From: Michael Altizer (mialtize) Date: Tue, 9 Mar 2021 21:49:57 +0000 (+0000) Subject: Merge pull request #2784 in SNORT/snort3 from ~MIALTIZE/snort3:frag_off to master X-Git-Tag: 3.1.2.0~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea808d592a0381b564ba626acfe8e3625af3f15d;p=thirdparty%2Fsnort3.git Merge pull request #2784 in SNORT/snort3 from ~MIALTIZE/snort3:frag_off to master Squashed commit of the following: commit 764273f3debc314962f1f935e5127cdd679fb5ed Author: Michael Altizer Date: Tue Mar 9 13:27:53 2021 -0500 ipv4: Correct the calculation for illegal fragment offset checks
---
diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc
index 2d69f470c..a87263a20 100644
--- a/src/codecs/ip/cd_ipv4.cc
+++ b/src/codecs/ip/cd_ipv4.cc
@@ -308,15 +308,15 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 /* mask off the high bits in the fragment offset field */
 frag_off &= 0x1FFF;
- // to get the real frag_off, we need to multiply by 8. However, since
- // the actual frag_off is never used, we can comment this out
-// frag_off = frag_off << 3;
-
- if ( (codec.codec_flags & CODEC_DF) && frag_off )
- codec_event(codec, DECODE_IP4_DF_OFFSET);
+ if ( frag_off )
+ {
+ if ( codec.codec_flags & CODEC_DF )
+ codec_event(codec, DECODE_IP4_DF_OFFSET);
- if ( frag_off + ip_len > IP_MAXPACKET )
- codec_event(codec, DECODE_IP4_LEN_OFFSET);
+ // to get the real fragment offset, we need to multiply by 8
+ if ( (frag_off << 3) + ip_len > IP_MAXPACKET )
+ codec_event(codec, DECODE_IP4_LEN_OFFSET);
+ }
 if ( frag_off || (snort.decode_flags & DECODE_MF))
 {
@@ -327,9 +327,7 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 snort.decode_flags |= DECODE_FRAG;
 }
 else
- {
 snort.decode_flags &= ~DECODE_FRAG;
- }
 if ( (snort.decode_flags & DECODE_MF) && (codec.codec_flags & CODEC_DF))
 codec_event(codec, DECODE_BAD_FRAGBITS);
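Review bot: The corrected bound `(frag_off << 3) + ip_len > IP_MAXPACKET` in the first hunk is only right if the sum is evaluated in a type wider than 16 bits, and the declarations of `frag_off` and `ip_len` sit above the hunk, so that cannot be confirmed from here. If both are 16-bit, integer promotion makes it work (the largest sum is 0xFFF8 + 0xFFFF), but this is the check that flags fragments whose end would pass the 65535-byte datagram limit, so the width is worth making explicit: `if ( (static_cast<uint32_t>(frag_off) << 3) + ip_len > IP_MAXPACKET )`. The new comment could also state the unit, e.g. `// offset field counts 8-byte units; convert to bytes before adding the length`. No test accompanies the fix; a case on each side of the limit would keep the old under-count from coming back unnoticed. `Ipv4Codec::decode` starts and ends outside the hunk.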