ipv6: properly deal with packets containing a FH header that has offset 0 and no...

author Victor Julien <victor@inliniac.net>

Fri, 30 Mar 2012 10:43:15 +0000 (12:43 +0200)

committer Victor Julien <victor@inliniac.net>

Fri, 30 Mar 2012 10:43:15 +0000 (12:43 +0200)
author Victor Julien <victor@inliniac.net>
Fri, 30 Mar 2012 10:43:15 +0000 (12:43 +0200)
committer Victor Julien <victor@inliniac.net>
Fri, 30 Mar 2012 10:43:15 +0000 (12:43 +0200)
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules

index fa16921fe079edf8375e9a1a23752f30a4fb1ed0..58f7d02d281e45f836bb5e3a1a499f8f94671036 100644 (file)
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -16,6 +16,7 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 packet too small"; decode-ev
  alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated packet"; decode-event:ipv6.trunc_pkt; sid:2200013; rev:1;)
  alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; sid:2200014; rev:1;)
  alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; sid:2200015; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; sid:2200080; rev:1;)
  alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Routing extension header"; decode-event:ipv6.exthdr_dupl_rh; sid:2200016; rev:1;)
  alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop Options extension header"; decode-event:ipv6.exthdr_dupl_hh; sid:2200017; rev:1;)
  alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination Options extension header"; decode-event:ipv6.exthdr_dupl_dh; sid:2200018; rev:1;)
@@ -82,3 +83,6 @@ alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-cs
  alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:invalid; sid:2200077; rev:1;)
  alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; sid:2200078; rev:1;)
  alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; sid:2200079; rev:1;)
+
+# next sid is 2200081
+
diff --git a/src/decode-events.h b/src/decode-events.h

index bff13ae32004bc6f8dfb4f037ee973fe2bb6d9ce..237e068ebbf4309c424e4c88598b26db69e0b6de 100644 (file)
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -61,6 +61,7 @@ enum {
      IPV6_TRUNC_PKT,                 /**< truncated ipv6 packet */
      IPV6_TRUNC_EXTHDR,              /**< truncated ipv6 extension header */
      IPV6_EXTHDR_DUPL_FH,            /**< duplicated "fragment" header in ipv6 extension headers */
+    IPV6_EXTHDR_USELESS_FH,         /**< useless FH: offset 0 + no more fragments */
      IPV6_EXTHDR_DUPL_RH,            /**< duplicated "routing" header in ipv6 extension headers */
      IPV6_EXTHDR_DUPL_HH,            /**< duplicated "hop-by-hop" header in ipv6 extension headers */
      IPV6_EXTHDR_DUPL_DH,            /**< duplicated "destination" header in ipv6 extension headers */
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c

index e7c49f723d0921cbba842a4efec788a8281a854f..a3c04d0f9d0adb4d6ffcf78af141067e99a485b6 100644 (file)
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -309,6 +309,19 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
                  /* set the header ptr first */
                  IPV6_EXTHDR_SET_FH(p, pkt);
  
+                /* if FH has offset 0 and no more fragments are coming, we
+                 * parse this packet further right away, no defrag will be
+                 * needed. It is a useless FH then though, so we do set an
+                 * decoder event. */
+                if (IPV6_EXTHDR_GET_FH_FLAG(p) == 0 && IPV6_EXTHDR_GET_FH_OFFSET(p) == 0) {
+                    ENGINE_SET_EVENT(p, IPV6_EXTHDR_USELESS_FH);
+
+                    nh = *pkt;
+                    pkt += hdrextlen;
+                    plen -= hdrextlen;
+                    break;
+                }
+
                  /* the rest is parsed upon reassembly */
                  SCReturn;
  
diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h

index f6f3e77f452e6a463b498dff8b3c89568a2e4a0a..7cfc71e40034b44f0b810444106af7e5a9d1c786 100644 (file)
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -56,6 +56,7 @@ struct DetectEngineEvents_ {
      { "ipv6.trunc_pkt", IPV6_TRUNC_PKT, },
      { "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, },
      { "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, },
+    { "ipv6.exthdr_useless_fh", IPV6_EXTHDR_USELESS_FH, },
      { "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, },
      { "ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, },
      { "ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, },
author	Victor Julien <victor@inliniac.net>
	Fri, 30 Mar 2012 10:43:15 +0000 (12:43 +0200)
committer	Victor Julien <victor@inliniac.net>
	Fri, 30 Mar 2012 10:43:15 +0000 (12:43 +0200)
rules/decoder-events.rules		patch \| blob \| blame \| history
src/decode-events.h		patch \| blob \| blame \| history
src/decode-ipv6.c		patch \| blob \| blame \| history
src/detect-engine-event.h		patch \| blob \| blame \| history