suricata
decode-raw.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author William Metcalf <william.metcalf@gmail.com>
29  *
30  * Decode RAW
31  */
32 
33 #include "suricata-common.h"
34 #include "decode.h"
35 #include "decode-raw.h"
36 #include "decode-events.h"
37 
38 #include "util-validate.h"
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 
42 #include "pkt-var.h"
43 #include "util-profiling.h"
44 #include "host.h"
45 
46 
47 int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
48  const uint8_t *pkt, uint32_t len)
49 {
50  DEBUG_VALIDATE_BUG_ON(pkt == NULL);
51 
52  StatsIncr(tv, dtv->counter_raw);
53 
54  /* If it is ipv4 or ipv6 it should at least be the size of ipv4 */
55  if (unlikely(len < IPV4_HEADER_LEN)) {
56  ENGINE_SET_INVALID_EVENT(p, IPV4_PKT_TOO_SMALL);
57  return TM_ECODE_FAILED;
58  }
59 
60 
61 
62  if (IP_GET_RAW_VER(pkt) == 4) {
63  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
64  return TM_ECODE_FAILED;
65  }
66  SCLogDebug("IPV4 Packet");
67  DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
68  } else if (IP_GET_RAW_VER(pkt) == 6) {
69  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
70  return TM_ECODE_FAILED;
71  }
72  SCLogDebug("IPV6 Packet");
73  DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
74  } else {
75  SCLogDebug("Unknown ip version %d", IP_GET_RAW_VER(pkt));
76  ENGINE_SET_EVENT(p,IPRAW_INVALID_IPV);
77  }
78  return TM_ECODE_OK;
79 }
80 
81 #ifdef UNITTESTS
82 #include "flow.h"
83 #include "flow-util.h"
84 
85 /** DecodeRawtest01
86  * \brief Valid Raw packet
87  * \retval 0 Expected test value
88  */
89 static int DecodeRawTest01 (void)
90 {
91 
92  /* IPV6/TCP/no eth header */
93  uint8_t raw_ip[] = {
94  0x60, 0x00, 0x00, 0x00, 0x00, 0x28, 0x06, 0x40,
95  0x20, 0x01, 0x06, 0x18, 0x04, 0x00, 0x00, 0x00,
96  0x00, 0x00, 0x00, 0x00, 0x51, 0x99, 0xcc, 0x70,
97  0x20, 0x01, 0x06, 0x18, 0x00, 0x01, 0x80, 0x00,
98  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
99  0x8c, 0x9b, 0x00, 0x50, 0x6a, 0xe7, 0x07, 0x36,
100  0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0x30,
101  0x29, 0x9c, 0x00, 0x00, 0x02, 0x04, 0x05, 0x8c,
102  0x04, 0x02, 0x08, 0x0a, 0x00, 0xdd, 0x1a, 0x39,
103  0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02 };
104  Packet *p = PacketGetFromAlloc();
105  if (unlikely(p == NULL))
106  return 0;
107  ThreadVars tv;
108  DecodeThreadVars dtv;
109 
110  memset(&dtv, 0, sizeof(DecodeThreadVars));
111  memset(&tv, 0, sizeof(ThreadVars));
112 
113  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
114  SCFree(p);
115  return 0;
116  }
117 
118  FlowInitConfig(FLOW_QUIET);
119 
120  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
121  if (p->ip6h == NULL) {
122  printf("expected a valid ipv6 header but it was NULL: ");
123  FlowShutdown();
124  SCFree(p);
125  return 0;
126  }
127 
128  PACKET_RECYCLE(p);
129  FlowShutdown();
130  SCFree(p);
131  return 1;
132 
133 }
134 /** DecodeRawtest02
135  * \brief Valid Raw packet
136  * \retval 0 Expected test value
137  */
138 static int DecodeRawTest02 (void)
139 {
140 
141  /* IPV4/TCP/no eth header */
142  uint8_t raw_ip[] = {
143  0x45, 0x00, 0x00, 0x30, 0x00, 0xad, 0x40, 0x00,
144  0x7f, 0x06, 0xac, 0xc5, 0xc0, 0xa8, 0x67, 0x02,
145  0xc0, 0xa8, 0x66, 0x02, 0x0b, 0xc7, 0x00, 0x50,
146  0x1d, 0xb3, 0x12, 0x37, 0x00, 0x00, 0x00, 0x00,
147  0x70, 0x02, 0x40, 0x00, 0xb8, 0xc8, 0x00, 0x00,
148  0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02 };
149 
150  Packet *p = PacketGetFromAlloc();
151  if (unlikely(p == NULL))
152  return 0;
153  ThreadVars tv;
154  DecodeThreadVars dtv;
155 
156  memset(&dtv, 0, sizeof(DecodeThreadVars));
157  memset(&tv, 0, sizeof(ThreadVars));
158 
159  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
160  SCFree(p);
161  return 0;
162  }
163 
164  FlowInitConfig(FLOW_QUIET);
165 
166  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
167  if (p->ip4h == NULL) {
168  printf("expected a valid ipv4 header but it was NULL: ");
169  PACKET_RECYCLE(p);
170  FlowShutdown();
171  SCFree(p);
172  return 0;
173  }
174 
175  PACKET_RECYCLE(p);
176  FlowShutdown();
177  SCFree(p);
178  return 1;
179 }
180 /** DecodeRawtest03
181  * \brief Valid Raw packet
182  * \retval 0 Expected test value
183  */
184 static int DecodeRawTest03 (void)
185 {
186 
187  /* IPV13 */
188  uint8_t raw_ip[] = {
189  0xdf, 0x00, 0x00, 0x3d, 0x49, 0x42, 0x40, 0x00,
190  0x40, 0x06, 0xcf, 0x8a, 0x0a, 0x1f, 0x03, 0xaf,
191  0x0a, 0x1f, 0x0a, 0x02, 0xa5, 0xe7, 0xde, 0xad,
192  0x00, 0x0c, 0xe2, 0x0e, 0x8b, 0xfe, 0x0c, 0xe7,
193  0x80, 0x18, 0x00, 0xb7, 0xaf, 0xeb, 0x00, 0x00,
194  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xab, 0x4f,
195  0x34, 0x40, 0x67, 0x31, 0x3b, 0x63, 0x61, 0x74,
196  0x20, 0x6b, 0x65, 0x79, 0x3b };
197 
198  Packet *p = PacketGetFromAlloc();
199  if (unlikely(p == NULL))
200  return 0;
201  ThreadVars tv;
202  DecodeThreadVars dtv;
203 
204  memset(&dtv, 0, sizeof(DecodeThreadVars));
205  memset(&tv, 0, sizeof(ThreadVars));
206 
207  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
208  SCFree(p);
209  return 0;
210  }
211 
212  FlowInitConfig(FLOW_QUIET);
213 
214  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
215  if (!ENGINE_ISSET_EVENT(p,IPRAW_INVALID_IPV)) {
216  printf("expected IPRAW_INVALID_IPV to be set but it wasn't: ");
217  FlowShutdown();
218  SCFree(p);
219  return 0;
220  }
221  PACKET_RECYCLE(p);
222  FlowShutdown();
223  SCFree(p);
224  return 1;
225 }
226 
227 #endif /* UNITTESTS */
228 
229 /**
230  * \brief Registers Raw unit tests
231  * \todo More Raw tests
232  */
233 void DecodeRawRegisterTests(void)
234 {
235 #ifdef UNITTESTS
236  UtRegisterTest("DecodeRawTest01", DecodeRawTest01);
237  UtRegisterTest("DecodeRawTest02", DecodeRawTest02);
238  UtRegisterTest("DecodeRawTest03", DecodeRawTest03);
239 #endif /* UNITTESTS */
240 }
241 /**
242  * @}
243  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:1036
host.h
decode-raw.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
flow-util.h
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:273
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition: decode.h:1051
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DecodeThreadVars_::counter_raw
uint16_t counter_raw
Definition: decode.h:662
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:257
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
util-unittest.h
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:523
decode.h
util-debug.h
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:233
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
IPV4_PKT_TOO_SMALL
@ IPV4_PKT_TOO_SMALL
Definition: decode-events.h:31
util-profiling.h
IPRAW_INVALID_IPV
@ IPRAW_INVALID_IPV
Definition: decode-events.h:155
Packet_
Definition: decode.h:414
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:570
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:232
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:509
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
suricata-common.h
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:651
IPV4_HEADER_LEN
#define IPV4_HEADER_LEN
Definition: decode-ipv4.h:28
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:151
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:638
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:1044
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:42
DecodeRaw
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-raw.c:47
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:511
flow.h
DecodeIPV4
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv4.c:517
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
PACKET_RECYCLE
#define PACKET_RECYCLE(p)
Definition: decode.h:842
DecodeRawRegisterTests
void DecodeRawRegisterTests(void)
Registers Raw unit tests.
Definition: decode-raw.c:233