Actions
Bug #1849
closedICMPv6 incorrect checksum alert if Ethernet FCS is present
Affected Versions:
Effort:
Difficulty:
Label:
Description
If there is a frame check sequence (FCS) field in Ethernet header (placed after all high-level payload) then ICMPv6 checksum calculates incorrectly and suricata alerts a lot of "Invalid ICMPv6 checksum" messages. If remove FCS field then checksum calculates correctly.
See pcap attached
Files
Updated by Andreas Herz over 8 years ago
- Assignee set to OISF Dev
- Target version set to 70
That's also confirmed by Eric
Updated by Victor Julien over 8 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
The problem is that the size of the data that is passed to the checksum function is calculated from the end of the packet instead of based on the IPv6 length. The fix isn't trivial though as it requires some careful look at the ICMPv6 decoder.
Jason, is this one up your alley?
Updated by Victor Julien over 8 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.1.2
Actions