Fix for the recent patch that allows segment offloaded packets.

We recently added support for segment offloaded packets. It turns out that this can lead to problems in UDP/ICMP based parsers since I missed correctly also updating the payloadlength there, and using the capture length instead when segment offloading is enabled. Credit to OSS-Fuzz for discovery https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41391 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41394 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41395 (Link to details becomes public 30 days after patch release)
2025-10-14 04:28:20 +00:00 · 2021-11-30 18:24:03 +00:00 · 2021-11-30 18:24:03 +00:00 · 94ee837398
commit 94ee837398
parent 6a5b51eba8
4 changed files with 24 additions and 1 deletions
--- a/15
+++ b/15
@ -1,3 +1,18 @@
+4.2.0-dev.394 | 2021-11-30 11:53:35 -0700
+
+  * Fix for the recent patch that allows segment offloaded packets. (Johanna Amann, Corelight)
+
+    We recently added support for segment offloaded packets. It turns out
+    that this can lead to problems in UDP/ICMP based parsers since I missed
+    correctly also updating the payloadlength there, and using the capture
+    length instead when segment offloading is enabled.
+
+    Credit to OSS-Fuzz for discovery
+    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41391
+    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41394
+    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41395
+    (Link to details becomes public 30 days after patch release)
+
 4.2.0-dev.393 | 2021-11-29 13:46:59 -0700

  * Fix a number of Coverity findings (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-4.2.0-dev.393
+4.2.0-dev.394
--- a/src/packet_analysis/protocol/icmp/ICMP.cc
+++ b/src/packet_analysis/protocol/icmp/ICMP.cc
@ -67,6 +67,10 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema

 	const u_char* data = pkt->ip_hdr->Payload();
 	int len = pkt->ip_hdr->PayloadLen();
+	// If segment offloading or similar is enabled, the payload len will return 0.
+	// Thus, let's ignore that case.
+	if ( len == 0 )
+		len = remaining;

 	if ( packet_contents && len > 0 )
 		adapter->PacketContents(data + 8, std::min(len, remaining) - 8);
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@ -84,6 +84,10 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai

 	const u_char* data = pkt->ip_hdr->Payload();
 	int len = pkt->ip_hdr->PayloadLen();
+	// If segment offloading or similar is enabled, the payload len will return 0.
+	// Thus, let's ignore that case.
+	if ( len == 0 )
+		len = remaining;

 	const struct udphdr* up = (const struct udphdr*)data;
 	const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;