Merge pull request #1700 in SNORT/snort3 from ~KATHARVE/snort3:0_byte_workaround...

author Mike Stepanek (mstepane) <mstepane@cisco.com>

Wed, 7 Aug 2019 20:47:27 +0000 (16:47 -0400)

committer Mike Stepanek (mstepane) <mstepane@cisco.com>

Wed, 7 Aug 2019 20:47:27 +0000 (16:47 -0400)
author Mike Stepanek (mstepane) <mstepane@cisco.com>
Wed, 7 Aug 2019 20:47:27 +0000 (16:47 -0400)
committer Mike Stepanek (mstepane) <mstepane@cisco.com>
Wed, 7 Aug 2019 20:47:27 +0000 (16:47 -0400)
diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc

index 0315a87b4dbc7c7fa734d8b052a65f1cd76c5cff..55e87d74bd33ba0f9f33e6e202bd6b2d0771b277 100644 (file)
--- a/src/managers/inspector_manager.cc
+++ b/src/managers/inspector_manager.cc
@@ -1022,7 +1022,9 @@ void InspectorManager::full_inspection(Packet* p)
      if ( flow->service and flow->clouseau and !p->is_cooked() )
          bumble(p);
  
-    if ( !p->dsize )
+    // For reassembled PDUs, a null data buffer signals no detection. Detection can be required
+    // with a length of 0. For raw packets, a length of 0 does signal no detection.
+    if ( (p->is_cooked() and !p->data) or (!p->is_cooked() and !p->dsize) )
          DetectionEngine::disable_content(p);
  
      else if ( flow->gadget && flow->gadget->likes(p) )
diff --git a/src/service_inspectors/http_inspect/http_flow_data.h b/src/service_inspectors/http_inspect/http_flow_data.h

index 42769c3270be66141be08ce84b56e043038c07f2..36558c8e635b9ed34c496f22f8dd254926c5fbc4 100644 (file)
--- a/src/service_inspectors/http_inspect/http_flow_data.h
+++ b/src/service_inspectors/http_inspect/http_flow_data.h
@@ -95,7 +95,6 @@ private:
                                                  HttpEnums::SEC__NOT_COMPUTE };
      int32_t num_head_lines[2] = { HttpEnums::STAT_NOT_PRESENT, HttpEnums::STAT_NOT_PRESENT };
      bool tcp_close[2] = { false, false };
-    bool zero_byte_workaround[2];
      bool partial_flush[2] = { false, false };
  
      // Infractions and events are associated with a specific message and are stored in the
diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc

index 14738a977cbd8ace95327dc37fcb8cb152377dc7..b1774c2aee017ed79ebc1e211555cc25dfacf51c 100644 (file)
--- a/src/service_inspectors/http_inspect/http_inspect.cc
+++ b/src/service_inspectors/http_inspect/http_inspect.cc
@@ -279,11 +279,10 @@ void HttpInspect::eval(Packet* p)
          return;
  
      // Don't make pkt_data for headers available to detection
-    // FIXIT-M One byte to avoid potential problems with zero
      if ((session_data->section_type[source_id] == SEC_HEADER) ||
          (session_data->section_type[source_id] == SEC_TRAILER))
      {
-        p->set_detect_limit(1);
+        p->set_detect_limit(0);
      }
  
      // Limit alt_dsize of message body sections to request/response depth
@@ -293,9 +292,8 @@ void HttpInspect::eval(Packet* p)
          p->set_detect_limit(session_data->detect_depth_remaining[source_id]);
      }
  
-    const int remove_workaround = session_data->zero_byte_workaround[source_id] ? 1 : 0;
      const bool partial_flush = session_data->partial_flush[source_id];
-    if (!process(p->data, p->dsize - remove_workaround, p->flow, source_id, !partial_flush))
+    if (!process(p->data, p->dsize, p->flow, source_id, !partial_flush))
      {
          DetectionEngine::disable_content(p);
      }
diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc

index 81d3dcab1cb6452acc615ea1df4d44af6da759ae..c9873678f318d701e12004adb3316a632ef8d87e 100644 (file)
--- a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc
@@ -418,19 +418,9 @@ const snort::StreamBuffer HttpStreamSplitter::reassemble(snort::Flow* flow, unsi
              partial_buffer_length = buf_size;
          }
  
-        // FIXIT-M kludge until we work out issues with returning an empty buffer
          http_buf.data = buffer;
-        if (buf_size > 0)
-        {
-            http_buf.length = buf_size;
-            session_data->zero_byte_workaround[source_id] = false;
-        }
-        else
-        {
-            buffer[0] = '\0';
-            http_buf.length = 1;
-            session_data->zero_byte_workaround[source_id] = true;
-        }
+        http_buf.length = buf_size;
+
          buffer = nullptr;
          session_data->section_offset[source_id] = 0;
      }
diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc

index cf156041c5b92b208c65af5c2dd6ef5261bb313e..82a35b3a99a6a7eb7015972f60fa81b466733367 100644 (file)
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -568,7 +568,7 @@ int TcpReassembler::_flush_to_seq(
          bytes_processed += flushed_bytes;
          trs.sos.seglist_base_seq += flushed_bytes;
  
-        if ( pdu->dsize )
+        if ( pdu->data )
          {
              if ( p->packet_flags & PKT_PDU_TAIL )
                  pdu->packet_flags |= ( PKT_REBUILT_STREAM | PKT_STREAM_EST | PKT_PDU_TAIL );
author	Mike Stepanek (mstepane) <mstepane@cisco.com>
	Wed, 7 Aug 2019 20:47:27 +0000 (16:47 -0400)
committer	Mike Stepanek (mstepane) <mstepane@cisco.com>
	Wed, 7 Aug 2019 20:47:27 +0000 (16:47 -0400)
src/managers/inspector_manager.cc		patch \| blob \| blame \| history
src/service_inspectors/http_inspect/http_flow_data.h		patch \| blob \| blame \| history
src/service_inspectors/http_inspect/http_inspect.cc		patch \| blob \| blame \| history
src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc		patch \| blob \| blame \| history
src/stream/tcp/tcp_reassembler.cc		patch \| blob \| blame \| history