ipv6: fix an AH header parsing issue. Add decoder event for non-null reserved fields.

13 years ago · b976ff228a
parent 52044bb81b
commit b976ff228a
4 changed files with 15 additions and 4 deletions
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@ -24,6 +24,8 @@ alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Authentication He
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicate ESP extension header"; decode-event:ipv6.exthdr_dupl_eh; sid:2200020; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 invalid option lenght in header"; decode-event:ipv6.exthdr_invalid_optlen; sid:2200021; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA IPv6 wrong IP version"; decode-event:ipv6.wrong_ip_version; sid:2200022; rev:1;)
+# RFC 4302 states the reserved field should be 0.
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 AH reserved field not 0"; decode-event:ipv6.exthdr_ah_res_not_null; sid:2200081; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-event:icmpv4.unknown_code; sid:2200025; rev:1;)
@ -84,5 +86,5 @@ alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:
 alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; sid:2200078; rev:1;)
 alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; sid:2200079; rev:1;)

-# next sid is 2200081
+# next sid is 2200082

--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -70,6 +70,7 @@ enum {

    IPV6_EXTHDR_INVALID_OPTLEN,     /**< the opt len in an hop or dst hdr is invalid. */
    IPV6_WRONG_IP_VER,              /**< wrong version in ipv6 */
+    IPV6_EXTHDR_AH_RES_NOT_NULL,    /**< AH hdr reserved fields not null (rfc 4302) */

    /* TCP EVENTS */
    TCP_PKT_TOO_SMALL,              /**< tcp packet smaller than minimum size */
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@ -362,8 +362,10 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
                IPV6_SET_L4PROTO(p,nh);
                /* we need the header as a minimum */
                hdrextlen = sizeof(IPV6AuthHdr);
-                /* the payload len field is the number of extra 4 byte fields */
-                hdrextlen += (*(pkt+1)) * 4;
+                /* the payload len field is the number of extra 4 byte fields,
+                 * IPV6AuthHdr already contains the first */
+                if (*(pkt+1) > 0)
+                    hdrextlen += ((*(pkt+1) - 1) * 4);

                SCLogDebug("hdrextlen %"PRIu8, hdrextlen);

@ -372,7 +374,12 @@ DecodeIPV6ExtHdrs(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
                    SCReturn;
                }

-                if(p->IPV6_EH_CNT<IPV6_MAX_OPT)
+                IPV6AuthHdr *ahhdr = (IPV6AuthHdr *)pkt;
+                if (ahhdr->ip6ah_reserved != 0x0000) {
+                    ENGINE_SET_EVENT(p, IPV6_EXTHDR_AH_RES_NOT_NULL);
+                }
+
+                if(p->IPV6_EH_CNT < IPV6_MAX_OPT)
                {
                    p->IPV6_EXTHDRS[p->IPV6_EH_CNT].type = nh;
                    p->IPV6_EXTHDRS[p->IPV6_EH_CNT].next = *pkt;
--- a/src/detect-engine-event.h
+++ b/src/detect-engine-event.h
@ -64,6 +64,7 @@ struct DetectEngineEvents_ {
    { "ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, },
    { "ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, },
    { "ipv6.wrong_ip_version", IPV6_WRONG_IP_VER, },
+    { "ipv6.exthdr_ah_res_not_null", IPV6_EXTHDR_AH_RES_NOT_NULL, },
    { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
    { "icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
    { "icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },