ipv6: detect frag header reserved field non-zero

Frag Header length field is reserved, and should be set to 0. decode-event:ipv6.fh_non_zero_reserved_field;
11 years ago · 938602c55e
parent 8c19e5ff63
commit 938602c55e
4 changed files with 11 additions and 1 deletions
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@ -39,6 +39,8 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decod
 alert ipv6 any any -> any any (msg:"SURICATA RH Type 0"; decode-event:ipv6.rh_type_0; sid:2200093; rev:1;)
 # padN option with zero length field
 alert ipv6 any any -> any any (msg:"SURICATA zero length padN option"; decode-event:ipv6.zero_len_padn; sid:2200094; rev:1;)
+# Frag Header 'length' field is reserved and should be 0
+alert ipv6 any any -> any any (msg:"SURICATA reserved field in Frag Header not zero"; decode-event:ipv6.fh_non_zero_reserved_field; sid:2200095; rev:1;)
 alert ipv6 any any -> any any (msg:"SURICATA IPv6 with ICMPv4 header"; decode-event:ipv6.icmpv4; sid:2200090; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
@ -110,5 +112,5 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; d
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)

-# next sid is 2200095
+# next sid is 2200096

--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -81,6 +81,7 @@ enum {

    IPV6_EXTHDR_RH_TYPE_0,          /**< RH 0 is deprecated as per rfc5095 */
    IPV6_EXTHDR_ZERO_LEN_PADN,      /**< padN w/o data (0 len) */
+    IPV6_FH_NON_ZERO_RES_FIELD,     /**< reserved field not zero */

    IPV6_WITH_ICMPV4,               /**< IPv6 packet with ICMPv4 header */

--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@ -412,6 +412,12 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
                    SCReturn;
                }

+                /* for the frag header, the length field is reserved */
+                if (*(pkt + 1) != 0) {
+                    ENGINE_SET_EVENT(p, IPV6_FH_NON_ZERO_RES_FIELD);
+                    /* non fatal, lets try to continue */
+                }
+
                if(p->IPV6_EH_CNT<IPV6_MAX_OPT)
                {
                    p->IPV6_EXTHDRS[p->IPV6_EH_CNT].type = nh;
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@ -91,6 +91,7 @@ struct DetectEngineEvents_ {
    { "ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
    { "ipv6.rh_type_0", IPV6_EXTHDR_RH_TYPE_0, },
    { "ipv6.zero_len_padn", IPV6_EXTHDR_ZERO_LEN_PADN, },
+    { "ipv6.fh_non_zero_reserved_field", IPV6_FH_NON_ZERO_RES_FIELD, },
    { "ipv6.icmpv4", IPV6_WITH_ICMPV4, },

    /* TCP EVENTS */