[Oisf-devel] Maybe a BUG in the code dealing with UDP fragments

iswalker mail2cissp at gmail.com
Thu May 24 14:24:06 UTC 2012


In the code of the decode-ipv4.c/DecodeIPV4 function:

    /* If a fragment, pass off for re-assembly. */
    if (unlikely(IPV4_GET_IPOFFSET(p) > 0 || IPV4_GET_MF(p) == 1)) {
        Packet *rp = Defrag(tv, dtv, NULL, p);
        if (rp != NULL) {
            /* Got re-assembled packet, re-run through decoder. */
            DecodeIPV4(tv, dtv, rp, (void *)rp->ip4h, IPV4_GET_IPLEN(rp), pq);
            PacketEnqueue(pq, rp);
        }
        /* added by iswalker */
        if (IPV4_GET_IPOFFSET(p) == 0 && IPV4_GET_MF(p) == 1 &&
            IPV4_GET_IPPROTO(p) == IPPROTO_UDP) {
            DecodeUDP(tv, dtv, p, pkt + IPV4_GET_HLEN(p),
                      IPV4_GET_IPLEN(p) - IPV4_GET_HLEN(p), pq);
        }
        /* end */
        return;
    }
Problem: if the packet is UDP and it is the first fragment (offset == 0 and
MF is 1), the IP payload contains the complete UDP header, which we should
decode completely, or we will not be able to define some signatures that
include fragment info and UDP header info.
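
As an added illustration of the point in the message above (not part of the original post and not Suricata code), this stand-alone C function checks whether an IPv4 packet is a first fragment that still carries a complete UDP header and reads the ports from it. The `FragUdpInfo` type, the `first_frag_udp` function and the sample packet are constructed for this example; it also flags that the UDP length field describes the whole datagram, so it is larger than the first fragment's own payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type for this example; not a Suricata structure. */
typedef struct {
    int first_frag;   /* offset == 0 and MF set */
    int udp_hdr_ok;   /* the full 8-byte UDP header is in this fragment */
    int len_exceeds;  /* UDP length field is larger than this fragment's payload */
    uint16_t sport, dport, udp_len;
} FragUdpInfo;

/* Constructed sample: first fragment (MF=1, offset 0) of a 1500-byte UDP datagram. */
static const uint8_t SAMPLE_FIRST_FRAG[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x20, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,   /* IPv4 header, checksum unset */
    0x04, 0xd2, 0x00, 0x35, 0x05, 0xdc, 0x00, 0x00 }; /* UDP 1234 -> 53, len 1500 */

static uint16_t rd16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }

/* Returns 0 on success, -1 if the buffer is not a well-formed IPv4 packet. */
int first_frag_udp(const uint8_t *pkt, size_t len, FragUdpInfo *out)
{
    *out = (FragUdpInfo){0};
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    size_t iplen = rd16(pkt + 2);
    if (hlen < 20 || iplen < hlen || iplen > len) return -1;
    uint16_t ff = rd16(pkt + 6);                     /* flags + fragment offset */
    out->first_frag = (ff & 0x1fff) == 0 && (ff & 0x2000) != 0;
    if (!out->first_frag || pkt[9] != 17) return 0;  /* 17 = IPPROTO_UDP */
    size_t payload = iplen - hlen;
    if (payload < 8) return 0;       /* tiny first fragment: header incomplete */
    const uint8_t *u = pkt + hlen;
    out->udp_hdr_ok = 1;
    out->sport = rd16(u);
    out->dport = rd16(u + 2);
    out->udp_len = rd16(u + 4);
    out->len_exceeds = out->udp_len > payload;       /* expected for fragments */
    return 0;
}

int main(void)
{
    FragUdpInfo i;
    if (first_frag_udp(SAMPLE_FIRST_FRAG, sizeof SAMPLE_FIRST_FRAG, &i) == 0)
        printf("first=%d udp=%d %d->%d len=%d exceeds=%d\n", i.first_frag,
               i.udp_hdr_ok, i.sport, i.dport, i.udp_len, i.len_exceeds);
    return 0;
}
```

A decoder that rejects any UDP packet whose length field does not match the bytes on the wire would discard this first fragment, so that check has to be relaxed for fragments if header fields are to be matched before reassembly.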