decode-udp: Allow shorter UDP packets than the remaining payload length

Lukas Sismis · lukashino · commit aa275e56cad0 · 2022-11-26T18:00:51.000+01:00
If the packet is shorter than IP payload length we no longer flag it as an invalid UDP packet. UDP packet can be therefore shorter than IP payload. Redmine ticket: OISF#5693
diff --git a/src/decode-udp.c b/src/decode-udp.c
@@ -56,11 +56,6 @@ static int DecodeUDPPacket(ThreadVars *t, Packet *p, const uint8_t *pkt, uint16_
         return -1;
     }
 
-    if (unlikely(len != UDP_GET_LEN(p))) {
-        ENGINE_SET_INVALID_EVENT(p, UDP_HLEN_INVALID);
-        return -1;
-    }
-
     SET_UDP_SRC_PORT(p,&p->sp);
     SET_UDP_DST_PORT(p,&p->dp);
 
diff --git a/src/detect-engine-event.c b/src/detect-engine-event.c
@@ -162,6 +162,9 @@ static DetectEngineEventData *DetectEngineEventParse (const char *rawstr)
 
     if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) {
         StreamTcpReassembleConfigEnableOverlapCheck();
+    } else if (de->event == UDP_HLEN_INVALID) {
+        SCLogWarning(SC_WARN_DEPRECATED, "Rule uses decode-event \"udp.hlen_invalid\" which will "
+                                         "be deprecated in Suricata 8.0");
     }
     return de;
 

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,9 @@ static DetectEngineEventData DetectEngineEventParse (const char rawstr)`
`162`	`162`
`163`	`163`	`if (de->event == STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA) {`
`164`	`164`	`StreamTcpReassembleConfigEnableOverlapCheck();`
	`165`	`+ } else if (de->event == UDP_HLEN_INVALID) {`
	`166`	`+ SCLogWarning(SC_WARN_DEPRECATED, "Rule uses decode-event \"udp.hlen_invalid\" which will "`
	`167`	`+ "be deprecated in Suricata 8.0");`
`165`	`168`	`}`
`166`	`169`	`return de;`
`167`	`170`