suricata
decode-arp.c
/* Copyright (C) 2024 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
17 
/**
 *
 * \author Giuseppe Longo <giuseppe@glongo.it>
 *
 */
23 
24 #include "suricata-common.h"
25 #include "decode.h"
26 #include "decode-arp.h"
27 #include "decode-events.h"
28 
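/**
 * \brief Decode and validate an ARP header.
 *
 * The rendered listing dropped every line that carried a StatsIncr or
 * ENGINE_SET_INVALID_EVENT call (listing lines 31, 33-34, 47, 53, 59, 65,
 * 71 and 83), which also removed the opening of the first length check and
 * left the braces unbalanced. Those lines are restored here from the
 * identifiers the page's cross-reference index lists for this file.
 *
 * Each rejection records a decoder event on the packet before returning, so
 * a malformed or unsupported ARP frame can be told apart by its event.
 *
 * \param tv  thread variables, passed to StatsIncr
 * \param dtv decode thread variables; supplies the counter_arp counter id
 * \param p   packet being decoded
 * \param pkt pointer to the first byte of the ARP header
 * \param len number of bytes available at pkt
 *
 * \retval TM_ECODE_OK     header accepted
 * \retval TM_ECODE_FAILED too short, layer check failed, or a field was
 *                         unsupported or invalid
 */
int DecodeARP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
{
    /* Counted before any validation, so rejected packets are included. */
    StatsIncr(tv, dtv->counter_arp);

    /* Must run before pkt is interpreted as an ARPHdr below. */
    if (unlikely(len < ARP_HEADER_MIN_LEN)) {
        ENGINE_SET_INVALID_EVENT(p, ARP_PKT_TOO_SMALL);
        return TM_ECODE_FAILED;
    }

    if (!PacketIncreaseCheckLayers(p)) {
        return TM_ECODE_FAILED;
    }

    /* presumably records pkt as the packet's L3 (ARP) header; every later
     * failure path calls PacketClearL3() to undo it -- confirm in decode.h */
    const ARPHdr *arph = PacketSetARP(p, pkt);
    if (unlikely(arph == NULL)) {
        return TM_ECODE_FAILED;
    }

    /* NOTE(review): hw_type and proto_type are read while only
     * ARP_HEADER_MIN_LEN bytes are known to be present (the ARP_HEADER_LEN
     * check comes later). This is in bounds only if ARP_HEADER_MIN_LEN
     * covers both fields -- confirm against decode-arp.h. */
    if (SCNtohs(arph->hw_type) != ARP_HW_TYPE_ETHERNET) {
        ENGINE_SET_INVALID_EVENT(p, ARP_UNSUPPORTED_HARDWARE);
        PacketClearL3(p);
        return TM_ECODE_FAILED;
    }

    if (SCNtohs(arph->proto_type) != ETHERNET_TYPE_IP) {
        ENGINE_SET_INVALID_EVENT(p, ARP_UNSUPPORTED_PROTOCOL);
        PacketClearL3(p);
        return TM_ECODE_FAILED;
    }

    /* Only Ethernet/IP ARP gets this far, so the full header length is
     * required from here on. */
    if (unlikely(len < ARP_HEADER_LEN)) {
        ENGINE_SET_INVALID_EVENT(p, ARP_INVALID_PKT);
        PacketClearL3(p);
        return TM_ECODE_FAILED;
    }

    if (arph->hw_size != ARP_HW_SIZE) {
        ENGINE_SET_INVALID_EVENT(p, ARP_INVALID_HARDWARE_SIZE);
        PacketClearL3(p);
        return TM_ECODE_FAILED;
    }

    if (arph->proto_size != ARP_PROTO_SIZE) {
        ENGINE_SET_INVALID_EVENT(p, ARP_INVALID_PROTOCOL_SIZE);
        PacketClearL3(p);
        return TM_ECODE_FAILED;
    }

    /* Accepted opcodes: 1 = ARP request, 2 = ARP reply,
     * 3 = RARP request, 4 = RARP reply. */
    switch (SCNtohs(arph->opcode)) {
        case 1:
        case 2:
        case 3:
        case 4:
            break;
        default:
            ENGINE_SET_INVALID_EVENT(p, ARP_UNSUPPORTED_OPCODE);
            PacketClearL3(p);
            return TM_ECODE_FAILED;
    }

    return TM_ECODE_OK;
}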
len
uint8_t len
Definition: app-layer-dnp3.h:2
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ARP_HW_SIZE
#define ARP_HW_SIZE
Definition: decode-arp.h:30
ARP_HW_TYPE_ETHERNET
#define ARP_HW_TYPE_ETHERNET
Definition: decode-arp.h:28
ARP_PKT_TOO_SMALL
@ ARP_PKT_TOO_SMALL
Definition: decode-events.h:301
DecodeARP
int DecodeARP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-arp.c:29
DecodeThreadVars_::counter_arp
uint16_t counter_arp
Definition: decode.h:963
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:83
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
ARP_INVALID_PROTOCOL_SIZE
@ ARP_INVALID_PROTOCOL_SIZE
Definition: decode-events.h:306
ARP_PROTO_SIZE
#define ARP_PROTO_SIZE
Definition: decode-arp.h:31
decode.h
ARP_INVALID_PKT
@ ARP_INVALID_PKT
Definition: decode-events.h:304
ARP_UNSUPPORTED_HARDWARE
@ ARP_UNSUPPORTED_HARDWARE
Definition: decode-events.h:302
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
ARP_HEADER_MIN_LEN
#define ARP_HEADER_MIN_LEN
Definition: decode-arp.h:26
Packet_
Definition: decode.h:479
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
ARP_UNSUPPORTED_PROTOCOL
@ ARP_UNSUPPORTED_PROTOCOL
Definition: decode-events.h:303
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:414
suricata-common.h
decode-arp.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
ARP_INVALID_HARDWARE_SIZE
@ ARP_INVALID_HARDWARE_SIZE
Definition: decode-events.h:305
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:938
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:1163
ARP_UNSUPPORTED_OPCODE
@ ARP_UNSUPPORTED_OPCODE
Definition: decode-events.h:307
ARP_HEADER_LEN
#define ARP_HEADER_LEN
Definition: decode-arp.h:27
ETHERNET_TYPE_IP
#define ETHERNET_TYPE_IP
Definition: decode-ethernet.h:34