Pr 8341 and payload len fix/v2 #8393
If the packet is shorter than IP payload length we no longer flag it as an invalid UDP packet. A UDP packet can therefore be shorter than the IP payload. Redmine ticket: OISF#5693
Fix payload_len calculation post removal of the condition that returned error code if the length to the decode fn did not match the length of header from the UDP packet. Bug 5379
db79144 to 28a2c70
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## master #8393 +/- ##
==========================================
- Coverage 81.94% 81.93% -0.02%
==========================================
Files 963 963
Lines 277683 277686 +3
==========================================
- Hits 227561 227530 -31
- Misses 50122 50156 +34
WARNING: Pipeline 11673
WARNING: Pipeline 11677
@@ -160,6 +160,9 @@ static DetectEngineEventData *DetectEngineEventParse (const char *rawstr) | |||
|
|||
if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) { | |||
StreamTcpReassembleConfigEnableOverlapCheck(); | |||
} else if (de->event == UDP_HLEN_INVALID) { |
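Review bot: the added `else if (de->event == UDP_HLEN_INVALID)` branch in DetectEngineEventParse hard-codes one retired event into the parser's if/else chain, and the commit message says the decoder no longer flags this condition, so any existing rule that names the event will load but can never match. The branch body is not visible in this excerpt; it should warn at rule-load time, naming the event and stating that it is no longer raised, and it should not return an error that would stop existing rule files from loading. Moving the check into a small helper that lists outdated events would keep this parser from growing a new branch each time an event is retired, and the change should be mentioned in the rule keyword documentation.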
I think this should be implemented using the strict concept as done here: https://github.com/OISF/suricata/blob/master/src/detect-app-layer-event.c#L201
cc @lukashino
@jufajardini this strict concept should make it to the dev guide :)
Followed the concept and created OutdatedEvent function in decode part of the engine.
Replaced by #8404
Link to redmine tickets:
https://redmine.openinfosecfoundation.org/issues/5379
https://redmine.openinfosecfoundation.org/issues/5693
Previous PR: #8342
Changes since v1:
suricata-verify-pr: 1055