Project

General

Profile

Actions

Bug #5034

closed

dns: probing/parser can return error when it should return incomplete

Added by Jason Ish about 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The hostname parsing in the DNS parser will return an error when it runs out of data instead of incomplete. This can result in a specially crafted DNS payload not being detected as DNS.

Suricata-Verify test showing DNS stream being picked up as ENIP:
https://github.com/OISF/suricata-verify/pull/676

Fix with master (nom7) is trivially done by moving error handling to the question mark operator. Its likely the same is true for 5.0.x and 6.0.x. This will probably ripple up incomplete or error up the parse chain.


Related issues 2 (0 open2 closed)

Copied to Suricata - Bug #5057: dns: probing/parser can return error when it should return incompleteClosedShivani BhardwajActions
Copied to Suricata - Bug #5058: dns: probing/parser can return error when it should return incompleteClosedJeff LucovskyActions
Actions #1

Updated by Jeff Lucovsky about 2 years ago

  • Copied to Bug #5057: dns: probing/parser can return error when it should return incomplete added
Actions #2

Updated by Jeff Lucovsky about 2 years ago

  • Copied to Bug #5058: dns: probing/parser can return error when it should return incomplete added
Actions #3

Updated by Jason Ish about 2 years ago

  • Status changed from Assigned to In Review
Actions #4

Updated by Jason Ish almost 2 years ago

  • Target version changed from 6.0.5 to 7.0.0-beta1
Actions #5

Updated by Victor Julien almost 2 years ago

  • Status changed from In Review to Closed

27679a12aa4e03e960112f387640419d29780e5a
0623ada24df1da99c72bb8cd4959b2cb0e64ccc2

Actions #6

Updated by Victor Julien about 1 year ago

  • Private changed from Yes to No
  • Label deleted (Needs backport to 5.0, Needs backport to 6.0)
Actions

Also available in: Atom PDF