/*
 * Bounds-checks a one-byte field at *offset and advances *offset past it.
 * Only part of the function appears in this listing; the store into *res is
 * presumably on the omitted lines. The callers shown further down treat a
 * return value of 1 as success.
 */
44 static int ENIPExtractUint8(uint8_t *res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/*
 * The input_len < sizeof(...) test runs first, so the unsigned subtraction on
 * the right is never evaluated for a payload shorter than the field and
 * cannot wrap around.
 */
47 if (input_len <
sizeof(uint8_t) || *
offset > (input_len -
sizeof(uint8_t)))
49 SCLogDebug(
"ENIPExtractUint8: Parsing beyond payload length");
/* Step the caller's cursor past the byte that was consumed. */
54 *
offset +=
sizeof(uint8_t);
/*
 * Bounds-checks a 16-bit field at *offset, extracts it from input + *offset
 * and advances *offset by two bytes. Only part of the function appears in
 * this listing; callers shown further down treat a return value of 1 as
 * success.
 */
64 static int ENIPExtractUint16(uint16_t *res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/*
 * Short-circuit order matters: the length test keeps input_len - sizeof(...)
 * from wrapping when fewer than two bytes of payload exist.
 */
67 if (input_len <
sizeof(uint16_t) || *
offset > (input_len -
sizeof(uint16_t))) {
68 SCLogDebug(
"ENIPExtractUint16: Parsing beyond payload length");
/* The extraction call (its name is on an omitted line) signals failure with -1. */
73 (
const uint8_t *)(input + *
offset)) == -1) {
/* Cursor moves only after the check and the extraction above. */
77 *
offset +=
sizeof(uint16_t);
/*
 * Bounds-checks a 32-bit field at *offset, extracts it from input + *offset
 * and advances *offset by four bytes. Only part of the function appears in
 * this listing; callers shown further down treat a return value of 1 as
 * success.
 */
87 static int ENIPExtractUint32(uint32_t *res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/*
 * The length test comes first so that input_len - sizeof(...) is only
 * computed when at least four bytes of payload exist (no unsigned wrap).
 */
90 if (input_len <
sizeof(uint32_t) || *
offset > (input_len -
sizeof(uint32_t)))
92 SCLogDebug(
"ENIPExtractUint32: Parsing beyond payload length");
/* The extraction call (its name is on an omitted line) signals failure with -1. */
97 (
const uint8_t *)(input + *
offset)) == -1) {
/* Cursor moves only after the check and the extraction above. */
101 *
offset +=
sizeof(uint32_t);
/*
 * Bounds-checks a 64-bit field at *offset, extracts it from input + *offset
 * and advances *offset by eight bytes. Only part of the function appears in
 * this listing; callers shown further down treat a return value of 1 as
 * success.
 */
111 static int ENIPExtractUint64(uint64_t *res,
const uint8_t *input, uint16_t *
offset, uint32_t input_len)
/*
 * The length test comes first so that input_len - sizeof(...) is only
 * computed when at least eight bytes of payload exist (no unsigned wrap).
 */
114 if (input_len <
sizeof(uint64_t) || *
offset > (input_len -
sizeof(uint64_t)))
116 SCLogDebug(
"ENIPExtractUint64: Parsing beyond payload length");
/* The extraction call (its name is on an omitted line) signals failure with -1. */
121 (
const uint8_t *)(input + *
offset)) == -1) {
/* Cursor moves only after the check and the extraction above. */
125 *
offset +=
sizeof(uint64_t);
157 static void CIPServiceFree(
void *s)
205 if (ENIPExtractUint16(&cmd, input, &
offset, input_len) != 1)
209 if (ENIPExtractUint16(&
len, input, &
offset, input_len) != 1)
213 if (ENIPExtractUint32(&session, input, &
offset, input_len) != 1)
217 if (ENIPExtractUint32(&status, input, &
offset, input_len) != 1)
221 if (ENIPExtractUint64(&context, input, &
offset, input_len) != 1)
225 if (ENIPExtractUint32(&option, input, &
offset, input_len) != 1)
255 SCLogDebug(
"DecodeENIP - UNREGISTER_SESSION");
259 "DecodeENIP - SEND_RR_DATA - parse Common Packet Format");
265 "DecodeENIP - SEND UNIT DATA - parse Common Packet Format");
276 SCLogDebug(
"DecodeENIP - UNSUPPORTED COMMAND 0x%x",
298 SCLogDebug(
"DecodeCommonPacketFormat: Malformed ENIP packet");
305 if (ENIPExtractUint32(&handle, input, &
offset, input_len) != 1)
309 if (ENIPExtractUint16(&timeout, input, &
offset, input_len) != 1)
313 if (ENIPExtractUint16(&count, input, &
offset, input_len) != 1)
321 uint16_t address_type;
322 uint16_t address_length;
323 uint32_t address_connectionid = 0;
324 uint32_t address_sequence = 0;
326 if (ENIPExtractUint16(&address_type, input, &
offset, input_len) != 1)
330 if (ENIPExtractUint16(&address_length, input, &
offset, input_len) != 1)
338 if (ENIPExtractUint32(&address_connectionid, input, &
offset, input_len) != 1)
344 if (ENIPExtractUint32(&address_connectionid, input, &
offset, input_len) != 1)
348 if (ENIPExtractUint32(&address_sequence, input, &
offset, input_len) != 1)
360 uint16_t data_length;
361 uint16_t data_sequence_count;
363 if (ENIPExtractUint16(&data_type, input, &
offset, input_len) != 1)
367 if (ENIPExtractUint16(&data_length, input, &
offset, input_len) != 1)
377 if (ENIPExtractUint16(&data_sequence_count, input, &
offset, input_len) != 1)
387 "DecodeCommonPacketFormat - CONNECTED DATA ITEM - parse CIP");
391 SCLogDebug(
"DecodeCommonPacketFormat - UNCONNECTED DATA ITEM");
395 SCLogDebug(
"DecodeCommonPacketFormat - UNKNOWN TYPE 0x%x",
/*
 * NOTE(review): unlike the ENIPExtract* helpers, this check has no
 * input_len < sizeof(uint8_t) guard. sizeof yields size_t, so
 * input_len - sizeof(uint8_t) is an unsigned subtraction: with input_len == 0
 * it wraps to a very large value, the comparison is false, and the direct
 * read of input[offset] below is reached. The preceding lines are not shown
 * in this listing; confirm that an earlier check rules out an empty payload,
 * or add the length guard here.
 */
423 if (
offset > (input_len -
sizeof(uint8_t)))
425 SCLogDebug(
"DecodeCIP: Parsing beyond payload length");
/* Direct one-byte read from the payload; safe only if the check above held. */
430 service = *(input +
offset);
463 SCLogDebug(
"DecodeCIPRequest - Malformed CIP Data");
468 uint8_t path_size = 0;
470 if (ENIPExtractUint8(&service, input, &
offset, input_len) != 1)
474 if (ENIPExtractUint8(&path_size, input, &
offset, input_len) != 1)
481 SCLogDebug(
"DecodeCIPRequest - INVALID CIP SERVICE 0x%x", service);
488 SCLogDebug(
"DecodeCIPRequest: Maximum services reached");
496 SCLogDebug(
"DecodeCIPRequest: Unable to create CIP service");
/* path_size is the uint8_t read from the payload a few lines earlier. */
501 node->
request.path_size = path_size;
/*
 * Skips the request path: path_size counts 16-bit words, so the cursor moves
 * by path_size * 2 bytes. No bounds check is visible on this line.
 * NOTE(review): offset is presumably the uint16_t that is passed by address
 * to the ENIPExtract* helpers; if so this addition can wrap for offsets near
 * 65535, and a wrapped offset would still pass later bounds checks while
 * parsing continues at the wrong position. Confirm that the omitted lines
 * validate offset against input_len after this step.
 */
508 offset += path_size *
sizeof(uint16_t);
514 SCLogDebug(
"DecodeCIPRequest - CIP_RESERVED");
517 SCLogDebug(
"DecodeCIPRequest - CIP_GET_ATTR_ALL");
520 SCLogDebug(
"DecodeCIPRequest - CIP_GET_ATTR_LIST");
523 SCLogDebug(
"DecodeCIPRequest - CIP_SET_ATTR_LIST");
545 SCLogDebug(
"DecodeCIPRequest - CIP_APPLY_ATTR");
548 SCLogDebug(
"DecodeCIPRequest - CIP_KICK_TIMER");
551 SCLogDebug(
"DecodeCIPRequest - CIP_OPEN_CONNECTION");
554 SCLogDebug(
"DecodeCIPRequest - CIP_CHANGE_START");
557 SCLogDebug(
"DecodeCIPRequest - CIP_GET_STATUS");
560 SCLogDebug(
"DecodeCIPRequest - CIP SERVICE 0x%x", service);
581 if (node->
request.path_size < 1)
587 int bytes_remain = node->
request.path_size;
592 uint8_t req_path_instance8;
593 uint8_t req_path_attr8;
596 uint16_t req_path_class16;
597 uint16_t req_path_instance16;
603 while (bytes_remain > 0)
606 if (ENIPExtractUint8(&segment, input, &
offset, input_len) != 1)
613 uint8_t req_path_class8 = 0;
614 if (ENIPExtractUint8(&req_path_class8, input, &
offset, input_len) != 1) {
617 class = (uint16_t) req_path_class8;
618 SCLogDebug(
"DecodeCIPRequestPathPDU: 8bit class 0x%x",
class);
623 seg->segment = segment;
631 if (ENIPExtractUint8(&req_path_instance8, input, &
offset, input_len) != 1)
639 if (ENIPExtractUint8(&req_path_attr8, input, &
offset, input_len) != 1)
649 seg->segment = segment;
656 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
660 if (ENIPExtractUint16(&req_path_class16, input, &
offset, input_len) != 1)
664 class = req_path_class16;
665 SCLogDebug(
"DecodeCIPRequestPath: 16bit class 0x%x",
class);
670 seg->segment = segment;
673 if (bytes_remain >= 2)
675 bytes_remain = bytes_remain - 2;
682 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
686 if (ENIPExtractUint16(&req_path_instance16, input, &
offset, input_len) != 1)
691 if (bytes_remain >= 2)
693 bytes_remain = bytes_remain - 2;
701 "DecodeCIPRequestPath: UNKNOWN SEGMENT 0x%x service 0x%x",
710 uint16_t attr_list_count;
714 if (ENIPExtractUint16(&attr_list_count, input, &
offset, input_len) != 1)
718 SCLogDebug(
"DecodeCIPRequestPathPDU: attribute list count %d",
720 for (
int i = 0; i < attr_list_count; i++)
722 if (ENIPExtractUint16(&attribute, input, &
offset, input_len) != 1)
726 SCLogDebug(
"DecodeCIPRequestPathPDU: attribute %d", attribute);
755 SCLogDebug(
"DecodeCIPResponse - Malformed CIP Data");
763 if (ENIPExtractUint8(&service, input, &
offset, input_len) != 1)
767 if (ENIPExtractUint8(&reserved, input, &
offset, input_len) != 1)
771 if (ENIPExtractUint16(&status, input, &
offset, input_len) != 1)
779 SCLogDebug(
"CIP service 0x%x status 0x%x", service, status);
/*
 * NOTE(review): these two messages name DecodeCIPRequest, while the debug
 * messages before and after them in this listing are DecodeCIPResponse ones.
 * If they sit in the response decoder this looks like a copy-paste slip that
 * would point anyone reading debug logs at the wrong code path - confirm.
 */
784 SCLogDebug(
"DecodeCIPRequest: Maximum services reached");
792 SCLogDebug(
"DecodeCIPRequest: Unable to create CIP service");
806 SCLogDebug(
"DecodeCIPResponse - CIP_RESERVED");
809 SCLogDebug(
"DecodeCIPResponse - CIP_GET_ATTR_ALL");
812 SCLogDebug(
"DecodeCIPResponse - CIP_GET_ATTR_LIST");
815 SCLogDebug(
"DecodeCIPResponse - CIP_SET_ATTR_LIST");
837 SCLogDebug(
"DecodeCIPResponse - CIP_APPLY_ATTR");
840 SCLogDebug(
"DecodeCIPResponse - CIP_KICK_TIMER");
843 SCLogDebug(
"DecodeCIPResponse - CIP_OPEN_CONNECTION");
846 SCLogDebug(
"DecodeCIPResponse - CIP_CHANGE_START");
849 SCLogDebug(
"DecodeCIPResponse - CIP_GET_STATUS");
852 SCLogDebug(
"DecodeCIPResponse - CIP SERVICE 0x%x", service);
/*
 * NOTE(review): there is no input_len < sizeof(uint16_t) guard in front of
 * this comparison. The subtraction is unsigned (sizeof yields size_t), so for
 * input_len of 0 or 1 it wraps to a very large value and the check passes
 * instead of failing. The preceding lines are not shown; confirm that a
 * minimum length is enforced earlier. The same form is repeated inside the
 * loop below and in the DecodeCIPResponseMSPPDU lines of this listing.
 * The >= also rejects a 16-bit field that ends exactly at the payload end,
 * which is stricter than the > used in ENIPExtractUint16.
 */
871 if (
offset >= (input_len -
sizeof(uint16_t)))
873 SCLogDebug(
"DecodeCIPRequestMSPPDU: Parsing beyond payload length");
/*
 * Work on a copy of the cursor. NOTE(review): temp_offset is 16 bits wide
 * while input_len is compared as a wider value, so on a payload larger than
 * 64 KiB the += below could wrap - confirm the maximum input_len.
 */
877 uint16_t temp_offset =
offset;
878 uint16_t num_services;
/* The extraction call (its name is on an omitted line) signals failure with -1. */
880 (
const uint8_t *)(input + temp_offset)) == -1) {
884 temp_offset +=
sizeof(uint16_t);
/*
 * Runs num_services times (svc counts from 1); num_services is presumably
 * the value extracted just above, i.e. taken from the payload. Every
 * iteration re-checks temp_offset before extracting the next 16-bit entry.
 */
887 for (
int svc = 1; svc < num_services + 1; svc++)
889 if (temp_offset >= (input_len -
sizeof(uint16_t)))
891 SCLogDebug(
"DecodeCIPRequestMSPPDU: Parsing beyond payload length");
897 (
const uint8_t *)(input + temp_offset)) == -1) {
900 temp_offset +=
sizeof(uint16_t);
924 if (
offset >= (input_len -
sizeof(uint16_t)))
926 SCLogDebug(
"DecodeCIPResponseMSPPDU: Parsing beyond payload length");
930 uint16_t temp_offset =
offset;
931 uint16_t num_services;
933 (
const uint8_t *)(input + temp_offset)) == -1) {
936 temp_offset +=
sizeof(uint16_t);
939 for (
int svc = 0; svc < num_services; svc++) {
940 if (temp_offset >= (input_len -
sizeof(uint16_t)))
942 SCLogDebug(
"DecodeCIPResponseMSP: Parsing beyond payload length");
948 (
const uint8_t *)(input + temp_offset)) == -1) {
951 temp_offset +=
sizeof(uint16_t);