
Member "snort3_extra-3.0.3-1/src/codecs/cd_token_ring/cd_token_ring.cc" (23 Sep 2020, 7186 Bytes) of package /linux/misc/snort3_extra-3.0.3-1.tar.gz:



    1 //--------------------------------------------------------------------------
    2 // Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    3 // Copyright (C) 2002-2013 Sourcefire, Inc.
    4 // Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
    5 //
    6 // This program is free software; you can redistribute it and/or modify it
    7 // under the terms of the GNU General Public License Version 2 as published
    8 // by the Free Software Foundation.  You may not use, modify or distribute
    9 // this program under any other version of the GNU General Public License.
   10 //
   11 // This program is distributed in the hope that it will be useful, but
   12 // WITHOUT ANY WARRANTY; without even the implied warranty of
   13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   14 // General Public License for more details.
   15 //
   16 // You should have received a copy of the GNU General Public License along
   17 // with this program; if not, write to the Free Software Foundation, Inc.,
   18 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   19 //--------------------------------------------------------------------------
   20 // token_ring.h author Josh Rosenbaum <jrosenba@cisco.com>
   21 
   22 #include <daq_dlt.h>
   23 
   24 #include "codecs/codec_module.h"
   25 #include "framework/codec.h"
   26 #include "protocols/token_ring.h"
   27 
   28 using namespace snort;
   29 
   namespace
   {
   // Plugin identity strings; TR_NAME is passed to both the module and the
   // codec constructors below.
   #define TR_NAME "token_ring"
   #define TR_HELP "support for token ring decoding"

   // Decoder events this codec reports, closed by a { 0, nullptr } sentinel.
   static const RuleMap tkr_rules[] =
   {
       { DECODE_BAD_TRH,       "bad Token Ring header" },
       { DECODE_BAD_TR_ETHLLC, "bad Token Ring ETHLLC header" },
       { DECODE_BAD_TR_MR_LEN, "bad Token Ring MRLEN header" },
       { DECODE_BAD_TRHMR,     "bad Token Ring MR header" },
       { 0, nullptr }
   };

   // Module for the codec: its only override hands back the event table above.
   class TrCodecModule : public BaseCodecModule
   {
   public:
       TrCodecModule()
           : BaseCodecModule(TR_NAME, TR_HELP)
       {
       }

       const RuleMap* get_rules() const override
       {
           return tkr_rules;
       }
   };

   // The codec itself; both overrides are defined after this namespace.
   class TrCodec : public Codec
   {
   public:
       TrCodec()
           : Codec(TR_NAME)
       {
       }

       // Appends the data link type(s) this codec handles.
       void get_data_link_type(std::vector<int>&) override;

       // Validates the Token Ring framing and reports the next protocol.
       bool decode(const RawData&, CodecData&, DecodeData&) override;
   };

   // Legacy length constants. Nothing in this file references them; the
   // original author flagged them as unused and due for deletion.
   #define MINIMAL_TOKENRING_HEADER_LEN    22
   #define TR_HLEN                         MINIMAL_TOKENRING_HEADER_LEN
   #define TOKENRING_LLC_LEN                8
   // End of the block flagged for deletion.

   // Legacy field constants. decode() does not use any of them in this file.
   // NOTE(review): the original comment on TR_ALEN read "octets in an Ethernet
   // header"; 6 is presumably the hardware address length. Confirm.
   #define TR_ALEN             6

   #define AC                  0x10
   #define LLC_FRAME           0x40

   #define TRMTU                      2000    /* 2000 bytes            */
   #define TR_RII                     0x80
   #define TR_RCF_DIR_BIT             0x80
   #define TR_RCF_LEN_MASK            0x1f00
   #define TR_RCF_BROADCAST           0x8000    /* all-routes broadcast   */
   #define TR_RCF_LIMITED_BROADCAST   0xC000    /* single-route broadcast */
   #define TR_RCF_FRAME2K             0x20
   #define TR_RCF_BROADCAST_MASK      0xC000
   } // namespace
   82 
   // Registers this codec for DLT_IEEE802 captures by appending that link type
   // to the caller's list.
   void TrCodec::get_data_link_type(std::vector<int>& link_types)
   {
       link_types.push_back(DLT_IEEE802);
   }
   87 
   88 //void DecodeTRPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
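   // Decode the Token Ring link layer of a captured frame.
   //
   // raw   - captured bytes (raw.data) and captured length (raw.len).
   // codec - receives lyr_len, next_prot_id and the CODEC_ETHER_NEXT flag on
   //         success; decoder events are raised on it for truncated frames.
   //
   // Returns true when an LLC header carrying IPARP_SAP was found, false when
   // the frame is truncated (with an event) or carries another SAP (no event).
   //
   // Fix over the previous version: when a routing information field (RIF) is
   // assumed, the LLC pointer is now moved past it. The old code kept the
   // pointer at the no-RIF offset, so the final SAP test repeated the test that
   // had just selected the RIF branch. Every such frame was therefore rejected
   // and its payload never reached the next decoder, which is an inspection
   // gap. The new read stays inside the captured length because the
   // DECODE_BAD_TR_MR_LEN check already covers hdr + rif + llc bytes.
   bool TrCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
   {
       constexpr auto hdr_len = sizeof(token_ring::Trh_hdr);
       constexpr auto llc_len = sizeof(token_ring::Trh_llc);
       constexpr auto mr_len = sizeof(token_ring::Trh_mr);

       const uint32_t cap_len = raw.len;

       if (cap_len < hdr_len)
       {
           codec_event(codec, DECODE_BAD_TRH);
           return false;
       }

       /*
        * according to rfc 1042:
        *
        *   The presence of a Routing Information Field is indicated by the Most
        *   Significant Bit (MSB) of the source address, called the Routing
        *   Information Indicator (RII).  If the RII equals zero, a RIF is
        *   not present.  If the RII equals 1, the RIF is present.
        *   ..
        *   However the MSB is already zeroed by this moment, so there is no
        *   reliable way to tell whether a RIF is present in the packet; the
        *   code below looks for the IPARP SAP signature instead.
        */

       /* First assume a single-ring network: no RIF, LLC right after the header. */
       if (cap_len < hdr_len + llc_len)
       {
           codec_event(codec, DECODE_BAD_TR_ETHLLC);
           return false;
       }

       const token_ring::Trh_llc* trhllc =
           reinterpret_cast<const token_ring::Trh_llc*>(raw.data + hdr_len);
       uint32_t dataoff = static_cast<uint32_t>(hdr_len + llc_len);

       if (trhllc->dsap != IPARP_SAP && trhllc->ssap != IPARP_SAP)
       {
           /*
            * Neither SAP is IPARP_SAP at the no-RIF offset: either the frame
            * does not carry IP datagrams or a RIF precedes the LLC header.
            * Assume the latter.
            */
           if (cap_len < hdr_len + llc_len + mr_len)
           {
               codec_event(codec, DECODE_BAD_TRHMR);
               return false;
           }

           const token_ring::Trh_mr* const trhmr =
               reinterpret_cast<const token_ring::Trh_mr*>(raw.data + hdr_len);

           // Length taken from the frame itself, so it is untrusted until the
           // bounds check below has passed.
           const auto rif_len = TRH_MR_LEN(trhmr);

           if (cap_len < hdr_len + llc_len + mr_len + rif_len)
           {
               codec_event(codec, DECODE_BAD_TR_MR_LEN);
               return false;
           }

           // The LLC header follows the RIF; re-point before re-testing the SAPs.
           trhllc = reinterpret_cast<const token_ring::Trh_llc*>(raw.data + hdr_len + rif_len);
           dataoff = static_cast<uint32_t>(hdr_len + rif_len + llc_len);
       }

       /*
        * ideally we would need to check both SSAP, DSAP, and protoid fields: IP
        * datagrams and ARP requests and replies are transmitted in standard
        * 802.2 LLC Type 1 Unnumbered Information format, control code 3, with
        * the DSAP and the SSAP fields of the 802.2 header set to 170, the
        * assigned global SAP value for SNAP [6].  The 24-bit Organization Code
        * in the SNAP is zero, and the remaining 16 bits are the EtherType from
        * Assigned Numbers [7] (IP = 2048, ARP = 2054). .. but we would check
        * SSAP and DSAP and assume this would be enough to trust.
        *
        * NOTE(review): as written, the frame is accepted when either SAP
        * matches, not only when both do.
        */
       if (trhllc->dsap != IPARP_SAP && trhllc->ssap != IPARP_SAP)
       {
           return false;
       }

       codec.lyr_len = dataoff;
       codec.next_prot_id = trhllc->ethertype();
       codec.codec_flags |= CODEC_ETHER_NEXT;
       return true;
   }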
  181 
  182 //-------------------------------------------------------------------------
  183 // api
  184 //-------------------------------------------------------------------------
  185 
  // Plugin API hook: allocates the codec's module; mod_dtor releases it.
  static Module* mod_ctor()
  {
      return new TrCodecModule;
  }
  188 
  // Plugin API hook: frees a module through its Module base pointer.
  static void mod_dtor(Module* module)
  {
      delete module;
  }
  191 
  // Plugin API hook: allocates a codec instance; the module argument is unused.
  static Codec* ctor(Module*)
  {
      return new TrCodec();
  }
  194 
  // Plugin API hook: frees a codec instance through its Codec base pointer.
  static void dtor(Codec* codec)
  {
      delete codec;
  }
  197 
  // Plugin descriptor for the Token Ring codec. The nested initializer fills
  // the base record exported through snort_plugins; the trailing entries are
  // the codec lifecycle hooks.
  static const CodecApi tr_api =
  {
      {
          PT_CODEC,
          sizeof(CodecApi),
          CDAPI_VERSION,
          0,
          API_RESERVED,
          API_OPTIONS,
          TR_NAME,
          TR_HELP,
          mod_ctor,   // module factory
          mod_dtor    // module teardown
      },
      nullptr,    // pinit
      nullptr,    // pterm
      nullptr,    // tinit
      nullptr,    // tterm
      ctor,       // codec factory
      dtor,       // codec teardown
  };
  219 
  // Exported, nullptr-terminated plugin table; this library provides only the
  // Token Ring codec.
  SO_PUBLIC const BaseApi* snort_plugins[] =
  {
      &tr_api.base,
      nullptr
  };
  225