[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-2.0.2-111-g2b84cd9
OISF Git
noreply at openinfosecfoundation.org
Wed Aug 6 13:20:28 UTC 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".
The branch, master has been updated
via 2b84cd948381c3e33d728160a4c19b3a912bff94 (commit)
via 7c05685421afbb948cd6db308a5ee4cb347c7e15 (commit)
via bbcdb657dad9e26d12470ae01b9b0cca8e8f8712 (commit)
via 938602c55ec1bdad4f9ea664cd53382b6b454e9b (commit)
via 8c19e5ff63757efa2a6874f749f062754a47c8b6 (commit)
via abee95ca4fb815b2c723409580f937ad8824ab58 (commit)
via 83b031b4e025d84593424a1ed3d4d3e613956b37 (commit)
from e66c73abcd65786d686a02113f8709fe071a5d7f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2b84cd948381c3e33d728160a4c19b3a912bff94
Author: Victor Julien <victor at inliniac.net>
Date: Tue Aug 5 17:28:17 2014 +0200
defrag: use 'struct timeval' for timeout tracking
Until now the time out handling in defrag was done using a single
uint32_t that tracked seconds. This led to corner cases, where
defrag trackers could be timed out a little too early.
commit 7c05685421afbb948cd6db308a5ee4cb347c7e15
Author: Victor Julien <victor at inliniac.net>
Date: Mon Jul 28 14:41:15 2014 +0200
ipv6: set event on unsupported nh
If a next header / protocol is encountered that we can't handle (yet)
set an event. Disabled the rule by default.
decode-event:ipv6.unknown_next_header;
commit bbcdb657dad9e26d12470ae01b9b0cca8e8f8712
Author: Victor Julien <victor at inliniac.net>
Date: Mon Jul 28 13:59:44 2014 +0200
ipv6: more robust ipv6 exthdr handling
Skip past Shim6, HIP and Mobility header.
Detect data after 'none' header.
decode-event:ipv6.data_after_none_header;
commit 938602c55ec1bdad4f9ea664cd53382b6b454e9b
Author: Victor Julien <victor at inliniac.net>
Date: Mon Jul 28 12:07:13 2014 +0200
ipv6: detect frag header reserved field non-zero
Frag Header length field is reserved, and should be set to 0.
decode-event:ipv6.fh_non_zero_reserved_field;
commit 8c19e5ff63757efa2a6874f749f062754a47c8b6
Author: Victor Julien <victor at inliniac.net>
Date: Thu Jul 24 16:50:34 2014 +0200
ipv6: make exthdr parsing more robust
Improve data length checks. Detect PadN option with 0 length.
commit abee95ca4fb815b2c723409580f937ad8824ab58
Author: Victor Julien <victor at inliniac.net>
Date: Thu Jul 17 15:57:16 2014 +0200
ipv6: set flag on type 0 routing header
Type 0 Routing headers are deprecated per RFC 5095.
This patch sets a decode event flag that can be matched on through:
decode-event:ipv6.rh_type_0;
commit 83b031b4e025d84593424a1ed3d4d3e613956b37
Author: Victor Julien <victor at inliniac.net>
Date: Thu Jul 24 13:39:10 2014 +0200
ipv6 defrag: fix unfragmentable exthdr handling
Fix or rather implement handling of unfragmentable exthdrs in ipv6.
The exthdr(s) appearing before the frag header were copied into the
reassembled packet correctly, however the stripping of the frag header
did not work correctly.
Example:
The common case is a frag header directly after the ipv6 header:
[ipv6 header]->[frag header]->[icmpv6 (part1)]
[ipv6 header]->[frag header]->[icmpv6 (part2)]
This would result in:
[ipv6 header]->[icmpv6]
The ipv6 header's 'next header' setting would be updated to point to
whatever the frag header was pointing to.
This would also happen in this case:
[ipv6 header]->[hop header]->[frag header]->[icmpv6 (part1)]
[ipv6 header]->[hop header]->[frag header]->[icmpv6 (part2)]
The result would be:
[ipv6 header]->[hop header]->[icmpv6]
However, here too the ipv6 header would have been updated to point
to what the frag header pointed at. So it would consider the hop header
as if it was an ICMPv6 header, or whatever the frag header pointed at.
The result is that packets would not be correctly parsed, and thus this
issue can lead to evasion.
This patch implements handling of the unfragmentable part. In the first
segment that is stored in the list for reassembly, this patch detects
unfragmentable headers and updates it to have the last unfragmentable
header point to the layer after the frag header.
Also, the ipv6 header's 'next hdr' is only updated if no unfragmentable
headers are used. If they are used, the original value is correct.
Reported-By: Rafael Schaefer <rschaefer at ernw.de>
Bug #1244.
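The following is an added, self-contained reassembler (not Suricata's src/defrag.c) that shows the handling the commit message describes: the fragment header is stripped, and the 'next header' byte that is patched to point past it is the one in the last unfragmentable header when such headers are present, or in the IPv6 header itself when the frag header follows it directly. Passing fix_unfragmentable=False reproduces the pre-fix behaviour, where the IPv6 header is always patched and the hop-by-hop header is left pointing at a fragment header that no longer exists. The two-fragment ICMPv6 echo and the addresses are constructed inline.

```python
import struct

HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, ICMPV6 = 0, 43, 44, 60, 58
UNFRAGMENTABLE = {HOPOPTS, ROUTING, DSTOPTS}   # may precede the fragment header
SRC = bytes.fromhex("20010db8000000000000000000000001")   # constructed addresses
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_packet(next_header, payload):
    """Minimal IPv6 header + payload (constructed test input)."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


def frag_header(next_header, offset, more, ident):
    """RFC 2460 fragment header: next hdr, reserved, offset|res|M, identification."""
    return struct.pack("!BBHI", next_header, 0, (offset & ~7) | more, ident)


def locate_frag_header(pkt):
    """Return (offset of the frag header, offset of the next-header byte pointing at it)."""
    nh, off, nh_field = pkt[6], 40, 6
    while nh != FRAGMENT:
        if nh not in UNFRAGMENTABLE:
            raise ValueError("no fragment header before upper layer")
        nh_field = off                                   # this header's own next-header byte
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return off, nh_field


def reassemble(fragments, fix_unfragmentable=True):
    """Reassemble one datagram's fragments (all must share an identification)."""
    pieces, unfrag, nh_field, nh_after = {}, None, None, None
    for pkt in fragments:
        fh, field = locate_frag_header(pkt)
        frag_off = (struct.unpack("!H", pkt[fh + 2:fh + 4])[0] >> 3) * 8
        more = pkt[fh + 3] & 1
        pieces[frag_off] = (pkt[fh + 8:], more)
        if frag_off == 0:                                # first fragment carries the unfragmentable part
            unfrag, nh_field, nh_after = bytearray(pkt[:fh]), field, pkt[fh]
    if unfrag is None:
        raise ValueError("first fragment missing")
    if fix_unfragmentable:
        unfrag[nh_field] = nh_after    # last unfragmentable header (or IPv6 header) now points past the frag header
    else:
        unfrag[6] = nh_after           # pre-fix behaviour: always patch the IPv6 header
    expected, body, more = 0, b"", 0
    for off in sorted(pieces):                           # require a contiguous, complete set
        data, more = pieces[off]
        if off != expected:
            raise ValueError("gap or overlap in fragments")
        body += data
        expected += len(data)
    if more:
        raise ValueError("last fragment still has the M flag set")
    struct.pack_into("!H", unfrag, 4, len(unfrag) - 40 + len(body))   # fix payload length
    return bytes(unfrag) + body


# Constructed input: an ICMPv6 echo split in two, with a hop-by-hop header before the frag header.
ICMP = bytes.fromhex("80000000000100010102030405060708090a0b0c0d0e0f10")
HOP = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])             # next hdr = fragment, one PadN option
WITH_HOP = [
    ipv6_packet(HOPOPTS, HOP + frag_header(ICMPV6, 0, 1, 0x1234) + ICMP[:16]),
    ipv6_packet(HOPOPTS, HOP + frag_header(ICMPV6, 16, 0, 0x1234) + ICMP[16:]),
]
DIRECT = [
    ipv6_packet(FRAGMENT, frag_header(ICMPV6, 0, 1, 0x5678) + ICMP[:16]),
    ipv6_packet(FRAGMENT, frag_header(ICMPV6, 16, 0, 0x5678) + ICMP[16:]),
]

if __name__ == "__main__":
    good, bad = reassemble(WITH_HOP), reassemble(WITH_HOP, fix_unfragmentable=False)
    print("fixed:  ipv6 nh=%d hop nh=%d" % (good[6], good[40]))   # 0 and 58
    print("pre-fix: ipv6 nh=%d hop nh=%d" % (bad[6], bad[40]))    # 58 and 44
```

In the pre-fix output the IPv6 header claims the next header is ICMPv6 while the hop-by-hop header is still in place, which is exactly the misparse the commit describes; any decoder that trusts that byte would treat the option bytes as an ICMPv6 message.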
-----------------------------------------------------------------------
Summary of changes:
rules/decoder-events.rules | 12 ++++++-
src/decode-events.h | 6 ++++
src/decode-ipv6.c | 77 +++++++++++++++++++++++++++++++++++++++++---
src/decode.h | 13 ++++++++
src/defrag-timeout.c | 2 +-
src/defrag.c | 54 ++++++++++++++++++++++++++++---
src/defrag.h | 2 +-
src/detect-engine-event.h | 5 +++
8 files changed, 160 insertions(+), 11 deletions(-)
hooks/post-receive
--
OISF