From: Juliana Fajardini
Date: Wed, 4 Jun 2025 17:56:25 +0000 (-0300)
Subject: decode/ipv4: add missing ip-in-ip case handling
X-Git-Tag: suricata-8.0.0-rc1~166
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F13370%2Fhead;p=thirdparty%2Fsuricata.git
decode/ipv4: add missing ip-in-ip case handling
A flow with IPv4 IP in IP traffic won't handle this tunneling case properly. This leads to potential malicious traffic not triggering alerts, as well as other inaccuracies in the logs.
Bug #7725
---
diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c
index 0db3e3cae9..2420f9c6ac 100644
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@@ -595,6 +595,16 @@ int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
 FlowSetupPacket(p);
 break;
 }
+ case IPPROTO_IPIP: {
+ /* spawn off tunnel packet */
+ Packet *tp = PacketTunnelPktSetup(tv, dtv, p, data, data_len, DECODE_TUNNEL_IPV4);
+ if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV4);
+ PacketEnqueueNoLock(&tv->decode_pq, tp);
+ }
+ FlowSetupPacket(p);
+ break;
+ }
 case IPPROTO_IP:
 /* check PPP VJ uncompressed packets and decode tcp dummy */
 if (p->flags & PKT_PPP_VJ_UCOMP) {
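Review bot: In the new `case IPPROTO_IPIP:` block, the `tp == NULL` path goes straight to `FlowSetupPacket(p)` and nothing in this hunk records that the encapsulated packet was not queued for decoding, so a failed tunnel setup would leave the inner IPv4 traffic as invisible to detection as it was before this fix. Whether `PacketTunnelPktSetup` already raises a decoder event or counter on failure is not visible here; if it does not, one should be set in an `else` branch. Either way, a comment such as `/* tp == NULL: inner packet is not decoded or inspected; only the outer packet gets a flow */` would make the gap explicit. No test accompanies the change in this diff, so a pcap-based regression test whose rule matches only on the inner packet would pin the behaviour. `DecodeIPV4` starts and ends outside the hunk.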