[Snort-devel] [#494701] MISC Large ICMP Packet false positive (snort 1.8.3)
a.larsen at ...1053...
Fri Jan 11 03:15:04 EST 2002
this bug was first reported by Steve Bonds on 2001-12-18.
I've browsed around in the source code and believe that there
is more problems around the ICMP handling.
Specifically, it seems that the ICMP header length is subtracted
from the packet length more than once in decode.c, causing an
integer underflow for short ping packets.
This appears to happen in the handling of ICMP_DEST_UNREACH
The enclosed patch fixes the problem re. ICMP_ECHO (and possible
also ICMP_DEST_UNREACH, but I haven't been able to verify this).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1218 bytes
Desc: not available
More information about the Snort-devel