Merge remote-tracking branch 'origin/topic/timw/fix-ip-header-length-checking'

* origin/topic/timw/fix-ip-header-length-checking:
  Fix handling of IP packets with bogus IP header lengths

src/packet_analysis/protocol/ip/IP.cc

@@ -235,6 +235,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 
 	packet->proto = proto;
 
+	// Double check the lengths one more time before forwarding this on.
+	if ( packet->ip_hdr->TotalLen() < packet->ip_hdr->HdrLen() )
+		{
+		Weird("bogus_IP_header_lengths", packet);
+		return false;
+		}
+
 	switch ( proto ) {
 	case IPPROTO_NONE:
 		// If the packet is encapsulated in Teredo, then it was a bubble and

testing/btest/Baseline/core.ip-broken-header/ip-bogus-header-weird.log

@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	118.181.144.194	0	136.255.115.116	0	ip_hdr_len_zero	-	F	zeek	IP
+XXXXXXXXXX.XXXXXX	-	118.181.144.194	0	136.255.115.116	0	bogus_IP_header_lengths	-	F	zeek	IP
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/core/ip-broken-header.zeek

@@ -2,6 +2,10 @@
 # OOB reads in Zeek. It has a number of packets broken in weird ways.
 #
 # @TEST-EXEC: gunzip -c $TRACES/trunc/mpls-6in6-broken.pcap.gz | zeek -C -b -r - %INPUT
-# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: mv weird.log mpls-6in6-broken-wierd.log
+# @TEST-EXEC: btest-diff mpls-6in6-broken-wierd.log
+# @TEST-EXEC: zeek -C -b -r $TRACES/ip-bogus-header-len.pcap %INPUT
+# @TEST-EXEC: mv weird.log ip-bogus-header-weird.log
+# @TEST-EXEC: btest-diff ip-bogus-header-weird.log
 
 @load base/frameworks/notice/weird