Merge pull request #2799 in SNORT/snort3 from ~NIHDESAI/snort3:h2_uppercase_check...
authorTom Peters (thopeter) <thopeter@cisco.com>
Wed, 24 Mar 2021 17:29:48 +0000 (17:29 +0000)
committerTom Peters (thopeter) <thopeter@cisco.com>
Wed, 24 Mar 2021 17:29:48 +0000 (17:29 +0000)
Squashed commit of the following:

commit a0a75674bd8dd314db8551a187375ab5fbb3bc50
Author: Nihal Desai <nihdesai@cisco.com>
Date:   Fri Mar 12 01:28:56 2021 -0500

    http2_inspect: alert on uppercase header name encoded in HPACK

src/service_inspectors/http2_inspect/http2_enum.h
src/service_inspectors/http2_inspect/http2_hpack.cc
src/service_inspectors/http2_inspect/http2_tables.cc

index 0757095d4eb97f658228343148a53e36a25652a5..ec875c80dcd79db2bcd7f49b823364beb158d96a 100644 (file)
@@ -84,6 +84,7 @@ enum EventSid
     EVENT_TOO_MANY_STREAMS = 27,
     EVENT_INVALID_RST_STREAM_FRAME = 28,
     EVENT_BAD_RST_STREAM_SEQUENCE = 29,
+    EVENT_HEADER_UPPERCASE = 30,
     EVENT__MAX_VALUE
 };
 
@@ -136,6 +137,7 @@ enum Infraction
     INF_TOO_MANY_STREAMS = 42,
     INF_INVALID_RST_STREAM_FRAME = 43,
     INF_BAD_RST_STREAM_SEQUENCE = 44,
+    INF_HEADER_UPPERCASE = 45,
     INF__MAX_VALUE
 };
 
index 5f15828a94ae7455c2eca864e36396a85d5d030b..465dea1751dd9383aa305eb58eaa219a9cecfb2a 100644 (file)
@@ -149,6 +149,17 @@ bool Http2HpackDecoder::decode_literal_header_line(const uint8_t* encoded_header
                 bytes_consumed, partial_bytes_consumed, decoded_header_buffer,
                 decoded_header_length, partial_bytes_written, name))
             return false;
+
+        const uint8_t* buff = name.start();
+        for (int i = 0; i < name.length(); i++)
+        {
+            if (buff[i] >= 'A' and buff[i] <= 'Z')
+            {
+                *infractions += INF_HEADER_UPPERCASE;
+                events->create_event(EVENT_HEADER_UPPERCASE);
+                break;
+            }
+        }
     }
     bytes_consumed += partial_bytes_consumed;
     bytes_written += partial_bytes_written;
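Review bot: The uppercase scan starting at `for (int i = 0; i < name.length(); i++)` sits inside the branch that decodes a literal name, so a header line that takes its name by index from the HPACK dynamic table does not appear to be re-checked. The enclosing function and the indexed-name branch lie outside this hunk, so this is inferred from the loop's position before the closing brace. If the alert is meant to fire on every header line carrying an uppercase name, and not only on the line that first inserted it into the table, the indexed path needs the same check; otherwise a comment should state that alert-once-at-insertion is intended, since later streams on the same connection would reuse the name silently. A why-comment above the loop would also help, for example `// RFC 7540 8.1.2: field names must be lowercase; an uppercase name makes the message malformed`.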
index 1ab80e7efcb1967ce5b126ecd7f0be83a69e4be3..947b89ff6c2d48a5d23d0113a71bad6214f1634d 100644 (file)
@@ -60,6 +60,7 @@ const RuleMap Http2Module::http2_events[] =
     { EVENT_TOO_MANY_STREAMS, "excessive concurrent HTTP/2 streams" },
     { EVENT_INVALID_RST_STREAM_FRAME, "invalid HTTP/2 rst stream frame" },
     { EVENT_BAD_RST_STREAM_SEQUENCE, "HTTP/2 rst stream frame sent at invalid time" },
+    { EVENT_HEADER_UPPERCASE, "uppercase HTTP/2 header field name" },
     { 0, nullptr }
 };