dnscap/src/tcpstate.c

/*
 * Copyright (c) 2018-2023, OARC, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. Neither the name of the copyright holder nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include "config.h"

#include "tcpstate.h"
#include "iaddr.h"
#include "log.h"
#include "tcpreasm.h"
#include "hashtbl.h"

#ifndef s6_addr32
#define s6_addr32 __u6_addr.__u6_addr32
#endif

#define MAX_TCP_IDLE_TIME 600
#define MAX_TCP_IDLE_COUNT 4096
#define TCP_GC_TIME 60

static hashtbl* _hash = 0;

tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t)
{
    static time_t next_gc = 0;
    tcpstate_ptr  tcpstate;

#ifndef __clang_analyzer__
    /* disabled during scan-build due to false-positives */
    if (t >= next_gc || tcpstate_count > MAX_TCP_IDLE_COUNT) {
        /* garbage collect stale states */
        while ((tcpstate = TAIL(tcpstates)) && tcpstate->last_use < t - MAX_TCP_IDLE_TIME) {
            tcpstate_discard(tcpstate, "gc stale");
        }
        next_gc = t + TCP_GC_TIME;
    }
#endif

    tcpstate_key key = {
        .saddr = &from,
        .daddr = &to,
        .sport = sport,
        .dport = dport
    };

    tcpstate = hash_find(&key, _hash);

    if (tcpstate != NULL) {
        tcpstate->last_use = t;
        if (tcpstate != HEAD(tcpstates)) {
            /* move to beginning of list */
            UNLINK(tcpstates, tcpstate, link);
            PREPEND(tcpstates, tcpstate, link);
        }
    }

    return tcpstate;
}

unsigned int tcpstate_hash(const tcpstate_key* key)
{
    uint32_t h = 0;

    switch (key->saddr->af) {
    case AF_INET:
        h = hashword(&key->saddr->u.a4.s_addr, 1, h);
        break;
    case AF_INET6:
        h = hashword(key->saddr->u.a6.s6_addr32, 4, h);
        break;
    }

    switch (key->daddr->af) {
    case AF_INET:
        h = hashword(&key->daddr->u.a4.s_addr, 1, h);
        break;
    case AF_INET6:
        h = hashword(key->daddr->u.a6.s6_addr32, 4, h);
        break;
    }

    uint32_t p = (key->sport << 16) | (key->dport & 0xffff);
    return hashword(&p, 1, h);
}

int tcpstate_cmp(const tcpstate_key* a, const tcpstate_key* b)
{
    if (ia_equalp(a->saddr, b->saddr) && ia_equalp(a->daddr, b->daddr) && a->sport == b->sport && a->dport == b->dport)
        return 0;
    return 1;
}

tcpstate_ptr _curr_tcpstate = 0;

tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport)
{
    if (!_hash) {
        _hash = hash_create(65535, (hashkey_func)tcpstate_hash, (hashkeycmp_func)tcpstate_cmp, 0);
        assert(_hash);
    }
    tcpstate_ptr tcpstate = calloc(1, sizeof *tcpstate);
    if (tcpstate == NULL) {
        /* Out of memory; recycle the least recently used */
        logerr("warning: out of memory, "
               "discarding some TCP state early");
        tcpstate = TAIL(tcpstates);
        assert(tcpstate != NULL);
        UNLINK(tcpstates, tcpstate, link);
        if (tcpstate->reasm) {
            tcpreasm_free(tcpstate->reasm);
        }
        if (_curr_tcpstate == tcpstate) {
            _curr_tcpstate = 0;
        }
        hash_remove(&tcpstate->key, _hash);
        memset(tcpstate, 0, sizeof(*tcpstate));
    } else {
        tcpstate_count++;
    }
    tcpstate->saddr = from;
    tcpstate->daddr = to;
    tcpstate->sport = sport;
    tcpstate->dport = dport;
    INIT_LINK(tcpstate, link);
    PREPEND(tcpstates, tcpstate, link);

    tcpstate->key.saddr = &tcpstate->saddr;
    tcpstate->key.daddr = &tcpstate->daddr;
    tcpstate->key.sport = sport;
    tcpstate->key.dport = dport;
    hash_add(&tcpstate->key, tcpstate, _hash);

    return tcpstate;
}

tcpstate_ptr tcpstate_getcurr(void)
{
    return _curr_tcpstate;
}

/* Discard this packet.  If it's part of TCP stream, all subsequent pkts on
 * the same tcp stream will also be discarded. */
void tcpstate_discard(tcpstate_ptr tcpstate, const char* msg)
{
    if (dumptrace >= 3 && msg)
        fprintf(stderr, "discarding packet: %s\n", msg);
    if (tcpstate) {
        UNLINK(tcpstates, tcpstate, link);
        if (tcpstate->reasm) {
            tcpreasm_free(tcpstate->reasm);
        }
        hash_remove(&tcpstate->key, _hash);
        free(tcpstate);
        if (_curr_tcpstate == tcpstate) {
            _curr_tcpstate = 0;
        }
        tcpstate_count--;
    }
}

void tcpstate_reset(tcpstate_ptr tcpstate, const char* msg)
{
    if (options.allow_reset_tcpstate && tcpstate) {
        if (dumptrace >= 3 && msg)
            fprintf(stderr, "resetting tcpstate: %s\n", msg);

        tcpstate->start   = tcpstate->currseq;
        tcpstate->maxdiff = 0;
        tcpstate->dnslen  = 0;
        tcpstate->lastdns = tcpstate->currseq + tcpstate->currlen;

        if (tcpstate->reasm) {
            tcpreasm_reset(tcpstate->reasm);
            tcpstate->reasm->seq_start = tcpstate->start;
        }
    }
}

void tcpstate_free(tcpstate_ptr tcpstate)
{
    if (tcpstate) {
        UNLINK(tcpstates, tcpstate, link);
        if (tcpstate->reasm) {
            tcpreasm_free(tcpstate->reasm);
        }
        hash_remove(&tcpstate->key, _hash);
        free(tcpstate);
        if (_curr_tcpstate == tcpstate) {
            _curr_tcpstate = 0;
        }
        tcpstate_count--;
    }
}