[Snort-devel] [#494701] MISC Large ICMP Packet false positive (snort 1.8.3)

Anders Larsen a.larsen at ...1053...
Fri Jan 11 03:15:04 EST 2002


Hi,

this bug was first reported by Steve Bonds on 2001-12-18.

I've browsed around in the source code and believe that there
are more problems around the ICMP handling.
Specifically, it seems that the ICMP header length is subtracted
from the packet length more than once in decode.c, causing an
integer underflow for short ping packets.

This appears to happen in the handling of ICMP_DEST_UNREACH
as well.

The enclosed patch fixes the problem re. ICMP_ECHO (and possibly
also ICMP_DEST_UNREACH, but I haven't been able to verify this).

Cheers
  Anders
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decode.c.patch
Type: application/octet-stream
Size: 1218 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020111/713e817f/attachment.obj>
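
The failure mode described in the message above, as an added example that is not Snort's decode.c and not the attached patch: subtracting the ICMP header length twice from an unsigned length wraps for short packets, so a size-based rule fires on a tiny ping. The function names, the 16-bit length type and the 800-byte threshold are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ICMP_HDR_LEN         8u    /* type, code, checksum, id, sequence */
#define LARGE_ICMP_THRESHOLD 800u  /* assumed threshold of a size-based rule */

/* Buggy pattern (hypothetical): two decode steps each remove the header
 * length from the same running length. Wraps when icmp_len < 16. */
uint16_t payload_len_buggy(uint16_t icmp_len)
{
    uint16_t remaining = icmp_len;
    remaining = (uint16_t)(remaining - ICMP_HDR_LEN); /* generic ICMP step */
    remaining = (uint16_t)(remaining - ICMP_HDR_LEN); /* echo step, again  */
    return remaining;
}

/* Hardened pattern: check that the header fits, then subtract exactly once.
 * Returns 0 and stores the payload length, or -1 for a truncated packet. */
int payload_len_checked(uint16_t icmp_len, uint16_t *out)
{
    if (icmp_len < ICMP_HDR_LEN)
        return -1;
    *out = (uint16_t)(icmp_len - ICMP_HDR_LEN);
    return 0;
}

/* Size check as a detection rule would apply it to the computed length. */
int is_large(uint16_t payload_len)
{
    return payload_len > LARGE_ICMP_THRESHOLD;
}

int main(void)
{
    /* Constructed input: echo request with 8-byte header + 4-byte payload. */
    uint16_t icmp_len = 12, ok_len = 0;

    uint16_t bad = payload_len_buggy(icmp_len);
    printf("buggy:   payload=%u large=%d\n", (unsigned)bad, is_large(bad));

    if (payload_len_checked(icmp_len, &ok_len) == 0)
        printf("checked: payload=%u large=%d\n", (unsigned)ok_len, is_large(ok_len));
    return 0;
}
```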

