decode-udp: Add exception for invalid length on padded packets

Lukas Sismis · lukashino · commit 2193e755c535 · 2022-11-18T16:28:14.000+01:00
If the original packet is shorter than Ethernet's minimal transmission unit (64B), the transmitting device pads the packet to the given size. Padding is added to the IP layer but the UDP layer remains unaffected. As a result, the UDP header length does not reach the end of the packet as there is still padding after the UDP layer. Redmine ticket: OISF#5693
diff --git a/src/decode-ethernet.h b/src/decode-ethernet.h
@@ -25,6 +25,7 @@
 #define __DECODE_ETHERNET_H__
 
 #define ETHERNET_HEADER_LEN           14
+#define ETHERNET_PKT_MIN_LEN          60 // Min. transmission unit on Ethernet is 64B (4B for FCS)
 
 /* Cisco Fabric Path / DCE header length. */
 #define ETHERNET_DCE_HEADER_LEN       (ETHERNET_HEADER_LEN + 2)
diff --git a/src/decode-udp.c b/src/decode-udp.c
@@ -56,7 +56,9 @@ static int DecodeUDPPacket(ThreadVars *t, Packet *p, const uint8_t *pkt, uint16_
         return -1;
     }
 
-    if (unlikely(len != UDP_GET_LEN(p))) {
+    if (unlikely(len != UDP_GET_LEN(p) &&
+                 // avoid flagging IP padded packets to the minimal Ethernet unit as invalid HLEN
+                 (p->ethh != NULL && p->pktlen > ETHERNET_PKT_MIN_LEN))) {
         ENGINE_SET_INVALID_EVENT(p, UDP_HLEN_INVALID);
         return -1;
     }

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,9 @@ static int DecodeUDPPacket(ThreadVars t, Packet p, const uint8_t *pkt, uint16_`
`56`	`56`	`return -1;`
`57`	`57`	`}`
`58`	`58`
`59`		`- if (unlikely(len != UDP_GET_LEN(p))) {`
	`59`	`+ if (unlikely(len != UDP_GET_LEN(p) &&`
	`60`	`+ // avoid flagging IP padded packets to the minimal Ethernet unit as invalid HLEN`
	`61`	`+ (p->ethh != NULL && p->pktlen > ETHERNET_PKT_MIN_LEN))) {`
`60`	`62`	`ENGINE_SET_INVALID_EVENT(p, UDP_HLEN_INVALID);`
`61`	`63`	`return -1;`
`62`	`64`	`}`