From: Philippe Antoine Date: Mon, 19 Jul 2021 15:31:32 +0000 (+0200) Subject: ipv6: decoder event on invalid length X-Git-Tag: suricata-5.0.8~51 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87001775bb5cce0ce48e1cb8ed7d2fafcbc467ff;p=thirdparty%2Fsuricata.git ipv6: decoder event on invalid length From RFC 2460, section 4.5, each fragment, except the last one, must have a length which is a multiple of 8 (cherry picked from commit ca760e305cd74933b685b1bd5be795b24a7d94a7)
---
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 515e93325d..362bd62e4a 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -104,6 +104,7 @@ alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large";
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation overlap"; decode-event:ipv4.frag_overlap; classtype:protocol-command-decode; sid:2200070; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
 # checksum rules
 alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; classtype:protocol-command-decode; sid:2200073; rev:2;)
@@ -145,4 +146,4 @@ alert pkthdr any any -> any any (msg:"SURICATA DCE packet too small"; decode-eve
 alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)
-# next sid is 2200117
+# next sid is 2200120
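Review bot: The new rule takes sid 2200119 although the marker being replaced says `# next sid is 2200117`, so 2200117 and 2200118 are left unused on this branch; presumably they belong to events on the branch this was cherry-picked from, and picking 2200119 keeps the two trees from colliding. That reasoning is invisible to the next person backporting a rule, who will see a gap and may fill it. Extending the marker, e.g. `# next sid is 2200120 (2200117-2200118 reserved for events not backported to this branch)`, would record it. The same marker is the only place this can be documented, since the rules file carries no other changelog.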
diff --git a/src/decode-events.c b/src/decode-events.c
index a900bc3b15..0a9cfab962 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -153,10 +153,26 @@ const struct DecodeEvents_ DEvents[] = {
 { "decoder.sctp.pkt_too_small", SCTP_PKT_TOO_SMALL, },
 /* Fragmentation reasembly events. */
- { "decoder.ipv4.frag_pkt_too_large", IPV4_FRAG_PKT_TOO_LARGE, },
- { "decoder.ipv6.frag_pkt_too_large", IPV6_FRAG_PKT_TOO_LARGE, },
- { "decoder.ipv4.frag_overlap", IPV4_FRAG_OVERLAP, },
- { "decoder.ipv6.frag_overlap", IPV6_FRAG_OVERLAP, },
+ {
+ "decoder.ipv4.frag_pkt_too_large",
+ IPV4_FRAG_PKT_TOO_LARGE,
+ },
+ {
+ "decoder.ipv6.frag_pkt_too_large",
+ IPV6_FRAG_PKT_TOO_LARGE,
+ },
+ {
+ "decoder.ipv4.frag_overlap",
+ IPV4_FRAG_OVERLAP,
+ },
+ {
+ "decoder.ipv6.frag_overlap",
+ IPV6_FRAG_OVERLAP,
+ },
+ {
+ "decoder.ipv6.frag_invalid_length",
+ IPV6_FRAG_INVALID_LENGTH,
+ },
 /* Fragment ignored due to internal error */
 { "decoder.ipv4.frag_ignored", IPV4_FRAG_IGNORED, },
 { "decoder.ipv6.frag_ignored", IPV6_FRAG_IGNORED, },
diff --git a/src/decode-events.h b/src/decode-events.h
index 088453315b..329860ffce 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -162,6 +162,7 @@ enum {
 IPV6_FRAG_PKT_TOO_LARGE,
 IPV4_FRAG_OVERLAP,
 IPV6_FRAG_OVERLAP,
+ IPV6_FRAG_INVALID_LENGTH,
 /* Fragment ignored due to internal error */
 IPV4_FRAG_IGNORED,
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index 8ddce2e10a..0f1243aab8 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -459,6 +459,12 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
 plen -= hdrextlen;
 break;
 }
+ if (p->ip6eh.fh_more_frags_set != 0 && plen % 8 != 0) {
+ // cf https://datatracker.ietf.org/doc/html/rfc2460#section-4.5
+ // each, except possibly the last ("rightmost") one,
+ // being an integer multiple of 8 octets long.
+ ENGINE_SET_EVENT(p, IPV6_FRAG_INVALID_LENGTH);
+ }
 /* the rest is parsed upon reassembly */
 p->flags |= PKT_IS_FRAGMENT;
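Review bot: The only functional change in this hunk is the single new `decoder.ipv6.frag_invalid_length` entry, yet four unchanged entries are reflowed from one line into four, so a stable-branch backport carries twenty added lines for one event and the reflowed entries no longer match the neighbouring `frag_ignored` ones, which stay on a single line. Keeping the existing entries as they were and adding `{ "decoder.ipv6.frag_invalid_length", IPV6_FRAG_INVALID_LENGTH, },` in the same one-line form would make the backport review a one-line diff and keep the table visually consistent. The "reasembly" typo in the context comment is pre-existing and not part of this change. The DEvents array opens before the hunk and continues after it.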
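Review bot: Inserting `IPV6_FRAG_INVALID_LENGTH` in the middle of the enum renumbers every enumerator after it, starting with `IPV4_FRAG_IGNORED`; that is harmless only if nothing persists, exports or compares the raw numeric values, which appears to be the case here since the companion hunk maps events by name through the DEvents table, but it deserves a check on a stable branch where third-party code may have been built against the old numbering. Appending the new constant at the end of the enum would avoid the question entirely at no cost. The enum is opened and closed outside the hunk, so its tail is not visible here.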
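Review bot: The `plen % 8 != 0` test on the new `if` line is evaluated while `plen` apparently still covers the fragment header itself — the branch just above ends with `plen -= hdrextlen; break;`, so on this path the subtraction has not yet happened — and the check is only equivalent to testing the fragment payload because the IPv6 fragment header is exactly 8 octets; a refactor that moves the subtraction above this check would silently keep working, one that changes what `plen` measures would not. A comment before the `if`, e.g. `/* plen still includes the 8-byte fragment header; 8 % 8 == 0, so this tests the fragment payload length */`, pins that assumption. The reference could also cite RFC 8200 section 4.5, which obsoletes RFC 2460 and states the same multiple-of-8 requirement. Because the event is raised with `ENGINE_SET_EVENT` rather than the invalid variant, the packet still gets `PKT_IS_FRAGMENT` and goes to reassembly; a short note that this is alert-only by design would save the next reader from wondering whether a drop was intended. DecodeIPV6ExtHdrs starts and ends outside the hunk.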