Bug #5058
closeddns: probing/parser can return error when it should return incomplete
Description
The hostname parsing in the DNS parser will return an error when it runs out of data instead of incomplete. This can result in a specially crafted DNS payload not being detected as DNS.
Suricata-Verify test showing DNS stream being picked up as ENIP:
https://github.com/OISF/suricata-verify/pull/676
Fix with master (nom7) is trivially done by moving error handling to the question mark operator. Its likely the same is true for 5.0.x and 6.0.x. This will probably ripple up incomplete or error up the parse chain.
JL Updated by Jeff Lucovsky about 4 years ago
- Copied from Bug #5034: dns: probing/parser can return error when it should return incomplete added
JL Updated by Jeff Lucovsky about 4 years ago
- Status changed from Assigned to In Progress
Cherry-pick commit(s):
- 4b79702c04582a5180594b551f12bf8e5600b3c0
- 9e7ea631b2a067609c500539cd3a7a139f39c3e4
- 7e13c0d348689b44f38e04e4620de006f17cf8f5
JL Updated by Jeff Lucovsky about 4 years ago
- Status changed from In Progress to In Review
VJ Updated by Victor Julien about 4 years ago
- Status changed from In Review to Resolved
Fix staged.
JL Updated by Jeff Lucovsky almost 4 years ago
- Status changed from Resolved to Closed
Commit(s):
- f5c65949e87e54f5b7c493c5acfe70844ec78329
- bf0813d9f07c30cf3f8541c10561ffd6f17ef0bf
- 3f7a69dbb8025711f9d2887f6754e8674a360a60
VJ Updated by Victor Julien over 3 years ago
- Private changed from Yes to No