
Source code changes of the file "src/analyzer/protocol/dns/DNS.cc" between
zeek-3.2.2.tar.gz and zeek-3.2.4.tar.gz

About: Zeek (formerly Bro) is a flexible network analysis framework focusing on network security monitoring. Feature release.

DNS.cc  (zeek-3.2.2):DNS.cc  (zeek-3.2.4)
skipping to change at line 728 skipping to change at line 728
break; break;
} }
len -= option_len; len -= option_len;
// TODO: Implement additional option codes // TODO: Implement additional option codes
switch ( option_code ) switch ( option_code )
{ {
case TYPE_ECS: case TYPE_ECS:
{ {
// must be 4 bytes + variable number of octets fo r address // must be 4 bytes + variable number of octets fo r address
if ( option_len <= 4 ) { if ( option_len <= 4 )
{
analyzer->Weird("EDNS_ECS_invalid_option_
len");
data += option_len;
break; break;
} }
EDNS_ECS opt{}; EDNS_ECS opt{};
uint16_t ecs_family = ExtractShort(data, option_l en); uint16_t ecs_family = ExtractShort(data, option_l en);
uint16_t source_scope = ExtractShort(data, option _len); uint16_t source_scope = ExtractShort(data, option _len);
opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff; opt.ecs_src_pfx_len = (source_scope >> 8) & 0xff;
opt.ecs_scp_pfx_len = source_scope & 0xff; opt.ecs_scp_pfx_len = source_scope & 0xff;
// ADDRESS, variable number of octets, contains e ither an IPv4 or // ADDRESS, variable number of octets, contains e ither an IPv4 or
// IPv6 address, depending on FAMILY, which MUST be truncated to the // IPv6 address, depending on FAMILY, which MUST be truncated to the
// number of bits indicated by the SOURCE PREFIX- LENGTH field, // number of bits indicated by the SOURCE PREFIX- LENGTH field,
// padding with 0 bits to pad to the end of the l ast octet needed. // padding with 0 bits to pad to the end of the l ast octet needed.
if ( ecs_family == L3_IPV4 ) if ( ecs_family == L3_IPV4 )
{ {
if ( opt.ecs_src_pfx_len > 32 )
{
analyzer->Weird("EDNS_ECS_invalid
_addr_v4_prefix",
fmt("%" PRIu16 "
bits", opt.ecs_src_pfx_len));
data += option_len;
break;
}
if ( opt.ecs_src_pfx_len > option_len * 8
)
{
analyzer->Weird("EDNS_ECS_invalid
_addr_v4",
fmt("need %" PRIu
16 " bits, have %d bits",
opt.ecs_src_p
fx_len, option_len * 8));
data += option_len;
break;
}
opt.ecs_family = zeek::make_intrusive<zee k::StringVal>("v4"); opt.ecs_family = zeek::make_intrusive<zee k::StringVal>("v4");
uint32_t addr = 0; uint32_t addr = 0;
for (uint16_t shift_factor = 3; option_le uint16_t shift_factor = 3;
n > 0; option_len--) int bits_left = opt.ecs_src_pfx_len;
while ( bits_left > 0 )
{ {
addr |= data[0] << (shift_factor * 8); addr |= data[0] << (shift_factor * 8);
data++; data++;
shift_factor--; shift_factor--;
option_len--;
bits_left -= 8;
} }
addr = htonl(addr); addr = htonl(addr);
opt.ecs_addr = zeek::make_intrusive<zeek: :AddrVal>(addr); opt.ecs_addr = zeek::make_intrusive<zeek: :AddrVal>(addr);
} }
else if ( ecs_family == L3_IPV6 ) else if ( ecs_family == L3_IPV6 )
{ {
if ( opt.ecs_src_pfx_len > 128 )
{
analyzer->Weird("EDNS_ECS_invalid
_addr_v6_prefix",
fmt("%" PRIu16 "
bits", opt.ecs_src_pfx_len));
data += option_len;
break;
}
if ( opt.ecs_src_pfx_len > option_len * 8
)
{
analyzer->Weird("EDNS_ECS_invalid
_addr_v6",
fmt("need %" PRIu
16 " bits, have %d bits",
opt.ecs_src_p
fx_len, option_len * 8));
data += option_len;
break;
}
opt.ecs_family = zeek::make_intrusive<zee k::StringVal>("v6"); opt.ecs_family = zeek::make_intrusive<zee k::StringVal>("v6");
uint32_t addr[4] = { 0 }; uint32_t addr[4] = { 0 };
for (uint16_t i = 0, shift_factor = 15; o uint16_t shift_factor = 15;
ption_len > 0; option_len--) int bits_left = opt.ecs_src_pfx_len;
int i = 0;
while ( bits_left > 0 )
{ {
addr[i / 4] |= data[0] << ((shift _factor % 4) * 8); addr[i / 4] |= data[0] << ((shift _factor % 4) * 8);
data++; data++;
i++; i++;
shift_factor--; shift_factor--;
option_len--;
bits_left -= 8;
} }
for (uint8_t i = 0; i < 4; i++) for (uint8_t i = 0; i < 4; i++)
{ {
addr[i] = htonl(addr[i]); addr[i] = htonl(addr[i]);
} }
opt.ecs_addr = zeek::make_intrusive<zeek: :AddrVal>(addr); opt.ecs_addr = zeek::make_intrusive<zeek: :AddrVal>(addr);
} }
else else
{ {
// non ipv4/ipv6 family address // non ipv4/ipv6 family address
data += option_len; data += option_len;
break; break;
} }
analyzer->EnqueueConnEvent(dns_EDNS_ecs, analyzer->EnqueueConnEvent(dns_EDNS_ecs,
analyzer->ConnVal(), analyzer->ConnVal(),
msg->BuildHdrVal(), msg->BuildHdrVal(),
msg->BuildEDNS_ECS_Val(&opt) msg->BuildEDNS_ECS_Val(&opt)
); );
data += option_len;
break; break;
} }
default: default:
{ {
data += option_len; data += option_len;
break; break;
} }
} }
} }
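Review bot: The new `EDNS_ECS_invalid_option_len` weird at the top of `case TYPE_ECS` also fires for `option_len == 4`, which is a well-formed option when SOURCE PREFIX-LENGTH is 0 and no ADDRESS octets follow (RFC 7871 lets a client send that to opt out of subnet disclosure). The old code skipped such options silently, so this is likely to appear as noise in the weird log. If that is not intended, the guard could be `if ( option_len < 4 )`: assuming `ExtractShort` decrements `option_len` as the later `option_len * 8` checks imply, the two added prefix checks already stop either address loop from running when no octets remain. It would also help to put a short comment above each `while ( bits_left > 0 )` loop stating that the number of bytes copied is bounded by the validated prefix length (at most 4 or 16 octets) and not by the wire-supplied `option_len`, since that is the point of the rewrite. The enclosing function starts before this section, so the earlier check of `option_len` against `len` is not visible here.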
 End of changes. 10 change blocks. 
6 lines changed or deleted 67 lines changed or added
