spp_frag2 bug (Re: [Snort-devel] IP dgm len < IP Hdr len Alert question)

Jason_Royes jroyes at ...1975...
Sun May 11 07:11:02 EDT 2003


Something seems wrong with line 1227 of spp_frag2.c (snort-2.0.0): 

defrag_pkt->iph->ip_len = htons(defrag_pkt->pkth->len); 

defrag_pkt->pkth->len is set to the caplen in 1216: 

defrag_pkt->pkth->caplen = ETHERNET_HEADER_LEN + ft->calculated_size +
sizeof(IPHdr); 
defrag_pkt->pkth->len = defrag_pkt->pkth->caplen; 

The first problem here is that ip_len, a 16bit quantity, is being
assigned a 32bit quantity. This means ip_len will always be 14 bytes
bigger than it should and will overflow when caplen >= 65536. Could this
be fixed by changing 1227 to read something like: 

defrag_pkt->iph->ip_len = htons(defrag_pkt->pkth->len - 
ETHERNET_HEADER_LEN); 

That may break reassembly for different data link types though. I
suspect this is the cause for John Weidley's problem... see:
http://marc.theaimsgroup.com/?l=snort-devel&m=105182781614283&w=2. 
The pcap savefile header length will be correct in the dump (though
libpcap imposes a limit of 65535 on packet size) but the ip header
length will be truncated to 16bits. After fixing spp_frag2.c, tcpdump
will still not be capable of reading the dump without source tweaking. 

-- 
Jason Royes
Data Access Experts
http://www.da-experts.com/





More information about the Snort-devel mailing list