suricata
decode-ethernet.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2021 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \ingroup decode
20 *
21 * @{
22 */
23
24
25/**
26 * \file
27 *
28 * \author Victor Julien <victor@inliniac.net>
29 *
30 * Decode Ethernet
31 */
32
33#include "suricata-common.h"
34#include "decode.h"
35#include "decode-ethernet.h"
36#include "decode-events.h"
37
38#include "util-validate.h"
39#include "util-unittest.h"
40#include "util-debug.h"
41
42int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
43 const uint8_t *pkt, uint32_t len)
44{
45 DEBUG_VALIDATE_BUG_ON(pkt == NULL);
46
47 StatsIncr(tv, dtv->counter_eth);
48
49 if (unlikely(len < ETHERNET_HEADER_LEN)) {
50 ENGINE_SET_INVALID_EVENT(p, ETHERNET_PKT_TOO_SMALL);
51 return TM_ECODE_FAILED;
52 }
53
54 if (!PacketIncreaseCheckLayers(p)) {
55 return TM_ECODE_FAILED;
56 }
57 EthernetHdr *ethh = PacketSetEthernet(p, pkt);
58
59 SCLogDebug("p %p pkt %p ether type %04x", p, pkt, SCNtohs(ethh->eth_type));
60
61 DecodeNetworkLayer(tv, dtv, SCNtohs(ethh->eth_type), p, pkt + ETHERNET_HEADER_LEN,
62 len - ETHERNET_HEADER_LEN);
63
64 return TM_ECODE_OK;
65}
66
67#ifdef UNITTESTS
68/** DecodeEthernettest01
69 * \brief Valid Ethernet packet
70 * \retval 0 Expected test value
71 */
72static int DecodeEthernetTest01 (void)
73{
74 /* ICMP packet wrapped in PPPOE */
75 uint8_t raw_eth[] = {
76 0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
77 0x94, 0x56, 0x00, 0x01, 0x88, 0x64, 0x11, 0x00,
78 0x00, 0x01, 0x00, 0x68, 0x00, 0x21, 0x45, 0xc0,
79 0x00, 0x64, 0x00, 0x1e, 0x00, 0x00, 0xff, 0x01,
80 0xa7, 0x78, 0x0a, 0x00, 0x00, 0x02, 0x0a, 0x00,
81 0x00, 0x01, 0x08, 0x00, 0x4a, 0x61, 0x00, 0x06,
82 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f,
83 0x3b, 0xd4, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
84 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
85 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
86 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
87 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
88 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
89 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
90 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
91 0xab, 0xcd };
92
93 Packet *p = PacketGetFromAlloc();
94 if (unlikely(p == NULL))
95 return 0;
96 ThreadVars tv;
97 DecodeThreadVars dtv;
98
99 memset(&dtv, 0, sizeof(DecodeThreadVars));
100 memset(&tv, 0, sizeof(ThreadVars));
101
102 DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));
103
104 SCFree(p);
105 return 1;
106}
107
108/**
109 * Test a DCE ethernet frame that is too small.
110 */
111static int DecodeEthernetTestDceTooSmall(void)
112{
113 uint8_t raw_eth[] = {
114 0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
115 0x94, 0x56, 0x00, 0x01, 0x89, 0x03,
116 };
117
118 Packet *p = PacketGetFromAlloc();
119 FAIL_IF_NULL(p);
120 ThreadVars tv;
121 DecodeThreadVars dtv;
122
123 memset(&dtv, 0, sizeof(DecodeThreadVars));
124 memset(&tv, 0, sizeof(ThreadVars));
125
126 DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));
127
128 FAIL_IF_NOT(ENGINE_ISSET_EVENT(p, DCE_PKT_TOO_SMALL));
129
130 SCFree(p);
131 PASS;
132}
133
134/**
135 * Test that a DCE ethernet frame, followed by data that is too small
136 * for an ethernet header.
137 *
138 * Redmine issue:
139 * https://redmine.openinfosecfoundation.org/issues/2887
140 */
141static int DecodeEthernetTestDceNextTooSmall(void)
142{
143 uint8_t raw_eth[] = {
144 0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
145 0x94, 0x56, 0x00, 0x01, 0x89, 0x03, //0x88, 0x64,
146
147 0x00, 0x00,
148
149 0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
150 0x94, 0x56, 0x00, 0x01,
151 };
152
153 Packet *p = PacketGetFromAlloc();
154 FAIL_IF_NULL(p);
155 ThreadVars tv;
156 DecodeThreadVars dtv;
157
158 memset(&dtv, 0, sizeof(DecodeThreadVars));
159 memset(&tv, 0, sizeof(ThreadVars));
160
161 DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));
162
163 FAIL_IF_NOT(ENGINE_ISSET_EVENT(p, DCE_PKT_TOO_SMALL));
164
165 SCFree(p);
166 PASS;
167}
168
169#endif /* UNITTESTS */
170
171
172/**
173 * \brief Registers Ethernet unit tests
174 * \todo More Ethernet tests
175 */
176void DecodeEthernetRegisterTests(void)
177{
178#ifdef UNITTESTS
179 UtRegisterTest("DecodeEthernetTest01", DecodeEthernetTest01);
180 UtRegisterTest("DecodeEthernetTestDceNextTooSmall",
181 DecodeEthernetTestDceNextTooSmall);
182 UtRegisterTest("DecodeEthernetTestDceTooSmall",
183 DecodeEthernetTestDceTooSmall);
184#endif /* UNITTESTS */
185}
186/**
187 * @}
188 */
len
uint8_t len
Definition app-layer-dnp3.h:2
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition counters.c:166
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-ethernet.c:42
DecodeEthernetRegisterTests
void DecodeEthernetRegisterTests(void)
Registers Ethernet unit tests.
Definition decode-ethernet.c:176
ETHERNET_HEADER_LEN
#define ETHERNET_HEADER_LEN
Definition decode-ethernet.h:27
ETHERNET_PKT_TOO_SMALL
@ ETHERNET_PKT_TOO_SMALL
Definition decode-events.h:118
DCE_PKT_TOO_SMALL
@ DCE_PKT_TOO_SMALL
Definition decode-events.h:214
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition decode.h:1194
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition decode.h:1199
dtv
DecodeThreadVars * dtv
Definition fuzz_decodepcapfile.c:33
tv
ThreadVars * tv
Definition fuzz_decodepcapfile.c:32
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition decode.c:258
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition decode.h:963
DecodeThreadVars_::counter_eth
uint16_t counter_eth
Definition decode.h:977
Packet_
Definition decode.h:501
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
SCNtohs
#define SCNtohs(x)
Definition suricata-common.h:431
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition tm-threads-common.h:82
TM_ECODE_OK
@ TM_ECODE_OK
Definition tm-threads-common.h:81
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
SCFree
#define SCFree(p)
Definition util-mem.h:61
unlikely
#define unlikely(expr)
Definition util-optimize.h:35
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition util-validate.h:102