Actions
Bug #1276
closedipv6 defrag issue with routing headers
Affected Versions:
Effort:
Difficulty:
Label:
Description
Reported privately.
Updated by Victor Julien over 10 years ago
- Subject changed from ipv6 issues to ipv6 defrag issue with routing headers
- Priority changed from Normal to High
ipv6: RH extension header parsing issue A logic error in the IPv6 Routing header parsing caused accidental updating of the original packet buffer. The calculated extension header lenght was set to the length field of the routing header, causing it to be wrong. This has 2 consequences: 1. defrag failure. As the now modified payload was used in defrag, the decoding of the reassembled packet now contained a broken length field for the routing header. This would lead to decoding failure. The potential here is evasion, although it would trigger: [1:2200014:1] SURICATA IPv6 truncated extension header 2. in IPS mode, especially the AF_PACKET mode, the modified and now broken packet would be transmitted on the wire. It's likely that end hosts and/or routers would reject this packet. NFQ based IPS mode would be less affected, as it 'verdicts' based on the packet handle. In case of replacing the packet (replace keyword or stream normalization) it could broadcast the bad packet. Additionally, the RH Type 0 address parsing was also broken. It too would modify the original packet. As the result of this code was not used anywhere else in the engine, this code is now disabled.
Updated by Victor Julien over 10 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Actions