suricata
decode-ethernet.c
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Decode Ethernet
31  */
32 
33 #include "suricata-common.h"
34 #include "decode.h"
35 #include "decode-ethernet.h"
36 #include "decode-events.h"
37 
38 #include "util-validate.h"
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 
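/**
 * \brief Decode an Ethernet header and pass the payload to the network layer.
 *
 * The length check below is the only thing that makes the cast of \a pkt to
 * EthernetHdr and the later "len - ETHERNET_HEADER_LEN" safe: without it a
 * short frame would be read past its end and the unsigned subtraction would
 * wrap to a huge payload length.
 *
 * \param tv  thread vars, used to bump the per-thread ethernet counter
 * \param dtv decode thread vars holding counter_eth
 * \param p   packet being decoded; p->ethh is set to point into \a pkt
 * \param pkt start of the Ethernet frame, must not be NULL
 * \param len number of bytes readable at \a pkt
 *
 * \retval TM_ECODE_OK     header accepted, payload handed to DecodeNetworkLayer
 * \retval TM_ECODE_FAILED frame shorter than ETHERNET_HEADER_LEN, or
 *                         PacketIncreaseCheckLayers refused the packet
 */
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
                   const uint8_t *pkt, uint32_t len)
{
    /* Debug-validation assertion only; presumably compiled out of regular
     * builds, so callers must never pass NULL -- confirm in util-validate.h. */
    DEBUG_VALIDATE_BUG_ON(pkt == NULL);

    StatsIncr(tv, dtv->counter_eth);

    /* Reject truncated frames before any header field is touched. */
    if (unlikely(len < ETHERNET_HEADER_LEN)) {
        ENGINE_SET_INVALID_EVENT(p, ETHERNET_PKT_TOO_SMALL);
        return TM_ECODE_FAILED;
    }

    /* Presumably bounds the encapsulation depth per packet -- see decode.h. */
    if (!PacketIncreaseCheckLayers(p)) {
        return TM_ECODE_FAILED;
    }
    p->ethh = (EthernetHdr *)pkt;

    SCLogDebug("p %p pkt %p ether type %04x", p, pkt, SCNtohs(p->ethh->eth_type));

    /* len >= ETHERNET_HEADER_LEN is guaranteed above, so the subtraction
     * cannot wrap.
     * NOTE(review): the result of DecodeNetworkLayer is not checked here, so
     * this layer reports TM_ECODE_OK regardless of how the payload decodes. */
    DecodeNetworkLayer(tv, dtv, SCNtohs(p->ethh->eth_type), p,
            pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN);

    return TM_ECODE_OK;
}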
66 
67 #ifdef UNITTESTS
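/** DecodeEthernetTest01
 * \brief Valid Ethernet packet
 *
 * Smoke test: feeds a well-formed frame through DecodeEthernet and only
 * checks that decoding completes; no decoder state or event is asserted.
 *
 * \retval 1 on success
 * \retval 0 if the packet could not be allocated
 */
static int DecodeEthernetTest01 (void)
{
    /* ICMP packet wrapped in PPPOE */
    uint8_t raw_eth[] = {
        0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
        0x94, 0x56, 0x00, 0x01, 0x88, 0x64, 0x11, 0x00,
        0x00, 0x01, 0x00, 0x68, 0x00, 0x21, 0x45, 0xc0,
        0x00, 0x64, 0x00, 0x1e, 0x00, 0x00, 0xff, 0x01,
        0xa7, 0x78, 0x0a, 0x00, 0x00, 0x02, 0x0a, 0x00,
        0x00, 0x01, 0x08, 0x00, 0x4a, 0x61, 0x00, 0x06,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f,
        0x3b, 0xd4, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
        0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
        0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
        0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
        0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
        0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
        0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
        0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
        0xab, 0xcd };

    Packet *p = SCMalloc(SIZE_OF_PACKET);
    FAIL_IF_NULL(p);
    ThreadVars tv;
    DecodeThreadVars dtv;

    /* Zeroed state is enough here: the decoder only needs counters and the
     * packet's event storage to be in a defined state. */
    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&tv, 0, sizeof(ThreadVars));
    memset(p, 0, SIZE_OF_PACKET);

    DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));

    SCFree(p);
    PASS;
}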
108 
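/**
 * Test a DCE ethernet frame that is too small.
 *
 * The frame is exactly one Ethernet header with the ethertype bytes
 * 0x89, 0x03 and no payload, so the next decoder receives zero bytes and is
 * expected to raise DCE_PKT_TOO_SMALL instead of reading past the buffer.
 */
static int DecodeEthernetTestDceTooSmall(void)
{
    uint8_t raw_eth[] = {
        0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
        0x94, 0x56, 0x00, 0x01, 0x89, 0x03,
    };

    Packet *p = SCMalloc(SIZE_OF_PACKET);
    FAIL_IF_NULL(p);
    ThreadVars tv;
    DecodeThreadVars dtv;

    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&tv, 0, sizeof(ThreadVars));
    memset(p, 0, SIZE_OF_PACKET);

    DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));

    /* Read the event before freeing so a failing assertion does not leak p. */
    const int too_small_set = ENGINE_ISSET_EVENT(p, DCE_PKT_TOO_SMALL);
    SCFree(p);

    FAIL_IF_NOT(too_small_set);
    PASS;
}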
135 
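/**
 * Test a DCE ethernet frame that is followed by data too small to hold
 * an ethernet header.
 *
 * Regression test for a short inner frame: the 12 trailing bytes are fewer
 * than a full Ethernet header, and the decoder is expected to raise
 * DCE_PKT_TOO_SMALL rather than parse them as one.
 *
 * Redmine issue:
 * https://redmine.openinfosecfoundation.org/issues/2887
 */
static int DecodeEthernetTestDceNextTooSmall(void)
{
    uint8_t raw_eth[] = {
        /* outer Ethernet header, ethertype 0x8903 (was 0x88, 0x64) */
        0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
        0x94, 0x56, 0x00, 0x01, 0x89, 0x03,

        0x00, 0x00,

        /* truncated inner frame: two MAC addresses, no ethertype */
        0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
        0x94, 0x56, 0x00, 0x01,
    };

    Packet *p = SCMalloc(SIZE_OF_PACKET);
    FAIL_IF_NULL(p);
    ThreadVars tv;
    DecodeThreadVars dtv;

    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&tv, 0, sizeof(ThreadVars));
    memset(p, 0, SIZE_OF_PACKET);

    DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));

    /* Read the event before freeing so a failing assertion does not leak p. */
    const int too_small_set = ENGINE_ISSET_EVENT(p, DCE_PKT_TOO_SMALL);
    SCFree(p);

    FAIL_IF_NOT(too_small_set);
    PASS;
}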
171 
172 #endif /* UNITTESTS */
173 
174 
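/**
 * \brief Registers Ethernet unit tests
 *
 * Compiles to an empty function when UNITTESTS is not defined, so callers
 * can invoke it unconditionally.
 *
 * \todo More Ethernet tests
 */
void DecodeEthernetRegisterTests(void)
{
#ifdef UNITTESTS
    UtRegisterTest("DecodeEthernetTest01", DecodeEthernetTest01);
    UtRegisterTest("DecodeEthernetTestDceNextTooSmall",
            DecodeEthernetTestDceNextTooSmall);
    UtRegisterTest("DecodeEthernetTestDceTooSmall",
            DecodeEthernetTestDceTooSmall);
#endif /* UNITTESTS */
}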
189 /**
190  * @}
191  */