Treat SPI field in ESP/SA configuration as string only if wildcards are used.

Otherwise convert the SPI field to a number, which allows more user flexibility in SPI format. Bug: 12567 Change-Id: I646f0aeeeec4ca4302eb7d5172af9218e88b289f Reviewed-on: https://code.wireshark.org/review/16248 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-07-02 16:08:58 -04:00 · 2016-07-02 16:08:58 -04:00 · 1e8ed70e13
parent 3f8049099e
commit 1e8ed70e13
1 changed files with 21 additions and 15 deletions
--- a/epan/dissectors/packet-ipsec.c
+++ b/epan/dissectors/packet-ipsec.c
@ -964,11 +964,11 @@ filter_address_match(gchar *addr, gchar *filter, gint typ)
   Description : check the matching of a spi with a filter
   Return : Return TRUE if the filter matches the spi.
   Params:
-      - gchar *spi : the spi to check
+      - guint spi : the spi to check
      - gchar *filter : the filter
 */
 static gboolean
-filter_spi_match(gchar *spi, gchar *filter)
+filter_spi_match(guint spi, gchar *filter)
 {
  guint i;
  guint filter_len = (guint)strlen(filter);
@ -976,22 +976,31 @@ filter_spi_match(gchar *spi, gchar *filter)
  /* "*" matches against anything */
  if((filter_len == 1) && (filter[0] == IPSEC_SA_WILDCARDS_ANY))
    return TRUE;
-  /* Otherwise lengths need to match exactly... */
-  else if(strlen(spi) != filter_len)
-    return FALSE;

-  /* ... which means '*' can only appear in the last position of the filter? */
-  /* Start at 2, don't compare "0x" each time */
-  for(i = 2; filter[i]; i++)
-    if((filter[i] != IPSEC_SA_WILDCARDS_ANY) && (filter[i] != spi[i]))
+  /* If the filter has a wildcard, treat SPI as a string */
+  if (strchr(filter, IPSEC_SA_WILDCARDS_ANY) != NULL) {
+    gchar spi_string[IPSEC_SPI_LEN_MAX];
+
+    g_snprintf(spi_string, IPSEC_SPI_LEN_MAX,"0x%08x", spi);
+
+    /* Lengths need to match exactly... */
+    if(strlen(spi_string) != filter_len)
      return FALSE;

+    /* ... which means '*' can only appear in the last position of the filter? */
+    /* Start at 2, don't compare "0x" each time */
+    for(i = 2; filter[i]; i++)
+      if((filter[i] != IPSEC_SA_WILDCARDS_ANY) && (filter[i] != spi_string[i]))
+        return FALSE;
+  } else if (strtoul(filter, NULL, 0) != spi) {
+    return FALSE;
+  }
  return TRUE;
 }


 /*
-   Name : static goolean get_esp_sa(g_esp_sa_database *sad, gint protocol_typ, gchar *src,  gchar *dst,  gint spi,
+   Name : static goolean get_esp_sa(g_esp_sa_database *sad, gint protocol_typ, gchar *src,  gchar *dst,  guint spi,
           gint *encryption_algo,
           gint *authentication_algo,
           gchar **encryption_key,
@ -1022,7 +1031,7 @@ filter_spi_match(gchar *spi, gchar *filter)

 */
 static gboolean
-get_esp_sa(gint protocol_typ, gchar *src,  gchar *dst,  gint spi,
+get_esp_sa(gint protocol_typ, gchar *src,  gchar *dst,  guint spi,
           gint *encryption_algo,
           gint *authentication_algo,
           gchar **encryption_key,
@ -1035,9 +1044,6 @@ get_esp_sa(gint protocol_typ, gchar *src,  gchar *dst,  gint spi,
 {
  gboolean found = FALSE;
  guint i, j;
-  gchar spi_string[IPSEC_SPI_LEN_MAX];
-
-  g_snprintf(spi_string, IPSEC_SPI_LEN_MAX,"0x%08x", spi);

  *cipher_hd = NULL;
  *cipher_hd_created = NULL;
@ -1059,7 +1065,7 @@ get_esp_sa(gint protocol_typ, gchar *src,  gchar *dst,  gint spi,
    if((protocol_typ == record->protocol)
       && filter_address_match(src, record->srcIP, protocol_typ)
       && filter_address_match(dst, record->dstIP, protocol_typ)
-       && filter_spi_match(spi_string, record->spi))
+       && filter_spi_match(spi, record->spi))
    {
      found = TRUE;