diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c index 9702f4187..cccb3ecc4 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c @@ -32,7 +32,7 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t /** * PA-TNC Error Attribute Type (see section 4.2.8 of RFC 5792) * - * 1 2 3 + * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -50,7 +50,7 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t /** * All Error Types return the first 8 bytes of the erroneous PA-TNC message * - * 1 2 3 + * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Version | Copy of Reserved | @@ -61,10 +61,19 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t #define PA_ERROR_MSG_INFO_SIZE 8 +/** + * "Invalid Parameter" Error Code + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Offset | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + /** * "Version Not Supported" Error Code * - * 1 2 3 + * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Max Version | Min Version | Reserved | @@ -137,6 +146,11 @@ struct private_ietf_attr_pa_tnc_error_t { */ chunk_t attr_info; + /** + * PA-TNC error offset + */ + u_int32_t error_offset; + /** * Reference count */ @@ -187,6 +201,7 @@ METHOD(pa_tnc_attr_t, build, void, switch (this->error_code) { case PA_ERROR_INVALID_PARAMETER: + writer->write_uint32(writer, this->error_offset); break; case PA_ERROR_VERSION_NOT_SUPPORTED: writer->write_uint8 (writer, PA_TNC_VERSION); @@ -205,13 +220,16 @@ METHOD(pa_tnc_attr_t, build, void, } METHOD(pa_tnc_attr_t, process, status_t, - private_ietf_attr_pa_tnc_error_t *this) + private_ietf_attr_pa_tnc_error_t *this, u_int32_t *offset) { bio_reader_t *reader; u_int8_t reserved; if (this->value.len < PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE) { + DBG1(DBG_TNC, "insufficient data for PA-TNC error header and " + "error information"); + *offset = 0; return FAILED; } reader = bio_reader_create(this->value); @@ -223,6 +241,15 @@ METHOD(pa_tnc_attr_t, process, status_t, switch (this->error_code) { + case PA_ERROR_INVALID_PARAMETER: + if (!reader->read_uint32(reader, &this->error_offset)) + { + reader->destroy(reader); + DBG1(DBG_TNC, "insufficient data for error offset field"); + *offset = PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE; + return FAILED; + } + break; case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED: if (!reader->read_data(reader, PA_ERROR_ATTR_INFO_SIZE, &this->attr_info)) @@ -230,6 +257,7 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->destroy(reader); DBG1(DBG_TNC, "insufficient data for unsupported attribute " "information"); + *offset = PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE; return FAILED; } this->attr_info = chunk_clone(this->attr_info); @@ -291,6 +319,12 @@ METHOD(ietf_attr_pa_tnc_error_t, set_attr_info, void, this->attr_info = chunk_clone(attr_info); } +METHOD(ietf_attr_pa_tnc_error_t, get_offset, u_int32_t, + private_ietf_attr_pa_tnc_error_t *this) +{ + return this->error_offset; +} + /** * Described in header. */ @@ -321,6 +355,7 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id, .get_msg_info = _get_msg_info, .get_attr_info = _get_attr_info, .set_attr_info = _set_attr_info, + .get_offset = _get_offset, }, .vendor_id = PEN_IETF, .type = IETF_ATTR_PA_TNC_ERROR, @@ -333,6 +368,51 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id, return &this->public.pa_tnc_attribute; } +/** + * Described in header. + */ +pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_with_offset(pen_t vendor_id, + u_int32_t error_code, + chunk_t msg_info, + u_int32_t error_offset) +{ + private_ietf_attr_pa_tnc_error_t *this; + + /* the first 8 bytes of the erroneous PA-TNC message are sent back */ + msg_info.len = PA_ERROR_MSG_INFO_SIZE; + + INIT(this, + .public = { + .pa_tnc_attribute = { + .get_vendor_id = _get_vendor_id, + .get_type = _get_type, + .get_value = _get_value, + .get_noskip_flag = _get_noskip_flag, + .set_noskip_flag = _set_noskip_flag, + .build = _build, + .process = _process, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_vendor_id = _get_error_vendor_id, + .get_error_code = _get_error_code, + .get_msg_info = _get_msg_info, + .get_attr_info = _get_attr_info, + .set_attr_info = _set_attr_info, + .get_offset = _get_offset, + }, + .vendor_id = PEN_IETF, + .type = IETF_ATTR_PA_TNC_ERROR, + .error_vendor_id = vendor_id, + .error_code = error_code, + .msg_info = chunk_clone(msg_info), + .error_offset = error_offset, + .ref = 1, + ); + + return &this->public.pa_tnc_attribute; +} + /** * Described in header. */ @@ -356,6 +436,7 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data) .get_msg_info = _get_msg_info, .get_attr_info = _get_attr_info, .set_attr_info = _set_attr_info, + .get_offset = _get_offset, }, .vendor_id = PEN_IETF, .type = IETF_ATTR_PA_TNC_ERROR, diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h index 7f0e0a90a..945e06c62 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h @@ -88,6 +88,14 @@ struct ietf_attr_pa_tnc_error_t { * @param attr_info PA-TNC message info */ void (*set_attr_info)(ietf_attr_pa_tnc_error_t *this, chunk_t attr_info); + + /** + * Get the PA-TNC error offset + * + * @return PA-TNC error offset + */ + u_int32_t (*get_offset)(ietf_attr_pa_tnc_error_t *this); + }; /** @@ -102,6 +110,20 @@ pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_t vendor_id, u_int32_t error_code, chunk_t header); +/** + * Creates an ietf_attr_pa_tnc_error_t object from an error code with offset + * + * @param vendor_id PA-TNC error code vendor ID + * @param error_code PA-TNC error code + * @param header PA-TNC message header (first 8 bytes) + * @param error_offset PA-TNC error offset in bytes + * + */ +pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_with_offset(pen_t vendor_id, + u_int32_t error_code, + chunk_t header, + u_int32_t error_offset); + /** * Creates an ietf_attr_pa_tnc_error_t object from received data * diff --git a/src/libimcv/ietf/ietf_attr_port_filter.c b/src/libimcv/ietf/ietf_attr_port_filter.c index 975aa46ac..c9b76dde5 100644 --- a/src/libimcv/ietf/ietf_attr_port_filter.c +++ b/src/libimcv/ietf/ietf_attr_port_filter.c @@ -137,7 +137,7 @@ METHOD(pa_tnc_attr_t, build, void, } METHOD(pa_tnc_attr_t, process, status_t, - private_ietf_attr_port_filter_t *this) + private_ietf_attr_port_filter_t *this, u_int32_t *offset) { bio_reader_t *reader; port_entry_t *entry; @@ -145,6 +145,9 @@ METHOD(pa_tnc_attr_t, process, status_t, if (this->value.len % PORT_FILTER_ENTRY_SIZE) { + DBG1(DBG_TNC, "ietf port filter attribute value is not a multiple of %d", + PORT_FILTER_ENTRY_SIZE); + *offset = 0; return FAILED; } reader = bio_reader_create(this->value); diff --git a/src/libimcv/ita/ita_attr_command.c b/src/libimcv/ita/ita_attr_command.c index 69eb7b055..dae8e9202 100644 --- a/src/libimcv/ita/ita_attr_command.c +++ b/src/libimcv/ita/ita_attr_command.c @@ -99,7 +99,7 @@ METHOD(pa_tnc_attr_t, build, void, } METHOD(pa_tnc_attr_t, process, status_t, - private_ita_attr_command_t *this) + private_ita_attr_command_t *this, u_int32_t *offset) { this->command = malloc(this->value.len + 1); memcpy(this->command, this->value.ptr, this->value.len); diff --git a/src/libimcv/pa_tnc/pa_tnc_attr.h b/src/libimcv/pa_tnc/pa_tnc_attr.h index 95a596ce0..45d83ae37 100644 --- a/src/libimcv/pa_tnc/pa_tnc_attr.h +++ b/src/libimcv/pa_tnc/pa_tnc_attr.h @@ -75,9 +75,10 @@ struct pa_tnc_attr_t { /** * Process the value of an PA-TNC attribute to extract its parameters * + * @param relative error offset within attribute body * @return result status */ - status_t (*process)(pa_tnc_attr_t *this); + status_t (*process)(pa_tnc_attr_t *this, u_int32_t *offset); /** * Get a new reference to the PA-TNC attribute diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c index eb6c648ca..1b243c692 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.c +++ b/src/libimcv/pa_tnc/pa_tnc_msg.c @@ -173,7 +173,7 @@ METHOD(pa_tnc_msg_t, process, status_t, bio_reader_t *reader; pa_tnc_attr_t *error; u_int8_t version; - u_int32_t reserved; + u_int32_t reserved, offset, attr_offset; /* process message header */ if (this->encoding.len < PA_TNC_HEADER_SIZE) @@ -196,6 +196,9 @@ METHOD(pa_tnc_msg_t, process, status_t, goto err; } + /* offset of the first PA-TNC attribute in the PA-TNC message */ + offset = PA_TNC_HEADER_SIZE; + /* pre-process PA-TNC attributes */ while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE) { @@ -229,17 +232,18 @@ METHOD(pa_tnc_msg_t, process, status_t, { DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length", length); - error = ietf_attr_pa_tnc_error_create(PEN_IETF, - PA_ERROR_INVALID_PARAMETER, this->encoding); + error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF, + PA_ERROR_INVALID_PARAMETER, this->encoding, + offset + PA_TNC_ATTR_INFO_SIZE); goto err; } - length -= PA_TNC_ATTR_HEADER_SIZE; - if (!reader->read_data(reader, length , &value)) + if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value)) { DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value"); - error = ietf_attr_pa_tnc_error_create(PEN_IETF, - PA_ERROR_INVALID_PARAMETER, this->encoding); + error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF, + PA_ERROR_INVALID_PARAMETER, this->encoding, + offset + PA_TNC_ATTR_INFO_SIZE); goto err; } DBG3(DBG_TNC, "%B", &value); @@ -259,17 +263,27 @@ METHOD(pa_tnc_msg_t, process, status_t, else { DBG1(DBG_TNC, "skipping unsupported PA-TNC attribute"); + offset += length; + continue; } } - if (attr->process(attr) != SUCCESS) + if (attr->process(attr, &attr_offset) != SUCCESS) { attr->destroy(attr); - error = ietf_attr_pa_tnc_error_create(PEN_IETF, - PA_ERROR_INVALID_PARAMETER, this->encoding); + if (vendor_id == PEN_IETF && type == IETF_ATTR_PA_TNC_ERROR) + { + /* error while processing a PA-TNC error attribute - abort */ + reader->destroy(reader); + return FAILED; + } + error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF, + PA_ERROR_INVALID_PARAMETER, this->encoding, + offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset); goto err; } add_attribute(this, attr); + offset += length; } if (reader->remaining(reader) == 0) @@ -277,6 +291,9 @@ METHOD(pa_tnc_msg_t, process, status_t, reader->destroy(reader); return SUCCESS; } + DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header"); + error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF, + PA_ERROR_INVALID_PARAMETER, this->encoding, offset); err: reader->destroy(reader); diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c index 6a5ba5e88..ecf758ba0 100644 --- a/src/libimcv/plugins/imc_scanner/imc_scanner.c +++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c @@ -297,6 +297,7 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, ietf_attr_pa_tnc_error_t *error_attr; pa_tnc_error_code_t error_code; chunk_t msg_info, attr_info; + u_int32_t offset; if (attr->get_vendor_id(attr) != PEN_IETF && attr->get_type(attr) != IETF_ATTR_PA_TNC_ERROR) @@ -312,6 +313,10 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, switch (error_code) { + case PA_ERROR_INVALID_PARAMETER: + offset = error_attr->get_offset(error_attr); + DBG1(DBG_IMC, " occurred at offset of %u bytes", offset); + break; case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED: attr_info = error_attr->get_attr_info(error_attr); DBG1(DBG_IMC, " unsupported attribute %#B", &attr_info); diff --git a/src/libimcv/plugins/imc_test/imc_test.c b/src/libimcv/plugins/imc_test/imc_test.c index 8cbfa900b..06cc076db 100644 --- a/src/libimcv/plugins/imc_test/imc_test.c +++ b/src/libimcv/plugins/imc_test/imc_test.c @@ -219,6 +219,7 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, ietf_attr_pa_tnc_error_t *error_attr; pa_tnc_error_code_t error_code; chunk_t msg_info, attr_info; + u_int32_t offset; error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); @@ -228,6 +229,10 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, pa_tnc_error_code_names, error_code, &msg_info); switch (error_code) { + case PA_ERROR_INVALID_PARAMETER: + offset = error_attr->get_offset(error_attr); + DBG1(DBG_IMC, " occurred at offset of %u bytes", offset); + break; case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED: attr_info = error_attr->get_attr_info(error_attr); DBG1(DBG_IMC, " unsupported attribute %#B", &attr_info); diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner.c b/src/libimcv/plugins/imv_scanner/imv_scanner.c index f9d061629..5561e6737 100644 --- a/src/libimcv/plugins/imv_scanner/imv_scanner.c +++ b/src/libimcv/plugins/imv_scanner/imv_scanner.c @@ -228,6 +228,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, ietf_attr_pa_tnc_error_t *error_attr; pa_tnc_error_code_t error_code; chunk_t msg_info, attr_info; + u_int32_t offset; error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); @@ -237,6 +238,10 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, switch (error_code) { + case PA_ERROR_INVALID_PARAMETER: + offset = error_attr->get_offset(error_attr); + DBG1(DBG_IMV, " occurred at offset of %u bytes", offset); + break; case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED: attr_info = error_attr->get_attr_info(error_attr); DBG1(DBG_IMV, " unsupported attribute %#B", &attr_info); diff --git a/src/libimcv/plugins/imv_test/imv_test.c b/src/libimcv/plugins/imv_test/imv_test.c index 22163aefd..ecc5dd9dd 100644 --- a/src/libimcv/plugins/imv_test/imv_test.c +++ b/src/libimcv/plugins/imv_test/imv_test.c @@ -174,6 +174,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, ietf_attr_pa_tnc_error_t *error_attr; pa_tnc_error_code_t error_code; chunk_t msg_info, attr_info; + u_int32_t offset; error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); @@ -183,6 +184,10 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, pa_tnc_error_code_names, error_code, &msg_info); switch (error_code) { + case PA_ERROR_INVALID_PARAMETER: + offset = error_attr->get_offset(error_attr); + DBG1(DBG_IMV, " occurred at offset of %u bytes", offset); + break; case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED: attr_info = error_attr->get_attr_info(error_attr); DBG1(DBG_IMV, " unsupported attribute %#B", &attr_info);