Bug #1849

closed

ICMPv6 incorrect checksum alert if Ethernet FCS is present

Added by ajaxtpm ajaxtpm over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal

Description

If there is a frame check sequence (FCS) field in the Ethernet header (placed after all high-level payload), then the ICMPv6 checksum is calculated incorrectly and Suricata alerts with a lot of "Invalid ICMPv6 checksum" messages. If the FCS field is removed, the checksum is calculated correctly.
See the attached pcap.


Files

1.pcap (134 Bytes), ajaxtpm ajaxtpm, 07/21/2016 09:42 AM
Actions #1

Updated by Andreas Herz over 7 years ago

  • Assignee set to OISF Dev
  • Target version set to 70

That's also confirmed by Eric.

Actions #2

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish

The problem is that the size of the data that is passed to the checksum function is calculated from the end of the packet instead of being based on the IPv6 length. The fix isn't trivial though, as it requires a careful look at the ICMPv6 decoder.

Jason, is this one up your alley?
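The length mismatch described in the comment above, as an added example (not Suricata's code and not part of the ticket): a constructed Ethernet/IPv6/ICMPv6 echo request with a 4-byte FCS placeholder is verified once with the length taken from the end of the frame and once with the IPv6 payload length. The function names, addresses, payload and FCS bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HLEN 14
#define IP6_HLEN 40

/* Sum the IPv6 pseudo-header plus len bytes of ICMPv6; 0 means the checksum is valid. */
static uint16_t icmpv6_verify(const uint8_t *ip6, const uint8_t *icmp, uint32_t len)
{
    uint32_t sum = len + 58;                      /* upper-layer length + next header */
    for (int i = 8; i < IP6_HLEN; i += 2)         /* source and destination addresses */
        sum += (uint32_t)((ip6[i] << 8) | ip6[i + 1]);
    for (uint32_t i = 0; i + 1 < len; i += 2)     /* ICMPv6 header and data */
        sum += (uint32_t)((icmp[i] << 8) | icmp[i + 1]);
    if (len & 1) sum += (uint32_t)icmp[len - 1] << 8;   /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* ICMPv6 length from the IPv6 payload length field; 0 if it exceeds the captured bytes. */
static uint32_t len_from_ip6(const uint8_t *ip6, size_t avail)
{
    uint32_t plen = (uint32_t)((ip6[4] << 8) | ip6[5]);
    return plen <= avail ? plen : 0;
}

/* Constructed frame: Ethernet + IPv6 + 16-byte echo request + 4-byte FCS placeholder. */
static size_t build_frame(uint8_t *f)
{
    uint8_t *ip6 = f + ETH_HLEN, *icmp = ip6 + IP6_HLEN;
    memset(f, 0, 74); f[12] = 0x86; f[13] = 0xdd; /* zeroed frame, EtherType IPv6 */
    ip6[0] = 0x60; ip6[5] = 16; ip6[6] = 58; ip6[7] = 64;  /* payload length 16 */
    ip6[8] = ip6[24] = 0xfe; ip6[9] = ip6[25] = 0x80; ip6[23] = 1; ip6[39] = 2;
    icmp[0] = 128; memcpy(icmp + 8, "FCS test", 8);        /* echo request + payload */
    uint16_t c = icmpv6_verify(ip6, icmp, 16);    /* field is zero, so this is the checksum */
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    memcpy(icmp + 16, "\xde\xad\xbe\xef", 4);     /* FCS bytes, not a real CRC */
    return 74;
}

int main(void)
{
    uint8_t f[74];
    size_t avail = build_frame(f) - ETH_HLEN - IP6_HLEN;   /* 20: FCS included */
    const uint8_t *ip6 = f + ETH_HLEN, *icmp = ip6 + IP6_HLEN;
    uint32_t plen = len_from_ip6(ip6, avail);
    printf("frame-end len %u -> 0x%04x\n", (unsigned)avail, (unsigned)icmpv6_verify(ip6, icmp, (uint32_t)avail));
    printf("IPv6 len %u -> 0x%04x\n", (unsigned)plen, (unsigned)icmpv6_verify(ip6, icmp, plen));
    return 0;
}
```

Only the call that uses the IPv6 payload length returns a zero residual; the other folds the four trailer bytes and a length of 20 into the sum.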

Actions #3

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.1.2