$NetBSD: patch-aa,v 1.2 1998/08/07 11:10:57 agc Exp $

*** sn_defines.h	Fri Apr 18 11:33:58 1997
--- sn_defines.h	Thu Jul 24 16:02:16 1997
***************
*** 80,90 ****
  #define SYN 2
  #define FIN 1
  
! #define NO_IP   0
! #define NO_IP_4 1000
! #define ICMP    1                       /* Protocol Numbers */
! #define TCP     6
! #define UDP     17
  
  #define ICMP_HEADLENGTH 4               /* fixed ICMP header length */
  #define UDP_HEADLENGTH  8               /* fixed UDP header length */
--- 80,91 ----
  #define SYN 2
  #define FIN 1
  
! #define NO_IP   	0
! #define NO_IP_4 	1000
! #define CORRUPT_IP	1001
! #define ICMP    	1                       /* Protocol Numbers */
! #define TCP     	6
! #define UDP     	17
  
  #define ICMP_HEADLENGTH 4               /* fixed ICMP header length */
  #define UDP_HEADLENGTH  8               /* fixed UDP header length */
*** sn_packets.c	Fri Apr 18 11:33:58 1997
--- sn_packets.c	Thu Aug 22 19:18:51 1985
***************
*** 43,48 ****
--- 43,49 ----
  	struct UDP_header UDPhead;
  
  	int i;
+  	short int dummy; /* 2 bytes, important */
  
  	memcpy(&IPhead,(sp+PROTO_HEAD),sizeof(struct IP_header));
                                                    /* IP header Conversion */
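Review bot: The declaration `short int dummy; /* 2 bytes, important */` makes the fragment test depend on `short` being exactly 16 bits and on signed arithmetic. In the later hunk that uses it (`dummy=ntohs(IPhead.flag_offset); dummy<<=3;`), a packet with the reserved top flag bit set yields a negative `short` on common platforms, and left-shifting a negative value is undefined behaviour. Masking the 13 offset bits directly avoids both the helper variable and the width assumption: `if ((ntohs(IPhead.flag_offset) & 0x1FFF) != 0)`. The enclosing function starts and ends outside this hunk.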
***************
*** 51,56 ****
--- 52,58 ----
  	unwrapped->TCP_len = 0;         	/* Reset structure NEEDED!!! */
  	unwrapped->UDP_len = 0;
  	unwrapped->DATA_len = 0;
+ 	unwrapped->FRAG_nf = 0;
          
  	if(NO_CHKSUM == 0)
  		{
***************
*** 75,106 ****
  					/* restore orig buffer      */
          			 	/* general programming rule */
  		}
  	if(IPhead.protocol == TCP )		             /* TCP */
  		{
! 		memcpy(&TCPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  						sizeof(struct TCP_header));
! 		unwrapped->TCP_len = ntohs(TCPhead.offset_flag) & 0xF000;
! 		unwrapped->TCP_len >>= 10; 
! 		unwrapped->DATA_len = ntohs(IPhead.length) -
  				(unwrapped->IP_len) - (unwrapped->TCP_len); 
  		return TCP;
  		}
  	if(IPhead.protocol == ICMP )		             /* ICMP */
  		{
! 		memcpy(&ICMPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  						sizeof(struct ICMP_header));
! 		unwrapped->ICMP_len = ICMP_HEADLENGTH;
! 		unwrapped->DATA_len = ntohs(IPhead.length) -
  				(unwrapped->IP_len) - (unwrapped->ICMP_len); 
! 		return ICMP; 
  		}
  	if(IPhead.protocol == UDP )		               /* UDP */
  		{
! 		memcpy(&UDPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  						sizeof(struct UDP_header));
! 		unwrapped->UDP_len = UDP_HEADLENGTH;
! 		unwrapped->DATA_len = ntohs(IPhead.length) -
  				(unwrapped->IP_len) - (unwrapped->UDP_len); 
  		return UDP; 
  		}
  	return -1; 
--- 77,150 ----
  					/* restore orig buffer      */
          			 	/* general programming rule */
  		}
+ 
+ #ifdef DEBUG_ONSCREEN
+ 	printf("IPheadlen: %d   total length: %d\n", unwrapped->IP_len,
+ 						    ntohs(IPhead.length)); 
+ #endif
+ 
+         dummy=ntohs(IPhead.flag_offset); dummy<<=3;
+         if( dummy!=0 )                            /* we have offset */
+ 		{
+ 		unwrapped->FRAG_nf = 1;
+                 }
+ 
  	if(IPhead.protocol == TCP )		             /* TCP */
  		{
!                 if(unwrapped->FRAG_nf == 0)
!                   {  
! 		  if( (ntohs(IPhead.length)-(unwrapped->IP_len))<20 )
! 		    {return CORRUPT_IP;};
! 
! 		  memcpy(&TCPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  						sizeof(struct TCP_header));
! 		  unwrapped->TCP_len = ntohs(TCPhead.offset_flag) & 0xF000;
! 		  unwrapped->TCP_len >>= 10; 
! 		  unwrapped->DATA_len = ntohs(IPhead.length) -
  				(unwrapped->IP_len) - (unwrapped->TCP_len); 
+                   }
+                 else
+                   {
+ 		  unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len);
+                   }
  		return TCP;
  		}
  	if(IPhead.protocol == ICMP )		             /* ICMP */
  		{
!                 if(unwrapped->FRAG_nf == 0)
!                   {  
! 		  if( (ntohs(IPhead.length)-(unwrapped->IP_len))<4 )
! 		    {return CORRUPT_IP;};
! 
! 		  memcpy(&ICMPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  						sizeof(struct ICMP_header));
! 		  unwrapped->ICMP_len = ICMP_HEADLENGTH;
! 		  unwrapped->DATA_len = ntohs(IPhead.length) -
  				(unwrapped->IP_len) - (unwrapped->ICMP_len); 
! 		  return ICMP;
! 		  }
!                 else
!                   {
!                   return -1; /* don't handle fragmented ICMP */
!                   } 
  		}
  	if(IPhead.protocol == UDP )		               /* UDP */
  		{
!                 if(unwrapped->FRAG_nf == 0)
!                   {  
! 		  if( (ntohs(IPhead.length)-(unwrapped->IP_len))<8 )
! 		    {return CORRUPT_IP;};
! 
!   		  memcpy(&UDPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  						sizeof(struct UDP_header));
! 		  unwrapped->UDP_len = UDP_HEADLENGTH;
! 		  unwrapped->DATA_len = ntohs(IPhead.length) -
  				(unwrapped->IP_len) - (unwrapped->UDP_len); 
+ 		  }
+                 else
+ 		  {
+ 		  unwrapped->DATA_len = ntohs(IPhead.length)-(unwrapped->IP_len); 
+ 		  }
  		return UDP; 
  		}
  	return -1; 
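Review bot: In the TCP branch the new `<20` test only bounds the IP payload against the minimum TCP header; `TCP_len` is still taken from the packet's data-offset field unchecked, so an offset larger than the payload leaves `DATA_len` negative and an offset below five words gives a header shorter than 20 bytes. After `unwrapped->TCP_len >>= 10;` I would add `if (unwrapped->TCP_len < 20 || unwrapped->TCP_len > ntohs(IPhead.length) - unwrapped->IP_len) return CORRUPT_IP;`. All three checks also trust the IP header's own length field; whether the buffer behind `sp` really holds that many captured bytes is not visible here, so the `memcpy` calls may still need a bound against the capture length. The literals `4` and `8` in the ICMP and UDP checks duplicate `ICMP_HEADLENGTH` and `UDP_HEADLENGTH` from sn_defines.h and could use them. The function body starts and ends outside the hunk.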
*** sn_packetstructs.h	Fri Apr 18 11:33:58 1997
--- sn_packetstructs.h	Thu Jul 24 16:17:20 1997
***************
*** 44,51 ****
  	unsigned short length, checksum;
  };
  
! struct unwrap                                           /* some extra info */
  {
  	int IP_len, TCP_len, ICMP_len, UDP_len;         /* header lengths */ 
  	int DATA_len;
  };
--- 44,52 ----
  	unsigned short length, checksum;
  };
  
! struct unwrap                                          /* some extra info */
  {
  	int IP_len, TCP_len, ICMP_len, UDP_len;         /* header lengths */ 
  	int DATA_len;
+ 	char FRAG_nf;                           /* not the first fragment */
  };
*** sniffit.0.3.5.c	Fri Apr 18 11:33:58 1997
--- sniffit.0.3.5.c	Thu Aug 22 19:19:49 1985
***************
*** 411,421 ****
--- 411,427 ----
  	proto=unwrap_packet(sp, info); 
  	if(proto == NO_IP)	return DONT_EXAMINE; /* no use in trying */
  	if(proto == NO_IP_4)	return DONT_EXAMINE; /* no use in trying */
+ 	if(proto == CORRUPT_IP)	
+ 	  {printf("Suspicious Packet detected... (Split header)\n");
+ 	   return DONT_EXAMINE;}
  
          memcpy(&iphead,(sp+PROTO_HEAD),sizeof(struct IP_header));
  	so=(unsigned char *)&(iphead.source);
         	dest=(unsigned char *)&(iphead.destination);
  
+ 	if(info->FRAG_nf!=0)
+ 	  {printf("Fragment Skipped...\n"); return DONT_EXAMINE; };
+ 
  	if((proto==TCP)&&(PROTOCOLS&F_TCP)) 
  		{
  #ifdef DEBUG_ONSCREEN
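Review bot: The two added `printf` calls emit one line on stdout for every short-header packet and every non-first fragment, so the volume of output is controlled by whoever is sending traffic and, presumably, mixes into whatever the selected output mode prints. The second hunk in this file drops the same packets silently; this path could do the same, or gate the messages with `#ifdef DEBUG_ONSCREEN` as the diagnostic added in sn_packets.c does. If the CORRUPT_IP message is meant as a detection signal, it would be more useful placed after the `memcpy(&iphead, ...)` so it can report the source and destination addresses. The message text "Split header" is also narrower than the condition, which fires for any payload shorter than the fixed transport header. The enclosing function starts and ends outside the hunk.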
***************
*** 1220,1225 ****
--- 1226,1235 ----
  	proto=unwrap_packet(sp, info);
  	if(proto == NO_IP)	return DONT_EXAMINE; /* no use in trying */
  	if(proto == NO_IP_4)	return DONT_EXAMINE; /* no use in trying */
+ 	if(proto == CORRUPT_IP)	return DONT_EXAMINE; /* no use in trying */
+ 
+ 	if(info->FRAG_nf!=0)
+ 	  {return DONT_EXAMINE; };
  
  	(*IP_nr_of_packets)++;
  	if(proto==ICMP)  
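Review bot: The new early returns for `CORRUPT_IP` and `info->FRAG_nf!=0` sit before `(*IP_nr_of_packets)++`, so malformed packets and non-first fragments are left out of the IP packet count even though they are IPv4 traffic. If the counter is meant to reflect everything seen on the wire, move the increment above these two checks; if the omission is intended, a comment such as `/* fragments and corrupt headers are not counted */` would make that explicit. The enclosing function starts and ends outside the hunk.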
