[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-2.0.2-111-g2b84cd9

OISF Git noreply at openinfosecfoundation.org
Wed Aug 6 13:20:28 UTC 2014 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master has been updated
       via  2b84cd948381c3e33d728160a4c19b3a912bff94 (commit)
       via  7c05685421afbb948cd6db308a5ee4cb347c7e15 (commit)
       via  bbcdb657dad9e26d12470ae01b9b0cca8e8f8712 (commit)
       via  938602c55ec1bdad4f9ea664cd53382b6b454e9b (commit)
       via  8c19e5ff63757efa2a6874f749f062754a47c8b6 (commit)
       via  abee95ca4fb815b2c723409580f937ad8824ab58 (commit)
       via  83b031b4e025d84593424a1ed3d4d3e613956b37 (commit)
      from  e66c73abcd65786d686a02113f8709fe071a5d7f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2b84cd948381c3e33d728160a4c19b3a912bff94
Author: Victor Julien <victor at inliniac.net>
Date:   Tue Aug 5 17:28:17 2014 +0200

    defrag: use 'struct timeval' for timeout tracking
    
    Until now the time out handling in defrag was done using a single
    uint32_t that tracked seconds. This lead to corner cases, where
    defrag trackers could be timed out a little too early.

commit 7c05685421afbb948cd6db308a5ee4cb347c7e15
Author: Victor Julien <victor at inliniac.net>
Date:   Mon Jul 28 14:41:15 2014 +0200

    ipv6: set event on unsupported nh
    
    If a next header / protocol is encountered that we can't handle (yet)
    set an event. Disabled the rule by default.
    
        decode-event:ipv6.unknown_next_header;

commit bbcdb657dad9e26d12470ae01b9b0cca8e8f8712
Author: Victor Julien <victor at inliniac.net>
Date:   Mon Jul 28 13:59:44 2014 +0200

    ipv6: more robust ipv6 exthdr handling
    
    Skip past Shim6, HIP and Mobility header.
    
    Detect data after 'none' header.
        decode-event:ipv6.data_after_none_header;

commit 938602c55ec1bdad4f9ea664cd53382b6b454e9b
Author: Victor Julien <victor at inliniac.net>
Date:   Mon Jul 28 12:07:13 2014 +0200

    ipv6: detect frag header reserved field non-zero
    
    Frag Header length field is reserved, and should be set to 0.
    
        decode-event:ipv6.fh_non_zero_reserved_field;

commit 8c19e5ff63757efa2a6874f749f062754a47c8b6
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jul 24 16:50:34 2014 +0200

    ipv6: make exthdr parsing more robust
    
    Improve data length checks. Detect PadN option with 0 length.

commit abee95ca4fb815b2c723409580f937ad8824ab58
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jul 17 15:57:16 2014 +0200

    ipv6: set flag on type 0 routing header
    
    Type 0 Routing headers are deprecated per RFC 5095.
    
    This patch sets an decode event flag that can be matched on through:
        decode-event:ipv6.rh_type_0;

commit 83b031b4e025d84593424a1ed3d4d3e613956b37
Author: Victor Julien <victor at inliniac.net>
Date:   Thu Jul 24 13:39:10 2014 +0200

    ipv6 defrag: fix unfragmentable exthdr handling
    
    Fix or rather implement handling of unfragmentable exthdrs in ipv6.
    The exthdr(s) appearing before the frag header were copied into the
    reassembled packet correctly, however the stripping of the frag header
    did not work correctly.
    
    Example:
    The common case is a frag header directly after the ipv6 header:
    
    [ipv6 header]->[frag header]->[icmpv6 (part1)]
    [ipv6 header]->[frag header]->[icmpv6 (part2)]
    
    This would result in:
    [ipv6 header]->[icmpv6]
    
    The ipv6 headers 'next header' setting would be updated to point to
    whatever the frag header was pointing to.
    
    This would also happen when is this case:
    
    [ipv6 header]->[hop header]->[frag header]->[icmpv6 (part1)]
    [ipv6 header]->[hop header]->[frag header]->[icmpv6 (part2)]
    
    The result would be:
    [ipv6 header]->[hop header]->[icmpv6]
    
    However, here too the ipv6 header would have been updated to point
    to what the frag header pointed at. So it would consider the hop header
    as if it was an ICMPv6 header, or whatever the frag header pointed at.
    
    The result is that packets would not be correctly parsed, and thus this
    issue can lead to evasion.
    
    This patch implements handling of the unfragmentable part. In the first
    segment that is stored in the list for reassembly, this patch detects
    unfragmentable headers and updates it to have the last unfragmentable
    header point to the layer after the frag header.
    
    Also, the ipv6 headers 'next hdr' is only updated if no unfragmentable
    headers are used. If they are used, the original value is correct.
    
    Reported-By: Rafael Schaefer <rschaefer at ernw.de>
    
    Bug #1244.

-----------------------------------------------------------------------

Summary of changes:
 rules/decoder-events.rules |   12 ++++++-
 src/decode-events.h        |    6 ++++
 src/decode-ipv6.c          |   77 +++++++++++++++++++++++++++++++++++++++++---
 src/decode.h               |   13 ++++++++
 src/defrag-timeout.c       |    2 +-
 src/defrag.c               |   54 ++++++++++++++++++++++++++++---
 src/defrag.h               |    2 +-
 src/detect-engine-event.h  |    5 +++
 8 files changed, 160 insertions(+), 11 deletions(-)


hooks/post-receive
-- 
OISF

More information about the Oisf-devel mailing list