decode-udp: Allow shorter UDP packets than the remaining payload length
authorLukas Sismis <lsismis@oisf.net>
Fri, 27 Jan 2023 11:34:37 +0000 (12:34 +0100)
committerVictor Julien <vjulien@oisf.net>
Mon, 30 Jan 2023 12:48:11 +0000 (13:48 +0100)
If the packet is shorter than the IP payload length, we no longer flag it as an
invalid UDP packet. A UDP packet can therefore be shorter than the IP payload.
Keyword "udp.hlen_invalid" became outdated as we no longer flag short UDP
packets as invalid. The keyword's evaluation remains the same.

Inspired by commit: d18e52ed93e996bc0335d4a100b2ac7f12b3848d

Redmine ticket: #5793

src/decode-udp.c
src/detect-engine-event.c

index a1477172b9a7b0083d5414d0d0d48a2da985e7e8..2464364e64602090f49d01f8282bfb5c60b2c1dd 100644 (file)
@@ -57,8 +57,8 @@ static int DecodeUDPPacket(ThreadVars *t, Packet *p, const uint8_t *pkt, uint16_
     }
 
     if (unlikely(len != UDP_GET_LEN(p))) {
+        // packet can still be valid, keeping for consistency with decoder.udp.hlen_invalid event
         ENGINE_SET_INVALID_EVENT(p, UDP_HLEN_INVALID);
-        return -1;
     }
 
     SET_UDP_SRC_PORT(p,&p->sp);
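Review bot: With `return -1` removed, a datagram whose UDP length field differs from `len` now falls through to the port and payload setup after this check, and nothing visible in the hunk bounds the length field from below. If the code past the hunk takes the payload from `len`, bytes beyond the UDP-declared length are inspected as payload; if it takes it from `UDP_GET_LEN(p)`, a field smaller than the UDP header makes the subtraction wrap. I would keep a hard reject for the latter, `if (unlikely(UDP_GET_LEN(p) < UDP_HEADER_LEN)) return -1;` (with its event set first), and have the comment state which length bounds the payload. The event is also still raised through `ENGINE_SET_INVALID_EVENT`, which by its name marks the packet invalid and so contradicts both the new comment and the commit message; `ENGINE_SET_EVENT(p, UDP_HLEN_INVALID);` looks like the intended call, to be confirmed against the macro definitions. DecodeUDPPacket starts and ends outside the hunk.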
index 1f9fc2a8ba13e95fbb7ef07511d4485b159b3f35..029a71f06a41593db2e31ec1cd807203dd9697db 100644 (file)
@@ -110,6 +110,14 @@ static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
     SCReturnInt(0);
 }
 
+static bool OutdatedEvent(const char *raw)
+{
+    if (strcmp(raw, "decoder.udp.hlen_invalid") == 0) {
+        return true;
+    }
+    return false;
+}
+
 /**
  * \brief This function is used to parse decoder events options passed via decode-event: keyword
  *
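Review bot: `OutdatedEvent` is added without a doc comment, although the function directly below it uses the file's Doxygen `\brief` form. I would add `/** \brief Returns true for decode-event names that are still accepted but considered outdated. */` above it, so the next name added to the list lands in a documented place. The body can also be written as the single statement `return strcmp(raw, "decoder.udp.hlen_invalid") == 0;`, which reads more directly than the if/return pair.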
@@ -163,6 +171,12 @@ static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
     if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) {
         StreamTcpReassembleConfigEnableOverlapCheck();
     }
+
+    if (OutdatedEvent(rawstr)) {
+        SCLogWarning(
+                SC_WARN_DEPRECATED, "decode-event keyword no longer supports event \"%s\"", rawstr);
+    }
+
     return de;
 
 error:
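Review bot: The warning says the keyword "no longer supports" the event, but the commit description states that the keyword's evaluation is unchanged and the decoder hunk still raises UDP_HLEN_INVALID, so a rule author reading the log would wrongly conclude that the rule can no longer match. I would word it after what actually changed, for example `"decode-event \"%s\" is outdated: the decoder no longer rejects the packet on this condition"`. `OutdatedEvent(rawstr)` also compares the raw option string exactly; if the event lookup earlier in DetectEngineEventParse trims or case-folds the name (not visible here), spellings that still resolve to the event would skip the warning, so the check is safer against `de->event`. DetectEngineEventParse starts and ends outside the hunk.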