Bug #5057

closed

dns: probing/parser can return error when it should return incomplete

Added by Jeff Lucovsky over 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The hostname parsing in the DNS parser will return an error when it runs out of data instead of incomplete. This can result in a specially crafted DNS payload not being detected as DNS.

Suricata-Verify test showing DNS stream being picked up as ENIP:
https://github.com/OISF/suricata-verify/pull/676

Fix with master (nom7) is trivially done by moving error handling to the question mark operator. It's likely the same is true for 5.0.x and 6.0.x. This will probably ripple up incomplete or error up the parse chain.
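The incomplete-versus-error distinction described in this report, as an added Rust example (standard library only; it is not Suricata's nom-based parser and not code from this ticket). All type and function names are hypothetical, the sample query is constructed, and the sketch assumes compression pointers are rejected rather than followed.

```rust
// Added illustration, std-only; not Suricata's parser. All names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Incomplete(usize), // ran out of input: this many more bytes are needed
    Invalid,           // bytes are present and cannot be a DNS name
}
#[derive(Debug, PartialEq)]
pub enum Probe { Dns, NeedMoreData, NotDns }

/// Borrow `n` bytes at `pos`, or report how many are missing.
fn take(buf: &[u8], pos: usize, n: usize) -> Result<&[u8], ParseError> {
    buf.get(pos..pos + n).ok_or_else(|| ParseError::Incomplete(pos + n - buf.len()))
}

/// Parse an uncompressed name at `pos`; returns the name and the next offset.
pub fn parse_name(buf: &[u8], mut pos: usize) -> Result<(String, usize), ParseError> {
    let mut labels = Vec::new();
    loop {
        let len = take(buf, pos, 1)?[0] as usize; // `?` passes Incomplete up unchanged
        pos += 1;
        if len == 0 {
            return Ok((labels.join("."), pos));
        }
        if len > 63 {
            return Err(ParseError::Invalid); // assumption: pointers/reserved types rejected
        }
        labels.push(String::from_utf8_lossy(take(buf, pos, len)?).into_owned());
        pos += len;
    }
}

/// Probe: 12-byte header, one question name, then QTYPE and QCLASS.
pub fn probe_question(buf: &[u8]) -> Probe {
    let parsed = take(buf, 0, 12)
        .and_then(|_| parse_name(buf, 12))
        .and_then(|(_, next)| take(buf, next, 4));
    match parsed {
        Ok(_) => Probe::Dns,
        Err(ParseError::Incomplete(_)) => Probe::NeedMoreData, // wait, do not give up
        Err(ParseError::Invalid) => Probe::NotDns,
    }
}
/// Constructed sample: a query for www.example.com, type A, class IN.
pub fn sample_query() -> Vec<u8> {
    let mut m = vec![0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
    m.extend_from_slice(b"\x03www\x07example\x03com\x00\x00\x01\x00\x01");
    m
}
fn main() { println!("{:?}", probe_question(&sample_query()[..20])); }
```

A probe that mapped the out-of-data case to `NotDns` would drop the protocol as a candidate on the first short segment, which is the misdetection this report describes.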


Related issues 1 (0 open, 1 closed)

Copied from Suricata - Bug #5034: dns: probing/parser can return error when it should return incomplete (Closed, Jason Ish)
#1

Updated by Jeff Lucovsky over 2 years ago

  • Copied from Bug #5034: dns: probing/parser can return error when it should return incomplete added
#2

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from Assigned to In Progress
#3

Updated by Jason Ish over 2 years ago

  • Status changed from In Progress to In Review
#4

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from In Review to Resolved
#5

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from Resolved to Closed
#6

Updated by Victor Julien almost 2 years ago

  • Private changed from Yes to No