Bug #1849
closed
ICMPv6 incorrect checksum alert if Ethernet FCS is present
Added by ajaxtpm ajaxtpm over 8 years ago.
Updated about 8 years ago.
Description
If there is a frame check sequence (FCS) field in the Ethernet header (placed after all high-level payload), then the ICMPv6 checksum is calculated incorrectly and Suricata alerts with a lot of "Invalid ICMPv6 checksum" messages. If the FCS field is removed, the checksum is calculated correctly.
See pcap attached
Files
1.pcap (134 Bytes)
ajaxtpm ajaxtpm, 07/21/2016 09:42 AM
- Assignee set to OISF Dev
- Target version set to 70
That's also confirmed by Eric
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
The problem is that the size of the data that is passed to the checksum function is calculated from the end of the packet instead of being based on the IPv6 length. The fix isn't trivial though, as it requires a careful look at the ICMPv6 decoder.
Jason, is this one up your alley?
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.1.2
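The length mix-up described in this thread, reproduced as an added example (not Suricata's code and not part of the original ticket): the same ICMPv6 checksum routine is run once with the length taken from the end of the captured data and once with the IPv6 payload length. All function names are hypothetical, the packet is constructed, and ICMPv6 is assumed to follow the fixed IPv6 header directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IP6_HDR 40  /* fixed IPv6 header; assumes ICMPv6 follows it directly */

/* One's-complement sum of big-endian 16-bit words (RFC 1071), unfolded. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Folded sum over the IPv6 pseudo-header and icmp_len bytes of ICMPv6. */
static uint16_t icmpv6_sum(const uint8_t *ip6, size_t icmp_len) {
    uint8_t ph[8] = { 0, 0, (uint8_t)(icmp_len >> 8), (uint8_t)icmp_len, 0, 0, 0, 58 };
    uint32_t acc = sum16(ip6 + 8, 32, 0);          /* source and destination */
    acc = sum16(ph, 8, acc);                       /* length, next header 58 */
    acc = sum16(ip6 + IP6_HDR, icmp_len, acc);     /* ICMPv6 message */
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* A valid message, checksum field included, sums to 0xffff. */
static int icmpv6_csum_ok(const uint8_t *ip6, size_t n) { return icmpv6_sum(ip6, n) == 0xffff; }

/* ICMPv6 length from the IPv6 payload length field; 0 if the capture is too short. */
static size_t len_from_ip6(const uint8_t *ip6, size_t caplen) {
    size_t plen = ((size_t)ip6[4] << 8) | ip6[5];
    return (caplen >= IP6_HDR && plen <= caplen - IP6_HDR) ? plen : 0;
}

/* Constructed sample: echo request fe80::1 -> fe80::2 plus 4 trailing bytes
 * standing in for an Ethernet FCS (placeholder bytes, not a real CRC). */
static size_t build_sample(uint8_t buf[52]) {
    memset(buf, 0, 52);
    buf[0] = 0x60; buf[5] = 8; buf[6] = 58; buf[7] = 64;  /* v6, plen 8, ICMPv6 */
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 1; buf[24] = 0xfe; buf[25] = 0x80; buf[39] = 2;
    buf[40] = 128; buf[45] = 1; buf[47] = 1;       /* type 128, id 1, seq 1 */
    uint16_t c = (uint16_t)~icmpv6_sum(buf, 8);    /* checksum field is still 0 */
    buf[42] = (uint8_t)(c >> 8); buf[43] = (uint8_t)c;
    memcpy(buf + 48, "\xde\xad\xbe\xef", 4);
    return 52;
}

int main(void) {
    uint8_t buf[52];
    size_t caplen = build_sample(buf);
    printf("length from end of packet: %d\n", icmpv6_csum_ok(buf, caplen - IP6_HDR));
    printf("length from IPv6 header:   %d\n", icmpv6_csum_ok(buf, len_from_ip6(buf, caplen)));
    return 0;
}
```

With the trailing four bytes counted, both the pseudo-header length and the summed data change, so the packet fails validation even though its checksum is correct.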