"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/detection-plugins/sp_byte_math.c" between
snort-2.9.16.1.tar.gz and snort-2.9.17.tar.gz

About: Snort is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

sp_byte_math.c  (snort-2.9.16.1):sp_byte_math.c  (snort-2.9.17)
skipping to change at line 123 skipping to change at line 123
static void ByteMathOverride(char *keyword, char *option, RuleOptOverrideFunc ro o_func); static void ByteMathOverride(char *keyword, char *option, RuleOptOverrideFunc ro o_func);
static void ByteMathOverrideFuncsFree(void); static void ByteMathOverrideFuncsFree(void);
static void ByteMathInit(struct _SnortConfig *, char *, OptTreeNode *, int); static void ByteMathInit(struct _SnortConfig *, char *, OptTreeNode *, int);
static ByteMathOverrideData * ByteMathParse(char *data, ByteMathData *idx, OptTr eeNode *otn); static ByteMathOverrideData * ByteMathParse(char *data, ByteMathData *idx, OptTr eeNode *otn);
static void ByteMathOverrideCleanup(int, void *); static void ByteMathOverrideCleanup(int, void *);
static char* ByteMath_tok_extract(char *,char *); static char* ByteMath_tok_extract(char *,char *);
void AddVarName_Bytemath(ByteMathData *); void AddVarName_Bytemath(ByteMathData *);
char *bytemath_variable_name = NULL; char *bytemath_variable_name = NULL;
uint32_t bytemath_variable; uint32_t bytemath_variable;
uint32_t common_var;
uint32_t find_value (char *token)
{
if (token == NULL)
return BYTE_EXTRACT_NO_VAR;
uint32_t match_e = 0 ,match_b = 0;
/* check byte_math already has the same name */
if ( bytemath_variable_name && (strcmp(bytemath_variable_name,token) == 0) )
match_b = BYTE_MATH_VAR_INDEX;
/* check byte_extract already has the same name */
match_e = GetVarByName(token);
/* if same name found in both pick the latest one else the matched one */
if ( (match_e != BYTE_EXTRACT_NO_VAR) && (match_b == BYTE_MATH_VAR_INDEX)
)
{
return COMMON_VAR_INDEX;
}
else if ( (match_e != BYTE_EXTRACT_NO_VAR) && (match_b != BYTE_MATH_VAR_IN
DEX) )
{
return match_e;
}
else if ( (match_e == BYTE_EXTRACT_NO_VAR) && (match_b == BYTE_MATH_VAR_IN
DEX) )
{
return BYTE_MATH_VAR_INDEX;
}
return BYTE_EXTRACT_NO_VAR;
}
uint32_t ByteMathHash(void *d) uint32_t ByteMathHash(void *d)
{ {
uint32_t a,b,c; uint32_t a,b,c;
ByteMathData *data = (ByteMathData *)d; ByteMathData *data = (ByteMathData *)d;
a = data->bytes_to_extract; a = data->bytes_to_extract;
b = data->rvalue; b = data->rvalue;
c = data->operator; c = data->operator;
skipping to change at line 427 skipping to change at line 457
ParseError("byte_math option has bad input: %s.", cptr); ParseError("byte_math option has bad input: %s.", cptr);
} }
if(idx->bytes_to_extract > PARSELEN || idx->bytes_to_extract == 0) if(idx->bytes_to_extract > PARSELEN || idx->bytes_to_extract == 0)
{ {
ParseError("byte_math option bytes_to_extract has invalid in put.valid range is 1 to 10 bytes\n"); ParseError("byte_math option bytes_to_extract has invalid in put.valid range is 1 to 10 bytes\n");
} }
i++; i++;
continue; continue;
} }
else
{
ParseError("byte_math option bytes_to_extract is already configur
ed once\n");
}
} }
else if (!strncmp(cptr,"oper",4)) else if (!strncmp(cptr,"oper",4))
{ {
if (!idx->operator) if (!idx->operator)
{ {
cptr=ByteMath_tok_extract(cptr,"oper"); cptr=ByteMath_tok_extract(cptr,"oper");
/* set the operator */ /* set the operator */
switch(*cptr) switch(*cptr)
{ {
skipping to change at line 562 skipping to change at line 588
{ {
ParseError("byte_math option offset is Already configured in rule onc e\n"); ParseError("byte_math option offset is Already configured in rule onc e\n");
} }
} }
else if (!strncmp(cptr,"result",6)) else if (!strncmp(cptr,"result",6))
{ {
if (!idx->result_var) if (!idx->result_var)
{ {
cptr=ByteMath_tok_extract(cptr,"result"); cptr=ByteMath_tok_extract(cptr,"result");
/* set result variable */ /* set result variable */
if ( GetVarByName(cptr) == BYTE_EXTRACT_NO_VAR ) idx->result_var = SnortStrdup(cptr);
{ if (!idx->result_var)
idx->result_var = SnortStrdup(cptr); ParseError("byte_Math::result_var malloc failure");
}
else
{
ParseError("byte_Math:: result variable name is already used in b
yte_extract rule \n");
}
if (!idx->result_var)
ParseError("byte_Math::result_var malloc failure");
if (idx->result_var && isdigit(idx->result_var[0])) if (idx->result_var && isdigit(idx->result_var[0]))
{ {
free(idx->result_var); free(idx->result_var);
ParseError("byte_Math rule option has a name which starts with a d igit. " ParseError("byte_Math rule option has a name which starts with a d igit. "
"Variable names must start with a letter."); "Variable names must start with a letter.");
} }
isvalidstr(idx->result_var,"byte_math"); isvalidstr(idx->result_var,"byte_math");
i++; i++;
continue; continue;
skipping to change at line 906 skipping to change at line 925
} }
} }
DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
"Grabbed %d bytes at offset %d rvalue = 0x%08X(%u) value = 0x%08X(%u)\n" , "Grabbed %d bytes at offset %d rvalue = 0x%08X(%u) value = 0x%08X(%u)\n" ,
payload_bytes_grabbed, btd->offset, btd->rvalue, btd->rvalue, value, val ue); ); payload_bytes_grabbed, btd->offset, btd->rvalue, btd->rvalue, value, val ue); );
switch(btd->operator) switch(btd->operator)
{ {
case BM_PLUS: if ((UINT_MAX - *value) < btd->rvalue) case BM_PLUS: if ((UINT_MAX - *value) < btd->rvalue)
{ {
LogMessage("Buffer Overflow\n"); LogMessage("%s-%d > %s-%d Buffer Overflow during ADDIT
ION\n",
inet_ntoa(GET_SRC_IP(p)),ntohs(p->tcph->th_
sport),
inet_ntoa(GET_DST_IP(p)),ntohs(p->tcph->th_
dport));
return DETECTION_OPTION_NO_MATCH; return DETECTION_OPTION_NO_MATCH;
} }
else else
{ {
*value += btd->rvalue; *value += btd->rvalue;
success = 1; success = 1;
break; break;
} }
case BM_MINUS: if (*value < btd->rvalue) case BM_MINUS: if (*value < btd->rvalue)
{ {
LogMessage("Buffer Underflow\n"); LogMessage("%s-%d > %s-%d Buffer Underflow during SUB
TRACTION\n",
inet_ntoa(GET_SRC_IP(p)),ntohs(p->tcph->th
_sport),
inet_ntoa(GET_DST_IP(p)),ntohs(p->tcph->th
_dport));
return DETECTION_OPTION_NO_MATCH; return DETECTION_OPTION_NO_MATCH;
} }
else else
{ {
*value -= btd->rvalue; *value -= btd->rvalue;
success = 1; success = 1;
break; break;
} }
case BM_MULTIPLY: *value *= btd->rvalue; case BM_MULTIPLY: if ( (*value) && ((UINT_MAX/(*value)) < btd->rvalue))
success = 1; {
break; LogMessage("%s-%d > %s-%d Buffer Overflow during M
ULTIPLY\n",
inet_ntoa(GET_SRC_IP(p)),ntohs(p->tcph
->th_sport),
inet_ntoa(GET_DST_IP(p)),ntohs(p->tcph
->th_dport));
return DETECTION_OPTION_NO_MATCH;
}
else
{
*value *= btd->rvalue;
success = 1;
break;
}
case BM_DIVIDE: *value = (*value/ btd->rvalue); case BM_DIVIDE: *value = (*value/ btd->rvalue);
success = 1; success = 1;
break; break;
case BM_LEFT_SHIFT: *value = (*value << btd->rvalue); case BM_LEFT_SHIFT: *value = (*value << btd->rvalue);
success = 1; success = 1;
break; break;
case BM_RIGHT_SHIFT: *value = (*value >> btd->rvalue); case BM_RIGHT_SHIFT: *value = (*value >> btd->rvalue);
success = 1; success = 1;
break; break;
} }
DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
"byte_math result final value = 0x%08X(%u)\n", "byte_math result final value = 0x%08X(%u)\n",
value, value); ); value, value); );
if (success) if (success)
{ {
rval = DETECTION_OPTION_MATCH; rval = DETECTION_OPTION_MATCH;
common_var = *value;
} }
/* if the test isn't successful, this function *must* return 0 */ /* if the test isn't successful, this function *must* return 0 */
PREPROC_PROFILE_END(byteMathPerfStats); PREPROC_PROFILE_END(byteMathPerfStats);
return rval; return rval;
} }
void ByteMathFree(void *d) void ByteMathFree(void *d)
{ {
ByteMathData *data = (ByteMathData *)d; ByteMathData *data = (ByteMathData *)d;
if (data) if (data && data->result_var)
{ {
free(data->result_var); free(data->result_var);
data->result_var=NULL; data->result_var=NULL;
} }
if ( bytemath_variable_name != NULL ) if ( bytemath_variable_name != NULL )
{ {
free( bytemath_variable_name ); free( bytemath_variable_name );
bytemath_variable_name = NULL; bytemath_variable_name = NULL;
} }
skipping to change at line 995 skipping to change at line 1029
if (bytemath_variable_name != NULL) if (bytemath_variable_name != NULL)
{ {
free(bytemath_variable_name); free(bytemath_variable_name);
bytemath_variable_name = NULL; bytemath_variable_name = NULL;
} }
} }
/* Given a variable name, retrieve its index. For use by other options.dynamic-p lugin support */ /* Given a variable name, retrieve its index. For use by other options.dynamic-p lugin support */
int8_t GetVarByName_check(char *name) int8_t GetVarByName_check(char *name)
{ {
return (find_value(name));
if (name == NULL)
return BYTE_EXTRACT_NO_VAR;
if (bytemath_variable_name && (!strcmp(bytemath_variable_name,name)))
{
return 0;
}
else
{
return (GetVarByName(name));
}
return BYTE_EXTRACT_NO_VAR;
} }
void AddVarName_Bytemath(ByteMathData *data) void AddVarName_Bytemath(ByteMathData *data)
{ {
if (bytemath_variable_name != NULL) if (bytemath_variable_name != NULL)
{ {
free(bytemath_variable_name); free(bytemath_variable_name);
bytemath_variable_name = NULL; bytemath_variable_name = NULL;
} }
bytemath_variable_name = SnortStrdup(data->result_var); bytemath_variable_name = SnortStrdup(data->result_var);
 End of changes. 9 change blocks. 
35 lines changed or deleted 67 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)