defrag: fix reconstruction

This patch is fixing an issue in defragmentation code. The
insertion of a fragment in the list of fragments is done with
respect to the offset of the fragment. But the code was using
the original offset of the fragment and not the one of the
new reconstructed fragment (which can be different in the
case of overlapping segment where the left part is trimmed).

This case could lead to some evasion techniques by causing
Suricata to analyse a different payload.

diff --git a/src/defrag.c b/src/defrag.c
index bd2c6e854b80bd57b6c1a6f5f2cf5316289ee712..f72435373b2be81a7d20b473372e0a6cd5717955 100644 (file)
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -697,7 +697,7 @@ insert:
 
     Frag *frag;
     TAILQ_FOREACH(frag, &tracker->frags, next) {
-        if (frag_offset < frag->offset)
+        if (new->offset < frag->offset)
             break;
     }
     if (frag == NULL) {