From 1c10c4278d68b88e9dcb020845aaf58aba90292c Mon Sep 17 00:00:00 2001 From: Muhammad Iqbal Alaydrus Date: Fri, 26 Jan 2024 16:56:21 +0700 Subject: [PATCH 1/3] protection against uint64 overflow - some flow might have startime/endtime larger than uptime --- producer/proto/producer_nf.go | 8 ++++---- producer/proto/producer_test.go | 24 +++++++++++++++++++++--- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/producer/proto/producer_nf.go b/producer/proto/producer_nf.go index d57925cc..79a8f87b 100644 --- a/producer/proto/producer_nf.go +++ b/producer/proto/producer_nf.go @@ -544,15 +544,15 @@ func ConvertNetFlowDataSet(flowMessage *ProtoProducerMessage, version uint16, ba if err := DecodeUNumber(v, &timeFirstSwitched); err != nil { return err } - timeDiff := (uptime - timeFirstSwitched) - flowMessage.TimeFlowStartNs = baseTimeNs - uint64(timeDiff)*1000000000 + timeDiff := (int64(uptime) - int64(timeFirstSwitched)) + flowMessage.TimeFlowStartNs = uint64(int64(baseTime)*1000-timeDiff) * 1000000 case netflow.NFV9_FIELD_LAST_SWITCHED: var timeLastSwitched uint32 if err := DecodeUNumber(v, &timeLastSwitched); err != nil { return err } - timeDiff := (uptime - timeLastSwitched) - flowMessage.TimeFlowEndNs = baseTimeNs - uint64(timeDiff)*1000000000 + timeDiff := (int64(uptime) - int64(timeLastSwitched)) + flowMessage.TimeFlowEndNs = uint64(int64(baseTime)*1000-timeDiff) * 1000000 } } else if version == 10 { switch df.Type { diff --git a/producer/proto/producer_test.go b/producer/proto/producer_test.go index dc4d56b8..e6de30a6 100644 --- a/producer/proto/producer_test.go +++ b/producer/proto/producer_test.go @@ -18,6 +18,16 @@ func TestProcessMessageNetFlow(t *testing.T) { Type: netflow.NFV9_FIELD_IPV4_SRC_ADDR, Value: []byte{10, 0, 0, 1}, }, + netflow.DataField{ + Type: netflow.NFV9_FIELD_FIRST_SWITCHED, + // 218432176 + Value: []byte{0x0d, 0x05, 0x02, 0xb0}, + }, + netflow.DataField{ + Type: netflow.NFV9_FIELD_LAST_SWITCHED, + // 218432192 + Value: []byte{0x0d, 0x05, 0x02, 0xc0}, + }, }, }, } @@ -28,11 +38,19 @@ func TestProcessMessageNetFlow(t *testing.T) { } pktnf9 := netflow.NFv9Packet{ - FlowSets: dfs, + SystemUptime: 218432000, + UnixSeconds: 1705732882, + FlowSets: dfs, } testsr := &SingleSamplingRateSystem{1} - _, err := ProcessMessageNetFlowV9Config(&pktnf9, testsr, nil) - assert.Nil(t, err) + msgs, err := ProcessMessageNetFlowV9Config(&pktnf9, testsr, nil) + if assert.Nil(t, err) && assert.Len(t, msgs, 1) { + msg, ok := msgs[0].(*ProtoProducerMessage) + if assert.True(t, ok) { + assert.Equal(t, msg.TimeFlowStartNs, uint64(1705732882176000000)) + assert.Equal(t, msg.TimeFlowEndNs, uint64(1705732882192000000)) + } + } pktipfix := netflow.IPFIXPacket{ FlowSets: dfs, From 41e41c6c3e487baea43613a4d7d8ac923346eee9 Mon Sep 17 00:00:00 2001 From: Muhammad Iqbal Alaydrus Date: Fri, 26 Jan 2024 20:24:30 +0700 Subject: [PATCH 2/3] fix mpls label decoding --- producer/proto/producer_nf.go | 8 ++++++-- producer/proto/producer_test.go | 11 +++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/producer/proto/producer_nf.go b/producer/proto/producer_nf.go index 79a8f87b..2a48c83b 100644 --- a/producer/proto/producer_nf.go +++ b/producer/proto/producer_nf.go @@ -518,7 +518,9 @@ func ConvertNetFlowDataSet(flowMessage *ProtoProducerMessage, version uint16, ba return err } if len(flowMessage.MplsLabel) < 2 { - flowMessage.MplsLabel = make([]uint32, 2) + tmpLabels := make([]uint32, 2) + copy(tmpLabels, flowMessage.MplsLabel) + flowMessage.MplsLabel = tmpLabels } flowMessage.MplsLabel[1] = uint32(mplsLabel >> 4) case netflow.IPFIX_FIELD_mplsLabelStackSection3: @@ -527,7 +529,9 @@ func ConvertNetFlowDataSet(flowMessage *ProtoProducerMessage, version uint16, ba return err } if len(flowMessage.MplsLabel) < 3 { - flowMessage.MplsLabel = make([]uint32, 3) + tmpLabels := make([]uint32, 3) + copy(tmpLabels, flowMessage.MplsLabel) + flowMessage.MplsLabel = tmpLabels } flowMessage.MplsLabel[2] = uint32(mplsLabel >> 4) case netflow.IPFIX_FIELD_mplsTopLabelIPv4Address: diff --git a/producer/proto/producer_test.go b/producer/proto/producer_test.go index e6de30a6..38b82628 100644 --- a/producer/proto/producer_test.go +++ b/producer/proto/producer_test.go @@ -28,6 +28,16 @@ func TestProcessMessageNetFlow(t *testing.T) { // 218432192 Value: []byte{0x0d, 0x05, 0x02, 0xc0}, }, + netflow.DataField{ + Type: netflow.NFV9_FIELD_MPLS_LABEL_1, + // 24041 + Value: []byte{0x05, 0xde, 0x94}, + }, + netflow.DataField{ + Type: netflow.NFV9_FIELD_MPLS_LABEL_2, + // 211992 + Value: []byte{0x33, 0xc1, 0x85}, + }, }, }, } @@ -49,6 +59,7 @@ func TestProcessMessageNetFlow(t *testing.T) { if assert.True(t, ok) { assert.Equal(t, msg.TimeFlowStartNs, uint64(1705732882176000000)) assert.Equal(t, msg.TimeFlowEndNs, uint64(1705732882192000000)) + assert.Equal(t, msg.MplsLabel, []uint32{24041, 211992}) } } From a002158b79b1b6ef8e8c5c8f4e60f96c72a2c59c Mon Sep 17 00:00:00 2001 From: Muhammad Iqbal Alaydrus Date: Fri, 26 Jan 2024 20:29:40 +0700 Subject: [PATCH 3/3] update mpls label test case to cover 3 stacks --- producer/proto/producer_test.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/producer/proto/producer_test.go b/producer/proto/producer_test.go index 38b82628..9db883e8 100644 --- a/producer/proto/producer_test.go +++ b/producer/proto/producer_test.go @@ -38,6 +38,11 @@ func TestProcessMessageNetFlow(t *testing.T) { // 211992 Value: []byte{0x33, 0xc1, 0x85}, }, + netflow.DataField{ + Type: netflow.NFV9_FIELD_MPLS_LABEL_3, + // 48675 + Value: []byte{0x0b, 0xe2, 0x35}, + }, }, }, } @@ -59,7 +64,7 @@ func TestProcessMessageNetFlow(t *testing.T) { if assert.True(t, ok) { assert.Equal(t, msg.TimeFlowStartNs, uint64(1705732882176000000)) assert.Equal(t, msg.TimeFlowEndNs, uint64(1705732882192000000)) - assert.Equal(t, msg.MplsLabel, []uint32{24041, 211992}) + assert.Equal(t, msg.MplsLabel, []uint32{24041, 211992, 48675}) } }