Pull request #3991: http2_inspect: fix http2 frame length for logging

Merge in SNORT/snort3 from ~ADMAMOLE/snort3:fix_len to master

Squashed commit of the following:

commit fede0d17affda64ac54930a0f9c605ad5e1d7ef5
Author: Adrian Mamolea <admamole@cisco.com>
Date:   Fri Sep 8 11:14:28 2023 -0400

    http2_inspect: fix http2 frame length for logging

diff --git a/src/service_inspectors/http2_inspect/http2_frame.cc b/src/service_inspectors/http2_inspect/http2_frame.cc
index 813a27316d552eb0dc687a9699926cfbb221e16e..2271481379ac79e440f77d53d938472ce4676f80 100644 (file)
--- a/src/service_inspectors/http2_inspect/http2_frame.cc
+++ b/src/service_inspectors/http2_inspect/http2_frame.cc
@@ -171,6 +171,11 @@ const uint8_t* Http2Frame::get_frame_pdu(uint16_t& length) const
     memcpy(pdu, header.start(), hlen);
     if (dlen)
         memcpy(&pdu[hlen], data, dlen);
+
+    pdu[0] = (dlen >> 16) & 0xff;
+    pdu[1] = (dlen >> 8) & 0xff;
+    pdu[2] = dlen & 0xff;
+
     return pdu;
 }
 

diff --git a/src/service_inspectors/http2_inspect/http2_inspect.cc b/src/service_inspectors/http2_inspect/http2_inspect.cc
index feed041f1ebe1a86d142e7cc41fb97415e6f79dc..46e1f5fad78b9124230fe8f40f4da21ebab11c63 100644 (file)
--- a/src/service_inspectors/http2_inspect/http2_inspect.cc
+++ b/src/service_inspectors/http2_inspect/http2_inspect.cc
@@ -215,7 +215,7 @@ static void print_flow_issues(FILE* output, Http2Infractions* const infractions,
 }
 #endif
 
-const uint8_t* Http2Inspect::adjust_log_packet(Packet* p, uint16_t& length)
+static const uint8_t* get_frame_pdu(Packet* p, uint16_t& length)
 {
     auto* const session_data = (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
     if (!session_data)
@@ -231,3 +231,21 @@ const uint8_t* Http2Inspect::adjust_log_packet(Packet* p, uint16_t& length)
 
     return frame->get_frame_pdu(length);
 }
+
+const uint8_t* Http2Inspect::adjust_log_packet(Packet* p, uint16_t& length)
+{
+    const uint8_t* pdu = get_frame_pdu(p, length);
+    if (pdu or !p->has_parent())
+        return pdu;
+
+    // for rebuilt packet w/o frame fall back to wire packet
+    Packet* wire_packet = DetectionEngine::get_current_wire_packet();
+    if (!wire_packet or !wire_packet->data or !wire_packet->dsize)
+        return nullptr;
+
+    uint8_t* wire_pdu = new uint8_t[wire_packet->dsize];
+    memcpy(wire_pdu, wire_packet->data, wire_packet->dsize);
+    length = wire_packet->dsize;
+
+    return wire_pdu;
+}