/* NOTE(review): temp_offset is 16 bits wide; with up to 65535 iterations of
 * two bytes each it can wrap if input_len is large enough for the check at
 * 882 to keep passing - confirm input_len is bounded. */
891 temp_offset +=
sizeof(uint16_t);
/* Fragment of the multiple-service-packet response decoder (log prefix
 * "DecodeCIPResponseMSPPDU"; signature not shown).
 * NOTE(review): this guard subtracts from input_len without the
 * input_len < sizeof(...) test that the ENIPExtract helpers perform first.
 * With input_len below sizeof(uint16_t) the unsigned subtraction wraps and
 * the guard accepts any offset - confirm an earlier length check on the
 * lines not shown, or reuse ENIPExtractUint16 for these reads. */
915 if (
offset >= (input_len -
sizeof(uint16_t)))
917 SCLogDebug(
"DecodeCIPResponseMSPPDU: Parsing beyond payload length");
/* Works on a copy of the cursor, so the reads below do not move offset. */
921 uint16_t temp_offset =
offset;
922 uint16_t num_services;
/* Tail of a call whose first line is not shown; presumably it fills
 * num_services from the two bytes at input + temp_offset. */
924 (
const uint8_t *) (input + temp_offset));
925 temp_offset +=
sizeof(uint16_t);
/* Runs num_services times. The bound is taken from the packet, so the
 * per-iteration length check below is what limits the reads. */
928 for (
int svc = 0; svc < num_services; svc++)
/* Same unguarded unsigned subtraction as at 915. The message below uses the
 * prefix "DecodeCIPResponseMSP" while the one at 917 uses
 * "DecodeCIPResponseMSPPDU"; a single prefix makes log searches reliable. */
930 if (temp_offset >= (input_len -
sizeof(uint16_t)))
932 SCLogDebug(
"DecodeCIPResponseMSP: Parsing beyond payload length");
938 (
const uint8_t *) (input + temp_offset));
/* NOTE(review): temp_offset is 16 bits wide and can wrap if input_len is
 * large enough for the check at 930 to keep passing - confirm input_len is
 * bounded. */
939 temp_offset +=
sizeof(uint16_t);