From: Victor Julien <victor@inliniac.net>
Date: Wed, 16 Dec 2015 09:45:05 +0000 (+0100)
Subject: icmpv4: improve dest unreachable logic
X-Git-Tag: suricata-3.0RC3~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe445367bda6da335eddd6d320b48e01493af94d;p=thirdparty%2Fsuricata.git

icmpv4: improve dest unreachable logic

When a ICMPv4 destination unreachable packet contains an embedded packet
this packet is parsed. When it's found to be invalid, the whole ICMP
packet is tagged as invalid.

In some cases the unreachable packet would still be used.

This patch fixes this by checking the packet is invalid flag as well
in the ICMPV4_DEST_UNREACH_IS_VALID macro.
---

diff --git a/src/decode-icmpv4.h b/src/decode-icmpv4.h
index f8cb97f4f0..02184dfd34 100644
--- a/src/decode-icmpv4.h
+++ b/src/decode-icmpv4.h
@@ -259,7 +259,9 @@ typedef struct ICMPV4Vars_
  *
  *  \warning use only _after_ the decoder has processed the packet
  */
-#define ICMPV4_DEST_UNREACH_IS_VALID(p) (((p)->icmpv4h != NULL) && \
+#define ICMPV4_DEST_UNREACH_IS_VALID(p) ( \
+    (!((p)->flags & PKT_IS_INVALID)) && \
+    ((p)->icmpv4h != NULL) && \
     (ICMPV4_GET_TYPE((p)) == ICMP_DEST_UNREACH) && \
     (ICMPV4_GET_EMB_IPV4((p)) != NULL) && \
     ((ICMPV4_GET_EMB_TCP((p)) != NULL) || \