QUIC: changed copy whole packet payload to copy only header

Author: lukacan

process/quic.cpp

@@ -771,6 +771,26 @@ bool QUICPlugin::quic_decrypt_header()
    first_byte ^= mask[0] & 0x0f;
    uint8_t pkn_len = (first_byte & 0x03) + 1;
 
+   // after de-obfuscating pkn, we know exactly pkn length so we can correctly adjust start of payload
+   DEBUG_MSG("PPKN LEN %d\n",pkn_len);
+   payload     = payload + pkn_len;
+   payload_len = payload_len - pkn_len;
+   DEBUG_MSG("PAYLOAD LEN %d\n",payload_len);
+
+
+   // SET HEADER LENGTH, if header length is set incorrectly AEAD will calculate wrong tag, so decryption will fail
+   header_len = payload - header;
+
+   if(header_len > MAX_HEADER_LEN)
+   {
+      DEBUG_MSG("Header length too long\n");
+      return false;
+   }
+
+   memcpy(tmp_header_mem,header, header_len);
+   header = tmp_header_mem;
+
+
    // set deobfuscated first byte
    header[0] = first_byte;
 
@@ -784,17 +804,6 @@ bool QUICPlugin::quic_decrypt_header()
       packet_number |= (full_pkn[i] ^ mask[1 + i]) << (8 * (pkn_len - 1 - i));
    }
 
-
-   // after de-obfuscating pkn, we know exactly pkn length so we can correctly adjust start of payload
-   DEBUG_MSG("PPKN LEN %d\n",pkn_len);
-   payload     = payload + pkn_len;
-   payload_len = payload_len - pkn_len;
-
-   DEBUG_MSG("PAYLOAD LEN %d\n",payload_len);
-
-   // SET HEADER LENGTH, if header length is set incorrectly AEAD will calculate wrong tag, so decryption will fail
-   header_len = payload - header;
-
    // set decrypted packet number
    for (unsigned i = 0; i < pkn_len; i++) {
       header[header_len - 1 - i] = (uint8_t) (packet_number >> (8 * i));
@@ -1114,17 +1123,16 @@ bool QUICPlugin::quic_parse_data(const Packet &pkt,RecordExtQUIC * rec)
       return false;
    }
 
-
-   memcpy(tmp_packet_mem,pkt.payload,sizeof(uint8_t) * pkt.payload_len);   
-   uint8_t *tmp_pointer       = tmp_packet_mem;
+  
+   uint8_t *tmp_pointer       = pkt.payload;
 
    uint64_t offset = 0;
-   const uint8_t *payload_end = (uint8_t *) tmp_packet_mem + pkt.payload_len;
+   const uint8_t *payload_end = (uint8_t *) pkt.payload + pkt.payload_len;
 
 
 
    // set header pointer to the start of header
-   header = tmp_packet_mem;
+   header = pkt.payload;
 
 
 
@@ -1189,7 +1197,7 @@ bool QUICPlugin::quic_parse_data(const Packet &pkt,RecordExtQUIC * rec)
       return false;
    }
 
-   // after this offset should point after the token
+   // after this, offset should point after the token
    offset += token_length;
 
    if ((tmp_pointer + offset) > payload_end) {
@@ -1269,7 +1277,7 @@ bool QUICPlugin::process_quic(RecordExtQUIC *quic_data, const Packet &pkt)
    //buffer for reassembled payload
    memset(assembled_payload,0,CURRENT_BUFFER_SIZE);
    // buffer for raw data (quic content copied here)
-   memset(tmp_packet_mem,0,CURRENT_BUFFER_SIZE);
+   memset(tmp_header_mem,0,MAX_HEADER_LEN);
 
    // check if packet contains LONG HEADER and is of type INITIAL
    if (pkt.ip_proto != 17 || !quic_check_initial(pkt.payload[0])) {

process/quic.hpp

@@ -98,6 +98,11 @@ UR_FIELDS(
 
 
 #define CURRENT_BUFFER_SIZE     1500
+// first byte (1) + version (4) + dcid length (1) + dcid (20) + scid length (1) + scid (20) + 
+// token length (variable so max is 8) + token (idk) + length (max 8) + pkt number (4)  
+// cant figure out if token length has any boundaries, teoretically 8 byte version of token length
+// means 2^64 as max length
+#define MAX_HEADER_LEN          1 + 4 + 1 + 20 + 1 + 20 + 8 + 100 + 8 + 4
 
 
 // Frame types which can occure in Initial packets
@@ -303,7 +308,9 @@ class QUICPlugin : public ProcessPlugin
    uint8_t assembled_payload[CURRENT_BUFFER_SIZE];
 
 
-   uint8_t tmp_packet_mem[CURRENT_BUFFER_SIZE];
+
+   uint8_t tmp_header_mem[MAX_HEADER_LEN];
+
    uint8_t *final_payload;