ipv6: properly deal with packets containing a FH header that has offset 0 and no more frags flag set.

remotes/origin/HEAD
Victor Julien 13 years ago
parent 92e7a7d254
commit 374947c354

@ -16,6 +16,7 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 packet too small"; decode-ev
alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated packet"; decode-event:ipv6.trunc_pkt; sid:2200013; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; sid:2200014; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; sid:2200015; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; sid:2200080; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Routing extension header"; decode-event:ipv6.exthdr_dupl_rh; sid:2200016; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop Options extension header"; decode-event:ipv6.exthdr_dupl_hh; sid:2200017; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination Options extension header"; decode-event:ipv6.exthdr_dupl_dh; sid:2200018; rev:1;)
@ -82,3 +83,6 @@ alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-cs
alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:invalid; sid:2200077; rev:1;)
alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; sid:2200078; rev:1;)
alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; sid:2200079; rev:1;)
# next sid is 2200081

@ -61,6 +61,7 @@ enum {
IPV6_TRUNC_PKT, /**< truncated ipv6 packet */
IPV6_TRUNC_EXTHDR, /**< truncated ipv6 extension header */
IPV6_EXTHDR_DUPL_FH, /**< duplicated "fragment" header in ipv6 extension headers */
IPV6_EXTHDR_USELESS_FH, /**< useless FH: offset 0 + no more fragments */
IPV6_EXTHDR_DUPL_RH, /**< duplicated "routing" header in ipv6 extension headers */
IPV6_EXTHDR_DUPL_HH, /**< duplicated "hop-by-hop" header in ipv6 extension headers */
IPV6_EXTHDR_DUPL_DH, /**< duplicated "destination" header in ipv6 extension headers */

@ -309,6 +309,19 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
/* set the header ptr first */
IPV6_EXTHDR_SET_FH(p, pkt);
/* if FH has offset 0 and no more fragments are coming, we
* parse this packet further right away, no defrag will be
* needed. It is a useless FH then though, so we do set an
* decoder event. */
if (IPV6_EXTHDR_GET_FH_FLAG(p) == 0 && IPV6_EXTHDR_GET_FH_OFFSET(p) == 0) {
ENGINE_SET_EVENT(p, IPV6_EXTHDR_USELESS_FH);
nh = *pkt;
pkt += hdrextlen;
plen -= hdrextlen;
break;
}
/* the rest is parsed upon reassembly */
SCReturn;
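Review bot: The useless-FH branch runs after `IPV6_EXTHDR_SET_FH(p, pkt)`, so a packet that is now decoded in full still carries the fragment-header pointer. If the caller uses `IPV6_EXTHDR_ISSET_FH(p)` to decide on defragmentation (not visible here), the same packet could be both inspected directly and handed to defrag. That path is worth confirming, together with a unit test that feeds a packet with FH offset 0 and the more-fragments flag clear and asserts both the `IPV6_EXTHDR_USELESS_FH` event and decoding of the header that follows. The branch also depends on `hdrextlen <= plen` having been checked before `plen -= hdrextlen`; that check, like the rest of DecodeIPV6ExtHdrs, lies outside the hunk. A small wording fix for the new comment: `It is a useless FH then though, so we do set a decoder event.`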

@ -56,6 +56,7 @@ struct DetectEngineEvents_ {
{ "ipv6.trunc_pkt", IPV6_TRUNC_PKT, },
{ "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, },
{ "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, },
{ "ipv6.exthdr_useless_fh", IPV6_EXTHDR_USELESS_FH, },
{ "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, },
{ "ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, },
{ "ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, },
