1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \ingroup decode
20 *
21 * @{
22 */
23
24
25 /**
26 * \file
27 *
28 * \author Victor Julien <victor@inliniac.net>
29 *
30 * Decode Ethernet
31 */
32
33 #include "suricata-common.h"
34 #include "decode.h"
35 #include "decode-ethernet.h"
36 #include "decode-events.h"
37
38 #include "util-unittest.h"
39 #include "util-debug.h"
40
DecodeEthernet(ThreadVars * tv,DecodeThreadVars * dtv,Packet * p,const uint8_t * pkt,uint32_t len)41 int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
42 const uint8_t *pkt, uint32_t len)
43 {
44 StatsIncr(tv, dtv->counter_eth);
45
46 if (unlikely(len < ETHERNET_HEADER_LEN)) {
47 ENGINE_SET_INVALID_EVENT(p, ETHERNET_PKT_TOO_SMALL);
48 return TM_ECODE_FAILED;
49 }
50
51 if (!PacketIncreaseCheckLayers(p)) {
52 return TM_ECODE_FAILED;
53 }
54 p->ethh = (EthernetHdr *)pkt;
55 if (unlikely(p->ethh == NULL))
56 return TM_ECODE_FAILED;
57
58 SCLogDebug("p %p pkt %p ether type %04x", p, pkt, SCNtohs(p->ethh->eth_type));
59
60 DecodeNetworkLayer(tv, dtv, SCNtohs(p->ethh->eth_type), p,
61 pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN);
62
63 return TM_ECODE_OK;
64 }
65
66 #ifdef UNITTESTS
67 /** DecodeEthernettest01
68 * \brief Valid Ethernet packet
69 * \retval 0 Expected test value
70 */
DecodeEthernetTest01(void)71 static int DecodeEthernetTest01 (void)
72 {
73 /* ICMP packet wrapped in PPPOE */
74 uint8_t raw_eth[] = {
75 0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
76 0x94, 0x56, 0x00, 0x01, 0x88, 0x64, 0x11, 0x00,
77 0x00, 0x01, 0x00, 0x68, 0x00, 0x21, 0x45, 0xc0,
78 0x00, 0x64, 0x00, 0x1e, 0x00, 0x00, 0xff, 0x01,
79 0xa7, 0x78, 0x0a, 0x00, 0x00, 0x02, 0x0a, 0x00,
80 0x00, 0x01, 0x08, 0x00, 0x4a, 0x61, 0x00, 0x06,
81 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f,
82 0x3b, 0xd4, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
83 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
84 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
85 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
86 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
87 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
88 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
89 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
90 0xab, 0xcd };
91
92 Packet *p = SCMalloc(SIZE_OF_PACKET);
93 if (unlikely(p == NULL))
94 return 0;
95 ThreadVars tv;
96 DecodeThreadVars dtv;
97
98 memset(&dtv, 0, sizeof(DecodeThreadVars));
99 memset(&tv, 0, sizeof(ThreadVars));
100 memset(p, 0, SIZE_OF_PACKET);
101
102 DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));
103
104 SCFree(p);
105 return 1;
106 }
107
108 /**
109 * Test a DCE ethernet frame that is too small.
110 */
DecodeEthernetTestDceTooSmall(void)111 static int DecodeEthernetTestDceTooSmall(void)
112 {
113 uint8_t raw_eth[] = {
114 0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
115 0x94, 0x56, 0x00, 0x01, 0x89, 0x03,
116 };
117
118 Packet *p = SCMalloc(SIZE_OF_PACKET);
119 FAIL_IF_NULL(p);
120 ThreadVars tv;
121 DecodeThreadVars dtv;
122
123 memset(&dtv, 0, sizeof(DecodeThreadVars));
124 memset(&tv, 0, sizeof(ThreadVars));
125 memset(p, 0, SIZE_OF_PACKET);
126
127 DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));
128
129 FAIL_IF_NOT(ENGINE_ISSET_EVENT(p, DCE_PKT_TOO_SMALL));
130
131 SCFree(p);
132 PASS;
133 }
134
135 /**
136 * Test that a DCE ethernet frame, followed by data that is too small
137 * for an ethernet header.
138 *
139 * Redmine issue:
140 * https://redmine.openinfosecfoundation.org/issues/2887
141 */
DecodeEthernetTestDceNextTooSmall(void)142 static int DecodeEthernetTestDceNextTooSmall(void)
143 {
144 uint8_t raw_eth[] = {
145 0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
146 0x94, 0x56, 0x00, 0x01, 0x89, 0x03, //0x88, 0x64,
147
148 0x00, 0x00,
149
150 0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
151 0x94, 0x56, 0x00, 0x01,
152 };
153
154 Packet *p = SCMalloc(SIZE_OF_PACKET);
155 FAIL_IF_NULL(p);
156 ThreadVars tv;
157 DecodeThreadVars dtv;
158
159 memset(&dtv, 0, sizeof(DecodeThreadVars));
160 memset(&tv, 0, sizeof(ThreadVars));
161 memset(p, 0, SIZE_OF_PACKET);
162
163 DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));
164
165 FAIL_IF_NOT(ENGINE_ISSET_EVENT(p, DCE_PKT_TOO_SMALL));
166
167 SCFree(p);
168 PASS;
169 }
170
171 #endif /* UNITTESTS */
172
173
174 /**
175 * \brief Registers Ethernet unit tests
176 * \todo More Ethernet tests
177 */
DecodeEthernetRegisterTests(void)178 void DecodeEthernetRegisterTests(void)
179 {
180 #ifdef UNITTESTS
181 UtRegisterTest("DecodeEthernetTest01", DecodeEthernetTest01);
182 UtRegisterTest("DecodeEthernetTestDceNextTooSmall",
183 DecodeEthernetTestDceNextTooSmall);
184 UtRegisterTest("DecodeEthernetTestDceTooSmall",
185 DecodeEthernetTestDceTooSmall);
186 #endif /* UNITTESTS */
187 }
188 /**
189 * @}
190 */
191