From: Sascha Steinbiss Date: Thu, 22 Sep 2022 13:13:05 +0000 (+0200) Subject: decode-ipv4: adjust validation to RFC X-Git-Tag: suricata-7.0.0-beta1~153 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8438ee48aad01e9204a8c07ac3a85f5719f09fc1;p=thirdparty%2Fsuricata.git decode-ipv4: adjust validation to RFC RFC1108 only specifies a minimum field length of 3, not a fixed length of 11.
---
diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c
index 71c41d5a96..2c3d781de4 100644
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@@ -67,7 +67,7 @@ static int IPV4OptValidateGeneric(Packet *p, const IPV4Opt *o)
 /* See: RFC 1108 */
 case IPV4_OPT_SEC:
 case IPV4_OPT_ESEC:
- if (o->len != IPV4_OPT_SEC_LEN) {
+ if (unlikely(o->len < IPV4_OPT_SEC_MIN)) {
 ENGINE_SET_INVALID_EVENT(p, IPV4_OPT_INVALID_LEN);
 return -1;
 }
@@ -907,10 +907,8 @@ static int DecodeIPV4OptionsSECTest01(void)
 /** \test IPV4 with SEC option (invalid length). */
 static int DecodeIPV4OptionsSECTest02(void)
 {
- uint8_t raw_opts[] = {
- IPV4_OPT_SEC, 0x0a, 0xf1, 0x35, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- };
+ uint8_t raw_opts[] = { IPV4_OPT_SEC, 0x02, 0xf1, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00 };
 Packet *p = PacketGetFromAlloc();
 FAIL_IF(unlikely(p == NULL));
diff --git a/src/decode-ipv4.h b/src/decode-ipv4.h
index 3b20eb8fc7..6d69634798 100644
--- a/src/decode-ipv4.h
+++ b/src/decode-ipv4.h
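Review bot: The new condition on the `+` line enforces only the RFC 1108 lower bound, so every `o->len` from 3 upward is now accepted for SEC and ESEC; that is correct for a variable-length option only if the caller has already bounded `o->len` against the bytes remaining in the options area, which this hunk does not show — IPV4OptValidateGeneric starts and ends outside it, so the upper bound is worth confirming there. With the fixed-length guard gone, any later code that indexes into the SEC/ESEC option body by a fixed offset would need its own length check rather than relying on this one. The comment above the cases could state why the bound is now a minimum: `/* See: RFC 1108 — BSO/ESO are variable length, minimum 3 (type, length, first data byte) */`.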
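Review bot: The rewritten vector on the `+` lines exercises only the new lower bound (length byte 0x02, below IPV4_OPT_SEC_MIN), while the length the old check rejected and the new check accepts, 0x0a, is no longer covered anywhere in this diff; a companion test that feeds `IPV4_OPT_SEC, 0x0a, ...` and asserts that IPV4_OPT_INVALID_LEN is not set would pin the RFC 1108 relaxation the commit message describes. The rest of DecodeIPV4OptionsSECTest02 — the decode call and the event assertion — lies outside the hunk, so the exact expectation it checks cannot be confirmed from here. The `\test` comment on the context line could also name the bound under test, e.g. `/** \test IPV4 with SEC option (length below RFC 1108 minimum). */`.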
@@ -44,11 +44,11 @@
 #define IPV4_OPT_RTRALT 0x94 /**< Option: Router Alert */
 /** IP Option Lengths (fixed) */
-#define IPV4_OPT_SEC_LEN 11 /**< SEC Option Fixed Length */
 #define IPV4_OPT_SID_LEN 4 /**< SID Option Fixed Length */
 #define IPV4_OPT_RTRALT_LEN 4 /**< RTRALT Option Fixed Length */
 /** IP Option Lengths (variable) */
+#define IPV4_OPT_SEC_MIN 3 /**< SEC, ESEC Option Min Length */
 #define IPV4_OPT_ROUTE_MIN 3 /**< RR, SRR, LTRR Option Min Length */
 #define IPV4_OPT_QS_MIN 8 /**< QS Option Min Length */
 #define IPV4_OPT_TS_MIN 5 /**< TS Option Min Length */
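Review bot: `IPV4_OPT_SEC_LEN` is dropped from the public header on the `-` line rather than kept alongside the new minimum; the diff updates only the single use in decode-ipv4.c, so any other translation unit or out-of-tree code that still references the old macro would presumably fail to compile — worth a search before merge. The new define's comment could cite the RFC that fixes the bound, matching the `/* See: RFC 1108 */` comment in the validator: `#define IPV4_OPT_SEC_MIN 3 /**< SEC, ESEC Option Min Length (RFC 1108) */`.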