Bug #6038
closedTCP resets have incorrect len, nh in IPv6
Description
Suricata's TCP rejects over IPv6 appear to have an incorrect length field value, which can cause these packets to be dropped as invalid elsewhere in the network before reaching their destination. We believe the problem is at [1] - it looks like Suricata is populating that field with the packet total length (which is correct for IPv4) instead of the payload length (correct for IPv6). We have tested a patched version of Suricata with this line corrected (lpacket.len = LIBNET_TCP_H;) which solves the problem for us.
Updated by Jamie Lavigne about 1 year ago
I believe we also needed to fix this next protocol number in our local version as well: https://github.com/OISF/suricata/blob/f8ec993401aaeb25f96b6f752ea8095bf5213af6/src/respond-reject-libnet11.c#L461
Updated by Victor Julien about 1 year ago
- Subject changed from TCP resets have incorrect length in IPv6 to TCP resets have incorrect len, nh in IPv6
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 7.0.0-rc2
Thanks for pointing these out, they look wrong indeed.
Updated by OISF Ticketbot about 1 year ago
- Label deleted (
Needs backport to 6.0)
Updated by Victor Julien about 1 year ago
- Status changed from Assigned to In Review
Updated by Victor Julien about 1 year ago
- Status changed from In Review to Resolved
Updated by Victor Julien about 1 year ago
- Status changed from Resolved to Closed