static int proto_dns_process(struct proto *proto, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
struct proto_process_stack *s_next = &stack[stack_index + 1];
if (s->plen < sizeof(struct dns_header))
return PROTO_INVALID;
struct dns_header *dhdr = s->pload;
uint16_t qdcount = 0, ancount = 0, nscount = 0, arcount = 0;
qdcount = ntohs(dhdr->qdcount);
ancount = ntohs(dhdr->ancount);
nscount = ntohs(dhdr->nscount);
arcount = ntohs(dhdr->arcount);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_id], ntohs(dhdr->id));
PTYPE_BOOL_SETVAL(s->pkt_info->fields_value[proto_dns_field_response], dhdr->qr);
PTYPE_UINT8_SETVAL(s->pkt_info->fields_value[proto_dns_field_rcode], dhdr->rcode);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_qdcount], qdcount);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_ancount], ancount);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_nscount], nscount);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_arcount], arcount);
if (qdcount != 1)
return PROTO_INVALID;
s_next->plen = s->plen - sizeof(struct dns_header);
s_next->pload = s->pload + sizeof(struct dns_header);
return PROTO_OK;
}
static int proto_vlan_process(void *proto_priv, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
if (s->plen < PROTO_VLAN_HEADER_SIZE)
return PROTO_INVALID;
uint16_t tci = ntohs(*(uint16_t*)s->pload);
uint16_t *ether_type = s->pload + sizeof(uint16_t);
uint16_t de = (tci & PROTO_VLAN_DE_MASK) >> PROTO_VLAN_DE_SHIFT;
uint16_t pcp = (tci & PROTO_VLAN_PCP_MASK) >> PROTO_VLAN_PCP_SHIFT;
uint16_t vid = tci & PROTO_VLAN_VID_MASK;
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_vlan_field_vid], vid);
PTYPE_BOOL_SETVAL(s->pkt_info->fields_value[proto_vlan_field_de], de);
PTYPE_UINT8_SETVAL(s->pkt_info->fields_value[proto_vlan_field_pcp], pcp);
struct proto_process_stack *s_next = &stack[stack_index + 1];
s_next->pload = s->pload + PROTO_VLAN_HEADER_SIZE;
s_next->plen = s->plen - PROTO_VLAN_HEADER_SIZE;
s_next->proto = proto_get_by_number(s->proto, ntohs(*ether_type));
return PROTO_OK;
}
static int analyzer_smtp_event_process_begin(struct event *evt, void *obj, struct proto_process_stack *stack, unsigned int stack_index) {
struct analyzer *analyzer = obj;
struct analyzer_smtp_priv *apriv = analyzer->priv;
struct proto_process_stack *s = &stack[stack_index];
if (!s->ce)
return POM_ERR;
// Only process stuff if we have the DATA event or if we already have an event
struct event_reg *evt_reg = event_get_reg(evt);
struct data *evt_data = event_get_data(evt);
struct analyzer_smtp_ce_priv *cpriv = conntrack_get_priv(s->ce, analyzer);
// It's expected that an SMTP connection will always contain at least one message
// So we always create the cpriv and event, no matter what
if (!cpriv) {
cpriv = malloc(sizeof(struct analyzer_smtp_ce_priv));
if (!cpriv) {
pom_oom(sizeof(struct analyzer_smtp_ce_priv));
return POM_ERR;
}
memset(cpriv, 0, sizeof(struct analyzer_smtp_ce_priv));
if (conntrack_add_priv(s->ce, analyzer, cpriv, analyzer_smtp_ce_priv_cleanup) != POM_OK) {
free(cpriv);
return POM_ERR;
}
}
if (!cpriv->evt_msg) {
cpriv->evt_msg = event_alloc(apriv->evt_msg);
if (!cpriv->evt_msg)
return POM_ERR;
}
struct data *msg_data = event_get_data(cpriv->evt_msg);
if (evt_reg == apriv->evt_cmd) {
if (!cpriv->common_data_fetched)
analyzer_smtp_event_fetch_common_data(cpriv, stack, stack_index, POM_DIR_REVERSE(s->direction));
// Process commands
// A message was being transmitted and we recevied a new command
if (event_is_started(cpriv->evt_msg)) {
event_process_end(cpriv->evt_msg);
cpriv->evt_msg = NULL;
}
char *cmd = PTYPE_STRING_GETVAL(evt_data[proto_smtp_cmd_name].value);
if (!cmd)
return POM_OK;
char *arg = PTYPE_STRING_GETVAL(evt_data[proto_smtp_cmd_arg].value);
if (arg) {
while (*arg == ' ')
arg++;
}
if (!strcasecmp(cmd, "MAIL")) {
if (strncasecmp(arg, "FROM:", strlen("FROM:"))) {
pomlog(POMLOG_DEBUG "Unparseable MAIL command");
return POM_OK;
}
arg += strlen("FROM:");
while (*arg == ' ')
arg++;
if (*arg == '<')
arg++;
size_t len;
char *end = strchr(arg, '>');
if (end)
len = end - arg;
else
len = strlen(arg);
PTYPE_STRING_SETVAL_N(msg_data[analyzer_smtp_msg_from].value, arg, len);
data_set(msg_data[analyzer_smtp_msg_from]);
cpriv->last_cmd = analyzer_smtp_last_cmd_mail_from;
} else if (!strcasecmp(cmd, "RCPT")) {
if (strncasecmp(arg, "TO:", strlen("TO:"))) {
pomlog(POMLOG_DEBUG "Unparseable RCPT command");
return POM_OK;
}
arg += strlen("TO:");
while (*arg == ' ')
arg++;
if (*arg == '<')
arg++;
size_t len;
char *end = strchr(arg, '>');
if (end)
len = end - arg;
else
len = strlen(arg);
struct ptype *to = ptype_alloc("string");
if (!to)
return POM_ERR;
PTYPE_STRING_SETVAL_N(to, arg, len);
if (data_item_add_ptype(msg_data, analyzer_smtp_msg_to, strdup("to"), to) != POM_OK) {
ptype_cleanup(to);
return POM_ERR;
}
cpriv->last_cmd = analyzer_smtp_last_cmd_rcpt_to;
} else if (!strcasecmp(cmd, "DATA")) {
cpriv->last_cmd = analyzer_smtp_last_cmd_data;
if (!event_is_started(cpriv->evt_msg)) {
analyzer_smtp_event_fill_common_data(cpriv, msg_data);
event_process_begin(cpriv->evt_msg, stack, stack_index, event_get_timestamp(evt));
} else {
pomlog(POMLOG_DEBUG "Message event already started !");
}
} else if (!strcasecmp(cmd, "RSET")) {
// Cleanup the event
event_cleanup(cpriv->evt_msg);
cpriv->evt_msg = NULL;
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
} else if (!strcasecmp(cmd, "HELO") || !strcasecmp(cmd, "EHLO")) {
if (cpriv->client_hello) {
pomlog(POMLOG_DEBUG "We already have a client hello !");
free(cpriv->client_hello);
}
cpriv->client_hello = strdup(arg);
if (!cpriv->client_hello) {
pom_oom(strlen(arg) + 1);
return POM_ERR;
}
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
} else if (!strcasecmp(cmd, "AUTH")) {
if (!strncasecmp(arg, "PLAIN", strlen("PLAIN"))) {
arg += strlen("PLAIN");
while (*arg == ' ')
arg++;
if (cpriv->evt_auth) {
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
}
if (strlen(arg)) {
if (analyzer_smtp_parse_auth_plain(apriv, cpriv, arg) == POM_OK) {
event_process_begin(cpriv->evt_auth, stack, stack_index, event_get_timestamp(evt));
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_plain_creds;
}
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_plain;
}
} else if (!strncasecmp(arg, "LOGIN", strlen("LOGIN"))) {
arg += strlen("LOGIN");
while (*arg == ' ')
arg++;
if (cpriv->evt_auth) {
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
}
cpriv->evt_auth = event_alloc(apriv->evt_auth);
if (!cpriv->evt_auth)
return POM_ERR;
struct data *auth_data = event_get_data(cpriv->evt_auth);
analyzer_smtp_event_fill_common_data(cpriv, auth_data);
// Set the authentication type
PTYPE_STRING_SETVAL(auth_data[analyzer_smtp_auth_type].value, "LOGIN");
data_set(auth_data[analyzer_smtp_auth_type]);
if (strlen(arg)) {
char *username = NULL;
size_t out_len = 0;
struct ptype *username_pt = NULL;
if (decoder_decode_simple("base64", arg, strlen(arg), &username, &out_len) == POM_OK) {
username_pt = ptype_alloc("string");
if (username_pt) {
PTYPE_STRING_SETVAL_P(username_pt, username);
if (data_item_add_ptype(auth_data, analyzer_smtp_auth_params, strdup("username"), username_pt) != POM_OK) {
ptype_cleanup(username_pt);
event_cleanup(cpriv->evt_auth);
cpriv->evt_auth = NULL;
username_pt = NULL;
}
} else {
free(username);
}
}
if (!username_pt) {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
event_process_begin(cpriv->evt_auth, stack, stack_index, event_get_timestamp(evt));
}
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_login;
}
}
} else if (cpriv->last_cmd == analyzer_smtp_last_cmd_auth_plain) {
// We are expecting the credentials right now
if (analyzer_smtp_parse_auth_plain(apriv, cpriv, cmd) == POM_OK) {
event_process_begin(cpriv->evt_auth, stack, stack_index, event_get_timestamp(evt));
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_plain_creds;
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
}
} else if (cpriv->last_cmd == analyzer_smtp_last_cmd_auth_login) {
char *username = NULL;
size_t out_len = 0;
struct ptype *username_pt = NULL;
if (decoder_decode_simple("base64", cmd, strlen(cmd), &username, &out_len) == POM_OK) {
username_pt = ptype_alloc("string");
if (username_pt) {
PTYPE_STRING_SETVAL_P(username_pt, username);
struct data *auth_data = event_get_data(cpriv->evt_auth);
if (data_item_add_ptype(auth_data, analyzer_smtp_auth_params, strdup("username"), username_pt) != POM_OK) {
ptype_cleanup(username_pt);
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
username_pt = NULL;
}
} else {
free(username);
}
}
if (!username_pt) {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
} else {
event_process_begin(cpriv->evt_auth, stack, stack_index, event_get_timestamp(evt));
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_login_user;
}
} else if (cpriv->last_cmd == analyzer_smtp_last_cmd_auth_login_user) {
char *password = NULL;
size_t out_len = 0;
struct ptype *password_pt = NULL;
if (decoder_decode_simple("base64", cmd, strlen(cmd), &password, &out_len) == POM_OK) {
password_pt = ptype_alloc("string");
if (password_pt) {
PTYPE_STRING_SETVAL_P(password_pt, password);
struct data *auth_data = event_get_data(cpriv->evt_auth);
if (data_item_add_ptype(auth_data, analyzer_smtp_auth_params, strdup("password"), password_pt) != POM_OK) {
ptype_cleanup(password_pt);
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
password_pt = NULL;
}
} else {
free(password);
}
}
if (!password_pt) {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_login_pass;
}
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
}
} else if (evt_reg == apriv->evt_reply) {
if (!cpriv->common_data_fetched)
analyzer_smtp_event_fetch_common_data(cpriv, stack, stack_index, s->direction);
// Process replies
uint16_t code = *PTYPE_UINT16_GETVAL(evt_data[proto_smtp_reply_code].value);
switch (cpriv->last_cmd) {
default:
case analyzer_smtp_last_cmd_other:
if (code == 220 && evt_data[proto_smtp_reply_text].items && evt_data[proto_smtp_reply_text].items->value) {
// STARTTLS returns 220 as well so ignore extra code 220
if (!cpriv->server_hello) {
char *helo = PTYPE_STRING_GETVAL(evt_data[proto_smtp_reply_text].items->value);
cpriv->server_hello = strdup(helo);
if (!cpriv->server_hello) {
pom_oom(strlen(helo) + 1);
return POM_ERR;
}
}
}
break;
case analyzer_smtp_last_cmd_mail_from:
if (code != 250) {
// FROM is invalid
data_unset(msg_data[analyzer_smtp_msg_from]);
}
break;
case analyzer_smtp_last_cmd_rcpt_to:
// For now just don't do anything
// It's best to keep a destination in there even if it's invalid or denied
break;
case analyzer_smtp_last_cmd_data:
if (code == 354) {
// The message is starting, keep last_cmd intact
return POM_OK;
}
// Message is over (if ever transmited)
if (event_is_started(cpriv->evt_msg)) {
struct data *msg_data = event_get_data(cpriv->evt_msg);
PTYPE_UINT16_SETVAL(msg_data[analyzer_smtp_msg_result].value, code);
data_set(msg_data[analyzer_smtp_msg_result]);
event_process_end(cpriv->evt_msg);
cpriv->evt_msg = NULL;
}
break;
case analyzer_smtp_last_cmd_auth_plain:
case analyzer_smtp_last_cmd_auth_login:
case analyzer_smtp_last_cmd_auth_login_user:
// Check if authentication phase can continue
if (code == 334) {
// Don't reset cpriv->last_cmd
return POM_OK;
} else {
struct data *evt_data = event_get_data(cpriv->evt_auth);
PTYPE_BOOL_SETVAL(evt_data[analyzer_smtp_auth_success].value, 0);
data_set(evt_data[analyzer_smtp_auth_success]);
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
}
break;
case analyzer_smtp_last_cmd_auth_plain_creds:
case analyzer_smtp_last_cmd_auth_login_pass: {
// We just processed the credentials
struct data *auth_data = event_get_data(cpriv->evt_auth);
char success = 0;
if (code == 235)
success = 1;
PTYPE_BOOL_SETVAL(auth_data[analyzer_smtp_auth_success].value, success);
data_set(auth_data[analyzer_smtp_auth_success]);
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
break;
}
}
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
}
return POM_OK;
}
int analyzer_ppp_pap_finalize(struct analyzer_ppp_pap_priv *apriv, struct analyzer_ppp_pap_ce_priv *cpriv) {
if (!cpriv->evt_request)
return POM_OK;
struct event *evt = NULL;
struct data *evt_data = NULL;
struct data *evt_req_data = event_get_data(cpriv->evt_request);
evt = event_alloc(apriv->evt_auth);
if (!evt)
return POM_ERR;
evt_data = event_get_data(evt);
if (ptype_copy(evt_data[analyzer_ppp_pap_auth_peer_id].value, evt_req_data[evt_ppp_pap_request_peer_id].value) != POM_OK) {
event_cleanup(evt);
return POM_ERR;
}
data_set(evt_data[analyzer_ppp_pap_auth_peer_id]);
if (ptype_copy(evt_data[analyzer_ppp_pap_auth_password].value, evt_req_data[evt_ppp_pap_request_password].value) != POM_OK) {
event_cleanup(evt);
return POM_ERR;
}
data_set(evt_data[analyzer_ppp_pap_auth_password]);
if (cpriv->client) {
evt_data[analyzer_ppp_pap_auth_client].value = cpriv->client;
data_set(evt_data[analyzer_ppp_pap_auth_client]);
data_do_clean(evt_data[analyzer_ppp_pap_auth_client]);
cpriv->client = NULL;
}
if (cpriv->server) {
evt_data[analyzer_ppp_pap_auth_server].value = cpriv->server;
data_set(evt_data[analyzer_ppp_pap_auth_server]);
data_do_clean(evt_data[analyzer_ppp_pap_auth_server]);
cpriv->server = NULL;
}
if (cpriv->vlan) {
evt_data[analyzer_ppp_pap_auth_vlan].value = cpriv->vlan;
data_set(evt_data[analyzer_ppp_pap_auth_vlan]);
data_do_clean(evt_data[analyzer_ppp_pap_auth_vlan]);
cpriv->vlan = NULL;
}
if (cpriv->top_proto) {
PTYPE_STRING_SETVAL(evt_data[analyzer_ppp_pap_auth_top_proto].value, cpriv->top_proto);
data_set(evt_data[analyzer_ppp_pap_auth_top_proto]);
}
if (ptype_copy(evt_data[analyzer_ppp_pap_auth_identifier].value, evt_req_data[evt_ppp_pap_request_identifier].value) != POM_OK) {
event_cleanup(evt);
return POM_ERR;
}
data_set(evt_data[analyzer_ppp_pap_auth_identifier]);
if (cpriv->evt_ack_nack) {
struct data *evt_ack_data = event_get_data(cpriv->evt_ack_nack);
uint8_t code = *PTYPE_UINT8_GETVAL(evt_ack_data[evt_ppp_pap_ack_nack_code].value);
if (code == 2) {
PTYPE_BOOL_SETVAL(evt_data[analyzer_ppp_pap_auth_success].value, 1);
} else {
PTYPE_BOOL_SETVAL(evt_data[analyzer_ppp_pap_auth_success].value, 0);
}
data_set(evt_data[analyzer_ppp_pap_auth_success]);
event_refcount_dec(cpriv->evt_ack_nack);
cpriv->evt_ack_nack = NULL;
}
ptime ts = event_get_timestamp(cpriv->evt_request);
event_refcount_dec(cpriv->evt_request);
cpriv->evt_request = NULL;
return event_process(evt, NULL, 0, ts);
}
static int proto_eap_process(void *proto_priv, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
if (sizeof(struct eap_header) > s->plen)
return PROTO_INVALID;
struct proto_eap_priv *priv = proto_priv;
struct eap_header *hdr = s->pload;
PTYPE_UINT8_SETVAL(s->pkt_info->fields_value[proto_eap_field_code], hdr->code);
PTYPE_UINT8_SETVAL(s->pkt_info->fields_value[proto_eap_field_identifier], hdr->identifier);
if (hdr->code < 1 || hdr->code > 4)
return PROTO_INVALID;
uint16_t len = ntohs(hdr->length);
if (len > s->plen)
return PROTO_INVALID;
// Keep only the payload lenght
len -= sizeof(struct eap_header);
if (conntrack_get(stack, stack_index) != POM_OK)
return PROTO_ERR;
if (conntrack_delayed_cleanup(s->ce, *PTYPE_UINT32_GETVAL(priv->p_timeout), p->ts) != POM_OK) {
conntrack_unlock(s->ce);
return PROTO_ERR;
}
conntrack_unlock(s->ce);
if (hdr->code == 3 || hdr->code == 4) {
// Content length is 0 for success and failure
if (len != 4)
return PROTO_INVALID;
len = 0;
if (!event_has_listener(priv->evt_success_failure))
return PROTO_OK;
struct event *evt = event_alloc(priv->evt_success_failure);
if (!evt)
return PROTO_ERR;
struct data *evt_data = event_get_data(evt);
PTYPE_UINT8_SETVAL(evt_data[evt_eap_common_identifier].value, hdr->identifier);
data_set(evt_data[evt_eap_common_identifier]);
PTYPE_BOOL_SETVAL(evt_data[evt_eap_success_failure_success].value, (hdr->code == 3 ? 1 : 0));
data_set(evt_data[evt_eap_success_failure_success]);
return event_process(evt, stack, stack_index, p->ts);
}
// At this point, code is either 1 or 2 (request/response)
void *pload = s->pload + sizeof(struct eap_header);
uint8_t type = 0;
// There is at least 1 byte of data for request/response
if (len < 1)
return PROTO_INVALID;
len--;
type = *(uint8_t*)pload;
pload++;
struct event *evt = NULL;
struct data *evt_data = NULL;
switch (type) {
case 1: // Identity
if (!event_has_listener(priv->evt_identity))
break;
evt = event_alloc(priv->evt_identity);
if (!evt)
return PROTO_ERR;
if (len) {
evt_data = event_get_data(evt);
PTYPE_STRING_SETVAL_N(evt_data[evt_eap_identity_identity].value, pload, len);
data_set(evt_data[evt_eap_identity_identity]);
}
break;
case 4: // MD5-Challenge
if (!event_has_listener(priv->evt_md5_challenge))
break;
if (len < 17)
return PROTO_INVALID;
uint8_t value_size = *(uint8_t*)pload;
if (value_size != 16)
return PROTO_INVALID;
pload++;
len--;
evt = event_alloc(priv->evt_md5_challenge);
if (!evt)
return PROTO_ERR;
evt_data = event_get_data(evt);
PTYPE_BYTES_SETLEN(evt_data[evt_eap_md5_challenge_value].value, 16);
PTYPE_BYTES_SETVAL(evt_data[evt_eap_md5_challenge_value].value, pload);
data_set(evt_data[evt_eap_md5_challenge_value]);
if (len > 16) {
PTYPE_STRING_SETVAL_N(evt_data[evt_eap_md5_challenge_name].value, pload + 16, len - 16);
data_set(evt_data[evt_eap_md5_challenge_name]);
}
break;
}
if (evt) {
if (!evt_data)
evt_data = event_get_data(evt);
PTYPE_UINT8_SETVAL(evt_data[evt_eap_common_identifier].value, hdr->identifier);
data_set(evt_data[evt_eap_common_identifier]);
PTYPE_UINT8_SETVAL(evt_data[evt_eap_common_code].value, hdr->code);
data_set(evt_data[evt_eap_common_code]);
if (event_process(evt, stack, stack_index, p->ts) != POM_OK)
return PROTO_ERR;
}
return PROTO_OK;
}
static int analyzer_tftp_pkt_process(void *obj, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct analyzer_tftp_priv *priv = obj;
struct proto_process_stack *s = &stack[stack_index];
struct proto_process_stack *s_prev = &stack[stack_index - 1];
uint16_t opcode = *PTYPE_UINT16_GETVAL(s_prev->pkt_info->fields_value[proto_tftp_field_opcode]);
// Get the session
struct conntrack_session *session = conntrack_session_get(s_prev->ce);
if (!session)
return POM_ERR;
struct analyzer_tftp_session_priv *spriv = conntrack_session_get_priv(session, obj);
if (!spriv) {
// Add session priv if it is not done yet
spriv = malloc(sizeof(struct analyzer_tftp_session_priv));
if (!spriv) {
pom_oom(sizeof(struct analyzer_tftp_session_priv));
goto err;
}
memset(spriv, 0, sizeof(struct analyzer_tftp_session_priv));
if (conntrack_session_add_priv(session, obj, spriv, analyzer_tftp_session_priv_cleanup) != POM_OK) {
free(spriv);
goto err;
}
}
void *pload = s->pload;
uint32_t plen = s->plen;
switch (opcode) {
case tftp_rrq:
case tftp_wrq: {
if (plen < 3)
return POM_OK; // Invalid packet
// Find the filename
// The below should always be valid as proto_tftp already checked this
char *filename = pload;
char *mode = memchr(filename, 0, plen - 1) + 1;
struct analyzer_tftp_file *fq = malloc(sizeof(struct analyzer_tftp_file));
if (!fq) {
pom_oom(sizeof(struct analyzer_tftp_file));
goto err;
}
memset(fq, 0, sizeof(struct analyzer_tftp_file));
// Get the port on which we expect this file
// No need to check the IP as we got the session biding
struct proto_process_stack *s_l4 = &stack[stack_index - 2];
unsigned int i;
for (i = 0; !fq->port ; i++) {
struct proto_reg_info *pinfo = proto_get_info(s_l4->proto);
char *name = pinfo->pkt_fields[i].name;
if (!name) {
pomlog(POMLOG_ERR "Source port not found in RRQ/WRQ packets");
goto err;
}
if (!strcmp(name, "sport")) {
fq->port = *PTYPE_UINT16_GETVAL(s_l4->pkt_info->fields_value[i]);
break;
}
}
fq->evt = event_alloc(priv->evt_file);
if (!fq->evt) {
free(fq);
goto err;
}
struct data *evt_data = event_get_data(fq->evt);
PTYPE_STRING_SETVAL(evt_data[analyzer_tftp_file_filename].value, filename);
data_set(evt_data[analyzer_tftp_file_filename]);
PTYPE_STRING_SETVAL(evt_data[analyzer_tftp_file_mode].value, mode);
data_set(evt_data[analyzer_tftp_file_mode]);
PTYPE_BOOL_SETVAL(evt_data[analyzer_tftp_file_write].value, opcode == tftp_wrq);
data_set(evt_data[analyzer_tftp_file_write]);
fq->next = spriv->files;
if (fq->next)
fq->next->prev = fq;
spriv->files = fq;
conntrack_session_unlock(session);
event_process_begin(fq->evt, stack, stack_index, p->ts);
break;
}
case tftp_data: {
if (plen < sizeof(uint16_t))
return POM_OK; // Invalid packet
struct analyzer_tftp_file *f = conntrack_get_priv(s_prev->ce, obj);
struct data *evt_data = NULL;
if (!f) {
// The file is not yet associated to this connection
// Find it in the queue
struct proto_process_stack *s_l4 = &stack[stack_index - 2];
unsigned int i;
uint16_t sport = 0, dport = 0;
for (i = 0; !sport || !dport ; i++) {
struct proto_reg_info *pinfo = proto_get_info(s_l4->proto);
char *name = pinfo->pkt_fields[i].name;
if (!name) {
pomlog(POMLOG_ERR "Source port not found in data packets");
goto err;
}
if (!strcmp(name, "sport"))
sport = *PTYPE_UINT16_GETVAL(s_l4->pkt_info->fields_value[i]);
if (!strcmp(name, "dport"))
dport = *PTYPE_UINT16_GETVAL(s_l4->pkt_info->fields_value[i]);
}
// Find the file in the session list
for (f = spriv->files; ; f = f->next) {
evt_data = event_get_data(f->evt);
if (*PTYPE_BOOL_GETVAL(evt_data[analyzer_tftp_file_write].value)) {
if (f->port == sport)
break;
} else {
if (f->port == dport)
break;
}
}
if (!f) {
pomlog(POMLOG_DEBUG "File not found in queued file request.");
conntrack_session_unlock(session);
return POM_OK;
}
// Remove the file from the queue and assign it to the conntrack
if (f->prev)
f->prev->next = f->next;
else
spriv->files = f->next;
if (f->next)
f->next->prev = f->prev;
f->prev = NULL;
f->next = NULL;
// Create the payload buffer
f->pload = pload_alloc(f->evt, PLOAD_FLAG_NEED_MAGIC);
if (!f->pload)
goto err;
conntrack_add_priv(s_prev->ce, obj, f, analyzer_tftp_conntrack_priv_cleanup);
} else {
evt_data = event_get_data(f->evt);
}
conntrack_session_unlock(session);
if (!f->pload) {
pomlog(POMLOG_DEBUG "Ignoring extra packet");
return POM_OK;
}
// Discard the block ID
pload += sizeof(uint16_t);
plen -= sizeof(uint16_t);
if (pload_append(f->pload, pload, plen) != POM_OK)
goto err;
uint32_t *size = PTYPE_UINT32_GETVAL(evt_data[analyzer_tftp_file_size].value);
*size += plen;
if (plen < ANALYZER_TFTP_BLK_SIZE) {
// Got last packet !
data_set(evt_data[analyzer_tftp_file_size]);
int res = pload_end(f->pload);
res += event_process_end(f->evt);
f->evt = NULL;
f->pload = NULL;
if (res)
goto err;
}
break;
}
case tftp_error: {
conntrack_session_unlock(session);
struct analyzer_tftp_file *f = conntrack_get_priv(s_prev->ce, obj);
if (f && f->pload) {
int res = pload_end(f->pload);
res += event_process_end(f->evt);
f->pload = NULL;
f->evt = NULL;
if (res)
goto err;
}
break;
}
default:
conntrack_session_unlock(session);
break;
}
return POM_OK;
err:
conntrack_session_unlock(session);
return POM_ERR;
}
