$NetBSD: patch-aa,v 1.2 1998/08/07 11:10:57 agc Exp $ *** sn_defines.h Fri Apr 18 11:33:58 1997 --- sn_defines.h Thu Jul 24 16:02:16 1997 *************** *** 80,90 **** #define SYN 2 #define FIN 1 ! #define NO_IP 0 ! #define NO_IP_4 1000 ! #define ICMP 1 /* Protocol Numbers */ ! #define TCP 6 ! #define UDP 17 #define ICMP_HEADLENGTH 4 /* fixed ICMP header length */ #define UDP_HEADLENGTH 8 /* fixed UDP header length */ --- 80,91 ---- #define SYN 2 #define FIN 1 ! #define NO_IP 0 ! #define NO_IP_4 1000 ! #define CORRUPT_IP 1001 ! #define ICMP 1 /* Protocol Numbers */ ! #define TCP 6 ! #define UDP 17 #define ICMP_HEADLENGTH 4 /* fixed ICMP header length */ #define UDP_HEADLENGTH 8 /* fixed UDP header length */ *** sn_packets.c Fri Apr 18 11:33:58 1997 --- sn_packets.c Thu Aug 22 19:18:51 1985 *************** *** 43,48 **** --- 43,49 ---- struct UDP_header UDPhead; int i; + short int dummy; /* 2 bytes, important */ memcpy(&IPhead,(sp+PROTO_HEAD),sizeof(struct IP_header)); /* IP header Conversion */ *************** *** 51,56 **** --- 52,58 ---- unwrapped->TCP_len = 0; /* Reset structure NEEDED!!! */ unwrapped->UDP_len = 0; unwrapped->DATA_len = 0; + unwrapped->FRAG_nf = 0; if(NO_CHKSUM == 0) { *************** *** 75,106 **** /* restore orig buffer */ /* general programming rule */ } if(IPhead.protocol == TCP ) /* TCP */ { ! memcpy(&TCPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct TCP_header)); ! unwrapped->TCP_len = ntohs(TCPhead.offset_flag) & 0xF000; ! unwrapped->TCP_len >>= 10; ! unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->TCP_len); return TCP; } if(IPhead.protocol == ICMP ) /* ICMP */ { ! memcpy(&ICMPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct ICMP_header)); ! unwrapped->ICMP_len = ICMP_HEADLENGTH; ! unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->ICMP_len); ! return ICMP; } if(IPhead.protocol == UDP ) /* UDP */ { ! memcpy(&UDPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct UDP_header)); ! unwrapped->UDP_len = UDP_HEADLENGTH; ! unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->UDP_len); return UDP; } return -1; --- 77,150 ---- /* restore orig buffer */ /* general programming rule */ } + + #ifdef DEBUG_ONSCREEN + printf("IPheadlen: %d total length: %d\n", unwrapped->IP_len, + ntohs(IPhead.length)); + #endif + + dummy=ntohs(IPhead.flag_offset); dummy<<=3; + if( dummy!=0 ) /* we have offset */ + { + unwrapped->FRAG_nf = 1; + } + if(IPhead.protocol == TCP ) /* TCP */ { ! if(unwrapped->FRAG_nf == 0) ! { ! if( (ntohs(IPhead.length)-(unwrapped->IP_len))<20 ) ! {return CORRUPT_IP;}; ! ! memcpy(&TCPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct TCP_header)); ! unwrapped->TCP_len = ntohs(TCPhead.offset_flag) & 0xF000; ! unwrapped->TCP_len >>= 10; ! unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->TCP_len); + } + else + { + unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len); + } return TCP; } if(IPhead.protocol == ICMP ) /* ICMP */ { ! if(unwrapped->FRAG_nf == 0) ! { ! if( (ntohs(IPhead.length)-(unwrapped->IP_len))<4 ) ! {return CORRUPT_IP;}; ! ! memcpy(&ICMPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct ICMP_header)); ! unwrapped->ICMP_len = ICMP_HEADLENGTH; ! unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->ICMP_len); ! return ICMP; ! } ! else ! { ! return -1; /* don't handle fragmented ICMP */ ! } } if(IPhead.protocol == UDP ) /* UDP */ { ! if(unwrapped->FRAG_nf == 0) ! { ! if( (ntohs(IPhead.length)-(unwrapped->IP_len))<8 ) ! {return CORRUPT_IP;}; ! ! memcpy(&UDPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct UDP_header)); ! unwrapped->UDP_len = UDP_HEADLENGTH; ! unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->UDP_len); + } + else + { + unwrapped->DATA_len = ntohs(IPhead.length)-(unwrapped->IP_len); + } return UDP; } return -1; *** sn_packetstructs.h Fri Apr 18 11:33:58 1997 --- sn_packetstructs.h Thu Jul 24 16:17:20 1997 *************** *** 44,51 **** unsigned short length, checksum; }; ! struct unwrap /* some extra info */ { int IP_len, TCP_len, ICMP_len, UDP_len; /* header lengths */ int DATA_len; }; --- 44,52 ---- unsigned short length, checksum; }; ! struct unwrap /* some extra info */ { int IP_len, TCP_len, ICMP_len, UDP_len; /* header lengths */ int DATA_len; + char FRAG_nf; /* not the first fragment */ }; *** sniffit.0.3.5.c Fri Apr 18 11:33:58 1997 --- sniffit.0.3.5.c Thu Aug 22 19:19:49 1985 *************** *** 411,421 **** --- 411,427 ---- proto=unwrap_packet(sp, info); if(proto == NO_IP) return DONT_EXAMINE; /* no use in trying */ if(proto == NO_IP_4) return DONT_EXAMINE; /* no use in trying */ + if(proto == CORRUPT_IP) + {printf("Suspicious Packet detected... (Split header)\n"); + return DONT_EXAMINE;} memcpy(&iphead,(sp+PROTO_HEAD),sizeof(struct IP_header)); so=(unsigned char *)&(iphead.source); dest=(unsigned char *)&(iphead.destination); + if(info->FRAG_nf!=0) + {printf("Fragment Skipped...\n"); return DONT_EXAMINE; }; + if((proto==TCP)&&(PROTOCOLS&F_TCP)) { #ifdef DEBUG_ONSCREEN *************** *** 1220,1225 **** --- 1226,1235 ---- proto=unwrap_packet(sp, info); if(proto == NO_IP) return DONT_EXAMINE; /* no use in trying */ if(proto == NO_IP_4) return DONT_EXAMINE; /* no use in trying */ + if(proto == CORRUPT_IP) return DONT_EXAMINE; /* no use in trying */ + + if(info->FRAG_nf!=0) + {return DONT_EXAMINE; }; (*IP_nr_of_packets)++; if(proto==ICMP)