
Source code changes of the file "src/stream/tcp/tcp_reassembler.cc" between
snort3-3.1.31.0.tar.gz and snort3-3.1.32.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

tcp_reassembler.cc  (snort3-3.1.31.0):tcp_reassembler.cc  (snort3-3.1.32.0)
skipping to change at line 28 skipping to change at line 28
// tcp_reassembler.cc author davis mcpherson <davmcphe@cisco.com> // tcp_reassembler.cc author davis mcpherson <davmcphe@cisco.com>
// Created on: Jul 31, 2015 // Created on: Jul 31, 2015
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include "config.h" #include "config.h"
#endif #endif
#include "tcp_reassembler.h" #include "tcp_reassembler.h"
#include <cassert>
#include "detection/detection_engine.h" #include "detection/detection_engine.h"
#include "log/log.h" #include "log/log.h"
#include "main/analyzer.h" #include "main/analyzer.h"
#include "memory/memory_cap.h" #include "memory/memory_cap.h"
#include "packet_io/active.h" #include "packet_io/active.h"
#include "profiler/profiler.h" #include "profiler/profiler.h"
#include "protocols/packet_manager.h" #include "protocols/packet_manager.h"
#include "time/packet_time.h" #include "time/packet_time.h"
#include "tcp_module.h" #include "tcp_module.h"
skipping to change at line 481 skipping to change at line 483
if ( sb.data || !trs.sos.seglist.cur_rseg ) if ( sb.data || !trs.sos.seglist.cur_rseg )
break; break;
} }
if ( trs.paf_state.paf == StreamSplitter::SKIP ) if ( trs.paf_state.paf == StreamSplitter::SKIP )
update_skipped_bytes(remaining_bytes, trs); update_skipped_bytes(remaining_bytes, trs);
return total_flushed; return total_flushed;
} }
static inline bool both_splitters_aborted(Flow* flow)
{
uint32_t both_splitters_yoinked = (SSNFLAG_ABORT_CLIENT | SSNFLAG_ABORT_SERV
ER);
return (flow->get_session_flags() & both_splitters_yoinked) == both_splitter
s_yoinked;
}
// FIXIT-L consolidate encode format, update, and this into new function? // FIXIT-L consolidate encode format, update, and this into new function?
void TcpReassembler::prep_pdu( void TcpReassembler::prep_pdu(
TcpReassemblerState&, Flow* flow, Packet* p, uint32_t pkt_flags, Packet* pdu ) TcpReassemblerState&, Flow* flow, Packet* p, uint32_t pkt_flags, Packet* pdu )
{ {
pdu->ptrs.set_pkt_type(PktType::PDU); pdu->ptrs.set_pkt_type(PktType::PDU);
pdu->proto_bits |= PROTO_BIT__TCP; pdu->proto_bits |= PROTO_BIT__TCP;
pdu->packet_flags |= (pkt_flags & PKT_PDU_FULL); pdu->packet_flags |= (pkt_flags & PKT_PDU_FULL);
pdu->flow = flow; pdu->flow = flow;
if (p == pdu) if (p == pdu)
skipping to change at line 511 skipping to change at line 519
{ {
pdu->packet_flags |= PKT_FROM_CLIENT; pdu->packet_flags |= PKT_FROM_CLIENT;
pdu->ptrs.ip_api.set(flow->client_ip, flow->server_ip); pdu->ptrs.ip_api.set(flow->client_ip, flow->server_ip);
pdu->ptrs.sp = flow->client_port; pdu->ptrs.sp = flow->client_port;
pdu->ptrs.dp = flow->server_port; pdu->ptrs.dp = flow->server_port;
} }
} }
else if (!p->packet_flags || (pkt_flags & p->packet_flags)) else if (!p->packet_flags || (pkt_flags & p->packet_flags))
{ {
// forward // forward
pdu->packet_flags |= (p->packet_flags pdu->packet_flags |= (p->packet_flags & (PKT_FROM_CLIENT | PKT_FROM_SERV
& (PKT_FROM_CLIENT | PKT_FROM_SERVER)); ER));
pdu->ptrs.ip_api.set(*p->ptrs.ip_api.get_src(), pdu->ptrs.ip_api.set(*p->ptrs.ip_api.get_src(), *p->ptrs.ip_api.get_dst(
*p->ptrs.ip_api.get_dst()); ));
pdu->ptrs.sp = p->ptrs.sp; pdu->ptrs.sp = p->ptrs.sp;
pdu->ptrs.dp = p->ptrs.dp; pdu->ptrs.dp = p->ptrs.dp;
} }
else else
{ {
// reverse // reverse
if (p->is_from_client()) if (p->is_from_client())
pdu->packet_flags |= PKT_FROM_SERVER; pdu->packet_flags |= PKT_FROM_SERVER;
else else
pdu->packet_flags |= PKT_FROM_CLIENT; pdu->packet_flags |= PKT_FROM_CLIENT;
pdu->ptrs.ip_api.set(*p->ptrs.ip_api.get_dst(), pdu->ptrs.ip_api.set(*p->ptrs.ip_api.get_dst(), *p->ptrs.ip_api.get_src(
*p->ptrs.ip_api.get_src()); ));
pdu->ptrs.dp = p->ptrs.sp; pdu->ptrs.dp = p->ptrs.sp;
pdu->ptrs.sp = p->ptrs.dp; pdu->ptrs.sp = p->ptrs.dp;
} }
} }
Packet* TcpReassembler::initialize_pdu( Packet* TcpReassembler::initialize_pdu(
TcpReassemblerState& trs, Packet* p, uint32_t pkt_flags, struct timeval tv) TcpReassemblerState& trs, Packet* p, uint32_t pkt_flags, struct timeval tv)
{ {
// partial flushes already set the pdu for http_inspect splitter processing // partial flushes already set the pdu for http_inspect splitter processing
Packet* pdu = p->was_set() ? p : DetectionEngine::set_next_packet(p); Packet* pdu = p->was_set() ? p : DetectionEngine::set_next_packet(p);
skipping to change at line 622 skipping to change at line 627
const StreamBuffer sb = trs.tracker->get_splitter()->reassemble( const StreamBuffer sb = trs.tracker->get_splitter()->reassemble(
trs.sos.session->flow, 0, 0, nullptr, 0, (PKT_PDU_HEAD | PKT_PDU_TAIL), bytes_copied); trs.sos.session->flow, 0, 0, nullptr, 0, (PKT_PDU_HEAD | PKT_PDU_TAIL), bytes_copied);
if ( sb.data ) if ( sb.data )
{ {
Packet* pdu = initialize_pdu(trs, p, pkt_flags, p->pkth->ts); Packet* pdu = initialize_pdu(trs, p, pkt_flags, p->pkth->ts);
/* setup the pseudopacket payload */ /* setup the pseudopacket payload */
pdu->data = sb.data; pdu->data = sb.data;
pdu->dsize = sb.length; pdu->dsize = sb.length;
pdu->packet_flags |= (PKT_REBUILT_STREAM | PKT_STREAM_EST | PKT_PDU_HEAD | PKT_PDU_TAIL); pdu->packet_flags |= (PKT_REBUILT_STREAM | PKT_STREAM_EST | PKT_PDU_HEAD | PKT_PDU_TAIL);
trs.flush_count++;
trs.flush_count++;
show_rebuilt_packet(trs, pdu); show_rebuilt_packet(trs, pdu);
Analyzer::get_local_analyzer()->inspect_rebuilt(pdu); Analyzer::get_local_analyzer()->inspect_rebuilt(pdu);
} }
return bytes_copied; return bytes_copied;
} }
// get the footprint for the current trs.sos.seglist, the difference // get the footprint for the current trs.sos.seglist, the difference
// between our base sequence and the last ack'd sequence we received // between our base sequence and the last ack'd sequence we received
skipping to change at line 929 skipping to change at line 934
break; break;
} }
tsn = tsn->next; tsn = tsn->next;
} }
trs.sos.seglist.cur_sseg = tsn; trs.sos.seglist.cur_sseg = tsn;
return ret_val; return ret_val;
} }
static inline bool both_splitters_aborted(Flow* flow)
{
uint32_t both_splitters_yoinked = (SSNFLAG_ABORT_CLIENT | SSNFLAG_ABORT_SERV
ER);
return (flow->get_session_flags() & both_splitters_yoinked) == both_splitter
s_yoinked;
}
static inline void fallback(TcpStreamTracker& trk, bool server_side, uint16_t ma x) static inline void fallback(TcpStreamTracker& trk, bool server_side, uint16_t ma x)
{ {
trk.set_splitter(new AtomSplitter(!server_side, max)); #ifndef NDEBUG
StreamSplitter* splitter = trk.get_splitter();
assert(splitter);
// FIXIT-L: consolidate these 3
bool to_server = splitter->to_server();
assert(splitter && server_side == to_server && server_side == !trk.client_tr
acker);
#endif
trk.set_splitter(new AtomSplitter(server_side, max));
tcpStats.partial_fallbacks++; tcpStats.partial_fallbacks++;
} }
void TcpReassembler::fallback(TcpStreamTracker& tracker, bool server_side) void TcpReassembler::fallback(TcpStreamTracker& tracker, bool server_side)
{ {
uint16_t max = tracker.session->tcp_config->paf_max; uint16_t max = tracker.session->tcp_config->paf_max;
::fallback(tracker, server_side, max); ::fallback(tracker, server_side, max);
Flow* flow = tracker.session->flow; Flow* flow = tracker.session->flow;
if ( server_side ) if ( server_side )
skipping to change at line 1191 skipping to change at line 1199
int32_t flush_amt; int32_t flush_amt;
uint32_t flags; uint32_t flags;
do do
{ {
flags = get_reverse_packet_dir(trs, p); flags = get_reverse_packet_dir(trs, p);
flush_amt = scan_data_post_ack(trs, &flags, p); flush_amt = scan_data_post_ack(trs, &flags, p);
if ( flush_amt <= 0 or trs.paf_state.paf == StreamSplitter::SKIP ) if ( flush_amt <= 0 or trs.paf_state.paf == StreamSplitter::SKIP )
break; break;
if ( trs.paf_state.paf == StreamSplitter::ABORT )
trs.tracker->splitter_finish(p->flow);
// for consistency with other cases, should return total // for consistency with other cases, should return total
// but that breaks flushing pipelined pdus // but that breaks flushing pipelined pdus
flushed += flush_to_seq(trs, flush_amt, p, flags); flushed += flush_to_seq(trs, flush_amt, p, flags);
assert( flushed ); assert( flushed );
// ideally we would purge just once after this loop but that throws off base // ideally we would purge just once after this loop but that throws off base
if ( trs.sos.seglist.head ) if ( trs.sos.seglist.head )
purge_to_seq(trs, trs.sos.seglist_base_seq); purge_to_seq(trs, trs.sos.seglist_base_seq);
} }
while ( trs.sos.seglist.head and !p->flow->is_inspection_disabled() ); while ( trs.sos.seglist.head and !p->flow->is_inspection_disabled() );
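Review bot: In the static `fallback(TcpStreamTracker&, bool, uint16_t)` helper the direction handed to `AtomSplitter` flips from `!server_side` to `server_side`, but the invariant that justifies the flip (`server_side == splitter->to_server()` and `server_side == !trk.client_tracker`) is only checked inside `#ifndef NDEBUG`. A release build therefore gets no signal if a caller passes the wrong side, and the replacement splitter would then presumably be bound to the wrong direction of the flow, which matters for a sensor whose reassembled PDUs feed direction-aware inspection. The second assert also re-tests `splitter` after `splitter->to_server()` has already dereferenced it; `assert(server_side == to_server && server_side == !trk.client_tracker);` states the same condition. Until the FIXIT-L consolidation is done, a comment above the `set_splitter` call such as `// server_side must equal the replaced splitter's to_server(); verified by assert in debug builds only` would record the contract for callers like `TcpReassembler::fallback`. Old/new attribution of the single-printed lines here is inferred from the page's left/right column order and line offsets.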
 End of changes. 9 change blocks. 
19 lines changed or deleted 28 lines changed or added
