[Bro-Dev] #888: Bro crashes on IPv6 subnet [::FFFF:0:0]/96

Bro Tracker bro at tracker.bro-ids.org
Tue Oct 16 08:57:01 PDT 2012 

#888: Bro crashes on IPv6 subnet [::FFFF:0:0]/96
---------------------------+------------------------
  Reporter:  sheharbano.k  |      Owner:
      Type:  Problem       |     Status:  new
  Priority:  High          |  Milestone:  Bro2.2
 Component:  Bro           |    Version:  git/master
Resolution:                |   Keywords:
---------------------------+------------------------

Comment (by jsiwek):

 Replying to [ticket:888 sheharbano.k]:
 > Bro cannot handle the subnet [::FFFF:0:0]/96 (IPv4 mapped IPv6
 addresses-sec 2.2 of rfc5156). The error message says:
 > internal error: Bad IPAddr(v4) IPPrefix length : 96
 > Aborted
 >
 > Works fine on other subnets.
 >
 > ---------------------------------
 > test.bro
 > ---------------------------------
 >
 > event bro_init()
 >       {
 >       local snet = [::FFFF:0:0]/96;
 >       #local snet = [1::]/96;
 >       print snet;
 >       }

 The problem here is that the internal representation of an IPv4 address
 uses the IPv4-mapped IPv6 representation and that the parser doesn't have
 a rule to make literal constants of type subnet.  Rather, the subnet value
 is the result of a division expression with a left operand being a literal
 constant of addr type and the right operand being one of the integral
 types.  In this case, the address is taken as an IPv4 addr and doesn't
 care to remember that it came from the mapped representation, so the max
 mask length would be 32 and 96 is exceeds that.

 I'm thinking the fix is to teach the parser rules to make subnet literal
 constants (I have to add these rules to the signature parser anyway), but
 I don't know if that helps you do what you were expecting to do with the
 `[::FFFF:0:0]/96` subnet.  If the intention is to just detect if an
 address is within the IPv4 space, then that fix is ok (or you could
 instead use the `is_v4_addr()` BIF or just the `0.0.0.0/0` subnet).  If
 the intention is to see whether an IPv4-mapped IPv6 address was used on
 the wire (I think that's generally considered a no-no), that fix doesn't
 help, and using such a subnet wouldn't be the way to do it (instead you
 might be able to check for an IPv6 packet header that contains "IPv4"
 src/dst fields).

 So I think adding the parser rules is fine regardless of the intention,
 but more discussion/work is necessary if the second usage of that subnet
 is what is wanted.  Thoughts?

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/888#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list