Security #7067

defrag: off by one leads to possible evasion

Added by Philippe Antoine 6 months ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity: HIGH
Disclosure Date: 09/04/2024


Files

lolc.pcap (129 KB), Philippe Antoine, 06/11/2024 08:15 AM
lole.pcap (300 Bytes), Philippe Antoine, 06/11/2024 08:55 AM

Subtasks 1 (0 open, 1 closed)

Security #7215: defrag: off by one leads to possible evasion (7.0.x backport), Closed, Philippe Antoine

#1

Updated by Philippe Antoine 6 months ago

Ouch: `tracker->ip_hdr_offset` 4 is greater than `GET_PKT_LEN(r)` 0

#2

Updated by Victor Julien 6 months ago

Do you have a pcap?

#3

Updated by Philippe Antoine 6 months ago

  • File lol.pcap added

The pcap only triggers on fuzz_decodepcapfile, not on suricata.

#4

Updated by Philippe Antoine 5 months ago

Here is a pcap reproducer.

I had to do `mergecap -a -w lolc.pcap lolb.pcap lolb.pcap` because fuzzing runs the input twice (to check for leaks).

#5

Updated by Philippe Antoine 5 months ago

  • File deleted (lol.pcap)

#6

Updated by Philippe Antoine 5 months ago

Minimized reproducer

#7

Updated by Victor Julien 5 months ago

  • Status changed from New to Assigned

#8

Updated by Philippe Antoine 4 months ago

  • Status changed from Assigned to In Review

Gitlab MR

#9

Updated by Philippe Antoine 3 months ago

  • Label Needs backport to 7.0 added

#10

Updated by OISF Ticketbot 3 months ago

  • Subtask #7215 added

#11

Updated by OISF Ticketbot 3 months ago

  • Label deleted (Needs backport to 7.0)

#12

Updated by Philippe Antoine 3 months ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
  • Disclosure Date set to 09/04/2024

#13

Updated by Victor Julien 3 months ago

  • Assignee changed from Victor Julien to Philippe Antoine

#14

Updated by Victor Julien 2 months ago

  • Severity changed from MODERATE to HIGH

HIGH as it could potentially lead to loss of visibility, and thus policy bypass.

#15

Updated by Victor Julien 2 months ago

  • Subject changed from "defrag: DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX);" to "defrag: off by one leads to possible evasion"

#18

Updated by Victor Julien about 1 month ago

  • Private changed from Yes to No