decode-ipv4: adjust validation to RFC

RFC1108 only specifies a minimum field length of 3, not
a fixed length of 11.
pull/7948/head
Sascha Steinbiss 3 years ago committed by Victor Julien
parent fb790121bb
commit 8438ee48aa

@ -67,7 +67,7 @@ static int IPV4OptValidateGeneric(Packet *p, const IPV4Opt *o)
/* See: RFC 1108 */
case IPV4_OPT_SEC:
case IPV4_OPT_ESEC:
if (o->len != IPV4_OPT_SEC_LEN) {
if (unlikely(o->len < IPV4_OPT_SEC_MIN)) {
ENGINE_SET_INVALID_EVENT(p, IPV4_OPT_INVALID_LEN);
return -1;
}
@ -907,10 +907,8 @@ static int DecodeIPV4OptionsSECTest01(void)
/** \test IPV4 with SEC option (invalid length). */
static int DecodeIPV4OptionsSECTest02(void)
{
uint8_t raw_opts[] = {
IPV4_OPT_SEC, 0x0a, 0xf1, 0x35, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
uint8_t raw_opts[] = { IPV4_OPT_SEC, 0x02, 0xf1, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00 };
Packet *p = PacketGetFromAlloc();
FAIL_IF(unlikely(p == NULL));
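Review bot: With the equality test replaced by `o->len < IPV4_OPT_SEC_MIN`, IPV4OptValidateGeneric no longer puts any upper limit on a SEC/ESEC option length. The only ceiling is whatever the caller checks against the remaining option bytes; that check is outside these hunks and should be confirmed, along with any consumer that still assumes an 11-byte option. DecodeIPV4OptionsSECTest02 now pins only the rejected side (length 0x02), and nothing visible here pins the newly accepted range. I would add a boundary test, for example a constructed `uint8_t raw_opts[] = { IPV4_OPT_SEC, 0x03, 0xf1, 0x00 };` expected to decode without IPV4_OPT_INVALID_LEN, and one using IPV4_OPT_ESEC since it shares the case label. Both function bodies continue outside the hunks shown.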

@ -44,11 +44,11 @@
#define IPV4_OPT_RTRALT 0x94 /**< Option: Router Alert */
/** IP Option Lengths (fixed) */
#define IPV4_OPT_SEC_LEN 11 /**< SEC Option Fixed Length */
#define IPV4_OPT_SID_LEN 4 /**< SID Option Fixed Length */
#define IPV4_OPT_RTRALT_LEN 4 /**< RTRALT Option Fixed Length */
/** IP Option Lengths (variable) */
#define IPV4_OPT_SEC_MIN 3 /**< SEC, ESEC Option Min Length */
#define IPV4_OPT_ROUTE_MIN 3 /**< RR, SRR, LTRR Option Min Length */
#define IPV4_OPT_QS_MIN 8 /**< QS Option Min Length */
#define IPV4_OPT_TS_MIN 5 /**< TS Option Min Length */
