From 5ffc8f9b066a96846a413f2ce02907f2530cf068 Mon Sep 17 00:00:00 2001
From: Jian Wan
Date: Tue, 30 Apr 2019 15:53:31 +1000
Subject: [PATCH 1/5] check the answered ip
---
 src/fieldset.c | 14 ++++++++++++++
 src/fieldset.h | 2 ++
 src/probe_modules/module_dns.c | 7 +++++++
 3 files changed, 23 insertions(+)
diff --git a/src/fieldset.c b/src/fieldset.c
index 1b9ec10c6..b745ab546 100644
--- a/src/fieldset.c
+++ b/src/fieldset.c
@@ -109,6 +109,16 @@ static void fs_modify_word(fieldset_t *fs, const char *name, int type,
 fs_add_word(fs, name, type, free_, len, value);
 }
+static int fs_find_word(fieldset_t *fs, const char *name)
+{
+ for (int i = 0; i < fs->len; i++) {
+ if (!strcmp(fs->fields[i].name, name)) {
+ return i;
+ }
+ }
+ return -1;
+}
+
 static char *sanitize_utf8(const char *buf)
 {
 const char *ptr = buf;
@@ -277,6 +287,10 @@ void fs_modify_string(fieldset_t *fs, const char *name, char *value, int free_)
 fs_modify_word(fs, name, FS_STRING, free_, strlen(value), val);
 }
+int fs_find_by_name(fieldset_t *fs, const char *name) {
+ return fs_find_word(fs, name);
+}
+
 void fs_modify_uint64(fieldset_t *fs, const char *name, uint64_t value)
 {
 field_val_t val = {.num = value};
diff --git a/src/fieldset.h b/src/fieldset.h
index b23b5394d..2c325cd72 100644
--- a/src/fieldset.h
+++ b/src/fieldset.h
@@ -131,6 +131,8 @@ void fs_modify_string(fieldset_t *fs, const char *name, char *value, int free_);
 void fs_modify_binary(fieldset_t *fs, const char *name, size_t len, void *value, int free_);
+int fs_find_by_name(fieldset_t *fs, const char *name);
+
 uint64_t fs_get_uint64_by_index(fieldset_t *fs, int index);
 void fs_free(fieldset_t *fs);
diff --git a/src/probe_modules/module_dns.c b/src/probe_modules/module_dns.c
index e13e6f59f..1453ce93a 100644
--- a/src/probe_modules/module_dns.c
+++ b/src/probe_modules/module_dns.c
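Review bot: The `strcmp` call inside the loop of `fs_find_word` dereferences both `fs->fields[i].name` and `name` without a NULL check, and both can be NULL in this series: the module_dns.c context of patch 4/5 shows entries added with `fs_add_fieldset(list, NULL, afs)`, and patch 3/5 calls the lookup with `name == NULL`. Either case is undefined behaviour, in practice a crash while a network response is being processed. Guard both, e.g. `if (!fs || !name) return -1;` before the loop and `if (fs->fields[i].name && !strcmp(fs->fields[i].name, name))` inside it. The type of `fs->len` is not visible here; if it is unsigned, the `int i` counter should match it.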
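Review bot: The new `fs_find_by_name` prototype in fieldset.h carries no comment stating its contract, and the callers added in module_dns.c initially pass its result straight to `fs_get_string_by_index`. Add a comment above the declaration such as `/* Returns the index of the first field called name, or -1 if there is none; check the result before using it as an index. */`. Since `fs_find_word` as added in fieldset.c only reads the fieldset, the `fs` parameter could also be declared `const fieldset_t *fs`.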
@@ -104,6 +104,7 @@ void generate_default_domain() {
 time_t t;
 srand((unsigned) time(&t));
 const char *chosen = candidate_domains[rand() % (sizeof(candidate_domains) / sizeof(candidate_domains[0]))];
+ memset(default_domain, 0, sizeof(default_domain));
 strncpy(default_domain, chosen, sizeof(default_domain) - 1);
 log_info("dns", "generate_default_domain: %s", default_domain);
 }
@@ -1041,6 +1042,12 @@ void dns_process_packet(const u_char *packet, uint32_t len, fieldset_t *fs,
 }
 // Did we parse OK?
 fs_add_uint64(fs, "dns_parse_err", err);
+
+ // Check the validity
+ int fai = fs_find_by_name(fs, "dns_answers");
+ fieldset_t *answer_fs = (fieldset_t *)fs_get_string_by_index(fs, fai);
+ int ani = fs_find_by_name(answer_fs, "rdata");
+ is_valid = !strcmp(fs_get_string_by_index(ani), "1.2.3.4");
 }
 // Now the raw stuff.
 fs_add_binary(fs, "raw_data", (udp_len - sizeof(struct udphdr)),
From ed0683b45653e99ccec9e9b5f1ea463b7b330f67 Mon Sep 17 00:00:00 2001
From: Jian Wan
Date: Tue, 30 Apr 2019 15:55:34 +1000
Subject: [PATCH 2/5] fix build
---
 src/probe_modules/module_dns.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/probe_modules/module_dns.c b/src/probe_modules/module_dns.c
index 1453ce93a..b3dafb585 100644
--- a/src/probe_modules/module_dns.c
+++ b/src/probe_modules/module_dns.c
@@ -1047,7 +1047,7 @@ void dns_process_packet(const u_char *packet, uint32_t len, fieldset_t *fs,
 int fai = fs_find_by_name(fs, "dns_answers");
 fieldset_t *answer_fs = (fieldset_t *)fs_get_string_by_index(fs, fai);
 int ani = fs_find_by_name(answer_fs, "rdata");
- is_valid = !strcmp(fs_get_string_by_index(ani), "1.2.3.4");
+ is_valid = !strcmp(fs_get_string_by_index(answer_fs, ani), "1.2.3.4");
 }
 // Now the raw stuff.
 fs_add_binary(fs, "raw_data", (udp_len - sizeof(struct udphdr)),
From ff7208529a1e259b3e41caca3e997827ba8e8ce5 Mon Sep 17 00:00:00 2001
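Review bot: In the `// Check the validity` lines added to `dns_process_packet` in patch 1/5, both `fs_find_by_name` results (`fai`, `ani`) are used as indices without a test for -1, so a response whose fieldset lacks the field would be indexed before the start of the field array. Patch 5/5 adds those two guards later, but they belong with the code that introduces the lookups. The `(fieldset_t *)` cast on `fs_get_string_by_index(fs, fai)` also hides a type mismatch: the value is fetched through the string accessor and then treated as a nested fieldset, and nothing visible here checks the field's type, so a typed accessor with a type check would be safer than the cast if fieldset.h can provide one. `dns_process_packet` starts and ends outside the hunk, so the declaration of `is_valid` is not visible.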
From: Jian Wan
Date: Tue, 30 Apr 2019 16:06:17 +1000
Subject: [PATCH 3/5] find the addr
---
 src/probe_modules/module_dns.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/probe_modules/module_dns.c b/src/probe_modules/module_dns.c
index b3dafb585..b408fd058 100644
--- a/src/probe_modules/module_dns.c
+++ b/src/probe_modules/module_dns.c
@@ -1046,7 +1046,10 @@ void dns_process_packet(const u_char *packet, uint32_t len, fieldset_t *fs,
 // Check the validity
 int fai = fs_find_by_name(fs, "dns_answers");
 fieldset_t *answer_fs = (fieldset_t *)fs_get_string_by_index(fs, fai);
- int ani = fs_find_by_name(answer_fs, "rdata");
+ int ani = fs_find_by_name(answer_fs, NULL);
+ fieldset_t *answer_fs_child = (fieldset_t *)fs_get_string_by_index(answer_fs, ani);
+ int ani2 = fs_find_by_name(answer_fs_child, "rdata");
+ fprintf(stdout, "find answer: %s\n", fs_get_string_by_index(answer_fs_child, ani2));
 is_valid = !strcmp(fs_get_string_by_index(answer_fs, ani), "1.2.3.4");
 }
 // Now the raw stuff.
From cbd37df222ceb9a08b8dced4051cdddac16c1d0f Mon Sep 17 00:00:00 2001
From: Jian Wan
Date: Tue, 30 Apr 2019 16:09:57 +1000
Subject: [PATCH 4/5] use rdata_fs
---
 src/probe_modules/module_dns.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/probe_modules/module_dns.c b/src/probe_modules/module_dns.c
index b408fd058..cb7f14290 100644
--- a/src/probe_modules/module_dns.c
+++ b/src/probe_modules/module_dns.c
@@ -572,7 +572,7 @@ static bool process_response_answer(char **data, uint16_t *data_len,
 fs_add_binary(afs, "rdata", rdlength, rdata, 0);
 }
 // Now we're adding the new fs to the list.
- fs_add_fieldset(list, NULL, afs);
+ fs_add_fieldset(list, "rdata_fs", afs);
 // Now update the pointers.
 *data = *data + bytes_consumed + sizeof(dns_answer_tail) + rdlength;
 *data_len =
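Review bot: The `fprintf(stdout, "find answer: %s\n", ...)` added in patch 3/5 formats the `rdata` field as a C string, yet the context of patch 4/5 shows `rdata` being stored with `fs_add_binary(afs, "rdata", rdlength, rdata, 0)` on at least one path, i.e. as length-delimited bytes from the response with no terminating NUL guaranteed. On that path `%s` can read past the end of the field, with the length of the over-read decided by what the remote server sent. The print also goes to stdout unconditionally for every parsed response; if it is a debugging aid it should be removed or routed through the logger this file already uses (`log_info("dns", ...)`). Before any string use, the field's type and length should be checked, or the comparison done on the raw bytes with an explicit length.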
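Review bot: Naming every answer entry `"rdata_fs"` in `process_response_answer` (patch 4/5) gives all records in `list` the same name, and `fs_find_word` returns the first match, so the lookup in `dns_process_packet` can only ever reach the first answer record and ignores any others in the response (assuming `list` is the fieldset later looked up as `"dns_answers"`). The change also alters the data this parser produces, since the entries were previously unnamed, purely to support that lookup; whether output modules are affected cannot be told from this hunk. Keeping `NULL` here and walking the answer list by index in the caller would avoid both. `process_response_answer` starts and ends outside the hunk.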
@@ -1046,7 +1046,7 @@ void dns_process_packet(const u_char *packet, uint32_t len, fieldset_t *fs,
 // Check the validity
 int fai = fs_find_by_name(fs, "dns_answers");
 fieldset_t *answer_fs = (fieldset_t *)fs_get_string_by_index(fs, fai);
- int ani = fs_find_by_name(answer_fs, NULL);
+ int ani = fs_find_by_name(answer_fs, "rdata_fs");
 fieldset_t *answer_fs_child = (fieldset_t *)fs_get_string_by_index(answer_fs, ani);
 int ani2 = fs_find_by_name(answer_fs_child, "rdata");
 fprintf(stdout, "find answer: %s\n", fs_get_string_by_index(answer_fs_child, ani2));
From d317073a9fb15a7a2b17f0001abf6123be307688 Mon Sep 17 00:00:00 2001
From: Jian Wan
Date: Tue, 30 Apr 2019 02:25:17 -0400
Subject: [PATCH 5/5] fix coredump
---
 src/probe_modules/module_dns.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/probe_modules/module_dns.c b/src/probe_modules/module_dns.c
index cb7f14290..cd00ed2c9 100644
--- a/src/probe_modules/module_dns.c
+++ b/src/probe_modules/module_dns.c
@@ -1045,12 +1045,16 @@ void dns_process_packet(const u_char *packet, uint32_t len, fieldset_t *fs,
 // Check the validity
 int fai = fs_find_by_name(fs, "dns_answers");
- fieldset_t *answer_fs = (fieldset_t *)fs_get_string_by_index(fs, fai);
- int ani = fs_find_by_name(answer_fs, "rdata_fs");
- fieldset_t *answer_fs_child = (fieldset_t *)fs_get_string_by_index(answer_fs, ani);
- int ani2 = fs_find_by_name(answer_fs_child, "rdata");
- fprintf(stdout, "find answer: %s\n", fs_get_string_by_index(answer_fs_child, ani2));
- is_valid = !strcmp(fs_get_string_by_index(answer_fs, ani), "1.2.3.4");
+ if (fai != -1) {
+ fieldset_t *answer_fs = (fieldset_t *)fs_get_string_by_index(fs, fai);
+ int ani = fs_find_by_name(answer_fs, "rdata_fs");
+ if (ani != -1) {
+ fieldset_t *answer_fs_child = (fieldset_t *)fs_get_string_by_index(answer_fs, ani);
+ int ani2 = fs_find_by_name(answer_fs_child, "rdata");
+ fprintf(stdout, "find answer: %s\n", fs_get_string_by_index(answer_fs_child, ani2));
+ is_valid = !strcmp(fs_get_string_by_index(answer_fs, ani), "1.2.3.4");
+ }
+ }
 }
 // Now the raw stuff.
 fs_add_binary(fs, "raw_data", (udp_len - sizeof(struct udphdr)),
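Review bot: The `is_valid` line inside the new `if (ani != -1)` block still compares `fs_get_string_by_index(answer_fs, ani)` with `"1.2.3.4"`, but that is the same value the first line of the block casts to `fieldset_t *answer_fs_child`, so `strcmp` reads a fieldset object as if it were a string; the `rdata` value lives at `(answer_fs_child, ani2)`. `ani2` is also still used without the -1 test this commit adds for `fai` and `ani`. Suggested: `if (ani2 != -1) is_valid = !strcmp(fs_get_string_by_index(answer_fs_child, ani2), "1.2.3.4");`, with the `fprintf` removed or moved under the same guard. The expected address is hard-coded in the comparison; a named constant next to the probe's query configuration would make the intent reviewable. `dns_process_packet` starts and ends outside the hunk.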