Bug #5058
closeddns: probing/parser can return error when it should return incomplete
Description
The hostname parsing in the DNS parser will return an error when it runs out of data instead of incomplete. This can result in a specially crafted DNS payload not being detected as DNS.
Suricata-Verify test showing DNS stream being picked up as ENIP:
https://github.com/OISF/suricata-verify/pull/676
Fix with master (nom7) is trivially done by moving error handling to the question mark operator. Its likely the same is true for 5.0.x and 6.0.x. This will probably ripple up incomplete or error up the parse chain.
Updated by Jeff Lucovsky almost 3 years ago
- Copied from Bug #5034: dns: probing/parser can return error when it should return incomplete added
Updated by Jeff Lucovsky over 2 years ago
- Status changed from Assigned to In Progress
Cherry-pick commit(s):
- 4b79702c04582a5180594b551f12bf8e5600b3c0
- 9e7ea631b2a067609c500539cd3a7a139f39c3e4
- 7e13c0d348689b44f38e04e4620de006f17cf8f5
Updated by Jeff Lucovsky over 2 years ago
- Status changed from In Progress to In Review
Updated by Jeff Lucovsky over 2 years ago
- Status changed from Resolved to Closed
Commit(s):
- f5c65949e87e54f5b7c493c5acfe70844ec78329
- bf0813d9f07c30cf3f8541c10561ffd6f17ef0bf
- 3f7a69dbb8025711f9d2887f6754e8674a360a60