suricata
decode-raw.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author William Metcalf <william.metcalf@gmail.com>
29  *
30  * Decode RAW
31  */
32 
33 #include "suricata-common.h"
34 #include "decode-raw.h"
35 #include "decode.h"
36 #include "decode-events.h"
37 
38 #include "util-validate.h"
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 
42 int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
43  const uint8_t *pkt, uint32_t len)
44 {
45  DEBUG_VALIDATE_BUG_ON(pkt == NULL);
46 
47  StatsIncr(tv, dtv->counter_raw);
48 
49  /* If it is ipv4 or ipv6 it should at least be the size of ipv4 */
50  if (unlikely(len < IPV4_HEADER_LEN)) {
51  ENGINE_SET_INVALID_EVENT(p, IPV4_PKT_TOO_SMALL);
52  return TM_ECODE_FAILED;
53  }
54 
55 
56 
57  if (IP_GET_RAW_VER(pkt) == 4) {
58  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
59  return TM_ECODE_FAILED;
60  }
61  SCLogDebug("IPV4 Packet");
62  DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p), (uint16_t)(GET_PKT_LEN(p)));
63  } else if (IP_GET_RAW_VER(pkt) == 6) {
64  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
65  return TM_ECODE_FAILED;
66  }
67  SCLogDebug("IPV6 Packet");
68  DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p), (uint16_t)(GET_PKT_LEN(p)));
69  } else {
70  SCLogDebug("Unknown ip version %d", IP_GET_RAW_VER(pkt));
71  ENGINE_SET_EVENT(p,IPRAW_INVALID_IPV);
72  }
73  return TM_ECODE_OK;
74 }
75 
76 #ifdef UNITTESTS
77 #include "util-unittest-helper.h"
78 #include "packet.h"
79 
80 /** DecodeRawtest01
81  * \brief Valid Raw packet
82  * \retval 0 Expected test value
83  */
84 static int DecodeRawTest01 (void)
85 {
86  /* IPV6/TCP/no eth header */
87  uint8_t raw_ip[] = {
88  0x60, 0x00, 0x00, 0x00, 0x00, 0x28, 0x06, 0x40,
89  0x20, 0x01, 0x06, 0x18, 0x04, 0x00, 0x00, 0x00,
90  0x00, 0x00, 0x00, 0x00, 0x51, 0x99, 0xcc, 0x70,
91  0x20, 0x01, 0x06, 0x18, 0x00, 0x01, 0x80, 0x00,
92  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
93  0x8c, 0x9b, 0x00, 0x50, 0x6a, 0xe7, 0x07, 0x36,
94  0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0x30,
95  0x29, 0x9c, 0x00, 0x00, 0x02, 0x04, 0x05, 0x8c,
96  0x04, 0x02, 0x08, 0x0a, 0x00, 0xdd, 0x1a, 0x39,
97  0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02 };
98  Packet *p = PacketGetFromAlloc();
99  FAIL_IF_NULL(p);
100  ThreadVars tv;
101  DecodeThreadVars dtv;
102 
103  memset(&dtv, 0, sizeof(DecodeThreadVars));
104  memset(&tv, 0, sizeof(ThreadVars));
105 
106  FAIL_IF(PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1);
107 
108  FlowInitConfig(FLOW_QUIET);
109 
110  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
111  FAIL_IF_NOT(PacketIsIPv6(p));
112 
113  PacketFree(p);
114  FlowShutdown();
115  PASS;
116 }
117 
118 /** DecodeRawtest02
119  * \brief Valid Raw packet
120  * \retval 0 Expected test value
121  */
122 static int DecodeRawTest02 (void)
123 {
124  /* IPV4/TCP/no eth header */
125  uint8_t raw_ip[] = {
126  0x45, 0x00, 0x00, 0x30, 0x00, 0xad, 0x40, 0x00,
127  0x7f, 0x06, 0xac, 0xc5, 0xc0, 0xa8, 0x67, 0x02,
128  0xc0, 0xa8, 0x66, 0x02, 0x0b, 0xc7, 0x00, 0x50,
129  0x1d, 0xb3, 0x12, 0x37, 0x00, 0x00, 0x00, 0x00,
130  0x70, 0x02, 0x40, 0x00, 0xb8, 0xc8, 0x00, 0x00,
131  0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02 };
132 
133  Packet *p = PacketGetFromAlloc();
134  FAIL_IF_NULL(p);
135  ThreadVars tv;
136  DecodeThreadVars dtv;
137 
138  memset(&dtv, 0, sizeof(DecodeThreadVars));
139  memset(&tv, 0, sizeof(ThreadVars));
140 
141  FAIL_IF(PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1);
142 
143  FlowInitConfig(FLOW_QUIET);
144 
145  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
146  FAIL_IF_NOT(PacketIsIPv4(p));
147 
148  PacketFree(p);
149  FlowShutdown();
150  PASS;
151 }
152 
153 /** DecodeRawtest03
154  * \brief Valid Raw packet
155  * \retval 0 Expected test value
156  */
157 static int DecodeRawTest03 (void)
158 {
159  /* IPV13 */
160  uint8_t raw_ip[] = { 0xdf, 0x00, 0x00, 0x3d, 0x49, 0x42, 0x40, 0x00, 0x40, 0x06, 0xcf, 0x8a,
161  0x0a, 0x1f, 0x03, 0xaf, 0x0a, 0x1f, 0x0a, 0x02, 0xa5, 0xe7, 0xde, 0xad, 0x00, 0x0c, 0xe2,
162  0x0e, 0x8b, 0xfe, 0x0c, 0xe7, 0x80, 0x18, 0x00, 0xb7, 0xaf, 0xeb, 0x00, 0x00, 0x01, 0x01,
163  0x08, 0x0a, 0x00, 0x08, 0xab, 0x4f, 0x34, 0x40, 0x67, 0x31, 0x3b, 0x63, 0x61, 0x74, 0x20,
164  0x6b, 0x65, 0x79, 0x3b };
165  Packet *p = PacketGetFromAlloc();
166  FAIL_IF_NULL(p);
167  ThreadVars tv;
168  DecodeThreadVars dtv;
169 
170  memset(&dtv, 0, sizeof(DecodeThreadVars));
171  memset(&tv, 0, sizeof(ThreadVars));
172 
173  FAIL_IF(PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1);
174 
175  FlowInitConfig(FLOW_QUIET);
176 
177  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
178  FAIL_IF(!ENGINE_ISSET_EVENT(p, IPRAW_INVALID_IPV));
179  PacketFree(p);
180  FlowShutdown();
181  PASS;
182 }
183 
184 #endif /* UNITTESTS */
185 
186 /**
187  * \brief Registers Raw unit tests
188  * \todo More Raw tests
189  */
190 void DecodeRawRegisterTests(void)
191 {
192 #ifdef UNITTESTS
193  UtRegisterTest("DecodeRawTest01", DecodeRawTest01);
194  UtRegisterTest("DecodeRawTest02", DecodeRawTest02);
195  UtRegisterTest("DecodeRawTest03", DecodeRawTest03);
196 #endif /* UNITTESTS */
197 }
198 /**
199  * @}
200  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:1188
decode-raw.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:377
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition: decode.h:1201
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
DecodeThreadVars_::counter_raw
uint16_t counter_raw
Definition: decode.h:994
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:232
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
IPV4_PKT_TOO_SMALL
@ IPV4_PKT_TOO_SMALL
Definition: decode-events.h:34
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:547
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:219
Packet_
Definition: decode.h:501
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:549
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
IPRAW_INVALID_IPV
@ IPRAW_INVALID_IPV
Definition: decode-events.h:167
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:691
IPV4_HEADER_LEN
#define IPV4_HEADER_LEN
Definition: decode-ipv4.h:28
packet.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:1196
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
DecodeRaw
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-raw.c:42
DecodeIPV4
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv4.c:515
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DecodeRawRegisterTests
void DecodeRawRegisterTests(void)
Registers Raw unit tests.
Definition: decode-raw.c:190