Commit
examples/http_filter: Add pointer offset accounting for variable ip header len (#1868)

This fix adds additional accounting logic to the http_filter examples ("simple" and "complete") that makes sure to shift the pointer for the IP body/payload to the correct offset before accessing TCP header fields. This is done by taking into account the IP header length field.

Previously, the IP header length field was used, but it was done later in processing, after TCP header values were extracted using the size of the BCC `proto.h` `struct ip_t` as a static offset.

Prior to this, it was possible to evade HTTP detection by injecting IP options data into the IP header that would spoof parts of the TCP header and shift the real one down, as done in the scapy snippet below:

```Python
IP(
    dst=target[0],
    options=struct.pack(">BBHHHB",130,11,8080,0,0,0),
)/TCP(
    ...
)
```
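The offset accounting described in the commit message, as an added user-space C example that is not part of the commit or of the BCC code: it reads the TCP destination port once with a static 20-byte IP header offset and once using the IP header length field. The function names, the untagged Ethernet framing and the sample frame (addresses, ports, zero padding of the options) are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN    14  /* Ethernet header without VLAN tag (assumption) */
#define IP_MIN_HLEN 20  /* fixed part of the IPv4 header */

/* Hypothetical helper: TCP destination port at tcp_off, or -1 if truncated. */
static int tcp_dport_at(const uint8_t *pkt, size_t len, size_t tcp_off)
{
    if (tcp_off + 4 > len)
        return -1;
    return (pkt[tcp_off + 2] << 8) | pkt[tcp_off + 3];
}

/* Pre-fix behaviour: treat the IP header as always 20 bytes long. */
int dport_static_offset(const uint8_t *pkt, size_t len)
{
    return tcp_dport_at(pkt, len, ETH_HLEN + IP_MIN_HLEN);
}

/* Post-fix behaviour: use IHL (low nibble of byte 0, in 32-bit words). */
int dport_ihl_offset(const uint8_t *pkt, size_t len)
{
    if (len < ETH_HLEN + IP_MIN_HLEN)
        return -1;
    size_t ip_hlen = (size_t)(pkt[ETH_HLEN] & 0x0F) * 4;
    if (ip_hlen < IP_MIN_HLEN)
        return -1;  /* malformed: IHL below 5 */
    return tcp_dport_at(pkt, len, ETH_HLEN + ip_hlen);
}

/* Constructed frame: IHL=8, i.e. 12 bytes of IP options before the TCP header. */
const uint8_t sample_frame[] = {
    0,0,0,0,0,2, 0,0,0,0,0,1, 0x08,0x00,                       /* Ethernet, IPv4 */
    0x48,0x00,0x00,0x34, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    192,0,2,1, 192,0,2,2,                                      /* src, dst */
    0x82,0x0b,0x1f,0x90, 0,0,0,0, 0,0,0,0,  /* option bytes from the message, zero-padded */
    0x9c,0x40,0x00,0x50, 0,0,0,1, 0,0,0,1, 0x50,0x18,0x20,0x00, 0,0,0,0, /* TCP, dport 80 */
};

int main(void)
{
    printf("static offset: %d\n", dport_static_offset(sample_frame, sizeof sample_frame));
    printf("IHL offset:    %d\n", dport_ihl_offset(sample_frame, sizeof sample_frame));
    return 0;
}
```

With the static offset the parser reads port 8080 out of the options area; with the IHL-based offset it reads the real TCP header and returns 80.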