automatic header length computation
Frederic Raynal
2004-11-01 19:11:41 UTC
Hi,

I added a new feature to the current devel libnet: automatic header
length computation.

Remember the old:
    udp = libnet_build_udp(
        src_prt,                      /* source port */
        dst_prt,                      /* destination port */
        LIBNET_UDP_H + payload_s,     /* packet length */
        0,                            /* checksum */
        payload,                      /* payload */
        payload_s,                    /* payload size */
        l,                            /* libnet handle */
        udp);

    opt = libnet_build_ip_opt_sec(
        IP_OPT_SEC,                   /* type */
        LIBNET_IP_OPT_SEC_H,          /* len */
        IP_OPT_SEC_TOPSECRET,         /* security */
        i,                            /* compartment */
        0,                            /* restriction */
        "FHP",                        /* tcc */
        l,                            /* libnet handle */
        opt);


    ip = libnet_build_ipv4(
        LIBNET_IPV4_H + LIBNET_ALIGN_SIZE(LIBNET_IP_OPT_SEC_H) +
        LIBNET_UDP_H + payload_s,     /* length */ [1]
        0,                            /* TOS */
        242,                          /* IP ID */
        0,                            /* IP Frag */
        64,                           /* TTL */
        IPPROTO_UDP,                  /* proto */
        0,                            /* checksum */
        src_ip.addr_ip,
        dst_ip.addr_ip,
        NULL,                         /* payload */
        0,
        l,
        ip);


[1] When we compute the size for the IP length, we must consider the
payload, the UDP layer, the options _aligned_ (there can be some
padding added so that options are aligned), and the IP layer itself !


But now, how amazing, forget about all that ;-)

Each time there is a length to specify, you don't care anymore.

The length will be embedded in the header : put the value you want
(non zero), and it will appear with that value in the packet. Put a
0, and it will be set to the proper value.

This length argument is just something to be put in the header.
However, the underlying structures also need this information (for
instance to know where to put things properly in the packet). That is
kept hidden in an internal structure (pbuf_t).

That way, it is possible to build a packet with a certain amount of
bytes, but which pretends to have less or more ... very practical for
fuzzing.

Like for the checksum, that behavior can be controlled with
libnet_toggle_bit(), which replaces libnet_toggle_checksum(): you
now need to specify the bit to set/clear between
LIBNET_PACKET_IGNORE_HLEN and LIBNET_PACKET_IGNORE_CSUM (note that
there is also such a function at pbuf level).
I must confess that I have not played that much with these bits, so
it may be buggy.



In a previous version, I made changes so that it _should_ work on
CPUs with strict alignment. I still haven't tested that on a real
processor. That is quite high in my TODO.

Comments, feedback, bug reports, beers and so on are welcome :)

Fred Raynal

http://www.security-labs.org/libnetng/
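
The "0 means automatic, non-zero is written verbatim" rule and the aligned-options arithmetic from note [1], as an added example that is not part of the original post and does not use libnet: build_packet(), check_lengths() and the other names are hypothetical, checksums are left at zero, and the option bytes are constructed. check_lengths() is the receiver-side test that flags a packet whose declared lengths disagree with the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV4_H 20
#define UDP_H  8
#define ALIGN4(n) (((size_t)(n) + 3) & ~(size_t)3)  /* options padded to 32-bit words */

/* 0 means "compute it for me"; any other value is written verbatim. */
static uint16_t pick_len(uint16_t declared, size_t actual) { return declared ? declared : (uint16_t)actual; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Write IPv4 + options + UDP + payload into buf; returns bytes written, 0 on error.
   ip_len and udp_len follow the 0 = automatic rule described in the post. */
size_t build_packet(uint8_t *buf, size_t cap, uint16_t ip_len, uint16_t udp_len,
                    const uint8_t *opt, size_t opt_s,
                    const uint8_t *payload, size_t payload_s) {
    size_t ihl = IPV4_H + ALIGN4(opt_s);          /* IP header incl. aligned options */
    size_t total = ihl + UDP_H + payload_s;       /* the sum from note [1] */
    if (ihl > 60 || total > 65535 || total > cap) return 0;
    memset(buf, 0, total);                        /* zero fill also pads the options */
    buf[0] = (uint8_t)(0x40 | (ihl / 4));         /* version 4, IHL in 32-bit words */
    put16(buf + 2, pick_len(ip_len, total));      /* IP total length field */
    buf[8] = 64; buf[9] = 17;                     /* TTL, protocol = UDP */
    if (opt_s) memcpy(buf + IPV4_H, opt, opt_s);
    put16(buf + ihl + 4, pick_len(udp_len, UDP_H + payload_s)); /* UDP length field */
    if (payload_s) memcpy(buf + ihl + UDP_H, payload, payload_s);
    return total;
}

/* Receiver side: 0 if the header lengths agree with the n bytes received,
   otherwise a negative code naming the first inconsistent field. */
int check_lengths(const uint8_t *pkt, size_t n) {
    if (n < IPV4_H || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IPV4_H || ihl + UDP_H > n) return -2;
    if (get16(pkt + 2) != n) return -3;             /* IP total length is wrong */
    if (get16(pkt + ihl + 4) != n - ihl) return -4; /* UDP length is wrong */
    return 0;
}

int main(void) {
    uint8_t opt[11] = {130, 11}, pkt[128];  /* constructed 11-byte option, rest zero */
    const uint8_t *pl = (const uint8_t *)"hello";
    size_t n = build_packet(pkt, sizeof pkt, 0, 0, opt, sizeof opt, pl, 5);
    int automatic = check_lengths(pkt, n);          /* both lengths computed */
    n = build_packet(pkt, sizeof pkt, 20, 0, opt, sizeof opt, pl, 5);
    return !(automatic == 0 && check_lengths(pkt, n) == -3);
}
```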
