From: Samaresh Kumar Singh Date: Sat, 9 May 2026 13:54:15 +0000 (-0500) Subject: dhcp: verify option 52 overload parsing X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=4cc100e351fcb01774d4c44bbb3330ee9b19ca15;p=thirdparty%2Fsuricata-verify.git dhcp: verify option 52 overload parsing Add a verification test that runs Suricata over a pcap where the server places dns_servers, routers and a domain inside the BOOTP sname continuation area while flagging Option Overload (52) value 2 in the standard options block. The test asserts that the EVE DHCP events for both the OFFER and the ACK now expose those overloaded values and that the parallel non overloaded flow in the same capture still reports its inline values. Bug: #8538.
---
diff --git a/tests/dhcp-option-52-overload/input.pcap b/tests/dhcp-option-52-overload/input.pcap
new file mode 100755
index 000000000..773edcdd8
Binary files /dev/null and b/tests/dhcp-option-52-overload/input.pcap differ
diff --git a/tests/dhcp-option-52-overload/suricata.yaml b/tests/dhcp-option-52-overload/suricata.yaml
new file mode 100644
index 000000000..055b4d3aa
--- /dev/null
+++ b/tests/dhcp-option-52-overload/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ filename: eve.json
+ types:
+ - dhcp:
+ extended: true
+ - flow
+
+app-layer:
+ protocols:
+ dhcp:
+ enabled: yes
diff --git a/tests/dhcp-option-52-overload/test.yaml b/tests/dhcp-option-52-overload/test.yaml
new file mode 100644
index 000000000..f35660f84
--- /dev/null
+++ b/tests/dhcp-option-52-overload/test.yaml
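Review bot: The `- flow` entry under `types:` in suricata.yaml enables flow records that none of the four checks in test.yaml read, so the test writes output it never verifies. Either drop the entry or add a check on `event_type: flow` so the two DHCP flows in the capture are pinned as well. The file also spells its booleans two ways (`enabled: true` for eve-log, `enabled: yes` for the dhcp protocol); using one spelling throughout makes the config easier to scan, assuming the loader accepts both, which this page does not show.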
@@ -0,0 +1,45 @@
+requires:
+ min-version: 9.0.0
+
+checks:
+# Packet 4 is a DHCP OFFER carrying Option Overload (52) value 2, which
+# means the BOOTP sname field holds extra options. The fix exposes
+# dns_servers and routers parsed out of sname.
+- filter:
+ count: 1
+ match:
+ event_type: dhcp
+ pcap_cnt: 4
+ dhcp.dhcp_type: offer
+ dhcp.dns_servers[0]: 10.100.0.2
+ dhcp.routers[0]: 10.100.0.2
+
+# Packet 7 is a DHCP ACK with the same overloaded sname options.
+- filter:
+ count: 1
+ match:
+ event_type: dhcp
+ pcap_cnt: 7
+ dhcp.dhcp_type: ack
+ dhcp.dns_servers[0]: 10.100.0.2
+ dhcp.routers[0]: 10.100.0.2
+
+# Sanity check that the parallel non-overloaded OFFER and ACK in the
+# same pcap still surface their inline option values unchanged.
+- filter:
+ count: 1
+ match:
+ event_type: dhcp
+ pcap_cnt: 3
+ dhcp.dhcp_type: offer
+ dhcp.dns_servers[0]: 10.100.0.1
+ dhcp.routers[0]: 10.100.0.1
+
+- filter:
+ count: 1
+ match:
+ event_type: dhcp
+ pcap_cnt: 8
+ dhcp.dhcp_type: ack
+ dhcp.dns_servers[0]: 10.100.0.1
+ dhcp.routers[0]: 10.100.0.1
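Review bot: The checks for packets 4 and 7 assert only `dhcp.dns_servers[0]` and `dhcp.routers[0]`, although the commit message says the server also places a domain in sname; if the EVE DHCP record carries that option, it should be asserted here too. Coverage is also limited to overload value 2, so options carried in the BOOTP file field (value 1) or in both fields (value 3) remain unverified. Because sname is a fixed-size field filled by the remote server, a capture whose overloaded option length runs past the end of that field would make a useful negative case, confirming the event is still logged without the bogus values. At minimum I would record the gap above the first filter: `# Covers overload value 2 (sname) only; values 1 (file) and 3 (both) and truncated sname options need their own pcaps.`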