ebpf,dns: initialized structs

On the previus commit we just disabled dns uprobes for armhf/i386 to avoid loading errors. A better fix is to initialized the structs used. On armhf still fails after loading it, when attaching to the uprobes (offsets?), and on i386 it doesn't seem to send anything to userspace (more analysis needed). - Increased the number of IPs associated with a domain that are delivered to userspace. (getfedora.org returns 30 ipv4+ipv6). - Fixed getting the aliases of a domain when using gethostbyname(). (cherry picked from commit 27509d6)
evilsocket · Jan 26, 2024 · 9a6dfe7 · 9a6dfe7
1 parent 0a8827d
commit 9a6dfe7
Showing 1 changed file with 7 additions and 20 deletions.
diff --git a/ebpf_prog/opensnitch-dns.c b/ebpf_prog/opensnitch-dns.c
@@ -33,8 +33,9 @@
 
 //-----------------------------------
 
+// random values
 #define MAX_ALIASES 5
-#define MAX_IPS 5
+#define MAX_IPS 30
 
 struct nameLookupEvent {
     u32 addr_type;
@@ -104,8 +105,6 @@ int uretprobe__gethostbyname(struct pt_regs *ctx) {
     char **ips = {0};
     bpf_probe_read(&ips, sizeof(ips), &host->h_addr_list);
 
-#if !defined(__i386__) && !defined(__arm__)
-
 #pragma clang loop unroll(full)
     for (int i = 0; i < MAX_IPS; i++) {
         char *ip={0};
@@ -134,7 +133,7 @@ int uretprobe__gethostbyname(struct pt_regs *ctx) {
 #pragma clang loop unroll(full)
         for (int j = 0; j < MAX_ALIASES; j++) {
             char *alias = {0};
-            bpf_probe_read(&alias, sizeof(alias), &aliases[i]);
+            bpf_probe_read(&alias, sizeof(alias), &aliases[j]);
 
             if (alias == NULL) {
                 return 0;
@@ -145,8 +144,6 @@ int uretprobe__gethostbyname(struct pt_regs *ctx) {
         }
     }
 
-#endif
-
     return 0;
 }
 
@@ -188,15 +185,11 @@ int ret_addrinfo(struct pt_regs *ctx) {
     }
 
     struct addrinfo **res_p={0};
-    __builtin_memset(&res_p, 0, sizeof(res_p));
     bpf_probe_read(&res_p, sizeof(res_p), &addrinfo_args->addrinfo_ptr);
 
-#if !defined(__i386__) && !defined(__arm__)
-
 #pragma clang loop unroll(full)
     for (int i = 0; i < MAX_IPS; i++) {
-        struct addrinfo *res = {0};
-       __builtin_memset(&res, 0, sizeof(res));
+        struct addrinfo *res={0};
         bpf_probe_read(&res, sizeof(res), res_p);
         if (res == NULL) {
             goto out;
@@ -206,38 +199,32 @@ int ret_addrinfo(struct pt_regs *ctx) {
 
         if (data.addr_type == AF_INET) {
             struct sockaddr_in *ipv4={0};
-            __builtin_memset(&ipv4, 0, sizeof(ipv4));
             bpf_probe_read(&ipv4, sizeof(ipv4), &res->ai_addr);
             // Only copy the 4 relevant bytes
             bpf_probe_read_user(&data.ip, 4, &ipv4->sin_addr);
         } else if(data.addr_type == AF_INET6) {
             struct sockaddr_in6 *ipv6={0};
-            __builtin_memset(&ipv6, 0, sizeof(ipv6));
             bpf_probe_read(&ipv6, sizeof(ipv6), &res->ai_addr);
 
             bpf_probe_read_user(&data.ip, sizeof(data.ip), &ipv6->sin6_addr);
         } else {
-			goto out;
-		}
+            goto out;
+        }
 
         bpf_probe_read_kernel_str(&data.host, sizeof(data.host),
                                   &addrinfo_args->node);
 
         bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data,
                               sizeof(data));
 
-
         struct addrinfo * next={0};
-        __builtin_memset(&next, 0, sizeof(next));
         bpf_probe_read(&next, sizeof(next), &res->ai_next);
         if (next == NULL){
             goto out;
         }
-		res_p = &next;
+        res_p = &next;
     }
 
-#endif
-
 out:
     bpf_map_delete_elem(&addrinfo_args_hash, &tid);