Bug #5058: dns: probing/parser can return error when it should return incomplete - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #5058

closed

dns: probing/parser can return error when it should return incomplete

Added by Jeff Lucovsky over 2 years ago. Updated almost 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jeff Lucovsky

Target version:

5.0.9

Affected Versions:

Effort:

Difficulty:

Label:

Description

The hostname parsing in the DNS parser will return an error when it runs out of data instead of incomplete. This can result in a specially crafted DNS payload not being detected as DNS.

Suricata-Verify test showing DNS stream being picked up as ENIP:
https://github.com/OISF/suricata-verify/pull/676

Fix with master (nom7) is trivially done by moving error handling to the question mark operator. Its likely the same is true for 5.0.x and 6.0.x. This will probably ripple up incomplete or error up the parse chain.

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by Jeff Lucovsky over 2 years ago

Copied from Bug #5034: dns: probing/parser can return error when it should return incomplete added

Actions

Copy link

Updated by Jeff Lucovsky over 2 years ago

Status changed from Assigned to In Progress

Cherry-pick commit(s):
- 4b79702c04582a5180594b551f12bf8e5600b3c0
- 9e7ea631b2a067609c500539cd3a7a139f39c3e4
- 7e13c0d348689b44f38e04e4620de006f17cf8f5

Actions

Copy link