From 374947c354b8f1b8693316f5f7d83ff690ee8b9b Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 30 Mar 2012 12:43:15 +0200
Subject: [PATCH] ipv6: properly deal with packets containing a FH header that has offset 0 and no more frags flag set.

---
 rules/decoder-events.rules | 4 ++++
 src/decode-events.h | 1 +
 src/decode-ipv6.c | 13 +++++++++++++
 src/detect-engine-event.h | 1 +
 4 files changed, 19 insertions(+)

diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index fa16921fe0..58f7d02d28 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -16,6 +16,7 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 packet too small"; decode-ev
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated packet"; decode-event:ipv6.trunc_pkt; sid:2200013; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; sid:2200014; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; sid:2200015; rev:1;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; sid:2200080; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Routing extension header"; decode-event:ipv6.exthdr_dupl_rh; sid:2200016; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop Options extension header"; decode-event:ipv6.exthdr_dupl_hh; sid:2200017; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination Options extension header"; decode-event:ipv6.exthdr_dupl_dh; sid:2200018; rev:1;)
@@ -82,3 +83,6 @@ alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-cs
 alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:invalid; sid:2200077; rev:1;)
 alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; sid:2200078; rev:1;)
 alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; sid:2200079; rev:1;)
+
+# next sid is 2200081
+
diff --git a/src/decode-events.h b/src/decode-events.h
index bff13ae320..237e068ebb 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -61,6 +61,7 @@ enum {
 IPV6_TRUNC_PKT, /**< truncated ipv6 packet */
 IPV6_TRUNC_EXTHDR, /**< truncated ipv6 extension header */
 IPV6_EXTHDR_DUPL_FH, /**< duplicated "fragment" header in ipv6 extension headers */
+ IPV6_EXTHDR_USELESS_FH, /**< useless FH: offset 0 + no more fragments */
 IPV6_EXTHDR_DUPL_RH, /**< duplicated "routing" header in ipv6 extension headers */
 IPV6_EXTHDR_DUPL_HH, /**< duplicated "hop-by-hop" header in ipv6 extension headers */
 IPV6_EXTHDR_DUPL_DH, /**< duplicated "destination" header in ipv6 extension headers */
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index e7c49f723d..a3c04d0f9d 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -309,6 +309,19 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 /* set the header ptr first */
 IPV6_EXTHDR_SET_FH(p, pkt);
+ /* if FH has offset 0 and no more fragments are coming, we
+ * parse this packet further right away, no defrag will be
+ * needed. It is a useless FH then though, so we do set an
+ * decoder event. */
+ if (IPV6_EXTHDR_GET_FH_FLAG(p) == 0 && IPV6_EXTHDR_GET_FH_OFFSET(p) == 0) {
+ ENGINE_SET_EVENT(p, IPV6_EXTHDR_USELESS_FH);
+
+ nh = *pkt;
+ pkt += hdrextlen;
+ plen -= hdrextlen;
+ break;
+ }
+
 /* the rest is parsed upon reassembly */
 SCReturn;
diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h
index f6f3e77f45..7cfc71e400 100644
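Review bot: The new offset-0/M=0 branch in decode-ipv6.c parses the upper layer inline but leaves the fragment header registered by `IPV6_EXTHDR_SET_FH(p, pkt)` on the line above it, so any later hand-off to the defragmenter that keys on the FH being set will presumably still receive this packet; either that entry point must also reject offset 0 with no more-fragments, or this branch should record that no reassembly is pending, otherwise the same packet is both inspected here and queued as a fragment. This is the atomic-fragment case later codified in RFC 6946, and a target stack that still merges such a packet with other fragments sharing its Identification sees different data than what is inspected inline, which the comment should state, e.g. `/* atomic fragment (offset 0, M=0): complete on its own, parse it inline; the defragmenter must ignore it too or it is handled twice */`. The added comment's `so we do set an` should read `so we do set a`. `nh = *pkt` reads the FH's Next Header byte and relies on a length check against `hdrextlen` made earlier in this switch arm, which starts outside the hunk.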
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@@ -56,6 +56,7 @@ struct DetectEngineEvents_ {
 { "ipv6.trunc_pkt", IPV6_TRUNC_PKT, },
 { "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, },
 { "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, },
+ { "ipv6.exthdr_useless_fh", IPV6_EXTHDR_USELESS_FH, },
 { "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, },
 { "ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, },
 { "ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, },