diff --git a/src/ICMP.cc b/src/ICMP.cc
index 05a6b67dff..b06c6440e1 100644
--- a/src/ICMP.cc
+++ b/src/ICMP.cc
@@ -49,9 +49,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
 
 const struct icmp* icmpp = (const struct icmp*) data;
 
- assert(caplen >= len); // Should have been caught earlier already.
-
- if ( ! ignore_checksums )
+ if ( ! ignore_checksums && caplen >= len )
 {
 int chksum = 0;
 
diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output
index f3d64b8b28..95d9073648 100644
--- a/testing/btest/Baseline/core.truncation/output
+++ b/testing/btest/Baseline/core.truncation/output
@@ -22,3 +22,11 @@
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
 #types time string addr port addr port string string bool string
 1334094648.590126 - - - - - truncated_IP - F bro
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1338328954.078361 - - - - - internally_truncated_header - F bro
diff --git a/testing/btest/Traces/trunc/icmp-header-trunc.pcap b/testing/btest/Traces/trunc/icmp-header-trunc.pcap
new file mode 100644
index 0000000000..5765cf2886
Binary files /dev/null and b/testing/btest/Traces/trunc/icmp-header-trunc.pcap differ
diff --git a/testing/btest/Traces/trunc/icmp-payload-trunc.pcap b/testing/btest/Traces/trunc/icmp-payload-trunc.pcap
new file mode 100644
index 0000000000..13607dd50c
Binary files /dev/null and b/testing/btest/Traces/trunc/icmp-payload-trunc.pcap differ
diff --git a/testing/btest/core/truncation.test b/testing/btest/core/truncation.test
index ee8bdd5bf9..3406879183 100644
--- a/testing/btest/core/truncation.test
+++ b/testing/btest/core/truncation.test
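Review bot: In src/ICMP.cc, removing `assert(caplen >= len)` from ICMP_Analyzer::DeliverPacket lets packets with `caplen < len` continue past the checksum block, and nothing in this hunk shows that the later code bounds its reads of `data` by the captured length. The function starts before and ends after the hunk, so please confirm that every access below uses `min(len, caplen)` or an equivalent check rather than `len` alone. The new condition also skips verification silently, so a truncated packet with a bad checksum is analyzed as if it were valid; a comment above the `if` would record that this is intended, for example `// Truncated capture (caplen < len): the checksum cannot be verified, so skip it and analyze the packet anyway.`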
@@ -6,4 +6,17 @@
 # @TEST-EXEC: cat weird.log >> output
 # @TEST-EXEC: bro -r $TRACES/trunc/ip6-ext-trunc.pcap
 # @TEST-EXEC: cat weird.log >> output
+
+# If an ICMP packet's payload is truncated due to too small snaplen,
+# the checksum calculation is bypassed (and Bro doesn't crash, of course).
+
+# @TEST-EXEC: rm -f weird.log
+# @TEST-EXEC: bro -r $TRACES/trunc/icmp-payload-trunc.pcap
+# @TEST-EXEC: test ! -e weird.log
+
+# If an ICMP packet has the ICMP header truncated due to too small snaplen,
+# an internally_truncated_header weird gets generated.
+
+# @TEST-EXEC: bro -r $TRACES/trunc/icmp-header-trunc.pcap
+# @TEST-EXEC: cat weird.log >> output
 # @TEST-EXEC: btest-diff output
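Review bot: The payload-truncation case in testing/btest/core/truncation.test only asserts that weird.log is absent (`test ! -e weird.log`), so it would still pass if the packet were discarded before it reached the ICMP analyzer. A positive check on a log the run is expected to write would show that the truncated packet was actually analyzed with the checksum step skipped, for example `# @TEST-EXEC: test -e conn.log`, assuming the trace yields a connection record (not visible from this page). The header-truncation case is already pinned by the new baseline line, so this applies to the first added case only.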