Coverage Report

Created: 2026-06-30 07:20

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/suricata7/src/detect-tcpmss.c
Line
Count
Source
1
/* Copyright (C) 2007-2020 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17
18
/**
19
 * \file
20
 *
21
 * \author Victor Julien <victor@inliniac.net>
22
 *
23
 */
24
25
#include "suricata-common.h"
26
27
#include "detect.h"
28
#include "detect-parse.h"
29
#include "detect-engine-prefilter-common.h"
30
#include "detect-engine-uint.h"
31
#include "util-byte.h"
32
33
#include "detect-tcpmss.h"
34
35
36
/* prototypes */
37
static int DetectTcpmssMatch (DetectEngineThreadCtx *, Packet *,
38
        const Signature *, const SigMatchCtx *);
39
static int DetectTcpmssSetup (DetectEngineCtx *, Signature *, const char *);
40
void DetectTcpmssFree (DetectEngineCtx *, void *);
41
#ifdef UNITTESTS
42
void DetectTcpmssRegisterTests (void);
43
#endif
44
static int PrefilterSetupTcpmss(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
45
static bool PrefilterTcpmssIsPrefilterable(const Signature *s);
46
47
/**
48
 * \brief Registration function for tcpmss: keyword
49
 */
50
51
void DetectTcpmssRegister(void)
52
34
{
53
34
    sigmatch_table[DETECT_TCPMSS].name = "tcp.mss";
54
34
    sigmatch_table[DETECT_TCPMSS].desc = "match on TCP MSS option field";
55
34
    sigmatch_table[DETECT_TCPMSS].url = "/rules/header-keywords.html#tcpmss";
56
34
    sigmatch_table[DETECT_TCPMSS].Match = DetectTcpmssMatch;
57
34
    sigmatch_table[DETECT_TCPMSS].Setup = DetectTcpmssSetup;
58
34
    sigmatch_table[DETECT_TCPMSS].Free = DetectTcpmssFree;
59
34
    sigmatch_table[DETECT_TCPMSS].SupportsPrefilter = PrefilterTcpmssIsPrefilterable;
60
34
    sigmatch_table[DETECT_TCPMSS].SetupPrefilter = PrefilterSetupTcpmss;
61
62
34
    return;
63
34
}
64
65
/**
66
 * \brief This function is used to match TCPMSS rule option on a packet with those passed via
67
 * tcpmss:
68
 *
69
 * \param det_ctx pointer to the pattern matcher thread
70
 * \param p pointer to the current packet
71
 * \param ctx pointer to the sigmatch that we will cast into DetectU16Data
72
 *
73
 * \retval 0 no match
74
 * \retval 1 match
75
 */
76
static int DetectTcpmssMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
77
        const Signature *s, const SigMatchCtx *ctx)
78
15.1k
{
79
80
15.1k
    if (!(PKT_IS_TCP(p)) || PKT_IS_PSEUDOPKT(p))
81
1.64k
        return 0;
82
83
13.4k
    if (!(TCP_HAS_MSS(p)))
84
11.3k
        return 0;
85
86
2.07k
    uint16_t ptcpmss = TCP_GET_MSS(p);
87
88
2.07k
    const DetectU16Data *tcpmssd = (const DetectU16Data *)ctx;
89
2.07k
    return DetectU16Match(ptcpmss, tcpmssd);
90
13.4k
}
91
92
/**
93
 * \brief this function is used to attach the parsed tcpmss data into the current signature
94
 *
95
 * \param de_ctx pointer to the Detection Engine Context
96
 * \param s pointer to the Current Signature
97
 * \param tcpmssstr pointer to the user provided tcpmss options
98
 *
99
 * \retval 0 on Success
100
 * \retval -1 on Failure
101
 */
102
static int DetectTcpmssSetup (DetectEngineCtx *de_ctx, Signature *s, const char *tcpmssstr)
103
2.59k
{
104
2.59k
    DetectU16Data *tcpmssd = DetectU16Parse(tcpmssstr);
105
2.59k
    if (tcpmssd == NULL)
106
285
        return -1;
107
108
2.30k
    SigMatch *sm = SigMatchAlloc();
109
2.30k
    if (sm == NULL) {
110
0
        DetectTcpmssFree(de_ctx, tcpmssd);
111
0
        return -1;
112
0
    }
113
114
2.30k
    sm->type = DETECT_TCPMSS;
115
2.30k
    sm->ctx = (SigMatchCtx *)tcpmssd;
116
117
2.30k
    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
118
2.30k
    s->flags |= SIG_FLAG_REQUIRE_PACKET;
119
120
2.30k
    return 0;
121
2.30k
}
122
123
/**
124
 * \brief this function will free memory associated with DetectU16Data
125
 *
126
 * \param ptr pointer to DetectU16Data
127
 */
128
void DetectTcpmssFree(DetectEngineCtx *de_ctx, void *ptr)
129
2.30k
{
130
2.30k
    rs_detect_u16_free(ptr);
131
2.30k
}
132
133
/* prefilter code */
134
135
static void
136
PrefilterPacketTcpmssMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
137
1.22k
{
138
1.22k
    if (!(PKT_IS_TCP(p)) || PKT_IS_PSEUDOPKT(p))
139
68
        return;
140
141
1.15k
    if (!(TCP_HAS_MSS(p)))
142
1.06k
        return;
143
144
87
    uint16_t ptcpmss = TCP_GET_MSS(p);
145
146
    /* during setup Suricata will automatically see if there is another
147
     * check that can be added: alproto, sport or dport */
148
87
    const PrefilterPacketHeaderCtx *ctx = pectx;
149
87
    if (!PrefilterPacketHeaderExtraMatch(ctx, p))
150
0
        return;
151
152
87
    DetectU16Data du16;
153
87
    du16.mode = ctx->v1.u8[0];
154
87
    du16.arg1 = ctx->v1.u16[1];
155
87
    du16.arg2 = ctx->v1.u16[2];
156
    /* if we match, add all the sigs that use this prefilter. This means
157
     * that these will be inspected further */
158
87
    if (DetectU16Match(ptcpmss, &du16)) {
159
0
        SCLogDebug("packet matches tcpmss/hl %u", ptcpmss);
160
0
        PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
161
0
    }
162
87
}
163
164
static int PrefilterSetupTcpmss(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
165
422
{
166
422
    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TCPMSS, PrefilterPacketU16Set,
167
422
            PrefilterPacketU16Compare, PrefilterPacketTcpmssMatch);
168
422
}
169
170
static bool PrefilterTcpmssIsPrefilterable(const Signature *s)
171
0
{
172
0
    const SigMatch *sm;
173
0
    for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
174
0
        switch (sm->type) {
175
0
            case DETECT_TCPMSS:
176
0
                return true;
177
0
        }
178
0
    }
179
0
    return false;
180
0
}