range: validity check when end is bigger than size

Ticket: 5132

Down the line, HttpRangeOpenFileAux assumes the range has a
valid value when doing buflen = end - start + 1;

diff --git a/rust/src/http2/range.rs b/rust/src/http2/range.rs
index 5adae63a477d2bbb6dcd74f7b5b79106f2329807..f86e2188f9b275e83efdba24f3f8c7bc96e6d430 100644 (file)
--- a/rust/src/http2/range.rs
+++ b/rust/src/http2/range.rs
@@ -77,7 +77,7 @@ fn http2_parse_content_range<'a>(input: &'a [u8]) -> IResult<&'a [u8], HTTPConte
 
 pub fn http2_parse_check_content_range<'a>(input: &'a [u8]) -> IResult<&'a [u8], HTTPContentRange> {
     let (rem, v) = http2_parse_content_range(input)?;
-    if v.start > v.end {
+    if v.start > v.end || (v.end > 0 && v.size > 0 && v.end > v.size - 1) {
         return Err(Err::Error(make_error(rem, ErrorKind::Verify)));
     }
     return Ok((rem, v));

diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c
index 83fbf0dab30defba5dc6ed0411fa919eaf68494c..bdbcd2932294d6f7cadde6e1e91a935a2cf8630e 100644 (file)
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@@ -196,7 +196,7 @@ static int HTPParseAndCheckContentRange(
     } else if (range->end == range->size - 1 && range->start == 0) {
         SCLogDebug("range without all information");
         return -3;
-    } else if (range->start > range->end) {
+    } else if (range->start > range->end || range->end > range->size - 1) {
         AppLayerDecoderEventsSetEventRaw(&htud->tx_data.events, HTTP_DECODER_EVENT_RANGE_INVALID);
         s->events++;
         SCLogDebug("invalid range");