decode-udp: Allow shorter UDP packets than the remaining payload length

author Lukas Sismis <lsismis@oisf.net>

Fri, 18 Nov 2022 15:13:58 +0000 (16:13 +0100)

committer Victor Julien <vjulien@oisf.net>

Thu, 26 Jan 2023 05:59:14 +0000 (06:59 +0100)
author Lukas Sismis <lsismis@oisf.net>
Fri, 18 Nov 2022 15:13:58 +0000 (16:13 +0100)
committer Victor Julien <vjulien@oisf.net>
Thu, 26 Jan 2023 05:59:14 +0000 (06:59 +0100)
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules

index 61a316fbd86e05d2b591343ef11808e662d3a512..026c49f694132c6524f52c10ca02f9358e933a5e 100644 (file)
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -67,7 +67,6 @@ alert pkthdr any any -> any any (msg:"SURICATA TCP option invalid length"; decod
  alert pkthdr any any -> any any (msg:"SURICATA TCP duplicated option"; decode-event:tcp.opt_duplicate; classtype:protocol-command-decode; sid:2200037; rev:2;)
  alert pkthdr any any -> any any (msg:"SURICATA UDP packet too small"; decode-event:udp.pkt_too_small; classtype:protocol-command-decode; sid:2200038; rev:2;)
  alert pkthdr any any -> any any (msg:"SURICATA UDP header length too small"; decode-event:udp.hlen_too_small; classtype:protocol-command-decode; sid:2200039; rev:2;)
-alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)
  alert pkthdr any any -> any any (msg:"SURICATA SLL packet too small"; decode-event:sll.pkt_too_small; classtype:protocol-command-decode; sid:2200041; rev:2;)
  alert pkthdr any any -> any any (msg:"SURICATA Ethernet packet too small"; decode-event:ethernet.pkt_too_small; classtype:protocol-command-decode; sid:2200042; rev:2;)
  alert pkthdr any any -> any any (msg:"SURICATA PPP packet too small"; decode-event:ppp.pkt_too_small; classtype:protocol-command-decode; sid:2200043; rev:2;)
diff --git a/src/decode-udp.c b/src/decode-udp.c

index a1477172b9a7b0083d5414d0d0d48a2da985e7e8..13c665cdd8504b4f171fdc58c6becd25a01009d8 100644 (file)
--- a/src/decode-udp.c
+++ b/src/decode-udp.c
@@ -56,11 +56,6 @@ static int DecodeUDPPacket(ThreadVars *t, Packet *p, const uint8_t *pkt, uint16_
          return -1;
      }
  
-    if (unlikely(len != UDP_GET_LEN(p))) {
-        ENGINE_SET_INVALID_EVENT(p, UDP_HLEN_INVALID);
-        return -1;
-    }
-
      SET_UDP_SRC_PORT(p,&p->sp);
      SET_UDP_DST_PORT(p,&p->dp);
  
diff --git a/src/detect-engine-event.c b/src/detect-engine-event.c

index 1c13ca39d6299a9aefe8729edb76425011545750..9943a3b3cc4a5641c08a9a8d921f0101c586160f 100644 (file)
--- a/src/detect-engine-event.c
+++ b/src/detect-engine-event.c
@@ -110,6 +110,14 @@ static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
      SCReturnInt(0);
  }
  
+static bool OutdatedEvent(const char *raw)
+{
+    if (strcmp(raw, "decoder.udp.hlen_invalid") == 0) {
+        return true;
+    }
+    return false;
+}
+
  /**
   * \brief This function is used to parse decoder events options passed via decode-event: keyword
   *
@@ -161,6 +169,16 @@ static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
      if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) {
          StreamTcpReassembleConfigEnableOverlapCheck();
      }
+
+    if (OutdatedEvent(rawstr)) {
+        if (SigMatchStrictEnabled(DETECT_DECODE_EVENT)) {
+            SCLogError("decode-event keyword no longer supports event \"%s\"", rawstr);
+            goto error;
+        } else {
+            SCLogWarning("decode-event keyword no longer supports event \"%s\"", rawstr);
+        }
+    }
+
      return de;
  
  error:
author	Lukas Sismis <lsismis@oisf.net>
	Fri, 18 Nov 2022 15:13:58 +0000 (16:13 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Thu, 26 Jan 2023 05:59:14 +0000 (06:59 +0100)
rules/decoder-events.rules		patch \| blob \| blame \| history
src/decode-udp.c		patch \| blob \| blame \| history
src/detect-engine-event.c		patch \| blob \| blame \| history