Backport fixes for:
* CVE-2024-55627 - Upstream-Status: Backport from 0dc364aef2 && 949bfeca0e && 7d47fcf7f7
* CVE-2024-55628 - Upstream-Status: Backport from 58c41a7fa9 && 284ad462fc && 5edb84fe23 && 71212b78bd

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
From 5edb84fe234f47a0fedfbf9b10b49699152fe8cb Mon Sep 17 00:00:00 2001
|
|
From: Jason Ish <jason.ish@oisf.net>
|
|
Date: Thu, 31 Oct 2024 15:46:35 -0600
|
|
Subject: [PATCH] eve/dns: add truncation flags for fields that are truncated
|
|
|
|
If rrname, rdata or mname are truncated, set a flag field like
|
|
'rrname_truncated: true' to indicate that the name is truncated.
|
|
|
|
Ticket: #7280
|
|
|
|
(cherry picked from commit 37f4c52b22fcdde4adf9b479cb5700f89d00768d)
|
|
|
|
CVE: CVE-2024-55628
|
|
Upstream-Status: Backport [https://github.com/OISF/suricata/commit/5edb84fe234f47a0fedfbf9b10b49699152fe8cb]
|
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
|
---
|
|
etc/schema.json | 7 +++++++
|
|
rust/src/dns/log.rs | 19 +++++++++++++++++++
|
|
2 files changed, 26 insertions(+)
|
|
|
|
diff --git a/etc/schema.json b/etc/schema.json
|
|
index 99f419f..422d77c 100644
|
|
--- a/etc/schema.json
|
|
+++ b/etc/schema.json
|
|
@@ -790,6 +790,9 @@
|
|
"rrname": {
|
|
"type": "string"
|
|
},
|
|
+ "rrname_truncated": {
|
|
+ "type": "boolean"
|
|
+ },
|
|
"rrtype": {
|
|
"type": "string"
|
|
},
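Review bot: The `rrname_truncated` property added in this hunk has no `description`, while the same property added in the second schema.json hunk (`@@ -2365,6 +2368,10 @@`) carries one. Giving both the same text, `"description": "Set to true if the rrname was too long and truncated by Suricata"`, keeps schema-derived documentation consistent and tells log consumers that the accompanying `rrname` is a prefix rather than the full name. The enclosing object starts and ends outside the hunk.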
|
|
@@ -2365,6 +2368,10 @@
|
|
"type": "array",
|
|
"items": {
|
|
"type": "integer"
|
|
+ },
|
|
+ "rrname_truncated": {
|
|
+ "description": "Set to true if the rrname was too long and truncated by Suricata",
|
|
+ "type": "boolean"
|
|
}
|
|
}
|
|
},
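Review bot: Only `rrname_truncated` is added to the schema, here and in the hunk above, yet the log.rs changes in this same patch also emit `mname_truncated`, `rname_truncated` and `rdata_truncated`. If the enclosing objects (not visible in these hunks) restrict additional properties, EVE records for a truncated SOA or CNAME/MX/NS/PTR name would presumably fail schema validation. Consumers also get no documented signal that those values can be shortened. Adding matching boolean entries such as `"rdata_truncated": { "type": "boolean" }` wherever `rdata`, `mname` and `rname` are defined would close the gap.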
|
|
diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs
|
|
index 6bf9589..d0e468d 100644
|
|
--- a/rust/src/dns/log.rs
|
|
+++ b/rust/src/dns/log.rs
|
|
@@ -399,7 +399,13 @@ fn dns_log_soa(soa: &DNSRDataSOA) -> Result<JsonBuilder, JsonError> {
|
|
let mut js = JsonBuilder::try_new_object()?;
|
|
|
|
js.set_string_from_bytes("mname", &soa.mname.value)?;
|
|
+ if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) {
|
|
+ js.set_bool("mname_truncated", true)?;
|
|
+ }
|
|
js.set_string_from_bytes("rname", &soa.rname.value)?;
|
|
+ if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) {
|
|
+ js.set_bool("rname_truncated", true)?;
|
|
+ }
|
|
js.set_uint("serial", soa.serial as u64)?;
|
|
js.set_uint("refresh", soa.refresh as u64)?;
|
|
js.set_uint("retry", soa.retry as u64)?;
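Review bot: The three-line `if …flags.contains(DNSNameFlags::TRUNCATED) { …set_bool("…_truncated", true)?; }` pattern is written out twice in this hunk and again in the `dns_log_json_answer_detail`, `dns_log_json_answer` and `dns_log_query` hunks, six copies in all. A small private helper would keep the key naming and the "emit only when true" behaviour in one place, so a later name-bearing field is less likely to be logged without its flag. Since this is a backport, that is probably a change to make upstream first; the body of `dns_log_soa` continues outside the hunk.

```rust
/// Emit `key: true` only when the name's flags mark it as truncated.
fn set_truncated_flag(
    js: &mut JsonBuilder, key: &str, flags: &DNSNameFlags,
) -> Result<(), JsonError> {
    if flags.contains(DNSNameFlags::TRUNCATED) {
        js.set_bool(key, true)?;
    }
    Ok(())
}

// … unchanged: JsonBuilder::try_new_object() …
js.set_string_from_bytes("mname", &soa.mname.value)?;
set_truncated_flag(&mut js, "mname_truncated", &soa.mname.flags)?;
js.set_string_from_bytes("rname", &soa.rname.value)?;
set_truncated_flag(&mut js, "rname_truncated", &soa.rname.flags)?;
// … unchanged: serial / refresh / retry fields …
```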
|
|
@@ -444,6 +450,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result<JsonBuilder, Js
|
|
let mut jsa = JsonBuilder::try_new_object()?;
|
|
|
|
jsa.set_string_from_bytes("rrname", &answer.name.value)?;
|
|
+ if answer.name.flags.contains(DNSNameFlags::TRUNCATED) {
|
|
+ jsa.set_bool("rrname_truncated", true)?;
|
|
+ }
|
|
jsa.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?;
|
|
jsa.set_uint("ttl", answer.ttl as u64)?;
|
|
|
|
@@ -453,6 +462,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result<JsonBuilder, Js
|
|
}
|
|
DNSRData::CNAME(name) | DNSRData::MX(name) | DNSRData::NS(name) | DNSRData::PTR(name) => {
|
|
jsa.set_string_from_bytes("rdata", &name.value)?;
|
|
+ if name.flags.contains(DNSNameFlags::TRUNCATED) {
|
|
+ jsa.set_bool("rdata_truncated", true)?;
|
|
+ }
|
|
}
|
|
DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => {
|
|
jsa.set_string_from_bytes("rdata", bytes)?;
|
|
@@ -506,6 +518,9 @@ fn dns_log_json_answer(
|
|
|
|
if let Some(query) = response.queries.first() {
|
|
js.set_string_from_bytes("rrname", &query.name.value)?;
|
|
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
|
|
+ js.set_bool("rrname_truncated", true)?;
|
|
+ }
|
|
js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
|
|
}
|
|
js.set_string("rcode", &dns_rcode_string(header.flags))?;
|
|
@@ -532,6 +547,7 @@ fn dns_log_json_answer(
|
|
| DNSRData::MX(name)
|
|
| DNSRData::NS(name)
|
|
| DNSRData::PTR(name) => {
|
|
+ // Flags like truncated not logged here as it would break the schema.
|
|
if !answer_types.contains_key(&type_string) {
|
|
answer_types
|
|
.insert(type_string.to_string(), JsonBuilder::try_new_array()?);
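Review bot: In this grouped branch a truncated CNAME/MX/NS/PTR name is logged with no marker, so a consumer cannot tell a shortened name from a complete one. The added comment records the omission but does not say where the flag is still available. Anyone matching on these values for detection or allow-listing needs to know they may be prefixes. Suggest extending the comment to point at the path that does carry the flag: `// Flags like truncated are not logged here as it would break the schema; dns_log_json_answer_detail emits rdata_truncated.` The match arm continues outside the hunk.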
|
|
@@ -620,6 +636,9 @@ fn dns_log_query(
|
|
jb.set_string("type", "query")?;
|
|
jb.set_uint("id", request.header.tx_id as u64)?;
|
|
jb.set_string_from_bytes("rrname", &query.name.value)?;
|
|
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
|
|
+ jb.set_bool("rrname_truncated", true)?;
|
|
+ }
|
|
jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
|
|
jb.set_uint("tx_id", tx.id - 1)?;
|
|
if request.header.flags & 0x0040 != 0 {
|
|
--
|
|
2.50.1
|
|
|