From d18e52ed93e996bc0335d4a100b2ac7f12b3848d Mon Sep 17 00:00:00 2001
From: Lukas Sismis
Date: Fri, 18 Nov 2022 16:13:58 +0100
Subject: [PATCH] decode-udp: Allow shorter UDP packets than the remaining payload length

If the packet is shorter than IP payload length we no longer flag it as an invalid UDP packet. UDP packet can be therefore shorter than IP payload. Keyword "udp.hlen_invalid" became outdated as we no longer flag short UDP packets as invalid. Redmine ticket: #5693
---
 rules/decoder-events.rules | 1 -
 src/decode-udp.c | 5 -----
 src/detect-engine-event.c | 18 ++++++++++++++++++
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 61a316fbd8..026c49f694 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -67,7 +67,6 @@ alert pkthdr any any -> any any (msg:"SURICATA TCP option invalid length"; decod
 alert pkthdr any any -> any any (msg:"SURICATA TCP duplicated option"; decode-event:tcp.opt_duplicate; classtype:protocol-command-decode; sid:2200037; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA UDP packet too small"; decode-event:udp.pkt_too_small; classtype:protocol-command-decode; sid:2200038; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA UDP header length too small"; decode-event:udp.hlen_too_small; classtype:protocol-command-decode; sid:2200039; rev:2;)
-alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA SLL packet too small"; decode-event:sll.pkt_too_small; classtype:protocol-command-decode; sid:2200041; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA Ethernet packet too small"; decode-event:ethernet.pkt_too_small; classtype:protocol-command-decode; sid:2200042; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA PPP packet too small"; decode-event:ppp.pkt_too_small; classtype:protocol-command-decode; sid:2200043; rev:2;)
diff --git a/src/decode-udp.c b/src/decode-udp.c
index a1477172b9..13c665cdd8 100644
--- a/src/decode-udp.c
+++ b/src/decode-udp.c
@@ -56,11 +56,6 @@ static int DecodeUDPPacket(ThreadVars *t, Packet *p, const uint8_t *pkt, uint16_
         return -1;
     }
 
-    if (unlikely(len != UDP_GET_LEN(p))) {
-        ENGINE_SET_INVALID_EVENT(p, UDP_HLEN_INVALID);
-        return -1;
-    }
-
     SET_UDP_SRC_PORT(p,&p->sp);
     SET_UDP_DST_PORT(p,&p->dp);
 
diff --git a/src/detect-engine-event.c b/src/detect-engine-event.c
index 1c13ca39d6..9943a3b3cc 100644
--- a/src/detect-engine-event.c
+++ b/src/detect-engine-event.c
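Review bot: With the `len != UDP_GET_LEN(p)` test removed, DecodeUDPPacket no longer rejects a UDP length field that claims more data than the `len` bytes actually present; the commit message only motivates accepting UDP_GET_LEN(p) smaller than len, so the opposite direction still needs a guard. If the payload length set later in this function is derived from UDP_GET_LEN(p) (that code is outside the hunk), an oversized field lets downstream readers run past the captured data. Suggest a one-sided check in place of the removed block: `if (unlikely(len < UDP_GET_LEN(p))) { ENGINE_SET_INVALID_EVENT(p, UDP_HLEN_INVALID); return -1; }`, using whichever event the decoder keeps for this now that the rule for sid 2200040 is dropped. The rest of DecodeUDPPacket, including where payload_len is assigned, is outside the hunk.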
@@ -110,6 +110,14 @@ static int DetectEngineEventMatch (DetectEngineThreadCtx *det_ctx,
     SCReturnInt(0);
 }
 
+static bool OutdatedEvent(const char *raw)
+{
+    if (strcmp(raw, "decoder.udp.hlen_invalid") == 0) {
+        return true;
+    }
+    return false;
+}
+
 /**
  * \brief This function is used to parse decoder events options passed via decode-event: keyword
  *
@@ -161,6 +169,16 @@ static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
     if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) {
         StreamTcpReassembleConfigEnableOverlapCheck();
     }
+
+    if (OutdatedEvent(rawstr)) {
+        if (SigMatchStrictEnabled(DETECT_DECODE_EVENT)) {
+            SCLogError("decode-event keyword no longer supports event \"%s\"", rawstr);
+            goto error;
+        } else {
+            SCLogWarning("decode-event keyword no longer supports event \"%s\"", rawstr);
+        }
+    }
+
     return de;
 
 error:
-- 
2.47.2
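Review bot: OutdatedEvent compares against `"decoder.udp.hlen_invalid"` while the rule syntax dropped in rules/decoder-events.rules is `decode-event:udp.hlen_invalid`, so the helper silently relies on the caller having already added the `decoder.` prefix (presumably before DetectEngineEventParse is reached); a short comment should state that, e.g. `/* raw is the fully qualified event name, e.g. "decoder.udp.hlen_invalid" */`. The body also reduces to `return strcmp(raw, "decoder.udp.hlen_invalid") == 0;`, and a `static const char *const` table of retired names would make the next deprecation a one-line addition instead of another branch.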
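Review bot: In the non-strict branch the signature is still accepted with the outdated event, so the warning understates the effect: if the decode-udp.c hunk in this commit removed the only place UDP_HLEN_INVALID was set, a rule using it loads but can never match. The message could say so: `SCLogWarning("decode-event keyword no longer supports event \"%s\"; the rule will never match", rawstr);`. The check also runs after the event lookup and the allocation of `de`, so the strict path depends on `error:` releasing `de` — that label's body is outside the hunk. The duplicated message literal could be hoisted into one `static const char msg[]` shared by both log calls.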