suricata
decode-raw.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author William Metcalf <william.metcalf@gmail.com>
29  *
30  * Decode RAW
31  */
32 
33 #include "suricata-common.h"
34 #include "decode-raw.h"
35 #include "decode.h"
36 #include "decode-events.h"
37 
38 #include "util-validate.h"
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 
42 int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
43  const uint8_t *pkt, uint32_t len)
44 {
45  DEBUG_VALIDATE_BUG_ON(pkt == NULL);
46 
47  StatsIncr(tv, dtv->counter_raw);
48 
49  /* If it is ipv4 or ipv6 it should at least be the size of ipv4 */
50  if (unlikely(len < IPV4_HEADER_LEN)) {
51  ENGINE_SET_INVALID_EVENT(p, IPV4_PKT_TOO_SMALL);
52  return TM_ECODE_FAILED;
53  }
54 
55 
56 
57  if (IP_GET_RAW_VER(pkt) == 4) {
58  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
59  return TM_ECODE_FAILED;
60  }
61  SCLogDebug("IPV4 Packet");
62  DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p), (uint16_t)(GET_PKT_LEN(p)));
63  } else if (IP_GET_RAW_VER(pkt) == 6) {
64  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
65  return TM_ECODE_FAILED;
66  }
67  SCLogDebug("IPV6 Packet");
68  DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p), (uint16_t)(GET_PKT_LEN(p)));
69  } else {
70  SCLogDebug("Unknown ip version %d", IP_GET_RAW_VER(pkt));
71  ENGINE_SET_EVENT(p,IPRAW_INVALID_IPV);
72  }
73  return TM_ECODE_OK;
74 }
75 
76 #ifdef UNITTESTS
77 #include "util-unittest-helper.h"
78 #include "packet.h"
79 
80 /** DecodeRawtest01
81  * \brief Valid Raw packet
82  * \retval 0 Expected test value
83  */
84 static int DecodeRawTest01 (void)
85 {
86 
87  /* IPV6/TCP/no eth header */
88  uint8_t raw_ip[] = {
89  0x60, 0x00, 0x00, 0x00, 0x00, 0x28, 0x06, 0x40,
90  0x20, 0x01, 0x06, 0x18, 0x04, 0x00, 0x00, 0x00,
91  0x00, 0x00, 0x00, 0x00, 0x51, 0x99, 0xcc, 0x70,
92  0x20, 0x01, 0x06, 0x18, 0x00, 0x01, 0x80, 0x00,
93  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
94  0x8c, 0x9b, 0x00, 0x50, 0x6a, 0xe7, 0x07, 0x36,
95  0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0x30,
96  0x29, 0x9c, 0x00, 0x00, 0x02, 0x04, 0x05, 0x8c,
97  0x04, 0x02, 0x08, 0x0a, 0x00, 0xdd, 0x1a, 0x39,
98  0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02 };
99  Packet *p = PacketGetFromAlloc();
100  if (unlikely(p == NULL))
101  return 0;
102  ThreadVars tv;
103  DecodeThreadVars dtv;
104 
105  memset(&dtv, 0, sizeof(DecodeThreadVars));
106  memset(&tv, 0, sizeof(ThreadVars));
107 
108  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
109  SCFree(p);
110  return 0;
111  }
112 
113  FlowInitConfig(FLOW_QUIET);
114 
115  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
116  FAIL_IF_NOT(PacketIsIPv6(p));
117 
118  PacketRecycle(p);
119  FlowShutdown();
120  SCFree(p);
121  return 1;
122 
123 }
124 /** DecodeRawtest02
125  * \brief Valid Raw packet
126  * \retval 0 Expected test value
127  */
128 static int DecodeRawTest02 (void)
129 {
130 
131  /* IPV4/TCP/no eth header */
132  uint8_t raw_ip[] = {
133  0x45, 0x00, 0x00, 0x30, 0x00, 0xad, 0x40, 0x00,
134  0x7f, 0x06, 0xac, 0xc5, 0xc0, 0xa8, 0x67, 0x02,
135  0xc0, 0xa8, 0x66, 0x02, 0x0b, 0xc7, 0x00, 0x50,
136  0x1d, 0xb3, 0x12, 0x37, 0x00, 0x00, 0x00, 0x00,
137  0x70, 0x02, 0x40, 0x00, 0xb8, 0xc8, 0x00, 0x00,
138  0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02 };
139 
140  Packet *p = PacketGetFromAlloc();
141  if (unlikely(p == NULL))
142  return 0;
143  ThreadVars tv;
144  DecodeThreadVars dtv;
145 
146  memset(&dtv, 0, sizeof(DecodeThreadVars));
147  memset(&tv, 0, sizeof(ThreadVars));
148 
149  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
150  SCFree(p);
151  return 0;
152  }
153 
154  FlowInitConfig(FLOW_QUIET);
155 
156  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
157  FAIL_IF_NOT(PacketIsIPv4(p));
158 
159  PacketRecycle(p);
160  FlowShutdown();
161  SCFree(p);
162  return 1;
163 }
164 /** DecodeRawtest03
165  * \brief Valid Raw packet
166  * \retval 0 Expected test value
167  */
168 static int DecodeRawTest03 (void)
169 {
170 
171  /* IPV13 */
172  uint8_t raw_ip[] = {
173  0xdf, 0x00, 0x00, 0x3d, 0x49, 0x42, 0x40, 0x00,
174  0x40, 0x06, 0xcf, 0x8a, 0x0a, 0x1f, 0x03, 0xaf,
175  0x0a, 0x1f, 0x0a, 0x02, 0xa5, 0xe7, 0xde, 0xad,
176  0x00, 0x0c, 0xe2, 0x0e, 0x8b, 0xfe, 0x0c, 0xe7,
177  0x80, 0x18, 0x00, 0xb7, 0xaf, 0xeb, 0x00, 0x00,
178  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xab, 0x4f,
179  0x34, 0x40, 0x67, 0x31, 0x3b, 0x63, 0x61, 0x74,
180  0x20, 0x6b, 0x65, 0x79, 0x3b };
181 
182  Packet *p = PacketGetFromAlloc();
183  if (unlikely(p == NULL))
184  return 0;
185  ThreadVars tv;
186  DecodeThreadVars dtv;
187 
188  memset(&dtv, 0, sizeof(DecodeThreadVars));
189  memset(&tv, 0, sizeof(ThreadVars));
190 
191  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
192  SCFree(p);
193  return 0;
194  }
195 
196  FlowInitConfig(FLOW_QUIET);
197 
198  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p));
199  if (!ENGINE_ISSET_EVENT(p,IPRAW_INVALID_IPV)) {
200  printf("expected IPRAW_INVALID_IPV to be set but it wasn't: ");
201  FlowShutdown();
202  SCFree(p);
203  return 0;
204  }
205  PacketRecycle(p);
206  FlowShutdown();
207  SCFree(p);
208  return 1;
209 }
210 
211 #endif /* UNITTESTS */
212 
213 /**
214  * \brief Registers Raw unit tests
215  * \todo More Raw tests
216  */
217 void DecodeRawRegisterTests(void)
218 {
219 #ifdef UNITTESTS
220  UtRegisterTest("DecodeRawTest01", DecodeRawTest01);
221  UtRegisterTest("DecodeRawTest02", DecodeRawTest02);
222  UtRegisterTest("DecodeRawTest03", DecodeRawTest03);
223 #endif /* UNITTESTS */
224 }
225 /**
226  * @}
227  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:1188
decode-raw.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:377
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition: decode.h:1201
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:151
DecodeThreadVars_::counter_raw
uint16_t counter_raw
Definition: decode.h:994
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:232
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
IPV4_PKT_TOO_SMALL
@ IPV4_PKT_TOO_SMALL
Definition: decode-events.h:34
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:547
decode.h
util-debug.h
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
Packet_
Definition: decode.h:501
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:549
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
suricata-common.h
IPRAW_INVALID_IPV
@ IPRAW_INVALID_IPV
Definition: decode-events.h:167
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:691
IPV4_HEADER_LEN
#define IPV4_HEADER_LEN
Definition: decode-ipv4.h:28
packet.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:1196
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
DecodeRaw
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-raw.c:42
DecodeIPV4
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv4.c:515
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DecodeRawRegisterTests
void DecodeRawRegisterTests(void)
Registers Raw unit tests.
Definition: decode-raw.c:217