Actions
Security #6669
closed
JI
JI
Security #6493: ip defrag: several issues with overlap handling
ip defrag: re-assembly error in bsd policy
Security #6669:
ip defrag: re-assembly error in bsd policy
Git IDs:
f1709ea551124e1a64fdc509993ad022ab27aa77
Severity:
MODERATE
Disclosure Date:
Description
Given a subsequent fragment that starts before an original fragment, and overlaps the beginning of the original fragment, Suricata has been preferring the data from the original fragment.
However, per the Novak-Sturges paper, the original fragment data should only be preferred if it has an offset <= to the new fragment.
Fix is to use the data from the new fragment if it has an offset less than the offset of the original fragment.
This is covered in the test bsd/peose/test9.
OT Updated by OISF Ticketbot about 2 years ago
- Subtask #6670 added
OT Updated by OISF Ticketbot about 2 years ago
- Label deleted (
Needs backport to 6.0)
OT Updated by OISF Ticketbot about 2 years ago
- Subtask #6672 added
OT Updated by OISF Ticketbot about 2 years ago
- Label deleted (
Needs backport to 7.0)
JI Updated by Jason Ish about 2 years ago
- Status changed from New to In Review
JI Updated by Jason Ish almost 2 years ago
- Status changed from In Review to Resolved
JI Updated by Jason Ish almost 2 years ago
- Status changed from Resolved to In Review
VJ Updated by Victor Julien almost 2 years ago
- CVE set to 2024-32867
VJ Updated by Victor Julien almost 2 years ago
- Status changed from In Review to Closed
- Git IDs updated (diff)
VJ Updated by Victor Julien almost 2 years ago
- Private changed from Yes to No
VJ Updated by Victor Julien almost 2 years ago
Credits: PhD thesis work from Lucas Aubard supervised by Johan Mazel, Gilles Guette and Pierre Chifflier
Actions