ipv6: decoder event on invalid length

From RFC 2460, section 4.5,
each fragment, except the last one, must have a length
which is a multiple of 8

(cherry picked from commit ca760e305cd74933b685b1bd5be795b24a7d94a7)

diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 965c9c137f7576f059467654a85a83467d701e4a..19ae61d6c4aba05f1c0134ffd8e9f8a35d8ae45d 100644 (file)
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -106,6 +106,7 @@ alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large";
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation overlap"; decode-event:ipv4.frag_overlap; classtype:protocol-command-decode; sid:2200070; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
 
 # checksum rules
 alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; classtype:protocol-command-decode; sid:2200073; rev:2;)
@@ -149,5 +150,5 @@ alert pkthdr any any -> any any (msg:"SURICATA CHDLC packet too small"; decode-e
 
 alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)
 
-# next sid is 2200119
+# next sid is 2200120
 

diff --git a/src/decode-events.c b/src/decode-events.c
index 45006db755393fbbac8b8bd44843291229e3aed9..f96c574fa84bad7977ae8c9654d0b9de65c3449d 100644 (file)
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -452,6 +452,10 @@ const struct DecodeEvents_ DEvents[] = {
             "decoder.ipv6.frag_overlap",
             IPV6_FRAG_OVERLAP,
     },
+    {
+            "decoder.ipv6.frag_invalid_length",
+            IPV6_FRAG_INVALID_LENGTH,
+    },
     /* Fragment ignored due to internal error */
     {
             "decoder.ipv4.frag_ignored",

diff --git a/src/decode-events.h b/src/decode-events.h
index 07b3f7b0954373598e2eb161a00bdcb56719330b..886cedf3a69e9e7d09d11f4c38a3b0224c24ccd2 100644 (file)
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -166,6 +166,7 @@ enum {
     IPV6_FRAG_PKT_TOO_LARGE,
     IPV4_FRAG_OVERLAP,
     IPV6_FRAG_OVERLAP,
+    IPV6_FRAG_INVALID_LENGTH,
 
     /* Fragment ignored due to internal error */
     IPV4_FRAG_IGNORED,

diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index e953419e0f67c9c9fa3c5843210e62dbb7312c8f..fe27e471fc7bad477a3c9e49a08bd2093ef64732 100644 (file)
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -454,6 +454,12 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
                     plen -= hdrextlen;
                     break;
                 }
+                if (p->ip6eh.fh_more_frags_set != 0 && plen % 8 != 0) {
+                    // cf https://datatracker.ietf.org/doc/html/rfc2460#section-4.5
+                    // each, except possibly the last ("rightmost") one,
+                    // being an integer multiple of 8 octets long.
+                    ENGINE_SET_EVENT(p, IPV6_FRAG_INVALID_LENGTH);
+                }
 
                 /* the rest is parsed upon reassembly */
                 p->flags |= PKT_IS_FRAGMENT;