Bug #6038
closedTCP resets have incorrect len, nh in IPv6
Description
Suricata's TCP rejects over IPv6 appear to have an incorrect length field value, which can cause these packets to be dropped as invalid elsewhere in the network before reaching their destination. We believe the problem is at [1] - it looks like Suricata is populating that field with the packet total length (which is correct for IPv4) instead of the payload length (correct for IPv6). We have tested a patched version of Suricata with this line corrected (lpacket.len = LIBNET_TCP_H;) which solves the problem for us.
JL Updated by Jamie Lavigne almost 3 years ago
I believe we also needed to fix this next protocol number in our local version as well: https://github.com/OISF/suricata/blob/f8ec993401aaeb25f96b6f752ea8095bf5213af6/src/respond-reject-libnet11.c#L461
VJ Updated by Victor Julien almost 3 years ago
- Subject changed from TCP resets have incorrect length in IPv6 to TCP resets have incorrect len, nh in IPv6
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 7.0.0-rc2
Thanks for pointing these out, they look wrong indeed.
OT Updated by OISF Ticketbot almost 3 years ago
- Subtask #6039 added
OT Updated by OISF Ticketbot almost 3 years ago
- Label deleted (
Needs backport to 6.0)
VJ Updated by Victor Julien almost 3 years ago
- Status changed from Assigned to In Review
VJ Updated by Victor Julien almost 3 years ago
- Status changed from In Review to Resolved
VJ Updated by Victor Julien almost 3 years ago
- Status changed from Resolved to Closed