OpenVAS Scanner 23.32.3
nasl_packet_forgery_v6.h File Reference
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions

tree_cellforge_ip_v6_packet (lex_ctxt *)
 Forge an IPv6 packet.
tree_cellset_ip_v6_elements (lex_ctxt *)
 Set IPv6 header element.
tree_cellget_ip_v6_element (lex_ctxt *)
 Obtain IPv6 header element.
tree_celldump_ip_v6_packet (lex_ctxt *)
 Print IPv6 Header.
tree_cellinsert_ip_v6_options (lex_ctxt *)
 Adds an IPv6 option to the datagram.
tree_cellforge_tcp_v6_packet (lex_ctxt *)
 Forge TCP packet.
tree_cellget_tcp_v6_element (lex_ctxt *)
 Get TCP Header element.
tree_cellget_tcp_v6_option (lex_ctxt *)
 Get a TCP option from an IP datagram if present. Possible options are: TCPOPT_MAXSEG (2), values between 536 and 65535 TCPOPT_WINDOW (3), with values between 0 and 14 TCPOPT_SACK_PERMITTED (4), no value required. TCPOPT_TIMESTAMP (8), 8 bytes value for timestamp and echo timestamp, 4 bytes each one.
tree_cellset_tcp_v6_elements (lex_ctxt *)
 Set TCP Header element.
tree_cellinsert_tcp_v6_options (lex_ctxt *)
 Add options to a TCP segment header. Possible options are: TCPOPT_MAXSEG (2), values between 536 and 65535 TCPOPT_WINDOW (3), with values between 0 and 14 TCPOPT_SACK_PERMITTED (4), no value required. TCPOPT_TIMESTAMP (8), 8 bytes value for timestamp and echo timestamp, 4 bytes each one.
tree_celldump_tcp_v6_packet (lex_ctxt *)
 Dump TCP part of an IPv6 Datagram.
tree_cellforge_udp_v6_packet (lex_ctxt *)
tree_cellset_udp_v6_elements (lex_ctxt *)
tree_celldump_udp_v6_packet (lex_ctxt *)
tree_cellget_udp_v6_element (lex_ctxt *)
tree_cellforge_icmp_v6_packet (lex_ctxt *)
tree_cellget_icmp_v6_element (lex_ctxt *)
tree_celldump_icmp_v6_packet (lex_ctxt *)
 Dump the ICMP part of a IP Datagram.
tree_cellforge_igmp_v6_packet (lex_ctxt *)
tree_cellnasl_tcp_v6_ping (lex_ctxt *)
 Performs TCP Connect to test if host is alive.
tree_cellnasl_send_v6packet (lex_ctxt *)
 Send forged IPv6 Packets.

Function Documentation

◆ dump_icmp_v6_packet()

tree_cell * dump_icmp_v6_packet ( lex_ctxt * lexic)

Dump the ICMP part of a IP Datagram.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]...IP datagrams to dump the ICMP part from.

Definition at line 2053 of file nasl_packet_forgery_v6.c.

2054{
2055 int i = 0;
2056 u_char *pkt;
2057 while ((pkt = (u_char *) get_str_var_by_num (lexic, i++)) != NULL)
2058 {
2059 unsigned int j;
2060 unsigned int limit;
2061 char *c;
2062 struct ip6_hdr *ip6 = (struct ip6_hdr *) pkt;
2063 struct icmp6_hdr *icmp;
2064 icmp = (struct icmp6_hdr *) (pkt + 40);
2065 limit = get_var_size_by_num (lexic, i - 1);
2066 printf ("------\n");
2067 printf ("\ticmp6_id : %d\n", ntohs (icmp->icmp6_id));
2068 printf ("\ticmp6_code : %d\n", icmp->icmp6_code);
2069 printf ("\ticmp6_type : %u\n", icmp->icmp6_type);
2070 printf ("\ticmp6_seq : %u\n", ntohs (icmp->icmp6_seq));
2071 printf ("\ticmp6_cksum : %d\n", ntohs (icmp->icmp6_cksum));
2072 printf ("\tData : ");
2073 c = (char *) ((char *) icmp + sizeof (struct icmp6_hdr));
2074 if (UNFIX (ip6->ip6_plen) > (sizeof (struct icmp6_hdr)))
2075 for (j = 0;
2076 j < UNFIX (ip6->ip6_plen) - sizeof (struct icmp6_hdr) && j < limit;
2077 j++)
2078 printf ("%c", isprint (c[j]) ? c[j] : '.');
2079 printf ("\n");
2080 }
2081 return NULL;
2082}
get_var_size_by_num
int get_var_size_by_num(lex_ctxt *, int)
Definition nasl_var.c:1145
get_str_var_by_num
char * get_str_var_by_num(lex_ctxt *, int)
Definition nasl_var.c:1108
UNFIX
#define UNFIX(n)
Definition nasl_packet_forgery.c:40
UNFIX
#define UNFIX(n)
Definition nasl_packet_forgery_v6.c:63

References get_str_var_by_num(), get_var_size_by_num(), and UNFIX.

Here is the call graph for this function:

◆ dump_ip_v6_packet()

tree_cell * dump_ip_v6_packet ( lex_ctxt * lexic)

Print IPv6 Header.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]...IPv6 datagrams to dump.
Returns
Print and returns FAKE_CELL.

Definition at line 336 of file nasl_packet_forgery_v6.c.

337{
338 int i;
339 char addr[INET6_ADDRSTRLEN];
340
341 for (i = 0;; i++)
342 {
343 struct ip6_hdr *ip6 = (struct ip6_hdr *) get_str_var_by_num (lexic, i);
344
345 if (ip6 == NULL)
346 break;
347 else
348 {
349 printf ("------\n");
350 printf ("\tip6_v : %d\n", ntohl (ip6->ip6_flow) >> 28);
351 printf ("\tip6_tc : %d\n", (ntohl (ip6->ip6_flow) >> 20) & 0xff);
352 printf ("\tip6_fl : %d\n", ntohl (ip6->ip6_flow) & 0x3ffff);
353 printf ("\tip6_plen : %d\n", UNFIX (ip6->ip6_plen));
354 printf ("\tip6_hlim : %d\n", ip6->ip6_hlim);
355 switch (ip6->ip6_nxt)
356 {
357 case IPPROTO_TCP:
358 printf ("\tip6_nxt : IPPROTO_TCP (%d)\n", ip6->ip6_nxt);
359 break;
360 case IPPROTO_UDP:
361 printf ("\tip6_nxt : IPPROTO_UDP (%d)\n", ip6->ip6_nxt);
362 break;
363 case IPPROTO_ICMPV6:
364 printf ("\tip6_nxt : IPPROTO_ICMPV6 (%d)\n", ip6->ip6_nxt);
365 break;
366 default:
367 printf ("\tip6_nxt : %d\n", ip6->ip6_nxt);
368 break;
369 }
370 printf ("\tip6_src : %s\n",
371 inet_ntop (AF_INET6, &ip6->ip6_src, addr, sizeof (addr)));
372 printf ("\tip6_dst : %s\n",
373 inet_ntop (AF_INET6, &ip6->ip6_dst, addr, sizeof (addr)));
374 printf ("\n");
375 }
376 }
377
378 return FAKE_CELL;
379}
FAKE_CELL
#define FAKE_CELL
Definition nasl_tree.h:110

References FAKE_CELL, get_str_var_by_num(), and UNFIX.

Here is the call graph for this function:

◆ dump_tcp_v6_packet()

tree_cell * dump_tcp_v6_packet ( lex_ctxt * lexic)

Dump TCP part of an IPv6 Datagram.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]...IPv6 datagrams to dump.
Returns
Print and return FAKE_CELL.

Definition at line 1249 of file nasl_packet_forgery_v6.c.

1250{
1251 int i = 0;
1252 u_char *pkt;
1253 int options_len = 0;
1254
1255 while ((pkt = (u_char *) get_str_var_by_num (lexic, i++)) != NULL)
1256 {
1257 int a = 0;
1258 struct ip6_hdr *ip6 = (struct ip6_hdr *) pkt;
1259 struct tcphdr *tcp = (struct tcphdr *) (pkt + 40);
1260 unsigned int j;
1261 unsigned int limit;
1262 char *c;
1263
1264 limit = get_var_size_by_num (lexic, i - 1);
1265
1266 printf ("------\n");
1267 printf ("\tth_sport : %d\n", ntohs (tcp->th_sport));
1268 printf ("\tth_dport : %d\n", ntohs (tcp->th_dport));
1269 printf ("\tth_seq : %u\n", (unsigned int) ntohl (tcp->th_seq));
1270 printf ("\tth_ack : %u\n", (unsigned int) ntohl (tcp->th_ack));
1271 printf ("\tth_x2 : %d\n", tcp->th_x2);
1272 printf ("\tth_off : %d\n", tcp->th_off);
1273 printf ("\tth_flags : ");
1274 if (tcp->th_flags & TH_FIN)
1275 {
1276 printf ("TH_FIN");
1277 a++;
1278 }
1279 if (tcp->th_flags & TH_SYN)
1280 {
1281 if (a)
1282 printf ("|");
1283 printf ("TH_SYN");
1284 a++;
1285 }
1286 if (tcp->th_flags & TH_RST)
1287 {
1288 if (a)
1289 printf ("|");
1290 printf ("TH_RST");
1291 a++;
1292 }
1293 if (tcp->th_flags & TH_PUSH)
1294 {
1295 if (a)
1296 printf ("|");
1297 printf ("TH_PUSH");
1298 a++;
1299 }
1300 if (tcp->th_flags & TH_ACK)
1301 {
1302 if (a)
1303 printf ("|");
1304 printf ("TH_ACK");
1305 a++;
1306 }
1307 if (tcp->th_flags & TH_URG)
1308 {
1309 if (a)
1310 printf ("|");
1311 printf ("TH_URG");
1312 a++;
1313 }
1314 if (!a)
1315 printf ("0");
1316 else
1317 printf (" (%d)", tcp->th_flags);
1318 printf ("\n");
1319 printf ("\tth_win : %d\n", ntohs (tcp->th_win));
1320 printf ("\tth_sum : 0x%x\n", tcp->th_sum);
1321 printf ("\tth_urp : %d\n", tcp->th_urp);
1322
1323 options_len = sizeof (uint8_t) * 4 * (tcp->th_off - 5);
1324
1325 if (options_len > 5) // Options present
1326 {
1327 char *options;
1328 struct tcp_options *tcp_all_options;
1329
1330 options = (char *) g_malloc0 (options_len);
1331 memcpy (options, (char *) tcp + 20, options_len);
1332
1333 tcp_all_options = g_malloc0 (sizeof (struct tcp_options));
1334 get_tcp_options (options, tcp_all_options);
1335 if (tcp_all_options != NULL)
1336 {
1337 printf ("\tTCP Options:\n");
1338 printf ("\t\tTCPOPT_MAXSEG: %u\n",
1339 ntohs ((uint16_t) tcp_all_options->mss.mss));
1340 printf ("\t\tTCPOPT_WINDOW: %u\n",
1341 tcp_all_options->wscale.wscale);
1342 printf ("\t\tTCPOPT_SACK_PERMITTED: %u\n",
1343 tcp_all_options->sack_perm.kind ? 1 : 0);
1344 printf ("\t\tTCPOPT_TIMESTAMP TSval: %u\n",
1345 ntohl ((uint32_t) tcp_all_options->tstamp.tstamp));
1346 printf ("\t\tTCPOPT_TIMESTAMP TSecr: %u\n",
1347 ntohl ((uint32_t) tcp_all_options->tstamp.e_tstamp));
1348 }
1349 g_free (options);
1350 g_free (tcp_all_options);
1351 }
1352 printf ("\n\tData : ");
1353 c = (char *) ((char *) tcp + sizeof (struct tcphdr) + options_len);
1354 if (UNFIX (ip6->ip6_plen) > (sizeof (struct tcphdr) + options_len))
1355 for (j = 0;
1356 j < UNFIX (ip6->ip6_plen) - sizeof (struct tcphdr) - options_len
1357 && j < limit;
1358 j++)
1359 printf ("%c", isprint (c[j]) ? c[j] : '.');
1360 printf ("\n");
1361 printf ("\n");
1362 }
1363 return NULL;
1364}
get_tcp_options
static void get_tcp_options(char *options, struct tcp_options *tcp_all_options)
Extract all TCP option from an IP datagram.
Definition nasl_packet_forgery_v6.c:706
tcp_opt_mss::mss
uint16_t mss
Definition nasl_packet_forgery.c:495
tcp_opt_sack_perm::kind
uint8_t kind
Definition nasl_packet_forgery.c:507
tcp_opt_tstamp::tstamp
uint32_t tstamp
Definition nasl_packet_forgery.c:515
tcp_opt_tstamp::e_tstamp
uint32_t e_tstamp
Definition nasl_packet_forgery.c:516
tcp_opt_wscale::wscale
uint8_t wscale
Definition nasl_packet_forgery.c:502
tcp_options
Definition nasl_packet_forgery.c:520
tcp_options::wscale
struct tcp_opt_wscale wscale
Definition nasl_packet_forgery.c:522
tcp_options::mss
struct tcp_opt_mss mss
Definition nasl_packet_forgery.c:521
tcp_options::tstamp
struct tcp_opt_tstamp tstamp
Definition nasl_packet_forgery.c:524
tcp_options::sack_perm
struct tcp_opt_sack_perm sack_perm
Definition nasl_packet_forgery.c:523

References tcp_opt_tstamp::e_tstamp, get_str_var_by_num(), get_tcp_options(), get_var_size_by_num(), tcp_opt_sack_perm::kind, tcp_opt_mss::mss, tcp_options::mss, tcp_options::sack_perm, tcp_opt_tstamp::tstamp, tcp_options::tstamp, UNFIX, tcp_opt_wscale::wscale, and tcp_options::wscale.

Here is the call graph for this function:

◆ dump_udp_v6_packet()

tree_cell * dump_udp_v6_packet ( lex_ctxt * lexic)

Definition at line 1661 of file nasl_packet_forgery_v6.c.

1662{
1663 int i = 0;
1664 u_char *pkt;
1665 while ((pkt = (u_char *) get_str_var_by_num (lexic, i++)) != NULL)
1666 {
1667 struct udphdr *udp = (struct udphdr *) (pkt + sizeof (struct ip6_hdr));
1668 unsigned int j;
1669 char *c;
1670 unsigned int limit = get_var_size_by_num (lexic, i - 1);
1671 printf ("------\n");
1672 printf ("\tuh_sport : %d\n", ntohs (udp->uh_sport));
1673 printf ("\tuh_dport : %d\n", ntohs (udp->uh_dport));
1674 printf ("\tuh_sum : 0x%x\n", udp->uh_sum);
1675 printf ("\tuh_ulen : %d\n", ntohs (udp->uh_ulen));
1676 printf ("\tdata : ");
1677 c = (char *) udp;
1678 if (udp->uh_ulen > sizeof (struct udphdr))
1679 for (j = sizeof (struct udphdr); j < ntohs (udp->uh_ulen) && j < limit;
1680 j++)
1681 printf ("%c", isprint (c[j]) ? c[j] : '.');
1682
1683 printf ("\n");
1684 }
1685 return NULL;
1686}

References get_str_var_by_num(), and get_var_size_by_num().

Here is the call graph for this function:

◆ forge_icmp_v6_packet()

tree_cell * forge_icmp_v6_packet ( lex_ctxt * lexic)

Definition at line 1725 of file nasl_packet_forgery_v6.c.

1726{
1727 tree_cell *retc = NULL;
1728 struct ip6_hdr *ip6;
1729 struct ip6_hdr *ip6_icmp;
1730 int ip6_sz, size = 0, sz = 0;
1731 struct icmp6_hdr *icmp;
1732 struct nd_router_solicit *routersolicit = NULL;
1733 struct nd_router_advert *routeradvert = NULL;
1734 struct nd_neighbor_solicit *neighborsolicit = NULL;
1735 struct nd_neighbor_advert *neighboradvert = NULL;
1736
1737 char *data, *p;
1738 int len;
1739 u_char *pkt;
1740 int t;
1741 ip6 = (struct ip6_hdr *) get_str_var_by_name (lexic, "ip6");
1742 ip6_sz = get_var_size_by_name (lexic, "ip6");
1743
1744 if (ip6 != NULL)
1745 {
1746 retc = alloc_typed_cell (CONST_DATA);
1747 data = get_str_var_by_name (lexic, "data");
1748 len = data == NULL ? 0 : get_var_size_by_name (lexic, "data");
1749 t = get_int_var_by_name (lexic, "icmp_type", 0);
1750 if (40 > ip6_sz)
1751 return NULL;
1752
1753 /* ICMP header size is 8 */
1754 pkt = g_malloc0 (ip6_sz + 8 + len);
1755 ip6_icmp = (struct ip6_hdr *) pkt;
1756
1757 bcopy (ip6, ip6_icmp, ip6_sz);
1758 p = (char *) (pkt + ip6_sz);
1759 icmp = (struct icmp6_hdr *) p;
1760
1761 icmp->icmp6_code = get_int_var_by_name (lexic, "icmp_code", 0);
1762 icmp->icmp6_type = t;
1763
1764 switch (t)
1765 {
1766 case ICMP6_ECHO_REQUEST:
1767 {
1768 if (data != NULL)
1769 bcopy (data, &(p[8]), len);
1770 icmp->icmp6_id = get_int_var_by_name (lexic, "icmp_id", 0);
1771 icmp->icmp6_seq = get_int_var_by_name (lexic, "icmp_seq", 0);
1772 size = ip6_sz + 8 + len;
1773 sz = 8;
1774 }
1775 break;
1776 case ND_ROUTER_SOLICIT:
1777 {
1778 pkt =
1779 g_realloc (pkt, ip6_sz + sizeof (struct nd_router_solicit) + len);
1780 p = (char *) (pkt + ip6_sz);
1781 // Update ip6_icmp because it gets used again below
1782 ip6_icmp = (struct ip6_hdr *) pkt;
1783 routersolicit = (struct nd_router_solicit *) p;
1784 ((struct icmp6_hdr *) routersolicit)->icmp6_type = icmp->icmp6_type;
1785 ((struct icmp6_hdr *) routersolicit)->icmp6_code = icmp->icmp6_code;
1786 ((struct icmp6_hdr *) routersolicit)->icmp6_cksum =
1787 icmp->icmp6_cksum;
1788 size = ip6_sz + sizeof (struct nd_router_solicit) + len;
1789 sz = 4; /*type-1 byte, code-1byte, cksum-2bytes */
1790 }
1791 break;
1792 case ND_ROUTER_ADVERT:
1793 {
1794 pkt =
1795 g_realloc (pkt, ip6_sz + sizeof (struct nd_router_advert) + len);
1796 p = (char *) (pkt + ip6_sz);
1797 // Update ip6_icmp because it gets used again below
1798 ip6_icmp = (struct ip6_hdr *) pkt;
1799 // Let routeradvert point to routeradvert location in pkt
1800 routeradvert = (struct nd_router_advert *) p;
1801 // Set icmp6 header members
1802 ((struct icmp6_hdr *) routeradvert)->icmp6_type = icmp->icmp6_type;
1803 ((struct icmp6_hdr *) routeradvert)->icmp6_code = icmp->icmp6_code;
1804 ((struct icmp6_hdr *) routeradvert)->icmp6_cksum =
1805 icmp->icmp6_cksum;
1806 routeradvert->nd_ra_reachable =
1807 get_int_var_by_name (lexic, "reachable_time", 0);
1808 routeradvert->nd_ra_retransmit =
1809 get_int_var_by_name (lexic, "retransmit_timer", 0);
1810 routeradvert->nd_ra_curhoplimit = ip6_icmp->ip6_hlim;
1811 routeradvert->nd_ra_flags_reserved =
1812 get_int_var_by_name (lexic, "flags", 0);
1813 size = ip6_sz + sizeof (struct nd_router_advert) + len;
1814 sz = 5; /*type-1 byte, code-1byte, cksum-2bytes, current
1815 hoplimit-1byte */
1816 }
1817 break;
1818 case ND_NEIGHBOR_SOLICIT:
1819 {
1820 // Make room for nd_neighbor_solicit.nd_ns_target in packet
1821 pkt = g_realloc (pkt, ip6_sz + sizeof (struct nd_neighbor_solicit)
1822 + len);
1823 // Let p point to the start of nd_neighbor_solicit
1824 p = (char *) (pkt + ip6_sz);
1825 // Update ip6_icmp because it gets used again below
1826 ip6_icmp = (struct ip6_hdr *) pkt;
1827 // Fill in user date if provided
1828 if (data != NULL)
1829 memmove (&(p[8 + 16]), data, len);
1830 // Let neighborsolicit point to nd_neighbor_solicit location in pkt
1831 neighborsolicit = (struct nd_neighbor_solicit *) p;
1832 // Set icmp6 header members
1833 ((struct icmp6_hdr *) neighborsolicit)->icmp6_type =
1834 icmp->icmp6_type;
1835 ((struct icmp6_hdr *) neighborsolicit)->icmp6_code =
1836 icmp->icmp6_code;
1837 ((struct icmp6_hdr *) neighborsolicit)->icmp6_cksum =
1838 icmp->icmp6_cksum;
1839 // Set nd_ns_target
1840 memcpy (&neighborsolicit->nd_ns_target, &ip6_icmp->ip6_dst,
1841 sizeof (struct in6_addr)); /*dst ip should be link local */
1842 size = ip6_sz + sizeof (struct nd_neighbor_solicit) + len;
1843 sz = 4; /*type-1 byte, code-1byte, cksum-2bytes */
1844 }
1845 break;
1846 case ND_NEIGHBOR_ADVERT:
1847 {
1848 pkt = g_realloc (pkt,
1849 ip6_sz + sizeof (struct nd_neighbor_advert) + len);
1850 // Update ip6_icmp because it gets used again below
1851 ip6_icmp = (struct ip6_hdr *) pkt;
1852 p = (char *) (pkt + 40);
1853 neighboradvert = (struct nd_neighbor_advert *) p;
1854 // Set icmp6 header members
1855 ((struct icmp6_hdr *) neighboradvert)->icmp6_type =
1856 icmp->icmp6_type;
1857 ((struct icmp6_hdr *) neighboradvert)->icmp6_code =
1858 icmp->icmp6_code;
1859 ((struct icmp6_hdr *) neighboradvert)->icmp6_cksum =
1860 icmp->icmp6_cksum;
1861 neighboradvert->nd_na_flags_reserved =
1862 get_int_var_by_name (lexic, "flags", 0);
1863 if (neighboradvert->nd_na_flags_reserved & 0x00000020)
1864 memcpy (
1865 &neighboradvert->nd_na_target, &ip6_icmp->ip6_src,
1866 sizeof (struct in6_addr)); /*dst ip should be link local */
1867 else
1868 {
1869 if (get_var_size_by_name (lexic, "target") != 0)
1870 inet_pton (AF_INET6, get_str_var_by_name (lexic, "target"),
1871 &neighboradvert->nd_na_target);
1872 else
1873 {
1874 nasl_perror (lexic,
1875 "forge_icmp_v6_packet: missing 'target' "
1876 "parameter required for constructing response "
1877 "to a Neighbor Solicitation\n");
1878 g_free (ip6_icmp);
1879 return NULL;
1880 }
1881 }
1882 size = ip6_sz + sizeof (struct nd_neighbor_advert) + len;
1883 sz = 4; /*type-1 byte, code-1byte, cksum-2bytes */
1884 }
1885 break;
1886 default:
1887 {
1888 if (t < 0 || t > 255)
1889 {
1890 nasl_perror (lexic, "forge_icmp_v6_packet: illegal type %d\n",
1891 t);
1892 }
1893 else
1894 {
1895 if (data != NULL)
1896 bcopy (data, &(p[8]), len);
1897 icmp->icmp6_id = get_int_var_by_name (lexic, "icmp_id", 0);
1898 icmp->icmp6_seq = get_int_var_by_name (lexic, "icmp_seq", 0);
1899 size = ip6_sz + 8 + len;
1900 sz = 8;
1901 }
1902 }
1903 }
1904
1905 if (UNFIX (ip6_icmp->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
1906 {
1907 if (get_int_var_by_name (lexic, "update_ip_len", 1) != 0)
1908 {
1909 ip6_icmp->ip6_ctlun.ip6_un1.ip6_un1_plen = FIX (size - ip6_sz);
1910 }
1911 }
1912 if (get_int_var_by_name (lexic, "icmp_cksum", -1) == -1)
1913 {
1914 struct v6pseudo_icmp_hdr pseudohdr;
1915 char *icmpsumdata =
1916 g_malloc0 (sizeof (struct v6pseudo_icmp_hdr) + len + 1);
1917
1918 bzero (&pseudohdr, sizeof (struct v6pseudo_icmp_hdr));
1919 memcpy (&pseudohdr.s6addr, &ip6->ip6_src, sizeof (struct in6_addr));
1920 memcpy (&pseudohdr.d6addr, &ip6->ip6_dst, sizeof (struct in6_addr));
1921
1922 pseudohdr.proto = 0x3a; /*ICMPv6 */
1923 pseudohdr.len = htons (size - ip6_sz);
1924 bcopy ((char *) icmp, (char *) &pseudohdr.icmpheader, sz);
1925 bcopy ((char *) &pseudohdr, icmpsumdata, sizeof (pseudohdr));
1926 if (data != NULL)
1927 bcopy ((char *) data, icmpsumdata + sizeof (pseudohdr), len);
1928 icmp->icmp6_cksum =
1929 np_in_cksum ((unsigned short *) icmpsumdata, size);
1930 g_free (icmpsumdata);
1931 }
1932 else
1933 icmp->icmp6_cksum =
1934 htons (get_int_var_by_name (lexic, "icmp_cksum", 0));
1935 switch (t)
1936 {
1937 case ICMP6_ECHO_REQUEST:
1938 break;
1939 case ND_ROUTER_SOLICIT:
1940 {
1941 routersolicit->nd_rs_hdr.icmp6_cksum = icmp->icmp6_cksum;
1942 }
1943 break;
1944 case ND_ROUTER_ADVERT:
1945 {
1946 routeradvert->nd_ra_hdr.icmp6_cksum = icmp->icmp6_cksum;
1947 }
1948 break;
1949 case ND_NEIGHBOR_SOLICIT:
1950 {
1951 neighborsolicit->nd_ns_hdr.icmp6_cksum = icmp->icmp6_cksum;
1952 }
1953 break;
1954 case ND_NEIGHBOR_ADVERT:
1955 {
1956 neighboradvert->nd_na_hdr.icmp6_cksum = icmp->icmp6_cksum;
1957 }
1958 break;
1959 default:
1960 {
1961 }
1962 }
1963
1964 retc->x.str_val = (char *) pkt;
1965 retc->size = size;
1966 }
1967 else
1968 nasl_perror (lexic, "forge_icmp_v6_packet: missing 'ip6' parameter\n");
1969
1970 return retc;
1971}
nasl_perror
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition nasl_debug.c:105
get_var_size_by_name
int get_var_size_by_name(lex_ctxt *, const char *)
Definition nasl_var.c:1138
get_str_var_by_name
char * get_str_var_by_name(lex_ctxt *, const char *)
Definition nasl_var.c:1118
get_int_var_by_name
long int get_int_var_by_name(lex_ctxt *, const char *, int)
Definition nasl_var.c:1101
len
uint8_t len
Definition nasl_packet_forgery.c:1
FIX
#define FIX(n)
Definition nasl_packet_forgery_v6.c:62
np_in_cksum
static int np_in_cksum(u_short *p, int n)
Definition nasl_packet_forgery_v6.c:73
alloc_typed_cell
tree_cell * alloc_typed_cell(int typ)
Definition nasl_tree.c:25
CONST_DATA
@ CONST_DATA
Definition nasl_tree.h:82
tree_cell
struct TC tree_cell
TC::size
int size
Definition nasl_tree.h:99
TC::x
union TC::@332262321161220155002104006201360276211317150140 x
TC::str_val
char * str_val
Definition nasl_tree.h:103
v6pseudo_icmp_hdr
Definition nasl_packet_forgery_v6.c:1694

References alloc_typed_cell(), CONST_DATA, FIX, get_int_var_by_name(), get_str_var_by_name(), get_var_size_by_name(), len, nasl_perror(), np_in_cksum(), TC::size, TC::str_val, UNFIX, and TC::x.

Here is the call graph for this function:

◆ forge_igmp_v6_packet()

tree_cell * forge_igmp_v6_packet ( lex_ctxt * lexic)

Definition at line 2110 of file nasl_packet_forgery_v6.c.

2111{
2112 struct ip6_hdr *ip6 = (struct ip6_hdr *) get_str_var_by_name (lexic, "ip6");
2113
2114 if (ip6 != NULL)
2115 {
2116 char *data = get_str_var_by_name (lexic, "data");
2117 int len = data ? get_var_size_by_name (lexic, "data") : 0;
2118 u_char *pkt = g_malloc0 (sizeof (struct igmp6_hdr) + 40 + len);
2119 struct ip6_hdr *ip6_igmp = (struct ip6_hdr *) pkt;
2120 struct igmp6_hdr *igmp;
2121 char *p;
2122 char *grp;
2123 tree_cell *retc;
2124 int ipsz = get_var_size_by_name (lexic, "ip6");
2125
2126 bcopy (ip6, ip6_igmp, ipsz);
2127
2128 if (UNFIX (ip6_igmp->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
2129 {
2130 int v = get_int_var_by_name (lexic, "update_ip6_len", 1);
2131 if (v != 0)
2132 {
2133 ip6_igmp->ip6_ctlun.ip6_un1.ip6_un1_plen =
2134 FIX (40 + sizeof (struct igmp6_hdr) + len);
2135 }
2136 }
2137 p = (char *) (pkt + 40);
2138 igmp = (struct igmp6_hdr *) p;
2139
2140 igmp->code = get_int_var_by_name (lexic, "code", 0);
2141 igmp->type = get_int_var_by_name (lexic, "type", 0);
2142 grp = get_str_var_by_name (lexic, "group");
2143
2144 if (grp != NULL)
2145 {
2146 inet_pton (AF_INET6, grp, &igmp->group);
2147 }
2148
2149 igmp->cksum = np_in_cksum ((u_short *) igmp, sizeof (struct igmp6_hdr));
2150 if (data != NULL)
2151 {
2152 char *ptmp = (char *) (pkt + 40 + sizeof (struct igmp6_hdr));
2153 bcopy (ptmp, data, len);
2154 }
2155 retc = alloc_typed_cell (CONST_DATA);
2156 retc->x.str_val = (char *) pkt;
2157 retc->size = 40 + sizeof (struct igmp6_hdr) + len;
2158 return retc;
2159 }
2160 else
2161 nasl_perror (lexic, "forge_igmp_v6_packet: missing 'ip6' parameter\n");
2162
2163 return NULL;
2164}
igmp6_hdr
Definition nasl_packet_forgery_v6.c:2090
igmp::group
struct in_addr group
Definition nasl_packet_forgery.c:1956
igmp::type
unsigned char type
Definition nasl_packet_forgery.c:1953
igmp::code
unsigned char code
Definition nasl_packet_forgery.c:1954
igmp::cksum
unsigned short cksum
Definition nasl_packet_forgery.c:1955

References alloc_typed_cell(), igmp::cksum, igmp::code, CONST_DATA, FIX, get_int_var_by_name(), get_str_var_by_name(), get_var_size_by_name(), igmp::group, len, nasl_perror(), np_in_cksum(), TC::size, TC::str_val, igmp::type, UNFIX, and TC::x.

Here is the call graph for this function:

◆ forge_ip_v6_packet()

tree_cell * forge_ip_v6_packet ( lex_ctxt * lexic)

Forge an IPv6 packet.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]dataData payload
[in]ip6_vVersion. 6 by default.
[in]ip6_tcTraffic class. 0 by default.
[in]ip6_flFlow label. 0 by default.
[in]ip6_pIP protocol. 0 by default.
[in]ip6_hlimHop limit. Max. 255. 64 by default.
[in]ip6_srcSource address.
[in]ip6_dstDestination address.
Returns
Forged IP packet.

Definition at line 118 of file nasl_packet_forgery_v6.c.

119{
120 tree_cell *retc;
121 struct ip6_hdr *pkt;
122 char *s;
123 struct script_infos *script_infos = lexic->script_infos;
124 struct in6_addr *dst_addr;
125 char *data;
126 int data_len;
127 int version;
128 int tc;
129 int fl;
130
131 dst_addr = plug_get_host_ip (script_infos);
132
133 if (dst_addr == NULL || (IN6_IS_ADDR_V4MAPPED (dst_addr) == 1))
134 return NULL;
135
136 data = get_str_var_by_name (lexic, "data");
137 data_len = get_var_size_by_name (lexic, "data");
138
139 retc = alloc_typed_cell (CONST_DATA);
140 retc->size = sizeof (struct ip6_hdr) + data_len;
141
142 pkt = (struct ip6_hdr *) g_malloc0 (sizeof (struct ip6_hdr) + data_len);
143 retc->x.str_val = (char *) pkt;
144
145 version = get_int_var_by_name (lexic, "ip6_v", 6);
146 tc = get_int_var_by_name (lexic, "ip6_tc", 0);
147 fl = get_int_var_by_name (lexic, "ip6_fl", 0);
148
149 pkt->ip6_flow = htonl (version << 28 | tc << 20 | fl);
150
151 pkt->ip6_plen = FIX (data_len); /* No extension headers ? */
152 pkt->ip6_nxt = get_int_var_by_name (lexic, "ip6_p", 0);
153 pkt->ip6_hlim = get_int_var_by_name (lexic, "ip6_hlim", 64);
154
155 /* source */
156 s = get_str_var_by_name (lexic, "ip6_src");
157 if (s != NULL)
158 inet_pton (AF_INET6, s, &pkt->ip6_src);
159 /* else this host address? */
160
161 s = get_str_var_by_name (lexic, "ip6_dst");
162 if (s != NULL)
163 inet_pton (AF_INET6, s, &pkt->ip6_dst);
164 else
165 pkt->ip6_dst = *dst_addr;
166
167 if (data != NULL)
168 {
169 bcopy (data, retc->x.str_val + sizeof (struct ip6_hdr), data_len);
170 }
171
172 /*
173 There is no checksum for ipv6. Only upper layer
174 calculates a checksum using pseudoheader
175 */
176 return retc;
177}
plug_get_host_ip
struct in6_addr * plug_get_host_ip(struct script_infos *args)
Definition plugutils.c:371
script_infos
Definition scanneraux.h:29
struct_lex_ctxt::script_infos
struct script_infos * script_infos
Definition nasl_lex_ctxt.h:33

References alloc_typed_cell(), CONST_DATA, FIX, get_int_var_by_name(), get_str_var_by_name(), get_var_size_by_name(), plug_get_host_ip(), struct_lex_ctxt::script_infos, TC::size, TC::str_val, and TC::x.

Here is the call graph for this function:

◆ forge_tcp_v6_packet()

tree_cell * forge_tcp_v6_packet ( lex_ctxt * lexic)

Forge TCP packet.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]ip6IPv6 packet.
[in]dataData.
[in]th_sportSource port. 0 by default.
[in]th_dportDestination port. 0 by default.
[in]th_seqSequence number. Random by default.
[in]th_ackAcknowledgement number. 0 by default.
[in]th_x20 by default.
[in]th_offData offset. 5 by default.
[in]th_flagsFlags. 0 by default.
[in]th_winWindow. 0 by default.
[in]th_sumChecksum. Is filled in automatically by default
[in]th_urpUrgent pointer. 0 by default.
Returns
tree_cell with the forged TCP packet containing IPv6 header.

Definition at line 530 of file nasl_packet_forgery_v6.c.

531{
532 tree_cell *retc;
533 char *data;
534 int len;
535 struct ip6_hdr *ip6, *tcp_packet;
536 struct tcphdr *tcp;
537 int ipsz;
538
539 ip6 = (struct ip6_hdr *) get_str_var_by_name (lexic, "ip6");
540 if (ip6 == NULL)
541 {
542 nasl_perror (lexic,
543 "forge_tcp_v6_packet: You must supply the 'ip6' argument\n");
544 return NULL;
545 }
546
547 ipsz = get_var_size_by_name (lexic, "ip6");
548
549 // Not considering IP Options.
550 if (ipsz != 40)
551 ipsz = 40;
552
553 data = get_str_var_by_name (lexic, "data");
554 len = data == NULL ? 0 : get_var_size_by_name (lexic, "data");
555
556 retc = alloc_typed_cell (CONST_DATA);
557 tcp_packet =
558 (struct ip6_hdr *) g_malloc0 (ipsz + sizeof (struct tcphdr) + len);
559 retc->x.str_val = (char *) tcp_packet;
560
561 bcopy (ip6, tcp_packet, ipsz);
562 /* Adjust length in ipv6 header */
563 tcp_packet->ip6_ctlun.ip6_un1.ip6_un1_plen =
564 FIX (sizeof (struct tcphdr) + len);
565 tcp = (struct tcphdr *) ((char *) tcp_packet + 40);
566
567 tcp->th_sport = ntohs (get_int_var_by_name (lexic, "th_sport", 0));
568 tcp->th_dport = ntohs (get_int_var_by_name (lexic, "th_dport", 0));
569 tcp->th_seq = htonl (get_int_var_by_name (lexic, "th_seq", rand ()));
570 tcp->th_ack = htonl (get_int_var_by_name (lexic, "th_ack", 0));
571 tcp->th_x2 = get_int_var_by_name (lexic, "th_x2", 0);
572 tcp->th_off = get_int_var_by_name (lexic, "th_off", 5);
573 tcp->th_flags = get_int_var_by_name (lexic, "th_flags", 0);
574 tcp->th_win = htons (get_int_var_by_name (lexic, "th_win", 0));
575 tcp->th_sum = get_int_var_by_name (lexic, "th_sum", 0);
576 tcp->th_urp = get_int_var_by_name (lexic, "th_urp", 0);
577
578 if (data != NULL)
579 bcopy (data, (char *) tcp + sizeof (struct tcphdr), len);
580
581 if (!tcp->th_sum)
582 {
583 struct v6pseudohdr pseudoheader;
584 char *tcpsumdata = g_malloc0 (sizeof (struct v6pseudohdr) + len + 1);
585
586 bzero (&pseudoheader, 38 + sizeof (struct tcphdr));
587 memcpy (&pseudoheader.s6addr, &ip6->ip6_src, sizeof (struct in6_addr));
588 memcpy (&pseudoheader.d6addr, &ip6->ip6_dst, sizeof (struct in6_addr));
589
590 pseudoheader.protocol = IPPROTO_TCP;
591 pseudoheader.length = htons (sizeof (struct tcphdr) + len);
592 bcopy ((char *) tcp, (char *) &pseudoheader.tcpheader,
593 sizeof (struct tcphdr));
594 /* fill tcpsumdata with data to checksum */
595 bcopy ((char *) &pseudoheader, tcpsumdata, sizeof (struct v6pseudohdr));
596 if (data != NULL)
597 bcopy ((char *) data, tcpsumdata + sizeof (struct v6pseudohdr), len);
598 tcp->th_sum = np_in_cksum ((unsigned short *) tcpsumdata,
599 38 + sizeof (struct tcphdr) + len);
600 g_free (tcpsumdata);
601 }
602
603 retc->size = ipsz + sizeof (struct tcphdr) + len;
604 return retc;
605}

References alloc_typed_cell(), CONST_DATA, v6pseudohdr::d6addr, FIX, get_int_var_by_name(), get_str_var_by_name(), get_var_size_by_name(), len, v6pseudohdr::length, nasl_perror(), np_in_cksum(), v6pseudohdr::protocol, v6pseudohdr::s6addr, TC::size, TC::str_val, v6pseudohdr::tcpheader, and TC::x.

Here is the call graph for this function:

◆ forge_udp_v6_packet()

tree_cell * forge_udp_v6_packet ( lex_ctxt * lexic)

Definition at line 1395 of file nasl_packet_forgery_v6.c.

1396{
1397 tree_cell *retc;
1398 struct ip6_hdr *ip6 = (struct ip6_hdr *) get_str_var_by_name (lexic, "ip6");
1399
1400 if (ip6 != NULL)
1401 {
1402 char *data = get_str_var_by_name (lexic, "data");
1403 int data_len = get_var_size_by_name (lexic, "data");
1404 u_char *pkt;
1405 struct ip6_hdr *udp_packet;
1406 struct udphdr *udp;
1407
1408 pkt = g_malloc0 (sizeof (struct udphdr) + 40 + data_len);
1409 udp_packet = (struct ip6_hdr *) pkt;
1410 udp = (struct udphdr *) (pkt + 40);
1411
1412 udp->uh_sum = get_int_var_by_name (lexic, "uh_sum", 0);
1413 bcopy ((char *) ip6, pkt, 40);
1414
1415 udp->uh_sport = htons (get_int_var_by_name (lexic, "uh_sport", 0));
1416 udp->uh_dport = htons (get_int_var_by_name (lexic, "uh_dport", 0));
1417 udp->uh_ulen = htons (get_int_var_by_name (
1418 lexic, "uh_ulen", data_len + sizeof (struct udphdr)));
1419
1420 if (data_len != 0 && data != NULL)
1421 bcopy (data, (pkt + 40 + sizeof (struct udphdr)), data_len);
1422
1423 if (!udp->uh_sum)
1424 {
1425 struct v6pseudo_udp_hdr pseudohdr;
1426 char *udpsumdata =
1427 g_malloc0 (sizeof (struct v6pseudo_udp_hdr) + data_len + 1);
1428
1429 bzero (&pseudohdr, sizeof (struct v6pseudo_udp_hdr));
1430 memcpy (&pseudohdr.s6addr, &ip6->ip6_src, sizeof (struct in6_addr));
1431 memcpy (&pseudohdr.d6addr, &ip6->ip6_dst, sizeof (struct in6_addr));
1432
1433 pseudohdr.proto = IPPROTO_UDP;
1434 pseudohdr.len = htons (sizeof (struct udphdr) + data_len);
1435 bcopy ((char *) udp, (char *) &pseudohdr.udpheader,
1436 sizeof (struct udphdr));
1437 bcopy ((char *) &pseudohdr, udpsumdata, sizeof (pseudohdr));
1438 if (data != NULL)
1439 {
1440 bcopy ((char *) data, udpsumdata + sizeof (pseudohdr), data_len);
1441 }
1442 udp->uh_sum = np_in_cksum ((unsigned short *) udpsumdata,
1443 38 + sizeof (struct udphdr) + data_len);
1444 g_free (udpsumdata);
1445 }
1446
1447 if (UNFIX (udp_packet->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
1448 {
1449 int v = get_int_var_by_name (lexic, "update_ip6_len", 1);
1450 if (v != 0)
1451 {
1452 udp_packet->ip6_ctlun.ip6_un1.ip6_un1_plen =
1453 FIX (ntohs (udp->uh_ulen));
1454 }
1455 }
1456
1457 retc = alloc_typed_cell (CONST_DATA);
1458 retc->x.str_val = (char *) pkt;
1459 retc->size = 8 + 40 + data_len;
1460
1461 return retc;
1462 }
1463 else
1464 nasl_perror (lexic, "forge_udp_v6_packet:'ip6' argument missing. \n");
1465
1466 return NULL;
1467}
v6pseudo_udp_hdr
Definition nasl_packet_forgery_v6.c:1372

References alloc_typed_cell(), CONST_DATA, FIX, get_int_var_by_name(), get_str_var_by_name(), get_var_size_by_name(), nasl_perror(), np_in_cksum(), TC::size, TC::str_val, UNFIX, and TC::x.

Here is the call graph for this function:

◆ get_icmp_v6_element()

tree_cell * get_icmp_v6_element ( lex_ctxt * lexic)

Definition at line 1984 of file nasl_packet_forgery_v6.c.

1985{
1986 struct icmp6_hdr *icmp;
1987 char *p;
1988
1989 if ((p = get_str_var_by_name (lexic, "icmp")) != NULL)
1990 {
1991 char *elem = get_str_var_by_name (lexic, "element");
1992 int value;
1993 tree_cell *retc;
1994
1995 icmp = (struct icmp6_hdr *) (p + 40);
1996
1997 if (elem == NULL)
1998 {
1999 nasl_perror (lexic, "%s: Missing 'element' argument\n", __func__);
2000 return NULL;
2001 }
2002
2003 else if (!strcmp (elem, "icmp_code"))
2004 value = icmp->icmp6_code;
2005 else if (!strcmp (elem, "icmp_type"))
2006 value = icmp->icmp6_type;
2007 else if (!strcmp (elem, "icmp_cksum"))
2008 value = ntohs (icmp->icmp6_cksum);
2009 else if (!strcmp (elem, "icmp_id"))
2010 value = ntohs (icmp->icmp6_id);
2011 else if (!strcmp (elem, "icmp_seq"))
2012 value = ntohs (icmp->icmp6_seq);
2013 else if (!strcmp (elem, "data"))
2014 {
2015 retc = alloc_typed_cell (CONST_DATA);
2016 retc->size = get_var_size_by_name (lexic, "icmp") - 40 - 8;
2017 if (retc->size > 0)
2018 {
2019 retc->x.str_val = g_malloc0 (retc->size + 1);
2020 memcpy (retc->x.str_val, &(p[40 + 8]), retc->size + 1);
2021 }
2022 else
2023 {
2024 retc->x.str_val = NULL;
2025 retc->size = 0;
2026 }
2027 return retc;
2028 }
2029 else
2030 {
2031 nasl_perror (lexic, "%s: '%s' not a valid 'element' argument\n",
2032 __func__, elem);
2033 return NULL;
2034 }
2035
2036 retc = alloc_typed_cell (CONST_INT);
2037 retc->x.i_val = value;
2038 return retc;
2039 }
2040 else
2041 nasl_perror (lexic, "%s: missing 'icmp' parameter\n", __func__);
2042
2043 return NULL;
2044}
CONST_INT
@ CONST_INT
Definition nasl_tree.h:79
TC::i_val
long int i_val
Definition nasl_tree.h:104

References alloc_typed_cell(), CONST_DATA, CONST_INT, get_str_var_by_name(), get_var_size_by_name(), TC::i_val, nasl_perror(), TC::size, TC::str_val, and TC::x.

Here is the call graph for this function:

◆ get_ip_v6_element()

tree_cell * get_ip_v6_element ( lex_ctxt * lexic)

Obtain IPv6 header element.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]ipv6IPv6 header. TODO: Once versions older than 20.08 are no longer in use the parameter name can be changed to 'ip6'.
[in]elementElement to extract from the header.
Returns
tree_cell with the IP header element.

Definition at line 190 of file nasl_packet_forgery_v6.c.

191{
192 tree_cell *retc;
193 char *element = get_str_var_by_name (lexic, "element");
194 char ret_ascii[INET6_ADDRSTRLEN];
195 int ret_int = 0;
196 int flag = 0;
197 struct ip6_hdr *ip6;
198
199 /* Parameter name 'ipv6' was renamed to 'ip6' for consistency.
200 * For backwards compatibility reasons we still need to consider the 'ipv6'
201 * argument.
202 */
203 ip6 = (struct ip6_hdr *) get_str_var_by_name (lexic, "ipv6");
204 if (ip6 == NULL)
205 {
206 ip6 = (struct ip6_hdr *) get_str_var_by_name (lexic, "ip6");
207 if (ip6 == NULL)
208 {
209 nasl_perror (lexic, "%s: no valid 'ip6' argument\n", __func__);
210 return NULL;
211 }
212 }
213
214 if (element == NULL)
215 {
216 nasl_perror (lexic, "%s: no valid 'element' argument\n", __func__);
217 return NULL;
218 }
219
220 if (!strcmp (element, "ip6_v"))
221 {
222 ret_int = ntohl (ip6->ip6_flow) >> 28;
223 flag++;
224 }
225 else if (!strcmp (element, "ip6_tc"))
226 {
227 ret_int = (ntohl (ip6->ip6_flow) >> 20) & 0xff;
228 flag++;
229 }
230 else if (!strcmp (element, "ip6_fl"))
231 {
232 ret_int = ntohl (ip6->ip6_flow) & 0x3ffff;
233 flag++;
234 }
235 else if (!strcmp (element, "ip6_plen"))
236 {
237 ret_int = UNFIX (ip6->ip6_plen);
238 flag++;
239 }
240 else if (!strcmp (element, "ip6_nxt"))
241 {
242 ret_int = (ip6->ip6_nxt);
243 flag++;
244 }
245 else if (!strcmp (element, "ip6_hlim"))
246 {
247 ret_int = (ip6->ip6_hlim);
248 flag++;
249 }
250
251 if (flag != 0)
252 {
253 retc = alloc_typed_cell (CONST_INT);
254 retc->x.i_val = ret_int;
255 return retc;
256 }
257
258 if (!strcmp (element, "ip6_src"))
259 {
260 inet_ntop (AF_INET6, &ip6->ip6_src, ret_ascii, sizeof (ret_ascii));
261 flag++;
262 }
263 else if (!strcmp (element, "ip6_dst"))
264 {
265 inet_ntop (AF_INET6, &ip6->ip6_dst, ret_ascii, sizeof (ret_ascii));
266 flag++;
267 }
268
269 if (flag == 0)
270 {
271 nasl_perror (lexic, "%s : unknown element '%s'\n", __func__, element);
272 return NULL;
273 }
274
275 retc = alloc_typed_cell (CONST_DATA);
276 retc->size = strlen (ret_ascii);
277 retc->x.str_val = g_strdup (ret_ascii);
278
279 return retc;
280}

References alloc_typed_cell(), CONST_DATA, CONST_INT, get_str_var_by_name(), TC::i_val, nasl_perror(), TC::size, TC::str_val, UNFIX, and TC::x.

Here is the call graph for this function:

◆ get_tcp_v6_element()

tree_cell * get_tcp_v6_element ( lex_ctxt * lexic)

Get TCP Header element.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]tcpIPv6 packet
[in]elementElement to extract from the header (see forge_tcp_v6_packet()).
Returns
tree_cell with the forged IP packet.

Definition at line 618 of file nasl_packet_forgery_v6.c.

619{
620 u_char *packet = (u_char *) get_str_var_by_name (lexic, "tcp");
621 struct ip6_hdr *ip6;
622 int ipsz;
623 struct tcphdr *tcp;
624 char *element;
625 int ret;
626 tree_cell *retc;
627
628 ipsz = get_var_size_by_name (lexic, "tcp");
629
630 if (packet == NULL)
631 {
632 nasl_perror (lexic, "get_tcp_v6_element: No valid 'tcp' argument\n");
633 return NULL;
634 }
635
636 ip6 = (struct ip6_hdr *) packet;
637
638 /* valid ipv6 header check */
639 if (UNFIX (ip6->ip6_plen) > ipsz)
640 return NULL; /* Invalid packet */
641
642 tcp = (struct tcphdr *) (packet + 40);
643
644 element = get_str_var_by_name (lexic, "element");
645 if (!element)
646 {
647 nasl_perror (lexic, "get_tcp_v6_element: No valid 'element' argument\n");
648 return NULL;
649 }
650
651 if (!strcmp (element, "th_sport"))
652 ret = ntohs (tcp->th_sport);
653 else if (!strcmp (element, "th_dsport"))
654 ret = ntohs (tcp->th_dport);
655 else if (!strcmp (element, "th_seq"))
656 ret = ntohl (tcp->th_seq);
657 else if (!strcmp (element, "th_ack"))
658 ret = ntohl (tcp->th_ack);
659 else if (!strcmp (element, "th_x2"))
660 ret = tcp->th_x2;
661 else if (!strcmp (element, "th_off"))
662 ret = tcp->th_off;
663 else if (!strcmp (element, "th_flags"))
664 ret = tcp->th_flags;
665 else if (!strcmp (element, "th_win"))
666 ret = ntohs (tcp->th_win);
667 else if (!strcmp (element, "th_sum"))
668 ret = tcp->th_sum;
669 else if (!strcmp (element, "th_urp"))
670 ret = tcp->th_urp;
671 else if (!strcmp (element, "data"))
672 {
673 retc = alloc_typed_cell (CONST_DATA);
674 retc->size = UNFIX (ip6->ip6_plen) - tcp->th_off * 4;
675 if (retc->size < 0 || retc->size > ipsz - 40 - tcp->th_off * 4)
676 {
677 nasl_perror (lexic,
678 "get_tcp_v6_element: Erroneous tcp header offset %d\n",
679 retc->size);
680 deref_cell (retc);
681 return NULL;
682 }
683 retc->x.str_val = g_malloc0 (retc->size);
684 bcopy ((char *) tcp + tcp->th_off * 4, retc->x.str_val, retc->size);
685 return retc;
686 }
687 else
688 {
689 nasl_perror (lexic, "get_tcp_v6_element: Unknown tcp field %s\n",
690 element);
691 return NULL;
692 }
693
694 retc = alloc_typed_cell (CONST_INT);
695 retc->x.i_val = ret;
696 return retc;
697}
deref_cell
void deref_cell(tree_cell *c)
Definition nasl_tree.c:178

References alloc_typed_cell(), CONST_DATA, CONST_INT, deref_cell(), get_str_var_by_name(), get_var_size_by_name(), TC::i_val, nasl_perror(), TC::size, TC::str_val, UNFIX, and TC::x.

Here is the call graph for this function:

◆ get_tcp_v6_option()

tree_cell * get_tcp_v6_option ( lex_ctxt * lexic)

Get a TCP option from an IP datagram if present. Possible options are: TCPOPT_MAXSEG (2), values between 536 and 65535 TCPOPT_WINDOW (3), with values between 0 and 14 TCPOPT_SACK_PERMITTED (4), no value required. TCPOPT_TIMESTAMP (8), 8 bytes value for timestamp and echo timestamp, 4 bytes each one.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]tcpThe full IP datagram (IP + TCP).
[in]optionOption to get.
Returns
Integer or array given the case.

Definition at line 775 of file nasl_packet_forgery_v6.c.

776{
777 u_char *packet = (u_char *) get_str_var_by_name (lexic, "tcp");
778 struct ip6_hdr *ip6;
779 int ipsz;
780 struct tcphdr *tcp;
781 char *options;
782 int opt;
783 tree_cell *retc;
784 nasl_array *arr;
785 anon_nasl_var v;
786
787 struct tcp_options *tcp_all_options = NULL;
788
789 if (packet == NULL)
790 {
791 nasl_perror (lexic, "%s: No valid 'tcp' argument passed.\n", __func__);
792 return NULL;
793 }
794
795 opt = get_int_var_by_name (lexic, "option", -1);
796 if (opt < 0)
797 {
798 nasl_perror (lexic,
799 "%s: No 'option' argument passed but required.\n."
800 "Usage: %s(tcp:<tcp>, option:<TCPOPT>)",
801 __func__, __func__);
802 return NULL;
803 }
804
805 ip6 = (struct ip6_hdr *) packet;
806
807 /* valid ipv6 header check */
808 ipsz = get_var_size_by_name (lexic, "tcp");
809 if (UNFIX (ip6->ip6_plen) > ipsz)
810 return NULL; /* Invalid packet */
811
812 tcp = (struct tcphdr *) (packet + 40);
813
814 if (tcp->th_off <= 5)
815 return NULL;
816
817 // Get options from the segment
818 options = (char *) g_malloc0 (sizeof (uint8_t) * 4 * (tcp->th_off - 5));
819 memcpy (options, (char *) tcp + 20, (tcp->th_off - 5) * 4);
820
821 tcp_all_options = g_malloc0 (sizeof (struct tcp_options));
822 get_tcp_options (options, tcp_all_options);
823 if (tcp_all_options == NULL)
824 {
825 nasl_perror (lexic, "%s: No TCP options found in passed TCP packet.\n",
826 __func__);
827
828 g_free (options);
829 return NULL;
830 }
831
832 opt = get_int_var_by_name (lexic, "option", -1);
833 retc = NULL;
834 switch (opt)
835 {
836 case TCPOPT_MAXSEG:
837 retc = alloc_typed_cell (CONST_INT);
838 retc->x.i_val = ntohs ((uint16_t) tcp_all_options->mss.mss);
839 break;
840 case TCPOPT_WINDOW:
841 retc = alloc_typed_cell (CONST_INT);
842 retc->x.i_val = tcp_all_options->wscale.wscale;
843 break;
844 case TCPOPT_SACK_PERMITTED:
845 retc = alloc_typed_cell (CONST_INT);
846 retc->x.i_val = tcp_all_options->sack_perm.kind ? 1 : 0;
847 break;
848 case TCPOPT_TIMESTAMP:
849 retc = alloc_typed_cell (DYN_ARRAY);
850 retc->x.ref_val = arr = g_malloc0 (sizeof (nasl_array));
851
852 memset (&v, 0, sizeof (v));
853 v.var_type = VAR2_INT;
854 v.v.v_int = ntohl ((uint32_t) tcp_all_options->tstamp.tstamp);
855 add_var_to_array (arr, "timestamp", &v);
856
857 memset (&v, 0, sizeof (v));
858 v.var_type = VAR2_INT;
859 v.v.v_int = ntohl ((uint32_t) tcp_all_options->tstamp.e_tstamp);
860 add_var_to_array (arr, "echo_timestamp", &v);
861 break;
862 default:
863 nasl_perror (lexic, "%s: Invalid TCP option passed.\n", __func__);
864 break;
865 }
866
867 g_free (tcp_all_options);
868 g_free (options);
869 return retc;
870}
DYN_ARRAY
@ DYN_ARRAY
Definition nasl_tree.h:90
add_var_to_array
int add_var_to_array(nasl_array *a, char *name, const anon_nasl_var *v)
Definition nasl_var.c:1277
anon_nasl_var
struct st_a_nasl_var anon_nasl_var
nasl_array
struct st_nasl_array nasl_array
VAR2_INT
@ VAR2_INT
Definition nasl_var.h:16
TC::ref_val
void * ref_val
Definition nasl_tree.h:105
st_a_nasl_var::var_type
int var_type
Definition nasl_var.h:41
st_a_nasl_var::v
union st_a_nasl_var::@154137074032032170165360023270032033276061363156 v
st_a_nasl_var::v_int
long int v_int
Definition nasl_var.h:48

References add_var_to_array(), alloc_typed_cell(), CONST_INT, DYN_ARRAY, tcp_opt_tstamp::e_tstamp, get_int_var_by_name(), get_str_var_by_name(), get_tcp_options(), get_var_size_by_name(), TC::i_val, tcp_opt_sack_perm::kind, tcp_opt_mss::mss, tcp_options::mss, nasl_perror(), TC::ref_val, tcp_options::sack_perm, tcp_opt_tstamp::tstamp, tcp_options::tstamp, UNFIX, st_a_nasl_var::v, st_a_nasl_var::v_int, VAR2_INT, st_a_nasl_var::var_type, tcp_opt_wscale::wscale, tcp_options::wscale, and TC::x.

Here is the call graph for this function:

◆ get_udp_v6_element()

tree_cell * get_udp_v6_element ( lex_ctxt * lexic)

Definition at line 1479 of file nasl_packet_forgery_v6.c.

1480{
1481 tree_cell *retc;
1482 char *udp;
1483 char *element;
1484 unsigned int ipsz;
1485 struct udphdr *udphdr;
1486 int ret;
1487
1488 udp = get_str_var_by_name (lexic, "udp");
1489 ipsz = get_var_size_by_name (lexic, "udp");
1490
1491 element = get_str_var_by_name (lexic, "element");
1492 if (udp == NULL || element == NULL)
1493 {
1494 nasl_perror (
1495 lexic, "get_udp_v6_element() usage :\n"
1496 "element = get_udp_v6_element(udp:<udp>,element:<element>\n");
1497 return NULL;
1498 }
1499
1500 if (40 + sizeof (struct udphdr) > ipsz)
1501 return NULL;
1502
1503 udphdr = (struct udphdr *) (udp + 40);
1504 if (!strcmp (element, "uh_sport"))
1505 ret = ntohs (udphdr->uh_sport);
1506 else if (!strcmp (element, "uh_dport"))
1507 ret = ntohs (udphdr->uh_dport);
1508 else if (!strcmp (element, "uh_ulen"))
1509 ret = ntohs (udphdr->uh_ulen);
1510 else if (!strcmp (element, "uh_sum"))
1511 ret = ntohs (udphdr->uh_sum);
1512 else if (!strcmp (element, "data"))
1513 {
1514 int sz;
1515 retc = alloc_typed_cell (CONST_DATA);
1516 sz = ntohs (udphdr->uh_ulen) - sizeof (struct udphdr);
1517
1518 if (ntohs (udphdr->uh_ulen) - 40 - sizeof (struct udphdr) > ipsz)
1519 sz = ipsz - 40 - sizeof (struct udphdr);
1520
1521 retc->x.str_val = g_malloc0 (sz);
1522 retc->size = sz;
1523 bcopy (udp + 40 + sizeof (struct udphdr), retc->x.str_val, sz);
1524 return retc;
1525 }
1526 else
1527 {
1528 nasl_perror (lexic, "%s is not a value of a udp packet\n", element);
1529 return NULL;
1530 }
1531
1532 retc = alloc_typed_cell (CONST_INT);
1533 retc->x.i_val = ret;
1534 return retc;
1535}

References alloc_typed_cell(), CONST_DATA, CONST_INT, get_str_var_by_name(), get_var_size_by_name(), TC::i_val, nasl_perror(), TC::size, TC::str_val, and TC::x.

Here is the call graph for this function:

◆ insert_ip_v6_options()

tree_cell * insert_ip_v6_options ( lex_ctxt * lexic)

Adds an IPv6 option to the datagram.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]ip6IPv6 packet.
[in]dataData payload.
[in]codeCode of option.
[in]lengthLength of value.
[in]valueValue of the option.
Returns
the modified datagram.

Definition at line 394 of file nasl_packet_forgery_v6.c.

395{
396 struct ip6_hdr *ip6 = (struct ip6_hdr *) get_str_var_by_name (lexic, "ip6");
397 int code = get_int_var_by_name (lexic, "code", 0);
398 int len = get_int_var_by_name (lexic, "length", 0);
399 char *value = get_str_var_by_name (lexic, "value");
400 int value_size = get_var_size_by_name (lexic, "value");
401 tree_cell *retc;
402 struct ip6_hdr *new_packet;
403 char *p;
404 int size = get_var_size_by_name (lexic, "ip6");
405 u_char uc_code, uc_len;
406 int pad_len;
407 char zero = '0';
408 int i;
409 int pl;
410
411 if (ip6 == NULL)
412 {
413 nasl_perror (lexic,
414 "Usage : %s(ip6:<ip6>, code:<code>, "
415 "length:<len>, value:<value>\n",
416 __func__);
417 return NULL;
418 }
419
420 pad_len = 4 - ((sizeof (uc_code) + sizeof (uc_len) + value_size) % 4);
421 if (pad_len == 4)
422 pad_len = 0;
423
424 pl = 40 < UNFIX (ip6->ip6_plen) ? 40 : UNFIX (ip6->ip6_plen);
425 new_packet = g_malloc0 (size + 4 + value_size + pad_len);
426 bcopy (ip6, new_packet, pl);
427
428 uc_code = (u_char) code;
429 uc_len = (u_char) len;
430
431 p = (char *) new_packet;
432 bcopy (&uc_code, p + pl, sizeof (uc_code));
433 bcopy (&uc_len, p + pl + sizeof (uc_code), sizeof (uc_len));
434 bcopy (value, p + pl + sizeof (uc_code) + sizeof (uc_len), value_size);
435
436 zero = 0;
437 for (i = 0; i < pad_len; i++)
438 {
439 bcopy (&zero,
440 p + pl + sizeof (uc_code) + sizeof (uc_len) + value_size + i, 1);
441 }
442
443 p = (char *) ip6;
444 bcopy (p + pl,
445 new_packet
446 + (sizeof (uc_code) + sizeof (uc_len) + value_size + pad_len) + pl,
447 size - pl);
448
449 new_packet->ip6_plen =
450 FIX (size + sizeof (uc_code) + sizeof (uc_len) + value_size + pad_len);
451
452 retc = alloc_typed_cell (CONST_DATA);
453 retc->size = size + value_size + sizeof (uc_code) + sizeof (uc_len) + pad_len;
454 retc->x.str_val = (char *) new_packet;
455
456 return retc;
457}
code
#define code
zero
u_char zero
Definition nasl_packet_forgery.c:2

◆ insert_tcp_v6_options()

tree_cell * insert_tcp_v6_options ( lex_ctxt * lexic)

Add options to a TCP segment header. Possible options are: TCPOPT_MAXSEG (2), values between 536 and 65535 TCPOPT_WINDOW (3), with values between 0 and 14 TCPOPT_SACK_PERMITTED (4), no value required. TCPOPT_TIMESTAMP (8), 8 bytes value for timestamp and echo timestamp, 4 bytes each one.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]tcpIP datagram.
[in]data(optional) TCP data payload.
[in]unnamedoption.
[in]Valuefor unnamed option if required.
Returns
The modified IP datagram.

Definition at line 999 of file nasl_packet_forgery_v6.c.

1000{
1001 char *pkt = get_str_var_by_name (lexic, "tcp");
1002 struct ip6_hdr *ip6 = (struct ip6_hdr *) pkt;
1003 int pktsz = get_var_size_by_name (lexic, "tcp");
1004 struct tcphdr *tcp;
1005 tree_cell *retc;
1006 char *data = get_str_var_by_name (lexic, "data");
1007 int data_len = get_var_size_by_name (lexic, "data");
1008 char *npkt;
1009 int tcp_opt, tcp_opt_val, tcp_opt_val2;
1010 int current_opt_len, total_opt_len, opt_size_allocated;
1011 char *opts, *ptr_opts_pos;
1012 uint8_t eol, nop;
1013 int i;
1014
1015 struct tcp_opt_mss *opt_mss;
1016 struct tcp_opt_wscale *opt_wscale;
1017 struct tcp_opt_sack_perm *opt_sack_perm;
1018 struct tcp_opt_tstamp *opt_tstamp;
1019
1020 if (pkt == NULL)
1021 {
1022 nasl_perror (
1023 lexic, "set_tcp_v6_elements: Invalid value for the argument 'tcp'\n");
1024 return NULL;
1025 }
1026 opts = g_malloc0 (sizeof (char) * 4);
1027 ptr_opts_pos = opts;
1028 opt_size_allocated = 4; // 4 bytes
1029 total_opt_len = 0;
1030 for (i = 0;; i++)
1031 {
1032 tcp_opt = get_int_var_by_num (lexic, i, -1);
1033 current_opt_len = total_opt_len;
1034
1035 if (tcp_opt == -1)
1036 break;
1037
1038 switch (tcp_opt)
1039 {
1040 case TCPOPT_MAXSEG:
1041 tcp_opt_val = get_int_var_by_num (lexic, i + 1, -1);
1042 i++;
1043 if (tcp_opt_val < (int) TCP_MSS_DESIRED || tcp_opt_val > 65535)
1044 {
1045 nasl_perror (lexic, "%s: Invalid value for TCP option MSS\n",
1046 __func__);
1047 break;
1048 }
1049 opt_mss = g_malloc0 (sizeof (struct tcp_opt_mss));
1050 total_opt_len += TCPOLEN_MAXSEG;
1051 opt_mss->kind = TCPOPT_MAXSEG;
1052 opt_mss->len = TCPOLEN_MAXSEG;
1053 opt_mss->mss = FIX (tcp_opt_val);
1054
1055 // Need reallocated memory because options requires it.
1056 if (total_opt_len > opt_size_allocated)
1057 {
1058 opt_size_allocated = ((total_opt_len / 4) + 1) * 4;
1059 opts = g_realloc (opts, sizeof (char) * opt_size_allocated);
1060 ptr_opts_pos = opts + current_opt_len;
1061 }
1062
1063 memcpy (ptr_opts_pos, (u_char *) opt_mss,
1064 sizeof (struct tcp_opt_mss));
1065 ptr_opts_pos = ptr_opts_pos + sizeof (struct tcp_opt_mss);
1066 g_free (opt_mss);
1067 break;
1068 case TCPOPT_WINDOW:
1069 tcp_opt_val = get_int_var_by_num (lexic, i + 1, -1);
1070 i++;
1071 if (tcp_opt_val < 0 || tcp_opt_val > 14)
1072 {
1073 nasl_perror (lexic, "%s: Invalid value for TCP option WScale\n",
1074 __func__);
1075 break;
1076 }
1077 opt_wscale = g_malloc0 (sizeof (struct tcp_opt_wscale));
1078 total_opt_len += TCPOLEN_WINDOW;
1079 opt_wscale->kind = TCPOPT_WINDOW;
1080 opt_wscale->len = TCPOLEN_WINDOW;
1081 opt_wscale->wscale = tcp_opt_val;
1082
1083 // Need reallocated memory because options requires it.
1084 if (total_opt_len > opt_size_allocated)
1085 {
1086 opt_size_allocated = ((total_opt_len / 4) + 1) * 4;
1087 opts = g_realloc (opts, sizeof (char) * opt_size_allocated);
1088 ptr_opts_pos = opts + current_opt_len;
1089 }
1090
1091 memcpy (ptr_opts_pos, (u_char *) opt_wscale,
1092 sizeof (struct tcp_opt_wscale));
1093 ptr_opts_pos = ptr_opts_pos + sizeof (struct tcp_opt_wscale);
1094 g_free (opt_wscale);
1095 break;
1096 case TCPOPT_SACK_PERMITTED:
1097 opt_sack_perm = g_malloc0 (sizeof (struct tcp_opt_sack_perm));
1098 total_opt_len += TCPOLEN_SACK_PERMITTED;
1099 opt_sack_perm->kind = TCPOPT_SACK_PERMITTED;
1100 opt_sack_perm->len = TCPOLEN_SACK_PERMITTED;
1101
1102 // Need reallocated memory because options requires it.
1103 if (total_opt_len > opt_size_allocated)
1104 {
1105 opt_size_allocated = ((total_opt_len / 4) + 1) * 4;
1106 opts = g_realloc (opts, sizeof (char) * opt_size_allocated);
1107 ptr_opts_pos = opts + current_opt_len;
1108 }
1109
1110 memcpy (ptr_opts_pos, (u_char *) opt_sack_perm,
1111 sizeof (struct tcp_opt_sack_perm));
1112 ptr_opts_pos = ptr_opts_pos + sizeof (struct tcp_opt_sack_perm);
1113 g_free (opt_sack_perm);
1114 break;
1115 case TCPOPT_TIMESTAMP:
1116 tcp_opt_val = get_int_var_by_num (lexic, i + 1, -1);
1117 tcp_opt_val2 = get_int_var_by_num (lexic, i + 2, -1);
1118 i = i + 2;
1119 if (tcp_opt_val < 0)
1120 nasl_perror (lexic, "%s: Invalid value for TCP option Timestamp\n",
1121 __func__);
1122 opt_tstamp = g_malloc0 (sizeof (struct tcp_opt_tstamp));
1123 total_opt_len += TCPOLEN_TIMESTAMP;
1124 opt_tstamp->kind = TCPOPT_TIMESTAMP;
1125 opt_tstamp->len = TCPOLEN_TIMESTAMP;
1126 opt_tstamp->tstamp = htonl (tcp_opt_val);
1127 opt_tstamp->e_tstamp = htonl (tcp_opt_val2);
1128
1129 // Need reallocated memory because options requires it.
1130 if (total_opt_len > opt_size_allocated)
1131 {
1132 opt_size_allocated = ((total_opt_len / 4) + 1) * 4;
1133 opts = g_realloc (opts, sizeof (char) * opt_size_allocated);
1134 ptr_opts_pos = opts + current_opt_len;
1135 }
1136
1137 memcpy (ptr_opts_pos, (u_char *) opt_tstamp,
1138 sizeof (struct tcp_opt_tstamp));
1139 ptr_opts_pos = ptr_opts_pos + sizeof (struct tcp_opt_tstamp);
1140 g_free (opt_tstamp);
1141 break;
1142 case TCPOPT_NOP:
1143 case TCPOPT_EOL:
1144 case TCPOPT_SACK: /* Experimental, not supported */
1145 default:
1146 nasl_perror (lexic, "%s: TCP option %d not supported\n", __func__,
1147 tcp_opt);
1148 break;
1149 }
1150 }
1151
1152 // Add NOP padding and End Of Option list kinds.
1153 current_opt_len = total_opt_len;
1154 eol = TCPOPT_EOL;
1155 nop = TCPOPT_NOP;
1156 if (total_opt_len % 4 == 0)
1157 {
1158 opt_size_allocated = opt_size_allocated + 4;
1159 opts = g_realloc (opts, sizeof (char) * opt_size_allocated);
1160 ptr_opts_pos = opts + total_opt_len;
1161 }
1162 if (current_opt_len < opt_size_allocated - 1)
1163 {
1164 // Add NOPs
1165 for (i = current_opt_len; i < opt_size_allocated - 1; i++)
1166 {
1167 memcpy (ptr_opts_pos, &nop, 1);
1168 total_opt_len++;
1169 ptr_opts_pos++;
1170 }
1171 }
1172 // Add EOL
1173 memcpy (ptr_opts_pos, &eol, 1);
1174
1175 tcp = (struct tcphdr *) (pkt + 40);
1176
1177 if (pktsz < UNFIX (ip6->ip6_plen))
1178 {
1179 g_free (opts);
1180 return NULL;
1181 }
1182
1183 if (data_len == 0)
1184 {
1185 data_len = UNFIX (ip6->ip6_plen) - (tcp->th_off * 4);
1186 data = (char *) ((char *) tcp + tcp->th_off * 4);
1187 }
1188
1189 // Alloc enough memory to hold the options
1190 npkt = g_malloc0 (40 + tcp->th_off * 4 + opt_size_allocated + data_len);
1191 memcpy (npkt, pkt, UNFIX (ip6->ip6_plen) + 40);
1192 ip6 = (struct ip6_hdr *) (npkt);
1193 tcp = (struct tcphdr *) (npkt + 40);
1194
1195 // copy options
1196 memcpy ((char *) tcp + tcp->th_off * 4, opts, opt_size_allocated);
1197 tcp->th_off = tcp->th_off + (opt_size_allocated / 4);
1198
1199 memcpy ((char *) tcp + tcp->th_off * 4, data, data_len);
1200
1201 ip6->ip6_plen = FIX (tcp->th_off * 4 + data_len);
1202
1203 struct v6pseudohdr pseudoheader;
1204 char *tcpsumdata =
1205 g_malloc0 (sizeof (struct v6pseudohdr) + opt_size_allocated + data_len + 1);
1206
1207 memset (&pseudoheader, 0, 38 + sizeof (struct tcphdr));
1208 memcpy (&pseudoheader.s6addr, &ip6->ip6_src, sizeof (struct in6_addr));
1209 memcpy (&pseudoheader.d6addr, &ip6->ip6_dst, sizeof (struct in6_addr));
1210
1211 pseudoheader.protocol = IPPROTO_TCP;
1212 pseudoheader.length =
1213 htons (sizeof (struct tcphdr) + opt_size_allocated + data_len);
1214
1215 // Set th_sum to Zero, necessary for the new checksum calculation
1216 tcp->th_sum = 0;
1217
1218 memcpy ((char *) &pseudoheader.tcpheader, (char *) tcp,
1219 sizeof (struct tcphdr));
1220
1221 /* fill tcpsumdata with data to checksum */
1222 memcpy (tcpsumdata, (char *) &pseudoheader, sizeof (struct v6pseudohdr));
1223 memcpy (tcpsumdata + sizeof (struct v6pseudohdr), (char *) opts,
1224 opt_size_allocated);
1225 if (data != NULL)
1226 memcpy (tcpsumdata + sizeof (struct v6pseudohdr) + opt_size_allocated,
1227 (char *) data, data_len);
1228 tcp->th_sum =
1229 np_in_cksum ((unsigned short *) tcpsumdata,
1230 38 + sizeof (struct tcphdr) + opt_size_allocated + data_len);
1231 g_free (opts);
1232 g_free (tcpsumdata);
1233
1234 retc = alloc_typed_cell (CONST_DATA);
1235 retc->size = 40 + (tcp->th_off * 4) + data_len;
1236 retc->x.str_val = npkt;
1237 return retc;
1238}
get_int_var_by_num
long int get_int_var_by_num(lex_ctxt *, int, int)
Definition nasl_var.c:1094
tcp_opt_mss
Definition nasl_packet_forgery.c:492
tcp_opt_mss::len
uint8_t len
Definition nasl_packet_forgery.c:494
tcp_opt_mss::kind
uint8_t kind
Definition nasl_packet_forgery.c:493
tcp_opt_sack_perm
Definition nasl_packet_forgery.c:506
tcp_opt_sack_perm::len
uint8_t len
Definition nasl_packet_forgery.c:508
tcp_opt_tstamp
Definition nasl_packet_forgery.c:512
tcp_opt_tstamp::kind
uint8_t kind
Definition nasl_packet_forgery.c:513
tcp_opt_tstamp::len
uint8_t len
Definition nasl_packet_forgery.c:514
tcp_opt_wscale
Definition nasl_packet_forgery.c:499
tcp_opt_wscale::kind
uint8_t kind
Definition nasl_packet_forgery.c:500
tcp_opt_wscale::len
uint8_t len
Definition nasl_packet_forgery.c:501

References alloc_typed_cell(), CONST_DATA, v6pseudohdr::d6addr, tcp_opt_tstamp::e_tstamp, FIX, get_int_var_by_num(), get_str_var_by_name(), get_var_size_by_name(), tcp_opt_mss::kind, tcp_opt_sack_perm::kind, tcp_opt_tstamp::kind, tcp_opt_wscale::kind, tcp_opt_mss::len, tcp_opt_sack_perm::len, tcp_opt_tstamp::len, tcp_opt_wscale::len, v6pseudohdr::length, tcp_opt_mss::mss, nasl_perror(), np_in_cksum(), v6pseudohdr::protocol, v6pseudohdr::s6addr, TC::size, TC::str_val, v6pseudohdr::tcpheader, tcp_opt_tstamp::tstamp, UNFIX, tcp_opt_wscale::wscale, and TC::x.

Here is the call graph for this function:

◆ nasl_send_v6packet()

tree_cell * nasl_send_v6packet ( lex_ctxt * lexic)

Send forged IPv6 Packets.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]...IPv6 packets to send.
[in]lengthLength of each packet by default.
[in]pcap_activeTRUE by default. Otherwise, NASL does not listen for the answers.
[in]pcap_filterBPF filter.
[in]pcap_timeoutCapture timeout. 5 by default.
[in]allow_multicastDefault 0.
Returns
tree_cell with the response to the sent packet.

Definition at line 2323 of file nasl_packet_forgery_v6.c.

2324{
2325 tree_cell *retc = FAKE_CELL;
2326 int bpf = -1;
2327 u_char *answer;
2328 int answer_sz;
2329 struct sockaddr_in6 sockaddr;
2330 char *ip = NULL;
2331 struct ip6_hdr *sip = NULL;
2332 int vi = 0, b = 0, len = 0;
2333 int soc;
2334 int use_pcap = get_int_var_by_name (lexic, "pcap_active", 1);
2335 int to = get_int_var_by_name (lexic, "pcap_timeout", 5);
2336 char *filter = get_str_var_by_name (lexic, "pcap_filter");
2337 int dfl_len = get_int_var_by_name (lexic, "length", -1);
2338 struct script_infos *script_infos = lexic->script_infos;
2339 struct in6_addr *dstip = plug_get_host_ip (script_infos);
2340 int opt_on = 1;
2341 char name[INET6_ADDRSTRLEN];
2342 int allow_multicast = 0;
2343
2344 if (dstip == NULL || (IN6_IS_ADDR_V4MAPPED (dstip) == 1))
2345 return NULL;
2346 soc = socket (AF_INET6, SOCK_RAW, IPPROTO_RAW);
2347 if (soc < 0)
2348 return NULL;
2349
2350 if (setsockopt (soc, IPPROTO_IPV6, IP_HDRINCL, (char *) &opt_on,
2351 sizeof (opt_on))
2352 < 0)
2353 perror ("setsockopt");
2354 while ((ip = get_str_var_by_num (lexic, vi)) != NULL)
2355 {
2356 allow_multicast = get_int_var_by_name (lexic, "allow_multicast", 0);
2357 int sz = get_var_size_by_num (lexic, vi);
2358 vi++;
2359
2360 if ((unsigned int) sz < sizeof (struct ip6_hdr))
2361 {
2362 nasl_perror (lexic, "send_v6packet: packet is too short\n");
2363 continue;
2364 }
2365
2366 sip = (struct ip6_hdr *) ip;
2367 if (use_pcap != 0 && bpf < 0)
2368 bpf = init_v6_capture_device (sip->ip6_dst, sip->ip6_src, filter);
2369
2370 bzero (&sockaddr, sizeof (struct sockaddr_in6));
2371 sockaddr.sin6_family = AF_INET6;
2372 sockaddr.sin6_addr = sip->ip6_dst;
2373
2374 if (allow_multicast)
2375 {
2376 struct sockaddr_in6 multicast;
2377
2378 if (setsockopt (soc, SOL_SOCKET, SO_BROADCAST, &opt_on,
2379 sizeof (opt_on))
2380 < 0)
2381 perror ("setsockopt ");
2382
2383 bzero (&multicast, sizeof (struct sockaddr_in6));
2384 sockaddr.sin6_family = AF_INET6;
2385 inet_pton (AF_INET6, "ff02::1", &(multicast.sin6_addr));
2386
2387 if (!IN6_ARE_ADDR_EQUAL (&sockaddr.sin6_addr, &multicast.sin6_addr))
2388 allow_multicast = 0;
2389 }
2390
2391 if (dstip != NULL && !IN6_ARE_ADDR_EQUAL (&sockaddr.sin6_addr, dstip)
2392 && !allow_multicast)
2393 {
2394 char txt1[64], txt2[64];
2395 strncpy (
2396 txt1,
2397 inet_ntop (AF_INET6, &sockaddr.sin6_addr, name, INET6_ADDRSTRLEN),
2398 sizeof (txt1));
2399 txt1[sizeof (txt1) - 1] = '\0';
2400 strncpy (txt2, inet_ntop (AF_INET6, dstip, name, INET6_ADDRSTRLEN),
2401 sizeof (txt2));
2402 txt2[sizeof (txt2) - 1] = '\0';
2403 nasl_perror (lexic,
2404 "send_v6packet: malicious or buggy script is trying to "
2405 "send packet to %s instead of designated target %s\n",
2406 txt1, txt2);
2407 if (bpf >= 0)
2408 bpf_close (bpf);
2409 close (soc);
2410 return NULL;
2411 }
2412
2413 if (dfl_len > 0 && dfl_len < sz)
2414 len = dfl_len;
2415 else
2416 len = sz;
2417
2418 b = sendto (soc, (u_char *) ip, len, 0, (struct sockaddr *) &sockaddr,
2419 sizeof (struct sockaddr_in6));
2420 /* if(b < 0) perror("sendto "); */
2421 if (b >= 0 && use_pcap != 0 && bpf >= 0)
2422 {
2423 if (v6_islocalhost (&sip->ip6_dst))
2424 {
2425 answer = (u_char *) capture_next_v6_packet (bpf, to, &answer_sz);
2426 while (
2427 answer != NULL
2428 && (!memcmp (answer, (char *) ip, sizeof (struct ip6_hdr))))
2429 {
2430 g_free (answer);
2431 answer =
2432 (u_char *) capture_next_v6_packet (bpf, to, &answer_sz);
2433 }
2434 }
2435 else
2436 {
2437 answer = (u_char *) capture_next_v6_packet (bpf, to, &answer_sz);
2438 }
2439 if (answer)
2440 {
2441 retc = alloc_typed_cell (CONST_DATA);
2442 retc->x.str_val = (char *) answer;
2443 retc->size = answer_sz;
2444 break;
2445 }
2446 }
2447 }
2448 if (bpf >= 0)
2449 bpf_close (bpf);
2450 close (soc);
2451 return retc;
2452}
bpf_close
void bpf_close(int bpf)
Definition bpf_share.c:164
capture_next_v6_packet
struct ip6_hdr * capture_next_v6_packet(int bpf, int timeout, int *sz)
Definition capture_packet.c:271
init_v6_capture_device
int init_v6_capture_device(struct in6_addr src, struct in6_addr dest, char *filter)
Definition capture_packet.c:215
name
const char * name
Definition nasl_init.c:439
v6_islocalhost
int v6_islocalhost(struct in6_addr *addr)
Tests whether a packet sent to IP is LIKELY to route through the kernel localhost interface.
Definition pcap.c:234

References alloc_typed_cell(), bpf_close(), capture_next_v6_packet(), CONST_DATA, FAKE_CELL, get_int_var_by_name(), get_str_var_by_name(), get_str_var_by_num(), get_var_size_by_num(), init_v6_capture_device(), len, name, nasl_perror(), plug_get_host_ip(), struct_lex_ctxt::script_infos, TC::size, TC::str_val, v6_islocalhost(), and TC::x.

Here is the call graph for this function:

◆ nasl_tcp_v6_ping()

tree_cell * nasl_tcp_v6_ping ( lex_ctxt * lexic)

Performs TCP Connect to test if host is alive.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]portPort to ping. Internal list of common ports is used as default.
Returns
tree_cell > 0 if host is alive, 0 otherwise.

Definition at line 2177 of file nasl_packet_forgery_v6.c.

2178{
2179 int port;
2180 u_char packet[sizeof (struct ip6_hdr) + sizeof (struct tcphdr)];
2181 int soc;
2182 struct ip6_hdr *ip = (struct ip6_hdr *) packet;
2183 struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof (struct ip6_hdr));
2184 struct script_infos *script_infos = lexic->script_infos;
2185 struct in6_addr *destination = plug_get_host_ip (script_infos);
2186 struct in6_addr source;
2187 struct sockaddr_in6 soca;
2188 int flag = 0;
2189 unsigned int i = 0;
2190 int bpf;
2191 char filter[255];
2192 tree_cell *retc;
2193 int opt = 1;
2194 struct timeval tv;
2195 int len;
2196
2197#define rnd_tcp_port() (rand () % 65535 + 1024)
2198 int sports[] = {0, 0, 0, 0, 0, 1023, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2199 0, 0, 0, 0, 0, 53, 0, 0, 20, 0, 25, 0, 0, 0};
2200 int ports[] = {139, 135, 445, 80, 22, 515, 23, 21, 6000, 1025,
2201 25, 111, 1028, 9100, 1029, 79, 497, 548, 5000, 1917,
2202 53, 161, 9001, 65535, 443, 113, 993, 8080, 0};
2203 char addr[INET6_ADDRSTRLEN];
2204
2205 if (!destination || (IN6_IS_ADDR_V4MAPPED (destination) == 1))
2206 return NULL;
2207
2208 for (i = 0; i < sizeof (sports) / sizeof (int); i++)
2209 {
2210 if (sports[i] == 0)
2211 sports[i] = rnd_tcp_port ();
2212 }
2213
2214 soc = socket (AF_INET6, SOCK_RAW, IPPROTO_RAW);
2215 if (soc < 0)
2216 return NULL;
2217
2218 if (setsockopt (soc, IPPROTO_IPV6, IP_HDRINCL, (char *) &opt, sizeof (opt))
2219 < 0)
2220 perror ("setsockopt");
2221
2222 port = get_int_var_by_name (lexic, "port", -1);
2223 if (port == -1)
2224 port = plug_get_host_open_port (script_infos);
2225 if (v6_islocalhost (destination) > 0)
2226 source = *destination;
2227 else
2228 {
2229 bzero (&source, sizeof (source));
2230 v6_routethrough (destination, &source);
2231 }
2232
2233 snprintf (filter, sizeof (filter), "ip6 and src host %s",
2234 inet_ntop (AF_INET6, destination, addr, sizeof (addr)));
2235 bpf = init_v6_capture_device (*destination, source, filter);
2236
2237 if (v6_islocalhost (destination) != 0)
2238 flag++;
2239 else
2240 {
2241 unsigned int num_ports = sizeof (sports) / sizeof (int);
2242 for (i = 0; i < num_ports && !flag; i++)
2243 {
2244 bzero (packet, sizeof (packet));
2245 /* IPv6 */
2246 int version = 0x60, tc = 0, fl = 0;
2247 ip->ip6_ctlun.ip6_un1.ip6_un1_flow = version | tc | fl;
2248 ip->ip6_nxt = 0x06, ip->ip6_hlim = 0x40, ip->ip6_src = source;
2249 ip->ip6_dst = *destination;
2250 ip->ip6_ctlun.ip6_un1.ip6_un1_plen = FIX (sizeof (struct tcphdr));
2251
2252 /* TCP */
2253 tcp->th_sport = port ? htons (rnd_tcp_port ()) : htons (sports[i]);
2254 tcp->th_flags = TH_SYN;
2255 tcp->th_dport = port ? htons (port) : htons (ports[i]);
2256 tcp->th_seq = rand ();
2257 tcp->th_ack = 0;
2258 tcp->th_x2 = 0;
2259 tcp->th_off = 5;
2260 tcp->th_win = htons (512);
2261 tcp->th_urp = 0;
2262 tcp->th_sum = 0;
2263
2264 /* CKsum */
2265 {
2266 struct v6pseudohdr pseudoheader;
2267
2268 bzero (&pseudoheader, 38 + sizeof (struct tcphdr));
2269 memcpy (&pseudoheader.s6addr, &ip->ip6_src,
2270 sizeof (struct in6_addr));
2271 memcpy (&pseudoheader.d6addr, &ip->ip6_dst,
2272 sizeof (struct in6_addr));
2273
2274 pseudoheader.protocol = IPPROTO_TCP;
2275 pseudoheader.length = htons (sizeof (struct tcphdr));
2276 bcopy ((char *) tcp, (char *) &pseudoheader.tcpheader,
2277 sizeof (struct tcphdr));
2278 tcp->th_sum = np_in_cksum ((unsigned short *) &pseudoheader,
2279 38 + sizeof (struct tcphdr));
2280 }
2281
2282 bzero (&soca, sizeof (soca));
2283 soca.sin6_family = AF_INET6;
2284 soca.sin6_addr = ip->ip6_dst;
2285 if (sendto (soc, (const void *) ip,
2286 sizeof (struct tcphdr) + sizeof (struct ip6_hdr), 0,
2287 (struct sockaddr *) &soca, sizeof (struct sockaddr_in6))
2288 < 0)
2289 {
2290 close (soc);
2291 return NULL;
2292 }
2293 tv.tv_sec = 0;
2294 tv.tv_usec = 100000;
2295 if (bpf >= 0 && bpf_next_tv (bpf, &len, &tv))
2296 flag++;
2297 }
2298 }
2299
2300 retc = alloc_typed_cell (CONST_INT);
2301 retc->x.i_val = flag;
2302 if (bpf >= 0)
2303 bpf_close (bpf);
2304 close (soc);
2305 return retc;
2306}
bpf_next_tv
u_char * bpf_next_tv(int bpf, int *caplen, struct timeval *tv)
Definition bpf_share.c:119
timeval
static struct timeval timeval(unsigned long val)
Definition nasl_builtin_synscan.c:94
rnd_tcp_port
#define rnd_tcp_port()
rnd_tcp_port
#define rnd_tcp_port()
v6_routethrough
char * v6_routethrough(struct in6_addr *dest, struct in6_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition pcap.c:851
plug_get_host_open_port
unsigned int plug_get_host_open_port(struct script_infos *desc)
Definition plugutils.c:1323

References alloc_typed_cell(), bpf_close(), bpf_next_tv(), CONST_INT, v6pseudohdr::d6addr, FIX, get_int_var_by_name(), TC::i_val, init_v6_capture_device(), len, v6pseudohdr::length, np_in_cksum(), plug_get_host_ip(), plug_get_host_open_port(), v6pseudohdr::protocol, rnd_tcp_port, v6pseudohdr::s6addr, struct_lex_ctxt::script_infos, v6pseudohdr::tcpheader, timeval(), v6_islocalhost(), v6_routethrough(), and TC::x.

Referenced by nasl_tcp_ping().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ set_ip_v6_elements()

tree_cell * set_ip_v6_elements ( lex_ctxt * lexic)

Set IPv6 header element.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]ip6IP v6 header.
[in]ip6_plenPayload length.
[in]ip6_hlimHop limit. Max. 255
[in]ip6_nxtNext packet.
[in]ip6_srcSource address
Returns
tree_cell with the forged IP packet.

Definition at line 295 of file nasl_packet_forgery_v6.c.

296{
297 struct ip6_hdr *o_pkt = (struct ip6_hdr *) get_str_var_by_name (lexic, "ip6");
298 int size = get_var_size_by_name (lexic, "ip6");
299 tree_cell *retc;
300 struct ip6_hdr *pkt;
301 char *s;
302
303 if (o_pkt == NULL)
304 {
305 nasl_perror (lexic, "%s: missing <ip6> field\n", __func__);
306 return NULL;
307 }
308
309 pkt = (struct ip6_hdr *) g_malloc0 (size);
310 bcopy (o_pkt, pkt, size);
311
312 pkt->ip6_plen = get_int_var_by_name (lexic, "ip6_plen", pkt->ip6_plen);
313 pkt->ip6_nxt = get_int_var_by_name (lexic, "ip6_nxt", pkt->ip6_nxt);
314 pkt->ip6_hlim = get_int_var_by_name (lexic, "ip6_hlim", pkt->ip6_hlim);
315
316 s = get_str_var_by_name (lexic, "ip6_src");
317 if (s != NULL)
318 inet_pton (AF_INET6, s, &pkt->ip6_src);
319
320 retc = alloc_typed_cell (CONST_DATA);
321 retc->size = size;
322 retc->x.str_val = (char *) pkt;
323
324 return retc;
325}

References alloc_typed_cell(), CONST_DATA, get_int_var_by_name(), get_str_var_by_name(), get_var_size_by_name(), nasl_perror(), TC::size, TC::str_val, and TC::x.

Here is the call graph for this function:

◆ set_tcp_v6_elements()

tree_cell * set_tcp_v6_elements ( lex_ctxt * lexic)

Set TCP Header element.

Parameters
[in]lexicLexical context of NASL interpreter.
[in]tcpIPv6 packet to modify.
[in]dataData.
[in]th_sportSource port.
[in]th_dportDestination port.
[in]th_seqSequence number.
[in]th_ackAcknowledgement number.
[in]th_x2
[in]th_offData offset.
[in]th_flagsFlags.
[in]th_winWindow.
[in]th_sumChecksum.
[in]th_urpUrgent pointer.
[in]update_ip_lenFlag (TRUE by default). If set, NASL will recompute the size field of the IP datagram.
Returns
tree_cell with the modified IPv6 datagram.

Definition at line 894 of file nasl_packet_forgery_v6.c.

895{
896 char *pkt = get_str_var_by_name (lexic, "tcp");
897 struct ip6_hdr *ip6 = (struct ip6_hdr *) pkt;
898 int pktsz = get_var_size_by_name (lexic, "tcp");
899 struct tcphdr *tcp;
900 tree_cell *retc;
901 char *data = get_str_var_by_name (lexic, "data");
902 int data_len = get_var_size_by_name (lexic, "data");
903 char *npkt;
904
905 if (pkt == NULL)
906 {
907 nasl_perror (
908 lexic, "set_tcp_v6_elements: Invalid value for the argument 'tcp'\n");
909 return NULL;
910 }
911
912 tcp = (struct tcphdr *) (pkt + 40);
913
914 if (pktsz < UNFIX (ip6->ip6_plen))
915 return NULL;
916
917 if (data_len == 0)
918 {
919 data_len = UNFIX (ip6->ip6_plen) - (tcp->th_off * 4);
920 data = (char *) ((char *) tcp + tcp->th_off * 4);
921 }
922
923 npkt = g_malloc0 (40 + tcp->th_off * 4 + data_len);
924 bcopy (pkt, npkt, UNFIX (ip6->ip6_plen) + 40);
925
926 ip6 = (struct ip6_hdr *) (npkt);
927 tcp = (struct tcphdr *) (npkt + 40);
928
929 tcp->th_sport =
930 htons (get_int_var_by_name (lexic, "th_sport", ntohs (tcp->th_sport)));
931 tcp->th_dport =
932 htons (get_int_var_by_name (lexic, "th_dport", ntohs (tcp->th_dport)));
933 tcp->th_seq =
934 htonl (get_int_var_by_name (lexic, "th_seq", ntohl (tcp->th_seq)));
935 tcp->th_ack =
936 htonl (get_int_var_by_name (lexic, "th_ack", ntohl (tcp->th_ack)));
937 tcp->th_x2 = get_int_var_by_name (lexic, "th_x2", tcp->th_x2);
938 tcp->th_off = get_int_var_by_name (lexic, "th_off", tcp->th_off);
939 tcp->th_flags = get_int_var_by_name (lexic, "th_flags", tcp->th_flags);
940 tcp->th_win =
941 htons (get_int_var_by_name (lexic, "th_win", ntohs (tcp->th_win)));
942 tcp->th_sum = get_int_var_by_name (lexic, "th_sum", 0);
943 tcp->th_urp = get_int_var_by_name (lexic, "th_urp", tcp->th_urp);
944
945 bcopy (data, (char *) tcp + tcp->th_off * 4, data_len);
946
947 if (get_int_var_by_name (lexic, "update_ip_len", 1) != 0)
948 {
949 ip6->ip6_plen = FIX (tcp->th_off * 4 + data_len);
950 }
951
952 if (tcp->th_sum == 0)
953 {
954 struct v6pseudohdr pseudoheader;
955 char *tcpsumdata = g_malloc0 (sizeof (struct v6pseudohdr) + data_len + 1);
956
957 bzero (&pseudoheader, 38 + sizeof (struct tcphdr));
958 memcpy (&pseudoheader.s6addr, &ip6->ip6_src, sizeof (struct in6_addr));
959 memcpy (&pseudoheader.d6addr, &ip6->ip6_dst, sizeof (struct in6_addr));
960
961 pseudoheader.protocol = IPPROTO_TCP;
962 pseudoheader.length = htons (sizeof (struct tcphdr) + data_len);
963 bcopy ((char *) tcp, (char *) &pseudoheader.tcpheader,
964 sizeof (struct tcphdr));
965 /* fill tcpsumdata with data to checksum */
966 bcopy ((char *) &pseudoheader, tcpsumdata, sizeof (struct v6pseudohdr));
967 if (data != NULL)
968 bcopy ((char *) data, tcpsumdata + sizeof (struct v6pseudohdr),
969 data_len);
970 tcp->th_sum = np_in_cksum ((unsigned short *) tcpsumdata,
971 38 + sizeof (struct tcphdr) + data_len);
972 g_free (tcpsumdata);
973 }
974
975 retc = alloc_typed_cell (CONST_DATA);
976 retc->size = 40 + (tcp->th_off * 4) + data_len;
977 retc->x.str_val = npkt;
978 return retc;
979}

References alloc_typed_cell(), CONST_DATA, v6pseudohdr::d6addr, FIX, get_int_var_by_name(), get_str_var_by_name(), get_var_size_by_name(), v6pseudohdr::length, nasl_perror(), np_in_cksum(), v6pseudohdr::protocol, v6pseudohdr::s6addr, TC::size, TC::str_val, v6pseudohdr::tcpheader, UNFIX, and TC::x.

Here is the call graph for this function:

◆ set_udp_v6_elements()

tree_cell * set_udp_v6_elements ( lex_ctxt * lexic)

Definition at line 1551 of file nasl_packet_forgery_v6.c.

1552{
1553 struct ip6_hdr *ip6 = (struct ip6_hdr *) get_str_var_by_name (lexic, "udp");
1554 unsigned int sz = get_var_size_by_name (lexic, "udp");
1555 char *data = get_str_var_by_name (lexic, "data");
1556 int data_len = get_var_size_by_name (lexic, "data");
1557
1558 if (ip6 != NULL)
1559 {
1560 char *pkt;
1561 struct udphdr *udp;
1562 tree_cell *retc;
1563 int old_len;
1564
1565 if (40 + sizeof (struct udphdr) > sz)
1566 {
1567 return NULL;
1568 }
1569 if (data != NULL)
1570 {
1571 sz = 40 + sizeof (struct udphdr) + data_len;
1572 pkt = g_malloc0 (sz);
1573 bcopy (ip6, pkt, 40 + sizeof (struct udphdr));
1574 }
1575 else
1576 {
1577 pkt = g_malloc0 (sz);
1578 bcopy (ip6, pkt, sz);
1579 }
1580
1581 ip6 = (struct ip6_hdr *) pkt;
1582 if (data != NULL)
1583 {
1584 ip6->ip6_ctlun.ip6_un1.ip6_un1_plen = FIX (sz - 40);
1585 }
1586 udp = (struct udphdr *) (pkt + 40);
1587
1588 udp->uh_sport =
1589 htons (get_int_var_by_name (lexic, "uh_sport", ntohs (udp->uh_sport)));
1590 udp->uh_dport =
1591 htons (get_int_var_by_name (lexic, "uh_dport", ntohs (udp->uh_dport)));
1592
1593 old_len = ntohs (udp->uh_ulen);
1594 udp->uh_ulen =
1595 htons (get_int_var_by_name (lexic, "uh_ulen", ntohs (udp->uh_ulen)));
1596 udp->uh_sum = get_int_var_by_name (lexic, "uh_sum", 0);
1597
1598 if (data != NULL)
1599 {
1600 bcopy (data, pkt + 40 + sizeof (struct udphdr), data_len);
1601 udp->uh_ulen = htons (sizeof (struct udphdr) + data_len);
1602 }
1603
1604 if (!udp->uh_sum)
1605 {
1606 struct v6pseudo_udp_hdr pseudohdr;
1607 int len = old_len - sizeof (struct udphdr);
1608 char *udpsumdata;
1609 char *ptr = NULL;
1610
1611 if (data != NULL)
1612 {
1613 len = data_len;
1614 }
1615
1616 if (len > 0)
1617 {
1618 ptr = (char *) udp + sizeof (struct udphdr);
1619 }
1620
1621 udpsumdata = g_malloc0 (sizeof (struct v6pseudo_udp_hdr) + len + 1);
1622 bzero (&pseudohdr, sizeof (struct v6pseudo_udp_hdr));
1623
1624 pseudohdr.proto = IPPROTO_UDP;
1625 pseudohdr.len = htons (sizeof (struct udphdr) + data_len);
1626 bcopy ((char *) udp, (char *) &pseudohdr.udpheader,
1627 sizeof (struct udphdr));
1628 memcpy (&pseudohdr.s6addr, &ip6->ip6_src, sizeof (struct in6_addr));
1629 memcpy (&pseudohdr.d6addr, &ip6->ip6_dst, sizeof (struct in6_addr));
1630 bcopy ((char *) &pseudohdr, udpsumdata, sizeof (pseudohdr));
1631 if (ptr != NULL)
1632 {
1633 bcopy ((char *) ptr, udpsumdata + sizeof (pseudohdr), data_len);
1634 }
1635 udp->uh_sum = np_in_cksum ((unsigned short *) udpsumdata,
1636 38 + sizeof (struct udphdr)
1637 + ((len % 2) ? len + 1 : len));
1638 g_free (udpsumdata);
1639 }
1640 retc = alloc_typed_cell (CONST_DATA);
1641 retc->size = sz;
1642 retc->x.str_val = pkt;
1643 return retc;
1644 }
1645 else
1646 nasl_perror (lexic,
1647 "set_udp_v6_elements: You must supply the 'udp' argument !\n");
1648
1649 return NULL;
1650}

References alloc_typed_cell(), CONST_DATA, FIX, get_int_var_by_name(), get_str_var_by_name(), get_var_size_by_name(), len, nasl_perror(), np_in_cksum(), TC::size, TC::str_val, and TC::x.

Here is the call graph for this function: