[Snort-devel] IP Option Router Alert Wrong Value

Todd Wease twease at ...402...
Mon Jul 9 12:29:15 EDT 2007


Jeffrey Denton wrote:
> In snort-2.7.0.RC2/src/decode.h:
> 
> #ifndef IPOPT_RTRALT
>     #define IPOPT_RTRALT         0x14
> 
> This is equivalent to decimal value 20.  However at
> http://www.iana.org/assignments/ip-parameters, RTRALT is listed as
> having a decimal value of 148.  The confusion starts with RFC 2113:
> 
> http://www.ietf.org/rfc/rfc2113.txt:
> 
>     The Router Alert option has the following format:
> 
>                  +--------+--------+--------+--------+
>                  |10010100|00000100|  2 octet value  |
>                  +--------+--------+--------+--------+
> 
>        Type:
>          Copied flag:  1 (all fragments must carry the option)
>          Option class: 0 (control)
>          Option number: 20 (decimal)
> 
> It would appear that the value for the Router Alert option is 20.
> However in RFC 791:
> 
> http://www.ietf.org/rfc/rfc0791.txt
> 
>      The option-type octet is viewed as having 3 fields:
> 
>           1 bit   copied flag,
>           2 bits  option class,
>           5 bits  option number.
> 
> All 8 bits are used to determine the IP option type value.  Examples
> from RFC 791:
> 
>    Loose Source and Record Route
> 
>         +--------+--------+--------+---------//--------+
>         |10000011| length | pointer|     route data    |
>         +--------+--------+--------+---------//--------+
>          Type=131
> 
>       Strict Source and Record Route
> 
>         +--------+--------+--------+---------//--------+
>         |10001001| length | pointer|     route data    |
>         +--------+--------+--------+---------//--------+
>          Type=137
> 
> The IP option type value for Router Alert (RTRALT) should be 148
> decimal.  The fix is to change decode.h to:
> 
> #ifndef IPOPT_RTRALT
>     #define IPOPT_RTRALT         0x94
> 
> This bug also affects snort-2.6.1.5.
> 

Thanks for pointing this out Jeffrey.  A bug has been created.  Not sure
yet what release this fix will be in, but attached is a patch to change
that option to the correct value.

Thanks
Todd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipopt_rtralt.diff
Type: text/x-patch
Size: 475 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20070709/52c03c10/attachment.bin>


More information about the Snort-devel mailing list