/* Bounds-checks a one-byte read at *offset and advances *offset past it.
 * Callers in this file compare the return value with 1.
 * NOTE(review): this listing is an excerpt; the store into *res and the
 * return statements are on lines not shown here. */
44 static int ENIPExtractUint8(uint8_t *res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/* The input_len < sizeof(...) term is evaluated first, so the unsigned
 * subtraction on the right cannot wrap when the payload is shorter than
 * the field being read. */
47 if (input_len <
sizeof(uint8_t) || *
offset > (input_len -
sizeof(uint8_t)))
49 SCLogDebug(
"ENIPExtractUint8: Parsing beyond payload length");
/* Advance the caller's cursor by the width just consumed. */
54 *
offset +=
sizeof(uint8_t);
/* Bounds-checks a two-byte read at *offset and advances *offset past it.
 * Callers in this file compare the return value with 1.
 * NOTE(review): excerpt only; the return statements are not shown. */
64 static int ENIPExtractUint16(uint16_t *res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/* Short-payload guard first: without it, input_len - sizeof(uint16_t)
 * would wrap for input_len < 2 and the offset comparison would pass. */
67 if (input_len <
sizeof(uint16_t) || *
offset > (input_len -
sizeof(uint16_t))) {
68 SCLogDebug(
"ENIPExtractUint16: Parsing beyond payload length");
/* Tail of a helper call that reads from input + *offset; its result is
 * compared with -1. The helper's name is on a line not shown. */
73 (
const uint8_t *)(input + *
offset)) == -1) {
/* Advance the caller's cursor by the width just consumed. */
77 *
offset +=
sizeof(uint16_t);
/* Bounds-checks a four-byte read at *offset and advances *offset past it.
 * Callers in this file compare the return value with 1.
 * NOTE(review): excerpt only; the return statements are not shown. */
87 static int ENIPExtractUint32(uint32_t *res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/* Short-payload guard first, so the unsigned subtraction cannot wrap when
 * input_len < 4. */
90 if (input_len <
sizeof(uint32_t) || *
offset > (input_len -
sizeof(uint32_t)))
92 SCLogDebug(
"ENIPExtractUint32: Parsing beyond payload length");
/* Tail of a helper call that reads from input + *offset; its result is
 * compared with -1. The helper's name is on a line not shown. */
97 (
const uint8_t *)(input + *
offset)) == -1) {
/* Advance the caller's cursor by the width just consumed. */
101 *
offset +=
sizeof(uint32_t);
/* Bounds-checks an eight-byte read at *offset and advances *offset past it.
 * Callers in this file compare the return value with 1.
 * NOTE(review): excerpt only; the return statements are not shown. */
111 static int ENIPExtractUint64(uint64_t *res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/* Short-payload guard first, so the unsigned subtraction cannot wrap when
 * input_len < 8. */
114 if (input_len <
sizeof(uint64_t) || *
offset > (input_len -
sizeof(uint64_t)))
116 SCLogDebug(
"ENIPExtractUint64: Parsing beyond payload length");
/* Tail of a helper call that reads from input + *offset; its result is
 * compared with -1. The helper's name is on a line not shown. */
121 (
const uint8_t *)(input + *
offset)) == -1) {
/* Advance the caller's cursor by the width just consumed. */
125 *
offset +=
sizeof(uint64_t);
159 static void CIPServiceFree(
void *s)
/* NOTE(review): excerpt of the routine whose log prefix is "DecodeENIP";
 * its signature is not shown.
 * Six fixed-width fields are read in order (2+2+4+4+8+4 = 24 bytes). Every
 * read goes through an ENIPExtract* helper, which checks the payload length
 * before reading, and the result is compared with 1. */
207 if (ENIPExtractUint16(&cmd, input, &
offset, input_len) != 1)
/* len is taken from the packet.
 * NOTE(review): no comparison of len with input_len is visible in the
 * lines shown; confirm where it is validated before it is trusted. */
211 if (ENIPExtractUint16(&
len, input, &
offset, input_len) != 1)
215 if (ENIPExtractUint32(&session, input, &
offset, input_len) != 1)
219 if (ENIPExtractUint32(&status, input, &
offset, input_len) != 1)
223 if (ENIPExtractUint64(&context, input, &
offset, input_len) != 1)
227 if (ENIPExtractUint32(&option, input, &
offset, input_len) != 1)
/* Per-command debug traces; the dispatch itself is on lines not shown. */
257 SCLogDebug(
"DecodeENIP - UNREGISTER_SESSION");
261 "DecodeENIP - SEND_RR_DATA - parse Common Packet Format");
267 "DecodeENIP - SEND UNIT DATA - parse Common Packet Format");
278 SCLogDebug(
"DecodeENIP - UNSUPPORTED COMMAND 0x%x",
/* NOTE(review): excerpt of the routine whose log prefix is
 * "DecodeCommonPacketFormat"; its signature and the condition that leads
 * to the "Malformed ENIP packet" message are not shown. */
300 SCLogDebug(
"DecodeCommonPacketFormat: Malformed ENIP packet");
/* Fixed fields first: handle, timeout, item count. Each read is bounds
 * checked inside the ENIPExtract* helper and compared with 1 here. */
307 if (ENIPExtractUint32(&handle, input, &
offset, input_len) != 1)
311 if (ENIPExtractUint16(&timeout, input, &
offset, input_len) != 1)
315 if (ENIPExtractUint16(&count, input, &
offset, input_len) != 1)
323 uint16_t address_type;
324 uint16_t address_length;
325 uint32_t address_connectionid = 0;
326 uint32_t address_sequence = 0;
/* Address item: type and length come straight from the packet.
 * NOTE(review): no comparison of address_length with the remaining payload
 * is visible in the lines shown; confirm before relying on it. */
328 if (ENIPExtractUint16(&address_type, input, &
offset, input_len) != 1)
332 if (ENIPExtractUint16(&address_length, input, &
offset, input_len) != 1)
340 if (ENIPExtractUint32(&address_connectionid, input, &
offset, input_len) != 1)
346 if (ENIPExtractUint32(&address_connectionid, input, &
offset, input_len) != 1)
350 if (ENIPExtractUint32(&address_sequence, input, &
offset, input_len) != 1)
362 uint16_t data_length;
363 uint16_t data_sequence_count;
/* Data item: type and length are also packet-supplied.
 * NOTE(review): same caveat as address_length; a check of data_length
 * against input_len is not visible here. */
365 if (ENIPExtractUint16(&data_type, input, &
offset, input_len) != 1)
369 if (ENIPExtractUint16(&data_length, input, &
offset, input_len) != 1)
379 if (ENIPExtractUint16(&data_sequence_count, input, &
offset, input_len) != 1)
389 "DecodeCommonPacketFormat - CONNECTED DATA ITEM - parse CIP");
393 SCLogDebug(
"DecodeCommonPacketFormat - UNCONNECTED DATA ITEM");
397 SCLogDebug(
"DecodeCommonPacketFormat - UNKNOWN TYPE 0x%x",
/* NOTE(review): excerpt of the routine whose log prefix is "DecodeCIP".
 * Unlike the ENIPExtract* helpers in this file, this condition has no
 * input_len < sizeof(uint8_t) term. Assuming input_len is the same unsigned
 * uint32_t the helpers take, input_len == 0 makes the subtraction wrap to a
 * very large value, the comparison passes, and the dereference at 432 then
 * reads outside the payload. Confirm that a line not shown guarantees
 * input_len >= 1, or add the same guard the helpers use. */
425 if (
offset > (input_len -
sizeof(uint8_t)))
427 SCLogDebug(
"DecodeCIP: Parsing beyond payload length");
/* Direct one-byte read at input + offset; offset is not advanced here. */
432 service = *(input +
offset);
/* NOTE(review): excerpt of the routine whose log prefix is
 * "DecodeCIPRequest"; its signature and several branches are not shown. */
465 SCLogDebug(
"DecodeCIPRequest - Malformed CIP Data");
470 uint8_t path_size = 0;
/* service and path_size are read through the bounds-checked helper. */
472 if (ENIPExtractUint8(&service, input, &
offset, input_len) != 1)
476 if (ENIPExtractUint8(&path_size, input, &
offset, input_len) != 1)
483 SCLogDebug(
"DecodeCIPRequest - INVALID CIP SERVICE 0x%x", service);
490 SCLogDebug(
"DecodeCIPRequest: Maximum services reached");
498 SCLogDebug(
"DecodeCIPRequest: Unable to create CIP service");
503 node->
request.path_size = path_size;
/* Skips the request path: path_size units of two bytes each, so up to
 * 510 bytes chosen by the packet.
 * NOTE(review): no bounds check follows the advance in the lines shown.
 * Later reads that go through ENIPExtract* are still checked there, but
 * offset's declared type is not visible here; if it is uint16_t the
 * addition can wrap. Confirm. */
510 offset += path_size *
sizeof(uint16_t);
/* Per-service debug traces; the switch itself is on lines not shown. */
516 SCLogDebug(
"DecodeCIPRequest - CIP_RESERVED");
519 SCLogDebug(
"DecodeCIPRequest - CIP_GET_ATTR_ALL");
522 SCLogDebug(
"DecodeCIPRequest - CIP_GET_ATTR_LIST");
525 SCLogDebug(
"DecodeCIPRequest - CIP_SET_ATTR_LIST");
547 SCLogDebug(
"DecodeCIPRequest - CIP_APPLY_ATTR");
550 SCLogDebug(
"DecodeCIPRequest - CIP_KICK_TIMER");
553 SCLogDebug(
"DecodeCIPRequest - CIP_OPEN_CONNECTION");
556 SCLogDebug(
"DecodeCIPRequest - CIP_CHANGE_START");
559 SCLogDebug(
"DecodeCIPRequest - CIP_GET_STATUS");
562 SCLogDebug(
"DecodeCIPRequest - CIP SERVICE 0x%x", service);
/* NOTE(review): excerpt of the routine whose log prefix is
 * "DecodeCIPRequestPathPDU"; its signature and the segment dispatch are
 * not shown. */
583 if (node->
request.path_size < 1)
/* Loop budget comes from the packet-supplied path size, held in a signed
 * int so the > 0 test below ends the loop once it is used up. */
589 int bytes_remain = node->
request.path_size;
594 uint8_t req_path_instance8;
595 uint8_t req_path_attr8;
598 uint16_t req_path_class16;
599 uint16_t req_path_instance16;
605 while (bytes_remain > 0)
/* Every segment byte and operand is read through ENIPExtract*, so a path
 * size larger than the payload is caught by the helper's length check. */
608 if (ENIPExtractUint8(&segment, input, &
offset, input_len) != 1)
615 uint8_t req_path_class8 = 0;
616 if (ENIPExtractUint8(&req_path_class8, input, &
offset, input_len) != 1) {
619 class = (uint16_t) req_path_class8;
620 SCLogDebug(
"DecodeCIPRequestPathPDU: 8bit class 0x%x",
class);
625 seg->segment = segment;
633 if (ENIPExtractUint8(&req_path_instance8, input, &
offset, input_len) != 1)
641 if (ENIPExtractUint8(&req_path_attr8, input, &
offset, input_len) != 1)
651 seg->segment = segment;
/* 16-bit forms: one reserved byte, then the 16-bit value. */
658 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
662 if (ENIPExtractUint16(&req_path_class16, input, &
offset, input_len) != 1)
666 class = req_path_class16;
667 SCLogDebug(
"DecodeCIPRequestPath: 16bit class 0x%x",
class);
672 seg->segment = segment;
/* The subtraction is guarded so bytes_remain is reduced by 2 only when at
 * least 2 remain. */
675 if (bytes_remain >= 2)
677 bytes_remain = bytes_remain - 2;
684 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
688 if (ENIPExtractUint16(&req_path_instance16, input, &
offset, input_len) != 1)
693 if (bytes_remain >= 2)
695 bytes_remain = bytes_remain - 2;
703 "DecodeCIPRequestPath: UNKNOWN SEGMENT 0x%x service 0x%x",
712 uint16_t attr_list_count;
/* attr_list_count is packet-supplied (up to 65535). Each iteration reads
 * one 16-bit attribute through the bounds-checked helper.
 * NOTE(review): the failure branch is not shown; presumably it leaves the
 * loop, which would cap the loop at the payload length. Confirm. */
716 if (ENIPExtractUint16(&attr_list_count, input, &
offset, input_len) != 1)
720 SCLogDebug(
"DecodeCIPRequestPathPDU: attribute list count %d",
722 for (
int i = 0; i < attr_list_count; i++)
724 if (ENIPExtractUint16(&attribute, input, &
offset, input_len) != 1)
728 SCLogDebug(
"DecodeCIPRequestPathPDU: attribute %d", attribute);
/* NOTE(review): excerpt of the routine whose log prefix is
 * "DecodeCIPResponse"; its signature and several branches are not shown. */
757 SCLogDebug(
"DecodeCIPResponse - Malformed CIP Data");
/* service, a reserved byte and status are read through the bounds-checked
 * helpers. */
765 if (ENIPExtractUint8(&service, input, &
offset, input_len) != 1)
769 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
773 if (ENIPExtractUint16(&status, input, &
offset, input_len) != 1)
781 SCLogDebug(
"CIP service 0x%x status 0x%x", service, status);
/* NOTE(review): the next two messages carry the "DecodeCIPRequest" prefix
 * while the neighbouring ones use "DecodeCIPResponse"; this looks copied
 * from the request path and can mislead when reading debug logs. */
786 SCLogDebug(
"DecodeCIPRequest: Maximum services reached");
794 SCLogDebug(
"DecodeCIPRequest: Unable to create CIP service");
/* Per-service debug traces; the switch itself is on lines not shown. */
808 SCLogDebug(
"DecodeCIPResponse - CIP_RESERVED");
811 SCLogDebug(
"DecodeCIPResponse - CIP_GET_ATTR_ALL");
814 SCLogDebug(
"DecodeCIPResponse - CIP_GET_ATTR_LIST");
817 SCLogDebug(
"DecodeCIPResponse - CIP_SET_ATTR_LIST");
839 SCLogDebug(
"DecodeCIPResponse - CIP_APPLY_ATTR");
842 SCLogDebug(
"DecodeCIPResponse - CIP_KICK_TIMER");
845 SCLogDebug(
"DecodeCIPResponse - CIP_OPEN_CONNECTION");
848 SCLogDebug(
"DecodeCIPResponse - CIP_CHANGE_START");
851 SCLogDebug(
"DecodeCIPResponse - CIP_GET_STATUS");
854 SCLogDebug(
"DecodeCIPResponse - CIP SERVICE 0x%x", service);
/* NOTE(review): excerpt of the routine whose log prefix is
 * "DecodeCIPRequestMSPPDU"; its signature is not shown.
 * This check has no input_len < sizeof(uint16_t) term. Assuming input_len
 * is the unsigned uint32_t the ENIPExtract* helpers take, input_len < 2
 * makes the subtraction wrap and the check pass. Confirm that a line not
 * shown rules that out, or add the guard the helpers use. It also uses >=
 * where ENIPExtractUint16 uses >, so a field that ends exactly at the end
 * of the payload is rejected here. */
873 if (
offset >= (input_len -
sizeof(uint16_t)))
875 SCLogDebug(
"DecodeCIPRequestMSPPDU: Parsing beyond payload length");
/* Work on a copy so the caller-visible offset is not moved by the scan. */
879 uint16_t temp_offset =
offset;
880 uint16_t num_services;
/* Tail of a helper call reading from input + temp_offset; presumably it
 * fills num_services (the call's head is on a line not shown). */
882 (
const uint8_t *)(input + temp_offset)) == -1) {
886 temp_offset +=
sizeof(uint16_t);
/* num_services is packet-supplied; the per-iteration length check below
 * is what bounds the reads (same wrap caveat as the check at 873). */
889 for (
int svc = 1; svc < num_services + 1; svc++)
891 if (temp_offset >= (input_len -
sizeof(uint16_t)))
893 SCLogDebug(
"DecodeCIPRequestMSPPDU: Parsing beyond payload length");
899 (
const uint8_t *)(input + temp_offset)) == -1) {
902 temp_offset +=
sizeof(uint16_t);
/* NOTE(review): excerpt of the routine whose log prefix is
 * "DecodeCIPResponseMSPPDU"; its signature is not shown.
 * This check has no input_len < sizeof(uint16_t) term. Assuming input_len
 * is the unsigned uint32_t the ENIPExtract* helpers take, input_len < 2
 * makes the subtraction wrap and the check pass. Confirm that a line not
 * shown rules that out, or add the guard the helpers use. */
926 if (
offset >= (input_len -
sizeof(uint16_t)))
928 SCLogDebug(
"DecodeCIPResponseMSPPDU: Parsing beyond payload length");
/* Work on a copy so the caller-visible offset is not moved by the scan. */
932 uint16_t temp_offset =
offset;
933 uint16_t num_services;
/* Tail of a helper call reading from input + temp_offset; presumably it
 * fills num_services (the call's head is on a line not shown). */
935 (
const uint8_t *)(input + temp_offset)) == -1) {
938 temp_offset +=
sizeof(uint16_t);
/* num_services is packet-supplied; the per-iteration length check below
 * is what bounds the reads (same wrap caveat as the check at 926). */
941 for (
int svc = 0; svc < num_services; svc++) {
942 if (temp_offset >= (input_len -
sizeof(uint16_t)))
944 SCLogDebug(
"DecodeCIPResponseMSP: Parsing beyond payload length");
950 (
const uint8_t *)(input + temp_offset)) == -1) {
953 temp_offset +=
sizeof(uint16_t);