From: Denis Ovsienko Date: Sun, 20 Dec 2020 03:55:12 +0000 (+0000) Subject: NSH: Modernize packet parsing style. X-Git-Tag: tcpdump-4.99-bp~14 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/f620cb78c2aa482033e5cd1ce1a7eba2d6ea9611 NSH: Modernize packet parsing style. Enable ND_LONGJMP_FROM_TCHECK. Remove a redundant ND_TCHECK_LEN() instance and make another one conditional. Report invalid packets as invalid with a reason, not truncated. Update the code from draft-ietf-sfc-nsh-01 to RFC 8300: remove the no longer existent C-bit, add the TTL field, adjust the MD Type field offset and size, apply correct mask to TLV length, redo TLV length in bytes instead of 4-byte words and mind the padding. Fetch and print one header at a time. Add and use two lookup tables for MD Type and Next Protocol. Add a version number check. Add a length check for MD Type 1. Update some error messages. Add a few encoding diagrams for clarity. Lose a few variables and reduce scope of the remaining variables. Update a few tests. --- diff --git a/print-nsh.c b/print-nsh.c index 17d62569..12a63cd6 100644 --- a/print-nsh.c +++ b/print-nsh.c @@ -23,7 +23,7 @@ /* \summary: Network Service Header (NSH) printer */ -/* specification: draft-ietf-sfc-nsh-01 */ +/* specification: RFC 8300 */ #ifdef HAVE_CONFIG_H #include @@ -31,131 +31,210 @@ #include "netdissect-stdinc.h" +#define ND_LONGJMP_FROM_TCHECK #include "netdissect.h" #include "extract.h" static const struct tok nsh_flags [] = { - { 0x20, "O" }, - { 0x10, "C" }, + { 0x2, "O" }, { 0, NULL } }; +/* + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * |Ver|O|U| TTL | Length |U|U|U|U|MD Type| Next Protocol | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ #define NSH_BASE_HDR_LEN 4 +#define NSH_VER(x) (((x) & 0xc0000000) >> 30) +#define NSH_FLAGS(x) (((x) & 0x30000000) >> 28) +#define NSH_TTL(x) (((x) & 0x0fc00000) >> 22) +#define NSH_LENGTH(x) (((x) & 0x003f0000) >> 16) +#define NSH_MD_TYPE(x) (((x) & 0x00000f00) >> 8) +#define NSH_NEXT_PROT(x) (((x) & 0x000000ff) >> 0) + #define NSH_SERVICE_PATH_HDR_LEN 4 #define NSH_HDR_WORD_SIZE 4U +#define MD_RSV 0x00 +#define MD_TYPE1 0x01 +#define MD_TYPE2 0x02 +#define MD_EXP 0x0F +static const struct tok md_str[] = { + { MD_RSV, "reserved" }, + { MD_TYPE1, "1" }, + { MD_TYPE2, "2" }, + { MD_EXP, "experimental" }, + { 0, NULL } +}; + +#define NP_IPV4 0x01 +#define NP_IPV6 0x02 +#define NP_ETH 0x03 +#define NP_NSH 0x04 +#define NP_MPLS 0x05 +#define NP_EXP1 0xFE +#define NP_EXP2 0xFF +static const struct tok np_str[] = { + { NP_IPV4, "IPv4" }, + { NP_IPV6, "IPv6" }, + { NP_ETH, "Ethernet" }, + { NP_NSH, "NSH" }, + { NP_MPLS, "MPLS" }, + { NP_EXP1, "Experiment 1" }, + { NP_EXP2, "Experiment 2" }, + { 0, NULL } +}; + void nsh_print(netdissect_options *ndo, const u_char *bp, u_int len) { - u_int n, vn; - uint8_t ver; - uint8_t flags; - u_int length; - uint8_t md_type; + uint32_t basehdr; + u_int ver, length, md_type; uint8_t next_protocol; - uint32_t service_path_id; - uint8_t service_index; - uint32_t ctx; - uint16_t tlv_class; - uint8_t tlv_type; - uint8_t tlv_len; + u_char past_headers = 0; u_int next_len; ndo->ndo_protocol = "nsh"; + /* + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Base Header | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Service Path Header | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | | + * ~ Context Header(s) ~ + * | | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + /* print Base Header and Service Path Header */ - if (len < NSH_BASE_HDR_LEN + NSH_SERVICE_PATH_HDR_LEN) - goto trunc; + if (len < NSH_BASE_HDR_LEN + NSH_SERVICE_PATH_HDR_LEN) { + ND_PRINT(" (packet length %u < %u)", + len, NSH_BASE_HDR_LEN + NSH_SERVICE_PATH_HDR_LEN); + goto invalid; + } - ND_TCHECK_LEN(bp, NSH_BASE_HDR_LEN + NSH_SERVICE_PATH_HDR_LEN); - - ver = (uint8_t)(GET_U_1(bp) >> 6); - flags = GET_U_1(bp); - bp += 1; - length = GET_U_1(bp); - bp += 1; - md_type = GET_U_1(bp); - bp += 1; - next_protocol = GET_U_1(bp); - bp += 1; - service_path_id = GET_BE_U_3(bp); - bp += 3; - service_index = GET_U_1(bp); - bp += 1; + basehdr = GET_BE_U_4(bp); + bp += 4; + ver = NSH_VER(basehdr); + length = NSH_LENGTH(basehdr); + md_type = NSH_MD_TYPE(basehdr); + next_protocol = NSH_NEXT_PROT(basehdr); ND_PRINT("NSH, "); if (ndo->ndo_vflag > 1) { ND_PRINT("ver %u, ", ver); } - ND_PRINT("flags [%s], ", bittok2str_nosep(nsh_flags, "none", flags)); + if (ver != 0) + return; + ND_PRINT("flags [%s], ", + bittok2str_nosep(nsh_flags, "none", NSH_FLAGS(basehdr))); if (ndo->ndo_vflag > 2) { + ND_PRINT("TTL %u, ", NSH_TTL(basehdr)); ND_PRINT("length %u, ", length); - ND_PRINT("md type 0x%x, ", md_type); + ND_PRINT("md type %s, ", tok2str(md_str, "unknown (0x%02x)", md_type)); } if (ndo->ndo_vflag > 1) { - ND_PRINT("next-protocol 0x%x, ", next_protocol); + ND_PRINT("next-protocol %s, ", + tok2str(np_str, "unknown (0x%02x)", next_protocol)); } - ND_PRINT("service-path-id 0x%06x, ", service_path_id); - ND_PRINT("service-index 0x%x", service_index); /* Make sure we have all the headers */ - if (len < length * NSH_HDR_WORD_SIZE) - goto trunc; + if (len < length * NSH_HDR_WORD_SIZE) { + ND_PRINT(" (too many headers for packet length %u)", len); + goto invalid; + } - ND_TCHECK_LEN(bp, length * NSH_HDR_WORD_SIZE); + /* + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Service Path Identifier (SPI) | Service Index | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * + */ + ND_PRINT("service-path-id 0x%06x, ", GET_BE_U_3(bp)); + bp += 3; + ND_PRINT("service-index 0x%x", GET_U_1(bp)); + bp += 1; /* * length includes the lengths of the Base and Service Path headers. * That means it must be at least 2. */ - if (length < 2) - goto trunc; + if (length < 2) { + ND_PRINT(" (less than two headers)"); + goto invalid; + } /* * Print, or skip, the Context Headers. * (length - 2) is the length of those headers. */ if (ndo->ndo_vflag > 2) { - if (md_type == 0x01) { + u_int n; + + if (md_type == MD_TYPE1) { + if (length != 6) { + ND_PRINT(" (invalid length for the MD type)"); + goto invalid; + } for (n = 0; n < length - 2; n++) { - ctx = GET_BE_U_4(bp); + ND_PRINT("\n Context[%02u]: 0x%08x", n, GET_BE_U_4(bp)); bp += NSH_HDR_WORD_SIZE; - ND_PRINT("\n Context[%02u]: 0x%08x", n, ctx); } + past_headers = 1; } - else if (md_type == 0x02) { + else if (md_type == MD_TYPE2) { n = 0; while (n < length - 2) { + uint16_t tlv_class; + uint8_t tlv_type, tlv_len, tlv_len_padded; + tlv_class = GET_BE_U_2(bp); bp += 2; tlv_type = GET_U_1(bp); bp += 1; - tlv_len = GET_U_1(bp); + tlv_len = GET_U_1(bp) & 0x7f; bp += 1; + tlv_len_padded = roundup2(tlv_len, NSH_HDR_WORD_SIZE); ND_PRINT("\n TLV Class %u, Type %u, Len %u", tlv_class, tlv_type, tlv_len); n += 1; - if (length - 2 < n + tlv_len) { - ND_PRINT(" ERROR: invalid-tlv-length"); - return; + if (length - 2 < n + tlv_len_padded / NSH_HDR_WORD_SIZE) { + ND_PRINT(" (length too big)"); + goto invalid; } - for (vn = 0; vn < tlv_len; vn++) { - ctx = GET_BE_U_4(bp); - bp += NSH_HDR_WORD_SIZE; - ND_PRINT("\n Value[%02u]: 0x%08x", vn, ctx); + if (tlv_len) { + const char *sep = "0x"; + u_int vn; + + ND_PRINT("\n Value: "); + for (vn = 0; vn < tlv_len; vn++) { + ND_PRINT("%s%02x", sep, GET_U_1(bp)); + bp += 1; + sep = ":"; + } + /* Cover any TLV padding. */ + ND_TCHECK_LEN(bp, tlv_len_padded - tlv_len); + bp += tlv_len_padded - tlv_len; + n += tlv_len_padded / NSH_HDR_WORD_SIZE; } - n += tlv_len; } - } - else { - ND_PRINT("ERROR: unknown-next-protocol"); - return; + past_headers = 1; } } - else { + if (! past_headers) { + ND_TCHECK_LEN(bp, (length - 2) * NSH_HDR_WORD_SIZE); bp += (length - 2) * NSH_HDR_WORD_SIZE; } ND_PRINT(ndo->ndo_vflag ? "\n " : ": "); @@ -163,13 +242,13 @@ nsh_print(netdissect_options *ndo, const u_char *bp, u_int len) /* print Next Protocol */ next_len = len - length * NSH_HDR_WORD_SIZE; switch (next_protocol) { - case 0x1: + case NP_IPV4: ip_print(ndo, bp, next_len); break; - case 0x2: + case NP_IPV6: ip6_print(ndo, bp, next_len); break; - case 0x3: + case NP_ETH: ether_print(ndo, bp, next_len, ND_BYTES_AVAILABLE_AFTER(bp), NULL, NULL); break; default: @@ -179,7 +258,7 @@ nsh_print(netdissect_options *ndo, const u_char *bp, u_int len) return; -trunc: - nd_print_trunc(ndo); +invalid: + nd_print_invalid(ndo); } diff --git a/tests/nsh-over-vxlan-gpe-v.out b/tests/nsh-over-vxlan-gpe-v.out index f19c25c5..7e98fa7a 100644 --- a/tests/nsh-over-vxlan-gpe-v.out +++ b/tests/nsh-over-vxlan-gpe-v.out @@ -1,5 +1,5 @@ 1 14:19:08.994912 IP (tos 0x0, ttl 64, id 16419, offset 0, flags [DF], proto UDP (17), length 92) 127.0.0.1.4790 > 127.0.0.1.4790: VXLAN-GPE, flags [IP], vni 16777215 - NSH, flags [OC], service-path-id 0xffffff, service-index 0xff + NSH, flags [O], service-path-id 0xffffff, service-index 0xff IP (tos 0x0, ttl 255, id 54321, offset 0, flags [none], proto UDP (17), length 32) 192.168.0.1.10000 > 192.168.0.2.20000: UDP, length 4 diff --git a/tests/nsh-over-vxlan-gpe-vv.out b/tests/nsh-over-vxlan-gpe-vv.out index 76d1c873..32e390b1 100644 --- a/tests/nsh-over-vxlan-gpe-vv.out +++ b/tests/nsh-over-vxlan-gpe-vv.out @@ -1,5 +1,5 @@ 1 14:19:08.994912 IP (tos 0x0, ttl 64, id 16419, offset 0, flags [DF], proto UDP (17), length 92) 127.0.0.1.4790 > 127.0.0.1.4790: [udp sum ok] VXLAN-GPE, flags [IP], vni 16777215 - NSH, ver 0, flags [OC], next-protocol 0x1, service-path-id 0xffffff, service-index 0xff + NSH, ver 0, flags [O], next-protocol IPv4, service-path-id 0xffffff, service-index 0xff IP (tos 0x0, ttl 255, id 54321, offset 0, flags [none], proto UDP (17), length 32) 192.168.0.1.10000 > 192.168.0.2.20000: [udp sum ok] UDP, length 4 diff --git a/tests/nsh-over-vxlan-gpe-vvv.out b/tests/nsh-over-vxlan-gpe-vvv.out index 5b13289d..95c904c7 100644 --- a/tests/nsh-over-vxlan-gpe-vvv.out +++ b/tests/nsh-over-vxlan-gpe-vvv.out @@ -1,9 +1,9 @@ 1 14:19:08.994912 IP (tos 0x0, ttl 64, id 16419, offset 0, flags [DF], proto UDP (17), length 92) 127.0.0.1.4790 > 127.0.0.1.4790: [udp sum ok] VXLAN-GPE, flags [IP], vni 16777215 - NSH, ver 0, flags [OC], length 6, md type 0x2, next-protocol 0x1, service-path-id 0xffffff, service-index 0xff + NSH, ver 0, flags [O], TTL 0, length 6, md type 2, next-protocol IPv4, service-path-id 0xffffff, service-index 0xff TLV Class 1, Type 2, Len 1 - Value[00]: 0x12345678 + Value: 0x12 TLV Class 2, Type 3, Len 1 - Value[00]: 0x12345678 + Value: 0x12 IP (tos 0x0, ttl 255, id 54321, offset 0, flags [none], proto UDP (17), length 32) 192.168.0.1.10000 > 192.168.0.2.20000: [udp sum ok] UDP, length 4 diff --git a/tests/nsh-over-vxlan-gpe.out b/tests/nsh-over-vxlan-gpe.out index 39ab500d..89696e4f 100644 --- a/tests/nsh-over-vxlan-gpe.out +++ b/tests/nsh-over-vxlan-gpe.out @@ -1 +1 @@ - 1 14:19:08.994912 IP 127.0.0.1.4790 > 127.0.0.1.4790: VXLAN-GPE, flags [IP], vni 16777215: NSH, flags [OC], service-path-id 0xffffff, service-index 0xff: IP 192.168.0.1.10000 > 192.168.0.2.20000: UDP, length 4 + 1 14:19:08.994912 IP 127.0.0.1.4790 > 127.0.0.1.4790: VXLAN-GPE, flags [IP], vni 16777215: NSH, flags [O], service-path-id 0xffffff, service-index 0xff: IP 192.168.0.1.10000 > 192.168.0.2.20000: UDP, length 4 diff --git a/tests/nsh-vvv.out b/tests/nsh-vvv.out index 87aa6f76..7a61c78e 100644 --- a/tests/nsh-vvv.out +++ b/tests/nsh-vvv.out @@ -1,4 +1,4 @@ - 1 23:13:40.394208 NSH, ver 0, flags [none], length 6, md type 0x1, next-protocol 0x1, service-path-id 0x000309, service-index 0x7 + 1 23:13:40.394208 NSH, ver 0, flags [none], TTL 0, length 6, md type 1, next-protocol IPv4, service-path-id 0x000309, service-index 0x7 Context[00]: 0x00000001 Context[01]: 0x00000002 Context[02]: 0x00000003