"Fossies" - the Fresh Open Source Software Archive

Member "snort-2.9.17/src/decode.c" (16 Oct 2020, 233312 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "decode.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 2.9.16.1_vs_2.9.17.

    1 /* $Id$ */
    2 
    3 /*
    4 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    5 ** Copyright (C) 2002-2013 Sourcefire, Inc.
    6 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
    7 **
    8 ** This program is free software; you can redistribute it and/or modify
    9 ** it under the terms of the GNU General Public License Version 2 as
   10 ** published by the Free Software Foundation.  You may not use, modify or
   11 ** distribute this program under any other version of the GNU General
   12 ** Public License.
   13 **
   14 ** This program is distributed in the hope that it will be useful,
   15 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
   16 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   17 ** GNU General Public License for more details.
   18 **
   19 ** You should have received a copy of the GNU General Public License
   20 ** along with this program; if not, write to the Free Software
   21 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   22 */
   23 
   24 #ifdef HAVE_CONFIG_H
   25 #include "config.h"
   26 #endif
   27 
   28 #ifdef HAVE_STRINGS_H
   29 #include <strings.h>
   30 #endif
   31 
   32 #include <string.h>
   33 #include <stdlib.h>
   34 
   35 #ifdef HAVE_DUMBNET_H
   36 #include <dumbnet.h>
   37 #else
   38 #include <dnet.h>
   39 #endif
   40 
   41 #include "decode.h"
   42 #include "snort.h"
   43 #include "snort_debug.h"
   44 #include "util.h"
   45 #include "detect.h"
   46 #include "checksum.h"
   47 #include "log.h"
   48 #include "generators.h"
   49 #include "event_queue.h"
   50 #include "active.h"
   51 #include "sfxhash.h"
   52 #include "snort_bounds.h"
   53 #include "strlcpyu.h"
   54 #include "sf_iph.h"
   55 #include "fpdetect.h"
   56 #include "profiler.h"
   57 #include "sfActionQueue.h"
   58 #include "mempool.h"
   59 #include "spp_normalize.h"
   60 #include "sfdaq.h"
   61 #include "sfrf.h"
   62 
   63 #ifdef REG_TEST
   64 #include "reg_test.h"
   65 #include <stdio.h>
   66 #endif
   67 
   68 extern tSfActionQueueId decoderActionQ;
   69 extern MemPool decoderAlertMemPool;
   70 
   71 static IpAddrSet *SynToMulticastDstIp = NULL;
   72 static IpAddrSet *MulticastReservedIp = NULL;
   73 #ifdef PERF_PROFILING
   74 PreprocStats decodePerfStats;
   75 #endif
   76 
   77 // Array to check if the decoder rules are enabled in at least one policy
   78 static uint8_t decodeRulesArray[DECODE_INDEX_MAX];
   79 
   80 //--------------------------------------------------------------------
   81 // decode.c::event support
   82 //--------------------------------------------------------------------
   83 
   84 #ifdef NORMALIZER
   85 static inline int ScNormalDrop (NormFlags nf)
   86 {
   87     return Normalize_GetMode(snort_conf, nf) == NORM_MODE_OFF;
   88 }
   89 #else
   90 #define ScNormalDrop(nf) 1
   91 #endif
   92 
   93 static inline void queueExecDrop(
   94     void (*callback)(void *), Packet* p)
   95 {
   96     int ret = sfActionQueueAdd( decoderActionQ, callback, (void*)p);
   97     if (ret == -1)
   98     {
   99         ErrorMessage("Could not add drop event to decoderActionQ\n");
  100     }
  101 }
  102 
  103 // no harm declaring the exec*Drop()s as inline, but since
  104 // the only use is via pointer, these won't get inlined.
  105 static inline void execDecoderDrop (void *data)
  106 {
  107     if ( ScDecoderAlerts() && ScDecoderDrops() )
  108     {
  109         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  110            "Dropping bad packet\n"););
  111         Active_DropSession((Packet*)data);
  112         if (pkt_trace_enabled)
  113             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  114                 "Snort: bad packet decode error, %s\n", getPktTraceActMsg()));
  115         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  116     }
  117 }
  118 
  119 static inline void execIpOptDrop (void *data)
  120 {
  121     if ( ScDecoderIpOptDrops() )
  122     {
  123         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  124            "Dropping bad packet (IP opts)\n"););
  125         Active_DropPacket((Packet*)data);
  126         if (pkt_trace_enabled)
  127             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  128                 "Snort: IP options decode error, %s\n", getPktTraceActMsg()));
  129         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  130     }
  131 }
  132 
  133 static inline void execMinTtlDrop (void *data)
  134 {
  135     if ( ScNormalDrop(NORM_IP4_TTL) &&
  136             ScDecoderAlerts() && ScDecoderDrops() )
  137     {
  138         Packet* p = (Packet*)data;
  139         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  140            "Dropping bad packet (IP4 min TTL)\n"););
  141         p->error_flags |= PKT_ERR_BAD_TTL;
  142         Active_DropPacket(p);
  143         if (pkt_trace_enabled)
  144             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  145                 "Snort: IP4 min TTL error, %s\n", getPktTraceActMsg()));
  146         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  147     }
  148 }
  149 
  150 static inline void execTtlDrop (void *data)
  151 {
  152     if ( ScNormalDrop(NORM_IP4_TTL) )
  153     {
  154         Packet* p = (Packet*)data;
  155         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  156            "Dropping bad packet (IP4 zero TTL)\n"););
  157         p->error_flags |= PKT_ERR_BAD_TTL;
  158         Active_DropPacket(p);
  159         if (pkt_trace_enabled)
  160             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  161                 "Snort: IP4 zero TTL error, %s\n", getPktTraceActMsg()));
  162         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  163     }
  164 }
  165 
  166 static inline void execHopDrop (void *data)
  167 {
  168     if ( ScNormalDrop(NORM_IP6_TTL) )
  169     {
  170         Packet* p = (Packet*)data;
  171         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  172            "Dropping bad packet (IP6 zero hop)\n"););
  173         p->error_flags |= PKT_ERR_BAD_TTL;
  174         Active_DropPacket(p);
  175         if (pkt_trace_enabled)
  176             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  177                 "Snort: IP6 zero hop error, %s\n", getPktTraceActMsg()));
  178         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  179     }
  180 }
  181 
  182 static inline void execIpv6MinTtlDrop (void *data)
  183 {
  184     if ( ScNormalDrop(NORM_IP6_TTL) &&
  185             ScDecoderAlerts() && ScDecoderDrops() )
  186     {
  187         Packet* p = (Packet*)data;
  188         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  189            "Dropping bad packet (IP6 hop limit)\n"););
  190         p->error_flags |= PKT_ERR_BAD_TTL;
  191         Active_DropPacket(p);
  192         if (pkt_trace_enabled)
  193             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  194                 "Snort: IP6 hop limit error, %s\n", getPktTraceActMsg()));
  195         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  196     }
  197 }
  198 
  199 static inline void execTcpOptDrop (void *data)
  200 {
  201     if ( ScDecoderTcpOptDrops() )
  202     {
  203         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  204            "Dropping bad packet (TCP opts)\n"););
  205         Active_DropPacket((Packet*)data);
  206         if (pkt_trace_enabled)
  207             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  208                 "Snort: TCP options decode error, %s\n", getPktTraceActMsg()));
  209         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  210     }
  211 }
  212 
  213 static inline void execTcpOptExpDrop (void *data)
  214 {
  215     if ( ScDecoderTcpOptExpDrops() )
  216     {
  217         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  218            "Dropping bad packet (TCP exp opts)\n"););
  219         Active_DropPacket((Packet*)data);
  220         if (pkt_trace_enabled)
  221             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  222                 "Snort: TCP experimental options decode error, %s\n", getPktTraceActMsg()));
  223         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  224     }
  225 }
  226 
  227 static inline void execTcpOptObsDrop (void *data)
  228 {
  229     if (  ScDecoderTcpOptObsDrops() )
  230     {
  231         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  232            "Dropping bad packet (TCP obs opts)\n"););
  233         Active_DropPacket((Packet*)data);
  234         if (pkt_trace_enabled)
  235             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  236                 "Snort: TCP obsolete options decode error, %s\n", getPktTraceActMsg()));
  237         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  238     }
  239 }
  240 
  241 static inline void execTcpOptTTcpDrop (void *data)
  242 {
  243     if ( ScDecoderTcpOptTTcpDrops() )
  244     {
  245         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  246             "Dropping bad packet (TTCP opts)\n"););
  247         Active_DropPacket((Packet*)data);
  248         if (pkt_trace_enabled)
  249             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  250                 "Snort: Test TCP (TTCP) options decode error, %s\n", getPktTraceActMsg()));
  251         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  252     }
  253 }
  254 
  255 static inline void execIpChksmDrop (void *data)
  256 {
  257     // TBD only set policy csum drop if policy inline
  258     // and delete this inline mode check
  259     if( ScNapInlineMode() && ScIpChecksumDrops() )
  260     {
  261         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  262             "Dropping bad packet (IP checksum)\n"););
  263         Active_NapDropPacket((Packet*)data);
  264         if (pkt_trace_enabled)
  265             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  266                 "Snort: IP checksum error, %s\n", getPktTraceActMsg()));
  267         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  268     }
  269 }
  270 
  271 static inline void execTcpChksmDrop (void *data)
  272 {
  273     if( ScNapInlineMode() && ScTcpChecksumDrops() )
  274     {
  275         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  276             "Dropping bad packet (TCP checksum)\n"););
  277         Active_NapDropPacket((Packet*)data);
  278         if (pkt_trace_enabled)
  279             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  280                 "Snort: TCP checksum error, %s\n", getPktTraceActMsg()));
  281         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  282     }
  283 }
  284 
  285 static inline void execUdpChksmDrop (void *data)
  286 {
  287     if( ScNapInlineMode() && ScUdpChecksumDrops() )
  288     {
  289         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  290             "Dropping bad packet (UDP checksum)\n"););
  291         Active_NapDropPacket((Packet*)data);
  292         if (pkt_trace_enabled)
  293             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  294                 "Snort: UDP checksum error, %s\n", getPktTraceActMsg()));
  295         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  296     }
  297 }
  298 
  299 static inline void execIcmpChksmDrop (void *data)
  300 {
  301     if( ScNapInlineMode() && ScIcmpChecksumDrops() )
  302     {
  303         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  304             "Dropping bad packet (ICMP checksum)\n"););
  305         Active_NapDropPacket((Packet*)data);
  306         if (pkt_trace_enabled)
  307             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  308                 "Snort: ICMP checksum error, %s\n", getPktTraceActMsg()));
  309         else addPktTraceData(VERDICT_REASON_SNORT, 0);
  310     }
  311 }
  312 
  313 void execDecoderEvent(void *data)
  314 {
  315     MemBucket *alertBucket = (MemBucket *)data;
  316     EventNode *en = (EventNode *)alertBucket->data;
  317     int add;
  318 
  319     switch (en->sid)
  320     {
  321         case DECODE_IPV4OPT_BADLEN:
  322         case DECODE_IPV4OPT_TRUNCATED:
  323             add = ScDecoderIpOptAlerts();
  324             break;
  325 
  326         case DECODE_TCPOPT_WSCALE_INVALID:
  327         case DECODE_TCPOPT_BADLEN:
  328         case DECODE_TCPOPT_TRUNCATED:
  329             add = ScDecoderTcpOptAlerts();
  330             break;
  331 
  332         case DECODE_TCPOPT_EXPERIMENT:
  333             add = ScDecoderTcpOptExpAlerts();
  334             break;
  335 
  336         case DECODE_TCPOPT_OBSOLETE:
  337             add = ScDecoderTcpOptObsAlerts();
  338             break;
  339 
  340         case DECODE_TCPOPT_TTCP:
  341             add = ScDecoderTcpOptTTcpAlerts();
  342             break;
  343 
  344         default:
  345             add = ScDecoderAlerts();
  346             break;
  347     }
  348 
  349     if ( add )
  350     {
  351         SnortEventqAdd(en->gid, en->sid, en->rev, en->classification,
  352             en->priority, en->msg, en->rule_info);
  353     }
  354     mempool_free(&decoderAlertMemPool, alertBucket);
  355 }
  356 
  357 void queueDecoderEvent(
  358     unsigned int gid,
  359     unsigned int sid,
  360     unsigned int rev,
  361     unsigned int classification,
  362     unsigned int pri,
  363     const char  *msg,
  364     void        *rule_info)
  365 {
  366     MemBucket *alertBucket;
  367     EventNode *en;
  368     int ret;
  369 
  370     alertBucket = (MemBucket *)mempool_alloc(&decoderAlertMemPool);
  371     if(!alertBucket)
  372         return;
  373 
  374     en = (EventNode *)alertBucket->data;
  375     en->gid = gid;
  376     en->sid = sid;
  377     en->rev = rev;
  378     en->classification = classification;
  379     en->priority = pri;
  380     en->msg = msg;
  381     en->rule_info = (OptTreeNode *) rule_info;
  382 
  383     ret = sfActionQueueAdd( decoderActionQ, execDecoderEvent, alertBucket);
  384     if (ret == -1)
  385     {
  386         ErrorMessage("Could not add event to decoderActionQ\n");
  387         mempool_free(&decoderAlertMemPool, alertBucket);
  388     }
  389 }
  390 
  391 static inline void DecoderEvent (
  392     Packet *p, int sid, const char *str, int event_flag, int drop_flag)
  393 {
  394     if ( ScLogVerbose() )
  395         ErrorMessage("%s\n", str);
  396 
  397     if (ScIdsMode() && event_flag)
  398     {
  399         queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1,
  400             DECODE_CLASS, 3, str, 0);
  401 
  402         if ( drop_flag )
  403         {
  404             queueExecDrop(execDecoderDrop, p);
  405             if (pkt_trace_enabled)
  406                 addPktTraceData(VERDICT_REASON_NO_BLOCK, snprintf(trace_line, MAX_TRACE_LINE,
  407                     "Snort: gid %u, sid %u, bad packet queued for decoder drop\n", GENERATOR_SNORT_DECODE, sid));
  408         }
  409     }
  410 }
  411 
  412 static inline void DecoderOptEvent (
  413     Packet *p, int sid, char *str, int event_flag, int drop_flag,
  414     void (*callback)(void*) )
  415 {
  416     if ( ScLogVerbose() )
  417         ErrorMessage("%s\n", str);
  418 
  419     if (ScIdsMode() && event_flag)
  420     {
  421         queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1,
  422             DECODE_CLASS, 3, str, 0);
  423 
  424         if ( drop_flag )
  425         {
  426             queueExecDrop(callback, p);
  427         }
  428     }
  429 }
  430 
  431 static inline void DecoderEventDrop (
  432     Packet *p, int sid, char *str, int event_flag, int drop_flag)
  433 {
  434     if ( ScLogVerbose() )
  435         ErrorMessage("%s\n", str);
  436 
  437     if (ScIdsMode() && event_flag)
  438     {
  439         queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1,
  440             DECODE_CLASS, 3, str, 0);
  441 
  442         if ( drop_flag )
  443         {
  444             Active_DropPacket(p);
  445             if (pkt_trace_enabled)
  446                 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
  447                     "Snort: decoder gid %u, sid %u, %s\n", GENERATOR_SNORT_DECODE, sid, getPktTraceActMsg()));
  448             else addPktTraceData(VERDICT_REASON_SNORT, 0);
  449         }
  450     }
  451 }
  452 
  453 void DecoderAlertEncapsulated(
  454     Packet *p, int type, const char *str, const uint8_t *pkt, uint32_t len)
  455 {
  456     DecoderEvent(p, type, str, 1, 1);
  457 
  458     p->data = pkt;
  459     p->dsize = (uint16_t)len;
  460 
  461     p->greh = NULL;
  462 }
  463 
  464 #define EVARGS(ID) DECODE_ ## ID, DECODE_ ## ID ## _STR
  465 
  466 static inline int Event_Enabled(int sid)
  467 {
  468     return ( decodeRulesArray[sid] );
  469 }
  470 
  471 //--------------------------------------------------------------------
  472 // decode.c::miscellaneous public methods and helper functions
  473 //--------------------------------------------------------------------
  474 
  475 #if defined(WORDS_MUSTALIGN) && !defined(__GNUC__)
  476 uint32_t EXTRACT_32BITS (u_char *p)
  477 {
  478   uint32_t __tmp;
  479 
  480   memmove(&__tmp, p, sizeof(uint32_t));
  481   return (uint32_t) ntohl(__tmp);
  482 }
  483 #endif /* WORDS_MUSTALIGN && !__GNUC__ */
  484 
  485 void InitSynToMulticastDstIp( struct _SnortConfig *sc )
  486 {
  487     // Multicast addresses pursuant to RFC 5771
  488     SynToMulticastDstIp = IpAddrSetParse(sc, "[224.0.0.0/4]");
  489 
  490     if( SynToMulticastDstIp == NULL )
  491     {
  492         FatalError("Could not initialize SynToMulticastDstIp\n");
  493     }
  494 }
  495 
  496 void InitMulticastReservedIp( struct _SnortConfig *sc )
  497 {
  498     // Reserved addresses within multicast address space (See RFC 5771)
  499     MulticastReservedIp = IpAddrSetParse(sc,
  500             "[224.1.0.0/16,224.5.0.0/16,224.6.0.0/15,224.8.0.0/13,224.16.0.0/12,"
  501              "224.32.0.0/11,224.64.0.0/10,224.128.0.0/9,225.0.0.0/8,226.0.0.0/7,"
  502              "228.0.0.0/6,234.0.0.0/7,236.0.0.0/7,238.0.0.0/8]");
  503 
  504     if( MulticastReservedIp == NULL )
  505     {
  506         FatalError("Could not initialize MulticastReservedIp\n");
  507     }
  508 }
  509 
  510 void SynToMulticastDstIpDestroy( void )
  511 {
  512     if( SynToMulticastDstIp )
  513     {
  514         IpAddrSetDestroy(SynToMulticastDstIp);
  515     }
  516 }
  517 
  518 void MulticastReservedIpDestroy( void )
  519 {
  520     if( MulticastReservedIp )
  521     {
  522         IpAddrSetDestroy(MulticastReservedIp);
  523     }
  524 }
  525 
  526 static inline void CheckIPv4_MinTTL(Packet *p, uint8_t ttl)
  527 {
  528 
  529     // this sequence of tests is best for the "normal" case where
  530     // the packet ttl is >= the configured min (the default is 1)
  531     if( ttl < ScMinTTL() )
  532     {
  533         if ( Event_Enabled(DECODE_ZERO_TTL) && (ttl == 0) )
  534         {
  535             DecoderOptEvent(p, DECODE_ZERO_TTL, DECODE_ZERO_TTL_STR,
  536                     1, 1, execTtlDrop);
  537         }
  538         else if ( Event_Enabled(DECODE_IP4_MIN_TTL) )
  539         {
  540             DecoderOptEvent(p, DECODE_IP4_MIN_TTL, DECODE_IP4_MIN_TTL_STR,
  541                     1, 1, execMinTtlDrop);
  542         }
  543     }
  544 }
  545 
  546 static inline void CheckIPv6_MinTTL(Packet *p, uint8_t hop_limit)
  547 {
  548     // this sequence of tests is best for the "normal" case where
  549     // the packet ttl is >= the configured min (the default is 1)
  550     if( hop_limit < ScMinTTL() )
  551     {
  552         if ( Event_Enabled(DECODE_IP6_ZERO_HOP_LIMIT) && (hop_limit == 0) )
  553         {
  554             DecoderOptEvent(p, DECODE_IP6_ZERO_HOP_LIMIT,
  555                    DECODE_IP6_ZERO_HOP_LIMIT_STR, 1, 1, execHopDrop);
  556         }
  557         else if ( Event_Enabled(DECODE_IPV6_MIN_TTL) )
  558         {
  559             DecoderOptEvent(p, DECODE_IPV6_MIN_TTL,
  560                     DECODE_IPV6_MIN_TTL_STR, 1, 1, execIpv6MinTtlDrop);
  561         }
  562     }
  563 }
  564 
  565 /* Decoding of ttl/hop_limit is based on the policy min_ttl */
  566 static inline void DecodeIP_MinTTL(Packet *p)
  567 {
  568     switch(p->outer_family)
  569     {
  570         case AF_INET:
  571             CheckIPv4_MinTTL( p, p->outer_ip4h.ip_ttl);
  572             return;
  573 
  574         case AF_INET6:
  575             CheckIPv6_MinTTL( p, p->outer_ip6h.hop_lmt);
  576             return;
  577 
  578         default:
  579             break;
  580     }
  581 
  582     switch(p->family)
  583     {
  584         case AF_INET:
  585             CheckIPv4_MinTTL( p, p->ip4h->ip_ttl);
  586             return;
  587 
  588         case AF_INET6:
  589             CheckIPv6_MinTTL( p, p->ip6h->hop_lmt);
  590             return;
  591 
  592         default:
  593             break;
  594     }
  595 
  596     return;
  597 }
  598 
  599 /* Any policy specific decoding should be done in this function which is called by ProcessPacket*/
  600 void DecodePolicySpecific(Packet *p)
  601 {
  602     DecodeIP_MinTTL(p);
  603 }
  604 
  605 /* This function enables or disables the decoder rule. value can only be 0 or 1*/
  606 void UpdateDecodeRulesArray(uint32_t sid, int value, int all_rules)
  607 {
  608     int i;
  609 
  610     if ( all_rules )
  611     {
  612         for( i = 0; i < DECODE_INDEX_MAX; i++ )
  613             decodeRulesArray[i] = ( value != 0 );
  614     }
  615     else if ( sid < DECODE_INDEX_MAX )
  616     {
  617         decodeRulesArray[sid] = ( value != 0 );
  618     }
  619 }
  620 
  621 static ThrottleInfo log_throttleInfo = {0, 60, 0, 100};
  622 
  623 // this must be called iff the layer is successfully decoded because, when
  624 // enabled, the normalizer assumes that the encoding is structurally sound
  625 static inline void PushLayer(PROTO_ID type, Packet* p, const uint8_t* hdr, uint32_t len)
  626 {
  627     if ( p->next_layer < LAYER_MAX )
  628     {
  629         Layer* lyr = p->layers + p->next_layer++;
  630         lyr->proto = type;
  631         lyr->start = (uint8_t*)hdr;
  632         lyr->length = (uint16_t)len;
  633     }
  634     else
  635     {
  636         LogThrottledByTimeCount(&log_throttleInfo,
  637                 "(snort_decoder) WARNING: Too many levels for decoding;"
  638                 "next proto is %u.\n", type);
  639         SnortEventqAdd(GENERATOR_SNORT_DECODE,
  640                 DECODE_DECODING_DEPTH_EXCEEDED,
  641                 1,
  642                 0,
  643                 1,
  644                 DECODE_DECODING_DEPTH_EXCEEDED_STR,
  645                 NULL);
  646         pc.alert_pkts++;
  647     }
  648 }
  649 
  650 //--------------------------------------------------------------------
  651 // decode.c::ARP
  652 //--------------------------------------------------------------------
  653 
  654 /*
  655  * Function: DecodeARP(uint8_t *, uint32_t, Packet *)
  656  *
  657  * Purpose: Decode ARP stuff
  658  *
  659  * Arguments: pkt => ptr to the packet data
  660  *            len => length from here to the end of the packet
  661  *            p   => pointer to decoded packet struct
  662  *
  663  * Returns: void function
  664  */
  665 void DecodeARP(const uint8_t * pkt, uint32_t len, Packet * p)
  666 {
  667     pc.arp++;
  668 
  669 #ifdef GRE
  670     if (p->greh != NULL)
  671         pc.gre_arp++;
  672 #endif
  673 
  674     p->ah = (EtherARP *) pkt;
  675 
  676     if(len < sizeof(EtherARP))
  677     {
  678         DecoderEvent(p, DECODE_ARP_TRUNCATED,
  679                         DECODE_ARP_TRUNCATED_STR, 1, 1);
  680 
  681         pc.discards++;
  682         return;
  683     }
  684 
  685     p->proto_bits |= PROTO_BIT__ARP;
  686     PushLayer(PROTO_ARP, p, pkt, sizeof(*p->ah));
  687 }
  688 
  689 //--------------------------------------------------------------------
  690 // decode.c::NULL and Loopback
  691 //--------------------------------------------------------------------
  692 
  693 /*
  694  * Function: DecodeNullPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*)
  695  *
  696  * Purpose: Decoding on loopback devices.
  697  *
  698  * Arguments: p => pointer to decoded packet struct
  699  *            user => Utility pointer, unused
  700  *            pkthdr => ptr to the packet header
  701  *            pkt => pointer to the real live packet data
  702  *
  703  * Returns: void function
  704  */
  705 void DecodeNullPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
  706 {
  707     uint32_t cap_len = pkthdr->caplen;
  708     PROFILE_VARS;
  709 
  710     PREPROC_PROFILE_START(decodePerfStats);
  711 
  712     pc.total_processed++;
  713 
  714     memset(p, 0, PKT_ZERO_LEN);
  715 
  716     p->pkth = pkthdr;
  717     p->pkt = pkt;
  718 
  719     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); );
  720 
  721     /* do a little validation */
  722     if(cap_len < NULL_HDRLEN)
  723     {
  724         if (ScLogVerbose())
  725         {
  726             ErrorMessage("NULL header length < captured len! (%d bytes)\n",
  727                     cap_len);
  728         }
  729 
  730         PREPROC_PROFILE_END(decodePerfStats);
  731         return;
  732     }
  733 
  734     DecodeIP(p->pkt + NULL_HDRLEN, cap_len - NULL_HDRLEN, p);
  735     PREPROC_PROFILE_END(decodePerfStats);
  736 }
  737 
  738 /*
  739  * Function: DecodeEthLoopback(uint8_t *, uint32_t)
  740  *
  741  * Purpose: Just like IPX, it's just for counting.
  742  *
  743  * Arguments: pkt => ptr to the packet data
  744  *            len => length from here to the end of the packet
  745  *
  746  * Returns: void function
  747  */
  748 void DecodeEthLoopback(const uint8_t *pkt, uint32_t len, Packet *p)
  749 {
  750     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "EthLoopback is not supported.\n"););
  751 
  752     pc.ethloopback++;
  753 
  754 #ifdef GRE
  755     if (p->greh != NULL)
  756         pc.gre_loopback++;
  757 #endif
  758 
  759     return;
  760 }
  761 
  762 //--------------------------------------------------------------------
  763 // decode.c::Ethernet
  764 //--------------------------------------------------------------------
  765 void DecodeEthTypes(Packet *p, const uint8_t *pkt, uint16_t ethtype, uint32_t cap_len, uint8_t linklen);
  766 
  767 void DecodeCiscoMeta(const uint8_t *pkt, uint32_t rem_len, Packet *p)
  768 {
  769     uint16_t real_len;
  770     uint16_t realeth;
  771     int16_t cmdh_rem_len;
  772     uint8_t i;
  773 
  774     if (rem_len < CISCO_META_PREHEADER_LEN)
  775     {
  776         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  777             "WARNING: Truncated Cisco Metadata header (%d bytes).\n", rem_len););
  778 
  779         if ( Event_Enabled(DECODE_CISCO_META_HDR_TRUNC) )
  780             DecoderEvent(p, EVARGS(CISCO_META_HDR_TRUNC), 1, 1);
  781 
  782         pc.discards++;
  783         return;
  784     }
  785 
  786     p->cmdh = (CiscoMetaHdr*)pkt;
  787     p->cmd_options = (CiscoMetaOpt*)(pkt + sizeof(CiscoMetaHdr));
  788     cmdh_rem_len = p->cmdh->length << 3;
  789 
  790     /* validate CMD tag header */
  791     if(rem_len < cmdh_rem_len || cmdh_rem_len == 0)
  792     {
  793         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  794             "WARNING: Truncated Cisco Metadata header (%d bytes).\n", rem_len););
  795 
  796         if ( Event_Enabled(DECODE_CISCO_META_HDR_TRUNC) )
  797             DecoderEvent(p, EVARGS(CISCO_META_HDR_TRUNC), 1, 1);
  798 
  799         pc.discards++;
  800         return;
  801     }
  802 
  803     /* validate options, lengths, and SGTs*/
  804     cmdh_rem_len -= sizeof(CiscoMetaHdr) + sizeof(uint16_t); //2 octects for ethertype
  805     if(cmdh_rem_len == 0)
  806         p->cmd_options = NULL;
  807 
  808     for(i = 0; cmdh_rem_len > 0; i++)
  809     {
  810         CiscoMetaOpt *opt;
  811         uint8_t len;
  812         uint16_t type;
  813 
  814         /* Top 3 bits (length) must be equal to 0 or 4 */
  815         /* Bottom 13 bits (type) must be 1 to indicate SGT*/
  816         opt = &p->cmd_options[i];
  817         len = ntohs(opt->opt_len_type) >> CISCO_META_OPT_LEN_SHIFT;
  818         type = ntohs(opt->opt_len_type) & CISCO_META_OPT_TYPE_MASK;
  819 
  820         /* 0 indicates 4 octets */
  821         if(len != 0 && len != 4)
  822         {
  823             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  824                 "WARNING: Invalid Cisco Metadata option length (%u bytes).\n", (uint32_t)len););
  825 
  826             if ( Event_Enabled(DECODE_CISCO_META_HDR_OPT_LEN) )
  827                 DecoderEvent(p, EVARGS(CISCO_META_HDR_OPT_LEN), 1, 1);
  828 
  829             pc.discards++;
  830             return;
  831         }
  832 
  833         if(type != CISCO_META_OPT_TYPE_SGT)
  834         {
  835             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  836                 "WARNING: Invalid Cisco Metadata option type (%u).\n", (uint32_t)len););
  837 
  838             if ( Event_Enabled(DECODE_CISCO_META_HDR_OPT_TYPE) )
  839                 DecoderEvent(p, EVARGS(CISCO_META_HDR_OPT_TYPE), 1, 1);
  840 
  841             pc.discards++;
  842             return;
  843         }
  844 
  845         /* Tag value 0xFFFF is invalid */
  846         if(opt->sgt == 0xFFFF)
  847         {
  848             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  849                 "WARNING: Invalid Cisco Metadata SGT (0xFFFF).\n"););
  850 
  851             if ( Event_Enabled(DECODE_CISCO_META_HDR_SGT) )
  852                 DecoderEvent(p, EVARGS(CISCO_META_HDR_SGT), 1, 1);
  853 
  854             pc.discards++;
  855             return;
  856 
  857         }
  858         cmdh_rem_len -= sizeof(CiscoMetaOpt);
  859     }
  860 
  861     /* Move to next header */
  862     real_len = p->cmdh->length << 3;
  863     realeth = ntohs(*((uint16_t*) (pkt + real_len - sizeof(uint16_t)))); //The last 2 octets of the header will be the real ethtype
  864     PushLayer(PROTO_CISCO_META, p, pkt, real_len);
  865 
  866     //Decode the real ethtype
  867     DecodeEthTypes(p, pkt, realeth, rem_len, real_len);
  868 }
  869 
  870 /* Handles ethtypes. Used for ethtypes that chain to other ethtypes */
  871 void DecodeEthTypes(Packet *p, const uint8_t *pkt, uint16_t ethtype, uint32_t cap_len, uint8_t linklen)
  872 {
  873     /* grab out the network type */
  874     switch(ethtype)
  875     {
  876         case ETHERNET_TYPE_IP:
  877             DEBUG_WRAP(
  878                     DebugMessage(DEBUG_DECODE,
  879                         "IP datagram size calculated to be %lu bytes\n",
  880                         (unsigned long)(cap_len - linklen));
  881                     );
  882 
  883             DecodeIP(pkt + linklen,
  884                     cap_len - linklen, p);
  885 
  886             return;
  887 
  888         case ETHERNET_TYPE_ARP:
  889         case ETHERNET_TYPE_REVARP:
  890             DecodeARP(pkt + linklen,
  891                     cap_len - linklen, p);
  892             return;
  893 
  894         case ETHERNET_TYPE_IPV6:
  895             DecodeIPV6(pkt + linklen,
  896                     (cap_len - linklen), p);
  897             return;
  898 
  899         case ETHERNET_TYPE_PPPoE_DISC:
  900         case ETHERNET_TYPE_PPPoE_SESS:
  901             DecodePPPoEPkt(pkt + linklen,
  902                     (cap_len - linklen), p);
  903             return;
  904 
  905 #ifndef NO_NON_ETHER_DECODER
  906         case ETHERNET_TYPE_IPX:
  907             DecodeIPX(pkt + linklen,
  908                     (cap_len - linklen), p);
  909             return;
  910 #endif
  911 
  912         case ETHERNET_TYPE_LOOP:
  913             DecodeEthLoopback(pkt + linklen,
  914                     (cap_len - linklen), p);
  915             return;
  916 
  917         case ETHERNET_TYPE_8021Q:
  918         case ETHERNET_TYPE_8021AD:
  919         case ETHERNET_TYPE_QINQ_NS1:
  920         case ETHERNET_TYPE_QINQ_NS2:
  921             DecodeVlan(pkt + linklen,
  922                     cap_len - linklen, p);
  923             return;
  924 #ifdef MPLS
  925         case ETHERNET_TYPE_MPLS_MULTICAST:
  926             if(!ScMplsMulticast())
  927             {
  928                 //additional check for DecoderAlerts will be done now.
  929                 DecoderEvent(p, DECODE_BAD_MPLS, DECODE_MULTICAST_MPLS_STR, 1, 1);
  930             }
  931         case ETHERNET_TYPE_MPLS_UNICAST:
  932             DecodeMPLS(pkt + linklen,
  933                 cap_len - linklen, p);
  934             return;
  935 #endif
  936         case ETHERNET_TYPE_CISCO_META:
  937             DecodeCiscoMeta(pkt + linklen,
  938                 cap_len - linklen, p);
  939             return;
  940         default:
  941             // TBD add decoder drop event for unknown eth type
  942             pc.other++;
  943             return;
  944     }
  945 }
  946 
  947 /*
  948  * Function: DecodeEthPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*)
  949  *
  950  * Purpose: Decode those fun loving ethernet packets, one at a time!
  951  *
  952  * Arguments: p => pointer to the decoded packet struct
  953  *            user => Utility pointer (unused)
  954  *            pkthdr => ptr to the packet header
  955  *            pkt => pointer to the real live packet data
  956  *
  957  * Returns: void function
  958  */
  959 void DecodeEthPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
  960 {
  961     uint32_t cap_len = pkthdr->caplen;
  962     uint32_t rem_len = cap_len;
  963     uint8_t linklen = ETHERNET_HEADER_LEN;
  964     PROFILE_VARS;
  965 
  966     PREPROC_PROFILE_START(decodePerfStats);
  967     pc.eth++;
  968     pc.total_processed++;
  969 
  970     memset(p, 0, PKT_ZERO_LEN);
  971 
  972     p->pkth = pkthdr;
  973     p->pkt = pkt;
  974 
  975     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");
  976             DebugMessage(DEBUG_DECODE, "caplen: %lu    pktlen: %lu\n",
  977                 (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);
  978             );
  979 
  980     while(true)
  981     {
  982     /* do a little validation */
  983         if(rem_len < ETHERNET_HEADER_LEN)
  984         {
  985             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
  986                 "WARNING: Truncated eth header (%d bytes).\n", rem_len););
  987 
  988             if ( Event_Enabled(DECODE_ETH_HDR_TRUNC) )
  989                 DecoderEvent(p, EVARGS(ETH_HDR_TRUNC), 1, 1);
  990 
  991             pc.discards++;
  992             pc.ethdisc++;
  993             PREPROC_PROFILE_END(decodePerfStats);
  994             return;
  995         }
  996 
  997         /* lay the ethernet structure over the packet data */
  998         p->eh = (EtherHdr *) pkt;
  999 
 1000         /* check if this is a FabricPath header */
 1001         if(ntohs(p->eh->ether_type) == ETHERNET_TYPE_FPATH)
 1002         {
 1003             /* do a little validation */
 1004             if(rem_len < FABRICPATH_HEADER_LEN)
 1005             {
 1006                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 1007                     "WARNING: Truncated FabricPath header (%d bytes).\n", rem_len););
 1008 
 1009                 if ( Event_Enabled(DECODE_FPATH_HDR_TRUNC) )
 1010                     DecoderEvent(p, EVARGS(FPATH_HDR_TRUNC), 1, 1);
 1011 
 1012                 pc.discards++;
 1013                 PREPROC_PROFILE_END(decodePerfStats);
 1014                 return;
 1015             }
 1016             /* strip FabricPath header*/
 1017             PushLayer(PROTO_FPATH, p, pkt, FABRICPATH_HEADER_LEN);
 1018             pkt += FABRICPATH_HEADER_LEN;
 1019             linklen += FABRICPATH_HEADER_LEN;
 1020             rem_len -= FABRICPATH_HEADER_LEN;
 1021         }
 1022 
 1023 
 1024         else
 1025             break;
 1026     }
 1027     PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh));
 1028 
 1029     DEBUG_WRAP(
 1030             DebugMessage(DEBUG_DECODE, "%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X\n",
 1031                 p->eh->ether_src[0],
 1032                 p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3],
 1033                 p->eh->ether_src[4], p->eh->ether_src[5], p->eh->ether_dst[0],
 1034                 p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3],
 1035                 p->eh->ether_dst[4], p->eh->ether_dst[5]);
 1036             );
 1037     DEBUG_WRAP(
 1038             DebugMessage(DEBUG_DECODE, "type:0x%X len:0x%X\n",
 1039                 ntohs(p->eh->ether_type), p->pkth->pktlen)
 1040             );
 1041     DecodeEthTypes(p, p->pkt, ntohs(p->eh->ether_type), cap_len, linklen);
 1042     PREPROC_PROFILE_END(decodePerfStats);
 1043 }
 1044 
 1045 #ifdef GRE
 1046 /*
 1047  * Function: DecodeTransBridging(uint8_t *, const uint32_t, Packet)
 1048  *
 1049  * Purpose: Decode Transparent Ethernet Bridging
 1050  *
 1051  * Arguments: pkt => pointer to the real live packet data
 1052  *            len => length of remaining data in packet
 1053  *            p => pointer to the decoded packet struct
 1054  *
 1055  *
 1056  * Returns: void function
 1057  *
 1058  * Note: This is basically the code from DecodeEthPkt but the calling
 1059  * convention needed to be changed and the stuff at the beginning
 1060  * wasn't needed since we are already deep into the packet
 1061  */
 1062 void DecodeTransBridging(const uint8_t *pkt, const uint32_t len, Packet *p)
 1063 {
 1064     pc.gre_eth++;
 1065 
 1066     if(len < ETHERNET_HEADER_LEN)
 1067     {
 1068         DecoderAlertEncapsulated(p, DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR,
 1069                         DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR,
 1070                         pkt, len);
 1071         return;
 1072     }
 1073 
 1074     /* The Packet struct's ethernet header will now point to the inner ethernet
 1075      * header of the packet
 1076      */
 1077     p->eh = (EtherHdr *)pkt;
 1078     PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh));
 1079 
 1080     switch (ntohs(p->eh->ether_type))
 1081     {
 1082         case ETHERNET_TYPE_IP:
 1083             DecodeIP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
 1084             return;
 1085 
 1086         case ETHERNET_TYPE_ARP:
 1087         case ETHERNET_TYPE_REVARP:
 1088             DecodeARP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
 1089             return;
 1090 
 1091         case ETHERNET_TYPE_IPV6:
 1092             DecodeIPV6(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
 1093             return;
 1094 
 1095 #ifndef NO_NON_ETHER_DECODER
 1096         case ETHERNET_TYPE_IPX:
 1097             DecodeIPX(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
 1098             return;
 1099 #endif
 1100 
 1101         case ETHERNET_TYPE_LOOP:
 1102             DecodeEthLoopback(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
 1103             return;
 1104 
 1105         case ETHERNET_TYPE_8021Q:
 1106             DecodeVlan(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
 1107             return;
 1108 
 1109         default:
 1110             // TBD add decoder drop event for unknown xbrdg/eth type
 1111             pc.other++;
 1112             p->data = pkt + ETHERNET_HEADER_LEN;
 1113             p->dsize = (uint16_t)(len - ETHERNET_HEADER_LEN);
 1114             return;
 1115     }
 1116 }
 1117 #endif  /* GRE */
 1118 
 1119 //--------------------------------------------------------------------
 1120 // decode.c::MPLS
 1121 //--------------------------------------------------------------------
 1122 
 1123 #ifdef MPLS
 1124 /*
 1125  * check if reserved labels are used properly
 1126  */
 1127 static int checkMplsHdr(uint32_t label, uint8_t exp, uint8_t bos, uint8_t ttl, Packet *p)
 1128 {
 1129     int iRet = 0;
 1130     switch(label)
 1131     {
 1132         case 0:
 1133         case 2:
 1134                /* check if this label is the bottom of the stack */
 1135                if(bos)
 1136                {
 1137                    if ( label == 0 )
 1138                        iRet = MPLS_PAYLOADTYPE_IPV4;
 1139                    else if ( label == 2 )
 1140                        iRet = MPLS_PAYLOADTYPE_IPV6;
 1141 
 1142 
 1143                    /* when label == 2, IPv6 is expected;
 1144                     * when label == 0, IPv4 is expected */
 1145                    if((label&&(ScMplsPayloadType() != MPLS_PAYLOADTYPE_IPV6))
 1146                        ||((!label)&&(ScMplsPayloadType() != MPLS_PAYLOADTYPE_IPV4)))
 1147                    {
 1148                         if( !label )
 1149                             DecoderEvent(p, DECODE_BAD_MPLS_LABEL0,
 1150                                             DECODE_BAD_MPLS_LABEL0_STR, 1, 1);
 1151                         else
 1152                             DecoderEvent(p, DECODE_BAD_MPLS_LABEL2,
 1153                                             DECODE_BAD_MPLS_LABEL2_STR, 1, 1);
 1154                    }
 1155                    break;
 1156                }
 1157 
 1158 #if 0
 1159                /* This is valid per RFC 4182.  Just pop this label off, ignore it
 1160                 * and move on to the next one.
 1161                 */
 1162                if( !label )
 1163                    DecoderEvent(p, DECODE_BAD_MPLS_LABEL0,
 1164                                    DECODE_BAD_MPLS_LABEL0_STR, 1, 1);
 1165                else
 1166                    DecoderEvent(p, DECODE_BAD_MPLS_LABEL2,
 1167                                    DECODE_BAD_MPLS_LABEL2_STR, 1, 1);
 1168 
 1169                pc.discards++;
 1170                p->iph = NULL;
 1171                p->family = NO_IP;
 1172                return(-1);
 1173 #endif
 1174                break;
 1175         case 1:
 1176                if(!bos) break;
 1177 
 1178                DecoderEvent(p, DECODE_BAD_MPLS_LABEL1,
 1179                                DECODE_BAD_MPLS_LABEL1_STR, 1, 1);
 1180 
 1181                pc.discards++;
 1182                p->iph = NULL;
 1183                p->family = NO_IP;
 1184                iRet = MPLS_PAYLOADTYPE_ERROR;
 1185                break;
 1186 
 1187         case 3:
 1188                DecoderEvent(p, DECODE_BAD_MPLS_LABEL3,
 1189                                DECODE_BAD_MPLS_LABEL3_STR, 1, 1);
 1190 
 1191                pc.discards++;
 1192                p->iph = NULL;
 1193                p->family = NO_IP;
 1194                iRet = MPLS_PAYLOADTYPE_ERROR;
 1195                break;
 1196         case 4:
 1197         case 5:
 1198         case 6:
 1199         case 7:
 1200         case 8:
 1201         case 9:
 1202         case 10:
 1203         case 11:
 1204         case 12:
 1205         case 13:
 1206         case 14:
 1207         case 15:
 1208                 DecoderEvent(p, DECODE_MPLS_RESERVED_LABEL,
 1209                                 DECODE_MPLS_RESERVEDLABEL_STR, 1, 1);
 1210                 break;
 1211         default:
 1212                 break;
 1213     }
 1214     if ( !iRet )
 1215     {
 1216         iRet = ScMplsPayloadType();
 1217     }
 1218     return iRet;
 1219 }
 1220 
 1221 void DecodeMPLS(const uint8_t* pkt, const uint32_t len, Packet* p)
 1222 {
 1223     uint32_t* tmpMplsHdr;
 1224     uint32_t mpls_h;
 1225     uint32_t label;
 1226     uint32_t mlen = 0;
 1227 
 1228     uint8_t exp;
 1229     uint8_t bos = 0;
 1230     uint8_t ttl;
 1231     uint8_t chainLen = 0;
 1232     uint32_t stack_len = len;
 1233 
 1234     int iRet = 0;
 1235 
 1236     pc.mpls++;
 1237     UpdateMPLSStats(&sfBase, len, Active_PacketWasDropped());
 1238     tmpMplsHdr = (uint32_t *) pkt;
 1239     p->mpls = NULL;
 1240 
 1241     while (!bos)
 1242     {
 1243         if(stack_len < MPLS_HEADER_LEN)
 1244         {
 1245             DecoderEvent(p, DECODE_BAD_MPLS, DECODE_BAD_MPLS_STR, 1, 1);
 1246 
 1247             pc.discards++;
 1248             p->iph = NULL;
 1249             p->family = NO_IP;
 1250             return;
 1251         }
 1252 
 1253         mpls_h  = ntohl(*tmpMplsHdr);
 1254         ttl = (uint8_t)(mpls_h & 0x000000FF);
 1255         mpls_h = mpls_h>>8;
 1256         bos = (uint8_t)(mpls_h & 0x00000001);
 1257         exp = (uint8_t)(mpls_h & 0x0000000E);
 1258         label = (mpls_h>>4) & 0x000FFFFF;
 1259 
 1260         if((label<NUM_RESERVED_LABELS)&&((iRet = checkMplsHdr(label, exp, bos, ttl, p)) < 0))
 1261             return;
 1262 
 1263         if( bos )
 1264         {
 1265             p->mplsHdr.label = label;
 1266             p->mplsHdr.exp = exp;
 1267             p->mplsHdr.bos = bos;
 1268             p->mplsHdr.ttl = ttl;
 1269             /**
 1270             p->mpls = &(p->mplsHdr);
 1271             **/
 1272             p->mpls = tmpMplsHdr;
 1273             if(!iRet)
 1274             {
 1275                 iRet = ScMplsPayloadType();
 1276             }
 1277         }
 1278         tmpMplsHdr++;
 1279         stack_len -= MPLS_HEADER_LEN;
 1280 
 1281         if ((ScMplsStackDepth() != -1) && (chainLen++ >= ScMplsStackDepth()))
 1282         {
 1283             DecoderEvent(p, DECODE_MPLS_LABEL_STACK,
 1284                             DECODE_MPLS_LABEL_STACK_STR, 1, 1);
 1285 
 1286             pc.discards++;
 1287             p->iph = NULL;
 1288             p->family = NO_IP;
 1289             return;
 1290         }
 1291     }   /* while bos not 1, peel off more labels */
 1292 
 1293     mlen = (uint8_t*)tmpMplsHdr - pkt;
 1294     PushLayer(PROTO_MPLS, p, pkt, mlen);
 1295     mlen = len - mlen;
 1296 
 1297     if ( ScTunnelBypassEnabled(TUNNEL_MPLS) )
 1298         Active_SetTunnelBypass();
 1299 
 1300 #ifdef MPLS_RFC4023_SUPPORT
 1301     /* Currently, this additional check for MPLS payload type presumes:
 1302      * Only IPv4 or IPv6 payloads are supported (based on code inspection).
 1303      *
 1304      * If MPLS payload type is Ethernet or PWE extensions, the following
 1305      * functions:
 1306      *
 1307      *    ScMplsPayloadCheck
 1308      *    checkMplsHdr and
 1309      *    ScMplsPayloadType
 1310      *
 1311      * must be revisited for performance and payload type checks as against,
 1312      * static assignment from SnortConfig: sc->mpls_payload_type
 1313      */
 1314     iRet = ScMplsPayloadCheck(*(uint8_t *)tmpMplsHdr, iRet);
 1315 #endif
 1316 
 1317     p->non_ip_pkt = 1;
 1318 
 1319     switch (iRet)
 1320     {
 1321         case MPLS_PAYLOADTYPE_IPV4:
 1322             DecodeIP((uint8_t *)tmpMplsHdr, mlen, p);
 1323             break;
 1324 
 1325         case MPLS_PAYLOADTYPE_IPV6:
 1326             DecodeIPV6((uint8_t *)tmpMplsHdr, mlen, p);
 1327             break;
 1328 
 1329         case MPLS_PAYLOADTYPE_ETHERNET:
 1330             DecodeEthOverMPLS((uint8_t *)tmpMplsHdr, mlen, p);
 1331             break;
 1332 
 1333         default:
 1334             break;
 1335     }
 1336     return;
 1337 }
 1338 
 1339 void DecodeEthOverMPLS(const uint8_t* pkt, const uint32_t len, Packet* p)
 1340 {
 1341     /* do a little validation */
 1342     if(len < ETHERNET_HEADER_LEN)
 1343     {
 1344         if (ScLogVerbose())
 1345         {
 1346             ErrorMessage("Captured data length < Ethernet header length!"
 1347                          " (%d bytes)\n", len);
 1348         }
 1349 
 1350         p->iph = NULL;
 1351         p->family = NO_IP;
 1352         // TBD add decoder drop event for eth over MPLS cap len issue
 1353         pc.discards++;
 1354         pc.ethdisc++;
 1355         return;
 1356     }
 1357 
 1358     /* lay the ethernet structure over the packet data */
 1359     p->eh = (EtherHdr *) pkt; // FIXTHIS squashes outer eth!
 1360     PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh));
 1361 
 1362     DEBUG_WRAP(
 1363             DebugMessage(DEBUG_DECODE, "%X   %X\n",
 1364                 *p->eh->ether_src, *p->eh->ether_dst);
 1365             );
 1366 
 1367     /* grab out the network type */
 1368     switch(ntohs(p->eh->ether_type))
 1369     {
 1370         case ETHERNET_TYPE_IP:
 1371             DEBUG_WRAP(
 1372                     DebugMessage(DEBUG_DECODE,
 1373                         "IP datagram size calculated to be %lu bytes\n",
 1374                         (unsigned long)(len - ETHERNET_HEADER_LEN));
 1375                     );
 1376 
 1377             DecodeIP(p->pkt + ETHERNET_HEADER_LEN,
 1378                     len - ETHERNET_HEADER_LEN, p);
 1379 
 1380             return;
 1381 
 1382         case ETHERNET_TYPE_ARP:
 1383         case ETHERNET_TYPE_REVARP:
 1384             DecodeARP(p->pkt + ETHERNET_HEADER_LEN,
 1385                     len - ETHERNET_HEADER_LEN, p);
 1386             return;
 1387 
 1388         case ETHERNET_TYPE_IPV6:
 1389             DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN,
 1390                     (len - ETHERNET_HEADER_LEN), p);
 1391             return;
 1392 
 1393         case ETHERNET_TYPE_PPPoE_DISC:
 1394         case ETHERNET_TYPE_PPPoE_SESS:
 1395             DecodePPPoEPkt(p->pkt + ETHERNET_HEADER_LEN,
 1396                     (len - ETHERNET_HEADER_LEN), p);
 1397             return;
 1398 
 1399 #ifndef NO_NON_ETHER_DECODER
 1400         case ETHERNET_TYPE_IPX:
 1401             DecodeIPX(p->pkt + ETHERNET_HEADER_LEN,
 1402                     (len - ETHERNET_HEADER_LEN), p);
 1403             return;
 1404 #endif
 1405 
 1406         case ETHERNET_TYPE_LOOP:
 1407             DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN,
 1408                     (len - ETHERNET_HEADER_LEN), p);
 1409             return;
 1410 
 1411         case ETHERNET_TYPE_8021Q:
 1412             DecodeVlan(p->pkt + ETHERNET_HEADER_LEN,
 1413                     len - ETHERNET_HEADER_LEN, p);
 1414             return;
 1415 
 1416         default:
 1417             // TBD add decoder drop event for unknown mpls/eth type
 1418             pc.other++;
 1419             return;
 1420     }
 1421 
 1422     return;
 1423 }
 1424 
 1425 int isPrivateIP(uint32_t addr)
 1426 {
 1427     switch (addr & 0xff)
 1428     {
 1429         case 0x0a:
 1430             return 1;
 1431             break;
 1432         case 0xac:
 1433             if ((addr & 0xf000) == 0x1000)
 1434                 return 1;
 1435             break;
 1436         case 0xc0:
 1437             if (((addr & 0xff00) ) == 0xa800)
 1438                 return 1;
 1439             break;
 1440     }
 1441     return 0;
 1442 }
 1443 #endif  // MPLS
 1444 
 1445 //--------------------------------------------------------------------
 1446 // decode.c::VLAN
 1447 //--------------------------------------------------------------------
 1448 
 1449 #define LEN_VLAN_LLC_OTHER (sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther))
 1450 
 1451 void DecodeVlan(const uint8_t * pkt, const uint32_t len, Packet * p)
 1452 {
 1453     VlanTagHdr* vh;
 1454 
 1455     pc.vlan++;
 1456 
 1457 #ifdef GRE
 1458     if (p->greh != NULL)
 1459         pc.gre_vlan++;
 1460 #endif
 1461 
 1462     if(len < sizeof(VlanTagHdr))
 1463     {
 1464         DecoderEvent(p, DECODE_BAD_VLAN, DECODE_BAD_VLAN_STR, 1, 1);
 1465 
 1466         // TBD add decoder drop event for VLAN hdr len issue
 1467         pc.discards++;
 1468         p->iph = NULL;
 1469         p->family = NO_IP;
 1470         return;
 1471     }
 1472 
 1473     vh = (VlanTagHdr *) pkt;
 1474 #ifdef HAVE_DAQ_REAL_ADDRESSES
 1475     if (!(p->pkth->flags & DAQ_PKT_FLAG_IGNORE_VLAN))
 1476 #endif
 1477         p->vh = vh;
 1478 
 1479     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Vlan traffic:\n");
 1480                DebugMessage(DEBUG_DECODE, "   Priority: %d(0x%X)\n",
 1481                             VTH_PRIORITY(vh), VTH_PRIORITY(vh));
 1482                DebugMessage(DEBUG_DECODE, "   CFI: %d\n", VTH_CFI(vh));
 1483                DebugMessage(DEBUG_DECODE, "   Vlan ID: %d(0x%04X)\n",
 1484                             VTH_VLAN(vh), VTH_VLAN(vh));
 1485                DebugMessage(DEBUG_DECODE, "   Vlan Proto: 0x%04X\n",
 1486                             ntohs(vh->vth_proto));
 1487                );
 1488 
 1489     /* check to see if we've got an encapsulated LLC layer
 1490      * http://www.geocities.com/billalexander/ethernet.html
 1491      */
 1492     if(ntohs(vh->vth_proto) <= ETHERNET_MAX_LEN_ENCAP)
 1493     {
 1494         if(len < sizeof(VlanTagHdr) + sizeof(EthLlc))
 1495         {
 1496             DecoderEvent(p, DECODE_BAD_VLAN_ETHLLC,
 1497                             DECODE_BAD_VLAN_ETHLLC_STR, 1, 1);
 1498 
 1499             pc.discards++;
 1500             p->iph = NULL;
 1501             p->family = NO_IP;
 1502             return;
 1503         }
 1504 
 1505         p->ehllc = (EthLlc *) (pkt + sizeof(VlanTagHdr));
 1506 
 1507         DEBUG_WRAP(
 1508                 DebugMessage(DEBUG_DECODE, "LLC Header:\n");
 1509                 DebugMessage(DEBUG_DECODE, "   DSAP: 0x%X\n", p->ehllc->dsap);
 1510                 DebugMessage(DEBUG_DECODE, "   SSAP: 0x%X\n", p->ehllc->ssap);
 1511                 );
 1512 
 1513         if(p->ehllc->dsap == ETH_DSAP_IP && p->ehllc->ssap == ETH_SSAP_IP)
 1514         {
 1515             if ( len < LEN_VLAN_LLC_OTHER )
 1516             {
 1517                 DecoderEvent(p, DECODE_BAD_VLAN_OTHER,
 1518                                 DECODE_BAD_VLAN_OTHER_STR, 1, 1);
 1519 
 1520                 pc.discards++;
 1521                 p->iph = NULL;
 1522                 p->family = NO_IP;
 1523 
 1524                 return;
 1525             }
 1526 
 1527             p->ehllcother = (EthLlcOther *) (pkt + sizeof(VlanTagHdr) + sizeof(EthLlc));
 1528 
 1529             DEBUG_WRAP(
 1530                     DebugMessage(DEBUG_DECODE, "LLC Other Header:\n");
 1531                     DebugMessage(DEBUG_DECODE, "   CTRL: 0x%X\n",
 1532                         p->ehllcother->ctrl);
 1533                     DebugMessage(DEBUG_DECODE, "   ORG: 0x%02X%02X%02X\n",
 1534                         p->ehllcother->org_code[0], p->ehllcother->org_code[1],
 1535                         p->ehllcother->org_code[2]);
 1536                     DebugMessage(DEBUG_DECODE, "   PROTO: 0x%04X\n",
 1537                         ntohs(p->ehllcother->proto_id));
 1538                     );
 1539 
 1540             PushLayer(PROTO_VLAN, p, pkt, sizeof(*vh));
 1541 
 1542             switch(ntohs(p->ehllcother->proto_id))
 1543             {
 1544                 case ETHERNET_TYPE_IP:
 1545                     DecodeIP(p->pkt + LEN_VLAN_LLC_OTHER,
 1546                              len - LEN_VLAN_LLC_OTHER, p);
 1547                     return;
 1548 
 1549                 case ETHERNET_TYPE_ARP:
 1550                 case ETHERNET_TYPE_REVARP:
 1551                     DecodeARP(p->pkt + LEN_VLAN_LLC_OTHER,
 1552                               len - LEN_VLAN_LLC_OTHER, p);
 1553                     return;
 1554 
 1555                 case ETHERNET_TYPE_IPV6:
 1556                     DecodeIPV6(p->pkt + LEN_VLAN_LLC_OTHER,
 1557                                len - LEN_VLAN_LLC_OTHER, p);
 1558                     return;
 1559 
 1560                 case ETHERNET_TYPE_8021Q:
 1561                 case ETHERNET_TYPE_8021AD:
 1562                 case ETHERNET_TYPE_QINQ_NS1:
 1563                 case ETHERNET_TYPE_QINQ_NS2:
 1564                     pc.nested_vlan++;
 1565                     DecodeVlan(p->pkt + LEN_VLAN_LLC_OTHER,
 1566                                len - LEN_VLAN_LLC_OTHER, p);
 1567                     return;
 1568 
 1569                 case ETHERNET_TYPE_LOOP:
 1570                     DecodeEthLoopback(p->pkt + LEN_VLAN_LLC_OTHER,
 1571                                       len - LEN_VLAN_LLC_OTHER, p);
 1572                     return;
 1573 
 1574 #ifndef NO_NON_ETHER_DECODER
 1575                 case ETHERNET_TYPE_IPX:
 1576                     DecodeIPX(p->pkt + LEN_VLAN_LLC_OTHER,
 1577                               len - LEN_VLAN_LLC_OTHER, p);
 1578                     return;
 1579 #endif
 1580 
 1581                 case ETHERNET_TYPE_PPPoE_DISC:
 1582                 case ETHERNET_TYPE_PPPoE_SESS:
 1583                     DecodePPPoEPkt(p->pkt + LEN_VLAN_LLC_OTHER,
 1584                               len - LEN_VLAN_LLC_OTHER, p);
 1585                     return;
 1586 #ifdef MPLS
 1587                 case ETHERNET_TYPE_MPLS_MULTICAST:
 1588                     if(!ScMplsMulticast())
 1589                     {
 1590                         DecoderEvent(p, DECODE_BAD_MPLS,
 1591                                         DECODE_MULTICAST_MPLS_STR, 1, 1);
 1592                     }
 1593                 /* Fall through */
 1594                 case ETHERNET_TYPE_MPLS_UNICAST:
 1595                     DecodeMPLS(p->pkt + LEN_VLAN_LLC_OTHER,
 1596                         len - LEN_VLAN_LLC_OTHER, p);
 1597                     return;
 1598 #endif
 1599 
 1600                 default:
 1601                     // TBD add decoder drop event for unknown vlan/eth type
 1602                     pc.other++;
 1603                     return;
 1604             }
 1605         }
 1606     }
 1607     else
 1608     {
 1609         PushLayer(PROTO_VLAN, p, pkt, sizeof(*vh));
 1610 
 1611         switch(ntohs(vh->vth_proto))
 1612         {
 1613             case ETHERNET_TYPE_IP:
 1614                 DecodeIP(pkt + sizeof(VlanTagHdr),
 1615                          len - sizeof(VlanTagHdr), p);
 1616                 return;
 1617 
 1618             case ETHERNET_TYPE_ARP:
 1619             case ETHERNET_TYPE_REVARP:
 1620                 DecodeARP(pkt + sizeof(VlanTagHdr),
 1621                           len - sizeof(VlanTagHdr), p);
 1622                 return;
 1623 
 1624             case ETHERNET_TYPE_IPV6:
 1625                 DecodeIPV6(pkt +sizeof(VlanTagHdr),
 1626                            len - sizeof(VlanTagHdr), p);
 1627                 return;
 1628 
 1629             case ETHERNET_TYPE_8021Q:
 1630             case ETHERNET_TYPE_8021AD:
 1631             case ETHERNET_TYPE_QINQ_NS1:
 1632             case ETHERNET_TYPE_QINQ_NS2:
 1633                 pc.nested_vlan++;
 1634                 DecodeVlan(pkt + sizeof(VlanTagHdr),
 1635                            len - sizeof(VlanTagHdr), p);
 1636                 return;
 1637 
 1638             case ETHERNET_TYPE_LOOP:
 1639                 DecodeEthLoopback(pkt + sizeof(VlanTagHdr),
 1640                                   len - sizeof(VlanTagHdr), p);
 1641                 return;
 1642 
 1643 #ifndef NO_NON_ETHER_DECODER
 1644             case ETHERNET_TYPE_IPX:
 1645                 DecodeIPX(pkt + sizeof(VlanTagHdr),
 1646                            len - sizeof(VlanTagHdr), p);
 1647                 return;
 1648 #endif
 1649 
 1650             case ETHERNET_TYPE_PPPoE_DISC:
 1651             case ETHERNET_TYPE_PPPoE_SESS:
 1652                 DecodePPPoEPkt(pkt + sizeof(VlanTagHdr),
 1653                                len - sizeof(VlanTagHdr), p);
 1654                 return;
 1655 
 1656 #ifdef MPLS
 1657             case ETHERNET_TYPE_MPLS_MULTICAST:
 1658                 if(!ScMplsMulticast())
 1659                 {
 1660                     SnortEventqAdd(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS, 1, DECODE_CLASS, 3, DECODE_MULTICAST_MPLS_STR, 0);
 1661                 }
 1662             case ETHERNET_TYPE_MPLS_UNICAST:
 1663                 DecodeMPLS(pkt + sizeof(VlanTagHdr),
 1664                     len - sizeof(VlanTagHdr), p);
 1665                 return;
 1666 #endif
 1667             case ETHERNET_TYPE_CISCO_META:
 1668                 DecodeCiscoMeta(pkt + sizeof(VlanTagHdr),
 1669                    len - sizeof(VlanTagHdr), p);
 1670                 return;
 1671 
 1672             default:
 1673                 // TBD add decoder drop event for unknown vlan/eth type
 1674                 pc.other++;
 1675                 return;
 1676         }
 1677     }
 1678 
 1679     // TBD add decoder drop event for unknown vlan/llc type
 1680     pc.other++;
 1681     return;
 1682 }
 1683 
 1684 //--------------------------------------------------------------------
 1685 // decode.c::PPP related
 1686 //--------------------------------------------------------------------
 1687 
 1688 /*
 1689  * Function: DecodePPPoEPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*)
 1690  *
 1691  * Purpose: Decode those fun loving ethernet packets, one at a time!
 1692  *
 1693  * Arguments: p => pointer to the decoded packet struct
 1694  *            user => Utility pointer (unused)
 1695  *            pkthdr => ptr to the packet header
 1696  *            pkt => pointer to the real live packet data
 1697  *
 1698  * Returns: void function
 1699  *
 1700  * see http://www.faqs.org/rfcs/rfc2516.html
 1701  *
 1702  */
 1703 void DecodePPPoEPkt(const uint8_t* pkt, const uint32_t len, Packet* p)
 1704 {
 1705     //PPPoE_Tag *ppppoe_tag=0;
 1706     //PPPoE_Tag tag;  /* needed to avoid alignment problems */
 1707 
 1708     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPPoE with len: %lu\n",
 1709         (unsigned long)len););
 1710 
 1711     /* do a little validation */
 1712     if(len < PPPOE_HEADER_LEN)
 1713     {
 1714         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 1715             "Captured data length < PPPoE header length! "
 1716             "(%d bytes)\n", len););
 1717 
 1718         DecoderEvent(p, DECODE_BAD_PPPOE, DECODE_BAD_PPPOE_STR, 1, 1);
 1719 
 1720         return;
 1721     }
 1722 
 1723     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X   %X\n",
 1724                 *p->eh->ether_src, *p->eh->ether_dst););
 1725 
 1726     /* lay the PPP over ethernet structure over the packet data */
 1727     p->pppoeh = (PPPoEHdr *)pkt;
 1728 
 1729     /* grab out the network type */
 1730     switch(ntohs(p->eh->ether_type))
 1731     {
 1732         case ETHERNET_TYPE_PPPoE_DISC:
 1733             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Discovery) "););
 1734             break;
 1735 
 1736         case ETHERNET_TYPE_PPPoE_SESS:
 1737             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Session) "););
 1738             break;
 1739 
 1740         default:
 1741             return;
 1742     }
 1743 
 1744 #ifdef DEBUG_MSGS
 1745     switch(p->pppoeh->code)
 1746     {
 1747         case PPPoE_CODE_PADI:
 1748             /* The Host sends the PADI packet with the DESTINATION_ADDR set
 1749              * to the broadcast address.  The CODE field is set to 0x09 and
 1750              * the SESSION_ID MUST be set to 0x0000.
 1751              *
 1752              * The PADI packet MUST contain exactly one TAG of TAG_TYPE
 1753              * Service-Name, indicating the service the Host is requesting,
 1754              * and any number of other TAG types.  An entire PADI packet
 1755              * (including the PPPoE header) MUST NOT exceed 1484 octets so
 1756              * as to leave sufficient room for a relay agent to add a
 1757              * Relay-Session-Id TAG.
 1758              */
 1759             DebugMessage(DEBUG_DECODE, "Active Discovery Initiation (PADI)\n");
 1760             break;
 1761 
 1762         case PPPoE_CODE_PADO:
 1763             /* When the Access Concentrator receives a PADI that it can
 1764              * serve, it replies by sending a PADO packet.  The
 1765              * DESTINATION_ADDR is the unicast address of the Host that
 1766              * sent the PADI.  The CODE field is set to 0x07 and the
 1767              * SESSION_ID MUST be set to 0x0000.
 1768              *
 1769              * The PADO packet MUST contain one AC-Name TAG containing the
 1770              * Access Concentrator's name, a Service-Name TAG identical to
 1771              * the one in the PADI, and any number of other Service-Name
 1772              * TAGs indicating other services that the Access Concentrator
 1773              * offers.  If the Access Concentrator can not serve the PADI
 1774              * it MUST NOT respond with a PADO.
 1775              */
 1776             DebugMessage(DEBUG_DECODE, "Active Discovery Offer (PADO)\n");
 1777             break;
 1778 
 1779         case PPPoE_CODE_PADR:
 1780             /* Since the PADI was broadcast, the Host may receive more than
 1781              * one PADO.  The Host looks through the PADO packets it receives
 1782              * and chooses one.  The choice can be based on the AC-Name or
 1783              * the Services offered.  The Host then sends one PADR packet
 1784              * to the Access Concentrator that it has chosen.  The
 1785              * DESTINATION_ADDR field is set to the unicast Ethernet address
 1786              * of the Access Concentrator that sent the PADO.  The CODE
 1787              * field is set to 0x19 and the SESSION_ID MUST be set to 0x0000.
 1788              *
 1789              * The PADR packet MUST contain exactly one TAG of TAG_TYPE
 1790              * Service-Name, indicating the service the Host is requesting,
 1791              * and any number of other TAG types.
 1792              */
 1793             DebugMessage(DEBUG_DECODE, "Active Discovery Request (PADR)\n");
 1794             break;
 1795 
 1796         case PPPoE_CODE_PADS:
 1797             /* When the Access Concentrator receives a PADR packet, it
 1798              * prepares to begin a PPP session.  It generates a unique
 1799              * SESSION_ID for the PPPoE session and replies to the Host with
 1800              * a PADS packet.  The DESTINATION_ADDR field is the unicast
 1801              * Ethernet address of the Host that sent the PADR.  The CODE
 1802              * field is set to 0x65 and the SESSION_ID MUST be set to the
 1803              * unique value generated for this PPPoE session.
 1804              *
 1805              * The PADS packet contains exactly one TAG of TAG_TYPE
 1806              * Service-Name, indicating the service under which Access
 1807              * Concentrator has accepted the PPPoE session, and any number
 1808              * of other TAG types.
 1809              *
 1810              * If the Access Concentrator does not like the Service-Name in
 1811              * the PADR, then it MUST reply with a PADS containing a TAG of
 1812              * TAG_TYPE Service-Name-Error (and any number of other TAG
 1813              * types).  In this case the SESSION_ID MUST be set to 0x0000.
 1814              */
 1815             DebugMessage(DEBUG_DECODE, "Active Discovery "
 1816                          "Session-confirmation (PADS)\n");
 1817             break;
 1818 
 1819         case PPPoE_CODE_PADT:
 1820             /* This packet may be sent anytime after a session is established
 1821              * to indicate that a PPPoE session has been terminated.  It may
 1822              * be sent by either the Host or the Access Concentrator.  The
 1823              * DESTINATION_ADDR field is a unicast Ethernet address, the
 1824              * CODE field is set to 0xa7 and the SESSION_ID MUST be set to
 1825              * indicate which session is to be terminated.  No TAGs are
 1826              * required.
 1827              *
 1828              * When a PADT is received, no further PPP traffic is allowed to
 1829              * be sent using that session.  Even normal PPP termination
 1830              * packets MUST NOT be sent after sending or receiving a PADT.
 1831              * A PPP peer SHOULD use the PPP protocol itself to bring down a
 1832              * PPPoE session, but the PADT MAY be used when PPP can not be
 1833              * used.
 1834              */
 1835             DebugMessage(DEBUG_DECODE, "Active Discovery Terminate (PADT)\n");
 1836             break;
 1837 
 1838         case PPPoE_CODE_SESS:
 1839             DebugMessage(DEBUG_DECODE, "Session Packet (SESS)\n");
 1840             break;
 1841 
 1842         default:
 1843             DebugMessage(DEBUG_DECODE, "(Unknown)\n");
 1844             break;
 1845     }
 1846 #endif
 1847 
 1848     if (ntohs(p->eh->ether_type) != ETHERNET_TYPE_PPPoE_DISC)
 1849     {
 1850         PushLayer(PROTO_PPPOE, p, pkt, PPPOE_HEADER_LEN);
 1851         p->non_ip_pkt = 1;
 1852         DecodePppPktEncapsulated(pkt + PPPOE_HEADER_LEN, len - PPPOE_HEADER_LEN, p);
 1853         return;
 1854     }
 1855     else
 1856     {
 1857         DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Returning early on PPPOE discovery packet\n"););
 1858         return;
 1859     }
 1860 
 1861 #if 0
 1862     ppppoe_tag = (PPPoE_Tag *)(pkt + sizeof(PPPoEHdr));
 1863 
 1864     while (ppppoe_tag < (PPPoE_Tag *)(pkt + len))
 1865     {
 1866         if (((char*)(ppppoe_tag)+(sizeof(PPPoE_Tag)-1)) > (char*)(pkt + len))
 1867         {
 1868             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Not enough data in packet for PPPOE Tag\n"););
 1869             break;
 1870         }
 1871 
 1872         /* no guarantee in PPPoE spec that ppppoe_tag is aligned at all... */
 1873         memcpy(&tag, ppppoe_tag, sizeof(tag));
 1874 
 1875         DEBUG_WRAP(
 1876                 DebugMessage(DEBUG_DECODE, "\tPPPoE tag:\ntype: %04x length: %04x ",
 1877                     ntohs(tag.type), ntohs(tag.length)););
 1878 
 1879 #ifdef DEBUG_MSGS
 1880         switch(ntohs(tag.type))
 1881         {
 1882             case PPPoE_TAG_END_OF_LIST:
 1883                 DebugMessage(DEBUG_DECODE, "(End of list)\n\t");
 1884                 break;
 1885             case PPPoE_TAG_SERVICE_NAME:
 1886                 DebugMessage(DEBUG_DECODE, "(Service name)\n\t");
 1887                 break;
 1888             case PPPoE_TAG_AC_NAME:
 1889                 DebugMessage(DEBUG_DECODE, "(AC Name)\n\t");
 1890                 break;
 1891             case PPPoE_TAG_HOST_UNIQ:
 1892                 DebugMessage(DEBUG_DECODE, "(Host Uniq)\n\t");
 1893                 break;
 1894             case PPPoE_TAG_AC_COOKIE:
 1895                 DebugMessage(DEBUG_DECODE, "(AC Cookie)\n\t");
 1896                 break;
 1897             case PPPoE_TAG_VENDOR_SPECIFIC:
 1898                 DebugMessage(DEBUG_DECODE, "(Vendor Specific)\n\t");
 1899                 break;
 1900             case PPPoE_TAG_RELAY_SESSION_ID:
 1901                 DebugMessage(DEBUG_DECODE, "(Relay Session ID)\n\t");
 1902                 break;
 1903             case PPPoE_TAG_SERVICE_NAME_ERROR:
 1904                 DebugMessage(DEBUG_DECODE, "(Service Name Error)\n\t");
 1905                 break;
 1906             case PPPoE_TAG_AC_SYSTEM_ERROR:
 1907                 DebugMessage(DEBUG_DECODE, "(AC System Error)\n\t");
 1908                 break;
 1909             case PPPoE_TAG_GENERIC_ERROR:
 1910                 DebugMessage(DEBUG_DECODE, "(Generic Error)\n\t");
 1911                 break;
 1912             default:
 1913                 DebugMessage(DEBUG_DECODE, "(Unknown)\n\t");
 1914                 break;
 1915         }
 1916 #endif
 1917 
 1918 #ifdef DEBUG_MSGS
 1919         if (ntohs(tag.length) > 0)
 1920         {
 1921             char *buf;
 1922             int i;
 1923 
 1924             switch (ntohs(tag.type))
 1925             {
 1926                 case PPPoE_TAG_SERVICE_NAME:
 1927                 case PPPoE_TAG_AC_NAME:
 1928                 case PPPoE_TAG_SERVICE_NAME_ERROR:
 1929                 case PPPoE_TAG_AC_SYSTEM_ERROR:
 1930                 case PPPoE_TAG_GENERIC_ERROR: * ascii data *
 1931                     buf = (char *)SnortAlloc(ntohs(tag.length) + 1);
 1932                     strlcpy(buf, (char *)(ppppoe_tag+1), ntohs(tag.length));
 1933                     DebugMessage(DEBUG_DECODE, "data (UTF-8): %s\n", buf);
 1934                     free(buf);
 1935                     break;
 1936 
 1937                 case PPPoE_TAG_HOST_UNIQ:
 1938                 case PPPoE_TAG_AC_COOKIE:
 1939                 case PPPoE_TAG_RELAY_SESSION_ID:
 1940                     DebugMessage(DEBUG_DECODE, "data (bin): ");
 1941                     for (i = 0; i < ntohs(tag.length); i++)
 1942                         DebugMessage(DEBUG_DECODE,
 1943                                 "%02x", *(((unsigned char *)ppppoe_tag) +
 1944                                     sizeof(PPPoE_Tag) + i));
 1945                     DebugMessage(DEBUG_DECODE, "\n");
 1946                     break;
 1947 
 1948                 default:
 1949                     DebugMessage(DEBUG_DECODE, "unrecognized data\n");
 1950                     break;
 1951             }
 1952         }
 1953 #endif
 1954 
 1955         ppppoe_tag = (PPPoE_Tag *)((char *)(ppppoe_tag+1)+ntohs(tag.length));
 1956     }
 1957 
 1958 #endif   /* #if 0 */
 1959 
 1960     return;
 1961 }
 1962 
 1963 /*
 1964  * Function: DecodePppPktEncapsulated(Packet *, const uint32_t len, uint8_t*)
 1965  *
 1966  * Purpose: Decode PPP traffic (RFC1661 framing).
 1967  *
 1968  * Arguments: p => pointer to decoded packet struct
 1969  *            len => length of data to process
 1970  *            pkt => pointer to the real live packet data
 1971  *
 1972  * Returns: void function
 1973  */
 1974 void DecodePppPktEncapsulated(const uint8_t* pkt, const uint32_t len, Packet* p)
 1975 {
 1976     static int had_vj = 0;
 1977     uint16_t protocol;
 1978     uint32_t hlen = 1; /* HEADER - try 1 then 2 */
 1979 
 1980     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPP Packet!\n"););
 1981 
 1982 #ifdef WORDS_MUSTALIGN
 1983     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet with PPP header.  "
 1984                             "PPP is only 1 or 2 bytes and will throw off "
 1985                             "alignment on this architecture when decoding IP, "
 1986                             "causing a bus error - stop decoding packet.\n"););
 1987 
 1988     p->data = pkt;
 1989     p->dsize = (uint16_t)len;
 1990     return;
 1991 #endif  /* WORDS_MUSTALIGN */
 1992 
 1993 #ifdef GRE
 1994     if (p->greh != NULL)
 1995         pc.gre_ppp++;
 1996 #endif  /* GRE */
 1997 
 1998     /* do a little validation:
 1999      *
 2000      */
 2001     if(len < 2)
 2002     {
 2003         if (ScLogVerbose())
 2004         {
 2005             ErrorMessage("Length not big enough for even a single "
 2006                          "header or a one byte payload\n");
 2007         }
 2008         return;
 2009     }
 2010 
 2011 
 2012     if(pkt[0] & 0x01)
 2013     {
 2014         /* Check for protocol compression rfc1661 section 5
 2015          *
 2016          */
 2017         hlen = 1;
 2018         protocol = pkt[0];
 2019     }
 2020     else
 2021     {
 2022         protocol = ntohs(*((uint16_t *)pkt));
 2023         hlen = 2;
 2024     }
 2025 
 2026     /*
 2027      * We only handle uncompressed packets. Handling VJ compression would mean
 2028      * to implement a PPP state machine.
 2029      */
 2030     switch (protocol)
 2031     {
 2032         case PPP_VJ_COMP:
 2033             if (!had_vj)
 2034                 ErrorMessage("PPP link seems to use VJ compression, "
 2035                         "cannot handle compressed packets!\n");
 2036             had_vj = 1;
 2037             break;
 2038         case PPP_VJ_UCOMP:
 2039             /* VJ compression modifies the protocol field. It must be set
 2040              * to tcp (only TCP packets can be VJ compressed) */
 2041             if(len < (hlen + IP_HEADER_LEN))
 2042             {
 2043                 if (ScLogVerbose())
 2044                     ErrorMessage("PPP VJ min packet length > captured len! "
 2045                                  "(%d bytes)\n", len);
 2046                 return;
 2047             }
 2048 
 2049             ((IPHdr *)(pkt + hlen))->ip_proto = IPPROTO_TCP;
 2050             /* fall through */
 2051 
 2052         case PPP_IP:
 2053             PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen);
 2054             DecodeIP(pkt + hlen, len - hlen, p);
 2055             break;
 2056 
 2057         case PPP_IPV6:
 2058             PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen);
 2059             DecodeIPV6(pkt + hlen, len - hlen, p);
 2060             break;
 2061 
 2062 #ifndef NO_NON_ETHER_DECODER
 2063         case PPP_IPX:
 2064             PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen);
 2065             DecodeIPX(pkt + hlen, len - hlen, p);
 2066             break;
 2067 #endif
 2068     }
 2069 }
 2070 
 2071 //--------------------------------------------------------------------
 2072 // decode.c::Raw packets
 2073 //--------------------------------------------------------------------
 2074 
 2075 /*
 2076  * Function: DecodeRawPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*)
 2077  *
 2078  * Purpose: Decodes packets coming in raw on layer 2, like PPP.  Coded and
 2079  *          in by Jed Pickle (thanks Jed!) and modified for a few little tweaks
 2080  *          by me.
 2081  *
 2082  * Arguments: p => pointer to decoded packet struct
 2083  *            pkthdr => ptr to the packet header
 2084  *            pkt => pointer to the real live packet data
 2085  *
 2086  * Returns: void function
 2087  */
 2088 void DecodeRawPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
 2089 {
 2090     PROFILE_VARS;
 2091 
 2092     PREPROC_PROFILE_START(decodePerfStats);
 2093 
 2094     pc.total_processed++;
 2095 
 2096     memset(p, 0, PKT_ZERO_LEN);
 2097 
 2098     p->pkth = pkthdr;
 2099     p->pkt = pkt;
 2100 
 2101     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Raw IP4 Packet!\n"););
 2102 
 2103     DecodeIP(pkt, p->pkth->caplen, p);
 2104 
 2105     PREPROC_PROFILE_END(decodePerfStats);
 2106     return;
 2107 }
 2108 
 2109 // raw packets are predetermined to be ip4 (above) or ip6 (below) by the DLT
 2110 
 2111 void DecodeRawPkt6(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
 2112 {
 2113     PROFILE_VARS;
 2114     PREPROC_PROFILE_START(decodePerfStats);
 2115 
 2116     pc.total_processed++;
 2117     memset(p, 0, PKT_ZERO_LEN);
 2118 
 2119     p->pkth = pkthdr;
 2120     p->pkt = pkt;
 2121 
 2122     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Raw IP6 Packet!\n"););
 2123 
 2124     DecodeIPV6(pkt, p->pkth->caplen, p);
 2125 
 2126     PREPROC_PROFILE_END(decodePerfStats);
 2127     return;
 2128 }
 2129 
 2130 //--------------------------------------------------------------------
 2131 // decode.c::IP4 misc
 2132 //--------------------------------------------------------------------
 2133 
 2134 /*
 2135  * Some IP Header tests
 2136  * Land Attack(same src/dst ip)
 2137  * Loopback (src or dst in 127/8 block)
 2138  * Modified: 2/22/05-man for High Endian Architecture.
 2139  */
 2140 #define IP4_THIS_NET  0x00  // msb
 2141 #define IP4_MULTICAST 0x0E  // ms nibble
 2142 #define IP4_RESERVED  0x0F  // ms nibble
 2143 #define IP4_LOOPBACK  0x7F  // msb
 2144 #define IP4_BROADCAST 0xffffffff
 2145 
 2146 void IP4AddrTests (Packet* p)
 2147 {
 2148     uint8_t msb_src, msb_dst;
 2149 
 2150 #if !defined(SFLINUX) && defined(DAQ_CAPA_VRF)   
 2151     uint16_t sAsId;
 2152     uint16_t dAsId;
 2153 
 2154     sAsId = DAQ_GetSourceAddressSpaceID(p->pkth);
 2155     dAsId = DAQ_GetDestinationAddressSpaceID(p->pkth);
 2156 
 2157     // check all 32 bits ...
 2158     if((p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr)
 2159             && (sAsId == dAsId))
 2160     {
 2161         DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST,
 2162                      DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, 1, 1);
 2163         if( pkt_trace_enabled ) 
 2164         { 
 2165             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE, 
 2166                         "Packet is blocked since same source and destination")); 
 2167         } 
 2168     }
 2169 #else
 2170     if(p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr)
 2171     {
 2172         DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST,
 2173                      DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, 1, 1);
 2174     }
 2175 #endif
 2176 
 2177     // check all 32 bits ...
 2178     if ( Event_Enabled(DECODE_IP4_SRC_BROADCAST ) )
 2179         if ( p->iph->ip_src.s_addr == IP4_BROADCAST  )
 2180             DecoderEvent(p, EVARGS(IP4_SRC_BROADCAST), 1, 1);
 2181 
 2182     if ( Event_Enabled(DECODE_IP4_DST_BROADCAST ) )
 2183         if ( p->iph->ip_dst.s_addr == IP4_BROADCAST  )
 2184             DecoderEvent(p, EVARGS(IP4_DST_BROADCAST), 1, 1);
 2185 
 2186     /* Loopback traffic  - don't use htonl for speed reasons -
 2187      * s_addr is always in network order */
 2188 #ifdef WORDS_BIGENDIAN
 2189     msb_src = (p->iph->ip_src.s_addr >> 24);
 2190     msb_dst = (p->iph->ip_dst.s_addr >> 24);
 2191 #else
 2192     msb_src = (uint8_t)(p->iph->ip_src.s_addr & 0xff);
 2193     msb_dst = (uint8_t)(p->iph->ip_dst.s_addr & 0xff);
 2194 #endif
 2195     // check the msb ...
 2196     if ( msb_src == IP4_LOOPBACK || msb_dst == IP4_LOOPBACK )
 2197     {
 2198         DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK,
 2199                         DECODE_BAD_TRAFFIC_LOOPBACK_STR, 1, 1);
 2200     }
 2201     // check the msb ...
 2202     if ( Event_Enabled(DECODE_IP4_SRC_THIS_NET ) )
 2203         if ( msb_src == IP4_THIS_NET  )
 2204             DecoderEvent(p, EVARGS(IP4_SRC_THIS_NET), 1, 1);
 2205 
 2206     if ( Event_Enabled(DECODE_IP4_DST_THIS_NET ) )
 2207         if ( msb_dst == IP4_THIS_NET  )
 2208             DecoderEvent(p, EVARGS(IP4_DST_THIS_NET), 1, 1);
 2209 
 2210     // check the 'msn' (most significant nibble) ...
 2211     msb_src >>= 4;
 2212     msb_dst >>= 4;
 2213 
 2214     if ( Event_Enabled(DECODE_IP4_SRC_MULTICAST) )
 2215         if ( msb_src == IP4_MULTICAST )
 2216             DecoderEvent(p, EVARGS(IP4_SRC_MULTICAST), 1, 1);
 2217 
 2218     if ( Event_Enabled(DECODE_IP4_SRC_RESERVED) )
 2219     {
 2220         if ( msb_src == IP4_RESERVED ||
 2221              IpAddrSetContains(MulticastReservedIp, GET_SRC_ADDR(p)) )
 2222         {
 2223             DecoderEvent(p, EVARGS(IP4_SRC_RESERVED), 1, 1);
 2224         }
 2225     }
 2226 
 2227     if ( Event_Enabled(DECODE_IP4_DST_RESERVED) )
 2228     {
 2229         if ( msb_dst == IP4_RESERVED ||
 2230              IpAddrSetContains(MulticastReservedIp, GET_DST_ADDR(p)) )
 2231         {
 2232             DecoderEvent(p, EVARGS(IP4_DST_RESERVED), 1, 1);
 2233         }
 2234     }
 2235 }
 2236 
 2237 static inline void ICMP4AddrTests (Packet* p)
 2238 {
 2239     uint8_t msb_dst;
 2240 
 2241     uint32_t dst = sfaddr_get_ip4_value(GET_DST_IP(p));
 2242 
 2243     // check all 32 bits; all set so byte order is irrelevant ...
 2244     if ( Event_Enabled(DECODE_ICMP4_DST_BROADCAST ) )
 2245         if ( dst == IP4_BROADCAST  )
 2246             DecoderEvent(p, EVARGS(ICMP4_DST_BROADCAST), 1, 1);
 2247 
 2248     /* - don't use htonl for speed reasons -
 2249      * s_addr is always in network order */
 2250 #ifdef WORDS_BIGENDIAN
 2251     msb_dst = (uint8_t)(dst >> 24);
 2252 #else
 2253     msb_dst = (uint8_t)(dst & 0xff);
 2254 #endif
 2255 
 2256     // check the 'msn' (most significant nibble) ...
 2257     msb_dst >>= 4;
 2258 
 2259     if ( Event_Enabled(DECODE_ICMP4_DST_MULTICAST) )
 2260         if ( msb_dst == IP4_MULTICAST )
 2261             DecoderEvent(p, EVARGS(ICMP4_DST_MULTICAST), 1, 1);
 2262 }
 2263 
 2264 static inline void ICMP4MiscTests (Packet *p)
 2265 {
 2266     if ( Event_Enabled(DECODE_ICMP_PING_NMAP) )
 2267     {
 2268         if ((p->dsize == 0) &&
 2269             (p->icmph->type == ICMP_ECHO))
 2270             DecoderEvent(p, EVARGS(ICMP_PING_NMAP), 1, 1);
 2271     }
 2272 
 2273     if ( Event_Enabled(DECODE_ICMP_ICMPENUM) )
 2274     {
 2275         if ((p->dsize == 0) &&
 2276             (p->icmph->s_icmp_seq == 666))
 2277             DecoderEvent(p, EVARGS(ICMP_ICMPENUM), 1, 1);
 2278     }
 2279 
 2280     if ( Event_Enabled(DECODE_ICMP_REDIRECT_HOST) )
 2281     {
 2282         if ((p->icmph->code == 1) &&
 2283             (p->icmph->type == ICMP_REDIRECT))
 2284             DecoderEvent(p, EVARGS(ICMP_REDIRECT_HOST), 1, 1);
 2285     }
 2286 
 2287     if ( Event_Enabled(DECODE_ICMP_REDIRECT_NET) )
 2288     {
 2289         if ((p->icmph->type == ICMP_REDIRECT) &&
 2290             (p->icmph->code == 0))
 2291             DecoderEvent(p, EVARGS(ICMP_REDIRECT_NET), 1, 1);
 2292     }
 2293 
 2294     if ( Event_Enabled(DECODE_ICMP_TRACEROUTE_IPOPTS) )
 2295     {
 2296         if (p->icmph->type == ICMP_ECHOREPLY)
 2297         {
 2298             int i;
 2299             for (i = 0; i < p->ip_option_count; i++)
 2300             {
 2301                 if (p->ip_options[i].code == IPOPT_RR)
 2302                     DecoderEvent(p, EVARGS(ICMP_TRACEROUTE_IPOPTS), 1, 1);
 2303             }
 2304         }
 2305     }
 2306 
 2307     if ( Event_Enabled(DECODE_ICMP_SOURCE_QUENCH) )
 2308     {
 2309         if ((p->icmph->type == ICMP_SOURCE_QUENCH) &&
 2310             (p->icmph->code == 0))
 2311             DecoderEvent(p, DECODE_ICMP_SOURCE_QUENCH,
 2312                          DECODE_ICMP_SOURCE_QUENCH_STR, 1, 1);
 2313     }
 2314 
 2315     if ( Event_Enabled(DECODE_ICMP_BROADSCAN_SMURF_SCANNER) )
 2316     {
 2317         if ((p->dsize == 4) &&
 2318             (p->icmph->type == ICMP_ECHO) &&
 2319             (p->icmph->s_icmp_seq == 0) &&
 2320             (p->icmph->code == 0))
 2321             DecoderEvent(p, EVARGS(ICMP_BROADSCAN_SMURF_SCANNER), 1, 1);
 2322     }
 2323 
 2324     if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED) )
 2325     {
 2326         if ((p->icmph->type == ICMP_DEST_UNREACH) &&
 2327             (p->icmph->code == 13))
 2328             DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_ADMIN_PROHIBITED), 1, 1);
 2329     }
 2330 
 2331     if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED) )
 2332     {
 2333         if ((p->icmph->type == ICMP_DEST_UNREACH) &&
 2334             (p->icmph->code == 10))
 2335             DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_HOST_PROHIBITED), 1, 1);
 2336     }
 2337 
 2338     if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED) )
 2339     {
 2340         if ((p->icmph->type == ICMP_DEST_UNREACH) &&
 2341             (p->icmph->code == 9))
 2342             DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_NET_PROHIBITED), 1, 1);
 2343     }
 2344 
 2345 }
 2346 
 2347 /* IPv4-layer decoder rules */
 2348 static inline void IPMiscTests(Packet *p)
 2349 {
 2350     if ( Event_Enabled(DECODE_ICMP_DOS_ATTEMPT) )
 2351     {
 2352         /* Yes, it's an ICMP-related vuln in IP options. */
 2353         uint8_t i, length, pointer;
 2354 
 2355         /* Alert on IP packets with either 0x07 (Record Route) or 0x44 (Timestamp)
 2356            options that are specially crafted. */
 2357         for (i = 0; i < p->ip_option_count; i++)
 2358         {
 2359             if (p->ip_options[i].data == NULL)
 2360                 continue;
 2361 
 2362             if (p->ip_options[i].code == IPOPT_RR)
 2363             {
 2364                 length = p->ip_options[i].len;
 2365                 if (length < 1)
 2366                     continue;
 2367 
 2368                 pointer = p->ip_options[i].data[0];
 2369 
 2370                 /* If the pointer goes past the end of the data, then the data
 2371                    is full. That's okay. */
 2372                 if (pointer >= length + 2)
 2373                     continue;
 2374                 /* If the remaining space in the option isn't a multiple of 4
 2375                    bytes, alert. */
 2376                 if (((length + 3) - pointer) % 4)
 2377                     DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1);
 2378             }
 2379             else if (p->ip_options[i].code == IPOPT_TS)
 2380             {
 2381                 length = p->ip_options[i].len;
 2382                 if (length < 2)
 2383                     continue;
 2384 
 2385                 pointer = p->ip_options[i].data[0];
 2386 
 2387                 /* If the pointer goes past the end of the data, then the data
 2388                    is full. That's okay. */
 2389                 if (pointer >= length + 2)
 2390                     continue;
 2391                 /* If the remaining space in the option isn't a multiple of 4
 2392                    bytes, alert. */
 2393                 if (((length + 3) - pointer) % 4)
 2394                     DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1);
 2395                 /* If there is a timestamp + address, we need a multiple of 8
 2396                    bytes instead. */
 2397                 if ((p->ip_options[i].data[1] & 0x01) && /* address flag */
 2398                    (((length + 3) - pointer) % 8))
 2399                     DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1);
 2400             }
 2401         }
 2402     }
 2403     if ( Event_Enabled(DECODE_IP_OPTION_SET) )
 2404     {
 2405         if (p->ip_option_count > 0)
 2406             DecoderEvent(p, EVARGS(IP_OPTION_SET), 1, 1);
 2407     }
 2408 
 2409     if ( Event_Enabled(DECODE_IP_RESERVED_FRAG_BIT) )
 2410     {
 2411         if (p->rf)
 2412             DecoderEvent(p, EVARGS(IP_RESERVED_FRAG_BIT), 1, 1);
 2413     }
 2414 }
 2415 
 2416 //--------------------------------------------------------------------
 2417 // decode.c::IP4 vulnerabilities
 2418 //--------------------------------------------------------------------
 2419 
 2420 /* This PGM NAK function started off as an SO rule, sid 8351. */
 2421 static inline int pgm_nak_detect (const uint8_t *data, uint16_t length) {
 2422     uint16_t data_left;
 2423     uint16_t  checksum;
 2424     const PGM_HEADER *header;
 2425 
 2426     if (NULL == data) {
 2427         return PGM_NAK_ERR;
 2428     }
 2429 
 2430     /* request must be bigger than 44 bytes to cause vuln */
 2431     if (length <= sizeof(PGM_HEADER) || (length % 4) != 0) {
 2432         return PGM_NAK_ERR;
 2433     }
 2434 
 2435     header = (PGM_HEADER *) data;
 2436 
 2437     if (8 != header->type) {
 2438         return PGM_NAK_ERR;
 2439     }
 2440 
 2441     if (2 != header->nak.opt.type) {
 2442         return PGM_NAK_ERR;
 2443     }
 2444 
 2445 
 2446     /*
 2447      * alert if the amount of data after the options is more than the length
 2448      * specified.
 2449      */
 2450 
 2451 
 2452     data_left = length - 36;
 2453     if (data_left > header->nak.opt.len) {
 2454 
 2455         /* checksum is expensive... do that only if the length is bad */
 2456         if (header->checksum != 0) {
 2457             checksum = in_chksum_ip((const unsigned short*)data, (int)length);
 2458             if (checksum != 0)
 2459                 return PGM_NAK_ERR;
 2460         }
 2461 
 2462         return PGM_NAK_VULN;
 2463     }
 2464 
 2465     return PGM_NAK_OK;
 2466 }
 2467 
 2468 static inline void CheckPGMVuln(Packet *p)
 2469 {
 2470     if ( pgm_nak_detect(p->data, p->dsize) == PGM_NAK_VULN )
 2471         DecoderEvent(p, EVARGS(PGM_NAK_OVERFLOW), 1, 1);
 2472 }
 2473 
 2474 /* This function is a port of an old .so rule, sid 3:8092. */
 2475 static inline void CheckIGMPVuln(Packet *p)
 2476 {
 2477     int i, alert = 0;
 2478 
 2479     if (p->dsize >= 1 && p->data[0] == 0x11)
 2480     {
 2481         if (p->ip_options_data != NULL) {
 2482             if (p->ip_options_len >= 2) {
 2483                 if (*(p->ip_options_data) == 0 && *(p->ip_options_data+1) == 0)
 2484                 {
 2485                     DecoderEvent(p, EVARGS(IGMP_OPTIONS_DOS), 1, 1);
 2486                     return;
 2487                 }
 2488             }
 2489         }
 2490 
 2491         for(i=0; i< (int) p->ip_option_count; i++) {
 2492             /* All IGMPv2 packets contain IP option code 148 (router alert).
 2493                This vulnerability only applies to IGMPv3, so return early. */
 2494             if (p->ip_options[i].code == 148) {
 2495                 return; /* No alert. */
 2496             }
 2497 
 2498             if (p->ip_options[i].len == 1) {
 2499                 alert++;
 2500             }
 2501         }
 2502 
 2503         if (alert > 0)
 2504             DecoderEvent(p, EVARGS(IGMP_OPTIONS_DOS), 1, 1);
 2505     }
 2506 }
 2507 
 2508 //--------------------------------------------------------------------
 2509 // decode.c::IP4 decoder
 2510 //--------------------------------------------------------------------
 2511 
 2512 /* Function: DecodeIPv4Proto
 2513  *
 2514  * Gernalized IPv4 next protocol decoder dispatching.
 2515  *
 2516  * Arguments: proto => IPPROTO value of the next protocol
 2517  *            pkt => ptr to the packet data
 2518  *            len => length from here to the end of the packet
 2519  *            p   => pointer to the packet decode struct
 2520  *
 2521  */
 2522 static inline void DecodeIPv4Proto(const uint8_t proto,
 2523     const uint8_t *pkt, const uint32_t len, Packet *p)
 2524 {
 2525     switch(proto)
 2526     {
 2527         case IPPROTO_TCP:
 2528             pc.tcp++;
 2529             DecodeTCP(pkt, len, p);
 2530             return;
 2531 
 2532         case IPPROTO_UDP:
 2533             pc.udp++;
 2534             DecodeUDP(pkt, len, p);
 2535             return;
 2536 
 2537         case IPPROTO_ICMP:
 2538             pc.icmp++;
 2539             DecodeICMP(pkt, len, p);
 2540             return;
 2541 
 2542 #ifdef MPLS_RFC4023_SUPPORT
 2543         case IPPROTO_MPLS: /*MPLS IN IP (protocol number 137 */
 2544             DecodeMPLS(pkt, len, p);
 2545             return;
 2546 #endif
 2547 
 2548 #ifdef GRE
 2549         case IPPROTO_IPV6:
 2550             if (len < 40)
 2551             {
 2552                 /* Insufficient size for IPv6 Header. */
 2553                 /* This could be an attempt to exploit Linux kernel
 2554                  * vulnerability, so log an alert */
 2555                 DecoderEvent(p, DECODE_IPV6_TUNNELED_IPV4_TRUNCATED,
 2556                             DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR,
 2557                             1, 1);
 2558             }
 2559             pc.ip4ip6++;
 2560             if ( ScTunnelBypassEnabled(TUNNEL_6IN4) )
 2561                 Active_SetTunnelBypass();
 2562             DecodeIPV6(pkt, len, p);
 2563             return;
 2564 
 2565         case IPPROTO_GRE:
 2566             pc.gre++;
 2567             DecodeGRE(pkt, len, p);
 2568             return;
 2569 
 2570         case IPPROTO_IPIP:
 2571             pc.ip4ip4++;
 2572             if ( ScTunnelBypassEnabled(TUNNEL_4IN4) )
 2573                 Active_SetTunnelBypass();
 2574             DecodeIP(pkt, len, p);
 2575             return;
 2576 #endif
 2577 
 2578         case IPPROTO_ESP:
 2579             if (ScESPDecoding())
 2580                 DecodeESP(pkt, len, p);
 2581             return;
 2582 
 2583         case IPPROTO_AH:
 2584             DecodeAH(pkt, len, p);
 2585             return;
 2586 
 2587         case IPPROTO_SWIPE:
 2588         case IPPROTO_IP_MOBILITY:
 2589         case IPPROTO_SUN_ND:
 2590         case IPPROTO_PIM:
 2591             if ( Event_Enabled(DECODE_IP_BAD_PROTO) )
 2592                 DecoderEvent(p, EVARGS(IP_BAD_PROTO), 1, 1);
 2593             pc.other++;
 2594             p->data = pkt;
 2595             p->dsize = (uint16_t)len;
 2596             return;
 2597 
 2598         case IPPROTO_PGM:
 2599             pc.other++;
 2600             p->data = pkt;
 2601             p->dsize = (uint16_t)len;
 2602 
 2603             if ( Event_Enabled(DECODE_PGM_NAK_OVERFLOW) )
 2604                 CheckPGMVuln(p);
 2605             return;
 2606 
 2607         case IPPROTO_IGMP:
 2608             pc.other++;
 2609             p->data = pkt;
 2610             p->dsize = (uint16_t)len;
 2611 
 2612             if ( Event_Enabled(DECODE_IGMP_OPTIONS_DOS) )
 2613                 CheckIGMPVuln(p);
 2614             return;
 2615 
 2616         default:
 2617             if ( Event_Enabled(DECODE_IP_UNASSIGNED_PROTO) )
 2618             {
 2619                 if (GET_IPH_PROTO(p) >= MIN_UNASSIGNED_IP_PROTO)
 2620                     DecoderEvent(p, EVARGS(IP_UNASSIGNED_PROTO), 1, 1);
 2621             }
 2622             pc.other++;
 2623             p->data = pkt;
 2624             p->dsize = (uint16_t)len;
 2625             return;
 2626     }
 2627 }
 2628 
 2629 /*
 2630  * Function: DecodeIP(uint8_t *, const uint32_t, Packet *)
 2631  *
 2632  * Purpose: Decode the IP network layer
 2633  *
 2634  * Arguments: pkt => ptr to the packet data
 2635  *            len => length from here to the end of the packet
 2636  *            p   => pointer to the packet decode struct
 2637  *
 2638  * Returns: void function
 2639  */
 2640 void DecodeIP(const uint8_t * pkt, const uint32_t len, Packet * p)
 2641 {
 2642     uint32_t ip_len; /* length from the start of the ip hdr to the pkt end */
 2643     uint32_t hlen;   /* ip header length */
 2644 
 2645     pc.ip++;
 2646 
 2647 #ifdef GRE
 2648     if (p->greh != NULL)
 2649         pc.gre_ip++;
 2650 #endif
 2651 
 2652     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"););
 2653 
 2654     /* do a little validation */
 2655     if(len < IP_HEADER_LEN)
 2656     {
 2657         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 2658             "WARNING: Truncated IP4 header (%d bytes).\n", len););
 2659 
 2660         if ( Event_Enabled(DECODE_IP4_HDR_TRUNC) && ((p->packet_flags & PKT_UNSURE_ENCAP) == 0))
 2661             DecoderEvent(p, EVARGS(IP4_HDR_TRUNC), 1, 1);
 2662 
 2663         p->iph = NULL;
 2664         p->family = NO_IP;
 2665 
 2666         pc.discards++;
 2667         pc.ipdisc++;
 2668         return;
 2669     }
 2670 
 2671     if (p->family != NO_IP)
 2672     {
 2673         if (p->encapsulated)
 2674         {
 2675             DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
 2676                 DECODE_IP_MULTIPLE_ENCAPSULATION_STR, pkt, len);
 2677 
 2678             return;
 2679         }
 2680         else
 2681         {
 2682             p->encapsulated = 1;
 2683             p->outer_iph = p->iph;
 2684             p->outer_ip_data = p->ip_data;
 2685             p->outer_ip_dsize = p->ip_dsize;
 2686         }
 2687     }
 2688 
 2689     /* lay the IP struct over the raw data */
 2690     p->inner_iph = p->iph = (IPHdr *)pkt;
 2691 
 2692     /*
 2693      * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP.
 2694      * So we are just ignoring non IP datagrams
 2695      */
 2696     if(IP_VER((IPHdr*)pkt) != 4)
 2697     {
 2698         if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)
 2699             DecoderEvent(p, DECODE_NOT_IPV4_DGRAM,
 2700                             DECODE_NOT_IPV4_DGRAM_STR, 1, 1);
 2701 
 2702         p->iph = NULL;
 2703         p->family = NO_IP;
 2704 
 2705         pc.discards++;
 2706         pc.ipdisc++;
 2707         return;
 2708     }
 2709 
 2710     sfiph_build(p, p->iph, AF_INET);
 2711 
 2712     /* get the IP datagram length */
 2713     ip_len = ntohs(p->iph->ip_len);
 2714 
 2715     /* get the IP header length */
 2716     hlen = IP_HLEN(p->iph) << 2;
 2717 
 2718     /* header length sanity check */
 2719     if(hlen < IP_HEADER_LEN)
 2720     {
 2721         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 2722             "Bogus IP header length of %i bytes\n", hlen););
 2723 
 2724         DecoderEvent(p, DECODE_IPV4_INVALID_HEADER_LEN,
 2725                         DECODE_IPV4_INVALID_HEADER_LEN_STR, 1, 1);
 2726 
 2727         p->iph = NULL;
 2728         p->family = NO_IP;
 2729 
 2730         pc.discards++;
 2731         pc.ipdisc++;
 2732         return;
 2733     }
 2734 
 2735     if (ip_len > len)
 2736     {
 2737         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 2738             "IP Len field is %d bytes bigger than captured length.\n"
 2739             "    (ip.len: %lu, cap.len: %lu)\n",
 2740             ip_len - len, ip_len, len););
 2741 
 2742         DecoderEventDrop(p, DECODE_IPV4_DGRAM_GT_CAPLEN,
 2743                             DECODE_IPV4_DGRAM_GT_CAPLEN_STR,
 2744                             ScDecoderOversizedAlerts(),
 2745                             ScDecoderOversizedDrops());
 2746 
 2747         p->iph = NULL;
 2748         p->family = NO_IP;
 2749 
 2750         pc.discards++;
 2751         pc.ipdisc++;
 2752         return;
 2753     }
 2754 #if 0
 2755     // There is no need to alert when (ip_len < len).
 2756     // Libpcap will capture more bytes than are part of the IP payload.
 2757     // These could be Ethernet trailers, ESP trailers, etc.
 2758     // This code is left in, commented, to keep us from re-writing it later.
 2759     else if (ip_len < len)
 2760     {
 2761         if (ScLogVerbose())
 2762             ErrorMessage("IP Len field is %d bytes "
 2763                     "smaller than captured length.\n"
 2764                     "    (ip.len: %lu, cap.len: %lu)\n",
 2765                     len - ip_len, ip_len, len);
 2766     }
 2767 #endif
 2768 
 2769     if(ip_len < hlen)
 2770     {
 2771         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 2772             "IP dgm len (%d bytes) < IP hdr "
 2773             "len (%d bytes), packet discarded\n", ip_len, hlen););
 2774 
 2775         DecoderEvent(p, DECODE_IPV4_DGRAM_LT_IPHDR,
 2776                         DECODE_IPV4_DGRAM_LT_IPHDR_STR, 1, 1);
 2777 
 2778         p->iph = NULL;
 2779         p->family = NO_IP;
 2780 
 2781         pc.discards++;
 2782         pc.ipdisc++;
 2783         return;
 2784     }
 2785 
 2786     /*
 2787      * IP Header tests: Land attack, and Loop back test
 2788      */
 2789     if(ScIdsMode())
 2790     {
 2791         IP4AddrTests(p);
 2792     }
 2793 
 2794 
 2795 #ifdef HAVE_DAQ_DECRYPTED_SSL
 2796     if (!(p->pkth->flags & DAQ_PKT_FLAG_DECRYPTED_SSL) && ScIpChecksums())
 2797 #else
 2798     if (ScIpChecksums())
 2799 #endif
 2800     {
 2801         /* routers drop packets with bad IP checksums, we don't really
 2802          * need to check them (should make this a command line/config
 2803          * option
 2804          */
 2805         int16_t csum = in_chksum_ip((const unsigned short *)p->iph, hlen);
 2806 
 2807         if(csum)
 2808         {
 2809             p->error_flags |= PKT_ERR_CKSUM_IP;
 2810             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n"););
 2811 #ifdef REG_TEST
 2812             if (getRegTestFlags() & REG_TEST_FLAG_STREAM_DECODE)
 2813                 printf("Bad IP checksum | ");
 2814 #endif
 2815 
 2816             if ( ScIdsMode() )
 2817                 queueExecDrop(execIpChksmDrop, p);
 2818         }
 2819 #ifdef DEBUG_MSGS
 2820         else
 2821         {
 2822             DebugMessage(DEBUG_DECODE, "IP Checksum: OK\n");
 2823         }
 2824 #endif /* DEBUG */
 2825     }
 2826 
 2827     PushLayer(PROTO_IP4, p, pkt, hlen);
 2828 
 2829     /* test for IP options */
 2830     p->ip_options_len = (uint16_t)(hlen - IP_HEADER_LEN);
 2831 
 2832     if(p->ip_options_len > 0)
 2833     {
 2834         p->ip_options_data = pkt + IP_HEADER_LEN;
 2835         DecodeIPOptions((pkt + IP_HEADER_LEN), p->ip_options_len, p);
 2836     }
 2837     else
 2838     {
 2839 #ifdef GRE
 2840         /* If delivery header for GRE encapsulated packet is IP and it
 2841          * had options, the packet's ip options will be refering to this
 2842          * outer IP's options
 2843          * Zero these options so they aren't associated with this inner IP
 2844          * since p->iph will be pointing to this inner IP
 2845          */
 2846         if (p->encapsulated)
 2847         {
 2848             p->ip_options_data = NULL;
 2849             p->ip_options_len = 0;
 2850         }
 2851 #endif
 2852         p->ip_option_count = 0;
 2853     }
 2854 
 2855     /* set the real IP length for logging */
 2856     p->actual_ip_len = (uint16_t) ip_len;
 2857 
 2858     /* set the remaining packet length */
 2859     ip_len -= hlen;
 2860 
 2861     /* check for fragmented packets */
 2862     p->frag_offset = ntohs(p->iph->ip_off);
 2863 
 2864     /*
 2865      * get the values of the reserved, more
 2866      * fragments and don't fragment flags
 2867      */
 2868     p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15);
 2869     p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14);
 2870     p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13);
 2871 
 2872     /* mask off the high bits in the fragment offset field */
 2873     p->frag_offset &= 0x1FFF;
 2874 
 2875     if ( Event_Enabled(DECODE_IP4_DF_OFFSET) )
 2876         if ( p->df && p->frag_offset )
 2877             DecoderEvent(p, EVARGS(IP4_DF_OFFSET), 1, 1);
 2878 
 2879     if ( Event_Enabled(DECODE_IP4_LEN_OFFSET) )
 2880         if ( p->frag_offset + p->actual_ip_len > IP_MAXPACKET )
 2881             DecoderEvent(p, EVARGS(IP4_LEN_OFFSET), 1, 1);
 2882 
 2883     if(p->frag_offset || p->mf)
 2884     {
 2885         if ( !ip_len && Event_Enabled(DECODE_ZERO_LENGTH_FRAG) )
 2886         {
 2887             DecoderEvent(p, DECODE_ZERO_LENGTH_FRAG,
 2888                 DECODE_ZERO_LENGTH_FRAG_STR, 1, 1);
 2889             p->frag_flag = 0;
 2890         }
 2891         else
 2892         {
 2893             /* set the packet fragment flag */
 2894             p->frag_flag = 1;
 2895             p->ip_frag_start = pkt + hlen;
 2896             p->ip_frag_len = (uint16_t)ip_len;
 2897             pc.frags++;
 2898         }
 2899     }
 2900     else
 2901     {
 2902         p->frag_flag = 0;
 2903     }
 2904 
 2905     if(Event_Enabled(DECODE_BAD_FRAGBITS))
 2906     {
 2907 
 2908         if( p->mf && p->df )
 2909         {
 2910             DecoderEvent(p, DECODE_BAD_FRAGBITS,
 2911                             DECODE_BAD_FRAGBITS_STR, 1, 1);
 2912         }
 2913     }
 2914 
 2915     /* Set some convienience pointers */
 2916     p->ip_data = pkt + hlen;
 2917     p->ip_dsize = (u_short) ip_len;
 2918 
 2919     if (ScIdsMode())
 2920     {
 2921         /* See if there are any ip_proto only rules that match */
 2922         fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p);
 2923         p->proto_bits |= PROTO_BIT__IP;
 2924     }
 2925 
 2926     IPMiscTests(p);
 2927 
 2928     /* if this packet isn't a fragment
 2929      * or if it is, its a UDP packet and offset is 0 */
 2930     if(!(p->frag_flag) ||
 2931             (p->frag_flag && (p->frag_offset == 0) &&
 2932             (p->iph->ip_proto == IPPROTO_UDP)))
 2933     {
 2934         DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP header length: %lu\n",
 2935                     (unsigned long)hlen););
 2936 
 2937         DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
 2938     }
 2939     else
 2940     {
 2941         /* set the payload pointer and payload size */
 2942         p->data = pkt + hlen;
 2943         p->dsize = (u_short) ip_len;
 2944     }
 2945 }
 2946 
 2947 //--------------------------------------------------------------------
 2948 // decode.c::ICMP
 2949 //--------------------------------------------------------------------
 2950 
 2951 /*
 2952  * Function: DecodeICMP(uint8_t *, const uint32_t, Packet *)
 2953  *
 2954  * Purpose: Decode the ICMP transport layer
 2955  *
 2956  * Arguments: pkt => ptr to the packet data
 2957  *            len => length from here to the end of the packet
 2958  *            p   => pointer to the decoded packet struct
 2959  *
 2960  * Returns: void function
 2961  */
 2962 void DecodeICMP(const uint8_t * pkt, const uint32_t len, Packet * p)
 2963 {
 2964     if(len < ICMP_HEADER_LEN)
 2965     {
 2966         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 2967             "WARNING: Truncated ICMP4 header (%d bytes).\n", len););
 2968 
 2969         if ( Event_Enabled(DECODE_ICMP4_HDR_TRUNC) )
 2970             DecoderEvent(p, EVARGS(ICMP4_HDR_TRUNC), 1, 1);
 2971 
 2972         p->icmph = NULL;
 2973         pc.discards++;
 2974         pc.icmpdisc++;
 2975 
 2976         return;
 2977     }
 2978 
 2979     /* set the header ptr first */
 2980     p->icmph = (ICMPHdr *) pkt;
 2981 
 2982     switch (p->icmph->type)
 2983     {
 2984             // fall through ...
 2985         case ICMP_SOURCE_QUENCH:
 2986         case ICMP_DEST_UNREACH:
 2987         case ICMP_REDIRECT:
 2988         case ICMP_TIME_EXCEEDED:
 2989         case ICMP_PARAMETERPROB:
 2990         case ICMP_ECHOREPLY:
 2991         case ICMP_ECHO:
 2992         case ICMP_ROUTER_ADVERTISE:
 2993         case ICMP_ROUTER_SOLICIT:
 2994         case ICMP_INFO_REQUEST:
 2995         case ICMP_INFO_REPLY:
 2996             if (len < 8)
 2997             {
 2998                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 2999                     "Truncated ICMP header(%d bytes)\n", len););
 3000 
 3001                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
 3002                                 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
 3003 
 3004                 p->icmph = NULL;
 3005                 pc.discards++;
 3006                 pc.icmpdisc++;
 3007 
 3008                 return;
 3009             }
 3010             break;
 3011 
 3012         case ICMP_TIMESTAMP:
 3013         case ICMP_TIMESTAMPREPLY:
 3014             if (len < 20)
 3015             {
 3016                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 3017                     "Truncated ICMP header(%d bytes)\n", len););
 3018 
 3019                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR,
 3020                                 DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR, 1, 1);
 3021 
 3022                 p->icmph = NULL;
 3023                 pc.discards++;
 3024                 pc.icmpdisc++;
 3025 
 3026                 return;
 3027             }
 3028             break;
 3029 
 3030         case ICMP_ADDRESS:
 3031         case ICMP_ADDRESSREPLY:
 3032             if (len < 12)
 3033             {
 3034                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 3035                     "Truncated ICMP header(%d bytes)\n", len););
 3036 
 3037 
 3038                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ADDRHDR,
 3039                                 DECODE_ICMP_DGRAM_LT_ADDRHDR_STR, 1, 1);
 3040 
 3041                 p->icmph = NULL;
 3042                 pc.discards++;
 3043                 pc.icmpdisc++;
 3044 
 3045                 return;
 3046             }
 3047             break;
 3048 
 3049         default:
 3050             if ( Event_Enabled(DECODE_ICMP4_TYPE_OTHER) )
 3051                 DecoderEvent(p, EVARGS(ICMP4_TYPE_OTHER), 1, 1);
 3052             break;
 3053     }
 3054 
 3055 
 3056     if (ScIcmpChecksums())
 3057     {
 3058         uint16_t csum = in_chksum_icmp((uint16_t *)p->icmph, len);
 3059 
 3060         if(csum)
 3061         {
 3062             p->error_flags |= PKT_ERR_CKSUM_ICMP;
 3063             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n"););
 3064 
 3065             if ( ScIdsMode() )
 3066                 queueExecDrop(execIcmpChksmDrop, p);
 3067         }
 3068         else
 3069         {
 3070             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n"););
 3071         }
 3072     }
 3073 
 3074     p->dsize = (u_short)(len - ICMP_HEADER_LEN);
 3075     p->data = pkt + ICMP_HEADER_LEN;
 3076 
 3077     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d   code: %d\n",
 3078                 p->icmph->type, p->icmph->code););
 3079 
 3080     switch(p->icmph->type)
 3081     {
 3082         case ICMP_ECHO:
 3083             ICMP4AddrTests(p);
 3084         // fall through ...
 3085 
 3086         case ICMP_ECHOREPLY:
 3087             /* setup the pkt id and seq numbers */
 3088             p->dsize -= sizeof(struct idseq);   /* add the size of the
 3089                                                  * echo ext to the data
 3090                                                  * ptr and subtract it
 3091                                                  * from the data size */
 3092             p->data += sizeof(struct idseq);
 3093             PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN);
 3094             break;
 3095 
 3096         case ICMP_DEST_UNREACH:
 3097             if ((p->icmph->code == ICMP_FRAG_NEEDED)
 3098                     && (ntohs(p->icmph->s_icmp_nextmtu) < 576))
 3099             {
 3100                 if ( Event_Enabled(DECODE_ICMP_PATH_MTU_DOS) )
 3101                     DecoderEvent(p, EVARGS(ICMP_PATH_MTU_DOS), 1, 1);
 3102             }
 3103 
 3104             /* Fall through */
 3105 
 3106         case ICMP_SOURCE_QUENCH:
 3107         case ICMP_REDIRECT:
 3108         case ICMP_TIME_EXCEEDED:
 3109         case ICMP_PARAMETERPROB:
 3110             /* account for extra 4 bytes in header */
 3111             p->dsize -= 4;
 3112             p->data += 4;
 3113 
 3114             PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN);
 3115             DecodeICMPEmbeddedIP(p->data, p->dsize, p);
 3116             break;
 3117 
 3118         default:
 3119             PushLayer(PROTO_ICMP4, p, pkt, ICMP_HEADER_LEN);
 3120             break;
 3121     }
 3122 
 3123     /* Run a bunch of ICMP decoder rules */
 3124     ICMP4MiscTests(p);
 3125 
 3126     p->proto_bits |= PROTO_BIT__ICMP;
 3127     p->proto_bits &= ~(PROTO_BIT__UDP | PROTO_BIT__TCP);
 3128 }
 3129 
 3130 /*
 3131  * Function: DecodeICMPEmbeddedIP(uint8_t *, const uint32_t, Packet *)
 3132  *
 3133  * Purpose: Decode the ICMP embedded IP header + 64 bits payload
 3134  *
 3135  * Arguments: pkt => ptr to the packet data
 3136  *            len => length from here to the end of the packet
 3137  *            p   => pointer to dummy packet decode struct
 3138  *
 3139  * Returns: void function
 3140  */
 3141 void DecodeICMPEmbeddedIP(const uint8_t *pkt, const uint32_t len, Packet *p)
 3142 {
 3143     uint32_t ip_len;       /* length from the start of the ip hdr to the
 3144                              * pkt end */
 3145     uint32_t hlen;             /* ip header length */
 3146     uint16_t orig_frag_offset;
 3147 
 3148     /* do a little validation */
 3149     if(len < IP_HEADER_LEN)
 3150     {
 3151         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 3152             "ICMP: IP short header (%d bytes)\n", len););
 3153 
 3154         DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED,
 3155                         DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1);
 3156 
 3157         p->orig_family = NO_IP;
 3158         p->orig_iph = NULL;
 3159         return;
 3160     }
 3161 
 3162     /* lay the IP struct over the raw data */
 3163     sfiph_orig_build(p, pkt, AF_INET);
 3164     p->orig_iph = (IPHdr *) pkt;
 3165 
 3166     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP: ip header"
 3167                     " starts at: %p, length is %lu\n", p->orig_iph,
 3168                     (unsigned long) len););
 3169     /*
 3170      * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP.
 3171      * So we are just ignoring non IP datagrams
 3172      */
 3173     if((GET_ORIG_IPH_VER(p) != 4) && !IS_IP6(p))
 3174     {
 3175         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 3176             "ICMP: not IPv4 datagram ([ver: 0x%x][len: 0x%x])\n",
 3177             GET_ORIG_IPH_VER(p), GET_ORIG_IPH_LEN(p)););
 3178 
 3179         DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH,
 3180                         DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1);
 3181 
 3182         p->orig_family = NO_IP;
 3183         p->orig_iph = NULL;
 3184         return;
 3185     }
 3186 
 3187     /* set the IP datagram length */
 3188     ip_len = ntohs(GET_ORIG_IPH_LEN(p));
 3189 
 3190     /* set the IP header length */
 3191     hlen = (p->orig_ip4h->ip_verhl & 0x0f) << 2;
 3192 
 3193     if(len < hlen)
 3194     {
 3195         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 3196             "ICMP: IP len (%d bytes) < IP hdr len (%d bytes), packet discarded\n",
 3197             ip_len, hlen););
 3198 
 3199         DecoderEvent(p, DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP,
 3200                         DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 1, 1);
 3201 
 3202         p->orig_family = NO_IP;
 3203         p->orig_iph = NULL;
 3204         return;
 3205     }
 3206 
 3207     /* set the remaining packet length */
 3208     ip_len = len - hlen;
 3209 
 3210     orig_frag_offset = ntohs(GET_ORIG_IPH_OFF(p));
 3211     orig_frag_offset &= 0x1FFF;
 3212 
 3213     if (orig_frag_offset == 0)
 3214     {
 3215         /* Original IP payload should be 64 bits */
 3216         if (ip_len < 8)
 3217         {
 3218             DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_LT_64,
 3219                             DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 1, 1);
 3220 
 3221             return;
 3222         }
 3223         /* ICMP error packets could contain as much of original payload
 3224          * as possible, but not exceed 576 bytes
 3225          */
 3226         else if (ntohs(GET_IPH_LEN(p)) > 576)
 3227         {
 3228             DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_GT_576,
 3229                             DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR, 1, 1);
 3230         }
 3231     }
 3232     else
 3233     {
 3234         /* RFC states that only first frag will get an ICMP response */
 3235         DecoderEvent(p, DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET,
 3236                         DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR, 1, 1);
 3237         return;
 3238     }
 3239 
 3240     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP Unreachable IP header length: "
 3241                             "%lu\n", (unsigned long)hlen););
 3242 
 3243     switch(GET_ORIG_IPH_PROTO(p))
 3244     {
 3245         case IPPROTO_TCP: /* decode the interesting part of the header */
 3246             p->orig_tcph = (TCPHdr *)(pkt + hlen);
 3247 
 3248             /* stuff more data into the printout data struct */
 3249             p->orig_sp = ntohs(p->orig_tcph->th_sport);
 3250             p->orig_dp = ntohs(p->orig_tcph->th_dport);
 3251 
 3252             break;
 3253 
 3254         case IPPROTO_UDP:
 3255             p->orig_udph = (UDPHdr *)(pkt + hlen);
 3256 
 3257             /* fill in the printout data structs */
 3258             p->orig_sp = ntohs(p->orig_udph->uh_sport);
 3259             p->orig_dp = ntohs(p->orig_udph->uh_dport);
 3260 
 3261             break;
 3262 
 3263         case IPPROTO_ICMP:
 3264             p->orig_icmph = (ICMPHdr *)(pkt + hlen);
 3265             break;
 3266     }
 3267 
 3268     return;
 3269 }
 3270 
 3271 /*
 3272  * Function: DecodeIPV6(uint8_t *, uint32_t)
 3273  *
 3274  * Purpose: Decoding IPv6 headers
 3275  *
 3276  * Arguments: pkt => ptr to the packet data
 3277  *            len => length from here to the end of the packet
 3278  *
 3279  * Returns: void function
 3280  */
 3281 
 3282 //--------------------------------------------------------------------
 3283 // decode.c::IP6 misc
 3284 //--------------------------------------------------------------------
 3285 
 3286 #define IP6_MULTICAST  0xFF  // first/most significant octet
 3287 #define IP6_MULTICAST_SCOPE_RESERVED    0x00
 3288 #define IP6_MULTICAST_SCOPE_INTERFACE   0x01
 3289 #define IP6_MULTICAST_SCOPE_LINK        0x02
 3290 #define IP6_MULTICAST_SCOPE_ADMIN       0x04
 3291 #define IP6_MULTICAST_SCOPE_SITE        0x05
 3292 #define IP6_MULTICAST_SCOPE_ORG         0x08
 3293 #define IP6_MULTICAST_SCOPE_GLOBAL      0x0E
 3294 
 3295 /* Check for multiple IPv6 Multicast-related alerts */
 3296 static void CheckIPV6Multicast(Packet *p)
 3297 {
 3298     IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
 3299     uint8_t multicast_scope;
 3300     struct in6_addr* ip_dst;
 3301     uint32_t h_ip_dst;
 3302 
 3303     if ( hdr6->ip6_src.s6_addr[0] == IP6_MULTICAST )
 3304     {
 3305         DecoderEvent(p, DECODE_IPV6_SRC_MULTICAST,
 3306                      DECODE_IPV6_SRC_MULTICAST_STR, 1, 1);
 3307     }
 3308     ip_dst = &hdr6->ip6_dst;
 3309     if ( ip_dst->s6_addr[0] != IP6_MULTICAST )
 3310     {
 3311         return;
 3312     }
 3313 
 3314     multicast_scope = ip_dst->s6_addr[1] & 0x0F;
 3315     switch (multicast_scope)
 3316     {
 3317         case IP6_MULTICAST_SCOPE_RESERVED:
 3318         case IP6_MULTICAST_SCOPE_INTERFACE:
 3319         case IP6_MULTICAST_SCOPE_LINK:
 3320         case IP6_MULTICAST_SCOPE_ADMIN:
 3321         case IP6_MULTICAST_SCOPE_SITE:
 3322         case IP6_MULTICAST_SCOPE_ORG:
 3323         case IP6_MULTICAST_SCOPE_GLOBAL:
 3324             break;
 3325 
 3326         default:
 3327             DecoderEvent(p, DECODE_IPV6_BAD_MULTICAST_SCOPE,
 3328                          DECODE_IPV6_BAD_MULTICAST_SCOPE_STR, 1, 1);
 3329     }
 3330 
 3331     /* Check against assigned multicast addresses. These are listed at:
 3332        http://www.iana.org/assignments/ipv6-multicast-addresses/    */
 3333 
 3334     /* Multicast addresses only specify the first 16 and last 40 bits.
 3335        Others should be zero. */
 3336     if ((ip_dst->s6_addr16[1] != 0) ||
 3337         (ip_dst->s6_addr32[1] != 0) ||
 3338         (ip_dst->s6_addr16[4] != 0) ||
 3339         (ip_dst->s6_addr[10] != 0))
 3340     {
 3341         DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
 3342                      DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
 3343         return;
 3344     }
 3345 
 3346     if (ip_dst->s6_addr[1] == IP6_MULTICAST_SCOPE_INTERFACE)
 3347     {
 3348         // Node-local scope
 3349         if ((ip_dst->s6_addr16[1] != 0) ||
 3350             (ip_dst->s6_addr32[1] != 0) ||
 3351             (ip_dst->s6_addr32[2] != 0) ||
 3352             (ip_dst->s6_addr16[6] != 0))
 3353         {
 3354 
 3355             DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
 3356                          DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
 3357         }
 3358         else
 3359         {
 3360             switch (ntohl(ip_dst->s6_addr32[3]))
 3361             {
 3362                 case 0x00000001: // All Nodes
 3363                 case 0x00000002: // All Routers
 3364                 case 0x000000FB: // mDNSv6
 3365                     break;
 3366                 default:
 3367                     DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
 3368                                  DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
 3369             }
 3370         }
 3371     }
 3372     else if (ip_dst->s6_addr[1] == IP6_MULTICAST_SCOPE_LINK)
 3373     {
 3374         // Link-local scope
 3375         switch (ntohl(ip_dst->s6_addr32[3]))
 3376         {
 3377             case 0x00000001: // All Nodes
 3378             case 0x00000002: // All Routers
 3379             case 0x00000004: // DVMRP Routers
 3380             case 0x00000005: // OSPFIGP
 3381             case 0x00000006: // OSPFIGP Designated Routers
 3382             case 0x00000007: // ST Routers
 3383             case 0x00000008: // ST Hosts
 3384             case 0x00000009: // RIP Routers
 3385             case 0x0000000A: // EIGRP Routers
 3386             case 0x0000000B: // Mobile-Agents
 3387             case 0x0000000C: // SSDP
 3388             case 0x0000000D: // All PIMP Routers
 3389             case 0x0000000E: // RSVP-ENCAPSULATION
 3390             case 0x0000000F: // UPnP
 3391             case 0x00000012: // VRRP
 3392             case 0x00000016: // All MLDv2-capable routers
 3393             case 0x0000006A: // All-Snoopers
 3394             case 0x0000006B: // PTP-pdelay
 3395             case 0x0000006C: // Saratoga
 3396             case 0x0000006D: // LL-MANET-Routers
 3397             case 0x0000006E: // IGRS
 3398             case 0x0000006F: // iADT Discovery
 3399             case 0x000000FB: // mDNSv6
 3400             case 0x00010001: // Link Name
 3401             case 0x00010002: // All-dhcp-agents
 3402             case 0x00010003: // Link-local Multicast Name Resolution
 3403             case 0x00010004: // DTCP Announcement
 3404                 break;
 3405             default:
 3406                 if ((ip_dst->s6_addr[11] == 1) &&
 3407                     (ip_dst->s6_addr[12] == 0xFF))
 3408                 {
 3409                     break; // Solicited-Node Address
 3410                 }
 3411                 if ((ip_dst->s6_addr[11] == 2) &&
 3412                     (ip_dst->s6_addr[12] == 0xFF))
 3413                 {
 3414                     break; // Node Information Queries
 3415                 }
 3416                 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
 3417                              DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
 3418         }
 3419     }
 3420     else if (ip_dst->s6_addr[1] == IP6_MULTICAST_SCOPE_SITE)
 3421     {
 3422         // Site-local scope
 3423         switch (ntohl(ip_dst->s6_addr32[3]))
 3424         {
 3425             case 0x00000002: // All Routers
 3426             case 0x000000FB: // mDNSv6
 3427             case 0x00010003: // All-dhcp-servers
 3428             case 0x00010004: // Deprecated
 3429             case 0x00010005: // SL-MANET-ROUTERS
 3430                 break;
 3431             default:
 3432                 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
 3433                              DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
 3434         }
 3435     }
 3436     else if ((ip_dst->s6_addr[1] & 0xF0) == 0)
 3437     {
 3438         h_ip_dst = ntohl(ip_dst->s6_addr32[3]);
 3439 
 3440         // Variable scope
 3441         switch (h_ip_dst)
 3442         {
 3443             case 0x0000000C: // SSDP
 3444             case 0x000000FB: // mDNSv6
 3445             case 0x00000181: // PTP-primary
 3446             case 0x00000182: // PTP-alternate1
 3447             case 0x00000183: // PTP-alternate2
 3448             case 0x00000184: // PTP-alternate3
 3449             case 0x0000018C: // All ACs multicast address
 3450             case 0x00000201: // "rwho" Group (BSD)
 3451             case 0x00000202: // SUN RPC PMAPPROC_CALLIT
 3452             case 0x00000204: // All C1222 Nodes
 3453             case 0x00000300: // Mbus/IPv6
 3454             case 0x00027FFE: // SAPv1 Announcements
 3455             case 0x00027FFF: // SAPv0 Announcements
 3456                 break;
 3457             default:
 3458                 if ((h_ip_dst >= 0x00000100) &&
 3459                     (h_ip_dst <= 0x00000136))
 3460                 {
 3461                     break; // Several addresses assigned in a contiguous block
 3462                 }
 3463 
 3464                 if ((h_ip_dst >= 0x00000140) &&
 3465                     (h_ip_dst <= 0x0000014F))
 3466                 {
 3467                     break; // EPSON-disc-set
 3468                 }
 3469 
 3470                 if ((h_ip_dst >= 0x00020000) &&
 3471                     (h_ip_dst <= 0x00027FFD))
 3472                 {
 3473                     break; // Multimedia Conference Calls
 3474                 }
 3475 
 3476                 if ((h_ip_dst >= 0x00011000) &&
 3477                     (h_ip_dst <= 0x000113FF))
 3478                 {
 3479                     break; // Service Location, Version 2
 3480                 }
 3481 
 3482                 if ((h_ip_dst >= 0x00028000) &&
 3483                     (h_ip_dst <= 0x0002FFFF))
 3484                 {
 3485                     break; // SAP Dynamic Assignments
 3486                 }
 3487 
 3488                 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
 3489                              DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
 3490         }
 3491     }
 3492     else if ((ip_dst->s6_addr[1] & 0xF0) == 0x30)
 3493     {
 3494         h_ip_dst = ntohl(ip_dst->s6_addr32[3]);
 3495 
 3496         // Source-Specific Multicast block
 3497         if ((h_ip_dst >= 0x40000001) &&
 3498             (h_ip_dst <= 0x7FFFFFFF))
 3499         {
 3500             return; // IETF consensus
 3501         }
 3502         else if ((h_ip_dst >= 0x80000000) &&
 3503             (h_ip_dst <= 0xFFFFFFFF))
 3504         {
 3505             return; // Dynamiclly allocated by hosts when needed
 3506         }
 3507         else
 3508         {
 3509             // Other addresses in this block are reserved.
 3510             DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
 3511                          DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
 3512         }
 3513     }
 3514     else
 3515     {
 3516         /* Addresses not listed above are reserved. */
 3517         DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
 3518                      DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
 3519     }
 3520 }
 3521 
 3522 /* Teredo packets need to have one of their IPs use either the Teredo prefix,
 3523    or a link-local prefix (in the case of Router Solicitation messages) */
 3524 static inline int CheckTeredoPrefix(IP6RawHdr *hdr)
 3525 {
 3526     /* Check if src address matches 2001::/32 */
 3527     if ((hdr->ip6_src.s6_addr[0] == 0x20) &&
 3528         (hdr->ip6_src.s6_addr[1] == 0x01) &&
 3529         (hdr->ip6_src.s6_addr[2] == 0x00) &&
 3530         (hdr->ip6_src.s6_addr[3] == 0x00))
 3531         return 1;
 3532 
 3533     /* Check if src address matches fe80::/64 */
 3534     if ((hdr->ip6_src.s6_addr[0] == 0xfe) &&
 3535         (hdr->ip6_src.s6_addr[1] == 0x80) &&
 3536         (hdr->ip6_src.s6_addr[2] == 0x00) &&
 3537         (hdr->ip6_src.s6_addr[3] == 0x00) &&
 3538         (hdr->ip6_src.s6_addr[4] == 0x00) &&
 3539         (hdr->ip6_src.s6_addr[5] == 0x00) &&
 3540         (hdr->ip6_src.s6_addr[6] == 0x00) &&
 3541         (hdr->ip6_src.s6_addr[7] == 0x00))
 3542         return 1;
 3543 
 3544     /* Check if dst address matches 2001::/32 */
 3545     if ((hdr->ip6_dst.s6_addr[0] == 0x20) &&
 3546         (hdr->ip6_dst.s6_addr[1] == 0x01) &&
 3547         (hdr->ip6_dst.s6_addr[2] == 0x00) &&
 3548         (hdr->ip6_dst.s6_addr[3] == 0x00))
 3549         return 1;
 3550 
 3551     /* Check if dst address matches fe80::/64 */
 3552     if ((hdr->ip6_dst.s6_addr[0] == 0xfe) &&
 3553         (hdr->ip6_dst.s6_addr[1] == 0x80) &&
 3554         (hdr->ip6_dst.s6_addr[2] == 0x00) &&
 3555         (hdr->ip6_dst.s6_addr[3] == 0x00) &&
 3556         (hdr->ip6_dst.s6_addr[4] == 0x00) &&
 3557         (hdr->ip6_dst.s6_addr[5] == 0x00) &&
 3558         (hdr->ip6_dst.s6_addr[6] == 0x00) &&
 3559         (hdr->ip6_dst.s6_addr[7] == 0x00))
 3560         return 1;
 3561 
 3562     /* No Teredo prefix found. */
 3563     return 0;
 3564 }
 3565 
 3566 /* Function: IPV6MiscTests(Packet *p)
 3567  *
 3568  * Purpose: A bunch of IPv6 decoder alerts
 3569  *
 3570  * Arguments: p => the Packet to check
 3571  *
 3572  * Returns: void function
 3573  */
 3574 static inline void IPV6MiscTests(Packet *p)
 3575 {
 3576     IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
 3577     /*
 3578      * Some IP Header tests
 3579      * Land Attack(same src/dst ip)
 3580      * Loopback (src or dst in 127/8 block)
 3581      * Modified: 2/22/05-man for High Endian Architecture.
 3582      *
 3583      * some points in the code assume an IP of 0.0.0.0 matches anything, but
 3584      * that is not so here.  The sfip_compare makes that assumption for
 3585      * compatibility, but sfip_contains does not.  Hence, sfip_contains
 3586      * is used here in the interrim. */
 3587 #if !defined(SFLINUX) && defined(DAQ_CAPA_VRF)   
 3588     uint16_t sAsId;
 3589     uint16_t dAsId;
 3590 
 3591     sAsId = DAQ_GetSourceAddressSpaceID(p->pkth);
 3592     dAsId = DAQ_GetDestinationAddressSpaceID(p->pkth);
 3593 
 3594     if( sfip_fast_eq6((sfaddr_t*)&hdr6->ip6_src.s6_addr, (sfaddr_t*)&hdr6->ip6_dst.s6_addr)
 3595             && (sAsId == dAsId))
 3596     {
 3597         DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST,
 3598                      DECODE_BAD_TRAFFIC_SAME_SRCDST_STR,
 3599                      1, 1);
 3600         if( pkt_trace_enabled ) 
 3601         { 
 3602             addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE, 
 3603                         "Packet is blocked since same source and destination")); 
 3604         } 
 3605     }
 3606 #else
 3607     if( sfip_fast_eq6((sfaddr_t*)&hdr6->ip6_src.s6_addr, (sfaddr_t*)&hdr6->ip6_dst.s6_addr))
 3608     {
 3609         DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST,
 3610                      DECODE_BAD_TRAFFIC_SAME_SRCDST_STR,
 3611                      1, 1);
 3612     }
 3613 #endif
 3614     if(sfip_is_loopback((sfaddr_t*)&hdr6->ip6_src.s6_addr) || sfip_is_loopback((sfaddr_t*)&hdr6->ip6_dst.s6_addr))
 3615     {
 3616         DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK,
 3617                      DECODE_BAD_TRAFFIC_LOOPBACK_STR,
 3618                      1,1);
 3619     }
 3620 
 3621     /* Other decoder alerts for IPv6 addresses
 3622        Added: 5/24/10 (Snort 2.9.0) */
 3623     if (!sfraw_is_set(&hdr6->ip6_dst))
 3624     {
 3625         DecoderEvent(p, DECODE_IPV6_DST_ZERO, DECODE_IPV6_DST_ZERO_STR, 1, 1);
 3626     }
 3627 
 3628     CheckIPV6Multicast(p);
 3629 
 3630     if ( Event_Enabled(DECODE_IPV6_ISATAP_SPOOF) )
 3631     {
 3632         /* Only check for IPv6 over IPv4 */
 3633         if (p->outer_iph && p->outer_iph->ip_proto == IPPROTO_IPV6)
 3634         {
 3635             uint32_t isatap_interface_id = ntohl(hdr6->ip6_src.s6_addr32[2]) & 0xFCFFFFFF;
 3636 
 3637             /* ISATAP uses address with prefix fe80:0000:0000:0000:0200:5efe or
 3638                fe80:0000:0000:0000:0000:5efe, followed by the IPv4 address. */
 3639             if (isatap_interface_id == 0x00005EFE)
 3640             {
 3641                 if (p->outer_iph->ip_src.s_addr != hdr6->ip6_src.s6_addr32[3])
 3642                     DecoderEvent(p, EVARGS(IPV6_ISATAP_SPOOF), 1, 1);
 3643             }
 3644         }
 3645     }
 3646 }
 3647 
 3648 //--------------------------------------------------------------------
 3649 // decode.c::IP6 extensions
 3650 //--------------------------------------------------------------------
 3651 
 3652 static inline int IPV6ExtensionOrder(uint8_t type)
 3653 {
 3654     switch (type)
 3655     {
 3656         case IPPROTO_HOPOPTS:   return 1;
 3657         case IPPROTO_DSTOPTS:   return 2;
 3658         case IPPROTO_ROUTING:   return 3;
 3659         case IPPROTO_FRAGMENT:  return 4;
 3660         case IPPROTO_AH:        return 5;
 3661         case IPPROTO_ESP:       return 6;
 3662         default:                return 7;
 3663     }
 3664 }
 3665 
 3666 /* Check for out-of-order IPv6 Extension Headers */
 3667 static inline void CheckIPv6ExtensionOrder(Packet *p)
 3668 {
 3669     int routing_seen = 0;
 3670     int current_type_order, next_type_order, i;
 3671 
 3672     if (Event_Enabled(DECODE_IPV6_UNORDERED_EXTENSIONS))
 3673     {
 3674         if (p->ip6_extension_count > 0)
 3675             current_type_order = IPV6ExtensionOrder(p->ip6_extensions[0].type);
 3676 
 3677         for (i = 1; i < (p->ip6_extension_count); i++)
 3678         {
 3679             next_type_order = IPV6ExtensionOrder(p->ip6_extensions[i].type);
 3680 
 3681             if (p->ip6_extensions[i].type == IPPROTO_ROUTING)
 3682                 routing_seen = 1;
 3683 
 3684             if (next_type_order <= current_type_order)
 3685             {
 3686                 /* A second "Destination Options" header is allowed iff:
 3687                    1) A routing header was already seen, and
 3688                    2) The second destination header is the last one before the upper layer.
 3689                 */
 3690                 if (!routing_seen ||
 3691                     !(p->ip6_extensions[i].type == IPPROTO_DSTOPTS) ||
 3692                     !(i+1 == p->ip6_extension_count))
 3693                 {
 3694                     DecoderEvent(p, EVARGS(IPV6_UNORDERED_EXTENSIONS), 1, 1);
 3695                 }
 3696             }
 3697 
 3698             current_type_order = next_type_order;
 3699         }
 3700     }
 3701 }
 3702 
 3703 void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p);
 3704 
 3705 static inline int CheckIPV6HopOptions(const uint8_t *pkt, uint32_t len, Packet *p)
 3706 {
 3707     IP6Extension *exthdr = (IP6Extension *)pkt;
 3708     uint32_t total_octets = (exthdr->ip6e_len * 8) + 8;
 3709     const uint8_t *hdr_end = pkt + total_octets;
 3710     uint8_t type, oplen;
 3711 
 3712     if (len < total_octets)
 3713     {
 3714         DecoderEvent(p, EVARGS(IPV6_TRUNCATED_EXT), 1, 1);
 3715         return -1;
 3716     }
 3717 
 3718     /* Skip to the options */
 3719     pkt += 2;
 3720 
 3721     /* Iterate through the options, check for bad ones */
 3722     while (pkt < hdr_end)
 3723     {
 3724         type = *pkt;
 3725         switch (type)
 3726         {
 3727             case IP6_OPT_PAD1:
 3728                 pkt++;
 3729                 break;
 3730             case IP6_OPT_PADN:
 3731             case IP6_OPT_JUMBO:
 3732             case IP6_OPT_RTALERT:
 3733             case IP6_OPT_TUNNEL_ENCAP:
 3734             case IP6_OPT_QUICK_START:
 3735             case IP6_OPT_CALIPSO:
 3736             case IP6_OPT_HOME_ADDRESS:
 3737             case IP6_OPT_ENDPOINT_IDENT:
 3738                 pkt++;
 3739                 if (pkt < hdr_end)
 3740                 {
 3741                     oplen = *pkt;
 3742                     if ((pkt + oplen + 1) > hdr_end)
 3743                     {
 3744                         DecoderEvent(p, EVARGS(IPV6_BAD_OPT_LEN), 1, 1);
 3745                         return -1;
 3746                     }
 3747                     pkt += oplen + 1;
 3748                 }
 3749                 break;
 3750             default:
 3751                 DecoderEvent(p, EVARGS(IPV6_BAD_OPT_TYPE), 1, 1);
 3752                 return -1;
 3753         }
 3754     }
 3755 
 3756     return 0;
 3757 }
 3758 
 3759 void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p)
 3760 {
 3761     IP6Extension *exthdr;
 3762     uint32_t hdrlen = 0;
 3763 
 3764     /* This should only be called by DecodeIPV6 or DecodeIPV6Extensions
 3765      * so no validation performed.  Otherwise, uncomment the following: */
 3766     /* if(IPH_IS_VALID(p)) return */
 3767 
 3768     pc.ipv6opts++;
 3769 
 3770     /* Need at least two bytes, one for next header, one for len. */
 3771     /* But size is an integer multiple of 8 octets, so 8 is min.  */
 3772     if(len < sizeof(IP6Extension))
 3773     {
 3774         DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT,
 3775                      DECODE_IPV6_TRUNCATED_EXT_STR,
 3776                      1, 1);
 3777         return;
 3778     }
 3779 
 3780     if ( p->ip6_extension_count >= ScMaxIP6Extensions() )
 3781     {
 3782         DecoderEvent(p, DECODE_IP6_EXCESS_EXT_HDR,
 3783                      DECODE_IP6_EXCESS_EXT_HDR_STR,
 3784                      1, 1);
 3785         return;
 3786     }
 3787 
 3788     exthdr = (IP6Extension *)pkt;
 3789 
 3790     p->ip6_extensions[p->ip6_extension_count].type = type;
 3791     p->ip6_extensions[p->ip6_extension_count].data = pkt;
 3792 
 3793     // TBD add layers for other ip6 ext headers
 3794     switch (type)
 3795     {
 3796         case IPPROTO_HOPOPTS:
 3797             hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
 3798 
 3799             if ( CheckIPV6HopOptions(pkt, len, p) == 0 )
 3800                 PushLayer(PROTO_IP6_HOP_OPTS, p, pkt, hdrlen);
 3801             break;
 3802 
 3803         case IPPROTO_DSTOPTS:
 3804             if (exthdr->ip6e_nxt == IPPROTO_ROUTING)
 3805             {
 3806                 DecoderEvent(p, DECODE_IPV6_DSTOPTS_WITH_ROUTING,
 3807                              DECODE_IPV6_DSTOPTS_WITH_ROUTING_STR,
 3808                              1, 1);
 3809             }
 3810             hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
 3811 
 3812             if ( CheckIPV6HopOptions(pkt, len, p) == 0 )
 3813                 PushLayer(PROTO_IP6_DST_OPTS, p, pkt, hdrlen);
 3814             break;
 3815 
 3816         case IPPROTO_ROUTING:
 3817 
 3818             /* Routing type 0 extension headers are evil creatures. */
 3819             {
 3820                 IP6Route *rte = (IP6Route *)exthdr;
 3821 
 3822                 if (rte->ip6rte_type == 0)
 3823                 {
 3824                     DecoderEvent(p, DECODE_IPV6_ROUTE_ZERO,
 3825                          DECODE_IPV6_ROUTE_ZERO_STR, 1, 1);
 3826                 }
 3827             }
 3828 
 3829             if (exthdr->ip6e_nxt == IPPROTO_HOPOPTS)
 3830             {
 3831                 DecoderEvent(p, DECODE_IPV6_ROUTE_AND_HOPBYHOP,
 3832                              DECODE_IPV6_ROUTE_AND_HOPBYHOP_STR,
 3833                              1, 1);
 3834             }
 3835             if (exthdr->ip6e_nxt == IPPROTO_ROUTING)
 3836             {
 3837                 DecoderEvent(p, DECODE_IPV6_TWO_ROUTE_HEADERS,
 3838                              DECODE_IPV6_TWO_ROUTE_HEADERS_STR,
 3839                              1, 1);
 3840             }
 3841             hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
 3842             break;
 3843 
 3844         case IPPROTO_FRAGMENT:
 3845             if (len == sizeof(IP6Frag))
 3846             {
 3847                 DecoderEvent(p, DECODE_ZERO_LENGTH_FRAG,
 3848                     DECODE_ZERO_LENGTH_FRAG_STR, 1, 1);
 3849                 return;
 3850             }
 3851             else
 3852             {
 3853                 IP6Frag *ip6frag_hdr = (IP6Frag *)pkt;
 3854                 /* If this is an IP Fragment, set some data... */
 3855                 p->ip6_frag_index = p->ip6_extension_count;
 3856                 p->ip_frag_start = pkt + sizeof(IP6Frag);
 3857 
 3858                 p->df = 0;
 3859                 p->rf = IP6F_RES(ip6frag_hdr);
 3860                 p->mf = IP6F_MF(ip6frag_hdr);
 3861                 p->frag_offset = IP6F_OFFSET(ip6frag_hdr);
 3862 
 3863                 if ( p->frag_offset || p->mf )
 3864                 {
 3865                     p->frag_flag = 1;
 3866                     pc.frag6++;
 3867                 }
 3868                 else
 3869                 {
 3870                     DecoderEvent(p, DECODE_IPV6_BAD_FRAG_PKT,
 3871                         DECODE_IPV6_BAD_FRAG_PKT_STR , 1, 1);
 3872                 }
 3873                 if (
 3874                     !(p->frag_offset) &&
 3875                     Event_Enabled(DECODE_IPV6_UNORDERED_EXTENSIONS) )
 3876                 {
 3877                     // check header ordering of fragged (next) header
 3878                     if ( IPV6ExtensionOrder(ip6frag_hdr->ip6f_nxt) <
 3879                          IPV6ExtensionOrder(IPPROTO_FRAGMENT) )
 3880                         DecoderEvent(p, EVARGS(IPV6_UNORDERED_EXTENSIONS), 1, 1);
 3881                 }
 3882             }
 3883             hdrlen = sizeof(IP6Frag);
 3884             p->ip_frag_len = (uint16_t)(len - hdrlen);
 3885 
 3886             if ( p->frag_flag && ((p->frag_offset > 0) ||
 3887                  (exthdr->ip6e_nxt != IPPROTO_UDP)) )
 3888             {
 3889                 //check header order up thru frag header
 3890                 p->ip6_extension_count++;
 3891                 CheckIPv6ExtensionOrder(p);
 3892 
 3893                 /* For non-zero offset frags, we stop decoding after the
 3894                    Frag header. According to RFC 2460, the "Next Header"
 3895                    value may differ from that of the offset zero frag,
 3896                    but only the Next Header of the original frag is used. */
 3897                 // check DecodeIP(); we handle frags the same way here
 3898                 return;
 3899             }
 3900             break;
 3901 
 3902         case IPPROTO_AH:
 3903             /* Auth Headers work in both IPv4 & IPv6, and their lengths are
 3904                given in 4-octet increments instead of 8-octet increments. */
 3905             hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 2);
 3906 
 3907             if (hdrlen <= len)
 3908                 PushLayer(PROTO_AH, p, pkt, hdrlen);
 3909             break;
 3910 
 3911         default:
 3912             hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
 3913             break;
 3914     }
 3915 
 3916     p->ip6_extension_count++;
 3917 
 3918     if(hdrlen > len)
 3919     {
 3920         DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT,
 3921                      DECODE_IPV6_TRUNCATED_EXT_STR,
 3922                      1, 1);
 3923         return;
 3924     }
 3925 
 3926     if ( hdrlen > 0 )
 3927     {
 3928         DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p);
 3929     }
 3930 #ifdef DEBUG_MSGS
 3931     else
 3932     {
 3933         DebugMessage(DEBUG_DECODE, "WARNING - no next ip6 header decoded\n");
 3934     }
 3935 #endif
 3936 }
 3937 
 3938 void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p)
 3939 {
 3940     pc.ip6ext++;
 3941 
 3942 #ifdef GRE
 3943     if (p->greh != NULL)
 3944         pc.gre_ipv6ext++;
 3945 #endif
 3946 
 3947     /* XXX might this introduce an issue if the "next" field is invalid? */
 3948     p->ip6h->next = next;
 3949 
 3950     if (ScIdsMode())
 3951     {
 3952         /* See if there are any ip_proto only rules that match */
 3953         fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p);
 3954         p->proto_bits |= PROTO_BIT__IP;
 3955     }
 3956 
 3957     switch(next) {
 3958         case IPPROTO_TCP:
 3959             pc.tcp6++;
 3960             CheckIPv6ExtensionOrder(p);
 3961             DecodeTCP(pkt, len, p);
 3962             return;
 3963         case IPPROTO_UDP:
 3964             pc.udp6++;
 3965             CheckIPv6ExtensionOrder(p);
 3966             DecodeUDP(pkt, len, p);
 3967             return;
 3968         case IPPROTO_ICMPV6:
 3969             pc.icmp6++;
 3970             CheckIPv6ExtensionOrder(p);
 3971             DecodeICMP6(pkt , len, p);
 3972             return;
 3973         case IPPROTO_NONE:
 3974             CheckIPv6ExtensionOrder(p);
 3975             p->dsize = 0;
 3976             return;
 3977         case IPPROTO_HOPOPTS:
 3978         case IPPROTO_DSTOPTS:
 3979         case IPPROTO_ROUTING:
 3980         case IPPROTO_FRAGMENT:
 3981         case IPPROTO_AH:
 3982             DecodeIPV6Options(next, pkt, len, p);
 3983             // Anything special to do here?  just return?
 3984             return;
 3985 #ifdef MPLS_RFC4023_SUPPORT
 3986         case IPPROTO_MPLS:
 3987             DecodeMPLS(pkt, len, p);
 3988             return;
 3989 #endif
 3990 #ifdef GRE
 3991         case IPPROTO_GRE:
 3992             pc.gre++;
 3993             CheckIPv6ExtensionOrder(p);
 3994             DecodeGRE(pkt, len, p);
 3995             return;
 3996         case IPPROTO_IPIP:
 3997             pc.ip6ip4++;
 3998             if ( ScTunnelBypassEnabled(TUNNEL_4IN6) )
 3999                 Active_SetTunnelBypass();
 4000             CheckIPv6ExtensionOrder(p);
 4001             DecodeIP(pkt, len, p);
 4002             return;
 4003         case IPPROTO_IPV6:
 4004             pc.ip6ip6++;
 4005             if ( ScTunnelBypassEnabled(TUNNEL_6IN6) )
 4006                 Active_SetTunnelBypass();
 4007             CheckIPv6ExtensionOrder(p);
 4008             DecodeIPV6(pkt, len, p);
 4009             return;
 4010         case IPPROTO_ESP:
 4011             CheckIPv6ExtensionOrder(p);
 4012             if (ScESPDecoding())
 4013                 DecodeESP(pkt, len, p);
 4014             return;
 4015 #endif
 4016         default:
 4017             CheckIPv6ExtensionOrder(p);
 4018             // There may be valid headers after this unsupported one,
 4019             // need to decode this header, set "next" and continue
 4020             // looping.
 4021 
 4022             DecoderEvent(p, DECODE_IPV6_BAD_NEXT_HEADER,
 4023                          DECODE_IPV6_BAD_NEXT_HEADER_STR, 1, 1);
 4024 
 4025             pc.other++;
 4026             p->data = pkt;
 4027             p->dsize = (uint16_t)len;
 4028             break;
 4029     };
 4030 }
 4031 
 4032 //--------------------------------------------------------------------
 4033 // decode.c::IP6 decoder
 4034 //--------------------------------------------------------------------
 4035 
 4036 void DecodeIPV6(const uint8_t *pkt, uint32_t len, Packet *p)
 4037 {
 4038     IP6RawHdr *hdr;
 4039     uint32_t payload_len;
 4040 
 4041     pc.ipv6++;
 4042 
 4043 #ifdef GRE
 4044     if (p->greh != NULL)
 4045         pc.gre_ipv6++;
 4046 #endif
 4047 
 4048     hdr = (IP6RawHdr*)pkt;
 4049 
 4050     if(len < IP6_HDR_LEN)
 4051     {
 4052         if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)
 4053             DecoderEvent(p, DECODE_IPV6_TRUNCATED, DECODE_IPV6_TRUNCATED_STR,
 4054                          1, 1);
 4055 
 4056         goto decodeipv6_fail;
 4057     }
 4058 
 4059     /* Verify version in IP6 Header agrees */
 4060     if(IPRAW_HDR_VER(hdr) != 6)
 4061     {
 4062         if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)
 4063             DecoderEvent(p, DECODE_IPV6_IS_NOT, DECODE_IPV6_IS_NOT_STR,
 4064                          1, 1);
 4065 
 4066         goto decodeipv6_fail;
 4067     }
 4068 
 4069     if (p->family != NO_IP)
 4070     {
 4071         /* Snort currently supports only 2 IP layers. Any more will fail to be
 4072            decoded. */
 4073         if (p->encapsulated)
 4074         {
 4075 
 4076             DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
 4077                             DECODE_IP_MULTIPLE_ENCAPSULATION_STR,
 4078                             pkt, len);
 4079             goto decodeipv6_fail;
 4080         }
 4081         else
 4082         {
 4083             p->encapsulated = 1;
 4084         }
 4085     }
 4086     payload_len = ntohs(hdr->ip6plen) + IP6_HDR_LEN;
 4087 
 4088     if(payload_len != len)
 4089     {
 4090         if (payload_len > len)
 4091         {
 4092             if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)
 4093                 DecoderEvent(p, DECODE_IPV6_DGRAM_GT_CAPLEN,
 4094                              DECODE_IPV6_DGRAM_GT_CAPLEN_STR,
 4095                              ScDecoderOversizedAlerts(), ScDecoderOversizedDrops());
 4096 
 4097             goto decodeipv6_fail;
 4098         }
 4099     }
 4100 
 4101     /* Teredo packets should always use the 2001:0000::/32 prefix, or in some
 4102        cases the link-local prefix fe80::/64.
 4103        Source: RFC 4380, section 2.6 & section 5.2.1
 4104 
 4105        Checking the addresses will save us from numerous false positives
 4106        when UDP clients use 3544 as their ephemeral port, or "Deep Teredo
 4107        Inspection" is turned on.
 4108 
 4109        If we ever start decoding more than 2 layers of IP in a packet, this
 4110        check against p->proto_bits will need to be refactored. */
 4111     if ((p->proto_bits & PROTO_BIT__TEREDO) && (CheckTeredoPrefix(hdr) == 0))
 4112     {
 4113         goto decodeipv6_fail;
 4114     }
 4115     if (p->encapsulated)
 4116     {
 4117        p->outer_iph = p->iph;
 4118        p->outer_ip_data = p->ip_data;
 4119        p->outer_ip_dsize = p->ip_dsize;
 4120     }
 4121     /* lay the IP struct over the raw data */
 4122     // this is ugly but necessary to keep the rest of the code happy
 4123     p->inner_iph = p->iph = (IPHdr *)pkt;
 4124 
 4125     /* Build Packet structure's version of the IP6 header */
 4126     sfiph_build(p, hdr, AF_INET6);
 4127 
 4128 #ifdef GRE
 4129     /* Remove outer IP options */
 4130     if (p->encapsulated)
 4131     {
 4132         p->ip_options_data = NULL;
 4133         p->ip_options_len = 0;
 4134     }
 4135 #endif
 4136     p->ip_option_count = 0;
 4137 
 4138     /* set the real IP length for logging */
 4139     p->actual_ip_len = ntohs(p->ip6h->len);
 4140     p->ip_data = pkt + IP6_HDR_LEN;
 4141     p->ip_dsize = ntohs(p->ip6h->len);
 4142 
 4143     PushLayer(PROTO_IP6, p, pkt, sizeof(*hdr));
 4144 
 4145     IPV6MiscTests(p);
 4146 
 4147     DecodeIPV6Extensions(GET_IPH_PROTO(p), pkt + IP6_HDR_LEN, ntohs(p->ip6h->len), p);
 4148     return;
 4149 
 4150 decodeipv6_fail:
 4151     /* If this was Teredo, back up and treat the packet as normal UDP. */
 4152     if (p->proto_bits & PROTO_BIT__TEREDO)
 4153     {
 4154         pc.ipv6--;
 4155         pc.teredo--;
 4156         p->proto_bits &= ~PROTO_BIT__TEREDO;
 4157 #ifdef GRE
 4158         if (p->greh != NULL)
 4159             pc.gre_ipv6--;
 4160 #endif
 4161         if ( ScTunnelBypassEnabled(TUNNEL_TEREDO) )
 4162             Active_ClearTunnelBypass();
 4163         return;
 4164     }
 4165 
 4166     pc.discards++;
 4167     pc.ipv6disc++;
 4168 }
 4169 
 4170 //--------------------------------------------------------------------
 4171 // decode.c::ICMP6
 4172 //--------------------------------------------------------------------
 4173 
 4174 void DecodeICMP6(const uint8_t *pkt, const uint32_t len, Packet *p)
 4175 {
 4176     if(len < ICMP6_MIN_HEADER_LEN)
 4177     {
 4178         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4179             "WARNING: Truncated ICMP6 header (%d bytes).\n", len););
 4180 
 4181         if ( Event_Enabled(DECODE_ICMP6_HDR_TRUNC) )
 4182             DecoderEvent(p, EVARGS(ICMP6_HDR_TRUNC), 1, 1);
 4183 
 4184         pc.discards++;
 4185         return;
 4186     }
 4187 
 4188     p->icmp6h = (ICMP6Hdr*)pkt;
 4189     p->icmph = (ICMPHdr*)pkt; /* This is needed for icmp rules */
 4190 
 4191     /* Do checksums */
 4192     if (ScIcmpChecksums())
 4193     {
 4194         uint16_t csum;
 4195 
 4196         if(IS_IP4(p))
 4197         {
 4198             csum = in_chksum_icmp((uint16_t *)(p->icmp6h), len);
 4199         }
 4200         /* IPv6 traffic */
 4201         else
 4202         {
 4203             IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
 4204             pseudoheader6 ph6;
 4205             COPY4(ph6.sip, hdr6->ip6_src.s6_addr32);
 4206             COPY4(ph6.dip, hdr6->ip6_dst.s6_addr32);
 4207             ph6.zero = 0;
 4208             ph6.protocol = GET_IPH_PROTO(p);
 4209             ph6.len = htons((u_short)len);
 4210 
 4211             csum = in_chksum_icmp6(&ph6, (uint16_t *)(p->icmp6h), len);
 4212         }
 4213         if(csum)
 4214         {
 4215             p->error_flags |= PKT_ERR_CKSUM_ICMP;
 4216             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n"););
 4217 
 4218             if ( ScIdsMode() )
 4219                 queueExecDrop(execIcmpChksmDrop, p);
 4220         }
 4221         else
 4222         {
 4223             DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n"););
 4224         }
 4225     }
 4226 
 4227     p->dsize = (u_short)(len - ICMP6_MIN_HEADER_LEN);
 4228     p->data = pkt + ICMP6_MIN_HEADER_LEN;
 4229 
 4230     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d   code: %d\n",
 4231                 p->icmp6h->type, p->icmp6h->code););
 4232 
 4233     switch(p->icmp6h->type)
 4234     {
 4235         case ICMP6_ECHO:
 4236         case ICMP6_REPLY:
 4237             if (p->dsize >= sizeof(struct idseq))
 4238             {
 4239                 IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
 4240 
 4241                 /* Set data pointer to that of the "echo message" */
 4242                 /* add the size of the echo ext to the data
 4243                  * ptr and subtract it from the data size */
 4244                 p->dsize -= sizeof(struct idseq);
 4245                 p->data += sizeof(struct idseq);
 4246 
 4247                 if ( Event_Enabled(DECODE_ICMP6_DST_MULTICAST) )
 4248                     if ( hdr6->ip6_dst.s6_addr[0] == IP6_MULTICAST )
 4249                         DecoderEvent(p, EVARGS(ICMP6_DST_MULTICAST), 1, 1);
 4250 
 4251                 PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN);
 4252             }
 4253             else
 4254             {
 4255                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4256                     "WARNING: Truncated ICMP Echo header (%d bytes).\n", len););
 4257 
 4258                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
 4259                                 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
 4260 
 4261                 p->icmph = NULL;
 4262                 p->icmp6h = NULL;
 4263                 pc.discards++;
 4264                 pc.icmpdisc++;
 4265                 return;
 4266             }
 4267             break;
 4268 
 4269         case ICMP6_BIG:
 4270             if (p->dsize >= sizeof(ICMP6TooBig))
 4271             {
 4272                 ICMP6TooBig *too_big = (ICMP6TooBig *)pkt;
 4273                 /* Set data pointer past MTU */
 4274                 p->data += 4;
 4275                 p->dsize -= 4;
 4276 
 4277                 if (ntohl(too_big->mtu) < 1280)
 4278                 {
 4279                     DecoderEvent(p, DECODE_ICMPV6_TOO_BIG_BAD_MTU,
 4280                                  DECODE_ICMPV6_TOO_BIG_BAD_MTU_STR, 1, 1);
 4281                 }
 4282 
 4283                 PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN);
 4284                 DecodeICMPEmbeddedIP6(p->data, p->dsize, p);
 4285             }
 4286             else
 4287             {
 4288                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4289                     "WARNING: Truncated ICMP header (%d bytes).\n", len););
 4290 
 4291                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
 4292                                 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
 4293 
 4294                 p->icmph = NULL;
 4295                 p->icmp6h = NULL;
 4296                 pc.discards++;
 4297                 pc.icmpdisc++;
 4298                 return;
 4299             }
 4300             break;
 4301 
 4302         case ICMP6_TIME:
 4303         case ICMP6_PARAMS:
 4304         case ICMP6_UNREACH:
 4305             if (p->dsize >= 4)
 4306             {
 4307                 /* Set data pointer past the 'unused/mtu/pointer block */
 4308                 p->data += 4;
 4309                 p->dsize -= 4;
 4310 
 4311                 if (p->icmp6h->type == ICMP6_UNREACH)
 4312                 {
 4313                     if (p->icmp6h->code == 2)
 4314                     {
 4315                         DecoderEvent(p, DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE,
 4316                                 DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE_STR, 1, 1);
 4317                     }
 4318                     else if (p->icmp6h->code > 6)
 4319                     {
 4320                         DecoderEvent(p, DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE,
 4321                                 DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE_STR, 1, 1);
 4322                     }
 4323                 }
 4324 
 4325                 PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN);
 4326                 DecodeICMPEmbeddedIP6(p->data, p->dsize, p);
 4327             }
 4328             else
 4329             {
 4330                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4331                     "WARNING: Truncated ICMP header (%d bytes).\n", len););
 4332 
 4333                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
 4334                                 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
 4335 
 4336                 p->icmph = NULL;
 4337                 p->icmp6h = NULL;
 4338                 pc.discards++;
 4339                 pc.icmpdisc++;
 4340                 return;
 4341             }
 4342             break;
 4343 
 4344         case ICMP6_ADVERTISEMENT:
 4345             if (p->dsize >= (sizeof(ICMP6RouterAdvertisement) - ICMP6_MIN_HEADER_LEN))
 4346             {
 4347                 ICMP6RouterAdvertisement *ra = (ICMP6RouterAdvertisement *)pkt;
 4348                 if (p->icmp6h->code != 0)
 4349                 {
 4350                     DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_CODE,
 4351                                  DECODE_ICMPV6_ADVERT_BAD_CODE_STR, 1, 1);
 4352                 }
 4353                 if (ntohl(ra->reachable_time) > 3600000)
 4354                 {
 4355                     DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_REACHABLE,
 4356                                  DECODE_ICMPV6_ADVERT_BAD_REACHABLE_STR, 1, 1);
 4357                 }
 4358                 PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN);
 4359             }
 4360             else
 4361             {
 4362                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4363                     "WARNING: Truncated ICMP header (%d bytes).\n", len););
 4364 
 4365                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
 4366                                 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
 4367 
 4368                 p->icmph = NULL;
 4369                 p->icmp6h = NULL;
 4370                 pc.discards++;
 4371                 pc.icmpdisc++;
 4372                 return;
 4373             }
 4374             break;
 4375 
 4376         case ICMP6_SOLICITATION:
 4377             if (p->dsize >= (sizeof(ICMP6RouterSolicitation) - ICMP6_MIN_HEADER_LEN))
 4378             {
 4379                 ICMP6RouterSolicitation *rs = (ICMP6RouterSolicitation *)pkt;
 4380                 if (rs->code != 0)
 4381                 {
 4382                     DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_CODE,
 4383                                  DECODE_ICMPV6_SOLICITATION_BAD_CODE_STR, 1, 1);
 4384                 }
 4385                 if (ntohl(rs->reserved) != 0)
 4386                 {
 4387                     DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_RESERVED,
 4388                                  DECODE_ICMPV6_SOLICITATION_BAD_RESERVED_STR, 1, 1);
 4389                 }
 4390                 PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN);
 4391             }
 4392             else
 4393             {
 4394                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4395                     "WARNING: Truncated ICMP header (%d bytes).\n", len););
 4396 
 4397                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
 4398                                 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
 4399 
 4400                 p->icmph = NULL;
 4401                 p->icmp6h = NULL;
 4402                 pc.discards++;
 4403                 pc.icmpdisc++;
 4404                 return;
 4405             }
 4406             break;
 4407 
 4408         case ICMP6_NODE_INFO_QUERY:
 4409         case ICMP6_NODE_INFO_RESPONSE:
 4410             if (p->dsize >= (sizeof(ICMP6NodeInfo) - ICMP6_MIN_HEADER_LEN))
 4411             {
 4412                 ICMP6NodeInfo *ni = (ICMP6NodeInfo *)pkt;
 4413                 if (ni->code > 2)
 4414                 {
 4415                     DecoderEvent(p, DECODE_ICMPV6_NODE_INFO_BAD_CODE,
 4416                                  DECODE_ICMPV6_NODE_INFO_BAD_CODE_STR, 1, 1);
 4417                 }
 4418                 /* TODO: Add alert for INFO Response, code == 1 || code == 2)
 4419                  * and there is data.
 4420                  */
 4421             }
 4422             else
 4423             {
 4424                 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4425                     "WARNING: Truncated ICMP header (%d bytes).\n", len););
 4426 
 4427                 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
 4428                                 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
 4429 
 4430                 p->icmph = NULL;
 4431                 p->icmp6h = NULL;
 4432                 pc.discards++;
 4433                 pc.icmpdisc++;
 4434                 return;
 4435             }
 4436             break;
 4437 
 4438         default:
 4439             if ( Event_Enabled(DECODE_ICMP6_TYPE_OTHER) )
 4440                 DecoderEvent(p, EVARGS(ICMP6_TYPE_OTHER), 1, 1);
 4441 
 4442             PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN);
 4443             break;
 4444     }
 4445 
 4446     p->proto_bits |= PROTO_BIT__ICMP;
 4447     p->proto_bits &= ~(PROTO_BIT__UDP | PROTO_BIT__TCP);
 4448 }
 4449 
 4450 /*
 4451  * Function: DecodeICMPEmbeddedIP6(uint8_t *, const uint32_t, Packet *)
 4452  *
 4453  * Purpose: Decode the ICMP embedded IP6 header + payload
 4454  *
 4455  * Arguments: pkt => ptr to the packet data
 4456  *            len => length from here to the end of the packet
 4457  *            p   => pointer to dummy packet decode struct
 4458  *
 4459  * Returns: void function
 4460  */
 4461 void DecodeICMPEmbeddedIP6(const uint8_t *pkt, const uint32_t len, Packet *p)
 4462 {
 4463 
 4464     /* lay the IP struct over the raw data */
 4465     IP6RawHdr* hdr = (IP6RawHdr*)pkt;
 4466     pc.embdip++;
 4467 
 4468     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP6: ip header"
 4469                     " starts at: %p, length is %lu\n", hdr,
 4470                     (unsigned long) len););
 4471 
 4472     /* do a little validation */
 4473     if ( len < IP6_HDR_LEN )
 4474     {
 4475         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4476             "ICMP6: IP short header (%d bytes)\n", len););
 4477 
 4478         DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED,
 4479                         DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1);
 4480 
 4481         pc.discards++;
 4482         return;
 4483     }
 4484 
 4485     /*
 4486      * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP.
 4487      * So we are just ignoring non IP datagrams
 4488      */
 4489     if(IPRAW_HDR_VER(hdr) != 6)
 4490     {
 4491         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 4492             "ICMP: not IPv6 datagram ([ver: 0x%x][len: 0x%x])\n",
 4493             IPRAW_HDR_VER(hdr), len););
 4494 
 4495         DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH,
 4496                         DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1);
 4497 
 4498         pc.discards++;
 4499         return;
 4500     }
 4501    
 4502     sfiph_orig_build(p, pkt, AF_INET6);
 4503 
 4504 
 4505     // XXX NOT YET IMPLEMENTED - fragments inside ICMP payload
 4506 
 4507     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP6 Unreachable IP6 header length: "
 4508                             "%lu\n", (unsigned long)IP6_HDR_LEN););
 4509 
 4510     switch(GET_ORIG_IPH_PROTO(p))
 4511     {
 4512         case IPPROTO_TCP: /* decode the interesting part of the header */
 4513             p->orig_tcph = (TCPHdr *)(pkt + IP6_HDR_LEN);
 4514 
 4515             /* stuff more data into the printout data struct */
 4516             p->orig_sp = ntohs(p->orig_tcph->th_sport);
 4517             p->orig_dp = ntohs(p->orig_tcph->th_dport);
 4518 
 4519             break;
 4520 
 4521         case IPPROTO_UDP:
 4522             p->orig_udph = (UDPHdr *)(pkt + IP6_HDR_LEN);
 4523 
 4524             /* fill in the printout data structs */
 4525             p->orig_sp = ntohs(p->orig_udph->uh_sport);
 4526             p->orig_dp = ntohs(p->orig_udph->uh_dport);
 4527 
 4528             break;
 4529 
 4530         case IPPROTO_ICMP:
 4531             p->orig_icmph = (ICMPHdr *)(pkt + IP6_HDR_LEN);
 4532             break;
 4533     }
 4534 
 4535     return;
 4536 }
 4537 
 4538 //--------------------------------------------------------------------
 4539 // decode.c::Teredo
 4540 //--------------------------------------------------------------------
 4541 
 4542 /* Function: DecodeTeredo(uint8_t *, uint32_t, Packet *)
 4543  *
 4544  * Teredo is IPv6 layered over UDP, with optional "indicators" in between.
 4545  * Decode these (if present) and go to DecodeIPv6.
 4546  *
 4547  */
 4548 
 4549 void DecodeTeredo(const uint8_t *pkt, uint32_t len, Packet *p)
 4550 {
 4551     if (len < TEREDO_MIN_LEN)
 4552         return;
 4553 
 4554     /* Decode indicators. If both are present, Auth always comes before Origin. */
 4555     if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_AUTH)
 4556     {
 4557         uint8_t client_id_length, auth_data_length;
 4558 
 4559         if (len < TEREDO_INDICATOR_AUTH_MIN_LEN)
 4560             return;
 4561 
 4562         client_id_length = *(pkt + 2);
 4563         auth_data_length = *(pkt + 3);
 4564 
 4565         if (len < (uint32_t)(TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length))
 4566             return;
 4567 
 4568         pkt += (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length);
 4569         len -= (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length);
 4570     }
 4571 
 4572     if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_ORIGIN)
 4573     {
 4574         if (len < TEREDO_INDICATOR_ORIGIN_LEN)
 4575             return;
 4576 
 4577         pkt += TEREDO_INDICATOR_ORIGIN_LEN;
 4578         len -= TEREDO_INDICATOR_ORIGIN_LEN;
 4579     }
 4580 
 4581     /* If this is an IPv6 datagram, the first 4 bits will be the number 6. */
 4582     if (( (*pkt & 0xF0) >> 4) == 6)
 4583     {
 4584         p->proto_bits |= PROTO_BIT__TEREDO;
 4585         pc.teredo++;
 4586 
 4587         if ( ScTunnelBypassEnabled(TUNNEL_TEREDO) )
 4588             Active_SetTunnelBypass();
 4589 
 4590         if (ScDeepTeredoInspection() && (p->sp != TEREDO_PORT) && (p->dp != TEREDO_PORT))
 4591             p->packet_flags |= PKT_UNSURE_ENCAP;
 4592 
 4593         DecodeIPV6(pkt, len, p);
 4594 
 4595         p->packet_flags &= ~PKT_UNSURE_ENCAP;
 4596     }
 4597 
 4598     /* Otherwise, we treat this as normal UDP traffic. */
 4599     return;
 4600 }
 4601 
 4602 //--------------------------------------------------------------------
 4603 // decode.c::ESP
 4604 //--------------------------------------------------------------------
 4605 
 4606 /* Function: DecodeAH
 4607  *
 4608  * Purpose: Decode Authentication Header
 4609  *
 4610  * NOTE: This is for IPv4 Auth Headers, we leave IPv6 to do its own
 4611  * work.
 4612  *
 4613  */
 4614 void DecodeAH(const uint8_t *pkt, uint32_t len, Packet *p)
 4615 {
 4616     IP6Extension *ah = (IP6Extension *)pkt;
 4617     unsigned extlen;
 4618 
 4619     if ( len < sizeof(*ah) )
 4620     {
 4621         DecoderEvent(p, EVARGS(AUTH_HDR_TRUNC), 1, 1);
 4622         pc.discards++;
 4623         return;
 4624     }
 4625 
 4626     extlen = sizeof(*ah) + (ah->ip6e_len << 2);
 4627     if ( extlen > len )
 4628     {
 4629         DecoderEvent(p, EVARGS(AUTH_HDR_BAD_LEN), 1, 1);
 4630         pc.discards++;
 4631         return;
 4632     }
 4633 
 4634     PushLayer(PROTO_AH, p, pkt, extlen);
 4635     DecodeIPv4Proto(ah->ip6e_nxt, pkt+extlen, len-extlen, p);
 4636 }
 4637 
 4638 /*
 4639  * Function: DecodeESP(const uint8_t *, uint32_t, Packet *)
 4640  *
 4641  * Purpose: Attempt to decode Encapsulated Security Payload.
 4642  *          The contents are probably encrypted, but ESP is sometimes used
 4643  *          with "null" encryption, solely for Authentication.
 4644  *          This is more of a heuristic -- there is no ESP field that specifies
 4645  *          the encryption type (or lack thereof).
 4646  *
 4647  * Arguments: pkt => ptr to the packet data
 4648  *            len => length from here to the end of the packet
 4649  *            p   => ptr to the Packet struct being filled out
 4650  *
 4651  * Returns: void function
 4652  */
 4653 void DecodeESP(const uint8_t *pkt, uint32_t len, Packet *p)
 4654 {
 4655     const uint8_t *esp_payload;
 4656     uint8_t next_header;
 4657     uint8_t pad_length;
 4658     uint8_t save_layer = p->next_layer;
 4659 
 4660     /* The ESP header contains a crypto Initialization Vector (IV) and
 4661        a sequence number. Skip these. */
 4662     if (len < (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN))
 4663     {
 4664         /* Truncated ESP traffic. Bail out here and inspect the rest as payload. */
 4665         DecoderEvent(p, EVARGS(ESP_HEADER_TRUNC), 1, 1);
 4666         p->data = pkt;
 4667         p->dsize = (uint16_t) len;
 4668         return;
 4669     }
 4670     esp_payload = pkt + ESP_HEADER_LEN;
 4671 
 4672     /* The Authentication Data at the end of the packet is variable-length.
 4673        RFC 2406 says that Encryption and Authentication algorithms MUST NOT
 4674        both be NULL, so we assume NULL Encryption and some other Authentication.
 4675 
 4676        The mandatory algorithms for Authentication are HMAC-MD5-96 and
 4677        HMAC-SHA-1-96, so we assume a 12-byte authentication data at the end. */
 4678     len -= (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN);
 4679 
 4680     pad_length = *(esp_payload + len);
 4681     next_header = *(esp_payload + len + 1);
 4682 
 4683     /* Adjust the packet length to account for the padding.
 4684        If the padding length is too big, this is probably encrypted traffic. */
 4685     if (pad_length < len)
 4686     {
 4687         len -= (pad_length);
 4688     }
 4689     else
 4690     {
 4691         p->packet_flags |= PKT_TRUST;
 4692         p->data = esp_payload;
 4693         p->dsize = (u_short) len;
 4694         return;
 4695     }
 4696 
 4697     /* Attempt to decode the inner payload.
 4698        There is a small chance that an encrypted next_header would become a
 4699        different valid next_header. The PKT_UNSURE_ENCAP flag tells the next
 4700        decoder stage to silently ignore invalid headers. */
 4701 
 4702     p->packet_flags |= PKT_UNSURE_ENCAP;
 4703     switch (next_header)
 4704     {
 4705        case IPPROTO_IPIP:
 4706             DecodeIP(esp_payload, len, p);
 4707             p->packet_flags &= ~PKT_UNSURE_ENCAP;
 4708             break;
 4709 
 4710         case IPPROTO_IPV6:
 4711             DecodeIPV6(esp_payload, len, p);
 4712             p->packet_flags &= ~PKT_UNSURE_ENCAP;
 4713             break;
 4714 
 4715        case IPPROTO_TCP:
 4716             pc.tcp++;
 4717             DecodeTCP(esp_payload, len, p);
 4718             p->packet_flags &= ~PKT_UNSURE_ENCAP;
 4719             break;
 4720 
 4721         case IPPROTO_UDP:
 4722             pc.udp++;
 4723             DecodeUDP(esp_payload, len, p);
 4724             p->packet_flags &= ~PKT_UNSURE_ENCAP;
 4725             break;
 4726 
 4727         case IPPROTO_ICMP:
 4728             pc.icmp++;
 4729             DecodeICMP(esp_payload, len, p);
 4730             p->packet_flags &= ~PKT_UNSURE_ENCAP;
 4731             break;
 4732 
 4733 #ifdef GRE
 4734         case IPPROTO_GRE:
 4735             pc.gre++;
 4736             DecodeGRE(esp_payload, len, p);
 4737             p->packet_flags &= ~PKT_UNSURE_ENCAP;
 4738             break;
 4739 #endif
 4740 
 4741         default:
 4742             /* If we didn't get a valid next_header, this packet is probably
 4743                encrypted. Start data here and treat it as an IP datagram. */
 4744             p->data = esp_payload;
 4745             p->dsize = (u_short) len;
 4746             p->packet_flags &= ~PKT_UNSURE_ENCAP;
 4747             p->packet_flags |= PKT_TRUST;
 4748             return;
 4749     }
 4750 
 4751     /* If no protocol was added to the stack, than we assume its'
 4752      * encrypted. */
 4753     if (save_layer == p->next_layer)
 4754         p->packet_flags |= PKT_TRUST;
 4755 }
 4756 
 4757 #ifdef GRE
 4758 //--------------------------------------------------------------------
 4759 // decode.c::ERSPAN
 4760 //--------------------------------------------------------------------
 4761 
 4762 /*
 4763  * Function: DecodeERSPANType2(uint8_t *, uint32_t, Packet *)
 4764  *
 4765  * Purpose: Decode Encapsulated Remote Switch Packet Analysis Type 2
 4766  *          This will decode ERSPAN Type 2 Headers
 4767  *
 4768  * Arguments: pkt => ptr to the packet data
 4769  *            len => length from here to the end of the packet
 4770  *            p   => pointer to decoded packet struct
 4771  *
 4772  * Returns: void function
 4773  *
 4774  */
 4775 void DecodeERSPANType2(const uint8_t *pkt, const uint32_t len, Packet *p)
 4776 {
 4777     uint32_t hlen = sizeof(ERSpanType2Hdr);
 4778     uint32_t payload_len;
 4779     ERSpanType2Hdr *erSpan2Hdr = (ERSpanType2Hdr *)pkt;
 4780 
 4781     if (len < sizeof(ERSpanType2Hdr))
 4782     {
 4783         DecoderAlertEncapsulated(p, DECODE_ERSPAN2_DGRAM_LT_HDR,
 4784                         DECODE_ERSPAN2_DGRAM_LT_HDR_STR,
 4785                         pkt, len);
 4786         return;
 4787     }
 4788 
 4789     if (p->encapsulated)
 4790     {
 4791         /* discard packet - multiple encapsulation */
 4792         /* not sure if this is ever used but I am assuming it is not */
 4793         DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
 4794                         DECODE_IP_MULTIPLE_ENCAPSULATION_STR,
 4795                         pkt, len);
 4796         return;
 4797     }
 4798 
 4799     /* Check that this is in fact ERSpan Type 2.
 4800      */
 4801     if (ERSPAN_VERSION(erSpan2Hdr) != 0x01) /* Type 2 == version 0x01 */
 4802     {
 4803         DecoderAlertEncapsulated(p, DECODE_ERSPAN_HDR_VERSION_MISMATCH,
 4804                         DECODE_ERSPAN_HDR_VERSION_MISMATCH_STR,
 4805                         pkt, len);
 4806         return;
 4807     }
 4808 
 4809     PushLayer(PROTO_ERSPAN, p, pkt, hlen);
 4810     payload_len = len - hlen;
 4811 
 4812     DecodeTransBridging(pkt + hlen, payload_len, p);
 4813 }
 4814 
 4815 /*
 4816  * Function: DecodeERSPANType3(uint8_t *, uint32_t, Packet *)
 4817  *
 4818  * Purpose: Decode Encapsulated Remote Switch Packet Analysis Type 3
 4819  *          This will decode ERSPAN Type 3 Headers
 4820  *
 4821  * Arguments: pkt => ptr to the packet data
 4822  *            len => length from here to the end of the packet
 4823  *            p   => pointer to decoded packet struct
 4824  *
 4825  * Returns: void function
 4826  *
 4827  */
 4828 void DecodeERSPANType3(const uint8_t *pkt, const uint32_t len, Packet *p)
 4829 {
 4830     uint32_t hlen = sizeof(ERSpanType3Hdr);
 4831     uint32_t payload_len;
 4832     ERSpanType3Hdr *erSpan3Hdr = (ERSpanType3Hdr *)pkt;
 4833 
 4834     if (len < sizeof(ERSpanType3Hdr))
 4835     {
 4836         DecoderAlertEncapsulated(p, DECODE_ERSPAN3_DGRAM_LT_HDR,
 4837                         DECODE_ERSPAN3_DGRAM_LT_HDR_STR,
 4838                         pkt, len);
 4839         return;
 4840     }
 4841 
 4842     if (p->encapsulated)
 4843     {
 4844         /* discard packet - multiple encapsulation */
 4845         /* not sure if this is ever used but I am assuming it is not */
 4846         DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
 4847                         DECODE_IP_MULTIPLE_ENCAPSULATION_STR,
 4848                         pkt, len);
 4849         return;
 4850     }
 4851 
 4852     /* Check that this is in fact ERSpan Type 3.
 4853      */
 4854     if (ERSPAN_VERSION(erSpan3Hdr) != 0x02) /* Type 3 == version 0x02 */
 4855     {
 4856         DecoderAlertEncapsulated(p, DECODE_ERSPAN_HDR_VERSION_MISMATCH,
 4857                         DECODE_ERSPAN_HDR_VERSION_MISMATCH_STR,
 4858                         pkt, len);
 4859         return;
 4860     }
 4861 
 4862     PushLayer(PROTO_ERSPAN, p, pkt, hlen);
 4863     payload_len = len - hlen;
 4864 
 4865     DecodeTransBridging(pkt + hlen, payload_len, p);
 4866 }
 4867 
 4868 //--------------------------------------------------------------------
 4869 // decode.c::GRE
 4870 //--------------------------------------------------------------------
 4871 
 4872 /*
 4873  * Function: DecodeGRE(uint8_t *, uint32_t, Packet *)
 4874  *
 4875  * Purpose: Decode Generic Routing Encapsulation Protocol
 4876  *          This will decode normal GRE and PPTP GRE.
 4877  *
 4878  * Arguments: pkt => ptr to the packet data
 4879  *            len => length from here to the end of the packet
 4880  *            p   => pointer to decoded packet struct
 4881  *
 4882  * Returns: void function
 4883  *
 4884  * Notes: see RFCs 1701, 2784 and 2637
 4885  */
 4886 void DecodeGRE(const uint8_t *pkt, const uint32_t len, Packet *p)
 4887 {
 4888     uint32_t hlen;    /* GRE header length */
 4889     uint32_t payload_len;
 4890 
 4891     if (len < GRE_HEADER_LEN)
 4892     {
 4893         DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR,
 4894                         DECODE_GRE_DGRAM_LT_GREHDR_STR,
 4895                         pkt, len);
 4896         return;
 4897     }
 4898 
 4899     if (p->encapsulated)
 4900     {
 4901         /* discard packet - multiple GRE encapsulation */
 4902         /* not sure if this is ever used but I am assuming it is not */
 4903         DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
 4904                         DECODE_IP_MULTIPLE_ENCAPSULATION_STR,
 4905                         pkt, len);
 4906         return;
 4907     }
 4908 
 4909     /* Note: Since GRE doesn't have a field to indicate header length and
 4910      * can contain a few options, we need to walk through the header to
 4911      * figure out the length
 4912      */
 4913 
 4914     p->greh = (GREHdr *)pkt;
 4915     hlen = GRE_HEADER_LEN;
 4916 
 4917     switch (GRE_VERSION(p->greh))
 4918     {
 4919         case 0x00:
 4920             /* these must not be set */
 4921             if (GRE_RECUR(p->greh) || GRE_FLAGS(p->greh))
 4922             {
 4923                 DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_HEADER,
 4924                                 DECODE_GRE_INVALID_HEADER_STR,
 4925                                 pkt, len);
 4926                 return;
 4927             }
 4928 
 4929             if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh))
 4930                 hlen += GRE_CHKSUM_LEN + GRE_OFFSET_LEN;
 4931 
 4932             if (GRE_KEY(p->greh))
 4933                 hlen += GRE_KEY_LEN;
 4934 
 4935             if (GRE_SEQ(p->greh))
 4936                 hlen += GRE_SEQ_LEN;
 4937 
 4938             /* if this flag is set, we need to walk through all of the
 4939              * Source Route Entries */
 4940             if (GRE_ROUTE(p->greh))
 4941             {
 4942                 uint16_t sre_addrfamily;
 4943                 uint8_t sre_offset;
 4944                 uint8_t sre_length;
 4945                 const uint8_t *sre_ptr;
 4946 
 4947                 sre_ptr = pkt + hlen;
 4948 
 4949                 while (1)
 4950                 {
 4951                     hlen += GRE_SRE_HEADER_LEN;
 4952                     if (hlen > len)
 4953                         break;
 4954 
 4955                     sre_addrfamily = ntohs(*((uint16_t *)sre_ptr));
 4956                     sre_ptr += sizeof(sre_addrfamily);
 4957 
 4958                     sre_offset = *((uint8_t *)sre_ptr);
 4959                     sre_ptr += sizeof(sre_offset);
 4960 
 4961                     sre_length = *((uint8_t *)sre_ptr);
 4962                     sre_ptr += sizeof(sre_length);
 4963 
 4964                     if ((sre_addrfamily == 0) && (sre_length == 0))
 4965                         break;
 4966 
 4967                     hlen += sre_length;
 4968                     sre_ptr += sre_length;
 4969                 }
 4970             }
 4971 
 4972             break;
 4973 
 4974         /* PPTP */
 4975         case 0x01:
 4976             /* these flags should never be present */
 4977             if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh) || GRE_SSR(p->greh) ||
 4978                 GRE_RECUR(p->greh) || GRE_V1_FLAGS(p->greh))
 4979             {
 4980                 DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER,
 4981                                 DECODE_GRE_V1_INVALID_HEADER_STR,
 4982                                 pkt, len);
 4983                 return;
 4984             }
 4985 
 4986             /* protocol must be 0x880B - PPP */
 4987             if (GRE_PROTO(p->greh) != GRE_TYPE_PPP)
 4988             {
 4989                 DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER,
 4990                                 DECODE_GRE_V1_INVALID_HEADER_STR,
 4991                                 pkt, len);
 4992                 return;
 4993             }
 4994 
 4995             /* this flag should always be present */
 4996             if (!(GRE_KEY(p->greh)))
 4997             {
 4998                 DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER,
 4999                                 DECODE_GRE_V1_INVALID_HEADER_STR,
 5000                                 pkt, len);
 5001                 return;
 5002             }
 5003 
 5004             hlen += GRE_KEY_LEN;
 5005 
 5006             if (GRE_SEQ(p->greh))
 5007                 hlen += GRE_SEQ_LEN;
 5008 
 5009             if (GRE_V1_ACK(p->greh))
 5010                 hlen += GRE_V1_ACK_LEN;
 5011 
 5012             break;
 5013 
 5014         default:
 5015             DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_VERSION,
 5016                             DECODE_GRE_INVALID_VERSION_STR,
 5017                             pkt, len);
 5018             return;
 5019     }
 5020 
 5021     if (hlen > len)
 5022     {
 5023         DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR,
 5024                         DECODE_GRE_DGRAM_LT_GREHDR_STR,
 5025                         pkt, len);
 5026         return;
 5027     }
 5028 
 5029     PushLayer(PROTO_GRE, p, pkt, hlen);
 5030     payload_len = len - hlen;
 5031 
 5032     if ( ScTunnelBypassEnabled(TUNNEL_GRE) )
 5033         Active_SetTunnelBypass();
 5034 
 5035     /* Send to next protocol decoder */
 5036     /* As described in RFC 2784 the possible protocols are listed in
 5037      * RFC 1700 under "ETHER TYPES"
 5038      * See also "Current List of Protocol Types" in RFC 1701
 5039      */
 5040     switch (GRE_PROTO(p->greh))
 5041     {
 5042         case ETHERNET_TYPE_IP:
 5043             DecodeIP(pkt + hlen, payload_len, p);
 5044             return;
 5045 
 5046         case GRE_TYPE_TRANS_BRIDGING:
 5047             DecodeTransBridging(pkt + hlen, payload_len, p);
 5048             return;
 5049 
 5050         case ETHERNET_TYPE_ARP:
 5051         case ETHERNET_TYPE_REVARP:
 5052             /* clear outer IP headers */
 5053             p->iph = NULL;
 5054             p->family = NO_IP;
 5055             DecodeARP(pkt + hlen, payload_len, p);
 5056             return;
 5057 
 5058         case ETHERNET_TYPE_IPV6:
 5059             DecodeIPV6(pkt + hlen, payload_len, p);
 5060             return;
 5061 
 5062         case GRE_TYPE_PPP:
 5063             DecodePppPktEncapsulated(pkt + hlen, payload_len, p);
 5064             return;
 5065 
 5066         case ETHERNET_TYPE_ERSPAN_TYPE2:
 5067             DecodeERSPANType2(pkt + hlen, payload_len, p);
 5068             return;
 5069 
 5070         case ETHERNET_TYPE_ERSPAN_TYPE3:
 5071             DecodeERSPANType3(pkt + hlen, payload_len, p);
 5072             return;
 5073 
 5074 #ifndef NO_NON_ETHER_DECODER
 5075         case ETHERNET_TYPE_IPX:
 5076             DecodeIPX(pkt + hlen, payload_len, p);
 5077             return;
 5078 #endif
 5079 
 5080         case ETHERNET_TYPE_LOOP:
 5081             DecodeEthLoopback(pkt + hlen, payload_len, p);
 5082             return;
 5083 
 5084         /* not sure if this occurs, but 802.1q is an Ether type */
 5085         case ETHERNET_TYPE_8021Q:
 5086             DecodeVlan(pkt + hlen, payload_len, p);
 5087             return;
 5088 
 5089 #ifdef MPLS_RFC4023_SUPPORT
 5090         case ETHERNET_TYPE_MPLS_MULTICAST:
 5091             if(!ScMplsMulticast())
 5092             {
 5093                 DecoderEvent(p, DECODE_BAD_MPLS,
 5094                                 DECODE_MULTICAST_MPLS_STR, 1, 1);
 5095             }
 5096         /* Fall through */
 5097         case ETHERNET_TYPE_MPLS_UNICAST:
 5098             DecodeMPLS(p->pkt + LEN_VLAN_LLC_OTHER,
 5099                 len - LEN_VLAN_LLC_OTHER, p);
 5100             return;
 5101 #endif
 5102 
 5103         default:
 5104             // TBD add decoder drop event for unknown gre/eth type
 5105             pc.other++;
 5106             p->data = pkt + hlen;
 5107             p->dsize = (uint16_t)payload_len;
 5108             return;
 5109     }
 5110 }
 5111 #endif // GRE
 5112 
 5113 //--------------------------------------------------------------------
 5114 // decode.c::GTP
 5115 //--------------------------------------------------------------------
 5116 
 5117 /* Function: DecodeGTP(uint8_t *, uint32_t, Packet *)
 5118  *
 5119  * GTP (GPRS Tunneling Protocol) is layered over UDP.
 5120  * Decode these (if present) and go to DecodeIPv6/DecodeIP.
 5121  *
 5122  */
 5123 
 5124 void DecodeGTP(const uint8_t *pkt, uint32_t len, Packet *p)
 5125 {
 5126     uint32_t header_len;
 5127     uint8_t  next_hdr_type;
 5128     uint8_t  version;
 5129     uint8_t  ip_ver;
 5130     GTPHdr *hdr;
 5131 
 5132     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Start GTP decoding.\n"););
 5133 
 5134     hdr = (GTPHdr *) pkt;
 5135 
 5136     if (p->GTPencapsulated)
 5137     {
 5138         DecoderAlertEncapsulated(p, DECODE_GTP_MULTIPLE_ENCAPSULATION,
 5139                 DECODE_GTP_MULTIPLE_ENCAPSULATION_STR,
 5140                 pkt, len);
 5141         return;
 5142     }
 5143     else
 5144     {
 5145         p->GTPencapsulated = 1;
 5146     }
 5147     /*Check the length*/
 5148     if (len < GTP_MIN_LEN)
 5149        return;
 5150     /* We only care about PDU*/
 5151     if ( hdr->type != 255)
 5152        return;
 5153     /*Check whether this is GTP or GTP', Exit if GTP'*/
 5154     if (!(hdr->flag & 0x10))
 5155        return;
 5156 
 5157     /*The first 3 bits are version number*/
 5158     version = (hdr->flag & 0xE0) >> 5;
 5159     switch (version)
 5160     {
 5161     case 0: /*GTP v0*/
 5162         DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "GTP v0 packets.\n"););
 5163 
 5164         header_len = GTP_V0_HEADER_LEN;
 5165         /*Check header fields*/
 5166         if (len < header_len)
 5167         {
 5168             DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
 5169             return;
 5170         }
 5171 
 5172         p->proto_bits |= PROTO_BIT__GTP;
 5173 
 5174         /*Check the length field. */
 5175         if (len != ((unsigned int)ntohs(hdr->length) + header_len))
 5176         {
 5177             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Calculated length %d != %d in header.\n",
 5178                     len - header_len, ntohs(hdr->length)););
 5179             DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
 5180             return;
 5181         }
 5182 
 5183         break;
 5184     case 1: /*GTP v1*/
 5185         DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "GTP v1 packets.\n"););
 5186 
 5187         /*Check the length based on optional fields and extension header*/
 5188         if (hdr->flag & 0x07)
 5189         {
 5190 
 5191             header_len = GTP_V1_HEADER_LEN;
 5192 
 5193             /*Check optional fields*/
 5194             if (len < header_len)
 5195             {
 5196                 DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
 5197                 return;
 5198             }
 5199             next_hdr_type = *(pkt + header_len - 1);
 5200 
 5201             /*Check extension headers*/
 5202             while (next_hdr_type)
 5203             {
 5204                 uint16_t ext_hdr_len;
 5205                 /*check length before reading data*/
 5206                 if (len < header_len + 4)
 5207                 {
 5208                     DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
 5209                     return;
 5210                 }
 5211 
 5212                 ext_hdr_len = *(pkt + header_len);
 5213 
 5214                 if (!ext_hdr_len)
 5215                 {
 5216                     DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
 5217                     return;
 5218                 }
 5219                 /*Extension header length is a unit of 4 octets*/
 5220                 header_len += ext_hdr_len * 4;
 5221 
 5222                 /*check length before reading data*/
 5223                 if (len < header_len)
 5224                 {
 5225                     DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
 5226                     return;
 5227                 }
 5228                 next_hdr_type = *(pkt + header_len - 1);
 5229             }
 5230         }
 5231         else
 5232             header_len = GTP_MIN_LEN;
 5233 
 5234         p->proto_bits |= PROTO_BIT__GTP;
 5235 
 5236         /*Check the length field. */
 5237         if (len != ((unsigned int)ntohs(hdr->length) + GTP_MIN_LEN))
 5238         {
 5239             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Calculated length %d != %d in header.\n",
 5240                     len - GTP_MIN_LEN, ntohs(hdr->length)););
 5241             DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
 5242             return;
 5243         }
 5244 
 5245         break;
 5246     default:
 5247         DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown protocol version.\n"););
 5248         return;
 5249 
 5250     }
 5251 
 5252     PushLayer(PROTO_GTP, p, pkt, header_len);
 5253 
 5254     if ( ScTunnelBypassEnabled(TUNNEL_GTP) )
 5255         Active_SetTunnelBypass();
 5256 
 5257     len -=  header_len;
 5258     if (len > 0)
 5259     {
 5260         ip_ver = *(pkt+header_len) & 0xF0;
 5261         if (ip_ver == 0x40)
 5262             DecodeIP(pkt+header_len, len, p);
 5263         else if (ip_ver == 0x60)
 5264             DecodeIPV6(pkt+header_len, len, p);
 5265         p->packet_flags &= ~PKT_UNSURE_ENCAP;
 5266     }
 5267 
 5268 }
 5269 
 5270 //--------------------------------------------------------------------
 5271 // decode.c::UDP
 5272 //--------------------------------------------------------------------
 5273 
 5274 /* UDP-layer decoder alerts */
 5275 static inline void UDPMiscTests(Packet *p)
 5276 {
 5277     if ( Event_Enabled(DECODE_UDP_LARGE_PACKET) )
 5278     {
 5279         if (p->dsize > 4000)
 5280             DecoderEvent(p, EVARGS(UDP_LARGE_PACKET), 1, 1);
 5281     }
 5282 
 5283     if ( Event_Enabled(DECODE_UDP_PORT_ZERO) )
 5284     {
 5285         if (p->udph->uh_sport == 0 || p->udph->uh_dport == 0)
 5286             DecoderEvent(p, EVARGS(UDP_PORT_ZERO), 1, 1);
 5287     }
 5288 }
 5289 
 5290 /*
 5291  * Function: DecodeUDP(uint8_t *, const uint32_t, Packet *)
 5292  *
 5293  * Purpose: Decode the UDP transport layer
 5294  *
 5295  * Arguments: pkt => ptr to the packet data
 5296  *            len => length from here to the end of the packet
 5297  *            p   => pointer to decoded packet struct
 5298  *
 5299  * Returns: void function
 5300  */
 5301 static inline void PopUdp (Packet* p)
 5302 {
 5303     p->udph = p->outer_udph;
 5304     p->outer_udph = NULL;
 5305     pc.discards++;
 5306     pc.udisc++;
 5307 
 5308     // required for detect.c to short-circuit preprocessing
 5309     if ( !p->dsize )
 5310         p->dsize = p->ip_dsize;
 5311 }
 5312 
 5313 void DecodeUDP(const uint8_t * pkt, const uint32_t len, Packet * p)
 5314 {
 5315     uint16_t uhlen;
 5316     u_char fragmented_udp_flag = 0;
 5317 
 5318     if (p->proto_bits & (PROTO_BIT__TEREDO | PROTO_BIT__GTP))
 5319         p->outer_udph = p->udph;
 5320 
 5321     if(len < sizeof(UDPHdr))
 5322     {
 5323         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 5324                 "Truncated UDP header (%d bytes)\n", len););
 5325 
 5326         DecoderEvent(p, DECODE_UDP_DGRAM_LT_UDPHDR,
 5327                         DECODE_UDP_DGRAM_LT_UDPHDR_STR, 1, 1);
 5328 
 5329         PopUdp(p);
 5330         return;
 5331     }
 5332 
 5333     /* set the ptr to the start of the UDP header */
 5334     p->inner_udph = p->udph = (UDPHdr *) pkt;
 5335 
 5336     if (!p->frag_flag)
 5337     {
 5338         uhlen = ntohs(p->udph->uh_len);
 5339     }
 5340     else
 5341     {
 5342         if(IS_IP6(p))
 5343         {
 5344             uint16_t ip_len = ntohs(GET_IPH_LEN(p));
 5345             /* subtract the distance from udp header to 1st ip6 extension */
 5346             /* This gives the length of the UDP "payload", when fragmented */
 5347             uhlen = ip_len - ((u_char *)p->udph - (u_char *)p->ip6_extensions[0].data);
 5348         }
 5349         else
 5350         {
 5351             uint16_t ip_len = ntohs(GET_IPH_LEN(p));
 5352             /* Don't forget, IP_HLEN is a word - multiply x 4 */
 5353             uhlen = ip_len - (GET_IPH_HLEN(p) * 4 );
 5354         }
 5355         fragmented_udp_flag = 1;
 5356     }
 5357 
 5358     /* verify that the header len is a valid value */
 5359     if(uhlen < UDP_HEADER_LEN)
 5360     {
 5361         DecoderEvent(p, DECODE_UDP_DGRAM_INVALID_LENGTH,
 5362                         DECODE_UDP_DGRAM_INVALID_LENGTH_STR, 1, 1);
 5363 
 5364         PopUdp(p);
 5365         return;
 5366     }
 5367 
 5368     /* make sure there are enough bytes as designated by length field */
 5369     if(uhlen > len)
 5370     {
 5371         DecoderEventDrop(p, DECODE_UDP_DGRAM_SHORT_PACKET,
 5372                          DECODE_UDP_DGRAM_SHORT_PACKET_STR,
 5373                          ScDecoderOversizedAlerts(),
 5374                          ScDecoderOversizedDrops());
 5375 
 5376         PopUdp(p);
 5377         return;
 5378     }
 5379     else if(uhlen < len)
 5380     {
 5381         DecoderEvent(p, DECODE_UDP_DGRAM_LONG_PACKET,
 5382                      DECODE_UDP_DGRAM_LONG_PACKET_STR, 1, 1);
 5383 
 5384         PopUdp(p);
 5385         return;
 5386     }
 5387 
 5388     if (ScUdpChecksums())
 5389     {
 5390         /* look at the UDP checksum to make sure we've got a good packet */
 5391         uint16_t csum;
 5392         if(IS_IP4(p))
 5393         {
 5394             pseudoheader ph;
 5395             ph.sip = p->iph->ip_src.s_addr;
 5396             ph.dip = p->iph->ip_dst.s_addr;
 5397             ph.zero = 0;
 5398             ph.protocol = GET_IPH_PROTO(p);
 5399             ph.len = p->udph->uh_len;
 5400             /* Don't do checksum calculation if
 5401              * 1) Fragmented, OR
 5402              * 2) UDP header chksum value is 0.
 5403              */
 5404             if( !fragmented_udp_flag && p->udph->uh_chk )
 5405             {
 5406                 csum = in_chksum_udp(&ph,
 5407                     (uint16_t *)(p->udph), uhlen);
 5408             }
 5409             else
 5410             {
 5411                 csum = 0;
 5412             }
 5413         }
 5414         else
 5415         {
 5416             IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
 5417             pseudoheader6 ph6;
 5418             COPY4(ph6.sip, hdr6->ip6_src.s6_addr32);
 5419             COPY4(ph6.dip, hdr6->ip6_dst.s6_addr32);
 5420             ph6.zero = 0;
 5421             ph6.protocol = GET_IPH_PROTO(p);
 5422             ph6.len = htons((u_short)len);
 5423 
 5424             /* Alert on checksum value 0 for ipv6 packets */
 5425             if(!p->udph->uh_chk)
 5426             {
 5427                 csum = 1;
 5428                 DecoderEvent(p, DECODE_UDP_IPV6_ZERO_CHECKSUM,
 5429                                 DECODE_UDP_IPV6_ZERO_CHECKSUM_STR, 1, 1);
 5430             }
 5431             /* Don't do checksum calculation if
 5432              * 1) Fragmented
 5433              * (UDP checksum is not optional in IP6)
 5434              */
 5435             else if( !fragmented_udp_flag )
 5436             {
 5437                 csum = in_chksum_udp6(&ph6,
 5438                     (uint16_t *)(p->udph), uhlen);
 5439             }
 5440             else
 5441             {
 5442                 csum = 0;
 5443             }
 5444         }
 5445         if(csum)
 5446         {
 5447             /* Don't drop the packet if this was ESP or Teredo.
 5448                Just stop decoding. */
 5449             if (p->packet_flags & PKT_UNSURE_ENCAP)
 5450             {
 5451                 PopUdp(p);
 5452                 return;
 5453             }
 5454 
 5455             p->error_flags |= PKT_ERR_CKSUM_UDP;
 5456             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n"););
 5457 
 5458             if ( ScIdsMode() )
 5459                 queueExecDrop(execUdpChksmDrop, p);
 5460         }
 5461         else
 5462         {
 5463             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP Checksum: OK\n"););
 5464         }
 5465     }
 5466 
 5467     /* fill in the printout data structs */
 5468 #ifdef HAVE_DAQ_REAL_ADDRESSES
 5469     if (p->outer_iph || !(p->pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES))
 5470     {
 5471 #endif
 5472         p->sp = ntohs(p->udph->uh_sport);
 5473         p->dp = ntohs(p->udph->uh_dport);
 5474 #ifdef HAVE_DAQ_REAL_ADDRESSES
 5475     }
 5476     else
 5477     {
 5478         p->sp = ntohs(p->pkth->n_real_sPort);
 5479         p->dp = ntohs(p->pkth->n_real_dPort);
 5480     }
 5481 #endif
 5482 
 5483     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP header starts at: %p\n", p->udph););
 5484 
 5485     PushLayer(PROTO_UDP, p, pkt, sizeof(*p->udph));
 5486 
 5487     p->data = (uint8_t *) (pkt + UDP_HEADER_LEN);
 5488 
 5489     /* length was validated up above */
 5490     p->dsize = uhlen - UDP_HEADER_LEN;
 5491 
 5492     p->proto_bits |= PROTO_BIT__UDP;
 5493 
 5494     /*  Drop packet if we ignore this port  */
 5495     if (ScIgnoreUdpPort(p->sp) || ScIgnoreUdpPort(p->dp))
 5496     {
 5497         /*  Ignore all preprocessors for this packet */
 5498         p->packet_flags |= PKT_IGNORE;
 5499         return;
 5500     }
 5501 
 5502     UDPMiscTests(p);
 5503 
 5504     if (p->sp == TEREDO_PORT ||
 5505         p->dp == TEREDO_PORT ||
 5506         ScDeepTeredoInspection())
 5507     {
 5508         if ( !p->frag_flag )
 5509             DecodeTeredo(pkt + sizeof(UDPHdr), len - sizeof(UDPHdr), p);
 5510     }
 5511     if (ScGTPDecoding() &&
 5512          (ScIsGTPPort(p->sp)||ScIsGTPPort(p->dp)))
 5513     {
 5514         if ( !p->frag_flag )
 5515             DecodeGTP(pkt + sizeof(UDPHdr), len - sizeof(UDPHdr), p);
 5516     }
 5517 
 5518 }
 5519 
 5520 //--------------------------------------------------------------------
 5521 // decode.c::TCP
 5522 //--------------------------------------------------------------------
 5523 
 5524 /* TCP-layer decoder alerts */
 5525 static inline void TCPMiscTests(Packet *p)
 5526 {
 5527     if ( Event_Enabled(DECODE_TCP_SHAFT_SYNFLOOD) )
 5528     {
 5529         if ( ((p->tcph->th_flags & TH_NORESERVED) == TH_SYN ) &&
 5530              (p->tcph->th_seq == htonl(674711609)) )
 5531             DecoderEvent(p, EVARGS(TCP_SHAFT_SYNFLOOD), 1, 1);
 5532     }
 5533 
 5534     if ( Event_Enabled(DECODE_TCP_PORT_ZERO) )
 5535     {
 5536         if (p->tcph->th_sport == 0 || p->tcph->th_dport == 0)
 5537             DecoderEvent(p, EVARGS(TCP_PORT_ZERO), 1, 1);
 5538     }
 5539 }
 5540 
 5541 /*
 5542  * Function: DecodeTCP(uint8_t *, const uint32_t, Packet *)
 5543  *
 5544  * Purpose: Decode the TCP transport layer
 5545  *
 5546  * Arguments: pkt => ptr to the packet data
 5547  *            len => length from here to the end of the packet
 5548  *            p   => Pointer to packet decode struct
 5549  *
 5550  * Returns: void function
 5551  */
 5552 void DecodeTCP(const uint8_t * pkt, const uint32_t len, Packet * p)
 5553 {
 5554     uint32_t hlen;            /* TCP header length */
 5555 
 5556     if(len < TCP_HEADER_LEN)
 5557     {
 5558         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 5559             "TCP packet (len = %d) cannot contain " "20 byte header\n", len););
 5560 
 5561         DecoderEvent(p, DECODE_TCP_DGRAM_LT_TCPHDR,
 5562                         DECODE_TCP_DGRAM_LT_TCPHDR_STR, 1, 1);
 5563 
 5564         p->tcph = NULL;
 5565         pc.discards++;
 5566         pc.tdisc++;
 5567 
 5568         return;
 5569     }
 5570 
 5571     /* lay TCP on top of the data cause there is enough of it! */
 5572     p->tcph = (TCPHdr *) pkt;
 5573 
 5574     /* multiply the payload offset value by 4 */
 5575     hlen = TCP_OFFSET(p->tcph) << 2;
 5576 
 5577     DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "TCP th_off is %d, passed len is %lu\n",
 5578                 TCP_OFFSET(p->tcph), (unsigned long)len););
 5579 
 5580     if(hlen < TCP_HEADER_LEN)
 5581     {
 5582         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 5583             "TCP Data Offset (%d) < hlen (%d) \n",
 5584             TCP_OFFSET(p->tcph), hlen););
 5585 
 5586         DecoderEvent(p, DECODE_TCP_INVALID_OFFSET,
 5587                         DECODE_TCP_INVALID_OFFSET_STR, 1, 1);
 5588 
 5589         p->tcph = NULL;
 5590         pc.discards++;
 5591         pc.tdisc++;
 5592 
 5593         return;
 5594     }
 5595 
 5596     if(hlen > len)
 5597     {
 5598         DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
 5599             "TCP Data Offset(%d) < longer than payload(%d)!\n",
 5600             TCP_OFFSET(p->tcph) << 2, len););
 5601 
 5602         DecoderEventDrop(p, DECODE_TCP_LARGE_OFFSET,
 5603                             DECODE_TCP_LARGE_OFFSET_STR,
 5604                             ScDecoderOversizedAlerts(),
 5605                             ScDecoderOversizedDrops());
 5606 
 5607         p->tcph = NULL;
 5608         pc.discards++;
 5609         pc.tdisc++;
 5610 
 5611         return;
 5612     }
 5613 
 5614     /* Checksum code moved in front of the other decoder alerts.
 5615        If it's a bad checksum (maybe due to encrypted ESP traffic), the other
 5616        alerts could be false positives. */
 5617 #ifdef HAVE_DAQ_DECRYPTED_SSL
 5618     if (!(p->pkth->flags & DAQ_PKT_FLAG_DECRYPTED_SSL) && ScTcpChecksums())
 5619 #else
 5620     if (ScTcpChecksums())
 5621 #endif
 5622     {
 5623         uint16_t csum;
 5624         if(IS_IP4(p))
 5625         {
 5626             pseudoheader ph;
 5627             ph.sip = p->iph->ip_src.s_addr;
 5628             ph.dip = p->iph->ip_dst.s_addr;
 5629             /* setup the pseudo header for checksum calculation */
 5630             ph.zero = 0;
 5631             ph.protocol = GET_IPH_PROTO(p);
 5632             ph.len = htons((u_short)len);
 5633 
 5634             /* if we're being "stateless" we probably don't care about the TCP
 5635              * checksum, but it's not bad to keep around for shits and giggles */
 5636             /* calculate the checksum */
 5637             csum = in_chksum_tcp(&ph, (uint16_t *)(p->tcph), len);
 5638         }