]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8c19e5f)
ipv6: detect frag header reserved field non-zero
authorVictor Julien <victor@inliniac.net>
Mon, 28 Jul 2014 10:07:13 +0000 (12:07 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 6 Aug 2014 08:56:05 +0000 (10:56 +0200)
Frag Header length field is reserved, and should be set to 0.

    decode-event:ipv6.fh_non_zero_reserved_field;

rules/decoder-events.rules patch | blob | blame | history
src/decode-events.h patch | blob | blame | history
src/decode-ipv6.c patch | blob | blame | history
src/detect-engine-event.h patch | blob | blame | history

diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index e711c21e735757b6ef50f6e30ad06213b08e6d3a..0e7d2c68f64a157e4df8658c36775d51eaba73a7 100644 (file)
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -39,6 +39,8 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decod
 alert ipv6 any any -> any any (msg:"SURICATA RH Type 0"; decode-event:ipv6.rh_type_0; sid:2200093; rev:1;)
 # padN option with zero length field
 alert ipv6 any any -> any any (msg:"SURICATA zero length padN option"; decode-event:ipv6.zero_len_padn; sid:2200094; rev:1;)
+# Frag Header 'length' field is reserved and should be 0
+alert ipv6 any any -> any any (msg:"SURICATA reserved field in Frag Header not zero"; decode-event:ipv6.fh_non_zero_reserved_field; sid:2200095; rev:1;)
 alert ipv6 any any -> any any (msg:"SURICATA IPv6 with ICMPv4 header"; decode-event:ipv6.icmpv4; sid:2200090; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
@@ -110,5 +112,5 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; d
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)
 
-# next sid is 2200095
+# next sid is 2200096
 
diff --git a/src/decode-events.h b/src/decode-events.h
index 998da633e9738330f772da827cc61ad0c53f6716..8c47af1799fd540ac9f2093f94fed063d3727c09 100644 (file)
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -81,6 +81,7 @@ enum {
 
     IPV6_EXTHDR_RH_TYPE_0,          /**< RH 0 is deprecated as per rfc5095 */
     IPV6_EXTHDR_ZERO_LEN_PADN,      /**< padN w/o data (0 len) */
+    IPV6_FH_NON_ZERO_RES_FIELD,     /**< reserved field not zero */
 
     IPV6_WITH_ICMPV4,               /**< IPv6 packet with ICMPv4 header */
 
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index 95f3b9dd3e131c6f4b2d9a48125c4e9841d20c83..099a7bfbc9717be5ebd3119128a6c742501d1cef 100644 (file)
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -412,6 +412,12 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
                     SCReturn;
                 }
 
+                /* for the frag header, the length field is reserved */
+                if (*(pkt + 1) != 0) {
+                    ENGINE_SET_EVENT(p, IPV6_FH_NON_ZERO_RES_FIELD);
+                    /* non fatal, lets try to continue */
+                }
+
                 if(p->IPV6_EH_CNT<IPV6_MAX_OPT)
                 {
                     p->IPV6_EXTHDRS[p->IPV6_EH_CNT].type = nh;
diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index f4b3298c62d718106c88ed7cfea02cb4c8c30b93..8c550922532b98c617fb3b91471f937c03a44a67 100644 (file)
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -91,6 +91,7 @@ struct DetectEngineEvents_ {
     { "ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
     { "ipv6.rh_type_0", IPV6_EXTHDR_RH_TYPE_0, },
     { "ipv6.zero_len_padn", IPV6_EXTHDR_ZERO_LEN_PADN, },
+    { "ipv6.fh_non_zero_reserved_field", IPV6_FH_NON_ZERO_RES_FIELD, },
     { "ipv6.icmpv4", IPV6_WITH_ICMPV4, },
 
     /* TCP EVENTS */
Mirror of https://github.com/OISF/suricata.git