Project

General

Profile

Actions

Bug #5058

closed

dns: probing/parser can return error when it should return incomplete

Added by Jeff Lucovsky almost 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The hostname parsing in the DNS parser will return an error when it runs out of data instead of incomplete. This can result in a specially crafted DNS payload not being detected as DNS.

Suricata-Verify test showing DNS stream being picked up as ENIP:
https://github.com/OISF/suricata-verify/pull/676

Fix with master (nom7) is trivially done by moving error handling to the question mark operator. Its likely the same is true for 5.0.x and 6.0.x. This will probably ripple up incomplete or error up the parse chain.


Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #5034: dns: probing/parser can return error when it should return incompleteClosedJason IshActions
Actions #1

Updated by Jeff Lucovsky almost 3 years ago

  • Copied from Bug #5034: dns: probing/parser can return error when it should return incomplete added
Actions #2

Updated by Jeff Lucovsky over 2 years ago

  • Status changed from Assigned to In Progress

Cherry-pick commit(s):
- 4b79702c04582a5180594b551f12bf8e5600b3c0
- 9e7ea631b2a067609c500539cd3a7a139f39c3e4
- 7e13c0d348689b44f38e04e4620de006f17cf8f5

Actions #3

Updated by Jeff Lucovsky over 2 years ago

  • Status changed from In Progress to In Review
Actions #4

Updated by Victor Julien over 2 years ago

  • Status changed from In Review to Resolved

Fix staged.

Actions #5

Updated by Jeff Lucovsky over 2 years ago

  • Status changed from Resolved to Closed

Commit(s):
- f5c65949e87e54f5b7c493c5acfe70844ec78329
- bf0813d9f07c30cf3f8541c10561ffd6f17ef0bf
- 3f7a69dbb8025711f9d2887f6754e8674a360a60

Actions #6

Updated by Victor Julien about 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF