From 3aeb86d836ee8231d1f175210306f10e3e912647 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 10 Mar 2011 17:56:05 +0100 Subject: [PATCH] Fix header_len in GRE decoder getting out of control in some cases. --- src/decode-events.h | 1 + src/decode-gre.c | 12 ++++++++---- src/detect-decode-event.h | 1 + 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/src/decode-events.h b/src/decode-events.h index 567faade41..5d3fb704ad 100644 --- a/src/decode-events.h +++ b/src/decode-events.h @@ -108,6 +108,7 @@ enum { GRE_VERSION0_RECUR, /**< gre v0 recursion control */ GRE_VERSION0_FLAGS, /**< gre v0 flags */ GRE_VERSION0_HDR_TOO_BIG, /**< gre v0 header bigger than maximum size */ + GRE_VERSION0_MALFORMED_SRE_HDR, /**< gre v0 malformed source route entry header */ GRE_VERSION1_CHKSUM, /**< gre v1 checksum */ GRE_VERSION1_ROUTE, /**< gre v1 routing */ GRE_VERSION1_SSR, /**< gre v1 strict source route */ diff --git a/src/decode-gre.c b/src/decode-gre.c index c25b4b69f1..fa31369ebd 100644 --- a/src/decode-gre.c +++ b/src/decode-gre.c @@ -96,16 +96,15 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u if (GRE_FLAG_ISSET_ROUTE(p->greh)) { - gsre = (GRESreHdr *)(pkt + header_len); if (gsre == NULL) return; while (1) { - if ((header_len+GRE_SRE_HDR_LEN) > len) { - DECODER_SET_EVENT(p,GRE_VERSION1_MALFORMED_SRE_HDR); - break; + if ((header_len + GRE_SRE_HDR_LEN) > len) { + DECODER_SET_EVENT(p, GRE_VERSION0_MALFORMED_SRE_HDR); + return; } header_len += GRE_SRE_HDR_LEN; @@ -114,6 +113,11 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u break; header_len += gsre->sre_length; + if (header_len > len) { + DECODER_SET_EVENT(p, GRE_VERSION0_MALFORMED_SRE_HDR); + return; + } + gsre = (GRESreHdr *)(pkt + header_len); if (gsre == NULL) return; diff --git a/src/detect-decode-event.h b/src/detect-decode-event.h index ba7612c5f4..5d848ca72f 100644 --- a/src/detect-decode-event.h +++ b/src/detect-decode-event.h 
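Review bot: In the second decode-gre.c hunk the new `if (header_len > len)` test is placed after `header_len += gsre->sre_length;`, so if `header_len` and `len` are 16-bit (the truncated signature suggests `uint16_t len`) the add can wrap when `len` is within 255 of 65535 and the check then passes with a bogus offset; testing before the add, `if ((header_len + gsre->sre_length) > len) { DECODER_SET_EVENT(p, GRE_VERSION0_MALFORMED_SRE_HDR); return; }` and only then `header_len += gsre->sre_length;`, avoids that because the operands promote to int. The `if (gsre == NULL) return;` kept right after `gsre = (GRESreHdr *)(pkt + header_len);` is not a bounds check, since `pkt + header_len` is never NULL for a valid `pkt`, and it reads as if it guarded the later dereference of `gsre->sre_length`; the guard that actually does so is the `(header_len + GRE_SRE_HDR_LEN) > len` test at the top of the loop, so I would drop the NULL test or replace it with `/* header_len <= len here; the loop-top check verifies GRE_SRE_HDR_LEN bytes remain before gsre is read */`. The cast lands on an arbitrary offset chosen by the peer's `sre_length`, which is only safe if `GRESreHdr` is a packed, byte-addressable struct — worth confirming rather than assuming. `DecodeGRE` starts before the first hunk and continues past the second, so the path taken after the loop ends on `break` is not visible here.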
@@ -97,6 +97,7 @@ struct DetectDecodeEvents_ { { "gre.version0_recur", GRE_VERSION0_RECUR, }, { "gre.version0_flags", GRE_VERSION0_FLAGS, }, { "gre.version0_hdr_too_big", GRE_VERSION0_HDR_TOO_BIG, }, + { "gre.version0_malformed_sre_hdr", GRE_VERSION0_MALFORMED_SRE_HDR, }, { "gre.version1_chksum", GRE_VERSION1_CHKSUM, }, { "gre.version1_route", GRE_VERSION1_ROUTE, }, { "gre.version1_ssr", GRE_VERSION1_SSR, },