]> git.ipfire.org Git - thirdparty/snort3.git/commitdiff
Merge pull request #2454 in SNORT/snort3 from ~THOPETER/snort3:nhttp149 to master
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Thu, 3 Sep 2020 16:04:21 +0000 (16:04 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Thu, 3 Sep 2020 16:04:21 +0000 (16:04 +0000)
Squashed commit of the following:

commit d0715acf006ad328ec79e7270eb02828d45ed0f6
Author: Tom Peters <thopeter@cisco.com>
Date:   Wed Sep 2 19:49:39 2020 -0400

    http_inspect: script detection and concurrency fixes

src/service_inspectors/http_inspect/http_cutter.cc
src/service_inspectors/http_inspect/http_cutter.h
src/service_inspectors/http_inspect/http_flow_data.cc

index 767557a6268f3bfc1580297286f4724e3522a369..c30854dff98c551365f42c5d130d3f90a732bd72 100644 (file)
@@ -21,8 +21,9 @@
 #include "config.h"
 #endif
 
-#include "http_common.h"
 #include "http_cutter.h"
+
+#include "http_common.h"
 #include "http_enum.h"
 
 using namespace HttpEnums;
@@ -770,9 +771,8 @@ ScanResult HttpBodyH2Cutter::cut(const uint8_t* /*buffer*/, uint32_t length,
     }
 }
 
-// This method searches the input stream looking for the beginning of a script or other dangerous
-// content that requires accelerated blocking. Exactly what we are looking for is encapsulated in
-// dangerous().
+// This method searches the input stream looking for a script or other dangerous content that
+// requires accelerated blocking. Exactly what we are looking for is encapsulated in dangerous().
 //
 // Return value true indicates a match and enables the packet that completes the matching sequence
 // to be detained (detained inspection) or sent for partial inspection (script detection).
@@ -818,17 +818,21 @@ bool HttpBodyCutter::need_accelerated_blocking(const uint8_t* data, uint32_t len
     return false;
 }
 
-// Currently we do detained inspection when we see a javascript starting
+// Currently we do accelerated blocking when we see a javascript
 bool HttpBodyCutter::dangerous(const uint8_t* data, uint32_t length)
 {
     const uint8_t* input_buf = data;
     uint32_t input_length = length;
     uint8_t* decomp_output = nullptr;
 
-    // Zipped flows must be decompressed before we can check them. Unzipping for detained
-    // inspection is completely separate from the unzipping done later in reassemble().
+    // Zipped flows must be decompressed before we can check them. Unzipping for accelerated
+    // blocking is completely separate from the unzipping done later in reassemble().
     if ((compression == CMP_GZIP) || (compression == CMP_DEFLATE))
     {
+        // Previous decompression failures make it impossible to search for scripts
+        if (decompress_failed)
+            return true;
+
         const uint32_t decomp_buffer_size = MAX_OCTETS;
         decomp_output = new uint8_t[decomp_buffer_size];
 
@@ -843,6 +847,7 @@ bool HttpBodyCutter::dangerous(const uint8_t* data, uint32_t length)
         // work out we assume it could be dangerous.
         if (((ret_val != Z_OK) && (ret_val != Z_STREAM_END)) || (compress_stream->avail_in > 0))
         {
+            decompress_failed = true;
             delete[] decomp_output;
             return true;
         }
index ffc686a6cfa6fd4379fd7e2cdb55a2f10cc2997f..f512f860d9ccf6bc13bf4a89f5a4835de57f986f 100644 (file)
@@ -117,6 +117,7 @@ private:
     bool detention_required = false;
     HttpEnums::CompressId compression;
     z_stream* compress_stream = nullptr;
+    bool decompress_failed = false;
     const uint8_t* match_string;
     const uint8_t* match_string_upper;
     uint8_t string_length;
index abc8876d018237ae6dd8c83ce5e906b770d0e048..3b2dc4ac341c74135964be8d3bed63d7b4397094 100644 (file)
@@ -53,12 +53,15 @@ const uint16_t HttpFlowData::memory_usage_estimate = sizeof(HttpFlowData) + size
 HttpFlowData::HttpFlowData() : FlowData(inspector_id)
 {
 #ifdef REG_TEST
-    seq_num = ++instance_count;
-    if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP) &&
-        !HttpTestManager::use_test_input(HttpTestManager::IN_HTTP))
+    if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
     {
-        fprintf(HttpTestManager::get_output_file(), "Flow Data construct %" PRIu64 "\n", seq_num);
-        fflush(HttpTestManager::get_output_file());
+        seq_num = ++instance_count;
+        if (!HttpTestManager::use_test_input(HttpTestManager::IN_HTTP))
+        {
+            fprintf(HttpTestManager::get_output_file(),
+                "Flow Data construct %" PRIu64 "\n", seq_num);
+            fflush(HttpTestManager::get_output_file());
+        }
     }
 #endif
     HttpModule::increment_peg_counts(PEG_CONCURRENT_SESSIONS);