Actions
Bug #5034
closeddns: probing/parser can return error when it should return incomplete
Affected Versions:
Effort:
Difficulty:
Label:
Description
The hostname parsing in the DNS parser will return an error when it runs out of data instead of incomplete. This can result in a specially crafted DNS payload not being detected as DNS.
Suricata-Verify test showing DNS stream being picked up as ENIP:
https://github.com/OISF/suricata-verify/pull/676
Fix with master (nom7) is trivially done by moving error handling to the question mark operator. Its likely the same is true for 5.0.x and 6.0.x. This will probably ripple up incomplete or error up the parse chain.
Updated by Jeff Lucovsky about 2 years ago
- Copied to Bug #5057: dns: probing/parser can return error when it should return incomplete added
Updated by Jeff Lucovsky about 2 years ago
- Copied to Bug #5058: dns: probing/parser can return error when it should return incomplete added
Updated by Jason Ish about 2 years ago
- Status changed from Assigned to In Review
Updated by Jason Ish about 2 years ago
- Target version changed from 6.0.5 to 7.0.0-beta1
Updated by Victor Julien about 2 years ago
- Status changed from In Review to Closed
27679a12aa4e03e960112f387640419d29780e5a0623ada24df1da99c72bb8cd4959b2cb0e64ccc2
Updated by Victor Julien over 1 year ago
- Private changed from Yes to No
- Label deleted (
Needs backport to 5.0, Needs backport to 6.0)
Actions