In case of fragments, don't consider ports. Bug #847.
authorVictor Julien <victor@inliniac.net>
Tue, 16 Jul 2013 13:03:07 +0000 (15:03 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 16 Jul 2013 13:03:07 +0000 (15:03 +0200)
src/decode-ipv4.c
src/decode-ipv6.c
src/decode.h
src/detect-engine-iponly.c
src/detect.c

index c4dcd67bb6e89b0f8c75766c938e4873e4573d8d..76bed8e863e906e4490b0081b1750e119a2b875e 100644 (file)
@@ -525,6 +525,7 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
         p->ip4h = NULL;
         return;
     }
+    p->proto = IPV4_GET_IPPROTO(p);
 
     /* If a fragment, pass off for re-assembly. */
     if (unlikely(IPV4_GET_IPOFFSET(p) > 0 || IPV4_GET_MF(p) == 1)) {
@@ -534,6 +535,7 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
             DecodeIPV4(tv, dtv, rp, (void *)rp->ip4h, IPV4_GET_IPLEN(rp), pq);
             PacketEnqueue(pq, rp);
         }
+        p->flags |= PKT_IS_FRAGMENT;
         return;
     }
 
@@ -599,9 +601,6 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
                           IPV4_GET_IPLEN(p) -  IPV4_GET_HLEN(p), pq);
             }
             break;
-        default:
-            p->proto = IPV4_GET_IPPROTO(p);
-            break;
     }
 
     return;
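Review bot: Moving `p->proto = IPV4_GET_IPPROTO(p);` above the fragment early-return means every fragment now leaves DecodeIPV4 with an L4 protocol set but no decoded L4 header, because the protocol switch in the third hunk is never reached on the fragment path; the new port guards in detect.c and detect-engine-iponly.c cover the port lookups, but any other consumer that tests `p->proto == IPPROTO_TCP` before touching `p->tcph` (not visible here) presumably needs the same `PKT_IS_FRAGMENT` check. A comment on the moved line would keep the next maintainer from folding it back into the switch: `/* set before the fragment check: fragments carry the L4 proto but no decoded L4 header */`. Note that first fragments (offset 0 with MF set) are flagged like any other fragment by the condition on the line below, so port-restricted rules see their payload only via the reassembled packet. DecodeIPV4's body starts before and continues beyond these hunks.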
index f0f0c64c59bc10ce3b5442c338db10e03c7619e8..9c2093f57f6d46860362980c1d994f8dffff976f 100644 (file)
@@ -402,6 +402,7 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
                 }
 
                 /* the rest is parsed upon reassembly */
+                p->flags |= PKT_IS_FRAGMENT;
                 SCReturn;
 
             case IPPROTO_ESP:
@@ -583,9 +584,10 @@ void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
             ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
             break;
         default:
-            p->proto = IPV6_GET_NH(p);
+            IPV6_SET_L4PROTO (p, IPV6_GET_NH(p));
             break;
     }
+    p->proto = IPV6_GET_L4PROTO (p);
 
     /* Pass to defragger if a fragment. */
     if (IPV6_EXTHDR_ISSET_FH(p)) {
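Review bot: The new `p->proto = IPV6_GET_L4PROTO (p);` after the switch is also what fragments get, since the fragment case in DecodeIPV6ExtHdrs now just sets `PKT_IS_FRAGMENT` and returns; whatever stores the L4 proto for that case lies outside the hunk, so it is worth confirming it runs before `SCReturn`, otherwise fragments would carry a stale or zero `p->proto` and the flag alone would not keep protocol-specific matching consistent with the IPv4 side. Having one assignment after the switch instead of a direct write in `default:` is a good consolidation; a comment on it would make the contract explicit: `/* single point where p->proto is set; for fragments ports are not decoded (PKT_IS_FRAGMENT) */`. Minor style point: `IPV6_SET_L4PROTO (p, ...)` and `IPV6_GET_L4PROTO (p)` carry a space before the parenthesis that `IPV6_GET_NH(p)` on the neighbouring lines does not. DecodeIPV6 continues past the end of this hunk.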
index b9cccd71ac28a9a64b16538fadd6f9c68dd65367..e5d74028ec4c11111a8da08f8b247699f37d15a6 100644 (file)
@@ -903,6 +903,8 @@ void AddressDebugPrint(Address *);
 #define PKT_HOST_SRC_LOOKED_UP          (1<<17)
 #define PKT_HOST_DST_LOOKED_UP          (1<<18)
 
+#define PKT_IS_FRAGMENT                 (1<<19)     /**< Packet is a fragment */
+
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) ((p)->flags & PKT_PSEUDO_STREAM_END)
 
index e9c41087bafb2bd681cca099743dcaa4b6c7982d..c7f88d26a8b8dcb1022a4d522fbf51abc618807e 100644 (file)
@@ -1038,6 +1038,9 @@ void IPOnlyMatchPacket(ThreadVars *tv,
                     /* check the source & dst port in the sig */
                     if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
                         if (!(s->flags & SIG_FLAG_DP_ANY)) {
+                            if (p->flags & PKT_IS_FRAGMENT)
+                                continue;
+
                             DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
                             if (dport == NULL) {
                                 SCLogDebug("dport didn't match.");
@@ -1045,6 +1048,9 @@ void IPOnlyMatchPacket(ThreadVars *tv,
                             }
                         }
                         if (!(s->flags & SIG_FLAG_SP_ANY)) {
+                            if (p->flags & PKT_IS_FRAGMENT)
+                                continue;
+
                             DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
                             if (sport == NULL) {
                                 SCLogDebug("sport didn't match.");
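Review bot: The fragment guard is written twice, once inside the `SIG_FLAG_DP_ANY` branch and again inside the `SIG_FLAG_SP_ANY` branch, and the same duplication appears in the two detect.c hunks (with `goto next`); a single check before both branches states the rule once: `if ((p->flags & PKT_IS_FRAGMENT) && (!(s->flags & SIG_FLAG_DP_ANY) || !(s->flags & SIG_FLAG_SP_ANY)))` followed by `continue;`. Unlike the surrounding non-match paths, the new skip emits no `SCLogDebug`, so a signature silently not firing on a fragment is hard to trace; `SCLogDebug("fragment, port match not possible");` before the `continue` would match the existing style. The loop that `continue` belongs to and IPOnlyMatchPacket's boundaries are outside the hunk.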
index c9a1b45d21a22e2d524896abf4ac85f1eb4efec7..8eb1a2325c24c283f6db1e5190b418973335d785 100644 (file)
@@ -1501,6 +1501,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
         /* check the source & dst port in the sig */
         if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
             if (!(s->flags & SIG_FLAG_DP_ANY)) {
+                if (p->flags & PKT_IS_FRAGMENT)
+                    goto next;
                 DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
                 if (dport == NULL) {
                     SCLogDebug("dport didn't match.");
@@ -1508,6 +1510,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                 }
             }
             if (!(s->flags & SIG_FLAG_SP_ANY)) {
+                if (p->flags & PKT_IS_FRAGMENT)
+                    goto next;
                 DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
                 if (sport == NULL) {
                     SCLogDebug("sport didn't match.");