From: Pierre Chifflier <chifflier@wzdftpd.net>
Date: Thu, 13 Dec 2018 19:30:29 +0000 (+0100)
Subject: Krb5: make TCP probing function less strict, messages can be fragmented
X-Git-Tag: suricata-4.1.1~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3eade88bd870a27a65b6c84ecb21d438490ff27c;p=thirdparty%2Fsuricata.git

Krb5: make TCP probing function less strict, messages can be fragmented
---

diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs
index 63a9b9d0e0..4d1a44f8ce 100644
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@@ -443,7 +443,8 @@ pub extern "C" fn rs_krb5_probing_parser_tcp(_flow: *const Flow, input:*const li
     if slice.len() <= 14 { return unsafe{ALPROTO_FAILED}; }
     match be_u32(slice) {
         IResult::Done(rem, record_mark) => {
-            if record_mark != rem.len() as u32 { return unsafe{ALPROTO_FAILED}; }
+            // protocol implementations forbid very large requests
+            if record_mark > 16384 { return unsafe{ALPROTO_FAILED}; }
             return rs_krb5_probing_parser(_flow, rem.as_ptr(), rem.len() as u32);
         },
         IResult::Incomplete(_) => {