mirror of
				https://github.com/tailscale/tailscale.git
				synced 2025-10-24 22:02:04 +02:00 
			
		
		
		
	The first packet fragment guard had an additional guard clause that was incorrectly comparing a length in bytes to a length in octets, and was also comparing what should have been an entire IPv4 through transport header length to a subprotocol payload length. The subprotocol header size guards were otherwise protecting against short transport headers, as is the conservative non-first fragment minimum offset size. Add an explicit disallowing of fragmentation for TSMP for the avoidance of doubt. Updates #cleanup Updates #5727 Signed-off-by: James Tucker <james@tailscale.com>
		
			
				
	
	
		
			755 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			755 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright (c) Tailscale Inc & AUTHORS
 | |
| // SPDX-License-Identifier: BSD-3-Clause
 | |
| 
 | |
| package packet
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"encoding/hex"
 | |
| 	"net/netip"
 | |
| 	"reflect"
 | |
| 	"strings"
 | |
| 	"testing"
 | |
| 	"unicode"
 | |
| 
 | |
| 	"tailscale.com/tstest"
 | |
| 	"tailscale.com/types/ipproto"
 | |
| 	"tailscale.com/util/must"
 | |
| )
 | |
| 
 | |
| const (
 | |
| 	Unknown  = ipproto.Unknown
 | |
| 	TCP      = ipproto.TCP
 | |
| 	UDP      = ipproto.UDP
 | |
| 	SCTP     = ipproto.SCTP
 | |
| 	IGMP     = ipproto.IGMP
 | |
| 	ICMPv4   = ipproto.ICMPv4
 | |
| 	ICMPv6   = ipproto.ICMPv6
 | |
| 	TSMP     = ipproto.TSMP
 | |
| 	Fragment = ipproto.Fragment
 | |
| )
 | |
| 
 | |
| func mustIPPort(s string) netip.AddrPort {
 | |
| 	ipp, err := netip.ParseAddrPort(s)
 | |
| 	if err != nil {
 | |
| 		panic(err)
 | |
| 	}
 | |
| 	return ipp
 | |
| }
 | |
| 
 | |
| var icmp4RequestBuffer = []byte{
 | |
| 	// IP header up to checksum
 | |
| 	0x45, 0x00, 0x00, 0x27, 0xde, 0xad, 0x00, 0x00, 0x40, 0x01, 0x8c, 0x15,
 | |
| 	// source IP
 | |
| 	0x01, 0x02, 0x03, 0x04,
 | |
| 	// destination IP
 | |
| 	0x05, 0x06, 0x07, 0x08,
 | |
| 	// ICMP header
 | |
| 	0x08, 0x00, 0x7d, 0x22,
 | |
| 	// "request_payload"
 | |
| 	0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
 | |
| }
 | |
| 
 | |
| var icmp4RequestDecode = Parsed{
 | |
| 	b:       icmp4RequestBuffer,
 | |
| 	subofs:  20,
 | |
| 	dataofs: 24,
 | |
| 	length:  len(icmp4RequestBuffer),
 | |
| 
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   ICMPv4,
 | |
| 	Src:       mustIPPort("1.2.3.4:0"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:0"),
 | |
| }
 | |
| 
 | |
| var icmp4ReplyBuffer = []byte{
 | |
| 	0x45, 0x00, 0x00, 0x25, 0x21, 0x52, 0x00, 0x00, 0x40, 0x01, 0x49, 0x73,
 | |
| 	// source IP
 | |
| 	0x05, 0x06, 0x07, 0x08,
 | |
| 	// destination IP
 | |
| 	0x01, 0x02, 0x03, 0x04,
 | |
| 	// ICMP header
 | |
| 	0x00, 0x00, 0xe6, 0x9e,
 | |
| 	// "reply_payload"
 | |
| 	0x72, 0x65, 0x70, 0x6c, 0x79, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
 | |
| }
 | |
| 
 | |
| // ICMPv6 Router Solicitation
 | |
| var icmp6PacketBuffer = []byte{
 | |
| 	0x60, 0x00, 0x00, 0x00, 0x00, 0x08, 0x3a, 0xff,
 | |
| 	0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 | |
| 	0xfb, 0x57, 0x1d, 0xea, 0x9c, 0x39, 0x8f, 0xb7,
 | |
| 	0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 | |
| 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
 | |
| 	0x85, 0x00, 0x38, 0x04, 0x00, 0x00, 0x00, 0x00,
 | |
| }
 | |
| 
 | |
| var icmp6PacketDecode = Parsed{
 | |
| 	b:         icmp6PacketBuffer,
 | |
| 	subofs:    40,
 | |
| 	dataofs:   44,
 | |
| 	length:    len(icmp6PacketBuffer),
 | |
| 	IPVersion: 6,
 | |
| 	IPProto:   ICMPv6,
 | |
| 	Src:       mustIPPort("[fe80::fb57:1dea:9c39:8fb7]:0"),
 | |
| 	Dst:       mustIPPort("[ff02::2]:0"),
 | |
| }
 | |
| 
 | |
| // This is a malformed IPv4 packet.
 | |
| // Namely, the string "tcp_payload" follows the first byte of the IPv4 header.
 | |
| var unknownPacketBuffer = []byte{
 | |
| 	0x45, 0x74, 0x63, 0x70, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
 | |
| }
 | |
| 
 | |
| var unknownPacketDecode = Parsed{
 | |
| 	b:         unknownPacketBuffer,
 | |
| 	IPVersion: 0,
 | |
| 	IPProto:   Unknown,
 | |
| }
 | |
| 
 | |
| var tcp4PacketBuffer = []byte{
 | |
| 	// IP header up to checksum
 | |
| 	0x45, 0x00, 0x00, 0x37, 0xde, 0xad, 0x00, 0x00, 0x40, 0x06, 0x49, 0x5f,
 | |
| 	// source IP
 | |
| 	0x01, 0x02, 0x03, 0x04,
 | |
| 	// destination IP
 | |
| 	0x05, 0x06, 0x07, 0x08,
 | |
| 	// TCP header with SYN, ACK set
 | |
| 	0x00, 0x7b, 0x02, 0x37, 0x00, 0x00, 0x12, 0x34, 0x00, 0x00, 0x00, 0x00,
 | |
| 	0x50, 0x12, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
 | |
| 	// "request_payload"
 | |
| 	0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
 | |
| }
 | |
| 
 | |
| var tcp4PacketDecode = Parsed{
 | |
| 	b:       tcp4PacketBuffer,
 | |
| 	subofs:  20,
 | |
| 	dataofs: 40,
 | |
| 	length:  len(tcp4PacketBuffer),
 | |
| 
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   TCP,
 | |
| 	Src:       mustIPPort("1.2.3.4:123"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:567"),
 | |
| 	TCPFlags:  TCPSynAck,
 | |
| }
 | |
| 
 | |
| var tcp6RequestBuffer = []byte{
 | |
| 	// IPv6 header up to hop limit
 | |
| 	0x60, 0x06, 0xef, 0xcc, 0x00, 0x28, 0x06, 0x40,
 | |
| 	// Src addr
 | |
| 	0x20, 0x01, 0x05, 0x59, 0xbc, 0x13, 0x54, 0x00, 0x17, 0x49, 0x46, 0x28, 0x39, 0x34, 0x0e, 0x1b,
 | |
| 	// Dst addr
 | |
| 	0x26, 0x07, 0xf8, 0xb0, 0x40, 0x0a, 0x08, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x0e,
 | |
| 	// TCP SYN segment, no payload
 | |
| 	0xa4, 0x60, 0x00, 0x50, 0xf3, 0x82, 0xa1, 0x25, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0xfd, 0x20,
 | |
| 	0xb1, 0xc6, 0x00, 0x00, 0x02, 0x04, 0x05, 0xa0, 0x04, 0x02, 0x08, 0x0a, 0xca, 0x76, 0xa6, 0x8e,
 | |
| 	0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x07,
 | |
| }
 | |
| 
 | |
| var tcp6RequestDecode = Parsed{
 | |
| 	b:       tcp6RequestBuffer,
 | |
| 	subofs:  40,
 | |
| 	dataofs: len(tcp6RequestBuffer),
 | |
| 	length:  len(tcp6RequestBuffer),
 | |
| 
 | |
| 	IPVersion: 6,
 | |
| 	IPProto:   TCP,
 | |
| 	Src:       mustIPPort("[2001:559:bc13:5400:1749:4628:3934:e1b]:42080"),
 | |
| 	Dst:       mustIPPort("[2607:f8b0:400a:809::200e]:80"),
 | |
| 	TCPFlags:  TCPSyn,
 | |
| }
 | |
| 
 | |
| var udp4RequestBuffer = []byte{
 | |
| 	// IP header up to checksum
 | |
| 	0x45, 0x00, 0x00, 0x2b, 0xde, 0xad, 0x00, 0x00, 0x40, 0x11, 0x8c, 0x01,
 | |
| 	// source IP
 | |
| 	0x01, 0x02, 0x03, 0x04,
 | |
| 	// destination IP
 | |
| 	0x05, 0x06, 0x07, 0x08,
 | |
| 	// UDP header
 | |
| 	0x00, 0x7b, 0x02, 0x37, 0x00, 0x17, 0x72, 0x1d,
 | |
| 	// "request_payload"
 | |
| 	0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
 | |
| }
 | |
| 
 | |
| var udp4RequestDecode = Parsed{
 | |
| 	b:       udp4RequestBuffer,
 | |
| 	subofs:  20,
 | |
| 	dataofs: 28,
 | |
| 	length:  len(udp4RequestBuffer),
 | |
| 
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   UDP,
 | |
| 	Src:       mustIPPort("1.2.3.4:123"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:567"),
 | |
| }
 | |
| 
 | |
| var invalid4RequestBuffer = []byte{
 | |
| 	// IP header up to checksum. IHL field points beyond end of packet.
 | |
| 	0x4a, 0x00, 0x00, 0x14, 0xde, 0xad, 0x00, 0x00, 0x40, 0x11, 0x8c, 0x01,
 | |
| 	// source IP
 | |
| 	0x01, 0x02, 0x03, 0x04,
 | |
| 	// destination IP
 | |
| 	0x05, 0x06, 0x07, 0x08,
 | |
| }
 | |
| 
 | |
| // Regression check for the IHL field pointing beyond the end of the
 | |
| // packet.
 | |
| var invalid4RequestDecode = Parsed{
 | |
| 	b:      invalid4RequestBuffer,
 | |
| 	subofs: 40,
 | |
| 	length: len(invalid4RequestBuffer),
 | |
| 
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   Unknown,
 | |
| 	Src:       mustIPPort("1.2.3.4:0"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:0"),
 | |
| }
 | |
| 
 | |
| var udp6RequestBuffer = []byte{
 | |
| 	// IPv6 header up to hop limit
 | |
| 	0x60, 0x0e, 0xc9, 0x67, 0x00, 0x29, 0x11, 0x40,
 | |
| 	// Src addr
 | |
| 	0x20, 0x01, 0x05, 0x59, 0xbc, 0x13, 0x54, 0x00, 0x17, 0x49, 0x46, 0x28, 0x39, 0x34, 0x0e, 0x1b,
 | |
| 	// Dst addr
 | |
| 	0x26, 0x07, 0xf8, 0xb0, 0x40, 0x0a, 0x08, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x0e,
 | |
| 	// UDP header
 | |
| 	0xd4, 0x04, 0x01, 0xbb, 0x00, 0x29, 0x96, 0x84,
 | |
| 	// Payload
 | |
| 	0x5c, 0x06, 0xae, 0x85, 0x02, 0xf5, 0xdb, 0x90, 0xe0, 0xe0, 0x93, 0xed, 0x9a, 0xd9, 0x92, 0x69, 0xbe, 0x36, 0x8a, 0x7d, 0xd7, 0xce, 0xd0, 0x8a, 0xf2, 0x51, 0x95, 0xff, 0xb6, 0x92, 0x70, 0x10, 0xd7,
 | |
| }
 | |
| 
 | |
| var udp6RequestDecode = Parsed{
 | |
| 	b:       udp6RequestBuffer,
 | |
| 	subofs:  40,
 | |
| 	dataofs: 48,
 | |
| 	length:  len(udp6RequestBuffer),
 | |
| 
 | |
| 	IPVersion: 6,
 | |
| 	IPProto:   UDP,
 | |
| 	Src:       mustIPPort("[2001:559:bc13:5400:1749:4628:3934:e1b]:54276"),
 | |
| 	Dst:       mustIPPort("[2607:f8b0:400a:809::200e]:443"),
 | |
| }
 | |
| 
 | |
| var udp4ReplyBuffer = []byte{
 | |
| 	// IP header up to checksum
 | |
| 	0x45, 0x00, 0x00, 0x29, 0x21, 0x52, 0x00, 0x00, 0x40, 0x11, 0x49, 0x5f,
 | |
| 	// source IP
 | |
| 	0x05, 0x06, 0x07, 0x08,
 | |
| 	// destination IP
 | |
| 	0x01, 0x02, 0x03, 0x04,
 | |
| 	// UDP header
 | |
| 	0x02, 0x37, 0x00, 0x7b, 0x00, 0x15, 0xd3, 0x9d,
 | |
| 	// "reply_payload"
 | |
| 	0x72, 0x65, 0x70, 0x6c, 0x79, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
 | |
| }
 | |
| 
 | |
| // First TCP fragment of a packet with leading 24 bytes of 'a's
 | |
| var tcp4MediumFragmentBuffer = []byte{
 | |
| 	// IP header up to checksum
 | |
| 	0x45, 0x20, 0x00, 0x4c, 0x2c, 0x62, 0x20, 0x00, 0x22, 0x06, 0x3a, 0x0f,
 | |
| 	// source IP
 | |
| 	0x01, 0x02, 0x03, 0x04,
 | |
| 	// destination IP
 | |
| 	0x05, 0x06, 0x07, 0x08,
 | |
| 	// TCP header
 | |
| 	0x00, 0x50, 0xf3, 0x8c, 0x58, 0xad, 0x60, 0x94, 0x25, 0xe4, 0x23, 0xa8, 0x80,
 | |
| 	0x10, 0x01, 0xfd, 0xc6, 0x6e, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xff, 0x60,
 | |
| 	0xfb, 0xfe, 0xba, 0x31, 0x78, 0x6a,
 | |
| 	// data
 | |
| 	0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
 | |
| 	0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
 | |
| }
 | |
| 
 | |
| var tcp4MediumFragmentDecode = Parsed{
 | |
| 	b:       tcp4MediumFragmentBuffer,
 | |
| 	subofs:  20,
 | |
| 	dataofs: 52,
 | |
| 	length:  len(tcp4MediumFragmentBuffer),
 | |
| 
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   TCP,
 | |
| 	Src:       mustIPPort("1.2.3.4:80"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:62348"),
 | |
| 	TCPFlags:  0x10,
 | |
| }
 | |
| 
 | |
| var tcp4ShortFragmentBuffer = []byte{
 | |
| 	// IP header up to checksum
 | |
| 	0x45, 0x20, 0x00, 0x1e, 0x2c, 0x62, 0x20, 0x00, 0x22, 0x06, 0x3c, 0x4f,
 | |
| 	// source IP
 | |
| 	0x01, 0x02, 0x03, 0x04,
 | |
| 	// destination IP
 | |
| 	0x05, 0x06, 0x07, 0x08,
 | |
| 	// partial TCP header
 | |
| 	0x00, 0x50, 0xf3, 0x8c, 0x58, 0xad, 0x60, 0x94, 0x00, 0x00,
 | |
| }
 | |
| 
 | |
| var tcp4ShortFragmentDecode = Parsed{
 | |
| 	b:       tcp4ShortFragmentBuffer,
 | |
| 	subofs:  20,
 | |
| 	dataofs: 0,
 | |
| 	length:  len(tcp4ShortFragmentBuffer),
 | |
| 	// short fragments are rejected (marked unknown) to avoid header attacks as described in RFC 1858
 | |
| 	IPProto:   ipproto.Unknown,
 | |
| 	IPVersion: 4,
 | |
| 	Src:       mustIPPort("1.2.3.4:0"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:0"),
 | |
| }
 | |
| 
 | |
| var igmpPacketBuffer = []byte{
 | |
| 	// IP header up to checksum
 | |
| 	0x46, 0xc0, 0x00, 0x20, 0x00, 0x00, 0x40, 0x00, 0x01, 0x02, 0x41, 0x22,
 | |
| 	// source IP
 | |
| 	0xc0, 0xa8, 0x01, 0x52,
 | |
| 	// destination IP
 | |
| 	0xe0, 0x00, 0x00, 0xfb,
 | |
| 	// IGMP Membership Report
 | |
| 	0x94, 0x04, 0x00, 0x00, 0x16, 0x00, 0x09, 0x04, 0xe0, 0x00, 0x00, 0xfb,
 | |
| 	//0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 | |
| }
 | |
| 
 | |
| var igmpPacketDecode = Parsed{
 | |
| 	b:      igmpPacketBuffer,
 | |
| 	subofs: 24,
 | |
| 	length: len(igmpPacketBuffer),
 | |
| 
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   IGMP,
 | |
| 	Src:       mustIPPort("192.168.1.82:0"),
 | |
| 	Dst:       mustIPPort("224.0.0.251:0"),
 | |
| }
 | |
| 
 | |
| var ipv4TSMPBuffer = []byte{
 | |
| 	// IPv4 header:
 | |
| 	0x45, 0x00,
 | |
| 	0x00, 0x1b, // 20 + 7 bytes total
 | |
| 	0x00, 0x00, // ID
 | |
| 	0x00, 0x00, // Fragment
 | |
| 	0x40, // TTL
 | |
| 	byte(TSMP),
 | |
| 	0x5f, 0xc3, // header checksum (wrong here)
 | |
| 	// source IP:
 | |
| 	0x64, 0x5e, 0x0c, 0x0e,
 | |
| 	// dest IP:
 | |
| 	0x64, 0x4a, 0x46, 0x03,
 | |
| 	byte(TSMPTypeRejectedConn),
 | |
| 	byte(TCP),
 | |
| 	byte(RejectedDueToACLs),
 | |
| 	0x00, 123, // src port
 | |
| 	0x00, 80, // dst port
 | |
| }
 | |
| 
 | |
| var ipv4TSMPDecode = Parsed{
 | |
| 	b:         ipv4TSMPBuffer,
 | |
| 	subofs:    20,
 | |
| 	dataofs:   20,
 | |
| 	length:    27,
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   TSMP,
 | |
| 	Src:       mustIPPort("100.94.12.14:0"),
 | |
| 	Dst:       mustIPPort("100.74.70.3:0"),
 | |
| }
 | |
| 
 | |
| // IPv4 SCTP
 | |
| var sctpBuffer = []byte{
 | |
| 	// IPv4 header:
 | |
| 	0x45, 0x00,
 | |
| 	0x00, 0x20, // 20 + 12 bytes total
 | |
| 	0x00, 0x00, // ID
 | |
| 	0x00, 0x00, // Fragment
 | |
| 	0x40, // TTL
 | |
| 	byte(SCTP),
 | |
| 	// Checksum, unchecked:
 | |
| 	1, 2,
 | |
| 	// source IP:
 | |
| 	0x64, 0x5e, 0x0c, 0x0e,
 | |
| 	// dest IP:
 | |
| 	0x64, 0x4a, 0x46, 0x03,
 | |
| 	// Src Port, Dest Port:
 | |
| 	0x00, 0x7b, 0x01, 0xc8,
 | |
| 	// Verification tag:
 | |
| 	1, 2, 3, 4,
 | |
| 	// Checksum: (unchecked)
 | |
| 	5, 6, 7, 8,
 | |
| }
 | |
| 
 | |
| var sctpDecode = Parsed{
 | |
| 	b:         sctpBuffer,
 | |
| 	subofs:    20,
 | |
| 	length:    20 + 12,
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   SCTP,
 | |
| 	Src:       mustIPPort("100.94.12.14:123"),
 | |
| 	Dst:       mustIPPort("100.74.70.3:456"),
 | |
| }
 | |
| 
 | |
| var ipv4ShortFirstFragmentBuffer = []byte{
 | |
| 	// IP header (20 bytes)
 | |
| 	0x45, 0x00, 0x00, 0x4f, // Total length 79 bytes
 | |
| 	0x00, 0x01, 0x20, 0x00, // ID, Flags (MoreFragments set, offset 0)
 | |
| 	0x40, 0x06, 0x00, 0x00, // TTL, Protocol (TCP), Checksum
 | |
| 	0x01, 0x02, 0x03, 0x04, // Source IP
 | |
| 	0x05, 0x06, 0x07, 0x08, // Destination IP
 | |
| 	// TCP header (20 bytes), but packet is truncated to 59 bytes of TCP data
 | |
| 	// (total 79 bytes, 20 for IP)
 | |
| 	0x00, 0x7b, 0x02, 0x37, 0x00, 0x00, 0x12, 0x34, 0x00, 0x00, 0x00, 0x00,
 | |
| 	0x50, 0x12, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
 | |
| 	// Payload (39 bytes)
 | |
| 	0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
 | |
| 	0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
 | |
| 	0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
 | |
| }
 | |
| 
 | |
| var ipv4ShortFirstFragmentDecode = Parsed{
 | |
| 	b:         ipv4ShortFirstFragmentBuffer,
 | |
| 	subofs:    20,
 | |
| 	dataofs:   40,
 | |
| 	length:    len(ipv4ShortFirstFragmentBuffer),
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   ipproto.TCP,
 | |
| 	Src:       mustIPPort("1.2.3.4:123"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:567"),
 | |
| 	TCPFlags:  0x12, // SYN + ACK
 | |
| }
 | |
| 
 | |
| var ipv4SmallOffsetFragmentBuffer = []byte{
 | |
| 	// IP header (20 bytes)
 | |
| 	0x45, 0x00, 0x00, 0x28, // Total length 40 bytes
 | |
| 	0x00, 0x01, 0x20, 0x08, // ID, Flags (MoreFragments set, offset 8 bytes (0x08 / 8 = 1))
 | |
| 	0x40, 0x06, 0x00, 0x00, // TTL, Protocol (TCP), Checksum
 | |
| 	0x01, 0x02, 0x03, 0x04, // Source IP
 | |
| 	0x05, 0x06, 0x07, 0x08, // Destination IP
 | |
| 	// Payload (20 bytes) - this would be part of the TCP header in a real scenario
 | |
| 	0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
 | |
| 	0x61, 0x61, 0x61, 0x61,
 | |
| }
 | |
| 
 | |
| var ipv4SmallOffsetFragmentDecode = Parsed{
 | |
| 	b:         ipv4SmallOffsetFragmentBuffer,
 | |
| 	subofs:    20, // subofs will still be set based on IHL
 | |
| 	dataofs:   0,  // It's unknown, so dataofs should be 0
 | |
| 	length:    len(ipv4SmallOffsetFragmentBuffer),
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   ipproto.Unknown, // Expected to be Unknown
 | |
| 	Src:       mustIPPort("1.2.3.4:0"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:0"),
 | |
| }
 | |
| 
 | |
| // First fragment packet missing exactly one byte of the TCP header
 | |
| var ipv4OneByteShortTCPHeaderBuffer = []byte{
 | |
| 	// IP header (20 bytes)
 | |
| 	0x45, 0x00, 0x00, 0x27, // Total length 51 bytes (20 IP + 19 TCP)
 | |
| 	0x00, 0x01, 0x20, 0x00, // ID, Flags (MoreFragments set, offset 0)
 | |
| 	0x40, 0x06, 0x00, 0x00, // TTL, Protocol (TCP), Checksum
 | |
| 	0x01, 0x02, 0x03, 0x04, // Source IP
 | |
| 	0x05, 0x06, 0x07, 0x08, // Destination IP
 | |
| 	// TCP header - only 19 bytes (one byte short of the required 20)
 | |
| 	0x00, 0x7b, 0x02, 0x37, // Source port, Destination port
 | |
| 	0x00, 0x00, 0x12, 0x34, // Sequence number
 | |
| 	0x00, 0x00, 0x00, 0x00, // Acknowledgment number
 | |
| 	0x50, 0x12, 0x01, 0x00, // Data offset, flags, window size
 | |
| 	0x00, 0x00, 0x00, // Checksum (missing the last byte of urgent pointer)
 | |
| }
 | |
| 
 | |
| // IPv4 packet with maximum header length (60 bytes = 15 words) and a TCP header that's
 | |
| // one byte short of being complete
 | |
| var ipv4MaxHeaderShortTCPBuffer = []byte{
 | |
| 	// IP header with max options (60 bytes)
 | |
| 	0x4F, 0x00, 0x00, 0x4F, // Version (4) + IHL (15), ToS, Total length 79 bytes (60 IP + 19 TCP)
 | |
| 	0x00, 0x01, 0x20, 0x00, // ID, Flags (MoreFragments set, offset 0)
 | |
| 	0x40, 0x06, 0x00, 0x00, // TTL, Protocol (TCP), Checksum
 | |
| 	0x01, 0x02, 0x03, 0x04, // Source IP
 | |
| 	0x05, 0x06, 0x07, 0x08, // Destination IP
 | |
| 	// IPv4 options (40 bytes)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	0x01, 0x01, 0x01, 0x01, // 4 NOP options (padding)
 | |
| 	// TCP header - only 19 bytes (one byte short of the required 20)
 | |
| 	0x00, 0x7b, 0x02, 0x37, // Source port, Destination port
 | |
| 	0x00, 0x00, 0x12, 0x34, // Sequence number
 | |
| 	0x00, 0x00, 0x00, 0x00, // Acknowledgment number
 | |
| 	0x50, 0x12, 0x01, 0x00, // Data offset, flags, window size
 | |
| 	0x00, 0x00, 0x00, // Checksum (missing the last byte of urgent pointer)
 | |
| }
 | |
| 
 | |
| var ipv4MaxHeaderShortTCPDecode = Parsed{
 | |
| 	b:         ipv4MaxHeaderShortTCPBuffer,
 | |
| 	subofs:    60, // 60 bytes for full IPv4 header with max options
 | |
| 	dataofs:   0,  // It's unknown, so dataofs should be 0
 | |
| 	length:    len(ipv4MaxHeaderShortTCPBuffer),
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   ipproto.Unknown, // Expected to be Unknown
 | |
| 	Src:       mustIPPort("1.2.3.4:0"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:0"),
 | |
| }
 | |
| 
 | |
| var ipv4OneByteShortTCPHeaderDecode = Parsed{
 | |
| 	b:         ipv4OneByteShortTCPHeaderBuffer,
 | |
| 	subofs:    20,
 | |
| 	dataofs:   0, // It's unknown, so dataofs should be 0
 | |
| 	length:    len(ipv4OneByteShortTCPHeaderBuffer),
 | |
| 	IPVersion: 4,
 | |
| 	IPProto:   ipproto.Unknown, // Expected to be Unknown
 | |
| 	Src:       mustIPPort("1.2.3.4:0"),
 | |
| 	Dst:       mustIPPort("5.6.7.8:0"),
 | |
| }
 | |
| 
 | |
| func TestParsedString(t *testing.T) {
 | |
| 	tests := []struct {
 | |
| 		name    string
 | |
| 		qdecode Parsed
 | |
| 		want    string
 | |
| 	}{
 | |
| 		{"tcp4", tcp4PacketDecode, "TCP{1.2.3.4:123 > 5.6.7.8:567}"},
 | |
| 		{"tcp6", tcp6RequestDecode, "TCP{[2001:559:bc13:5400:1749:4628:3934:e1b]:42080 > [2607:f8b0:400a:809::200e]:80}"},
 | |
| 		{"udp4", udp4RequestDecode, "UDP{1.2.3.4:123 > 5.6.7.8:567}"},
 | |
| 		{"udp6", udp6RequestDecode, "UDP{[2001:559:bc13:5400:1749:4628:3934:e1b]:54276 > [2607:f8b0:400a:809::200e]:443}"},
 | |
| 		{"icmp4", icmp4RequestDecode, "ICMPv4{1.2.3.4:0 > 5.6.7.8:0}"},
 | |
| 		{"icmp6", icmp6PacketDecode, "ICMPv6{[fe80::fb57:1dea:9c39:8fb7]:0 > [ff02::2]:0}"},
 | |
| 		{"igmp", igmpPacketDecode, "IGMP{192.168.1.82:0 > 224.0.0.251:0}"},
 | |
| 		{"unknown", unknownPacketDecode, "Unknown{???}"},
 | |
| 		{"ipv4_tsmp", ipv4TSMPDecode, "TSMP{100.94.12.14:0 > 100.74.70.3:0}"},
 | |
| 		{"sctp", sctpDecode, "SCTP{100.94.12.14:123 > 100.74.70.3:456}"},
 | |
| 	}
 | |
| 
 | |
| 	for _, tt := range tests {
 | |
| 		t.Run(tt.name, func(t *testing.T) {
 | |
| 			got := tt.qdecode.String()
 | |
| 			if got != tt.want {
 | |
| 				t.Errorf("got %q; want %q", got, tt.want)
 | |
| 			}
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| 	err := tstest.MinAllocsPerRun(t, 1, func() {
 | |
| 		sinkString = tests[0].qdecode.String()
 | |
| 	})
 | |
| 	if err != nil {
 | |
| 		t.Error(err)
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // mustHexDecode is like hex.DecodeString, but panics on error
 | |
| // and ignores whitespace in s.
 | |
| func mustHexDecode(s string) []byte {
 | |
| 	return must.Get(hex.DecodeString(strings.Map(func(r rune) rune {
 | |
| 		if unicode.IsSpace(r) {
 | |
| 			return -1
 | |
| 		}
 | |
| 		return r
 | |
| 	}, s)))
 | |
| }
 | |
| 
 | |
| func TestDecode(t *testing.T) {
 | |
| 	tests := []struct {
 | |
| 		name string
 | |
| 		buf  []byte
 | |
| 		want Parsed
 | |
| 	}{
 | |
| 		{"icmp4", icmp4RequestBuffer, icmp4RequestDecode},
 | |
| 		{"icmp6", icmp6PacketBuffer, icmp6PacketDecode},
 | |
| 		{"tcp4", tcp4PacketBuffer, tcp4PacketDecode},
 | |
| 		{"tcp6", tcp6RequestBuffer, tcp6RequestDecode},
 | |
| 		{"udp4", udp4RequestBuffer, udp4RequestDecode},
 | |
| 		{"udp6", udp6RequestBuffer, udp6RequestDecode},
 | |
| 		{"igmp", igmpPacketBuffer, igmpPacketDecode},
 | |
| 		{"unknown", unknownPacketBuffer, unknownPacketDecode},
 | |
| 		{"invalid4", invalid4RequestBuffer, invalid4RequestDecode},
 | |
| 		{"ipv4_tsmp", ipv4TSMPBuffer, ipv4TSMPDecode},
 | |
| 		{"ipv4_sctp", sctpBuffer, sctpDecode},
 | |
| 		{"ipv4_frag", tcp4MediumFragmentBuffer, tcp4MediumFragmentDecode},
 | |
| 		{"ipv4_fragtooshort", tcp4ShortFragmentBuffer, tcp4ShortFragmentDecode},
 | |
| 		{"ipv4_short_first_fragment", ipv4ShortFirstFragmentBuffer, ipv4ShortFirstFragmentDecode},
 | |
| 		{"ipv4_small_offset_fragment", ipv4SmallOffsetFragmentBuffer, ipv4SmallOffsetFragmentDecode},
 | |
| 		{"ipv4_one_byte_short_tcp_header", ipv4OneByteShortTCPHeaderBuffer, ipv4OneByteShortTCPHeaderDecode},
 | |
| 		{"ipv4_max_header_short_tcp", ipv4MaxHeaderShortTCPBuffer, ipv4MaxHeaderShortTCPDecode},
 | |
| 
 | |
| 		{"ip97", mustHexDecode("4500 0019 d186 4000 4061 751d 644a 4603 6449 e549 6865 6c6c 6f"), Parsed{
 | |
| 			IPVersion: 4,
 | |
| 			IPProto:   97,
 | |
| 			Src:       netip.MustParseAddrPort("100.74.70.3:0"),
 | |
| 			Dst:       netip.MustParseAddrPort("100.73.229.73:0"),
 | |
| 			b:         mustHexDecode("4500 0019 d186 4000 4061 751d 644a 4603 6449 e549 6865 6c6c 6f"),
 | |
| 			length:    25,
 | |
| 			subofs:    20,
 | |
| 		}},
 | |
| 
 | |
| 		// This packet purports to use protocol 0xFF, which is verboten and
 | |
| 		// used internally as a sentinel value for fragments. So test that
 | |
| 		// we map packets using 0xFF to Unknown (0) instead.
 | |
| 		{"bogus_proto_ff", mustHexDecode("4500 0019 d186 4000 40" + "FF" /* bogus FF */ + " 751d 644a 4603 6449 e549 6865 6c6c 6f"), Parsed{
 | |
| 			IPVersion: 4,
 | |
| 			IPProto:   ipproto.Unknown, // 0, not bogus 0xFF
 | |
| 			Src:       netip.MustParseAddrPort("100.74.70.3:0"),
 | |
| 			Dst:       netip.MustParseAddrPort("100.73.229.73:0"),
 | |
| 			b:         mustHexDecode("4500 0019 d186 4000 40" + "FF" /* bogus FF */ + " 751d 644a 4603 6449 e549 6865 6c6c 6f"),
 | |
| 			length:    25,
 | |
| 			subofs:    20,
 | |
| 		}},
 | |
| 	}
 | |
| 
 | |
| 	for _, tt := range tests {
 | |
| 		t.Run(tt.name, func(t *testing.T) {
 | |
| 			var got Parsed
 | |
| 			got.Decode(tt.buf)
 | |
| 			if !reflect.DeepEqual(got, tt.want) {
 | |
| 				t.Errorf("mismatch\n got: %s %#v\nwant: %s %#v", got.String(), got, tt.want.String(), tt.want)
 | |
| 			}
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| 	err := tstest.MinAllocsPerRun(t, 0, func() {
 | |
| 		var got Parsed
 | |
| 		got.Decode(tests[0].buf)
 | |
| 	})
 | |
| 	if err != nil {
 | |
| 		t.Error(err)
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func BenchmarkDecode(b *testing.B) {
 | |
| 	benches := []struct {
 | |
| 		name string
 | |
| 		buf  []byte
 | |
| 	}{
 | |
| 		{"tcp4", tcp4PacketBuffer},
 | |
| 		{"tcp6", tcp6RequestBuffer},
 | |
| 		{"udp4", udp4RequestBuffer},
 | |
| 		{"udp6", udp6RequestBuffer},
 | |
| 		{"icmp4", icmp4RequestBuffer},
 | |
| 		{"icmp6", icmp6PacketBuffer},
 | |
| 		{"igmp", igmpPacketBuffer},
 | |
| 		{"unknown", unknownPacketBuffer},
 | |
| 	}
 | |
| 
 | |
| 	for _, bench := range benches {
 | |
| 		b.Run(bench.name, func(b *testing.B) {
 | |
| 			b.ReportAllocs()
 | |
| 			for range b.N {
 | |
| 				var p Parsed
 | |
| 				p.Decode(bench.buf)
 | |
| 			}
 | |
| 		})
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func TestMarshalRequest(t *testing.T) {
 | |
| 	// Too small to hold our packets, but only barely.
 | |
| 	var small [20]byte
 | |
| 	var large [64]byte
 | |
| 
 | |
| 	icmpHeader := icmp4RequestDecode.ICMP4Header()
 | |
| 	udpHeader := udp4RequestDecode.UDP4Header()
 | |
| 	tests := []struct {
 | |
| 		name   string
 | |
| 		header Header
 | |
| 		want   []byte
 | |
| 	}{
 | |
| 		{"icmp", &icmpHeader, icmp4RequestBuffer},
 | |
| 		{"udp", &udpHeader, udp4RequestBuffer},
 | |
| 	}
 | |
| 
 | |
| 	for _, tt := range tests {
 | |
| 		t.Run(tt.name, func(t *testing.T) {
 | |
| 			err := tt.header.Marshal(small[:])
 | |
| 			if err != errSmallBuffer {
 | |
| 				t.Errorf("got err: nil; want: %s", errSmallBuffer)
 | |
| 			}
 | |
| 
 | |
| 			dataOffset := tt.header.Len()
 | |
| 			dataLength := copy(large[dataOffset:], []byte("request_payload"))
 | |
| 			end := dataOffset + dataLength
 | |
| 			err = tt.header.Marshal(large[:end])
 | |
| 
 | |
| 			if err != nil {
 | |
| 				t.Errorf("got err: %s; want nil", err)
 | |
| 			}
 | |
| 
 | |
| 			if !bytes.Equal(large[:end], tt.want) {
 | |
| 				t.Errorf("got %x; want %x", large[:end], tt.want)
 | |
| 			}
 | |
| 		})
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func TestMarshalResponse(t *testing.T) {
 | |
| 	var buf [64]byte
 | |
| 
 | |
| 	icmpHeader := icmp4RequestDecode.ICMP4Header()
 | |
| 	udpHeader := udp4RequestDecode.UDP4Header()
 | |
| 
 | |
| 	type HeaderToResponser interface {
 | |
| 		Header
 | |
| 		// ToResponse transforms the header into one for a response packet.
 | |
| 		// For instance, this swaps the source and destination IPs.
 | |
| 		ToResponse()
 | |
| 	}
 | |
| 
 | |
| 	tests := []struct {
 | |
| 		name   string
 | |
| 		header HeaderToResponser
 | |
| 		want   []byte
 | |
| 	}{
 | |
| 		{"icmp", &icmpHeader, icmp4ReplyBuffer},
 | |
| 		{"udp", &udpHeader, udp4ReplyBuffer},
 | |
| 	}
 | |
| 
 | |
| 	for _, tt := range tests {
 | |
| 		t.Run(tt.name, func(t *testing.T) {
 | |
| 			tt.header.ToResponse()
 | |
| 
 | |
| 			dataOffset := tt.header.Len()
 | |
| 			dataLength := copy(buf[dataOffset:], []byte("reply_payload"))
 | |
| 			end := dataOffset + dataLength
 | |
| 			err := tt.header.Marshal(buf[:end])
 | |
| 
 | |
| 			if err != nil {
 | |
| 				t.Errorf("got err: %s; want nil", err)
 | |
| 			}
 | |
| 
 | |
| 			if !bytes.Equal(buf[:end], tt.want) {
 | |
| 				t.Errorf("got %x; want %x", buf[:end], tt.want)
 | |
| 			}
 | |
| 		})
 | |
| 	}
 | |
| }
 | |
| 
 | |
| var sinkString string
 | |
| 
 | |
| func BenchmarkString(b *testing.B) {
 | |
| 	benches := []struct {
 | |
| 		name string
 | |
| 		buf  []byte
 | |
| 	}{
 | |
| 		{"tcp4", tcp4PacketBuffer},
 | |
| 		{"tcp6", tcp6RequestBuffer},
 | |
| 		{"udp4", udp4RequestBuffer},
 | |
| 		{"udp6", udp6RequestBuffer},
 | |
| 		{"icmp4", icmp4RequestBuffer},
 | |
| 		{"icmp6", icmp6PacketBuffer},
 | |
| 		{"igmp", igmpPacketBuffer},
 | |
| 		{"unknown", unknownPacketBuffer},
 | |
| 	}
 | |
| 
 | |
| 	for _, bench := range benches {
 | |
| 		b.Run(bench.name, func(b *testing.B) {
 | |
| 			b.ReportAllocs()
 | |
| 			var p Parsed
 | |
| 			p.Decode(bench.buf)
 | |
| 			b.ResetTimer()
 | |
| 			for range b.N {
 | |
| 				sinkString = p.String()
 | |
| 			}
 | |
| 		})
 | |
| 	}
 | |
| }
 |